Virtual Private Networks, by Mike Erwin, Charlie Scott, Paul Wolfe
Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller folks had to make do with the relatively untrusted Internet. Nowadays, even large companies have to go outside their private nets, because so many people telecommute or log in while they're on the road. How do you provide a low-cost, secure electronic network for your organization? The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines, connections that can be easily used by anybody logging in from anywhere. A number of products now exist to help you develop that solution.

This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and Unix, such as PPTP and L2TP, Altavista Tunnel, Cisco PIX, and the secure shell (SSH).

New features in the second edition include SSH, which is a popular VPN solution for Unix systems, and an expanded description of the IPSec standard, for which several vendors have announced support.

Topics include:
- How the VPN compares to other available networking technologies
- Introduction to encryption, firewalls, the IPSec standard, and other technologies that let VPNs work
- Point to Point Tunneling Protocol (PPTP) and L2TP
- The Altavista Tunnel
- The Cisco PIX Firewall
- Secure Shell (SSH)
- Maintenance and troubleshooting
- Publisher: O'Reilly Media, Incorporated
- Edition: Second Edition
- Product dimensions: 7.03(w) x 9.17(h) x 0.62(d)
Read an Excerpt
Chapter 10: Managing And Maintaining Your VPN
In This Chapter:
- Choosing an ISP
- Solving VPN Problems
- Delivering Quality of Service
- Security Suggestions
- Keeping Yourself Up-to-Date
Unlike a firewall or proxy server, where you may set it up once and not touch it for months, your VPN is a more dynamic security mechanism. The main reason for this is that users rarely realize that they're interacting with a firewall or a proxy, while logging into a VPN server may take some interaction on their part. Users with various types of equipment may access your VPN from any point on the Internet at any hour or day. Anyone who has ever run a remote access server knows the various problems dial-up users can have. Many of the same problems that apply to remote users also apply to remote access VPN users. Remote sites that are connecting to a corporate LAN might require less maintenance, however, because with a LAN you often need to set them up once, have them dial in, and that's it. In this chapter, we'll go over the problems that can occur and look for possible debugging information and solutions, as well as list what you should be armed with when working with an ISP on VPN issues.
While this chapter can't address the specifics of your network, we can give you some general security suggestions. It's important to remember that no level of authentication or encryption can protect you if you don't have a sound security policy in place. We briefly touched on this in Chapter 1, Why Build a Virtual Private Network?, and Chapter 2, Basic VPN Technologies.
Finally, you'll want to keep up with the latest trends, standards, and security holes in VPN technologies, so that you can ensure that your VPN is up-to-date. We'll go over a list of resources you can use at the end of this chapter and in Appendix B, Resources, Online and Otherwise.
Choosing An ISP
Choosing the right ISP for your VPN connection may be one of the most important things you do. To provide the most reliable connection you possibly can, you should use the same ISP for each end of the VPN connection. The first thing to take into consideration is geography. You will want to choose an ISP that has points of presence in all of the places you need. Although local and regional ISPs might be perfect for connections within the same city or even the same state, if you need connectivity across the country you should choose a larger, national provider.
Another consideration for a reliable VPN is a quality of service (QoS) guarantee. This is an agreement between a customer and an ISP that guarantees a certain amount of availability and bandwidth on the ISP's network. Typically, QoS guarantees a certain maximum latency for your traffic on the ISP's network, measured in tens of milliseconds. Most national ISPs guarantee 99.5% availability on their network. QoS guarantees will appear in the service level agreement (SLA) your ISP has with you.
A number of ISPs, including GTE, UUNET, and others, also sell managed VPN services. With these services, the ISP operates and manages your VPN for you. Prices are variable, and are typically based on the number of sites and the total amount of bandwidth used.
Solving VPN Problems
There are numerous points of failure with VPNs. This makes tracking down the cause of a problem more difficult than it might be for a normal WAN or remote access connection. Among the possible problems are connectivity problems, authentication errors, and routing problems.
Connectivity Problems
Anyone familiar with maintaining or dialing into remote access servers (or into an ISP, for that matter) is also familiar with the frustration of trying to pinpoint the cause of a bad connection. The main difficulty with connectivity problems is that they have so many causes. Here are a few possibilities:
- Telco problems
  - Bad lines
  - Busy switch
- ISP problems
  - Busy signals (probably from a user-to-modem ratio that's too high)
  - Bad modem or router
- End-user problems
  - Bad modem or router
  - A modem or router that's incompatible with the ISP's
  - Configuration problem
Authentication Errors
Authentication problems are common in the realm of dial-up connections, even when VPNs aren't involved. Here are the two most common authentication problems:
- A mismatched username or password, which occurs when either the connecting machine or the far end thinks that the username or password is something other than what it is. This is sometimes caused by a simple typographical error. Likewise, there could be mismatched keys in a public key system.
- The connecting system and the destination are using different authentication methods. For instance, the connecting machine might be attempting PAP authentication, while the destination system is expecting CHAP.
Routing Problems
Routing problems occur when you're able to connect successfully to your ISP, but have trouble getting to certain hosts over the Internet, or getting out to the Internet at all. These problems are commonly due to configuration errors. Either the IP address, netmask, or gateway on your system is set incorrectly, or your ISP doesn't have a route for you.
Chances are that any one of the problems discussed in this chapter (authentication, connectivity, or routing) is caused by a configuration mismatch on your equipment, the ISP's equipment, or the equipment on the far end of the connection. The routing problem, however, could also be due to any one of the numerous connection points on the Internet backbone between you and the destination. You and your ISP will have little control over these problems, but it's nice to know where the problem is so that you can report it to the proper people.
In Chapter 5, Configuring and Testing Layer 2 Connections, in the section "Troubleshooting Problems," we mentioned two useful utilities for testing routes: ping and traceroute. Both of these tools can be used to troubleshoot problems on other VPNs as well. ping is a utility found on Unix, Windows 95/98, and Windows NT systems. It sends packets to a given destination and awaits a return. It doesn't tell you what route the packets take, but it does tell you if they get there at all and if there's any packet loss. Traceroute is a program on Unix systems. The Windows 95/98/NT equivalent is TRACERT. Traceroute will actually show you the path packets take to their destination. This information can be useful to pinpoint exactly where a problem is occurring.
Traceroute information can sometimes be confusing. Be sure to read up on what the various latencies mean, as well as asterisks, exclamation marks, and other symbols. A good TCP/IP networking book will explain how to read traceroute's output, as will its manual page on a Unix system. Also keep in mind that an ISP or company may be blocking traceroute's UDP packets at their firewall for security reasons, so you may want to contact them and find out if this is the case. If the problem appears to be with a backbone provider, the best thing to do is still to contact your ISP. They can then contact the backbone provider and see what the problem is.
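As an added illustration of reading traceroute output (example code written for this page, not from the book), the following Python parses the classic Unix traceroute line format over a constructed sample and picks out the hops a practitioner would report to an ISP: hops that never answer, hops annotated with an ICMP error such as !X (administratively prohibited, the usual sign of a firewall dropping the probes), and sudden latency jumps. The hostnames and addresses in the sample are made up.

```python
import re
from statistics import mean

# Constructed sample in Unix traceroute format (RFC 1918 / documentation addresses, not real hosts).
SAMPLE_TRACEROUTE = """\
traceroute to vpn.example.net (203.0.113.10), 30 hops max, 40 byte packets
 1  gw.example.org (192.168.1.1)  0.512 ms  0.401 ms  0.389 ms
 2  * * *
 3  core1.isp.example (198.51.100.5)  14.022 ms  13.910 ms  14.500 ms
 4  peer.backbone.example (198.51.100.77)  98.311 ms  101.204 ms  *
 5  vpn.example.net (203.0.113.10)  99.004 ms !X  99.876 ms !X  100.110 ms !X
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                      # "<hop>  <rest of line>"
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")                    # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+)\s+ms(?:\s+(![A-Za-z0-9<>]+))?")  # "12.3 ms" or "12.3 ms !X"


def parse_traceroute(text):
    """One dict per hop: number, host, RTTs, lost probes ('*') and ICMP annotations."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                  # header line, not a hop
        rest = m.group(2)
        host = HOST_RE.match(rest)
        probes = RTT_RE.findall(rest)                 # [(rtt, annotation-or-''), ...]
        hops.append({"hop": int(m.group(1)),
                     "host": host.group(1) if host else None,
                     "rtts": [float(r) for r, _ in probes],
                     "timeouts": rest.split().count("*"),
                     "flags": {f for _, f in probes if f}})
    return hops


def find_problem_hops(hops, jump_ms=50.0):
    """Hops worth reporting to the ISP: no answer at all, an ICMP error annotation (e.g. !X,
    administratively prohibited, usually a firewall), or a jump > jump_ms over the previous hop."""
    problems, prev_avg = [], None
    for h in hops:
        reasons = []
        if h["timeouts"] and not h["rtts"]:
            reasons.append("no response (all probes timed out)")
        if h["flags"]:
            reasons.append("icmp error " + ",".join(sorted(h["flags"])))
        if h["rtts"]:
            avg = mean(h["rtts"])
            if prev_avg is not None and avg - prev_avg > jump_ms:
                reasons.append(f"latency jump +{avg - prev_avg:.0f} ms")
            prev_avg = avg
        if reasons:
            problems.append((h["hop"], h["host"], reasons))
    return problems
```

On the sample, `find_problem_hops(parse_traceroute(SAMPLE_TRACEROUTE))` reports hop 2 as silent, hop 4 as an 86 ms latency jump, and hop 5 as answering with !X; a single lost probe at hop 4 is not reported on its own.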
Dealing With An ISP
Working with an ISP to solve a VPN problem may prove difficult, especially if the ISP doesn't support VPNs. As a network administrator, therefore, you'll want to know your VPN product inside and out. The most important thing to remember when troubleshooting a problem with an ISP is to give them as much information as possible. At a minimum, give them this information:
- What VPN product you're using.
- What the IP address of your system should be.
- What the address of the destination VPN server or router should be (e.g., the address of your PPTP server).
- The TCP or UDP ports that your VPN product uses, in case your ISP has those ports blocked at a firewall.
- Any ping or traceroute output you may have that demonstrates the problem.
Make sure your ISP is someone you trust. During the course of the troubleshooting session you may have to give them security information about your network, or set up a test account for them to attempt to dial into. Here are some suggestions for finding a trustworthy ISP, or building trust with your current one:
- Use a well-established ISP: either a well-known national provider, or a local one that has a good reputation and operating history. Your local Better Business Bureau is a good place to start.
- If possible, always deal with the same support person. This will not only assure you better service, as they'll be familiar with your past problems, but will also keep the number of people you might give sensitive network information to at a minimum.
Compatibility With Other Products
Other products on your network may interfere with the performance of your VPN. Before investing the time and money to set up a VPN, you should do some research to ensure that your system and network configuration will work with it, especially if you have an elaborate security setup. Here are some caveats when setting up a VPN or adding a new product to your network:
- Some routers block certain TCP ports out of the box as a security measure. Find out which ports your router blocks and make sure that they're not ports your VPN uses. You can usually turn this filtering off.
- As we've already said, some VPN products won't work through a proxy server. The Microsoft Proxy Server, for instance, doesn't work with PPTP. If you already have a proxy server and want to implement a VPN, you may want to multi-home the VPN server between the Internet and your LAN, just as you have the proxy server set up. (See Figure 10-1.) VPN-only traffic routes through the VPN server, while all other traffic routes through the proxy server.
Network Address Translation (NAT) is a protocol many routers support that allows machines to access the Internet even though they have internal IP addresses (set aside in RFC 1918) that are not usable on the wider Internet. Essentially, each machine is given a nonroutable address, while the router has a routable IP address. When each of the machines behind the router wants to access the Internet, it pretends to have the IP address of the router.
If you want to use NAT, we suggest a double-router setup, as shown in Figure 10-2. It shows a gateway router to the Internet and a perimeter network with Internet-routable IP addresses. On the perimeter network is a NAT-capable router multi-homed to have interfaces to both the perimeter network and the internal network. The machines on the internal network have only non-Internet-routable IP addresses. The VPN server is also multi-homed between the perimeter and internal networks, and will route only VPN traffic to and from those networks. . . .
Meet the Author
Mike Erwin is the president and chief executive officer of OuterNet Connection Strategies, Inc. Mike has served in these posts for the last four years, during which he also worked for Apple Computer, Inc., architecting and implementing connectivity, application, scripting, and development support for Apple's Worldwide Support Center. Mike is the coauthor of several other works, including the CGI Bible, Building Web Commerce Sites, and the 60 Minute Guide to VRML. Mike's technology-related interests involve encryption algorithms, supercomputing, distributed operating systems, universe game simulations, and building secondary securities markets on the Net. Before becoming completely immersed in work, Mike used to find that his hobbies included playing hearts, drinking cheap vodka, staying up until dawn, and doodling with oil paints with his left hand. Mike's current favorite things include dabbling with theoretical and particle physics, martial arts training, gambling, securities prospecting, and, of course, sleeping.
Charlie Scott is the senior vice president of OuterNet Connection Strategies, Inc., an Internet Service Provider and outsource company based in Austin, Texas, specializing in innovative and emergent technologies. At OuterNet, he helps create and implement new products for their network operations center and co-location facilities. While an undergraduate at the University of Texas at Austin, Charlie was a research assistant in a cognitive science lab, and planned on going to graduate school in that field. He was eventually able to get his B.A. in psychology. But he always enjoyed working with computers, and his exposure to the Internet at UT diverted him enough to abandon all plans for graduate school and start working with computer networks. The next few years saw him at Texas Instruments, IBM, and Wayne-Dresser before he helped found OuterNet. Charlie has also coauthored a half-dozen Internet-related books (many with Mike and Paul), on topics ranging from electronic commerce to CGI programming. When he finds spare time, Charlie likes to write (as of yet unpublished) fiction, read, and go to the gym. He also enjoys spending time with his wife, Mary, and their four beautiful felines.
Paul Wolfe has done everything from driving M1A1 tanks in Desert Storm to slinging computer chips for Motorola. He now divides his time between his family and OuterNet, as well as writing. He has written four books in the last two years covering such topics as Windows NT Web servers, Internet commerce, VRML, and Virtual Private Networks. He dreams of restoring his 1986 Toyota Tercel to its former glory and racing it on the stock car circuit.