VPN Client-to-LAN and LAN-to-LAN with Windows Small Business Server 2003: installation, configuration, security. Alessandro Appiani, Consultant, Microsoft Certified Partner
Jan 13, 2016
Agenda
VPN basics: protecting network communications; encryption overview
VPN compared: Client-to-LAN vs LAN-to-LAN
VPN in detail: tunneling protocol, authentication, encryption
Windows Small Business Server 2003 technologies for Client-to-LAN and LAN-to-LAN VPNs
What is a VPN?
From the Windows Server 2003 site:
“Microsoft defines a virtual private network as the extension of a private
network that encompasses links across shared or public networks like the
Internet.”
http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx
What problems does a network communication have when it uses public connectivity such as the Internet?
Threats on a public network (slide diagram):
Network monitoring (eavesdropping)
Data modification
Identity spoofing
Man-in-the-middle
Password-based attacks
Two places where the data can be encrypted:
Encrypt data at the application layer: SSL/TLS
Encrypt data at the network layer: tunneling protocol, IPSec
The solution: encrypting the transmitted data
Encrypted IP packet
Virtual Private Networks (VPN): an application of encryption technologies
VPN Basics
An encryption technology
A tunneling method/protocol
A connection and transport mode (Client-to-LAN, LAN-to-LAN)
A set of definitions for IP addressing, authentication, authorization, auditing
Cryptography
Encryption keys & algorithms: symmetric encryption, public key (asymmetric) encryption
Encryption Keys
Key type    Description
Symmetric   The same key is used to encrypt and decrypt the data. Protects the data from interception.
Asymmetric  Consists of a public key and a private key. The private key is protected and confidential; the public key can be freely distributed. Data encrypted with the private key can be decrypted only with the corresponding public key, and vice versa.
How Does Symmetric Encryption Work?
Original data -> cipher text -> original data (the same key at both ends)
Symmetric encryption:
Uses the same key to encrypt and decrypt
Is often referred to as bulk encryption
Is inherently exposed by the "shared secret" concept: the key is shared, so every party holding it can decrypt, and it has to be distributed securely beforehand
Using Symmetric Key Encryption
Encrypting application data: EFS, S/MIME
Encrypting communication protocols: IPSec, TLS
Diagram: User1 encrypts with the shared secret key (encryption algorithm); User2 decrypts with the same shared secret key (decryption algorithm)
How Does Public Key Encryption Work?
Process:
1. The recipient's public key is retrieved
2. The data is encrypted with a symmetric key
3. The symmetric key is encrypted with the recipient's public key
4. The encrypted symmetric key and encrypted data are sent to the recipient
5. The recipient decrypts the symmetric key with her private key
6. The data is decrypted with the symmetric key
Public Key Encryption (slide diagram): 1. Alice encrypts the message with Bob's public key; 2. the encrypted message is sent over the network; 3. Bob decrypts the message with Bob's private key.
Public Key Authentication (slide diagram): 1. Alice signs the message with her private key; 2. the message is sent over the network; 3. Bob validates that the message is from Alice with Alice's public key.
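As an added example (not code from the slides and not any Microsoft implementation), the six-step envelope flow above and the sign/verify exchange, written in Python with the standard library only. The RSA keys are built from tiny fixed primes with no padding and the symmetric cipher is an HMAC-SHA256 keystream; both are constructed here to make the key flow visible and must not be used for real traffic.

```python
"""Hybrid (envelope) encryption and a public-key signature, stdlib only.

Teaching toy: the RSA uses tiny fixed primes and no padding, and the symmetric
cipher is an HMAC-SHA256 counter-mode keystream. Neither is fit for real use;
they exist to make the key flow of the six steps visible without third-party
libraries."""
import hashlib
import hmac
import os


def toy_rsa_keypair(p, q, e=17):
    """Textbook RSA from two small primes (constructed values, not secure).
    Returns (public, private), each as an (exponent, modulus) tuple."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e
    return (e, n), (d, n)


def rsa_apply(data: bytes, key) -> list:
    """Apply the key to each byte separately (every byte < modulus). Works
    with either half of a keypair, which is the 'and vice versa' of the slide."""
    exponent, n = key
    return [pow(b, exponent, n) for b in data]


def rsa_unapply(blocks: list, key) -> bytes:
    """Invert rsa_apply with the other half of the keypair."""
    exponent, n = key
    values = [pow(c, exponent, n) for c in blocks]
    if any(v > 255 for v in values):
        raise ValueError("wrong key: recovered values are not bytes")
    return bytes(values)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR with an HMAC-SHA256(key, counter) keystream.
    The same call encrypts and decrypts, i.e. one shared key both ways."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext: bytes, recipient_public) -> tuple:
    """Steps 1-4: bulk-encrypt with a fresh symmetric key, then wrap that key
    with the recipient's public key. Returns (wrapped_key, ciphertext)."""
    session_key = os.urandom(16)                            # step 2
    ciphertext = stream_xor(session_key, plaintext)         # step 2
    wrapped_key = rsa_apply(session_key, recipient_public)  # step 3
    return wrapped_key, ciphertext                          # step 4


def open_envelope(wrapped_key, ciphertext, recipient_private) -> bytes:
    """Steps 5-6: recover the session key with the private key, then decrypt."""
    session_key = rsa_unapply(wrapped_key, recipient_private)  # step 5
    return stream_xor(session_key, ciphertext)                 # step 6


def sign(message: bytes, signer_private) -> list:
    """Sign = apply the private key to the SHA-256 digest of the message."""
    return rsa_apply(hashlib.sha256(message).digest(), signer_private)


def verify(message: bytes, signature, signer_public) -> bool:
    """Verify = undo with the public key and compare against a fresh digest.
    A wrong public key or a tampered message both yield False."""
    try:
        recovered = rsa_unapply(signature, signer_public)
    except ValueError:
        return False
    return hmac.compare_digest(recovered, hashlib.sha256(message).digest())


if __name__ == "__main__":
    alice_pub, alice_priv = toy_rsa_keypair(61, 53)  # constructed primes
    bob_pub, bob_priv = toy_rsa_keypair(89, 97)      # constructed primes
    msg = b"constructed sample message"
    wrapped, ct = seal(msg, bob_pub)
    print(open_envelope(wrapped, ct, bob_priv) == msg)  # True
    sig = sign(msg, alice_priv)
    print(verify(msg, sig, alice_pub))                  # True
    print(verify(msg + b"!", sig, alice_pub))           # False: tampered
```

The point to notice is the division of labour: the public-key operation touches only the 16-byte session key (and the digest, for the signature), while the bulk data goes through the symmetric cipher, which is exactly why the slides call symmetric encryption "bulk encryption" and reserve the asymmetric key for key exchange and authentication.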
From theory to practice...
Application-Layer
Planning Protocols for Application-Layer Security
Planning Secure File Transmissions
Planning Secure Communications for Web Applications
Planning Security for E-mail Applications
Requires that applications support the encryption
Stack diagram: Application / SSL/TLS / TCP/UDP / IP/IPSec / Link layer / Physical layer, with the encryption done in the SSL/TLS layer above TCP/UDP
Network-Layer: Virtual Private Network (VPN)
Is transparent to applications
Stack diagram: Application / SSL/TLS / TCP/UDP / IP/IPSec / Link layer / Physical layer, with the encryption done in the IP/IPSec layer below every application
VPN Client-to-LAN: Connecting Remote Users to a Corporate Network
Diagram: Remote user - Internet - VPN tunnel - VPN server computer - Corporate network
VPN LAN-to-LAN: Connecting Remote Networks to a Local Network
Diagram: Remote network - VPN server computer - Internet - VPN tunnel - VPN server computer - Local network
VPN compared
LAN-to-LAN uses appliances/servers that handle the VPN communication and act as gateways between the two networks:
encryption is applied only to the traffic between the gateways (tunnel endpoints)
symmetric "shared-key" encryption
IP addressing has to be planned
Client-to-LAN is typically a one (gateway/access point) to many (clients) connection:
encryption is applied to the traffic between the gateway and N clients
"shared-key" encryption is not adequate (the key would have to be distributed to N places!)
it can use PPP-based protocols (PPTP, L2TP)
using IPsec requires asymmetric encryption techniques (PKI, certificates, ...); Windows Server 2003 also accepts a preshared key for L2TP/IPsec, but that brings back the shared-secret distribution problem
IP addressing is simple and integrated
Virtual Private Network Protocols
PPTP*: internetwork must be IP based; no header compression; no tunnel authentication; built-in PPP encryption (MPPE)
L2TP**: internetwork can be IP, Frame Relay, X.25, or ATM based; header compression; tunnel authentication; uses IPSec encryption
Diagram: Client - Internet (PPTP or L2TP) - Server
*PPTP: RFC 2637 - **L2TP: RFC 2661
Selecting a Tunneling Protocol
Feature                                     PPTP   L2TP/IPSec   IPSec Tunnel Mode
Support for NAT                              X
User authentication                          X        X
Machine authentication                                X              X
Multi-protocol support                       X        X
Stronger security                                     X              X
Support for non-Windows 2000-based clients   X
Authentication Protocols
Standard authentication protocols; extensible authentication protocols (EAP)
Standard Authentication Protocols
Protocol    Security   Use when
PAP         Low        The client and server cannot negotiate using more secure validation (the password travels in clear text)
SPAP        Medium     Connecting a Shiva LANRover and a Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
CHAP        High       You have clients that are not running Microsoft operating systems (the server must store passwords with reversible encryption)
MS-CHAP     High       You have clients running Windows NT 4.0 and later, or Windows 95 and later
MS-CHAPv2   High       You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
Of these, only MS-CHAPv2 authenticates the server to the client as well; prefer it (or EAP) and leave PAP, SPAP and MS-CHAP v1 disabled on the server unless a specific client needs them.
Authentication
Extensible Authentication Protocols
Allows the client and server to negotiate the authentication method that they will use
Supports authentication using MD5-CHAP, Transport Layer Security (EAP-TLS), PEAP, smart cards, ...
Ensures support of future authentication methods through an API
Encryption Protocols
Encryption levels of the remote access policy profile (what members of the group using the dial-in profile can use):
Basic: IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
Strong: IPSec 56-bit DES or MPPE 56-bit data encryption
Strongest: IPSec Triple DES (3DES) or MPPE 128-bit data encryption
Windows Small Business Server 2003
VPN setup & configuration
To Do List
VPN Client-to-LAN
VPN Client
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link
Connection sequence (slide diagram):
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server checks the directory to authenticate and authorize the caller
4. VPN server transfers data
Windows Small Business Server
VPN Server
Windows Small Business Server Remote Access Wizard
This wizard provides on-screen instructions for configuring your server for:
VPN connections
Dial-up connections
Both VPN and dial-up connections
After clicking Finish, the wizard:
Configures the server according to your selected settings
Creates the Client Connection Manager configuration file
Configures the remote access policy to allow members of the Mobile Users group to use remote access
Example scenarios and demo
Router connection scenario (slide diagram)
Internet - Router (ISP) - SBS
Uplink: xDSL, optical fibre, ISDN, ...
Public network, e.g. 193.205.245.24/29, or a "public" network behind NAT, e.g. 192.168.1.0/24
Private network 10.0.1.0/24 (SBS at .2)
Domain: azienda.local
VPN LAN-to-LAN
IP addressing; interoperability: what is on the other side? Windows Server 2003, Windows Server 2000/2003 + ISA Server, ...
Different editions of Windows SBS
Standard: Windows 2003 firewall; Remote Access Wizard (Client-to-LAN); no VPN LAN-to-LAN wizard
Premium: ISA Server!; Remote Access Wizard (Client-to-LAN); ISA Server wizard for VPN LAN-to-LAN (with ISA Server on the other side too)
Example LAN-to-LAN VPN network (slide diagram)
Head office (sbs.net): SBS (ISA); private network 192.168.1.0/24 (server at .100); public network 212.212.212.0/24
Internet
Branch office: Windows 2003 (ISA); private network 192.168.3.0/24
Security and control
Remote Access Account Lockout (KB816118): locks the account after a configured number of failed remote authentication attempts and clears the counter after a reset interval, independently of the domain account lockout policy; it slows password guessing over the VPN, but an attacker who knows user names can also use it to lock legitimate users out
Authorizing VPN connections (the user's dial-in property)
Remote access policy profile
Packet filtering
Accounting, auditing, and monitoring
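As an added example (not code from the slides, nor Microsoft's RRAS/IAS implementation), the model below ties together the pieces listed above and the earlier authentication and encryption-level slides: the user's dial-in property, the policy conditions (Windows group, tunnel type), the allow/deny permission and the profile constraints (permitted authentication protocols, permitted MPPE strength). It follows the documented evaluation order, in which policies are tried in sequence, the first one whose conditions match decides, and a matching connection that violates the profile is rejected rather than tried against the next policy. The policy names, user names and the groups other than Mobile Users are constructed for the example.

```python
"""Model of Windows Server 2003 remote access policy evaluation.

Constructed illustration, not RRAS/IAS code: policies are tried in the order
listed, the first policy whose conditions all match decides the outcome, and
a connection that matches but violates that policy's profile is rejected
outright (it is not tried against later policies). The user's dial-in
property (Allow / Deny / control through Policy) is applied first."""
from dataclasses import dataclass


@dataclass
class Attempt:
    user: str
    groups: frozenset   # Windows groups the caller belongs to
    dial_in: str        # "Allow", "Deny" or "Policy" (user dial-in property)
    tunnel: str         # "PPTP" or "L2TP"
    auth: str           # PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP
    mppe_bits: int      # 0 (none), 40, 56 or 128


@dataclass
class Policy:
    name: str
    permission: str                      # "Allow" or "Deny"
    groups: frozenset = frozenset()      # condition; empty = not used
    tunnels: frozenset = frozenset()     # condition; empty = not used
    auth: frozenset = frozenset()        # profile; empty = no restriction
    mppe_bits: frozenset = frozenset()   # profile; empty = no restriction


def conditions_match(policy: Policy, a: Attempt) -> bool:
    """All configured conditions must hold (AND); unused ones are skipped."""
    if policy.groups and not (policy.groups & a.groups):
        return False
    if policy.tunnels and a.tunnel not in policy.tunnels:
        return False
    return True


def evaluate(policies, a: Attempt):
    """Return ("Accept" | "Reject", reason) for one connection attempt."""
    if a.dial_in == "Deny":
        return "Reject", "dial-in property: Deny access"
    for p in policies:
        if not conditions_match(p, a):
            continue
        # Permission: a per-user "Allow access" overrides the policy's own
        # permission; "Policy" defers to it.
        if a.dial_in == "Policy" and p.permission == "Deny":
            return "Reject", f"{p.name}: remote access permission denied"
        # Profile constraints apply even to users set to Allow, and a
        # violation rejects the call instead of trying the next policy.
        if p.auth and a.auth not in p.auth:
            return "Reject", f"{p.name}: {a.auth} not permitted by profile"
        if p.mppe_bits and a.mppe_bits not in p.mppe_bits:
            return "Reject", f"{p.name}: {a.mppe_bits}-bit MPPE not permitted"
        return "Accept", p.name
    return "Reject", "no policy matched (default deny)"


# Constructed policy set resembling what the SBS wizard produces: Mobile
# Users may connect over PPTP/L2TP with MS-CHAPv2 or EAP and 128-bit MPPE
# (the "Strongest" encryption level); everyone else is denied.
POLICIES = [
    Policy("SBS Mobile Users", "Allow",
           groups=frozenset({"Mobile Users"}),
           tunnels=frozenset({"PPTP", "L2TP"}),
           auth=frozenset({"MS-CHAPv2", "EAP"}),
           mppe_bits=frozenset({128})),
    Policy("Deny all others", "Deny"),
]


def demo():
    """Four constructed attempts; returns their decisions in order."""
    base = dict(groups=frozenset({"Mobile Users", "Domain Users"}),
                dial_in="Policy", tunnel="PPTP", auth="MS-CHAPv2", mppe_bits=128)
    return [
        evaluate(POLICIES, Attempt("alice", **base)),
        evaluate(POLICIES, Attempt("alice", **{**base, "auth": "PAP"})),
        evaluate(POLICIES, Attempt("alice", **{**base, "mppe_bits": 40})),
        evaluate(POLICIES, Attempt("bob", **{**base,
                                             "groups": frozenset({"Domain Users"})})),
    ]


if __name__ == "__main__":
    for decision, why in demo():
        print(decision, "-", why)
```

Two outcomes are worth checking on a real server: a Mobile Users member offering PAP is rejected by the first policy's profile and never reaches a later, more permissive policy, and a user whose dial-in property is set to "Allow access" bypasses the catch-all deny policy's permission (though not its profile), which is why the slides list the dial-in property next to the policy itself.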
References and resources
Technical resources for Windows Small Business Server 2003: http://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.mspx
Virtual Private Networks for Windows Server 2003: http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx
Courses and exams
MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business: http://www.microsoft.com/traincert/syllabi/2395AFinal.asp
Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business: http://www.microsoft.com/learning/exams/70-282.asp