Networking: A Beginner's Guide, Fifth Edition - P31 (pptx)


Pages: 5
Size: 338.31 KB



corporate LAN. Even for users who don't have DSL or cable modems available in their area, ISDN is usually an option from the local telephone company. (ISDN and DSL technology are discussed in more detail in Chapter 7.)

Remote users using DSL or cable modems are “hard-wired” to a particular ISP for their connection, so they need to use a virtual private networking approach to connecting to the LAN. ISDN users, on the other hand, have the choice of either connecting to an ISDN-capable ISP or to ISDN “modems” hosted on the LAN. Through a process called bonding, ISDN users can achieve speeds up to 128 Kbps, although this consumes two B-channels (and doubles the call charges!). Still, such speeds are better than the 33.6 Kbps that you can otherwise achieve through a modem.

Virtual Private Networks

A virtual private network (VPN) is a network link formed through the Internet between the remote user connected to an ISP and the company LAN. A VPN connection is carried over a shared or public network—which is almost always the Internet. VPNs use sophisticated packet encryption and other technologies, so the link from the user to the LAN is secure, even though it may be carried over a public network. VPN connections cost much less than dedicated connections, such as the WAN technologies discussed in Chapter 7, because they take advantage of the cost efficiencies of the Internet without compromising security.

VPN solutions range from simple ones that can be implemented on a Windows server essentially for free—using the Remote Access Service (RAS) included with Windows NT Server or the equivalent Routing and Remote Access Service (RRAS) in Windows 2000 Server or later—to stand-alone specialized VPN routers that can support hundreds of users. Figure 10-6 shows how a VPN connection works.

VPN connections are used in two important ways:

- To form WAN connections using VPN technology between two networks that might be thousands of miles apart but which each have some way of accessing the Internet.

- To form remote access connections that enable remote users to access the LAN through the Internet.

The emphasis in this chapter is on remote access, but it's important to know that VPNs support WAN connections in much the same way as they support a remote access connection. The main difference for a WAN VPN connection is that it connects two networks together, rather than a user and a network, and relies on different hardware (typically) than a remote access connection uses. A WAN VPN connection takes advantage of the existing Internet connection for both LANs and might run virtually 24 hours a day. A remote access connection, on the other hand, is usually formed when needed and uses less expensive hardware on the remote side, such as a dialup modem or perhaps a higher-speed Internet connection, such as xDSL, ISDN, or cable modem.


TIP: In some circumstances, a VPN might even be an appropriate way to segregate users in a single location from other users, by using the company's intranet to host the VPN tunnel. Such a scheme might be appropriate, for example, if one group of users accesses data that is so sensitive that it must be separated from the rest of the company in some fashion. In such cases, the sensitive network can be separated from the corporate LAN, except for a firewall that allows VPN connections from the sensitive LAN to the corporate LAN, but not vice versa. This configuration would still allow users on the sensitive LAN to access general corporate network services.

A VPN connection has several requirements:

- Both sides of the VPN connection must be connected to the Internet, usually using the Point-to-Point Protocol (PPP). (Other public or private networks can also carry VPNs, but this discussion will stick with the Internet because it's the most frequently used network for this purpose.)

- Both sides must have a networking protocol in common. This protocol is usually TCP/IP, but can also be IPX, NetBEUI, or AppleTalk.

- Both sides must establish a tunnel through their existing PPP connections, through which their data packets will pass. The tunnel is formed using a tunneling protocol.

- Both sides must agree on an encryption technique to use with the data traversing the tunnel. A variety of different encryption techniques are available.

Figure 10-6. A typical VPN connection

So, both sides of a VPN connection must be running compatible VPN software using compatible protocols. For a remote access VPN solution, the software you install depends on the VPN itself. Dedicated VPN solutions also sell client software that you can distribute to your users. Usually, this software carries a per-copy charge, typically around $25 to $50 per remote computer supported. (Some VPNs include unlimited client licenses, but the VPN is licensed to accept only a certain number of connections at a time.)

If you are using a Windows server and the RRAS service on the server, and some version of Windows 95 or later on the remote computer, you can take advantage of the VPN software included for free with those network operating systems. However, this software must still be set up on each client computer.

VPN Protocols

The three most popular tunneling protocols used for VPNs are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec). PPTP is a Microsoft-designed protocol that can handle IP, IPX, NetBEUI, and AppleTalk packets. PPTP is included with Windows, starting with Windows 95, and is also supported by Windows RRAS (a free upgrade to RAS) and by later versions of Windows servers. For a Windows-oriented network, PPTP is the way to go.

L2TP is a newer protocol that is an Internet Engineering Task Force standard. It will probably become the most widely supported tunneling protocol because it operates at layer 2 of the OSI model, and thus can handle all layer 3 protocols, such as IP, IPX, and AppleTalk.

IPSec, while probably the most secure tunneling protocol, seems to be most popular for LAN-to-LAN VPNs and for UNIX-oriented VPNs, due to its reliance on IP. IPSec is a layer 3 protocol and is limited to handling only IP traffic.

TIP: While IPSec works only with IP packets, an L2TP VPN can also carry the resulting IPSec packets, because they can be handled like the other major layer 3 packets, such as IP, IPX, and AppleTalk packets.

Types of VPNs

Four major types of VPNs are in use today. One type uses a router with added VPN capabilities. VPN routers not only can handle normal routing duties, but they can also be configured to form VPNs over the Internet to other similar routers, located on remote networks. This method is used to create VPN WAN links over the Internet, usually between multiple company locations.


Another major type of VPN is one built into a firewall device. Most popular firewalls, such as Check Point's Firewall-1 or WatchGuard's Firebox, serve not only as firewall devices, but also as VPN hosts. Firewall VPNs can be used both to support remote users and also to provide WAN VPN links. The benefit of using a firewall-based VPN is that you can administer your network's security—including both standard firewall security and VPN security—entirely within the firewall. For example, you could configure the firewall to allow connections to the network only when they are made as part of a valid VPN connection.
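As an added example (not code from the book), the following Python classifies flow records by the tunneling protocols named in the VPN Protocols section and checks the firewall-based policy described just above, treating any inbound flow to the gateway that is not part of a VPN as a violation. The port and IP protocol numbers are IANA assignments assumed here rather than values from the page, the flow records are constructed, and the Flow, classify_vpn and audit_inbound names are my own.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers and well-known ports for the tunneling protocols the
# chapter names: IANA assignments supplied here as an assumption, since the
# page itself gives no port numbers.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51

@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    ip_proto: int   # IP protocol number
    dport: int = 0  # destination port (TCP/UDP only)

def classify_vpn(flow: Flow) -> Optional[str]:
    """Name the VPN protocol a flow belongs to, or None for non-VPN traffic."""
    if flow.ip_proto == GRE or (flow.ip_proto == TCP and flow.dport == 1723):
        return "PPTP"      # TCP 1723 control channel plus GRE-carried PPP frames
    if flow.ip_proto == UDP and flow.dport == 1701:
        return "L2TP"      # L2TP control and data over UDP 1701
    if flow.ip_proto in (ESP, AH) or (flow.ip_proto == UDP and flow.dport in (500, 4500)):
        return "IPsec"     # IKE on UDP 500, NAT-T on UDP 4500, ESP/AH payloads
    if flow.ip_proto == TCP and flow.dport == 443:
        return "SSL VPN"   # browser-based VPN riding on HTTPS
    return None

def audit_inbound(flows, gateway: str) -> list:
    """Flows reaching the gateway that are not part of any VPN protocol."""
    # Models the firewall-based VPN policy in the text: inbound connections
    # are admitted only when they are made as part of a VPN connection.
    return [f for f in flows if f.dst == gateway and classify_vpn(f) is None]

# Constructed sample flow records (not captured traffic); addresses are
# documentation ranges.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.1", TCP, 1723),  # PPTP control channel
    Flow("203.0.113.10", "198.51.100.1", GRE),        # PPTP data (GRE)
    Flow("203.0.113.20", "198.51.100.1", UDP, 500),   # IPsec IKE negotiation
    Flow("203.0.113.20", "198.51.100.1", ESP),        # IPsec ESP payload
    Flow("203.0.113.30", "198.51.100.1", TCP, 443),   # SSL VPN session
    Flow("203.0.113.40", "198.51.100.1", UDP, 1701),  # L2TP tunnel
    Flow("203.0.113.50", "198.51.100.1", TCP, 139),   # direct file sharing: not VPN
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}: {classify_vpn(f) or 'NOT VPN'}")
    print("policy violations:", audit_inbound(SAMPLE_FLOWS, "198.51.100.1"))
```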

The third major type of VPN includes those offered as part of a network operating system. The best examples of this type are Windows RRAS and Novell's BorderManager software. These VPNs are most often used to support remote access, and they are generally the least expensive to purchase and install.

The fourth major type is the SSL VPN, a relatively new category. This is actually my overall favorite for remote access support. An SSL VPN takes advantage of the Secure Sockets Layer (SSL) encryption technology built into most web browsers to offer VPN services through the web browser. SSL is the same technology used to encrypt information in web pages that use the https:// prefix, such as for shopping or online banking web sites.

SSL VPNs bring a number of attractive benefits to supporting remote access:

- No client software needs to be installed on the remote computer, except, usually, for an ActiveX or Java add-in that installs into the browser automatically.

- There is essentially no configuration or management required on the remote system. This is an important point, because most VPN client software is very difficult to support.

- Provided the users know the web address of the SSL VPN server and have the correct information to authenticate (log in) to the system, they can log in from almost any Internet-connected computer in the world and access a wide range of network services through simple web pages.

- Because many common functions, such as file management, can be performed using web pages, SSL VPNs work much better over lower-bandwidth connections than other VPN alternatives. HTML was designed to be stingy in its use of network bandwidth, so many tasks that are slow over a traditional VPN connection are much faster with an SSL VPN.

- Most SSL VPNs, in addition to their web-based access features, also allow the user to start a remote node connection on demand, and this remote node connection runs using browser plug-ins that install and configure themselves automatically.

SSL VPNs are typically offered as an appliance—a rack-mountable piece of equipment that contains all of the hardware and software needed to run the VPN.


This gives rise to the only real drawback to SSL VPNs: They are still fairly expensive for smaller companies, with the smallest configurations starting at $8,000 to $10,000 to support up to 100 simultaneous users. Still, even if you need to support only 20 to 30 remote users, you may find this to be a small price to pay to reduce the administrative burden of a traditional VPN, which is often considerable.

At the time of this writing, there are a number of SSL VPN vendors. The pioneer in this space is the NetScreen product family from Juniper Networks (which acquired a product originally launched by a company called Neoteris, which pioneered SSL VPNs). Another leader is the FirePass line of products from F5 Networks. AEP Networks, SonicWALL, and Nokia are some other firms that offer SSL VPNs. Since this product area is evolving rapidly, you should conduct a careful search for products that meet your needs.

To give you an idea of how an SSL VPN looks to a remote access user, some screens of a demo version of F5 Networks' FirePass 4000 are shown in this section. Figure 10-7

Figure 10-7. An SSL VPN login screen

Posted: 05/07/2014, 04:20
