Lesson 3: Designing Remote Access Security for Networks

When designing secure connectivity to remote offices, you must choose a method for connecting the remote office and develop a security plan for the remote office link.

Choosing Remote Office Connectivity Solutions

Your first decision when connecting a remote office to a corporate network is choosing which connection solution to use. You can deploy a dedicated (or private) WAN link or you can implement a VPN over a public network such as the Internet. Your decision will be based on your evaluation of the risks and costs associated with each deployment.

Private WAN links are typically implemented by purchasing or leasing a dedicated telecommunications line between the remote office and the corporate network, as shown in Figure 13.6.


Figure 13.6 Connecting a remote network to the corporate office using a dedicated WAN link

The telecommunication links are typically technologies such as T1, T3, Frame Relay, or Integrated Services Digital Network (ISDN). Advantages of selecting a dedicated WAN solution include guaranteed bandwidth between sites and not sharing the network link with other organizations.

In a VPN solution the organization uses a public network to link the offices. The remote office and the corporate office will still require telecommunication links, but the links will be to the Internet rather than between the offices. Using a public network between the offices carries a risk of data interception. By creating VPNs between the two offices, you reduce the risk because the data is transmitted in an encrypted format.

Making the Decision

Table 13.9 shows the factors you need to consider when deciding whether to implement private or VPN methods for connecting a remote office to a corporate network.

Table 13.9 Choosing a Remote Office Connectivity Solution

Choose This Connection Solution / To Meet These Business Objectives

Dedicated WAN link:
  • To restrict network traffic over the WAN link exclusively to traffic between the two offices.
  • To guarantee bandwidth between the two sites.
  • The cost of a dedicated link isn't prohibitive.
  • International boundaries or local laws don't prevent the establishment of a dedicated network link.

VPN over a public network:
  • To leverage existing Internet links to provide network connectivity between sites.
  • To provide connectivity between hardware from different network vendors over public networks.
  • To reduce the costs associated with connecting offices across international boundaries.

Applying the Decision

Due to the high costs of establishing a dedicated WAN link between Canada and the United States, Hanson Brothers plans to implement a VPN solution. All data exchanged between the Montréal office and the Warroad office must be encrypted as it's transmitted over the Internet.

Securing Dedicated WAN Connections

Although dedicated WAN connections aren't exposed to the same vulnerabilities as VPN solutions, you should still take the following measures to ensure the security of transmitted data over the WAN connection:

  • Limit the types of data that can be transmitted over the WAN link. Configure routers at the remote network and corporate office with packet filters that define the types of network traffic that can cross the dedicated WAN link.
  • Limit which computers can transmit data over the WAN link. Configure packet filters to define which IP addresses are allowed to transmit data over the WAN link. You can use this design to limit WAN link usage to servers and prevent unauthorized client computers from connecting to remote servers.
  • Encrypt all traffic that's transmitted over the WAN link. You can configure some routers to encrypt data as it's transmitted over the WAN link. Consider encrypting traffic if you want to prevent the company that provides the WAN connection from viewing the transmitted data.
  • Require mutual authentication of routers. In some network designs, such as frame relay networks, you can establish multiple connections in the WAN environment. Configuring mutual authentication of routers can limit the connections that can be established between routers.

NOTE

A Windows 2000 server configured with RRAS can act as a router for a dedicated network link. Windows 2000 supports common routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) protocol and can interoperate with many third-party routers.

Making the Decision

Table 13.10 outlines the design decisions you face when implementing a dedicated network connection between network offices.

Table 13.10 Designing Security for Dedicated WAN Links

To / Do the Following

Limit which protocols are allowed to traverse the network link:
  • Determine which protocols your organization will permit to traverse the WAN link.
  • Design packet filters to match the allowed protocols or to match the protocols that can't be transmitted over the WAN link.
  • Apply the packet filters at each router and test to ensure that the filters only allow the use of desired protocols.

Limit which computers can transmit data over the WAN link:
  • Identify which computers will be allowed to transmit data across the WAN link.
  • Develop packet filters at each router that enforce which computers can transmit data over the WAN link.

Ensure that confidential data can't be inspected as it's transmitted:
  • Configure the routers to encrypt data over the WAN link.

Limit which routers can connect to another router:
  • Enable mutual authentication between routers to limit which routers can establish connections.
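The following Python model is an added example, not code from the training kit: it applies the packet-filter design from the list above and Table 13.10 to a constructed dedicated WAN link, restricting both the protocols and the source computers allowed across it, and includes the "apply and test" step as a replay of sample packets. All subnets, hosts and ports are assumed for illustration.

```python
# Added example, not from the training kit: router packet filters for a dedicated
# WAN link that limit both the protocols and the computers allowed across it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # CIDR prefix, or a single host as /32
    dst: str
    proto: str = "any"
    dport: int = 0      # 0 matches any port

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

def evaluate(rules, p):
    """First matching rule wins; a packet matching no rule is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed design: only the remote-office file server (.10, SMB) and mail
# relay (.11, SMTP) may reach the corporate LAN; client PCs hit the final deny.
WAN_LINK_FILTERS = [
    Rule("permit", "10.1.0.10/32", "10.2.0.0/24", "tcp", 445),
    Rule("permit", "10.1.0.11/32", "10.2.0.0/24", "tcp", 25),
    Rule("deny", "10.1.0.0/24", "10.2.0.0/24"),
]

def check_design(rules, cases):
    """The test step from Table 13.10: every (packet, expected verdict) must hold."""
    return all(evaluate(rules, p) == want for p, want in cases)

CASES = [
    (Packet("10.1.0.10", "10.2.0.5", "tcp", 445), "permit"),
    (Packet("10.1.0.10", "10.2.0.5", "tcp", 23), "deny"),    # telnet isn't permitted
    (Packet("10.1.0.50", "10.2.0.5", "tcp", 445), "deny"),   # a client PC, not a server
]
```

The same rule set is applied at the router on each end of the link, so the replay should be run against both routers' copies.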

Applying the Decision

Hanson Brothers plans to use a VPN solution for connecting the Montréal office to the corporate network in Warroad. Since a third-party firewall will be used at the Montréal office, many of the design decisions for dedicated network connections will be applied at the firewall.

Configure the third-party firewall to accept only connections from the remote access server at the Warroad office. This ensures that no other routers, remote access servers, or firewalls can establish connections to the firewall.

Designing VPN Solutions

VPNs allow an organization to leverage existing network links to a public network and use those links to connect remote offices. VPNs ensure that data is protected as it's transmitted over the public network.

VPN solutions between offices can use PPTP, L2TP/IPSec, and IPSec tunnel mode. Your choice depends on the remote access devices deployed at each office, the availability of a Public Key Infrastructure (PKI), and the placement of remote access devices.

For example, Figure 13.7 shows a typical remote access server deployment for securing access to a remote network. In this scenario, the remote access server, also referred to as a tunnel server, is located in the network's Demilitarized Zone (DMZ). The DMZ, or perimeter network, is used to store externally available resources. In this scenario the DMZ is implementing NAT. Since you can't use IPSec to connect through a firewall that's implementing NAT, this network infrastructure supports only a PPTP tunnel connection to the tunnel server.


Figure 13.7 A VPN deployment in a DMZ using private network addressing

NOTE

You can identify when NAT is applied by inspecting the address ranges used on the interfaces of the firewall or perimeter server. If any of the interfaces use RFC 1918 addressing while others use public network addressing, the firewall or perimeter server is performing NAT services.

Alternatively, you could deploy the tunnel server in the network shown in Figure 13.8.


Figure 13.8 A VPN deployment in a DMZ not using private network addressing

In this network the tunnel server is located in a network segment that's using public network addressing. Because the firewall isn't performing NAT on traffic entering the DMZ, the VPN can use PPTP, L2TP/IPSec, or IPSec tunnel mode. The decision in this case will be based on other business factors.

What if the Tunnel Server is the Server Performing NAT?

You can deploy NAT and IPSec tunnels in one circumstance—when the tunnel server is also the server that performs the NAT process, as shown in Figure 13.9.


Figure 13.9 A scenario where IPSec and NAT can work together

In this scenario the tunnel servers at the corporate office and the remote network are both performing NAT services for the local networks. The external interfaces connected to the Internet use public network addresses.

If L2TP/IPSec or IPSec tunnel mode is configured between the two tunnel servers, the VPN connection will terminate before the NAT process is performed on any incoming or outgoing packets.

Making the Decision

Table 13.11 shows a decision matrix for determining when to use PPTP, L2TP/IPSec, or IPSec tunnel mode to connect remote offices with a VPN over a public network.

Table 13.11 Determining When to Deploy Tunneling Protocols

Use the Following VPN Protocol / When

PPTP:
  • Either tunnel server is located in a network segment where NAT is performed.
  • Creating VPNs with Windows NT 4.0 RAS servers. Windows NT 4.0 RAS servers only support the use of PPTP. Windows NT 4.0 doesn't support IPSec encryption.
  • You require only user authentication for the VPN connection. PPTP connections are established by authenticating the user accounts provided for the connection.

L2TP/IPSec:
  • Stronger encryption is required for the connection between sites.
  • Authentication of both a user account and a machine account is required.
  • The tunnel servers aren't located behind a firewall or perimeter server that performs NAT.

IPSec tunnel mode:
  • The tunnel servers aren't located behind a firewall or perimeter server that performs NAT.
  • Connecting to a third-party firewall or a firewall that doesn't support PPTP or L2TP/IPSec.
  • You only require machine authentication between the two tunnel endpoints.

Applying the Decision

Hanson Brothers will use IPSec tunnel mode for the connection between the Montréal office and the corporate office in Warroad. Hanson Brothers must either ensure that the DMZ uses public network addressing or deploy the tunnel server as a perimeter server so that the NAT process takes place after the tunnel has terminated.
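As an added example (not code from the training kit), the Python below combines the NAT check from the note under Figure 13.7 (RFC 1918 addressing on some interfaces of the firewall, public addressing on others) with the decision matrix of Table 13.11, and then evaluates the Hanson Brothers case. The site dictionaries, their keys and all addresses are constructed for illustration.

```python
# Added example, not from the training kit: the NAT check from the note under
# Figure 13.7 (RFC 1918 on some interfaces, public on others) plus the
# decision matrix of Table 13.11. Site descriptions below are constructed.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

def performs_nat(interfaces):
    """True when a firewall or perimeter server mixes private and public addressing."""
    kinds = {is_rfc1918(a) for a in interfaces}
    return kinds == {True, False}

def choose_tunnel_protocol(site_a, site_b):
    """Each site is a dict: 'outer_firewall_ifaces' (addresses of the firewall
    between the Internet and the tunnel server; empty when the tunnel server is
    itself the perimeter device), 'device' ('win2000', 'nt4_ras' or 'third_party'),
    'pptp_l2tp' (device supports PPTP or L2TP/IPSec) and 'auth' ('user',
    'machine' or 'user+machine')."""
    sites = (site_a, site_b)
    nat_in_path = any(performs_nat(s["outer_firewall_ifaces"]) for s in sites)
    ipsec_only = any(s["device"] == "third_party" and not s["pptp_l2tp"] for s in sites)
    if nat_in_path and ipsec_only:
        raise ValueError("no protocol fits: NAT in the path, but a peer speaks only IPSec")
    if nat_in_path or any(s["device"] == "nt4_ras" for s in sites):
        return "PPTP"               # IPSec can't cross NAT; NT 4.0 RAS is PPTP-only
    if ipsec_only:
        return "IPSec tunnel mode"  # third-party firewall without PPTP or L2TP/IPSec
    needs_user = any("user" in s["auth"] for s in sites)
    needs_machine = any("machine" in s["auth"] for s in sites)
    if needs_user and needs_machine:
        return "L2TP/IPSec"         # user account plus machine account
    return "IPSec tunnel mode" if needs_machine else "PPTP"

# Hanson Brothers: Windows 2000 tunnel server in a DMZ that uses public addressing,
# peering with a third-party firewall that supports neither PPTP nor L2TP/IPSec.
WARROAD = {"outer_firewall_ifaces": ["203.0.113.1", "203.0.113.2"],
           "device": "win2000", "pptp_l2tp": True, "auth": "machine"}
MONTREAL = {"outer_firewall_ifaces": [], "device": "third_party",
            "pptp_l2tp": False, "auth": "machine"}
```

Changing the Warroad firewall to mix a private and a public interface makes the function raise, which is the case the text resolves by moving the tunnel server to the perimeter so that NAT happens after the tunnel terminates.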

To secure the tunnel server, include the following tasks in the security design plan:

  • Configure the IPSec security association to use preshared key authentication. The third-party firewall doesn't support certificate-based authentication. You can't use Kerberos authentication because the third-party firewall can't be a member of the domain. Therefore, preshared key authentication is your only option.
  • Configure the third-party firewall to accept only connections from the Windows 2000 tunnel server. This ensures that only the tunnel server can connect to the third-party firewall.
  • Configure the third-party firewall as a tunnel endpoint for IPSec communications. The IPSec security association requires two packet filters: a packet filter describing network traffic directed from the Warroad office to the Montréal office using the third-party firewall as the tunnel endpoint and a packet filter describing network traffic from the Montréal office to the Warroad office using the Warroad office tunnel server's external network interface card (NIC) as the tunnel endpoint.
  • Configure the tunnel server as a tunnel endpoint for IPSec communications. The IPSec security association requires two packet filters: a packet filter describing network traffic directed from the Warroad office to the Montréal office using the third-party firewall as the tunnel endpoint and a packet filter describing network traffic from the Montréal office to the Warroad office using the Warroad office tunnel server's external NIC as the tunnel endpoint.
  • Ensure that the Windows 2000 High Encryption Pack is installed on the tunnel server and that the third-party firewall allows 3DES encryption. This allows the IPSec security association to negotiate the use of 3DES as the encryption algorithm for transmitted data.
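The following Python is an added example (not code from the training kit or from Windows 2000) that models the two tunnel endpoints in the task list above: each accepts an IPSec negotiation only from its designated peer, requires 3DES, and carries the same pair of direction-specific filters, each naming the tunnel endpoint for that direction. The LAN prefixes and the external addresses of the Warroad NIC and the Montréal firewall are constructed placeholders.

```python
# Added example, not from the training kit: the two tunnel endpoints of the
# Hanson Brothers design with their peer restriction, 3DES requirement and the
# mirrored pair of IPSec tunnel-mode filters. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class TunnelFilter:
    src_net: str            # where the traffic originates
    dst_net: str            # where it is going
    tunnel_endpoint: str    # external address that terminates the tunnel for this direction

@dataclass
class TunnelEndpoint:
    name: str
    external_addr: str
    peer_addr: str          # the only peer allowed to establish the security association
    filters: list
    ciphers: tuple = ("3DES",)   # High Encryption Pack installed / firewall allows 3DES

    def accept_negotiation(self, peer, offered_ciphers):
        """Reject unknown peers and proposals that cannot agree on 3DES."""
        return peer == self.peer_addr and "3DES" in offered_ciphers and "3DES" in self.ciphers

    def route(self, src, dst):
        """Tunnel endpoint a packet must be sent to, or None if the SA doesn't cover it."""
        for f in self.filters:
            if ip_address(src) in ip_network(f.src_net) and ip_address(dst) in ip_network(f.dst_net):
                return f.tunnel_endpoint
        return None

WARROAD_LAN, MONTREAL_LAN = "10.2.0.0/16", "10.1.0.0/16"        # constructed
WARROAD_NIC, MONTREAL_FW = "203.0.113.10", "198.51.100.20"      # constructed

def site_filters():
    """Same two filters on both devices: Warroad->Montréal terminates at the
    third-party firewall, Montréal->Warroad at the Warroad server's external NIC."""
    return [TunnelFilter(WARROAD_LAN, MONTREAL_LAN, MONTREAL_FW),
            TunnelFilter(MONTREAL_LAN, WARROAD_LAN, WARROAD_NIC)]

warroad = TunnelEndpoint("Warroad tunnel server", WARROAD_NIC, MONTREAL_FW, site_filters())
montreal = TunnelEndpoint("Montréal firewall", MONTREAL_FW, WARROAD_NIC, site_filters())
```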

Lesson Summary

If your organization requires connectivity to remote offices, you must ensure that security is maintained so that network communications to the remote office don't weaken the overall network security.

Define security to protect all data transmitted between the remote office and the corporate network. This may be as simple as providing authentication between the connecting devices, or it may require the encryption of all data transmitted between the networks. Whatever solution you choose, make sure that it meets your business objectives without weakening network security.



Microsoft Corporation, MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
Year: 2001
Pages: 172
