ITS Client Support Staff Meeting Sept 14, 2006

1
ITS Client Support Staff Meeting Sept 14, 2006
Yale VPN Service Architecture
2
Why use the Yale VPN?

• Protect all data sent to and from Yale (MM/SMTP).
• Relay E-Mail to Internet through Yales E-mail
  servers (use Authenticated SMTP over SSL
  instead).
• Access Internet information or services only
  available from the campus network IP range (proxy
  substitute)
• Access information and services only available on
  the campus network (including those on Yale
  private IP addresses)
• Microsoft Networking (MSRPC, File/Print sharing,
  etc.)
• Unix/Linux RPC/NFS, X Windows
• Restricted web sites, applications and remote
  console access (SSH, Remote Desktop, VNC, etc).
• Vulnerable/insecure/unencrypted protocols
  (telnet/ftp/rsh).

3
Yale Campus Network Architecture/Topology

• 2 Public Class B networks
• 128.36 Originally CS/Math/Eng Yale College
• 130.132 Most of rest of campus
• Private (RFC1918) networks
• 10 Behind firewalls, YSM wireless, YNHH
• 172.16-31 Routed on campus network
• 192.168. Anyone can use privately locally.
• Other Yale Public networks (Class C)
• 192.26.88, 192.31.2, 192.35.89, 198.125.138
  (Physics)
• YNHH Public Networks with Yale Computers
• 204.90.81, 205.167.18

4
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
5
Yale VPN Current Architecture

• Two Cisco VPN Concentrators (3030 models)
• Each has 3 100 Megabit/sec Interfaces
• Each has 200 -- 400 simultaneous users, more per
  day
• Both support PPTP IPSEC. SSL L2TP not on.
• Any Yale user with a valid NetID can use either.
• VPN.NET.YALE.EDU
• Entirely (almost) used by non-YSM users with PPTP
• VPN.MED.YALE.EDU
• Primarily used by YSM users with Cisco IPSEC
  client.
• Also used for Med School wireless VPN sessions
  (reqd).

6
VPN Technologies

• PPTP (Point-to-Point Tunneling Protocol)
• IPSEC
• L2TP
• SSL VPNs
• SSH (Secure Shell) - Poor Mans VPN
• Port forwarding, can encrypt and tunnel protocols
  (e.g. X Windows).

7
Yale VPN Supported Protocols

• PPTP
• Encrypted, but weaker than IPSEC
• MSCHAPv2 RADIUS authentication against Yale AD
• Windows 32 bit, MacOS X, Linux Palm versions
• Either tunnel all traffic to/thru Yale via VPN,
  or
• only tunnel 130.132 traffic to Yale thru VPN by
  default
• Or you can use scripts to route other networks
  to/thru Yale via the VPN tunnel (such as 128.36,
  172.16-31.).
• We will support PPTP for at least a few more
  years.

8
Yale VPN Supported Protocols

• IPSEC
• Strong encryption
• RADIUS authentication against Yale AD
• Windows 32 bit, MacOS X, Linux implementations
• PocketPC - MovianVPN (cost is 75), Palm version
  in testing
• Either tunnel all traffic to/thru Yale via VPN,
  or
• only tunnel 130.132 traffic to Yale thru VPN by
  default
• Or you can use scripts to route other networks
  to/thru Yale via the VPN tunnel (such as 128.36,
  172.16-31.).
• IPSEC will be the recommended Yale VPN protocol.

9
Yale VPN Not Currently Supported Protocols

• No plans to support either of these two
  currently.
• L2TP - Layer Two Tunneling Protocol
• Microsoft / Cisco merge of L2F and PPTP.
• Supported in Windows 2000, XP, Server 2003 RRAS.
• IPSEC would be run on top of L2TP.
• SSL - Secure Socket Layers
• clientless VPNs
• WebVPN

10
Current VPN.NET.YALE.EDU

• Interfaces
• Internal 130.132.166.33
• External 130.132.1.200
• Unused/Disabled
• IP Address Ranges
• 130.132.120.1-255
• 130.132. 44.1-255
• 130.132. 45.1-255
• 4 We should allocate one more.
• Dont hardcode IP , particularly not on Med
  wireless.

11
Current VPN.MED.YALE.EDU

• Interfaces
• Internal 172.21.89.200
• External 128.36.118.7
• Wireless 10.10.0.2
• IP Address Ranges
• 130.132.117.1-255
• 128.36.122.1-255
• 128.36.141.1-255
• 128.36.124.1-255 (reserved by not in use
  currently)
• Dont hardcode IP , particularly not on Med
  wireless.

12
Current VPN-TEST.NET.YALE.EDU

• Interfaces
• Internal 130.132.251.69
• External 130.132.1.230
• Unused/Disabled
• IP Address Ranges
• 130.132.252.33-46
• We could allocate more in an emergency.
• Dont use for production. You can use for
  testing and non-critical use. We can shut down
  any time.

13
Cisco VPN IPSEC Client
14
Cisco VPN IPSEC Client - Yale/YNHH Profiles

• YSM Global - ALL traffic from VPN client is
  routed through IPSEC tunnel to YSM VPN server.
• YSM Split - Only Yale IP Network traffic (128.36,
  130.132, 172.16-31) is tunneled to YSM VPN
  srvr.
• YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - Use for
  YSM staff to access the YNHH Network from Yale
• There are new YNHH PCF files (profiles) in
  testing.

15
Which IPSEC profile to use?

• YSM_Global - No split tunneling
• Must use when on Yale Med Wireless.
• Recommended for use when on any wireless net and
  whenever you require a higher level of security.
• When outside Yale use to access Library
  resources.

16
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Global Comcast user to YSM VPN to
www.med.yale.edu
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
17
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Global Comcast user to YSM VPN to
www.qwest.com
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
18
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Global Yale Med WiFi to YSM VPN to
www.med.yale.edu
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
19
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Global Yale Med WiFi to YSM VPN to
www.qwest.com
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
20
Which IPSEC profile to use?

• YSM_Split - Split tunneling
• Use when you need to access a local network at
  the same time as you are accessing Yale networks.
  The local network could be at home.
• When outside Yale use split tunneling if you need
  to access non-Yale Internet sites directly for
  performance connectivity reasons.

21
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Split Comcast user to YSM VPN to
www.med.yale.edu
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
22
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
Split Comcast user to YSM VPN to
www.qwest.com
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
23
Which IPSEC profile to use?

• YNHH
• You need permission to access the YNHH network.
• YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - The
  current PCF for YSM users to access the YNHH
  Network.
• There are new YNHH PCF files (profiles) in
  testing.
• There will (is) a profile for Yale users to
  access a YNHH VPN service from the Yale network
  which will be separate from a new profile for
  YNHH users to use when they are on the Internet
  and not at Yale.

24
Comcast
Cablevision
Internet2
Harvard
NoX
Internet
ATT(SBC/SNET)
Qwest
CEN
YNHHnetwork
Bifrost
Lust
YNHH-YaleFirewall
VPN.Net.Yale.EDU
VPN.Med.YALE.EDU
CentralWireless
Med Wireless
25
VPN Service Offering Changes

• One Single Virtual System Image - Convergence
• We are syncing both servers (resolving config
  diffs)
• VPN.YALE.EDU
• DNS Round Robin record
• Name switches between the IP s for VPN.MED
  VPN.NET
• Load Balancing
• Cisco VPN client can automatically split load
• Currently we could handle 1,000 VPN clients per
  VPN server -- but we may need more than 2,000 for
  pandemic planning.

26
VPN Service Offering Changes

• Profile Name Changes (proposals)
• Yale Library Resources (Global)
• Yale Med Wireless (Global)
• Yale Remote Access (Split)
• Yale with Local Access (Split)
• Two YNHH Profiles
• Yale Network to YNHH VPN
• Non-Yale Network to YNHH VPN

27
Questions?