
CHAPTER 10
Virtual Private Networks
Copyright 2001 The McGraw-Hill Companies, Inc.
Private networks have been used by organizations to communicate with remote sites and with other organizations. Private networks are made up of lines leased from the various phone companies and ISPs. The lines are point to point, and the bits that travel on these lines are segregated from other traffic because the leased lines create a real circuit between the two sites. There are many benefits to private networks:
- Information is kept “within the fold.”
- Remote sites can exchange information instantaneously.
- Remote users do not feel so isolated.
Unfortunately, there is also a big disadvantage: cost. Private networks cost a lot of
money. Using slower lines can save some money but then the remote users start to notice
the lack of speed and some of the advantages begin to evaporate.
With the increasing use of the Internet, many organizations have moved to Virtual
Private Networks (VPN). VPNs offer organizations many of the advantages of private
networks with a lower cost. However, VPNs introduce a whole new set of issues and
risks for an organization. Properly architected and implemented, VPNs can be advanta-
geous to the organization. Poorly architected and implemented, all the information that
passes across the VPN might as well be posted on the Internet.
DEFINING VIRTUAL PRIVATE NETWORKS
So, we are going to send sensitive organization information across the Internet in such a way as to reduce the need for leased lines and still maintain the confidentiality of the traffic. How do we separate our traffic from everyone else’s? The short answer is that we use encryption.
All kinds of traffic flow across the Internet. Much of that traffic is sent in the clear so that
anyone watching the traffic can see exactly what is going by. This is true for most mail and
Web traffic as well as telnet and FTP sessions. Secure Shell (SSH) and HyperText Transfer
Protocol - Secure (HTTPS) traffic is encrypted and thus cannot be examined by someone
reading the packets. However, SSH and HTTPS traffic does not constitute a VPN.
VPNs have several characteristics:
- Traffic is encrypted so as to prevent eavesdropping.
- The remote site is authenticated.
- Multiple protocols are supported over the VPN.
- The connection is point to point.
Since neither SSH nor HTTPS can handle multiple protocols, neither is a real VPN. VPN packets are mixed in with the regular traffic flow on the Internet and segregated because only the end points of the connection can read the traffic.
Network Security: A Beginner’s Guide
Let’s look more closely at each of the characteristics of a VPN. We have already stated that VPN traffic is encrypted to prevent eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the traffic for the length of time the traffic is valuable. Passwords may only be valuable for 30 days (assuming a 30-day change policy); however, sensitive information may be valuable for years. Therefore, the encryption algorithm and the VPN implementation must prevent an unauthorized individual from decrypting the traffic for some number of years.
The second characteristic is that the remote site is authenticated. This characteristic may require that some users be authenticated to a central server or it may require that both ends of the VPN be authenticated to each other. The authentication mechanism used will be governed by policy. It may require that users authenticate with two factors or with dynamic passwords. For mutual authentication, both sites may be required to demonstrate knowledge of a shared secret that is preconfigured.
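The mutual authentication with a preconfigured shared secret described above, as an added example that is not from the book: each end point issues a random challenge and proves knowledge of the secret with an HMAC over the peer's challenge, so the secret itself never crosses the wire. The end point names, the key and the use of HMAC-SHA256 are assumptions for this illustration, not any particular VPN product's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment provisions the secret out of band.
SHARED_SECRET = b"preconfigured-secret-constructed-for-this-example"


class Endpoint:
    """One end of the VPN, holding the secret it was preconfigured with."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def challenge(self) -> bytes:
        # Fresh random nonce per attempt, so a captured response cannot be
        # replayed against a later challenge.
        return secrets.token_bytes(16)

    def respond(self, peer_challenge: bytes) -> bytes:
        # Bind the responder's own name into the MAC so a response produced in
        # one direction cannot simply be reflected back in the other.
        return hmac.new(self.secret, self.name.encode() + peer_challenge,
                        hashlib.sha256).digest()

    def verify(self, peer_name: str, my_challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.secret, peer_name.encode() + my_challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_authenticate(a: Endpoint, b: Endpoint) -> bool:
    """Both ends challenge the other; the VPN comes up only if both verify."""
    ca = a.challenge()   # A -> B: A's challenge
    cb = b.challenge()   # B -> A: B's challenge
    rb = b.respond(ca)   # B -> A: proof that B knows the secret
    ra = a.respond(cb)   # A -> B: proof that A knows the secret
    return a.verify(b.name, ca, rb) and b.verify(a.name, cb, ra)


if __name__ == "__main__":
    site_a = Endpoint("site-a", SHARED_SECRET)
    site_b = Endpoint("site-b", SHARED_SECRET)
    impostor = Endpoint("site-b", b"guessed-secret")
    print("genuine peers:", mutual_authenticate(site_a, site_b))
    print("impostor peer:", mutual_authenticate(site_a, impostor))
```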
VPNs are built to handle different protocols, especially at the application layer. For example, a remote user may use SMTP to communicate with a mail server while also using NetBIOS to communicate with a file server. Both of these protocols would run over the same VPN channel or circuit (see Figure 10-1).
Point to point means that the two end points of the VPN set up a unique channel be-
tween them. Each end point may have several VPNs open with other end points simulta-
neously but each is distinct from the others and separated by the encryption.
Figure 10-1. VPNs handle multiple protocols
VPNs are generally separated into two types: user VPNs and site VPNs. The difference between them is the way the two types are used, not the way traffic is segregated by each type. The remainder of this chapter discusses each type of VPN in detail.
USER VPNS
User VPNs are virtual private networks between an individual user machine and an organization site or network. Often user VPNs are used for employees who travel or work from home. The VPN server may be the organization’s firewall or it may be a separate VPN server. The user connects to the Internet via a local ISP dial-up, DSL line, or cable modem and initiates a VPN to the organization site via the Internet.
The organization’s site requests the user to authenticate and, if successful, allows the user access to the organization’s internal network as if the user were within the site and physically on the network. Obviously, the network speeds will be slower since the limiting factor will be the user’s Internet connection.
User VPNs may allow the organization to limit the systems or files that the remote
user can access. This limitation should be based on organization policy and depends on
the capabilities of the VPN product.
While the user has a VPN back to the organization’s internal network, he or she also
has a connection to the Internet and can surf the Web or perform other activities like a
normal Internet user. The VPN is handled by a separate application on the user’s com-
puter (see Figure 10-2).
Benefits of User VPNs
There are two primary benefits of user VPNs:
- Employees who travel can have access to e-mail, files, and internal systems wherever they are without the need for expensive long distance calls to dial-in servers.
- Employees who work from home can have the same access to network services as employees who work from the organization facilities without the requirement for expensive leased lines.
Both of these benefits can be figured into cost savings. Whether the costs are long-distance charges, leased-line fees, or staff time to administer dial-in servers, there is a cost savings.
For some users there may also be a speed increase over dial-in systems. Home users
with DSL or cable modems should see a speed increase over 56K dial-up lines. More and
more hotel rooms are also being equipped with network access connections so speed
should also increase for employees who travel.

NOTE: A speed increase over a 56K dial-up line is not guaranteed. The overall speed of the connection depends upon many things, including the user’s Internet connection, the organization’s Internet connection, congestion on the Internet, and the number of simultaneous connections to the VPN server.
Issues with User VPNs
The proper use of user VPNs can reduce the costs to an organization but user VPNs are
not a panacea. There are significant security risks and implementation issues that must be
dealt with.
Perhaps the biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites. Normally, the VPN software on the user’s computer determines if the traffic should be sent to the organization via the VPN or to some other Internet site in the clear. If the user’s computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee’s computer to connect to the organization’s internal network (see Figure 10-3). This type of attack takes some sophistication but is far from impossible.
User VPNs require the same attention to user-management issues as internal systems. In some cases, the users of the VPN can be tied to user IDs on a Windows NT domain or to some other central user-management system. This capability makes user management simpler, but administrators must still be cognizant of which users require remote VPN access and which do not. If the VPN user management is not tied to a central user-management system, the user-management procedures for the organization must take this into account when employees leave the organization.
Figure 10-2. User VPN configuration
Users must authenticate themselves before using the VPN. Since the VPN allows remote access to the organization’s internal network, this authentication should require two factors. One factor may be the user’s computer itself. If so, the second factor must be something the user knows or something she is. In either case, the second factor must not be something that can reside on or with the computer.
Organizations must also be concerned with traffic loads. The primary load point will
be the VPN server at the organization site. The key parameter for loads is the number of
simultaneous connections that are expected. As each connection comes up, the VPN
server is expected to be able to decrypt additional traffic. While the processor may be able
to handle large traffic volumes, it may not be able to encrypt and decrypt a large number
of packets without significant delay. Therefore, the VPN server should be sized based on
the number of simultaneous connections that are expected.
One other issue may impact how an organization uses a user VPN. This issue is the use of NAT at the remote end of the connection. If the organization expects its employees to attempt to use a VPN from sites that are behind firewalls, this may become an issue.
Figure 10-3. Use of a Trojan Horse program to access an organization’s internal network
For example, if Organization A is a consulting company with employees working at Organization B, A might like its employees to be able to connect back for mail and file access. However, if they are working from computers attached to B’s internal network and B uses dynamic NAT to hide the addresses of internal systems, this may not be possible. If your organization chooses to use its VPN in this manner, you should check the capabilities of the VPN software in this regard.
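One reason B's dynamic NAT can defeat the scenario above, as an added illustration that is not from the book: if the VPN's integrity check covers the outer IP header (as IPsec AH does), the NAT gateway rewriting the source address invalidates every packet, whereas a check over only the encapsulated payload survives the rewrite while still catching tampering. The key, addresses, packet layout and field names are constructed for this example.

```python
import hashlib
import hmac

# Constructed key and addresses for this example only.
KEY = b"constructed-vpn-integrity-key"
EMPLOYEE_PC = "10.1.2.3"        # private address inside Organization B
B_NAT_GATEWAY = "198.51.100.7"  # public address B's NAT presents to the Internet
A_VPN_SERVER = "203.0.113.10"   # Organization A's VPN end point


def outer_header(src: str, dst: str) -> bytes:
    # Stand-in for the outer IP header fields an integrity check may cover.
    return f"{src}>{dst}".encode()


def protect(src: str, dst: str, payload: bytes, cover_header: bool) -> dict:
    """Tag a packet. cover_header=True also binds the outer source/destination."""
    covered = (outer_header(src, dst) if cover_header else b"") + payload
    tag = hmac.new(KEY, covered, hashlib.sha256).digest()
    return {"src": src, "dst": dst, "payload": payload, "tag": tag}


def verify(pkt: dict, cover_header: bool) -> bool:
    covered = (outer_header(pkt["src"], pkt["dst"]) if cover_header else b"") + pkt["payload"]
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["tag"])


def dynamic_nat(pkt: dict) -> dict:
    """Model B's gateway: the private source address is rewritten on the way out."""
    return {**pkt, "src": B_NAT_GATEWAY}


def survives_nat(cover_header: bool) -> bool:
    """Does a tagged packet from the employee's PC still verify at A after B's NAT?"""
    pkt = protect(EMPLOYEE_PC, A_VPN_SERVER, b"constructed SMTP traffic", cover_header)
    return verify(dynamic_nat(pkt), cover_header)


def tamper_detected(cover_header: bool) -> bool:
    """Either style of check still rejects a payload modified in transit."""
    pkt = protect(EMPLOYEE_PC, A_VPN_SERVER, b"constructed SMTP traffic", cover_header)
    pkt = dict(pkt, payload=b"altered in transit")
    return not verify(pkt, cover_header)


if __name__ == "__main__":
    print("header covered, after NAT:", survives_nat(True))    # fails
    print("payload only, after NAT:", survives_nat(False))     # verifies
```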
Managing User VPNs
Managing user VPNs is primarily an issue of managing the users and user computer systems. Appropriate user-management procedures should be in place and followed during employee separation.
Obviously, the proper VPN software versions and configurations must be loaded on user computers. If the computers are owned by the organization, this becomes part of the standard software load for the computer. If the organization allows employees to use the VPN from their home computers, the organization will need to increase overall support to these users as different computers and ISPs may require different configurations.
One key aspect of the user VPN that should not be forgotten is the use of a good
anti-virus software package on the user’s computer. This software package should have
its signatures updated on a regular basis (at least monthly) to guard against viruses and
Trojan Horse programs being loaded on the user’s computer.
SITE VPNS
Site VPNs are used by organizations to connect remote sites without the need for expen-
sive leased lines or to connect two different organizations that wish to communicate for
some business purpose. Generally, the VPN connects one firewall or border router with
another firewall or border router (see Figure 10-4).
To initiate the connection, one site attempts to send traffic to the other. This
causes the two VPN end points to initiate the VPN. The two end points will negotiate
the parameters of the connection depending on the policies of the two sites. The two
Figure 10-4. Site-to-site VPN across the Internet