HP Education Services (education.hp.com)
Virtual Private Networks
Version B.00 H7076S Module 2 Slides
2 © 2001 Hewlett-Packard Company
H7076S B.00
The Security Problem with IP Today
[Figure: users in San Francisco talking to a K-CLASS server in Chicago across the Internet, with a "Bad Guy" sitting on the path]
• It is trivial to snoop on Internet traffic, including passwords sent over the network.
• It is fairly easy to forge IP packets and impersonate another user or machine.
• Malicious people exist who actually do these things.

What Is a Virtual Private Network?
[Figure: a VPN Server for Site A and a VPN Server for Site B joined across the Internet; each site has its own Intranet; the legend distinguishes encrypted links from non-encrypted links]
This mobile client uses encrypted links when communicating with systems in site A and B.
The nodes in site A and B use non-encrypted links when performing Intranet communications.
The nodes use encrypted links when communicating across the Internet.

Types of Virtual Private Networks
• Network-to-Network – Replace expensive dedicated leased line WAN charges for site-to-site data connectivity
• Network-to-Host (Remote Access) – Replace expensive modem pools, ISDN per-minute charges
• Host-to-Host – End-to-End security to protect sensitive data for intra- or inter-network communications
HP Solution (right-hand column of the slide): Extranet e-Firewall; IPSec/9000

HP Solutions for VPNs: Extranet VPN / e-Firewall with Mobile client option
[Figure: K-CLASS systems at the Corporate HQ Site, a Business Partner and a Branch Host, plus a laptop computer, joined by encrypted "tunnels" across the Global Internet through firewall and encryption devices (e-Firewall, HP-UX IPSec/9000)]

Network-to-Network VPNs
Value Prop: Low Cost, Quick Setup of WAN Connectivity
[Figure: K-CLASS systems at Corporate Headquarters, a Business Partner, a Field Office and an Overseas Site joined by multiple encrypted "tunnels" across the Global Internet through firewall and encryption devices]

Remote Access VPNs
[Figure: a VPN Gateway Device (K-CLASS) at the Corporate HQ Site reached across the Global Internet by a mobile laptop user, a telecommuter at home on a dialup line, and a small office user on ISDN or DSL connections]
All connections initiated by remote user.
Encryption occurs on Software Client.

Host-to-Host VPNs
[Figure: Secure App Servers at the Corporate HQ Site and at a Business Partner, plus a Web Server in the DMZ, communicating across the Global Internet]
• End-to-End Security – Within the Enterprise – Through the Internet

VPN Software Products
Product | Advantages | Disadvantages
Application Level Security: Public Domain S/W (socks), hp Extranet VPN | Close integration with the application | May need to modify the application
Network Level Security: hp IPFilter/9000, hp IPSec/9000, hp e-Firewall | No need to modify applications | May need to modify firewall configuration
Link Level Security: PPTP, L2TP | Easy to implement | Not scalable

Why a System Firewall?
[Figure: a VPN Gateway Device (K-CLASS) at the Corporate HQ Site, a telecommuter at home and a small office user on ISDN, DSL or dial-up connections across the Global Internet, watched by a "Hacker"]
Hacker: "If I can get into their host, maybe I can go through their VPN. I wonder which ports are open? They probably have no firewall."
System Firewall needed!!

Hewlett-Packard's Solution
HP IPFilter/9000 – B9901AA
Features supported by Hewlett-Packard:
• Full-fledged stateful inspection firewall
• Free product
• Workstations and servers
• HP-UX 11.0 and 11i
Features not supported by Hewlett-Packard (features supported in public domain):
• Perimeter firewall
• Network address translation

How a System Firewall Works
[Figure: packets arriving from the Intranet at a host with the System Firewall installed]
Packets destined for our machine that are not part of a VPN connection that we initiated.
IPFilter rules pass or block depending upon the rules: matched pass rules let the packet through; matched block rules send it to the bit bucket.

Hardware and Software Requirements
• Hewlett-Packard 9000 series 800 or 700
• HP-UX 11.0 or 11i operating system
• Dynamically loadable kernel module support
• Commands to verify:
# uname -a
# kmsystem -q dlkm

Patches Required
• PHNE_22397 (or newer replacement for 32-bit or 64-bit 11.0)
• PHCO_22899 (or newer replacement for 32-bit 11.0)
• PHCO_22989 (or newer replacement for 32-bit 11i)
• Command to verify:
# swlist -l product patch_name

Installation
• Use SD-UX to install product number B9901AA
• Available on application CD AP0301
• Command to use:
# swinstall
• Configuration file and start-up scripts installed:
/etc/rc.config.d/ipfconf
/sbin/init.d/pfilboot
/sbin/init.d/ipfboot

Verification of Installation
To verify the product was installed correctly after reboot:
# kmadmin -s
# ps -ef | grep ipmon
Logs to look at if installation unsuccessful:
/etc/rc.log
/var/adm/sw/swagent.log
/var/adm/sw/swinstall.log

Filter Rules
• Rules are processed from top to bottom
• Last match takes effect
• See Installing and Administering IPFilter/9000 or the Public Domain HOWTO document for detailed explanations.
• Rule File:
/etc/opt/ipf/ipf.conf
• Default file is empty, implied contents:
pass in all
pass out all
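The last-match semantics of this slide and the pass-or-block flow of the "How a System Firewall Works" slide, as an added example that is not code from the HP course or from IPFilter itself: a small Python model of an assumed subset of the ipf.conf syntax that evaluates a packet against a rule file. The interface name lan0, the addresses and the packets are constructed for the example.

```python
# Added example, not from the HP slides: a toy evaluator for a small subset of
# the /etc/opt/ipf/ipf.conf syntax, showing "top to bottom, last match takes
# effect" and why an empty file behaves like "pass in all" / "pass out all".
# Assumed subset: "<pass|block> <in|out> [on IFACE] [proto PROTO]
# [from SRC to DST [port = N]] | all"; the real ipf(5) grammar is richer.
import ipaddress
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

def parse_rule(line):
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "iface": None, "proto": None,
            "src": None, "dst": None, "port": None}
    i = 2
    while i < len(toks):
        if toks[i] == "all":
            i += 1
        elif toks[i] in KEYS:
            rule[KEYS[toks[i]]] = toks[i + 1]; i += 2
        elif toks[i] == "port":            # written as "port = 23"
            rule["port"] = int(toks[i + 2]); i += 3
        else:
            raise ValueError("unsupported token: " + toks[i])
    return rule

def _addr_ok(spec, addr):
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt["dport"]))

def decide(conf, pkt):
    """Walk the rule file top to bottom and return the action of the LAST rule
    that matches; no match at all (e.g. an empty file) means the packet passes."""
    verdict = "pass"
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            if matches(rule, pkt):
                verdict = rule["action"]
    return verdict

# Constructed sample (not from the slides): an inbound telnet packet on lan0.
TELNET_IN = {"dir": "in", "iface": "lan0", "proto": "tcp",
             "src": "203.0.113.9", "dst": "10.1.1.5", "dport": 23}
# Misordered: "pass in all" AFTER the block is the last match, so telnet still passes.
MISORDERED = "block in on lan0 proto tcp from any to any port = 23\npass in all\n"
CORRECTED = "pass in all\nblock in on lan0 proto tcp from any to any port = 23\n"
```

Calling decide(MISORDERED, TELNET_IN) returns "pass" while decide(CORRECTED, TELNET_IN) returns "block", which is the ordering mistake the "last match takes effect" rule makes easy to get wrong.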