Remote Access VPN Deployments
As workforces become increasingly mobile in nature, this changes the dynamics of a secure IP network. Remote Access VPN deployments have become the central focus of secure connectivity in enterprise mobility, allowing secure Layer 3 communications to any VPN endpoint that has an internet connection to the appropriate VPN concentrator. We've discussed some of the business drivers for enterprise adoption of RAVPN deployments during our introduction to VPNs in Chapter 1. Now we will explore some common architectures for delivering RAVPN services to the enterprise.
RAVPN Architectural Overview
As we discussed in Chapter 1, "Introduction to VPN Technologies," the two core elements that comprise an RAVPN topology are VPN concentrators and VPN clients. These two elements communicate with one another over a predefined media at Layer 3 of the OSI Model. As such, these two entities can be connected over any media that will support Layer 3 between concentrator and client, including dial-up networks, Internet connections using DSL, and 802.11 wireless media. Because the underlying communications are relatively independent on the IPsec portion of the RAVPN, we will discuss clients and concentrators communicating with one another over a ubiquitous Internet connection, and will discuss RAVPN design in greater detail in Chapter 10, "Further Architectural Options for IPsec."
RAVPN Clients
RAVPN clients typically come in two general flavors, hardware-based clients and software-based clients. Software-based VPN clients run locally on the user's remote workstation or laptop, and they are used to connect to a centrally managed VPN concentrator, typically located on the enterprise campus. The strength of software-based VPN clients is rooted in the mobility that they provide. When deployed on a user's laptop, a software-based VPN client can securely extend confidential communications from the campus to anywhere that a VPN client can access Layer 3 communications. Software-based VPN clients are therefore useful for tunneling data from centrally located campus resources to the end user. However, they do have limitations, and because of these limitations, the use of hardware-based VPN clients is merited in some situations. Specifically, software-based VPN clients terminate VPN connectivity locally on teleworkers' laptops and do not allow for the secure networking of other Layer 3 devices at the remote end of the VPN (such as a hardware-based IP Phone) over that VPN. Additionally, software-based clients will not support the termination of GRE locally, and therefore they will not typically support multicast data flows. Hardware-based clients, though inherently less mobile, address many of the functional limitations found in software-based IPsec VPN clients.
Hardware-based VPN clients are typically found in small, remote locations that do not have dedicated connectivity to a central hub IPsec router. These devices are commonly found at home offices that have DSL- or cable-modem connectivity to the Internet. The hardware-based VPN client maintains the IPsec VPN (and GRE tunnel termination) to the concentrator, while allowing cleartext IP communications locally within the small home office or branch. Therefore, hardware-based VPN components add a networked element to the SOHO (small office, home office) or small branch environment that allows users to extend voice, video, and data securely from the campus.
In order to deliver both mobility and breadth of services to remote teleworkers, it is very common to see users deploy both software-based VPN clients and hardware-based VPN clients at the same time. Having the hardware-based VPN connectivity extends virtually all IP services available on the campus to relatively fixed remote locations. Software-based VPN communications allows users to extend communications in highly mobile scenarios. All of these services must be accommodated on the concentrator side of the VPN. For this reason, the variation in RAVPN topology is most commonly seen at the concentrator end of the design, which is what we will focus the remainder of this chapter's RAVPN discussion on.
Standalone VPN Concentrator Designs
Due to the nature of IPsec and firewalls, the placement of the VPN concentrator in a DMZ design is critical to the success of the greater RAVPN architecture. Figures 3-7 through 3-10 outline several DMZ topologies that we will use to explore common design issues which must be addressed in RAVPN design. Each of these designs pertains to an IPsec VPN concentrator deployment for effective termination of client IPsec VPN tunnels in an RAVPN environment.
Figure 3-7 VPN Concentrator Placement in Single-DMZ Design
VPN Concentrator on Outside Network with Single DMZ
The DMZ layout illustrated in Figure 3-7 is one of the most common, and most effective, designs in RAVPN/DMZ integration. This design allows for increased security, because inside traffic from the VPN concentrator is firewalled from the firewall's DMZ interface to its inside interface.
Also, the firewall can add an additional layer of proxy authentication AAA authentication in conjunction with an ACS server located on the inside network, offering a comprehensive authentication, authorization, and accounting solution for traffic types all the way up to Layer 7. The processing of traffic inbound from the DMZ can be further inspected for network attacks using either the PIX IOS-based signature set or a compatible, more comprehensive, signature set maintained on an external Network Intrusion Detection Systems (NIDS) appliance.
As we will also see with the design in Figure 3-8, there are no IPsec-specific modifications that need to be added to the firewall ACL configuration. Likewise, there are no additional Network Address Translation (NAT) considerations to account for on the firewall. This design does, however, require marginally increased filtering capability on the firewall, as cleartext traffic from the IPsec VPN concentrator is now being processed on the DMZ interface on its way to the inside network.
Figure 3-8 Parallel VPN Concentrator and Firewall DMZ Design
VPN Concentrator and Firewall in Parallel
Placing the VPN concentrator in parallel with the firewall eliminates the possibility of human error when opening up holes in the firewall ACL to allow IPsec traffic from inbound VPN clients to the concentrator (as with the design illustrated in Figure 3-10). Figure 3-8 provides an illustration of a standard DMZ design that places the VPN concentrator in parallel with the firewall.
Additionally, this topology presents no computational overhead on the firewall for processing IPsec traffic in to the VPN concentrator. Instead, that traffic is focused solely on the VPN concentrator. Likewise, the concentrator is not burdened by non-VPN traffic, as would be the case if the concentrator were placed in series with the firewall on the outside network.
The parallel configuration described in the design of Figure 3-8 also simplifies the NAT configuration on both the firewall and the DMZ. Although IPsec itself can accommodate environments where addresses are being translated, this topology eliminates the NAT processing of VPN traffic firewall and concentrator. Therefore, for RAVPN IPsec tunnels, the need for vendor-specific IPsec extensions such as NAT-T (IPsec NAT Transparency) is avoided.
VPN Concentrator with Dual DMZs to Firewall
Using two DMZ interfaces for inside and outside VPN traffic, as described in the design shown in Figure 3-9, can also be an effective means by which to integrate a VPN concentrator into a DMZ. This design should be deployed when increased protection of the VPN concentrator itself is desired. Designs similar to this one are also commonly found when the enterprise does not have control over the Internet gateway directly outside of the DMZ, as would be the case when the enterprise contracts with a service provider that wishes to maintain the Internet gateway itself. In such a case, the enterprise would rely on the firewall, as opposed to the Internet gateway, to switch packets to the appropriate directly connected interface. As a result, it would be the firewall's responsibility to forward VPN traffic directly connected to DMZ1 interface and allowed NAT'd (if necessary) enterprise traffic directly to the inside interface.
Figure 3-9 VPN Concentrator with Dual DMZs to Firewall
Figure 3-10 What to Avoid in DMZ/VPN Concentrator Topologies
Locating the VPN concentrator's outside interface behind the DMZ inserts a layer of filtering and authentication of IPsec traffic before the concentrator, thereby adding another layer of hardening to the design. There are also tradeoffs to the design, because the outside ACL of the firewall must be altered to allow ISAKMP, ESP, and AH traffic through to the concentrator. In addition to punching holes through the ACL to accommodate VPN traffic, this design also increases the computation overhead associated with VPN traffic on the firewall, because traffic is processed twice (once on the outside interface, and again as traffic is received from the concentrator on the second DMZ interface).
What to Avoid in DMZ/VPN Concentrator Topologies
We will use the design shown in Figure 3-10 to highlight a few things to avoid when positioning a VPN concentrator in a DMZ. The fourth design places the concentrator in a position that requires VPN traffic to be processed serially between the firewall and concentrator with little additional value. Although the concentrator is located in a more secure environment (Location A), the concentrator can be secured just as effectively by placing it in the DMZ. Additionally, when placing the concentrator in the DMZ, traffic can be sent directly from the outside interface to the concentrator itself without NAT. Alternatively, the location in this design will likely require NAT, leading to a more complicated firewall configuration and increased processing overhead.
Locating the VPN concentrator serially outside of the firewall (moving the concentrator from Location A to Location B, as shown in Example 3-10) can have an equally adverse effect. This type of design requires that all traffic be processed by the concentrator, as opposed to just the VPN traffic, leading to increased overhead. While this alteration eliminates the need to NAT inbound VPN traffic, it does place the concentrator in a relatively unsecured location, presenting the opportunity for denial of service (DoS) attacks for all network traffic destined to the enterprise (single point of failure).
Clustered VPN Concentrator Designs
The RAVPN designs we have discussed thus far only assume the use of a single VPN concentrator. However, all of these designs can be hardened further through the deployment of multiple concentrators in the appropriate location, commonly referred to as "clustering." The deployment of a VPN cluster offers redundancy locally at the concentrator level, and it also allows for increased scalability in terms of the number of inbound IPsec VPN tunnels from VPN clients that the design can support. Figure 3-11 illustrates a typical clustered IPsec VPN concentrator deployment in a DMZ design.
Figure 3-11 Clustered RAVPN Concentrator Deployment
The clustered design presented in Figure 3-11 is a variation on the recommended RAVPN/DMZ shown in Figure 3-7. The altered design allows for triple redundancy relative to the original design, and it also allows the design to scale up to three times the amount of VPN tunnels during peak traffic hours for the remote access to central enterprise resources. We will discuss this design and several other effective designs for RAVPN High Availability in Chapter 9, "Solutions for Remote Access VPN High Availability."