
VPN Security

A Brief Overview.

Computer networking provides a flexibility not available when using an archaic, paper-based system. With this flexibility, however, comes an increased security risk. This is why firewalls were first built; your router probably has a firewall. Firewalls help to protect data inside of a local network. But what happens once information leaves your local network, whether emailed or posted on the Internet? How is that data protected?

That is when a VPN can help. VPNs are called Virtual Private Networks because they secure data moving outside of your network as if it were still within that network.

How is this accomplished? And what can you do to maximize data security with a VPN? Read on.

Why VPN?

When data is sent out from your computer, it is always open to attacks. You may already have a firewall, which helps protect data moving around or held within your network from being corrupted or intercepted by entities outside of your network. But once data moves outside of your network, for example when you send data to someone via email or communicate with an individual over the Internet, the firewall no longer protects that data.

At this point, your data becomes open to hackers using a variety of methods to steal not only the data you are transmitting but also your network login and security data. Some of the most common methods are as follows:

1) MAC Address Spoofing

Packets transmitted over a network, either your local network or the Internet, are preceded by a Packet Header. These Packet Headers contain both the source and destination information for that packet. A hacker can use this information to spoof (or fake) a MAC Address allowed on the network. With this spoofed MAC Address, the hacker can also intercept information meant for another user.

2) Data Sniffing

Data "sniffing" is a method used by hackers to obtain network data as it travels through unsecured networks, such as the Internet. Tools for just this kind of activity, such as protocol analyzers and network diagnostic tools, are often built into operating systems and allow the data to be viewed in clear text.

3) Man in the Middle Attacks

Once the hacker has either sniffed or spoofed enough information, he can perform a "man in the middle" attack. While data is being transmitted from one network to another, he uses this information to reroute the data to himself while appearing to be the intended destination. This way, the data still appears to be going to its intended recipient.

These are only a few of the methods hackers use and they are always developing more. Whenever it's outside the security of your firewall, your data is constantly open to such attacks as it travels over the Internet. Data travelling over the Internet will often pass through many different servers around the world before reaching its final destination. That's a long way to go for unsecured data and this is where a VPN serves its purpose.

What is a VPN?

A VPN, or Virtual Private Network, is a connection between two PCs in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. This establishes a private network that can send data securely between these two locations.

This is done by creating a "tunnel". A VPN tunnel connects the two PCs and allows data to be transmitted over the Internet as if it were still within those networks. It is not a literal tunnel; it is a connection secured by encrypting the data sent between the two networks. This encrypted data "tunnels" through the open region of the Internet.

VPN was created as a cost-effective alternative to using a private, dedicated, leased line for a private network. Using the industry-standard encryption and authentication techniques of IPSec, the VPN creates a secure connection that, in effect, operates as if you are directly connected to your local network. Virtual Private Networking can be used to create secure networks linking a central office with branch offices, telecommuters, and/or professionals on the road (travelers can connect to a VPN Router using any computer with VPN client software that supports IPSec).

There are two basic ways to create a VPN connection:

- VPN Router to VPN Router
- Computer (using VPN client software that supports IPSec) to VPN Router

An example of a VPN Router-to-VPN Router VPN would be as follows. At home, a telecommuter uses his Cable/DSL VPN Router for his always-on Internet connection. His router is configured with his office's VPN settings. When he connects to his office's router, the two routers create a VPN tunnel, encrypting and decrypting data. Since VPNs utilize the Internet, distance is not a factor. Using the VPN, the telecommuter now has a secure connection to the central office's network, as if he were physically connected.

The following is an example of a computer-to-VPN Router VPN. In her hotel room, a traveling businesswoman dials up her ISP. Her notebook computer has VPN client software that is configured with her office's VPN settings. She runs the VPN client software that supports IPSec and connects to the VPN Router at the central office. Since VPNs utilize the Internet, distance is not a factor. Using the VPN, the businesswoman now has a secure connection to the central office's network, as if she were physically connected.

Maximizing VPN Security.

Just as you maximized your internal network security with a firewall router, you should also maximize security for your externally transmitted data with a VPN router from Linksys.

Avoid any VPN, router or software, that uses PPTP rather than IPSec. PPTP (Point-to-Point Tunneling Protocol) relies only on the user's name and password for security. IPSec (IP Security), on the other hand, offers more robust authentication and actually encrypts the data transmitted over the Internet.

IPSec is compatible with most VPN endpoints and ensures data privacy and authentication while also verifying user identity. With IPSec, authentication is based upon the PC's IP Address. This not only confirms the user's identity but also establishes the secure tunnel at the network layer, protecting all data that passes through.

By operating at the network layer, IPSec is independent of any applications running on the network. This way, it doesn't take up bandwidth on your network, allowing you to do more with greater security. Still, it is important to note that IPSec encryption does create a slight slowdown in network throughput, due to the processing necessary for encrypting and decrypting data.

Some VPN devices leave the IP Headers unencrypted. These headers contain the IP Addresses for the users at both ends of the VPN tunnel and can be utilized by the hacker in future attacks. Linksys VPN Routers, however, do not leave the IP Headers unencrypted. Using a method called PFS (Perfect Forward Secrecy), not only are the IP Headers encrypted but the secret keys used to secure the tunnel are encrypted as well.

All of this protection actually comes at a lower cost than most VPN endpoint software packages. A Linksys VPN Router will allow the users on your network to secure their data over the Internet without having to purchase the extra client licenses that software packages will require. With VPN functions handled by the router, rather than your PC (which software packages would require), your PCs are freed up to perform more functions, more efficiently. An additional benefit to this is that you aren't required to reconfigure any of your network PCs.

As secure as a Linksys VPN Router makes your data, there are still more ways to maximize security. The following are just a few suggestions on how to increase data security beyond using a VPN router.

1) Maximize security on your other networks. Install firewall routers for your Internet connections and use the most up-to-date security measures for wireless networking.

2) Narrow the scope of your VPN tunnel as much as possible. Rather than assigning a range of IP Addresses, use the address specific to the endpoints required.

3) Do not set the Remote Security Group to Any, as this will open the VPN to any IP Address. Specify a single IP address.

4) Maximize Encryption and Authentication. Use 3DES encryption and SHA Authentication whenever possible.

5) Manage your Pre-shared Keys. Change Pre-shared Keys regularly.
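As an added example (not from the original page and not Linksys code), the following script applies suggestions 2 to 5 above to a set of constructed tunnel settings and reports which tunnels violate them. The field names, the sample values and the 90-day key-rotation interval are assumptions for this example, not any router's real configuration format.

```python
import ipaddress
from datetime import date

# Constructed sample tunnel policies in the style of a small-office VPN router's
# IPsec settings; the field names are assumptions, not a real vendor's format.
TUNNELS = [
    {"name": "branch-to-hq", "remote_group": "Any",
     "encryption": "DES", "auth": "MD5", "psk_last_changed": date(2003, 1, 15)},
    {"name": "sales-team", "remote_group": "203.0.113.1-203.0.113.50",
     "encryption": "3DES", "auth": "MD5", "psk_last_changed": date(2003, 6, 20)},
    {"name": "laptop-to-hq", "remote_group": "203.0.113.7/32",
     "encryption": "3DES", "auth": "SHA", "psk_last_changed": date(2003, 6, 1)},
]

# 3DES/SHA were the strongest choices on routers of this era; AES and SHA-2 are
# accepted too, since current endpoints should prefer them.
STRONG_ENCRYPTION = {"3DES", "AES"}
STRONG_AUTH = {"SHA", "SHA1", "SHA256"}
PSK_MAX_AGE_DAYS = 90  # assumed rotation interval for pre-shared keys
AUDIT_DATE = date(2003, 7, 1)  # constructed "today" for the sample audit

def remote_group_finding(remote_group):
    """Return a finding if the remote security group is wider than one host."""
    rg = remote_group.strip().lower()
    if rg in ("any", "0.0.0.0/0"):
        return "remote security group is Any: the tunnel accepts any IP address"
    if "-" in rg:  # dotted range such as 203.0.113.1-203.0.113.50
        return f"remote security group {remote_group} is a range; use the single endpoint address"
    if ipaddress.ip_network(rg, strict=False).num_addresses > 1:
        return f"remote security group {remote_group} is a subnet; use the single endpoint address"
    return None

def check_tunnel(tunnel, today):
    """Apply the hardening suggestions above and list what the tunnel violates."""
    findings = []
    rg_finding = remote_group_finding(tunnel["remote_group"])
    if rg_finding:
        findings.append(rg_finding)
    if tunnel["encryption"].upper() not in STRONG_ENCRYPTION:
        findings.append(f"encryption {tunnel['encryption']} is weak; use 3DES (or AES)")
    if tunnel["auth"].upper() not in STRONG_AUTH:
        findings.append(f"authentication {tunnel['auth']} is weak; use SHA")
    key_age = (today - tunnel["psk_last_changed"]).days
    if key_age > PSK_MAX_AGE_DAYS:
        findings.append(f"pre-shared key is {key_age} days old; rotate it")
    return findings

def audit(tunnels, today):
    """Map each tunnel name to its findings; an empty list means it passes."""
    return {t["name"]: check_tunnel(t, today) for t in tunnels}
```

Running `audit(TUNNELS, AUDIT_DATE)` flags the first two tunnels and passes the third, which uses a single /32 endpoint, 3DES with SHA, and a recently rotated key.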

Data transmission over the Internet is a hole in network security that is often overlooked. With VPN maximized, along with the use of a firewall router and wireless security, you can secure your data even when it leaves your network.


Copyright ©  2003 - WirelessTEK