Virtual Private Networks, Second Edition

Book Description

Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller folks had to make do with the relatively untrusted Internet. Nowadays, even large companies have to go outside their private nets, because so many people telecommute or log in while they're on the road. How do you provide a low-cost, secure electronic network for your organization? The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines--connections that can be easily used by anybody logging in from anywhere. A number of products now exist to help you develop that solution. This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and Unix, such as PPTP and L2TP, Altavista Tunnel, Cisco PIX, and the secure shell (SSH). New features in the second edition include SSH, which is a popular VPN solution for Unix systems, and an expanded description of the IPSec standard, for which several vendors have announced support. Topics include:

  • How the VPN compares to other available networking technologies

  • Introduction to encryption, firewalls, the IPSec standard, and other technologies that let VPNs work

  • Point-to-Point Tunneling Protocol (PPTP) and L2TP

  • The Altavista Tunnel

  • The Cisco PIX Firewall

  • Secure Shell (SSH)

  • Maintenance and troubleshooting

Table of Contents

  1. Virtual Private Networks, 2nd Edition
    1. Preface
      1. Audience
      2. Contents of This Book
      3. Conventions Used in This Book
      4. Comments and Questions
      5. Updates
      6. Acknowledgments
    2. 1. Why Build a Virtual Private Network?
      1. What Does a VPN Do?
        1. The Rise of Intranets
          1. How VPNs relate to Intranets
      2. Security Risks of the Internet
        1. What Are We Protecting with Our VPN?
      3. How VPNs Solve Internet Security Issues
        1. Firewalls
        2. Authentication
        3. Encryption
        4. Tunneling
      4. VPN Solutions
        1. Quality of Service Issues
      5. A Note on IP Address and Domain Name Conventions Used in This Book
    3. 2. Basic VPN Technologies
      1. Firewall Deployment
        1. What Is a Firewall?
        2. What Types of Firewalls Are There?
          1. Packet restriction or packet filtering routers
          2. Bastion host
          3. DMZ or perimeter zone network
          4. Proxy servers
        3. Use of Firewalling in a VPN
      2. Encryption and Authentication
        1. A Brief History of Cryptography
        2. Cryptography: How to Keep a Secret
        3. Cryptography in Network Communications
        4. Cryptographic Algorithms
          1. Hash algorithms
          2. Secret key systems
          3. Public key cryptosystems
          4. Diffie-Hellman
          5. RSA
        5. How Secure Is It Really?
        6. Use of Cryptosystems and Authentication in a VPN
      3. VPN Protocols
        1. IPSec
          1. IPSec security issues
          2. IPSec organizations
        2. ESP (Encapsulating Security Payload)
        3. AH (Authentication Header)
        4. Internet Key Exchange, ISAKMP/Oakley
        5. ISO X.509 v.3 (Digital Certificates)
        6. LDAP (Lightweight Directory Access Protocol)
        7. Radius
        8. PPTP (Point-to-Point Tunneling Protocol)
      4. Methodologies for Compromising VPNs
        1. Basic Firewalling
        2. Cryptographic Assaults
          1. Ciphertext-only attack
          2. Known plaintext attack
          3. Chosen plaintext attack
          4. Chosen ciphertext attack
          5. Brute force attacks
          6. Password guessers and dictionary attacks
          7. Social engineering
        3. Network Compromises and Attacks
          1. Denial of service attacks
          2. Address spoofing
          3. Session hijacking
          4. Man-in-the-middle attack
          5. Replay attack
          6. Detection and cleanup
      5. Patents and Legal Ramifications
    4. 3. Wide Area, Remote Access, and the VPN
      1. General WAN, RAS, and VPN Concepts
      2. VPN Versus WAN
        1. Small to Medium Solutions
          1. Telco
          2. Hardware/software
          3. Administration
          4. Security, scalability, and stability
        2. Large Solutions
          1. Telco
          2. Hardware/software
          3. Administration
          4. Security, scalability, and stability
      3. VPN Versus RAS
        1. Small to Medium Solutions
          1. Telco
          2. Hardware/software
          3. Administration
          4. Security, scalability, and stability
        2. Large Solutions
          1. Telco
          2. Hardware/software
          3. Administration
          4. Security, scalability, and stability
    5. 4. Implementing Layer 2 Connections
      1. Differences Between PPTP, L2F, and L2TP
      2. How PPTP Works
        1. Dialing into an ISP That Supports PPTP
        2. Dialing into an ISP That Doesn’t Support PPTP
        3. Where PPTP Fits into Our Scenario
        4. Dissecting a PPTP Packet
          1. The encapsulation process
        5. PPTP Security
          1. RAS authentication methods
            1. Accept encrypted authentication
            2. Accept Microsoft encrypted authentication
            3. Accept any authentication, including clear text
          2. Data encryption
      3. Features of PPTP
        1. Availability
        2. Easy Implementation
        3. Multiprotocol Tunneling
        4. Ability to Use Corporate and Unregistered IP Addresses
    6. 5. Configuring and Testing Layer 2 Connections
      1. Installing and Configuring PPTP on a Windows NT RAS Server
        1. Installing PPTP
        2. Setting Up RAS
          1. Choosing the protocols to tunnel
          2. Choosing your authentication method
          3. IP address negotiation using DHCP
        3. PPTP Filtering
          1. Outbound authentication using PPTP filtering
          2. Filtering caveats
        4. Filtering by IP Address
        5. Configuring Users for Dial-up Access
      2. Configuring PPTP for Dial-up Networking on a Windows NT Client
      3. Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
      4. Enabling PPTP on Remote Access Switches
        1. Configuring PPTP on a 3Com/U.S. Robotics Total Control Enterprise Network Hub
          1. Setting up global PPTP parameters
          2. Setting up a port for PPTP
          3. Setting up a user for PPTP
        2. Configuring PPTP on an Ascend MAX 4004
      5. Making the Calls
      6. Troubleshooting Problems
        1. Login problems
          1. The Event Viewer
          2. The Dial-Up Networking Monitor
        2. Connectivity Testing
          1. ping and traceroute
      7. Using PPTP with Other Security Measures
        1. How to Allow PPTP Through Firewalls
          1. Fixed IP addresses
        2. How PPTP Can Bypass a Proxy Server
    7. 6. Implementing the AltaVista Tunnel 98
      1. Advantages of the AltaVista Tunnel System
        1. Accessibility
        2. Security
          1. Three-part encryption technique
          2. Support for an emerging security standard
          3. Support for Security Dynamics SecureID
        3. Flexibility
      2. AltaVista Tunnel Limitations
        1. Platform Limitations
        2. Security Drawbacks of User Authentication
      3. How the AltaVista Tunnel Works
        1. System Considerations
          1. Extranet server
          2. Telecommuter client
        2. Planning
        3. The Guts
          1. AltaVista Tunnel Extranet server
          2. Security procedures
          3. AltaVista Tunnel Telecommuter Client
      4. VPNs and AltaVista
        1. Implementing a LAN-to-LAN Tunnel
          1. Sample configuration
          2. Tunnel server configuration
          3. Firewall configuration
          4. Host configuration
          5. Routing over the VPN
        2. Implementing Single Connections-to-LAN Tunnels
          1. Sample configuration
          2. Tunnel server configuration
          3. Firewall configuration
          4. Local host configuration
          5. Remote PC configuration
          6. Tracing the packets
        3. Implementing PC-to-WAN Tunnels
          1. Sample configuration
          2. Tunnel server configuration
          3. WAN router configuration
          4. Firewall configuration
          5. Network host configurations
          6. Remote client configurations
          7. Tracing the packets
    8. 7. Configuring and Testing the AltaVista Tunnel
      1. Getting Busy
      2. Installing the AltaVista Tunnel
        1. Preparing to Install
        2. Installing the AltaVista Tunnel Extranet Server for Windows NT
          1. Windows NT 4.0
        3. Installing the AltaVista Tunnel Telecommuter Client for Windows
        4. Installing the AltaVista Tunnel Telecommuter Client for MacOS
      3. Configuring the AltaVista Tunnel Extranet and Telecommuter Server
        1. Adding Routes and Dynamic Addresses
          1. Initial configuration
          2. Managing routes and dynamic IPs
        2. Adding DNS and WINS Servers
        3. Adding Tunnel Groups
          1. Group configuration
          2. Tunnel client information
        4. Tools for Tunnel Management
        5. Changing Port Settings
        6. Rekey Interval and Minimum Encryption Settings
        7. Configuring Unix-to-Windows NT Tunnel Connections
      4. Configuring the AltaVista Telecommuter Client
      5. Troubleshooting Problems
        1. Tunnel Server and Client Configuration Checks
        2. Local Network and Internet Gateway Configuration Checks
    9. 8. Creating a VPN with the Unix Secure Shell
      1. The SSH Software
        1. Encryption Capabilities
      2. Building and Installing SSH
      3. SSH Components
        1. sshd
          1. Useful sshd parameters for our purposes
        2. ssh
          1. Understanding SSH authentication
          2. Running ssh in “batch mode”
          3. Useful ssh parameters for our purposes
          4. ssh-keygen
          5. ssh-agent and ssh-add
        3. scp
        4. make-ssh-known-hosts
      4. Creating a VPN with PPP and SSH
        1. The VPN Components
        2. Setting Up the VPN
          1. Setting up the master and slave Linux systems
          2. Setting up the PPP daemon
          3. Creating a user account on the slave
          4. Setting up SSH authentication
          5. Configuring sudo on the slave
          6. Putting pty-redir on the master
          7. Setting up the VPN script
          8. Setting up the slave’s scripts
        3. Testing the Connection
      5. Troubleshooting Problems
        1. Errors from the VPN Script
        2. Connection Problems
          1. Debugging an SSH connection
          2. Debugging a PPP connection
        3. Getting Help with SSH
      6. A Performance Evaluation
    10. 9. The Cisco PIX Firewall
      1. The Cisco PIX Firewall
      2. The PIX in Action
        1. ISP Assigned Addresses (Global Pool)
        2. Advantages of the PIX Firewall
          1. Hardware solution
          2. Superior to Unix and other router firewalls
          3. Single point of control/failure
          4. Dynamic address translation
          5. PIX acts like a proxy server
          6. Ease of configuration and maintenance
          7. High-speed access
          8. Links
        3. Limitations of the PIX Firewall
          1. Hardware solution
          2. Dynamic address use
          3. Budgetary considerations
          4. Maintenance
      3. Configuring the PIX as a Gateway
        1. Connecting to the PIX
        2. A Sample Configuration
        3. Firewall Configuration on the PIX
        4. Testing, Tracing, and Debugging
          1. debug
          2. xlate
          3. arp
          4. show interface
      4. Configuring the Other VPN Capabilities
        1. Offering Services to the Internet Through Conduits and the static Command
        2. Tunneling with the link Directive
    11. 10. Managing and Maintaining Your VPN
      1. Choosing an ISP
      2. Solving VPN Problems
        1. Connectivity Problems
        2. Authentication Errors
        3. Routing Problems
        4. Dealing with an ISP
        5. Compatibility with Other Products
      3. Delivering Quality of Service
      4. Security Suggestions
        1. Restrict Who Has VPN Access
        2. Restrict What VPN Users Can Get To
        3. Avoid Public DNS Information for VPN Servers and Routers
      5. Keeping Yourself Up-to-Date
    12. 11. A VPN Scenario
      1. The Topology
      2. Central Office
        1. Network Connections
        2. Hardware and Operating System
        3. VPN Package
      3. Large Branch Office
        1. Connection
        2. Hardware and Operating System
        3. VPN Package
      4. Small Branch Offices
        1. Connection
        2. Hardware and Operating System
        3. VPN Package
      5. Remote Access Users
        1. Connection
        2. Hardware and Operating System
        3. VPN Package
      6. A Network Diagram
    13. A. Emerging Internet Technologies
      1. IPv6
      2. IPSec
      3. S/WAN
    14. B. Resources, Online and Otherwise
      1. Software Updates
      2. The IETF
      3. CERT Advisories
      4. The Trade Press
      5. Networking and Intranet-Related Web Sites
      6. Usenet Newsgroups
      7. Mailing Lists
    15. Index
    16. Colophon