VPN’s & Remote Access Issues David Trepp VP of Technology
Housekeeping Issues Duration: 1.25 hours +/- Questions & comments: early and often
Why We’re Here Examine a brief summary of considerations surrounding successful VPN and remote access planning, deployment and management. Note other perimeter security issues.
What is a VPN? Virtual Private Network - A network that performs private, trusted data transmissions over a public, untrusted network (e.g. the Internet). Usage: –Point to Point(s) –Remote Access –Hybrid
Essential VPN Definitions Authentication – A method of establishing identity between systems or users. Authorization – The right to access a network service after authentication has taken place. CIA – Confidentiality, Integrity, Availability – The three primary ways your (or your customer’s) information can be compromised.
More Essential VPN Definitions (Cont.) Encryption – The process of converting cleartext into what appears to be random characters (a.k.a. ciphertext) – FIPS standards include DES, 3DES, AES Tunneling – Encapsulation of packets within other packets, primarily for transmission across public IP networks (e.g. the Internet) – i.e. IPSec, L2TP, PPTP, PPP
VPN Economic Considerations VPN’s can be less expensive than WAN’s and more functional and secure than modem banks. Often cost-benefit compared with voice over solutions. Decision criteria include: –Current connectivity costs –Distances –Locations –# of sites –Type & volume of traffic –Existing equipment & software
Basic VPN Connectivity Steps Site-to-Site –1) Authenticate once –2) Encapsulate an IP packet –3) Encrypt and transmit –4) De-crypt –5) Un-encapsulate Remote Access –1) Authenticate each time a session begins –2) See 2 – 5 above
VPN Scaling Considerations Processor Cycles: number of tunnels (hence, processor cycles) is greater for remote user deployments than for a single site-to-site connection (i.e. 10 remote users require more processor cycles than 100 users across a site- to-site VPN). Bandwidth: depends on how the applications are deployed, but the VPN tunnel itself adds approximately 10-30% overhead.
VPN Security Considerations Authentication & Authorization! Centrally manageable firewalls at remote sites and/or users. Generic O/S’s vs. pre-hardened firewall/VPN device O/S’s. Application security.
VPN Technical Considerations Latency > 200ms causes application errors – (often a problem for remote users with DSL connections). Non-standard tunneling, encryption and hardware/software solutions can cause problems. Meshing site-to-site(s) VPN’s for fault tolerance is complex. VPN access for remote users does not mean complete network/application access. Every O/S on remote user PC’s has its own idiosyncrasies.
Proven VPN & Remote Access Solutions CheckPoint VPN-1: + Management of remote site and user security + Runs on appliances w/ hardened O/S’s (e.g. Nokia) + Supports many authentication schemes - $ Citrix NFUSE with Secure Gateway + Requires only browser and authentication mechanism + Supports many authentication schemes - Not a complete solution for site-to-site VPN Cisco/Altiga VPN + VPN concentrator has easy remote client setup + Runs on appliance w/ hardened O/S + Supports many authentication schemes - Limited management of remote user security
Other Perimeter Security Considerations Mail Relay/Virus Scanning Intrusion Detection Voice Systems Backdoors Web Servers Vendor/Business Partners
Regulatory Considerations FITSAF (any departments dealing with the federal government) – rity_assessment_framework_ htmlhttp:// rity_assessment_framework_ html HIPAA (health departments) – t.htmhttp://aspe.os.dhhs.gov/adminsimp/nprm/seclis t.htm
References Good white papers and suchhttp:// Internet Week VPN sitehttp:// vpnsolutions.htmlhttp:// vpnsolutions.html Check Point VPN site teway.asphttp:// teway.asp Citrix Secure gateway press release chnologies/VPNs.htmlhttp:// chnologies/VPNs.html Cisco VPN site