132 Networking: A Beginner's Guide

corporate LAN. Even for users who don't have DSL or cable modems available in their area, ISDN is usually an option from the local telephone company. (ISDN and DSL technology are discussed in more detail in Chapter 7.) Remote users using DSL or cable modems are "hard-wired" to a particular ISP for their connection, so they need to use a virtual private networking approach to connect to the LAN. ISDN users, on the other hand, have the choice of connecting either to an ISDN-capable ISP or to ISDN "modems" hosted on the LAN. Through a process called bonding, ISDN users can achieve speeds up to 128 Kbps, although this consumes two B-channels (and doubles the call charges!). Still, such speeds are better than the 33.6 Kbps that you can otherwise achieve through a modem.

Virtual Private Networks

A virtual private network (VPN) is a network link formed through the Internet between a remote user connected to an ISP and the company LAN. A VPN connection is carried over a shared or public network, which is almost always the Internet. VPNs use sophisticated packet encryption and other technologies, so the link from the user to the LAN is secure even though it may be carried over a public network. VPN connections cost much less than dedicated connections, such as the WAN technologies discussed in Chapter 7, because they take advantage of the cost efficiencies of the Internet without compromising security. VPN solutions range from simple ones that can be implemented on a Windows server essentially for free, using the Remote Access Service (RAS) included with Windows NT Server or the equivalent Routing and Remote Access Service (RRAS) in Windows 2000 Server or later, to stand-alone specialized VPN routers that can support hundreds of users. Figure 10-6 shows how a VPN connection works.
VPN connections are used in two important ways:

• To form WAN connections using VPN technology between two networks that might be thousands of miles apart but that each have some way of accessing the Internet

• To form remote access connections that enable remote users to access the LAN through the Internet

The emphasis in this chapter is on remote access, but it's important to know that VPNs support WAN connections in much the same way as they support a remote access connection. The main difference for a WAN VPN connection is that it connects two networks together, rather than a user and a network, and it typically relies on different hardware than a remote access connection uses. A WAN VPN connection takes advantage of the existing Internet connection for both LANs and might run virtually 24 hours a day. A remote access connection, on the other hand, is usually formed when needed and uses less expensive hardware on the remote side, such as a dialup modem or perhaps a higher-speed Internet connection, such as xDSL, ISDN, or cable modem.

133 Chapter 10: Connections from Afar: Remote Network Access

TIP In some circumstances, a VPN might even be an appropriate way to segregate users in a single location from other users, by using the company's intranet to host the VPN tunnel. Such a scheme might be appropriate, for example, if one group of users accesses data that is so sensitive that it must be separated from the rest of the company in some fashion. In such cases, the sensitive network can be separated from the corporate LAN, except for a firewall that allows VPN connections from the sensitive LAN to the corporate LAN, but not vice versa. This configuration would still allow users on the sensitive LAN to access general corporate network services.

A VPN connection has several requirements:

• Both sides of the VPN connection must be connected to the Internet, usually using the Point-to-Point Protocol (PPP). (Other public or private networks can also carry VPNs, but this discussion will stick with the Internet because it's the most frequently used network for this purpose.)

• Both sides must have a networking protocol in common. This protocol is usually TCP/IP, but it can also be IPX, NetBEUI, or AppleTalk.

• Both sides must establish a tunnel through their existing PPP connections, through which their data packets will pass. The tunnel is formed using a tunneling protocol.

• Both sides must agree on an encryption technique to use with the data traversing the tunnel. A variety of different encryption techniques are available.

Figure 10-6. A typical VPN connection

So, both sides of a VPN connection must be running compatible VPN software using compatible protocols. For a remote access VPN solution, the software you install depends on the VPN itself. Dedicated VPN solutions also sell client software that you can distribute to your users. Usually, this software carries a per-copy charge, typically around $25 to $50 per remote computer supported. (Some VPNs include unlimited client licenses, but the VPN is licensed to accept only a certain number of connections at a time.) If you are using a Windows server with the RRAS service on the server, and some version of Windows 95 or later on the remote computer, you can take advantage of the VPN software included for free with those network operating systems. However, this software must still be set up on each client computer.

VPN Protocols

The three most popular tunneling protocols used for VPNs are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec). PPTP is a Microsoft-designed protocol that can handle IP, IPX, NetBEUI, and AppleTalk packets. PPTP is included with Windows, starting with Windows 95, and is also supported by Windows RRAS (a free upgrade to RAS) and by later versions of Windows servers.
For a Windows-oriented network, PPTP is the way to go. L2TP is a newer protocol that is an Internet Engineering Task Force standard. It will probably become the most widely supported tunneling protocol because it operates at layer 2 of the OSI model and thus can handle all layer 3 protocols, such as IP, IPX, and AppleTalk. IPSec, while probably the most secure tunneling protocol, seems to be most popular for LAN-to-LAN VPNs and for UNIX-oriented VPNs, due to its reliance on IP. IPSec is a layer 3 protocol and is limited to handling only IP traffic.

TIP While IPSec works only with IP packets, an L2TP VPN can also carry the resulting IPSec packets, because they can be handled like the other major layer 3 packets, such as IP, IPX, and AppleTalk packets.

Types of VPNs

Four major types of VPNs are in use today. One type uses a router with added VPN capabilities. VPN routers not only can handle normal routing duties, but they can also be configured to form VPNs over the Internet to other similar routers located on remote networks. This method is used to create VPN WAN links over the Internet, usually between multiple company locations.

Another major type of VPN is one built into a firewall device. Most popular firewalls, such as Check Point's Firewall-1 or WatchGuard's Firebox, serve not only as firewall devices but also as VPN hosts. Firewall VPNs can be used both to support remote users and to provide WAN VPN links. The benefit of using a firewall-based VPN is that you can administer your network's security, including both standard firewall security and VPN security, entirely within the firewall. For example, you could configure the firewall to allow connections to the network only when they are made as part of a valid VPN connection.

The third major type of VPN includes those offered as part of a network operating system. The best examples of this type are Windows RRAS and Novell's BorderManager software. These VPNs are most often used to support remote access, and they are generally the least expensive to purchase and install.

The fourth major type is the SSL VPN, a relatively new category. This is actually my overall favorite for remote access support. An SSL VPN takes advantage of the Secure Sockets Layer (SSL) encryption technology built into most web browsers to offer VPN services through the web browser. SSL is the same technology used to encrypt information in web pages that use the https:// prefix, such as shopping or online banking web sites. SSL VPNs bring a number of attractive benefits to supporting remote access:

• No client software needs to be installed on the remote computer, except usually for an ActiveX or Java add-in that installs into the browser automatically.

• There is essentially no configuration or management required on the remote system. This is an important point, because most VPN client software is very difficult to support.

• Provided the users know the web address of the SSL VPN server and have the correct information to authenticate (log in) to the system, they can log in from almost any Internet-connected computer in the world and access a wide range of network services through simple web pages.

• Because many common functions, such as file management, can be performed using web pages, SSL VPNs work much better over lower-bandwidth connections than other VPN alternatives. HTML was designed to be stingy in its use of network bandwidth, so many tasks that are slow over a traditional VPN connection are much faster with an SSL VPN.

• Most SSL VPNs, in addition to their web-based access features, also allow the user to start a remote node connection on demand; this remote node connection runs using browser plug-ins that install and configure themselves automatically.
SSL VPNs are typically offered as an appliance, a rack-mountable piece of equipment that contains all of the hardware and software needed to run the VPN. This gives rise to the only real drawback to SSL VPNs: they are still fairly expensive for smaller companies, with the smallest configurations starting at $8,000 to $10,000 to support up to 100 simultaneous users. Still, even if you need to support only 20 to 30 remote users, you may find this to be a small price to pay to reduce the administrative burden of a traditional VPN, which is often considerable.

At the time of this writing, there are a number of SSL VPN vendors. The pioneer in this space is the NetScreen product family from Juniper Networks (which acquired a product originally launched by a company called Neoteris, which pioneered SSL VPNs). Another leader is the FirePass line of products from F5 Networks. AEP Networks, SonicWALL, and Nokia are some other firms that offer SSL VPNs. Since this product area is evolving rapidly, you should conduct a careful search for products that meet your needs.

To give you an idea of how an SSL VPN looks to a remote access user, some screens of a demo version of F5 Networks' FirePass 4000 are shown in this section.

Figure 10-7. An SSL VPN login screen
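To make the layer 2 versus layer 3 distinction from the VPN Protocols section concrete, here is an added example, not code from the book, that models simplified PPTP, L2TP, and IPsec ESP framing in Python and checks which layer 3 protocols each tunnel can carry. The PPP protocol numbers, GRE protocol type and header layouts are the standard ones; encryption, the ESP trailer and PPTP's control channel are left out, and the packet contents are constructed rather than captured.

```python
# Added example, not from the book: simplified PPTP / L2TP / IPsec ESP framing
# (no encryption, ESP trailer or PPTP control channel), to show why the
# layer 2 tunnels carry any layer 3 protocol while IPsec carries IP only.
import struct

# PPP protocol-field numbers for the layer 3 protocols the chapter names
# (NetBEUI travels over PPP as NetBIOS Frames, protocol 0x003F).
PPP_PROTO = {"IP": 0x0021, "IPX": 0x002B, "AppleTalk": 0x0029,
             "NetBEUI": 0x003F}
GRE_PROTO_PPP = 0x880B  # GRE protocol type for PPP (PPTP data path)
L2TP_UDP_PORT = 1701    # L2TP runs over UDP port 1701

def ppp_frame(proto_name, payload):
    """Wrap a layer 3 packet in a PPP frame: 2-byte protocol field + data."""
    if proto_name not in PPP_PROTO:
        raise ValueError(f"no PPP protocol number for {proto_name}")
    return struct.pack("!H", PPP_PROTO[proto_name]) + payload

def pptp_encapsulate(proto_name, payload, call_id=1):
    """PPTP: enhanced GRE header (K flag, version 1, protocol, payload
    length, call ID) carrying a PPP frame. Any PPP-framed protocol fits."""
    ppp = ppp_frame(proto_name, payload)
    gre = struct.pack("!HHHH", 0x2001, GRE_PROTO_PPP, len(ppp), call_id)
    return gre + ppp

def l2tp_encapsulate(proto_name, payload, tunnel_id=1, session_id=1):
    """L2TP: UDP/1701 header, L2TP data header (T=0, Ver=2), PPP frame."""
    ppp = ppp_frame(proto_name, payload)
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id)
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT,
                      8 + len(l2tp) + len(ppp), 0)  # length, checksum 0
    return udp + l2tp + ppp

def ipsec_esp_encapsulate(proto_name, payload, spi=0x1234, seq=1):
    """IPsec ESP (tunnel mode): SPI + sequence number + inner IP packet.
    ESP is itself IP protocol 50; with no PPP layer, only IP fits inside."""
    if proto_name != "IP":
        raise ValueError("IPsec is a layer 3 protocol; it carries IP only")
    return struct.pack("!II", spi, seq) + payload

TUNNELS = {"PPTP": pptp_encapsulate, "L2TP": l2tp_encapsulate,
           "IPsec ESP": ipsec_esp_encapsulate}

def can_carry(tunnel_name, proto_name):
    """True if the named tunnel can carry the named layer 3 protocol."""
    try:
        TUNNELS[tunnel_name](proto_name, b"\x00")
        return True
    except ValueError:
        return False
```

The chapter's TIP follows from the same model: an ESP packet is just an IP packet to the PPP layer, so `l2tp_encapsulate("IP", ipsec_esp_encapsulate("IP", inner))` builds L2TP carrying IPsec.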