Computer Networks - VPN - Virtual Private Networks...


Virtual Private Networks (Tunnels)

When Are VPN Tunnels Used?

VPN with PPTP tunnel. Used if:
- All routers support VPN tunnels
- You are using MS-CHAP or EAP-TLS
- Router authentication uses user-based certificates

VPN with L2TP tunnel. Used if:
- All routers support VPN tunnels
- Router authentication uses computer-based certificates or user-based certificates

Components of Remote Connectivity

[Diagram: network access clients (VPN Client, Dial-up Client, Wireless Client); network access service (Network Access Server for VPN or dial-up, Wireless Access Point); network (DHCP Server); authentication service (Domain Controller, IAS (RADIUS) Server; Active Directory not required).]

Configuration Requirements for a Network Access Server

A network access server is a server that acts as a gateway to a network for a client. To configure the network access server, you will need to know:
- Whether the server will also act as a router
- Authentication methods and providers
- Client access IP address assignment
- PPP configuration options
- Event logging preferences

What Is a Network Access Client?

VPN Client:
- Connects to a network across a shared or public network
- Emulates a point-to-point link on a private network

Dial-up Client:
- Connects to a network by using a communications network
- Creates a physical connection to a port on a remote access server on a private network
- Uses a modem or ISDN adapter to dial in to the remote access server

Wireless Client:
- Connects to a network by infrared light and radio frequency technologies
- Includes many different types of devices

What Are Network Access Authentication and Authorization?

[Diagram: Network Access Client, Network Access Server, Domain Controller.]
1. Authentication: verifies a remote user's identification to the network service that the remote user is attempting to access (interactive logon)
2. Authorization: verifies that the connection attempt is allowed; authorization occurs after a successful logon attempt

Available Methods of Authentication

Remote and wireless authentication methods include: CHAP, PAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-TLS, PEAP, MD-5 Challenge.
Recommended method for user authentication is by using smart card certificates.

How a VPN Connection Works

A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.

[Diagram: VPN Client, VPN Server, Domain Controller.]
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data

Components of a VPN Connection

[Diagram: VPN Client, VPN Tunnel (tunneling protocols, tunneled data, encryption) across a transit network, VPN Server, Domain Controller (authentication), DHCP Server (address and name server allocation).]

Protocols for a VPN Connection

PPTP: employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
L2TP/IPSec: employs user-level PPP authentication methods over a connection that is encrypted with IPSec.
Recommended authentication method for VPN network access is L2TP/IPSec with certificates.

Examples of Remote Access Server Using L2TP/IPSec

- Remote User to Corp Net (remote user to remote access server)
- Branch Office to Branch Office (remote access server to remote access server)

Configuration Requirements for a VPN Server

Before adding a remote access / VPN server:
- Identify which network interface connects to the Internet and which network interface connects to your private network
- Identify whether clients receive IP addresses from a DHCP server or the VPN server
- Identify whether to authenticate connection requests by RADIUS or by the VPN server

How Dial-up Network Access Works

Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider.

[Diagram: Dial-up Client, Remote Access Server, Domain Controller.]
1. Dial-up client calls the RA server
2. RA server answers the call
3. RA server authenticates and authorizes the client
4. RA server transfers data

Components of a Dial-up Connection

[Diagram: Dial-up Client, Remote Access Server (LAN and remote access protocols; WAN options: telephone, ISDN, X.25, or ATM), Domain Controller (authentication), DHCP Server (address and name server allocation).]

Authentication Methods for a Dial-up Connection

Authentication methods for dial-up include: CHAP, PAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-TLS, EAP-MD5 Challenge.
Mutual authentication takes place between the remote access server and the remote access user.
Strongest method: EAP-TLS with smart cards.

Configuration Requirements for a Remote Access Server

Before adding a remote access server for dial-up access:
- Identify whether clients receive IP addresses from a DHCP server or the remote access server
- Identify whether to authenticate connection requests by RADIUS or by the remote access server
- Verify that users have user accounts configured for dial-up access

Overview of Wireless Network Access

A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves, not network cabling, to carry signals over part or all of the network infrastructure.

[Diagram: Wireless Client, Wireless Access Point, Network Access Server, DHCP Server, Domain Controller, IAS Server.]

Infrastructure WLAN: clients connect to wireless access points.
Peer-to-peer WLAN: wireless clients communicate directly with each other without the use of cables.

Components of a Wireless Connection

[Diagram: Wireless Client (station), Wireless Access Point, Remote Access Server ports, Domain Controller (authentication), DHCP Server (address and name server allocation).]

Wireless Standards

802.11:
- A group of specifications for WLANs developed by IEEE
- Defines the physical and MAC portion of the OSI data-link layer

802.11b:
- 11 megabits per second
- Good range but susceptible to radio signal interference
- Popular with home and small business users

802.11a:
- Transmission speeds as high as 54 Mbps
- Allows wireless LAN networking to perform better for video and conferencing applications
- Works well in densely populated areas
- Is not interoperable with 802.11, 802.11b, 802.11g

802.11g:
- Enhancement to and compatible with 802.11b
- 54 Mbps but at shorter ranges than 802.11b

802.1x:
- Authenticates clients before it lets them on the network
- Can be used for wireless or wired LANs
- Requires greater hardware and infrastructure investment

Authentication Methods for Wireless Networks (802.1x Authentication Methods)

EAP-MS-CHAP v2:
- Provides mutual authentication
- Uses certificates for server authentication and password-based credentials for client authentication

EAP-TLS:
- Provides mutual authentication and is the strongest method of authentication and key determination
- Uses certificates for both server and client authentication

PEAP:
- Provides support for EAP-TLS and EAP-MS-CHAP v2
- Encrypts the negotiation process

Lesson: Centralizing Network Access Authentication and Policy Management by Using IAS

- What Is RADIUS?
- What Is IAS?
- How Centralized Authentication Works
- How to Configure an IAS Server for Network Access Authentication
- How to Configure the Remote Access Server to Use IAS for Authentication

What Is RADIUS?

RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access. RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks. Use RADIUS to manage network access centrally across many types of network access. RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies.

What Is IAS?

IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections. You can configure IAS to support:
- Dial-up corporate access
- Extranet access for business partners
- Internet access
- Outsourced corporate access through service providers

How Centralized Authentication Works

[Diagram: Client, Remote Access Server acting as RADIUS Client, RADIUS Server, Domain Controller.]
1. The client dials in to a local RADIUS client to gain network connectivity
2. The RADIUS client forwards requests to a RADIUS server
3. The RADIUS server authenticates requests and stores accounting information
4. The RADIUS server communicates to the RADIUS client to grant or deny access
...
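The RADIUS client/server exchange in steps 2 to 4 above, as an added example that is not part of the original slides: the remote access server (RADIUS client) builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, and must verify the Response Authenticator on the Access-Accept before granting access, since an unverified reply could be forged by anyone on the path. The shared secret, identifier and credentials are constructed demo values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types

def attr(atype, value):
    """Encode one attribute: Type(1) Length(1, includes header) Value."""
    return bytes([atype, 2 + len(value)]) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server-side inverse of hide_password (chaining uses the hidden blocks)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, user, password, req_auth=None):
    """Step 2, RADIUS client: forward the user's credentials to the RADIUS server."""
    req_auth = req_auth or os.urandom(16)   # Request Authenticator: 16 random bytes
    body = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, secret, body=b""):
    """Step 4, RADIUS server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body

def verify_response(response, request, secret):
    """RADIUS client check before granting access: identifier matches and authenticator recomputes."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

A reply built with the wrong shared secret, or with its authenticator altered in transit, fails verify_response and must be treated as a rejected request.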

This note was uploaded on 10/15/2011 for the course COMPUTER E EC-321 taught by Professor Liaqatali during the Spring '11 term at College of E&ME, NUST.
