Virtual Private Network - Essay Example

VPN – Virtual Private Network Security threats to information systems are becoming more and more sophisticated as technology continually evolves and improves. No longer are the firewall, anti-virus, intrusion protection and a host of other security measures and countermeasures enough to protect the confidentiality, integrity and availability of information systems assets and resources. Some of the threats or attacks faced by a network environment include: denial-of-service attacks, address spoofing, session hijacking, sniffers, compromise key attacks, data modifications, man-in-the-middle, replay attacks, brute force, password guessers and dictionary attacks, and social attacks (Fortenberry, 2001).” Thus, more effective ways of combating the threats especially in terms of access to the network are extremely important in order to determine that those who access an information systems infrastructure are authorized and recognized by the system. One of the technologies available in protecting the information systems environment is via the deployment of a virtual private network or VPN. “A virtual private network (VPN) is a private communications network often used by companies or organizations, to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service providers private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data e.g. voice, data or video, or a combination of these media, across secured and encrypted private channels between two points. (Wikipedia, 2007)” The encryption methodology in VPN is an end-to-end system whereby “the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories: Symmetric-key encryption and Public-key encryption. A well-designed VPN can greatly benefit a company by: Extending geographic connectivity Improving security Reducing operational costs versus traditional WAN Reducing transit time and transportation costs for remote users Improving productivity Simplifying network topology Providing global networking opportunities Providing telecommuter support Providing broadband networking compatibility Providing faster ROI (return on investment) than traditional WAN (Tyson, 2007)” Aside from a well-designed VPN, the advantages of implementing and deploying a VPN in an enterprise means “cost savings because organizations no longer have to use expensive leased or frame relay lines and are able to connect remote users to their corporate networks via a local ISP instead of via expensive 800-number or long distance calls to resource-consuming modem banks. The security provided by VPNs is the highest level of security using advanced encryption and authentication protocols that protect data from unauthorized access. In terms of scalability, VPNs allow corporations to utilize remote access infrastructure within ISPs. Therefore, corporations are able to add a virtually unlimited amount of capacity without adding significant infrastructure. Further, VPNs are compatibility with Broadband Technology thus allowing mobile workers, telecommuters and day extenders to take advantage of high-speed, broadband connectivity, such as DSL and Cable, when gaining access to their corporate networks, providing workers significant flexibility and efficiency. (Netgear, 2006)” A VPN can either be provider or customer provisioned whose difference lie on whether the infrastructure servicing and management is done by the service provider or customer itself. Whether provider or customer provisioned, VPNs fall into either of the two broad categories namely site-to-site and remote access. “Site-to-site VPNs allow connectivity between an organization’s geographically dispersed sites (such as a head office and branch offices). The two types of site-to-site VPN are Intranet VPNs (Allow connectivity between sites of a single organization) and Extranet VPNs (Allow connectivity between organizations such as business partners or a business and its customers. Remote access VPNs (also called access VPNs) allow mobile or home-based users to access an organization’s resources remotely. (What is VPN?, 2006)” The figures below are examples of the three types of VPNs (Tyson, 2007): Source: http://computer.howstuffworks.com/vpn.htm A VPN works by creating an encrypted tunnel between two or more locations and since the data sent are encrypted, reading the packets sent would be difficult unless the encryption key is available. A VPN server in a secure location, once setup, can immediately communicate with client servers from different locations via the encrypted tunnel. “The gateway typically verifies that you are an approved user by checking your password. Then the VPN software creates the tunnel and adds a header to your data packet that the Internet can understand. When the packet reaches the gateway endpoint, the gateway pulls off the Internet header and routes the packet to its final destination. (Virtual Private Network, 2000)” Aside from the encrypted nature of communications, VPNs other security implementation are multi-layered such that “the initial single packet of information sent from the client to the server contains a PSK (Pre-Shared Key) only if this key is both present and correct will the VPN server respond (Café Networks, 2007).” Depending upon the type of encryption used, the authentication response could be up to 2048-bit certificate that authenticates a client to the host. Once the thee-way handshake has been accomplished, validated and verified, an encrypted tunnel is enabled between the client and the server. Additional security precautions and countermeasures in VPNs may include tunnel renegotiation or validation for a given time – i.e. every 30 minutes – for as long as the communication is open. This “ensures the encryption keys used rotate before enough data has been transferred to enable any possibility of the VPN being hacked. (Café Networks, 2007)” Secure VPNs follow a number of protocols namely (Wikipedia, 2007): IPsec (IP security) - commonly used over IPv4, and an obligatory part of IPv6. SSL/TLS used either for tunneling the entire network stack, as in the OpenVPN project, or for securing what is, essentially, a web proxy. SSL is a framework more often associated with ecommerce, but it has been built-upon by vendors like Aventail and Juniper to provide remote access VPN capabilities. A major practical advantage of an SSL-based VPN is that it can be accessed from any public wireless access point that allows access to SSL-based e-commerce websites, whereas other VPN protocols may not work from such public access points. OpenVPN, an open standard VPN. Clients and servers are available for all major operating systems. PPTP (Point-to-Point Tunneling Protocol), developed jointly by a number of companies, including Microsoft. L2TP (Layer 2 Tunneling Protocol), which includes work by both Microsoft and Cisco. L2TPv3 (Layer 2 Tunneling Protocol version 3), a new release. VPN-Q The machine at the other end of a VPN could be a threat and a source of attack; this has no necessary connection with VPN designs and has been usually left to system administration efforts. There has been at least one attempt to address this issue in the context of VPNs. On Microsoft ISA Server, an application called QSS (Quarantine Security Suite) is available. MPVPN (Multi Path Virtual Private Network). MPVPN is a registered trademark owned by Ragula Systems Development Company When VPNs started coming out of the market, they were mostly application-base systems that are installed and configured in available servers. Of late, VPNs come in hybrid or a combination of software and hardware. “The latest wave of virtual private networks feature self-contained hardware solutions. Since they are now self-contained, this VPN hardware does not require an additional connection to a network and therefore cuts down on the use of a file server and LAN, which makes everything run a bit more smoothly. These new VPNs are small and easy to set up and use, but still contain all of the necessary security and performance features. (Virtual Private Networks, 2007)” Eventually, VPNs could evolve into smaller and more portable systems that could be set up in a better and faster plug and play mode. “As virtual private networks continue to evolve, so do the number of outlets that can host them. Several providers have experimented with running VPNs over cable television networks. This solution offers high bandwidth and low costs, but less security. Other experts see wireless technology as the future of virtual private networks. (Virtual Private Networks, 2007)” Implementation of a VPN should not be a one-off thing. VPNs should be part of the “security team” posture of the enterprise in order to ensure a robust and hardened system. This means that firewalls, intrusion prevention systems and other devices must be able to “talk to one another” to ensure that maximum security is being met by the information systems infrastructure. By doing all these, optimum utilization of not only VPN deployment but other systems are realized to the fullest. Bibliography: Andersson, L., Madsen, T. Acreo, A.B. “Provider Provisioned Virtual Private Network (VPN) Terminology.” Network Working Group – Request for Comments: 4026 Category: Informational. March 2005. 13 March 2007. . Café Networks Limited. Welcome to our Virtual Private Network (VPN) MicroSite. 2007. 13 March 2007. . Fortenberry, Thaddeus. Basic Virtual Private Network Deployment. 19 January 2001. 13 March 2007. . Netgear. VPN. 2006. 13 March 2007. . Tyson, Jeff. “How Virtual Private Networks Work.” HowStuffWorks, Inc. 2007. 13 March 2007. . “Virtual Private Network.” PC World. 27 March 2000. 13 March 2007. . Virtual Private Networks. 2007. 13 March 2007. . What Is a Virtual Private Network? 04 July 2006. 13 March 2007. . Wikipedia. Virtual Private Network. 06 March 2007. 13 March 2007. . Read More