Robust Industrial Data Communications – Made Easy
Network-to-Network protection
Best practices for using VPNs for easy
network-to-network protection
Westermo webinar
Westermo group 2018
- Founded in 1975
- Industry leading software and hardware development force
- Own production in Sweden with state of the art process control
- Own sales and support units in 12 key countries, distribution partners in many others
Questions
- Ask questions in the chat window
- Address questions to the "Host"
- Questions will be answered at the end of the presentation
Presenters
Niklas Mörth, Product manager, Cybersecurity
Dr. Jon-Olov Vatn, Network applications expert
Topic: Network-to-Network protection
Run-time: 45 minutes + questions
A webinar recording will be provided after the session is completed.
How to protect site-to-site communication with VPN
Dr. Jon-Olov Vatn
Outline
- Introduction
  - What do we mean by a VPN?
  - Network security concepts
  - VPN standards
- How to set up a site-to-site VPN
  - Preparation
  - VPN Configuration
  - Routing, NAT, Firewall, etc.
- Q&A
Virtual Private Network (VPN) - what is it?
- What do we mean?
  - Secure real-time communication over an insecure network (Internet)
  - Site-to-site VPN: Connect two or more sites
  - Remote access VPN: Individual hosts (PCs, etc.) connect to a central site
- Private: Enable confidentiality using encryption
- Virtual: Build a secure network over a shared intermediate network (Internet)
[Figure: Central Office with a VPN GW (Server) and Branch Office with a VPN GW (Client) connected across the Internet; a VPN client (Road Warrior) also connects to the Central Office]
VPN - alternate meanings
- Evolution of the old "leased line" concept
  - Private Network (leased line) => Virtual Private Network
  - Provider Provisioned VPN (PPVPN)
  - Not necessarily encrypted!
- Home usage
  - Circumvent geo-restrictions/geo-blocking
  - Circumvent censorship
[Figure: home user connecting through a VPN to access a geo-blocked service]
Terminology and entities
- VPN Gateways
  - VPN Server Gateway (Alice)
  - VPN Client Gateway (Bob)
- Central Office and Branch Office
- Road-warriors
- "Site-to-site" or "Remote access" VPN
- Firewall
  - Part of VPN Gateway
  - External Firewall
  - Often both
- Backend authentication server
[Figures: Site-to-site VPN, with Alice (VPN GW Server) at the Central Office, Bob (VPN GW Client) at the Branch Office and a backend authentication server (AS) behind Alice; Remote access VPN, with Alice (VPN GW Server) at the Central Office and Bob as a road-warrior VPN client]
Extended topologies
- Multiple clients
  - Multiple clients can connect to the server
  - Mix site-to-site and remote access
- Redundant site-to-site
  - Multiple VPN gateways at each site
  - Dynamic routing protocols (OSPF/RIP) for automatic failover
[Figures: Alice at the Central Office serving Bob, Charlie and Dave at Branch Offices over the Internet; redundant site-to-site with Alice1/Alice2 at the Central Office and Bob1/Bob2 at the Branch Office]
Establishing a secure "tunnel"
- Authentication phase
  - Long term secret
    - Preshared key (symmetric), K_AB
    - Certificates (asymmetric)
  - Prove identity
  - Prepare data transfer phase
    - Negotiation of cipher suite
    - Create session key (K_session)
- Data transfer
  - Protection: Encryption (e.g. AES-128) and Integrity (e.g., SHA-1)
  - Encapsulation (format/layer) of data to be protected
[Figure: Alice and Bob each hold K_AB; an authenticated key exchange based on K_AB produces K_session, after which data transfer uses AES and SHA-1 for data protection and encapsulation]
Real-time security protocols
- "Real-time" as opposed to asynchronous communication (secure email, etc.)
- WeOS supports two protocols
  - OpenVPN (SSL VPN)
  - IPsec VPN
- Roughly equivalent service
- Encapsulation
  - OpenVPN: Layer-4 (UDP/TCP)
  - IPsec: Layer-3 (IP)
- Pros of IPsec
  - Well recognized IETF standard
  - Relatively good performance
- Pros of OpenVPN
  - Widespread platform support
  - Easier to set up (in particular if the VPN GW is placed behind a 3rd party firewall)
Site-to-Site VPN in a Nutshell
In this example we use OpenVPN
- Preparation
- OpenVPN configuration
- Routing
- Firewall and NAT
- Hardening of WAN interface
[Figure: Site-to-site VPN between Alice (VPN GW Server) at the Central Office and Bob (VPN GW Client) at the Branch Office over the Internet, with an authentication server (AS) at the Central Office]
Preparation (1/3)
- Hardware: Alice and Bob
  - WeOS units, SW-level "Extended", for example RFI-2xx
  - Latest WeOS 4.x release
  - Or Westermo MRD
- IP Plan: In this example we
  - Use range 10.0.0.0/16 for local networks and VPN
  - Assign 10.0.0.0/24 for the "VPN Subnet"
  - Assign 10.0.1.0/24 to Alice and 10.0.2.0/24 to Bob
  - Plan to grow with more sites (Charlie & Dave) within the same IP range
[Figure: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) connected over the Internet with VPN subnet 10.0.0.0/24. IP plan, range 10.0.0.0/16: VPN 10.0.0.0/24, Alice 10.0.1.0/24, Bob 10.0.2.0/24, Charlie 10.0.3.0/24, Dave 10.0.4.0/24]
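The IP plan above is the one thing that is hard to change later, because the black-hole route on a later slide covers the whole 10.0.0.0/16 summary and every site route must be more specific than it. The script below is an added example (not from the webinar and not WeOS code) that checks the plan with the Python standard library: all subnets inside the /16, no overlaps, the server's ssl0 address and the client pool inside the VPN subnet, and the next free /24 for a new site. The pool bounds 10.0.0.100-199 and server address 10.0.0.1 are taken from the later configuration slides; Charlie and Dave are the planned sites from the figure.

```python
"""Sanity check for the site-to-site VPN IP plan (added example, not Westermo code)."""
import ipaddress

# Values from the webinar's IP plan; Charlie and Dave are planned future sites.
PLAN_RANGE = ipaddress.ip_network("10.0.0.0/16")
VPN_SUBNET = ipaddress.ip_network("10.0.0.0/24")
SITES = {
    "Alice": ipaddress.ip_network("10.0.1.0/24"),
    "Bob": ipaddress.ip_network("10.0.2.0/24"),
    "Charlie": ipaddress.ip_network("10.0.3.0/24"),
    "Dave": ipaddress.ip_network("10.0.4.0/24"),
}
# Addresses on the tunnel interface (ssl0): Alice's static address and the
# pool from which Alice assigns addresses to clients.
SERVER_SSL0 = ipaddress.ip_address("10.0.0.1")
POOL_FIRST = ipaddress.ip_address("10.0.0.100")
POOL_LAST = ipaddress.ip_address("10.0.0.199")


def check_plan(plan_range, vpn_subnet, sites, pool_first, pool_last, server_ip):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    nets = {"VPN": vpn_subnet, **sites}
    # Every subnet must sit inside the summary range that later gets the null0 route,
    # otherwise traffic for that site is not black-holed when the tunnel is down.
    for name, net in nets.items():
        if not net.subnet_of(plan_range):
            problems.append(f"{name} {net} is outside {plan_range}")
    # Overlapping subnets make site-to-site routing ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # Tunnel addresses must live in the virtual subnet, and the server's
    # static address must not collide with the dynamic pool.
    for label, addr in (("pool start", pool_first), ("pool end", pool_last),
                        ("server ssl0", server_ip)):
        if addr not in vpn_subnet:
            problems.append(f"{label} {addr} is outside VPN subnet {vpn_subnet}")
    if pool_first > pool_last:
        problems.append("pool start is after pool end")
    elif pool_first <= server_ip <= pool_last:
        problems.append(f"server address {server_ip} lies inside the client pool")
    return problems


def next_free_site_subnet(plan_range, vpn_subnet, sites, prefixlen=24):
    """Return the lowest free /24 in plan_range, or None if the range is full."""
    used = [vpn_subnet, *sites.values()]
    for candidate in plan_range.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


if __name__ == "__main__":
    issues = check_plan(PLAN_RANGE, VPN_SUBNET, SITES, POOL_FIRST, POOL_LAST, SERVER_SSL0)
    print("plan OK" if not issues else "\n".join(issues))
    print("next free site subnet:", next_free_site_subnet(PLAN_RANGE, VPN_SUBNET, SITES))
```

Run it whenever a site is added; a plan that passes here keeps the "route 10.0.0.0/16 null0 200" black-hole rule and the per-site routes consistent without touching the existing gateways.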
Preparation (2/3)
- Generate Certificates
  - Easy-RSA scripts (openvpn.net)
  - Your own Certificate Authority (CA)
  - Certificates and private keys
    - CA: CA certificate
    - Alice: User Certificate (Server)
    - Bob: User Certificate (Client)
  - Generate TLS-Authentication key
- Enable NTP client
  - Important to have the correct time when using certificates
  - Use a local NTP server or one on the Internet
[Figure: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) synchronise with an NTP server, e.g. "pool.ntp.org"; the Easy-RSA scripts produce the CA certificate, Alice's User Cert (Server) and Bob's User Cert (Client)]
Preparation (3/3)
- Sign up for DDNS (e.g., DynDNS)
  - Bob initiates the VPN connection to Alice: "peer alice.example.com"
  - What if Alice has a dynamic address?
    - Alice should sign up with a DDNS provider
  - Should Bob also use DDNS?
- (Optional) RADIUS or TACACS+ Server
  - Centralized authentication of VPN clients (Bob, Charlie, Dave)
  - Alice relays the authentication handshake to the Backend Authentication Server (AS)
  - E.g., FreeRADIUS (freeradius.org)
[Figures: Alice (IP=1.2.3.4) registers with a DDNS server, e.g. "DynDNS", so that Bob can reach her by name; Alice relays Bob's authentication to a backend authentication server (AS)]
OpenVPN configuration
- Mode:
  - Alice: Server
  - Bob: Client
    - Client sets peer: alice.example.com
- Authentication
  - Certificates: Upload Cert, Key, CA Cert
  - (Optional) Identity/password
- Specify Cipher Suite
  - Must be the same on Alice/Bob
  - Encryption: AES-128-CBC or better
  - Integrity: SHA1 or better
OpenVPN configuration: Virtual Subnet
- SSL Interface Type
  - Can be Layer-2 (MAC) or Layer-3 (IP)
  - Site-to-site: Must use Layer-2
  - (Remote-access: Layer-2 or Layer-3)
- SSL Interface IP address (ssl0)
  - Server and clients form a virtual subnet
  - Alice: set static, e.g. 10.0.0.1/24
  - Bob: set "dynamic" or "static"
    - Let Alice assign the address to Bob
      - Specific: CN-binding => 10.0.0.2
      - Or from pool (10.0.0.100-199)
    - Assigned as part of tunnel establishment
[Figure: virtual subnet 10.0.0.0/24 across the Internet; Alice (10.0.1.0/24) has ssl0 10.0.0.1, Bob (10.0.2.0/24) has ssl0 10.0.0.2 or "ssl0 dynamic"]
OpenVPN configuration: TLS Authentication
- Add "TLS-authentication" key
  - Extra key used during tunnel establishment (Authentication Phase)
  - Alice does not respond unless the correct key is used by the client
- "Stealth"
  - This limits server exposure to
    - Port scans
    - DDoS attacks
[Figure: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) over the Internet with virtual subnet 10.0.0.0/24; the TLS-authentication key limits exposure of Alice's WAN interface]
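The reason the extra key reduces exposure is that the server authenticates every control-channel packet with a static HMAC before it allocates any handshake state, and silently discards anything that fails. The model below is an added example, not Westermo's or OpenVPN's code: its packet layout (a 20-byte HMAC-SHA1 tag followed by the payload) is a simplification chosen for illustration, and the key is generated inline rather than read from the key file the slide tells you to generate. It shows what Bob, a peer with the wrong key, and a bare probe each get back from Alice.

```python
"""Model of the "TLS-authentication" gate (added example, not WeOS or OpenVPN code)."""
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha1().digest_size   # 20 bytes, matching the SHA-1 integrity choice


def seal(key, payload):
    """Client side: prepend the HMAC-SHA1 tag computed over the payload."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


def server_handle(key, packet):
    """Server side: reply only to authenticated packets, otherwise return None.

    None models silence on the wire: the sender cannot tell a VPN server
    holding a different tls-auth key from a closed port.
    """
    if len(packet) < TAG_LEN:
        return None                                  # too short to carry a tag
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None                                  # wrong or missing key: no reply
    # Only now does the server spend effort (and state) on the TLS handshake.
    return b"SERVER_HELLO:" + payload


def simulate():
    """Three senders against one server; True means that sender got a reply."""
    tls_auth_key = os.urandom(32)   # constructed here; in practice shared out-of-band
    wrong_key = os.urandom(32)
    hello = b"CLIENT_HELLO"
    attempts = {
        "Bob (correct key)": seal(tls_auth_key, hello),
        "peer with wrong key": seal(wrong_key, hello),
        "bare probe (no tag)": hello,
    }
    return {who: server_handle(tls_auth_key, pkt) is not None
            for who, pkt in attempts.items()}


if __name__ == "__main__":
    for who, answered in simulate().items():
        print(f"{who:22s}-> {'reply' if answered else 'silence'}")
```

Only the first sender receives anything; the other two see exactly what they would see from an unused port, which is the property the slide calls "stealth".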
Routing Site-to-Site
- Alternative 1: Static routing
  - Let both Alice and Bob have a static IP on the tunnel interface (ssl0)
    - Alice 10.0.0.1
    - Bob 10.0.0.2
  - Alice sets a static route to Bob's network: "route 10.0.2.0 via 10.0.0.2"
  - And Bob does the same: "route 10.0.1.0 via 10.0.0.1"
[Figure: Alice (10.0.1.0/24, ssl0 10.0.0.1) and Bob (10.0.2.0/24, ssl0 10.0.0.2) joined by the 10.0.0.0/24 tunnel subnet over the Internet]
Routing Site-to-Site
- Alternative 2: Dynamic routing
  - Alice and Bob run OSPF or RIP
  - Here Bob can get the address dynamically
  - Also supports VPN redundancy
[Figure: Alice (10.0.1.0/24, ssl0 10.0.0.1) and Bob (10.0.2.0/24, ssl0 dynamic) over the 10.0.0.0/24 tunnel subnet, with the configuration below]
Alice, SSL conf:
    pool 10.0.0.100-199
Alice, router rip conf:
    network vlan 1
    network ssl0
Bob, router rip conf:
    network vlan 1
    network ssl0
Firewall and NAT
- Firewall rules (towards WAN interface)
  - NAPT/IP Masquerading (NAT-wall)
  - Drop by default
- Firewall rules towards VPN tunnel
  - Allow traffic to flow between the local interface (vlan1) and the tunnel interface (ssl0)
- Black-hole route
  - Alice/Bob may otherwise route private traffic unencrypted towards the Internet when the VPN tunnel is down
  - Ensure data is dropped if the VPN is down
[Figure: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) over the Internet, each with the configuration below]
On both Alice and Bob, IP Firewall conf:
    nat type napt out vlan2 addfilter
    filter allow in vlan1 out ssl0
    filter allow in ssl0 out vlan1
On both Alice and Bob, IP route conf:
    route 10.0.0.0/16 null0 200
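The black-hole route is the easiest rule on this slide to leave out and the most expensive to get wrong, so here is the forwarding decision worked through for Alice. This is an added example, not Westermo's code and not WeOS syntax: a small longest-prefix-match router plus the drop-by-default firewall, with interface names as in the deck (vlan1 = LAN, vlan2 = WAN, ssl0 = tunnel, null0 = black hole). The route to Bob's subnet via ssl0 is modelled as present only while the tunnel is up, which is what makes the /16 null0 route matter; the sample host addresses are constructed.

```python
"""Alice's routing and firewall decisions (added example, not WeOS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int = 0


def alice_routes(tunnel_up, black_hole):
    """Alice's routing table; ssl0 routes exist only while the tunnel is up."""
    routes = [
        Route(ipaddress.ip_network("10.0.1.0/24"), "vlan1"),   # local LAN
        Route(ipaddress.ip_network("0.0.0.0/0"), "vlan2"),     # default route via WAN
    ]
    if black_hole:
        # "route 10.0.0.0/16 null0 200": summary of the whole IP plan, high metric
        # so that any more specific or lower-metric route wins while it exists.
        routes.append(Route(ipaddress.ip_network("10.0.0.0/16"), "null0", 200))
    if tunnel_up:
        routes.append(Route(ipaddress.ip_network("10.0.0.0/24"), "ssl0"))  # tunnel subnet
        routes.append(Route(ipaddress.ip_network("10.0.2.0/24"), "ssl0"))  # "route 10.0.2.0 via 10.0.0.2"
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefix lengths the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or
                                (r.prefix.prefixlen, -r.metric) >
                                (best.prefix.prefixlen, -best.metric)):
            best = r
    return best.iface if best else None


# "filter allow in vlan1 out ssl0" / "filter allow in ssl0 out vlan1";
# every other interface pair is dropped (drop by default).
ALLOW = {("vlan1", "ssl0"), ("ssl0", "vlan1")}


def forward(src_iface, dst, tunnel_up=True, black_hole=True):
    """Return what Alice does with a packet that arrived on src_iface for dst."""
    out = lookup(alice_routes(tunnel_up, black_hole), dst)
    if out == "null0":
        return "dropped (black hole)"
    if src_iface == "vlan1" and out == "vlan2":
        # "nat type napt out vlan2 addfilter": LAN may leave masqueraded, in the clear.
        return "forwarded to Internet via NAPT"
    if (src_iface, out) in ALLOW:
        return f"forwarded to {out}"
    return "dropped (firewall default)"


if __name__ == "__main__":
    bob_host = "10.0.2.5"   # constructed: a host on Bob's LAN
    for up, bh in ((True, True), (False, True), (False, False)):
        print(f"tunnel_up={up!s:5} black_hole={bh!s:5} LAN -> {bob_host}: "
              f"{forward('vlan1', bob_host, up, bh)}")
    print("Internet -> LAN host:", forward("vlan2", "10.0.1.7"))
    print("tunnel   -> LAN host:", forward("ssl0", "10.0.1.7"))
```

The third line of output is the failure mode the slide warns about: with the tunnel down and no null0 route, a packet for Bob's LAN matches only the default route, is masqueraded and leaves the WAN unencrypted. With the null0 route in place the same packet is dropped instead, and as soon as the tunnel comes back the more specific /24 via ssl0 takes over again.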
Hardening
- WAN interface on Internet
  - Limit exposure on the WAN interface
  - Consider an external FW
- On the WAN interface, disable
  - All remote management (perhaps except SSH/HTTPS)
  - Access to the DNS port (firewall filter)
  - LLDP
- Other general good practices (good "admin" password, disable unused services, etc.)
[Figure: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) on the Internet, with the WAN-interface configuration below]
IP Firewall conf:
    filter deny in vlan2 proto udp dport 53
    filter deny in vlan2 proto tcp dport 53
Iface vlan2 conf:
    no management
(Allow ssh/https for remote mgmt?)
Done!

WeConnect – Easy VPN management
WeConnect delivers easy to use and reliable connections to industrial equipment
Made Easy
- WeConnect does not require IT experts to deploy, maintain or use
Reliable
- WeConnect is powered by highly robust and reliable Amazon servers in three locations world-wide
Secure
- Every user gets their own virtual server secured by sophisticated encryption techniques
26
Fundamentals of
 Network-to-Network protection
5th December at 9.00 & 15.00 CET
 Best practices for using VPNs for easy network-to-network
protection
 Network segmentation
20th February 2019 at 9.00 & 15.00 CET
 Divide your network into different zones to strengthen your
security defense
 Perimeter protection (TBA)
 Protect your industrial network from unsolicited requests
 Spoofing protection (TBA)
 Defend your network from unauthorized devices
Thank you for attending!
- An email will be sent to you including
  - Playback link to the webinar recording
  - Contact information for your local Westermo dealer
Next webinar: February 20th, 2019
Network Segmentation
Divide your network into different zones to strengthen your security defense
Creating the World's Most Robust Networks

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Best practices for using VPNs for easy network-to-network protection

  • 9. Terminology and entities
   VPN Gateways
     VPN Server Gateway (Alice)
     VPN Client Gateway (Bob)
   Central Office and Branch Office
   Road warriors
   "Site-to-site" or "Remote access" VPN
   Firewall
     Part of the VPN Gateway
     External firewall
     Often both
   Backend authentication server (AS)
  [Figures: site-to-site VPN, with Alice (VPN GW server) at the Central Office and Bob (VPN GW client) at the Branch Office across the Internet; remote-access VPN, with a road-warrior VPN client connecting to Alice; an AS sits behind Alice in both.]
  • 10. Extended topologies
   Multiple clients
     Multiple clients can connect to the server
     Mix site-to-site and remote access
   Redundant site-to-site
     Multiple VPN gateways at each site
     Dynamic routing protocols (OSPF/RIP) for automatic failover
  [Figures: Alice at the Central Office serving Bob, Charlie and Dave at their Branch Offices; a redundant setup with Alice1/Alice2 at the Central Office and Bob1/Bob2 at the Branch Office.]
  • 11. Establishing a secure "tunnel"
   Authentication phase
     Long-term secret
       Pre-shared key (symmetric), K_AB
       Certificates (asymmetric)
     Prove identity
     Prepare the data-transfer phase
       Negotiation of cipher suite
       Create session key (K_session)
   Data transfer
     Protection: encryption (e.g., AES-128) and integrity (e.g., HMAC with SHA-1)
     Encapsulation (format/layer) of the data to be protected
  [Figure: Alice and Bob both hold K_AB; an authenticated key exchange based on K_AB produces K_session on both sides, after which data transfer is protected with AES and SHA-1 and encapsulated.]
  • 12. Real-time security protocols
   "Real-time" as opposed to asynchronous communication (secure e-mail, etc.)
   WeOS supports two protocols
     OpenVPN (SSL VPN)
     IPsec VPN
   Roughly equivalent service
   Encapsulation
     OpenVPN: Layer-4 (UDP/TCP)
     IPsec: Layer-3 (IP)
   Pros of IPsec
     Well-recognized IETF standard
     Relatively good performance
   Pros of OpenVPN
     Widespread platform support
     Easier to set up (in particular if the VPN GW is placed behind a 3rd-party firewall or NAT: a single UDP or TCP port has to be let through, instead of IKE plus ESP)
  • 13. Site-to-site VPN in a nutshell
  In this example we use OpenVPN.
   Preparation
   OpenVPN configuration
   Routing
   Firewall and NAT
   Hardening of the WAN interface
  [Figure: site-to-site VPN between Alice (VPN GW server, Central Office) and Bob (VPN GW client, Branch Office) across the Internet, with an AS behind Alice.]
  • 14. Preparation (1/3)
   Hardware: Alice and Bob
     WeOS units, SW level "Extended", for example RFI-2xx
     Latest WeOS 4.x release
     Or Westermo MRD
   IP plan: in this example we
     Use the range 10.0.0.0/16 for local networks and the VPN
     Assign 10.0.0.0/24 as the "VPN subnet"
     Assign 10.0.1.0/24 to Alice and 10.0.2.0/24 to Bob
     Plan to grow with more sites (Charlie & Dave) within the same IP range
  IP plan summary: range 10.0.0.0/16; VPN subnet 10.0.0.0/24; Alice 10.0.1.0/24; Bob 10.0.2.0/24; Charlie 10.0.3.0/24; Dave 10.0.4.0/24.
  • 15. Preparation (2/3)
   Generate certificates
     Easy-RSA scripts (openvpn.net)
     Your own Certificate Authority (CA)
     Certificates and private keys
       CA: CA certificate
       Alice: user certificate (server)
       Bob: user certificate (client)
   Generate a TLS-authentication key
   Enable the NTP client
     Important to have correct time when using certificates (validity periods are checked against the local clock; a gateway with a wrong clock rejects valid certificates)
     Use a local NTP server or one on the Internet, e.g., "pool.ntp.org"
  [Figure: the CA created with the Easy-RSA scripts issues the server certificate to Alice and the client certificate to Bob; both gateways take their time from an NTP server.]
  • 16. Preparation (3/3)
   Sign up for DDNS (e.g., DynDNS)
     Bob initiates the VPN connection to Alice: "peer alice.example.com"
     What if Alice has a dynamic address? Alice should sign up with a DDNS provider
     Should Bob also use DDNS? Not for the tunnel itself: Bob is the initiating side, so only Alice's name needs to resolve
   (Optional) RADIUS or TACACS+ server
     Centralized authentication of VPN clients (Bob, Charlie, Dave)
     Alice relays the authentication handshake to the backend Authentication Server (AS)
     E.g., FreeRADIUS (freeradius.org)
  [Figures: Alice (IP 1.2.3.4) registered with a DDNS server so that Bob can reach her by name; Alice relaying client authentication to the AS.]
  • 17. OpenVPN configuration
   Mode
     Alice: server
     Bob: client; the client sets peer alice.example.com
   Authentication
     Certificates: upload cert, key, CA cert
     (Optional) identity/password
   Specify the cipher suite
     Must be the same on Alice and Bob
     Encryption: AES-128-CBC or better (prefer an AES-GCM mode where both ends support it)
     Integrity: SHA1 or better (prefer SHA-256)
  • 18. OpenVPN configuration: virtual subnet
   SSL interface type
     Can be Layer-2 (MAC) or Layer-3 (IP)
     Site-to-site: must use Layer-2
     (Remote access: Layer-2 or Layer-3)
   SSL interface IP address (ssl0)
     Server and clients form a virtual subnet
     Alice: set static, e.g., 10.0.0.1/24
     Bob: set "dynamic" or "static"
     Let Alice assign an address to Bob
       Specific: CN binding => 10.0.0.2
       Or from a pool (10.0.0.100-199)
     Assigned as part of tunnel establishment
  [Figure: the virtual subnet 10.0.0.0/24 spanning the Internet; Alice ssl0 10.0.0.1, Bob ssl0 10.0.0.2 or "ssl0 dynamic".]
  • 19. OpenVPN configuration: TLS authentication
   Add a "TLS-authentication" key
     Extra pre-shared key used during tunnel establishment (authentication phase)
     Alice does not respond unless the correct key is used by the client ("stealth")
   This limits server exposure to
     Port scans
     DDoS attacks
   Note: the TLS-authentication key is shared by all clients, so it only gates access to the TLS handshake; the certificates still decide who is admitted
  [Figure: the TLS-authentication key limits the exposure of Alice's WAN interface.]
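  The three OpenVPN configuration slides above, written out as a stock OpenVPN 2.x configuration pair and checked by a small linter. This is an added example, not code from the Westermo slides or from WeOS; the file names, the hostname alice.example.com, port 1194 and the ccd entry binding Bob's certificate CN to 10.0.0.2 are assumptions. The constructed Alice and Bob configurations follow slides 17 to 19 (server/client mode, certificate authentication, the same cipher suite on both ends, a Layer-2 tap interface on the 10.0.0.0/24 virtual subnet, a TLS-auth key), and lint() checks a pair for exactly those requirements, reporting a constructed weak pair (legacy cipher, MD5 integrity, no TLS-auth key, no server-certificate check) beside the good one.

```python
"""Added example (not from the Westermo slides or WeOS): slides 17-19 as a stock
OpenVPN 2.x configuration pair, plus a linter for what the slides require.
Assumptions: file names, alice.example.com, port 1194, the ccd entry for Bob."""

# Constructed sample, Alice (server): Layer-2 "tap" interface, static 10.0.0.1/24,
# pool 10.0.0.100-199 for clients without a CN binding, ccd directory for the
# bindings, static route to Bob's site (slide 20, alternative 1).
ALICE_CONF = """\
mode server
tls-server
dev tap
proto udp
port 1194
ca ca.crt
cert alice.crt
key alice.key
dh dh.pem
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
ifconfig 10.0.0.1 255.255.255.0
ifconfig-pool 10.0.0.100 10.0.0.199 255.255.255.0
client-config-dir ccd
route 10.0.2.0 255.255.255.0 10.0.0.2
"""
# Constructed sample, file ccd/bob: CN binding => Bob always gets 10.0.0.2 (slide 18).
CCD_BOB = "ifconfig-push 10.0.0.2 255.255.255.0\n"

# Constructed sample, Bob (client): peer alice.example.com, same cipher suite,
# and remote-cert-tls so that only a server certificate is accepted as Alice.
BOB_CONF = """\
client
dev tap
proto udp
remote alice.example.com 1194
ca ca.crt
cert bob.crt
key bob.key
tls-auth ta.key 1
remote-cert-tls server
verify-x509-name alice name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
"""

STRONG_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC",
                  "AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}


def parse(conf):
    """Map each OpenVPN directive to its argument list (first occurrence wins)."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, args)
    return opts


def lint(server_conf, client_conf):
    """Return findings for a server/client pair; an empty list means it passes."""
    s, c = parse(server_conf), parse(client_conf)
    out = []
    for role, o in (("server", s), ("client", c)):
        cipher = o.get("cipher", ["BF-CBC"])[0].upper()  # BF-CBC: default before 2.5
        if cipher not in STRONG_CIPHERS:
            out.append(f"{role}: cipher {cipher} is weaker than AES-128-CBC")
        auth = o.get("auth", ["SHA1"])[0].upper()         # SHA1: OpenVPN default
        if auth in ("MD5", "NONE"):
            out.append(f"{role}: auth {auth} gives no usable integrity protection")
        if "tls-auth" not in o and "tls-crypt" not in o:
            out.append(f"{role}: no tls-auth key, control channel answers any peer")
        for item in ("ca", "cert", "key"):
            if item not in o:
                out.append(f"{role}: missing {item}, certificate auth incomplete")
    if s.get("cipher") != c.get("cipher") or s.get("auth") != c.get("auth"):
        out.append("cipher suite differs between server and client")
    if "tls-auth" in s and "tls-auth" in c:
        if s["tls-auth"][1:] != ["0"] or c["tls-auth"][1:] != ["1"]:
            out.append("tls-auth key direction must be 0 on server and 1 on client")
    if "remote-cert-tls" not in c:
        out.append("client: no remote-cert-tls server, any client cert could pose as Alice")
    return out


# Constructed weak pair: legacy cipher, MD5 integrity, no TLS-auth, no server check.
WEAK_ALICE = (ALICE_CONF.replace("AES-256-GCM", "BF-CBC")
              .replace("SHA256", "MD5")
              .replace("tls-auth ta.key 0\n", ""))
WEAK_BOB = (BOB_CONF.replace("tls-auth ta.key 1\n", "")
            .replace("remote-cert-tls server\n", ""))

if __name__ == "__main__":
    print("good pair:", lint(ALICE_CONF, BOB_CONF) or "no findings")
    for finding in lint(WEAK_ALICE, WEAK_BOB):
        print("weak pair:", finding)
```

  Run it directly to see the findings for both pairs. The remote-cert-tls and verify-x509-name lines are not on the slides but belong with certificate authentication: without them Bob would accept any certificate issued by the same CA, Charlie's for instance, as Alice.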
  • 20. Routing site-to-site
   Alternative 1: static routing
     Let both Alice and Bob have a static IP on the tunnel interface (ssl0)
       Alice 10.0.0.1
       Bob 10.0.0.2
     Alice sets a static route to Bob's network: "route 10.0.2.0/24 via 10.0.0.2"
     And Bob does the same: "route 10.0.1.0/24 via 10.0.0.1"
  [Figure: Alice ssl0 10.0.0.1 and Bob ssl0 10.0.0.2 on the 10.0.0.0/24 tunnel subnet, with the 10.0.1.0/24 and 10.0.2.0/24 sites behind them.]
  • 21. Routing site-to-site
   Alternative 2: dynamic routing
     Alice and Bob run OSPF or RIP
     Here Bob can get its address dynamically
     Also supports VPN redundancy
  Configuration shown on the slide (WeOS CLI):
    Alice:
      ssl0 10.0.0.1
      SSL conf: pool 10.0.0.100-199
      router rip conf: network vlan 1, network ssl0
    Bob:
      ssl0 dynamic
      router rip conf: network vlan 1, network ssl0
  • 22. Firewall and NAT
   Firewall rules (towards the WAN interface)
     NAPT/IP masquerading ("NAT-wall")
     Drop by default
   Firewall rules towards the VPN tunnel
     Allow traffic to flow between the local interface (vlan1) and the tunnel interface (ssl0)
   Black-hole route
     Alice/Bob may route private traffic unencrypted towards the Internet when the VPN tunnel is down: once the tunnel routes disappear, the default route is the only match for 10.0.x.x destinations
     Ensure data is dropped if the VPN is down: a null route for the whole 10.0.0.0/16 range. The more specific site and tunnel routes win while the tunnel is up; when it is down, the null route still matches before the default route, so private traffic is dropped instead of leaking
  Configuration shown on the slide (the same on Alice and Bob):
    IP firewall conf:
      nat type napt out vlan2
      addfilter
      filter allow in vlan1 out ssl0
      filter allow in ssl0 out vlan1
    IP route conf:
      route 10.0.0.0/16 null0 200
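  Why the black-hole route on slide 22 matters, as an added example that is not from the slides or WeOS: a toy forwarding table that applies longest-prefix match, then lowest metric, and ignores routes over an interface that is down, loaded with Alice's routes from slides 14, 20 and 22 (interface names vlan1, vlan2, ssl0 and null0 as on the slides). It shows 10.0.2.0/24 traffic leaving on the WAN interface in clear text when the tunnel is down and no null route exists, being dropped when the null route is present, and traffic to a not-yet-configured site such as Charlie's 10.0.3.0/24 never reaching the Internet either.

```python
"""Added example (not from the slides or WeOS): a toy forwarding table showing
the fail-open behaviour that slide 22's "route 10.0.0.0/16 null0 200" prevents.
Interface names follow the slides: vlan1 LAN, vlan2 WAN, ssl0 tunnel, null0 drop."""
from ipaddress import ip_address, ip_network


class Fib:
    def __init__(self):
        self.routes = []                    # (network, interface, metric)
        self.up = {"vlan1", "vlan2", "null0"}  # ssl0 only exists while the tunnel is up

    def add(self, prefix, dev, metric=0):
        self.routes.append((ip_network(prefix), dev, metric))

    def link_up(self, dev):
        self.up.add(dev)

    def link_down(self, dev):
        self.up.discard(dev)                # routes over a down link are withdrawn

    def egress(self, dst):
        """Interface a packet to dst leaves on, or 'none' if it is unroutable."""
        dst = ip_address(dst)
        best = None
        for net, dev, metric in self.routes:
            if dev not in self.up or dst not in net:
                continue
            key = (-net.prefixlen, metric)  # longest prefix first, then lowest metric
            if best is None or key < best[0]:
                best = (key, dev)
        return best[1] if best else "none"


def build_alice(blackhole=True):
    """Alice's routing table from slides 14, 20 and 22."""
    fib = Fib()
    fib.add("10.0.1.0/24", "vlan1")           # Alice's own site, directly connected
    fib.add("0.0.0.0/0", "vlan2")             # default route towards the Internet
    fib.add("10.0.0.0/24", "ssl0")            # VPN subnet, connected via the tunnel
    fib.add("10.0.2.0/24", "ssl0")            # "route 10.0.2.0/24 via 10.0.0.2"
    if blackhole:
        fib.add("10.0.0.0/16", "null0", 200)  # "route 10.0.0.0/16 null0 200"
    return fib


def where_does_it_go(blackhole, tunnel_up, dst):
    """Egress interface on Alice for dst under the given tunnel state."""
    fib = build_alice(blackhole)
    if tunnel_up:
        fib.link_up("ssl0")
    return fib.egress(dst)


if __name__ == "__main__":
    for blackhole in (False, True):
        for tunnel_up in (True, False):
            print(f"blackhole={blackhole!s:5} tunnel_up={tunnel_up!s:5}  "
                  f"10.0.2.7 -> {where_does_it_go(blackhole, tunnel_up, '10.0.2.7'):5}  "
                  f"10.0.3.5 -> {where_does_it_go(blackhole, tunnel_up, '10.0.3.5')}")
```

  The same table on Bob works the other way round with 10.0.1.0/24 as the remote site. Note that with this setup the null route also swallows traffic to Charlie's and Dave's ranges until their tunnels exist, so nothing destined for a planned site ever goes to the ISP by mistake.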
  • 23. Hardening
   WAN interface on the Internet
     Limit exposure on the WAN interface
     Consider an external firewall
   On the WAN interface, disable
     All remote management (perhaps except SSH/HTTPS)
     Access to the DNS port (firewall filter)
     LLDP
   Other general good practices (strong "admin" password, disable unused services, etc.)
  Configuration shown on the slide (WeOS CLI):
    IP firewall conf:
      filter deny in vlan2 proto udp dport 53
      filter deny in vlan2 proto tcp dport 53
    Iface vlan2 conf:
      no management
    (Allow SSH/HTTPS for remote management?)
  • 25. WeConnect – Easy VPN management
  WeConnect delivers easy-to-use and reliable connections to industrial equipment.
   Made easy: WeConnect does not require IT experts to deploy, maintain or use
   Reliable: WeConnect is powered by highly robust and reliable Amazon servers in three locations world-wide
   Secure: every user gets their own virtual server secured by sophisticated encryption techniques
  • 26. Fundamentals of
   Network-to-network protection, 5th December at 9.00 & 15.00 CET: Best practices for using VPNs for easy network-to-network protection
   Network segmentation, 20th February 2019 at 9.00 & 15.00 CET: Divide your network into different zones to strengthen your security defense
   Perimeter protection (TBA): Protect your industrial network from unsolicited requests
   Spoofing protection (TBA): Defend your network from unauthorized devices
  • 27. Thank you for attending!
   An email will be sent to you including
     Playback link to the webinar recording
     Contact information for your local Westermo dealer
  Next webinar: February 20th, 2019, Network Segmentation: Divide your network into different zones to strengthen your security defense
  • 28. 28 Creating the World’s Most Robust Networks