DOCSLIB.ORG

Virtual Private Networks: Secure Remote Access Over the Internet

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Virtual Private Networks: Secure Remote Access Over the Internet 51-10-38 DATA COMMUNICATIONS MANAGEMENT VIRTUAL PRIVATE NETWORKS: SECURE REMOTE ACCESS OVER THE INTERNET John R. Vacca INSIDE Remote User Access over the Internet; Connecting Networks over the Internet; Connecting Computers over the Intranet; User Authentication; Address Management; Data Encryption; Key Management; Multiprotocol Support; Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP); IP Security Protocol (IPSec); Integrated RAS-VPN Clients; Proxy Servers; Information Technology Groups (ITGs); Secure Internet Access; High-Speed Internet Access; RAS Reporting; Internet Usage Chargeback INTRODUCTION The components and resources of one network over another network are connected via a Virtual Private Network (VPN). As shown in Exhibit 1, VPNs accomplish this by allowing the user to tunnel through the Inter- PAYOFF IDEA net or another public network in a There is no doubt about it: Virtual Private Net- manner that lets the tunnel partici- works (VPNs) are hot. Secure remote access pants enjoy the same security and over the Internet and telecommuting needs are features formerly available only in escalating. Distributed enterprise models like ex- private networks. tranets are also increasing. The use of VPN tech- nologies by enterprises or corporations require Using the routing infrastructure pragmatic, secure Internet remote access solu- provided by a public internetwork tions that must be easy to use, economical, and (such as the Internet), VPNs allow flexible enough to meet all of their changing telecommuters, remote employees needs. In this article, the reader will learn how en- terprises or corporations like Microsoft; UUnet like salespeople, or even branch of- Technologies, Inc., Telco Research, and ATCOM, fices to connect in a secure fashion Inc. are saving more than $28 million every year to an enterprise server located at the by using VPNs to do secure remote access over edge of the enterprise local area net- the Internet by their traveling employees and work (LAN). The VPN is a point-to- sales reps. The reader will also learn how to make secure Internet remote access information tech- point connection between the user’s nology (IT) solutions easy to use and easy to man- computer and an enterprise server age by telecommunications managers (TMs). 08/99 Auerbach Publications © 1999 CRC Press LLC EXHIBIT 1 — Virtual Private Network from the user’s perspective. It also appears as if the data is being sent over a dedicated private link because the nature of the intermediate in- ternetwork is irrelevant to the user. As previously mentioned, while maintaining secure communications, VPN technology also allows an en- terprise to connect to branch offices or to other enterprises (extranets) over a public internetwork (such as the Internet). The VPN connection across the Internet logically operates as a wide area network (WAN) link between the sites. In both cases, the secure connection across the inter- network appears to the user as a private network communication (de- spite the fact that this communication occurs over a public internetwork); hence the name Virtual Private Network. VPN technology is designed to address issues surrounding the current enterprise trend toward increased telecommuting, widely distributed glo- bal operations, and highly interdependent partner operations. Here, workers must be able to connect to central resources and communicate with each other. And, enterprises need to efficiently manage inventories for just-in-time production. An enterprise must deploy a reliable and scalable remote access solu- tion to provide employees with the ability to connect to enterprise com- puting resources regardless of their location. Enterprises typically choose one of the following: • an IT department-driven solution, where an internal information sys- tems department is charged with buying, installing, and maintaining enterprise modem pools and a private network infrastructure • value-added network (VAN) solutions, where an enterprise pays an outsourced enterprise to buy, install, and maintain modem pools and a telco infrastructure The optimum solution in terms of cost, reliability, scalability, flexible administration and management, and demand for connections is provid- ed by neither of these traditional solutions. Therefore, it makes sense to find a middle ground where the enterprise either supplements or replac- es its current investments in modem pools and its private network infra- structure with a less-expensive solution based on Internet technology. In this manner, the enterprise can focus on its core competencies with the assurance that accessibility will never be compromised, and that the most economical solution will be deployed. The availability of an Inter- net solution enables a few Internet connections (via Internet service providers, or ISPs) and deployment of several edge-of-network VPN server computers to serve the remote networking needs of thousands or even tens of thousands of remote clients and branch offices, as de- scribed next. VPN Common Uses The next few subsections of this article describe in more detail common VPN situations. Secure Remote User Access over the Internet. While maintaining privacy of information, VPNs provide remote access to enterprise re- sources over the public Internet. A VPN that is used to connect a remote user to an enterprise intranet is shown in Exhibit 2. The user first calls a local ISP Network Access Server (NAS) phone number, rather than mak- ing a leased-line, long-distance (or 1-800) call to an enterprise or out- sourced NAS. The VPN software creates a virtual private network between the dial-up user and the enterprise VPN server across the Inter- net using the local connection to the ISP. Connecting Networks over the Internet. To connect local area net- works at remote sites, there exist two methods for using VPNs: using dedicated lines to connect a branch office to an enterprise LAN, or a dial- up line to connect a branch office to an enterprise LAN. Using Dedicated Lines to Connect a Branch Office to an Enterprise LAN. Both the branch office and the enterprise hub routers can use a local dedicated circuit and local ISP to connect to the Internet, rather than us- ing an expensive long-haul dedicated circuit between the branch office and the enterprise hub. The local ISP connections and the public Internet are used by the VPN software to create a virtual private network between the branch office router and the enterprise hub router. Using a Dial-Up Line to Connect a Branch Office to an Enterprise LAN. The router at the branch office can call the local ISP, rather than having a router at the branch office make a leased-line, long-distance or (1-800) call to an enterprise or outsourced NAS. Also, in order to create a VPN between the branch office router and the enterprise hub router across the Internet, the VPN software uses the connection to the local ISP as shown in Exhibit 3. The facilities that connect the branch office and enterprise offices to the Internet are local in both cases. To make a connection, both cli- ent/server, and server/server VPN cost savings are largely predicated on the use of a local access phone number. It is recommended that the en- terprise hub router that acts as a VPN server be connected to a local ISP with a dedicated line. This VPN server must be listening 24 hours per day for incoming VPN traffic. Connecting Computers over an Intranet The departmental data is so sensitive that the department’s LAN is phys- ically disconnected from the rest of the enterprise internetwork in some EXHIBIT 2 — Using a VPN to Connect Remote Client Private LAN EXHIBIT 3 — Using a VPN to Connect Two Remote Sites enterprise internetworks. All of this creates information accessibility problems for those users not physically connected to the separate LAN, although the department’s confidential information is protected. VPNs allow the department’s LAN to be separated by a VPN server (see Exhibit 4), but physically connected to the enterprise internetwork. One should note that the VPN server is not acting as a router between the enterprise internetwork and the department LAN. A router would in- terconnect the two networks, thus allowing everyone access to the sen- sitive LAN. The network administrator can ensure that only those users on the enterprise internetwork who have appropriate credentials (based on a need-to-know policy within the enterprise) can establish a VPN with the VPN server and gain access to the protected resources of the depart- ment by using a VPN. Additionally, all communication across the VPN can be encrypted for data confidentiality. Thus, the department LAN can- not be viewed by those users who do not have the proper credentials. BASIC VPN REQUIREMENTS Normally, an enterprise desires to facilitate controlled access to enterprise resources and information when deploying a remote networking solution. In order to easily connect to enterprise local area network (LAN) resourc- es, the solution must allow freedom for authorized remote clients. And, in order to share resources and information (LAN-to-LAN connections), the solution must also allow remote offices to connect to each other. Finally, as the data traverses the public Internet, the solution must ensure the pri- vacy and integrity of data. Also, in the case of sensitive data traversing an enterprise internetwork, the same concerns apply. A VPN solution should therefore provide all of the following at a minimum: • Address management: the solution must assign a client’s address on the private net, and must ensure that private addresses are kept private EXHIBIT 4 — Using a VPN to Connect to Two Computers on the Same LAN Using a VPN to Connect Two • Data encryption: data carried on the public network must be ren- dered unreadable to unauthorized clients on the network • Key management: the solution must generate and refresh encryption keys for the client and server • Multiprotocol support: the solution must be able to handle common protocols used in the public network; these include Internet Protocol (IP), Internet Packet Exchange (IPX), etc.
Load more

Recommended publications
  • Cryptography
    Pattern Recognition and Applications Lab CRYPTOGRAPHY Giorgio Giacinto [email protected] University of Cagliari, Italy Spring Semester 2019-2020 Department of Electrical and Electronic Engineering Cryptography and Security • Used to hide the content of a message • Goals – Confidentiality – Authenticity – Integrity • The text is modified by an encryption function – An interceptor should not be able to understand all or part of the message content http://pralab.diee.unica.it 2 Encryption/Decryption Process Key Key (Optional) (Optional) Original Plaintext Encryption Ciphertext Decryption Plaintext http://pralab.diee.unica.it 3 Keys and Locks http://pralab.diee.unica.it 4 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 5 Keys L F A Y B D E T C A R C S E E T Y H G S O U S U D H R D F C E I D B T E M E P Q X N R C I D S F T U A E T C A U R M F N P E C J N A C R D B E M K C I O P F B E W U X I Y M C R E P F N O G I D C N T M http://pralab.diee.unica.it 6 Steganography - = http://pralab.diee.unica.it https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1 7 Definitions • Cryptography algorithm C = E(K,M) A function E with two inputs – a message M – a key K that outputs – the encrypted message C The algorithm is based on a shared secret between the sender and the receiver K The Encryption Key http://pralab.diee.unica.it 8 Symmetric
    [Show full text]
  • Your Performance Task Summary Explanation
    Lab Report: 13.3.4 Configure Remote Wipe Your Performance Your Score: 0 of 1 (0%) Pass Status: Not Passed Elapsed Time: 17 seconds Required Score: 100% Task Summary Actions you were required to perform: In Remotely wipe Maggie's iPad Explanation In this lab, your task is to assist Maggie with a remote wipe as follows: Log in to icloud.com using the following credentials: Apple ID: [email protected] Password: maggieB123 Using Find iPhone, select her iPad and erase it. Enter a phone number and message to be displayed on the iPad. Complete this lab as follows: 1. In the URL field in Chrome, enter icloud.com and press Enter. 2. Maximize the window for easier viewing. 3. In the Sign in to iCloud field, enter [email protected] and press Enter. 4. Enter maggieB123 and press Enter. 5. Select Find iPhone. 6. Select All Devices. 7. Select Maggie's iPad. 8. Select Erase iPad. 9. Select Erase. 10. In the Enter AppleID to continue field, enter [email protected] and press Enter. 11. Enter maggieB123 and press Enter. 12. In the Number field, enter a phone number of your choosing to be displayed on the iPad. 13. Click Next. 14. Enter a message of your choosing to be displayed on the iPad. 15. Click Done. 16. Click OK. Lab Report: 13.3.6 Require a Screen Saver Password Your Performance Your Score: 0 of 3 (0%) Pass Status: Not Passed Elapsed Time: 8 seconds Required Score: 100% Task Summary Actions you were required to perform: In Enable the screen saver In Enable the screen saver after 10 minutes In Show the logon screen when the computer wakes Explanation In this lab, your task is to complete the following: Enable the screen saver (you choose the screen saver type to use).
    [Show full text]
  • President's Corner
    TAPR PSR #137 Winter 2018 President’s Corner By Steve Bible, N7HPR TAPR will be at the HamSCI Workshop <https://tinyurl.com/y8errhsu > on February 23 and 24 at the New Jersey Institute of Technology in Newark. I, along with a handful of other TAPR officers and board members will attend the workshop, which will focus on the results of the 2017 Great American Eclipse ham radio ionospheric experiment and the development of a Personal Space Weather station. As in the past, TAPR will be at Hamvention <http://www.hamvention.org> in May with a suite of booths, our highly regarded TAPR Forum and the annual TAPR- AMSAT Banquet, President’s Corner 01 In the fall, the 37th annual ARRL/TAPR Digital Communications Conference PulsePuppy 02 (DCC) will take place September 14-16 in Albuquerque, New Mexico. The Greg Jones Memorial Endowment 03 conference invites technical papers for presentation at the conference and for Phase 4 Space Kickoff 04 publication in the Conference Proceedings (presentation at the conference is not XC-3006 06 required for publication). Papers are due by July 31, 2018, to Maty Weinberg, Evangelizing Ham Radio Data Modes 07 Set Up an IPv6 Gateway on Packet 08 ARRL, 225 Main St., Newington, CT 06111 or via e-mail to [email protected]. The TAPR Wear Available 10 Conference website <http://www.tapr.org/dcc> has full details. Aruba on a Sloper 11 Hope to see you in Newark, Xenia and Albuquerque! N7DRB SK 12 Write Here! 13 73, On the Net 13 Steve Bible, N7HPR, President TAPR The Fine Print 14 ### Our Membership App 15 TAPR is a community that provides leadership and resources to radio amateurs for the purpose of advancing the radio art.
    [Show full text]
  • N2N: a Layer Two Peer-To-Peer VPN
    N2N: A Layer Two Peer-to-Peer VPN Luca Deri1, Richard Andrews2 ntop.org, Pisa, Italy1 Symstream Technologies, Melbourne, Australia2 {deri, andrews}@ntop.org Abstract. The Internet was originally designed as a flat data network delivering a multitude of protocols and services between equal peers. Currently, after an explosive growth fostered by enormous and heterogeneous economic interests, it has become a constrained network severely enforcing client-server communication where addressing plans, packet routing, security policies and users’ reachability are almost entirely managed and limited by access providers. From the user’s perspective, the Internet is not an open transport system, but rather a telephony-like communication medium for content consumption. This paper describes the design and implementation of a new type of peer-to- peer virtual private network that can allow users to overcome some of these limitations. N2N users can create and manage their own secure and geographically distributed overlay network without the need for central administration, typical of most virtual private network systems. Keywords: Virtual private network, peer-to-peer, network overlay. 1. Motivation and Scope of Work Irony pervades many pages of history, and computing history is no exception. Once personal computing had won the market battle against mainframe-based computing, the commercial evolution of the Internet in the nineties stepped the computing world back to a substantially rigid client-server scheme. While it is true that the today’s Internet serves as a good transport system for supplying a plethora of data interchange services, virtually all of them are delivered by a client-server model, whether they are centralised or distributed, pay-per-use or virtually free [1].
    [Show full text]
  • Ipv4 WAN (Internet) Layer 2 Tunneling Protocol (L2TP) Configuration on RV120W and RV220W
    IPv4 WAN (Internet) Layer 2 Tunneling Protocol (L2TP) Configuration on RV120W and RV220W Objectives Layer 2 Tunneling Protocol (L2TP) establishes a Virtual Private Network (VPN) that allows remote hosts to connect to one another through a secure tunnel. It does not provide any encryption or confidentiality by itself but relies on an encryption protocol that it passes within the tunnel to provide privacy. One of its biggest advantages is that it encrypts the authentication process which makes it more difficult for someone to "listen in" on your transmission to intercept and crack the data. L2TP does not only provide confidentiality but also data integrity. Data integrity is protection against modification of date between the time it left the sender and the time it reached the recipient. This document explains how to configure the IPv4 WAN (Internet) for use with Layer 2 Tunneling Protocol (L2TP) on the RV120W and RV220W. Applicable Devices • RV120W • RV220W Software Version • v1.0.4.17 IPv4 WAN (Internet) L2TP Configuration Step 1. Log in to the web configuration utility and choose Networking > WAN (Internet) > IPv4 WAN(Internet). The IPv4 WAN (Internet) page opens: Step 2. Choose L2TP from the Internet Connection Type drop-down list. Step 3. Enter the username provided from ISP in the User Name field. Step 4. Enter the password provided from ISP in the password field. Step 5. (Optional) Enter the secret pass phrase if provided by the ISP in the Secret field. Step 6. Click the desired radio button for the Connection Type: • Keep Connected — This keeps the device connected to the network for all the time.
    [Show full text]
  • Security & Savings with Virtual Private Networks
    Everybody’s connecting. Security & Savings with Virtual Private Networks In today’s New Economy, small businesses that might have dealt with just local or regional concerns now have to consider global markets and logistics. Many companies even have facilities spread across the country or throughout the world. At the same time security concerns of their network from hackers, Denial-of-Service (DoS) attacks and sending data over the Internet have become more widespread. Whether companies have a local, national, or global presence, they all need one thing: a way to maintain fast, secure, and reliable communications wherever their offices and workers are located. Until recently, such communications were only available by using leased telephone lines to maintain a Wide Area Network (WAN). Leased lines enabled companies to expand their private network beyond their immediate geographic area. Moreover, a WAN provided advantages over a public network like the Internet when it came to reliability, performance, and security. Unfortunately, leased lines are expensive to maintain, with costs rising as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a cost-effective way to extend their networks. The continuing popularity with the Internet has led to the evolution of Virtual Private Networks (VPNs). A VPN is a connection that allows private data to be sent securely over a shared or public network, such as the Internet. In fact, one of the driving forces behind VPNs is the Internet and its global presence. With VPNs, communication links between users and sites can be achieved quickly, inexpensively, and safely across the world.
    [Show full text]
  • Application Note
    Remote Access Serial Communications - Serial Server RFL eXmux 3500® IP Access Multiplexer The RFL eXmux 3500 is a hardened IP Access Multiplexer engineered for mission critical infrastructures that seamlessly transport voice, serial, video and Ethernet data communications over Ethernet/IP or MPLS networks. The eXmux 3500 is a Layer 2 device with an integrated managed Ethernet switch which allows the eXmux 3500 to be used either in a private network with other eXmux 3500’s or as part of a larger Ethernet/IP/MPLS network. Both fiber (using SFPs) and RJ-45 connections are available for the eXmux 3500; uplink speeds of up to a Gigabit are possible. This application note illustrates the eXmux-3500 IP access multiplexer basic remote access communications with remote devices that has serial (RS232, DB9) interface functionality using the Serial Server IU as depicted in Figure 1 below. LAN 1 LAN 2 PC-1 PC-2 IP Address=10.10.12.100 Remote Access Using Serial Server IP Address=10.10.11.100 ethernet ethernet Ethernet/IP Network P1 P5 P5 P1 SSrv Port 1 eXmux 3500-1 eXmux 3500-2 SSrv Port 2 IP address=10.10.12.12 IP Address=10.10.11.12 RS-232 comm port RS-232 comm port Figure 1…Remote Access Communication Topology Serial Server IU Implementation The Serial Server (SSrv) is an IP-based interface unit (IU) of the eXmux 3500 that supports remote communications to a serial device connected either RS-232 or RS-485/4W using either standard Telnet (Unsecured) or SSH (Secure Shell - Tunneling) IP applications.
    [Show full text]
  • Ipv6 — an Introduction
    IPv6 — An introduction Owen DeLong [email protected] Portions Copyright © 2009-2014 by Hurricane Electric, used under license to Owen DeLong More IPv4 NAT Are you fscking kidding me? ©2014 Black Lotus Communications IPv6 Transition -- How ready are we? n Things that are ready Backbones CMTS Systems (DOCSIS 3) MacOS (10.4+) Linux (2.6 Kernels) Windows (7, 2008, XP (limited)) WiMax (specification, head end equipment) LTE (some) CPE (very limited) Early Adopters and some industry experts Black Lotus Me ©2014 Black Lotus Communications IPv6 Transition -- How ready are we? ▪ Things that are NOT ready ➢ PON Systems ➢ DSL Systems ➢ CMTS Systems (DOCSIS 2) ➢ WDS/EVDO/HSPA ➢ WIMAX (handsets, providers) ➢ Older Windows (XP and earlier) ➢ Embedded systems ➢ Printers ➢ Home entertainment devices ➢ CPE (most) ➢ Most IT staff and management ©2014 Black Lotus Communications An Important Decision ▪ Which Approach will you take? IPv4 is just fine. IPv4/IPv6 Dual Stack Now We just need MOAR NAT!! My dual stack network is running great! ©2014 Black Lotus Communications What we’ll cover ▪ Basics of IPv6 ▪ IPv6 Addressing Methods ➢ SLAAC ➢ DHCP ➢ Static ➢ Privacy ▪ Linux Configuration for Native Dual Stack ▪ IPv6 without a native backbone available ▪ Free IPv6? ©2014 Black Lotus Communications Some additional topics ▪ Routing ▪ Firewalls ▪ DNS ▪ Reverse DNS ▪ Troubleshooting ▪ Staff Training ©2014 Black Lotus Communications Basics: IPv4 vs. IPv6 Property IPv4 Address IPv6 Address Bits 32 128 Total address 3,758,096,384 unicast 42+ Undecilion assignable
    [Show full text]
  • GPRS Tunneling Protocol (GTP) Processing
    TECHNOLOGY BRIEF GPRS Tunneling Protocol (GTP) Processing GPRS Tunneling Protocol or GTP for short is a mechanism used exclusively in cellular SUMMARY networks to tunnel IP packets through a mobile network core. The protocol was Comprehensive discussion of GTP introduced in the late 1990s when the first generation of packetized data—known protocol and how an Accolade as General Packet Radio Services or GPRS—was adopted. GPRS is often referred to adapter can help with GTP as 2.5G because it runs over GSM (2nd Generation or 2G mobile technology). GTP deduplication has moved on from those humble beginnings and is used in an updated form in KEY POINTS both 4G (LTE) and emerging 5G cellular networks. The main benefit of GTP is that • GTP is used exclusively in mobile a user’s IP address can be decoupled from routing and related decisions within networks a mobile network core. This is what allows a cellular customer to move around • Accolade ANIC adapters can fully from base station to base station and still maintain uninterrupted connectivity parse GTP packets and offer to external networks such as the Internet. It also allows for multiple services such value added capabilities such as as VoLTE (Voice over LTE) to be provisioned on the same device. In short, GTP is a deduplication crucial tunneling protocol that is indispenable in all modern mobile networks. HOW IT WORKS Figure 1 depicts a mobile phone (referred to as “user equipment” or “UE” in the industry) accessing an Internet web server with IP address 74.125.71.104. The phone or UE is initially connected to base station #1 (referred to as an eNodeB or “eNB” in LTE) and generates a simple IP packet to access the web server.
    [Show full text]
  • Analysis of Recent Attacks on Ssl/Tls Protocols A
    ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY DUYGU OZDEN¨ IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY SEPTEMBER 2016 Approval of the thesis: ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS submitted by DUYGU OZDEN¨ in partial fulfillment of the requirements for the de- gree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Bulent¨ Karasozen¨ Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Murat Cenk Supervisor, Cryptography, METU Examining Committee Members: Assoc. Prof. Dr. Murat Cenk Cryptography, METU Assoc. Prof. Dr. Ali Doganaksoy˘ Mathematics, METU Asst. Prof. Dr. Fatih Sulak Mathematics, ATILIM UNIVERSITY Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: DUYGU OZDEN¨ Signature : v vi ABSTRACT ANALYSIS OF RECENT ATTACKS ON SSL/TLS PROTOCOLS Ozden,¨ Duygu M.S., Department of Cryptography Supervisor : Assoc. Prof. Dr. Murat Cenk September 2016, 46 pages Transport Layer Security(TLS) and its predecessor Secure Socket Layer(SSL) are two important cryptographic, certificate based protocols that satisfy secure communication in a network channel. They are widely used in many areas such as online banking systems, online shopping, e-mailing, military systems or governmental systems.
    [Show full text]
  • AWS Site-To-Site VPN User Guide AWS Site-To-Site VPN User Guide
    AWS Site-to-Site VPN User Guide AWS Site-to-Site VPN User Guide AWS Site-to-Site VPN: User Guide Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS Site-to-Site VPN User Guide Table of Contents What is Site-to-Site VPN ..................................................................................................................... 1 Concepts ................................................................................................................................... 1 Working with Site-to-Site VPN ..................................................................................................... 1 Site-to-Site VPN limitations ......................................................................................................... 2 Pricing ...................................................................................................................................... 2 How AWS Site-to-Site VPN works ........................................................................................................ 3 Site-to-Site VPN Components .....................................................................................................
    [Show full text]
  • CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 16
    CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 16 Network Security I Objectives ▪ Understand – Architecture of the Internet protocol suite (TCP/IP) ▪ CSE123 in 20mins – Common weaknesses in networking protocols – Available mitigations and their limitations Review: Internet Protocol Suite ▪ Application Layer – Examples: SMTP, FTP, SSH, HTTP, etc. ▪ Transport Layer: Port-addressed host-to-host communications (on LAN or WAN). – User Datagram Protocol (UDP): single packet transmission with no reliability or ordering mechanisms. – Transmission Control Protocol (TCP): connection establishment, reliable transmission, and flow-control. ▪ Internet Layer (IP): Fragmentation, reassembly, and end-to-end (across network boundaries) routing of data packets. – Provides a uniform interface that hides the underlying network topology. ▪ Link Layer: Transmission of data frames within a local network (without intervening routers). – Example: Ethernet ▪ Physical Layer: Transmission of raw bits (rather than logical data packets) over a physical data link connecting network nodes. – Example: 100BASE-T – [Technically not part of the Internet Protocol Model, but is still there] Review: Internet Protocol Suite https://en.wikipedia.org/wiki/Internet_protocol_suite Review: Internet Protocol Suite https://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP Protocol Stack by Example ▪ ROUGHLY, what happens when I click on a URL while UCSD’s network? My computer www.yahoo.com Application Layer (HTTP) ▪ Turn click into HTTP GET request GET http://www.yahoo.com/r/mp HTTP/1.1 Host: www.yahoo.com Connection:keep-alive … Application Layer (Name Resolution) ▪ Where is www.yahoo.com? What’s the address for www.yahoo.com My computer Oh, you can find it at 64.58.76.177 132.239.9.64 Local DNS server 132.239.51.18 Transport Layer (TCP) ▪ Break message into packets (TCP segments) ▪ Should be delivered reliably & in-order GET http://www.yahoo.com/r/mp HTTP/1.1 Host: www.yahoo.com Connection:keep-alive … 3 yahoo.c 2 p://www.
    [Show full text]