External access to a network has evolved from the sporadic use of pcAnywhere with a modem on a desktop, or dial-in remote access to run corporate applications, to fully integrated enterprise networks that use VPN connections across the Internet to provide complete remote office connectivity.
A Virtual Private Network (VPN) uses a public network infrastructure, such as the Internet, to give remote users and remote sites access to a corporate network over a secure connection. Security is provided through authentication, tunneling, and encryption techniques such as RADIUS, TACACS+, PPTP, L2TP, SSL, and IPsec, which protect the data in transit. A VPN typically takes the original data and encapsulates it within IP packets that are secured by the chosen VPN technology, such as IPsec.
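To make that encapsulation concrete, here is an added example (not from this chapter, and not code from Cisco or Nortel) that builds an IPsec ESP tunnel-mode packet around an inner IPv4 packet and then shows what an observer on the public network can and cannot see. It is a minimal, self-contained model of the real packet layout (outer IP header, ESP header with SPI and sequence number, encrypted inner packet plus ESP trailer, integrity check value); the gateway addresses, inner addresses, and keys are constructed for the example, and the cipher is an HMAC-based counter-mode stand-in for the AES modes a real VPN would use.

```python
import hmac
import hashlib
import socket
import struct

ESP_PROTO = 50    # IP protocol number carried in the outer header for ESP (RFC 4303)
IPIP_PROTO = 4    # ESP "next header" value meaning "an IPv4 packet is inside"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    # Stand-in for the real ESP cipher (AES-CBC or AES-GCM in practice):
    # HMAC-SHA256 in counter mode, bound to the SPI and sequence number.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes) -> bytes:
    """ESP header + encrypted (inner packet + trailer) + ICV."""
    pad_len = (-(len(inner) + 2)) % 4            # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_PROTO])
    plaintext = inner + trailer
    ciphertext = _xor(plaintext, _keystream(enc_key, spi, seq, len(plaintext)))
    header = struct.pack("!II", spi, seq)       # SPI and sequence number are sent in the clear
    # ICV covers header and ciphertext: HMAC-SHA-256 truncated to 128 bits (RFC 4868 style)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv


def esp_decapsulate(esp: bytes, enc_key: bytes, auth_key: bytes):
    """Verify the ICV first, then decrypt; returns None if integrity fails."""
    header, body, icv = esp[:8], esp[8:-16], esp[-16:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", header)
    plaintext = _xor(body, _keystream(enc_key, spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPIP_PROTO:
        return None
    return plaintext[:len(plaintext) - 2 - pad_len]


def tunnel_encapsulate(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int,
                       enc_key: bytes, auth_key: bytes) -> bytes:
    """Outer IP header (gateway to gateway, protocol 50) around the ESP payload."""
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp_encapsulate(inner, spi, seq, enc_key, auth_key))


def tunnel_decapsulate(outer: bytes, enc_key: bytes, auth_key: bytes):
    o = parse_ipv4(outer)
    if o["proto"] != ESP_PROTO:
        return None
    return esp_decapsulate(o["payload"], enc_key, auth_key)


def on_the_wire(outer: bytes) -> dict:
    """Everything an observer between the gateways learns without the keys."""
    o = parse_ipv4(outer)
    spi, seq = struct.unpack("!II", o["payload"][:8])
    return {"src": o["src"], "dst": o["dst"], "proto": o["proto"], "spi": spi,
            "seq": seq, "encrypted_bytes": len(o["payload"]) - 8 - 16}


if __name__ == "__main__":
    # Constructed sample: an inner packet between two private LANs, two constructed keys.
    inner = build_ipv4("10.1.0.25", "10.2.0.7", 6, b"private application data")
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32
    outer = tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1, enc_key, auth_key)
    print(on_the_wire(outer))
    print(tunnel_decapsulate(outer, enc_key, auth_key) == inner)
```

The `on_the_wire` view is the part worth keeping in mind when hardening: the public network sees only the two gateway addresses, protocol 50, the SPI and a sequence counter, while the inner addresses and data are inside the encrypted payload. The decapsulation side checks the ICV before it touches the ciphertext, which is the order a receiving gateway must follow so that a modified packet is dropped rather than decrypted.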
As these external access technologies have matured, many companies have turned in particular to VPNs as a method to provide all manner of remote connectivity: from individual user access, to remote office network access to the corporate internetwork, to initial connections between companies after an acquisition, and even access to strategic business partners' resources and systems.
At the same time, this creates a security issue that must be addressed: namely, how can we provide the kinds of external access that our users require while ensuring that our network remains as hardened as possible? We are going to look at the unique issues of VPN connectivity and how it can be hardened. After that, we are going to look at providing traditional dial-in remote access connectivity and how those connections can be hardened.
Here is the hardware and software for which I provide specific configuration examples in this chapter:
A Cisco Secure VPN 3005 concentrator running Cisco Systems, Inc./VPN 3000 concentrator version 4.0.4.Rel Dec 4, 2003
A Nortel Contivity 1100 extranet switch running version 4.80.124