Campus VPN service
Trevor Grove, CSCF
March 4, 2011

Overview
• The VPN project
• What is a VPN and why do I want it (what’s it good for)?
• What do we have?
• How do I use it?
• Technical stuff
• Questions

The VPN project
• The team:
  • Steve Carr (IST-Client Services)
  • Trevor Grove (CSCF)
  • Mike Patterson (IST-IT Security)
  • Jason Testart (IST)
  • Shawn Winnington-Ball (IST-CSS Unix)
  • Hong Zheng (IST-CSS Windows)
  • And community testers
• Summer/Fall 2010; P.O. issued December

The “what” and “why”
• VPN: Virtual Private Network
• Google “define: vpn”
  • “tunnels”, “connect to a workplace”, “private connection”, etc.
• Using the public Internet to securely connect a remote computer to the uWaterloo network
• Make the remote computer appear as if it were physically connected on campus
Why? (What does it do?)
• Off-campus computers are subject to network restrictions:
  • Campus border policies, e.g. Windows file sharing
  • “uWaterloo-only” websites & resources
  • Campus “interior” addresses (172.16/12)
  • ISP restrictions (message sizes, protocol ports)
• A VPN connection bypasses these, and makes the client look like it is on campus
• Improved telecommuting is a key component of the campus pandemic plan
Why, 2
• VPN connections are encrypted end-to-end
  • Like https, but for everything: email, file-sharing, web-browsing, remote desktop
  • Uses same technology as web “ssl”
• Provides the basis for improved campus border security
  • Restrict protocols at the desktop to uWaterloo
  • Restrict protocols at the border
• “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”
Product selection
• Four products investigated:
  • OpenVPN (hardware costs, no software costs, per-client cost per year)
  • Microsoft Forefront UAG (hardware & software costs, no per-client cost)
  • Juniper SSL VPN Appliance (server costs, per-client cost)
  • Cisco ASA (server costs, per-client costs)
• Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage

So what do we have?
• Cisco ASA (“Adaptive Security Appliance”) servers
  • Specifically, a pair of ASA 5400s, configured in High Availability mode
• Licensed for 1,000 simultaneous users (unlimited client installations)
• Intended audience: staff, faculty, grad employees
• Classified as an “sslvpn”, uses standard https port
  • No problems with firewalls needing to allow PPTP or GRE
How do I use it? Getting started…
• https://cn-vpn.uwaterloo.ca

Getting started, 3
• Use AnyConnect to “plug in” on campus:

Getting started, 5
• Internet Explorer => Tools => Internet Options => Security

Getting started, 7
…annoying Windows “User Account Control” prompt…
…possible warnings about “ActiveX installation”…

After client installation
• WatIAM credentials

Ending a session
• Use task-bar notification icon (lower right)
Client platforms
• Tested under WinXP, Vista, Win7; Mac OS X; Linux Ubuntu 10.04
• For platforms with no ActiveX technology, you will need to download the installer package and run it
  • Mac OS X seems to be straightforward
  • Ubuntu has a slightly more complex installation process:
    • Download installer package & script
    • Run installer script from the command line
• Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari
How does it work?
• Before the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4 -> ISP (potential connection impediments) -> Internet -> destination nets 129.97/16 and 172.16/12]

How does it work, 2
• After the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4 and a VPN-client-assigned address in 172.16.36/22 (client routes campus addresses via the VPN) -> ISP -> Internet -> VPN server (routes 172.16.36/22 to campus nets) -> destination nets 129.97/16 and 172.16/12]
Technical details
• Installs a network pseudo-device on the client
• Client connects to server, receives a VPN tunnel IP address in 172.16.36/22

    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . : uwaterloo.ca
       Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
       Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       …
       IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 129.97.2.1
                                           129.97.129.10
       …

Technical details, 2
• Client routes uWaterloo traffic through the tunnel, other traffic as usual:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204    266
            127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
           129.97.0.0      255.255.0.0         On-link     172.16.36.18      2
         129.97.2.197  255.255.255.255     129.97.15.1    129.97.15.204     11
        129.97.15.204  255.255.255.255         On-link    129.97.15.204    266
       129.97.255.255  255.255.255.255         On-link     172.16.36.18    257
           172.16.0.0      255.240.0.0         On-link     172.16.36.18      2
          172.16.36.0    255.255.252.0         On-link     172.16.36.18    257
         172.16.36.18  255.255.255.255         On-link     172.16.36.18    257
        172.16.39.255  255.255.255.255         On-link     172.16.36.18    257
       172.31.255.255  255.255.255.255         On-link     172.16.36.18    257
    ...
      255.255.255.255  255.255.255.255         On-link    129.97.15.204    266
      255.255.255.255  255.255.255.255         On-link     172.16.36.18    257

Technical details, 3
• Fewer hops via VPN:
• With VPN:

    C:\Users\trg\Desktop>tracert www.uwaterloo.ca
    Tracing route to info.uwaterloo.ca [129.97.128.40]
    …:
      1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
      2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.

• Without VPN:

      1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
      2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
      3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
      4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
      5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
      6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      7     3 ms     4 ms     3 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.
Technical details, 4
• VPN will not forward non-uWaterloo traffic to off-campus
  • Relies on client to route uWaterloo traffic via the VPN, other traffic as usual
• Session idle timeout (automatic disconnect) of 30 minutes
  • But be aware of background processes
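As an added worked example (not part of the original slides or of Cisco's software), the following Python script loads the route table from the "Technical details, 2" slide and replays the client's route selection (longest prefix first, lowest metric on ties) to show which destinations leave through the AnyConnect adapter and which go straight out the physical NIC, which is the split-tunnel behaviour "Technical details, 4" describes. It also checks that the tunnel address and mask from the ipconfig slide fall inside the 172.16.36/22 pool. The interface addresses and campus destinations are taken from the slides; the 8.8.8.8 destination is constructed, and the reading of the pinned 129.97.2.197 host route as the VPN gateway itself is an assumption the slides do not confirm.

```python
"""Added example (not from the slides): replay the AnyConnect client's
split-tunnel routing decision over the route table shown on the
'Technical details, 2' slide."""
import ipaddress

# Route table copied from the slide: Windows 'route print' output taken
# while the VPN was connected (abridged where the slide was). 'On-link'
# means the destination is reached directly on that interface.
ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204    266
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
       129.97.0.0      255.255.0.0         On-link     172.16.36.18      2
     129.97.2.197  255.255.255.255     129.97.15.1    129.97.15.204     11
    129.97.15.204  255.255.255.255         On-link    129.97.15.204    266
   129.97.255.255  255.255.255.255         On-link     172.16.36.18    257
       172.16.0.0      255.240.0.0         On-link     172.16.36.18      2
      172.16.36.0    255.255.252.0         On-link     172.16.36.18    257
     172.16.36.18  255.255.255.255         On-link     172.16.36.18    257
    172.16.39.255  255.255.255.255         On-link     172.16.36.18    257
   172.31.255.255  255.255.255.255         On-link     172.16.36.18    257
  255.255.255.255  255.255.255.255         On-link    129.97.15.204    266
  255.255.255.255  255.255.255.255         On-link     172.16.36.18    257
"""

TUNNEL_IF = "172.16.36.18"     # AnyConnect virtual adapter (ipconfig slide)
PHYSICAL_IF = "129.97.15.204"  # the physical NIC in the same capture


def parse_routes(text):
    """Return [(network, gateway, interface, metric), ...] from route-print text."""
    routes = []
    for line in text.splitlines()[1:]:   # first line is the column header
        dest, mask, gateway, iface, metric = line.split()
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def select_route(routes, dst):
    """Windows route selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, dst):
    """Interface address a packet to dst leaves on."""
    return select_route(routes, dst)[2]


def default_route_interface(routes):
    """Interface behind 0.0.0.0/0. With split tunnelling this stays the physical
    NIC, which is why the tunnel adapter shows an empty 'Default Gateway'."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[3])[2]


def tunnel_address_in_pool(addr, mask, pool="172.16.36.0/22"):
    """Check that the assigned tunnel address/mask lands in the VPN pool the
    slide names (255.255.252.0 is the dotted form of /22)."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    return iface.network == ipaddress.ip_network(pool)


def classify(routes, destinations):
    """Map each destination to 'tunnel' or 'direct' by its egress interface."""
    return {d: ("tunnel" if egress_interface(routes, d) == TUNNEL_IF else "direct")
            for d in destinations}


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    samples = [
        "129.97.128.40",  # info.uwaterloo.ca, from the tracert slide
        "172.16.31.75",   # campus interior router, from the tracert slide
        "129.97.2.197",   # /32 pinned to the NIC; assumed to be the VPN gateway itself
        "8.8.8.8",        # constructed off-campus address
    ]
    for dst, path in classify(routes, samples).items():
        print(f"{dst:>15} -> {path} via {egress_interface(routes, dst)}")
    print("default route via", default_route_interface(routes))
    print("tunnel address in pool:", tunnel_address_in_pool(TUNNEL_IF, "255.255.252.0"))
```

The two /16 and /12 "On-link" routes with metric 2 are what pull 129.97/16 and 172.16/12 into the tunnel; everything else falls through to the 0.0.0.0/0 route on the physical NIC, so a destination outside campus address space never reaches the ASA at all, matching the "will not forward non-uWaterloo traffic" point. The single host route pinned to the NIC is the usual exception in a split-tunnel table, since the outer TLS session to the gateway must not itself be routed into the tunnel.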