Network Security, Firewalls,
and VPNs
Week 5&6
VPN Fundamentals
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
From Last Week…
Virtual Labs:
Configuring a pfSense Firewall for the Server
Penetration Testing a pfSense Firewall
Required Reading: Chapters 2 & 7
5/31/2020
Learning Objectives
Describe the foundational concepts of VPNs.
Appraise the elements of VPN implementation and management.
Describe common VPN technologies.
Key Concepts
Virtual private network (VPN) essentials
The roles of VPN appliances, edge routers, and corporate firewalls
VPN implementation
Best practices for implementing and managing VPNs
Common network locations where VPNs are deployed
VPN deployment planning for the enterprise
VPN policy creation
Strategies for overcoming VPN performance and stability issues
Software- and hardware-based VPN solutions
Virtual Private Network (VPN)
What Is a VPN?
Network that uses the public telecom infrastructure (Internet) to provide remote access to secure private networks
Allows organizations to privately transmit sensitive data remotely over public networks
Secures communication between separate private networks through tunneling
Protects sensitive information transiting the public network
What Is a VPN?
Low-cost alternative to leased-line infrastructure
Supports Internet remote access
Provides remote access and remote control
Employs encryption and authentication for secure transmission
Restrictions for mobile users that ensure a baseline level of conformity and security
VPN Endpoints
Host Computer Systems
Edge Routers
Corporate Firewalls
Dedicated VPN Appliances
VPN Encryption Modes
Tunnel mode
Protects packet from header to payload
Transport mode
Protects only the packet payload
VPNs Bridge Distant Connections
Home and satellite offices
May span separate cities, states, countries, geographic territories, and international borders
Provide varying levels of granular network access to separate locations
VPNs maintain confidentiality and integrity for users and data (C-I-A triad)
Drawbacks of VPNs
Congestion, latency, fragmentation, and packet loss
Difficulties with compliance and troubleshooting
Encrypted traffic does not compress
Lacks repeating patterns
More bandwidth-intensive than clear-text transmission
Connectivity requires high availability
VPN Security and Privacy Issues
Cannot ensure quality of service (QoS) or complete security
Links depend on availability, stability, and throughput of ISP connection
Not ideal connection method for dial-up modems or low-bandwidth links
Infected mobile users can potentially damage or disrupt the private network
Confidential data can be copied outside the boundaries of internal controls
VPNs Are Not a Cure-all Solution
Upkeep, Updates, and Upgrades: Software Fixes, Software Updates, Software Patches, Hardware Upgrades
Client Compliance: Roaming profiles, Careless users, Defiant users, Tamper with systems, Bypass restrictions
Safety and Security (Inconsistent Security): True VPN, Trusted VPN, Secure VPN, Hybrid VPN
VPN Best Practices: Predeployment
Choose a solution that's right for your environment, with proven capabilities
Plan to provide redundancy
Create a written VPN policy
Ensure client security
Vulnerability management
Document your VPN implementation plan
Developing a VPN Policy
Restrict remote access to the organization’s VPN solution.
Prohibit split tunneling.
Define classes of employee that can access the network by VPN.
Define types of VPN connections to permit.
Define authentication methods permitted.
Prohibit sharing of VPN credentials.
List configuration requirements for remote hosts, including current virus protection, anti-malware, host-based intrusion detection system (HIDS), and a personal firewall.
Developing a VPN Policy (Cont.)
Prohibit the use of non-company equipment or, if personal systems may connect to the VPN, define the minimum standards for those connections.
Define required encryption levels for VPN connections.
If you will be using your VPN for network-to-network connections, define approval process and criteria for establishing a network-to-network connection.
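Added example (not from the slides or the textbook): a posture check that turns the policy items above into an enforceable admission decision. The field names, policy values and thresholds are assumptions chosen for this example, not settings of any real VPN product.

```python
"""Constructed posture check that turns the VPN policy bullets into an
enforceable decision.  Field names, policy values and thresholds are
assumptions for this example, not settings from any real VPN product."""
from dataclasses import dataclass


@dataclass
class RemoteHost:
    user_class: str              # e.g. "employee", "contractor", "guest"
    company_owned: bool          # company equipment or personal system
    auth_method: str             # e.g. "cert+mfa", "password+mfa", "password"
    cipher_suite: str            # negotiated tunnel cipher
    split_tunnel_requested: bool
    av_signature_age_days: int   # age of virus definitions on the host
    anti_malware_running: bool
    hids_running: bool           # host-based intrusion detection system
    host_firewall_enabled: bool  # personal firewall


POLICY = {                                    # assumed policy values
    "allowed_classes": {"employee", "contractor"},
    "allowed_auth": {"cert+mfa", "password+mfa"},
    "personal_device_auth": {"cert+mfa"},     # stricter minimum for personal systems
    "allowed_ciphers": {"AES-256-GCM", "CHACHA20-POLY1305"},
    "max_av_age_days": 7,
}


def deny_reasons(host: RemoteHost, policy: dict = POLICY) -> list:
    """Return every policy violation; an empty list means the host may connect."""
    reasons = []
    if host.user_class not in policy["allowed_classes"]:
        reasons.append(f"user class '{host.user_class}' not permitted on VPN")
    if host.split_tunnel_requested:
        reasons.append("split tunneling is prohibited")
    if host.auth_method not in policy["allowed_auth"]:
        reasons.append(f"authentication method '{host.auth_method}' not permitted")
    if not host.company_owned and host.auth_method not in policy["personal_device_auth"]:
        reasons.append("personal device must use certificate plus MFA")
    if host.cipher_suite not in policy["allowed_ciphers"]:
        reasons.append(f"cipher '{host.cipher_suite}' below required encryption level")
    if host.av_signature_age_days > policy["max_av_age_days"]:
        reasons.append(f"virus signatures {host.av_signature_age_days} days old")
    for active, name in ((host.anti_malware_running, "anti-malware"),
                         (host.hids_running, "host-based IDS"),
                         (host.host_firewall_enabled, "personal firewall")):
        if not active:
            reasons.append(f"{name} not active")
    return reasons


def admit(host: RemoteHost) -> bool:
    """Admission decision: connect only when no policy item is violated."""
    return not deny_reasons(host)


# Constructed sample hosts: a managed corporate laptop and a personal home PC.
MANAGED_LAPTOP = RemoteHost("employee", True, "cert+mfa", "AES-256-GCM",
                            False, 1, True, True, True)
HOME_PC = RemoteHost("employee", False, "password+mfa", "AES-256-GCM",
                     True, 30, True, False, True)

if __name__ == "__main__":
    print("managed laptop admitted:", admit(MANAGED_LAPTOP))
    print("home PC denied because:", deny_reasons(HOME_PC))
```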
VPN Best Practices: Post Deployment
Perform Regularly: Usage Review, Back Up, Patching
Types of VPN Implementations
Bypass VPN
Types of VPN Implementations
Internally Connected VPN
Types of VPN Implementations
A VPN in a DMZ
Internet Protocol Security (IPSec)
IPSec VPNs:
Support all operating system platforms
Provide secure, node-on-the-network connectivity
Offer standards-based solution
Layer 2 Tunneling Protocol (L2TP)
Largely replaced by IPSec and SSL/TLS
Is a combination of best features of Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Forwarding (L2F) Protocol
Limitation: Provides mechanism for creating tunnels through an IP network but not for encrypting the data being tunneled
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Non-IPSec alternative for VPNs
SSL/TLS authentication is one-way
SSL VPNs:
Platform independent
Client flexibility
Work with NAT
Fewer firewall rules required
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Figures: a secure browser session using SSL; a certificate in an HTTPS connection.
Secure Shell (SSH) Protocol
Used for:
Login to a shell on a remote host (replaces Telnet and rlogin)
Executing a single command on a remote host (replaces rsh)
File transfers to a remote host
In conjunction with the OpenSSH server and client to create a full VPN connection
Secure Shell (SSH) Protocol
Figure: an application that uses SSH.
VPN Deployment Models
True, Trusted, Secure, and Hybrid Models
Tailor VPN security to match organizational and data privacy needs
Establish control
Components (software and hardware)
Conversations (endpoint connections)
Communications (network infrastructure)
VPN Deployment Models
Customers and providers may separately manage and maintain devices
Customers may outsource different aspects of VPN ownership and operation to service providers
Custom tailor ownership and operator responsibilities to budgetary needs
VPN Architectures
Remote access (host-to-site) supports single connections into the LAN
LAN-to-LAN and WAN (site-to-site) supports LAN-to-LAN via Internet
Client-server (host-to-host) supports direct connections via Internet
VPN Architectures
A corporation may control different aspects of the network
Authentication, Authorization, and Accounting (AAA) server deployment
Different technologies for different needs
VPN to Connect a LAN with Remote Mobile Users
VPN Used to Connect Multiple LANs
VPN Used to Connect Multiple LANs with Remote Mobile Users
VPN Supporting Services and Protocols
Enterprise-class VPNs require enterprise-class security
Authentication establishes levels of authorization and access
Cryptographic transport protocols don’t “play well” together
VPN Protocols
IPSec (originally for IPv6 but widely used on IPv4)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Datagram Transport Layer Security (DTLS)
Microsoft Point-to-Point Encryption
Secure Socket Tunneling Protocol (SSTP)
Network Protocols
Tunneling protocols package packets within packets for secure transport
Transport protocols package payloads within packets
Encapsulating protocols wrap around original passenger protocols
Carrier protocols carry the packaged VPN packets
VPN Tunnel
Encapsulates an entire packet within another packet
Encrypts payload and header (IP and UDP/TCP) to protect identities
Carrier protocol used to transmit the VPN packets
Encapsulating protocol packages the original data
VPN Tunnel
Passenger protocol—original data payload or protocol being carried
Encapsulates packets that are not routable through the Internet
Routes non-routable address traffic over public infrastructure
Ideal for gateway-to-gateway or network-to-network communication
VPN Transport
Encapsulates only the packet payload
Cannot prevent some forms of observation (eavesdropping and alteration)
Does not conceal endpoint identity
Ideal for direct endpoint-to-endpoint or endpoint-to-gateway communication
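Added example (not from the slides): a constructed model of the two encryption modes from the VPN Encryption Modes, VPN Tunnel and VPN Transport slides, showing what an on-path observer sees in each. The packet format and the keystream "cipher" are stand-ins chosen so the code runs with the standard library; they are not IPsec's real formats.

```python
"""Constructed model of IPsec transport vs tunnel mode.

A packet is a dict; the "cipher" is an HMAC-SHA256 keystream XOR so this
runs with the standard library only.  It is a labelled stand-in for ESP's
real cipher, not an IPsec implementation, and the fixed nonces are
acceptable only because the point is what stays visible, not the crypto.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # shared by the two VPN endpoints


def _xor_keystream(nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-derived keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def transport_mode(pkt: dict) -> dict:
    """Transport mode: only the payload is protected; the IP header stays in clear."""
    body = json.dumps({"proto": pkt["proto"], "payload": pkt["payload"]}).encode()
    return {"src": pkt["src"], "dst": pkt["dst"], "proto": "ESP",
            "esp": _xor_keystream(b"transport", body).hex()}


def tunnel_mode(pkt: dict, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: encrypt the whole inner packet, header included, and wrap
    it in a new outer IP header addressed gateway-to-gateway."""
    inner = json.dumps(pkt).encode()
    return {"src": gw_src, "dst": gw_dst, "proto": "ESP",
            "esp": _xor_keystream(b"tunnel", inner).hex()}


def observer_view(wire: dict) -> dict:
    """What an on-path eavesdropper learns without the key: the clear header."""
    return {k: v for k, v in wire.items() if k != "esp"}


def tunnel_decapsulate(wire: dict) -> dict:
    """Receiving gateway: decrypt and recover the original inner packet."""
    return json.loads(_xor_keystream(b"tunnel", bytes.fromhex(wire["esp"])))


# Constructed sample: a host on each private LAN, gateways on public addresses
# taken from the RFC 5737 documentation ranges.
ORIGINAL = {"src": "10.1.0.25", "dst": "10.2.0.80", "proto": "TCP",
            "payload": "GET /payroll HTTP/1.1"}
GW_A, GW_B = "203.0.113.1", "198.51.100.1"

if __name__ == "__main__":
    print("transport, observer sees:", observer_view(transport_mode(ORIGINAL)))
    print("tunnel,    observer sees:", observer_view(tunnel_mode(ORIGINAL, GW_A, GW_B)))
```

In transport mode the observer still learns which two hosts are talking; in tunnel mode only the gateway pair is visible, which is why the slides pair tunnel mode with gateway-to-gateway use.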
Cryptographic Protocols
Ensure confidentiality and non-repudiation
Require encryption algorithms, protocols, and authentication methods
Endpoints must support identical cryptographic protocols and methods
VPN Authentication, Authorization, and Accountability Mechanisms
Allow approved external entities to interconnect and interact with private network
Use varying methods for authenticating users (passkeys, biometrics, etc.)
Track and log user interactions to maintain user accountability
VPN Hosts and Trust
Trust should vary depending on who is allowed in via the VPN, from least to most risk:
Employee on corporate laptop on managed network (least risk)
Employee on home computer
Employee on airport internet (wireless or kiosk)
Authorized partner
Authorized customer (most risk)
VPNs, NAT, and IPSec
Network Address Translation (NAT)
Static
Dynamic
IPSec (originally for IPv6 but widely used on IPv4)
IPSec has issues traversing a translated (NAT) network
Run IPSec VPNs on untranslated addresses, or deploy an SSL VPN
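Added example (not from the slides): one concrete reason IPSec and NAT conflict. The AH integrity check value (ICV) covers the IP addresses, so a NAT that rewrites the source address invalidates it, while ESP's ICV covers only the ESP header and payload. Both ICVs here are plain HMAC-SHA256 over a constructed text rendering of the packet, a stand-in for the real AH/ESP formats.

```python
"""Constructed check of integrity scope under NAT.

AH's ICV includes the immutable IP header fields (addresses); ESP's ICV
covers SPI, sequence number and payload only.  HMAC-SHA256 over a text
rendering of a packet dict stands in for the real AH/ESP formats.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # shared between the two IPsec peers


def ah_icv(pkt: dict) -> str:
    """AH: the ICV is computed over the IP addresses as well as the payload."""
    msg = f'{pkt["src"]}>{pkt["dst"]}|{pkt["spi"]}|{pkt["seq"]}|{pkt["payload"]}'.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def esp_icv(pkt: dict) -> str:
    """ESP: the ICV covers SPI, sequence number and payload, not the IP header."""
    msg = f'{pkt["spi"]}|{pkt["seq"]}|{pkt["payload"]}'.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """Source NAT on the way out: the private source address is replaced."""
    return {**pkt, "src": public_ip}


def verify(pkt: dict, icv: str, icv_fn) -> bool:
    """Receiver-side check of the ICV carried with the packet."""
    return hmac.compare_digest(icv_fn(pkt), icv)


def survives_nat(pkt: dict, icv_fn, public_ip: str) -> bool:
    """Sender computes the ICV, NAT rewrites src, receiver verifies."""
    icv = icv_fn(pkt)                       # computed on the private-address packet
    return verify(nat_rewrite(pkt, public_ip), icv, icv_fn)


# Constructed sample packet and NAT public address (RFC 5737 ranges).
SAMPLE = {"src": "10.0.0.5", "dst": "203.0.113.10", "spi": 0x1001, "seq": 7,
          "payload": "site-to-site keepalive"}
NAT_PUBLIC = "198.51.100.1"

if __name__ == "__main__":
    print("AH  survives NAT:", survives_nat(SAMPLE, ah_icv, NAT_PUBLIC))
    print("ESP survives NAT:", survives_nat(SAMPLE, esp_icv, NAT_PUBLIC))
```

ESP passes this integrity check but still needs NAT traversal (UDP encapsulation, RFC 3948) in practice, because ESP carries no port numbers for the NAT to map; running on untranslated addresses or using an SSL VPN over TCP sidesteps the problem, as the slide recommends.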
VPN Appliances
Dedicated network offload devices
Specialized to handle VPN offloading from routers and host systems
Can be placed outside corporate firewalls for traffic filtering
Supplements existing corporate firewalls that do not support VPN services
Edge Routers
Transport VPN over public networks
Ensures that all traffic complies with the firewall
Ideal for customer and supplier or business partner access
Best suited for controlled access into DMZ
Corporate Firewall
Pass LAN-to-LAN traffic
Joined networks are treated as any other LAN route
Users don’t have to re-authenticate across segments
No additional firewall filtering or restriction applies
VPN Implementation Choices
A VPN can be implemented as software on the host and gateway
A VPN can be implemented as a hardware appliance
Both have advantages and disadvantages
Both offer cost savings and scalability
Hardware-Based VPNs
Dedicated Resources and Optimized Processing
Advantages: Designed for Routing; Sustains Resources; Streamlined for Security
Disadvantages: Costs and Compatibility
Software-Based VPNs
Platform-independent SSL/TLS VPNs to connect systems
Advantages: Install and Deploy Rapidly; Portable and Efficient
Disadvantages: Connection Speed; Complex to Install and Configure; Server Exposed
Owned and Outsourced VPNs
Own or operate telecommunications infrastructure and VPN endpoints
Contract maintenance or management
VPN Deployment Planning
Plan the physical location of the VPN
Ensure the location meets power and cooling requirements
Plan your IP addressing scheme
Plan firewall rules for permitting VPN access
Configure the VPN server
Set up authentication
Follow change management policies
VPN Deployment Planning
Test the deployment
Create operations manual, user documentation, etc.
Develop support processes
Install VPN clients
Train users
Overcoming VPN Performance Challenges
| Item | Consideration |
| --- | --- |
| VPN type | Client or site-to-site connection support |
| Protocol | IPSec VPN or SSL VPN |
| Load | Number of remote access or site-to-site connections |
| Client configuration | Legacy hardware, memory-intensive applications |
| Bandwidth | Unreliable connections |
| Topology | Connection traverses a firewall or proxy server |
| Encryption level | High encryption necessary but impacts performance |
| Traffic | Traffic spikes, such as from streaming media |
| Client version | Older versions |
Overcoming VPN Stability Challenges
| Item | Consideration |
| --- | --- |
| Configuration | Mission-critical requires high availability or failover |
| Location | Number of devices the connection must traverse (firewalls, routers, etc.) |
| VPN software version | Older software may be unstable |
| Underlying OS | Older versions of OS, or firmware code in hardware VPN |
Summary
Virtual private network (VPN) essentials
The roles of VPN appliances, edge routers, and corporate firewalls
VPN implementation
Best practices for implementing and managing VPNs
Common network locations where VPNs are deployed
VPN deployment planning for the enterprise
VPN policy creation
Strategies for overcoming VPN performance and stability issues
Software- and hardware-based VPN solutions
Virtual Lab: Using Social Engineering Techniques to Plan an Attack
Required Reading: Chapters 3, 11, 12
Midterm Exam: Midterm Study Guide has been posted. The exam will be available next week and needs to be completed next week as well.