Virtual private networks (VPNs) were created to address two different problems: the high cost of dedicated leased lines needed for branch office communications and the need to allow employees a method of securely connecting to the headquarters' networks when they were on business out of town or working from home.
How a VPN works
A VPN uses a special protocol to establish a virtual channel between two machines or two networks. Imagine if you could blow a soap bubble in the shape of a tube and only you and your friend could talk through it. The bubble is temporary, and when you want to have another conversation you have to blow another bubble. That's kind of like a VPN's channel. The channel is actually a temporary direct session between the two endpoints, and this is what is commonly referred to as tunneling.
The VPN also exchanges a set of shared secrets to create an encryption key. The traffic traveling along the established channel is wrapped in an encrypted package that carries an address on the outside, while the contents are hidden from view. It's sort of like a candy wrapper: you can see the wrapper and what is printed on it, but you can't see the candy inside. The same thing happens with the encrypted traffic. The original contents are hidden from view, but the outside of the package carries enough information to get it to its destination. After the data reaches its destination, the wrapper is removed and the original traffic is delivered.
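The tunnel-plus-wrapper idea described above, as an added example that is not part of the original article: two gateways agree on a session key with an X25519 key exchange, then the sending gateway encapsulates an inner packet in an outer packet whose header (the two gateway addresses) stays readable for routing while the inner packet is encrypted and authenticated with AES-256-GCM. The header layout, the key-derivation label and the gateway addresses (taken from the documentation ranges) are assumptions constructed for this example and do not correspond to any real VPN protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// Outer header, sent in the clear: 4-byte source gateway, 4-byte destination
// gateway, 2-byte inner length. This layout is an assumption made for the example.
const headerLen = 10
const nonceLen = 12 // standard AES-GCM nonce size

// Constructed gateway addresses from the RFC 5737 documentation ranges.
var hqGateway = net.IPv4(203, 0, 113, 10)
var branchGateway = net.IPv4(198, 51, 100, 20)

// deriveSessionKey runs an X25519 key agreement and hashes the shared secret into a
// 256-bit AES key. Real VPN protocols authenticate the peers and run a fuller key
// schedule; the label string below is constructed for this example.
func deriveSessionKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) ([]byte, error) {
	secret, err := mine.ECDH(theirs)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-vpn-session-key"))
	h.Write(secret)
	return h.Sum(nil), nil
}

// handshake gives each gateway an ephemeral key pair and lets both sides derive the
// session key independently; the two results must match for the tunnel to work.
func handshake() (keyA, keyB []byte, err error) {
	curve := ecdh.X25519()
	a, errA := curve.GenerateKey(rand.Reader)
	b, errB := curve.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return nil, nil, errors.New("key generation failed")
	}
	keyA, errA = deriveSessionKey(a, b.PublicKey())
	keyB, errB = deriveSessionKey(b, a.PublicKey())
	if errA != nil || errB != nil {
		return nil, nil, errors.New("key agreement failed")
	}
	return keyA, keyB, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate is the "wrapper": the header stays readable so the outer packet can be
// routed, the inner packet is encrypted, and the header is bound to the ciphertext
// as associated data so it cannot be altered in transit without detection.
func encapsulate(key []byte, srcGW, dstGW net.IP, inner []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], srcGW.To4())
	copy(hdr[4:8], dstGW.To4())
	binary.BigEndian.PutUint16(hdr[8:10], uint16(len(inner)))
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, headerLen+nonceLen+len(inner)+gcm.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, inner, hdr), nil
}

// decapsulate removes the wrapper at the far end, rejecting packets whose header or
// ciphertext were changed in transit or that were sealed under a different key.
func decapsulate(key, outer []byte) (srcGW, dstGW net.IP, inner []byte, err error) {
	if len(outer) < headerLen+nonceLen {
		return nil, nil, nil, errors.New("outer packet too short")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, nil, err
	}
	hdr := outer[:headerLen]
	nonce := outer[headerLen : headerLen+nonceLen]
	inner, err = gcm.Open(nil, nonce, outer[headerLen+nonceLen:], hdr)
	if err != nil {
		return nil, nil, nil, errors.New("authentication failed: packet altered or wrong key")
	}
	return net.IP(hdr[0:4]), net.IP(hdr[4:8]), inner, nil
}

func main() {
	keyA, keyB, _ := handshake()
	inner := []byte("constructed inner packet: GET /payroll HTTP/1.1")
	outer, _ := encapsulate(keyA, branchGateway, hqGateway, inner)
	fmt.Printf("readable outer header: %v -> %v; hidden payload starts %x...\n",
		branchGateway, hqGateway, outer[headerLen:headerLen+8])
	src, dst, got, err := decapsulate(keyB, outer)
	fmt.Printf("unwrapped at %v from %v: %q (err=%v)\n", dst, src, got, err)
}
```

Running the program shows the two gateway addresses in the clear and the inner request only after decapsulation; flipping any byte of the outer packet, including the readable header, makes the receiving side reject it rather than deliver altered traffic, which is the property the "wrapper" must have beyond mere hiding.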
Setting up a VPN
You can set up a VPN in two ways. The first way is normally used between networks: firewalls or encrypting routers do the encrypting and decrypting of the traffic, so there is no need for special software on the desktop or client computers. The second way is to have a firewall, encrypting router, or VPN server at the destination end and special VPN client software on the desktop or laptop computers. Which way you choose depends on whether the VPN is a two-way operation or a one-way operation.
Determine the relationship
In a two-way relationship you have two networks that want to work together, and each has basically the same VPN setup as the other. The request to establish a VPN connection can come from either direction. No special software is needed on the desktop computers because all the encrypting and decrypting is done at the entry and exit points of the network. Both networks also have key management systems, so either can create secret keys for a VPN session. It's important that the two networks have compatible VPN components, or they won't be able to talk to one another.
In a one-way relationship, the destination network has the VPN setup and there is no agreement with another network to share it. In that case, the computer wanting to connect to the network has to have VPN client software, and the request can only be made in one direction — from the client to the network. The client software can request a connection and authenticate itself, but the mechanisms for making secret keys exist only on the network side. The client computer has a secret key stored on it, but it cannot create new keys.
Generally, the one-way system is used for remote users who are dialing in from home or while they are traveling. They dial up through their ISP, and the mechanisms for establishing and maintaining VPN connections are all contained at the destination network. If someone whose laptop lacked the VPN client software tried to connect to the company's network, he wouldn't get far, because he would have neither the client software nor a secret key. Additionally, the unauthorized user would not be listed in the VPN's database of authorized users. However, once someone dials in and is authenticated, their access is the same as if they were sitting in the same building as the destination network.
Inside or outside?
You can set up the VPN endpoint at various locations. The endpoint is where the VPN traffic comes into your network. In some cases, the endpoint is also the firewall, as many firewalls come with VPN capabilities nowadays. The endpoint can also be in front of the firewall, in a DMZ off one side of the firewall, or inside the firewall. Each of these configurations has its pluses and minuses.
If you choose to put your VPN in front of the firewall, the VPN device does all of the encrypting and decrypting on its own. That means there is no need to allow an open VPN tunnel through your firewall. All of the traffic reaching the firewall will already have been decrypted, so the firewall can read it. However, if the VPN fails or is taken down, you'll be faced with a situation where either all the traffic goes out unencrypted or no traffic at all gets out. Which one happens depends on whether your VPN fails open or fails closed.
A VPN on the firewall would seem like a good solution because, again, you don't need to leave an open tunnel through the firewall. The firewall handles all the encryption and decryption as well as its regular job of examining traffic. This type of solution puts an enormous burden on the poor little firewall, though. Encryption and decryption are labor-intensive for a computer, as is the examination of traffic, and the combination can turn the firewall into a traffic bottleneck.
Another method is to put the VPN on the inside of the firewall. This relieves the firewall and/or the router of having to handle the encryption and decryption of the traffic, but you have to allow a VPN tunnel to pass through the firewall. A firewall cannot inspect encrypted traffic, so it will allow that traffic to pass through unchallenged. Of course, the traffic will still be stopped by the VPN device, but by that time it's already in the internal network.
Securing the client
Probably the easiest way to break a VPN's security is to get hold of a laptop that is used to dial in for a VPN connection. The stolen laptop will have the VPN client software, the UserID, and the secret key all stored on one machine. A smart laptop owner will not have saved the password for the VPN tunnel on his computer. If he has, the thief has just gotten himself a free ticket to wander around in your network!
Users who connect to your network from laptops need to be given lessons in maintaining good security. They should have up-to-date anti-virus software installed and ensure that it runs every time they start their computer. Additionally, the laptop should have personal firewall software set up. Some VPN clients already include a personal firewall, so check with your vendor whether yours does. The personal firewall can ensure that only the VPN client is making the connection and that it's not actually a Trojan horse program masquerading as the VPN client. Another good precaution is to enable the BIOS password. That way, if the computer is stolen, it cannot even be started up without the password.