Unification of corporate networks via ip protocol vpn. Consolidation of networks of remote offices

How to create a single private network for all mobile workers and remote branches

What is a VPN?

Suppose we have two offices in different parts of the city, or in different cities or countries, and each of them is connected to the Internet. To work, say, 1C as a single corporate system, we need to integrate them into a single local network. (Despite the fact that we offer solutions for 1C in the form of distributed databases. Sometimes it’s easier to create single network and connect directly to 1C server as if the server is in your premises)

Of course, you can buy a personal line between two cities, but this solution will most likely be super expensive.
The solution through a virtual private network (VPN - Virtual Private Network) offers us to organize this dedicated line by creating an encrypted tunnel over the Internet. The main advantage of a VPN over dedicated communication lines is saving the company's money when the channel is completely closed.
From the consumer's point of view, VPN is a technology that can be used to organize remote secure access through open Internet channels to servers, databases, and any resources of your corporate network. Let's say an accountant in city A can easily print an invoice on the printer of a secretary in city B to whom the client came. Remote employees connected via VPN from their laptops will also be able to work on the network, as if they were in the physical network of their offices.

Very often, customers, faced with *brakes* of cash registers when using Remote Desktop, come to the need to install a VPN. This will allow you to get rid of sending data for the cash register back and forth to the server using virtual COM via the Internet and will allow you to install a thin client at any point that communicates directly with the cash register, sending only the necessary information to the server via a closed channel. And broadcasting the RDP interface directly to the Internet exposes your company to very high risks.

Connection methods

Methods of organization in VPN it is most expedient to distinguish the following 2 main methods:

• (Client - Network ) Remote access of individual employees to the corporate network of the organization via modem or public network.
• (Network - Network) Combining two or more offices into a single secure virtual network via the Internet

Most manuals, especially for Windows, describe the connection according to the first scheme. At the same time, it must be understood that this connection is not a tunnel, but only allows you to connect to the VPN network. To organize these tunnels, we need only 1 white IP and not according to the number of remote offices, as many mistakenly believe.

The figure shows both options for connecting to the main office A.

Between offices A and B, a channel is organized to ensure the integration of offices into a single network. This ensures that both offices are transparent to any device located in one of them, which solves many problems. For example, the organization of a single numbering capacity within one PBX having IP phones.

All services of office A are available to mobile clients, and when office B is in a single virtual network, its services are also available.

In this case, the method of connecting mobile clients is usually implemented by the PPTP protocol (Point-to-Point Tunneling Protocol) Point-to-point tunneling protocol, and the second IPsec or OpenVPN

PPTP

(Point-to-Point Tunneling Protocol bumagin-lohg) is a point-to-point tunneling protocol, the brainchild of Microsoft and is an extension of PPP (Point-to-Point Protocol), therefore, uses its authentication, compression and encryption mechanisms. The PPTP protocol is built into the remote client Windows Access xp. With the standard choice of this protocol, Microsoft suggests using the MPPE (Microsoft Point-to-Point Encryption) encryption method. You can transfer data without encryption in the clear. PPTP data encapsulation occurs by adding a GRE (Generic Routing Encapsulation) header and an IP header to the data processed by the PPP protocol.

Due to significant security concerns, there is no reason to choose PPTP over other protocols other than the device's incompatibility with other VPN protocols. If your device supports L2TP/IPsec or OpenVPN, then it is better to choose one of these protocols.

It should be noted that almost all devices, including mobile ones, have a client built into the OS (Windows, iOS, Android) that allows you to instantly set up a connection.

L2TP

(Layer Two Tunneling Protocol) is a more advanced protocol that was born as a result of the combination of the PPTP protocols (from Microsoft) and L2F (from Cisco), incorporating all the best of these two protocols. Provides a more secure connection than the first option, encryption occurs using the IPSec protocol (IP-security). L2TP is also built into the client remote access Windows XP, moreover, when automatically determining the type of connection, the client first tries to connect to the server using this protocol, which is more preferable in terms of security.

At the same time, the IPsec protocol has such a problem as negotiating the necessary parameters. Despite the fact that many manufacturers set their default parameters without the possibility of configuration, the hardware using this protocol will be incompatible.

openvpn

An advanced open VPN solution created by "OpenVPN technologies", which is now the de facto standard in VPN technologies. The solution uses SSL/TLS encryption protocols. OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a large number of different cryptographic algorithms such as 3DES, AES, RC5, Blowfish. As with IPSec, CheapVPN includes extreme high level encryption - AES algorithm with a key length of 256 bits.
OpenVPN - The only solution that allows you to bypass those providers that cut or charge for opening additional protocols other than the WEB. This makes it possible to organize channels that, in principle, impossible to trace and we have such solutions

Now you have some idea of ​​what a VPN is and how it works. If you are a leader - think about it, maybe this is exactly what you were looking for

An example of setting up an OpenVPN server on the pfSense platform

Create a server

• interface: WAN(server network interface connected to the internet)
• Protocol: UDP
• Local port: 1194
• Description: pfSenseOVPN(any convenient name)
• Tunnel Network: 10.0.1.0/24
• Redirect Gateways: Turn on(Disable this option if you do not want all client Internet traffic to be redirected through the VPN server.)
• local network: Leave blank(If you want the local network behind the pfSense server to be accessible to remote VPN clients, specify the address space of that network here. Let's say 192.168.1.0/24)
• Concurrent Connections: 2 (If you purchased an additional OpenVPN Remote Access Server license, enter the number corresponding to the number of licenses purchased)
• Inter-Client Communications: Turn on(If you don't want VPN clients to see each other, disable this option)
• DNS Server 1 (2 etc.): specify the DNS servers of the pfSense host.(You can find their addresses in the section System > General Setup > DNS Servers)

then we create clients and to simplify the configuration procedures for client programs, pfSense provides additional tool – “OpenVPN Client Export Utility”. This tool automatically prepares installation packages and files for clients to avoid manual setting OpenVPN client.

VPN connection between offices covers such business security requirements as:

• Possibility of centralized access to information from offices, as well as from the main office
• Unified corporate Information system
• Enterprise databases with a single entry point
• Corporate email with a single entry point
• Confidentiality of information transferred between offices

If you have any difficulties in setting up or you have not yet decided on VPN technology - call us!

Every year electronic communication is improved, and to information exchange increasingly high demands are placed on the speed, security and quality of data processing.

And here we will take a closer look at a vpn connection: what it is, what a vpn tunnel is for, and how to use a vpn connection.

This material is a kind of introductory word to a series of articles where we will tell you how to create a vpn on various operating systems.

vpn connection what is it?

So, a virtual private network vpn is a technology that provides a secure (closed from external access) logical network connection over a private or public network in the presence of high-speed Internet.

Such a network connection of computers (geographically distant from each other at a considerable distance) uses a point-to-point connection (in other words, "computer-to-computer").

Scientifically, this connection method is called a vpn tunnel (or tunnel protocol). You can connect to such a tunnel if you have a computer with any operating system that has an integrated VPN client that can “forward” virtual ports using the TCP / IP protocol to another network.

What is vpn for?

The main advantage of vpn is that negotiators need a connectivity platform that not only scales quickly, but also (primarily) provides data confidentiality, data integrity, and authentication.

The diagram clearly shows the use of vpn networks.

Beforehand, the rules for connections over a secure channel must be written on the server and router.

how vpn works

When a vpn connection occurs, information about the IP address of the VPN server and the remote route is transmitted in the message header.

Encapsulated data passing over a public or public network cannot be intercepted because all information is encrypted.

The VPN encryption stage is implemented on the sender's side, and the recipient's data is decrypted by the message header (if there is a common encryption key).

After the message is correctly decrypted, a vpn connection is established between the two networks, which also allows you to work in a public network (for example, exchange data with a client 93.88.190.5).

Concerning information security, then the Internet is an extremely unsecured network, and a VPN network with OpenVPN, L2TP / IPSec, PPTP, PPPoE protocols is completely secure and in a safe way data transmission.

What is a vpn channel for?

vpn tunneling is used:

Inside the corporate network;

To unite remote offices, as well as small branches;

For digital telephony service with big set telecommunication services;

To access external IT resources;

To build and implement videoconferencing.

Why do you need a vpn?

vpn connection is required for:

Anonymous work on the Internet;

Application downloads, in the case when the ip address is located in another regional zone of the country;

Safe work in a corporate environment using communications;

Simplicity and convenience of connection setup;

Providing high speed connection without breaks;

Creation of a secure channel without hacker attacks.

How to use vpn?

Examples of how vpn works are endless. So, on any computer in the corporate network, when establishing a secure vpn connection, you can use mail to check messages, publish materials from anywhere in the country, or download files from torrent networks.

Vpn: what is it in the phone?

Access via vpn on your phone (iPhone or any other Android device) allows you to remain anonymous when using the Internet in public places, as well as prevent traffic interception and device hacking.

A VPN client installed on any OS allows you to bypass many settings and rules of the provider (if he has set any restrictions).

Which vpn to choose for the phone?

Android mobile phones and smartphones can use applications from the Google Play market:

• - vpnRoot, droidVPN,
• - tor browser for surfing networks, aka orbot
• - InBrowser, orfox (firefox+tor),
• - SuperVPN Free VPN Client
• - Open VPN Connect
• - Tunnel Bear VPN
• - Hideman VPN

Most of these programs serve for the convenience of "hot" system configuration, placement of launch shortcuts, anonymous Internet surfing, and selection of the type of connection encryption.

But the main tasks of using a VPN on your phone are checking corporate email, creating video conferences with multiple participants, and holding meetings outside the organization (for example, when an employee is on a business trip).

What is vpn on iphone?

Consider which vpn to choose and how to connect it to an iPhone in more detail.

Depending on the type of network supported, when you first start the VPN configuration on iphone, you can select the following protocols: L2TP, PPTP, and Cisco IPSec (in addition, you can “make” a vpn connection using third-party applications).

All of these protocols support encryption keys, user identification with a password and certification.

Among the additional features when setting up a VPN profile on an iPhone, one can note: RSA security, encryption level, and authorization rules for connecting to the server.

For iphone phone from the appstore you should choose:

• - free app Tunnelbear, with which you can connect to VPN servers in any country.
• - OpenVPN connect is one of the best VPN clients. Here, to run the application, you must first import rsa-keys via itunes to your phone.
• - Cloak is a shareware application, because for some time the product can be "used" for free, but to use the program after the demo period expires, you will have to buy it.

Creating a VPN: choosing and configuring equipment

For corporate communication large organizations or clusters of remote offices use hardware capable of maintaining uninterrupted, secure networking.

To implement vpn technologies, the following can act as a network gateway: Unix servers, windows server, network router and network gateway on which VPN is raised.

The server or device used to create a vpn network of an enterprise or a vpn channel between remote offices must perform complex technical tasks and provide a full range of services to users both on workstations and on mobile devices.

Any router or vpn router should provide reliable network operation without “freezes”. And the built-in vpn function allows you to change the network configuration for working at home, in an organization or a remote office.

vpn setup on router

AT general case vpn configuration on the router is carried out using the web interface of the router. On "classic" devices for organizing vpn, you need to go to the "settings" or "network settings" section, where you select the VPN section, specify the protocol type, enter your subnet address settings, masks and specify the range of ip addresses for users.

In addition, for the security of the connection, you will need to specify encoding algorithms, authentication methods, generate negotiation keys and specify DNS servers WINS. In the "Gateway" parameters, you need to specify the ip-address of the gateway (your ip) and fill in the data on all network adapters.

If there are several routers in the network, it is necessary to fill in the vpn routing table for all devices in the VPN tunnel.

Here is a list of hardware equipment used in building VPN networks:

Dlink routers: DIR-320, DIR-620, DSR-1000 with new firmware or D-Link router DI808HV.

Routers Cisco PIX 501, Cisco 871-SEC-K9

Linksys Rv082 Router Supporting About 50 VPN Tunnels

Netgear router DG834G and router models FVS318G, FVS318N, FVS336G, SRX5308

Mikrotik router with OpenVPN function. Example RouterBoard RB/2011L-IN Mikrotik

Vpn equipment RVPN S-Terra or VPN Gate

ASUS RT-N66U, RT-N16 and RT N-10 Routers

ZyXel routers ZyWALL 5, ZyWALL P1, ZyWALL USG

An example of equipment for building VPN on routers is equipment from Cisco Systems. Starting with IOS software release 11.3, Cisco routers support both L2TP and IPSec protocols. In addition to simply encrypting traffic in transit, Cisco supports other VPN features such as authentication at tunnel establishment and key exchange.

An optional ESA Encryption Module can be used to improve router performance. In addition, Cisco System has released a dedicated VPN appliance called the Cisco 1720 VPN Access Router for installation in small to medium sized businesses and large branch offices.

· Software Based VPN

The next approach to building a VPN is purely software-based. When implementing such a solution, specialized software is used that runs on a dedicated computer, and in most cases acts as a proxy server. The computer running this software may be located behind a firewall.

An example of such a solution is Digital's AltaVista Tunnel 97 software. When using this software, the client connects to the Tunnel 97 server, authenticates with it, and exchanges keys. Encryption is based on 56 or 128 bit keys obtained during the connection establishment. Next, the encrypted packets are encapsulated into other IP packets, which in turn are sent to the server. In addition, this software generates new keys every 30 minutes, which greatly increases the security of the connection.

The positive qualities of AltaVista Tunnel 97 are ease of installation and ease of management. The disadvantages of this system can be considered a non-standard architecture (its own key exchange algorithm) and low performance.

· Network OS based VPN

We will consider solutions based on a network OS using an example Windows systems Microsoft's NT. To create a VPN, Microsoft uses the PPTP protocol, which is integrated into the Windows NT system. This solution is very attractive for organizations using Windows as their corporate operating system. It should be noted that the cost of such a solution is much lower than the cost of other solutions. VPN in operation Windows base NT uses the NT user base stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated using the PAP, CHAP, or MS-CHAP protocols. The transmitted packets are encapsulated in GRE/PPTP packets. To encrypt packets, a non-standard protocol from Microsoft Point-to-Point Encryption is used with a 40 or 128 bit key obtained at the time of connection establishment. The disadvantages of this system are the lack of data integrity checks and the impossibility of changing keys during the connection. Good points are ease of integration with Windows and low cost.

· Hardware Based VPN

The option of building a VPN on special devices can be used in networks that require high performance. An example of such a solution is Radguard's IPro-VPN product. This product uses hardware-based encryption of transmitted information, capable of passing a stream of 100 Mbps. IPro-VPN supports IPSec protocol and ISAKMP/Oakley key management mechanism. Among other things, this device supports network address translation and can be supplemented with a special board that adds firewall functions

2. Protocols of VPN networks

VPN networks are built using data tunneling protocols over the public Internet communications network, with tunneling protocols encrypting data and transmitting it end-to-end between users. As a rule, today the following protocols are used to build VPN networks:

Link layer

2.1 Link layer

At the data link layer, the L2TP and PPTP data tunneling protocols can be used, which use authorization and authentication.

Currently, the most common VPN protocol is Point-to-Point Tunneling Protocol or PPTP. It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy point-to-point PPP protocol. In practice, PPP remains the communication protocol of a PPP connection session. PPTP creates a tunnel through the network to the recipient's NT server and sends the remote user's PPP packets through it. Server and work station use a virtual private network and don't pay attention to how secure or accessible the global network between them is. Server-initiated termination of a connection session, unlike specialized remote access servers, allows administrators to local network do not allow remote users to leave the system Windows Security NT Server.

Although the scope of the PPTP protocol extends only to devices operating under Windows control, it gives companies the ability to interoperate with existing network infrastructures without compromising their own security. Thus, a remote user can connect to the Internet using a local ISP through an analog phone line or ISDN channel and establish a connection to the NT server. At the same time, the company does not have to spend large sums on the organization and maintenance of a modem pool that provides remote access services.

The work of the RRTR is discussed next. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use the destination port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets. In addition to the PPTP control connection that keeps the link alive, a connection is created to forward the data tunnel. Data is encapsulated before it is sent through the tunnel in a slightly different way than during normal transmission. Encapsulating data before sending it to the tunnel involves two steps:

1. First, a PPP information part is created. Data flows from top to bottom, from application layer OSI to channel.

2. The received data is then sent up the OSI model and encapsulated by protocols upper levels.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot be sent to its destination, since the OSI link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes over the second-layer functions normally associated with PPP, i.e. adds a PPP header and ending to a PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a GenericRoutingEncapsulation (GRE) packet that belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk, DECnet to enable them to be transported over IP networks. However, GRE does not have the ability to establish sessions and provide data protection from intruders. This uses PPTP's ability to create a tunnel control connection. The use of GRE as an encapsulation method limits the scope of PPTP to only IP networks.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and ending. Appendix 3 shows the data structure for forwarding over a PPTP tunnel. [Annex 3]

The sending system sends data through the tunnel. The receiving system removes all service headers, leaving only the PPP data.

In the near future, an increase in the number of VPNs deployed based on the new layer 2 tunneling protocol Layer2 TunnelingProtocol - L2TP is expected.

L2TP appeared as a result of the merger of the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, and SLIP and PPP L2F packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering TaskForce (IETF) recommended Cisco Systems to merge PPTP and L2F. By all accounts, the L2TP protocol has incorporated the best features of PPTP and L2F. The main advantage of L2TP is that this protocol allows you to create a tunnel not only in IP networks, but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP only supports IP.

L2TP uses UDP as a transport and uses the same message format for both tunnel management and data forwarding. Microsoft's implementation of L2TP uses UDP packets containing encrypted PPP packets as control messages. Reliability of delivery is guaranteed by the control of the sequence of packets.

The functionality of PPTP and L2TP is different. L2TP can be used not only in IP networks, service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can only be used over IP networks and needs a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee close to 100% security of business-critical data. The features of L2TP make it a very promising protocol to build virtual networks.

VPN networks are built using data tunneling protocols over the public Internet communications network, with tunneling protocols providing data encryption and end-to-end transmission between users. As a rule, today the following protocols are used to build VPN networks:

• Link layer
• network layer
• transport layer.

1.1 Link layer

At the data link layer, the L2TP and PPTP data tunneling protocols can be used, which use authorization and authentication.

VPN protocol - point-to-point tunneling protocol or Point-to-Point Tunneling Protocol - PPTP. It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy point-to-point PPP protocol.

In practice, PPP remains the communication protocol of a PPP connection session. PPTP creates a tunnel through the network to the recipient's server and transmits the remote user's PPP packets through it.

The server and workstation use a virtual private network and don't care how secure or accessible the global network between them is. Server-initiated termination of a connection session, unlike specialized remote access servers, allows local network administrators not to let remote users through the Windows Server security system.

While PPTP is limited to devices running Windows, it gives companies the ability to interoperate with existing network infrastructures without compromising their own security.

RRTR work.

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use the destination port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets. In addition to the PPTP control connection that keeps the link alive, a connection is created to forward the data tunnel. Data is encapsulated before it is sent through the tunnel in a slightly different way than during normal transmission. Encapsulating data before sending it to the tunnel involves two steps:

1. First, the PPP information part is created. Data flows from top to bottom, from the OSI application layer to the link layer.
2. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot be sent to its destination, since the OSI link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes over the second-layer functions normally associated with PPP, i.e. adds a PPP header and ending to a PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet that belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk, DECnet to enable them to be transported over IP networks. However, GRE does not have the ability to establish sessions and provide data protection from intruders. This uses PPTP's ability to create a tunnel control connection. The use of GRE as an encapsulation method limits the scope of PPTP to only IP networks.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and ending.

The sending system sends data through the tunnel. The receiving system removes all service headers, leaving only the PPP data.

L2TP appeared as a result of the merger of the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, and SLIP and PPP L2F packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering Task Force (IETF) committee recommended that Cisco Systems combine PPTP and L2F. By all accounts, the L2TP protocol has incorporated the best features of PPTP and L2F.

The main advantage of L2TP is that this protocol allows you to create a tunnel not only in IP networks, but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP only supports IP.

L2TP uses UDP as a transport and uses the same message format for both tunnel management and data forwarding. Microsoft's implementation of L2TP uses UDP packets containing encrypted PPP packets as control messages. Reliability of delivery is guaranteed by the control of the sequence of packets.

The functionality of PPTP and L2TP is different. L2TP can be used not only in IP networks, service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can only be used over IP networks and needs a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee close to 100% security of business-critical data. Features of L2TP make it a very promising protocol for building virtual networks.

The L2TP and PPTP protocols differ from the layer 3 tunneling protocols in a number of ways:

1. Giving corporations the ability to choose how users authenticate and verify their credentials - on their own "territory" or with an Internet service provider. By processing tunneled PPP packets, corporate network servers obtain all the information they need to identify users.
2. Support for switching tunnels - terminating one tunnel and initiating another to one of the many potential terminators. Switching tunnels allows, as it were, to extend the PPP connection to the required endpoint.
3. Providing system administrators corporate network, the ability to implement strategies for assigning access rights to users directly on the firewall and internal servers.

Because tunnel terminators receive PPP packets containing user information, they are able to apply administrator-defined security policies to individual user traffic. (Layer 3 tunneling does not distinguish between packets coming from the ISP, so security policy filters must be applied at end workstations and network devices.) In addition, in the case of using a tunnel switch, it becomes possible to organize a "continuation" of the second layer tunnel to directly relay the traffic of individual users to the corresponding internal servers. Such servers may be tasked with additional packet filtering.

Also at the link layer, MPLS technology can be used to organize tunnels.

From English Multiprotocol Label Switching - multiprotocol label switching - a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks. MPLS operates at a layer that could be placed between the data link layer and the third network layer of the OSI model and is therefore commonly referred to as a network link layer protocol. It was designed to provide a versatile data service for both circuit-switched and packet-switched network customers. With MPLS, you can carry a wide variety of traffic, such as IP packets, ATM, SONET, and Ethernet frames.

VPN solutions at the link level have a rather limited scope, usually within the provider's domain.

1.2 Network layer

Network layer (IP layer). The IPSec protocol is used, which implements data encryption and confidentiality, as well as subscriber authentication. The use of the IPSec protocol allows you to implement full-featured access equivalent to a physical connection to a corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. each client must have software that implements IPSec.

IPSec
Naturally, no company would want to openly share financial or other confidential information on the Internet. VPN channels are protected by powerful encryption algorithms embedded in the IPsec security protocol standards. IPSec or Internet Protocol Security is a standard chosen by the international community, the IETF - Internet Engineering Task Force, which provides the security framework for the Internet Protocol (IP/IPSec protocol provides security on network layer and requires IPSec support only from devices communicating with each other on both sides of the connection. All other devices in between simply provide IP packet traffic.

The method of interaction between persons using IPSec technology is usually defined by the term "secure association" - Security Association (SA). A secure association operates on the basis of an agreement entered into by the parties that use IPSec to protect information transmitted to each other. This agreement governs several parameters: sender and recipient IP addresses, cryptographic algorithm, key exchange order, key sizes, key lifetime, authentication algorithm.

IPSec is a consensus set of open standards that has a core that can be easily extended with new features and protocols. The core of IPSec consists of three protocols:

• AH or Authentication Header - authentication header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is to allow the receiving party to verify that:
  • the packet was sent by a party with which a secure association has been established;
  • the contents of the packet were not distorted during its transmission over the network;
    the package is not a duplicate of an already received package.

The first two functions are mandatory for the AH protocol, and the last one is optional when establishing an association. To perform these functions, the AH protocol uses a special header.

Its structure is considered as follows:

1. The next header field indicates the code of the higher-level protocol, that is, the protocol whose message is placed in the data field of the IP packet.
2. The payload length field contains the length of the AH header.
3. The Security Parameters Index (SPI) is used to associate a package with its intended secure association.
4. The Sequence Number (SN) field indicates the sequence number of the packet and is used to protect against spoofing (when a third party tries to reuse intercepted secure packets sent by a truly authenticated sender).
5. The authentication data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate and check the integrity of the packet. This value, also called the digest, is computed using one of the two computationally irreversible MD5 or SAH-1 functions required by the AH protocol, but any other function can be used.

ESP or Encapsulating Security Payload– encrypted data encapsulation – encrypts transmitted data, providing confidentiality, can also support authentication and data integrity;

The ESP protocol solves two groups of problems.

1. The first includes tasks similar to those of the AH protocol - this is the provision of authentication and data integrity based on the digest.
2. The second is the protection of transmitted data by encrypting them from unauthorized viewing.

The header is divided into two parts separated by a data field.

1. The first part, called the ESP header itself, is formed by two fields (SPI and SN), the purpose of which is similar to the fields of the same name in the AH protocol, and is placed before the data field.
2. The remaining service fields of the ESP protocol, called the ESP trailer, are located at the end of the packet.

The two fields of the trailer - the next header and authentication data - are similar to the fields of the AH header. The Authentication Data field is omitted if a decision was made to not use the integrity capabilities of the ESP protocol when establishing a secure association. In addition to these fields, the trailer contains two additional fields - filler and filler length.

The AH and ESP protocols can protect data in two modes:

1. in transport - transmission is carried out with original IP headers;
2. in a tunnel, the original packet is placed in a new IP packet and the transmission is carried out with new headers.

The use of one mode or another depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. Thus, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

1. host host;
2. gateway-gateway;
3. host gateway.

The capabilities of the AH and ESP protocols partially overlap: the AH protocol is only responsible for ensuring the integrity and authentication of data, the ESP protocol can encrypt data and, in addition, perform the functions of the AH protocol (in a truncated form). ESP can support encryption and authentication/integrity functions in any combination, i.e. either the entire group of functions, or only authentication/integrity, or only encryption.

IKE or Internet Key Exchange– Internet key exchange – solves the auxiliary problem of automatically providing secure channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

1.3 Transport layer

The transport layer uses the SSL/TLS or Secure Socket Layer/Transport Layer Security protocol, which implements encryption and authentication between the transport layers of the receiver and transmitter. SSL/TLS can be used to secure TCP traffic, it cannot be used to secure UDP traffic. There is no need to implement special software for SSL/TLS VPN to function, as each browser and mail client equipped with these protocols. Due to the fact that SSL/TLS is implemented at the transport layer, a secure connection is established end-to-end.

The TLS protocol is based on Netscape SSL protocol version 3.0 and consists of two parts - TLS Record Protocol and TLS Handshake Protocol. The difference between SSL 3.0 and TLS 1.0 is minor.

SSL/TLS includes three main phases:

1. iDialogue between the parties, the purpose of which is to choose an encryption algorithm;
2. Key exchange based on public key cryptosystems or certificate based authentication;
3. Transfer of data encrypted using symmetric encryption algorithms.

1.4 VPN implementation: IPSec or SSL/TLS?

Often, the heads of IT departments are faced with the question: which of the protocols to choose for building a corporate VPN network? The answer is not obvious, as each approach has both pros and cons. We will try to analyze and identify when it is necessary to use IPSec, and when SSL / TLS. As can be seen from the analysis of the characteristics of these protocols, they are not interchangeable and can function both separately and in parallel, defining the functional features of each of the implemented VPNs.

The choice of protocol for building a corporate VPN network can be carried out according to the following criteria:

The type of access required for VPN users.

1. Fully functional permanent connection to the corporate network. The recommended choice is IPSec.
2. A temporary connection, such as a mobile user or a user using a public computer, in order to access certain services, such as e-mail or database. The recommended choice is the SSL/TLS protocol, which allows you to organize a VPN for each individual service.

Whether the user is an employee of the company.

1. If the user is a company employee, the device they use to access the corporate network via IPSec VPN can be configured in some specific way.
2. If the user is not an employee of the company whose corporate network is being accessed, it is recommended to use SSL/TLS. This will restrict guest access to certain services only.

What is the security level of the corporate network.

1. High. The recommended choice is IPSec. Indeed, the level of security offered by IPSec is much higher than the level of security offered by the SSL / TLS protocol due to the use of configurable software on the user side and a security gateway on the side of the corporate network.
2. Average. The recommended choice is the SSL/TLS protocol allowing access from any terminal.

The level of security of data transmitted by the user.

1. High, for example, company management. The recommended choice is IPSec.
2. Medium, for example, partner. The recommended choice is the SSL/TLS protocol.
   Depending on the service - from medium to high. The recommended choice is a combination of IPSec (for services requiring a high level of security) and SSL/TLS (for services requiring a medium level of security).

What is more important, rapid VPN deployment or future scalability of the solution.

1. Quickly deploy a VPN network at minimal cost. The recommended choice is the SSL/TLS protocol. In this case, there is no need to implement special software on the user's side, as in the case of IPSec.
2. VPN network scalability - adding access to various services. The recommended choice is the IPSec protocol that allows access to all services and resources of the corporate network.
3. Rapid deployment and scalability. The recommended choice is a combination of IPSec and SSL/TLS: use SSL/TLS in the first phase to access the required services, followed by the implementation of IPSec.

2. Methods for implementing VPN networks

A virtual private network is based on three implementation methods:

• tunneling;
• Encryption;
• Authentication.

2.1 Tunneling

Tunneling provides the transfer of data between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden from the source and destination of the data.

The transport medium of the tunnel, like a ferry, picks up the packets of the used network protocol at the entrance to the tunnel and delivers them unchanged to the exit. Building a tunnel is enough to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the “ferry” with data passes through many intermediate nodes (routers) of an open public network.

This state of affairs has two problems. The first is that information transmitted through the tunnel can be intercepted by intruders. If it is confidential (bank card numbers, financial reports, personal information), then the threat of its compromise is quite real, which is already unpleasant in itself.

Worse, attackers have the ability to modify the data transmitted through the tunnel so that the recipient cannot verify their authenticity. The consequences can be the most deplorable. Given the above, we come to the conclusion that the tunnel in its pure form is only suitable for certain types of network computer games and cannot qualify for a more serious application. Both problems are solved modern means cryptographic protection information.

To prevent unauthorized changes to the data packet on its way through the tunnel, the method of electronic digital signature (EDS) is used. The essence of the method is that each transmitted packet is supplied with an additional block of information, which is generated in accordance with an asymmetric cryptographic algorithm and is unique for the contents of the packet and the secret key of the sender's EDS. This block of information is the EDS of the package and allows you to authenticate the data by the recipient who knows the open EDS key sender. Protection of data transmitted through the tunnel from unauthorized viewing is achieved by using strong encryption algorithms.

2.2 Authentication

Security is the main function of a VPN. All data from client computers passes through the Internet to the VPN server. Such a server may be located at a great distance from client computer, and data on the way to the organization's network passes through the equipment of many providers. How to make sure that the data has not been read or changed? To do this, various methods of authentication and encryption are used.

PPTP can use any of the protocols used for PPP to authenticate users.

• EAP or Extensible Authentication Protocol;
• MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
• CHAP or Challenge Handshake Authentication Protocol;
• SPAP or Shiva Password Authentication Protocol;
• PAP or Password Authentication Protocol.

MSCHAP version 2 and Transport Layer Security (EAP-TLS) are considered the best because they provide mutual authentication, i.e. The VPN server and client identify each other. In all other protocols, only the server authenticates clients.

Although PPTP provides a sufficient degree of security, L2TP over IPSec is still more reliable. L2TP over IPSec provides authentication at the user and computer levels, as well as authentication and data encryption.

Authentication is carried out either by an open test (clear text password) or by a request / response scheme (challenge / response). With direct text, everything is clear. The client sends the password to the server. The server compares this to the benchmark and either denies access or says "welcome". Open authentication is practically non-existent.

The request/response scheme is much more advanced. AT general view it looks like this:

• the client sends a request to the server for authentication;
• the server returns a random response (challenge);
• the client removes a hash from his password (a hash is the result of a hash function that converts an input data array of arbitrary length into an output bit string of a fixed length), encrypts the response with it and sends it to the server;
• the server does the same, comparing the result with the client's response;
• if the encrypted response matches, the authentication is considered successful;

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates obtained from a certificate authority. The client and server exchange certificates and create a secure ESP SA (security association) connection. After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. Any protocol can be used for authentication, even PAP, which transmits the username and password in clear text. This is quite secure as L2TP over IPSec encrypts the entire session. However, authenticating the user with MSCHAP, which uses different encryption keys to authenticate the computer and the user, can increase security.

2.3. Encryption

Encryption with PPTP ensures that no one can access the data while it is being sent over the Internet. Two encryption methods are currently supported:

• MPPE or Microsoft Point-to-Point Encryption is only compatible with MSCHAP (versions 1 and 2);
• EAP-TLS and is able to automatically choose the length of the encryption key when negotiating parameters between the client and the server.

MPPE supports 40, 56 or 128 bit keys. Older Windows operating systems only support encryption with a key length of 40 bits, so in a mixed Windows environment, choose the minimum key length.

PPTP changes the value of the encryption key after each received packet. The MMPE protocol was designed for point-to-point links where packets are transmitted sequentially and there is very little data loss. In this situation, the key value for the next packet depends on the results of the decryption of the previous packet. When building virtual networks through public networks, these conditions cannot be met, since data packets often arrive at the recipient in the wrong order in which they were sent. Therefore, PPTP uses packet sequence numbers to change the encryption key. This allows decryption to be performed independently of previous received packets.

Both protocols are implemented in Microsoft Windows, and outside of it (for example, in BSD), VPN operation algorithms can differ significantly. On NT (and systems derived from it). Basic information is given in the table.

Thus, the “tunneling + authentication + encryption” bundle allows you to transfer data between two points through a public network, simulating the operation of a private (local) network. In other words, the considered tools allow you to build a virtual private network.

An additional nice effect of a VPN connection is the ability (and even the need) to use the addressing system adopted in the local network.

Implementation of virtual private network in practice it looks like this. In local computer network The VPN server is installed in the company's office. The remote user (or router, if two offices are connected) using the VPN client software initiates the connection procedure with the server. User authentication occurs - the first phase of establishing a VPN connection. In the case of confirmation of authority, the second phase begins - between the client and the server, the details of securing the connection are negotiated. After that, a VPN connection is organized, which ensures the exchange of information between the client and the server in the form when each data packet passes through the encryption / decryption and integrity check procedures - data authentication.

The main problem of VPN networks is the lack of established standards for authentication and the exchange of encrypted information. These standards are still under development and therefore products from different manufacturers cannot establish VPN connections and automatically exchange keys. This problem entails a slowdown in the spread of VPNs, since it is difficult to force different companies to use the products of one manufacturer, and therefore the process of combining the networks of partner companies into so-called extranet networks is difficult.

Recently, there has been an increased interest in the world of telecommunications virtual private networks(Virtual Private Network - VPN). This is due to the need to reduce the cost of maintaining corporate networks due to cheaper connection of remote offices and remote users through Internet. Indeed, when comparing the cost of services for connecting several networks over the Internet, for example, with Frame Relay networks, one can notice a significant difference in cost. However, it should be noted that when networks are connected via the Internet, the question of the security of data transmission immediately arises, so it became necessary to create mechanisms to ensure the confidentiality and integrity of the transmitted information. Networks built on the basis of such mechanisms are called VPNs.

In addition, very often modern man, developing your business, you have to travel a lot. It can be trips to remote corners of our country or to foreign countries. It is not uncommon for people to need access to their information stored on their home or company computer. This problem can be solved by arranging remote access to it using a modem and a telephone line. The use of a telephone line has its own characteristics. The disadvantages of this solution is that a call from another country costs a lot of money. There is another solution called VPN. The advantages of VPN technology is that the organization of remote access is done not through a telephone line, but through the Internet, which is much cheaper and better. In my opinion technology

VPN has the prospect of being widely adopted around the world.

1. Concept and classification VPN networks, their construction

1.1 What is VPN

VPN(English) virtualPrivatenetwork- virtual private network) - a logical network created on top of another network, such as the Internet. Despite the fact that communications are carried out over public networks using insecure protocols, encryption creates information exchange channels closed from outsiders. VPN allows you to combine, for example, several offices of an organization into a single network using uncontrolled channels for communication between them.

At its core, a VPN has many of the properties of a leased line, but it is deployed within a public network such as the Internet. With the tunneling technique, data packets are broadcast over the public network as if they were a normal point-to-point connection. A kind of tunnel is established between each pair of "sender-receiver of data" - a secure logical connection that allows you to encapsulate data from one protocol into packets of another. The main components of the tunnel are:

initiator

a routed network

· tunnel switch;

one or more tunnel terminators.

By itself, the principle of VPN operation does not contradict the main network technologies and protocols. For example, when establishing a dial-up connection, the client sends a stream of standard PPP packets to the server. In the case of organizing virtual leased lines between local networks, their routers also exchange PPP packets. However, a fundamentally new point is the forwarding of packets through a secure tunnel organized within the public network.

Tunneling allows you to organize the transmission of packets of one

protocol in a logical environment that uses a different protocol. As a result, it becomes possible to solve the problems of interaction between several heterogeneous networks, starting with the need to ensure the integrity and confidentiality of transmitted data and ending with overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be provisioned for VPN use either through software or hardware. The organization of a virtual private network can be compared to laying a cable through global network. Typically, a direct connection between a remote user and a tunnel end device is established using the PPP protocol.

The most common method for creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the generated packets in a tunneling protocol. Usually the latter is IP or (much less often) ATM and Frame Relay. This approach is called layer 2 tunneling, because the “passenger” here is the layer 2 protocol.

An alternative approach - encapsulating network protocol packets directly into a tunneling protocol (eg VTP) is called layer 3 tunneling.

No matter what protocols are used or what goals

persecuted in the organization of the tunnel, the basic technique remains

practically unchanged. Typically, one protocol is used to establish a connection with a remote host, and the other is used to encapsulate data and service information for transmission through a tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By type of medium used:

· ProtectedVPNnetworks. The most common variant of private private networks. With its help, it is possible to create a reliable and secure subnet based on an unreliable network, usually the Internet. Examples of secure VPNs are: IPSec, OpenVPN, and PPTP.

· TrustVPNnetworks. They are used in cases where the transmission medium can be considered reliable and it is only necessary to solve the problem of creating a virtual subnet within a larger network. Security issues become irrelevant. Examples of such VPN solutions are: MPLS and L2TP. It is more correct to say that these protocols shift the task of providing security to others, for example L2TP, as a rule, is used in tandem with IPSec.

2. By way of implementation:

· VPNnetworks in the form of special software and hardware. Implementation VPN networks carried out using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.

· VPNnetworks as a software solution. use Personal Computer with special software that provides VPN functionality.

· VPNnetworks with an integrated solution. VPN functionality is provided by a complex that also solves the problems of filtering network traffic, organizing a firewall and ensuring quality of service.

3. By appointment:

· Intranet VPN. Used to combine into a single secure network several distributed branches of one organization that exchange data over open channels connections.

· Remote Access VPN. Used to create a secure channel between a corporate network segment (central office or branch office) and a single user who, while working at home, connects to corporate resources with home computer or, while on a business trip, connects to corporate resources using a laptop.

· Extranet VPN. Used for networks to which "external" users (for example, customers or clients) connect. The level of trust in them is much lower than in the company's employees, therefore, it is necessary to provide special “frontiers” of protection that prevent or limit the access of the latter to especially valuable, confidential information.

4. By type of protocol:

There are implementations of virtual private networks under TCP/IP, IPX and AppleTalk. But today there is a trend towards a general transition to the protocol TCP/IP, and the vast majority of VPN solutions support it.

5. By network protocol level:

By network protocol layer, based on a mapping to the layers of the ISO/OSI network reference model.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance factors of VPN builders. For example, if a router is already running at the limit of its processor power, then adding VPN tunnels and applying encryption / decryption of information can stop the entire network from working due to the fact that this router will not be able to cope with simple traffic, not to mention VPN. Experience shows that it is best to use specialized hardware to build a VPN, but if there is a limitation in funds, then you can pay attention to a purely software solution. Consider some options for building a VPN.

· Firewall based VPN

Most firewall manufacturers support tunneling and data encryption. All such products are based on the fact that the traffic passing through the firewall is encrypted. To software the firewall itself, an encryption module is added. The disadvantage of this method is the dependence of performance on the hardware on which the firewall is running. When using PC-based firewalls, keep in mind that this solution can only be used for small networks with a small amount of transmitted information.

An example of a firewall-based VPN is Check Point Software Technologies' FireWall-1. FairWall-1 uses a standard IPSec-based approach to build VPNs. Traffic entering the firewall is decrypted, after which standard access control rules are applied to it. FireWall-1 running operating systems Solaris and Windows NT 4.0.

· Router based VPN

Another way to build a VPN is to use routers to create secure channels. Since all information coming from the local network passes through the router, it is advisable to assign encryption tasks to this router as well.