Configurare VPN e Accesso Configurare VPN e Accesso remoto con Small Business remoto con Small Business

Server 2003Server 2003

5 maggio 2005 - 10:305 maggio 2005 - 10:30

AgendaAgenda VPN BasicsVPN Basics

La protezione delle comunicazioni di reteLa protezione delle comunicazioni di rete Encryption overviewEncryption overview

VPN a confrontoVPN a confronto Client-to-LANClient-to-LAN LAN-to-LANLAN-to-LAN

VPN in dettaglioVPN in dettaglio tunneling protocoltunneling protocol authenticationauthentication encryptionencryption

Le tecnologie di Windows Small Business Le tecnologie di Windows Small Business Server 2003 per VPN Client-to-LANServer 2003 per VPN Client-to-LAN

Live Demo...Live Demo...

Che cosa è una VPN ?Che cosa è una VPN ?

Dal sito di Windows Server 2003Dal sito di Windows Server 2003

““Microsoft defines a virtual private Microsoft defines a virtual private network as the extension of a network as the extension of a

private network that encompasses private network that encompasses links across shared or public links across shared or public networks like the Internet.”networks like the Internet.”

http://www.microsoft.com/windowsserver2003/thttp://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspxechinfo/overview/vpnfaq.mspx

Quali problemi abbiamo con una Quali problemi abbiamo con una comunicazione di rete che usa comunicazione di rete che usa connettività pubblica come Internet?connettività pubblica come Internet?

NetworkNetworkMonitoringMonitoringNetworkNetwork

MonitoringMonitoring

DataDataModificationModification

DataDataModificationModification

IdentityIdentitySpoofingSpoofingIdentityIdentity

SpoofingSpoofingMan-in-Man-in-

the-Middlethe-MiddleMan-in-Man-in-

the-Middlethe-Middle

Password-Password-basedbased

Password-Password-basedbased

Encrypts Data at the Encrypts Data at the ApplicationApplication Layer Layer SSLSSL TLSTLS

Encrypts Data at the Encrypts Data at the NetworkNetwork Layer Layer Tunneling ProtocolTunneling Protocol IPSecIPSec

La soluzione: la cifratura dei dati La soluzione: la cifratura dei dati trasmessitrasmessi

Encrypted IP Packet

Virtual Private Networks Virtual Private Networks (VPN)(VPN)

una applicazione delle una applicazione delle tecnologie di encryptiontecnologie di encryption

VPN BasicsVPN Basics

Una tecnologia di encryptionUna tecnologia di encryption Un metodo/protocollo di TunnelingUn metodo/protocollo di Tunneling Una modalità di connessione e trasportoUna modalità di connessione e trasporto

(Client-to-LAN, LAN-to-LAN)(Client-to-LAN, LAN-to-LAN) Un insieme di definizioni perUn insieme di definizioni per

IP AddressingIP Addressing AuthenticationAuthentication AuthorizationAuthorization AuditingAuditing

CrittografiaCrittografia

Encryption Keys & AlgorithmsEncryption Keys & Algorithms

Una tecnologia molto anticaUna tecnologia molto antica

Encrypted IP Packet

Encryption KeysEncryption Keys

Key typeKey type DescriptionDescription

SymmetricSymmetric

La stessa chiave è usata per cifrare e decifrare i La stessa chiave è usata per cifrare e decifrare i datidati

Protegge i dati dall’intercettazioneProtegge i dati dall’intercettazione

AsymmetricAsymmetric

Consiste in una chiave pubblica e una privataConsiste in una chiave pubblica e una privata

La chiave privata è protetta e confidenziale, la La chiave privata è protetta e confidenziale, la chiave pubblica è liberamente distribuibilechiave pubblica è liberamente distribuibile

Se viene usata la chiave privata per cifrare dei Se viene usata la chiave privata per cifrare dei dati, gli stessi possono essere decifrati dati, gli stessi possono essere decifrati esclusivamente con la corrispondente chiave esclusivamente con la corrispondente chiave pubblica, e vice versapubblica, e vice versa

Utilizzi dell’encryptionUtilizzi dell’encryption

implementa la riservatezza delle implementa la riservatezza delle comunicazionicomunicazioni

fornisce delle tecniche per realizzare fornisce delle tecniche per realizzare l’autenticazione dei soggetti della l’autenticazione dei soggetti della comunicazionecomunicazione

Symmetric EncryptionSymmetric Encryption

Original DataOriginal Data Cipher TextCipher Text Original DataOriginal Data

Symmetric encryption:Symmetric encryption:

Usa la stessa chiave per cifrare e decifrare

E’ spesso referenziata come bulk encryption

E’ intrinsicamente vulnerabile per il concetto di “Shared secret”: la chiave è condivisa

Usa la stessa chiave per cifrare e decifrare

E’ spesso referenziata come bulk encryption

E’ intrinsicamente vulnerabile per il concetto di “Shared secret”: la chiave è condivisa

Utilizzi della symmetric encryptionUtilizzi della symmetric encryption

Cifratura dei canali di trasmissioneCifratura dei canali di trasmissione SemplicitàSemplicità PrestazioniPrestazioni Gestione delle session-key dei protocolli Gestione delle session-key dei protocolli

sicurisicuri SSLSSL KerberosKerberos ......

Asymmetric (Public Key) EncryptionAsymmetric (Public Key) Encryption

RequirementRequirement ProcessProcess

1.1. The recipient’s public key is retrievedThe recipient’s public key is retrieved

2.2. The data is encrypted with a symmetric The data is encrypted with a symmetric keykey

3.3. The symmetric key is encrypted with the The symmetric key is encrypted with the recipient’s public keyrecipient’s public key

4.4. The encrypted symmetric key and The encrypted symmetric key and encrypted data are sent to the recipientencrypted data are sent to the recipient

5.5. The recipient decrypts the symmetric The recipient decrypts the symmetric key with her private keykey with her private key

6.6. The data is decrypted with the The data is decrypted with the symmetric keysymmetric key

Utilizzi della Asymmetric encryptionUtilizzi della Asymmetric encryption

Riservatezza delle comunicazioni (PK Riservatezza delle comunicazioni (PK Encryption)Encryption) spesso in congiunzione con session key spesso in congiunzione con session key

simmetrichesimmetriche

Identificazione degli estremi (soggetti) Identificazione degli estremi (soggetti) della comunicazione (PK Authentication)della comunicazione (PK Authentication)

Algoritmi più complessiAlgoritmi più complessi Meno efficente della symmetricMeno efficente della symmetric Per un uso libero richiede la Per un uso libero richiede la

distribuzione/pubblicazione delle chiavi distribuzione/pubblicazione delle chiavi pubblichepubbliche

Public Key EncryptionPublic Key Encryption

Encrypted Message is Sent Over NetworkEncrypted Message is Sent Over Network

2222

3A783A78Alice Encrypts Message with Bob’s Public Key.

Alice Encrypts Message with Bob’s Public Key.

1111DataData

3A783A78

Bob Decrypts Message with Bob’s Private Key.Bob Decrypts Message with Bob’s Private Key.

3333

Data

Public Key AuthenticationPublic Key Authentication

Message is Sent Over NetworkMessage is Sent Over Network

2222

~*~*~*~~*~*~*~Alice Signs Message with Her Private Key.Alice Signs Message with Her Private Key.

1111

~*~*~*~

~*~*~*~~*~*~*~

Bob Validates Message is From Alice with Alice’s Public Key.Bob Validates Message is From Alice with Alice’s Public Key.

3333

Dalla teoria alla pratica...Dalla teoria alla pratica...

VPN Client-to-LAN:VPN Client-to-LAN:Connecting Remote Users to a Corporate Connecting Remote Users to a Corporate NetworkNetwork

VPN Tunnel

VPN ServerComputer

Remote UserRemote User

InternetInternet

Corporate NetworkCorporate Network

VPN LAN-to-LAN:VPN LAN-to-LAN:Connecting Remote Networks to a Local Connecting Remote Networks to a Local NetworkNetwork

VPN Tunnel

VPN ServerComputer

Remote NetworkRemote Network

InternetInternet

Local NetworkLocal Network

VPN ServerComputer

VPN a confronto: VPN a confronto: LAN-to-LANLAN-to-LAN prevede l’utilizzo di apparati/server che prevede l’utilizzo di apparati/server che

gestiscono la comunicazione vpn e fanno gestiscono la comunicazione vpn e fanno da gateway tra le due retida gateway tra le due reti

encryption applicata solo nelle encryption applicata solo nelle comunicazioni tra i gateway (tunnel-comunicazioni tra i gateway (tunnel-endpoint)endpoint)

encryption simmetrica di tipo “Shared-Key”encryption simmetrica di tipo “Shared-Key” IP Addressing IP Addressing progettare progettare

VPN a confronto: Client-to-LANVPN a confronto: Client-to-LAN

è una tipica connessione uno (gateway/Access è una tipica connessione uno (gateway/Access Point) a molti (Client)Point) a molti (Client)

encryption applicata nelle comunicazioni tra il encryption applicata nelle comunicazioni tra il gateway ed N clientgateway ed N client

encryption di tipo “Shared-Key” non adeguata encryption di tipo “Shared-Key” non adeguata (distribuzione della chiave in N posti!)(distribuzione della chiave in N posti!)

può usare protocolli PPP-based (PPTP, L2TP)può usare protocolli PPP-based (PPTP, L2TP) per usare IPsec richiede tecniche di Asymmetric per usare IPsec richiede tecniche di Asymmetric

encryption (PKI, certificati, ...)encryption (PKI, certificati, ...) IP Addressing IP Addressing semplice ed integrato semplice ed integrato

Virtual Private Network Virtual Private Network ProtocolsProtocols

Client Server

PPTP*PPTP*

Internetwork Must Be IP BasedInternetwork Must Be IP Based

No Header CompressionNo Header Compression

No Tunnel AuthenticationNo Tunnel Authentication

Built-in PPP EncryptionBuilt-in PPP Encryption

L2TP**L2TP**

Internetwork Can Be IP, Frame Relay, X.25, or ATM Based

Internetwork Can Be IP, Frame Relay, X.25, or ATM Based

Header CompressionHeader Compression

Tunnel AuthenticationTunnel Authentication

Uses IPSec EncryptionUses IPSec Encryption

InternetInternet

PPTP or L2TP

*PPTP: rfc 2637 - **L2TP: rfc 2661

Selecting a Tunneling ProtocolSelecting a Tunneling Protocol

FeaturesFeaturesFeaturesFeaturesTunneling ProtocolTunneling Protocol

L2TP/L2TP/ IPSecIPSec

PPTPPPTP IPSecIPSec Tunnel Mode Tunnel Mode

Support for NAT XX

User Authentication XX XX

Machine Authentication XX XX

Multi-Protocol Support XX XX XX

Stronger Security XX XXSupport for Non–Windows 2000–based Clients XX

Authentication ProtocolsAuthentication Protocols

Standard Authentication ProtocolsStandard Authentication ProtocolsExtensible Authentication ProtocolsExtensible Authentication Protocols

Standard Authentication Standard Authentication ProtocolsProtocols

ProtocolProtocolProtocolProtocol SecuritySecuritySecuritySecurity

PAPPAP LowLow

SPAPSPAP MediumMedium

CHAPCHAP HighHigh

MS-CHAPMS-CHAP HighHigh

Use whenUse whenUse whenUse when

The client and server cannot negotiate using more secure validationThe client and server cannot negotiate using more secure validation

Connecting a Shiva LANRover and Windows 2000–based client or a Shiva client and a Windows 2000–based remote access server

Connecting a Shiva LANRover and Windows 2000–based client or a Shiva client and a Windows 2000–based remote access server

You have clients that are not running Microsoft operating systemsYou have clients that are not running Microsoft operating systems

You have clients running Windows NT version 4.0 and later or, Microsoft Windows 95 and later

You have clients running Windows NT version 4.0 and later or, Microsoft Windows 95 and later

MS-CHAPv2

MS-CHAPv2 HighHigh

You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98

You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98

AuthenticationAuthentication

Extensible Authentication ProtocolsExtensible Authentication Protocols

Allows the Client and Server to Negotiate the Allows the Client and Server to Negotiate the Authentication Method That They Will UseAuthentication Method That They Will Use

Supports Authentication by UsingSupports Authentication by Using MD5-CHAPMD5-CHAP Transport Layer Security (TLS)Transport Layer Security (TLS) PEAP, Smartcard, ...PEAP, Smartcard, ...

Ensures Support of Future Authentication Methods Ensures Support of Future Authentication Methods Through an APIThrough an API

Encryption ProtocolsEncryption Protocols

Members of this group dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data

encryption

Members of this group dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data

encryption

Members of this group dial-in profile can use IPSec 56-bit

DES or MPPE 56-bit data encryption

Members of this group dial-in profile can use IPSec 56-bit

DES or MPPE 56-bit data encryption

Members of this group dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit

data encryption

Members of this group dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit

data encryption

Windows Small Business Windows Small Business Server 2003Server 2003

VPN setup & configurationVPN setup & configuration

To Do ListTo Do List

VPN Client-to-LANVPN Client-to-LAN

VPN Client

A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link

A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link

33 VPN server checks the directory to authenticate and authorize the caller

VPN server checks the directory to authenticate and authorize the caller

22 VPN server answers the callVPN server answers the call 44 VPN server transfers

data VPN server transfers data

VPN client calls the VPN serverVPN client calls the VPN server11

Windows Small Business ServerWindows Small Business Server

VPN Server

Architettura di deployment Architettura di deployment consigliataconsigliata

Internet

InternetRouter(ISP) SBS

rete pubblica(es: 193.205.245.24/29)

rete privata192.168.16.0/24

.2

xDSLFibra ottica

ISDN...

rete pubblica (con NAT)(es: 192.168.0.0/24)

azienda.local

SBS è (anche) un F i r e w a l l ! ! !Posizioniamolo come tale nella rete

Windows Small Business Server Windows Small Business Server Remote Access WizardRemote Access Wizard

This wizard provides on-screen instructions for configuring your server for:This wizard provides on-screen instructions for configuring your server for:

VPN connections

Dial-up connections

Both VPN and dial-up connections

VPN connections

Dial-up connections

Both VPN and dial-up connections

After clicking Finish, the wizard:After clicking Finish, the wizard:

Configures the server according to your selected settings

Creates the Client Connection Manager configuration file

Configures the remote access policy to allow members of the Mobile Users group to use remote access

Configures the server according to your selected settings

Creates the Client Connection Manager configuration file

Configures the remote access policy to allow members of the Mobile Users group to use remote access

RASWRASW Client config (RWW)Client config (RWW) RRAS configuration overviewRRAS configuration overview

Sicurezza e controlloSicurezza e controllo

Remote Access Account Lockout Remote Access Account Lockout (KB816118)(KB816118)

Authorizing VPN Connections (Dial-in)Authorizing VPN Connections (Dial-in) Remote Access Policy Profile Packet Remote Access Policy Profile Packet

FilteringFiltering Accounting, Auditing, and MonitoringAccounting, Auditing, and Monitoring

Riferimenti e risorseRiferimenti e risorse

Risorse tecniche per Windows Small Business Risorse tecniche per Windows Small Business Server 2003Server 2003http://www.microsoft.com/italy/windowsserver2003/sbs/techihttp://www.microsoft.com/italy/windowsserver2003/sbs/techinfo/default.mspxnfo/default.mspx

MOC Course 2395: Design, Deploy, and Manage a MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium BusinessNetwork Solution for a Small and Medium Businesshttp://www.microsoft.com/traincert/syllabi/2395AFinal.asphttp://www.microsoft.com/traincert/syllabi/2395AFinal.asp

Exam 70-282: Design, Deploy, and Manage a Exam 70-282: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Network Solution for a Small- and Medium-Sized BusinessBusinesshttp://www.microsoft.com/learning/exams/70-282.asphttp://www.microsoft.com/learning/exams/70-282.asp

Riferimenti e risorseRiferimenti e risorse

Virtual Private Networks for Windows Server 2003Virtual Private Networks for Windows Server 2003http://www.microsoft.com/windowsserver2003/technologies/nhttp://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspxetworking/vpn/default.mspx

Virtual Private Networking with Windows Server Virtual Private Networking with Windows Server

2003: Deploying Remote Access VPNs2003: Deploying Remote Access VPNshttp://www.microsoft.com/technet/prodtechnol/windowsserverhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx2003/technologies/networking/vpndeplr.mspx

Virtual Private Networking with Windows Server Virtual Private Networking with Windows Server

2003: Deploying Site-to-Site VPNs2003: Deploying Site-to-Site VPNshttp://www.microsoft.com/technet/prodtechnol/windowsserverhttp://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx2003/technologies/networking/vpndpls2.mspx

https://msevents-https://msevents-eu.microsoft.com/cui/eu.microsoft.com/cui/WelcomePage.aspx?Event...WelcomePage.aspx?Event...

© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.