CHAPTER 10 Virtual Private Networks

Copyright 2001 The McGraw-Hill Companies, Inc.

Private networks have been used by organizations to communicate with remote sites and with other organizations. Private networks are made up of lines leased from the various phone companies and ISPs. The lines are point to point and the bits that travel on these lines are segregated from other traffic because the leased lines create a real circuit between the two sites. There are many benefits to private networks:

▼ Information is kept “within the fold.”
■ Remote sites can exchange information instantaneously.
▲ Remote users do not feel so isolated.

Unfortunately, there is also a big disadvantage: cost. Private networks cost a lot of money. Using slower lines can save some money but then the remote users start to notice the lack of speed and some of the advantages begin to evaporate.

With the increasing use of the Internet, many organizations have moved to Virtual Private Networks (VPN). VPNs offer organizations many of the advantages of private networks with a lower cost. However, VPNs introduce a whole new set of issues and risks for an organization. Properly architected and implemented, VPNs can be advantageous to the organization. Poorly architected and implemented, all the information that passes across the VPN might as well be posted on the Internet.

DEFINING VIRTUAL PRIVATE NETWORKS

So, we are going to send sensitive organization information across the Internet in such a way as to reduce the need for leased lines and still maintain the confidentiality of the traffic. How do we separate our traffic from everyone else’s? The short answer is that we use encryption. All kinds of traffic flow across the Internet. Much of that traffic is sent in the clear so that anyone watching the traffic can see exactly what is going by. This is true for most mail and Web traffic as well as telnet and FTP sessions.
Secure Shell (SSH) and HyperText Transfer Protocol Secure (HTTPS) traffic is encrypted and thus cannot be examined by someone reading the packets. However, SSH and HTTPS traffic does not constitute a VPN. VPNs have several characteristics:

▼ Traffic is encrypted so as to prevent eavesdropping.
■ The remote site is authenticated.
■ Multiple protocols are supported over the VPN.
▲ The connection is point to point.

Since neither SSH nor HTTPS can handle multiple protocols, neither is a real VPN. VPN packets are mixed in with the regular traffic flow on the Internet and segregated because only the end points of the connection can read the traffic.

Network Security: A Beginner’s Guide

Let’s look more closely at each of the characteristics of a VPN. We have already stated that VPN traffic is encrypted to prevent eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the traffic for the length of time the traffic is valuable. Passwords may only be valuable for 30 days (assuming a 30-day change policy); however, sensitive information may be valuable for years. Therefore, the encryption algorithm and the VPN implementation must prevent an unauthorized individual from decrypting the traffic for some number of years.

The second characteristic is that the remote site is authenticated. This characteristic may require that some users be authenticated to a central server or it may require that both ends of the VPN be authenticated to each other. The authentication mechanism used will be governed by policy. It may require that users authenticate with two factors or with dynamic passwords. For mutual authentication, both sites may be required to demonstrate knowledge of a shared secret that is preconfigured.

VPNs are built to handle different protocols, especially at the application layer. For example, a remote user may use SMTP to communicate with a mail server while also using NetBIOS to communicate with a file server.
Both of these protocols would run over the same VPN channel or circuit (see Figure 10-1). Point to point means that the two end points of the VPN set up a unique channel between them. Each end point may have several VPNs open with other end points simultaneously but each is distinct from the others and separated by the encryption.

Figure 10-1. VPNs handle multiple protocols

VPNs are generally separated into two types: user VPNs and site VPNs. The difference between them is the way the two types are used, not because of the way traffic is segregated by each type. The remainder of this chapter discusses each type of VPN in detail.

USER VPNS

User VPNs are virtual private networks between an individual user machine and an organization site or network. Often user VPNs are used for employees who travel or work from home. The VPN server may be the organization’s firewall or it may be a separate VPN server. The user connects to the Internet via a local ISP dial-up, DSL line, or cable modem and initiates a VPN to the organization site via the Internet. The organization’s site requests the user to authenticate and, if successful, allows the user access to the organization’s internal network as if the user were within the site and physically on the network. Obviously, the network speeds will be slower since the limiting factor will be the user’s Internet connection.

User VPNs may allow the organization to limit the systems or files that the remote user can access. This limitation should be based on organization policy and depends on the capabilities of the VPN product.

While the user has a VPN back to the organization’s internal network, he or she also has a connection to the Internet and can surf the Web or perform other activities like a normal Internet user. The VPN is handled by a separate application on the user’s computer (see Figure 10-2).
Benefits of User VPNs

There are two primary benefits of user VPNs:

▼ Employees who travel can have access to e-mail, files, and internal systems wherever they are without the need for expensive long distance calls to dial-in servers.
▲ Employees who work from home can have the same access to network services as employees who work from the organization facilities without the requirement for expensive leased lines.

Both of these benefits can be figured into cost savings. Whether the costs are long-distance charges, leased-line fees, or staff time to administer dial-in servers, there is a cost savings. For some users there may also be a speed increase over dial-in systems. Home users with DSL or cable modems should see a speed increase over 56K dial-up lines. More and more hotel rooms are also being equipped with network access connections so speed should also increase for employees who travel.

NOTE: A speed increase over a 56K dial-up line is not guaranteed. The overall speed of the connection depends upon many things, including the user’s Internet connection, the organization’s Internet connection, congestion on the Internet, and the number of simultaneous connections to the VPN server.

Issues with User VPNs

The proper use of user VPNs can reduce the costs to an organization but user VPNs are not a panacea. There are significant security risks and implementation issues that must be dealt with.

Perhaps the biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites. Normally, the VPN software on the user’s computer determines if the traffic should be sent to the organization via the VPN or to some other Internet site in the clear.
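The per-destination decision just described is visible in the client host's routing table, and an administrator can check from it whether a user machine is in this "simultaneous connection" state. The following is an added example, not code from the book: it parses a constructed Linux "ip route" style listing (the sample routes, the tun0 interface name, and the 10.0.0.0/8 organization prefix are assumptions) and reports whether the host sends everything through the VPN, only organization traffic through it, or nothing at all.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of a Linux "ip route" listing; tun0 is the assumed VPN interface.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
"""

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, interface)


def parse_routes(text: str) -> List[Route]:
    """Turn "ip route" lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        iface = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def egress_interface(dest: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match: the interface that carries traffic to dest,
    i.e. the same per-packet decision the VPN client software makes."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def tunnel_mode(routes: List[Route], tunnel_ifaces=("tun0",)) -> str:
    """'full': the default route enters the tunnel (all traffic via VPN).
    'split': only some prefixes use the tunnel, so the host is also on the
    Internet in the clear at the same time. 'none': no route uses the tunnel."""
    if not any(iface in tunnel_ifaces for _, iface in routes):
        return "none"
    default = [iface for net, iface in routes if net.prefixlen == 0]
    return "full" if default and default[0] in tunnel_ifaces else "split"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for dest in ("10.1.2.3", "203.0.113.5"):
        print(dest, "->", egress_interface(dest, routes))
    print("tunnel mode:", tunnel_mode(routes))  # prints "tunnel mode: split"
```

A "split" result on a machine that is expected to be fully tunnelled is the condition worth raising with the user or the VPN product's configuration.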
If the user’s computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee’s computer to connect to the organization’s internal network (see Figure 10-3). This type of attack takes some sophistication but is far from impossible.

User VPNs require the same attention to user-management issues as internal systems. In some cases, the users of the VPN can be tied to user IDs on a Windows NT domain or to some other central user-management system. This capability makes user management simpler but administrators must still be cognizant of which users require remote VPN access and which do not. If the VPN user management is not tied to a central user-management system, the user-management procedures for the organization must take this into account when employees leave the organization.

Figure 10-2. User VPN configuration

Users must authenticate themselves before using the VPN. Since the VPN allows remote access to the organization’s internal network, this authentication should require two factors. One factor may be the user’s computer itself. If so, the second factor must be something the user knows or something she is. In either case, the second factor must not be something that can reside on or with the computer.

Organizations must also be concerned with traffic loads. The primary load point will be the VPN server at the organization site. The key parameter for loads is the number of simultaneous connections that are expected. As each connection comes up, the VPN server is expected to be able to decrypt additional traffic. While the processor may be able to handle large traffic volumes, it may not be able to encrypt and decrypt a large number of packets without significant delay. Therefore, the VPN server should be sized based on the number of simultaneous connections that are expected.

One other issue may impact how an organization uses a user VPN.
This issue is the use of NAT at the remote end of the connection. If the organization expects its employees to attempt to use a VPN from sites that are behind firewalls, this may become an issue. For example, if Organization A is a consulting company with employees working at Organization B, A might like its employees to be able to connect back for mail and file access. However, if they are working from computers attached to B’s internal network and B uses dynamic NAT to hide the addresses of internal systems, this may not be possible. If your organization chooses to use its VPN in this manner, you should check the capabilities of the VPN software in this regard.

Figure 10-3. Use of a Trojan Horse program to access an organization’s internal network

Managing User VPNs

Managing user VPNs is primarily an issue of managing the users and user computer systems. Appropriate user-management procedures should be in place and followed during employee separation. Obviously, the proper VPN software versions and configurations must be loaded on user computers. If the computers are owned by the organization, this becomes part of the standard software load for the computer. If the organization allows employees to use the VPN from their home computers, the organization will need to increase overall support to these users as different computers and ISPs may require different configurations.

One key aspect of the user VPN that should not be forgotten is the use of a good anti-virus software package on the user’s computer. This software package should have its signatures updated on a regular basis (at least monthly) to guard against viruses and Trojan Horse programs being loaded on the user’s computer.

SITE VPNS

Site VPNs are used by organizations to connect remote sites without the need for expensive leased lines or to connect two different organizations that wish to communicate for some business purpose.
Generally, the VPN connects one firewall or border router with another firewall or border router (see Figure 10-4). To initiate the connection, one site attempts to send traffic to the other. This causes the two VPN end points to initiate the VPN. The two end points will negotiate the parameters of the connection depending on the policies of the two sites. The two

Figure 10-4. Site-to-site VPN across the Internet