Vp nwebcast williams_wallaboswell

  1. WEBCAST SCHEDULE
     Today's event will run one hour long. Here are the expected times for each segment of the Webcast:
     - :00 – :05: Moderator introduces the speaker and discusses the details of the Webcast.
     - :05 – :35: Speaker delivers a PowerPoint presentation on the Webcast topic.
     - :35 – :60: Moderator and speaker engage in a Q&A on the topic.
  2. TECHNICAL FAQs
     Here are answers to the most common technical problems users encounter during a Webcast:
     Q: Why can't I hear the audio part of the webcast?
     A: Try increasing the volume on your computer.
     Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do?
     A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide.
     Q: I can't view some of the detail on the slides. How do I enlarge the slides for a better view?
     A: Click the "Enlarge slide" link in the upper right corner of your presentation. This will open a new browser with a full view of the current slide.
     You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here: http://audience.broadcast.yahoo.com
     If you still have technical questions or problems, send an e-mail to WebcastHelp@TechTarget.com. A technical support person will respond to you within 24 hours.
  3. TechTarget: Virtual Private Networks on Windows 2000 and Windows 2003 Server
     Bill Boswell, Windows Consulting Group
  4. Slide Presentation Prepared By
     Mark Walla, Secure Logistix Corp
     Robert Williams, Secure Logistix Corp
  5. VPN Webcast Expectations
     - Technical overview of VPN technology; this is not intended to troubleshoot VPNs
     - Provide a tutorial on Virtual Private Network basics: definitions, protocols, configuration, architecture
     - Go through VPN implementation with the Windows 2003 Server family
     - Participants should have working knowledge of computing networks and the Windows platform
  6. VPN Definition
     A Virtual Private Network is a connection between two communication endpoints that ensures privacy and authentication.
     VPN connections between offices create a tunnel through which users can access resources securely without dedicated point-to-point WAN links.
  7. VPN Configurations
     Two general VPN configurations:
     - Site-to-Site: RRAS servers act as demand-dial VPN routers. Example: a branch office with Internet access connects via VPN to the corporate network.
     - Remote access: the RRAS server acts as the endpoint for client connections. Example: an XP laptop connects through the Internet to the main office from a hotel room.
  8. Remote Access View (diagram)
  9. Router-to-Router View (diagram)
  10. Authentication
     - VPNs use standard PPP for initial authentication
     - Password-based authentication to the RRAS server
     - X.509 certificates are used to establish the secure IP Security (IPSec) connection
     - Protocol selection depends on what both client and server support
     - Windows servers support the standard PPP authentication protocols listed on the next slides
  11. VPN/PPP Authentication (diagram)
  12. PPP Authentication Protocols
     - Password Authentication Protocol (PAP): sends the password in clear text
     - Shiva Password Authentication Protocol (SPAP): sends a reversibly encrypted password; can be compromised
     - Challenge Handshake Authentication Protocol (CHAP): uses an MD5 hash of the user's plain-text password and the challenge. Requires the password to be stored with reversible encryption.
     - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): one-way authentication (not mutual) between client and server. The challenge is hashed with the user's Windows password hash.
     - MS-CHAP Version 2: stronger version of MS-CHAP that uses a longer challenge, a peer-challenge-salted response, mutual authentication, and a more secure password change mechanism
     - Extensible Authentication Protocol (EAP): allows additional authentication methods within PPP authentication
     - IEEE 802.1X Support: the EAP-TLS module supports certificate-based authentication, usually via RADIUS (IAS); the same EAP types serve IEEE 802.1X port-based access control
  13. VPN Uses an Encrypted Tunnel
     - Encrypted data is encapsulated in an additional protocol
     - Forms a protected pipe between endpoints
     - Inner TCP and IP headers are included in the encrypted payload to prevent eavesdropping
     - Only the IP addresses of the tunnel endpoints are required to route packets
     - Windows uses MPPE (for PPTP) and IPSec ESP (for L2TP/IPSec) to encrypt data within the VPN
  14. Point to Point Tunneling Protocol
     - Uses standard PPP authentication
     - Authentication occurs before encryption is established in the tunnel, which makes PPTP subject to Man-in-the-Middle exploits
     - Encapsulates the PPP frame inside a Generic Routing Encapsulation (GRE) datagram: IP protocol 47 (0x2f), sometimes not supported through the ISP firewall
     - Establishes the connection and sends control traffic over TCP port 1723
     - Standard PPP controls are piggybacked on GRE
     - GRE datagrams are not signed
  15. PPTP Connection (diagram)
  16. PPTP Encryption
     - PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the GRE payload
     - RC4 stream cipher with a 128-bit key (40- and 56-bit keys are also supported)
     - The RRAS server has a copy of the user's password hash, obtained via a secure channel from the domain controller
     - MPPE keys are based on user passwords:
       - The password is hashed using MD4 (the NT hash)
       - The 16-byte NT hash is hashed again with MD4 to produce PwHashHash
       - PwHashHash is hashed with the challenge (MS-CHAP v1) or the NT-Response (MS-CHAP v2) to form the master key
       - Send and receive keys are generated from the master key
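     The key derivation on this slide, worked through as an added example (this is not code from the webcast or its authors). It follows RFC 3079: the MD4 routine is included inline because many OpenSSL-backed hashlib builds refuse MD4 as a legacy algorithm; the 8-byte challenge and the 24-byte NT-Response are constructed sample values, and the NT-Response is taken as an input rather than computed (the real one is DES-based per RFC 2759). The point to notice is that every key is a deterministic function of the NT password hash and bytes that travel on the wire, so anyone who recovers the hash and has captured the exchange derives the same MPPE keys.

```python
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Pure Python because hashlib's 'md4' is often unavailable."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password (what RRAS obtains from the DC)."""
    return md4(password.encode("utf-16-le"))


def password_hash_hash(password: str) -> bytes:
    """PwHashHash on the slide: MD4 of the 16-byte NT hash."""
    return md4(nt_password_hash(password))


def mschap_v1_session_key_128(password: str, challenge: bytes) -> bytes:
    """RFC 3079 2.2: SHA1(PwHashHash || PwHashHash || Challenge)[:16]; same key both ways."""
    assert len(challenge) == 8
    phh = password_hash_hash(password)
    return hashlib.sha1(phh + phh + challenge).digest()[:16]


MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def mschap_v2_master_key(password: str, nt_response: bytes) -> bytes:
    """RFC 3079 3.3 GetMasterKey: SHA1(PwHashHash || NT-Response || Magic1)[:16]."""
    assert len(nt_response) == 24
    return hashlib.sha1(password_hash_hash(password) + nt_response + MAGIC1).digest()[:16]


def mschap_v2_session_keys(master_key: bytes, key_len: int = 16):
    """GetAsymmetricStartKey for both directions, seen from the client side."""
    def derive(magic):
        return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:key_len]
    return derive(MAGIC2), derive(MAGIC3)   # (client send key, client receive key)


def demo():
    """Constructed sample: same password plus the same on-wire material gives the same keys."""
    challenge = bytes.fromhex("0102030405060708")   # constructed MS-CHAP v1 challenge
    nt_response = bytes(range(24))                   # constructed stand-in for the NT-Response
    v1_key = mschap_v1_session_key_128("password", challenge)
    send, recv = mschap_v2_session_keys(mschap_v2_master_key("password", nt_response))
    return {"nt_hash": nt_password_hash("password").hex(), "v1_key": v1_key.hex(),
            "v2_send": send.hex(), "v2_recv": recv.hex()}
```

     Nothing in the derivation adds entropy beyond the password: the challenge and NT-Response are visible to an eavesdropper, so the strength of MPPE in this configuration is bounded by the password and by how hard the MS-CHAP exchange is to crack offline.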
  17. GRE Datagram (diagram)
  18. Layer 2 Tunneling Protocol
     - Works at Layer 2 (Data Link) rather than at the application layer
     - Encapsulates the entire PPP frame (L2) within a datagram; the datagram protocol depends on the L2TP implementation
     - Windows uses IPSec Encapsulating Security Payload (ESP), IP protocol 50
     - ESP supports a variety of algorithms; W2K3 uses 3DES by default, and selecting the FIPS 140 policy in Group Policy restricts IPSec to 3DES (DES is disallowed)
     - IPSec handles key exchange with the Internet Security Association and Key Management Protocol (ISAKMP/IKE): endpoints authenticate each other with certificates and derive session keys through a Diffie-Hellman exchange, over UDP port 500
     - Superior to PPTP: authentication occurs inside the encrypted tunnel, so the PPP authentication exchange is not exposed to an on-path attacker
     - IPSec also offers data integrity: each L2TP datagram carries an HMAC integrity check value within ESP (the separate Authentication Header, AH, is not what the Windows L2TP/IPSec configuration uses)
  19. L2TP Connection (diagram)
  20. ESP Datagram (diagram)
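     What the two encapsulations look like on the wire, as an added example (not code from the webcast): a small dissector that reads only the outer IPv4 header and the GRE or ESP header, reporting what an observer without the tunnel keys can learn. The packets are constructed here with a minimal IPv4 builder (addresses from the documentation ranges, a fabricated CHAP challenge and an opaque ESP body); the PPTP GRE layout follows RFC 2637 and the ESP layout RFC 2406.

```python
import socket
import struct

PPP_PROTOCOL_NAMES = {0x0021: "IP", 0x00FD: "compressed/encrypted (MPPE)", 0xC021: "LCP",
                      0xC023: "PAP", 0xC223: "CHAP", 0xC227: "EAP", 0x80FD: "CCP"}


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) around payload; only used to build the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_pptp_gre(call_id: int, seq: int, ppp_frame: bytes) -> bytes:
    """PPTP enhanced GRE (RFC 2637): K and S set, version 1, protocol type 0x880B, key = length|call ID."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(ppp_frame), call_id, seq) + ppp_frame


def dissect(packet: bytes) -> dict:
    """What an on-path observer learns from the outer headers alone (no tunnel keys)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    if _ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    body = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "ip_protocol": proto}
    if proto == 47:
        flags, ptype = struct.unpack("!HH", body[:4])
        if ptype != 0x880B:
            info["tunnel"] = "GRE, protocol type 0x%04x (not PPTP)" % ptype
            return info
        off = 4
        if flags & 0x2000:   # K: key field = payload length + call ID
            info["payload_len"], info["call_id"] = struct.unpack("!HH", body[off:off + 4])
            off += 4
        if flags & 0x1000:   # S: sequence number present
            info["seq"] = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        if flags & 0x0080:   # A: acknowledgment number present
            info["ack"] = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        ppp = body[off:]
        if ppp[:2] == b"\xff\x03":   # HDLC address/control bytes, when not compressed away
            ppp = ppp[2:]
        ppp_proto = struct.unpack("!H", ppp[:2])[0]
        info["tunnel"] = "PPTP/GRE"
        info["ppp_protocol"] = PPP_PROTOCOL_NAMES.get(ppp_proto, "0x%04x" % ppp_proto)
        # GRE neither encrypts nor authenticates: the PPP protocol field is always readable,
        # and so is the PPP payload unless it is an MPPE-encrypted (0x00FD) frame.
        info["ppp_payload_visible"] = ppp_proto != 0x00FD
        info["integrity_protected"] = False
    elif proto == 50:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(tunnel="IPSec ESP", spi=spi, seq=seq, ppp_payload_visible=False,
                    integrity_protected=True)   # ESP carries an ICV over the encrypted payload
    else:
        info["tunnel"] = "none"
    return info


def chap_challenge_frame() -> bytes:
    """Constructed PPP CHAP Challenge (code 1), the kind of frame PPTP sends before MPPE is up."""
    value, name = b"\x11" * 16, b"ras1"
    body = struct.pack("!BBH", 1, 1, 4 + 1 + len(value) + len(name)) + bytes([len(value)]) + value + name
    return b"\xc2\x23" + body


# Constructed samples (documentation addresses, fabricated identifiers).
SAMPLE_PPTP_CHAP = build_ipv4(47, "203.0.113.10", "198.51.100.2",
                              build_pptp_gre(call_id=0x0042, seq=1, ppp_frame=chap_challenge_frame()))
SAMPLE_PPTP_MPPE = build_ipv4(47, "203.0.113.10", "198.51.100.2",
                              build_pptp_gre(0x0042, 9, b"\x00\xfd" + b"\x5a" * 40))
SAMPLE_L2TP_ESP = build_ipv4(50, "203.0.113.10", "198.51.100.2",
                             struct.pack("!II", 0x1000ABCD, 7) + b"\x9a" * 48)
```

     Run `dissect()` over the three samples: the PPTP CHAP packet exposes the call ID, the sequence number and the fact that a CHAP exchange is in progress (with its contents), the MPPE packet still exposes the protocol field and sequence number but not the payload, and the ESP packet exposes only endpoints, SPI and sequence number. This is the concrete difference behind slides 14 and 18: with PPTP the authentication exchange travels in the clear inside GRE, with L2TP/IPSec it is inside ESP.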
  21. ISAKMP Key Exchange (diagram)
  22. L2TP Requires Certificates
     - Deploy Windows PKI; refer to the most current MSFT white papers
     - Use a W2K3 CA to get maximum features; it can also be used for EFS, S/MIME, SSL
     - Configure group policy for autoenrollment (feature available on W2K and W2K3); this avoids manually obtaining Computer certificates
  23. IPSEC Tunneling
     - L2TP is not firewall friendly: the TCP headers are encrypted in the ESP payload, and standard IPSec suffers from the same problem
     - W2K3 and XP support IPSec tunnels through NAT
     - Use an IPSec tunnel when L2TP and PPTP are not available on the VPN servers or clients
     - Look for NAT-T support in your firewall
  24. RRAS Server Configuration
     - Routing and Remote Access service: installed by default but not enabled
     - Configure for VPN to support individual users
     - Configure for VPN and router to support site-to-site tunnels
     - Configure PPTP ports for dial-in access
     - Limitations: W2K3 Web Edition only supports one inbound VPN connection at a time; the RRAS server must be a domain member or use RADIUS
  25. VPN Ports
     The RRAS server has virtual ports for VPN connections.
  26. Remote Access Policies
     - Subset of RADIUS policies in IAS
     - By default: 7x24 access denied; MS-RAS-Vendor = Microsoft denied
     - First policy wins: lower-precedence policies are not read if an upper policy applies
  27. Policy Profiles Assign Restrictions (diagram)
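     The evaluation rules from slide 26, modelled as an added example (not code from the webcast): policies are tried top-down, the first whose conditions all match decides and nothing below it is read, a connection that matches no policy is rejected, and the user account's dial-in setting (Allow, Deny, or Control access through Remote Access Policy) is consulted on the matching policy. Policy names, conditions, the profile contents and the sample connection are constructed for illustration; 311 is Microsoft's vendor number as carried in the MS-RAS-Vendor attribute.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _match(actual, wanted) -> bool:
    """One condition: membership when the connection value is a collection (Windows-Groups),
    a set of acceptable values when the condition is a set, otherwise exact equality."""
    if isinstance(actual, (set, frozenset, list, tuple)):
        return wanted in actual
    if isinstance(wanted, (set, frozenset)):
        return actual in wanted
    return actual == wanted


@dataclass
class Policy:
    name: str
    conditions: Dict[str, object]
    grant: bool
    profile: Dict[str, object] = field(default_factory=dict)   # restrictions applied on grant

    def matches(self, conn: Dict[str, object]) -> bool:
        return all(_match(conn.get(attr), want) for attr, want in self.conditions.items())


def evaluate(policies: List[Policy], conn: Dict[str, object]) -> Tuple[str, str, Dict[str, object]]:
    """Returns (decision, name of the deciding policy or '' if none matched, profile)."""
    for policy in policies:
        if not policy.matches(conn):
            continue                       # keep reading downwards
        dialin = conn.get("dialin", "policy")
        if dialin == "deny":               # account-level Deny always wins
            return "deny", policy.name, {}
        granted = policy.grant if dialin == "policy" else True   # account-level Allow overrides
        return ("grant" if granted else "deny"), policy.name, (policy.profile if granted else {})
    return "deny", "", {}                  # no match: the connection is rejected


MS_RAS_VENDOR_MICROSOFT = 311

DEFAULT_DENY = Policy("Connections to Microsoft Routing and Remote Access server",
                      {"MS-RAS-Vendor": MS_RAS_VENDOR_MICROSOFT}, grant=False)
VPN_USERS_ALLOW = Policy("VPN-Users over VPN ports",
                         {"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": "VPN-Users"},
                         grant=True,
                         profile={"Authentication-Type": {"MS-CHAP v2", "EAP-TLS"},
                                  "Encryption": "Strongest"})

# Constructed connection attributes for a laptop user in the VPN-Users group.
LAPTOP_USER = {"MS-RAS-Vendor": 311, "NAS-Port-Type": "Virtual (VPN)",
               "Windows-Groups": {"Domain Users", "VPN-Users"}, "dialin": "policy"}


def order_matters():
    """The default deny policy left above the new allow policy silently rejects everyone."""
    wrong = evaluate([DEFAULT_DENY, VPN_USERS_ALLOW], LAPTOP_USER)
    right = evaluate([VPN_USERS_ALLOW, DEFAULT_DENY], LAPTOP_USER)
    return wrong[0], right[0]
```

     The ordering check in `order_matters()` is the one to run before opening a new VPN server to users: both default policies match every RRAS connection, so an allow policy added below them never gets read.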
  28. Steps for PPTP Implementation
     - Internet connection must support IP protocol 47 (GRE)
     - Firewall must allow TCP port 1723
     - Configure the RRAS service: configure for VPN, configure PPTP ports for dial-in access
     - Define a Remote Access Policy (denied by default)
     - VPN client configuration: Create New Connection, specify PPTP in Network
  29. Steps for L2TP Implementation
     - Internet connection must support IP protocol 50 (ESP)
     - Firewall must allow UDP port 500 (ISAKMP/IKE), plus UDP port 4500 if NAT-T is used
     - Routing and Remote Access service: configure for VPN, configure L2TP ports for dial-in access
     - Enroll for Computer certificates: configure the autoenroll policy in W2K and W2K3
     - Define a Remote Access Policy (denied by default)
     - VPN client configuration: Create New Connection, specify L2TP in Network
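     A check for the firewall prerequisites in the two step lists above and on slide 23, as an added example (not code from the webcast): given a rule set, it lists which required flows are not permitted for each VPN type. The rule format and the three sample rule sets are constructed; they illustrate the two mistakes these slides are most often misread into (allowing TCP 1723 but forgetting that GRE is an IP protocol, not a port, and allowing TCP instead of UDP 500) and a correct NAT-T set-up.

```python
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, Optional[int]]   # (protocol, port); port is None for GRE/ESP, which have no ports

REQUIRED: Dict[str, List[Flow]] = {
    "pptp": [("tcp", 1723), ("gre", None)],             # control channel + GRE (IP protocol 47)
    "l2tp-ipsec": [("udp", 500), ("esp", None)],        # ISAKMP/IKE + ESP (IP protocol 50)
    "l2tp-ipsec-nat-t": [("udp", 500), ("udp", 4500)],  # IKE + UDP-encapsulated ESP through NAT
}
IP_PROTOCOL_NUMBER = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50}


def permits(rules: List[dict], proto: str, port: Optional[int]) -> bool:
    """First matching rule decides; no match is the implicit deny.
    A rule without a 'port' key matches every port of that protocol."""
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if "port" in rule and rule["port"] != port:
            continue
        return rule["action"] == "allow"
    return False


def missing_flows(rules: List[dict], vpn_type: str) -> List[Flow]:
    return [flow for flow in REQUIRED[vpn_type] if not permits(rules, *flow)]


def describe(flow: Flow) -> str:
    proto, port = flow
    if port is None:
        return "IP protocol %d (%s)" % (IP_PROTOCOL_NUMBER[proto], proto.upper())
    return "%s port %d" % (proto.upper(), port)


def report(rules: List[dict], vpn_type: str) -> List[str]:
    """Human-readable list of what the firewall still blocks for this VPN type."""
    return [describe(flow) for flow in missing_flows(rules, vpn_type)]


# Constructed rule sets: two common mistakes and one correct NAT-T configuration.
PORT_ONLY_PPTP = [{"proto": "tcp", "port": 1723, "action": "allow"}]
TCP_500_TYPO = [{"proto": "tcp", "port": 500, "action": "allow"},
                {"proto": "esp", "action": "allow"}]
NAT_T_OK = [{"proto": "udp", "port": 500, "action": "allow"},
            {"proto": "udp", "port": 4500, "action": "allow"}]
```

     `report(NAT_T_OK, "l2tp-ipsec")` still lists ESP: a firewall opened only for NAT-T passes L2TP/IPSec clients behind NAT but not clients with public addresses, which negotiate plain ESP. Check both cases when a mixed client population is expected.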
  30. Additional Information
     To receive a copy of Chapter 13: VPN and IPSec from The Ultimate Windows 2003 Server Administrator's Guide (Addison Wesley 2003), contact Mark or Bob at info@securelogistix.com
     Mark Walla, Secure Logistix Corp
     Robert Williams, Secure Logistix Corp
  31. Additional Questions
     For more details on W2K3 VPNs and Windows security information in general, contact Bill Boswell: bboswell@winconsultants.com
  32. Audience Questions
     Bill will be taking audience questions on this topic following the event. You can submit your specific questions for Bill by clicking the Ask a Question button in the lower left corner of your presentation screen.
  33. Feedback
     Thank you for your participation. Did you like this Webcast topic? Would you like us to host other events similar to this one? Send us your feedback on this event and ideas for other topics at editor@searchWin2000.com.
