
Virtual Private Networks


Virtual Private Networks Consultant Team

Does your organization have more than one office or a partner located halfway around the world? The Computer Repair Tech2go Virtual Private Network team has spearheaded the integration of VPNs since 2002. Our Virtual Private Networks consultant team has inter-connected numerous organizations with heterogeneous Microsoft, Mac and Linux networks spanning branch offices, telecommuters, partners and global clients.

The promise of Virtual Private Networks is here

Secure network communications between all branches and remote users without long distance charges or leased lines.

Whether you lean towards a Cisco VPN solution, or positioning the end point of your VPN outside your firewall, inside your firewall, or on the firewall, Computer Repair Tech2go Virtual Private networks consultant team can help you build a rationale and make the right decision. In addition to strict VPN architecture challenges, our VPN consultant team can consult with you on integration of strong authentication, and PKI solutions into your network security infrastructure to make one truly seamless Virtual Private Network.

Finally, when hiring the CRT2GO Virtual Private Networks consultant team, keep in mind that you are hiring cost-effective proprietary remote set-up tools and the ability to manage and execute VPN deployments through our worldwide implementation partner network.

Small businesses and larger organizations alike can benefit from our Virtual Private Networks consulting expertise

Find out how inexpensively a VPN can tie your locations and users together. Call (800-280-9733).


VPN FAQ Technical Issues

The Amavor Central Support VPN consultant team has compiled this VPN FAQ to help you answer the most basic technical questions. Whatever solution you eventually choose, and given the complexity of the issues involved, we strongly recommend that you work with a VPN consultant or VPN consulting firm, and humbly invite you to contact our VPN consultant team for specific VPN questions or for a FREE ON-SITE EVALUATION.

Technical Questions

What is PPP?

PPP stands for Point-to-Point Protocol, a method of connecting a computer to the Internet. PPP is more stable than the older SLIP protocol and provides error checking features. Depending on the specific type, PPP may include the following features: demand-dial, redial, scripting, load sharing, packet filtering, header compression, IP routing and even tunneling.

What is PPTP?

PPTP stands for Point-to-Point Tunneling Protocol. It's a tunneling protocol designed to encapsulate the LAN protocols IPX and AppleTalk within IP, for transmission across the Internet or other IP-based networks. Originally developed by a consortium of major network players (Microsoft, Ascend, 3Com, ECI Telemetric and U.S. Robotics) as a generic encapsulation mechanism, with security features added later rather than built in from the ground up, proprietary PPTP systems have flourished, but Microsoft's remains the most widely implemented version. Flawed by numerous security concerns, PPTP is nowhere near providing the safety and privacy level required for a VPN. Hence the emergence of protocols like RADIUS that can use PPTP to provide a gateway to NT domain security while not solely relying on it for flawed security functions such as key encryption.

What is MPPE?

MPPE stands for Microsoft Point-To-Point Encryption Protocol. As the name implies, MPPE is an end-to-end encryption scheme representing Point-to-Point Protocol (PPP) packets in an encrypted form. The functioning is rather simple: a client negotiates PPP with the ultimate tunnel terminator to initiate an encrypted session. PPP packets are then encrypted using the MPPE protocol prior to injection into the PPTP tunnel. Because the encrypted tunnel is end-to-end, interim tunnel switches do not have the ability to decrypt the packets. MPPE supports the standard PPTP included in Microsoft Dial-Up Networking with integrated encryption. A 40-bit version of MPPE is included with Windows 95 and Windows NT; a 128-bit version is also available.

What is MPPC?

MPPC stands for Microsoft Point-To-Point Compression Protocol. The MPPC algorithm is designed to optimize processor utilization and bandwidth utilization in order to support a large number of simultaneous connections. The MPPC algorithm is optimized to work efficiently in typical PPP scenarios (1500 byte MTU, etc.). It uses an LZ-based algorithm with a sliding window history buffer, keeping a continuous history so that after 8192 bytes of data have been transmitted compressed there are always 8192 bytes of history to use for compressing, except when the history is flushed.

What is IPSec?

IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer, and has seen tremendous growth and widespread deployment with the advent of VPNs. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.

How does IPsec relate to VPNs?

IPSec is an evolving standard for secure private communications over the Internet: a set of protocols developed by the IETF to support secure exchange of packets at the IP layer, with the Transport and Tunnel modes and the ISAKMP/Oakley key exchange described under "What is IPSec?" above.

Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing but may be spoofed or altered in what are known as "man-in-the-middle" attacks; the payload consists of information which may be confidential to a particular organization.

IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload. The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or the headers and payload of the original packet.

What is NAT?

NAT stands for Network Address Translation. It is an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations. NAT provides a basic type of firewall by hiding internal IP addresses, therefore enabling a company to use more internal IP addresses. It also allows a company to combine multiple ISDN connections into a single Internet connection for bandwidth improvement and connection redundancy.

Is IPSec compatible with NAT?

One common identifying characteristic used for VPN gateway devices is external IP addresses. If the two VPN gateways exchange signed certificates that bind each gateway's identity to its IP address, NAT address rewriting will cause IKE negotiation to fail. NAT is basically incompatible with Authentication Header (AH) protocol, whether used in transport or tunnel mode. An IPSec VPN using AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. Why this bothers NAT is the last part: a NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered for nefarious purposes.

Some vendors now provide IPSec clients that allow connections through NAT. This is usually termed "IPSec over UDP". This may be somewhat less secure than true IPSec. Native IPSec requires that there be no change to the headers, and NAT obviously breaks that rule. But IPSec over UDP addresses a very practical concern: many users of broadband Internet access are starting to be required by their ISPs to use NAT. PPTP seems to depend on whose NAT you are passing through. It seems to work fine going through some firewalls, while others do not appear to work at all when NAT'ing to a single routable IP address (overloading/PAT'ing).
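The AH-versus-NAT failure described above, as an added illustration that is not code from the page or from any VPN vendor: a simplified AH-style integrity check covering the addresses and payload fails once a NAT box rewrites the source address, while an ESP-over-UDP style check that covers only the encapsulated packet still verifies. The key, addresses and payload are constructed for the demo, and HMAC-SHA256 truncated to 96 bits stands in for a real AH/ESP integrity algorithm.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key standing in for the keys an IKE negotiation would derive.
SA_KEY = b"constructed-demo-key-not-a-real-sa"

def ah_icv(src: str, dst: str, payload: bytes, key: bytes = SA_KEY) -> bytes:
    """AH-style integrity check value: covers the immutable IP header fields
    (modelled here as just the addresses) plus the payload."""
    covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]  # 96-bit truncated ICV

def ah_verify(pkt: dict, key: bytes = SA_KEY) -> bool:
    """Receiver recomputes the ICV over the packet it actually received."""
    expected = ah_icv(pkt["src"], pkt["dst"], pkt["payload"], key)
    return hmac.compare_digest(expected, pkt["icv"])

def esp_icv(esp_packet: bytes, key: bytes = SA_KEY) -> bytes:
    """ESP-over-UDP (NAT traversal) style ICV: covers only the ESP packet carried
    inside UDP, not the outer IP header that NAT is free to rewrite."""
    return hmac.new(key, esp_packet, hashlib.sha256).digest()[:12]

def nat_rewrite_source(pkt: dict, public_ip: str) -> dict:
    """Model a NAT box replacing the private source address with its own."""
    return {**pkt, "src": public_ip}

def demo() -> tuple:
    payload = b"constructed branch-office traffic"
    ah = {"src": "192.168.1.10", "dst": "203.0.113.5", "payload": payload}
    ah["icv"] = ah_icv(ah["src"], ah["dst"], ah["payload"])
    ok_ah_direct = ah_verify(ah)                                           # no NAT in path
    ok_ah_after_nat = ah_verify(nat_rewrite_source(ah, "198.51.100.1"))   # header altered

    esp = {"src": "192.168.1.10", "dst": "203.0.113.5", "esp": b"\x00" * 8 + payload}
    esp["icv"] = esp_icv(esp["esp"])
    esp_nat = nat_rewrite_source(esp, "198.51.100.1")
    ok_esp_after_nat = hmac.compare_digest(esp_icv(esp_nat["esp"]), esp_nat["icv"])
    return ok_ah_direct, ok_ah_after_nat, ok_esp_after_nat

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The receiving gateway has no way to tell a NAT rewrite from tampering, which is exactly why it rejects the packet.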

How does RADIUS work?

RADIUS stands for Remote Access Dial-In User Service. Though not an official standard but rather a specification maintained by the IETF, it's commonly accepted as an Internet standard protocol providing a central point of administration for users on a large number of remote access servers and other devices. For IT managers, the main attraction of RADIUS is that it allows them to simplify administration of user authentication by maintaining a centralized database of access rights. Used by many Internet Service Providers, RADIUS performs user authentication, authorization and accounting for computers on a network. For instance, when you dial in to an ISP and enter your username and password, often this information is actually passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system.

While RADIUS servers track a user's log-on and log-off information, it has been hard to correlate that data across multiple RASes because there has been no simple way to extract and compare just that portion of a much larger RADIUS accounting database. IT managers who wanted to use the information for other purposes, such as tracking usage patterns to aid in planning equipment upgrades, needed to write customized programs. Within the last year, several RAS companies have taken steps to change this situation. They introduced software that takes the usage information from a RADIUS database and links it with business processes such as customer billing and network trend analysis. Some vendors marry the information in a RADIUS database to security features of their own products to give a manager more targeted access control. For instance, this allows a manager to combine user authentication information in a RADIUS database with a caller ID feature in a RAS to offer a call-blocking feature. The remote access server determines the phone number from which a user has dialed into the company. If that number does not match the authorized numbers in RADIUS for which that user is allowed to dial in from, the call is automatically blocked.
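The step where the username and password are "passed to a RADIUS server" goes a little beyond the page: as an added example (not code from the page or from any RADIUS product), this implements the RFC 2865 section 5.2 User-Password hiding that a remote access server applies before the credential crosses the network, and the inverse the RADIUS server performs. The password, shared secret and Request Authenticator values are constructed; the point for a defender is that the hiding is only as strong as the shared secret configured on each RAS.

```python
import hashlib
import os

def _blocks(data: bytes) -> list:
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous ciphertext block). The first block is chained
    to the 16-octet Request Authenticator carried in the Access-Request header."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for block in _blocks(padded):
        pad = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(block, pad))  # ciphertext block feeds the next pad
        out += prev
    return out

def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation performed by the RADIUS server before checking the credential."""
    out, prev = b"", request_authenticator
    for block in _blocks(hidden):
        pad = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def round_trip(password: bytes, secret: bytes, wrong_secret: bytes) -> tuple:
    """Returns (recovered with the right secret?, recovered with a wrong secret?, hidden length)."""
    authenticator = os.urandom(16)  # fresh per request, as the RAS would generate it
    hidden = hide_user_password(password, secret, authenticator)
    return (
        reveal_user_password(hidden, secret, authenticator) == password,
        reveal_user_password(hidden, wrong_secret, authenticator) == password,
        len(hidden),
    )

if __name__ == "__main__":
    print(round_trip(b"constructed-passw0rd", b"constructed-shared-secret", b"other-secret"))
```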

What is AAA?

As far as VPNs are concerned, AAA stands for Authentication, Authorization, and Accounting. Those three functions are the key to intelligently controlling access, enforcing policies, auditing usage, and providing the information necessary to do billing for services available on the Internet.

Authentication is the process of determining who the user is. It can take the form of assuring that data has come from its claimed source, or of corroborating the claimed identity of a communicating party. Authorization is the process of enforcing policies - of determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization is in the context of authentication; once you have authenticated a user, they may be authorized different types of access or activity. Accounting is the tracking of which services are used, by whom, when, and for how long. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

How does VPN integrate with Firewalls?

Most corporate networks have included a firewall prior to deploying a VPN. Whether the VPN tunnel should be terminated on the firewall or directly on the private network depends on your security requirements and network architecture. Typical configurations for remote access-enabled VPNs include parallel firewall/VPN and VPN-behind-firewall setups. Ending the VPN tunnel in front of firewall devices is less popular, while combination devices are developing rapidly and may soon prove to be the best solution overall. As always, each implementation has its benefits and drawbacks:

VPN/Firewall parallel setup

Although the easiest to implement, this setup creates a secondary gateway to your private network. VPN products with blocking features will stop unauthorized traffic and minimize security risks. Depending on your network setup, NAT-capable devices may be required, as the VPN must redirect traffic based on its content.

VPN-behind-firewall

To implement this configuration you must ensure that your firewall will let VPN connections go through using traffic filtering methods. In some cases you may not be able to use the multiple Ethernet interfaces that most VPN devices provide. Known as One-Arm Routing, this setup is definitely more secure but also demands a smart-enough firewall, while overall bandwidth and performance may not be optimal.

Firewall-behind-VPN

This setup basically terminates the secure connection on the public part of the network, letting groups of IP addresses pass through a hole intended for them. This can give greater flexibility in terms of controlling final destination and access to data, although many VPN products have this capability as well. This setup is intended more for partner/supplier secure communications rather than for remote access users.

Combined Firewall/VPN

Some VPN products can process encryption while enforcing security policies typically taken care of by firewalls. But although hardware-based devices relying on ASIC chips and hardened operating systems can centralize all network security services in one appliance, there is a price for this simplified system, potentially in terms of upfront costs and often in performance and capabilities. In other words, while this may be a good solution for emergency, small or geographically mobile setups, combination devices cannot yet fit all needs: high-traffic networks and intensive applications will benefit more from a parallel approach. But keep an eye on solutions such as Check Point's or NetScreen's, which are slowly bridging the gap between dedicated and combination devices.