What is a secure private connection through a public network or the Internet called?

How does a virtual private network (VPN) work?

A VPN extends a corporate network through encrypted connections made over the Internet. Because the traffic is encrypted between the device and the network, traffic remains private as it travels. An employee can work outside the office and still securely connect to the corporate network. Even smartphones and tablets can connect through a VPN.

What is secure remote access?

Secure remote access provides a safe, secure way to connect users and devices remotely to a corporate network. It includes VPN technology that uses strong ways to authenticate the user or device. VPN technology is available to check whether a device meets certain requirements, also called a device’s posture, before it is allowed to connect remotely.

Is VPN traffic encrypted?

Yes, traffic on the virtual network is sent securely by establishing an encrypted connection across the Internet known as a tunnel. VPN traffic from a device such as a computer, tablet, or smartphone is encrypted as it travels through this tunnel. Offsite employees can then use the virtual network to access the corporate network.

Virtual Private Networks

Jim Harmening, Joe Wright, in Computer and Information Security Handbook, 2009

Publisher Summary

With the incredible advance of the Internet, it has become more and more popular to set up virtual private networks (VPNs) within organizations. VPNs have been around for many years and have branched out into more and more varieties. A VPN is a set of tools which allow networks at different locations to be securely connected, using a public network as the transport layer. The key to this technology is the ability to route communications over a public network to allow access to office servers, printers, or data warehouses in an inexpensive manner. As high-speed Internet has grown and become prevalent throughout the world, VPNs over the public Internet have become common. Not all VPNs had security in the early days. Packets of information are transmitted as clear text and can be easily seen. To keep the network systems secure, the information must be encrypted. Throughout the past 20 years, different encryption schemes have gained and lost favor. Some are too easy to break with the advanced speed of current computers; others require too much processing power at the router level, thus making their implementation expensive.

URL: https://www.sciencedirect.com/science/article/pii/B9780123743541000303

Network Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Client Access VPNs (Virtual Private Network)

A virtual private network (VPN) establishes a private network connection through a public network, like the Internet. Some consider it a form of tunnelling. There are many types of VPNs. VPNs are often used to join two networks together. But what we want to look at are client access VPNs. Client access VPNs are an extremely popular tool for providing external users access to a corporate network. The two most used technologies for this are IPSec VPNs and SSL VPNs.

IPSec VPNs use the IPSec protocol to create the VPN tunnel. IPSec VPNs operate at the network layer of the OSI model. When a client connects through an IPSec VPN, he or she has virtually full access to the network. Clients appear as just another node on the network. IPSec VPNs have been around for a long time. For years, IPSec VPNs were the standard for client access VPNs.

SSL VPNs have just begun to grow in popularity fairly recently. SSL VPNs use general SSL traffic over port 443 to establish the VPN connection. This is very useful when a user must initiate a connection from within a protected network. Many networks, especially corporate networks, filter what traffic is allowed to leave out through the firewall. In most cases, however, SSL over port 443 is allowed. SSL VPNs are considered more secure than IPSec VPNs because you have more control over what users can access. Another advantage SSL VPNs have over IPSec VPNs is the fact that most SSL VPNs can provide clientless access. Most IPSec VPNs require that some sort of VPN client software be installed on client systems in order for them to access the VPN.

URL: https://www.sciencedirect.com/science/article/pii/B978159749594300003X

Virtual Private Networks

James T. Harmening, in Computer and Information Security Handbook (Third Edition), 2017

Abstract

A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization's resources. This chapter discusses the fundamental technologies and features of VPNs. It describes SSL and how it fits within the context of layered network security. It presents a phased approach to VPN planning and implementation that can help in achieving successful VPN deployments. It also compares the VPN technology with Internet Protocol Security (IPsec) VPNs and other VPN solutions. This information is particularly valuable for helping organizations to determine how best to deploy VPNs within their specific network environments. Because a VPN can be used over existing networks such as the Internet, it can facilitate the secure transfer of sensitive data across public networks. An SSL VPN consists of one or more VPN devices to which users connect using their web browsers. The traffic between the web browser and the VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. This type of VPN may be referred to as either an SSL VPN or a TLS VPN. This chapter uses the term SSL VPN. SSL VPNs provide remote users with access to Web applications and client/server applications, and connectivity to internal networks. Despite the popularity of SSL VPNs, they are not intended to replace IPsec VPNs. The two VPN technologies are complementary and address separate network architectures and business needs. VPNs offer versatility and ease of use because they use the SSL protocol, which is included with all standard web browsers, so the client usually does not require configuration by the user. VPNs also offer granular control for a range of users on a variety of computers, accessing resources from many locations.

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000582

Networking in CCTV

Vlado Damjanovski, in CCTV (Third Edition), 2014

Virtual Private Networking (VPN)

Virtual Private Network (VPN) is a technology that allows establishment of an encrypted remote connection between two computers or networks. A VPN utilizes public networks to conduct private data communications. Most VPN implementations use the Internet as the public infrastructure and a variety of specialized protocols to support private communications through the Internet. VPN follows a client and server approach. VPN clients authenticate users, encrypt data, and otherwise manage sessions, with VPN servers utilizing a technique called tunneling. To achieve this, the office IP video surveillance networks connect to the Internet through the VPN gateway, the role of which can be played by both router and computer. Using VPN, the secured connection is established between the office networks, via the Internet using the so-called VPN tunnel. Before leaving one office network, the data is encrypted. At the other end of the tunnel, in another office, the data is decrypted.

URL: https://www.sciencedirect.com/science/article/pii/B9780124045576500112

Creating Remote Access and Site-to-Site VPNs with ISA Firewalls

Dr. Thomas W. Shinder, Debra Littlejohn Shinder, in Dr. Tom Shinder's Configuring ISA Server 2004, 2005

A Note on VPN Quarantine

VPN Quarantine allows you to pre-qualify VPN clients before allowing them access to the corporate network. The pre-qualification process can include checking that the VPN client has the latest security updates, hotfixes, anti-virus signatures, anti-spyware signatures, and more.

The ISA firewall's VPN-Q implementation is more a platform for development than a feature that can be used by the average ISA firewall administrator “out of the box.”

Frederic Esnouf's Quarantine Security Suite is an effective solution to the VPN-Q problem.

Avanade also provides a framework that you can use to create a functional VPN-Q solution using the ISA firewall.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836197500162

Introduction to Networking

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Virtual Private Networks

VPNs are encrypted communications between one endpoint and another, and they come in two varieties, point to point VPNs or remote access VPNs. In a point to point VPN you are connecting one building to another over the Internet; you will either use a VPN concentrator (dedicated VPN device), a firewall, or a router on each end. This allows users on each side of the point to point connection to access resources on the other side of the connection. This also makes it possible to create a LAN over multiple locations and share resources like active directory and DHCP servers, thus reducing the cost of resources needed in a company. The remote access VPNs allow individual people from any location that has connectivity to the Internet to connect to the corporate office and the resources contained therein. With a remote access VPN you have your PC or laptop computer with a wired, wireless, or modem connection to the Internet and you use client software (either native to the device, or provided by the VPN provider, like Cisco VPN client). You configure the client with the Internet Protocol (IP) address of the VPN connector at the company’s location. You then authenticate using a username and password; once connected, you have whatever rights you have to resources as allowed by the VPN policy (see Firewall Policies and VPN Configurations, Syngress, ISBN: 978-1-59749-088-7). Some of the encryption technologies used in VPN connections are Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES).

URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000051

Defining a VPN

In Firewall Policies and VPN Configurations, 2006

Summary

VPNs have quickly come to supplant traditional WAN technologies such as frame relay, leased lines, and dialup networks. They reduce the total cost of ownership of the WAN by eliminating recurring costs associated with those technologies and using the underlying and nascent IP technology a company has deployed. IPSec is one of the most commonly used VPNs. Other methodologies to secure communication include SSL VPN, SSH Tunnel, and Layer 2 solutions.

SSL VPN, being the clientless VPN, is the most versatile VPN, whereas SSH Tunnel helps to secure nonsecure protocols. Each of these techniques to secure communication has its advantages and disadvantages; the best scheme to secure a channel depends on a user or an organization.

URL: https://www.sciencedirect.com/science/article/pii/B9781597490887500074

Wireless penetration testing

Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Fourth Edition), 2017

Virtual Private Network (VPN)

A VPN is a private network that uses public infrastructure and maintains privacy through the use of an encrypted tunnel. Many organizations now use a VPN in conjunction with their wireless network. They often do this by allowing no access to internal or external resources from the WLAN until a VPN tunnel is established. When configured and deployed correctly, a VPN can be a very effective means of WLAN security. Unfortunately, in certain circumstances, VPNs in conjunction with wireless networks are deployed in a manner that can allow a penetration tester (or attacker) to bypass the VPN’s security mechanisms.

URL: https://www.sciencedirect.com/science/article/pii/B9780128021491000099

MCSA/MCSE 70-291: Configuring the Windows Server 2003 Routing and Remote Access Service VPN Services

Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003

IP Addressing Support for VPN Gateways

Unlike voluntary VPN tunnels, compulsory tunnels are configured only between intermediary machines (the VPN gateways). Consequently, we need to let each VPN gateway know which LAN addresses are available, and how to reach them. This can be accomplished by setting static routes or through the use of a routing protocol to advertise the routes available. For example, in Figure 7.21, we saw a LAN address in the 10.0.1.0/24 subnet for VPN Gateway One.

VPN Gateway Two is on the 10.0.2.0/24 subnet. In order for our clients on both LANs to be able to reach one another, each VPN server will require routes to its counterpart’s LANs. This means that VPN Gateway One will have to know that requests from its LAN clients for any address in the 10.0.2.0/24 subnet should be directed to VPN Gateway Two via the VPN tunnel interface. Likewise, for traffic to come back from VPN Gateway Two’s LAN, a route will have to be available on VPN Gateway Two for the 10.0.1.0/24 subnet via the VPN tunnel interface.
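
The routing requirement described above can be checked mechanically. The following Python sketch is an added example, not code from the study guide; the interface names and the routing-table layout are assumptions, and the table for VPN Gateway Two is constructed with its return route left out to show what the audit reports.

```python
import ipaddress

# Constructed routing tables for the two gateways in the text. The interface
# names ("lan", "vpn-tunnel", "internet") and this layout are assumptions.
GATEWAYS = {
    "VPN Gateway One": {
        "lan": "10.0.1.0/24",
        "routes": [("10.0.1.0/24", "lan"),
                   ("10.0.2.0/24", "vpn-tunnel"),
                   ("0.0.0.0/0", "internet")],
    },
    "VPN Gateway Two": {
        "lan": "10.0.2.0/24",
        # The route back to 10.0.1.0/24 is deliberately missing here.
        "routes": [("10.0.2.0/24", "lan"),
                   ("0.0.0.0/0", "internet")],
    },
}


def lookup(routes, destination):
    """Longest-prefix match: return the interface used for destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(gateways, tunnel_iface="vpn-tunnel"):
    """List (gateway, remote LAN, interface chosen) wherever traffic for a
    peer's LAN would not be sent into the VPN tunnel."""
    findings = []
    for name, gw in gateways.items():
        for peer, peer_gw in gateways.items():
            if peer == name:
                continue
            remote = ipaddress.ip_network(peer_gw["lan"])
            # Test the first and last host so a too-narrow route is caught.
            for host in (remote[1], remote[-2]):
                iface = lookup(gw["routes"], str(host))
                if iface != tunnel_iface:
                    findings.append((name, str(remote), iface))
                    break
    return findings


if __name__ == "__main__":
    for gateway, lan, iface in audit(GATEWAYS):
        print(f"{gateway}: traffic for {lan} leaves via {iface!r}, not the tunnel")
```

A finding means that gateway would forward traffic for the other office's LAN along its default route instead of encrypting it into the tunnel, so the return path the text describes does not exist.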

Exam Warning

Although the major focus of this chapter is not on IP addressing in particular, you must have a strong understanding of TCP/IP fundamentals to understand how VPNs work. All of our modern Internet-connected networks use TCP/IP as a transport mechanism. If you connect remote LANs through the Internet, IP addressing is the basis of the underlying infrastructure. The 70-291 exam will test your fundamental knowledge of TCP/IP. Understand the difference between public and private IP addresses and the implications of private addressing with regard to Internet connectivity (NAT).

Another option that we have available is to use dynamic routing instead of our static routes. We will fully address dynamic routing and the various routing protocols available on Windows Server 2003 in the next chapter, where we discuss the routing protocols that are supported, the configuration options for those protocols, and the factors to consider in selecting which protocol to use. We will address some of the basics of dynamic routing later in this chapter.

Calling routers receive IP addresses the same way that standard remote access clients receive their addresses. The answering router either can allocate an address from the DHCP server, an address may be allocated from a static address pool, or the calling router user account may have a specifically assigned address. If an address is not available for the calling router, a connection will still be established and the router will operate without an address. This process is known as an unnumbered connection. Be aware that the routing protocols provided by Windows Server 2003 RRAS do not support route advertisements over unnumbered connections, however. This means an unnumbered connection will need static routing configured for proper operation. When assigning addresses, each L2TP and PPTP port must have an IP address available for it, as well as an address for the calling router.

In the next section, we will look at the configuration options for our VPN gateways in greater detail.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836920500135

Virtual Private Networks and Remote Access

Eric Knipp, ... Edgar Danielyan Technical Editor, in Managing Cisco Network Security (Second Edition), 2002

Summary

VPN will help scale network security in a way that will be more manageable and reliable. With the use of IPSec within the VPN, you are addressing the concerns of network security from end to end. This provides a secure means for the transmission of data to and from your intended source.

Since VPNs are so widely used now by companies for WANs to Remote Access, we should soon see them in all wireless devices. Wireless is quickly becoming as secure as a remote user using a VPN to connect to a corporate LAN.

With Cisco leading the way in the use of IPSec with their line of IOS Routers, PIX firewalls, and VPN Concentrators, network security breaches should be reduced. With the multivendor interoperability possibilities that Cisco is currently working on, you will see VPNs being widely used by all network administrators.

URL: https://www.sciencedirect.com/science/article/pii/B978193183656250012X

What is secure private network?

Simply put, a private, isolated network never touches the public internet and provides a way to share data safely and independently. As companies connect to this “members only” network, more access points are available for a company to easily and securely share information.

Is VPN a private connection?

A VPN, which stands for virtual private network, is a service that establishes a secure and private connection to the internet. A VPN creates an encrypted tunnel to protect your personal data and communications, hide your IP address, and let you safely use public Wi-Fi networks.

What are private networks called?

A VPN (virtual private network) is a service that creates a safe, encrypted online connection. Internet users may use a VPN to give themselves more privacy and anonymity online or circumvent geographic-based blocking and censorship.

What is a secure VPN?

In practice, a VPN creates a secure tunnel for your data from sender to receiver. The virtual private network reroutes your data through this encrypted tunnel which ensures stronger protection against tracking and certain cyber-attacks.