Title: ITS Client Support Staff Meeting Sept 14, 2006
Slide 1: ITS Client Support Staff Meeting Sept 14, 2006
Yale VPN Service Architecture
Slide 2: Why use the Yale VPN?
- Protect all data sent to and from Yale (MM/SMTP).
- Relay E-Mail to the Internet through Yale's E-mail servers (use Authenticated SMTP over SSL instead).
- Access Internet information or services only available from the campus network IP range (proxy substitute).
- Access information and services only available on the campus network (including those on Yale private IP addresses):
  - Microsoft Networking (MSRPC, File/Print sharing, etc.)
  - Unix/Linux RPC/NFS, X Windows
  - Restricted web sites, applications and remote console access (SSH, Remote Desktop, VNC, etc.)
  - Vulnerable/insecure/unencrypted protocols (telnet/ftp/rsh).
Slide 3: Yale Campus Network Architecture/Topology
- 2 Public Class B networks
  - 128.36: originally CS/Math/Eng, Yale College
  - 130.132: most of the rest of campus
- Private (RFC1918) networks
  - 10: behind firewalls, YSM wireless, YNHH
  - 172.16-31: routed on the campus network
  - 192.168: anyone can use privately, locally
- Other Yale Public networks (Class C)
  - 192.26.88, 192.31.2, 192.35.89, 198.125.138 (Physics)
- YNHH Public Networks with Yale Computers
  - 204.90.81, 205.167.18
Slide 4: [Network topology diagram with the labels: Comcast, Cablevision, Internet2, Harvard, NoX, Internet, ATT(SBC/SNET), Qwest, CEN, YNHH network, Bifrost, Lust, YNHH-Yale Firewall, VPN.Net.Yale.EDU, VPN.Med.YALE.EDU, Central Wireless, Med Wireless.]
Slide 5: Yale VPN Current Architecture
- Two Cisco VPN Concentrators (3030 models)
  - Each has three 100 Megabit/sec interfaces.
  - Each has 200 to 400 simultaneous users, more per day.
  - Both support PPTP and IPSEC; SSL and L2TP are not turned on.
  - Any Yale user with a valid NetID can use either.
- VPN.NET.YALE.EDU
  - Entirely (almost) used by non-YSM users with PPTP.
- VPN.MED.YALE.EDU
  - Primarily used by YSM users with the Cisco IPSEC client.
  - Also used for Med School wireless VPN sessions (required).
Slide 6: VPN Technologies
- PPTP (Point-to-Point Tunneling Protocol)
- IPSEC
- L2TP
- SSL VPNs
- SSH (Secure Shell): the "poor man's VPN"
  - Port forwarding can encrypt and tunnel protocols (e.g. X Windows).
Slide 7: Yale VPN Supported Protocols
- PPTP
  - Encrypted, but weaker than IPSEC.
  - MSCHAPv2 RADIUS authentication against Yale AD.
  - Windows 32-bit, MacOS X, Linux, Palm versions.
  - Either tunnel all traffic to/through Yale via the VPN, or
  - only tunnel 130.132 traffic to Yale through the VPN (the default),
  - or use scripts to route other networks to/through Yale via the VPN tunnel (such as 128.36, 172.16-31).
  - We will support PPTP for at least a few more years.
Slide 8: Yale VPN Supported Protocols
- IPSEC
  - Strong encryption.
  - RADIUS authentication against Yale AD.
  - Windows 32-bit, MacOS X, Linux implementations.
  - PocketPC: MovianVPN (cost is 75); Palm version in testing.
  - Either tunnel all traffic to/through Yale via the VPN, or
  - only tunnel 130.132 traffic to Yale through the VPN (the default),
  - or use scripts to route other networks to/through Yale via the VPN tunnel (such as 128.36, 172.16-31).
  - IPSEC will be the recommended Yale VPN protocol.
Slide 9: Yale VPN Not Currently Supported Protocols
- No plans to support either of these two currently.
- L2TP (Layer Two Tunneling Protocol)
  - Microsoft / Cisco merge of L2F and PPTP.
  - Supported in Windows 2000, XP, Server 2003 RRAS.
  - IPSEC would be run on top of L2TP.
- SSL (Secure Socket Layers)
  - Clientless VPNs
  - WebVPN
Slide 10: Current VPN.NET.YALE.EDU
- Interfaces
  - Internal 130.132.166.33
  - External 130.132.1.200
  - Unused/Disabled
- IP Address Ranges
  - 130.132.120.1-255
  - 130.132.44.1-255
  - 130.132.45.1-255
  - (4) We should allocate one more.
- Don't hardcode IPs, particularly not on Med wireless.
Slide 11: Current VPN.MED.YALE.EDU
- Interfaces
  - Internal 172.21.89.200
  - External 128.36.118.7
  - Wireless 10.10.0.2
- IP Address Ranges
  - 130.132.117.1-255
  - 128.36.122.1-255
  - 128.36.141.1-255
  - 128.36.124.1-255 (reserved but not in use currently)
- Don't hardcode IPs, particularly not on Med wireless.
Slide 12: Current VPN-TEST.NET.YALE.EDU
- Interfaces
  - Internal 130.132.251.69
  - External 130.132.1.230
  - Unused/Disabled
- IP Address Ranges
  - 130.132.252.33-46
  - We could allocate more in an emergency.
- Don't use for production. You can use it for testing and non-critical use. We can shut it down at any time.
Slide 13: Cisco VPN IPSEC Client
Slide 14: Cisco VPN IPSEC Client - Yale/YNHH Profiles
- YSM Global: ALL traffic from the VPN client is routed through the IPSEC tunnel to the YSM VPN server.
- YSM Split: only Yale IP network traffic (128.36, 130.132, 172.16-31) is tunneled to the YSM VPN server.
- YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network: used by YSM staff to access the YNHH Network from Yale.
- There are new YNHH PCF files (profiles) in testing.
Slide 15: Which IPSEC profile to use?
- YSM_Global: no split tunneling
  - Must be used when on Yale Med Wireless.
  - Recommended for use when on any wireless net and whenever you require a higher level of security.
  - When outside Yale, use it to access Library resources.
Slide 16: [Diagram: traffic path "Global Comcast user to YSM VPN to www.med.yale.edu", drawn on the same topology diagram as slide 4 (Comcast, Cablevision, Internet2, Harvard, NoX, Internet, ATT(SBC/SNET), Qwest, CEN, YNHH network, Bifrost, Lust, YNHH-Yale Firewall, VPN.Net.Yale.EDU, VPN.Med.YALE.EDU, Central Wireless, Med Wireless).]
Slide 17: [Diagram: traffic path "Global Comcast user to YSM VPN to www.qwest.com", drawn on the same topology diagram as slide 4.]
Slide 18: [Diagram: traffic path "Global Yale Med WiFi to YSM VPN to www.med.yale.edu", drawn on the same topology diagram as slide 4.]
Slide 19: [Diagram: traffic path "Global Yale Med WiFi to YSM VPN to www.qwest.com", drawn on the same topology diagram as slide 4.]
Slide 20: Which IPSEC profile to use?
- YSM_Split: split tunneling
  - Use it when you need to access a local network at the same time as you are accessing Yale networks. The local network could be at home.
  - When outside Yale, use split tunneling if you need to access non-Yale Internet sites directly for performance or connectivity reasons.
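The tunneling rules from slides 7, 8, 14, 15 and 20 as a small routing model (an added example, not code from the Yale VPN service or the Cisco client; the profile names, helper functions and the local-LAN check are this example's own, the address ranges are the ones the slides list, and 203.0.113.0/24 is a documentation range used as a constructed non-Yale destination):

```python
# Added example: models which destinations each Yale VPN profile sends through
# the tunnel. Ranges are from the slides; profile names and helpers are ours.
from ipaddress import ip_address, ip_network

YALE_PUBLIC = [ip_network("128.36.0.0/16"), ip_network("130.132.0.0/16")]
YALE_PRIVATE_ROUTED = [ip_network("172.16.0.0/12")]   # 172.16-31, routed on campus

# None means "tunnel everything" (YSM Global, no split tunneling).
# YSM Split tunnels only the Yale ranges; PPTP by default tunnels only 130.132
# unless a route script adds further networks (slide 7).
PROFILES = {
    "YSM_Global": None,
    "YSM_Split": YALE_PUBLIC + YALE_PRIVATE_ROUTED,
    "PPTP_default": [ip_network("130.132.0.0/16")],
}


def tunnelled_networks(profile, extra_routes=()):
    """Networks routed through the VPN for this profile, or None for all."""
    base = PROFILES[profile]
    if base is None:
        return None
    return list(base) + [ip_network(r) for r in extra_routes]


def via_tunnel(profile, dst, extra_routes=()):
    """True if traffic to dst leaves through the VPN tunnel under this profile."""
    nets = tunnelled_networks(profile, extra_routes)
    if nets is None:
        return True
    addr = ip_address(dst)
    return any(addr in n for n in nets)


def local_network_exposed(profile, local_net):
    """Split-tunnel caveat from slide 15/20: with split tunneling the client's
    local LAN (e.g. a home network) stays reachable outside the tunnel, which is
    why Global is required on Med Wireless and recommended on any wireless net."""
    nets = tunnelled_networks(profile)
    if nets is None:
        return False                      # Global: nothing bypasses the tunnel
    local = ip_network(local_net)
    return not any(local.subnet_of(n) for n in nets)
```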
Slide 21: [Diagram: traffic path "Split Comcast user to YSM VPN to www.med.yale.edu", drawn on the same topology diagram as slide 4.]
Slide 22: [Diagram: traffic path "Split Comcast user to YSM VPN to www.qwest.com", drawn on the same topology diagram as slide 4.]
Slide 23: Which IPSEC profile to use?
- YNHH
  - You need permission to access the YNHH network.
  - YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network: the current PCF for YSM users to access the YNHH Network.
  - There are new YNHH PCF files (profiles) in testing.
  - There will be (is) a profile for Yale users to access a YNHH VPN service from the Yale network, which will be separate from a new profile for YNHH users to use when they are on the Internet and not at Yale.
Slide 24: [Diagram: the same topology diagram as slide 4, with no traffic path highlighted.]
Slide 25: VPN Service Offering Changes
- One Single Virtual System Image (Convergence)
  - We are syncing both servers (resolving config diffs).
- VPN.YALE.EDU
  - DNS Round Robin record.
  - The name switches between the IPs for VPN.MED and VPN.NET.
- Load Balancing
  - The Cisco VPN client can automatically split the load.
  - Currently we could handle 1,000 VPN clients per VPN server, but we may need more than 2,000 for pandemic planning.
Slide 26: VPN Service Offering Changes
- Profile Name Changes (proposals)
  - Yale Library Resources (Global)
  - Yale Med Wireless (Global)
  - Yale Remote Access (Split)
  - Yale with Local Access (Split)
- Two YNHH Profiles
  - Yale Network to YNHH VPN
  - Non-Yale Network to YNHH VPN
Slide 27: Questions?