
CHAPTER 10 Virtual Private Networks

Copyright 2001 The McGraw-Hill Companies, Inc.

Network Security: A Beginner’s Guide

Private networks have been used by organizations to communicate with remote sites and with other organizations. Private networks are made up of lines leased from the various phone companies and ISPs. The lines are point to point and the bits that travel on these lines are segregated from other traffic because the leased lines create a real circuit between the two sites. There are many benefits to private networks:

- Information is kept “within the fold.”
- Remote sites can exchange information instantaneously.
- Remote users do not feel so isolated.

Unfortunately, there is also a big disadvantage: cost. Private networks cost a lot of money. Using slower lines can save some money but then the remote users start to notice the lack of speed and some of the advantages begin to evaporate.

With the increasing use of the Internet, many organizations have moved to Virtual Private Networks (VPN). VPNs offer organizations many of the advantages of private networks with a lower cost. However, VPNs introduce a whole new set of issues and risks for an organization. Properly architected and implemented, VPNs can be advantageous to the organization. Poorly architected and implemented, all the information that passes across the VPN might as well be posted on the Internet.

DEFINING VIRTUAL PRIVATE NETWORKS

So, we are going to send sensitive organization information across the Internet in such a way as to reduce the need for leased lines and still maintain the confidentiality of the traffic. How do we separate our traffic from everyone else’s? The short answer is that we use encryption.

All kinds of traffic flow across the Internet. Much of that traffic is sent in the clear so that anyone watching the traffic can see exactly what is going by. This is true for most mail and Web traffic as well as telnet and FTP sessions.
Secure Shell (SSH) and HyperText Transfer Protocol - Secure (HTTPS) traffic is encrypted and thus cannot be examined by someone reading the packets. However, SSH and HTTPS traffic does not constitute a VPN. VPNs have several characteristics:

- Traffic is encrypted so as to prevent eavesdropping.
- The remote site is authenticated.
- Multiple protocols are supported over the VPN.
- The connection is point to point.

Since neither SSH nor HTTPS can handle multiple protocols, neither is a real VPN. VPN packets are mixed in with the regular traffic flow on the Internet and segregated because only the end points of the connection can read the traffic.

Let’s look more closely at each of the characteristics of a VPN. We have already stated that VPN traffic is encrypted to prevent eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the traffic for the length of time the traffic is valuable. Passwords may only be valuable for 30 days (assuming a 30-day change policy); however, sensitive information may be valuable for years. Therefore, the encryption algorithm and the VPN implementation must prevent an unauthorized individual from decrypting the traffic for some number of years.

The second characteristic is that the remote site is authenticated. This characteristic may require that some users be authenticated to a central server or it may require that both ends of the VPN be authenticated to each other. The authentication mechanism used will be governed by policy. It may require that users authenticate with two factors or with dynamic passwords. For mutual authentication, both sites may be required to demonstrate knowledge of a shared secret that is preconfigured.

VPNs are built to handle different protocols, especially at the application layer. For example, a remote user may use SMTP to communicate with a mail server while also using NetBIOS to communicate with a file server. Both of these protocols would run over the same VPN channel or circuit (see Figure 10-1).

Point to point means that the two end points of the VPN set up a unique channel between them. Each end point may have several VPNs open with other end points simultaneously but each is distinct from the others and separated by the encryption.

Figure 10-1. VPNs handle multiple protocols

VPNs are generally separated into two types: user VPNs and site VPNs. The difference between them is the way the two types are used, not because of the way traffic is segregated by each type. The remainder of this chapter discusses each type of VPN in detail.

USER VPNS

User VPNs are virtual private networks between an individual user machine and an organization site or network. Often user VPNs are used for employees who travel or work from home. The VPN server may be the organization’s firewall or it may be a separate VPN server. The user connects to the Internet via a local ISP dial-up, DSL line, or cable modem and initiates a VPN to the organization site via the Internet. The organization’s site requests the user to authenticate and, if successful, allows the user access to the organization’s internal network as if the user were within the site and physically on the network. Obviously, the network speeds will be slower since the limiting factor will be the user’s Internet connection.

User VPNs may allow the organization to limit the systems or files that the remote user can access. This limitation should be based on organization policy and depends on the capabilities of the VPN product.

While the user has a VPN back to the organization’s internal network, he or she also has a connection to the Internet and can surf the Web or perform other activities like a normal Internet user. The VPN is handled by a separate application on the user’s computer (see Figure 10-2).
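The authentication characteristic described above, both end points of a VPN demonstrating knowledge of a preconfigured shared secret before the channel is set up, is commonly realised as an HMAC challenge-response, which also covers the user-to-site authentication step just mentioned. The following is an added example, not code from the book; the endpoint names, nonce length and four-message layout are my own choices:

```python
import hmac
import hashlib
import secrets


def _tag(secret: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    # The prover's role is part of the MAC input, so a tag produced by one side
    # cannot simply be reflected back to it as "proof" by the other side.
    return hmac.new(secret, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Endpoint:
    """One end of the VPN; 'secret' is the preconfigured shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.nonce = secrets.token_bytes(16)  # fresh challenge per handshake

    def prove(self, peer_nonce: bytes) -> bytes:
        """Proof that this side knows the secret, bound to both nonces.
        The secret itself never crosses the link."""
        return _tag(self.secret, self.name.encode(), self.nonce, peer_nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, tag: bytes) -> bool:
        """Check the peer's proof; compare_digest avoids a timing side channel."""
        expected = _tag(self.secret, peer_name.encode(), peer_nonce, self.nonce)
        return hmac.compare_digest(expected, tag)


def handshake(a: Endpoint, b: Endpoint) -> bool:
    """Four messages over the still-untrusted link (constructed layout):
    1. A -> B: nonce_A      2. B -> A: nonce_B
    3. A -> B: tag_A        4. B -> A: tag_B
    Both sides must accept before the encrypted channel is established."""
    tag_a = a.prove(b.nonce)  # message 3
    tag_b = b.prove(a.nonce)  # message 4
    return b.verify(a.name, a.nonce, tag_a) and a.verify(b.name, b.nonce, tag_b)
```

A wrong secret, a tag reflected back to its producer, or a tag replayed against a fresh nonce all fail verification.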
Benefits of User VPNs

There are two primary benefits of user VPNs:

- Employees who travel can have access to e-mail, files, and internal systems wherever they are without the need for expensive long distance calls to dial-in servers.
- Employees who work from home can have the same access to network services as employees who work from the organization facilities without the requirement for expensive leased lines.

Both of these benefits can be figured into cost savings. Whether the costs are long-distance charges, leased-line fees, or staff time to administer dial-in servers, there is a cost savings. For some users there may also be a speed increase over dial-in systems. Home users with DSL or cable modems should see a speed increase over 56K dial-up lines. More and more hotel rooms are also being equipped with network access connections so speed should also increase for employees who travel.

Figure 10-2. User VPN configuration

NOTE: A speed increase over a 56K dial-up line is not guaranteed. The overall speed of the connection depends upon many things, including the user’s Internet connection, the organization’s Internet connection, congestion on the Internet, and the number of simultaneous connections to the VPN server.

Issues with User VPNs

The proper use of user VPNs can reduce the costs to an organization but user VPNs are not a panacea. There are significant security risks and implementation issues that must be dealt with.

Perhaps the biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites. Normally, the VPN software on the user’s computer determines if the traffic should be sent to the organization via the VPN or to some other Internet site in the clear. If the user’s computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee’s computer to connect to the organization’s internal network (see Figure 10-3).
This type of attack takes some sophistication but is far from impossible.

User VPNs require the same attention to user-management issues as internal systems. In some cases, the users of the VPN can be tied to user IDs on a Windows NT domain or to some other central user-management system. This capability makes user management ...
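The per-packet decision described above, where the VPN client sends traffic either through the tunnel or to an Internet site in the clear, is what a split-tunnel configuration looks like in the client's route table, and the same table shows the full-tunnel alternative that removes the simultaneous clear path. The following is an added example, not from the book; the internal prefixes and the Internet probe address are constructed:

```python
from ipaddress import ip_address, ip_network

# Constructed: the organisation's internal networks reachable only through the
# VPN server. A real deployment would carry its own prefixes here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]

# Constructed: an arbitrary public address, used only to probe the default route.
INTERNET_PROBE = "203.0.113.10"


def build_routes(split_tunnel: bool):
    """Client route table as (prefix, next hop).
    'vpn' = encrypted tunnel to the organisation,
    'isp' = the user's own Internet connection, unencrypted."""
    routes = [(net, "vpn") for net in INTERNAL_NETS]
    # The default route carries the policy: with split tunnelling the client
    # keeps sending everything that is not internal straight to the Internet.
    routes.append((ip_network("0.0.0.0/0"), "isp" if split_tunnel else "vpn"))
    return routes


def next_hop(routes, dest: str) -> str:
    """Longest-prefix match, as a host routing table does."""
    addr = ip_address(dest)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_split_tunnel(routes) -> bool:
    """True when the host reaches the internal network through the tunnel and
    arbitrary Internet hosts in the clear at the same time: the configuration
    in which a compromised client can be used as a bridge between the two."""
    internal_hops = {next_hop(routes, str(net[1])) for net in INTERNAL_NETS}
    return "vpn" in internal_hops and next_hop(routes, INTERNET_PROBE) == "isp"
```

With the full-tunnel table every packet, Internet-bound or not, reaches the organisation's VPN server first, where policy can be applied centrally.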