Internet security and VPN network design


This article describes some important technical concepts related to VPNs. A virtual private network (VPN) connects remote employees, corporate offices, and business partners over the Internet using encrypted tunnels between locations. Access VPNs connect external users to the corporate network. The remote workstation or laptop connects to a local Internet service provider (ISP) over an access circuit such as cable, DSL, or wireless. In the client-initiated model, software on the remote workstation uses IPSec, Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP) to build an encrypted tunnel from the laptop to the ISP. The user must first authenticate with the ISP as an authorized VPN user. Once that is complete, the ISP builds an encrypted tunnel to the corporate VPN router or concentrator. A TACACS, RADIUS, or Windows server then authenticates the remote user as an employee who is permitted to access the enterprise network. After that, the remote user authenticates to the local Windows domain server, Unix server, or mainframe host, depending on where the network account resides. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the ISP to the corporate VPN router or VPN concentrator; these ISP-initiated tunnels are built with L2TP or L2F.

An extranet VPN connects a trading partner to the enterprise network by building a secure VPN connection from the trading partner's router to the corporate VPN router or concentrator. The tunnel protocol used depends on whether it is a router-to-router connection or an external dial-up connection. Router-connected extranet VPN options are IPSec or Generic Routing Encapsulation (GRE); dial-up extranet connections use L2TP or L2F. An intranet VPN uses the same approach, with IPSec or GRE as the tunnel protocol, to connect corporate offices over a secure connection. What makes a VPN so cost-effective and efficient is that it leverages the existing Internet to carry business traffic. For that reason, many companies choose IPSec as their security protocol to ensure that their information stays protected as it travels between routers or between laptops and routers. IPSec combines 3DES encryption, IKE key-exchange authentication, and MD5 authentication to provide authentication, authorization, and confidentiality.
Internet Protocol Security (IPSec)

IPSec deserves a closer look because it is the most common security protocol used in virtual private networks today. IPSec is specified in RFC 2401 and was developed as an open standard for the secure transfer of IP over the public Internet. The packet structure consists of an IP header, an IPSec header, and the security payload. IPSec provides 3DES encryption services and MD5 authentication. In addition, Internet Key Exchange (IKE) and ISAKMP automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required to negotiate one-way or two-way security associations. The IPSec security association consists of an encryption algorithm (3DES), a hash algorithm (MD5), and an authentication method (MD5). An access VPN implementation uses three security associations (SAs) per connection (send, receive, and IKE). Enterprise networks with many IPSec peer devices use certificate authorities instead of IKE pre-shared keys so that the authentication process scales.
Laptop-VPN Concentrator IPSec Peer Connection

1. IKE security association negotiation

2. IPSec tunnel setup

3. XAUTH request / response (RADIUS server authentication)

4. Mode configuration response / acknowledgement (DHCP and DNS)

5. IPSec security association
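The IPSec paragraph above describes the security association (send, receive, and IKE SAs per connection) and the IP header / IPSec header / payload packet layout, and step 5 of the peer connection sequence is where those data SAs come into use. The following is an added example, not code from the article, that models a send/receive SA pair and ESP-style packet protection in Python: each packet carries the SPI and a sequence number, is authenticated with HMAC-MD5-96 (the truncated MD5 integrity check used by IPSec, RFC 2403), and is checked against an anti-replay window on receipt. The key, SPI and packet contents are constructed values; payload encryption (3DES in the article) is deliberately left out so that the integrity and replay checks stay visible, and the IKE SA that negotiates the pair is not modelled.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed example (not the article's code): a minimal model of an IPSec
# send/receive security association pair with ESP-style packet protection.
# Integrity uses HMAC-MD5-96 (first 96 bits of HMAC-MD5); the payload itself is
# carried in the clear here, since the point is the SA, ICV and replay logic.

ICV_LEN = 12          # HMAC-MD5-96: 96-bit truncated integrity check value
REPLAY_WINDOW = 64    # accept out-of-order packets only inside this window


@dataclass
class SecurityAssociation:
    spi: int                  # Security Parameter Index that identifies this SA
    auth_key: bytes           # integrity key (in practice negotiated by IKE)
    seq: int = 0              # last sequence number sent (outbound use)
    highest_seen: int = 0     # highest sequence number accepted (inbound use)
    window: set = field(default_factory=set)  # accepted seq numbers in window


def compute_icv(sa, header_and_payload):
    """HMAC-MD5-96 over SPI | seq | payload, keyed with the SA's auth key."""
    return hmac.new(sa.auth_key, header_and_payload, hashlib.md5).digest()[:ICV_LEN]


def protect(sa, payload):
    """Outbound: emit SPI | seq | payload | ICV, incrementing seq per packet."""
    sa.seq += 1
    body = struct.pack("!II", sa.spi, sa.seq) + payload
    return body + compute_icv(sa, body)


def unprotect(sa, packet):
    """Inbound: check SPI, replay window, then ICV; mark seq only after the ICV passes."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI %#x" % spi)
    # Replay pre-check is cheap, so it runs before the HMAC is computed.
    if seq in sa.window:
        raise ValueError("replayed packet seq=%d" % seq)
    if seq + REPLAY_WINDOW <= sa.highest_seen:
        raise ValueError("packet seq=%d outside replay window" % seq)
    if not hmac.compare_digest(icv, compute_icv(sa, body)):
        raise ValueError("integrity check failed")
    # Only an authenticated packet may advance the window; a forged packet
    # with a high seq must not be able to lock out genuine traffic.
    sa.window.add(seq)
    if seq > sa.highest_seen:
        sa.highest_seen = seq
        sa.window = {s for s in sa.window if s + REPLAY_WINDOW > seq}
    return body[8:]


def demo():
    """Walk a send/receive SA pair through normal, replayed and tampered packets."""
    key = b"constructed-demo-key-not-from-ike"  # constructed value
    outbound = SecurityAssociation(spi=0x1001, auth_key=key)  # sender's send SA
    inbound = SecurityAssociation(spi=0x1001, auth_key=key)   # receiver's receive SA

    p1 = protect(outbound, b"hello")
    p2 = protect(outbound, b"world")
    got1 = unprotect(inbound, p1)
    got2 = unprotect(inbound, p2)

    try:                                   # replay of an already accepted packet
        unprotect(inbound, p1)
        replay = "accepted"
    except ValueError as e:
        replay = str(e)

    p3 = protect(outbound, b"third")
    tampered = p3[:8] + b"THIRD" + p3[13:]  # payload altered, original ICV kept
    try:
        unprotect(inbound, tampered)
        tamper = "accepted"
    except ValueError as e:
        tamper = str(e)

    got3 = unprotect(inbound, p3)          # the genuine p3 is still accepted
    return got1, got2, replay, tamper, got3


if __name__ == "__main__":
    print(demo())
```

The ordering in `unprotect` matters: the replay window is consulted before the HMAC is computed, but the window is only updated after the HMAC verifies, which is why the tampered copy of the third packet is rejected without preventing the genuine third packet from being accepted afterwards.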

Access VPN design

An access VPN uses widely available, inexpensive Internet connectivity to reach headquarters over WiFi, DSL, and cable access circuits from local Internet service providers. The main problem is protecting business data as it travels from the teleworker to the company's headquarters over the Internet. Using the client-initiated model, an IPSec tunnel is built from each teleworker's laptop and terminated on a VPN concentrator. Each laptop runs VPN client software on Windows. Teleworkers first dial their local access number and authenticate with their ISP. The RADIUS server validates each dial-up connection as an authorized teleworker. Once that is complete, the remote user authenticates to a Windows, Solaris, or mainframe server before launching the application. Two VPN concentrators are configured for Virtual Router Redundancy Protocol (VRRP) failover so that one takes over if the other becomes unavailable.
Each concentrator sits between an external router and a firewall