
Campus VPN service


Presentation Transcript


  1. Campus VPN service
     Trevor Grove, CSCF
     March 4, 2011

  2. Overview
     • The VPN project
     • What is a VPN and why do I want it (what’s it good for)?
     • What do we have?
     • How do I use it?
     • Technical stuff
     • Questions

  3. The VPN project
     • The team:
       • Steve Carr (IST-Client Services)
       • Trevor Grove (CSCF)
       • Mike Patterson (IST-IT Security)
       • Jason Testart (IST)
       • Shawn Winnington-Ball (IST-CSS Unix)
       • Hong Zheng (IST-CSS Windows)
       • And community testers
     • Summer/Fall 2010; P.O. issued December

  4. The “what” and “why”
     • VPN: Virtual Private Network
     • Google “define: vpn”
       • “tunnels”, “connect to a workplace”, “private connection”, etc.
     • Using the public Internet to securely connect a remote computer to the uWaterloo network
     • Make the remote computer appear as if it were physically connected on campus

  5. Why? (What does it do?)
     • Off-campus computers are subject to network restrictions:
       • Campus border policies, e.g. Windows file sharing
       • “uWaterloo-only” websites & resources
       • Campus “interior” addresses (172.16/12)
       • ISP restrictions (message sizes, protocol ports)
     • A VPN connection bypasses these, and makes the client look like it is on campus
     • Improved telecommuting is a key component of the campus pandemic plan

  6. Why, 2
     • VPN connections are encrypted end-to-end
       • Like https, but for everything: email, file-sharing, web-browsing, remote desktop
       • Uses the same technology as web “ssl”
     • Provides the basis for improved campus border security
       • Restrict protocols at the desktop to uWaterloo
       • Restrict protocols at the border
     • “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”

  7. Product selection
     • Four products investigated:
       • OpenVPN (hardware costs, no software costs, per-client cost per year)
       • Microsoft Forefront UAG (hardware & software costs, no per-client cost)
       • Juniper SSL VPN Appliance (server costs, per-client cost)
       • Cisco ASA (server costs, per-client costs)
     • Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage

  8. So what do we have?
     • Cisco ASA (“Adaptive Security Appliance”) servers
       • Specifically, a pair of ASA 5400s, configured in High Availability mode
     • Licenced for 1,000 simultaneous users (unlimited client installations)
     • Intended audience: staff, faculty, grad employees
     • Classified as an “sslvpn”; uses the standard https port
       • No problems with firewalls needing to allow PPTP or GRE

  9. How do I use it? Getting started…
     • https://cn-vpn.uwaterloo.ca

  10. Getting started, 2

  11. Getting started, 3
     • Use AnyConnect to “plug in” on campus:

  12. Getting started, 4

  13. Getting started, 5
     • Internet Explorer => Tools => Internet Options => Security

  14. Getting started, 6

  15. Getting started, 7
     • …annoying Windows “User Account Control” prompt…
     • …possible warnings about “ActiveX installation”…

  16. Getting started, 8

  17. After client installation
     • WatIAM credentials

  18. Ending a session
     • Use the task-bar notification icon (lower right)

  19. Client platforms
     • Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu 10.04
     • For platforms with no ActiveX technology, you will need to download the installer package and run it
       • Mac OSX seems to be straightforward
       • Ubuntu has a slightly more complex installation process:
         • Download the installer package & script
         • Run the installer script from the command line
     • Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari

  20. How does it work?
     • Before the VPN connection:
       [diagram: PC with NIC address 1.2.3.4 → ISP (potential connection impediments) → Internet → destination nets 129.97/16 and 172.16/12]

  21. How does it work, 2
     • After the VPN connection:
       [diagram: PC with NIC address 1.2.3.4 and a VPN-client-assigned address in 172.16.36/22; the client routes campus addresses via the VPN → ISP → Internet → VPN server, which routes 172.16.36/22 to the campus nets → destination nets 129.97/16 and 172.16/12]

  22. Technical details
     • Installs a network pseudo-device on the client
     • Client connects to the server and receives a VPN tunnel IP address in 172.16.36/22

       Ethernet adapter Local Area Connection:
          Connection-specific DNS Suffix  . : uwaterloo.ca
          Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
          Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
          DHCP Enabled. . . . . . . . . . . : No
          Autoconfiguration Enabled . . . . : Yes
          …
          IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.252.0
          Default Gateway . . . . . . . . . :
          DNS Servers . . . . . . . . . . . : 129.97.2.1
                                              129.97.129.10
          …

  23. Technical details, 2
     • Client routes uWaterloo traffic through the tunnel, other traffic as usual:

       IPv4 Route Table
       ===========================================================================
       Active Routes:
       Network Destination        Netmask          Gateway       Interface  Metric
                 0.0.0.0          0.0.0.0      129.97.15.1  129.97.15.204     266
               127.0.0.0        255.0.0.0         On-link      127.0.0.1     306
               127.0.0.1  255.255.255.255         On-link      127.0.0.1     306
         127.255.255.255  255.255.255.255         On-link      127.0.0.1     306
              129.97.0.0      255.255.0.0         On-link   172.16.36.18       2
            129.97.2.197  255.255.255.255     129.97.15.1  129.97.15.204      11
           129.97.15.204  255.255.255.255         On-link  129.97.15.204     266
          129.97.255.255  255.255.255.255         On-link   172.16.36.18     257
              172.16.0.0      255.240.0.0         On-link   172.16.36.18       2
             172.16.36.0    255.255.252.0         On-link   172.16.36.18     257
            172.16.36.18  255.255.255.255         On-link   172.16.36.18     257
           172.16.39.255  255.255.255.255         On-link   172.16.36.18     257
          172.31.255.255  255.255.255.255         On-link   172.16.36.18     257
       ...
         255.255.255.255  255.255.255.255         On-link  129.97.15.204     266
         255.255.255.255  255.255.255.255         On-link   172.16.36.18     257

  24. Technical details, 3
     • Fewer hops via VPN:
     • With VPN:

       C:\Users\trg\Desktop>tracert www.uwaterloo.ca
       Tracing route to info.uwaterloo.ca [129.97.128.40] …:
         1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
         2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
         3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
       Trace complete.

     • Without VPN:

         1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
         2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
         3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
         4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
         5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
         6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
         7     3 ms     4 ms     3 ms  info.uwaterloo.ca [129.97.128.40]
       Trace complete.

  25. Technical details, 4
     • VPN will not forward non-uWaterloo traffic to off-campus
       • Relies on the client to route uWaterloo traffic via the VPN, other traffic as usual
     • Session idle timeout (automatic disconnect) of 30 minutes
       • But be aware of background processes

  26. Questions?
