Automating VPN Management

Similar documents
Securing Wireless LANs with Certificate Services

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Cisco How Virtual Private Networks Work

Provisioning MPLS VPN Cable Services

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Cisco Group Encrypted Transport VPN

Virtual Private Networks (VPNs)

Intranets and Virtual Private Networks (VPNs)

Xceedium Xio Framework: Securing Remote Out-of-band Access

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Tropos Technology Overview

Hillstone IPSec VPN Solution

MTA_98-366_Vindicator930

NSG100 Nebula Cloud Managed Security Gateway

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

the about MPLS security

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Implementing Hub and Spoke topologies in Virtual Private Network using Enhanced Interior Gateway Routing Protocol

Managing Site-to-Site VPNs: The Basics

Use the IPSec VPN Wizard for Client and Gateway Configurations

Virtual Private Networks For Beginners Vpn

ETHERNET SERVICES FOR MULTI-SITE CONNECTIVITY

Managing Site-to-Site VPNs

MPLS in the DCN. Introduction CHAPTER

Cisco Associate-Level Certifications

Secure VPNs for Enterprise Networks

Managing Site-to-Site VPNs: The Basics

Architecting the Network Part 2

NSG50/100/200 Nebula Cloud Managed Security Gateway

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

How does your organization manage Privileged Users?

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

Service Managed Gateway TM. Configuring IPSec VPN

VPN. The Remote Access Solution. A Comprehensive Guide to Evaluating: Security Administration Implementation. the virtual leader

Cisco Service Advertisement Framework Deployment Guide

Cisco 5921 Embedded Services Router

CCNA Exploration Network Fundamentals

PCI DSS Compliance. White Paper Parallels Remote Application Server

The high-speed services required for these customers and environments include:

Network+ Guide to Networks 6 th Edition

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Using the Terminal Services Gateway Lesson 10

5 Best Practices for Transitioning from Legacy Voice to VoIP and UC&C

W H I T E P A P E R : O P E N. V P N C L O U D. Implementing A Secure OpenVPN Cloud

Sample excerpt. Virtual Private Networks. Contents

How Cisco ASR 1000 Enables Cisco Business Strategies by Providing Capacity and Resiliency for Collaborative Applications

Choosing the Right. Ethernet Solution. How to Make the Best Choice for Your Business

Implementing Cisco IP Routing (ROUTE)

Network Security and Cryptography. 2 September Marking Scheme

NetMotion Mobility and Microsoft DirectAccess Comparison

MPLS VPN Carrier Supporting Carrier Using LDP and an IGP

Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3: Why and How to Migrate to the Next Phase

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Network Services Internet VPN

Example - Configuring a Site-to-Site IPsec VPN Tunnel

Chapter 8. Network Troubleshooting. Part II

THE COMPLETE FIELD GUIDE TO THE WAN

VIRTUAL PRIVATE NETWORKS (VPN)

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

MOC 6420A: Fundamentals of Windows Server 2008 Network and Applications Infrastructure

Access Control List Network Solution for Cleveland Branch Offices Kevin O Neal DeVry University NETW208: Accessing the WAN

RADIUS Tunnel Attribute Extensions

Evaluating networking technologies

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Custom Connect. All Area Networks. customer s guide to how it works version 1.0

Configuring the VPN Client

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

FortiGate. on OCB FE Configuration Guide. 6 th December 2018 Version 1.0

NetPro. from Wireless Logic. Available on a per SIM license basis. No CAPEX. Retain your Airtime Contracts with your existing providers

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Network Configuration Example

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE

Insurance Industry - PCI DSS

Using a VPN with Niagara Systems. v0.3 6, July 2013

S5 Communications. Rev. 1

Cisco CCNA (ICND1, ICND2) Bootcamp

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

How to Configure a Hybrid WAN in Parallel to An Existing Traditional Wan Infrastructure

The Future of Broadband Wireless Today.

Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION

Aerohive and IntelliGO End-to-End Security for devices on your network

MPLS SOLUTION How to Make the Best Choice for Your Business

Course Routing Classification Properties Routing Protocols 1/39

isco Cisco PPPoE Baseline Architecture for the Cisco UAC

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

HP Instant Support Enterprise Edition (ISEE) Security overview

QNAP VPN (Virtual Private Network) Secure network experience

Cisco ISR G2 Management Overview

Virtual Private Networks

Wireless Network Security Fundamentals and Technologies

Secure Industrial Automation Remote Access Connectivity. Using ewon and Talk2M Pro solutions

Virtual Private Networks

Solutions Business Manager Web Application Security Assessment

Logical Network Design (Part II)

Transcription:

Automating VPN Management By Scott Hilton, Vice President Product Management Assured Digital, Inc. Although many network managers, users and executives agree on the benefits of virtual private networking, the processes involved in setting up and managing VPNs are not so well understood. In fact, VPN setup and management have proven problematic for network managers for three reasons. First, the basic setup functions for VPN devices must be performed manually and, often, at the remote installation site. This introduces risks of inconsistent policy settings and potential security breaches. Second, manual setup takes time and introduces complexity into larger systems installations. The VPN configuration that worked in a controlled, laboratory environment may not be able to scale up to the real-world needs of an aggressive rollout schedule. Third, network topologies change continuously, and VPN devices have been severely limited in their abilities to adapt to such changes. For network managers everywhere, VPN management has become a serious concern. Standards, such as the IETF s IPSec security protocol suite, represent a strong beginning. But the larger management challenges posed by production VPNs are more likely to be solved by newer VPN technologies that are putting advanced automation tools to work in second generation products. VPN Benefits Virtual private networking has quickly become an important productivity tool for organizations of all sizes, and across all major industries. The VPN works by building a tunnel -- actually a circuit-like path -- through a common WAN infrastructure such as the Internet. For companies deploying VPNs, the benefits are substantial. First, they take advantage of the lower telecommunications costs and unparalleled flexibility of Internet communications. Second, they preserve the privacy and inherent security of private line and frame relay networks. To the user on a LAN, or the telecommuter dialing into the enterprise via an ISP, encryption and tunneling are completely transparent. Still, VPNs do come at a price, and as some network managers have discovered, that price can include healthy doses of time and effort required to set up and manage the VPNs themselves. Now, thanks to increasing degrees of automation to help with the care, feeding and handling of VPN devices, network managers

are finding their own reasons to like the new technology. Second-Generation Features Although software-based VPN applications are available today, hardware-based VPN architectures have grown popular largely because of their greater performance. First-generation units were typically single-function devices, able only to create tunnels or implement security protocols. They were limited in scalability and difficult to manage in large networks. Newer, second-generation devices have now integrated networking intelligence and management automation with their tunneling and security functions. Second-generation VPN devices generally include basic encryption/decryption units and multi-user concentrators. VPN remote encryption/decryption devices are frequently placed in campus buildings and branch offices; the concentrators go in corporate or division headquarters. Figure 1: A simple VPN setup might look like this, with two VPN edge devices talking to the head-office VPN concentrator. This is all controlled via a management console, with each device consulting its routing tables to make forwarding decisions. The VPN devices typically serve as gateways for users on LAN subnets, and all use the IPSec protocol to create the tunnels and supply the security framework

for the tunneled packets. Securing, Connecting VPN Devices Setting up the VPN devices requires management attention at a number of points in the process: in security, for device authentication, authorization and setting overall security policies, and in network connectivity for configuring, provisioning and managing the devices. Performed manually, these steps require that trained technicians be onsite -- otherwise, setup is left to local office personnel who are unfamiliar with the complexities of security and networking. Automation solves this problem by permitting central setup and safe, automated administration throughout these major setup steps. Figure 2: As the network grows, management automation becomes increasingly critical in a dynamic, meshed environment. Note in the network diagram below that the management console created a second VPN path between Subnet A and Subnet B in order to accommodate an increase in traffic. In an automated system, this scenario can be multiplied hundreds of times and still work effectively and efficiently -- something that is impossible with manual setup. VPN Security: Device Authentication The first step in adding a new VPN device to a network is to authenticate that device s identity. With first-generation units, the network manager or technician would perform authentication manually. The technician would use a sharedsecret password technique to authenticate the new device with another (known) member of the network. This would require traveling to the remote site, or sending the password via diskette or password regular mail.

By contrast, in an automated system the network manager or technician starts by loading the automated management software into a central policy server. From that central site, the management software communicates through a highly secure control protocol to perform device authentication remotely. Device authentication is now a process of exchanging digital certificates, based on the X.509 standard defined by the International Telecommunication Union. The integrity of digital certificates is guaranteed -- and certificates are issued -- by a trusted third-party known as a certificate authority, or CA. This represents an improvement over the password method, but the need for the CA also adds its own measure of complexity. As a solution, some secondgeneration systems further automate and simplify the process by permitting X.509 certificates to be burned into VPN devices at the time of manufacture. These devices now have a hardware-strength cryptographic identity, and they avoid the remote security risk of device substitution, which might foil even the CA-issued certificates. Authorization The next setup step is to determine the new device s database and network access privileges. With a manual installation, authorization is vulnerable because it is performed at the remote site. Anyone who can access the VPN device can modify authorization parameters. In an automated system, authorization is performed from the management console, so it is inherently simpler -- and more secure. Setting Security Policy Security policy can cover a half dozen items, from type of encryption protocol to key rollover interval (encryption keys are rolled over, or changed, at regular intervals). Performed manually, the process is both tedious and risky, since few remote offices have security-savvy technicians on site. An automated system permits security settings to be maintained centrally, then downloaded to new devices as needed; this ensures setup quality and maintains consistency with corporate policy guidelines. Also, automated wizards can be applied to make the job easier. For instance, a security policy wizard might have several strength levels, each based on predetermined corporate policy, plus a custom setting to override the defaults. The highest level setting might be used for highly sensitive applications such as transmitting financial information. It might feature the greatest key strength for encryption (3DES, for example); the shortest-duration rollover interval; per-

packet (rather than per-session) authentication, plus several other parameters -- all selectable via a single mouse-click. Network Connectivity: Device Configuration For device configuration, the network manager or technician sets the device s modes of operations and its network identity. Parameters include the VPN device s IP address and the IP addresses of supported devices and subnets; plus SNMP parameters, default parameters, and routing modes. In an automated system, these parameters can be set centrally, and applied automatically as new devices are introduced. VPN Provisioning VPN Provisioning involves the distribution of the device s network connections and configuration of its routing tables. To do this manually, the technician must possess comprehensive knowledge of the organization s network topologies -- especially difficult in large, heavily networked environments. In branch offices, provisioning might fall to an office worker, inputting instructions from a desktop PC, through a serial cable. In an automated system, provisioning takes place where the network expertise and the network-diagramming tools reside -- centrally. Moreover, the network manager or technician can make use of provisioning templates that simplify the process. And in some systems, the network manager can assign multiple logical VPN connections to a single-port VPN device -- the device will find the most cost-effective path for each new VPN session. Ongoing Device Management By their nature, VPNs should be easy to add, delete and modify. First generation systems carried only limited router intelligence, so changes in network connections or subnet topologies required manual updates of static routing tables. Worse, network failures could go undetected -- except, of course, by the VPN users. Newer VPN systems are using intelligent, dynamic routing protocols such as RIP (Routing Internet Protocol) and OSPF (Open Shortest Path First) to automate the optimization of VPN routes and to implement self-discovery and self-correcting paths. For instance, intelligent VPN devices can now update their own routing tables, based on status messages sent regularly from other intelligent VPN devices. If a device fails, or if its communications link goes down, its status messages stop, and the other devices automatically update their tables to exclude the failed link.

In a RIP-based system, the number of hops required for each VPN connection is part of each device s forwarding decision. With OSPF, other information can be used, including delay, available bandwidth or shortest path. In the case where the network manager provisioned multiple logical VPN paths, the intelligent device consults its table as each new session is activated to determine which available path is most cost-effective and highest-performing. Benefits of Automation Thanks to the management tools and techniques available in second generation VPN systems, the newer encryption/decryption devices come very close to being both self-configuring and self-healing. To become a full-fledged, fully-secured member of a corporate VPN network, for instance, a new VPN device needs nothing more than its own, burned-in X.509 certificate -- its cryptographic identity -- and the IP address of the management server. Once its identity is established by the central system, all other security and network connectivity parameters will be downloaded automatically. When that device joins the active network, it will automatically signal its presence, and other devices will add it to their routing tables. Likewise, if a device fails, the others will learn, automatically, and adjust their tables -- all without network manager intervention. These features eliminate much of the tedium tasks and risks of manual setup and management -- a blessing for network managers. Just as important, VPNs can now be justified for large-scale installations, since central automation contributes mightily to their ability to scale to hundreds or thousands of users. For these users, and their organizations, management automation will play an important role in advancing the cause -- and increasing the benefits -- of virtual private networking in the days ahead. ####

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback