1. ITS Client Support Staff Meeting Sept 14, 2006
2. Why use the Yale VPN? Protect all data sent to and from Yale (MM/SMTP).
Relay E-Mail to Internet through Yale's E-mail servers (use Authenticated SMTP over SSL instead).
Access Internet information or services only available from the campus network IP range (proxy substitute)
Access information and services only available on the campus network (including those on Yale private IP addresses):
Microsoft Networking (MSRPC, File/Print sharing, etc.)
Unix/Linux RPC/NFS, X Windows
Restricted web sites, applications and remote console access (SSH, Remote Desktop, VNC, etc).
Vulnerable/insecure/unencrypted protocols (telnet/ftp/rsh).
3. Yale Campus Network Architecture/Topology 2 Public Class B networks
128.36 Originally CS/Math/Eng & Yale College
130.132 Most of rest of campus
Private (RFC1918) networks
10 Behind firewalls, YSM wireless, YNHH
172.16-31 Routed on campus network
192.168.* Anyone can use privately locally.
Other Yale Public networks (Class C)
192.26.88, 192.31.2, 192.35.89, 198.125.138 (Physics)
YNHH Public Networks with Yale Computers
204.90.81, 205.167.18
5. Yale VPN Current Architecture Two Cisco VPN Concentrators (3030 models):
Each has 3 100 Megabit/sec Interfaces
Each has 200 to 400 simultaneous users (more distinct users per day).
Both support PPTP & IPSEC. SSL & L2TP are not enabled.
Any Yale user with a valid NetID can use either.
VPN.NET.YALE.EDU
Used almost entirely by non-YSM users with PPTP.
VPN.MED.YALE.EDU
Primarily used by YSM users with Cisco IPSEC client.
Also used for Med School wireless VPN sessions (required).
6. VPN Technologies PPTP (Point-to-Point Tunneling Protocol)
IPSEC
L2TP
SSL VPNs
SSH (Secure Shell) - Poor Man's VPN
Port forwarding, can encrypt and tunnel protocols (e.g. X Windows).
7. Yale VPN Supported Protocols PPTP
Encrypted, but weaker than IPSEC
MSCHAPv2 RADIUS authentication against Yale AD
Windows 32 bit, MacOS X, Linux & Palm versions
Either tunnel all traffic to/thru Yale via VPN, or
only tunnel 130.132 traffic to Yale thru VPN by default
Or you can use scripts to route other networks to/thru Yale via the VPN tunnel (such as 128.36, 172.16-31.*).
We will support PPTP for at least a few more years.
8. Yale VPN Supported Protocols IPSEC
Strong encryption
RADIUS authentication against Yale AD
Windows 32 bit, MacOS X, Linux implementations
PocketPC - MovianVPN (cost is ~$75), Palm version in testing
Either tunnel all traffic to/thru Yale via VPN, or
only tunnel 130.132 traffic to Yale thru VPN by default
Or you can use scripts to route other networks to/thru Yale via the VPN tunnel (such as 128.36, 172.16-31.*).
IPSEC will be the recommended Yale VPN protocol.
9. Yale VPN Not Currently Supported Protocols No current plans to support either of these two.
L2TP - Layer Two Tunneling Protocol
Microsoft / Cisco merge of L2F and PPTP.
Supported in Windows 2000, XP, Server 2003 RRAS.
IPSEC would be run on top of L2TP.
SSL - Secure Socket Layers
clientless VPNs
WebVPN
10. Current VPN.NET.YALE.EDU Interfaces:
Internal 130.132.166.33
External 130.132.1.200
Unused/Disabled
IP Address Ranges:
130.132.120.1-255
130.132.44.1-255
130.132.45.1-255
4 We should allocate one more.
Don't hardcode IP addresses, particularly not on Med wireless.
11. Current VPN.MED.YALE.EDU Interfaces:
Internal 172.21.89.200
External 128.36.118.7
Wireless 10.10.0.2
IP Address Ranges:
130.132.117.1-255
128.36.122.1-255
128.36.141.1-255
128.36.124.1-255 (reserved but not in use currently)
Don't hardcode IP addresses, particularly not on Med wireless.
12. Current VPN-TEST.NET.YALE.EDU Interfaces:
Internal 130.132.251.69
External 130.132.1.230
Unused/Disabled
IP Address Ranges:
130.132.252.33-46
We could allocate more in an emergency.
Don't use for production. You can use it for testing and non-critical use. We can shut it down at any time.
13. Cisco VPN IPSEC Client
14. Cisco VPN IPSEC Client - Yale/YNHH Profiles YSM Global - ALL traffic from VPN client is routed through IPSEC tunnel to YSM VPN server.
YSM Split - Only Yale IP Network traffic (128.36, 130.132, 172.16-31) is tunneled to the YSM VPN server.
YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - Use for YSM staff to access the YNHH Network from Yale
There are new YNHH PCF files (profiles) in testing.
15. Which IPSEC profile to use? YSM_Global - No split tunneling
Must use when on Yale Med Wireless.
Recommended for use when on any wireless net and whenever you require a higher level of security.
When outside Yale use to access Library resources.
20. Which IPSEC profile to use? YSM_Split - Split tunneling
Use when you need to access a local network at the same time as you are accessing Yale networks. The local network could be at home.
When outside Yale use split tunneling if you need to access non-Yale Internet sites directly for performance connectivity reasons.
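The address plan on the campus network slide and the split-tunneling rules on the PPTP, IPSEC and YSM profile slides can be checked mechanically. The following is an added example, not code from the ITS deck or the Cisco client: it encodes the address blocks and route sets as listed on the slides, classifies a destination against the campus plan, decides whether a given profile would tunnel it, merges the extra networks that the per-client routing scripts add, and lists campus destinations a split profile would send outside the tunnel. The profile keys (`global`, `default_split`, `ysm_split`) and all function names are assumptions made for the example; the `global` entry models "no split tunneling".

```python
import ipaddress
from typing import Iterable, List

# Address blocks copied from the "Yale Campus Network Architecture" slide.
YALE_PUBLIC = ["128.36.0.0/16", "130.132.0.0/16",
               "192.26.88.0/24", "192.31.2.0/24", "192.35.89.0/24", "198.125.138.0/24"]
YNHH_PUBLIC = ["204.90.81.0/24", "205.167.18.0/24"]
CAMPUS_ROUTED_PRIVATE = ["172.16.0.0/12"]   # RFC1918 space routed on campus
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Route sets per profile (profile keys are assumed names for this example).
# None means "no split tunneling": everything goes through the tunnel.
# "default_split" is the 130.132-only default from the PPTP/IPSEC slides;
# "ysm_split" is the route set the YSM_Split profile slide describes.
PROFILES = {
    "global": None,
    "default_split": ["130.132.0.0/16"],
    "ysm_split": ["128.36.0.0/16", "130.132.0.0/16", "172.16.0.0/12"],
}


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(ip: str, cidrs: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _nets(cidrs))


def classify(ip: str) -> str:
    """Label an address according to the campus address plan on slide 3."""
    if _in_any(ip, YALE_PUBLIC):
        return "yale-public"
    if _in_any(ip, YNHH_PUBLIC):
        return "ynhh-public"
    if _in_any(ip, CAMPUS_ROUTED_PRIVATE):
        return "campus-private"
    if _in_any(ip, RFC1918):
        return "rfc1918-private"
    return "internet"


def is_tunneled(ip: str, profile: str) -> bool:
    """True if traffic to `ip` would enter the VPN tunnel under `profile`."""
    routes = PROFILES[profile]
    if routes is None:
        return True
    return _in_any(ip, routes)


def add_split_routes(profile: str, extra: Iterable[str]) -> List[str]:
    """Merge extra networks into a split profile's route list, as the
    per-client routing scripts on the PPTP/IPSEC slides do, collapsing
    overlapping or adjacent blocks."""
    base = PROFILES[profile]
    if base is None:
        raise ValueError("global profile already tunnels everything")
    merged = ipaddress.collapse_addresses(_nets(list(base) + list(extra)))
    return [str(net) for net in sorted(merged)]


def campus_outside_tunnel(profile: str, destinations: Iterable[str]) -> List[str]:
    """Campus/YNHH destinations that a split profile would send outside the
    tunnel, i.e. over the local network and Internet rather than through Yale."""
    return [d for d in destinations
            if classify(d) != "internet" and not is_tunneled(d, profile)]


if __name__ == "__main__":
    # Sample destinations (constructed from addresses on the slides plus one
    # public resolver address as an "internet" case).
    for dst in ["130.132.1.200", "128.36.118.7", "10.10.0.2", "8.8.8.8"]:
        print(dst, classify(dst), {p: is_tunneled(dst, p) for p in PROFILES})
    print(add_split_routes("default_split", ["128.36.0.0/16", "172.16.0.0/12"]))
    print(campus_outside_tunnel("default_split", ["192.26.88.5", "130.132.5.5", "8.8.8.8"]))
```

The last function is the check worth running before picking a split profile: anything it returns is a campus or hospital address that the chosen profile will not carry inside the tunnel, which is the practical reason the deck requires the Global profile on Med wireless and recommends it on any wireless network.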
23. Which IPSEC profile to use? YNHH
You need permission to access the YNHH network.
YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - The current PCF for YSM users to access the YNHH Network.
There are new YNHH PCF files (profiles) in testing.
There is (or will be) a profile for Yale users to access a YNHH VPN service from the Yale network, which will be separate from a new profile for YNHH users to use when they are on the Internet and not at Yale.
25. VPN Service Offering Changes One Single Virtual System Image - Convergence
We are syncing both servers (resolving config diffs)
VPN.YALE.EDU
DNS Round Robin record
Name switches between the IP #s for VPN.MED & VPN.NET
Load Balancing
Cisco VPN client can automatically split load
Currently we could handle 1,000 VPN clients per VPN server, but we may need more than 2,000 for pandemic planning.
26. VPN Service Offering Changes Profile Name Changes (proposals)
Yale Library Resources (Global)
Yale Med Wireless (Global)
Yale Remote Access (Split)
Yale with Local Access (Split)
Two YNHH Profiles
Yale Network to YNHH VPN
Non-Yale Network to YNHH VPN
27. Questions?