Connecting Secured Remote Networks
Introduction
Providing secure remote access over the insecure Internet is a business imperative for large corporations. The need to connect remote users to corporate resources securely is not a new problem for IT. Today, end users with emerging work styles, new computing and communication devices and ever-increasing expectations are driving demand for expanded remote access. Corporations now enable teleworkers, day extenders and business partners to access corporate network resources across untrusted networks. The remote users will typically be behind their own firewalls. They all expect easy, clientless access to the network resources they need, from anywhere, at any time, using any device.
Mandatory Solution - The VPN

The buzzword Virtual Private Network (VPN) has now become the mandatory solution for secure remote access. A VPN is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access, that communicate "securely" over a public network. VPNs may exist between an individual machine and a private network (client-to-server) or between a remote LAN and a private network (server-to-server). Security features differ from product to product, but a VPN must include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network.
Types of VPN
VPNs normally fall into three broad categories:
- Hardware-based systems
- Firewall-based VPNs
- Software-based VPNs
Hardware based VPN Systems
Hardware-based VPN systems are encrypting routers. They are secure and easy to use, and provide the nearest thing to "plug and play" encryption equipment available. They provide the highest network throughput of all VPN systems, since no processor time is spent running a general-purpose operating system or other applications. However, they may not be as flexible as software-based systems. The best hardware VPN packages offer software-only clients for remote installation and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.
Firewall based VPN Systems
Firewall-based VPNs take advantage of the firewall's security mechanisms, including restricting access to the internal network. They also perform address translation, satisfy requirements for strong authentication, and provide real-time alarms and extensive logging. Most commercial firewalls also "harden" the host operating system kernel by stripping out dangerous, unnecessary services, providing additional protection for the VPN server. OS protection is a major plus, since very few VPN application vendors supply guidance on OS security. Performance may be a concern, especially if the firewall is already heavily loaded, although some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN processing on the system.
Software based VPN Systems
Software-based VPNs are ideal in situations where both endpoints of the VPN are not controlled by the same organization (typical for client support requirements or business partnerships), or when different firewalls and routers are implemented within the same organization. At the moment, software VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle. In situations where performance requirements are modest (such as users connecting over dial-up links), software-based VPNs may be the best choice. However, software-based systems are generally harder to manage than encrypting routers: they require familiarity with the host operating system, the application itself and the appropriate security mechanisms, and some software VPN packages require changes to routing tables and network addressing schemes.
VPN Tunneling Protocols
Over the years, several protocols have been developed for encrypting network packets for VPN purposes. Each protocol has its own advantages and disadvantages, and they are incompatible with one another. The four major protocols that are widely accepted in the industry are listed below.
- Point-to-Point Tunneling Protocol (PPTP)
- Layer Two Tunneling Protocol (L2TP)
- Internet Protocol Security (IPsec)
- Secure Socket Layer (SSL)
Basic Architecture of Software Based VPN
A software-based VPN can be implemented by adding the required components to the various layers of the existing network stack. The most popular stack in common use on the Internet is TCP/IP. The network stack is layered, i.e., each layer performs a specific task defined for it yet still works in coherence with the others. A software-based VPN is therefore built by modifying one or more layers of the network stack; the SSL VPN is one of the best examples of a software-based VPN. A standard TCP/IP stack looks as shown in the figure.

SSL Based VPNs
The Secure Socket Layer (SSL) is a shim layer between the application and transport layers of the TCP/IP network stack. SSL takes care of the encryption and decryption part of the VPN. There are a number of points at which packets can be filtered as they move down the network stack from the application layer. Filtering commonly takes place at one of the following layers:
- Transport Layer
- Network Layer
- Data Link Layer
Which layer is used is a matter of policy, and the implementation differs among vendors. Each layer of filtering has its own pros and cons. Filters may be combined into a hybrid filter, which helps to improve performance and offset the limitations of the individual filters.
Basic Working Steps of SSL VPN
The two fundamental components of SSL VPN are
- VPN Server
- VPN Client
The client may be persistently installed on the system, or the more popular clientless version may be used. The steps are sequenced below:
- The server is started and configured.
- The client and the filter are started on the end-user machine.
- The client makes the initial handshake with the server.
- The client and server authenticate each other.
- Successful authentication leads to the exchange of security-related and other necessary parameters.
- A variety of techniques is employed in the filters to tunnel the required traffic to the remote site based on different parameters.
- The user accesses the application from the remote site transparently and securely.
The server on the remote site is properly equipped to handle all the requests from the client.
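The filter layers listed above and the tunnelling step ("tunnel the required traffic ... based on different parameters") can be made concrete with a small policy engine. The following is an added Python example, not code from the original article or from any VPN vendor; the packet fields, CIDR ranges, ports and rule ordering are constructed assumptions:

```python
"""Hybrid split-tunnel filter for an SSL VPN client: decide per packet whether
traffic enters the tunnel, goes directly to the Internet, or is dropped.
Added illustration, not code from the original article or any vendor; the
packet format, rules and addresses are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TUNNEL, DIRECT, DROP = "tunnel", "direct", "drop"

@dataclass(frozen=True)
class Packet:
    dst: str      # destination address (network-layer attribute)
    proto: str    # "tcp" or "udp" (transport-layer attribute)
    dport: int    # destination port (transport-layer attribute)

@dataclass(frozen=True)
class Rule:
    action: str
    dst_net: Optional[str] = None   # network-layer criterion (CIDR prefix)
    proto: Optional[str] = None     # transport-layer criteria; unset matches all
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # a v4 address is never "in" a v6 prefix, so mixed rule sets are safe
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

# Constructed policy, evaluated top to bottom; the first match wins.
POLICY = [
    # the VPN server's own TLS endpoint must bypass the tunnel, otherwise
    # the tunnel would try to carry its own transport
    Rule(DIRECT, dst_net="203.0.113.10/32", proto="tcp", dport=443),
    Rule(DROP, proto="tcp", dport=23),        # cleartext Telnet, any destination
    Rule(TUNNEL, dst_net="10.0.0.0/8"),       # corporate IPv4 range
    Rule(TUNNEL, dst_net="2001:db8::/32"),    # corporate IPv6 range
]

def classify(pkt: Packet, policy=POLICY, default: str = DIRECT) -> str:
    """First matching rule's action, else the explicit default: DIRECT gives
    split tunnelling, TUNNEL gives full tunnelling."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default
```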
Advantages of SSL VPN
Security Benefits
Privacy:
A private connection is established over the public channel by using data encryption.
Authentication:
Authentication is provided between the client and the server by using asymmetric algorithms.
Reliability:
Reliability and message integrity are provided by using SHA and a MAC.
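The integrity benefit can be shown concretely. The following is an added Python example, not code from the original article, of the HMAC-SHA256 record protection used by the TLS 1.2 record layer; the MAC key, record contents and the three-record exchange are constructed for the illustration:

```python
"""SSL/TLS-style record integrity: an HMAC over each record, bound to its
sequence number so tampering and replay are both detected. Added
illustration, not the article's code; follows the TLS 1.2 MAC input
(seq_num || type || version || length || fragment) with HMAC-SHA256."""
import hashlib
import hmac
import struct

APPLICATION_DATA = 23     # TLS content type of application data
TLS_1_2 = b"\x03\x03"     # record-layer version bytes
TAG_LEN = 32              # HMAC-SHA256 output length

def record_mac(key: bytes, seq_num: int, fragment: bytes) -> bytes:
    """HMAC-SHA256 over the TLS 1.2 MAC input for one application-data record."""
    header = struct.pack("!QB2sH", seq_num, APPLICATION_DATA, TLS_1_2, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

class Endpoint:
    """One direction of a connection: the sender numbers records from zero and
    the receiver checks each MAC against its own expected sequence number."""
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0
    def protect(self, fragment: bytes) -> bytes:
        tag = record_mac(self.key, self.seq, fragment)
        self.seq += 1
        return fragment + tag
    def unprotect(self, record: bytes) -> bytes:
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.key, self.seq, fragment)
        # constant-time compare; a real TLS peer would also close the connection
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")
        self.seq += 1
        return fragment

def demo() -> dict:
    """Constructed exchange: one genuine record, one tampered, one replayed."""
    key = hashlib.sha256(b"constructed client_write_MAC_key").digest()
    tx, rx = Endpoint(key), Endpoint(key)
    first = tx.protect(b"GET /intranet/ HTTP/1.1\r\n")
    results = {"genuine": rx.unprotect(first) == b"GET /intranet/ HTTP/1.1\r\n"}
    tampered = bytes([first[0] ^ 0x01]) + first[1:]    # flip one bit of 'G'
    for name, record in (("tampered", tampered), ("replayed", first)):
        try:
            rx.unprotect(record)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results
```

The receiver does not advance its sequence number on a failed check, so the genuine record replayed after it has been consumed once is rejected just like the tampered one.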
Accessibility Benefits
Complete (100%) accessibility of all the applications on the remote private network can be achieved using an SSL VPN. The degree of accessibility depends on the filters installed on the SSL VPN client side and the accessibility rules defined by the SSL VPN server. It can tunnel all the application-layer protocols, and the SSL VPN is not affected by the presence of NAT.
Business Benefits
Purchase Cost:
The SSL VPN is highly cost-effective; its purchase price is nearly half that of other VPNs, and the cost of operation and maintenance is minimal.
Round the Clock Work:
The SSL VPN promises 'anytime, anywhere secure access' and increases the availability of valuable secured resources in the global village.
Conclusion
As the VPN market evolves, the distinction between VPN architectures is becoming less clearly defined. Vendors have added software clients to their products and extended their server capabilities to include some of the security features more "traditionally" offered by software- or firewall-based VPNs. A few software-based products have added support for hardware-based encryptors to improve their performance. SSL VPNs and the different layers of filters are packaged into a single entity called the Universal VPN, which gives the user the flexibility of using the VPN mode that best suits the application.

