mod3_disuccion

Colin Horn
Week_5_6_PPT.pptx

Network Security, Firewalls,

and VPNs

Week 5&6

VPN Fundamentals

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Virtual Labs

Configuring a pfSense Firewall for the Server

Penetration Testing a pfSense Firewall

Chapters 2 & 7

Required Reading

From Last Week…

5/31/2020

Learning Objectives

Describe the foundational concepts of VPNs.

Appraise the elements of VPN implementation and management.

Describe common VPN technologies.

Key Concepts

Virtual private network (VPN) essentials

The roles of VPN appliances, edge routers, and corporate firewalls

VPN implementation

Best practices for implementing and managing VPNs

Common network locations where VPNs are deployed

VPN deployment planning for the enterprise

VPN policy creation

Strategies for overcoming VPN performance and stability issues

Software- and hardware-based VPN solutions

Virtual Private Network (VPN)

What Is a VPN?

Network that uses the public telecom infrastructure (Internet) to provide remote access to secure private networks

Allows organizations to privately transmit sensitive data remotely over public networks

Secures communication between separate private networks through tunneling

Protects sensitive information transiting the public network

What Is a VPN?

Low-cost alternative to leased-line infrastructure

Supports Internet remote access

Provides remote access and remote control

Employs encryption and authentication for secure transmission

Restrictions for mobile users that ensure a baseline level of conformity and security

VPN Endpoints

Host Computer Systems

Edge Routers

Corporate Firewalls

Dedicated VPN Appliances

VPN Encryption Modes

Tunnel mode

Protects packet from header to payload

Transport mode

Protects only the packet payload

VPNs Bridge Distant Connections

Home and satellite offices

May span separate cities, states, countries, geographic territories, and international borders

Provide varying levels of granular network access to separate locations

VPNs maintain confidentiality and integrity for users and data (C-I-A triad)

Drawbacks of VPNs

Congestion, latency, fragmentation, and packet loss

Difficulties with compliance and troubleshooting

Encrypted traffic does not compress

Lacks repeating patterns

More bandwidth-intensive than clear-text transmission

Connectivity requires high availability
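
The bandwidth point on this slide can be measured rather than taken on faith. The following is an added example, not material from the slides or the textbook: it runs zlib over a repetitive clear-text payload and over a byte string standing in for ciphertext. The payload, the seed and the use of seeded random bytes as a model of ciphertext are constructed for the example (the output of any sound cipher is indistinguishable from random bytes, which is exactly why it lacks the repeating patterns a compressor needs).

```python
import random
import zlib

# Constructed sample: a repetitive clear-text payload (repeated HTTP requests),
# the kind of traffic that compresses well on a WAN link.
CLEAR_TEXT = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example.local\r\n"
              b"User-Agent: ExampleClient/1.0\r\nAccept: text/html\r\n\r\n") * 40


def simulated_ciphertext(n: int, seed: int = 7) -> bytes:
    """Stand-in for the output of a sound cipher: a byte string with no
    repeating patterns.  Seeded so the demonstration is reproducible; this
    models ciphertext, it does not encrypt CLEAR_TEXT."""
    return random.Random(seed).randbytes(n)


def compression_ratio(data: bytes) -> float:
    """Size after zlib (DEFLATE, level 9) divided by size before.
    Below 1.0 means the link carries fewer bytes; above 1.0 means more."""
    return len(zlib.compress(data, 9)) / len(data)


def compare() -> dict:
    """Compression ratio of the clear text versus the same amount of ciphertext."""
    return {
        "clear_text_ratio": compression_ratio(CLEAR_TEXT),
        "ciphertext_ratio": compression_ratio(simulated_ciphertext(len(CLEAR_TEXT))),
    }


if __name__ == "__main__":
    r = compare()
    print(f"clear text compresses to {r['clear_text_ratio']:.1%} of its size")
    print(f"ciphertext comes out at  {r['ciphertext_ratio']:.1%} of its size")
```

The practical consequence for a VPN is that link-layer or WAN-optimizer compression applied outside the tunnel gains nothing; the only place compression can still help is inside the tunnel, before encryption, and that option has been the source of compression side channels in TLS, so treat it as a trade-off rather than a free win.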

VPN Security and Privacy Issues

Cannot ensure quality of service (QoS) or complete security

Links depend on availability, stability, and throughput of ISP connection

Not ideal connection method for dial-up modems or low-bandwidth links

Infected mobile users can potentially damage or disrupt the private network

Confidential data can be copied outside the boundaries of internal controls

VPNs Are Not a Cure-all Solution

Diagram labels from the slide (graphic not preserved):

Upkeep, Updates, and Upgrades: Software Fixes, Software Updates, Software Patches, Hardware Upgrades

Safety and Security: True VPN, Trusted VPN, Secure, Hybrid VPN

Client Compliance: Roaming profiles, Tamper with systems, Inconsistent Security, Careless users, Bypass restrictions, Defiant users

VPN Best Practices: Predeployment

Choose a solution that's right for your environment, with proven capabilities

Plan to provide redundancy

Create a written VPN policy

Ensure client security

Vulnerability management

Document your VPN implementation plan

Developing a VPN Policy

Restrict remote access to the organization’s VPN solution.

Prohibit split tunneling.

Define classes of employee that can access the network by VPN.

Define types of VPN connections to permit.

Define authentication methods permitted.

Prohibit sharing of VPN credentials.

List configuration requirements for remote hosts, including current virus protection, anti-malware, host-based intrusion detection system (HIDS), and a personal firewall.

Developing a VPN Policy (Cont.)

Prohibit the use of non-company equipment or, if personal systems may connect to the VPN, define the minimum standards for those connections.

Define required encryption levels for VPN connections.

If you will be using your VPN for network-to-network connections, define approval process and criteria for establishing a network-to-network connection.
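
A written policy of this kind only bites if the gateway can check it before admitting a session. As an added example, not from the slides or the textbook, the following expresses the two policy slides as a posture check: the policy values (approved authentication methods, approved connection types, the minimum key length, the employee classes) and the two sample client snapshots are constructed for the example, and the field names are assumptions about what a posture agent might report.

```python
from dataclasses import dataclass

# Policy values mirror the bullets on the two policy slides.  The concrete
# sets and numbers are assumptions for this example, not course values.
POLICY = {
    "approved_auth_methods": {"certificate", "password+otp"},
    "approved_connection_types": {"ipsec", "ssl"},
    "min_key_bits": 128,
    "vpn_enabled_classes": {"employee", "contractor"},
    "allow_split_tunnel": False,
    "allow_personal_devices": False,
}


@dataclass
class ClientPosture:
    """Constructed snapshot of what a gateway learns from a client posture
    check before admitting the session."""
    user: str
    employee_class: str
    device_managed: bool      # company-owned and managed, vs personal equipment
    connection_type: str
    auth_method: str
    key_bits: int
    split_tunnel: bool
    antivirus_current: bool
    antimalware_present: bool
    hids_present: bool
    host_firewall_on: bool


def evaluate(p: ClientPosture, policy: dict = POLICY) -> list[str]:
    """Return every policy violation found; an empty list means admit."""
    v = []
    if p.employee_class not in policy["vpn_enabled_classes"]:
        v.append(f"class '{p.employee_class}' is not permitted VPN access")
    if not p.device_managed and not policy["allow_personal_devices"]:
        v.append("non-company equipment is prohibited")
    if p.connection_type not in policy["approved_connection_types"]:
        v.append(f"connection type '{p.connection_type}' is not permitted")
    if p.auth_method not in policy["approved_auth_methods"]:
        v.append(f"authentication method '{p.auth_method}' is not permitted")
    if p.key_bits < policy["min_key_bits"]:
        v.append(f"{p.key_bits}-bit encryption is below the required "
                 f"{policy['min_key_bits']}-bit level")
    if p.split_tunnel and not policy["allow_split_tunnel"]:
        v.append("split tunneling is prohibited")
    # Remote-host configuration requirements from the policy slide
    for ok, name in ((p.antivirus_current, "current virus protection"),
                     (p.antimalware_present, "anti-malware"),
                     (p.hids_present, "host-based intrusion detection (HIDS)"),
                     (p.host_firewall_on, "a personal firewall")):
        if not ok:
            v.append(f"remote host lacks {name}")
    return v


# Constructed sample postures: one compliant client, one failing on several points.
COMPLIANT = ClientPosture("alice", "employee", True, "ssl", "certificate", 256,
                          False, True, True, True, True)
NONCOMPLIANT = ClientPosture("bob", "guest", False, "pptp", "password", 56,
                             True, False, True, False, True)

if __name__ == "__main__":
    for p in (COMPLIANT, NONCOMPLIANT):
        issues = evaluate(p)
        print(p.user, "ADMIT" if not issues else "DENY")
        for issue in issues:
            print("  -", issue)
```

Returning the full list of violations rather than stopping at the first one is deliberate: the help desk gets every reason the client was refused, and the gateway log records which policy lines are actually being hit.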

VPN Best Practices: Post Deployment

Perform Regularly

Usage Review

Back Up

Patching

Types of VPN Implementations

Bypass VPN

Types of VPN Implementations

Internally Connected VPN

Types of VPN Implementations

A VPN in a DMZ

Internet Protocol Security (IPSec)

IPSec VPNs:

Support all operating system platforms

Provide secure, node-on-the-network connectivity

Offer standards-based solution

Layer 2 Tunneling Protocol (L2TP)

Largely replaced by IPSec and SSL/TLS

Is a combination of best features of Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Forwarding (L2F) Protocol

Limitation: Provides mechanism for creating tunnels through an IP network but not for encrypting the data being tunneled

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Non-IPSec alternative for VPNs

SSL/TLS authentication is one-way

SSL VPNs:

Platform independent

Client flexibility

Work with NAT

Fewer firewall rules required

Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)

A secure browser session using SSL.

A certificate in an HTTPS connection.

Secure Shell (SSH) Protocol

Used for:

Login to a shell on a remote host (replaces Telnet and rlogin)

Executing a single command on a remote host (replaces rsh)

File transfers to a remote host

In conjunction with the OpenSSH server and client to create a full VPN connection

Secure Shell (SSH) Protocol

An application that uses SSH.

VPN Deployment Models

True, Trusted, Secure, and Hybrid Models

Tailor VPN security to match organizational and data privacy needs

Establish control

Components (software and hardware)

Conversations (endpoint connections)

Communications (network infrastructure)

VPN Deployment Models

Customers and providers may separately manage and maintain devices

Customers may outsource different aspects of VPN ownership and operation to service providers

Custom tailor ownership and operator responsibilities to budgetary needs

VPN Architectures

Remote access (host-to-site) supports single connections into the LAN

LAN-to-LAN and WAN (site-to-site) supports LAN-to-LAN via Internet

Client-server (host-to-host) supports direct connections via Internet

VPN Architectures

A corporation may control different aspects of the network

Authentication, Authorization, and Accounting (AAA) server deployment

Different technologies for different needs

VPN to Connect a LAN with Remote Mobile Users

VPN Used to Connect Multiple LANs

VPN Used to Connect Multiple LANs with Remote Mobile Users

VPN Supporting Services and Protocols

Enterprise-class VPNs require enterprise-class security

Authentication establishes levels of authorization and access

Cryptographic transport protocols don’t “play well” together

VPN Protocols

IPSec (originally for IPv6 but widely used on IPv4)

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Datagram Transport Layer Security (DTLS)

Microsoft Point-to-Point Encryption

Secure Socket Tunneling Protocol (SSTP)

Network Protocols

Tunneling protocols package packets within packets for secure transport

Transport protocols package payloads within packets

Encapsulating protocols wrap around original passenger protocols

Carrier protocols carry the packaged VPN packets

VPN Tunnel

Encapsulates an entire packet within another packet

Encrypts payload and header (IP and UDP/TCP) to protect identities

Carrier protocol used to transmit the VPN packets

Encapsulating protocol packages the original data

VPN Tunnel

Passenger protocol—original data payload or protocol being carried

Encapsulates packets that are not routable through the Internet

Routes non-routable address traffic over public infrastructure

Ideal for gateway-to-gateway or network-to-network communication

VPN Transport

Encapsulates only the packet payload

Cannot prevent some forms of observation (eavesdropping and alteration)

Does not conceal endpoint identity

Ideal for direct endpoint-to-endpoint or endpoint-to-gateway communication
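
The difference between the two modes, and the passenger / encapsulating / carrier vocabulary from the Network Protocols slide, is easiest to see by building both packets and looking at what an observer on the public network can read. The following is an added example, not code from the slides or the textbook: the packet is modelled as a dictionary, the cipher is a deliberately simple SHA-256 keystream XOR that only serves to mark which bytes are hidden (no real VPN uses it), and the private hosts, gateway addresses and key are constructed values. The "esp" protocol label stands for the encapsulating protocol; the real ESP wire format is not reproduced.

```python
import hashlib
import json


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR), used here only to
    show WHICH bytes each mode hides.  Real VPNs use an authenticated cipher
    negotiated by IPSec or TLS; do not reuse this for anything else."""
    out = bytearray()
    for block in range((len(plaintext) + 31) // 32):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = plaintext[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


toy_decrypt = toy_encrypt  # XOR with the same keystream inverts it


def encode(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True).encode()


def decode(raw: bytes) -> dict:
    return json.loads(raw.decode())


# Constructed passenger packet: a host on one private LAN talking to a host
# on another.  Private addresses are not routable across the Internet.
PASSENGER = {
    "ip": {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp"},
    "tcp": {"sport": 51000, "dport": 443},
    "payload": "GET /payroll HTTP/1.1",
}
KEY = b"constructed-example-key"                # constructed shared key
GW_A, GW_B = "203.0.113.10", "198.51.100.20"    # constructed public gateway addresses


def tunnel_mode(passenger: dict) -> dict:
    """Tunnel mode: the whole passenger packet (IP header, TCP header and
    payload) becomes the encrypted body of a new carrier packet that is
    addressed gateway to gateway.  The inner identities are hidden."""
    return {
        "ip": {"src": GW_A, "dst": GW_B, "proto": "esp"},
        "encrypted": toy_encrypt(KEY, encode(passenger)).hex(),
    }


def transport_mode(passenger: dict) -> dict:
    """Transport mode: only what sits above IP is encrypted; the original IP
    header stays in the clear so the packet is still delivered end to end."""
    inner = {"next": passenger["ip"]["proto"],
             "tcp": passenger["tcp"], "payload": passenger["payload"]}
    return {
        "ip": dict(passenger["ip"], proto="esp"),
        "encrypted": toy_encrypt(KEY, encode(inner)).hex(),
    }


def observer_view(packet: dict) -> dict:
    """What a passive observer on the public network reads without the key."""
    return dict(packet["ip"])


def decapsulate(packet: dict, mode: str) -> dict:
    """Receiving gateway or endpoint: decrypt and rebuild the passenger packet."""
    inner = decode(toy_decrypt(KEY, bytes.fromhex(packet["encrypted"])))
    if mode == "tunnel":
        return inner
    next_proto = inner.pop("next")
    return {"ip": dict(packet["ip"], proto=next_proto), **inner}


if __name__ == "__main__":
    for mode, build in (("tunnel", tunnel_mode), ("transport", transport_mode)):
        pkt = build(PASSENGER)
        print(f"{mode:9s} observer sees: {observer_view(pkt)}")
        assert decapsulate(pkt, mode) == PASSENGER
```

Run it and the tunnel-mode packet shows only the two gateway addresses, which is why tunnel mode both conceals the endpoints and carries non-routable 10.x traffic across the public network; the transport-mode packet still shows 10.1.0.5 talking to 10.2.0.9, which is the "does not conceal endpoint identity" limitation on the VPN Transport slide.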

Cryptographic Protocols

Ensure confidentiality and non-repudiation

Require encryption algorithms, protocols, and authentication methods

Endpoints must support identical cryptographic protocols and methods

VPN Authentication, Authorization, and Accountability Mechanisms

Allow approved external entities to interconnect and interact with private network

Use varying methods for authenticating users (passkeys, biometrics, etc.)

Track and log user interactions to maintain user accountability
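
Logging only delivers accountability if someone reviews the log against the policy. As an added example, not from the slides or the textbook, the following parses a few constructed gateway log lines (the line format is an assumption for the example; real gateways differ) and checks two things the policy slides ask for: overlapping sessions by one account from two different source addresses, which is the signal that credentials are being shared or have been stolen, and repeated authentication failures per account and source. The users, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPN gateway log in a simple syslog-like key=value layout.
LOG = """\
2020-05-31T08:00:05Z vpn-gw1 event=login user=alice src=203.0.113.10 result=ok session=1
2020-05-31T08:02:11Z vpn-gw1 event=login user=bob src=198.51.100.44 result=fail
2020-05-31T08:02:19Z vpn-gw1 event=login user=bob src=198.51.100.44 result=fail
2020-05-31T08:02:27Z vpn-gw1 event=login user=bob src=198.51.100.44 result=fail
2020-05-31T08:03:40Z vpn-gw1 event=login user=alice src=192.0.2.77 result=ok session=2
2020-05-31T08:30:00Z vpn-gw1 event=logout user=alice session=1
2020-05-31T09:00:00Z vpn-gw1 event=login user=carol src=203.0.113.99 result=ok session=3
2020-05-31T09:10:00Z vpn-gw1 event=logout user=alice session=2
2020-05-31T09:45:00Z vpn-gw1 event=logout user=carol session=3
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse(line: str) -> dict:
    """Split one log line into a record; timestamps become aware datetimes."""
    m = LINE.match(line)
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["host"] = m.group("host")
    return rec


def sessions(records) -> list:
    """Pair each successful login with its logout: (user, src, start, end)."""
    open_by_id, closed = {}, []
    for r in records:
        if r["event"] == "login" and r.get("result") == "ok":
            open_by_id[r["session"]] = r
        elif r["event"] == "logout" and r["session"] in open_by_id:
            start = open_by_id.pop(r["session"])
            closed.append((start["user"], start["src"], start["ts"], r["ts"]))
    return closed


def concurrent_sessions_from_different_sources(records) -> list[str]:
    """Accounts with time-overlapping sessions from two source addresses."""
    by_user = defaultdict(list)
    for user, src, start, end in sessions(records):
        by_user[user].append((src, start, end))
    flagged = set()
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                (s1, a1, b1), (s2, a2, b2) = sess[i], sess[j]
                if s1 != s2 and a1 < b2 and a2 < b1:   # intervals overlap
                    flagged.add(user)
    return sorted(flagged)


def failed_login_counts(records, threshold: int = 3) -> dict:
    """(user, src) pairs with at least `threshold` failed authentications."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "login" and r.get("result") == "fail":
            counts[(r["user"], r["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def review(log_text: str = LOG) -> dict:
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {
        "shared_credential_suspects": concurrent_sessions_from_different_sources(records),
        "repeated_failures": failed_login_counts(records),
    }


if __name__ == "__main__":
    for k, v in review().items():
        print(f"{k}: {v}")
```

On the constructed log the review flags alice (two simultaneous sessions from different addresses) and bob's three failures from one source; either finding is a policy question for the account owner, not an automatic verdict, since a user who reconnects from a second network before the first session times out produces the same pattern.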

VPN Hosts and Trust

Trust should vary depending on who is allowed in via the VPN (ordered from least risk to most risk):

Employee on corporate laptop on managed network

Employee on home computer

Employee on airport internet (wireless or kiosk)

Authorized partner

Authorized customer

VPNs, NAT, and IPSec

Network Address Translation (NAT)

Static

Dynamic

IPSec (originally for IPv6 but widely used on IPv4)

IPSec has issues traversing a translated (NAT) network

Run IPSec VPNs on untranslated addresses, or deploy an SSL VPN
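
The reason NAT and IPSec clash is that IPSec's integrity protection (in particular AH) covers the IP addresses, while NAT's job is to rewrite them; a TLS record MAC covers only the payload and is indifferent to what happens to the outer header, which is why the slide offers an SSL VPN as the alternative. The following is an added example, not from the slides or the textbook, that models both integrity checks with HMAC over a dictionary packet and applies a NAT rewrite between signing and verification. The key, addresses and ports are constructed, and the two tag functions are simplified models of the real mechanisms, not their wire formats.

```python
import hashlib
import hmac
import json

KEY = b"constructed-integrity-key"   # constructed; a real SA derives this via IKE


def canonical(d: dict) -> bytes:
    return json.dumps(d, sort_keys=True).encode()


def header_covered_tag(packet: dict) -> str:
    """Model of an IPSec AH-style integrity check: the tag covers the IP
    addresses as well as the payload, so any change to them is detected."""
    covered = {"src": packet["src"], "dst": packet["dst"], "payload": packet["payload"]}
    return hmac.new(KEY, canonical(covered), hashlib.sha256).hexdigest()


def payload_only_tag(packet: dict) -> str:
    """Model of a TLS-style record MAC: the tag covers only the payload, so
    the IP header may be rewritten in transit without affecting it."""
    return hmac.new(KEY, packet["payload"].encode(), hashlib.sha256).hexdigest()


def nat_rewrite(packet: dict, public_ip: str, public_port: int) -> dict:
    """What a NAT device does on the way out: replace the private source
    address and port with its own public ones."""
    return dict(packet, src=public_ip, sport=public_port)


def verify(packet: dict, tag: str, tag_fn) -> bool:
    return hmac.compare_digest(tag_fn(packet), tag)


# Constructed packet from a host behind NAT to a VPN peer on the Internet.
ORIGINAL = {"src": "192.168.1.23", "sport": 50001,
            "dst": "198.51.100.7", "dport": 500, "payload": "hello"}


def demo() -> dict:
    """Sign at the sender, pass through NAT, verify at the receiver."""
    ah_tag = header_covered_tag(ORIGINAL)
    tls_tag = payload_only_tag(ORIGINAL)
    after_nat = nat_rewrite(ORIGINAL, "203.0.113.5", 61000)
    return {
        "header_covered_without_nat": verify(ORIGINAL, ah_tag, header_covered_tag),
        "header_covered_survives_nat": verify(after_nat, ah_tag, header_covered_tag),
        "payload_only_survives_nat": verify(after_nat, tls_tag, payload_only_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

The first check passes and the second fails for the same packet, which is the failure an administrator sees when an IPSec peer sits behind a NAT device; the third passes, which is the slide's SSL VPN workaround. The standard IPSec remedy, UDP encapsulation (NAT Traversal, negotiated in IKE), is outside what the slide covers but is the usual answer where untranslated addresses are not available.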

VPN Appliances

Dedicated network offload devices

Specialized to handle VPN offloading from routers and host systems

Can be placed outside corporate firewalls for traffic filtering

Supplements existing corporate firewalls that do not support VPN services

Edge Routers

Transport VPN over public networks

Ensures that all traffic complies with the firewall

Ideal for customer and supplier or business partner access

Best suited for controlled access into DMZ

Corporate Firewall

Pass LAN-to-LAN traffic

Joined networks are treated as any other LAN route

Users don’t have to re-authenticate across segments

No additional firewall filtering or restriction applies

VPN Implementation Choices

A VPN can be implemented as software on the host and gateway

A VPN can be implemented as a hardware appliance

Both have advantages and disadvantages

Both offer cost savings and scalability

Hardware-Based VPNs

Dedicated Resources and Optimized Processing

Advantages: Designed for Routing; Sustains Resources; Streamlined for security

Disadvantages: Costs and Compatibility

Software-Based VPNs

Platform-independent SSL/TLS VPNs to connect systems

Advantages

Install and Deploy Rapidly

Connection Speed

Disadvantages

Complex to Install and Configure

Portable and Efficient

Server Exposed

Owned and Outsourced VPNs

Own or operate telecommunications infrastructure and VPN endpoints

Contract maintenance or management

VPN Deployment Planning

Plan the physical location of the VPN

Ensure the location meets power and cooling requirements

Plan your IP addressing scheme

Plan firewall rules for permitting VPN access

Configure the VPN server

Set up authentication

Follow change management policies

VPN Deployment Planning

Test the deployment

Create operations manual, user documentation, etc.

Develop support processes

Install VPN clients

Train users

Overcoming VPN Performance Challenges

Item                  Consideration
VPN type              Client or site-to-site connection support
Protocol              IPSec VPN or SSL VPN
Load                  Number of remote access or site-to-site connections
Client configuration  Legacy hardware, memory-intensive applications
Bandwidth             Unreliable connections
Topology              Connection traverses a firewall or proxy server
Encryption level      High encryption necessary but impacts performance
Traffic               Traffic spikes, such as from streaming media
Client version        Older versions

Overcoming VPN Stability Challenges

Item                  Consideration
Configuration         Mission-critical requires high availability or failover
Location              Number of devices connection must traverse (firewalls, routers, etc.)
VPN software version  Older software may be unstable
Underlying OS         Older versions of OS, or firmware code in hardware VPN

Summary

Virtual private network (VPN) essentials

The roles of VPN appliances, edge routers, and corporate firewalls

VPN implementation

Best practices for implementing and managing VPNs

Common network locations where VPNs are deployed

VPN deployment planning for the enterprise

VPN policy creation

Strategies for overcoming VPN performance and stability issues

Software- and hardware-based VPN solutions

Virtual Lab

Using Social Engineering Techniques to Plan an Attack

Chapters 3, 11, 12

Midterm Study Guide has been posted. The exam will be available next week and needs to be completed next week as well.

Required Reading

Midterm Exam
