Robust Industrial Data Communications – Made Easy
Network-to-Network protection
Best practices for using VPNs for easy network-to-network protection
Westermo webinar
Slide 2: Westermo group 2018
- Founded in 1975
- Industry leading software and hardware development force
- Own production in Sweden with state of the art process control
- Own sales and support units in 12 key countries, distribution partners in many others
Slide 3: Questions
- Ask questions in the chat window
- Ask questions to the ”Host”
- Questions will be answered at the end of the presentation
Slide 4: Presenters
Niklas Mörth, Product manager, Cybersecurity
Dr. Jon-Olov Vatn, Network applications expert
Topic: Network-to-Network protection
Run-time: 45 minutes + questions
A webinar recording will be provided after the session is completed.
Slide 5: Robust Industrial Data Communications – Made Easy
How to protect site-to-site communication with VPN
Dr. Jon-Olov Vatn
Slide 6: Outline
- Introduction
  - What do we mean with a VPN?
  - Network security concepts
  - VPN standards
- How to set up a site-to-site VPN
  - Preparation
  - VPN Configuration
  - Routing, NAT, Firewall, etc.
- Q&A
Slide 7: Virtual Private Network (VPN) - what is it?
- What do we mean?
  - Secure real-time communication over an insecure network (Internet)
  - Site-to-site VPN: Connect two or more sites
  - Remote access VPN: Individual hosts (PCs, etc.) connect to a central site
- Private: Enable confidentiality using encryption
- Virtual: Build a secure network over a shared intermediate network (Internet)
[Diagram: Central Office with a VPN GW (Server), Branch Office with a VPN GW (Client), and a VPN client (Road Warrior), all connected over the Internet]
Slide 8: VPN - alternate meanings
- Evolution of the old “leased line” concept
  - Private Network (leased line) => Virtual Private Network
  - Provider Provisioned VPN (PPVPN)
  - Not necessarily encrypted!
- Home usage
  - Circumvent geo-restrictions/geo-blocking
  - Circumvent censorship
[Diagram: VPN used to access a geo-blocked service]
Slide 9: Terminology and entities
- VPN Gateways
  - VPN Server Gateway (Alice)
  - VPN Client Gateway (Bob)
- Central Office and Branch Office
- Road-warriors
- “Site-to-site” or “Remote access” VPN
- Firewall
  - Part of VPN Gateway
  - External Firewall
  - Often both
- Backend authentication server (AS)
[Diagram 1, Site-to-site VPN: Alice (VPN GW Server, Central Office, with AS) and Bob (VPN GW Client, Branch Office) connected over the Internet]
[Diagram 2, Remote access VPN: Alice (VPN GW Server, Central Office, with AS) and Bob (VPN client, Road Warrior) connected over the Internet]
Slide 10: Extended topologies
- Multiple clients
  - Multiple clients can connect to the server
  - Mix site-to-site and remote access
- Redundant site-to-site
  - Multiple VPN gateways at each site
  - Dynamic routing protocols (OSPF/RIP) for automatic failover
[Diagram 1, multiple clients: Alice (Central Office) serving Bob, Charlie and Dave (Branch Offices) over the Internet]
[Diagram 2, redundant site-to-site: Alice1 and Alice2 (Central Office) paired with Bob1 and Bob2 (Branch Office) over the Internet]
Slide 11: Establishing a secure “tunnel”
- Authentication phase
  - Long term secret
    - Preshared key (symmetric), KAB
    - Certificates (asymmetric)
  - Prove identity
  - Prepare data transfer phase
    - Negotiation of cipher suite
    - Create session key (Ksession)
- Data transfer
  - Protection: Encryption (e.g. AES-128) and Integrity (e.g., SHA1)
  - Encapsulation (format/layer) of data to be protected
[Diagram: Alice and Bob each hold KAB; the Authenticated Key Exchange based on KAB yields Ksession on both sides; Data transfer (Data Protection & Encapsulation) then uses AES and SHA-1]
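The two phases drawn on this slide, as an added illustration that is not code from the webinar and not the handshake OpenVPN or IPsec actually run (those use TLS and IKE): a preshared key KAB lets Alice and Bob prove their identity to each other and derive a fresh Ksession, and the session key then protects every encapsulated packet with an HMAC-SHA1 integrity tag and a sequence number. The key value, the gateway names and the record layout are constructed for the example; the encryption half of the data-transfer phase (AES on the slide) is left out because the Python standard library has no AES, so only integrity protection is shown.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed long-term secret (KAB on the slide), known to Alice and Bob only.
K_AB = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag ("Integrity: SHA1")


def prf(key, *parts):
    """Keyed pseudo-random function: HMAC-SHA256 over length-prefixed parts,
    so different splits of the same bytes can never produce the same input."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)) + part)
    return h.digest()


class Gateway:
    """One VPN gateway: holds the long-term key, learns Ksession in phase 1."""

    def __init__(self, name, k_ab):
        self.name = name.encode()
        self.k_ab = k_ab
        self.nonce = secrets.token_bytes(16)  # fresh for every tunnel establishment
        self.k_session = None


def auth_tag(k_ab, prover, server, client, n_server, n_client):
    """Proof of knowledge of KAB, bound to the prover's identity and to both
    nonces, so it is fresh and cannot be reflected back to its sender."""
    return prf(k_ab, b"auth", prover, server, client, n_server, n_client)


def authenticated_key_exchange(server, client):
    """Phase 1 on the slide. The client (Bob) initiates; on success both sides
    hold the same Ksession, on failure neither side installs a key."""
    # Steps 1-2: identities and nonces are exchanged in the clear.
    transcript = (server.name, client.name, server.nonce, client.nonce)
    # Step 3: each side sends its proof over the transcript.
    client_proof = auth_tag(client.k_ab, client.name, *transcript)
    server_proof = auth_tag(server.k_ab, server.name, *transcript)
    # Step 4: each side recomputes the peer's proof with its own copy of KAB.
    server_ok = hmac.compare_digest(auth_tag(server.k_ab, client.name, *transcript), client_proof)
    client_ok = hmac.compare_digest(auth_tag(client.k_ab, server.name, *transcript), server_proof)
    if not (server_ok and client_ok):
        return False
    # Step 5: Ksession is derived on both sides and never transmitted.
    server.k_session = prf(server.k_ab, b"session", *transcript)
    client.k_session = prf(client.k_ab, b"session", *transcript)
    return True


def encapsulate(k_session, seq, payload):
    """Phase 2: wrap an inner packet as [seq | payload | HMAC-SHA1(seq | payload)]."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(k_session, body, hashlib.sha1).digest()


def decapsulate(k_session, record, last_seq):
    """Return (seq, payload) if the tag verifies and seq is newer than the last
    accepted one; None means the record is dropped (forged, modified or replayed)."""
    if len(record) < 4 + TAG_LEN:
        return None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_session, body, hashlib.sha1).digest(), tag):
        return None
    seq = struct.unpack(">I", body[:4])[0]
    if seq <= last_seq:
        return None
    return seq, body[4:]


if __name__ == "__main__":
    alice, bob = Gateway("alice", K_AB), Gateway("bob", K_AB)
    print("handshake ok:", authenticated_key_exchange(alice, bob))
    record = encapsulate(bob.k_session, 1, b"inner IP packet from 10.0.2.10")
    print("alice receives:", decapsulate(alice.k_session, record, 0))
    print("replay accepted:", decapsulate(alice.k_session, record, 1) is not None)
    stranger = Gateway("unknown", bytes(16))  # a peer that does not hold KAB
    print("stranger handshake ok:", authenticated_key_exchange(alice, stranger))
```

Running the file performs one handshake, passes one record through, and shows that a replayed record is refused and that a peer without KAB never obtains a session key. The point to take from it is the separation the slide draws: the long-term secret is only ever used to authenticate and derive, while the per-tunnel Ksession is what touches data.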
Slide 12: Real-time security protocols
- “Real-time” as opposed to asynchronous communication (secure email, etc.)
- WeOS supports two protocols
  - OpenVPN (SSL VPN)
  - IPsec VPN
  - Roughly equivalent service
- Encapsulation
  - OpenVPN: Layer-4 (UDP/TCP)
  - IPsec: Layer-3 (IP)
- Pros of IPsec
  - Well recognized IETF standard
  - Relatively good performance
- Pros of OpenVPN
  - Widespread platform support
  - Easier to set up (in particular if the VPN GW is placed behind a 3rd party firewall)
Slide 13: Site-to-Site VPN in a Nutshell
In this example we use OpenVPN
- Preparation
- OpenVPN configuration
- Routing
- Firewall and NAT
- Hardening of WAN interface
[Diagram, Site-to-site VPN: Alice (VPN GW Server, Central Office, with AS) and Bob (VPN GW Client, Branch Office) connected over the Internet]
Slide 14: Preparation (1/3)
- Hardware: Alice and Bob
  - WeOS units, SW-level ”Extended”, for example RFI-2xx
  - Latest WeOS 4.x release
  - Or Westermo MRD
- IP Plan: In this example we
  - Use range 10.0.0.0/16 for local networks and VPN
  - Assign 10.0.0.0/24 for the ”VPN Subnet”
  - Assign 10.0.1.0/24 to Alice and 10.0.2.0/24 to Bob
  - Plan to grow with more sites (Charlie & Dave) within the same IP range
[Diagram: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) connected over the Internet through the VPN subnet 10.0.0.0/24. IP Plan: range 10.0.0.0/16; VPN: 10.0.0.0/24; Alice: 10.0.1.0/24; Bob: 10.0.2.0/24; Charlie: 10.0.3.0/24; Dave: 10.0.4.0/24]
Slide 15: Preparation (2/3)
- Generate Certificates
  - Easy-RSA scripts (openvpn.net)
  - Your own Certificate Authority (CA)
  - Certificates and private keys
    - CA: CA certificate
    - Alice: User Certificate (Server)
    - Bob: User Certificate (Client)
  - Generate TLS-Authentication key
- Enable NTP client
  - Important to have correct time when using certificates
  - Use a local NTP server or one on the Internet
[Diagram: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) with an NTP Server on the Internet, e.g. ”pool.ntp.org”; the Easy-RSA scripts produce the CA certificate, a User Cert (Server) for Alice and a User Cert (Client) for Bob]
Slide 16: Preparation (3/3)
- Sign up for DDNS (e.g., DynDNS)
  - Bob initiates the VPN connection to Alice: ”peer alice.example.com”
  - What if Alice has a dynamic address? Alice should sign up with a DDNS provider
  - Should Bob also use DDNS?
- (Optional) RADIUS or TACACS+ Server
  - Centralized authentication of VPN clients (Bob, Charlie, Dave)
  - Alice relays the authentication handshake to the Backend Authentication Server (AS)
  - E.g., FreeRADIUS (freeradius.org)
[Diagram 1: Alice (IP=1.2.3.4) and Bob connected over the Internet, with a DDNS Server, e.g. ”DynDNS”]
[Diagram 2: Alice (10.0.1.0/24, with AS) and Bob (10.0.2.0/24) connected over the Internet]
Slide 17: OpenVPN configuration
- Mode:
  - Alice: Server
  - Bob: Client
    - Client sets peer: alice.example.com
- Authentication
  - Certificates: Upload Cert, Key, CA Cert
  - (Optional) Identity/password
- Specify Cipher Suite
  - Must be the same on Alice/Bob
  - Encryption: AES-128-CBC or better
  - Integrity: SHA1 or better
Slide 18: OpenVPN configuration: Virtual Subnet
- SSL Interface Type
  - Can be Layer-2 (MAC) or Layer-3 (IP)
  - Site-to-site: Must use Layer-2
  - (Remote-access: Layer-2 or Layer-3)
- SSL Interface IP address (ssl0)
  - Server and clients form a virtual subnet
  - Alice: set static, e.g. 10.0.0.1/24
  - Bob: set ”dynamic” or ”static”
    - Let Alice assign the address to Bob
      - Specific: CN-binding => 10.0.0.2
      - Or from pool (10.0.0.100-199)
    - Assigned as part of tunnel establishment
[Diagram: Alice (10.0.1.0/24, ssl0 10.0.0.1) and Bob (10.0.2.0/24, ssl0 10.0.0.2 or ”ssl0 dynamic”) connected over the Internet through the virtual subnet 10.0.0.0/24]
Slide 19: OpenVPN configuration: TLS Authentication
- Add a ”TLS-authentication” key
  - Extra key used during tunnel establishment (Authentication Phase)
  - Alice does not respond unless the correct key is used by the client
  - ”Stealth”
  - This limits server exposure to
    - Port scans
    - DDOS attacks
[Diagram: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) over the Internet through 10.0.0.0/24; limits exposure of Alice’s WAN interface]
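How the TLS-authentication key produces the ”stealth” behaviour described on this slide, as an added model that is not OpenVPN's or WeOS's own code: the server checks a static-key HMAC on every control-channel packet before it does any TLS work or sends any reply, so an unsigned or wrongly signed packet gets exactly the same silence a closed port would. The record layout below (tag, packet id, payload) is a simplification of OpenVPN's tls-auth framing rather than its wire format, the key bytes and source addresses are constructed, and the per-source drop counter is an addition to show what a defender would feed into monitoring.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Constructed static TLS-authentication key shared by Alice and Bob; a real one
# comes out of the key generation step in Preparation (2/3), not from this file.
TA_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2)
TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag
ID_LEN = 4                            # packet id used for replay protection


def sign_control_packet(ta_key, packet_id, payload):
    """Client side (Bob): prefix the handshake payload with a packet id and an
    HMAC-SHA1 over id + payload under the static key."""
    body = struct.pack(">I", packet_id) + payload
    return hmac.new(ta_key, body, hashlib.sha1).digest() + body


class TlsAuthGate:
    """Server side (Alice): decides whether a control-channel packet is even
    worth answering. Everything that fails is dropped without a reply."""

    def __init__(self, ta_key):
        self.ta_key = ta_key
        self.highest_id = {}   # source address -> last accepted packet id
        self.drops = Counter()  # source address -> silently dropped packets

    def admit(self, src, packet):
        """Return the handshake payload to hand to TLS, or None for a silent drop."""
        if len(packet) < TAG_LEN + ID_LEN:
            self.drops[src] += 1          # too short to carry a tag: random probe
            return None
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.ta_key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            self.drops[src] += 1          # no key, wrong key, or modified in transit
            return None
        packet_id = struct.unpack(">I", body[:ID_LEN])[0]
        if packet_id <= self.highest_id.get(src, 0):
            self.drops[src] += 1          # replay of an earlier captured packet
            return None
        self.highest_id[src] = packet_id
        return body[ID_LEN:]


if __name__ == "__main__":
    gate = TlsAuthGate(TA_KEY)
    bob_hello = sign_control_packet(TA_KEY, 1, b"TLS ClientHello")
    print("bob admitted:", gate.admit("203.0.113.7", bob_hello))      # constructed address
    print("bob replay admitted:", gate.admit("203.0.113.7", bob_hello))
    print("unsigned probe admitted:", gate.admit("198.51.100.9", b"\x00" * 40))
    print("drops per source:", dict(gate.drops))
```

The counter is the operational hook: a source that accumulates drops is either a misconfigured client missing the key or something probing the WAN interface, and the server gave neither of them a single byte of response.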
Slide 20: Routing Site-to-Site
- Alternative 1: Static routing
  - Let both Alice and Bob have a static IP on the tunnel interface (ssl0)
    - Alice 10.0.0.1
    - Bob 10.0.0.2
  - Alice sets a static route to Bob’s network: ”route 10.0.2.0 via 10.0.0.2”
  - And Bob does the same: ”route 10.0.1.0 via 10.0.0.1”
[Diagram: Alice (10.0.1.0/24, ssl0 10.0.0.1) and Bob (10.0.2.0/24, ssl0 10.0.0.2) over the Internet through 10.0.0.0/24]
Slide 21: Routing Site-to-Site
- Alternative 2: Dynamic routing
  - Alice and Bob run OSPF or RIP
  - Here Bob can get its address dynamically
  - Also supports VPN redundancy
[Diagram: Alice (10.0.1.0/24, ssl0 10.0.0.1) and Bob (10.0.2.0/24, ssl0 dynamic) over the Internet through 10.0.0.0/24]
Alice, SSL conf:
    pool 10.0.0.100-199
Alice, router rip conf:
    network vlan 1
    network ssl0
Bob, router rip conf:
    network vlan 1
    network ssl0
Slide 22: Firewall and NAT
- Firewall rules (towards WAN interface)
  - NAPT/IP Masquerading (NAT-wall)
  - Drop by default
- Firewall rules towards VPN tunnel
  - Allow traffic to flow between the local interface (vlan1) and the tunnel interface (ssl0)
- Black-hole route
  - Alice/Bob may route private traffic unencrypted towards the Internet when the VPN tunnel is down
  - Ensure data is dropped if the VPN is down
[Diagram: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) over the Internet; the same firewall and route configuration is shown on both]
IP Firewall Conf (same on Alice and Bob):
    nat type napt out vlan2 addfilter
    filter allow in vlan1 out ssl0
    filter allow in ssl0 out vlan1
IP route conf (same on Alice and Bob):
    route 10.0.0.0/16 null0 200
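Why the black-hole route on this slide (and the static routes on Slide 20) behave the way the text says, as an added routing-table model that is not WeOS code: lookup picks the longest matching prefix and, among equal prefixes, the lowest metric. While the tunnel is up, 10.0.2.0/24 via ssl0 is the most specific match; when the tunnel drops and its routes disappear, the 10.0.0.0/16 entry on null0 still beats the default route, so site-to-site traffic is discarded instead of leaving the WAN interface in the clear. The WAN interface name vlan2, the ISP next hop and the metrics of the connected and default routes are assumptions for the example; the 10.0.x.0/24 plan and the null0 entry come from the slides.

```python
import ipaddress


class Route:
    def __init__(self, prefix, iface, via=None, metric=0):
        self.prefix = ipaddress.ip_network(prefix)
        self.iface = iface    # outgoing interface; "null0" means discard
        self.via = via        # next hop, None for directly connected prefixes
        self.metric = metric  # tie-breaker between routes of equal prefix length


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, iface, via=None, metric=0):
        self.routes.append(Route(prefix, iface, via, metric))

    def remove_interface(self, iface):
        """An interface went down: every route over it disappears, which is what
        happens to the ssl0 routes when the VPN tunnel is not established."""
        self.routes = [r for r in self.routes if r.iface != iface]

    def lookup(self, dst):
        """Longest prefix match; lowest metric wins among equal prefix lengths."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def alice_table(tunnel_up):
    """Alice's table as configured on Slides 20 and 22."""
    t = RoutingTable()
    t.add("10.0.1.0/24", "vlan1")                    # Alice's own LAN, connected
    t.add("0.0.0.0/0", "vlan2", via="192.0.2.1")     # default route to the ISP (constructed next hop)
    t.add("10.0.0.0/16", "null0", metric=200)        # "route 10.0.0.0/16 null0 200"
    if tunnel_up:
        t.add("10.0.0.0/24", "ssl0")                 # virtual subnet, connected via the tunnel
        t.add("10.0.2.0/24", "ssl0", via="10.0.0.2")  # "route 10.0.2.0 via 10.0.0.2"
    return t


def egress(tunnel_up, dst):
    """Interface a packet from Alice's LAN to dst leaves on; "null0" means dropped."""
    route = alice_table(tunnel_up).lookup(dst)
    return route.iface if route else None


if __name__ == "__main__":
    for up in (True, False):
        print("tunnel up" if up else "tunnel down")
        for dst in ("10.0.2.15", "10.0.3.1", "93.184.216.34"):
            print(f"  {dst:>14} -> {egress(up, dst)}")
    # Without the black hole, the same packet would take the default route:
    t = alice_table(False)
    t.remove_interface("null0")
    print("tunnel down, no black hole:", t.lookup("10.0.2.15").iface)
```

The metric 200 is what keeps the black hole harmless once dynamic routing is in play (Slide 21): a RIP- or OSPF-learned route for the same /16 would carry a lower metric and win, while the null0 entry only catches what nobody else claims.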
Slide 23: Hardening
- WAN interface on Internet
  - Limit exposure on WAN interface
  - Consider an external FW
- On WAN interface, disable
  - All remote management (perhaps except SSH/HTTPS)
  - Access to DNS port (firewall filter)
  - LLDP
- Other general good practices (good ”admin” password, disable unused services, etc.)
[Diagram: Alice (10.0.1.0/24) and Bob (10.0.2.0/24) over the Internet; the same configuration is shown on both]
IP Firewall Conf:
    filter deny in vlan2 proto udp dport 53
    filter deny in vlan2 proto tcp dport 53
Iface vlan2 Conf:
    no management
(Allow ssh/https for remote mgmt?)
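A small evaluator for the filter lines on this slide and on Slide 22, added here so a rule set can be checked against sample packets before it is committed to a gateway; it is not WeOS code. The grammar it accepts ("filter allow|deny in IFACE [out IFACE] [proto udp|tcp] [dport N]") is inferred from the slide lines only, first match wins, and anything no rule matches is dropped, following ”Drop by default”; the NAT line is outside its scope. The packets are constructed.

```python
FILTER_KEYS = {"in": "in_if", "out": "out_if", "proto": "proto", "dport": "dport"}


def parse_filter(line):
    """Turn one 'filter ...' line into a dict of match fields plus the action."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "filter" or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"not a filter rule: {line!r}")
    rule = {"action": tokens[1]}
    if len(tokens) % 2 != 0:
        raise ValueError(f"dangling keyword in: {line!r}")
    for key, value in zip(tokens[2::2], tokens[3::2]):
        if key not in FILTER_KEYS:
            raise ValueError(f"unknown keyword {key!r} in: {line!r}")
        rule[FILTER_KEYS[key]] = int(value) if key == "dport" else value
    return rule


def parse_filters(text):
    return [parse_filter(line) for line in text.splitlines() if line.strip()]


def matches(rule, pkt):
    """Every field the rule names must equal the packet's field; fields the rule
    omits are wildcards, fields the packet lacks never match a named field."""
    return all(pkt.get(field) == value for field, value in rule.items() if field != "action")


def decide(rules, pkt, default="deny"):
    """First matching rule decides; with none matching, the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


# The slides' rules for Alice: WAN (vlan2) DNS blocked, LAN (vlan1) <-> tunnel (ssl0) allowed.
ALICE_FILTERS = parse_filters("""
filter deny in vlan2 proto udp dport 53
filter deny in vlan2 proto tcp dport 53
filter allow in vlan1 out ssl0
filter allow in ssl0 out vlan1
""")


def wan_exposure(rules, ports=(22, 53, 80, 443, 1194), wan_if="vlan2"):
    """Which WAN-facing TCP ports the rule set would let in (constructed probe list)."""
    return [p for p in ports
            if decide(rules, {"in_if": wan_if, "proto": "tcp", "dport": p}) == "allow"]


if __name__ == "__main__":
    samples = [
        {"in_if": "vlan1", "out_if": "ssl0", "proto": "tcp", "dport": 502},   # LAN -> tunnel
        {"in_if": "ssl0", "out_if": "vlan1", "proto": "udp", "dport": 161},   # tunnel -> LAN
        {"in_if": "vlan2", "proto": "udp", "dport": 53},                      # DNS at WAN
        {"in_if": "vlan2", "proto": "tcp", "dport": 22},                      # SSH at WAN
    ]
    for pkt in samples:
        print(pkt, "->", decide(ALICE_FILTERS, pkt))
    print("WAN ports reachable:", wan_exposure(ALICE_FILTERS))
```

The last function answers the slide's own question: with this rule set and drop-by-default, SSH and HTTPS on the WAN side stay closed until an explicit allow line is added for them, which is the decision the slide leaves to the operator.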
Slide 24: Done!
Slide 25: WeConnect – Easy VPN management
WeConnect delivers easy to use and reliable connections to industrial equipment
- Made Easy: WeConnect does not require IT experts to deploy, maintain or use
- Reliable: WeConnect is powered by highly robust and reliable Amazon servers in three locations world-wide
- Secure: Every user gets their own virtual server secured by sophisticated encryption techniques
Slide 26: Fundamentals of
- Network-to-Network protection, 5th December at 9.00 & 15.00 CET
  - Best practices for using VPNs for easy network-to-network protection
- Network segmentation, 20th February 2019 at 9.00 & 15.00 CET
  - Divide your network into different zones to strengthen your security defense
- Perimeter protection (TBA)
  - Protect your industrial network from unsolicited requests
- Spoofing protection (TBA)
  - Defend your network from unauthorized devices
Slide 27: Thank you for attending!
- An email will be sent to you including
  - Playback link to the Webinar recording
  - Contact information for your local Westermo dealer
Next webinar: February 20th, 2019, Network Segmentation: Divide your network into different zones to strengthen your security defense
Slide 28: Creating the World’s Most Robust Networks
