VPNs aim to give the remote corporate user the same level of access to corporate computing and data resources as the user would have if she were physically present at the corporate headquarters. By reducing the costs of transporting data traffic and by enabling network connections in locations where they would not be affordable, VPNs reduce the total cost of ownership of a corporate network.
RAS Remote Access
Traditional remote access solutions utilise a dial-up remote access server (RAS). RAS solutions require employees to connect to the corporate network via a direct telephone call to modem banks installed at the network edge. The key differences between dial-up and VPN architectures are:
Fig. 2: Typical Dial-Up Remote Access
Migrating from traditional remote access
Companies that operate their own direct-dial remote access servers assign each client an IP address from the corporate network. In most cases, dynamic addresses are allocated from a pool, enabling reuse and simplifying address administration. Access servers typically use PPP IP Control Protocol (IPCP, RFC 1332) to communicate dynamic addresses to remote clients.
By receiving addresses from the corporate block, remote clients gain a "presence" on the corporate network. These addresses are internally routable and resolvable. They can receive LAN broadcasts and pass through IP filters designed to block outsider access.
Virtual private networks replace the physical connection between remote client and access server by a logical connection: a tunnel over a public network. Depending upon the approach used, this indirection can also limit the corporate network services extended to the remote client. For example, if the client cannot receive broadcasts, the user may not be able to browse the corporate "network neighborhood". When using a foreign address, corporate servers may not be accessible and new routes may be required to direct return traffic.
When migrating from traditional remote access to VPN, any loss of functionality is going to create unhappy users. The trick is to identify and circumvent potential problems before deployment. To do so, one must carefully consider client-side addressing.
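The addressing trade-off described above, as an added example that is not part of the original page: a small model of a dynamic address pool (the role IPCP plays over PPP) next to the checks a gateway owner would run on a client's address. It answers, for a given client address, whether the address is already routable inside the corporate block, whether a filter that admits only corporate sources would pass it, and whether a return route has to be injected because the client kept a foreign (ISP-assigned) address. The corporate block, the remote pool and the client addresses are constructed sample values.

```python
"""Added example (not from the original page): client-side addressing
checks for a remote access VPN.  All prefixes and addresses are
constructed sample values."""
import ipaddress
from typing import Optional

# Constructed sample values: the corporate block and the pool carved out
# of it for remote clients (the pool a RAS or LNS would hand out via IPCP).
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
REMOTE_POOL = ipaddress.ip_network("10.10.250.0/24")


class AddressPool:
    """Dynamic address pool: hand out the lowest free host address and
    put an address back for reuse when its client disconnects."""

    def __init__(self, pool: ipaddress.IPv4Network):
        self._free = list(pool.hosts())          # lowest address first
        self._leased: dict = {}                  # client id -> address

    def lease(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        if client_id in self._leased:            # idempotent re-lease
            return self._leased[client_id]
        if not self._free:
            return None                          # pool exhausted
        addr = self._free.pop(0)
        self._leased[client_id] = addr
        return addr

    def release(self, client_id: str) -> None:
        addr = self._leased.pop(client_id, None)
        if addr is not None:
            self._free.insert(0, addr)           # returned for reuse


def is_internally_routable(addr, corporate_net=CORPORATE_NET) -> bool:
    """True when the client address lies in the corporate block, so
    internal routers and servers already know how to reach it."""
    return ipaddress.ip_address(addr) in corporate_net


def passes_insider_filter(addr, permitted=(CORPORATE_NET,)) -> bool:
    """Model of an IP filter designed to block outsiders: it admits
    only sources inside the permitted (corporate) prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in permitted)


def return_route_needed(addr, corporate_net=CORPORATE_NET) -> Optional[str]:
    """A client on a foreign address needs a host route on the gateway so
    that return traffic is steered into the tunnel.  Returns the prefix
    to add, or None when the existing corporate route already covers it."""
    ip = ipaddress.ip_address(addr)
    if ip in corporate_net:
        return None
    return str(ipaddress.ip_network(f"{ip}/32"))


def assess_client(addr) -> dict:
    """Summarise what a given client address means for the corporate side."""
    return {
        "address": str(addr),
        "internally_routable": is_internally_routable(addr),
        "passes_filter": passes_insider_filter(addr),
        "extra_route": return_route_needed(addr),
    }


if __name__ == "__main__":
    pool = AddressPool(REMOTE_POOL)
    corp_addr = pool.lease("alice-laptop")   # corporate "presence" preserved
    print(assess_client(corp_addr))
    print(assess_client("203.0.113.17"))     # foreign address kept by the client
```

Running the block shows the two outcomes side by side: the pool address is routable, passes the filter and needs no extra route, while the foreign address fails the filter and would need a /32 route injected on the gateway. The filter and route checks are deliberately separate functions because in practice they are enforced by different devices.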
Extending PPP across the VPN
Compulsory-mode L2TP involves tunneling from an L2TP access concentrator (LAC) at the ISP POP to an L2TP network server (LNS) at the edge of the corporate network. The ISP provides call termination and proxies PPP from remote clients to the LNS.
Voluntary-mode L2TP extends the tunnel end-to-end, from remote client to LNS. The ISP provides call termination and network connectivity, but LAC functions are performed by client software, for example the L2TP client in Windows 2000.
In either mode, because PPP flows end-to-end, the LNS can use IPCP to supply dynamic address assignments to remote clients. Extending PPP across the VPN automatically preserves the remote client's "presence" on the corporate network.
Unfortunately, L2TP does not provide the level of security afforded by IPsec. Limitations identified include weak tunnel endpoint authentication, inadequate encryption services, and inability to protect data integrity. Some companies will be satisfied with L2TP. However, those who require strong authentication and confidentiality may require IPsec or L2TP over IPsec.
VPN Remote Access Defined
A remote access VPN uses data security technologies to securely connect remote employees to corporate information resources via the Internet. Figure 1 illustrates a typical remote access VPN.
Fig.1: Typical Remote Access VPN
In a remote access VPN, the employee first connects to the Internet using a standard broadband or dial-up link to any ISP’s local point of presence (POP). VPN client software running on a remote machine then uses a combination of encryption and authentication technologies to establish a secure tunnel over the Internet to a VPN gateway running at the edge of the corporate network. Once the VPN tunnel has been established, all communications between the client and the gateway are secured. This design leverages the Internet for long distance data transport while outsourcing modem termination hardware and last-mile connectivity to the ISP and local phone company respectively.
Remote access makes remote employees more productive and more effective by giving them direct access to information from anywhere in the world. Access to email alone makes a big difference for mobile employees who rely on it as a primary business communication tool. VPNs deliver tangible business benefits with several advantages versus RAS solutions.
The key elements of a remote access VPN include security, performance, high availability, and client management. Organizations should clearly define their specific requirements in each area before selecting and deploying a solution. The remainder of this document defines the challenges associated with each of these elements, and outlines how the Check Point product family meets these challenges.
Security is the foremost concern of any organization considering sending corporate communications over the Internet. In the context of remote access VPNs, relevant security issues include encryption, data authentication, user authentication, access control, and broadband security.
IPSec (Internet Protocol Security)
IPSec is a framework of open standards developed by the IETF (Internet Engineering Task Force) to ensure data privacy, data authentication, and user authentication on public networks. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs.
One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.
Encryption algorithms are used in a VPN to scramble data prior to transmission over the Internet. This scrambling ensures that third parties cannot inspect data in transit. Only authorized end-points of a VPN tunnel have the ability to decrypt and view data. IPSec specifies 56-bit DES or 168-bit 3DES encryption for data privacy. 3DES provides the strongest security and is recommended for highly sensitive data. DES offers better performance than 3DES, but it is only used where strong security is not required or where export restrictions prevent use of strong encryption.
Data authentication schemes are used to verify that communications have not been modified in transit. IPSec specifies MD5 and SHA-1 for data authentication and VPN-1 supports both of these algorithms. SHA-1 is a slightly stronger security algorithm, although both MD5 and SHA-1 are considered secure and are widely deployed.
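The data authentication step described above, as an added example that is not from the page or from any Check Point product: the integrity half of an IPsec ESP packet modelled with the Python standard library. IPsec uses the MD5 and SHA-1 algorithms the page names in their keyed, truncated HMAC forms, HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404): the HMAC is computed over the sequence number and the already-encrypted payload and its first 96 bits are appended as the Integrity Check Value (ICV). The block builds such a packet, verifies it, and shows that a single flipped byte or a wrong key is rejected before anything is decrypted. The key and payload bytes are constructed sample values, and the payload is treated as opaque ciphertext (no DES/3DES step is modelled).

```python
"""Added example (not from the original page): ESP-style integrity
check with a 96-bit truncated HMAC.  Key and payload are constructed."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ICV_LEN = 12           # 96-bit truncated HMAC, as in HMAC-MD5-96 / HMAC-SHA-1-96
SEQ_LEN = 4            # 32-bit sequence number, network byte order


def build_packet(key: bytes, seq: int, encrypted_payload: bytes,
                 alg: str = "sha1") -> bytes:
    """Return seq || encrypted_payload || ICV.

    The ICV covers the sequence number and the ciphertext, so neither can
    be altered in transit without the receiver noticing."""
    body = struct.pack("!I", seq) + encrypted_payload
    icv = hmac.new(key, body, alg).digest()[:ICV_LEN]
    return body + icv


def verify_packet(key: bytes, packet: bytes,
                  alg: str = "sha1") -> Optional[Tuple[int, bytes]]:
    """Return (seq, encrypted_payload) when the ICV is valid, else None.

    Verification happens before decryption, and the comparison is
    constant-time so a forger learns nothing from response timing."""
    if len(packet) < SEQ_LEN + ICV_LEN:
        return None                                   # truncated packet
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, alg).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                   # modified or wrong key
    seq = struct.unpack("!I", body[:SEQ_LEN])[0]
    return seq, body[SEQ_LEN:]


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, standing in for in-transit damage."""
    buf = bytearray(packet)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    key = bytes(range(20))                     # constructed 160-bit key
    ciphertext = b"\x9a\x3f\x11\x07opaque-esp-payload"   # constructed
    pkt = build_packet(key, 1, ciphertext)
    print("intact  :", verify_packet(key, pkt))
    print("tampered:", verify_packet(key, tamper(pkt, 6)))
    print("bad key :", verify_packet(bytes(20), pkt))
    print("md5 ICV :", verify_packet(key, build_packet(key, 1, ciphertext, "md5"), "md5"))
```

Both peers must agree on the algorithm as well as the key: a packet built with HMAC-SHA-1-96 fails verification under HMAC-MD5-96, which is why the integrity algorithm is part of the negotiated security association rather than something the receiver guesses.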
Prior to granting access to the corporate network, it is necessary to verify the identity of remote users. Unauthorized individuals cannot be allowed to access the network. This process, called user authentication, is arguably the most important element of any VPN solution. VPN-1 provides a host of user authentication options.
Although cable and xDSL networks offer attractive opportunities to improve telecommuter productivity, each is associated with security issues that should be addressed prior to VPN deployment. Cable modem networks rely on a shared network topology in which computers in the same neighborhood reside on the same physical network segment. This topology makes it trivial for malicious or curious individuals to access their neighbor’s data. The second problem is due to the fact that cable and xDSL networks assign "always on" fixed IP addresses to user machines. An unprotected machine with an "always on" fixed IP address on the Internet makes a very attractive target for hackers. These vulnerabilities mean that a hacker could easily compromise data stored on the client machine. Even worse, a hacker could hijack a VPN tunnel to gain access to the corporate network.
A major concern for most organizations is the manageability of the VPN client software. Common questions include the following. Can the client software be easily distributed to users or is manual software installation required for each remote machine? Will users understand the software or is training required? Will the VPN client result in many help desk calls? Will telecommuters be able to do everything remotely that they can do from the office? The answers to these questions have a significant effect on VPN ROI and should be addressed prior to rollout.
Remote access VPNs deliver tangible business benefits with significant cost savings versus RAS-based solutions. The important factors to consider before selecting and deploying a remote access solution include security, performance, and high availability. After considering all of these issues, you may find it helpful to consider outsourcing the architectural planning stage, so that a detailed plan can be put forth for your implementation. Regardless of how you arrive at your plan, make sure that you do have one. In this overview, we don't consider general security policies such as performing audits, checking for valid passwords, and so on. These are an entirely different subject and, as costs permit, are worth spending time on.
In arriving at your final plan, consider the following:
Compatibility and reliability of the VPN client software
Performance needs of the remote applications
IP Address Planning
Planning Firewall Policy Changes (if VPN Server is behind firewall)
Please call 0870 421 4023 to find out how your company can benefit from the complete range of Whitehelm's VPN solutions, or e-mail email@example.com requesting more information.