23.4 Virtual Private Network (VPN)


A virtual private network is a secure communication channel constructed within the framework of a public network infrastructure. The term virtual private network refers to a private network that is physically deployed across a public network, such as the Internet. The term virtual implies a logical network, as opposed to a physical dedicated network. The term private network implies that the communication among the users is confidential and cannot be seen by others, similar to a dedicated leased-line situation. A VPN provides the same benefits as a dedicated leased-line (privacy), without having to pay for a leased line (companies can use the Internet).

A well-secured network environment contains three critical security elements:

  • Barriers: Barriers limit access to the systems and networks based on filter conditions. Often referred to as firewalls, barriers limit access based on IP addresses, port addresses, protocol types, usernames, or passwords.

  • Encryption: Encryption prevents eavesdroppers from viewing network traffic as it travels between the source and destination systems. Encryption is needed to guarantee data integrity and privacy.

  • Intrusion: Intrusion detection tools continually monitor to determine if someone has gained or is trying to gain unauthorized access to the system. Intrusion detection tools are the sensors that alert IT managers when security access violations occur.

Three key technologies used in providing VPN solutions include but are not limited to:

  • IPsec/9000: Hewlett-Packard's IPSec product supports elements for network security, such as confidentiality, authentication, integrity, non-repudiation, packet filtering, management, and administration with access control. The IPSec product is built on industry standards and is designed to provide interoperable, high quality, cryptographically based security for IP packet traffic. IPSec addresses these security problems:

    - Packet tampering

    - Spoofing

    - Capture of critical data, such as passwords and credit card numbers, sent over the network in clear text

    IPSec provides a secure encrypted user session between two end-systems running HP-UX. IPSec does not adversely affect other users, hosts, or Internet components that do not employ IPSec to protect their traffic.

  • IPFilter: HP-UX IPFilter (B9901AA) is a stateful system firewall that filters IP packets to control packet flow in or out of a machine. It works as a security defense by cutting down on the number of exposure points on a machine.

    HP-UX IPFilter is based on ipfilter v3.5 alpha 5 from the open source community (see http://caligula.anu.edu.au/~avalon/ for more detail). It can be run either as DLKM or as statically linked modules. These are the key benefits of IPFilter:

    - It allows control of incoming TCP connections through the Dynamic Connection Allocation (DCA) feature.

    - It supports the Network Address Translation (NAT) feature, which lets an intermediate HP-UX system act as a translator of IP addresses and network ports.

    - It explicitly permits or denies a packet from passing through, based on the following:

        • IP address or a range of IP addresses

        • IP protocol (IP/TCP/UDP)

        • IP fragments

        • IP options

        • IP security classes

        • TCP ports and port ranges

        • UDP ports and port ranges

        • ICMP message type and code

        • Combination of TCP flags

        • Interface

    - It sends back ICMP error/TCP reset for blocked packets.

    - It keeps packet state information for TCP, UDP, and ICMP.

    - It keeps fragment state information for any IP packet, applying the same rule to all fragments.

    - It drops all fragmented traffic if specified by rule.

    - It redirects packets for forensic analysis if specified by rule.

    - It creates extensive logs when required.

  • HP-UX AAA Server: The HP-UX AAA Server is used for Authentication, Authorization, and Accounting of user network access at the entry point to a network. The HP-UX AAA Server provides user authentication for network access devices by utilizing the industry standard Remote Authentication Dial-In User Service (RADIUS) protocol. This product also provides RADIUS-based authorization and accounting (access) log files that can be used by billing and accounting applications. A key feature for enterprise-wide authentication is the support for LDAP version 3 compliant directories as well as Oracle databases.
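As an added example (not from the book or from HP's own documentation), the following ipf.conf rule set shows how the IPFilter capabilities listed above (address, protocol, port, TCP-flag, ICMP-type and interface matching; fragment and IP-option handling; TCP reset and ICMP error replies; connection state; logging; copying packets to a monitoring interface) appear in practice on one host. The interface names lan0 and lan1, the file path, and all addresses are constructed placeholders.

```ipfilter
# Constructed example for /etc/opt/ipf/ipf.conf on an HP-UX host whose
# lan0 interface is 192.0.2.10 (all addresses are placeholders).
# Rules are evaluated top to bottom; "quick" stops at the first match.

# Drop and log all fragments and all packets carrying IP options
# (fragment and IP-option matching, applied by rule).
block in log quick on lan0 all with frag
block in log quick on lan0 all with ipopts

# Default policy: log and drop anything not explicitly permitted.
block in log on lan0 all
block out log on lan0 all

# Sessions started by this host: keep state so replies are admitted
# without separate inbound rules (TCP, UDP and ICMP state tables).
pass out quick on lan0 proto tcp from 192.0.2.10/32 to any flags S keep state
pass out quick on lan0 proto udp from 192.0.2.10/32 to any keep state
pass out quick on lan0 proto icmp from 192.0.2.10/32 to any keep state

# Inbound SSH only from the management subnet and only on the initial SYN
# (flags S); the state entry then carries the rest of the connection.
pass in quick on lan0 proto tcp from 198.51.100.0/24 to 192.0.2.10/32 port = 22 flags S keep state

# Inbound echo requests are allowed by ICMP type; all other ICMP stays blocked.
pass in quick on lan0 proto icmp from any to 192.0.2.10/32 icmp-type echo

# Reject ident probes with a TCP reset instead of a silent drop, so remote
# mail servers do not stall waiting for a timeout.
block return-rst in quick on lan0 proto tcp from any to 192.0.2.10/32 port = 113

# Answer blocked UDP with an ICMP port-unreachable.
block return-icmp(port-unr) in quick on lan0 proto udp from any to 192.0.2.10/32

# Copy telnet attempts to a monitoring host on lan1 for forensic analysis
# (dup-to), log them, and drop the original.
block in log quick on lan0 dup-to lan1:203.0.113.5 proto tcp from any to 192.0.2.10/32 port = 23
```

Load the rules with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and confirm the state table with `ipfstat -s`; a mistake in the default block rules can lock out remote administration, so test from the console first.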

We look at both IPSec and IPFilter in detail in Chapter 30, "A New Breed of Security Tools." A key feature of a VPN is to ensure that all communications over any external networks (the Internet) are kept private. Public-key cryptography is a key element in such a design. Keys need to be distributed in such a way as to be secure as well as accessible. Within an organization, an LDAP server within the DMZ of the organization can provide a mechanism whereby corporate-wide information (the public keys of the partners you are communicating with) is made available to everyone within the organization. This avoids internal clients having to access the Internet to obtain public keys for remote partners. External to the corporation, Certification Authorities will manage the distribution and secure handling of each organization's public keys. A full discussion of PKI (Public Key Infrastructure) is given in Chapter 30. As always, http://docs.hp.com provides an invaluable source of information on all these topics. Figure 23-10 shows a stylized view of a possible VPN solution. NOTE: Not all devices are shown in the name of simplicity.

Figure 23-10. Example VPN solution.


HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434