Highly loaded certificate-based VPN solution By Eugeniu CROITOROV, MUM Moldova 2019
Page 1: Highly loaded certificate-based VPN solution · 2019-09-13 · certificate-based VPN solution By Eugeniu CROITOROV, MUM Moldova 2019. About ME ... Microsoft. • The SSTP protocol

Highly loaded certificate-based VPN solution

By Eugeniu CROITOROV, MUM Moldova 2019


About ME

Name: Eugeniu CROITOROV

Employment: Information Technology and Cyber Security Service (2012-present)

MikroTik experience: from 2013

Certificates:


Which type of VPN is Right for you?

PPTP – obsolete, many security issues

L2TP+IPsec – uses IPsec; UDP ports 500, 4500 and 1701

SSTP – SSL/TLS encryption, uses TCP port 443

OpenVPN – open source, uses TCP port 1194


What is SSTP?

Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel.

TCP 443 – difficult to block because it uses the same port as HTTPS


Advantages and disadvantages

ADVANTAGES

• SSTP encryption offers a decent level of security, almost on par with OpenVPN (SSL 3.0 + 256-bit encryption).

• SSTP is easy to configure on platforms it is built into.

• The SSTP VPN protocol is very difficult to block because it uses TCP port 443 (the same one HTTPS uses).

• SSTP offers good speeds if you have enough bandwidth.

DISADVANTAGES

• SSTP is closed-source and solely owned by Microsoft.

• The SSTP protocol is available on a limited number of platforms – Windows, Linux, Android, and routers.


The challenge

4000+ VPN clients

Data encryption and integrity

High availability

Scalability


RouterOS license level



Which platform to choose?

36-core 1.4 GHz CPU, 4 GB RAM, IPsec hardware acceleration, License Level 6

9-core 1.2 GHz CPU, 2 GB RAM, IPsec hardware acceleration, License Level 6



Cloud Hosted Router (CHR)

Virtualized platform

Can run on multiple hypervisors:

VMware

Xen

Hyper-V

VirtualBox

Others

CHR has full RouterOS features enabled by default but has a different licensing model than other RouterOS versions.


CHR License


HOW TO GET SSL CERTIFICATE?

Self-signed certificate: RouterOS, OpenSSL

Commercial SSL certificate: Comodo, Symantec, Unizeto

Free SSL certificate: Let’s Encrypt, SSL For FREE



HOW TO GET SSL CERTIFICATE?

1. Install Certbot using the official manuals: https://certbot.eff.org/#ubuntuxenial-other

2. Create the certificates manually and put the domain TXT record in place

#certbot certonly --preferred-challenges=dns --manual -d *.$DOMAIN


3. Now you need to create a DNS TXT record on your domain name



MikroTik Configuration


Clock & Time zone setting



IMPORT Certificates

1. fullchain.pem

2. privkey.pem


Create PPP Profile


Enable SSTP Server


Create Firewall Rule


Create domain records
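The slides above show these steps as screenshots only; the following RouterOS 6.x CLI script is an added example that reproduces the same sequence (clock, certificate import, PPP profile, SSTP server, firewall rule). It is not the author's configuration: the pool range, profile and user names, time zone and NTP server are assumptions, and the imported certificate is assumed to be named fullchain.pem_0 by RouterOS.

```routeros
# Added example (not from the presentation). Assumptions: addresses, names,
# time zone and NTP server below are placeholders for your own deployment.

# 1. Clock & time zone: TLS certificate validity is checked against the router
#    clock, so a wrong clock makes clients reject a perfectly valid certificate.
/system clock set time-zone-name=Europe/Chisinau
/system ntp client set enabled=yes server-dns-names=pool.ntp.org

# 2. Import the Let's Encrypt files uploaded via Files. Importing fullchain.pem
#    first creates fullchain.pem_0 (leaf) and fullchain.pem_1 (intermediate);
#    importing privkey.pem attaches the private key to the leaf (flag K).
/certificate import file-name=fullchain.pem passphrase=""
/certificate import file-name=privkey.pem passphrase=""
/certificate print detail where name~"fullchain"

# 3. Address pool sized for the 4000+ clients from the slides: 10.99.0.0/20
#    gives 4094 usable hosts, .1 is reserved for the server side.
/ip pool add name=sstp-pool ranges=10.99.0.2-10.99.15.254

# 4. PPP profile: encryption mandatory, one session per account, MSS clamping
#    so tunnelled TCP does not fragment.
/ppp profile add name=sstp-profile local-address=10.99.0.1 \
    remote-address=sstp-pool use-encryption=required only-one=yes \
    change-tcp-mss=yes

# 5. SSTP server on TCP 443 with the Let's Encrypt leaf, TLS 1.2 only,
#    AES forced, PFS on, MS-CHAPv2 as the PPP authentication method.
/interface sstp-server server set enabled=yes port=443 \
    certificate=fullchain.pem_0 default-profile=sstp-profile \
    authentication=mschap2 tls-version=only-1.2 force-aes=yes pfs=yes \
    verify-client-certificate=no max-mtu=1400 max-mru=1400

# Example account (placeholder password; in practice use RADIUS/User Manager
# for thousands of clients rather than local secrets).
/ppp secret add name=user01 password="CHANGE-ME" service=sstp \
    profile=sstp-profile

# 6. Firewall: accept SSTP on the input chain ahead of any generic drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept comment="SSTP clients" place-before=0
```

After the certificate print, the leaf entry should show flags KT (private key present, trusted); if K is missing, privkey.pem did not match fullchain.pem and the SSTP server will not start the TLS listener correctly.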


The topology


DEMO


Thank you!
