WhiteHelm End to End Network Security
Remote Access VPN

 

Summary

VPNs aim to give the remote corporate user the same level of access to corporate computing and data resources as the user would have if she were physically present at the corporate headquarters. By reducing the costs of transporting data traffic and by enabling network connections in locations where they would not otherwise be affordable, VPNs reduce the total cost of ownership of a corporate network.

RAS Remote Access

Traditional remote access solutions utilise a dial-up remote access server (RAS). RAS solutions require employees to connect to the corporate network via a direct telephone call to modem banks installed at the network edge. The key differences between dial-up and VPN architectures are:

  1. Direct dial-up does not leverage the Internet for long distance connections,
  2. Modem banks are supported by the corporation rather than the ISP, and
  3. Encryption technologies are not required, because traffic traverses non-shared (switched) links.

Figure 2 illustrates a dial-up remote access solution.

Fig. 2: Typical Dial-Up Remote Access

Migrating from traditional remote access

Companies that operate their own direct-dial remote access servers assign each client an IP address from the corporate network. In most cases, dynamic addresses are allocated from a pool, enabling reuse and simplifying address administration. Access servers typically use the PPP IP Control Protocol (IPCP, RFC 1332) to communicate dynamic addresses to remote clients.

By receiving addresses from the corporate block, remote clients gain a "presence" on the corporate network. These addresses are internally routable and resolvable; the clients can receive LAN broadcasts and pass through IP filters designed to block outsider access.

Virtual private networks replace the physical connection between remote client and access server with a logical connection: a tunnel over a public network. Depending upon the approach used, this indirection can also limit the corporate network services extended to the remote client. For example, if the client cannot receive broadcasts, the user may not be able to browse the corporate "network neighborhood". When the client uses a foreign (non-corporate) address, corporate servers may not be accessible and new routes may be required to direct return traffic.

When migrating from traditional remote access to VPN, any loss of functionality will create unhappy users. The trick is to identify and circumvent potential problems before deployment. To do so, one must carefully consider client-side addressing.

Extending PPP across the VPN

Compulsory-mode L2TP involves tunneling from an L2TP access concentrator (LAC) at the ISP POP to an L2TP network server (LNS) at the edge of the corporate network. The ISP provides call termination and proxies PPP from remote clients to the LNS.

Voluntary-mode L2TP extends the tunnel end-to-end, from remote client to LNS. The ISP provides call termination and network connectivity, but LAC functions are performed by client software, for example the L2TP client in Windows 2000.

In either mode, because PPP flows end-to-end, the LNS can use IPCP to supply dynamic address assignments to remote clients. Extending PPP across the VPN automatically preserves the remote client's "presence" on the corporate network.

Unfortunately, L2TP on its own does not provide the level of security afforded by IPsec. Its limitations include weak tunnel endpoint authentication, inadequate encryption services, and no protection of data integrity. Some companies will be satisfied with L2TP. However, those who require strong authentication and confidentiality may require IPsec or L2TP over IPsec.

VPN Remote Access Defined

A remote access VPN uses data security technologies to securely connect remote employees to corporate information resources via the Internet. Figure 1 illustrates a typical remote access VPN.

Fig. 1: Typical Remote Access VPN

In a remote access VPN, the employee first connects to the Internet using a standard broadband or dial-up link to any ISP's local point of presence (POP). VPN client software running on the remote machine then uses a combination of encryption and authentication technologies to establish a secure tunnel over the Internet to a VPN gateway running at the edge of the corporate network. Once the VPN tunnel has been established, all communications between the client and the gateway are secured. This design leverages the Internet for long distance data transport while outsourcing modem termination hardware and last-mile connectivity to the ISP and the local phone company respectively.

Business Case

Remote access makes remote employees more productive and more effective by giving them direct access to information from anywhere in the world. Access to email alone makes a big difference for mobile employees who rely on it as a primary business communication tool. VPNs deliver tangible business benefits with several advantages versus RAS solutions.

  • Cost - VPN cost savings are derived from two sources. First, Internet connections, which are typically local calls, are much less expensive than toll free or long distance dial-up connections. This factor alone convinces many organizations to eliminate RAS solutions in favor of VPN solutions. Secondly, VPN equipment is much less expensive to deploy and maintain than RAS equipment. According to Giga Information Group, domestic remote access VPNs can yield cost savings of 20 to 70 percent over RAS. Similarly, international remote access VPNs can yield cost savings of between 60 and 90 percent over RAS. As a result, most remote access VPNs pay for themselves in a matter of months.
  • Scalability - Scaling a remote access VPN involves distributing VPN client software and, if necessary, increasing the bandwidth of the corporate Internet connection. Once the VPN gateway is up and running, it can easily scale to support anywhere from a few hundred to tens of thousands of users. Scaling RAS solutions, on the other hand, requires deployment of additional hardware and adding phone lines.
  • Broadband - VPNs allow users to inexpensively connect to corporate networks via broadband links. This is a very attractive option for telecommuters in particular. Dial-up solutions do not offer this option.

Key Requirements

The key elements of a remote access VPN include security, performance, high availability, and client management. Organizations should clearly define their specific requirements in each area before selecting and deploying a solution. The remainder of this document defines the challenges associated with each of these elements, and outlines how the Check Point product family meets these challenges.

Security

Security is the foremost concern of any organization considering sending corporate communications over the Internet. In the context of remote access VPNs, the relevant security issues include encryption, data authentication, user authentication, access control, and broadband security.


IPSec (Internet Protocol Security)

IPSec is a framework of open standards developed by the IETF (Internet Engineering Task Force) to ensure data privacy, data authentication, and user authentication on public networks. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs.

One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of the applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.

Data Privacy

Encryption algorithms are used in a VPN to scramble data prior to transmission over the Internet. This scrambling ensures that third parties cannot inspect data in transit; only the authorized end-points of a VPN tunnel are able to decrypt and view it. IPSec specifies 56-bit DES or 168-bit 3DES encryption for data privacy. 3DES provides the stronger security and is recommended for highly sensitive data. DES offers better performance than 3DES, but it is only used where strong security is not required or where export restrictions prevent the use of strong encryption.

Data Authentication

Data authentication schemes are used to verify that communications have not been modified in transit. IPSec specifies MD5 and SHA-1 for data authentication, and VPN-1 supports both of these algorithms. SHA-1 is a slightly stronger algorithm, although both MD5 and SHA-1 are considered secure and are widely deployed.
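The following Python example is added here to show how the data authentication described above detects in-transit modification; it is not code from this page or from any VPN product. IPsec does not use MD5 or SHA-1 as bare hashes but keys them as HMACs and truncates the result to a 96-bit integrity check value (RFC 2403 and RFC 2404), which is what the code reproduces: it appends the ICV to a constructed sample payload, then shows that a single flipped bit, a wrong key, or a mismatched algorithm all cause verification to fail. The key and payload are constructed values for the example only.

```python
import hashlib
import hmac

# Constructed values for this example only: not a real key, not real traffic.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"
SAMPLE_PAYLOAD = b"GET /inbox HTTP/1.1\r\nHost: mail.corp.example\r\n\r\n"

# IPsec truncates the HMAC-MD5 / HMAC-SHA-1 output to 96 bits (RFC 2403 / RFC 2404).
ICV_LEN = 12
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def compute_icv(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """Return the truncated HMAC (integrity check value) over data."""
    try:
        digestmod = ALGORITHMS[algo]
    except KeyError:
        raise ValueError(f"unsupported data authentication algorithm: {algo}")
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def protect(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """Sender side: append the ICV to the data, as ESP/AH carry it inside the packet."""
    return data + compute_icv(key, data, algo)


def verify(key: bytes, packet: bytes, algo: str = "sha1"):
    """Receiver side: recompute the ICV and compare it in constant time.

    Returns (ok, data). The data is only trustworthy when ok is True.
    """
    if len(packet) < ICV_LEN:
        return False, b""
    data, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected_icv = compute_icv(key, data, algo)
    return hmac.compare_digest(received_icv, expected_icv), data


def demo():
    """Protect the sample payload, then show which tampering cases verification rejects."""
    packet = protect(INTEGRITY_KEY, SAMPLE_PAYLOAD)
    ok_untouched, _ = verify(INTEGRITY_KEY, packet)

    flipped = bytearray(packet)
    flipped[4] ^= 0x01            # one bit changed in the data portion
    ok_flipped, _ = verify(INTEGRITY_KEY, bytes(flipped))

    ok_wrong_key, _ = verify(b"some-other-key", packet)
    ok_wrong_algo, _ = verify(INTEGRITY_KEY, packet, algo="md5")

    return {
        "untouched": ok_untouched,
        "bit_flipped": ok_flipped,
        "wrong_key": ok_wrong_key,
        "wrong_algorithm": ok_wrong_algo,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

The keyed construction is why a receiver can reject a packet without knowing what the sender intended to send, and the constant-time comparison avoids leaking how many ICV bytes matched. Both tunnel ends must agree on the algorithm as well as the key, which is exactly what the IPsec security association negotiates.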

User Authentication

Prior to granting access to the corporate network, it is necessary to verify the identity of remote users; unauthorized individuals cannot be allowed onto the network. This process, called user authentication, is arguably the most important element of any VPN solution. VPN-1 provides a host of user authentication options.

  • Pre-shared secrets are essentially passwords that must be distributed to users "out of band", that is, independently of the VPN technology infrastructure. They offer an easy way to quickly roll out VPNs to a limited number of remote users. However, shared secrets do not scale well to large remote user environments. Shared secrets are part of the IPSec standard.
  • Digital certificates are electronic credentials used to prove user identity. They can be stored on the remote machine or on tokens carried by the user. Management of digital certificates, including distribution and revocation, is automated by a Public Key Infrastructure (PKI). PKIs offer a stronger and more scalable authentication infrastructure than shared secrets, but are more expensive and complex to deploy. Digital certificates are also part of the IPSec standard.
  • Hybrid Mode Authentication enables organizations to integrate legacy authentication schemes such as SecurID, TACACS+, and RADIUS with IPSec VPNs. Without Hybrid Mode Authentication, these schemes must be replaced by shared secrets or digital certificates in order to deploy an IPSec VPN. This conversion can be a complex and costly process.

Broadband Security

Although cable and xDSL networks offer attractive opportunities to improve telecommuter productivity, each is associated with security issues that should be addressed prior to VPN deployment. Cable modem networks rely on a shared network topology in which computers in the same neighborhood reside on the same physical network segment. This topology makes it trivial for malicious or curious individuals to access their neighbors' data. The second problem is that cable and xDSL networks assign "always on" fixed IP addresses to user machines. An unprotected machine with an "always on" fixed IP address on the Internet makes a very attractive target for hackers. These vulnerabilities mean that a hacker could easily compromise data stored on the client machine. Even worse, a hacker could hijack a VPN tunnel to gain access to the corporate network.

Client Manageability

A major concern for most organizations is the manageability of the VPN client software. Common questions include the following. Can the client software be easily distributed to users, or is manual installation required on each remote machine? Will users understand the software, or is training required? Will the VPN client result in many help desk calls? Will telecommuters be able to do everything remotely that they can do from the office? The answers to these questions have a significant effect on VPN ROI and should be addressed prior to rollout.

Ease-of-Use

  • User Transparency — End users do not need to know anything about the VPN client software or the VPN gateway to establish a VPN tunnel. When a user wishes to check email remotely, for example, he or she simply opens the email client and requests a download as if connected to the corporate LAN. The VPN gateway then automatically detects the request, prompts the user to authenticate, and establishes a tunnel. The only user knowledge required is a username and password.

Next Steps

Remote access VPNs deliver tangible business benefits with significant cost savings versus RAS-based solutions. The important factors to consider before selecting and deploying a remote access solution include security, performance, and high availability. After considering all of these issues, you may find it helpful to consider outsourcing the architectural planning stage, so that a detailed plan can be put forth for your implementation. Regardless of how you arrive at your plan, make sure that you do have one. In this overview, we do not consider general security policies such as performing audits, checking for valid passwords, and so on. These are an entirely different subject and, as costs permit, are worth spending time on.

In arriving at your final plan, consider the following:

      Compatibility and reliability of the VPN client software

    • Determine how much training and support is required to deploy and get your users up to speed.
    • Determine if there is a limited hardware compatibility list.
    • Determine if hardware and network configuration changes can be made transparently to the end-user.
    • Determine if the client can handle an ISP configuration that performs NAT for remote dialup users.
    • Determine how well the client IP addressing scheme will fit into the corporate network.

      Performance needs of the remote applications

    • Try to minimize or eliminate the use of broadcast-based communications if possible.
    • Use compression to improve response time.
    • Try to use at least 56Kb dialup capability.

      IP Address Planning

    • Allocate a pool for Virtual IP Addresses.
    • Configure a WINS server for Microsoft Networking discovery (if required).
    • Set up DNS entries for Virtual IP Addresses at remote branch offices.
    • Plan changes to routing tables if necessary to accommodate the Virtual IP Address range.

      ISP Evaluation

    • Make sure your ISP is accountable through an SLA (Service Level Agreement).
    • Standardize on a single ISP for the entire corporation.
    • Determine whether your ISP performs NAT for remote dialup users, and consider testing this to ensure that your VPN client software can work correctly.
    • Make sure that your ISP does not impose severe restrictions by routing packets through a firewall that cannot handle fragmentation.

      Planning Firewall Policy Changes (if the VPN server is behind a firewall)

    • Determine what protocol numbers and ports to open (IP protocols 50 and 51, ESP and AH, for IPSec).
    • Determine if the firewall can handle fragmentation. If not, consider putting the VPN gateway parallel to the firewall instead.
    • Determine how well the client IP addressing scheme will fit into the corporate infrastructure.
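The fragmentation items above come from the extra bytes IPsec wraps around each packet. As an added example (not code from the page or from any vendor), the Python below computes the on-the-wire size of an IPv4 packet after ESP tunnel-mode encapsulation (outer 20-byte IP header, 8-byte ESP header, cipher IV, block padding, 2-byte trailer, and the 12-byte HMAC-96 integrity check value, per RFC 2406 and RFC 2404), which is what pushes a full-size 1500-byte client packet past a 1500-byte path MTU. It assumes DES-CBC or 3DES-CBC with HMAC-MD5-96 or HMAC-SHA-1-96 and no UDP encapsulation, and it also reports the largest inner packet that still fits, which is the MTU to set on the client if the firewall or ISP cannot pass fragments.

```python
# Per-packet overhead of IPv4 ESP tunnel mode (RFC 2406) with HMAC-96 authentication (RFC 2403/2404).
OUTER_IPV4_HEADER = 20      # new outer IP header added in tunnel mode
ESP_HEADER = 8              # SPI (4) + sequence number (4)
ESP_TRAILER = 2             # pad length (1) + next header (1)
ICV_HMAC96 = 12             # HMAC-MD5-96 or HMAC-SHA-1-96 integrity check value

# cipher -> (IV length, alignment that payload + padding + trailer must satisfy)
CIPHERS = {
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "null": (0, 4),         # no IV; ESP still requires 4-byte alignment
}


def esp_padding(inner_len: int, cipher: str) -> int:
    """Bytes of padding so that payload + padding + trailer is block/word aligned."""
    _, align = CIPHERS[cipher]
    return (-(inner_len + ESP_TRAILER)) % align


def esp_tunnel_size(inner_len: int, cipher: str = "3des-cbc", auth: bool = True) -> int:
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    if inner_len < 20:
        raise ValueError("inner packet must at least hold an IPv4 header")
    iv_len, _ = CIPHERS[cipher]
    return (OUTER_IPV4_HEADER + ESP_HEADER + iv_len + inner_len
            + esp_padding(inner_len, cipher) + ESP_TRAILER + (ICV_HMAC96 if auth else 0))


def needs_fragmentation(inner_len: int, mtu: int = 1500,
                        cipher: str = "3des-cbc", auth: bool = True) -> bool:
    """True when the encapsulated packet exceeds the MTU and must be fragmented."""
    return esp_tunnel_size(inner_len, cipher, auth) > mtu


def max_inner_packet(mtu: int = 1500, cipher: str = "3des-cbc", auth: bool = True) -> int:
    """Largest inner packet that fits the MTU unfragmented; the value to set as client MTU."""
    size = mtu
    while size >= 20 and esp_tunnel_size(size, cipher, auth) > mtu:
        size -= 1
    if size < 20:
        raise ValueError("MTU too small to carry any ESP packet")
    return size


if __name__ == "__main__":
    for cipher in CIPHERS:
        print(f"{cipher:9s} 1500-byte packet -> {esp_tunnel_size(1500, cipher)} bytes on the wire, "
              f"largest unfragmented inner packet = {max_inner_packet(1500, cipher)}")
```

A firewall that drops non-initial fragments (they carry no ESP header) will break exactly the large packets, so file transfers fail while pings succeed. Besides IP protocols 50 and 51, the IKE key exchange runs over UDP port 500, and the firewall in front of the gateway must pass that too.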

Please call 0870 421 4023 to find out how your company can benefit from the complete range of Whitehelm's VPN solutions, or e-mail vpn.team@Whitehelm.com requesting more information.

 


Copyright ©2004-2007 Whitehelm Network Security Ltd