Netopia R2020 사용자 설명서
Virtual Private Networks 9-19
A
A
A
Allllllllo
o
o
ow
w
w
wiiiin
n
n
ng
g
g
g V
V
V
VP
P
P
PN
N
N
Nssss tttth
h
h
ho
o
o
ou
u
u
ug
g
g
gh
h
h
h aa
a
a ffffiiiirrrree
e
ew
w
w
waa
a
allllllll
An administrator interested in securing a network will usually combine the use of VPNs with the use of a firewall
or some similar mechanism. This is because a VPN is not a complete security solution, but rather a component
of overall security. Using a VPN will add security to transactions carried over a public network, but a VPN alone
will not prevent a public network from infiltrating a private network. Therefore, you should combine use of a
firewall with VPNs, where the firewall will secure the private network from infiltration from a public network, and
the VPN will secure the transactions that must cross the public network.
or some similar mechanism. This is because a VPN is not a complete security solution, but rather a component
of overall security. Using a VPN will add security to transactions carried over a public network, but a VPN alone
will not prevent a public network from infiltrating a private network. Therefore, you should combine use of a
firewall with VPNs, where the firewall will secure the private network from infiltration from a public network, and
the VPN will secure the transactions that must cross the public network.
A strict firewall may not be provisioned to allow VPN traffic to pass back and for th as needed. In order to ensure
that a firewall will allow a VPN, cer tain attributes must be added to the firewall's provisioning. The provisions
necessar y var y slightly between ATMP and PPTP, but both protocols operate on the same basic premise: there
are control and negotiation operations, and there is the tunnelled traffic that carries the payload of data
between the VPN endpoints. The difference is that ATMP uses UDP to handle control and negotiation, while
PPTP uses TCP. Then both ATMP and PPTP use GRE to carr y the payload.
that a firewall will allow a VPN, cer tain attributes must be added to the firewall's provisioning. The provisions
necessar y var y slightly between ATMP and PPTP, but both protocols operate on the same basic premise: there
are control and negotiation operations, and there is the tunnelled traffic that carries the payload of data
between the VPN endpoints. The difference is that ATMP uses UDP to handle control and negotiation, while
PPTP uses TCP. Then both ATMP and PPTP use GRE to carr y the payload.
For PPTP negotiation to work, TCP packets inbound and outbound destined for por t 1723 must be allowed.
Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for por t 5150 must be
allowed. Source por ts are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both
require a firewall to allow GRE bi-directionally.
Likewise, for ATMP negotiation to work, UDP packets inbound and outbound destined for por t 5150 must be
allowed. Source por ts are dynamic, so, if possible, make this flexible, too. Additionally, PPTP and ATMP both
require a firewall to allow GRE bi-directionally.
The following sections illustrate a sample filtering setup to allow either PPTP or ATMP traffic to cross a firewall:
■
■
Make your own appropriate substitutions. For more information on filters and firewalls, see Chapter 14,
“Security.”
“Security.”
PPTP Example
To enable a firewall to allow PPTP traffic, you must provision the firewall to allow inbound and outbound TCP
packets specifically destined for por t 1723. The source por t may be dynamic, so often it is not useful to apply
a compare function upon this por tion of the control/negotiation packets. You must also set the firewall to allow
inbound and outbound GRE packets, enabling transpor t of the tunnel payload.
packets specifically destined for por t 1723. The source por t may be dynamic, so often it is not useful to apply
a compare function upon this por tion of the control/negotiation packets. You must also set the firewall to allow
inbound and outbound GRE packets, enabling transpor t of the tunnel payload.
From the Main Menu navigate to Display/Change IP Filter Set, and from the pop-up menu select Basic Firewall.
Main
Menu
System
Filter
Sets
IP Filter
Sets
Display/Change
IP Filter Set
Configuration
Basic
Firewall