Campus VPN service
Trevor Grove, CSCF
March 4, 2011
Overview
• The VPN project
• What is a VPN and why do I want it (what’s it good for)?
• What do we have?
• How do I use it?
• Technical stuff
• Questions
The VPN project
• The team:
– Steve Carr (IST-Client Services)
– Trevor Grove (CSCF)
– Mike Patterson (IST-IT Security)
– Jason Testart (IST)
– Shawn Winnington-Ball (IST-CSS Unix)
– Hong Zheng (IST-CSS Windows)
• And community testers
• Summer/Fall 2010; P.O. issued December
The “what” and “why”
• VPN: Virtual Private Network
– Google “define: vpn”
– “tunnels”, “connect to a workplace”, “private connection”, etc.
– Using the public Internet to securely connect a remote computer to the uWaterloo network
– Make the remote computer appear as if it were physically connected on campus
Why? (What does it do?)
• Off-campus computers are subject to network restrictions:
– Campus border policies, e.g. Windows file sharing
– “uWaterloo-only” websites & resources
– Campus “interior” addresses (172.16/12)
– ISP restrictions (message sizes, protocol ports)
• A VPN connection bypasses these, and makes the client look like it is on campus
• Improved telecommuting is a key component to the campus pandemic plan
Why, 2
• VPN connections are encrypted between the client and the campus VPN server
– Like https, but for everything: email, file-sharing, web-browsing, remote desktop
– Uses the same technology as web “ssl” (TLS)
– Note: traffic is in the clear again between the VPN server and the campus destination, exactly as it would be from an on-campus desktop
• Provides the basis for improved campus border security
– Restrict protocols at the desktop to uWaterloo
– Restrict protocols at the border
• “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”
Product selection
• Four products investigated:
– OpenVPN (hardware costs, no software costs, per-client cost per year)
– Microsoft Forefront UAG (hardware & software costs, no per-client cost)
– Juniper SSL VPN Appliance (server costs, per-client cost)
– Cisco ASA (server costs, per-client costs)
• Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage
So what do we have?
• Cisco ASA (“Adaptive Security Appliance”) servers
– Specifically, a pair of ASA 5400s, configured in High Availability mode
– Licenced for 1,000 simultaneous users (unlimited client installations)
– Intended audience: staff, faculty, grad employees
• Classified as an “ssl vpn”, uses the standard https port (443)
– No problems with firewalls needing to allow PPTP or GRE
How do I use it? Getting started…
• Browse to https://cn-vpn.uwaterloo.ca
Getting started, 2–3
• Use AnyConnect to “plug in” on campus (screenshots in the original slides)
Getting started, 4–5
• Internet Explorer => Tools => Internet Options => Security (screenshots in the original slides)
Getting started, 6–7
• …annoying Windows “User Account Control” prompt…
• …possible warnings about “ActiveX installation”…
Getting started, 8
• After client installation: WatIAM credentials prompt (screenshot in the original slides)
Ending a session
• Use task-bar notification icon (lower right)
Client platforms
• Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu 10.04
– For platforms with no ActiveX technology, will need to download installer package and run
– Mac OSX seems to be straightforward
– Ubuntu slightly complex installation process:
  • Download installer package & script
  • Run installer script from commandline
• Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari
How does it work?
• Before the VPN connection (diagram):
– PC with NIC address 1.2.3.4 -> Internet -> ISP -> destination net: 129.97/16, 172.16/12
– Potential connection impediments anywhere along that path
How does it work, 2
• After the VPN connection (diagram):
– PC with NIC address 1.2.3.4, plus a VPN-client-assigned address in 172.16.36/22
– Client routes campus addresses via VPN
– Internet -> ISP -> VPN server -> destination net: 129.97/16, 172.16/12
– VPN server routes 172.16.36/22 to campus nets
Technical details
• Installs a network pseudo-device on the client
• Client connects to server, receives a VPN tunnel IP address in 172.16.36/22

    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix . : uwaterloo.ca
       Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
       Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       …
       IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 129.97.2.1
                                           129.97.129.10
       …
Technical details, 2
• Client routes uWaterloo traffic through the tunnel, other traffic as usual:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           129.97.0.0      255.255.0.0         On-link      172.16.36.18      2
         129.97.2.197  255.255.255.255      129.97.15.1    129.97.15.204     11
        129.97.15.204  255.255.255.255         On-link     129.97.15.204    266
       129.97.255.255  255.255.255.255         On-link      172.16.36.18    257
           172.16.0.0      255.240.0.0         On-link      172.16.36.18      2
          172.16.36.0    255.255.252.0         On-link      172.16.36.18    257
         172.16.36.18  255.255.255.255         On-link      172.16.36.18    257
        172.16.39.255  255.255.255.255         On-link      172.16.36.18    257
       172.31.255.255  255.255.255.255         On-link      172.16.36.18    257
    ...
      255.255.255.255  255.255.255.255         On-link     129.97.15.204    266
      255.255.255.255  255.255.255.255         On-link      172.16.36.18    257
Technical details, 3
• Fewer hops via VPN (both traces were run from a test machine on the campus 129.97.15/24 network, as the route table above shows):
– With VPN:

    C:\Users\trg\Desktop>tracert www.uwaterloo.ca
    Tracing route to info.uwaterloo.ca [129.97.128.40] …:
      1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
      2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.

– Without VPN:

      1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
      2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
      3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
      4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
      5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
      6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      7     3 ms     4 ms     3 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.
Technical details, 4
• VPN will not forward non-uWaterloo traffic to off-campus (split tunnelling)
– Relies on the client to route uWaterloo traffic (129.97/16, 172.16/12) via the VPN, other traffic as usual
– Consequence: only campus-bound traffic is tunnelled, so the “bypass” of ISP restrictions applies to campus destinations only
• Session idle timeout (automatic disconnect) of 30 minutes
– But be aware of background processes
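The split-tunnel behaviour in “Technical details, 2” and “Technical details, 4” can be reproduced from the route table alone. The following is an added example, not code from the deck or from Cisco: it transcribes the slide’s IPv4 route table and applies the Windows selection rule (longest prefix match, then lowest metric) to decide whether a given destination leaves via the AnyConnect adapter or the physical NIC. The `tunnel_endpoint_is_pinned` check is the practitioner’s sanity test for any split-tunnel table: the VPN server’s own address must resolve to the physical path, or the encrypted outer packets would be routed back into the tunnel. The deck does not say what 129.97.2.197 is; treating that pinned /32 as the VPN server is an assumption made here.

```python
"""Split-tunnel route lookup modelled on the AnyConnect client's IPv4 route table.

Added example; not the deck's own code. Route entries are transcribed from the
slide; the Windows tie-break rule (longest prefix, then lowest metric) is standard.
"""
import ipaddress
from dataclasses import dataclass

TUNNEL = "172.16.36.18"     # AnyConnect virtual adapter address (from the slide)
PHYSICAL = "129.97.15.204"  # physical NIC address (from the slide; the test host was on campus)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or a next-hop address
    interface: str    # address of the interface the route uses
    metric: int


def _r(prefix: str, gateway: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, interface, metric)


# Transcribed from the slide's "IPv4 Route Table"; loopback and broadcast host routes omitted.
ROUTES = [
    _r("0.0.0.0/0",        "129.97.15.1", PHYSICAL, 266),  # default route: plain Internet path
    _r("129.97.0.0/16",    "On-link",     TUNNEL,   2),    # campus public range -> tunnel
    _r("129.97.2.197/32",  "129.97.15.1", PHYSICAL, 11),   # one campus host pinned to the physical path
    _r("129.97.15.204/32", "On-link",     PHYSICAL, 266),  # the physical NIC itself
    _r("172.16.0.0/12",    "On-link",     TUNNEL,   2),    # campus interior range -> tunnel
    _r("172.16.36.0/22",   "On-link",     TUNNEL,   257),  # the VPN client address pool
    _r("172.16.36.18/32",  "On-link",     TUNNEL,   257),  # this client's tunnel address
]


def lookup(dst: str, routes=ROUTES) -> Route:
    """Pick the route a Windows host would use: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def via_tunnel(dst: str) -> bool:
    """True when the destination is sent over the AnyConnect adapter."""
    return lookup(dst).interface == TUNNEL


def classify(dsts):
    """Map each destination to 'vpn' or 'direct', i.e. what the split tunnel actually covers."""
    return {d: ("vpn" if via_tunnel(d) else "direct") for d in dsts}


def tunnel_endpoint_is_pinned(server_ip: str) -> bool:
    """A split-tunnel table must send the VPN server's own address over the physical
    path; if its most specific route used the tunnel adapter the outer TLS packets
    would loop back into the tunnel and the session could never come up."""
    return lookup(server_ip).interface != TUNNEL


if __name__ == "__main__":
    sample = ["129.97.128.40", "172.16.31.75", "8.8.8.8", "129.97.2.197"]  # constructed inputs
    for dst, how in classify(sample).items():
        print(f"{dst:>16}  {how}")
    # Assumption: the pinned /32 for 129.97.2.197 is the VPN server (the slide does not say).
    print("129.97.2.197 pinned off-tunnel:", tunnel_endpoint_is_pinned("129.97.2.197"))
```

Two things worth noticing from the output: the /16 and /12 entries win over the default route by prefix length, not by their low metric, so a destination such as 8.8.8.8 never enters the tunnel, which is the “will not forward non-uWaterloo traffic” behaviour of the slide; and while the session is up the host is reachable on both its ISP address and its 172.16.36/22 address at once, so desktop firewall rules should treat the AnyConnect adapter as a campus interface rather than as part of the Internet-facing profile.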
Questions?