Secure VPN — The protocols
The Secure VPN tunnel using cryptographic protocols to provide authentication of the sender and the integrity of the message, in order to protect privacy. Once selected, deployed and used, some techniques can provide secure communications over insecure networks. The Secure VPN technologies should be used as a “security overlay” through dedicated network infrastructure. The protocols that implement a secure VPN most popular are:
- IPsec (IP security), commonly used over IPv4 (mandatory part of IPv6).
- PPTP (point-to-point tunneling protocol), developed by Microsoft.
- SSL / TLS used either for tunneling the entire network, as in the OpenVPN project, or to make sure that it is essentially a Web Proxy. The SSL is a framework, very often associated with electronic commerce, which has proved of great flexibility and is therefore used as a security implementations for various (more or less standard) virtual private networks.
- VPN Quarantine: The end of the VPN client machine could be a source of attack, which does not depend on the design of VPN. There are solutions that provide VPN Quarantine services which control the computer remotely. The customer is kept in quarantine until the infection has not been removed.
- MPVPN (Multi Path Virtual Private Network), a registered trademark owned by Ragula System Development Company.
- The ISPs now offers a VPN service for companies that want security and convenience of a VPN. In addition to providing remote workers with secure access to internal network, are sometimes included other security services and management.
These mechanisms by themselves do not implement a virtual network, but only a secure conversation between two terminals. In these cases, the virtual network mechanism must be implemented through a special protocol which is then encapsulated. There is now a fair number of alternative approaches (and of course, mutually incompatible) to this scheme, among which we can mention the following.
- SOCKS Protocol: this approach is the “standard” as SOCKS is an IETF standard for Generic Firewall Traversal defined in RFC 1928.
- OpenVPN provides an executable that creates an encrypted tunnel with another instance of the same program on a remote computer, and can carry the entire TCP / IP stack.
- Another widely used approach uses the SSH protocol, which is able, as OpenVPN to create the tunnel between two machines connected. This feature was created to carry X windows, but has been implemented in a general way, and you can use it to carry any protocol.
- The approach now all firewall vendors is rather to use TLS to secure communication with a proxy to be accessed via browser. The secure channel is implemented in reality, usually through a Java applet or an ActiveX object, which can then be installed in an almost transparent to the end user. The resulting ease of management makes this approach is particularly popular in complex organizations.
Some VPNs use secure encryption algorithms but do not assume that a single trusted entity manages the entire network and then shared the lack of access to the global traffic of the network make sure the channels as the network operator provides each subject only to its VPN.
The protocols that use this philosophy include:
- L2F (Layer 2 Forwarding), developed by Cisco.
- L2TP (Layer 2 Tunnelling Protocol), developed in collaboration between Microsoft and Cisco.
- L2TPv3 (Layer 2 Tunneling Protocol version 3). The Trusted VPNs do not use a “tunneling” and instead rely on the cryptographic security of a single network provider to protect traffic. In a sense, this is an elaboration of a wired network.
- Multi Protocol Label Switching (MPLS) is often used to build a trusted VPN.
Well-structured VPN — Benefits for companies
A well-structured VPN can offer great benefits for a company:
- Extend geographic connectivity
- Improve security where data lines have not been encrypted
- Reduces transaction costs
- Reduce transit time and transportation costs for remote clients
- Simplify the network topology, at least in certain scenarios
- Provides the possibility of global networks
- Provides support network
- Provides compatibility with the broadband networks
- Provides faster ROI (payback time) compared to traditional transportation lines WAN
- Show a good economy of scale
However, since the VPN has thus extended the “mother network” with a wealth of machines and devices, some implementations of security should receive special attention:
The safety to the client must be narrow and strengthened. This was determined by the Central Client Administration and Security Policy Enforcement.
It is necessary for a company that needs that each employee can use their offices outside the VPN, first of all install a firewall certificate. Some organizations with sensitive data mean that employees are using two different WAN connections: one for working on sensitive data and one for all other uses:
- The stairway to the target network should be limited
- The registration policies should be considered and in most cases magazines
In situations where companies or individuals, have legal requirements for keeping information confidential, there may be legal or criminal problems. Two examples are the HIPAA regulations in the U.S. with the data safe, the European Union and the general regulation that apply to all commercial and accounting information, and extends to those who share these data.
One way to reduce the consequences of a theft of a laptop is to use a mobile thin clients are available on the market. This allows employees to remotely access secure and confidential database with less risk of losing or compromising the confidentiality of data.
Tunneling is the transmission of data over a public network, which means that the routing nodes of the public network are not able to detect that the transmission is part of a private network.
Tunneling allows then to use the public network to carry data on behalf of clients authorized to access the private network, causing the end-to-end communication between users remains at logic level confined within the same private network.
Typically, the tunneling is created by encapsulating the data and protocol in the protocol of the public network, so that the data passing through the tunnel are not understandable to others who are possibly looking at the data transmitted.
Solution for the security of a VPN
The most important part of the VPN solution.
The very nature of VPNs – to pass on private data networks – requires attention to potential threats to the data and the impact of those lost. A VPN is concerned with all types of security threats by offering security services in the areas of: Authentication (access control):
Authentication is a process to ensure that a customer or a system are indeed those who claim to be. There are many types of authentication mechanisms, but the most common are:
- Something you know (an ID, password, PIN) 8
- Something you have (e.g., a machine readable symbol. SmartCard)
- Something that you (the retina, fingerprints)
The login and password authentications are generally considered weak. Strong authentication can be obtained by combining two different types of authentication. The actual level of safety of course depends on the context because a smart card can be stolen, and login credentials can not be difficult to detect. Safety data stolen or lost may allow more attacks and require more authentication schemes. No technique offers complete security of authentication, even biometrics (fingerprints, voice prints, retinal mapping) are not completely safe for that matter.
Study: From Wikipedia, the free encyclopedia. The text is available under the Creative Commons.