What is a VPN (Virtual Private Network)?
A VPN (Virtual Private Network), at its most basic level, is simply an encrypted connection between two devices made over an internet connection. This means that the data passed between the two devices is unreadable by anyone intercepting it. Multiple networks can be connected using Virtual Private Networks.
It can be used by individual users in public places to protect their browsing and email from anybody attempting to intercept their data, and also to conceal the IP address they are browsing from.
For businesses it can protect any remote access to company data by employees, whether at a remote site or as mobile users away from the main site and its secure LAN (Local Area Network). The diagram below illustrates how a remote factory securely accesses the Head Office network using an internet connection at each site with a VPN.
Two Types of VPNs
The two distinct types of VPN employed by businesses are either a site-to-site VPN or a remote access VPN.
The site-to-site VPN is generally used when a business operates from multiple locations. Each location is protected by a firewall or gateway, and these devices can create a VPN between each other which encrypts outbound traffic as it leaves the safety of the internal LAN and decrypts it as it arrives at the other device and the safety of the remote site's internal LAN. In this configuration host machines (PCs, tablets, smartphones etc.) do not require any specialist software and can communicate with machines at remote sites as securely as if they were within the same local subnet.
Benefits of a VPN
The benefits of a site-to-site VPN are that it offloads the encryption and processing overhead from individual devices to a dedicated security or router component. It also means there is no requirement for users to log their device in and out of the VPN connection. The site-to-site VPN can also handle all types of mission-critical traffic, such as VoIP communications, which require low latency and good quality of service.
Some companies use leased lines or MPLS circuits to provide secure connections between different locations; however, VPNs provide a far more cost-effective solution.
The remote access VPN is most commonly used by individual mobile employees who need to connect to the company's internal network to access the company's data. This is achieved by using software on the user's device to connect to the company's firewall and create a secure connection directly between the company's firewall and the user's device.
The advantage of a remote access VPN is the flexibility offered to users, meaning they can work securely from any location. Because the VPN encrypts all traffic, they can take advantage of public Wi-Fi connections or any location where traffic isn't generally secured.
Advantages of VPN (Virtual Private Networks):
- Since the messages are encrypted, a VPN is secure.
- VPNs are scalable: thousands of users can connect to the head office simultaneously through the VPN.
- A VPN can be extended to any branch or individual user who has access to the Internet via Internet leased lines, fixed broadband, mobile broadband etc.
- VPNs are cost effective when compared to private networks like leased lines and MPLS circuits.
- A VPN helps to centralise all IT resources and allows for centralised administration of critical IT resources at data centres in the head office.
- Remote or travelling personnel just need to install VPN client software to access any corporate resources from any location with basic access to the Internet (with SSL VPN technologies, even the client software may not be required; a standard browser will do).
- VPNs allow for business continuity and faster response from employees outside office hours, on holidays and even during disasters.
- VPNs allow for selective access to vendors and partners via an external portal in order to increase their efficiency and get work done faster.
VPN protocols define how the service handles data transmission over a VPN. The most common protocols are PPTP, L2TP, SSTP, IKEv2, and OpenVPN. Here's a brief overview:
PPTP (Point-To-Point Tunneling Protocol)
- This is one of the oldest protocols in use, originally designed by Microsoft. Pros: works on old computers, is a part of the Windows operating system, and it's easy to set up. Cons: by today's standards, it's barely secure. Avoid a provider if this is the only protocol offered.
L2TP/IPsec (Layer 2 Tunneling Protocol)
- This is a combination of PPTP and Cisco's L2F protocol. The concept of this protocol is sound — it uses keys to establish a secure connection on each end of your data tunnel — but the execution isn't very safe. The addition of the IPsec protocol improves security a bit, but there are reports of the NSA's alleged ability to break this protocol and see what's being transmitted. Whether or not those reports are true, the fact that there's a debate at all is perhaps enough to avoid this as well.
SSTP (Secure Socket Tunneling Protocol)
- This is another Microsoft-built protocol. The connection is established with SSL/TLS encryption (the de facto standard for web encryption these days). SSL's and TLS's strength is built on symmetric-key cryptography, a setup in which only the two parties involved in the transfer can decode the data within. Overall, SSTP is a very secure solution.
IKEv2 (Internet Key Exchange, Version 2)
- This is yet another Microsoft-built protocol. It’s an iteration of Microsoft’s previous protocols and a much more secure one at that. It provides you with some of the best security.
OpenVPN
- This takes what's best in the above protocols and does away with most of the flaws. It's based on SSL/TLS and it's an open-source project, which means that it's constantly being improved by hundreds of developers. It secures the connection by using keys that are known only to the two participating parties on either end of the transmission. Overall, it's the most versatile and secure protocol out there.
Most Common VPNs
The two types predominantly used are IPsec and SSL/TLS (such as SSTP); below we cover the advantages of each.
Advantages of IPsec VPN:
- IPsec VPN is an established and field-tested technology and has been in use by the majority of customers for a long time. IPsec VPN is a client-based VPN technology and connects only to those sites or devices which can prove their integrity (this applies mainly to home offices and remote offices, where the VPN software client needs to be installed beforehand to establish secure connectivity back to the head office). So administrators can be quite sure that the devices connecting to the network are trusted ones.
- Since an IPsec VPN inspects and drops packets at a lower level in the protocol stack (the network layer), packet-drop performance is better, enabling smooth operation even under high-capacity usage.
- IPsec VPNs are the preferred choice of companies for establishing site-to-site VPNs, and IPsec has found more implementations in this segment. IPsec VPNs can also establish a site-to-client VPN with devices that have IPsec clients installed.
- An IPsec VPN basically gives branch-office or remote personnel who establish the VPN to the head office full access to all the head office intranet applications. So the user feels as if they are at the office even though they may be working from home. Certain solutions allow selective blocking of certain applications or devices from being accessed over the remote network.
- IPsec supports multiple methods of authentication and gives flexibility in choosing the appropriate authentication mechanism, making it difficult for intruders to perform attacks such as 'Man in the Middle' attacks.
- Centralised management options for VPN settings are available with IPsec VPN. IPsec can implement automatic failover to another VPN device in case the original one fails.
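The site-to-site tunnel described earlier (gateway to gateway, with no software on the hosts), expressed as an added strongSwan swanctl.conf fragment for the Head Office gateway; this is an illustrative example, not configuration from the original page, and the addresses, subnets, identities and file names are constructed placeholders. It uses IKEv2 with certificate authentication, so only a peer holding a certificate issued by the company CA can bring the tunnel up, which is the "trusted devices" and "choice of authentication method" point made in the IPsec list above.

```conf
# /etc/swanctl/swanctl.conf on the Head Office gateway (constructed example)
# Addresses, subnets, identities and file names are placeholders. The gateway
# certificate lives under /etc/swanctl/x509/ and the company CA under
# /etc/swanctl/x509ca/. The factory gateway uses the mirror-image settings.
connections {
    headoffice-factory {
        version = 2                          # IKEv2 only; IKEv1 is not offered
        local_addrs  = 203.0.113.1           # Head Office public address
        remote_addrs = 198.51.100.1          # factory public address
        local {
            auth  = pubkey                   # certificate, not a shared password
            certs = gw-headoffice.pem
            id    = gw.headoffice.example
        }
        remote {
            auth = pubkey
            id   = gw.factory.example        # must match the peer's certificate
        }
        children {
            lan-to-lan {
                local_ts  = 10.1.0.0/16      # Head Office LAN
                remote_ts = 10.2.0.0/16      # factory LAN
                esp_proposals = aes256gcm16-x25519   # AEAD cipher plus PFS group
                start_action = start         # bring the tunnel up at boot
                dpd_action   = restart       # re-establish if the peer stops responding
                rekey_time   = 1h
            }
        }
        proposals  = aes256-sha256-x25519    # IKE SA: no legacy 3DES/MD5/modp1024
        dpd_delay  = 30s
        rekey_time = 4h
    }
}
```

Load it with `swanctl --load-all` and confirm the tunnel with `swanctl --list-sas`; hosts on 10.1.0.0/16 then reach 10.2.0.0/16 through the gateway without any client software.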
Advantages of SSL/TLS VPNs:
- Since SSL/TLS VPNs support browser-based access, corporate resources can be accessed by employees or partners from any computer with Internet access after proper authentication.
- SSL/TLS VPNs allow for host integrity checking (checking whether the computers trying to establish a VPN connection meet certain standards, such as the latest OS version with patches, the latest version of anti-virus software etc.) and remediation (if required) to ensure secure network access.
- Easier to deploy and maintain across a large number of travelling personnel or remote users, as there is no need to install and maintain a VPN client on each machine connecting to the network.
- SSL/TLS VPN can provide granular network access controls for each user or group of users to limit remote user access to certain designated resources or applications in the corporate network.
- SSL/TLS VPN supports many types of endpoint devices, like mobile phones, PDAs, smartphones etc., and multiple operating systems.
- Supports multiple methods of user authentication and also integration with centralised authentication mechanisms like RADIUS/LDAP, Active Directory etc.
- It is possible to have secure, user-customised web portals (extranets) for partners etc. with SSL/TLS VPN, as the basic characteristic of SSL/TLS VPN is to provide restricted access to certain applications only, adding more applications when required, thereby providing granular network access controls.
- SSL/TLS VPNs are basically designed for Internet browsers and hence do not have any NAT/firewall traversal issues.
- SSL/TLS VPNs have exhaustive auditing capabilities, which are crucial for regulatory compliance. Log information (regarding which user accessed which resources at what time and over which period/date etc.) can be collected, stored and analysed with detailed querying and reporting mechanisms.
- SSL/TLS VPNs can cluster VPN devices both within the LAN and across the WAN for improved performance, scalability and redundancy.
- SSL/TLS VPNs are better for disaster recovery and business continuity, as they allow anywhere, anytime access to the corporate network for authorised users.
VPNs are an essential tool for ensuring company data is available securely between each of the company sites and for allowing users access while on the move.
The most secure and commonly used protocol is IPsec, used for site-to-site VPNs between branch locations and also for remote access VPNs giving mobile users access to company data.
The use of VPNs is essential in providing a good night's sleep to members of the IT department and senior management, safe in the knowledge that any head office data is accessed remotely in a secure manner.