Network Security, Firewalls, and VPNs


VPN Fundamentals

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Virtual Labs

Configuring a pfSense Firewall for the Server

Penetration Testing a pfSense Firewall

Chapters 2 & 7

Required Reading

From Last Week…


Use the following script to introduce the first lab for this lesson:

“In this lesson, you explored the basic functions of firewalls and learned how firewalls fit into the network security framework. You also examined firewall filtering, port control strategies, and the implications of encryption, along with firewall monitoring and logging.

In the first lab for this lesson, Configuring a pfSense Firewall for the Server, you will use Network Address Translation, or NAT, to bind a public Internet address to an internal server. Then you will configure the firewall to allow limited access to services, such as HTTP, DNS, and SMTP, hosted on the internal server.”

Use the following script to introduce the second lab for this lesson:

“One method organizations use to check whether a firewall is adequately protecting the network is to perform a penetration test. Penetration testing, or pen testing for short, tests the strengths and weaknesses of IT security, as well as the readiness of a facility and its employees to respond to an attack. Penetration testers use the same methods as hackers to try to penetrate a system or network. The difference is that penetration testing is performed by trusted employees or licensed pen testers. The process includes reconnaissance, scanning, vulnerability analysis (enumeration), exploitation (the actual attack), and post-attack activities, including remediation of the vulnerabilities. Before attacking a system, the pen tester uses an automated tool or set of tools to scan for and identify vulnerabilities to exploit.

In the lab for this lesson, Penetration Testing a pfSense Firewall, you will configure a basic pfSense Firewall on a virtual machine in preparation for a penetration testing scenario. Then, you will use OpenVAS to check for vulnerabilities on a virtual Windows server, and craft a plan to reduce or eliminate those vulnerabilities.”

1/24/18


Learning Objectives

Describe the foundational concepts of VPNs.

Appraise the elements of VPN implementation and management.

Describe common VPN technologies.


Key Concepts

Virtual private network (VPN) essentials

The roles of VPN appliances, edge routers, and corporate firewalls

VPN implementation

Best practices for implementing and managing VPNs

Common network locations where VPNs are deployed

VPN deployment planning for the enterprise

VPN policy creation

Strategies for overcoming VPN performance and stability issues

Software- and hardware-based VPN solutions


Virtual Private Network (VPN)


Virtual Private Network (VPN)

A computer network that uses the public telecom infrastructure (i.e., Internet) to provide remote access to secure private networks

Allows organizations to privately transmit sensitive data remotely over public networks

Secures communication between separate private networks through tunneling, which protects sensitive information transiting the public network


What Is a VPN?

Network that uses the public telecom infrastructure (Internet) to provide remote access to secure private networks

Allows organizations to privately transmit sensitive data remotely over public networks

Secures communication between separate private networks through tunneling

Protects sensitive information transiting the public network


What Is a VPN?

Low-cost alternative to leased-line infrastructure

Supports Internet remote access

Provides remote access and remote control

Employs encryption and authentication for secure transmission

Restrictions for mobile users that ensure a baseline level of conformity and security


Low-cost alternative to leased-line infrastructure for delivering remote connectivity to offices and workers.

Leased lines create a direct and permanent path between two locations.

Provides wide area connectivity via a reserved connection for private customer use.

Dedicated circuits that provide “last mile” access from user premises to the ISP.

Supports Internet remote access (i.e., remote office and telecommuter), LAN-to-LAN internetworking (i.e., home office and satellite offices), and controlled access within a network (i.e., mobile users and desktop users).

VPNs provide remote access and remote control, and employ encryption and authentication for secure transmission.

Organizations can keep private information protected by encryption and remotely accessible to individuals or groups on an as-needed basis.

Unauthorized parties cannot eavesdrop, intercept, or otherwise capture private sessions between VPN client and server.

VPN policies can impose restrictions for mobile users that ensure a baseline level of conformity and security.

Enforce network policies that mandate client systems maintain up-to-date patches, signature files, and versions of anti-malware and anti-virus packages.

Enforce minimum and mandatory rules that dictate levels of user privilege, separate areas of access, ensure recommended cryptographic capabilities, etc.


VPN Endpoints

Host Computer Systems

Edge Routers

Corporate Firewalls

Dedicated VPN Appliances


Endpoints can terminate at a host computer system, edge router, corporate firewall, or dedicated VPN appliance.

Provides secure remote access, site-to-site connectivity (i.e., college campuses), host-to-host networking, and extranet (i.e., distributor to supplier).

Operates in two modes of encryption (“encapsulation”):

Tunnel mode: protects the entire packet from header to payload.

Transport mode: protects only the packet payload.


VPN Encryption Modes

Tunnel mode

Protects packet from header to payload

Transport mode

Protects only the packet payload


VPNs Bridge Distant Connections

Home and satellite offices

May span separate cities, states, countries, geographic territories, and international borders

Provide varying levels of granular network access to separate locations

VPNs maintain confidentiality and integrity for users and data (C-I-A triad)


Home and satellite offices may span separate cities, states, countries, geographic territories, and international borders.

Share private LAN and intranet resources globally.

Suppliers and distributors may maintain a separate private network for product sales and purchasing or parts ordering.

Organizational headquarters and satellite offices may share common directory services, informational databases, supply chain resources, etc.

Provide varying levels of granular network access to separate locations.

Client-server connections focus on user profile permissions and restrictions.

Multiple site-to-site connections apply user policies and network controls.

VPN clients are browser-based and executable formats.

VPN servers can integrate into routing devices and network appliances.


Drawbacks of VPNs

Congestion, latency, fragmentation, and packet loss

Difficulties with compliance and troubleshooting

Encrypted traffic does not compress

Lacks repeating patterns

More bandwidth-intensive than clear-text transmission

Connectivity requires high availability


VPNs suffer from the same congestion, latency, fragmentation, and packet loss as any long-distance connection experiences.

VPN clients are more difficult to keep compliant and troubleshoot than on-site devices and systems.

Encrypted traffic does not compress because it lacks repeating patterns and is therefore more bandwidth-intensive than clear-text transmission.

VPN connectivity requires high availability for constant uptime and accessibility.


VPN Security and Privacy Issues

Cannot ensure quality of service (QoS) or complete security

Links depend on availability, stability, and throughput of ISP connection

Not ideal connection method for dial-up modems or low-bandwidth links

Infected mobile users can potentially damage or disrupt the private network

Confidential data can be copied outside the boundaries of internal controls


Corporations can save on leased-line costs with VPN.

Eliminates need for long-distance leased-line connectivity

Reduces long-distance telecommunication charges

Can offload support costs (outsource) to network operators

Scalable network arrangements are possible with VPN.

Branch offices can deploy readily available VPNs.

VPNs can scale from a few nearby offices to several campuses around the world.

VPNs cannot ensure quality of service (QoS) or complete security.

VPN links depend on availability, stability, and throughput of ISP connection.

Not an ideal connection method for dial-up modems or low-bandwidth links

Infected mobile users can potentially damage or disrupt the private network.

Confidential data can be copied outside the boundaries of internal controls.


VPNs Are Not a Cure-all Solution


VPNs require upkeep, updates, and upgrades just like any other network.

Clients must maintain baseline levels of safety and security.

Servers must maintain current fixes and patches for software.

Administrators must maintain software updates and hardware upgrades.

VPN clients are harder to keep compliant.

Roaming profiles are more challenging to maintain than local user profiles.

Offline users can tamper with systems or bypass some restrictions.

Careless or defiant users may compromise systems and threaten the network.

Varying VPN client-server setups provide inconsistent security provisions.

True VPN—a single organization owns all of the network infrastructure (ideal)

Trusted VPN—controls communication pathway, doesn’t prevent eavesdropping

Secure VPN—uses public networks, does not control or ensure transmission path

Hybrid VPN—secure VPN over a trusted VPN connection


Diagram (VPNs Are Not a Cure-all Solution): upkeep, updates, and upgrades (software fixes, software updates, software patches, hardware upgrades); client compliance (roaming profiles, tampering with systems, bypassing restrictions, careless and defiant users); inconsistent security; True VPN, Trusted VPN, Secure VPN, and Hybrid VPN.

VPN Best Practices: Predeployment

Choose a solution that’s right for your environment, with proven capabilities

Plan to provide redundancy

Create a written VPN policy

Ensure client security

Vulnerability management

Document your VPN implementation plan


Developing a VPN Policy

Restrict remote access to the organization’s VPN solution.

Prohibit split tunneling.

Define classes of employee that can access the network by VPN.

Define types of VPN connections to permit.

Define authentication methods permitted.

Prohibit sharing of VPN credentials.

List configuration requirements for remote hosts, including current virus protection, anti-malware, host-based intrusion detection system (HIDS), and a personal firewall.


Developing a VPN Policy (Cont.)

Prohibit the use of non-company equipment or, if personal systems may connect to the VPN, define the minimum standards for those connections.

Define required encryption levels for VPN connections.

If you will be using your VPN for network-to-network connections, define the approval process and criteria for establishing a network-to-network connection.


VPN Best Practices: Post Deployment


Perform regularly: usage review, backup, and patching.

Types of VPN Implementations

Bypass VPN


Types of VPN Implementations

Internally Connected VPN


Types of VPN Implementations

A VPN in a DMZ


Internet Protocol Security (IPSec)

IPSec VPNs:

Support all operating system platforms

Provide secure, node-on-the-network connectivity

Offer standards-based solution


Layer 2 Tunneling Protocol (L2TP)

Largely replaced by IPSec and SSL/TLS

Is a combination of best features of Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Forwarding (L2F) Protocol

Limitation: Provides mechanism for creating tunnels through an IP network but not for encrypting the data being tunneled


Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Non-IPSec alternative for VPNs

SSL/TLS authentication is one-way

SSL VPNs:

Platform independent

Client flexibility

Work with NAT

Fewer firewall rules required


Secure Sockets Layer (SSL)/ Transport Layer Security (TLS)

A secure browser session using SSL.

A certificate in an HTTPS connection.


Secure Shell (SSH) Protocol

Used for:

Login to a shell on a remote host (replaces Telnet and rlogin)

Executing a single command on a remote host (replaces rsh)

File transfers to a remote host

In conjunction with the OpenSSH server and client to create a full VPN connection


Secure Shell (SSH) Protocol

An application that uses SSH.


VPN Deployment Models

True, Trusted, Secure, and Hybrid Models

Tailor VPN security to match organizational and data privacy needs

Establish control

Components (software and hardware)

Conversations (endpoint connections)

Communications (network infrastructure)


VPN Deployment Models

Customers and providers may separately manage and maintain devices

Customers may outsource different aspects of VPN ownership and operation to service providers

Custom tailor ownership and operator responsibilities to budgetary needs


VPN Architectures

Remote access (host-to-site) supports single connections into the LAN

LAN-to-LAN and WAN (site-to-site) supports LAN-to-LAN via Internet

Client-server (host-to-host) supports direct connections via Internet


Remote access (host-to-site) supports single connections into the LAN.

Supports private LAN access without edge routers, corporate firewalls, or appliances

LAN-to-LAN and WAN (site-to-site) supports LAN-to-LAN via Internet.

Combines site-to-site with remote access VPN capabilities

Scales to large groups of users and network endpoints

Client-server (host-to-host) supports direct connections via Internet.

Provides additional security over shared public infrastructure

Links mobile platforms to mission-critical systems and services


VPN Architectures

A corporation may control different aspects of the network

Authentication, Authorization, and Accounting (AAA) server deployment

Different technologies for different needs


A corporation may control different aspects of the network.

Provider network: uses a service provider infrastructure for VPN services

Customer network: customer-controlled network infrastructure for VPN

Customer site: physical location is the only control point

Provider device: not under customer control, operates as routing device

Authentication, Authorization, and Accounting (AAA) server deployment

Tracks who you are (authentication), checks what you’re authorized to do (authorization), and records what you’ve done (accounting)

Different technologies for different technological needs

Desktop and server software for remote client connections

Dedicated firewalls, optimized routers, VPN servers, and VPN concentrators

Network Access Servers (NASs) for service providers

VPN network and policy management centers


VPN to Connect a LAN with Remote Mobile Users


VPN Used to Connect Multiple LANs


VPN Used to Connect Multiple LANs with Remote Mobile Users


VPN Supporting Services and Protocols

Enterprise-class VPNs require enterprise-class security

Authentication establishes levels of authorization and access

Cryptographic transport protocols don’t “play well” together


Enterprise-class VPNs require enterprise-class security.

Confidentiality: strong cryptographic tunneling protocols (avoid intercepts, sniffing)

Authentication: strong authentication for non-repudiation and against identity spoofing

Secure cryptographic transport protocols

Authentication establishes levels of authorization and access.

Uses passwords, two-factor authentication, biometrics, and other forms

Cryptographic transport protocols don’t “play well” together.

Internet Protocol Security (IPSec) VPNs use IPv4 and L2TP running over an IPSec layer.

Transport Layer Security (TLS/SSL) tunnels over IPv4 networks (i.e., Internet).

Platform-specific transport methods using proprietary protocol formats


VPN Protocols

IPSec (originally for IPv6 but widely used on IPv4)

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

Datagram Transport Layer Security (DTLS)

Microsoft Point-to-Point Encryption

Secure Socket Tunneling Protocol (SSTP)


Network Protocols

Tunneling protocols package packets within packets for secure transport

Transport protocols package payloads within packets

Encapsulating protocols wrap around original passenger protocols

Carrier protocols carry the packaged VPN packets


VPN Tunnel

Encapsulates an entire packet within another packet

Encrypts payload and header (IP and UDP/TCP) to protect identities

Carrier protocol used to transmit the VPN packets

Encapsulating protocol packages the original data


VPN Tunnel

Passenger protocol—original data payload or protocol being carried

Encapsulates packets that are not routable through the Internet

Routes non-routable address traffic over public infrastructure

Ideal for gateway-to-gateway or network-to-network communication


VPN Transport

Encapsulates only the packet payload

Cannot prevent some forms of observation (eavesdropping and alteration)

Does not conceal endpoint identity

Ideal for direct endpoint-to-endpoint or endpoint-to-gateway communication


Cryptographic Protocols

Ensure confidentiality and non-repudiation

Require encryption algorithms, protocols, and authentication methods

Endpoints must support identical cryptographic protocols and methods


VPN Authentication, Authorization, and Accountability Mechanisms

Allow approved external entities to interconnect and interact with private network

Use varying methods for authenticating users (passkeys, biometrics, etc.)

Track and log user interactions to maintain user accountability


VPN Hosts and Trust

Trust should vary depending on who is allowed in via the VPN

Employee on corporate laptop on managed network

Employee on home computer

Employee on airport internet (wireless or kiosk)

Authorized partner

Authorized customer

Ordered from least risk (top) to most risk (bottom).


With each level, IT has less control. The first level might be an employee on a hotel network (assuming a decent hotel). At home, the employee should be following IT policy but may also have a family, a roommate, friends, or neighbors who could have access to the machine. There is also the risk of physical breach. Policy may be sufficient to mitigate these risks if the employee is trustworthy.

Airport networks are improving every day and many are at the level of the managed network. The disadvantage is that the employee is out in the open and subject to surveillance.

Authorized partners and customers are more of a risk because there is no expectation of corporate policy controls. One has to assume they will act autonomously and may represent an increased risk.


VPNs, NAT, and IPSec

Network Address Translation (NAT)

Static

Dynamic

IPSec (originally for IPv6 but widely used on IPv4)

IPSec has issues traversing a translated (NAT) network

Run IPSec VPNs on untranslated addresses, or deploy an SSL VPN
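As an added example (not from the textbook or the slides), this Python model ties together the VPN Tunnel and VPN Transport slides and the IPSec-versus-NAT point above: it shows which addresses an on-path observer can read in each encapsulation mode, and why an integrity check that covers the IP header stops verifying once a NAT device rewrites the source address. All addresses, the key, and the XOR keystream are constructed for illustration and are a deliberate simplification of real ESP/AH.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PROTO_TCP = 6
PROTO_ESP = 50  # IANA protocol number for ESP; used here only as the outer protocol label


def _checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071) for the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """The fields an on-path observer can read from the cleartext outer header."""
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[20:]}


def _toy_xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP's cipher: XOR with a SHA-256 counter keystream. Illustrative only,
    not a real cipher; it exists so the protected bytes are visibly not the plaintext."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def transport_mode(inner: bytes, key: bytes) -> bytes:
    """Transport mode: the original header stays in the clear and only the payload is
    protected, so the communicating hosts' addresses remain visible on the path."""
    h = parse_ipv4(inner)
    return ipv4_packet(h["src"], h["dst"], PROTO_ESP, _toy_xor_keystream(key, h["payload"]))


def tunnel_mode(inner: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet (header and payload) is protected and wrapped
    in a new outer header that names only the two gateways, hiding the real endpoints."""
    return ipv4_packet(gw_src, gw_dst, PROTO_ESP, _toy_xor_keystream(key, inner))


def tunnel_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip the outer header and recover the original inner packet."""
    return _toy_xor_keystream(key, parse_ipv4(outer)["payload"])


def header_icv(pkt: bytes, key: bytes) -> bytes:
    """AH-style integrity check value: HMAC over source, destination, protocol and payload.
    Simplified model of AH, which covers the immutable fields of the IP header."""
    h = parse_ipv4(pkt)
    covered = (IPv4Address(h["src"]).packed + IPv4Address(h["dst"]).packed
               + bytes([h["proto"]]) + h["payload"])
    return hmac.new(key, covered, hashlib.sha256).digest()


def icv_valid(pkt: bytes, icv: bytes, key: bytes) -> bool:
    return hmac.compare_digest(header_icv(pkt, key), icv)


def nat_rewrite_source(pkt: bytes, public_src: str) -> bytes:
    """What a NAT gateway does on egress: swap the private source address for its public
    one and recompute the header checksum. The payload is untouched, yet an integrity
    check that covered the original source address can no longer verify."""
    h = parse_ipv4(pkt)
    return ipv4_packet(public_src, h["dst"], h["proto"], h["payload"])


def demo() -> dict:
    """Constructed addresses (RFC 1918 and documentation ranges) and a constructed key."""
    key = b"constructed-demo-key-not-for-real-use"
    inner = ipv4_packet("10.1.1.25", "10.2.2.40", PROTO_TCP, b"GET /payroll HTTP/1.1\r\n")
    transport = transport_mode(inner, key)
    tunnel = tunnel_mode(inner, key, "198.51.100.1", "203.0.113.1")
    icv = header_icv(transport, key)                          # computed by the sending host
    natted = nat_rewrite_source(transport, "198.51.100.77")  # NAT between host and peer

    def observer(p: bytes) -> dict:
        return {k: v for k, v in parse_ipv4(p).items() if k != "payload"}

    return {
        "transport_observer_sees": observer(transport),  # real hosts 10.1.1.25 -> 10.2.2.40
        "tunnel_observer_sees": observer(tunnel),        # only the two gateways
        "transport_payload_hidden": parse_ipv4(transport)["payload"] != parse_ipv4(inner)["payload"],
        "tunnel_roundtrip_ok": tunnel_decapsulate(tunnel, key) == inner,
        "icv_ok_before_nat": icv_valid(transport, icv, key),
        "icv_ok_after_nat": icv_valid(natted, icv, key),   # False: NAT broke the check
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the slide's NAT point in miniature: the same packet verifies before translation and fails after it, which is why the deck recommends untranslated addresses for IPSec or an SSL VPN, whose TLS session rides inside TCP and is indifferent to the outer addresses.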


VPN Appliances

Dedicated network offload devices

Specialized to handle VPN offloading from routers and host systems

Can be placed outside corporate firewalls for traffic filtering

Supplements existing corporate firewalls that do not support VPN services


Edge Routers

Transport VPN over public networks

Ensures that all traffic complies with firewall policy

Ideal for customer and supplier or business partner access

Best suited for controlled access into DMZ


Corporate Firewall

Pass LAN-to-LAN traffic

Joined networks are treated as any other LAN route

Users don’t have to re-authenticate across segments

No additional firewall filtering or restriction applies


VPN Implementation Choices

A VPN can be implemented as software on the host and gateway

A VPN can be implemented as a hardware appliance

Both have advantages and disadvantages

Both offer cost savings and scalability


The problem remote users face is that their communications are open on the long journey from the laptop or home computer to the work environment. One solution is the leased line. This is expensive compared to all VPN options but has the advantage that compromising it would require a physical attack. The major disadvantage is that you can only have so many physical leased lines, and installing them is extremely time-consuming and expensive.


Hardware-Based VPNs

Dedicated Resources and Optimized Processing


Advantages

VPN appliances and supportive corporate firewalls are designed for routing.

Dedicated services never borrow from general processing resources.

Devices are streamlined for high-throughput secure network delivery.

Disadvantages

More expensive option and exclusive to compatible VPN termination points


Diagram: Advantages (designed for routing, sustains resources, streamlined for security); Disadvantages (costs and compatibility).

Software-Based VPNs

Platform-independent SSL/TLS VPNs to connect systems


Advantages

Browser-based VPN clients install and deploy rapidly.

Establish quick VPN connections using client-server software

Are lightweight, portable, cross-platform, and inexpensive

Disadvantages

Open source client software can be complex to install and configure.

Server must be exposed to the public network to make connections.


Diagram: Advantages (install and deploy rapidly, connection speed, portable and efficient); Disadvantages (complex to install and configure, server exposed).

Owned and Outsourced VPNs

Owned: the organization owns or operates the telecommunications infrastructure and the VPN endpoints

Outsourced: maintenance or management of the VPN is contracted to a third party


VPN Deployment Planning

Plan the physical location of the VPN

Ensure the location meets power and cooling requirements

Plan your IP addressing scheme

Plan firewall rules for permitting VPN access

Configure the VPN server

Set up authentication

Follow change management policies

51

VPN Deployment Planning

Test the deployment

Create operations manual, user documentation, etc.

Develop support processes

Install VPN clients

Train users
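A worked example for the addressing and firewall-rule steps in the planning list above, added here and not part of the lesson or of the pfSense lab. It checks the planned VPN client pool against the internal subnets and against address ranges that home routers commonly hand out (a frequent cause of remote clients that connect but cannot reach anything), then emits a default-deny rule set for the perimeter. The subnets, interface name, server address, service list and iptables syntax are assumptions chosen for illustration.

```python
"""VPN deployment planning check (added example; all values are assumptions).

Two of the planning steps are handled here:
  * the IP addressing scheme: the VPN client pool must not overlap any
    internal subnet, and neither should overlap the ranges consumer routers
    hand out at home, or clients will route corporate traffic locally;
  * the firewall rules: admit only the VPN protocol to the VPN server on the
    WAN side, then permit clients only the internal services they need.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ranges frequently used by home routers (assumption for the example).
COMMON_HOME_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]

# Ports each VPN type needs opened at the perimeter. ESP is an IP protocol,
# not a port, hence None.
VPN_PROTOCOL_PORTS: Dict[str, List[Tuple[str, object]]] = {
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],  # IKE, NAT-T, ESP
    "ssl": [("tcp", 443)],                                   # TLS-based VPN
}


def find_overlaps(vpn_pool: str, internal_subnets: List[str]) -> List[str]:
    """Return a description of every address conflict in the plan.
    An empty list means the addressing scheme is clean."""
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    internal = [ipaddress.ip_network(s, strict=True) for s in internal_subnets]
    conflicts: List[str] = []
    for net in internal:
        if pool.overlaps(net):
            conflicts.append(f"internal {net}")
    for home in COMMON_HOME_RANGES:
        if pool.overlaps(home):
            conflicts.append(f"home {home}")
    # A corporate subnet that matches a home LAN range is unreachable from a
    # client on that LAN: the client's local route wins over the tunnel.
    for net in internal:
        for home in COMMON_HOME_RANGES:
            if net.overlaps(home):
                conflicts.append(f"internal {net} vs home {home}")
    return conflicts


def firewall_rules(vpn_type: str, wan_if: str, server_ip: str, vpn_pool: str,
                   allowed_services: Dict[str, List[int]]) -> List[str]:
    """Build an iptables-style rule list (syntax assumed for illustration):
      1. INPUT: only the VPN protocol's traffic reaches the server from the WAN
      2. FORWARD: VPN clients may reach only the listed internal host:ports
         (TCP services only, for brevity)
      3. FORWARD: everything else from the client pool is dropped (default deny)
    """
    rules = [f"# {vpn_type} VPN on {wan_if}, server {server_ip}, clients {vpn_pool}"]
    for proto, port in VPN_PROTOCOL_PORTS[vpn_type]:
        dport = "" if port is None else f" --dport {port}"
        rules.append(f"iptables -A INPUT -i {wan_if} -p {proto}{dport} -d {server_ip} -j ACCEPT")
    for host, ports in allowed_services.items():
        for port in ports:
            rules.append(f"iptables -A FORWARD -s {vpn_pool} -d {host} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {vpn_pool} -j DROP")
    return rules


if __name__ == "__main__":
    # Hypothetical plan: documentation address on the WAN side, private ranges inside.
    plan_pool, plan_internal = "10.8.0.0/24", ["10.10.0.0/16", "192.168.1.0/24"]
    for problem in find_overlaps(plan_pool, plan_internal):
        print("address conflict:", problem)
    for rule in firewall_rules("ipsec", "eth0", "203.0.113.10", plan_pool,
                               {"10.10.1.5": [443], "10.10.1.6": [25]}):
        print(rule)
```

Run as a script it reports that the internal 192.168.1.0/24 subnet collides with a common home range (so clients on such a LAN would never reach it through the tunnel) and prints the rule set; the DROP rule last is what turns the list into a default-deny policy for the client pool.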

52

Overcoming VPN Performance Challenges

Item: Consideration

VPN type: Client (remote access) or site-to-site connection support

Protocol: IPsec VPN or SSL VPN

Load: Number of remote access or site-to-site connections

Client configuration: Legacy hardware, memory-intensive applications

Bandwidth: Unreliable connections

Topology: Connection traverses a firewall or proxy server

Encryption level: Strong encryption is necessary but impacts performance

Traffic: Traffic spikes, such as from streaming media

Client version: Older versions

53

Overcoming VPN Stability Challenges

Item: Consideration

Configuration: Mission-critical use requires high availability or failover

Location: Number of devices the connection must traverse (firewalls, routers, etc.)

VPN software version: Older software may be unstable

Underlying OS: Older versions of the OS, or of the firmware code in a hardware VPN

54

Summary

Virtual private network (VPN) essentials

The roles of VPN appliances, edge routers, and corporate firewalls

VPN implementation

Best practices for implementing and managing VPNs

Common network locations where VPNs are deployed

VPN deployment planning for the enterprise

VPN policy creation

Strategies for overcoming VPN performance and stability issues

Software- and hardware-based VPN solutions

55

Virtual Lab

Using Social Engineering Techniques to Plan an Attack

Chapters 3, 11, 12

Study Guide will be posted later this week and the test will be posted early next week

Required Reading

Midterm Quiz


Use the following script to introduce the lab:

“In this lesson, you learned about VPN technologies and protocols, and you explored strategies for overcoming VPN performance and stability issues.

 

Although VPNs are a secure method of remote access and information exchange, malicious people will try to gain access to a network and protected resources using non-technological means, at least initially, so it’s helpful for network administrators to be able to view their network from the perspective of a social engineer.

 

In the lab for this lesson, Using Social Engineering Techniques to Plan an Attack, you will explore a scenario in which a cybercriminal performs common social engineering techniques. More specifically, you will discover how a criminal gathers the information he or she needs to develop an attack on a company. Then, you will concentrate on reverse social engineering. By following the example provided in the lab, you will learn the importance of open source intelligence in designing a reverse social engineering attack.”

56

OPTIONAL SLIDES


57

Establishing a VPN Connection with Cryptography (1 of 3)


Establishing a VPN Connection with Cryptography (2 of 3)


Establishing a VPN Connection with Cryptography (3 of 3)


Protect the VPN

A firewall is the best protection:

Keep the VPN behind a firewall, or

Use a combined firewall/VPN appliance

Rule of thumb: if your VPN endpoint is compromised, the firewall is bypassed and the network behind it is exposed, so the VPN must be hardened and monitored as strictly as the firewall itself.


These are important security considerations. Think like a hacker. What is easier to attack, a surface or a gap? Protect your gaps and harden your surfaces to keep the network safe.

61

Firewall and VPN Integration

Firewalls control access to the network through a variety of means

VPNs facilitate secure communication for hosts that are not on the network

VPNs allow the remote host to appear as if it were on the target network

VPNs can work across the Internet or across an intranet

62

Transition from IPv4 to IPv6

63

Migration Strategies

Dual-stack: run IPv4 and IPv6 side by side on the same hosts and links

Tunneling: carry IPv6 traffic inside IPv4 (or the reverse) across parts of the network that speak only one version; tunneled IPv6 can slip past firewall rules that inspect only the IPv4 header, so filter the tunnel endpoints explicitly

Translation: rewrite packets between IPv4 and IPv6 at a gateway so that single-version hosts can communicate

Chapter 11 Slides

Chapter 11: “VPN Management”


Nature of VPN Threats and Attacks

Home computers are often less secure than IT-maintained machines

If a home computer is compromised, the attacker can follow the VPN into the internal network

A constant live connection such as always-on DSL gives attackers more opportunities to penetrate the corporate network via the VPN

A personal firewall on the home computer should be mandatory and mitigates much of the risk


A machine with a VPN on it needs strong passwords, a firewall, and physical security. Don't let others use your VPN-enabled computer. Treat the machine the same way you would a dangerous weapon: you wouldn't leave it out of your sight or lying around carelessly, and you want to control who has access to it. Corporate espionage can start with a home burglary, so follow physical security recommendations.

65

Nature of VPN Threats and Attacks

All home users should have intrusion detection.

When possible, the IT team should set up the home system rather than trusting the user to get it right.

Make sure home users are aware of the latest patches, and verify that the patches actually get applied.

Traveling workers should be reminded not to leave computers in hotel rooms or cars: never let a system with a VPN into the company network out of sight.

66

VPN Vulnerabilities

Denial of service attacks

Missing patches

Backdoor attacks

Unpublished vulnerability in the code

Weak client security

Weak authentication

Hairpinning (traffic that enters and leaves the VPN concentrator on the same interface, such as client-to-client or client-to-Internet through the tunnel, which can extend one compromised client's reach to the others)

Credential sharing
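An added example, not from the text, showing how two items in the list above (credential sharing and weak authentication) show up in VPN session logs and can be detected there. The log line format, the account names, the addresses and the thresholds are constructed for the example; a real appliance's log lines would need their own parser in place of the regular expression.

```python
"""Detection pass over remote-access VPN session logs (added example).

Flags two of the vulnerabilities discussed in the lesson:
  * credential sharing: one account holding sessions from two or more source
    addresses at the same time;
  * weak authentication under guessing: a burst of failed logins for one
    account from one source, and whether a login from that source then
    succeeded (a guessed credential rather than a forgotten one).
Log format, accounts, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log, one event per line; not taken from any real product.
SAMPLE_LOG = """\
2018-01-24T08:00:01 vpn: user=alice src=198.51.100.7 event=login result=ok session=101
2018-01-24T08:05:10 vpn: user=alice src=203.0.113.44 event=login result=ok session=102
2018-01-24T08:06:00 vpn: user=carol src=198.51.100.9 event=login result=fail session=-
2018-01-24T08:06:20 vpn: user=carol src=198.51.100.9 event=login result=ok session=103
2018-01-24T09:00:00 vpn: user=bob src=192.0.2.5 event=login result=fail session=-
2018-01-24T09:00:05 vpn: user=bob src=192.0.2.5 event=login result=fail session=-
2018-01-24T09:00:10 vpn: user=bob src=192.0.2.5 event=login result=fail session=-
2018-01-24T09:00:15 vpn: user=bob src=192.0.2.5 event=login result=fail session=-
2018-01-24T09:00:20 vpn: user=bob src=192.0.2.5 event=login result=fail session=-
2018-01-24T09:00:40 vpn: user=bob src=192.0.2.5 event=login result=ok session=104
2018-01-24T10:00:00 vpn: user=alice src=198.51.100.7 event=logout result=ok session=101
2018-01-24T10:30:00 vpn: user=dave src=198.51.100.20 event=login result=ok session=105
2018-01-24T11:00:00 vpn: user=dave src=198.51.100.20 event=logout result=ok session=105
2018-01-24T11:05:00 vpn: user=dave src=203.0.113.99 event=login result=ok session=106
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>login|logout) result=(?P<result>ok|fail) session=(?P<session>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the assumed line format into events sorted by timestamp;
    lines that are not session events are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def credential_sharing(events: List[dict]) -> Dict[str, List[str]]:
    """Users that held sessions from more than one source address at once.
    Returns user -> sorted list of the simultaneous sources. Sequential
    sessions from different places (a user who moved) are not flagged."""
    active: Dict[str, Dict[str, str]] = defaultdict(dict)  # user -> session -> src
    flagged: Dict[str, set] = defaultdict(set)
    for e in events:
        user, session = e["user"], e["session"]
        if e["event"] == "login" and e["result"] == "ok":
            active[user][session] = e["src"]
            sources = set(active[user].values())
            if len(sources) > 1:
                flagged[user] |= sources
        elif e["event"] == "logout":
            active[user].pop(session, None)
    return {u: sorted(s) for u, s in flagged.items()}


def brute_force(events: List[dict], threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int, bool]]:
    """(user, src, failures_in_window, followed_by_success) for every
    user/source pair with at least `threshold` failed logins inside `window`.
    followed_by_success is True when a login from that source succeeded after
    the last failure, the signature of a guessed weak credential."""
    fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    successes: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] != "login":
            continue
        key = (e["user"], e["src"])
        (successes if e["result"] == "ok" else fails)[key].append(e["ts"])
    hits = []
    for key, times in fails.items():
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted failures
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            later_ok = any(t > times[-1] for t in successes[key])
            hits.append((key[0], key[1], best, later_ok))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible credential sharing:", credential_sharing(evs))
    print("login bursts:", brute_force(evs))
```

On the sample, alice is reported for two simultaneous sessions from different addresses while dave, who logged out before reconnecting from elsewhere, is not; bob's five failures followed by a success from the same source is the pattern worth paging on, because it means a guess worked rather than a user mistyping.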

67

VPN Troubleshooting

Identify the symptoms

Determine the scope of the problem

Look for changes

Call the vendor

Try the most likely solution

Test it

Check to see if you broke anything else

Document, document, document

68

Chapter 12 Slides

Chapter 12: “VPN Technologies”


Types of Virtualization


Desktop

Separates PC desktop environment from physical desktop machine using a client/server model of computing

Can complicate VPN troubleshooting

SSL VPN

Separates physical and logical sides of VPN

Greater flexibility, delegation of management, added security in multigroup environment

