Configuring VPN and Remote Access with Small Business Server 2003
5 May 2005 - 10:30
Agenda
- VPN Basics
- VPN comparison
  - Client-to-LAN
  - LAN-to-LAN
- VPN in detail
  - Protecting network communications
  - Encryption overview
  - Tunneling protocol
  - Authentication
  - Encryption
- Windows Small Business Server 2003 technologies for Client-to-LAN VPN
- Live Demo...
What is a VPN?
From the Windows Server 2003 site:
"Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet."
http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx
What problems do we face with network communication that uses public connectivity such as the Internet?
- Identity spoofing
- Data modification
- Network monitoring
- Man-in-the-middle
- Password-based attacks
The solution: encrypting the transmitted data
- SSL / TLS encrypt data at the Application Layer
- Tunneling protocols / IPSec encrypt data at the Network Layer (Encrypted IP Packet)
Virtual Private Networks (VPN): an application of encryption technologies
VPN Basics
- An encryption technology
- A tunneling method/protocol
- A connection and transport mode (Client-to-LAN, LAN-to-LAN)
- A set of definitions for:
  - IP Addressing
  - Authentication
  - Authorization
  - Auditing
Cryptography
- Encryption Keys & Algorithms
- Encrypted IP Packet
- A very old technology
Encryption Keys
- Symmetric: the same key is used to encrypt and decrypt the data. Protects the data from interception.
- Asymmetric: consists of a public key and a private key. The private key is protected and confidential; the public key can be freely distributed. If the private key is used to encrypt data, that data can be decrypted only with the corresponding public key, and vice versa.
Uses of encryption
- implements confidentiality of communications
- provides techniques for authenticating the parties to a communication
Symmetric Encryption
Original Data -> (encrypt with key) -> Cipher Text -> (decrypt with the same key) -> Original Data
Symmetric encryption:
- uses the same key to encrypt and decrypt
- is often referred to as bulk encryption
- is inherently vulnerable because of the "shared secret" concept: the key is shared
Uses of symmetric encryption
- Encryption of transmission channels
- Simplicity
- Performance
- Management of the session keys of secure protocols
  - SSL
  - Kerberos
  - ...
Asymmetric (Public Key) Encryption
Process:
1. The recipient's public key is retrieved
2. The data is encrypted with a symmetric key
3. The symmetric key is encrypted with the recipient's public key
4. The encrypted symmetric key and encrypted data are sent to the recipient
5. The recipient decrypts the symmetric key with her private key
6. The data is decrypted with the symmetric key
Uses of asymmetric encryption
- Confidentiality of communications (PK Encryption)
  - often in conjunction with symmetric session keys
- Identification of the endpoints (parties) of the communication (PK Authentication)
- More complex algorithms
- Less efficient than symmetric encryption
- Unrestricted use requires distributing/publishing the public keys
Public Key Encryption
1. Alice encrypts the message with Bob's public key (Data -> 3A78).
2. The encrypted message is sent over the network (3A78).
3. Bob decrypts the message with Bob's private key (3A78 -> Data).
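The six-step process and the Alice/Bob diagram above, as an added Go example that is not part of the original presentation: a fresh AES-256-GCM session key encrypts the data and RSA-OAEP wraps that key for Bob. The type and function names, the key sizes and the sample message are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope is what Alice sends to Bob in step 4.
type Envelope struct {
	WrappedKey []byte // step 3: session key encrypted with Bob's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // step 2: data encrypted with the session key (AES-256-GCM)
}
// NewRecipientKey generates Bob's key pair; Alice retrieves the public half in step 1.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// Seal is Alice's side (steps 1-4).
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // step 2: fresh 256-bit session key + 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil) // step 3
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is Bob's side (steps 5-6); GCM also rejects a modified ciphertext or nonce.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // step 5 fails: the envelope was not wrapped for this key
	}
	block, err := aes.NewCipher(key) // rejects a wrapped key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(env.Nonce) != gcm.NonceSize() { // gcm.Open would panic on a bad nonce length
		return nil, errors.New("malformed envelope: bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // step 6
}
```

Only Bob's private key unwraps the session key; any change to the ciphertext or nonce in transit makes Open return an error instead of data.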
Public Key Authentication
1. Alice signs the message with her private key (~*~*~*~).
2. The message is sent over the network (~*~*~*~).
3. Bob validates that the message is from Alice with Alice's public key.
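The sign-and-validate exchange above, as an added Go example that is not from the original slides. It generalizes the slide into a challenge-response check, which is how PK authentication identifies an endpoint in practice: Bob issues a fresh random challenge, Alice signs it with her private key, and Bob validates the answer with Alice's public key. Ed25519 and the function names are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// NewIdentity creates an Ed25519 key pair. Alice keeps the private key; only
// the public key is given to Bob (for example through a certificate).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge is Bob's opening move: a fresh random value that is never reused,
// so an answer captured on the network cannot be replayed in a later session.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Answer is step 1 on the slide: Alice signs the challenge with her private key,
// which never leaves her machine. The answer is what crosses the network (step 2).
func Answer(alicePriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(alicePriv, challenge)
}

// Authenticate is step 3: Bob accepts only a valid signature by Alice's public key
// over exactly the challenge he issued. A different signer, an altered challenge
// or a replayed answer all fail.
func Authenticate(alicePub ed25519.PublicKey, challenge, answer []byte) bool {
	if len(alicePub) != ed25519.PublicKeySize { // ed25519.Verify panics on a malformed key
		return false
	}
	return ed25519.Verify(alicePub, challenge, answer)
}
```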
From theory to practice...
VPN Client-to-LAN: Connecting Remote Users to a Corporate Network
Remote User -- Internet (VPN Tunnel) --> VPN Server Computer --> Corporate Network
VPN LAN-to-LAN: Connecting Remote Networks to a Local Network
Local Network -- VPN Server Computer -- Internet (VPN Tunnel) -- VPN Server Computer -- Remote Network
VPN comparison: LAN-to-LAN
- uses appliances/servers that handle the VPN communication and act as gateways between the two networks
- encryption is applied only to the communication between the gateways (tunnel endpoints)
- symmetric "Shared-Key" encryption
- IP Addressing: has to be designed
VPN comparison: Client-to-LAN
- a typical one (gateway/Access Point) to many (clients) connection
- encryption is applied to the communication between the gateway and N clients
- "Shared-Key" encryption is not adequate (the key would have to be distributed to N places!)
- can use PPP-based protocols (PPTP, L2TP)
- using IPsec requires asymmetric encryption techniques (PKI, certificates, ...)
- IP Addressing: simple and integrated
Virtual Private Network Protocols
PPTP*
- Internetwork must be IP based
- No header compression
- No tunnel authentication
- Built-in PPP encryption
L2TP**
- Internetwork can be IP, Frame Relay, X.25, or ATM based
- Header compression
- Tunnel authentication
- Uses IPSec encryption
Client -- Internet (PPTP or L2TP) --> Server
*PPTP: RFC 2637 - **L2TP: RFC 2661
Selecting a Tunneling Protocol
Feature                                     PPTP   L2TP/IPSec   IPSec Tunnel Mode
Support for NAT                             X
User Authentication                         X      X
Machine Authentication                             X            X
Multi-Protocol Support                      X      X
Stronger Security                                  X            X
Support for Non-Windows 2000-based Clients  X                   X
Authentication Protocols
- Standard Authentication Protocols
- Extensible Authentication Protocols

Standard Authentication Protocols (protocol, security level, use when)
- PAP (Low): the client and server cannot negotiate using more secure validation
- SPAP (Medium): connecting a Shiva LANRover and a Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
- CHAP (High): you have clients that are not running Microsoft operating systems
- MS-CHAP (High): you have clients running Windows NT version 4.0 and later, or Microsoft Windows 95 and later
- MS-CHAP v2 (High): you have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
Authentication: Extensible Authentication Protocols
- Allows the client and server to negotiate the authentication method that they will use
- Supports authentication by using:
  - MD5-CHAP
  - Transport Layer Security (TLS)
  - PEAP, smartcard, ...
- Ensures support of future authentication methods through an API
Encryption Protocols
- Members of this group's dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
- Members of this group's dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption
- Members of this group's dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption
Windows Small Business Server 2003: VPN setup & configuration
To Do List
VPN Client-to-LAN
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.
VPN Client -- VPN Server -- Windows Small Business Server (directory)
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server checks the directory to authenticate and authorize the caller
4. VPN server transfers data
Recommended deployment architecture
SBS is (also) a firewall! Position it in the network as such.
- Internet access: xDSL, optical fibre, ISDN, ...
- Internet Router (ISP) on the public network (e.g. 193.205.245.24/29, router at .2)
- public network (with NAT) (e.g. 192.168.0.0/24)
- SBS (azienda.local)
- private network 192.168.16.0/24
Windows Small Business Server Remote Access Wizard
This wizard provides on-screen instructions for configuring your server for:
- VPN connections
- Dial-up connections
- Both VPN and dial-up connections
After clicking Finish, the wizard:
- Configures the server according to your selected settings
- Creates the Client Connection Manager configuration file
- Configures the remote access policy to allow members of the Mobile Users group to use remote access
Demo:
- RASW
- Client config (RWW)
- RRAS configuration overview
Security and control
- Remote Access Account Lockout (KB816118)
- Authorizing VPN Connections (Dial-in)
- Remote Access Policy Profile Packet Filtering
- Accounting, Auditing, and Monitoring
References and resources
- Technical resources for Windows Small Business Server 2003
  http://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.mspx
- MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business
  http://www.microsoft.com/traincert/syllabi/2395AFinal.asp
- Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business
  http://www.microsoft.com/learning/exams/70-282.asp
- Virtual Private Networks for Windows Server 2003
  http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx
https://mseventseu.microsoft.com/cui/WelcomePage.aspx?Event...
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.