CompTIA Network+ Review Guide - Bill Ferguson

Chapter 1
Domain 1.0 Network Architecture
1.2 Compare and Contrast the Use of Networking Services and Applications

The next step toward creating your functional network architecture is selecting the networking services that you will use on your network. This will largely be determined by the size and scope of your network and what you are connecting. For example, if you are connecting devices that are not at the same location, you might want to use protocols that are specific to that type of connection. Protocols you might consider include VPN, IPsec, RAS, unified voice services, and others. In this section, I will discuss these technologies and how they relate to your network architecture.

1.3.1 VPN

A virtual private network (VPN) is not really private since it runs through an unsecure network. However, a VPN is made virtually private using an encapsulation protocol, also called a tunneling protocol. You can accomplish this using SSL and cryptography. There are also other protocols that are specifically designed to provide a tunnel that encapsulates a well-known protocol, for example, IP, with a secure protocol known only by the sender and receiver.

Site to Site/Host to Site/Host to Host

For most companies with multiple locations, the prospect of installing dedicated leased lines, such as T-1s or T-3s, to each of their locations is cost prohibitive and unnecessary. It’s unnecessary with today’s networks because it’s possible to use the Internet as a secure connection between the locations. Tunneling is a process of encapsulating one protocol within another so as to provide a secure communication through an unsecure medium, typically the Internet. The processes and protocols used to create tunnels have changed over the past 15 years, and some tunnels are therefore more secure than others. Some tunneling protocols also encrypt the data contained in the packets, while others do not. As you will see, you can use these tunneling protocols to move data securely from one datacenter to another datacenter (site to site), from a remote computer to a datacenter (host to site), or even from one remote computer to another remote computer (host to host). In the following sections, I’ll discuss the protocols used for tunneling and the security they provide in each of these scenarios.

Protocols

Protocols have been defined in many ways. Some say that protocols are an expected behavior between two parties. Others say that protocols establish a set of rules by which the two parties can communicate. Network protocols fall into both of these definitions. They are the rules that determine the expected behavior of communication between one device and another one. In order for devices to communicate effectively, they must share the same protocol. If two devices know a protocol that other devices don’t, they can then communicate to each other through a medium that would otherwise be considered unsecure. Therefore, if I were to encapsulate one protocol inside another, I would create a tunnel on which only the computers that know the outer protocol could communicate. This is what is referred to as a tunneling protocol. In this section, I will discuss the various protocols that can be used as tunneling protocols between two devices.

IPsec

Internet Protocol Security (IPsec) is a framework of protocols designed to authenticate connections and encrypt data during communication between two computers. It operates at the Network layer of the OSI model and provides security for protocols that operate at the higher layers of the OSI model. Because of this, you can use IPsec to secure practically all TCP/IP-related communications, including tunnels.

The function of IPsec is to ensure that data on the network is safe from being viewed, accessed, or modified by anyone except the intended receiver. IPsec can be used to provide security within networks as well as between networks. To be more specific, IPsec has three main security services:

Data Verification This ensures that the data received is actually from the source from which it appears to have originated.

Protection from Data Tampering This ensures that the data has not been changed in any way during the transmission between the sending computer and the receiving computer.

Privacy of Transactions This ensures that the data that is sent is readable only by the intended receiver.

There are two main modes of IPsec: transport mode and tunnel mode. Transport mode is used to send and receive encrypted data within the same network. Tunnel mode is used to send encrypted data between networks. It includes an encryption mechanism as well as an authentication mechanism.

GRE

Generic Routing Encapsulation (GRE) is a protocol developed by Cisco systems that you can use to encapsulate many Network layer protocols to be delivered on point-to-point links in your IP network. It works by encapsulating the original payload (inner packet) into an outer IP packet that can be sent through the tunnel. De-encapsulation takes place at the other end of the tunnel, so the inner packet can be delivered without the destination machine ever being aware that an outer IP packet existed. This makes GRE a flexible tool that can even be used to send multicast and IPv6 packets through an otherwise normal IPv4 structure.
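As an added illustration (not code from the book), the following Python builds and strips the encapsulation just described: an inner packet is wrapped in a 4-byte GRE header and an outer IPv4 header, and the far end validates the outer header, checks the GRE version (0 for GRE; 1 is the enhanced GRE that PPTP uses) and hands back the untouched inner packet. The tunnel endpoints, the optional Key value and the inner IPv6/UDP packet are constructed sample values.

```python
import socket
import struct

GRE_IP_PROTO = 47                                   # IP protocol number for a GRE payload (RFC 2784)
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD     # Protocol Type values carried in the GRE header
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum, Key, Sequence Number present

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(inner: bytes, ethertype: int, src: str, dst: str, key: int = None) -> bytes:
    """Tunnel ingress: prepend a GRE header and an outer IPv4 header to the inner packet."""
    gre = struct.pack("!HH", GRE_FLAG_K if key is not None else 0, ethertype)
    if key is not None:
        gre += struct.pack("!I", key)               # optional Key field (RFC 2890) identifies the tunnel
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0, 64,
                        GRE_IP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    outer = outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:]
    return outer + gre + inner

def gre_decapsulate(packet: bytes):
    """Tunnel egress: validate and strip the outer headers; return (ethertype, key, inner)."""
    if packet[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("outer packet does not carry GRE")
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x7:                                 # version 0 is GRE; 1 is the enhanced GRE used by PPTP
        raise ValueError("unsupported GRE version")
    pos = ihl + 4 + (4 if flags & GRE_FLAG_C else 0)                       # skip Checksum + Reserved1
    key = struct.unpack("!I", packet[pos:pos + 4])[0] if flags & GRE_FLAG_K else None
    pos += (4 if flags & GRE_FLAG_K else 0) + (4 if flags & GRE_FLAG_S else 0)   # Key, Sequence Number
    return ethertype, key, packet[pos:]

def sample_ipv6_packet() -> bytes:
    """Constructed inner IPv6/UDP packet on documentation addresses (not a real capture)."""
    payload = b"hello through the tunnel"
    udp = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0) + payload
    src, dst = (socket.inet_pton(socket.AF_INET6, a) for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB16s16s", 6 << 28, len(udp), 17, 64, src, dst) + udp
```

Note that nothing here encrypts or authenticates the inner packet: GRE only carries it, which is why GRE is commonly paired with IPsec when confidentiality is needed.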

SSL VPN

The Secure Sockets Layer (SSL) protocol uses cryptography to provide secure authentication and communication privacy over the Internet. It is typically used for e-commerce. When used in conjunction with a VPN on a site that is allowing e-commerce, the advantage SSL offers is that many of the filters are already configured. In other words, if a site wants to allow e-commerce using SSL, then the ports for SSL already must be allowed through any firewalls or other network filters. This means that an SSL-based VPN might be much easier to configure than one that requires that a new protocol and its ports be allowed through the firewalls of the network.

PTP/PPTP

The Point-to-Point Tunneling Protocol (PPTP) is used to create a secure tunnel between two points on a network over which other protocols such as the Point-to-Point Protocol (PPP) can be used. This tunneling functionality provides the basis for many VPNs. Although PPTP is a widely used tunneling protocol, other tunneling protocols, such as L2TP with IPsec, provide even greater security. PPTP also cannot authenticate the end of the tunnel and thereby prevent a man-in-the-middle attack, but L2TP can. Because of these disadvantages of PPTP, it has been largely replaced by L2TP.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) provides a centralized system for authentication, authorization, and accounting. Remote access servers become clients of another server referred to as a RADIUS server. The authentication of the users is then actually performed by the RADIUS server based on certificates, Kerberos, or some other type of authentication. RADIUS uses UDP to broadcast the communication between the remote access servers (RASs) and the RADIUS server. The RAS becomes a go-between that opens the door, or doesn’t, for the client computer to come in and use the resource. Also, because all requests are centralized through the RADIUS server, accounting for those requests is also centralized. RADIUS is supported on all Microsoft Servers. When RADIUS is used with wireless networks, IEEE 802.1X, and WPA, the result is WPA for Enterprise.

RAS

Remote Access Service (RAS) is a remote access solution that is included with Microsoft Windows Server products. Its main function is to give users the same access to the network from a remote location as if they were actually sitting at their desks, although sometimes the access is much slower. RAS is implemented in Windows NT Server as RAS and in Windows 2000 Server, Windows Server 2003, and Windows Server 2008 as Routing and Remote Access Server (RRAS), but both product implementations offer the same basic functionality – remote access connectivity to a LAN environment. RAS servers can provide dial-up connections using modems as well as VPN connections using WAN miniports. Figure 1.4 shows an RRAS server on Windows Server 2008.

FIGURE 1.4 An RRAS server on Windows Server 2008

TACACS+

Terminal Access Controller Access Control System+ (TACACS+) is a service that is similar to RADIUS but uses TCP to communicate between the RAS and the TACACS+ server. It was developed by Cisco Systems to address the need for a more scalable AAA solution. The fact that it uses TCP (a connection-oriented protocol) instead of UDP (a connectionless protocol) offers several advantages, namely that the RAS server receives an acknowledgment from the TACACS+ server that the authentication request has been received and is being processed. Also, because the two can communicate with a connection-oriented protocol, more sophisticated security mechanisms can be employed. For example, while RADIUS encrypts only the password in the packet that is passed from the RAS to the RADIUS server, TACACS+ encrypts the entire body of the packet, including the information regarding the username and the service that the user is requesting. This makes TACACS+ a much more secure service than RADIUS. Of course, TACACS+ also keeps an accounting of all requests from a RAS, and that accounting can also be secured.
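To make the RADIUS-versus-TACACS+ comparison in the two sections above concrete, here is an added Python example (not from the book) that builds the same login request both ways, following RFC 2865 (RADIUS User-Password hiding) and RFC 8907 (TACACS+ body obfuscation): in the RADIUS Access-Request only the User-Password attribute is transformed and the User-Name travels in the clear, while in the TACACS+ START packet the entire body, username included, is XORed with a key-derived pad. Both RFCs describe these MD5-based schemes as hiding or obfuscation rather than strong encryption, which is a reason to run either service over an IPsec or TLS transport. The shared secret, Request Authenticator, session ID and credentials are constructed sample values.

```python
import hashlib
import struct

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block is keyed on the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out

def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(ident: int, username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request: Code 1, Identifier, Length, 16-byte Authenticator, then attributes."""
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username        # User-Name (type 1): clear text
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden            # User-Password (type 2): hidden
    return struct.pack("!BBH16s", 1, ident, 20 + len(attrs), authenticator) + attrs

def tacacs_plus_crypt(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: XOR the whole body with a pseudo-pad of chained MD5 digests; symmetric."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = _md5(sid, key, bytes([version, seq_no]), prev)
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))

def tacacs_plus_authen_start(session_id: int, username: bytes, password: bytes, key: bytes) -> bytes:
    """Authentication START (PAP): the 12-byte header stays clear, the body is obscured."""
    version, seq_no, port = 0xC0, 1, b"tty0"
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then four length fields
    body = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), 0, len(password))
    body += username + port + password                                  # user, port, rem_addr (empty), data
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))   # type 1 = authen, flags 0 = obfuscated
    return header + tacacs_plus_crypt(body, key, session_id, version, seq_no)
```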
