VPN Client-to-LAN and LAN-to-LAN with
Windows Small Business Server 2003
installation, configuration, security
Alessandro Appiani
Consultant
Microsoft Certified Partner
Agenda

- VPN Basics
- VPN comparison
  > Client-to-LAN
  > LAN-to-LAN
- VPN in detail
  > Protecting network communications
  > Encryption overview
  > Tunneling protocol
  > Authentication
  > Encryption
- Windows Small Business Server 2003 technologies
  for Client-to-LAN and LAN-to-LAN VPNs
What is a VPN?

From the Windows Server 2003 site:
"Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet."

http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx
What problems do we have with network communication that uses public connectivity such as the Internet?

- Identity spoofing
- Data modification
- Network monitoring
- Man-in-the-middle
- Password-based attacks
The solution: encrypting the transmitted data

(Diagram: encrypted IP packet)

Encrypts data at the application layer:
- SSL
- TLS

Encrypts data at the network layer:
- Tunneling protocol
- IPSec
Virtual Private Networks (VPN): an application of encryption technologies

VPN Basics

- An encryption technology
- A tunneling method/protocol
- A connection and transport mode (Client-to-LAN, LAN-to-LAN)
- A set of definitions for:
  > IP addressing
  > Authentication
  > Authorization
  > Auditing
Cryptography

Encryption keys & algorithms
- Symmetric encryption
- Public key encryption (asymmetric)

(Diagram: encryption algorithm + encryption keys)

Key type | Description
Symmetric | The same key is used to encrypt and decrypt the data. Protects the data from interception.
Asymmetric | Consists of a public key and a private key. The private key is protected and confidential; the public key can be freely distributed. Data encrypted with the private key can be decrypted only with the corresponding public key, and vice versa.
How Does Symmetric Encryption Work?

(Diagram) Original data -> encryption algorithm (encryption by User1, shared secret key) -> cipher text -> decryption algorithm (decryption by User2, shared secret key) -> original data

Symmetric encryption:
- Uses the same key to encrypt and decrypt
- Is often referred to as bulk encryption
- Is inherently vulnerable because of the "shared secret" concept: the key is shared

Using symmetric key encryption
- Encrypting application data: EFS, S/MIME
- Encrypting communication protocols: IPSec, TLS
How Does Public Key Encryption Work?

Requirement and process:
1. The recipient's public key is retrieved
2. The data is encrypted with a symmetric key
3. The symmetric key is encrypted with the recipient's public key
4. The encrypted symmetric key and encrypted data are sent to the recipient
5. The recipient decrypts the symmetric key with her private key
6. The data is decrypted with the symmetric key

Public Key Encryption
(Diagram)
1. Alice encrypts the message ("Data") with Bob's public key.
2. The encrypted message ("3A78") is sent over the network.
3. Bob decrypts the message with Bob's private key.

Public Key Authentication
(Diagram)
1. Alice signs the message ("~*~*~*~") with her private key.
2. The message is sent over the network.
3. Bob validates that the message is from Alice with Alice's public key.
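The six-step hybrid process and the signing diagram above, carried out end to end in Go as an added example that is not part of the original slides: a random AES-256-GCM key encrypts the data and is wrapped with Bob's RSA public key (RSA-OAEP), and Alice signs the ciphertext with an Ed25519 key so Bob can check the sender. The slides name no algorithms; those, and the names Envelope, Seal and Open, are this example's choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what crosses the network in step 4 of the process above.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// Seal is the sender's side (Alice): steps 1-4 of the hybrid scheme, plus the
// signature from the "Public Key Authentication" slide, made over the
// ciphertext with Alice's private key so that Bob can check who sent it.
func Seal(bobPub *rsa.PublicKey, alicePriv ed25519.PrivateKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block) // standard 12-byte nonce size
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, ed25519.Sign(alicePriv, ct)}, nil
}

// Open is the recipient's side (Bob): check Alice's signature, unwrap the
// symmetric key with Bob's private key (step 5), then decrypt (step 6).
func Open(bobPriv *rsa.PrivateKey, alicePub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	if !ed25519.Verify(alicePub, env.Ciphertext, env.Signature) {
		return nil, errors.New("signature invalid: not from Alice, or modified in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, bobPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag rejects any altered byte
}
```

Only the wrapped key, nonce, ciphertext and signature leave Alice; the symmetric key and both private keys never cross the network, which is what makes the "data modification" and "identity spoofing" threats from the earlier slide detectable at Bob's side.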
From theory to practice...

Application layer
(Stack: Application - SSL/TLS - TCP/UDP - IP/IPSec - Link layer - Physical layer)
Requires that applications support the encryption.
- Planning protocols for application-layer security
- Planning secure file transmissions
- Planning secure communications for web applications
- Planning security for e-mail applications

Network layer: Virtual Private Network (VPN)
(Stack: Application - SSL/TLS - TCP/UDP - IP/IPSec - Link layer - Physical layer)
Is transparent to applications.
VPN Client-to-LAN: Connecting Remote Users to a Corporate Network
(Diagram) Remote user --- Internet (VPN tunnel) --- VPN server computer --- Corporate network

VPN LAN-to-LAN: Connecting Remote Networks to a Local Network
(Diagram) Local network --- VPN server computer --- Internet (VPN tunnel) --- VPN server computer --- Remote network
VPN comparison

LAN-to-LAN
- Uses devices/servers that handle the VPN communication and act as gateways between the two networks
- Encryption is applied only to the communication between the gateways (tunnel endpoints)
- Symmetric "shared-key" encryption
- IP addressing -> must be designed

Client-to-LAN
- A typical one (gateway/access point) to many (clients) connection
- Encryption is applied to the communication between the gateway and N clients
- "Shared-key" encryption is not adequate (the key would have to be distributed to N places!)
- Can use PPP-based protocols (PPTP, L2TP)
- Using IPsec requires asymmetric encryption techniques (PKI, certificates, ...)
- IP addressing -> simple and integrated
Virtual Private Network Protocols

(Diagram) Client --- Internet (PPTP or L2TP) --- Server

PPTP* | L2TP**
Internetwork must be IP based | Internetwork can be IP, Frame Relay, X.25, or ATM based
No header compression | Header compression
No tunnel authentication | Tunnel authentication
Built-in PPP encryption | Uses IPSec encryption

*PPTP: RFC 2637 - **L2TP: RFC 2661
Selecting a Tunneling Protocol

Feature | PPTP | L2TP/IPSec | IPSec Tunnel Mode
Support for NAT | X | - | -
User authentication | X | X | -
Machine authentication | - | X | X
Multi-protocol support | X | X | -
Stronger security | - | X | X
Support for non-Windows 2000-based clients | X | - | X
Authentication Protocols
- Standard authentication protocols
- Extensible authentication protocols

Standard Authentication Protocols

Protocol | Security | Use when
PAP | Low | The client and server cannot negotiate using more secure validation
SPAP | Medium | Connecting a Shiva LANRover and a Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
CHAP | High | You have clients that are not running Microsoft operating systems
MS-CHAP | High | You have clients running Windows NT version 4.0 and later, or Microsoft Windows 95 and later
MS-CHAP v2 | High | You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
Extensible Authentication Protocols
- Allows the client and server to negotiate the authentication method that they will use
- Supports authentication by using:
  > MD5-CHAP
  > Transport Layer Security (TLS)
  > PEAP, smartcard, ...
- Ensures support of future authentication methods through an API

Encryption Protocols
- Basic encryption: members of this group's dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
- Strong encryption: members of this group's dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption
- Strongest encryption: members of this group's dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption
Windows Small Business Server 2003: VPN setup & configuration

To Do List

VPN Client-to-LAN

A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.

(Diagram) VPN client --- Windows Small Business Server (VPN server)
1. The VPN client calls the VPN server
2. The VPN server answers the call
3. The VPN server checks the directory to authenticate and authorize the caller
4. The VPN server transfers data

Windows Small Business Server Remote Access Wizard

This wizard provides on-screen instructions for configuring your server for:
- VPN connections
- Dial-up connections
- Both VPN and dial-up connections

After clicking Finish, the wizard:
- Configures the server according to your selected settings
- Creates the Client Connection Manager configuration file
- Configures the remote access policy to allow members of the Mobile Users group to use remote access
Example scenarios and demo

Router connection scenario

(Diagram)
Internet (xDSL, optical fibre, ISDN, ...)
  |
public network (e.g. 193.205.245.24/29)
  |
Internet router (ISP), .2
  |
public network with NAT (e.g. 192.168.1.0/24)
  |
SBS
  |
private network 10.0.1.0/24 (azienda.local)
VPN LAN-to-LAN

- IP addressing
- Interoperability: what is on the other side?
  > Windows Server 2003
  > Windows Server 2000/2003 + ISA Server
  > ...

Different versions of Windows SBS

- Standard
  > Windows 2003 Firewall
  > Remote Access Wizard (Client-to-LAN)
  > No VPN LAN-to-LAN wizard
- Premium
  > ISA Server!
  > Remote Access Wizard (Client-to-LAN)
  > ISA Server wizard for VPN LAN-to-LAN (with ISA Server on the other side too)
Example LAN-to-LAN VPN network

(Diagram)
Head office: SBS (ISA) .100, private network 192.168.1.0/24
  |
Internet, public network 212.212.212.0/24
  |
Branch office: Windows 2003 (ISA), private network 192.168.3.0/24
Domain: sbs.net
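The "IP addressing -> must be designed" point for LAN-to-LAN, worked through in Go as an added example that is not from the original slides: the two private LANs behind the gateways must not overlap, or a gateway cannot tell a local host from a remote one. The check uses the head office and branch ranges from the diagram above; Site, overlaps and PlanRoutes are this example's names, and the "via VPN tunnel" route strings are an illustrative output format.

```go
package main

import (
	"fmt"
	"net"
)

// Site is one end of the LAN-to-LAN tunnel: its name and the private
// network behind its VPN gateway (ISA Server in the example above).
type Site struct {
	Name string
	LAN  string // CIDR, e.g. "192.168.1.0/24"
}

// overlaps reports whether two networks share any address, which is the
// case exactly when one of them contains the other's base address.
func overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// PlanRoutes checks that no two sites use overlapping ranges and returns, per
// site, the remote LANs its gateway must route into the tunnel rather than to
// the default Internet route. An overlap is an error: the gateway could not
// tell a local host from a remote one, so the tunnel must not be built yet.
func PlanRoutes(sites []Site) (map[string][]string, error) {
	nets := make([]*net.IPNet, len(sites))
	for i, s := range sites {
		_, n, err := net.ParseCIDR(s.LAN)
		if err != nil {
			return nil, fmt.Errorf("site %s: %w", s.Name, err)
		}
		nets[i] = n
	}
	for i := range nets {
		for j := i + 1; j < len(nets); j++ {
			if overlaps(nets[i], nets[j]) {
				return nil, fmt.Errorf("%s (%s) overlaps %s (%s): renumber one site first",
					sites[i].Name, sites[i].LAN, sites[j].Name, sites[j].LAN)
			}
		}
	}
	routes := make(map[string][]string)
	for i, s := range sites {
		for j, other := range sites {
			if i != j {
				routes[s.Name] = append(routes[s.Name], other.LAN+" via VPN tunnel to "+other.Name)
			}
		}
	}
	return routes, nil
}
```

The overlap case is the one that bites in practice: two offices that both kept the 192.168.1.0/24 default of their router cannot be joined until one of them is renumbered.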
Security and control

- Remote Access Account Lockout (KB816118)
- Authorizing VPN connections (dial-in)
- Remote Access Policy profile packet filtering
- Accounting, auditing, and monitoring
References and resources

- Technical resources for Windows Small Business Server 2003
  http://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.mspx
- Virtual Private Networks for Windows Server 2003
  http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs
  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Courses and exams

- MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business
  http://www.microsoft.com/traincert/syllabi/2395AFinal.asp
- Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business
  http://www.microsoft.com/learning/exams/70-282.asp