Virtual Private Networks Version B.00 H7076S Module 2 Slides
The Security Problem with IP Today
[Diagram: "Users in San Francisco" talking to a "Server in Chicago" (K-CLASS system) across the Internet, with a "Bad Guy" positioned on the path between them]
• It is trivial to snoop on Internet traffic, including passwords sent over the network.
• It is fairly easy to forge IP packets and impersonate another user or machine.
• Malicious people exist who actually do these things.
What Is a Virtual Private Network?
[Diagram: Site A Intranet and Site B Intranet, each behind its own VPN Server, connected across the Internet; a mobile client also connects across the Internet. Legend: Encrypted Link, Non-Encrypted Link]
• The nodes in site A and site B use non-encrypted links when performing intranet communications.
• The nodes use encrypted links when communicating across the Internet.
• The mobile client uses encrypted links when communicating with systems in site A and site B.
Types of Virtual Private Networks

Type of VPN | Purpose | HP Solution
Network-to-Network | Replace expensive dedicated leased-line WAN charges for site-to-site data connectivity | e-Firewall
Network-to-Host (Remote Access) | Replace expensive modem pools and ISDN per-minute charges | Extranet VPN
Host-to-Host | End-to-end security to protect sensitive data for intra- or inter-network communications | IPSec/9000
HP Solutions for VPNs
[Diagram: Corporate HQ Site, Branch Host and Business Partner (K-CLASS systems) connected across The Global Internet through firewall and encryption devices; a laptop computer (mobile client) reaches them over encrypted "tunnels"]
• e-Firewall
• HP-UX IPSec/9000
• Extranet VPN
• e-Firewall with mobile client option
Network-to-Network VPNs
[Diagram: Corporate Headquarters, Field Office, Overseas Site and Business Partner (K-CLASS systems) joined across The Global Internet by firewall and encryption devices, with multiple encrypted "tunnels" between them]
Value Prop: Low cost, quick setup of WAN connectivity
Remote Access VPNs
[Diagram: Mobile Laptop User reaching the Corporate HQ Site (K-CLASS system) across The Global Internet over a dial-up line or ISDN/DSL connection, terminating on a VPN Gateway Device]
• All connections are initiated by the remote user
• Encryption occurs on the software client
Host-to-Host VPNs
[Diagram: Corporate HQ Site with a DMZ, and a Business Partner, connected across The Global Internet]
• End-to-end security
• Within the enterprise
• Through the Internet
VPN Software Products

Layer | Product | Advantages | Disadvantages
Application-level security | Public domain S/W (SOCKS), hp Extranet VPN | Close integration with the application | May need to modify the application
Network-level security | hp IPFilter/9000, hp IPSec/9000, hp e-Firewall | No need to modify applications | May need to modify firewall configuration
Link-level security | PPTP, L2TP | Easy to implement | Not scalable
Why a System Firewall?
[Diagram: Hacker on The Global Internet facing a Corporate HQ Site (K-CLASS system) that sits behind a VPN Gateway Device reached over ISDN, DSL or dial-up connections. Caption: System firewall needed!!]
Hacker: "If I can get into their host, maybe I can go through their VPN. I wonder which ports are open? They probably have no firewall."
Hewlett-Packard's Solution
• HP IPFilter/9000 – B9901AA
• Features supported by Hewlett-Packard:
  • Full-fledged stateful inspection firewall
  • Free product
  • Workstations and servers
  • HP-UX 11.0 and 11i
• Features not supported by Hewlett-Packard (supported in the public domain version):
  • Perimeter firewall
  • Network address translation
How a System Firewall Works
[Diagram: Packets arriving from the Intranet, destined for our machine and not part of a VPN connection that we initiated, enter the installed system firewall. IPFilter rules pass or block them depending upon the rules: packets that matched pass rules reach the system, packets that matched block rules go to the bit bucket]
Hardware and Software Requirements
• Hewlett-Packard 9000 series 800 or 700
• HP-UX 11.0 or 11i operating system
• Dynamically loadable kernel module support
• Commands to verify:
  # uname -a
  # kmsystem -q dlkm
Patches Required
• PHNE_22397 (or newer replacement, for 32-bit or 64-bit 11.0)
• PHCO_22899 (or newer replacement, for 32-bit 11.0)
• PHCO_22989 (or newer replacement, for 32-bit 11i)
• Command to verify:
  # swlist -l product patch_name
Installation
• Use SD-UX to install product number B9901AA
• Available on application CD AP0301
• Command to use:
  # swinstall
• Configuration file and start-up scripts installed:
  /etc/rc.config.d/ipfconf
  /sbin/init.d/pfilboot
  /sbin/init.d/ipfboot
Verification of Installation
To verify the product was installed correctly after reboot:
  # kmadmin -s
  # ps -ef | grep ipmon
Logs to look at if the installation was unsuccessful:
  /etc/rc.log
  /var/adm/sw/swagent.log
  /var/adm/sw/swinstall.log
Filter Rules
• Rules are processed from top to bottom
• Last match takes effect (a later matching rule overrides an earlier one)
• See Installing and Administering IPFilter/9000 or the public domain IPFilter HOWTO document for detailed explanations.
• Rule file:
  /etc/opt/ipf/ipf.conf
• Default file is empty; implied contents:
  pass in all
  pass out all
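The "top to bottom, last match takes effect" evaluation order on this slide, and the pass/block flow on the How a System Firewall Works slide, are the part of IPFilter that most often produces a policy that does not do what its author intended: a deny placed above a broader allow is silently overridden. The simulator below is an added example, not code from the HP slides or from the IPFilter/9000 product. It implements that evaluation order for a small subset of ipf.conf syntax and also handles IPFilter's `quick` keyword (real syntax, but not mentioned on the slide), which ends evaluation at the rule that carries it. The host address, networks (RFC 5737 documentation ranges) and the three policies are constructed sample data.

```python
"""Simulator of IPFilter rule evaluation: rules are read top to bottom and the
LAST matching rule decides, unless a matching rule carries `quick`, which ends
evaluation at that rule. Added example, not HP's code. Only a small subset of
ipf.conf syntax is handled (no interfaces, protocols, `log` or `keep state`):
    pass|block in|out [quick] ( all | [from <cidr>|any] [to <cidr>|any] [port = N] )
All addresses below are constructed sample data from RFC 5737 ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                                   # 'pass' or 'block'
    direction: str                                # 'in' or 'out'
    quick: bool = False                           # stop evaluating if this rule matches
    src: Optional[ipaddress.IPv4Network] = None   # None means 'any'
    dst: Optional[ipaddress.IPv4Network] = None   # None means 'any'
    port: Optional[int] = None                    # destination port, None means any
    text: str = ''                                # the rule as written, for tracing

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf.conf line; blank lines and comments yield None."""
    body = line.split('#', 1)[0].strip()
    if not body:
        return None
    tok = body.split()
    if len(tok) < 2 or tok[0] not in ('pass', 'block') or tok[1] not in ('in', 'out'):
        raise ValueError(f'unsupported rule: {body}')
    rule = Rule(action=tok[0], direction=tok[1], text=body)
    i = 2
    while i < len(tok):
        if tok[i] == 'quick':
            rule.quick = True
            i += 1
        elif tok[i] == 'all':
            i += 1
        elif tok[i] in ('from', 'to') and i + 1 < len(tok):
            net = None if tok[i + 1] == 'any' else ipaddress.ip_network(tok[i + 1], strict=False)
            if tok[i] == 'from':
                rule.src = net
            else:
                rule.dst = net
            i += 2
        elif tok[i] == 'port' and i + 2 < len(tok) and tok[i + 1] == '=':
            rule.port = int(tok[i + 2])
            i += 3
        else:
            raise ValueError(f'unsupported token {tok[i]!r} in rule: {body}')
    return rule

def parse_conf(text: str) -> List[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]

def matches(rule: Rule, direction: str, src: str, dst: str, port: int) -> bool:
    if rule.direction != direction:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    return rule.port is None or rule.port == port

def decide(rules: List[Rule], direction: str, src: str, dst: str,
           port: int) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule). With no rules at all the
    verdict is ('pass', None): the implied 'pass in all' / 'pass out all'."""
    verdict: Tuple[str, Optional[int]] = ('pass', None)
    for idx, rule in enumerate(rules):
        if matches(rule, direction, src, dst, port):
            verdict = (rule.action, idx)   # a later match overrides an earlier one
            if rule.quick:
                break                      # ...unless the matching rule is 'quick'
    return verdict

# Constructed policy for a host at 203.0.113.10 that runs a web server.
SAMPLE_CONF = """
block in all                                   # default: deny everything inbound
pass out all                                   # the host may talk out freely
pass in from any to 203.0.113.10/32 port = 80  # anyone may reach the web server
block in from 192.0.2.0/24 to any              # ...except this abusive network
pass in from 198.51.100.0/24 to any            # management net may reach any port
"""

# Same intent, wrong order: the deny is shadowed by the broader pass below it.
SHADOWED_CONF = """
block in from 192.0.2.0/24 to any
pass in from any to 203.0.113.10/32 port = 80
"""
# Marking the deny 'quick' ends evaluation at that rule, so the order no longer matters.
QUICK_CONF = SHADOWED_CONF.replace('block in from', 'block in quick from')

if __name__ == '__main__':
    rules = parse_conf(SAMPLE_CONF)
    for pkt in [('in', '203.0.113.77', '203.0.113.10', 80),
                ('in', '192.0.2.5', '203.0.113.10', 80),
                ('in', '198.51.100.9', '203.0.113.10', 22)]:
        action, idx = decide(rules, *pkt)
        print(pkt, '->', action, 'by rule', idx, rules[idx].text if idx is not None else '(implied default)')
    print('shadowed:', decide(parse_conf(SHADOWED_CONF), 'in', '192.0.2.5', '203.0.113.10', 80))
    print('quick:', decide(parse_conf(QUICK_CONF), 'in', '192.0.2.5', '203.0.113.10', 80))
```

Reading the verdicts alongside the rule index that produced them is the point: in SAMPLE_CONF the abusive network is blocked only because its `block` line sits below the port-80 `pass`; in SHADOWED_CONF the identical lines in the opposite order let it through. When auditing a real /etc/opt/ipf/ipf.conf, check every `block` that is followed by a broader `pass`, and either move it below or mark it `quick`.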