A VPN is a virtual private network that allows connectivity between two remote networks. It can also be used locally, but that implementation is much less common.
In order to better understand virtual private networks, let’s discuss them a bit further and show how to set up a basic VPN.
A virtual private network (VPN) is a connection between two or more computers or devices that are not on the same private network. In fact, there could be LANs or WANs in between each of the VPN devices. In order to ensure that only the proper users and data sessions cross to a VPN device, data encapsulation and encryption are used. A “tunnel” is created, so to speak, through the LANs and WANs that might intervene; this tunnel connects the two VPN devices together. Every time a new session is initiated, a new tunnel is created. Some technicians refer to this as tunneling through the Internet, although some VPN tunnels might go through private networks as well.
VPNs normally utilize one of two tunneling protocols:
• Point-to-Point Tunneling Protocol (PPTP) is the more commonly used protocol, but it is also the less secure option. PPTP generally includes security mechanisms, and no additional software or protocols need to be loaded. A VPN device or server that allows incoming PPTP connections must have inbound port 1723 open. PPTP works within the point-to-point protocol (PPP), which is also used for dial-up connections.
c08DefiningNetworkInfrastructure167 Page 167 12/24/10 12:13:10 PM f-392
168 | Lesson 8
• Layer 2 Tunneling Protocol (L2TP) is quickly gaining popularity due to the inclusion of IPsec as its security protocol. Although this is a separate protocol and L2TP doesn’t have any inherent security, L2TP is considered the more secure solution because IPsec is required in most L2TP implementations. A VPN device or server that allows incoming L2TP connections must have inbound port 1701 open.
An illustration of a basic VPN is shown in Figure 8-2. Note that the VPN server is on one side of the cloud and the VPN client is on the other. The VPN client will have a standard IP address to connect to its own LAN. The IP address shown in the figure is the IP address it gets from the VPN server. The computer has two IP addresses; in essence, the VPN address is encapsulated within the logical IP address.
Figure 8-2: A basic VPN connection (VPN Client 192.168.1.150 on one side of the ISP cloud, VPN Server 192.168.1.100 on the other)
CREATE AND CONNECT TO A VPN
GET READY. In order to set up a VPN, you first need to configure a VPN appliance or server.
Then, the clients need to be configured to connect to it. In this exercise, we will use Windows Server 2008 for our VPN server and Windows 7 as our VPN client. Here, we are setting up a mock VPN. Although both computers are on the same LAN, this exercise simulates what it is like to set up a real VPN.
1. Configure the VPN server:
a. Access the previously made MMC, or access Routing and Remote Access from Administrative Tools.
b. View the server within RRAS and check the configuration. If it is already configured (with a green arrow pointing upward), then right click it, select Disable Routing and Remote Access, click Yes, and move on to step 1c. If it isn’t configured, move on to step 1c.
c. Right click the server and select Configure and Enable Routing and Remote Access.
d. Click Next for the Welcome screen.
e. Select the third radio button named Custom configuration, as shown in Figure 8-3. Then click Next.
Defining Network Infrastructures and Network Security | 169
Figure 8-3: Selecting Custom configuration
Normally, you would select the third radio button called Virtual private network (VPN access and NAT); however, that will only work if your server has two or more network adapters. For this exercise, we will assume that the server only has one adapter.
f. In the Custom Configuration screen, check VPN access and click Next.
g. Click Finish to complete the configuration.
This might create a new policy automatically. If the system asks you to do so, restart the service. When finished, the server within RRAS should have a green arrow pointing upward. The VPN server is now ready to accept incoming VPN connections.
By default, the VPN server will hand out IP addresses to the clients. However, you can have a DHCP server hand out addresses as well.
2. Configure user accounts:
a. Access the Computer Management console window. You can do this by navigating to Start > Administrative Tools > Computer Management or by adding the Computer Management snap-in to the MMC.
b. Navigate to System Tools > Local Users and Groups > Users, as shown in Figure 8-4. By default, this will display the Administrator and the Guest account. From here, you can give permissions to users to allow access to the VPN server. We will use the administrator account as our example.
Figure 8-4: Accessing the Users folder
c. Right click Administrator and select Properties. This displays the General tab of the Administrator Properties dialog box.
d. Click the Dial-in tab.
e. In the Network Access Permission box, select the Allow access radio button.
Then click OK.
f. Make note of the administrator password; you will need it to connect from the client.
3. Configure the VPN client by installing a VPN adapter:
a. Go to the Windows client computer. Verify that it is connected to the same network as the server.
b. Click Start, then right click Network. This displays the Network and Sharing Center window.
c. Click the Set up a new connection or network link.
d. Click Connect to a workplace and click Next.
e. Select the Use my Internet connection (VPN) option.
f. In the Internet address field, type the IP address of the server.
g. Give a name to the VPN connection in the Destination name field. Then click Next.
h. Type in the user name and the password of the administrator account on the server. Click Next.
At this point, the VPN adapter should connect to the VPN server. The adapter in the Network Connections window should read VPN Connection on the second line, as shown in Figure 8-5, which tells you that it is connected. If it were disconnected, the VPN adapter would be grayed out, and it would read Disconnected. By the way, the third line should read WAN Miniport (PPTP). This tells us that we have made a PPTP connection, which is the default type of connection. To make L2TP connections, you would have to do a bit more configuring on the server and the client side.
TAKE NOTE: If you do not wish to use the administrator account, make sure you use another account that has administrative rights on the server.
TAKE NOTE: If Windows asks you to set up an Internet connection, select the option to set up one later.
Figure 8-5: A VPN connection in its connected state
i. You can also tell whether you are connected to a VPN server using the command prompt. Access the command prompt and type the following command:
ipconfig /all
This should show the VPN connection and the Local Area Connection. Note the IP address of the Local Area Connection. Then note the VPN connection IP address. It should be on the same network, and it was applied by the VPN server. An example is shown in Figure 8-6.
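The check in step 3i can be automated. The following Python script is an added example, not part of the book's exercise: it parses ipconfig /all output, finds the PPP adapter that the VPN connection creates and the Local Area Connection, and confirms that the address handed out by the VPN server falls inside the LAN adapter's network. The ipconfig text below is a constructed sample modeled on Windows 7 output, using the addresses from Figure 8-2, not a capture from the lab.

```python
import ipaddress
import re

# Constructed sample of "ipconfig /all" from a Windows 7 VPN client (not captured
# from the book's lab). Windows reports the PPP (VPN) adapter with a /32 mask.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

PPP adapter VPN Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.160(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.150(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# "   Key . . . . : value" lines inside an adapter section
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter heading: {field: value}} for each adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1]          # e.g. "PPP adapter VPN Connection"
            adapters[current] = {}
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:  # drop decorations such as "(Preferred)" after an address
                adapters[current][m.group(1)] = m.group(2).split("(")[0].strip()
    return adapters

def check_vpn(text):
    """Report whether a PPP adapter is up and whether its address is on the LAN."""
    adapters = parse_ipconfig(text)
    vpn = next((a for n, a in adapters.items() if n.startswith("PPP adapter")), None)
    lan = next((a for n, a in adapters.items() if n.startswith("Ethernet adapter")), None)
    if vpn is None or "IPv4 Address" not in vpn:   # disconnected adapters have no IPv4 line
        return {"connected": False, "reason": "no connected PPP adapter"}
    if lan is None or "IPv4 Address" not in lan:
        return {"connected": True, "reason": "no LAN adapter with an IPv4 address"}
    # The PPP adapter's own mask is /32, so the LAN adapter's mask decides the network.
    net = ipaddress.ip_network(f"{lan['IPv4 Address']}/{lan['Subnet Mask']}", strict=False)
    return {"connected": True, "lan_ip": lan["IPv4 Address"], "vpn_ip": vpn["IPv4 Address"],
            "same_network": ipaddress.ip_address(vpn["IPv4 Address"]) in net}
```

On a real client, feed it the output of ipconfig /all instead of SAMPLE_IPCONFIG; a result with same_network False means the VPN server (or a DHCP server behind it) is handing out addresses from a different range than the LAN.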
There you have it: a basic VPN connection. What we did is a simulation because we only did it on a LAN between computers. Still, if the Internet were involved, the process would work the same way. Some companies actually implement LAN VPN connections for added security. Keep in mind that every time you encrypt, encapsulate, or otherwise change data, it slows down the network and uses more resources.
When you are finished with the exercise, reset all systems back to normal.
SHOW VPN FUNCTIONALITY ON A ROUTER
GET READY. VPN devices can also come in the form of appliances and routers. For example, the D-Link DIR-655 router we used previously can be set up to accept incoming VPN connections with the PPTP or L2TP protocols. Let’s examine where to go on the router to set this up.
1. Access the D-Link DIR-655 router at the following link: http://support.dlink.com/emulators/dir655/133NA/login.html
2. Log in (no password is required).
3. Click the Setup link at the top of the screen.
4. Click the Manual Internet Connection setup button.
5. In the Internet Connection Type drop-down menu, select PPTP (Username/Password). This will modify the rest of the details of the page. Note that you can also select L2TP from this list.
6. Scroll down to PPTP Internet Connection Type.
7. From here, you need to select either static or dynamic IP. If you have received a static IP address from your ISP, select the Static IP radio button and enter the IP information. If you are receiving a dynamic IP from the ISP, select the Dynamic IP radio button. This will gray out the PPTP IP Address, PPTP Subnet Mask, and PPTP Gateway IP Address fields.
Figure 8-6: Ipconfig showing results of VPN adapter
At this point, you can have the router forward PPTP requests to a server (for example, the VPN server we set up in the previous exercise). Or, you could simply enter a username and password.
8. Enter a username and password. Then verify the password.
9. Save the configuration. This doesn’t really save any information because it is an emulator, but this would work the same way on an actual router. At this point, external users would not be able to connect to your network without a username, password, and VPN adapter utilizing PPTP.
10. Log off the DIR-655.
This is one way for small offices and home offices to create an intranet of their own. By only accepting secure connections from users who know the proper username and password, you weed out the public Internet users. This, in addition to security devices and zones on the perimeter of your network, can help keep your data safe.
■ Understanding Security Devices and Zones
THE BOTTOM LINE: Security devices such as firewalls are the main defense for a company’s networks, whether they are LANs, WANs, intranets, or extranets. Perimeter security zones such as demilitarized zones (DMZs) help keep certain information open to specific users or to the public while keeping the rest of an organization’s data secret.
CERTIFICATION READY (1.1): How do you define and configure a firewall?