
2001, Cisco Systems, Inc. All rights reserved. <Title of Course (ACRO) vX.X>

A Virtual Private Network (VPN) is an umbrella term that refers to all technologies enabling secure communications over the public Internet. VPNs allow organizations to securely extend a LAN over the Internet to remote networks and remote clients by encrypting the data traffic.
With the advent of VPN technology, it is now possible to use public networks to cost-effectively broaden the reach of Intranet applications. VPNs constitute the ideal infrastructure for creating extranets, making them practical and affordable. Companies can now provide a secure method for the exchange of data and other resources with trusted partners, suppliers, and key business associates.


Step 1: Connect to the Internet

The first step is for the user to establish an Internet connection via their Internet Service Provider (ISP) or broadband service.

Step 2: Attempt to Access Remote, Private Network

The second step is to access the remote private network (i.e., the network protected by the firewall).

Step 3: Initiate Secure Connection to Remote VPN Gateway

The VPN device (client or gateway) automatically initiates the secure connection to the private network.

Step 4: Authenticate Connection

The fourth step is to check the authentication of the user. If the user is not known, the connection is terminated. If the user is known, the user proceeds to step 5.

Step 5: VPN Tunnel is Complete

The user is now connected to the protected network and can access company resources such as email or databases.

Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it.

The figure shows leased lines in red. The blue lines represent VPN-based connections. Consider these benefits when using VPNs:

Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.

Security - Advanced encryption and authentication protocols protect data from unauthorized access.

Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.


A site-to-site VPN is an extension of classic WAN networking. Site-to-site VPNs connect entire networks to each other. For example, they can connect a branch office network to a company headquarters network.
In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, a PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting all outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.


Mobile users and telecommuters use remote access VPNs extensively.

Most teleworkers now have access to the Internet from their homes and can establish remote VPNs using broadband connections. Similarly, a mobile worker can make a local call to a local ISP to access the corporation through the Internet. In effect, this marks an evolutionary advance in dialup networks. Remote access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business connections. In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.


A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.

The figure illustrates a typical VPN topology. Components required to establish this VPN include:

1. An existing network with servers and workstations
2. A connection to the Internet
3. VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
4. Appropriate software to create and manage VPN tunnels

The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.

A VPN tunnel refers to a secure VPN connection between two VPN gateways. Tunneling is the process of encapsulating private IP packets in a public IPSec packet. In order for data to be transported across the Internet, the data must be tunneled. To create a tunnel, the source encapsulates its packet in IP packets for transit across the Internet.
Once the authentication and authorization steps are complete, the VPN tunnel is established. The user can then send data across the Internet through the VPN tunnel. Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.


IPSec defines a set of protocols and cryptographic algorithms for creating secure IP traffic sessions between IPSec gateways. It is a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPSec provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy.


A security association is a group of settings that define the type of security and encryption method used between two VPN gateways. Information specified in the security association includes the public IP address of the remote VPN gateway and remote private network range.


Authentication allows the network administrator to establish the identity of a remote VPN user, eliminating the possibility of another VPN device compromising the security of the VPN tunnel.
A Digital Certificate is a small file used to establish the digital identity of a person. It establishes a user's credentials when doing business or other transactions across the Internet. It contains the user's name, a serial number, expiration dates, a copy of the certificate holder's public key, and the digital signature of the certificate-issuing authority. Digital Certificates and VPN are analogous to signing and sealing an envelope: the signing provides authentication and the envelope provides confidentiality. The Public Key Infrastructure (PKI) is an infrastructure that enables the enrollment, issuing, maintenance, publication, and revocation of Digital Certificates.


VPN allows traveling employees to securely access the corporate LAN. As viewed in the first illustration, the man on the beach can use his cell phone to dial up through a local ISP and connect to the corporate LAN. With the VPN Client installed on his laptop, this employee is able to access information and get a tan at the same time. The most common use for VPN is referred to as Box to Box VPN. The second and third illustrations depict this. In the second illustration, an at-home employee with broadband Internet access is securely connecting to the corporate LAN. This employee is able to access information and resources as if he were at work. Furthermore, the firewall is protecting him from any hackers or vandals on the Internet. The third illustration depicts a branch office with broadband access connecting to the corporate LAN via the VPN device. Every desktop and laptop behind the device is able to securely access the resources on the corporate network. Not only are companies able to affordably communicate and share resources, the firewalls are securing the entire network from hackers and vandals on the Internet.


IPSec uses the Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.


The Encapsulating Security Payload (ESP) provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.[1]
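The tunneling, security association, AH and ESP notes above describe the pieces a gateway applies to each packet. The following Python example, added here and not part of the course material, shows them working together in a simplified form: an SA record holding the SPI, the peer's public address, the remote private range and an integrity key (assumed to have been derived by IKE), encapsulation of a private packet behind an outer header, and the receiver's SPI lookup, ICV verification and RFC 4303-style sliding anti-replay window. Encryption of the payload, which real ESP applies with the negotiated cipher, is left out so the block runs on the standard library alone; the field and function names are this example's own, not IPSec's.

```python
"""Simplified ESP-style tunnel: SA lookup, integrity check (ICV), anti-replay window.

Illustration added to these notes, not code from the Cisco/SonicWall course. Real ESP
(RFC 4303) also encrypts the payload with the cipher IKE negotiated; this example shows
only the integrity and anti-replay services, using HMAC-SHA256 from the standard
library, and assumes the integrity key was already produced by the IKE exchange.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16                 # ESP's HMAC-SHA-256-128 truncates the MAC to 128 bits
HDR = struct.Struct("!II")   # outer header: SPI and sequence number, both 32-bit


@dataclass
class SecurityAssociation:
    """Settings both gateways agree on for one direction of the tunnel (field names are ours)."""
    spi: int                 # Security Parameter Index identifying this SA at the receiver
    peer_public_ip: str      # public address of the remote VPN gateway
    remote_private_net: str  # private range reached through this tunnel
    integrity_key: bytes     # assumed to have been produced by the IKE exchange
    window_size: int = 64    # anti-replay window in packets (RFC 4303 requires at least 32)
    next_seq: int = 1        # sender state: next sequence number to transmit
    highest_seq: int = 0     # receiver state: highest sequence number accepted so far
    window: int = 0          # receiver state: bitmap, bit k set = seq highest_seq-k was seen


def _icv(sa: SecurityAssociation, header: bytes, payload: bytes) -> bytes:
    return hmac.new(sa.integrity_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]


def encapsulate(sa: SecurityAssociation, inner_packet: bytes) -> bytes:
    """Tunnel a private IP packet: outer = SPI | seq | inner packet | ICV."""
    header = HDR.pack(sa.spi, sa.next_seq)
    sa.next_seq += 1
    return header + inner_packet + _icv(sa, header, inner_packet)


def _replay_ok(sa: SecurityAssociation, seq: int) -> bool:
    """True if seq is to the right of the window, or inside it and unseen; no state change."""
    if seq == 0:
        return False  # sequence number 0 is never valid in ESP
    if seq > sa.highest_seq:
        return True
    offset = sa.highest_seq - seq
    return offset < sa.window_size and not (sa.window >> offset) & 1


def _replay_update(sa: SecurityAssociation, seq: int) -> None:
    """Record seq as seen; only called after the ICV verified."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)


def decapsulate(sa: SecurityAssociation, outer_packet: bytes):
    """Strip the outer header after the checks; return the inner packet, or None to drop."""
    if len(outer_packet) < HDR.size + ICV_LEN:
        return None
    header = outer_packet[:HDR.size]
    payload, icv = outer_packet[HDR.size:-ICV_LEN], outer_packet[-ICV_LEN:]
    spi, seq = HDR.unpack(header)
    if spi != sa.spi:
        return None  # no SA for this SPI
    if not _replay_ok(sa, seq):
        return None  # cheap window check before the MAC, the order RFC 4303 uses
    if not hmac.compare_digest(icv, _icv(sa, header, payload)):
        return None  # forged or corrupted: the window is left untouched
    _replay_update(sa, seq)
    return payload


def demo() -> dict:
    """Constructed scenario: two gateways share one SA; returns the outcome of each delivery."""
    key = b"constructed-key-derived-by-IKE!!"  # placeholder key, 32 bytes
    sender = SecurityAssociation(0x1001, "203.0.113.2", "10.2.0.0/16", key)
    receiver = SecurityAssociation(0x1001, "198.51.100.1", "10.1.0.0/16", key)
    inner = [b"\x45\x00 constructed inner packet %d" % i for i in range(1, 4)]
    p1, p2, p3 = (encapsulate(sender, x) for x in inner)
    tampered = p3[:9] + bytes([p3[9] ^ 0x01]) + p3[10:]  # flip one payload bit of p3
    return {
        "first_ok": decapsulate(receiver, p1) == inner[0],
        "second_ok": decapsulate(receiver, p2) == inner[1],
        "replay_dropped": decapsulate(receiver, p1) is None,
        "tamper_dropped": decapsulate(receiver, tampered) is None,
        "window_after_tamper": receiver.highest_seq,      # still 2: the forgery did not advance it
        "genuine_after_tamper": decapsulate(receiver, p3) == inner[2],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() exercises the two properties the notes attribute to AH and ESP: a replayed packet and a packet with a single flipped bit are both dropped, and because the window is only updated after the ICV verifies, a forged packet with a high sequence number cannot push the window forward and cause the receiver to discard later genuine traffic.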


Internet Key Exchange (IKE and IKEv2) sets up a security association (SA) by negotiating protocols and algorithms and generates the encryption and authentication keys to be used by IPsec.


ISAKMP (Internet Security Association and Key Management Protocol) is a protocol for establishing Security Associations (SA) and cryptographic keys in an Internet environment.
ISAKMP defines the procedures for authenticating a communicating peer, creating and managing Security Associations, key generation techniques, and threat mitigation (e.g., denial of service and replay attacks). ISAKMP typically utilizes IKE for key exchange, although other methods can be implemented. A preliminary SA is formed using this protocol; fresh keys are generated later.

