
Electronic, Inc. is a fictional electronics design and manufacturing
company with a main corporate campus in New York and branch offices
and distribution business partners throughout the United States.
Electronic, Inc. has implemented a VPN solution with the Celestix RAS3000
and Windows XP, leveraging Internet connectivity to connect remote access
users, branch offices, and business partners. Electronic, Inc.'s RAS3000,
used in conjunction with two-factor authentication and Internet
Authentication Service (IAS), provides centralized authentication,
authorization, accounting, and administration of remote access policies
for the VPN, remote access, and wireless security solution.
Based on the common configuration of the RAS3000, the following
VPN configurations are described:
- VPN remote access for employees.
- On-demand branch office access.
- Persistent branch office access.
- Extranet for business partners.
Note: The example companies, organizations,
products, people, and events depicted herein are fictitious. No
association with any real company, organization, product, person,
or event is intended or should be inferred.
VPN Remote Access for Employees
Remote access for Electronic, Inc. employees is deployed by using
remote access VPN connections across the Internet. Electronic, Inc.
also enforces security with audit trail by connecting access points
to the RAS3000. Figure 1 shows the Electronic, Inc. RAS VPN server
that provides remote access and wireless security via VPN connections.
Figure 1 The Electronic, Inc. VPN server
that provides remote access VPN connections
Electronic, Inc. further strengthens VPN access security with hardware-based
two-factor authentication using USB tokens. Storing or generating users'
private keys and certificates on a USB token or smart card significantly
enhances VPN access security, because the private key never leaves the
device and cannot be copied off a compromised workstation. A USB token
provides strong two-factor authentication, portability, and convenience in
one compact device. For remote access to a secured site, users simply
insert their personal USB token and enter their USB token password.
Microsoft's native PKI support enables full challenge-response
authentication: the token signs the server's challenge with the user's
private key, and the USB token password, which is set by the user, unlocks
operations with the private keys held on the token.
On-Demand Branch Office
The Portland and Dallas branch offices of Electronic, Inc. are connected
to the corporate office by using on-demand site-to-site VPN connections.
Both the Portland and Dallas offices contain a small number of employees
who only need occasional connectivity with the corporate office.
The routers in the Portland and Dallas offices are equipped with
an ISDN adapter that dials a local Internet service provider to
gain access to the Internet, and then a site-to-site VPN connection
is made across the Internet. When the VPN connection is idle for
five minutes, the routers at the branch offices terminate the VPN
connection. Figure 2 shows the Electronic, Inc. VPN server that
provides on-demand branch office connections.

Figure 2 The Electronic, Inc. RAS3000 that
provides on-demand branch office connections
Persistent Branch Office
The Chicago and Phoenix branch offices of Electronic, Inc. are connected
to the corporate office by using persistent site-to-site VPN connections
that stay connected 24 hours a day. The routers in the Chicago and
Phoenix offices are equipped with T1 WAN adapters that have a permanent
connection to a local Internet service provider to gain access to
the Internet.
The VPN connection is a two-way initiated connection: it can be initiated
either by the branch office router or by the VPN server. Two-way initiated
connections require the creation of demand-dial interfaces, remote access
policies, IP address pools, and packet filters on the routers on both sides
of the connection. Because either side may answer a call, the answering
router must recognize the caller as a router rather than as a remote access
client; in Windows routing and remote access this requires that the user
name the calling router authenticates with match the name of the demand-dial
interface on the answering router, so that convention should be checked on
both sides.
Figure 3 shows the Electronic, Inc. VPN server that provides persistent
branch office connections.

Figure 3 Electronic, Inc. RAS3000 that provides persistent branch
office connections
Extranet for Business Partners
The network administrator for Electronic, Inc. has created an extranet,
a portion of the Electronic, Inc. private network that is available
to business partners through secured VPN connections. The Electronic,
Inc. extranet is the network attached to the Electronic, Inc. RAS3000
and contains a file server and a Web server. Parts distributors
Tasmanian Traders and Parnell Aerospace are Electronic, Inc. business
partners and connect to the Electronic, Inc. extranet by using on-demand,
site-to-site VPN connections. An additional remote access policy
is used to ensure that the business partners can only access the
extranet file server and Web server.
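The restriction described above (partners reach only the extranet file server and Web server) and the packet filters mentioned for the persistent branch office connections are both instances of a default-deny filter list applied to the demand-dial interface. The following Python is an added illustration, not part of the Celestix documentation: it models such an input filter list as ordered permit rules with an implicit deny, so that a partner packet aimed at the internal network or at a non-permitted port is dropped. All addresses, subnets, and port numbers are assumptions chosen for the example.

```python
"""Model of a default-deny input filter list on an extranet demand-dial
interface. Added example; addresses and subnets below are invented."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical addressing for the scenario (assumption, not from the page).
EXTRANET_FILE_SERVER = ipaddress.ip_address("192.168.10.10")
EXTRANET_WEB_SERVER = ipaddress.ip_address("192.168.10.20")
PARTNER_NETS = {
    "Tasmanian Traders": ipaddress.ip_network("10.50.0.0/24"),
    "Parnell Aerospace": ipaddress.ip_network("10.60.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # a /32 network for a single host
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int]         # None means any destination port
    action: str                  # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def host(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Express a single host as a /32 so rules can use network matching."""
    return ipaddress.ip_network(f"{ip}/32")


def build_extranet_filters() -> List[Rule]:
    """Permit each partner subnet to reach only the two extranet servers:
    SMB on the file server and HTTP/HTTPS on the Web server."""
    rules: List[Rule] = []
    for net in PARTNER_NETS.values():
        rules.append(Rule(net, host(EXTRANET_FILE_SERVER), "tcp", 445, "permit"))
        rules.append(Rule(net, host(EXTRANET_WEB_SERVER), "tcp", 80, "permit"))
        rules.append(Rule(net, host(EXTRANET_WEB_SERVER), "tcp", 443, "permit"))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"  # implicit default: nothing reaches the corporate LAN


if __name__ == "__main__":
    filters = build_extranet_filters()
    # Constructed sample packets: partner to file server, partner to LAN host.
    print(evaluate(filters, Packet("10.50.0.7", "192.168.10.10", "tcp", 445)))
    print(evaluate(filters, Packet("10.50.0.7", "192.168.1.5", "tcp", 445)))
```

The check a practitioner wants here is the default action: the filter list on the extranet interface must be configured to drop everything except the listed traffic, otherwise a partner router that has a route to the corporate subnet can reach it even though the remote access policy is in place. The same default-deny discipline applies to the filters on both ends of the persistent branch office connections.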
To simplify configuration, the VPN connection is a one-way initiated
connection. The business partner's router always initiates the connection.
Figure 4 shows the Electronic, Inc. VPN server that provides extranet
connections for business partners.
Figure 4 Electronic, Inc. RAS3000 provides
extranet connections for business partners.