Virtual Private Networks

Second Edition

Charlie Scott, Paul Wolfe, and Mike Erwin

Beijing - Cambridge - Farnham - Köln - Paris - Sebastopol - Taipei - Tokyo

O'REILLY

Petitioner Apple Inc. - Exhibit 1074, Cover

Virtual Private Networks, Second Edition
by Charlie Scott, Paul Wolfe, and Mike Erwin

Copyright © 1999, 1998 O'Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.

Editor: Andy Oram

Production Editor: Jane Ellin

Printing History:

March 1998: First Edition.

January 1999: Second Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered
trademarks of O'Reilly & Associates, Inc. Many of the designations used by manufacturers
and sellers to distinguish their products are claimed as trademarks. Where those designations
appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the
designations have been printed in caps or initial caps.

The association between the image of puffins and the topic of virtual private networks is a
trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher assumes
no responsibility for errors or omissions, or for damages resulting from the use of the
information contained herein.

This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
O'Reilly & Associates is committed to using paper with the highest recycled content available
consistent with high quality.

ISBN: 1-56592-529-7

[1/99]

Table of Contents

Preface ... ix

1. Why Build a Virtual Private Network? ... 1
   What Does a VPN Do? ... 2
   Security Risks of the Internet ... 4
   How VPNs Solve Internet Security Issues ... 5
   VPN Solutions ... 8
   A Note on IP Address and Domain Name Conventions Used in This Book ... 10

2. Basic VPN Technologies ... 11
   Firewall Deployment ... 12
   Encryption and Authentication ... 22
   VPN Protocols ... 32
   Methodologies for Compromising VPNs ... 37
   Patents and Legal Ramifications ... 43

3. Wide Area, Remote Access, and the VPN ... 45
   General WAN, RAS, and VPN Concepts ... 45
   VPN Versus WAN ... 47
   VPN Versus RAS ... 55

4. Implementing Layer 2 Connections ... 62
   Differences Between PPTP, L2F, and L2TP ... 63
   How PPTP Works ... 64
   Features of PPTP ... 74

5. Configuring and Testing Layer 2 Connections ... 76
   Installing and Configuring PPTP on a Windows NT RAS Server ... 77
   Configuring PPTP for Dial-up Networking on a Windows NT Client ... 84
   Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client ... 87
   Enabling PPTP on Remote Access Switches ... 90
   Making the Calls ... 93
   Troubleshooting Problems ... 93
   Using PPTP with Other Security Measures ... 97

6. Implementing the AltaVista Tunnel ... 99
   Advantages of the AltaVista Tunnel System ... 100
   AltaVista Tunnel Limitations ... 102
   How the AltaVista Tunnel Works ... 103
   VPNs and AltaVista ... 108

7. Configuring and Testing the AltaVista Tunnel ... 119
   Getting Busy ... 119
   Installing the AltaVista Tunnel ... 119
   Configuring the AltaVista Tunnel Extranet and Telecommuter Server ... 123
   Configuring the AltaVista Telecommuter Client ... 131
   Troubleshooting Problems ... 131

8. Creating a VPN with the Unix Secure Shell ... 135
   The SSH Software ... 136
   Building and Installing SSH ... 138
   SSH Components ... 139
   Creating a VPN with PPP and SSH ... 144
   Troubleshooting Problems ... 157
   A Performance Evaluation ... 160

9. The Cisco PIX Firewall ... 162
   The Cisco PIX Firewall ... 162
   The PIX in Action ... 163
   Configuring the PIX as a Gateway ... 169
   Configuring the Other VPN Capabilities ... 177

10. Managing and Maintaining Your VPN ... 180
   Choosing an ISP ... 181
   Solving VPN Problems ... 181
   Delivering Quality of Service ... 186
   Security Suggestions ... 187
   Keeping Yourself Up-to-Date ... 190

11. A VPN Scenario ... 191
   The Topology ... 191
   Central Office ... 192
   Large Branch Office ... 193
   Small Branch Offices ... 193
   Remote Access Users ... 194
   A Network Diagram ... 195

A. Emerging Internet Technologies ... 197

B. Resources, Online and Otherwise ... 201

Index ... 205

66

Chapter 4: Implementing Layer 2 Connections

Essentially, this all takes place just as if she were dialing into the RAS server
via a directly connected modem.

3. The PPTP session can then tunnel the protocols that dial-up users are allowed
to use. In Sara N.'s case, TCP/IP is one of those protocols, and the NT RAS
server assigns her machine the internal corporate IP address of 2.1.1.129.

Looking at Figure 4-1, you can follow these events and see where the client's
original Point-to-Point Protocol (PPP) session is encapsulated by the PPTP tunnel.
This figure is a simplified version of what the actual topology looks like;
routers at the ISP and corporate LAN, for instance, have been removed.

[Figure 4-1 (diagram): remote user "saran" makes a PPP call to the ISP remote access switch (with PPTP); the switch makes a PPTP call across the Internet to the PPTP-enabled RAS server on the corporate LAN.]

Figure 4-1. Dialing into an ISP that supports PPTP

Once the PPTP call is completed and the sales manager is authenticated, she has
access to the corporate network as if she were on the LAN. She can then check
her email and access files on her desktop machine using file sharing.

Dialing into an ISP That Doesn't Support PPTP

In order for an ISP to support PPTP, they must be using one of the remote access
switches we mentioned at the beginning of this chapter. Not every ISP uses those
brands of remote access switches, and some don't use these devices at all. Instead
they might use modems connected to a multiport serial card in a Unix system, or
some other terminal server device. Others might have the appropriate hardware,
but choose not to implement PPTP because they don't want to be forced to do
technical support for tunneled connections. Whatever the reason, there's a chance
that your ISP may not offer PPTP; however, that doesn't mean that you can't use it.

This scenario requires two things: first, you again need to have a Windows NT 4.0
RAS server with PPTP installed on your network, and it must be accessible from
the Internet; second, your Windows NT Workstation, Windows 95, or Windows 98
client machine must have the PPTP protocol and Dial-Up Networking installed.

We'll use Sara N. for this example as well. This time, however, she's dialing into
an ISP that doesn't support PPTP. In addition, she's running Windows NT 4.0
Workstation on her laptop computer. The sequence of events for a tunneling
session with a non-PPTP-enabled provider is as follows:

1. Sara dials into her ISP using a dial-up networking profile for her account and
establishes a standard PPP connection.

2. After the PPP connection has been made, Sara uses Dial-Up Networking again
to "dial" into the PPTP RAS server at the corporate office. In this dial-up profile,
however, she puts the IP address of the RAS server, 2.1.1.60, in the phone
number field, and selects the dial device to be a VPN port set up through Dial-Up
Networking (we'll explain in Chapter 5 how to set this up).

3. A PPTP connection is made through Sara's PPP connection over the Internet
and to the RAS server. The RAS server then logs her into the corporate network
using the username and password she supplied. The RAS server assigns her the
internal IP address of 2.1.1.129, and she is then granted access to the corporate
network.

Figure 4-2 shows how the second PPTP call is encapsulated through the initial PPP
connection to the ISP.

Again, once the PPTP connection is made, Sara N. will have access to the corporate
LAN just as if she were connected to it via a network card or dial-up RAS
connection.

[Figure 4-2 (diagram): remote user "saran" makes a PPP call to an ISP remote access switch without PPTP; the PPTP call runs from her client, through that PPP connection and across the Internet, to the PPTP-enabled RAS server on the corporate LAN.]

Figure 4-2. Connecting to a corporate RAS server via an ISP that doesn't support PPTP

Where PPTP Fits into Our Scenario

In Figure 4-3 we have a representation of a corporate office network with a T1
connection to the Internet. The router that connects to the Internet is also a
packet-filtering firewall. User Sara N. wants to check her corporate email, and is
dialing into her ISP, which is using a PPTP-enabled remote access switch. After
she connects to the switch, it starts a PPTP call to the RAS server specified in her
user profile. In this figure, a lightly shaded line extends the PPTP session back to
the client, rather than just to the remote access switch. Sara uses this line when
she has to dial into an ISP that doesn't support PPTP, and initiates the PPTP
session on her workstation with a second RAS call.

[Figure 4-3 (diagram): the virtual private network runs from the client, assigned 2.1.1.129 by RAS, over the PPTP tunneled connection to the RAS server; the PPTP session continues back to the client if the ISP doesn't support it.]

Figure 4-3. A full diagram of a PPTP connection over the Internet

On the corporate router and firewall, TCP port 1723, on which PPTP establishes
its control connection, must be open to both inbound and outbound traffic. The
tunneled data itself does not travel over that TCP connection: it is carried in GRE,
IP protocol 47, so the packet filter must also pass protocol 47 between the RAS
server and the remote access switch or client. A filter that opens only port 1723
will let the control connection come up and then silently drop every data packet.
If the rest of the network is protected by a firewall that disallows inbound and
outbound Internet traffic, then a single point of entry to the LAN is established,
which is protected by the user-based authentication.

Dissecting a PPTP Packet

The PPTP encapsulation technique is based on another Internet standard called
the Generic Routing Encapsulation (GRE) protocol, which can be used to tunnel
protocols over the Internet. (If you're interested, see RFCs 1701 and 1702.) The
PPTP version, known as GREv2, adds extensions for specific features such as a
Call ID that ties each packet to its PPTP call, and sequence and acknowledgment
numbers used for flow control.

A PPTP packet is made up of a delivery header, an IP header, a GREv2 header,
and the payload packet. The delivery header is the framing protocol for whatever
medium the packet is traveling over, whether it's Ethernet, frame relay, or PPP.
The IP header contains information essential to the IP datagram, such as the
packet length and the source and destination addresses. The GREv2 header
contains information on the type of packet encapsulated, as well as PPTP-specific
data that pertains to the connection between the client and server. Finally, the
payload packet is the encapsulated datagram itself. In the case of PPP, this
datagram is the original PPP session data that is sent between the client and
server, and within it can be IP, IPX, or NetBEUI packets. Figure 4-4 illustrates
the layers of PPTP encapsulation.

[Figure 4-4 (diagram not reproduced in this extraction): delivery header, IP header, GREv2 header, payload packet.]

Figure 4-4. The four layers of a PPTP packet being transported across the Internet

The encapsulation process

The encapsulation process for a user dialing into an ISP that supports PPTP is as
follows:

1. The user dials into the ISP's remote access switch using PPP. Between the client
and the remote access switch flow PPP packets, surrounded by the frames of
whatever media-specific protocol is delivering them.

2. At the switch, the media-specific frames are stripped away, and the call triggers
the remote access switch to open up a PPTP tunneling session over the Internet
between itself and the PPTP-enabled NT RAS server specified in the user's
profile. The remote access switch encapsulates the PPP payload packet within a
GREv2 header, then an IP header. Finally, the packet gets a delivery header
before going out of the switch. Throughout the packet's journey, the delivery
header may change depending on the type of media through which the packet is
being sent. For instance, it may go from Ethernet, to frame relay, to Ethernet
again, to PPP over ISDN, and to Ethernet yet again before finally reaching its
destination at the RAS server.

3. The RAS server treats the incoming PPTP connection as an incoming call, just as
if it were coming in over a modem. It strips off the delivery header, the IP header,
and the GREv2 header from the payload packet. It then handles the PPP
connection as it normally would if the user were coming in over a modem
connection. The RAS server validates the PPP client using whatever
authentication method is required on the RAS server: Microsoft encrypted
authentication (MS-CHAP), encrypted authentication (challenge schemes such as
CHAP), or any authentication type, including clear text (PAP). This PPP
authentication exchange rides inside the GRE packets across the Internet, so the
clear-text option sends the user's password over the Internet unprotected; a RAS
server that accepts PPTP calls should require one of the encrypted methods.

4. Before packets from the client reach the LAN, PPP framing is removed from the
enclosed IP, NetBEUI, or IPX datagrams. Figure 4-5 is a diagram of those protocol
layers that are active during each portion of the connection for dialing into ISPs
that support PPTP.

[Figure 4-5 (diagram): the virtual private network spans the client system, the dial-up line, "The Internet" and the corporate LAN; the protocol layers shown are the delivery media header (various types), PPP framing, media header, GREv2 header, and the IP, IPX, and NetBEUI datagrams.]

Figure 4-5. Active protocol layers during a PPTP connection

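The packet layout from "Dissecting a PPTP Packet" and the strip-and-rebuild sequence in steps 2 and 3 above, as an added example that is not code from the book: the script builds a PPTP data packet from a constructed PPP frame the way the ISP's remote access switch would (GREv2 header, then IP header, then an Ethernet delivery header) and then peels the three headers off again the way the RAS server does. The GREv2 field layout (key field split into payload length and Call ID, optional sequence and acknowledgment numbers, version 1, protocol type 0x880B for PPP) follows RFC 2637, which was published after this edition; the IP addresses, MAC addresses, Call ID and PPP payload are made up for the example. The decapsulation refuses anything that is not IP protocol 47, which is the same reason the packet filter in "Where PPTP Fits into Our Scenario" has to pass GRE as well as TCP port 1723.

```python
# Added example (not from the book): build and dissect a PPTP data packet.
# Layers, outermost first: Ethernet delivery header, IPv4 header, enhanced GRE
# (GREv2, RFC 2637) header, PPP frame. Every address, MAC, Call ID and payload
# below is constructed for the example.
import struct

PPP_PROTOCOL_TYPE = 0x880B   # GRE "Protocol Type" for PPP
IP_PROTO_GRE = 47            # IP protocol number of the GRE data channel
ETHERTYPE_IPV4 = 0x0800


def build_grev2_header(payload_len, call_id, seq=None, ack=None):
    """Enhanced GRE header: C=R=s=0, K=1, Ver=1; S set when seq is given, A when ack is."""
    byte0 = 0x20 | (0x10 if seq is not None else 0)   # bits: C R K S s Recur(3)
    byte1 = (0x80 if ack is not None else 0) | 0x01    # bits: A Flags(4) Ver(3)
    hdr = struct.pack("!BBHHH", byte0, byte1, PPP_PROTOCOL_TYPE, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr


def parse_grev2_header(data):
    """Return (fields, ppp_payload); raise ValueError for anything that is not GREv2 carrying PPP."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", data[:8])
    flags = {"C": bool(b0 & 0x80), "R": bool(b0 & 0x40), "K": bool(b0 & 0x20),
             "S": bool(b0 & 0x10), "s": bool(b0 & 0x08), "A": bool(b1 & 0x80),
             "ver": b1 & 0x07}
    if flags["ver"] != 1 or not flags["K"] or flags["C"] or flags["R"] or flags["s"]:
        raise ValueError("not an enhanced GRE (PPTP) header: %r" % flags)
    if proto != PPP_PROTOCOL_TYPE:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    off, seq, ack = 8, None, None
    if flags["S"]:
        (seq,) = struct.unpack("!I", data[off:off + 4])
        off += 4
    if flags["A"]:
        (ack,) = struct.unpack("!I", data[off:off + 4])
        off += 4
    payload = data[off:off + plen]
    if len(payload) != plen:
        raise ValueError("payload length field %d exceeds packet" % plen)
    return {"call_id": call_id, "seq": seq, "ack": ack, **flags}, payload


def ipv4_checksum(hdr):
    """Ones-complement sum of 16-bit words; 0 when run over a header whose checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=IP_PROTO_GRE):
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(ppp_frame, switch_ip, ras_ip, call_id, seq, dst_mac, src_mac):
    """Step 2 at the remote access switch: PPP frame -> GREv2 -> IP -> Ethernet delivery header."""
    gre = build_grev2_header(len(ppp_frame), call_id, seq=seq) + ppp_frame
    ip = build_ipv4_header(switch_ip, ras_ip, len(gre)) + gre
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def decapsulate(frame):
    """Step 3 at the RAS server: strip delivery, IP and GREv2 headers; return (src_ip, gre_fields, ppp)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("delivery header does not carry IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_GRE:   # why the packet filter must pass protocol 47, not only TCP/1723
        raise ValueError("not GRE: IP protocol %d" % ip[9])
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src_ip = ".".join(str(b) for b in ip[12:16])
    fields, ppp = parse_grev2_header(ip[ihl:total_len])
    return src_ip, fields, ppp


# Constructed PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IPv4), eight dummy bytes.
SAMPLE_PPP = bytes([0xFF, 0x03, 0x00, 0x21]) + b"\x45\x00\x00\x08ABCD"


def demo():
    """Switch encapsulates, RAS server decapsulates; the PPP frame must come back unchanged."""
    frame = encapsulate(SAMPLE_PPP, "192.0.2.10", "2.1.1.60", call_id=7, seq=1,
                        dst_mac=b"\x00\x11\x22\x33\x44\x55", src_mac=b"\x66\x77\x88\x99\xaa\xbb")
    src_ip, fields, ppp = decapsulate(frame)
    return src_ip, fields["call_id"], fields["seq"], ppp


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the recovered source address, Call ID, sequence number and PPP frame. In real traffic only the delivery header changes from hop to hop, exactly as step 2 says; the IP, GREv2 and PPP layers arrive at the RAS server unchanged, so a sniffer anywhere on the path sees the PPP authentication exchange inside the GRE payload, which is why the choice of authentication method in step 3 matters.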
In a situation where the RAS user is dialing into an ISP that doesn't support PPTP,
much of the process is the same. The only change would be in step 2. Instead of
the remote access switch starting the PPTP session with the RAS server, the client
makes a PPTP connection to the RAS server using Dial-Up Networking (as we said
earlier). The PPTP packets are therefore sent through the standard PPP connection
the client is making with the ISP's remote access switch. At that point in the
connection, the client's PPP datagram is encapsulated by PPTP which is, in turn,
