Highly loaded certificate-based VPN solution · 2019-09-13 · certificate-based VPN solution By...

Highly loaded certificate-based VPN

solutionBy Eugeniu CROITOROV, MUM Moldova 2019

About ME

Name: Eugeniu CROITOROV

Employment: Information Technology and Cyber Security Service (2012-present)

MikroTik experience: from 2013

Certificates:

Which type of VPN is Right for you?

PPTP – obsolete, many security issues

L2TP+IPSec – Use IPSec UDP 500,4500,1701 ports

SSTP – SSL/TLS encryption, Use TCP 443 port

OpenVPN – Opensource, Use TCP 1194 port

What is SSTP?

Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel.

TCP 443 – Difficult to block because it use the same port as HTTPS

Advantages and disadvantages

ADNAVTAGES

SSTP encryption offers a decent level of security, almost on par with OpenVPN (SSL 3.0 + 256-bit encryption).

SSTP is easy to configure on platforms it is built into.

The SSTP VPN protocol is very difficult to block because it uses TCP port 443 (the same one HTTPS uses).

SSTP offers good speeds if you have enough bandwidth.

DISADNAVTAGES

• SSTP is closed-source and solely owned by Microsoft.

• The SSTP protocol is available on a limited number of platforms –Windows, Linux, Android, and routers.

The challenge

4000+ VPN clients

Data encryption and integrity

High availability

Scalability

Routeros License level

Which platform to choose?

36 core 1.4Ghz CPU4GB RAMIPsec hardware accelerationLicense Level6

Which platform to choose?

Cloud hosted router

Virtualized platform

Can run on multiple hypervisors:

VMware

HyperV

Virtualbox

Others

CHR has full RouterOS features enabled by default but has a different licensing model than other RouterOS versions.

CHR License

HOW TO GET SSL CERTIFICATE?

Self-signed certificate

RouterOS

OpenSSL

Commercial SSL certificate

Comodo

Symantec

Unizeto

Free SSL certificate

Let’s Encrypt

SSL For FREE

HOW TO GET SSL CERTIFICATE?1. Install CertBot using official manuals

https://certbot.eff.org/#ubuntuxenial-other2. Create Certificates manually and put domain TXT record

#certbot certonly --preferred-challenges=dns --manual -d *.$DOMAIN

HOW TO GET SSL CERTIFICATE?3. Now you need to create a DNS TXT record on your domain name

Mikrotik Configuration

Clock & Time zone setting

IMPORT Certificates

1. Fullchain.pem2. Privkey.pem

Create PPP Profile

Enable SSTP Server

Create Firewall Rule

Create domain records

The topology

Thank you!

Highly loaded certificate-based VPN solution · 2019-09-13 · certificate-based VPN solution By...

Documents

Transcript of Highly loaded certificate-based VPN solution · 2019-09-13 · certificate-based VPN solution By...

Configure AnyConnect VPN on FTD using Cisco ISE as a ... · Configure Anyconnect VPN on FTD (use the Root CA Certificate) ... In our example below, employees will open the AnyConnect

VPN . VPN Virtual private network.

Computer Net Lab/Praktikum Datenverarbeitung 2 1 Overview VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls.

UNIFIED INTELLIGENCE. CENTRALISED CONTROL. · • Security Management Services: Mobile VPN, certificate management, key management, device management, and identity management •

Site-to-Site VPN · Site-to-Site VPN Avirtualprivatenetwork(VPN)isanetworkconnectionthatestablishesasecuretunnelbetweenremote peersusingapublicsource,suchastheInternetorothernetwork

IPSec VPN: Authentication by certificate · Reference:sns-en-IPSec_VPN_Authentication_Certificates_Technical_Note. Tableofcontents IPSecVPN:Authenticationbycertificate 3 Implementation

Configuring PKI Using the IPSec VPN SPA...† Configuring certificate enrollment, which is the pr ocess of obtaining a certificate from a certificate authority (CA). Certificate enrollment

49266610 Eugeniu Coseriu Introduce Re in Lingvistica

Curs geologie aplicata - Eugeniu Marchidanu

CCNP Security · 2012. 4. 26. · To install a self-signed certificate using the ASDM, navigate to Configuration > Remote Access VPN > Certificate Management > Identity Certificates

22-6 filetaoyuan dental associa tion 104 9 a 33-1 vpn)xb vpn) vpn vpnáå ' vpn

Subject: VPN connection between Apple VPN Client and ... · ... VPN connection between Apple VPN Client ... I was using certificate generated on my Windows 2008 ... Our intention

IP Desktop Softphone (Windows) for Alcatel-Lucent ...€¦ · GA Gateway Appliance VPN Virtual Private Networking AOM Add-On Module CA Certificate Authority CTL Certificate Trust

System i: Security Digital Certificate Manager - IBM · Digital Certificate Manager (DCM)... Creating.1 ... feature, to centrally manage ... Virtual Private Network (VPN) connection

IPSec VPN: Authentication by certificate

(VPN) Virtual Private Network Certificate Authorities...Virtual Private Network (VPN) Certificate Authorities VMware, Inc. 6 Regardless of the ASA firewall equipment or proprietary

Eugeniu Agapii Thesis

Configure AnyConnect VPN Phone with Certificate ... › docs › cisco › 115785-anyconnect-vpn-00.pdf · LSCs: Cisco Certificate Authority Proxy Function (CAPF) - Authenticate IP

Understanding and Configuring VPC Peering, VPN, and ... · PDF fileAWS VPC Access Hardware-based VPN Direct Connect VPN CloudHub Software VPN. VPN Types Corporate Datacenter Internet

VPN Tracker for Mac OS X · For certificate authentication you need a CA with private key, so one VPN Tracker Professional Edition is required in order to sign certificates. Only