
Virtual Private Networking: A Construction, Operation and Utilization Guide


Gilbert Held

ISBN: 978-0-470-85432-7

Apr 2004

306 pages

Out of stock

$150.00

Description

This book provides network managers, LAN administrators and small business operators with all they need to know to interconnect multiple locations, or to give travelling employees access to a single location. The operation and utilization of virtual private networks is discussed both in theory and in practice, covering the technical aspects of encryption and digital certificates as well as the way readers can build VPNs using readily available products from Microsoft, Cisco, Checkpoint and other vendors.

The author was among the first to write about the concept of virtual private networking, in a series of articles published over five years ago, and in the intervening years this has become a very hot topic, with the technology being increasingly deployed by companies.

Virtual Private Networking, by Gilbert Held, covers the technology and the theory, but also shows readers, through numerous examples, how to use the technology.

Preface xiii

Acknowledgements xv

Chapter 1 Introduction to Virtual Private Networking 1

1.1 THE VPN CONCEPT 1

1.1.1 DEFINITION 1

1.1.2 TYPES OF VPNS 2

1.1.3 CATEGORIES OF VPNS 4

1.1.4 INFRASTRUCTURE 8

1.1.5 BENEFITS OF USE 9

1.1.6 DISADVANTAGES OF VPNS 12

1.1.7 VPN PROTOCOLS 14

1.1.8 SUMMARY 17

1.1.9 ALTERNATIVES TO VPNS 18

1.1.10 ECONOMIC ISSUES 19

1.1.11 OTHER ALTERNATIVES 20

1.2 BOOK PREVIEW 20

1.2.1 UNDERSTANDING AUTHENTICATION AND CRYPTOLOGY 21

1.2.2 UNDERSTANDING THE TCP/IP PROTOCOL SUITE 21

1.2.3 LAYER 2 VPN TECHNIQUES 21

1.2.4 HIGHER LAYER VPNS 22

1.2.5 VPN HARDWARE AND SOFTWARE 22

1.2.6 SERVICE PROVIDER-BASED VPNS 22

Chapter 2 Understanding Authentication and Encryption 23

2.1 AUTHENTICATION 23

2.1.1 PASSWORD AUTHENTICATION PROTOCOL 24

2.1.2 CHALLENGE-HANDSHAKE AUTHENTICATION PROTOCOL 27

2.1.3 EXTENSIBLE AUTHENTICATION PROTOCOL – TRANSPORT LEVEL SECURITY 30

2.1.4 TOKEN AUTHENTICATION 30

2.2 ENCRYPTION 31

2.2.1 GENERAL METHOD OF OPERATION 31

2.2.2 PRIVATE VERSUS PUBLIC KEY SYSTEMS 33

2.2.3 PUBLIC KEY ENCRYPTION 34

2.2.4 THE RSA ALGORITHM 35

2.2.5 DIGITAL CERTIFICATES 40

2.2.6 HASHING AND DIGITAL SIGNATURES 49

Chapter 3 Understanding the TCP/IP Protocol Suite 53

3.1 FRAME FORMATION 53

3.1.1 HEADER SEQUENCING 54

3.1.2 SEGMENTS AND DATAGRAMS 54

3.1.3 ICMP MESSAGES 55

3.1.4 ON THE LAN 56

3.1.5 DATAFLOW CONTROL FIELDS 56

3.2 THE NETWORK LAYER 57

3.2.1 THE IPV4 HEADER 57

3.2.2 SUBNETTING 61

3.2.3 THE SUBNET MASK 63

3.2.4 THE WILDCARD MASK 63

3.2.5 ICMP 65

3.3 THE TRANSPORT LAYER 69

3.3.1 TRANSPORT LAYER PROTOCOLS 69

3.3.2 THE TCP HEADER 69

3.3.3 THE UDP HEADER 70

3.3.4 SOURCE AND DESTINATION PORT FIELDS 71

3.4 PROXY SERVICES AND NETWORK ADDRESS TRANSLATION 73

3.4.1 PROXY SERVICE 73

3.4.2 NETWORK ADDRESS TRANSLATION 74

3.4.3 TYPES OF ADDRESS TRANSLATION 75

3.4.4 VPN CONSIDERATIONS 76

Chapter 4 Layer 2 Operations 79

4.1 THE POINT-TO-POINT PROTOCOL 79

4.1.1 COMPONENTS 79

4.1.2 PPP ENCAPSULATION 80

4.1.3 LINK CONTROL PROTOCOL OPERATIONS 83

4.1.4 MULTILINK PPP 89

4.2 POINT-TO-POINT TUNNELING PROTOCOL 90

4.2.1 IMPLEMENTATION MODELS 90

4.2.2 NETWORKING FUNCTIONS 93

4.2.3 ESTABLISHING THE PPTP TUNNEL 95

4.2.4 PPTP ENCAPSULATED PACKETS 95

4.2.5 THE PPTP CONTROL CONNECTION PACKET 96

4.2.6 CONTROL CONNECTION PROTOCOL OPERATION 111

4.2.7 PPTP DATA TUNNELING 112

4.3 LAYER TWO FORWARDING 115

4.3.1 EVOLUTION 115

4.3.2 OPERATION 115

4.3.3 THE L2F PACKET FORMAT 116

4.3.4 TUNNEL OPERATIONS 118

4.3.5 MANAGEMENT MESSAGES 119

4.4 LAYER TWO TUNNELING PROTOCOL 119

4.4.1 OVERVIEW 120

4.4.2 ARCHITECTURAL MODELS 120

4.4.3 THE L2TP PACKET FORMAT 121

4.4.4 CONTROL MESSAGES 124

4.4.5 PROTOCOL OPERATIONS 127

Chapter 5 Higher Layer VPNs 133

5.1 UNDERSTANDING IPSEC 133

5.1.1 OVERVIEW 134

5.1.2 TOPOLOGIES SUPPORTED 134

5.1.3 SPECIFYING SESSION PARAMETERS 135

5.1.4 THE SPI 137

5.1.5 PROTOCOLS 137

5.1.6 AUTHENTICATION HEADER 139

5.1.7 ENCAPSULATING SECURITY PAYLOAD 142

5.1.8 OPERATIONS 146

5.1.9 KEY MANAGEMENT 152

5.2 WORKING WITH IPSEC 157

5.2.1 CONFIGURING IPSEC POLICIES 157

5.2.2 ADDING THE IPSEC SNAP-IN 158

5.2.3 CREATING AN IPSEC POLICY 161

5.2.4 WORKING WITH IPSEC FILTERS 172

5.3 SSL AND TLS 187

5.3.1 RATIONALE FOR SSL 187

5.3.2 OVERVIEW OF SSL 188

5.3.3 SSL OPERATION 190

5.3.4 MESSAGE EXCHANGE 190

5.3.5 CIPHER SUITES 194

5.3.6 THE NETILLA SECURITY PLATFORM 197

5.3.7 SUMMARY 201

Chapter 6 VPN Hardware and Software 203

6.1 USING THE ASANTE VPN SECURITY ROUTER 203

6.1.1 OVERVIEW 204

6.1.2 CONFIGURATION ACCESS 204

6.1.3 WIRELESS CONSIDERATIONS 205

6.1.4 VPN OPERATIONS 209

6.1.5 CLIENT-TO-NETWORK 215

6.2 WINDOWS VPN SOFTWARE 216

6.2.1 USING A WINDOWS XP CLIENT 217

6.2.2 CREATING THE VPN 217

6.3 WORKING WITH WINDOWS 2000 SERVER 233

6.3.1 INSTALLING RRAS 234

6.3.2 ENABLING RRAS 234

6.3.3 CONFIGURING RRAS 239

6.3.4 CREATING A TEST ACCOUNT 254

6.3.5 TESTING THE CONNECTION 256

Chapter 7 Service Provider-Based VPNs 261

7.1 RATIONALE FOR USE 262

7.1.1 ECONOMICS 262

7.1.2 PERSONNEL LIMITATIONS 263

7.1.3 RELIABILITY 264

7.1.4 COMMUNICATIONS UNITY 265

7.1.5 MANAGEMENT 266

7.1.6 INSTALLATION AND SUPPORT 266

7.1.7 PACKAGED SECURITY 267

7.2 TRANSPORT FACILITIES AND VPN OPERATION 267

7.2.1 HARDWARE-BASED SWITCHING 268

7.2.2 SOFTWARE-BASED SWITCHING 269

7.3 SERVICE LEVEL AGREEMENTS 271

7.3.1 SLA METRICS 271

7.3.2 SLA LIMITATIONS 275

7.4 VPN SERVICE PROVIDER OVERVIEW 276

7.4.1 AT&T CORPORATION 277

7.4.2 LEVEL 3 COMMUNICATIONS 279

7.4.3 SPRINT 279

7.4.4 VERIZON 280

Appendix A VPN Checklist 283

Index 287