Overview: Virtual Private Networks and Security Issues
More and more businesses today are crossing borders and going wireless. With this trend comes a rise in the number of remote offices and mobile users, which has inadvertently increased the external security threat towards corporate networks.
Protecting the corporate network from external hackers and internal abuse presents a tough challenge. Throw the internet into the equation and it becomes even more complex.
Businesses are often quick to adopt wireless networking tools to increase efficiency but they tend to overlook the impact on the overall security of their networks, which leaves the corporate office, remote offices and mobile workers equally vulnerable to attacks.
At the enterprise level, organisations are more aware of the threats posed by internet usage than small- to mid-sized businesses.
A poll conducted last year by WatchGuard Technologies, Inc., revealed that the lack of technical knowledge by teleworkers is the number one security threat to the corporate network.
Teleworkers tend to stay connected for longer periods from a single point while on the move and this gives hackers more time and opportunity to infiltrate their systems and access the corporate network.
For small- to mid-sized companies, the odds stack further against them as they typically do not have the resources for enterprise-grade network security, leaving their networks and workers even more vulnerable to threats.
So, how can a company protect its network, remote offices and workers in a highly effective yet cost-efficient way?
Remote access to a corporate network poses a security threat that can be met with many solutions. Virtual private networks are the most effective way to ensure business communications over the internet remain private and secure.
VPNs are especially attractive as they are designed to provide the security of a private, dedicated, leased-line network, without the cost of actually owning one.
The concept involves use of the public network (internet) to establish a VPN on top of it and can be extended to connect multiple locations/offices. Remote offices and mobile workers just need to connect to a local Internet Service Provider (ISP) and go through the internet to reach the corporate network.
A VPN allows users to set up private “conversations” with their home offices utilising a normal internet connection. It uses cryptography to scramble data so it is unreadable as it travels over the internet, providing privacy over public lines.
Today, VPNs are rapidly moving from being just a trendy phase to being essential for wired businesses.
Creating Secure VPNs
Implementing a VPN requires on-going commitment to manage and maintain the system. When deciding on a VPN solution, companies have to consider issues on interoperability, scalability, management and total cost of ownership.
To address interoperability issues, standards organisations have developed a worldwide standard called IPSec (Internet Protocol Security), which defines the rules by which devices from several vendors can work effectively together. IPSec-certified products are guaranteed to interoperate.
Companies should also consider what their security needs will be two to three years from now. The best VPN technology will have the ability to mature in scope as the company grows without high costs in deployment, management and maintenance.
For a VPN solution to be effective, it should have a simplified management interface, the ability to aggregate logs from numerous sources, and advanced features that work in multimode networks. Low initial deployment costs might not translate into low overall costs if the VPN ends up being time-consuming to manage and difficult to maintain.
VPNs are created through security schemes applied to internet communications. A virtual network is not physical, but forms on demand through software that establishes a point-to-point session between secure clients. VPN connections are therefore like private, controlled phone calls and can be set up, managed and disconnected by either party.
A virtual private network makes use of the internet’s physical base of routers, ATM (asynchronous transfer mode) switches, and digital and analog lines without sacrificing security. Companies can choose to set up their VPNs to involve encryption only, or strengthen their transmission security by adding user authentication or a firewall.
Encryption transforms data into a form that is unreadable to unauthorised users, while user authentication verifies the identity of users requesting access to network resources.
Moreover, firewalls provide added protection from intrusion and abuse.
VPNs can be best used to protect mobile workers, branch/remote offices and extranets. VPN solutions like WatchGuard’s combine all three elements – encryption, authentication and firewall – to ensure highest-level security for an extended network.

Fig. 1: Protecting remote offices and telecommuter sites
Companies can use one of the three models (refer to Table 1) to connect remote sites and mobile users to their corporate networks – client-based VPN software (Mobile User VPN or MUVPN), mixed vendor site-to-site VPN solution (IPSec-capable routers) or single vendor solution with integrated firewall.
When choosing a VPN solution, companies should ask themselves a few questions to evaluate how best they can connect their users. These include:
• Policy control – Do you allow full access to your entire network or restrict access?
• Troubleshooting – How difficult is it to correct things that go wrong on the remote end?
• Logging – Does the endpoint support common logging with your VPN gateway/firewall?
• Traffic segmentation – Can business and family traffic be separated?
• Authentication – How can you be sure traffic coming through the tunnel is from your employee and not a hacker?
• Total cost of ownership (TCO) – What is your cost of acquisition, deployment and maintenance?
Mobile User VPN
With mobile users, the worry is that someone will tap into the exchange of information between the user and network. Alternatively, someone could deposit malicious code on the remote user’s computer while it is connected to the internet from outside the company’s firewall.
The simplest of the three basic options is the MUVPN, which is ideal for a small number of teleworkers or if a premium is placed on the ability to connect from anywhere.
With a MUVPN, traffic is segmented and connection information is logged at the VPN gateway and MUVPN client. MUVPN also provides strong authentication for all connections. However, remote users either get all or none of the corporate network. To troubleshoot, the MUVPN client must use third-party remote management software. Costs associated with initial deployment will depend on how complex a company’s roll-out plan is. No routine maintenance is required but the MUVPN secures only the traffic in the tunnel. As such, it would be wise to install antivirus software and a personal firewall too.
Third-party IPSec-capable Firewalls/Routers
With a third-party IPSec-capable firewall/router, the low cost of acquisition can be complemented by a low cost of ownership. In a typical architecture, a low-cost firewall/router is connected to the main VPN gateway with a manually configured IPSec tunnel. Policy controls are imposed at the main VPN termination point to reduce deployment complexity and all tunnel traffic should be blocked by the firewall.
IPSec-capable routers may or may not support traffic logging and may not have “debug” level logs available. If they do, the information from both sets of logs must be integrated. Few inexpensive IPSec-capable routers can segment traffic or provide user authentication. In maintaining the system, standardising on a single vendor and management system will cost less than implementing a mix of brands.
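The integration problem described above, as an added illustration that is not part of the original article: two constructed log formats (a gateway that logs IKE phases per tunnel, and a router that logs bare SA up/fail events without a year) are normalised into one record shape, then paired by time so that a tunnel the gateway reports as failed, or one the router never logged at all, stands out. The log formats, device names and the 5-second pairing window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in two deliberately different formats (not real product output).
GATEWAY_LOG = """\
2003-04-02 09:15:01 vpn-gw ike: tunnel=branch-a peer=203.0.113.7 event=phase1-up
2003-04-02 09:15:02 vpn-gw ike: tunnel=branch-a peer=203.0.113.7 event=phase2-up
2003-04-02 09:40:11 vpn-gw ike: tunnel=branch-b peer=203.0.113.9 event=phase2-fail reason=proposal-mismatch
2003-04-02 10:05:00 vpn-gw ike: tunnel=branch-c peer=203.0.113.11 event=phase2-up
"""
ROUTER_LOG = """\
Apr  2 09:15:03 rtr-a IPSEC: SA up peer=198.51.100.2
Apr  2 09:40:12 rtr-b IPSEC: SA fail peer=198.51.100.2 reason=no-proposal
"""
GW_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dev>\S+) ike: tunnel=(?P<tunnel>\S+) "
                   r"peer=\S+ event=(?P<event>\S+)(?: reason=(?P<reason>\S+))?$")
RT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) IPSEC: SA (?P<state>up|fail) "
                   r"peer=\S+(?: reason=(?P<reason>\S+))?$")

def parse_gateway(text):
    """Normalise gateway lines; keep only phase-2 events, which decide whether traffic flows."""
    recs = []
    for m in filter(None, map(GW_RE.match, text.splitlines())):
        if m["event"].startswith("phase2"):
            recs.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "side": "gateway",
                         "dev": m["dev"], "tunnel": m["tunnel"], "reason": m["reason"],
                         "outcome": "up" if m["event"].endswith("up") else "fail"})
    return recs

def parse_router(text, year):
    """Normalise router lines; the syslog stamp carries no year, so the caller supplies it (assumption)."""
    recs = []
    for m in filter(None, map(RT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        recs.append({"ts": ts, "side": "router", "dev": m["dev"], "tunnel": None,
                     "outcome": m["state"], "reason": m["reason"]})
    return recs

def correlate(gw, rt, window=timedelta(seconds=5)):
    """Pair each gateway phase-2 event with the router event nearest in time; report disagreements."""
    findings = []
    for g in gw:
        near = sorted((r for r in rt if abs(r["ts"] - g["ts"]) <= window), key=lambda r: abs(r["ts"] - g["ts"]))
        if not near:
            findings.append((g["tunnel"], "no router-side record within window"))
        elif near[0]["outcome"] != g["outcome"]:
            findings.append((g["tunnel"], f"gateway={g['outcome']} router={near[0]['outcome']}"))
        elif g["outcome"] == "fail":
            findings.append((g["tunnel"], f"both sides failed: {g['reason']} / {near[0]['reason']}"))
    return findings
```

Calling correlate(parse_gateway(GATEWAY_LOG), parse_router(ROUTER_LOG, 2003)) flags branch-b (both sides rejected the proposal) and branch-c (the gateway saw the tunnel come up but the router logged nothing), which is exactly the gap a router without logging leaves.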
Single Vendor Solution
A single solution is easier to manage. Products from a single vendor are generally made to work together, have a common log format, tighter IPSec integration, special tunnel management tools and lower maintenance costs.
With a single vendor solution, tunnel traffic is managed by the VPN gateway, centralising control and simplifying management. Devices from a single vendor share a common management suite, terminology and log format, making them easier to debug. More sophisticated remote office devices can separate traffic from the home and office. They can also authenticate employees before allowing them access to the internet or a tunnel. Initial acquisition is generally more expensive but companies will see lower maintenance, deployment and management costs.
Model | Strengths | Weaknesses |
Client-based VPN software (Mobile User VPN or MUVPN) | Inexpensive; can be used anywhere tunnel traffic is allowed. | No remote management or logging; remote system must be secured separately. |
Mixed vendor site-to-site VPN solution (IPSec-capable routers) | Inexpensive initial acquisition; can use whatever is “at hand”. Many IPSec-capable routers come with firewall capabilities. | More expensive to configure and manage; manual tunnel setup is required; logging is not uniform; troubleshooting problems requires integration of two dissimilar data sets. |
Single vendor solution with integrated firewall | Less expensive to manage; integrated logging, reporting and troubleshooting facilitated by common log format and timing; unified management interface/paradigm; added functionality such as content filtering is often available. | More expensive in initial acquisition, vendor products might not be available worldwide. |
Table 1: Three models for connecting remote sites to the corporate network