Configuring VPN and Remote Access with Small Business Server 2003
5 May 2005 - 10:30
Agenda
- VPN Basics
- Protecting network communications: encryption overview
- Comparing VPNs: Client-to-LAN, LAN-to-LAN
- VPN in detail: tunneling protocol, authentication, encryption
- Windows Small Business Server 2003 technologies for Client-to-LAN VPN
- Live Demo...
What is a VPN?
From the Windows Server 2003 site:
"Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet."
http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx
What problems do we have with network communication that uses public connectivity such as the Internet?
- Network monitoring
- Data modification
- Identity spoofing
- Man-in-the-middle
- Password-based attacks
The solution: encrypting the transmitted data
- Encrypts data at the Application Layer: SSL, TLS
- Encrypts data at the Network Layer: tunneling protocol, IPSec
(Figure: Encrypted IP Packet)
Virtual Private Networks (VPN): an application of encryption technologies
VPN Basics
- An encryption technology
- A tunneling method/protocol
- A connection and transport mode (Client-to-LAN, LAN-to-LAN)
- A set of definitions for: IP addressing, authentication, authorization, auditing
Cryptography
Encryption keys & algorithms: a very old technology
(Figure: Encrypted IP Packet)
Encryption Keys

Key type     Description
Symmetric    The same key is used to encrypt and decrypt the data.
             Protects data from interception.
Asymmetric   Consists of a public key and a private key.
             The private key is protected and confidential; the public key can be freely distributed.
             If the private key is used to encrypt data, that data can be decrypted only with the
             corresponding public key, and vice versa.
Uses of encryption
- implements confidentiality of communications
- provides techniques for authenticating the parties to the communication
Symmetric Encryption
(Figure: Original Data -> Cipher Text -> Original Data)
Symmetric encryption:
- uses the same key to encrypt and decrypt
- is often referred to as bulk encryption
- is inherently vulnerable because of the "shared secret" concept: the key is shared
Uses of symmetric encryption
- encryption of transmission channels
- simplicity
- performance
- session-key management in secure protocols: SSL, Kerberos, ...
Asymmetric (Public Key) Encryption
Requirement | Process
1. The recipient's public key is retrieved
2. The data is encrypted with a symmetric key
3. The symmetric key is encrypted with the recipient's public key
4. The encrypted symmetric key and encrypted data are sent to the recipient
5. The recipient decrypts the symmetric key with her private key
6. The data is decrypted with the symmetric key
Uses of asymmetric encryption
- Confidentiality of communications (PK encryption), often together with symmetric session keys
- Identification of the endpoints (parties) of the communication (PK authentication)
- More complex algorithms
- Less efficient than symmetric encryption
- For open use, requires distribution/publication of the public keys
Public Key Encryption
1. Data: Alice encrypts the message with Bob's public key (3A78)
2. The encrypted message is sent over the network
3. Bob decrypts the message with Bob's private key (Data)
Public Key Authentication
1. Alice signs the message with her private key (~*~*~*~)
2. The message is sent over the network
3. Bob validates that the message is from Alice with Alice's public key
From theory to practice...
VPN Client-to-LAN: connecting remote users to a corporate network
(Figure: Remote User - Internet - VPN Tunnel - VPN Server - Corporate Network)
VPN LAN-to-LAN: connecting remote networks to a local network
(Figure: Remote Network - VPN Server - Internet - VPN Tunnel - VPN Server - Local Network)
Comparing VPNs: LAN-to-LAN
- uses appliances/servers that manage the VPN communication and act as gateways between the two networks
- encryption is applied only to the communication between the gateways (tunnel endpoints)
- symmetric "shared-key" encryption
- IP addressing: must be designed
Comparing VPNs: Client-to-LAN
- a typical one (gateway/access point) to many (clients) connection
- encryption is applied to the communication between the gateway and N clients
- "shared-key" encryption is not adequate (the key would have to be distributed to N places!)
- can use PPP-based protocols (PPTP, L2TP)
- using IPsec requires asymmetric encryption techniques (PKI, certificates, ...)
- IP addressing: simple and integrated
Virtual Private Network Protocols
(Figure: Client - Internet (PPTP or L2TP) - Server)
PPTP*:
- Internetwork must be IP based
- No header compression
- No tunnel authentication
- Built-in PPP encryption
L2TP**:
- Internetwork can be IP, Frame Relay, X.25, or ATM based
- Header compression
- Tunnel authentication
- Uses IPSec encryption
*PPTP: RFC 2637 - **L2TP: RFC 2661
Selecting a Tunneling Protocol

Features                                     PPTP   L2TP/IPSec   IPSec Tunnel Mode
Support for NAT                              X
User Authentication                          X      X
Machine Authentication                              X            X
Multi-Protocol Support                       X      X            X
Stronger Security                                   X            X
Support for Non-Windows 2000-based Clients   X
Authentication Protocols
- Standard Authentication Protocols
- Extensible Authentication Protocols

Standard Authentication Protocols

Protocol    Security   Use when
PAP         Low        The client and server cannot negotiate using more secure validation
SPAP        Medium     Connecting a Shiva LANRover and Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
CHAP        High       You have clients that are not running Microsoft operating systems
MS-CHAP     High       You have clients running Windows NT version 4.0 and later, or Microsoft Windows 95 and later
MS-CHAPv2   High       You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
Authentication: Extensible Authentication Protocols
- Allows the client and server to negotiate the authentication method that they will use
- Supports authentication by using MD5-CHAP, Transport Layer Security (TLS), PEAP, smartcard, ...
- Ensures support of future authentication methods through an API
Encryption Protocols
Encryption levels available in the dial-in (remote access policy) profile:
- Members of this group dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
- Members of this group dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption
- Members of this group dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption
Windows Small Business Server 2003: VPN setup & configuration
To Do List
VPN Client-to-LAN
(Figure: VPN Client - Windows Small Business Server (VPN Server))
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server checks the directory to authenticate and authorize the caller
4. VPN server transfers data
Recommended deployment architecture
(Figure: Internet - Router (ISP) - SBS)
- public network (e.g. 193.205.245.24/29)
- public network (with NAT) (e.g. 192.168.0.0/24)
- private network 192.168.16.0/24 (.2)
- xDSL, fibre optic, ISDN...
- azienda.local
SBS is (also) a Firewall!!! Position it as such in the network.
Windows Small Business Server Remote Access Wizard
This wizard provides on-screen instructions for configuring your server for:
- VPN connections
- Dial-up connections
- Both VPN and dial-up connections
After clicking Finish, the wizard:
- Configures the server according to your selected settings
- Creates the Client Connection Manager configuration file
- Configures the remote access policy to allow members of the Mobile Users group to use remote access
RASW - Client config (RWW) - RRAS configuration overview
Security and control
- Remote Access Account Lockout (KB816118)
- Authorizing VPN connections (dial-in)
- Remote access policy profile packet filtering
- Accounting, auditing, and monitoring
References and resources
- Technical resources for Windows Small Business Server 2003: http://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.mspx
- MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business: http://www.microsoft.com/traincert/syllabi/2395AFinal.asp
- Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business: http://www.microsoft.com/learning/exams/70-282.asp

References and resources
- Virtual Private Networks for Windows Server 2003: http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx
- https://msevents-eu.microsoft.com/cui/WelcomePage.aspx?Event...
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.