Virtual Private Networking

Virtual private networking
Definition: A VPN utilizes public telecommunications networks to conduct private data communications. Most VPN implementations use the Internet as the public infrastructure and a variety of specialized protocols to support private communications through the Internet.

VPN follows a client and server approach. VPN clients authenticate users, encrypt data, and otherwise manage sessions with VPN servers utilizing a technique called tunneling.

VPN clients and VPN servers are typically used in these three scenarios:

    1. to support remote access to an intranet,
    2. to support connections between multiple intranets within the same organization, and
    3. to join networks between two organizations, forming an extranet.

The main benefit of a VPN is the lower cost needed to support this technology compared to alternatives like traditional leased lines or remote access servers.

VPN users typically interact with simple graphical client programs.

These applications support creating tunnels, setting configuration parameters, and connecting to and disconnecting from the VPN server. VPN solutions utilize several different network protocols including PPTP, L2TP, IPsec, and SOCKS.

VPN servers can also connect directly to other VPN servers. A VPN server-to-server connection extends the intranet or extranet to span multiple networks.

Many vendors have developed VPN hardware and software products. Some of these do not interoperate due to the immaturity of some VPN standards.

How To Set up VPN Connections in Windows XP

  1. Open the Windows Control Panel.
  2. Open the Network Connections item in Control Panel. A list of existing dial-up and LAN connections will appear.
  3. Choose the 'Create a new connection' item from the left-hand side of the window. The Windows XP New Connection Wizard will appear on the screen.
  4. First click Next to begin the wizard, then choose the 'Connect to the network at my workplace' item from the list and click Next.
  5. On the Network Connection page of the wizard, choose the 'Virtual Private Network connection' option and click Next.
  6. Enter a name for the new VPN connection in the 'Company Name' field and click Next. The name chosen need not match the name of an actual business.
  7. Choose an option on the 'Public Network' screen and click Next. The default option, 'Automatically dial this initial connection' can be used if the VPN connection will always be initiated when the computer is not already connected to the Internet. Otherwise, choose the 'Do not dial the initial connection' option. This option requires that the public Internet connection be established first, before this new VPN connection will be initiated.
  8. Enter the name or IP address of the VPN remote access server to connect to, and click Next. Company network administrators will provide this information.
  9. Choose an option on the "Connection Availability" screen and click Next. The default option, 'My Use Only,' ensures that Windows will make this new connection available only to the currently logged on user. Otherwise, choose the 'Anyone's use' option.
  10. Click Finish to complete the wizard. The new VPN connection information has been saved.
How to route an incoming VPN client back to LAN?

Most of us use the MMC to administer Windows 2000 RRAS. But what happens when you need to route an incoming VPN client back to the net and you're using NAT with private, non-routable addresses? Users of the company's VPN used complain about losing internet access while using VPN. The usual way to avoid this is to have the user go to the advanced TCP/IP properties of the VPN connection and uncheck the box that says Use default gateway on remote network.

Adding the internal interface to NAT puts an end to that issue (but does raise security concerns, so that has to be taken into consideration) and that's where the NETSHELL command can help.

If you take a look of the interfaces available under the IP routing section of the RRAS console on a Windows 2000 server, you'll generally see the NIC's listed, the loopback interface, and a card called the internal interface. That internal connection is the virtual interface that VPN clients connect to, and you'll notice that you can't add it to the NAT protocol via the GUI. Time for the command line.

Open the command prompt, type NETSH to open the NETSHELL program. Now type

Done. You'll now notice that the internal interface is listed under the NAT protocol. At this point, VPN clients can now route to the net as well as your LAN. You can configure all RRAS functions using the netsh command.

VPN tunnelling

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.

Types of VPN Tunneling

VPN supports two types of tunneling - voluntary and compulsory. Both types of tunneling are commonly used.

In voluntary tunneling, the VPN client manages connection setup.

The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.


Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model -- thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.

1 comments

Network Setup

Connecting Two Computers Directly With Cable

The traditional method to network two computers involves making a dedicated link by plugging one cable into the two systems. Several alternatives exist for networking two computers in this manner:
  • Ethernet crossover cable
  • Null modem serial cable or parallel peripheral cable
  • Special-purpose USB cables
Ethernet - Of the above choices, the Ethernet method is preferred as it supports a reliable, high-speed connection with minimal configuration required. Additionally, Ethernet technology offers the most general-purpose solution, allowing networks with more than two computers to be built fairly easily later. If one of your computers possesses an Ethernet adapter but the other has USB, an Ethernet crossover cable can still be used by first plugging a USB-to-Ethernet converter unit into the computer's USB port.
Setting up network using a hardware router/gateway/firewall device

In this scenario, you install a hardware router/gateway/firewall device, connect the public side to your cable/DSL modem, connect the private side to a hub, connect all PCs to the hub, configure all PCs for your private network.

While the costliest solution, by far the safest, most reliable, and most scalable one. Highly recommended.

Advantages:

  • All PCs are protected by firewall (indicated by the color green)
  • File sharing between PCs is safe
  • No additional ISP cost
  • Connect many PCs to home network without additional cost
  • Easy PC configuration due to DHCP server in gateway device
  • Optional additional functionality with gateway-integrated wireless access point, print server, DMZ, content filtering, and more

Connecting Two Computers Wirelessly

In recent years, wireless solutions have enjoyed increasing popularity for home networking. As with cabled solutions, several different wireless technologies exist to support basic two computer networks:
  • Wi-Fi
  • Bluetooth
  • infrared
Wi-Fi
Definition: Wi-Fi is the industry name for wireless LAN (WLAN) communication technology related to the IEEE 802.11 family of wireless networking standards.Wi-Fi connections can reach a greater distance than the wireless alternatives listed above. Many newer computers, especially laptops, now contain built-in Wi-Fi capability, making it the preferred choice in most situations. Wi-Fi can be used either with or without a network fixture. With two computers, Wi-Fi networking minus a fixture (also called ad-hoc mode) is especially simple to set up.

Bluetooth technology supports reasonably high-speed wireless connections between two computers without the need for a network fixture. Bluetooth is more commonly used when networking a computer with a consumer handheld device like a cell phone. Most desktop and older computers do not possess Bluetooth capability. Bluetooth works best if both devices are in the same room in close proximity to each other. Consider Bluetooth if you have interest in networking with handheld devices and your computers lack Wi-Fi capability.

Infrared networking existed on laptops years before either Wi-Fi or Bluetooth technologies became popular. Infrared connections only work between two computers, do not require a fixture, and are reasonably fast. Being very simple to set up and use, consider infrared if your computers support it and you lack the desire to invest effort in Wi-Fi or Bluetooth.

Setup a wireless network

Follow these four simple steps to set up a wireless network.

Step 1: Connect your wireless access points to your broadband Internet connection.

Typically, your broadband Internet connection will include a router, which allows you to share your Internet connection among the computers on your network. On a wired network, a standard router shares your Internet connection with your company computers via Ethernet cables that connect computers to the router, often via hubs or switches. On a wireless network however, the access point broadcasts the signal wirelessly to all of your computers instead of requiring them to be hardwired to your router.

To turn your wired connection into a wireless one, simply connect your wireless access point to your router and it will be ready to share your Internet connection.

Step 2: Ensure all of your computers are wirelessly equipped.

For your desktop, notebook, handheld, and tablet PCs to communicate over your wireless network, they will need to support the wireless LAN protocol called Wi-Fi (or 802.11). Many of today's business computers come fully equipped with integrated Wi-Fi, so they are ready to access your wireless network as soon as you get your access point up and running.

wifi adapter If your computers and handhelds don't have built-in Wi-Fi support, you can quickly and easily install a Wi-Fi adapter. Adapter cards slip quickly and easily into PCI slots on a desktop case or the PC card slot on a notebook, Tablet PC, or handheld and give your computer wireless access just as if it were built in.
It is important that the wireless radios on your computers are compatible with your access points. 802.11b and 802.11g are compatible technologies, so a notebook with support for 802.11b can communicate with an access point that supports 802.11g. However, 802.11a devices are only compatible with other 802.11a devices, so you can't mix and match them with 802.11b or 802.11g devices.

Once you have your access point and your computers configured, you can begin sending and receiving information over your wireless network.

Step 3: Configure the SSID on your access points and wireless computers.


Wi-Fi access points use a special value called a SSID (Service Set Identifier) to distinguish wireless networks from one another. Access points often arrive preconfigured with defaults set by the manufacturer. If you don't change these values (which are well known), it's easy for outsiders to detect and attempt to access a wireless LAN. You should always immediately reset your SSIDs following the normal rules for strong passwords (not easy to guess, mixture of letters, numbers, and other characters, and so forth). See the documentation that came with your access point and wireless card for details on how to set SSIDs on your network.

Step 4: Configure your access point and cards for maximum security.

After you have all of your hardware up and working, but before you begin using your wireless network to communicate sensitive data, be sure to carefully review the security options and configurations available to you. HP offers the latest in wireless security, including data encryption and user authentication, but it's up to you to take advantage of it. We designed our wireless products to be simple to set up, security included, so all you need to do is take a few moments to review the documentation that came with your access point to benefit from its full security support.

1 comments

Introduction to networking

Introduction to networking

Networking is the practice of linking computing devices together with hardware and software that supports data communications across these devices.

Importance of networking

Information and communication are two of the most important strategic issues for the success of every enterprise.
While today nearly every organization uses a substantial number of computers and communication tools , they are often still isolated. While managers today are able to use applications like wordprocessors or spreadsheets, not very many of them use computer-based tools to communicate with other departments or information retrieval programs.
To overcome these obstacles in an effective usage of information technology, computer networks are necessary. They are a new kind of organization of computer systems produced by the need to merge computers and communications. At the same time they are the means to converge the two areas; the unnecessary distinction between tools to process and store information and tools to collect and transport information can disappear. Computer networks can manage to put down the barriers between information held on several (not only computer) systems. Only with the help of computer networks can a borderless communication and information environment be built.

Types of networking

Computers with a wireless connection to a network also use a network card (see Advice Sheet 20 for more information on wireless networking). for example a computer network in a company's department
  • MANs (Metropolitan Area Networks),
for example a cable television network within a city
  • WANs (Wide Area Networks, Long Haul Networks),

for example an ISDN network

OSI Reference model

The Open System Interconnection (OSI) Reference Model was developed by the International Standards Organization (ISO). It is an attempt to build a framework of layers, in which various protocols in computer networking fit.

The OSI model consists of seven layers which are:

  1. The Physical Layer: transmits raw data bits over a communication channel (mostly mechanical and electrical issues)
  2. The Data Link Layer: guarantees to the network layer that there are no transmission errors by breaking the input datastream up into frames and sending back acknowledgement frames
  3. The Network Layer: controls the operation of the involved subnet; main issues are routing (determine a way from source to destination) and dealing with problems of heterogenous networks, e. g. different size requirements of transmitted data blocks
  4. The Transport Layer: splits up data from the session layer if necessary (segmentation) and ensures that the pieces arrive correctly
  5. The Session Layer: allows users on different computer systems to establish a session between them, i. e. they are able to transfer files or log into a remote system; the conditions of communication are laid down, for example full-duplex or half-duplex
  6. The Presentation Layer: unlike the layers before it is concerned with the syntax and semantics of the transmitted information; it is concerned with all aspects of information representation such as data encoding, data compression and encryption
  7. The Application Layer: contains a variety of commonly needed protocols like handling with different terminal types and file systems; a label to identify the communication process, its origin and destination application is added to the transmitted information

0 comments
Subscribe to: Comments (Atom)