
  • Number of slides: 47

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 11: Setting Up a Virtual Private Network
By Whitman, Mattord, & Austin
© 2008 Course Technology

Learning Objectives
• Explain the components and essential operations of virtual private networks (VPNs)
• Describe the different types of VPNs
• Create VPN setups, such as mesh or hub-and-spoke configurations
• Choose the right tunneling protocol for your VPN
• Enable secure remote access for individual users via a VPN
• Recommend best practices for effective configuration and maintenance of VPNs
Firewalls & Network Security, 2nd ed. - Chapter 11, Slide 2

Introduction
• Organizations routinely join LANs to facilitate secure point-to-point communications
• Private leased lines don't scale well, utilize complex technology, and are expensive
• VPNs function like private leased lines
  – Encapsulate and encrypt data being transmitted
  – Use authentication to ensure only approved users gain access
• VPNs provide secure point-to-point communications over the public Internet

VPN Components and Operations
• VPNs can be set up with special hardware or with firewall software that includes VPN functionality
• Many firewalls have VPN systems built in
• A correctly set up VPN can be a critical component in an organization's perimeter security configuration
• The goal of VPNs is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks

VPN Components
• VPNs consist of two types of components:
  – Hardware devices
  – Software that performs security-related activities
• VPN tunnels have two endpoints, or terminators
• Endpoints:
  – Hardware devices or software modules
  – Encrypt data to keep it confidential in transit
  – Authenticate to ensure the host requesting data is an approved user
  – Encapsulate data, together with an integrity check, so the original packet arrives unaltered and any tampering in transit is detected

VPN Components (continued)
• A VPN connection occurs within a TCP/IP tunnel
• Tunnel: channel or pathway of networks used by the VPN that runs through the Internet from one endpoint to another
• "Tunnel" can be misleading, as it implies:
  – There is a single cable joining the endpoints
  – Only approved VPN users can utilize that cable
• In reality, the VPN "tunnel" is virtual
• Using the Internet keeps costs down and simplifies setup of the VPN, but can also add uncertainty to communications

VPN Components (continued)
• Endpoint devices can be one of the following:
  – A server running a tunneling protocol
  – A VPN appliance (a special hardware device devoted to setting up VPN communications)
  – A firewall/VPN combination
  – A router-based VPN (routers that support IPSec can be set up on the perimeter of the connected LANs)
• A VPN scenario may also include:
  – Certificate servers: manage certificates
  – Client computers: run VPN client software, allowing remote users LAN access over the VPN

Essential Activities of VPNs
• Information transferred via a VPN travels over the Internet and must be well protected
• The essential activities that protect data are:
  – IP encapsulation
  – Data payload encryption
  – Encrypted authentication

IP Encapsulation
• Used to protect VPN data packets
• Process of enclosing one packet within another packet that has different IP source and destination information
• When the enclosed packet is also encrypted (as in IPSec tunnel mode), its source and destination addresses are hidden from anyone observing the Internet path; only the tunnel endpoints' addresses are visible
• IP addresses of the encapsulated packets can be in the private reserved blocks that are not normally routable over the Internet

Data Payload Encryption
• VPNs can be configured to fully or partially encrypt the data portion of packets
• Encryption is accomplished in one of two ways:
  – Transport method: the originating host encrypts traffic when it is generated; the data is encrypted, but the IP header is not
  – Tunnel method: gateways at the tunnel endpoints encrypt and decrypt the traffic in transit; the original header and data are both encrypted and carried inside a new outer packet
• Encryption strength (algorithm and key length) varies by product and configuration

Encrypted Authentication
• Encryption domain: everything in the protected network and behind the gateway
• Authentication is essential; recipients of VPN communication must know the sender is an approved user
• Hosts authenticate by proving possession of keys
• Two types of keys:
  – Symmetric keys: both hosts hold the same secret (pre-shared) key; each verifies the other's identity by demonstrating knowledge of it, and the key itself is never sent over the wire
  – Asymmetric keys: each participant has a private key and a public key; public keys are exchanged; data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key is verified with the public key

Benefits and Drawbacks of VPNs
• Benefits:
  – Secure networking without costly leased lines
  – Encryption/translation handled by dedicated systems, reducing production machine workload
  – Allows control of the physical setup
• Drawbacks:
  – Complex and, if configured improperly, can create significant network vulnerabilities
  – Uses the unpredictable and often unreliable Internet
  – Some vendor solutions have more documented security issues than others

VPNs Extend Network Boundaries
• VPN connections that are "always on" extend your network to locations out of your control
• Some suggestions for dealing with the increased risk presented by these connections:
  – Use two or more authentication tools to identify remote users
  – Integrate virus protection
  – Use Network Access Control (NAC)
  – Set usage limits

Types of VPNs
• In general, you can set up two types of VPN:
  – Site-to-site: links two or more networks
  – Client-to-site: makes a network accessible to remote users who need dial-in access
• These two VPN types are not mutually exclusive
• Options for configuring VPNs:
  – Hardware systems
  – Software systems
  – Hybrids
• VPNs need to be able to work with any number of different operating systems or computer types

VPN Appliances
• Hardware device specially designed to terminate VPNs and join multiple LANs
• Can permit connections between large numbers of users or multiple networks
• Don't provide other services such as file sharing and printing
• Some examples include the SonicWALL series and the Symantec Firewall/VPN appliance

Software VPN Systems
• Generally less expensive than hardware systems
• Tend to scale better on fast-growing networks
• Some examples include F-Secure VPN+ and Novell's BorderManager VPN services

VPN Combinations of Hardware and Software
• VPN systems may implement a VPN appliance at the central network and use client software at the remote end of each VPN connection
• Most VPN concentrator appliances are capable of operating in one of two modes:
  – Client mode: the concentrator acts as a software client, enabling users to connect to other remote networks via VPN
  – Network extension mode: the concentrator acts as a hardware device enabling a secure site-to-site VPN connection

Combination VPNs
• A VPN system that is "mixed" uses hardware and software from different vendors
• Challenge: get all pieces of the system to communicate with one another successfully
• Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec

VPN Setups
• With two participants in a VPN, configuration is relatively straightforward in terms of:
  – Expense
  – Technical difficulty
  – Time involved
• When three or more networks/individuals are connected, several configuration options exist:
  – Mesh
  – Hub-and-spoke
  – Hybrid

Mesh Configuration
• Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant
• During VPN configuration, each participant must be specifically identified to every other participant using the VPN
• Before initiating a connection, each VPN terminator checks its routing table or SA table to confirm the other participant has an SA with it

Mesh VPN (diagram)

Hub-and-Spoke Configuration
• A single VPN router contains records of all SAs in the VPN
• Any LANs or computers participating in the VPN need only connect to the central server, not to any other machines in the VPN
• Easy to increase the size of the VPN as more branch offices or computers are added

Hub-and-Spoke VPN (diagram)

Hybrid Configuration
• As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two
• Mesh configurations tend to be more efficient, since traffic between any two participants takes a direct path instead of transiting a hub; the central core linking the most important network branches should therefore be a mesh, with other branch offices added as spokes connecting to the VPN router at the central office
• A hybrid setup benefits from the strengths of each: the scalability of hub-and-spoke and the speed of mesh

Configurations and Extranet and Intranet Access
• Each VPN endpoint represents an extension of the corporate network to a new location: an extranet
• The same security measures taken to protect the corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.)
• VPNs can also be used to give parts of the organization access to other areas through the corporate intranet
• VPN users inside the organization should have usage limits, anti-virus, and firewall protection, just as outside users should

Tunneling Protocols Used with VPNs
• In the past, firewalls providing establishment of VPNs used proprietary protocols
• Such firewalls could only establish connections with remote LANs using the same firewall brand
• Today, widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system means proprietary protocols are used far less often

IPSec/IKE
• IPSec provides two security methods:
  – Authentication Header (AH): authenticates packets (integrity and origin of the IP header and payload) but does not encrypt them
  – Encapsulating Security Payload (ESP): encrypts the data portion of packets and can also authenticate it
• IPSec can work in two different modes:
  – Transport mode: provides secure communications between hosts; only the payload is protected and the original IP header is kept
  – Tunnel mode: used to create secure links between two private networks; the entire original packet is wrapped inside a new IP packet addressed between the gateways
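The following is an added example, not code from the textbook, illustrating two of the slides above: IP encapsulation (a private-addressed packet carried as the payload of a gateway-to-gateway packet, as in tunnel mode) and an AH-style integrity check. It uses only the Python standard library; the 128-bit truncated HMAC, the key, the addresses and the payload are constructed for the demonstration and are not a full RFC 4302 implementation. The point to notice is which header fields AH leaves out of the ICV: a router decrementing TTL does not break the check, but a NAT rewriting the source address does.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not from the textbook): IPv4 tunnel-mode encapsulation and an
# AH-style integrity check value (ICV) built with the standard library only.
# The key, addresses and payload are constructed test data.
ICV_LEN = 16                      # ICV truncated to 128 bits, as HMAC-SHA-256-128 does
AH_LEN = 12 + ICV_LEN             # fixed AH fields (12 bytes) + ICV
IPPROTO_IPIP, IPPROTO_AH = 4, 51

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; yields 0 when fed a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "checksum_ok": ipv4_checksum(packet[:20]) == 0,
            "payload": packet[20:]}

def tunnel_encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, private addresses included, becomes the
    payload of a new packet addressed gateway to gateway (IP-in-IP, protocol 4)."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)

def rewrite_header(packet: bytes, ttl=None, src=None) -> bytes:
    """What a router (TTL decrement) or a NAT device (source rewrite) does in transit."""
    hdr = bytearray(packet[:20])
    if ttl is not None:
        hdr[8] = ttl
    if src is not None:
        hdr[12:16] = socket.inet_aton(src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]

def _ah_covered(packet: bytes) -> bytes:
    """AH authenticates the IP header with its mutable fields zeroed (TOS, flags and
    fragment offset, TTL, checksum), the AH header with a zeroed ICV, and the payload.
    The addresses are NOT mutable, which is why AH and NAT conflict."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + packet[20:32] + bytes(ICV_LEN) + packet[20 + AH_LEN:]

def ah_protect(src, dst, next_proto, payload, key, spi, seq) -> bytes:
    """IP header (proto 51) | AH {next header, length, reserved, SPI, sequence, ICV} | payload."""
    ah = struct.pack("!BBHII", next_proto, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = build_ipv4(src, dst, IPPROTO_AH, ah + payload)
    icv = hmac.new(key, _ah_covered(packet), hashlib.sha256).digest()[:ICV_LEN]
    return packet[:32] + icv + packet[32 + ICV_LEN:]

def ah_verify(packet: bytes, key: bytes) -> bool:
    if packet[9] != IPPROTO_AH:
        return False
    expected = hmac.new(key, _ah_covered(packet), hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(packet[32:32 + ICV_LEN], expected)

def demo() -> dict:
    key = b"constructed demo key, not for production use"
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello from branch A")   # RFC 1918 addresses
    outer = tunnel_encapsulate(inner, "203.0.113.10", "198.51.100.20")      # gateway addresses
    on_wire, delivered = parse_ipv4(outer), parse_ipv4(parse_ipv4(outer)["payload"])
    protected = ah_protect("203.0.113.10", "198.51.100.20", IPPROTO_IPIP, inner, key, 0x1001, 1)
    return {
        "outer_src": on_wire["src"], "outer_dst": on_wire["dst"],
        "outer_checksum_ok": on_wire["checksum_ok"],
        "inner_src": delivered["src"], "inner_dst": delivered["dst"],
        "inner_payload": delivered["payload"],
        "ah_ok": ah_verify(protected, key),
        "ah_ok_after_router": ah_verify(rewrite_header(protected, ttl=63), key),
        "ah_ok_after_nat": ah_verify(rewrite_header(protected, src="192.0.2.1"), key),
        "ah_ok_tampered": ah_verify(protected[:-1] + bytes([protected[-1] ^ 1]), key),
        "ah_ok_wrong_key": ah_verify(protected, b"some other key"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block shows the outer packet carrying only the two gateway addresses while the private 10.x addresses ride inside, and the AH check surviving a TTL decrement but failing after a NAT rewrite, a payload change, or a wrong key. ESP avoids the NAT problem because its ICV does not cover the outer IP header, which is one reason ESP (often with UDP encapsulation on port 4500) is what most deployments use.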

IPSec/IKE (continued)
• IKE negotiates the keys and security associations that IPSec then uses; the connection process:
  – 1. IKE SA setup (IKEv1 Phase 1; IKEv2 IKE_SA_INIT): the initiator sends a connection request with its proposed algorithms, a Diffie-Hellman public value, and a random nonce; the remote host replies with its selection, its own Diffie-Hellman value, and its nonce
  – 2. Both sides compute the shared Diffie-Hellman secret and derive session keys from it and the two nonces; no key is ever transmitted
  – 3. Authentication (IKEv1 Phase 1 identity exchange; IKEv2 IKE_AUTH): each side proves its identity, either by computing a keyed hash over the exchange using the pre-shared key, or by signing it with the private key belonging to its certificate; the pre-shared key itself is never sent, the peer simply recomputes the hash with its own copy and compares
  – 4. IPSec SA negotiation (IKEv1 Phase 2, Quick Mode; IKEv2 CREATE_CHILD_SA, or the first Child SA within IKE_AUTH): the parties agree on AH/ESP parameters and keys, the security association (SA) is installed, and the VPN connection is established
• The pre-shared key is used only to prove identity, so a weak or widely shared key lets anyone who knows it impersonate a peer; certificates avoid sharing one secret across many sites
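The exchange described above, as an added example that is not part of the textbook: a simplified model of IKEv2 pre-shared-key authentication following the formulas of RFC 7296 (SKEYSEED = prf(Ni | Nr, g^ir); AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets)). It also illustrates the symmetric-key case from the Encrypted Authentication slide. The Diffie-Hellman group is a toy prime chosen for readability and is not an IKE group, only one prf+ block is derived, the payload encodings are not wire-accurate, and the identities and keys are constructed test data. What it shows is the separation of concerns: Diffie-Hellman alone gives both sides the same keys whether or not they share a PSK; only the AUTH step tells them whom they are talking to.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not from the textbook): simplified IKEv2 PSK authentication.
P = (1 << 127) - 1                 # toy modulus (a Mersenne prime), NOT an IKE group
G = 2
KEY_PAD = b"Key Pad for IKEv2"     # literal string from RFC 7296, section 2.15

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 PRF; here PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity, self.psk = identity, psk
        self.spi = os.urandom(8)                     # this side's IKE SA identifier
        self.nonce = os.urandom(32)
        self._priv = secrets.randbelow(P - 2) + 1    # DH private value, never leaves the host
        self.ke = pow(G, self._priv, P).to_bytes(16, "big")   # KE payload: g^x mod p
        self.sk_p = None

    def derive_keys(self, peer_ke: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes):
        """SKEYSEED = prf(Ni | Nr, g^ir); keys = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
        One prf+ block is taken here and used as SK_p; real IKEv2 slices SK_d, SK_a*,
        SK_e* and separate SK_pi / SK_pr out of the full prf+ stream."""
        g_ir = pow(int.from_bytes(peer_ke, "big"), self._priv, P).to_bytes(16, "big")
        skeyseed = prf(ni + nr, g_ir)
        self.sk_p = prf(skeyseed, ni + nr + spi_i + spi_r + b"\x01")

    def auth(self, signed_octets: bytes) -> bytes:
        """AUTH = prf(prf(PSK, "Key Pad for IKEv2"), <SignedOctets>); the PSK itself never leaves the host."""
        return prf(prf(self.psk, KEY_PAD), signed_octets)

def ikev2_psk_handshake(initiator_psk: bytes, responder_psk: bytes) -> dict:
    i = Peer(b"branch-gw.example", initiator_psk)   # constructed identities
    r = Peer(b"hq-gw.example", responder_psk)
    # IKE_SA_INIT: SPIs, DH public values and nonces cross the wire in the clear
    msg1 = i.spi + i.ke + i.nonce
    msg2 = r.spi + r.ke + r.nonce
    i.derive_keys(r.ke, i.nonce, r.nonce, i.spi, r.spi)
    r.derive_keys(i.ke, i.nonce, r.nonce, i.spi, r.spi)
    # IKE_AUTH: each side MACs what was exchanged plus its MACed identity payload
    signed_i = msg1 + r.nonce + prf(i.sk_p, i.identity)    # InitiatorSignedOctets
    signed_r = msg2 + i.nonce + prf(r.sk_p, r.identity)    # ResponderSignedOctets
    auth_i, auth_r = i.auth(signed_i), r.auth(signed_r)
    # the verifier recomputes the peer's AUTH with its OWN copy of the PSK and compares
    i_ok = hmac.compare_digest(auth_i, prf(prf(r.psk, KEY_PAD), msg1 + r.nonce + prf(r.sk_p, i.identity)))
    r_ok = hmac.compare_digest(auth_r, prf(prf(i.psk, KEY_PAD), msg2 + i.nonce + prf(i.sk_p, r.identity)))
    return {"dh_keys_agree": i.sk_p == r.sk_p,
            "initiator_authenticated": i_ok,
            "responder_authenticated": r_ok,
            "sa_established": i_ok and r_ok}

if __name__ == "__main__":
    print("matching PSKs:  ", ikev2_psk_handshake(b"correct horse", b"correct horse"))
    print("mismatched PSKs:", ikev2_psk_handshake(b"correct horse", b"battery staple"))
```

In the mismatched case the keys still agree (Diffie-Hellman does not care who the peer is) but both AUTH checks fail and no SA is installed. A passive observer sees the SPIs, nonces and public DH values but not the private exponents, so it cannot recover SK_p or forge AUTH without the PSK.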

PPTP
• Point-to-Point Tunneling Protocol (PPTP)
• Commonly used to connect to a network using a dial-in modem connection
• Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data; the MPPE keys are derived from the MS-CHAP authentication exchange, and MS-CHAPv2 is known to be breakable, so PPTP should be treated as a legacy protocol rather than a secure choice
• Useful if support for older clients is needed
• The control connection is TCP, but the data travels in GRE packets, which carry no port numbers; a NAT device therefore needs a PPTP-aware translation feature (a PPTP helper or ALG) before clients behind it can connect, so NAT traversal is a property of the NAT device, not of PPTP itself

L2TP
• Layer 2 Tunneling Protocol (L2TP)
• Extension of the Point-to-Point Protocol (PPP)
• Provides no encryption of its own; in practice it is run over IPSec (L2TP/IPSec), so IPSec rather than MPPE protects the data
• Provides secure authenticated remote access by separating the connection initiation process from the encapsulated data forwarding process

PPP Over SSL/PPP Over SSH
• Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and PPP Over Secure Shell (SSH)
  – UNIX-based methods for creating VPNs
  – Combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
• SSL (today TLS): uses public-key cryptography to authenticate the server and agree on session keys, then symmetric encryption for the data; originally developed to provide secure communications over the WWW
• SSH: UNIX secure shell; performs secure authenticated logons and encrypted communications; the server is identified by its host key and the user by a password or public key, so no pre-shared key is required

VPN Protocols and Their Uses (table)

Enabling Remote Access Connections within VPNs
• To enable a remote user to connect to the VPN, the user must be issued VPN client software
• The user's computer should be equipped with a firewall and anti-virus software
• A key may need to be obtained for the remote user if IPSec is used to make the VPN connection
• Problems may be encountered finding a phone provider that has dial-up numbers in all locations

Configuring the Server
• If a firewall-based VPN is used, the client computer must be identified
• Check Point FireWall-1 calls this process defining a network object
• Major operating systems incorporate their own methods of providing secure remote access
• Linux: the IP Masquerade feature provides the address translation (NAT) on the gateway; masquerading alone is not a VPN, so the tunnel itself still needs an IPSec or PPP-based tunneling implementation alongside it
• Windows XP and 2000 include the New Connection Wizard

Configuring Clients
• Involves installing and configuring VPN client software or using the New Connection Wizard
• FireWall-1 uses SecuRemote, which enables connections to hosts or networks via VPN
• Important issues to consider:
  – Will the client software work with all client platforms?
  – Is the client workstation itself firewall protected?
• Because each VPN connection is a potential opening for viruses and hackers, the requirement that remote hosts be protected with firewalls should be part of the organization's VPN policy

VPN Best Practices
• Successful operation of a VPN depends not only on the hardware and software components and the overall configuration
• It also depends on a number of best practices
• These include:
  – Security policy rules specific to the VPN
  – Integration of firewall packet filtering with VPN traffic
  – Auditing the VPN to ensure acceptable performance

The Need for a VPN Policy
• Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use
• Can be a separate stand-alone policy or part of a larger security policy
• Points to cover include but are not limited to:
  – Who is permitted to have VPN access
  – Whether authentication is to be used and how
  – Whether split tunneling is permitted (the client sending Internet-bound traffic directly instead of through the VPN, which bypasses the corporate perimeter controls)
  – How long users can be connected in one session
  – Whether virus protection is included

Packet Filtering and VPNs
• A decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering
• Encryption and decryption can occur either inside or outside the packet-filtering perimeter
• If the VPN endpoint sits on the Internet side of the filter, the decrypted traffic passes through the filter and the rules apply to the real packets; if the endpoint sits inside the perimeter, the filter sees only encrypted tunnel packets, so it can permit or deny the tunnel but cannot inspect what travels inside it

PPTP Filters
• PPTP is commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT
• For PPTP traffic to pass through a firewall, packet-filtering rules must permit such communications
• Incoming PPTP control connections arrive on TCP port 1723
• PPTP data uses Generic Routing Encapsulation (GRE), IP protocol number 47; GRE is not a TCP or UDP port, so the filter must allow protocol 47 explicitly

L2TP and IPSec Packet-Filtering Rules
• L2TP uses IPSec to encrypt traffic as it passes through the firewall
• Packet-filtering rules must be set up that cover IPSec traffic:
  – UDP port 500 for IKE key exchange
  – UDP port 4500 for IKE and ESP when NAT traversal (NAT-T) is in use
  – IP protocol 50 (ESP) and, if used, IP protocol 51 (AH)
  – L2TP itself (UDP port 1701) should be accepted only inside the IPSec tunnel, never as plain traffic from the Internet
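The rule set the two filtering slides call for, as an added example (not from the textbook or any firewall product): a first-match packet filter for the external interface of a firewall in front of a PPTP or L2TP/IPSec VPN server. The server address, the client address and the sample packets are constructed test data; a real deployment would add stateful handling of return traffic and bind the rules to an interface.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the textbook): first-match packet filter for VPN traffic.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51
VPN_SERVER = "203.0.113.10"          # the VPN terminator (constructed address)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None      # GRE, ESP and AH carry no port numbers

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: Optional[int] = None      # None matches any protocol
    dst: Optional[str] = None        # None matches any destination
    dport: Optional[int] = None      # None matches any port (and portless protocols)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

# Inbound rules on the external interface, evaluated top to bottom; first match wins.
INBOUND_RULES = [
    Rule("pptp-control", "allow", PROTO_TCP, VPN_SERVER, 1723),   # PPTP control channel
    Rule("pptp-data-gre", "allow", PROTO_GRE, VPN_SERVER),        # PPTP data: IP protocol 47
    Rule("ike", "allow", PROTO_UDP, VPN_SERVER, 500),             # IKE key exchange
    Rule("ike-nat-t", "allow", PROTO_UDP, VPN_SERVER, 4500),      # IKE/ESP behind NAT
    Rule("ipsec-esp", "allow", PROTO_ESP, VPN_SERVER),            # IP protocol 50
    Rule("ipsec-ah", "allow", PROTO_AH, VPN_SERVER),              # IP protocol 51
    # Bare L2TP from the Internet means the IPSec wrapper is missing: reject it explicitly
    # so the intent is visible in the rule base and in the logs.
    Rule("l2tp-outside-ipsec", "deny", PROTO_UDP, None, 1701),
    Rule("default-deny", "deny"),
]

def filter_packet(pkt: Packet, rules=INBOUND_RULES) -> tuple:
    """Return (action, rule name) for the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def demo() -> dict:
    client = "198.51.100.7"                                       # constructed remote client
    samples = {
        "pptp control to server": Packet(client, VPN_SERVER, PROTO_TCP, 1723),
        "gre to server": Packet(client, VPN_SERVER, PROTO_GRE),
        "gre to internal host": Packet(client, "203.0.113.50", PROTO_GRE),
        "ike to server": Packet(client, VPN_SERVER, PROTO_UDP, 500),
        "esp to server": Packet(client, VPN_SERVER, PROTO_ESP),
        "bare l2tp to server": Packet(client, VPN_SERVER, PROTO_UDP, 1701),
        "ssh to server": Packet(client, VPN_SERVER, PROTO_TCP, 22),
    }
    return {name: filter_packet(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:26s} -> {action:5s} ({rule})")
```

Note that GRE, ESP and AH are matched on the IP protocol number alone: a rule written only in terms of TCP/UDP ports would silently drop them, which is the most common reason a freshly firewalled PPTP or IPSec server completes authentication and then passes no data.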

Auditing and Testing the VPN
• Each VPN computer client should be tested
• The VPN should be checked to ensure component reliability and acceptable file transfer rates
• If parts of the network frequently fail, switch ISPs
• If an ISP switch is needed, consider the following:
  – How often does the network go offline?
  – Are there backup servers to keep customers online if the primary server goes down?
  – Are there backup power supplies in case of a power outage?
  – How far away is the network backbone?

Chapter Summary
• VPNs:
  – Provide secure point-to-point communications over the public Internet
  – Are used for e-commerce and telecommuting
  – Can be set up with special hardware or with firewall software that includes VPN functionality
  – Are a critical component in an organization's perimeter security configuration

Chapter Summary (continued)
• VPN data travels over public networks and needs to be well protected
• Essential data protection activities:
  – IP encapsulation
  – Data payload encryption
  – Encrypted authentication
• Two different types of VPN:
  – Site-to-site
  – Client-to-site
• The two are not necessarily mutually exclusive

Chapter Summary (continued)
• VPN configurations:
  – Mesh configuration: each participant has an approved relationship with every other participant
  – Hub-and-spoke arrangement: a single, central VPN router contains records of all associations; all other participants connect only to the central server
  – Hybrid setup: a mixture that often evolves from the other configuration types as the organization grows
• Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols are used far less often

Chapter Summary (continued)
• IPSec provides two security methods:
  – Authentication Header (AH): authenticates packets
  – Encapsulating Security Payload (ESP): encrypts the data portion of packets
• Both methods can be used together

Chapter Summary (continued)
• Point-to-Point Tunneling Protocol (PPTP) is used to connect to a network using a dial-in modem
• Layer 2 Tunneling Protocol (L2TP) is an extension of the protocol long used for dial-up connections on the Internet, the Point-to-Point Protocol (PPP)
• Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and PPP Over Secure Shell (SSH)
  – UNIX-based methods for creating VPNs
  – Combine an existing tunnel system (PPP) with data encryption in transport (SSL or SSH)

Chapter Summary (continued)
• To enable a remote user to connect to a VPN, issue that user VPN client software
• Make sure the user's computer has anti-virus software and a firewall
• You may need to obtain a key for the remote user if using IPSec to make the VPN connection
• VPN best practices include:
  – Security policy rules specific to the VPN
  – Integration of firewall packet filtering and VPN traffic
  – Auditing the VPN to ensure acceptable performance