Archive | VPN Network Tips

VPN Networks and Security

On computer networks, information can be protected by encryption. Encryption means replacing the information with a scrambled string of nonsense. This nonsense can be turned back into the original information using the key shared by the two machines. This encryption is virtually unbreakable and, when it’s used for business communications, it greatly increases the level of safety that the business enjoys. It’s also great for personal communications. VPN services use encryption, among other methods, to keep information safe.

Under the Radar

A VPN is oftentimes described as providing a way for users to create a secure tunnel over a public network. This analogy is actually pretty accurate in terms of describing what’s going on. The information exchanged over the VPN isn’t visible to people on the Internet. This means that people on a VPN connection can reach their work resources, applications on a private computer and many other types of information without having to worry about their information being intercepted. There are plenty of uses for this technology, as you can imagine, but businesses are particularly heavy users.

Untraceable

The other form of security that VPN services provide is that of masking your IP address. Your IP address is the numerical address that servers use to send you the information you request. The VPN service routes you through a server that gives the websites you’re visiting its IP address instead of yours. This prevents those websites from betting personal information from you and, of course, it makes it impossible for anyone snooping to say where you are.

Why This Matters for Security

There are plenty of ways that your IP address can be used against you. If someone with bad intentions knows that there’s a business network set up at your IP address, they have a target. That target might be tested with a port scan, be the subject of DDoS attacks or have all kinds of other mayhem released upon it. Concealing your IP address is a very important way to protect your security online.

Having your data encrypted is also a big part of staying safe online. Until the computer revolution came around, it was impossible for everyday people to get the type of security that’s provided by modern encryption. Today, you can get encryption levels from VPN providers that make it nearly impossible for anyone to see your information.

If you’re interest in upping your levels of security when you’re surfing, consider adding a VPN service to the tools that you use. It’s a powerful, meaningful and effective way of increasing the level of security on your network and, for your employees or for you, it’s an easy way to access the information on your servers from anywhere in the world without exposing them to attack. These services are remarkably affordable and, if you need to access information from remote locations, it’s a great technological feature. Surfing for business or for pleasure is much safer when you have control over your personal information and how it appears to others online.

Posted in VPN Network TipsComments (2)

Internet Security and VPN Network Design

Overview

This article discusses some essential technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop will use an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers will authenticate the remote user as an employee that is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host depending upon where there network account is located. The ISP initiated model is less secure than the client-initiated model since the encrypted tunnel is built from the ISP to the company VPN router or VPN concentrator only. As well the secure VPN tunnel is built with L2TP or L2F.

The Extranet VPN will connect business partners to a company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol utilized depends upon whether it is a router connection or a remote dialup connection. The options for a router connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will utilize L2TP or L2F. The Intranet VPN will connect company offices across a secure connection using the same process with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPN’s very cost effective and efficient is that they leverage the existing Internet for transporting company traffic. That is why many companies are selecting IPSec as the security protocol of choice for guaranteeing that information is secure as it travels between routers or laptop and router. IPSec is comprised of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which provide authentication, authorization and confidentiality.

Internet Protocol Security (IPSec)

IPSec operation is worth noting since it such a prevalent security protocol utilized today with Virtual Private Networking. IPSec is specified with RFC 2401 and developed as an open standard for secure transport of IP across the public Internet. The packet structure is comprised of an IP header/IPSec header/Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there is Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols are required for negotiating one-way or two-way security associations. IPSec security associations are comprised of an encryption algorithm (3DES), hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations utilize 3 security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will utilize a Certificate Authority for scalability with the authentication process instead of IKE/pre-shared keys.

Laptop – VPN Concentrator IPSec Peer Connection

1. IKE Security Association Negotiation

2. IPSec Tunnel Setup

3. XAUTH Request / Response – (RADIUS Server Authentication)

4. Mode Config Response / Acknowledge (DHCP and DNS)

5. IPSec Security Association

Access VPN Design

The Access VPN will leverage the availability and low cost Internet for connectivity to the company core office with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main issue is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be utilized which builds an IPSec tunnel from each client laptop, which is terminated at a VPN concentrator. Each laptop will be configured with VPN client software, which will run with Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with Windows, Solaris or a Mainframe server before starting any applications. There are dual VPN concentrators that will be configured for fail over with virtual routing redundancy protocol (VRRP) should one of them be unavailable.

Each concentrator is connected between the external router and the firewall. A new feature with the VPN concentrators prevent denial of service (DOS) attacks from outside hackers that could affect network availability. The firewalls are configured to permit source and destination IP addresses, which are assigned to each telecommuter from a pre-defined range. As well, any application and protocol ports will be permitted through the firewall that is required.

Extranet VPN Design

The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus since the Internet will be utilized for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that will terminate at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will utilize a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links be unavailable. It is important that traffic from one business partner doesn’t end up at another business partner office. The switches are located between external and internal firewalls and utilized for connecting public servers and the external DNS server. That isn’t a security issue since the external firewall is filtering public Internet traffic.

In addition filtering can be implemented at each network switch as well to prevent routes from being advertised or vulnerabilities exploited from having business partner connections at the company core office multilayer switches. Separate VLAN’s will be assigned at each network switch for each business partner to improve security and segmenting of subnet traffic. The tier 2 external firewall will examine each packet and permit those with business partner source and destination IP address, application and protocol ports they require. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.

Posted in VPN Network TipsComments (13)