Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques. Understand the types of VPN systems.
Define Virtual Private Networks Characteristics of VPNs: Traffic is encrypted to prevent eavesdropping. The remote site is authenticated. Multiple protocols are supported over the VPN. The connection is point to point.
Define Virtual Private Networks VPNs may require the user to authenticate before accessing a central server, or require that both ends of the VPN authenticate each other. VPNs can carry various protocols, especially application layer protocols. Each VPN channel is distinct and uses encryption to keep its traffic separate from other traffic. There are two types of VPNs: user VPNs and site VPNs.
Deploy User VPNs VPNs between individual users’ machines and an organization’s site or network are called User VPNs. User VPNs are used for employees who either travel or telecommute. The VPN server may either be the organization’s firewall or a separate VPN server.
Deploy User VPNs While establishing a VPN, the site will request user authentication. On successful authentication, the user is allowed to access the internal network. Although the user has a VPN connection back to the organization, they still have access to the Internet.
Deploy User VPNs Benefits of User VPNs. Issues with User VPNs. Managing User VPNs.
Benefits of User VPNs Employees who are traveling can access e-mail, files, and internal systems without expensive equipment. Employees working from home can access the network’s services, just as employees working from within the organization’s facilities.
Issues with User VPNs User VPNs, if optimally utilized, can reduce an organization’s costs. Significant security risks and implementation issues must be addressed. The largest security concern is the employee’s simultaneous connection to the Internet: because the computer is attached to both networks at once, the risk of malicious code passing through it into the internal network is high.
Issues with User VPNs Figure: use of a Trojan horse program to access an organization’s internal network.
Issues with User VPNs User VPNs require paying the same attention to user management issues as internal systems. The use of a two-factor authentication process is recommended, since VPN permits access to internal resources. Additional support for VPN users must include a personal firewall and updated anti-virus software to protect the internal network.
Managing User VPNs Managing user VPNs is primarily an issue of managing the users and their computer systems. The appropriate user management procedures should be in place and followed during employee separation. A good anti-virus software package must be installed on the user’s computer.
Deploy Site VPNs Site VPNs allow organizations to connect locations without the cost of expensive leased lines. Site VPNs authenticate each other with the use of certificates or shared secrets. Site VPNs save costs.
Deploy Site VPNs Issues: Policies and restrictions allow the organization to limit what a remote site can access or do once connected. VPNs are an extension of the company’s sites. A weak remote site is a risk, as it allows an intruder to access the internal network. A coherent and logical IP addressing scheme should be used for all sites.
Deploy Site VPNs Managing site VPNs: Monitoring the site ensures smooth communication between the sites and compliance with the policies. Routes to remote sites will need to be created on the internal network. They should be well documented to ensure that they are not deleted.
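The addressing, routing and policy points above lend themselves to a small planning check. The following is an added example, not part of the original slides: it takes a constructed site plan (all addresses are example values), flags subnets that overlap between sites, generates the documented routes each site's internal routers need for the remote sites, and applies a per-site allow-list of the destinations a remote site may reach.

```python
import ipaddress
from itertools import combinations

# Constructed address plan (example values, not from the slides): each site gets
# its own block of private space, and each site's VPN server has an internal
# address that the site's routers use as next hop for remote subnets.
SITE_PLAN = {
    "headquarters": {"vpn_server": "10.1.0.2",
                     "subnets": ["10.1.0.0/16"], "may_reach": ["10.0.0.0/8"]},
    "branch-east":  {"vpn_server": "10.2.0.2",
                     "subnets": ["10.2.0.0/16", "10.3.0.0/24"], "may_reach": ["10.1.10.0/24"]},
    "branch-west":  {"vpn_server": "10.4.0.2",
                     "subnets": ["10.4.0.0/16"], "may_reach": ["10.1.10.0/24"]},
}

def find_overlaps(plan):
    """List (site_a, net_a, site_b, net_b) for every subnet pair that overlaps
    across two sites; an empty list means the addressing scheme is coherent."""
    nets = [(site, ipaddress.ip_network(n))
            for site, cfg in plan.items() for n in cfg["subnets"]]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(nets, 2)
            if sa != sb and na.overlaps(nb)]

def routes_for(local_site, plan):
    """Static routes the local site's internal routers need: every remote subnet
    via the local VPN server, each tagged with the remote site it belongs to so
    the documentation survives the next routing cleanup."""
    next_hop = plan[local_site]["vpn_server"]
    return [{"destination": n, "via": next_hop, "comment": f"site-vpn to {site}"}
            for site, cfg in plan.items() if site != local_site
            for n in cfg["subnets"]]

def remote_site_allowed(remote_site, destination, plan):
    """Policy check for a site VPN: may traffic from remote_site reach destination?
    Anything outside the site's documented allow-list is refused."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(n) for n in plan[remote_site]["may_reach"])

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITE_PLAN))
    for route in routes_for("headquarters", SITE_PLAN):
        print(route)
```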
Understand Standard VPN Techniques A VPN comprises four key components: a VPN server, encryption algorithms, an authentication system, and a VPN protocol.
Understand Standard VPN Techniques A proper VPN architecture depends on properly identifying its requirements, including: The length of time for which information should be protected. The number of simultaneous user connections. The types of user connection expected.
Understand Standard VPN Techniques A proper VPN architecture depends on properly identifying its requirements, including (continued): The number of remote site connections. The types of VPNs that will need to connect. The amount of traffic to and from remote sites. The security policy governing the security configuration.
VPN Server The VPN server is the computer system that acts as the end for the VPN. Most VPN software vendors should be able to provide a recommended processor speed and memory configuration based on the number of simultaneous VPN connections. Some vendors also provide a means of fail-over and allow for redundant VPN servers.
VPN Server Figure: firewall policy rules including a VPN DMZ.
Encryption Algorithms The encryption used on the VPN should be a well-known, strong algorithm. If an intruder successfully intercepts a VPN communication, it indicates that they: must have a sniffer on the path the packets travel, capturing the entire session; and have substantial computing power to brute-force the key and decrypt it.
Authentication System The VPN authentication system should be a two-factor system. Users can be authenticated by what they are, what they have, or what they know. Smart cards with a PIN or password are a good two-factor combination for authenticating users. If an organization chooses to use only passwords for the VPN, they should be strong and changed on a regular basis.
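To make the two-factor requirement concrete, here is an added example (not from the slides, and not any vendor's VPN code) of a login check that combines something the user knows with something the user has: a salted PBKDF2 password hash plus a time-based one-time code per RFC 4226/6238, standing in for the smart card on the slide. The enrolment record, salt and shared secret are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Constructed enrolment record (example values, not from the slides): the
# password is stored as a salted PBKDF2 hash (something the user knows) and
# the shared TOTP secret stands in for the token the user has.
PBKDF2_ROUNDS = 200_000

def enrol(password, salt, totp_secret):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)

def verify_vpn_login(record, password, code, at_time=None, window=1):
    """Two-factor check: both the password and the current one-time code must
    match. Both factors are always evaluated, and comparisons are constant-time,
    so a failed attempt does not reveal which factor was wrong. The +/- window
    tolerates small clock drift between the token and the VPN server."""
    at_time = time.time() if at_time is None else at_time
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])
    step_now = int(at_time) // 30
    otp_ok = any(hmac.compare_digest(hotp(record["totp_secret"], step_now + d), code)
                 for d in range(-window, window + 1))
    return pw_ok and otp_ok
```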
VPN Protocol In general, a standard protocol rather than a proprietary one should be used for the VPN. IPsec is the current standard for VPNs. The primary alternative to IPsec is SSL (Secure Sockets Layer).
Understand the Types of VPN Systems The primary types of VPN systems are: hardware systems, software systems, and web-based systems.
Hardware Systems A hardware appliance should be used as the VPN server. This appliance runs the manufacturer’s software and may include some special hardware to improve the encryption capability of the system.
Hardware Systems Benefits are: Speed: The hardware is most likely optimized to support the VPN and thus provides a speed advantage over a general-purpose computer system. Increased capacity: This translates into an ability to handle a greater number of simultaneous VPN connections. Security: If the hardware appliance has been specifically built for the VPN application, all extraneous software and processes must be removed from the system.
Software Systems Software VPNs are loaded on a general-purpose computer system. They may be either installed on a system dedicated to the VPN or in conjunction with other software, such as a firewall. Software VPNs can be used in the same manner as the hardware VPNs. Software is available for handling user VPNs as well as site VPNs.
Web-based Systems Web-based VPNs do not require software to be loaded on the client, which decreases the administrative and managerial workload. Web-based VPNs are limited in which applications can be used and how the client connects to them.
Summary VPNs may require authentication to access a central server or that both VPN ends authenticate each other. There are two types of VPNs: user VPNs and site VPNs. While establishing a VPN, the site will request user authentication. Successful authentication allows the user to access the internal network. Although the user has a VPN connection back to the organization, they still have access to the Internet.