300 likes | 448 Views
Chapter 11. PROTECTING EXTRANET COMMUNICATIONS. VPN PROTOCOLS. Point-to-Point Tunneling Protocol (PPTP): Not standards-based Linux and Mac software available Layer 2 Transport Protocol over Internet Protocol Security (L2TP/IPSec): Standards-based Linux and Mac software commonly available
E N D
Chapter 11 PROTECTING EXTRANET COMMUNICATIONS
Chapter 11: Protecting Extranet Communications VPN PROTOCOLS • Point-to-Point Tunneling Protocol (PPTP): • Not standards-based • Linux and Mac software available • Layer 2 Transport Protocol over Internet Protocol Security (L2TP/IPSec): • Standards-based • Linux and Mac software commonly available • Early versions of Microsoft Windows require Windows Dial-Up Networking version 1.4 Upgrade
Chapter 11: Protecting Extranet Communications VPN AUTHENTICATION METHODS • EAP • MS-CHAP • CHAP • SPAP • PAP • Pre-shared keys • Unauthenticated access
Chapter 11: Protecting Extranet Communications CONNECTION MANAGER ADMINISTRATION KIT (CMAK) • Simplify deployment of remote access client configurations: • Routing table updates • Proxy configuration • Phone books • VPN server • Protocols
Chapter 11: Protecting Extranet Communications REMOTE ACCESS POLICIES (RAPs) • Control who connects remotely to your network • RAPs consist of: • Conditions • Permission • Profile settings
Chapter 11: Protecting Extranet Communications REMOTE ACCESS POLICY SCREENSHOT
Chapter 11: Protecting Extranet Communications QUARANTINE CONTROL • Verifies client security before allowing full remote access: • Antivirus software is installed • Critical updates are installed • Known worms and viruses are not present • Can grant access to download required software and updates
Chapter 11: Protecting Extranet Communications QUARANTINE CONTROL COMPONENTS • A post-connect network policy requirements script • A network policy requirements script • A notifier component: Rqc.exe • A listener component: Rqs.exe
Chapter 11: Protecting Extranet Communications QUARANTINE CONTROL NETWORK
Chapter 11: Protecting Extranet Communications REMOTE ACCESS BEST PRACTICES • Require smart cards or client certificates • Enforce strong password policies • Disable PAP, SPAP, CHAP, LM, and MS-CHAP • Upgrade VPN servers to Windows 2000 Server or Windows Server 2003 • Require L2TP with the strongest encryption
Chapter 11: Protecting Extranet Communications ROUTING TABLES
Chapter 11: Protecting Extranet Communications ROUTING PROTOCOL UPDATES
Chapter 11: Protecting Extranet Communications VPNs SENDING ROUTING UPDATES
Chapter 11: Protecting Extranet Communications DEMAND-DIAL LINKS • Network-to-network links established as needed • Can be established one-way or two-way • Do not support routing protocols • Require statically configured routes
Chapter 11: Protecting Extranet Communications DEMAND-DIAL STATIC ROUTES
Chapter 11: Protecting Extranet Communications VPN ARCHITECTURES • Behind the firewall • In front of the firewall • In a screened subnet • Hosted at an ISP
Chapter 11: Protecting Extranet Communications VPN BEHIND THE FIREWALL
Chapter 11: Protecting Extranet Communications VPN IN FRONT OF THE FIREWALL
Chapter 11: Protecting Extranet Communications VPN IN A SCREENED SUBNET
Chapter 11: Protecting Extranet Communications VPN HOSTED AT AN ISP
Chapter 11: Protecting Extranet Communications GEOGRAPHIC PLACEMENT OF VPN SERVERS • VPN servers compound latency • Latency leads to poor network performance • To improve performance, add VPN servers near users
Chapter 11: Protecting Extranet Communications HIGH-LATENCY VPN ARCHITECTURE
Chapter 11: Protecting Extranet Communications LOW-LATENCY VPN ARCHITECTURE
Chapter 11: Protecting Extranet Communications SPLIT TUNNELING • Without split tunneling: • Users access internal resources through VPN • Users access Internet resources through VPN • With split tunneling: • Users access internal resources through VPN • Users access Internet resources through ISP
Chapter 11: Protecting Extranet Communications WITHOUT SPLIT TUNNELING
Chapter 11: Protecting Extranet Communications WITH SPLIT TUNNELING
Chapter 11: Protecting Extranet Communications ACTIVE DIRECTORY APPLICATION MODE (ADAM) • Free download • Provides Active Directory Lightweight Directory Access Protocol (LDAP) functionality for applications • Does not use security principals • Allows multiple instances on a single computer • Use Active Directory to ADAM Synchronizer
Chapter 11: Protecting Extranet Communications SYNCHRONIZING ACTIVE DIRECTORY TO ADAM
Chapter 11: Protecting Extranet Communications SUMMARY • Use L2TP for VPN access whenever possible • Use Connection Manager Administration Kit (CMAK) for client VPN and remote access settings • RAPs control who can remotely connect • Quarantine control checks remote access clients for security requirements • Configure static routes for demand-dial links • Design VPN architectures to minimize latency • Do not create Active Directory accounts for extranet users