book

Virtual Private Networks, Second Edition

by Mike Erwin, Charlie Scott, Paul Wolfe

December 1998

Intermediate to advanced

228 pages

6h 36m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Virtual Private Networks, 2nd Edition
Preface
Audience
Contents of This Book
Conventions Used in This Book
Comments and Questions
Updates
Acknowledgments
1. Why Build a Virtual Private Network?
What Does a VPN Do?The Rise of IntranetsHow VPNs relate to Intranets
Security Risks of the Internet
What Are We Protecting with Our VPN?
How VPNs Solve Internet Security Issues
FirewallsAuthenticationEncryptionTunneling

VPN Solutions
Quality of Service Issues
A Note on IP Address and Domain Name Conventions Used in This Book
2. Basic VPN Technologies
Firewall DeploymentWhat Is a Firewall?What Types of Firewalls Are There?Packet restriction or packet filtering routersBastion hostDMZ or perimeter zone networkProxy serversUse of Firewalling in a VPN
Encryption and Authentication
A Brief History of CryptographyCryptography: How to Keep a SecretCryptography in Network CommunicationsCryptographic AlgorithmsHash algorithmsSecret key systemsPublic key cryptosystemsDiffie-HellmanRSAHow Secure Is It Really?Use of Cryptosystems and Authentication in a VPN
VPN Protocols
IPSecIPSec security issuesIPSec organizationsESP (Encapsulating Security Payload)AH (Authentication Header)Internet Key Exchange, ISAMKP/OakleyISO X.509 v.3 (Digital Certificates)LDAP (Lightweight Directory Access Protocol)RadiusPPTP (Point-to-Point Tunneling Protocol)
Methodologies for Compromising VPNs
Basic FirewallingCryptographic AssaultsCiphertext-only attackKnown plaintext attackChosen plaintext attackChosen ciphertext attackBrute force attacksPassword guessers and dictionary attacksSocial engineeringNetwork Compromises and AttacksDenial of service attacksAddress spoofingSession hijackingMan-in-the-middle attackReplay attackDetection and cleanup
Patents and Legal Ramifications
3. Wide Area, Remote Access, and the VPN
General WAN, RAS, and VPN Concepts
VPN Versus WAN
Small to Medium SolutionsTelcoHardware/softwareAdministrationSecurity, scalability, and stabilityLarge SolutionsTelcoHardware/softwareAdministrationSecurity, scalability, and stability
VPN Versus RAS
Small to Medium SolutionsTelcoHardware/softwareAdministrationSecurity, scalability, and stabilityLarge SolutionsTelcoHardware/softwareAdministrationSecurity, scalability, and stability
4. Implementing Layer 2 Connections
Differences Between PPTP, L2F, and L2TP
How PPTP Works
Dialing into an ISP That Supports PPTPDialing into an ISP That Doesn’t Support PPTPWhere PPTP Fits into Our ScenarioDissecting a PPTP PacketThe encapsulation processPPTP SecurityRAS authentication methodsAccept encrypted authenticationAccept Microsoft encrypted authenticationAccept any authentication, including clear textData encryption
Features of PPTP
AvailabilityEasy ImplementationMultiprotocol TunnelingAbility to Use Corporate and UnregisteredIP Addresses
5. Configuring and Testing Layer 2 Connections
Installing and Configuring PPTP on a Windows NT RAS ServerInstalling PPTPSetting Up RASChoosing the protocols to tunnelChoosing your authentication methodIP address negotiation using DHCPPPTP FilteringOutbound authentication using PPTP filteringFiltering caveatsFiltering by IP AddressConfiguring Users for Dial-up Access
Configuring PPTP for Dial-up Networking on a Windows NT Client
Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
Enabling PPTP on Remote Access Switches
Configuring PPTP on a 3Com/U.S. Robotics Total Control Enterprise Network HubSetting up global PPTP parametersSetting up a port for PPTPSetting up a user for PPTPConfiguring PPTP on an Ascend MAX 4004
Making the Calls
Troubleshooting Problems
Login problemsThe Event ViewerThe Dial-Up Networking MonitorConnectivity Testingping and traceroute
Using PPTP with Other Security Measures
How to Allow PPTP Through FirewallsFixed IP addressesHow PPTP Can Bypass a Proxy Server
6. Implementing the AltaVista Tunnel 98
Advantages of the AltaVista Tunnel SystemAccessibilitySecurityThree-part encryption techniqueSupport for an emerging security standardSupport for Security Dynamics SecureIDFlexibility
AltaVista Tunnel Limitations
Platform LimitationsSecurity Drawbacks of User Authentication
How the AltaVista Tunnel Works
System ConsiderationsExtranet serverTelecommuter clientPlanningThe GutsAltaVista Tunnel Extranet serverSecurity proceduresAltaVista Tunnel Telecommuter Client
VPNs and AltaVista
Implementing a LAN-to-LAN TunnelSample configurationTunnel server configurationFirewall configurationHost configurationRouting over the VPNImplementing Single Connections-to-LAN TunnelsSample configurationTunnel server configurationFirewall configurationLocal host configurationRemote PC configurationTracing the packetsImplementing PC-to-WAN TunnelsSample configurationTunnel server configurationWAN router configurationFirewall configurationNetwork host configurationsRemote client configurationsTracing the packets
7. Configuring and Testing the AltaVista Tunnel
Getting Busy
Installing the AltaVista Tunnel
Preparing to InstallInstalling the AltaVista Tunnel Extranet Serverfor Windows NTWindows NT 4.0Installing the AltaVista Tunnel Telecommuter Client for WindowsInstalling the AltaVista Tunnel Telecommuter Client for MacOS
Configuring the AltaVista Tunnel Extranet and Telecommuter Server
Adding Routes and Dynamic AddressesInitial configurationManaging routes and dynamic IPsAdding DNS and WINS ServersAdding Tunnel GroupsGroup configurationTunnel client informationTools for Tunnel ManagementChanging Port SettingsRekey Interval and Minimum Encryption SettingsConfiguring Unix-to-Windows NT Tunnel Connections
Configuring the AltaVista Telecommuter Client
Troubleshooting Problems
Tunnel Server and Client Configuration ChecksLocal Network and Internet Gateway Configuration Checks
8. Creating a VPN with the Unix Secure Shell
The SSH SoftwareEncryption Capabilities
Building and Installing SSH
SSH Components
sshdUseful sshd parameters for our purposessshUnderstanding SSH authenticationRunning ssh in “batch mode”Useful ssh parameters for our purposesssh-keygenssh-agent and ssh-addscpmake-ssh-known-hosts
Creating a VPN with PPP and SSH
The VPN ComponentsSetting Up the VPNSetting up the master and slave Linux systemsSetting up the PPP daemonCreating a user account on the slaveSetting up SSH authenticationConfiguring sudo on the slavePutting pty-redir on the masterSetting up the VPN scriptSetting up the slave’s scriptsTesting the Connection
Troubleshooting Problems
Errors from the VPN ScriptConnection ProblemsDebugging an SSH connectionDebugging a PPP connectionGetting Help with SSH
A Performance Evaluation
9. The Cisco PIX Firewall
The Cisco PIX Firewall
The PIX in Action
ISP Assigned Addresses (Global Pool)Advantages of the PIX FirewallHardware solutionSuperior to Unix and other router firewallsSingle point of control/failureDynamic address translationPIX acts like a proxy serverEase of configuration and maintenanceHigh-speed accessLinksLimitations of the PIX FirewallHardware solutionDynamic address useBudgetary considerationsMaintenance
Configuring the PIX as a Gateway
Connecting to the PIXA Sample ConfigurationFirewall Configuration on the PIXTesting, Tracing, and Debuggingdebugxlatearpshow interface
Configuring the Other VPN Capabilities
Offering Services to the Internet Through Conduits and the static CommandTunneling with the link Directive
10. Managing and Maintaining Your VPN
Choosing an ISP
Solving VPN Problems
Connectivity ProblemsAuthentication ErrorsRouting ProblemsDealing with an ISPCompatibility with Other Products
Delivering Quality of Service
Security Suggestions
Restrict Who Has VPN AccessRestrict What VPN Users Can Get ToAvoid Public DNS Information for VPN Servers and Routers
Keeping Yourself Up-to-Date
11. A VPN Scenario
The Topology
Central Office
Network ConnectionsHardware and Operating SystemVPN Package
Large Branch Office
ConnectionHardware and Operating SystemVPN Package
Small Branch Offices
ConnectionHardware and Operating SystemVPN Package
Remote Access Users
ConnectionHardware and Operating SystemVPN Package
A Network Diagram
A. Emerging Internet Technologies
IPv6
IPSec
S/WAN
B. Resources, Online and Otherwise
Software Updates
The IETF
CERT Advisories
The Trade Press
Networking and Intranet-Related Web Sites
Usenet Newsgroups
Mailing Lists
Index
Colophon

Content preview from Virtual Private Networks, Second Edition

Using PPTP with Other Security Measures

What we’ve covered so far are the basic steps for setting up a VPN using PPTP. The viability of VPNs is directly affected by security measures implemented on the destination LAN. PPTP is a protocol like any other, and must be allowed to pass through (or bypass) a firewall or proxy server in order to work successfully.

How to Allow PPTP Through Firewalls

Like most IP-based tunneling protocols, PPTP operates on a specific IP port—in this case, TCP port 1723. On your firewall or filter, you’ll want to allow IP access to and from that port for your RAS server. If your firewall also filters by protocol, you’ll need to allow GRE (IP protocol 47) to pass through. It’s a good idea to block every other port off on your RAS server, especially the nefarious NetBIOS name service, datagram, and session ports of 137, 138, and 139. These ports can be used to browse the NetBIOS names and shares of the machines on your network.

Fixed IP addresses

Since remote PPTP users will be dialing in through ISPs, they may not always have the same IP address. This eliminates the possibility of host-based filtering and means that a PPTP VPN will rely strictly on its user-based authentication system. A fixed IP address, where a user will be assigned the same IP address every time they dial in, is a way around this problem. Some ISPs offer a fixed IP address as an account add-on for a nominal monthly fee. If available, this is a great way to enhance security by allowing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Second Edition

Publisher Resources

ISBN: 1565925297Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Virtual Private Networks, Second Edition

by Mike Erwin, Charlie Scott, Paul Wolfe

Using PPTP with Other Security Measures