James D. Brown, CTO, StillSecure

Welcome to part 2 of my multi-part series on security technologies. This time I’ll talk about virtual private networks (VPNs): what they are, why you need them, and how they work. As I stated in my last post on managed firewalls, this is aimed at an audience with basic knowledge of networking and information technology.


What is it? 

A VPN comes in two basic flavors: point-to-point (site-to-site), and remote access (road warrior). A point-to-point VPN is designed to connect two networks together over the Internet or other untrusted network, ensuring that both networks are fully authenticated, and no eavesdropping can take place on the traffic sent between them. A remote access VPN is dynamically created by a user who is outside of a network to create a safe, secure temporary tunnel into that network. Again, the VPN ensures that the user and the network are fully authenticated, and all communications between the user and the network are encrypted, so no one can monitor those communications.

What does it do? 

The idea is that the VPN, for all intents and purposes, extends the protected network and its services to a remote site or remote user. With a remote access VPN, a user connected to the VPN can access remote services as though they were local to her. In the case of a point-to-point VPN, users on either side can access resources on the other side of the VPN connection as though there were a hard-wired network link between the two sites. Because the entire network is extended to a new physical location, VPNs are far more flexible than remote access technologies like Remote Desktop or SSH, which only allow you to directly access a single host in your network.

How does it work? 

You may have heard the term single-tunnel or split-tunnel VPN. Single-tunnel VPNs are configured so that all traffic from a host must pass through the VPN. In this case, a remote user would send every bit of traffic through the VPN, even traffic that’s not destined for the remote network. This means that those Google searches you’re not proud of may end up being tracked by your company’s servers. In a split tunnel, only traffic destined for the remote end of the VPN goes to that VPN while other traffic goes either to another VPN connection or to the Internet. Single-tunnel VPNs are more secure, because compromised endpoints can’t act as a bridge between a remote attacker and the protected network. However, they trade security for increased usage of company resources and nearly always result in a performance penalty when accessing resources outside the protected network.
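To make the single-tunnel versus split-tunnel distinction concrete, here is an added example (not from the original post) that models a client's routing table in each mode and applies longest-prefix matching the way a host does. The addresses, interface names and the two route tables are constructed for illustration; the full-tunnel table uses the two /1 routes that OpenVPN's `redirect-gateway def1` option pushes to override the default route without deleting it.

```python
import ipaddress

# Constructed routing tables modelling the two VPN modes described above.
# Each entry is (prefix, egress interface); the longest matching prefix wins.
VPN_SERVER = "203.0.113.10"   # assumed address of the VPN termination point

FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # original default route stays in place
    (VPN_SERVER + "/32", "eth0"),  # host route so the tunnel itself still works
    ("0.0.0.0/1", "tun0"),         # "redirect-gateway def1" style: two /1
    ("128.0.0.0/1", "tun0"),       # routes beat the /0 default, so everything
]                                  # else goes through the VPN

SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),         # Internet traffic leaves directly
    ("10.0.0.0/8", "tun0"),        # only corporate ranges go through the VPN
    ("192.168.50.0/24", "tun0"),
]


def egress(dest: str, routes) -> str:
    """Return the interface chosen by longest-prefix match for dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1]


def bypasses_tunnel(dests, routes):
    """Destinations that leave via the physical NIC instead of tun0.

    In full-tunnel mode only the VPN server itself should appear here;
    anything else is a sign the endpoint is bridging two networks.
    """
    return [d for d in dests if egress(d, routes) != "tun0"]


if __name__ == "__main__":
    # 198.51.100.20 stands in for an arbitrary public site (e.g. a search engine).
    sample = ["10.1.2.3", "192.168.50.7", "198.51.100.20", VPN_SERVER]
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, {d: egress(d, table) for d in sample})
```

Running it shows the public destination leaving via tun0 in full-tunnel mode (the company sees it) but via eth0 in split-tunnel mode, while the corporate ranges use tun0 in both.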

What is the value?

From all this, it’s pretty obvious where the value is: road warriors can access network resources on your corporate intranet as though they were physically there, and can do so securely. Point-to-point VPNs allow a single network to be extended across multiple physical locations without worrying that some unauthorized person may access those networks.

What else do you need? 

However, as with any security technology, a VPN cannot protect you on its own. In fact, VPNs are fairly unique in that they provide you with absolutely no protection for your network unless you couple them with another security technology: a firewall. The idea is that you use the firewall to lock down your network as much as possible, limiting public access to only those ports that are necessary to offer the services you want to offer, and blocking everything else. Once the network is locked down in this way, a VPN can allow authorized users to access it securely.

When a VPN is set up, there is one termination point for remote access, or two termination points for a point-to-point VPN. The termination point in a remote access situation acts as a server for clients logging into it. It’s called a termination point because it terminates the VPN tunnel, decrypting the encrypted traffic before it enters the rest of the network. In the case of a point-to-point VPN, both sides of the VPN act as termination points.

While a VPN server does not require a lot of interaction, there are some things that need to be managed on it:

  • For point-to-point VPNs, the overall setup can be complex, as it involves setting up certificates and configuration so that both VPN terminators can authenticate each other and handle encryption between them. You want monitoring on both sides, and the tunnel re-established when problems occur. When compliance is a concern, you’ll want solid audit logging that tracks changes to either side of the tunnel and logs any attempted breaches.
  • In a remote access VPN, management gets more difficult. Not only do you need to set up your own server and client certificates, but you need a way to manage them: see who is currently logged in and how much data they’re using, revoke certificates to handle employee terminations, and report on when certificates are issued and when they are revoked. You also need a way to deploy certificates to end users. All of this can be invaluable when compliance is an issue.

For added protection (and for compliance), multi-factor authentication is beneficial. This adds additional security factors – something you know, such as a PIN – and something you have, such as a secure token. This means that even if your laptop is stolen, an attacker cannot access your VPN with the laptop alone.

The solution – layers of security 

The StillSecure Managed VPN service offers all these capabilities through our easy-to-use RADAR portal. Our Managed VPN service will configure your point-to-point VPNs across multiple sites, and provide you with an easy way to grant and revoke access for your users, fully audited and tracked, so you just hand off a simple report to your auditor.

That about covers it for managed VPN. I’m going to dive into managed intrusion detection and prevention systems (IDPS) next. A firewall, VPN, and IDPS together can protect you from about 80-85% of threats, and together can make for a low cost, but very effective, way to protect your network. When you have StillSecure Managed Security Services provide and manage them for you, you get expert configuration and tuning, reduced costs, full 24×7 coverage, and you benefit from our expert security analysts and their tracking of global threats.
