Whitehelm - Remote Access VPN

Secure Remote Access

Summary

VPNs aim to give the remote corporate user the same level of access to corporate computing and data resources as the user would have if she were physically present at the corporate headquarters. By reducing the costs of transporting data traffic and by enabling network connections in locations where they would not be affordable, VPNs reduce the total cost of ownership of a corporate network.

RAS Remote Access

Traditional remote access solutions utilise a dial-up remote access server (RAS). RAS solutions require employees to connect to the corporate network via a direct telephone call to modem banks installed at the network edge. The key differences between dial-up and VPN architectures are:

Direct dial-up does not leverage the Internet for long distance connections,
Modem banks are supported by the corporation rather than the ISP, and
Encryption technologies are not required due to the fact that traffic traverses non-shared (switched) links. Figure 2 illustrates a dial-up remote access solution.

Fig. 2: Typical Dial-Up Remote Access

Migrating from traditional remote access

Companies that operate their own direct-dial remote access servers assign each client an IP address from the corporate network. In most cases, dynamic addresses are allocated from a pool, enabling reuse and simplifying address administration . Access servers typically use PPP IP Control Protocol (IPCP, RFC 1332) to communicate dynamic addresses to remote clients.

By receiving addresses from the corporate block, remote clients gain a "presence" on the corporate network. These addresses are internally routable and resolvable. They can receive LAN broadcasts and pass through IP filters designed to block outsider access.

Virtual private networks replace the physical connection between remote client and access server by a logical connection–a tunnel over a public network. Depending upon the approach used, this indirection can also limit the corporate network services extended to the remote client. For example, if the client cannot receive broadcasts, the user may not be able to browse the corporate "network neighborhood". When using a foreign address, corporate servers may not be accessible and new routes may be required to direct return traffic.

When migrating from traditional remote access to VPN, any loss of functionality is going to create unhappy users. The trick is to identify and circumvent potential problems before deployment. To do so, one must carefully consider client-side addressing.

Extending PPP across the VPN

Compulsory-mode L2TP involves tunneling from an L2TP access concentrator (LAC) at the ISP POP to an L2TP network server (LNS) at the edge of the corporate network. The ISP provides call termination and proxies PPP from remote clients to the LNS.

Voluntary-mode L2TP extends the tunnel end-to-end, from remote client to LNS. The ISP provides call termination and network connectivity, but LAC functions are performed by client software–for example, the L2TP client in Windows 2000.

In either mode, because PPP flows end-to-end, the LNS can use IPCP to supply dynamic address assignments to remote clients. Extending PPP across the VPN automatically preserves the remote client's "presence" on the corporate network.

Unfortunately, L2TP does not provide the level of security afforded by IPsec. Limitations identified include weak tunnel endpoint authentication, inadequate encryption services, and inability to protect data integrity. Some companies will be satisfied with L2TP. However, those who require strong authentication and confidentiality may require IPsec or L2TP over IPsec.

VPN Remote Access Defined

A remote access VPN uses data security technologies to securely connect remote employees to corporate information resources via the Internet. Figure 1 illustrates a typical remote access VPN.

Fig.1: Typical Remote Access VPN

In a remote access VPN, the employee first connects to the Internet using a standard broadband or dial-up link to any ISP’s local point of presence (POP). VPN client software running on a remote machine then uses a combination of encryption and authentication technologies to establish a secure tunnel over the Internet to a VPN gateway running at the edge of the corporate network. Once the VPN tunnel has been established, all communications between the client and the gateway are secured. This design leverages the Internet for long distance data transport while outsourcing modem termination hardware and last-mile connectivity to the ISP and local phone company respectively.

Business Case

Remote access makes remote employees more productive and more effective by giving them direct access to information from anywhere in the world. Access to email alone makes a big difference for mobile employees who rely on it as a primary business communication tool. VPNs deliver tangible business benefits with several advantages versus RAS solutions.

Cost - VPN cost savings are derived from two sources. First, Internet connections, which are typically local calls, are much less expensive than toll free or long distance dial-up connections. This factor alone convinces many organizations to eliminate RAS solutions in favor of VPN solutions. Secondly, VPN equipment is much less expensive to deploy and maintain than RAS equipment. According to Giga Information Group, domestic remote access VPNs can yield cost savings of 20 to 70 percent over RAS. Similarly, international remote access VPNs can yield cost savings of between 60 and 90 percent over RAS. As a result, most remote access VPNs pay for themselves in a matter of months.
Scalability - Scaling a remote access VPN involves a process of distributing VPN client software and, if necessary, increasing bandwidth of the corporate Internet connection. Once the VPN gateway is up and running, it can easily scale to support anywhere from a few hundred to tens of thousands of users. Scaling RAS solutions, on the other hand, requires deployment of additional hardware and adding phone lines.
Broadband - VPNs allow users to inexpensively connect to corporate networks via broadband links. This is a very attractive option for telecommuters in particular. Dial-up solutions do not offer this option.

Key Requirements

The key elements of a remote access VPN include security, performance, high availability, and client management. Organizations should clearly define their specific requirements in each area before selecting and deploying a solution. The remainder of this document defines the challenges associated with each of these elements, and outlines how the Check Point product family meets these challenges.

Security

Security is the foremost concern of any organization considering sending corporate communications over the Internet. In the context of remote access VPNs, relevant security issues include encryption, data authentication, user authentication, access control, and broadband security.

IPSec (Internet Protocol Security)

IPSec is a framework of open standards developed by the IETF (Internet Engineering Task Force) to ensure data privacy, data authentication, and user authentication on public networks. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs.

One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.

Data Privacy

Encryption algorithms are used in a VPN to scramble data prior to transmission over the Internet. This scrambling ensures that third parties cannot inspect data in transit. Only authorized end-points of a VPN tunnel have the ability to decrypt and view data. IPSec specifies 56-bit DES or 168-bit 3DES encryption for data privacy. 3DES provides the strongest security and is recommended for highly sensitive data. DES offers better performance than 3DES, but it is only used where strong security is not required or where export restrictions prevent use of strong encryption.

Data Authentication

Data authentication schemes are used to verify that communications have not been modified in transit. IPSec specifies MD5 and SHA-1 for data authentication and VPN-1 supports both of these algorithms. SHA-1 is a slightly stronger security algorithm, although both MD5 and SHA-1 are considered secure and are widely deployed.

User Authentication

Prior to granting access to the corporate network, it is necessary to verify the identity of remote users. Unauthorized individuals cannot be allowed to access the network. This process, called user authentication, is arguably the most important element of any VPN solution. VPN-1 provides a host of user authentication options.

Pre-shared secrets are essentially passwords that must be distributed to users "out of band", or independent of the VPN technology infrastructure. They offer an easy way to quickly roll out VPNs to a limited number of remote users. However, shared secrets do not provide robust scalability for large remote user environments. Shared secrets are part of the IPSec standard.
Digital certificates are electronic credentials used to prove user identity. These electronic credentials can be stored on the remote machine or on tokens carried by the user. Management of digital certificates, including distribution and revocation, is automated by a Public Key Infrastructure (PKI). PKIs offer a stronger and more scaleable authentication infrastructure than shared secrets but are more expensive and complex to deploy digital certificates are also part of the IPSec standard.
Hybrid Mode Authentication enables organizations to integrate legacy authentication schemes such as SecureID, TACACS+, and RADIUS with IPSec VPNs. Without Hybrid Mode Authentication, these schemes must be replaced by shared secrets or digital certificates in order to deploy an IPSec VPN. This conversion can be a complex and costly process.

Broadband Security

Although cable and xDSL networks offer attractive opportunities to improve telecommuter productivity, each is associated with security issues that should be addressed prior to VPN deployment. Cable modem networks rely on a shared network topology in which computers in the same neighborhood reside on the same physical network segment. This topology makes it trivial for malicious or curious individuals to access their neighbor’s data. The second problem is due to the fact that cable and xDSL networks assign "always on" fixed IP addresses to user machines. An unprotected machine with an "always on" fixed IP address on the Internet makes a very attractive target for hackers. These vulnerabilities mean that a hacker could easily compromise data stored on the client machine. Even worse, a hacker could hijack a VPN tunnel to gain access to the corporate network.

Client Manageability

A major concern for most organizations is the manageability of the VPN client software. Common questions include the following. Can the client software be easily distributed to users or is manual software installation required for each remote machine? Will users understand the software or is training required? Will the VPN client result in many help desk calls? Will telecommuters be able to do everything remotely that they can do from the office? The answers to these questions have a significant effect on VPN ROI and should be addressed prior to rollout.

Ease-of-Use

User Transparency — End users do not need to know anything about VPN client software or the VPN gateway to establish a VPN tunnel. When a user wishes to check email remotely, for example, he or she simply opens their email client and requests a download as if connected to the corporate LAN. The VPN gateway then automatically detects the request, prompts the user to authenticate and establishes a tunnel. The only user knowledge required is username and password.

Next Steps

Remote access VPNs deliver tangible business benefits with significant cost savings versus RAS-based solutions. The important factors to consider before selecting and deploying a remote access solution include security, performance, and high availability, After considering all of these issues, you may find it helpful to consider outsourcing the architectural planning stage, so that a detailed plan can be put forth for your implementation. Regardless of how you arrive at your plan, make sure that you do have one .In this overview, we don't consider general security policies such as performing audits, and checking for valid passwords, and so on. These are an entirely different subject, and, as costs permit, are worth spending time on.

in arriving at your final plan, consider the following:

Compatibility and reliability of the VPN client software

Determine how much training and support is required to deploy and get your users up to speed.
Determine if there is a limited hardware compatibility list.
Determine if hardware and network configuration changes can be made transparently to the end-user
Determine if the client can handle an ISP configuration that performs NAT to remote dialup users
Determine how well the client IP addressing scheme will fit into the corporate network

Performance needs of the remote applications

Try to minimize or eliminate the use of broadcast based communications if possible.
Use compression to increase response time.
Try to use at least 56Kb dialup capability.

IP Address Planning

Allocate a Pool for Virtual IP Addresses
Configure a WINS Server for Microsoft Networking discovery (if required)
Setup DNS entries for Virtual IP Addresses at Remote Branch Offices
Plan changes to routing tables if necessary to accommodate Virtual IP Address Range

ISP Evaluation

Make sure your ISP is accountable through a SLA (Service Level Agreement)
Standardize on a single ISP for the entire corporation
Determine whether your ISP does NAT to remote dialup users, and consider testing this to ensure that your VPN Client software can work correctly
Make sure that your ISP does not have any severe restrictions by routing packets through a firewall that cannot handle fragmentation

Planning Firewall Policy Changes (if VPN Server is behind firewall)

Determine what protocol numbers and ports to open (50 and 51 for IPSec)
Determine if the Firewall can handle fragmentation. If not, consider putting the VPN parallel to the firewall instead.
Determine how well the client IP addressing scheme will fit into the corporate infrastructure.

Please call 0870 421 4023 to find out how your company can benefit from the complete range of Whitehelm's VPN solutions, or e-mail sales@whitehelm.com requesting more information.