Date post: 20-Dec-2015
Lesson 11-Virtual Private Networks
Transcript
Page 1: Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks

Page 2

Overview

Define Virtual Private Networks (VPNs).

Deploy User VPNs.

Deploy Site VPNs.

Understand standard VPN techniques.

Understand the types of VPN systems.

Page 3

Define Virtual Private Networks

Characteristics of VPNs:

Traffic is encrypted to prevent eavesdropping.

The remote site is authenticated.

Multiple protocols are supported over the VPN.

The connection is point to point.

Page 4

Define Virtual Private Networks

To access a central server, VPNs may require authentication or that both ends of the VPN authenticate each other.

VPNs can handle various protocols, especially application layer protocols.

Each VPN channel is distinct and uses encryption to separate traffic.

There are two types of VPNs: user VPNs and site VPNs.

Page 5

Deploy User VPNs

VPNs between individual users’ machines and an organization’s site or network are called User VPNs.

User VPNs are used for employees who either travel or telecommute.

The VPN server may either be the organization’s firewall or a separate VPN server.

Page 6

Deploy User VPNs

While establishing a VPN, the site will request user authentication.

On successful authentication, the user is allowed to access the internal network.

Although the user has a VPN connection back to the organization, they still have access to the Internet.

Page 7

Deploy User VPNs

Benefits of User VPNs.

Issues with User VPNs.

Managing User VPNs.

Page 8

Benefits of User VPNs

Employees who are traveling can access e-mail, files, and internal systems without expensive equipment.

Employees working from home can access the network’s services, just as employees working from within the organization’s facilities do.

Page 9

Issues with User VPNs

User VPNs, if optimally utilized, can reduce an organization’s costs.

Significant security risks and implementation issues must be addressed.

The largest concern for security is the employee’s simultaneous connection to the Internet. The risk of malicious code being sent through the computer is high.

Page 10

Issues with User VPNs

Use of a Trojan horse program to access an organization’s internal network.

Page 11

Issues with User VPNs

User VPNs require paying the same attention to user management issues as internal systems.

The use of a two-factor authentication process is recommended, since the VPN permits access to internal resources.

Additional support for VPN users must include a personal firewall and updated anti-virus software to protect the internal network.

Page 12

Managing User VPNs

Managing user VPNs is primarily an issue of managing the users and their computer systems.

The appropriate user management procedures should be in place and followed during employee separation.

A good anti-virus software package must be installed on the user’s computer.

Page 13

Deploy Site VPNs

Site VPNs allow organizations to connect locations without the cost of expensive leased lines.

Site VPNs authenticate each other with the use of certificates or shared secrets.

Site VPNs save costs.

Page 14

Deploy Site VPNs

Issues:

Policies and restrictions allow the organization to limit what a remote site can access or do once connected.

VPNs are an extension of the company’s sites. A weak remote site is a risk, as it allows an intruder to access the internal network.

A coherent and logical IP addressing scheme should be used for all sites.

Page 15

Deploy Site VPNs

Managing site VPNs:

Monitoring the site ensures smooth communication between the sites and compliance with the policies.

Routes to remote sites will need to be created on the internal network. They should be well documented to ensure that they are not deleted.
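The two site-VPN points above (a coherent IP addressing scheme across all sites, and documented routes to each remote site) can be checked mechanically. The following is an added example, not part of the lesson: the site names and prefixes are constructed sample data, and the "vpn-to-<site>" next-hop labels are hypothetical placeholders for whatever the real tunnel interfaces are called.

```python
"""Validate a site VPN addressing plan and derive the routes each site needs.
Overlapping prefixes between sites make routing over the VPN ambiguous, so a
coherent plan must have none; the derived route list is the documentation the
lesson asks for. Added example with constructed data, not the lesson's code."""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan (hypothetical values): one prefix per site.
SITES = {
    "headquarters": "10.1.0.0/16",
    "branch-east": "10.2.0.0/16",
    "branch-west": "10.3.0.0/16",
}


def find_overlaps(sites):
    """Return sorted (site_a, site_b) pairs whose prefixes overlap.
    A coherent scheme returns an empty list; strict=True also rejects
    prefixes whose host bits are not zero (a common typo in plans)."""
    nets = {name: ip_network(cidr, strict=True) for name, cidr in sites.items()}
    return sorted(
        (a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


def routes_for(site, sites):
    """Routes the internal network at `site` must carry so every other
    site's prefix is reachable through the VPN: (prefix, next-hop label)."""
    return sorted(
        (sites[other], f"vpn-to-{other}")   # hypothetical tunnel label
        for other in sites if other != site
    )


def route_table(sites):
    """Documentation table, site -> route list, refusing to emit one for a
    plan whose prefixes overlap (routes would be ambiguous anyway)."""
    overlaps = find_overlaps(sites)
    if overlaps:
        raise ValueError(f"overlapping site prefixes: {overlaps}")
    return {site: routes_for(site, sites) for site in sites}


if __name__ == "__main__":
    for site, routes in route_table(SITES).items():
        print(site)
        for prefix, hop in routes:
            print(f"  {prefix:<18} via {hop}")
    # A flawed plan where one branch reuses part of another branch's block.
    flawed = dict(SITES, **{"branch-west": "10.2.128.0/17"})
    print("overlaps in flawed plan:", find_overlaps(flawed))
```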

Page 16

Understand Standard VPN Techniques

A VPN comprises four key components:

VPN server

Encryption algorithms

Authentication system

VPN protocol

Page 17

Understand Standard VPN Techniques

A proper VPN architecture depends on properly identifying its requirements, including:

The length of time for which information should be protected.

The number of simultaneous user connections.

The types of user connection expected.

Page 18

Understand Standard VPN Techniques

A proper VPN architecture depends on properly identifying its requirements, including (continued):

The number of remote site connections.

The types of VPNs that will need to connect.

The amount of traffic to and from remote sites.

The security policy governing the security configuration.

Page 19

VPN Server

The VPN server is the computer system that acts as the endpoint for the VPN.

Most VPN software vendors should be able to provide a recommended processor speed and memory configuration based on the number of simultaneous VPN connections.

Some vendors also provide a means of fail-over and allow for redundant VPN servers.

Page 20

VPN Server

Firewall policy rules, including a VPN DMZ

Page 21

Encryption Algorithms

The encryption used on the VPN should be a well-known, strong algorithm.

For an intruder to successfully intercept and read a VPN communication, they:

Must have a sniffer on the path traveled by the packets, which captures the entire session.

Must have substantial computing power to brute-force the key and decrypt the session.

Page 22

Authentication System

The VPN authentication system should be a two-factor system.

Users can be authenticated by what they are, what they have, or what they know.

Smart cards with a PIN or password are a good two-factor combination for authenticating users.

If an organization chooses to use only passwords for the VPN, they should be strong and changed on a regular basis.

Page 23

VPN Protocol

In general, a standard protocol rather than a proprietary protocol should be used for a VPN. IPSec is the current standard for VPNs.

The primary alternative to IPSec is SSL (Secure Sockets Layer).

Page 24

Understand the Types of VPN Systems

The primary types of VPN systems are:

Hardware systems

Software systems

Web-based systems

Page 25

Hardware Systems

A hardware appliance should be used as the VPN server.

This appliance runs the manufacturer’s software and may include some special hardware to improve the encryption capability of the system.

Page 26

Hardware Systems

Benefits are:

Speed: The hardware is most likely optimized to support the VPN and thus will provide a speed advantage over a general-purpose computer system.

Increased capacity: This translates into an ability to handle a greater number of simultaneous VPN connections.

Security: If the hardware appliance has been specifically built for the VPN application, all extraneous software and processes must be removed from the system.

Page 27

Software Systems

Software VPNs are loaded on a general-purpose computer system.

They may be installed either on a system dedicated to the VPN or alongside other software, such as a firewall.

Software VPNs can be used in the same manner as hardware VPNs. Software is available for handling user VPNs as well as site VPNs.

Page 28

Web-based Systems

Using web-based VPNs does not require software to be loaded on the client, thus decreasing the administrative and managerial workload.

Web-based VPNs are limited in which applications can be used and in how the client connects to them.

Page 29

Summary

VPNs may require authentication to access a central server or that both VPN ends authenticate each other.

There are two types of VPNs: user VPNs and site VPNs.

While establishing a VPN, the site will request user authentication. Successful authentication allows the user to access the internal network.

Although the user has a VPN connection back to the organization, they still have access to the Internet.

