From: emily

VPN with Windows Small Business Server 2003



VPN Basics
Protecting network communications
Encryption overview
VPNs compared
Client-to-LAN
LAN-to-LAN
VPNs in detail
tunneling protocol
authentication
encryption
Windows Small Business Server 2003 technologies for Client-to-LAN and LAN-to-LAN VPNs

 

 
 
Tags:  Windows  Small  Business  Server  VPN  LAN 
Views:  16885
Downloads:  106
Published:  August 02, 2007
 
Notes:
 
Slide 1: Client-to-LAN and LAN-to-LAN VPNs with Windows Small Business Server 2003: installation, configuration, security. Alessandro Appiani, Consultant, Microsoft Certified Partner
Slide 2: Agenda. VPN Basics: protecting network communications, encryption overview. VPNs compared: Client-to-LAN, LAN-to-LAN. VPNs in detail: tunneling protocol, authentication, encryption. Windows Small Business Server 2003 technologies for Client-to-LAN and LAN-to-LAN VPNs
Slide 3: What is a VPN? From the Windows Server 2003 site: “Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet.” http://www.microsoft.com/windowsserver2003/techinfo/over
Slide 4: What problems do we face with network communication that uses public connectivity such as the Internet? Identity Spoofing; Data Modification; Man-in-the-Middle; Network Monitoring; Password-based
Slide 5: The solution: encrypting the transmitted data. Encrypted IP Packet. Encrypts Data at the Application Layer: SSL, TLS. Encrypts Data at the Network Layer: Tunneling Protocol, IPSec
Slide 6: Virtual Private Networks (VPN): an application of encryption technologies
Slide 7: VPN Basics: an encryption technology; a tunneling method/protocol; a connection and transport mode (Client-to-LAN, LAN-to-LAN); a set of definitions for IP Addressing, Authentication, Authorization, Auditing
Slide 8: Cryptography: Encryption Keys & Algorithms; Symmetric Encryption; Public Key Encryption (Asymmetric); Encryption Algorithm
Slide 9: Encryption Keys
  Key type | Description
  Symmetric | The same key is used to encrypt and decrypt the data. Protects the data from interception.
  Asymmetric | Consists of a public key and a private key. The private key is protected and confidential; the public key is freely distributable. If the private key is used to encrypt data, that data can be decrypted only with the corresponding public key, and vice versa.
Slide 10: How Does Symmetric Encryption Work? Original Data > Cipher Text > Original Data. Symmetric encryption: uses the same key to encrypt and decrypt; is often referred to as bulk encryption; is inherently vulnerable because of the “shared secret” concept: the key is shared
Slide 11: Using Symmetric Key Encryption. Encrypting Application Data: EFS, S/MIME. Encrypting Communication Protocols: IPSec, TLS. Diagram: Shared Secret Key + Encryption Algorithm (Encryption by User1); Shared Secret Key + Decryption Algorithm (Decryption by User2)
Slide 12: How Does Public Key Encryption Work? Requirement Process
  1. The recipient’s public key is retrieved
  2. The data is encrypted with a symmetric key
  3. The symmetric key is encrypted with the recipient’s public key
  4. The encrypted symmetric key and encrypted data are sent to the recipient
  5. The recipient decrypts the symmetric key with her private key
  6. The data is decrypted with the symmetric key
Slide 13: Public Key Encryption (diagram: Data > 3A78 > Data)
  1. Alice Encrypts Message with Bob’s Public Key.
  2. Encrypted Message is Sent Over Network
  3. Bob Decrypts Message with Bob’s Private Key.
Slide 14: Public Key Authentication
  1. Alice Signs Message with Her Private Key.
  2. Message is Sent Over Network
  3. Bob Validates Message is From Alice with Alice’s Public Key.
Slide 15: From theory to practice...
Slide 16: Application-Layer. Planning Protocols for Application-Layer Security: Secure File Transmissions; Secure Communications for Web Applications; Security for E-mail Applications. Layer stack: Application, SSL/TLS, TCP/UDP, IP/IPSec, Link Layer, Physical Layer. Requires That Applications Support the Encryption
Slide 17: Network-Layer: Virtual Private Network (VPN). Layer stack: Application, SSL/TLS, TCP/UDP, IP/IPSec, Link Layer, Physical Layer. Is Transparent to Applications
Slide 18: VPN Client-to-LAN: Connecting Remote Users to a Corporate Network Corporate Network VPN Server Computer Internet VPN Tunnel Remote User
Slide 19: VPN LAN-to-LAN: Connecting Remote Networks to a Local Network Local Network VPN Server Computer Internet VPN Tunnel VPN Server Computer Remote Network
Slide 20: VPNs compared
  LAN-to-LAN: relies on devices/servers that handle the VPN communication and act as gateways between the two networks; encryption is applied only to communication between the gateways (tunnel endpoints); symmetric “Shared-Key” encryption; IP addressing: must be designed
  Client-to-LAN: a typical one-to-many connection (one gateway/access point, many clients); encryption is applied to communication between the gateway and N clients; “Shared-Key” encryption is not adequate (the key is distributed to N places!); can use PPP-based protocols (PPTP, L2TP); using IPsec requires asymmetric encryption techniques (PKI, certificates, ...); IP addressing: simple and integrated
Slide 21: Virtual Private Network Protocols (diagram: Client, Internet, PPTP or L2TP, Server)
  PPTP*: Internetwork Must Be IP Based; No Header Compression; No Tunnel Authentication; Built-in PPP Encryption
  L2TP**: Internetwork Can Be IP, Frame Relay, X.25, or ATM Based; Header Compression; Tunnel Authentication; Uses IPSec Encryption
  *PPTP: RFC 2637 - **L2TP: RFC 2661
Slide 22: Selecting a Tunneling Protocol. Tunneling Protocol: PPTP; L2TP/IPSec; IPSec Tunnel Mode. Features: Support for NAT; User Authentication; Machine Authentication; Multi-Protocol Support; Stronger Security; Support for Non–Windows 2000–based Clients. X X X X X X X X X X X
Slide 23: Authentication Protocols: Standard Authentication Protocols; Extensible Authentication Protocols
Slide 24: Standard Authentication Protocols
  Protocol | Security | Use when
  PAP | Low | The client and server cannot negotiate using more secure validation
  SPAP | Medium | Connecting a Shiva LANRover and Windows 2000–based client or a Shiva client and a Windows 2000–based remote access server
  CHAP | High | You have clients that are not running Microsoft operating systems
  MS-CHAP | High | You have clients running Windows NT version 4.0 and later or, Microsoft Windows 95 and later
  MS-CHAP v2 | High | You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
Slide 25: Authentication
Slide 26: Extensible Authentication Protocols. Allows the Client and Server to Negotiate the Authentication Method That They Will Use. Supports Authentication by Using: MD5-CHAP; Transport Layer Security (TLS); PEAP, Smartcard, ... Ensures Support of Future Authentication Methods Through an API
Slide 27: Encryption Protocols
  Members of this group dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
  Members of this group dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption
  Members of this group dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption
Slide 28: Windows Small Business Server 2003 VPN setup & configuration
Slide 29: To Do List
Slide 30: VPN Client-to-LAN. A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link. Diagram: Windows Small Business Server (VPN Server), VPN Client
  1. VPN client calls the VPN server
  2. VPN server answers the call
  3. VPN server checks the directory to authenticate and authorize the caller
  4. VPN server transfers data
Slide 31: Windows Small Business Server Remote Access Wizard. This wizard provides on-screen instructions for configuring your server for: VPN connections; Dial-up connections; Both VPN and dial-up connections. After clicking Finish, the wizard: Configures the server according to your selected settings; Creates the Client Connection Manager configuration file; Configures the remote access policy to allow members of the Mobile Users group to use remote access
Slide 38: Example scenarios and demo
Slide 39: Connection scenario. Internet router: xDSL, optical fiber, ISDN, ... Public network (e.g. 193.205.245.24/29) .2 azienda.local Internet Router (ISP) public network (with NAT) (e.g. 192.168.1.0/24) SBS private network 10.0.1.0/24
Slide 40: VPN LAN-to-LAN. IP Addressing. Interoperability: what is on the other side? Windows Server 2003; Windows Server 2000/2003 + ISA Server; ... Different versions of Windows SBS: Standard > Windows 2003 Firewall > Remote Access Wizard (Client-to-LAN) > No VPN LAN-to-LAN Wizard. Premium > ISA Server! > Remote Access Wizard (Client-to-LAN) > ISA Server wizard for LAN-to-LAN VPN (ISA Server on the other side as well)
Slide 41: Example LAN-to-LAN VPN network. Branch office; Headquarters; sbs.net; Internet; SBS (ISA) .100; private 192.168.1.0/24; Windows 2003 (ISA); private 192.168.3.0/24; public 212.212.212.0/24
Slide 53: Security and control: Remote Access Account Lockout (KB816118); Authorizing VPN Connections (Dial-in); Remote Access Policy Profile; Packet Filtering; Accounting, Auditing, and Monitoring
Slide 54: References and resources: Technical resources for Windows Small Business Server 2003; Virtual Private Networks for Windows Server 2003; Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs; Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs. http://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.m http://www.microsoft.com/windowsserver2003/technologies/networking/v http://www.microsoft.com/technet/prodtechnol/windowsserver2003/techn http://www.microsoft.com/technet/prodtechnol/windowsserver2003/techn
Slide 55: Courses and exams. MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business http://www.microsoft.com/traincert/syllabi/2395AFinal.asp Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business http://www.microsoft.com/learning/exams/70-282.asp
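
The six-step process on Slide 12, worked through in Ruby as an added example (it is not part of the original deck). The slide names no algorithms, so AES-256-GCM and RSA-OAEP are choices made here, and the names `seal`, `open_envelope` and the envelope hash keys are assumptions.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender side, steps 2-4. The recipient's public key was retrieved in step 1.
def seal(recipient_public_key, data)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key   # fresh symmetric key, used for this message only
  iv  = cipher.random_iv    # GCM nonce, must never repeat under the same key
  wrapped_key = recipient_public_key.public_encrypt(key, OAEP)   # step 3
  cipher.auth_data = wrapped_key   # bind the wrapped key to the ciphertext
  ciphertext = cipher.update(data) + cipher.final                # step 2
  # Step 4: everything in this hash can travel over the untrusted network.
  { wrapped_key: wrapped_key, iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Recipient side, steps 5-6. Raises OpenSSL::OpenSSLError when the private key
# does not match or any part of the envelope was modified in transit.
def open_envelope(recipient_private_key, envelope)
  key = recipient_private_key.private_decrypt(envelope[:wrapped_key], OAEP)  # step 5
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = envelope[:wrapped_key]
  cipher.update(envelope[:ciphertext]) + cipher.final                        # step 6
end

if __FILE__ == $PROGRAM_NAME
  bob = OpenSSL::PKey::RSA.new(2048)   # constructed demo key pair
  envelope = seal(bob.public_key, 'constructed sample payload')
  puts open_envelope(bob, envelope)
end
```

Only the small symmetric key goes through the slow public-key operation; the bulk data is handled by the symmetric cipher, which is why Slide 10 calls it bulk encryption.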

   