Internet Security and VPN Network Design
This article discusses some essential technical concepts associated with a VPN. A
Virtual Private Network (VPN) integrates remote employees, company offices, and business
partners using the Internet and secures encrypted tunnels between locations. An Access VPN
is used to connect remote users to the enterprise network. The remote workstation or
laptop will use an access circuit such as Cable, DSL or Wireless to connect to a local
Internet Service Provider (ISP). With a client-initiated model, software on the remote
workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2
Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP).
The user must authenticate as a permitted VPN user with the ISP. Once that is finished,
the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS,
RADIUS or Windows servers will authenticate the remote user as an employee that is allowed
access to the company network. With that finished, the remote user must then authenticate
to the local Windows domain server, Unix server or Mainframe host depending upon where
their network account is located. The ISP-initiated model is less secure than the
client-initiated model since the encrypted tunnel is built only from the ISP to the company
VPN router or VPN concentrator, leaving the access circuit between the remote workstation
and the ISP unprotected. In addition, the secure VPN tunnel is built with L2TP or L2F.
The Extranet VPN will connect business partners to a company network by building a
secure VPN connection from the business partner router to the company VPN router or
concentrator. The specific tunneling protocol utilized depends upon whether it is a router
connection or a remote dialup connection. The options for a router-connected Extranet VPN
are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will utilize
L2TP or L2F. The Intranet VPN will connect company offices across a secure connection
using the same process with IPSec or GRE as the tunneling protocols.
It is important to note that what makes VPNs very cost effective and efficient is
that they leverage the existing Internet for transporting company traffic. That is why
many companies are selecting IPSec as the security protocol of choice for guaranteeing
that information is secure as it travels between routers, or between a laptop and a router.
IPSec consists of 3DES encryption, IKE key exchange authentication and MD5 route
authentication, which provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec)
IPSec operation is worth noting since it is such a prevalent security protocol utilized
today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as
an open standard for secure transport of IP across the public Internet. The packet
structure is comprised of an IP header/IPSec header/Encapsulating Security
Payload. IPSec provides encryption services with 3DES and authentication with MD5. In
addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution
of secret keys between IPSec peer devices (concentrators and routers).
Those protocols are required for negotiating one-way or two-way security associations.
IPSec security associations are comprised of an encryption algorithm (3DES), hash algorithm
(MD5) and an authentication method (MD5). Access VPN implementations utilize three security
associations (SA) per connection (transmit, receive and IKE). An enterprise network with
many IPSec peer devices will utilize a Certificate Authority for scalability with the
authentication process instead of IKE/pre-shared keys.
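As an added example (not part of the original article), the following Python models the receive-side processing of an Encapsulating Security Payload packet described above: a security association table keyed by SPI, HMAC-MD5 verification of the ESP header and payload, and rejection of replayed sequence numbers. The 3DES encryption step is omitted because the standard library has no 3DES; the SPI, key and simplified replay window are constructed assumptions.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-MD5-96: the 16-byte HMAC-MD5 tag is truncated to 96 bits
ESP_HDR = struct.Struct("!II")  # ESP header: 32-bit SPI, 32-bit sequence number

# Constructed sample SA table keyed by SPI (values invented for this example).
# Each inbound SA holds its authentication key and the highest sequence seen.
AUTH_KEY = b"constructed-hmac-md5-key"
SA_TABLE = {0x1000ABCD: {"auth_key": AUTH_KEY, "last_seq": 0}}


def build_esp(spi, seq, payload, auth_key):
    """Sender side: ESP header | payload | ICV. The 3DES encryption of the
    payload is omitted (not in the standard library); the ICV still covers
    header and payload exactly as ESP authentication does."""
    header = ESP_HDR.pack(spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.md5).digest()[:ICV_LEN]
    return header + payload + icv


def verify_esp(packet, sa_table):
    """Receiver side. Returns (accepted, reason, payload).
    Order matters: SA lookup, then ICV, then replay, so a peer that cannot
    produce a valid ICV also cannot advance the replay counter."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return False, "truncated", b""
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sa_table.get(spi)
    if sa is None:  # no security association negotiated for this SPI
        return False, "unknown SPI", b""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return False, "bad ICV", b""
    if seq <= sa["last_seq"]:  # simplified anti-replay: strictly increasing
        return False, "replay", b""
    sa["last_seq"] = seq
    return True, "ok", body[ESP_HDR.size:]


if __name__ == "__main__":
    pkt = build_esp(0x1000ABCD, 1, b"constructed payload", AUTH_KEY)
    print(verify_esp(pkt, SA_TABLE))  # accepted
    print(verify_esp(pkt, SA_TABLE))  # rejected as replay
```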