Campus VPN service
Trevor Grove, CSCF
March 4, 2011

Overview
• The VPN project
• What is a VPN and why do I want it (what’s it good for)?
• What do we have?
• How do I use it?
• Technical stuff
• Questions

The VPN project
• The team:
  – Steve Carr (IST-Client Services)
  – Trevor Grove (CSCF)
  – Mike Patterson (IST-IT Security)
  – Jason Testart (IST)
  – Shawn Winnington-Ball (IST-CSS Unix)
  – Hong Zheng (IST-CSS Windows)
• And community testers
• Summer/Fall 2010; P.O. issued December

The “what” and “why”
• VPN: Virtual Private Network
  – Google “define: vpn”
  – “tunnels”, “connect to a workplace”, “private connection”, etc.
  – Using the public Internet to securely connect a remote computer to the uWaterloo network
  – Make the remote computer appear as if it were physically connected on campus

Why? (What does it do?)
• Off-campus computers are subject to network restrictions:
  – Campus border policies, e.g. Windows file sharing
  – “uWaterloo-only” websites & resources
  – Campus “interior” addresses (172.16/12)
  – ISP restrictions (message sizes, protocol ports)
• A VPN connection bypasses these, and makes the client look like it is on campus
• Improved telecommuting is a key component of the campus pandemic plan

Why, 2
• VPN connections are encrypted end-to-end
  – Like https, but for everything: email, file-sharing, web-browsing, remote desktop
  – Uses same technology as web “ssl”
• Provides the basis for improved campus border security
  – Restrict protocols at the desktop to uWaterloo
  – Restrict protocols at the border
• “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”

Product selection
• Four products investigated:
  – OpenVPN (hardware costs, no software costs, per-client cost per year)
  – Microsoft Forefront UAG (hardware & software costs, no per-client cost)
  – Juniper SSL VPN Appliance (server costs, per-client cost)
  – Cisco ASA (server costs, per-client costs)
• Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage

So what do we have?
• Cisco ASA (“Adaptive Security Appliance”) servers
  – Specifically, a pair of ASA 5400s, configured in High Availability mode
• Licensed for 1,000 simultaneous users (unlimited client installations)
  – Intended audience: staff, faculty, grad employees
• Classified as an “ssl vpn”, uses standard https port
  – No problems with firewalls needing to allow PPTP or GRE

How do I use it? Getting started…
• https://cn-vpn.uwaterloo.ca

Getting started, 2

Getting started, 3
• Use AnyConnect to “plug in” on campus:

Getting started, 4

Getting started, 5
• Internet Explorer => Tools => Internet Options => Security

Getting started, 6

Getting started, 7
…annoying Windows “User Account Control” prompt…
…possible warnings about “ActiveX installation”…

Getting started, 8

After client installation
• WatIAM credentials

Ending a session
• Use task-bar notification icon (lower right)

Client platforms
• Tested under WinXP, Vista, Win 7; Mac OSX; Linux Ubuntu 10.04
  – For platforms with no ActiveX technology, will need to download installer package and run
  – Mac OSX seems to be straightforward
  – Ubuntu slightly complex installation process:
    • Download installer package & script
    • Run installer script from command line
• Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari

How does it work?
• Before the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4 → ISP → Internet (potential connection impediments) → Destination nets: 129.97/16, 172.16/12]

How does it work, 2
• After the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4, VPN client assigned address in 172.16.36/22; client routes campus addresses via VPN → ISP → Internet → VPN server (routes 172.16.36/22 to campus nets) → Destination nets: 129.97/16, 172.16/12]

Technical details
• Installs a network pseudo-device on the client
• Client connects to server, receives a VPN tunnel IP address in 172.16.36/22

    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : uwaterloo.ca
       Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
       Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       …
       IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 129.97.2.1
                                           129.97.129.10
       …

Technical details, 2
• Client routes uWaterloo traffic through the tunnel, other traffic as usual:

    IPv4 Route Table
    ======================================
    Active Routes:
    Network Destination   Netmask           Gateway        Interface       Metric
    0.0.0.0               0.0.0.0           129.97.15.1    129.97.15.204      266
    127.0.0.0             255.0.0.0         On-link        127.0.0.1          306
    127.0.0.1             255.255.255.255   On-link        127.0.0.1          306
    127.255.255.255       255.255.255.255   On-link        127.0.0.1          306
    129.97.0.0            255.255.0.0       On-link        172.16.36.18         2
    129.97.2.197          255.255.255.255   129.97.15.1    129.97.15.204       11
    129.97.15.204         255.255.255.255   On-link        129.97.15.204      266
    129.97.255.255        255.255.255.255   On-link        172.16.36.18       257
    172.16.0.0            255.240.0.0       On-link        172.16.36.18         2
    172.16.36.0           255.255.252.0     On-link        172.16.36.18       257
    172.16.36.18          255.255.255.255   On-link        172.16.36.18       257
    172.16.39.255         255.255.255.255   On-link        172.16.36.18       257
    172.31.255.255        255.255.255.255   On-link        172.16.36.18       257
    . . .
    255.255.255.255       255.255.255.255   On-link        129.97.15.204      266
    255.255.255.255       255.255.255.255   On-link        172.16.36.18       257

Technical details, 3
• Fewer hops via VPN:
  – With VPN:

    C:\Users\trg\Desktop>tracert www.uwaterloo.ca
    Tracing route to info.uwaterloo.ca [129.97.128.40] …:
      1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
      2     6 ms     4 ms           re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.

  – Without VPN (7 hops):

      1  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
      2  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
      3  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
      4  v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
      5  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
      6  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      7  info.uwaterloo.ca [129.97.128.40]
    Trace complete.

Technical details, 4
• VPN will not forward non-uWaterloo traffic to off-campus
  – Relies on client to route uWaterloo traffic via the VPN, other traffic as usual
• Session idle timeout (automatic disconnect) of 30 minutes
  – But be aware of background processes
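An added example (not from the slides or from Cisco) that models the route selection behind the "Technical details, 2" route table and the split-tunnel point above: longest-prefix match over the rows transcribed from the slide, then a check that only the campus nets (129.97/16, 172.16/12) leave via the AnyConnect adapter. It assumes the /32 route to 129.97.2.197 is the client's deliberate off-tunnel route to its own VPN server; the slide does not say what that host is.

```python
import ipaddress

TUNNEL_IF = "172.16.36.18"   # AnyConnect virtual adapter address shown on the slide
CAMPUS = [ipaddress.ip_network(n) for n in ("129.97.0.0/16", "172.16.0.0/12")]

# Rows transcribed from the "IPv4 Route Table" slide (loopback/broadcast rows omitted):
# (destination, netmask, gateway or "On-link", interface, metric)
ROUTES = [
    ("0.0.0.0",      "0.0.0.0",         "129.97.15.1", "129.97.15.204", 266),
    ("129.97.0.0",   "255.255.0.0",     "On-link",     TUNNEL_IF,         2),
    ("129.97.2.197", "255.255.255.255", "129.97.15.1", "129.97.15.204",  11),
    ("172.16.0.0",   "255.240.0.0",     "On-link",     TUNNEL_IF,         2),
    ("172.16.36.0",  "255.255.252.0",   "On-link",     TUNNEL_IF,       257),
]

def lookup(dst, routes=ROUTES):
    """Windows-style route selection: longest matching prefix wins, then the
    lowest metric.  Returns (gateway, interface), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network:
            key = (-network.prefixlen, metric)      # smaller key = better route
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

def via_tunnel(dst, routes=ROUTES):
    """True when traffic to dst leaves through the VPN virtual adapter."""
    hit = lookup(dst, routes)
    return hit is not None and hit[1] == TUNNEL_IF

def split_tunnel_violations(probes, routes=ROUTES, exempt=()):
    """Return the probes whose path contradicts the split-tunnel policy: campus
    destinations should ride the tunnel, everything else the normal gateway.
    `exempt` lists hosts deliberately kept off-tunnel (assumption: the /32 host
    route on the slide is the client's route to its own VPN server)."""
    bad = []
    for p in probes:
        on_campus = any(ipaddress.ip_address(p) in n for n in CAMPUS)
        expected = on_campus and p not in exempt
        if via_tunnel(p, routes) != expected:
            bad.append(p)
    return bad

if __name__ == "__main__":
    # 198.51.100.7 is a constructed off-campus (documentation-range) destination
    probes = ["129.97.128.40", "172.16.31.75", "198.51.100.7", "129.97.2.197"]
    print("violations:", split_tunnel_violations(probes, exempt={"129.97.2.197"}))
```

Dropping the `exempt` set makes the check flag 129.97.2.197, which is the case to investigate if that host route ever points somewhere other than the VPN server.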

Questions?