ITS Client Support Staff Meeting Sept 14, 2006 - PowerPoint PPT Presentation

Slides: 28
Provided by: rogervd
1
ITS Client Support Staff Meeting Sept 14, 2006
Yale VPN Service Architecture
2
Why use the Yale VPN?
  • Protect all data sent to and from Yale (MM/SMTP).
  • Relay E-Mail to the Internet through Yale's E-mail
    servers (use Authenticated SMTP over SSL
    instead).
  • Access Internet information or services only
    available from the campus network IP range (proxy
    substitute)
  • Access information and services only available on
    the campus network (including those on Yale
    private IP addresses)
  • Microsoft Networking (MSRPC, File/Print sharing,
    etc.)
  • Unix/Linux RPC/NFS, X Windows
  • Restricted web sites, applications and remote
    console access (SSH, Remote Desktop, VNC, etc).
  • Vulnerable/insecure/unencrypted protocols
    (telnet/ftp/rsh).

3
Yale Campus Network Architecture/Topology
  • 2 Public Class B networks
  • 128.36: originally CS/Math/Eng and Yale College
  • 130.132: most of the rest of campus
  • Private (RFC1918) networks
  • 10.x.x.x: behind firewalls, YSM wireless, YNHH
  • 172.16-31.x.x: routed on the campus network
  • 192.168.x.x: anyone can use privately/locally
  • Other Yale Public networks (Class C)
  • 192.26.88, 192.31.2, 192.35.89, 198.125.138
    (Physics)
  • YNHH Public Networks with Yale Computers
  • 204.90.81, 205.167.18

4
[Network diagram: Yale connectivity. External networks: Comcast, Cablevision, Internet, Internet2, NoX, Harvard, ATT (SBC/SNET), Qwest, CEN. Other labelled nodes: YNHH network, Bifrost, Lust, YNHH-Yale Firewall, VPN.Net.Yale.EDU, VPN.Med.YALE.EDU, Central Wireless, Med Wireless.]
5
Yale VPN Current Architecture
  • Two Cisco VPN Concentrators (3030 models)
  • Each has three 100 Megabit/sec interfaces
  • Each has 200 -- 400 simultaneous users, more per
    day
  • Both support PPTP and IPSEC; SSL and L2TP are not
    enabled.
  • Any Yale user with a valid NetID can use either.
  • VPN.NET.YALE.EDU
  • Entirely (almost) used by non-YSM users with PPTP
  • VPN.MED.YALE.EDU
  • Primarily used by YSM users with the Cisco IPSEC
    client.
  • Also used for Med School wireless VPN sessions
    (required).

6
VPN Technologies
  • PPTP (Point-to-Point Tunneling Protocol)
  • IPSEC
  • L2TP
  • SSL VPNs
  • SSH (Secure Shell) - Poor Man's VPN
  • Port forwarding, can encrypt and tunnel protocols
    (e.g. X Windows).

7
Yale VPN Supported Protocols
  • PPTP
  • Encrypted, but weaker than IPSEC
  • MSCHAPv2 RADIUS authentication against Yale AD
  • Windows 32-bit, MacOS X, Linux and Palm versions
  • Either tunnel all traffic to/thru Yale via the VPN,
    or only tunnel 130.132 traffic to Yale thru the VPN
    (the default)
  • Or you can use scripts to route other networks
    to/thru Yale via the VPN tunnel (such as 128.36,
    172.16-31).
  • We will support PPTP for at least a few more
    years.

8
Yale VPN Supported Protocols
  • IPSEC
  • Strong encryption
  • RADIUS authentication against Yale AD
  • Windows 32-bit, MacOS X, Linux implementations
  • PocketPC - MovianVPN (cost is 75), Palm version
    in testing
  • Either tunnel all traffic to/thru Yale via the VPN,
    or only tunnel 130.132 traffic to Yale thru the VPN
    (the default)
  • Or you can use scripts to route other networks
    to/thru Yale via the VPN tunnel (such as 128.36,
    172.16-31).
  • IPSEC will be the recommended Yale VPN protocol.

9
Yale VPN Not Currently Supported Protocols
  • No plans to support either of these two
    currently.
  • L2TP - Layer Two Tunneling Protocol
  • Microsoft / Cisco merge of L2F and PPTP.
  • Supported in Windows 2000, XP, Server 2003 RRAS.
  • IPSEC would be run on top of L2TP.
  • SSL - Secure Sockets Layer
  • clientless VPNs
  • WebVPN

10
Current VPN.NET.YALE.EDU
  • Interfaces
  • Internal 130.132.166.33
  • External 130.132.1.200
  • Unused/Disabled
  • IP Address Ranges
  • 130.132.120.1-255
  • 130.132.44.1-255
  • 130.132.45.1-255
  • We should allocate one more (a 4th range).
  • Don't hardcode IPs, particularly not on Med
    wireless.

11
Current VPN.MED.YALE.EDU
  • Interfaces
  • Internal 172.21.89.200
  • External 128.36.118.7
  • Wireless 10.10.0.2
  • IP Address Ranges
  • 130.132.117.1-255
  • 128.36.122.1-255
  • 128.36.141.1-255
  • 128.36.124.1-255 (reserved but not in use
    currently)
  • Don't hardcode IPs, particularly not on Med
    wireless.

12
Current VPN-TEST.NET.YALE.EDU
  • Interfaces
  • Internal 130.132.251.69
  • External 130.132.1.230
  • Unused/Disabled
  • IP Address Ranges
  • 130.132.252.33-46
  • We could allocate more in an emergency.
  • Don't use for production. You can use it for
    testing and non-critical use. We can shut it down
    at any time.

13
Cisco VPN IPSEC Client
14
Cisco VPN IPSEC Client - Yale/YNHH Profiles
  • YSM Global - ALL traffic from the VPN client is
    routed through the IPSEC tunnel to the YSM VPN
    server.
  • YSM Split - Only Yale IP network traffic (128.36,
    130.132, 172.16-31) is tunneled to the YSM VPN
    server.
  • YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - Used by
    YSM staff to access the YNHH Network from Yale
  • There are new YNHH PCF files (profiles) in
    testing.

15
Which IPSEC profile to use?
  • YSM_Global - No split tunneling
  • Must use when on Yale Med Wireless.
  • Recommended for use when on any wireless net and
    whenever you require a higher level of security.
  • When outside Yale use to access Library
    resources.

16
[Network diagram, same topology as slide 4: Global profile, Comcast user to YSM VPN to www.med.yale.edu]
17
[Network diagram, same topology as slide 4: Global profile, Comcast user to YSM VPN to www.qwest.com]
18
[Network diagram, same topology as slide 4: Global profile, Yale Med WiFi to YSM VPN to www.med.yale.edu]
19
[Network diagram, same topology as slide 4: Global profile, Yale Med WiFi to YSM VPN to www.qwest.com]
20
Which IPSEC profile to use?
  • YSM_Split - Split tunneling
  • Use when you need to access a local network at
    the same time as you are accessing Yale networks.
    The local network could be at home.
  • When outside Yale, use split tunneling if you need
    to access non-Yale Internet sites directly for
    performance or connectivity reasons.

21
[Network diagram, same topology as slide 4: Split profile, Comcast user to YSM VPN to www.med.yale.edu]
22
[Network diagram, same topology as slide 4: Split profile, Comcast user to YSM VPN to www.qwest.com]
23
Which IPSEC profile to use?
  • YNHH
  • You need permission to access the YNHH network.
  • YSM_VPN_CLIENT_TO_ACCESS_YNHH_Network - The
    current PCF for YSM users to access the YNHH
    Network.
  • There are new YNHH PCF files (profiles) in
    testing.
  • There will be (in fact already is) a profile for
    Yale users to access a YNHH VPN service from the
    Yale network, separate from a new profile for
    YNHH users to use when they are on the Internet
    and not at Yale.

24
[Network diagram, same topology as slide 4: YNHH access path via the YNHH-Yale Firewall]
25
VPN Service Offering Changes
  • One Single Virtual System Image - Convergence
  • We are syncing both servers (resolving config
    diffs)
  • VPN.YALE.EDU
  • DNS round-robin record
  • Name switches between the IPs for VPN.MED and
    VPN.NET
  • Load Balancing
  • Cisco VPN client can automatically split load
  • Currently we could handle 1,000 VPN clients per
    VPN server -- but we may need more than 2,000 for
    pandemic planning.

26
VPN Service Offering Changes
  • Profile Name Changes (proposals)
  • Yale Library Resources (Global)
  • Yale Med Wireless (Global)
  • Yale Remote Access (Split)
  • Yale with Local Access (Split)
  • Two YNHH Profiles
  • Yale Network to YNHH VPN
  • Non-Yale Network to YNHH VPN

27
Questions?