Need some advice on learning networking

  • BillyCarpenter
    Field Supervisor

    Site Contributor
    VIP Subscriber
    10,000+ Posts
    • Aug 2020
    • 16308

    #976
    Re: Need some advice on learning networking

    For better or worse, I've decided to concentrate on setting up a Remote Access/Virtual Private Network.

    First I had to figure out exactly what this is and how to set it up.


    First things first. A VPN basically extends your private network over the internet. There are some considerations to take into account when setting this up....like upload speed at the central location. This could cause a bottleneck effect. Also, I'm gonna have to learn about "split tunneling."


    In closing, I also need to find out what security concerns I should be aware of.

    Should be a good learning experience.


    PS - There are 2 kinds of VPNs:

    a. Site-to-Site
    b. Remote Access

    I'll need to read up more on both.
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


    • rthonpm
      Field Supervisor

      2,500+ Posts
      • Aug 2007
      • 2847

      #977
      Re: Need some advice on learning networking

      Originally posted by BillyCarpenter
      For better or worse, I've decided to concentrate on setting up a Remote Access/Virtual Private Network.

      First I had to figure out exactly what this is and how to set it up.


      First things first. A VPN basically extends your private network over the internet. There are some considerations to take into account when setting this up....like upload speed at the central location. This could cause a bottleneck effect. Also, I'm gonna have to learn about "split tunneling."


      In closing, I also need to find out what security concerns I should be aware of.

      Should be a good learning experience.
      VPN is the easiest method for this since it takes out a lot of things that you can't really simulate like ISP agreements, fibre runs, etc.

      Overall, VPN is really just a PKI setup and routing rules:

      Make sure your VPN IP range(s) are separate from the corporate IP ranges (helps with auditing who's connecting from where)
      Do NOT use TCP with VPN: you'll want the 'unreliability' of UDP for this type of connection
      If you're working with an AD environment with an internal PKI infrastructure, use that to issue the TLS certs for the VPN connection

      Your real fun will be with getting the routing and port forwarding right.

      For your SMB example, if you really want to get adventurous try implementing DFS into a Windows environment, which allows you to spread a share over multiple servers in different locations. DFS Namespaces overview | Microsoft Docs

      I've only done it once for a customer that had offices in two different cities and wanted to move away from two servers hosting often out of date copies of the same data for each office like their previous IT support had setup. Since then, they've moved to online resources, but it got them over a challenge for several years and DFS still has a place in some environments for things like HR or Engineering data that you wouldn't want online, or could be too large to pull from the net.


      • BillyCarpenter
        Field Supervisor

        Site Contributor
        VIP Subscriber
        10,000+ Posts
        • Aug 2020
        • 16308

        #978
        Re: Need some advice on learning networking

        Originally posted by rthonpm
        VPN is the easiest method for this since it takes out a lot of things that you can't really simulate like ISP agreements, fibre runs, etc.

        Overall, VPN is really just a PKI setup and routing rules:

        Make sure your VPN IP range(s) are separate from the corporate IP ranges (helps with auditing who's connecting from where)
        Do NOT use TCP with VPN: you'll want the 'unreliability' of UDP for this type of connection
        If you're working with an AD environment with an internal PKI infrastructure, use that to issue the TLS certs for the VPN connection

        Your real fun will be with getting the routing and port forwarding right.

        For your SMB example, if you really want to get adventurous try implementing DFS into a Windows environment, which allows you to spread a share over multiple servers in different locations. DFS Namespaces overview | Microsoft Docs

        I've only done it once for a customer that had offices in two different cities and wanted to move away from two servers hosting often out of date copies of the same data for each office like their previous IT support had setup. Since then, they've moved to online resources, but it got them over a challenge for several years and DFS still has a place in some environments for things like HR or Engineering data that you wouldn't want online, or could be too large to pull from the net.

        As always, thanks for the insight. What's a PKI setup?


        PS - I'm watching a video about IPsec. Basically what it does is:

        1.) Encrypt (security)
        2.) Data integrity (reliability)


        PSS - You have a broad range of knowledge, dude.
        Adversity temporarily visits a strong man but stays with the weak for a lifetime.


        • BillyCarpenter
          Field Supervisor

          Site Contributor
          VIP Subscriber
          10,000+ Posts
          • Aug 2020
          • 16308

          #979
          Re: Need some advice on learning networking

          Here's the video on IPsec if anyone is interested:

          Adversity temporarily visits a strong man but stays with the weak for a lifetime.


          • BillyCarpenter
            Field Supervisor

            Site Contributor
            VIP Subscriber
            10,000+ Posts
            • Aug 2020
            • 16308

            #980
            Re: Need some advice on learning networking

            Originally posted by rthonpm

            For your SMB example, if you really want to get adventurous try implementing DFS into a Windows environment, which allows you to spread a share over multiple servers in different locations. DFS Namespaces overview | Microsoft Docs

            I've only done it once for a customer that had offices in two different cities and wanted to move away from two servers hosting often out of date copies of the same data for each office like their previous IT support had setup. Since then, they've moved to online resources, but it got them over a challenge for several years and DFS still has a place in some environments for things like HR or Engineering data that you wouldn't want online, or could be too large to pull from the net.

            I almost missed this nugget. I'm glad that I re-read your post. This is nuts. I love it. Gotta learn how to do this.


            Reference:

            DFS Namespaces overview
            01/21/2021

            Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

            DFS Namespaces is a role service in Windows Server that enables you to group shared folders located on different servers into one or more logically structured namespaces. This makes it possible to give users a virtual view of shared folders, where a single path leads to files located on multiple servers, as shown in the following figure:

            Adversity temporarily visits a strong man but stays with the weak for a lifetime.


            • rthonpm
              Field Supervisor

              2,500+ Posts
              • Aug 2007
              • 2847

              #981
              Re: Need some advice on learning networking

              PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.

              In an AD network for any internal TLS connection it makes sense to use an internal Certificate Authority since Active Directory member computers will implicitly trust anything using certs issued by it. For connections over the internet, a public CA would be a better option.

              At this point, most VPN instances in any business are through an appliance of some kind as opposed to a homebrew solution that you used to see in the past. Once the core config is set, the appliance manages almost everything. Cisco has a pretty good solution, though it comes with a hefty price tag.

              Sent from my BlackBerry using Tapatalk


              • rthonpm
                Field Supervisor

                2,500+ Posts
                • Aug 2007
                • 2847

                #982
                Re: Need some advice on learning networking

                One other point I forgot to mention: almost every business customer we have with a VPN has turned off split tunneling. The additional bandwidth costs were worth not needing to worry about people transferring company data to their personal network devices, or malware moving from a personal device to a company owned one that was part of the same network.

                Sent from my BlackBerry using Tapatalk


                • BillyCarpenter
                  Field Supervisor

                  Site Contributor
                  VIP Subscriber
                  10,000+ Posts
                  • Aug 2020
                  • 16308

                  #983
                  Re: Need some advice on learning networking

                  Originally posted by rthonpm
                  PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.

                  In an AD network for any internal TLS connection it makes sense to use an internal Certificate Authority since Active Directory member computers will implicitly trust anything using certs issued by it. For connections over the internet, a public CA would be a better option.

                  At this point, most VPN instances in any business are through an appliance of some kind as opposed to a homebrew solution that you used to see in the past. Once the core config is set, the appliance manages almost everything. Cisco has a pretty good solution, though it comes with a hefty price tag.

                  Sent from my BlackBerry using Tapatalk

                  I've continued to do my homework on VPNs and I know I've thanked rthonpm a million times but I need to thank him again. He has really helped to point me in the right direction and save me a lot of time.

                  This is by far the best tutorial I've seen to date on explaining AH v. ESP and ISAKMP in IPsec tunnels and it hits on many of the concepts that rthonpm talked about.

                  Warning: It's really detailed and very technical.

                  Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                  • BillyCarpenter
                    Field Supervisor

                    Site Contributor
                    VIP Subscriber
                    10,000+ Posts
                    • Aug 2020
                    • 16308

                    #984
                    Re: Need some advice on learning networking

                    Here's my understanding about site-to-site VPNs and IPsec.


                    Let's say that we have 2 offices. One is in Las Vegas and the other is in Nebraska. The Las Vegas office is on a 192. network and the Nebraska office is on a 10. network. How can we get connectivity between the 2 networks over the internet?


                    First we're gonna need a router or firewall that's capable of implementing IPsec and we're gonna need one on each network.


                    Note: By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.


                    How does it all work? Well, it's pretty straight-forward:


                    We have an edge router in Las Vegas that's on the 192. network and we "tell" this router that if a packet is sourced from the 192. network and it's destined for the 10. network, here's what I want you to do: I want you to take that packet and instead of just forwarding it to your default gateway, I want you to encrypt it and then encapsulate it inside of another packet and send it over to the edge router in Nebraska.


                    In conclusion, all the internet is gonna see is the public IP addresses of the 2 internet routers because the private IP addresses are all encapsulated inside of the IPsec packets.

                    Hope that made sense.



                    EDIT: IPsec supports automated generation and negotiation of keys and security associations using the IKE protocol. You can dig into that if you wish but for now I'm gonna chalk it up to magic. lol
                    Adversity temporarily visits a strong man but stays with the weak for a lifetime.

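The edge-router behaviour described in the post above, as an added example that is not from the thread: each router holds a crypto-map entry naming the "interesting traffic" (source subnet, destination subnet, peer public IP); matching packets are wrapped in an outer packet between the two public addresses, everything else is forwarded untouched. The topology, TEST-NET public addresses and the XOR stand-in for the negotiated cipher are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class CryptoMapEntry:
    local_net: str   # "interesting traffic": source subnet behind this router
    remote_net: str  # destination subnet behind the peer
    peer: str        # public IP of the peer's edge router


@dataclass
class EdgeRouter:
    public_ip: str
    crypto_map: list

    def forward(self, pkt):
        """Tunnel packets that match a crypto-map entry, forward the rest as-is."""
        for entry in self.crypto_map:
            if (ip_address(pkt.src) in ip_network(entry.local_net)
                    and ip_address(pkt.dst) in ip_network(entry.remote_net)):
                return encapsulate(pkt, self.public_ip, entry.peer)
        return pkt  # not interesting traffic: normal routing via the default gateway

    def receive(self, pkt):
        """Unwrap a tunnelled packet addressed to this router's public IP."""
        if pkt.dst == self.public_ip and pkt.payload.startswith(b"ESP"):
            return decapsulate(pkt)
        return pkt


def _toy_cipher(data):
    # Stand-in for the AES/SHA parameters real IPsec negotiates; a fixed XOR so
    # the example runs offline. It is a placeholder, not encryption.
    return bytes(b ^ 0x5A for b in data)


def encapsulate(inner, outer_src, outer_dst):
    """Tunnel mode: the whole inner packet (private IPs included) becomes the payload."""
    inner_bytes = f"{inner.src}>{inner.dst}:".encode() + inner.payload
    return Packet(outer_src, outer_dst, b"ESP" + _toy_cipher(inner_bytes))


def decapsulate(outer):
    header, _, payload = _toy_cipher(outer.payload[3:]).partition(b":")
    src, dst = header.decode().split(">")
    return Packet(src, dst, payload)


def internet_view(pkt):
    """What a device on the public internet can read from the packet."""
    body = b"ESP" if pkt.payload.startswith(b"ESP") else pkt.payload
    return (pkt.src, pkt.dst, body)


# Constructed topology: TEST-NET addresses stand in for the real public IPs.
LAS_VEGAS = EdgeRouter("203.0.113.1",
                       [CryptoMapEntry("192.168.1.0/24", "10.0.0.0/8", "198.51.100.1")])
NEBRASKA = EdgeRouter("198.51.100.1",
                      [CryptoMapEntry("10.0.0.0/8", "192.168.1.0/24", "203.0.113.1")])
```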

                    • BillyCarpenter
                      Field Supervisor

                      Site Contributor
                      VIP Subscriber
                      10,000+ Posts
                      • Aug 2020
                      • 16308

                      #985
                      Re: Need some advice on learning networking

                      One thing that I failed to mention is this:


                      There are actually 2 tunnels that are built when implementing a VPN/IPsec.

                      The first tunnel is the IKE tunnel. IKE stands for INTERNET KEY EXCHANGE. You can think of the IKE tunnel as a personal private party line that allows the 2 routers to communicate with each other. They're also gonna use the IKE tunnel to build the IPsec tunnel. That's the tunnel that the packet is gonna be encrypted on and sent between the 2 routers.

                      There are a lot of moving parts but the Phase 1 tunnel (IKE) is used to exchange secret security keys and we're building another tunnel (IPsec) where data is encrypted, sent over and then decrypted.
                      Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                      • BillyCarpenter
                        Field Supervisor

                        Site Contributor
                        VIP Subscriber
                        10,000+ Posts
                        • Aug 2020
                        • 16308

                        #986
                        Re: Need some advice on learning networking

                        Learning how to connect 2 remote sites is turning into a very complex job that requires some in-depth knowledge.


                        First, I needed to understand the theory behind site-to-site VPN. I have the theory down. The next step is to actually learn to set it up. This is where a person is gonna run into some problems. At least if you're using Cisco routers/firewalls. I suspect the same is true for other brands.


                        NOTE: Because your company information is going out over the internet to a remote site, security is paramount. And that's a big part of setting up a VPN.

                        Let's continue....


                        In order to set this up, it must be done via command line. The syntax looks impossible to remember if you ask me. Unless you're doing this every day. Anyway, that's another story.


                        Here's an easy way to remember what you need to negotiate between the 2 routers for the Phase 1 tunnel. Remember that IKE (Internet Key Exchange) is the Phase 1 tunnel and this is all about agreeing to security parameters between the 2 routers. If everything isn't the same for both routers, it will not work.


                        You need to remember the word: HAGLE

                        H - Hash (Hash is used to check data integrity. Popular hashing algorithms are MD5 and SHA.)
                        A - Authentication (how do we want to make the other device prove who it is: pre-shared keys or digital certificates)
                        G - Group (Group refers to DH. DH stands for Diffie-Hellman group, named after the 2 men who wrote the protocol that is responsible for generating secret security keys.)
                        L - Lifetime (how long should this tunnel stay up? The shorter the more secure. Default on a Cisco router is 1 day.)
                        E - Encryption (What type of encryption method do we want to use?)


                        To accomplish all of those things it requires typing in a LOT of command lines that I won't bore you with at the moment.


                        As you can see, I still have a ways to go before I really know how to set this up.
                        Adversity temporarily visits a strong man but stays with the weak for a lifetime.

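The Phase 1 (IKE) policy match described by the HAGLE post above, as an added example that is not from the thread or from Cisco: each router has a list of policies, the responder walks its own by priority and looks for one whose hash, authentication, DH group and encryption are identical on the initiator side. The lifetime is handled as Cisco documents for IKEv1 (the initiator's may be shorter but not longer, and the shorter value is used); the policy lists and the "weak parameter" sets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int     # lower number is tried first (Cisco convention)
    hash: str         # H - integrity hash
    auth: str         # A - "pre-share" or "rsa-sig"
    group: int        # G - Diffie-Hellman group
    lifetime: int     # L - seconds (the post notes the Cisco default is one day)
    encryption: str   # E - cipher


# Parameters the checker flags; chosen for this example, not a vendor list.
WEAK_HASHES = {"md5", "sha1"}
WEAK_CIPHERS = {"des", "3des"}
WEAK_GROUPS = {1, 2, 5}
MAX_LIFETIME = 86400


def weaknesses(policy):
    """Return the HAGLE parameters of a policy a defender would want changed."""
    issues = []
    if policy.hash in WEAK_HASHES:
        issues.append(f"hash {policy.hash}")
    if policy.auth == "pre-share":
        issues.append("auth pre-share (consider certificates)")
    if policy.group in WEAK_GROUPS:
        issues.append(f"group {policy.group}")
    if policy.lifetime > MAX_LIFETIME:
        issues.append(f"lifetime {policy.lifetime}s")
    if policy.encryption in WEAK_CIPHERS:
        issues.append(f"encryption {policy.encryption}")
    return issues


def negotiate(initiator, responder):
    """Model of the Phase 1 match: H, A, G and E must be identical, and the
    initiator's lifetime must not exceed the responder's; the shorter lifetime
    is used. Returns the agreed policy, or None when nothing matches."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            same = ((ip.hash, ip.auth, ip.group, ip.encryption)
                    == (rp.hash, rp.auth, rp.group, rp.encryption))
            if same and ip.lifetime <= rp.lifetime:
                return IkePolicy(rp.priority, rp.hash, rp.auth, rp.group,
                                 min(ip.lifetime, rp.lifetime), rp.encryption)
    return None


# Constructed policies for the two routers in the thread's example.
LAS_VEGAS = [
    IkePolicy(10, "sha256", "rsa-sig", 14, 28800, "aes-256"),
    IkePolicy(20, "md5", "pre-share", 2, 86400, "3des"),   # legacy fallback
]
NEBRASKA = [
    IkePolicy(10, "sha256", "rsa-sig", 14, 86400, "aes-256"),
]
```

Leaving a legacy fallback policy in place means a peer that only offers the weak set still gets a tunnel, which is what `weaknesses()` is there to surface.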

                        • rthonpm
                          Field Supervisor

                          2,500+ Posts
                          • Aug 2007
                          • 2847

                          #987
                          Re: Need some advice on learning networking

                          This is just showing why I stay in system administration instead of networking. Congratulations on getting some of this down, and even if you don't get all of it burned into your memory, most network engineers I know usually have to look up command syntax unless they do the same stuff every day.

                          Sent from my BlackBerry using Tapatalk


                          • BillyCarpenter
                            Field Supervisor

                            Site Contributor
                            VIP Subscriber
                            10,000+ Posts
                            • Aug 2020
                            • 16308

                            #988
                            Re: Need some advice on learning networking

                            Originally posted by rthonpm
                            This is just showing why I stay in system administration instead of networking. Congratulations on getting some of this down, and even if you don't get all of it burned into your memory, most network engineers I know usually have to look up command syntax unless they do the same stuff every day.

                            Sent from my BlackBerry using Tapatalk

                            You're probably smart to stay away from this stuff because I really don't think I'll ever use most of this knowledge because if a company is big enough to implement this...they probably have an IT staff and won't need me to do it.


                            I really didn't understand what I was getting into when I decided to learn routers and switches. But I do find it interesting and I think I've become addicted to seeing it through to the end. If it doesn't kill me first.
                            Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                            • Tricky
                              Field Supervisor

                              Site Contributor
                              2,500+ Posts
                              • Apr 2009
                              • 2621

                              #989
                              Re: Need some advice on learning networking

                              Originally posted by rthonpm
                              PKI = Public Key Infrastructure. It's a security method based on a public and private key exchange. It's how HTTPS and most online encryption works.
                              I have got a raspberry pi that I log into with ssh using public / private keys, no password. The odd thing is you generate the pub/priv keys on the computer that you're logging in from and do this on each computer that you want to access the pi, the odd thing is this seems the opposite to how the internet works.
                              Explained at about 8 minutes into this video
                              5 Steps to Secure Linux (protect from hackers) - YouTube


                              • rthonpm
                                Field Supervisor

                                2,500+ Posts
                                • Aug 2007
                                • 2847

                                #990
                                Re: Need some advice on learning networking

                                Originally posted by skynet
                                I have got a raspberry pi that I log into with ssh using public / private keys, no password. The odd thing is you generate the pub/priv keys on the computer that you're logging in from and do this on each computer that you want to access the pi, the odd thing is this seems the opposite to how the internet works.
                                Explained at about 8 minutes into this video
                                5 Steps to Secure Linux (protect from hackers) - YouTube
                                Which is fine in an unmanaged environment. Essentially, SSH is using self-signed certificates, which is why on your initial connection you're asked if you want to accept the key. In some larger environments we support, they go as far as having all of their SSH keys generated and signed by an internal certificate authority so that they are implicitly trusted. It takes out the possibility of a rogue server in the environment.

                                Sent from my BlackBerry using Tapatalk
