Virtual Private Networks

Virtual Private Networks (VPNs) are a cost-effective way to extend your LAN over the Internet to remote networks and remote client computers. VPNs use the Internet to route LAN traffic from one private network to another by encapsulating the LAN traffic in IP packets. The encrypted packets are unreadable by intermediary Internet computers and can contain any kind of LAN communications, including file and print access, LAN e-mail, Remote Procedure Calls, and client/server database access.

Virtual Private Networks between LANs can be made using VPN software on the client computers or by dialing in to ISPs that support a VPN protocol. Using this second method, however, makes the ISP a partner in your network security in the same way that relying on an ISP for your firewall does.

Pure VPN systems don't provide adequate network protection. You also need a firewall and other Internet security services to keep your network safe. You should be particularly aware of the security problems of PPTP and take steps to correct them in your own network.

Using the Internet to link LANs and give remote computers LAN access raises security, performance, and reliability concerns for members of your organization. The LAN clients and servers should be protected from the Internet by a firewall and proxy servers so that (ideally) network intruders can't even identify their existence, much less target them for individual attack. In order to make it more difficult for hackers to capture private company information, most firewalls are configured not to pass typical LAN service protocols such as NetBIOS, the NetWare Core Protocol, or NFS.

You could link your Windows-based LANs together over the Internet simply by configuring your firewall to pass NetBIOS traffic, allowing your employees remote access to file and print services. You could open your firewall to NFS to allow UNIX hosts to communicate directly over the Internet, or open your firewall to AppleTalk traffic for Macintosh clients. But this would allow hackers to access your data simply by providing a valid account name and password, or by attacking the protocol to exploit a bug that would allow access.

Exposing your LAN file-sharing protocols (like NetBIOS, NFS, or AppleTalk) in this manner effectively makes the whole Internet your LAN. It is virtual, but not private. Not only could your sales force print to your engineering department's printers or log on to your accounting department's file server, anyone on the Internet could print to the printer or log on to the file server. An intruder would have to guess a password, of course, but hackers have a lot of experience in guessing passwords.

Virtual Private Networking Explained

Virtual Private Networks solve the problem of direct Internet access to servers through a combination of the following fundamental security components:

  • IP encapsulation
  • Cryptographic authentication
  • Data payload encryption

All three components must exist in a true VPN. Although cryptographic authentication and data payload encryption may seem like the same thing at first, they are actually entirely different functions and may exist independently of each other. For example, Secure Sockets Layer performs data payload encryption without cryptographic authentication of the remote user, and the standard Windows logon performs cryptographic authentication without performing data payload encryption.
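To make the three components concrete, here is an added example (not code from the original page or any real VPN product) of a toy tunnel frame that encapsulates a LAN packet, encrypts it, and authenticates it with a shared MAC key. Peer authentication and key exchange are assumed to have happened beforehand; the frame layout, keys and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy frame layout (illustration only, not any real VPN wire format):
#   nonce (8 bytes) | ciphertext | tag (32 bytes)
# The inner packet is the LAN traffic being encapsulated; carrying the frame
# across the Internet inside IP/UDP is left to the socket layer and not shown.
NONCE_LEN = 8
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream derived with SHAKE-256; a production VPN uses a vetted cipher.
    return hashlib.shake_256(key + nonce).digest(length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(enc_key: bytes, mac_key: bytes, inner_packet: bytes) -> bytes:
    """Encrypt the inner packet, then authenticate nonce + ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decapsulate(enc_key: bytes, mac_key: bytes, frame: bytes) -> bytes:
    """Verify the tag first; only an authentic frame is decrypted and forwarded to the LAN."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: frame dropped")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def decrypt_without_authentication(enc_key: bytes, frame: bytes) -> bytes:
    """Encryption with the authentication step left out: the tag is ignored, so a
    frame altered in transit still decrypts, silently, to an altered inner packet.
    This is why the text treats authentication and encryption as separate components."""
    nonce, ciphertext = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    packet = b"NETBIOS-SESSION: \\\\FILESRV\\ENGINEERING\\specs.doc"  # constructed sample
    frame = encapsulate(enc_key, mac_key, packet)
    print("round trip ok:", decapsulate(enc_key, mac_key, frame) == packet)
    damaged = bytearray(frame)
    damaged[NONCE_LEN] ^= 0x01            # flip one ciphertext bit in transit
    try:
        decapsulate(enc_key, mac_key, bytes(damaged))
    except ValueError as err:
        print("authenticated path:", err)
    print("unauthenticated path decrypts anyway:",
          decrypt_without_authentication(enc_key, bytes(damaged)) != packet)
```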

Characteristics of VPNs

When you consider establishing a VPN for your company, you should understand the advantages and disadvantages of VPNs when compared with traditional LANs and WANs.

VPNs Are Cheaper Than WANs

The primary consideration, in many cases, is that a VPN is often much cheaper than a WAN of similar size, especially when you want Internet connectivity for your LANs. A single dedicated leased line through a metropolitan area (from one part of a city to another) can cost from hundreds to thousands of dollars a month, depending on the amount of bandwidth you need. A company's dedicated connection to an ISP is usually made with a leased line of this sort, but for each LAN to be linked with a VPN, only one leased line to an ISP is required, and it can be used for both Internet and VPN traffic. ISPs can be selected for proximity to your operation to reduce cost.

You can also establish a business Internet connection to some ISPs using regular analog modems, ISDN, xDSL, or cable modems, depending on the services available in your area. These methods of connecting to the Internet can be much less expensive than dedicated leased telephone lines, but you must evaluate whether the bandwidth provided by these connection methods is sufficient for use with your VPN.

VPNs really shine compared to traditional WANs in the way they deal with LANs being connected over widely separated geographical areas (in different cities, different states, or even different countries). The costs of dedicated long distance phone lines are much greater than the costs for local-loop circuits (connections between locations that share the same local telephone switch). You can use the Internet instead of expensive long-distance lines.

When considering a VPN, you have to take into account your total monthly bandwidth requirements as well as your peak, short-period bandwidth requirements. Many ISPs apply a surcharge when the total amount of data transferred in a month exceeds a certain amount. It is unlikely that even intensive long-term use of the Internet connection will exceed the costs of leasing a long-distance line of similar capacity, but you should still check the policies of the ISPs in your area and make plans accordingly.

The VPN advantage in terms of remote user dial-in is that you don't have to provide and support your own specialized dial-in equipment, such as modems and terminal servers, or maintain dial-up phone lines. You can rely on an ISP to provide that service for you. The management and equipment depreciation costs alone should justify paying for your users' ISP accounts (and many users have arranged for their own ISP accounts for their home computers, anyway).

VPNs Are Easier to Establish

The two most difficult issues in WAN creation and management have to do with establishing communications links over the dedicated leased phone lines (using specialized communications devices) and routing WAN traffic over those links using routers and gateways.

When you establish a VPN over the Internet, your Internet Service Provider will help you make the initial IP connection to their service. Once you configure your firewall for tunneling, you can let the Internet do your routing for you. You don't have to learn how to program and manage specialized routers and gateways (unless you use them in your local network, as when several LANs in a campus are linked together). You do have to establish and manage the VPN connections, however, and you must maintain a connection to the Internet (you will most likely be maintaining an Internet connection anyway).

Types of VPNs

Many firewalls also include IP tunneling functionality on which a VPN can be based. Many medium to large networks use routers to manage traffic routed within, as well as into and out of, the LAN. And many routers include VPN features that perform the same function as PPTP. A number of VPN-only routers also exist; these devices are called VPN appliances because they perform only one function. Regardless of how the VPN is set up, any properly secured network with an Internet connection will include firewall and possibly proxy server services. A VPN must be configured to work with these services.

There are three types of VPNs:

  • Server-based VPNs
  • Firewall-based VPNs
  • Router-based VPNs, including VPN appliances.

Server-Based VPNs

In a Windows NT-based network, perhaps the easiest and least disruptive way to establish a VPN between LANs is to dedicate a Windows NT Server computer to routing the PPTP traffic. Existing firewall, router, and proxy server services can be left in place, and the only modification to the Internet security setup required is for the firewall to pass the PPTP ports through to the Windows NT RAS server.

While Windows NT is a full-featured operating system that can run firewall software, maintain PPTP links using RAS, and provide file and print services to network clients all at the same time, it is not a good idea to do all that with just one computer. A security failure in any one of these services would compromise the entire network instead of just the affected computer. The RAS server, for example, doesn't have to be a privileged computer in the network; all it has to do is encapsulate and un-encapsulate network traffic. A hacker who has compromised a properly isolated RAS server will still have regular LAN security to defeat (such as usernames and passwords) and will have to get through the firewall to get to the RAS server. If the file server also hosted the RAS services, the hacker would have access to all of the network files.

You should be aware that VPN traffic destined for a remote network in the VPN travels over each LAN twice: once in the form of regular LAN traffic to the RAS server, and once again encapsulated in PPTP from the RAS server to the firewall. While the duplication of LAN traffic is inefficient, the amount of traffic is usually insignificant compared to regular LAN traffic because the bandwidth of the Internet connection limits the amount of information that can be sent over PPTP.

Windows NT Server 4 comes with everything you need to establish a Virtual Private Network over the Internet using PPTP, but Microsoft's implementation of PPTP is flawed and should only be considered somewhat secure. You may want to rely on additional software to protect your network from IP intrusion, even if the RAS service that comes with the operating system is sufficient to establish an encrypted link between secure LANs.

Linux's IP masquerade/IP Chains features can be used with additional open-source software to create fairly robust VPNs as well. However, integrating numerous packages from different vendors isn't easy to do correctly, and can lead to a "Swiss-cheese" security effect, where all the pieces are in place but holes exist because they aren't well integrated.

Microsoft's PPTP software isn't the only server-based IP tunneling solution. Alta Vista's Tunnel is a popular and secure alternative for providing secure LAN connections over the Internet, and most firewalls have VPN modules you can use. Additionally, a number of tunnel solutions exist for UNIX.

Firewall-Based VPNs

Every LAN that is connected to the Internet needs a firewall to isolate LAN traffic (NetBIOS traffic in the case of NT networks; NFS, telnet, or X-Windows in the case of UNIX networks; AppleTalk in the case of Macintosh networks; and IPX in legacy NetWare networks) from Internet traffic. A firewall should at least block certain ports, especially the NetBIOS, NFS, Telnet, or X-Windows ports, from being accessed from outside your network, and should specify which computers inside your network are allowed to access the Internet.

That is not all that modern firewalls can do, however. Popular firewalls can perform address translation; take care of protocol and port filtering; redirect common services such as mail, news, and FTP; and even proxy such protocols as HTTP, SMTP, NNTP, Telnet, and FTP. Since firewalls already do every other sort of analysis and transformation of network packets, it is a simple matter to include IP tunneling capability in the firewall.

The tunneling protocols included with most firewalls are proprietary and will only establish a VPN link with the same brand of firewall on the remote LAN or with client software written specifically for that firewall. This situation is beginning to change with the widespread adoption of the IPSec+IKE (IP Security with Internet Key Exchange) encryption and negotiation protocols. Although many vendors now support IPSec+IKE encryption, their specific versions are not always compatible. If you intend to use IPSec+IKE in a multi-vendor firewall network, contact each vendor to make sure they've tested their software to work with your other firewalls and to identify any configuration issues you'll have. A completely standardized implementation of IPSec+IKE should eliminate the compatibility problems caused by proprietary encryption systems.

Many firewalls include VPN software for individual remote client computers to connect to the firewall and establish a tunnel. If you need to connect remote computers to your LAN, you should check to make sure the client software is available for all your supported platforms.

Router Based VPNs

Large networks (such as those in a business, school, government, or campus environment) are often comprised of several LAN segments linked together by routers. The routers isolate internal LAN segment traffic while conveying inter-LAN traffic quickly and efficiently. The routers are custom hardware devices with specialized circuitry and programming for handling network packets.

Simple routers merely transport the network packets from one segment to another, but the more complex and expensive routers can also act as firewalls, examining the network traffic and manipulating it (blocking ports, redirecting packets, and so on) according to rules established by the network administrator. Some routers even include the ability to encapsulate network traffic and establish VPN links between routers. IBM's 2210 router family, Cisco's routers running IOS, and Ascend's MAX switches are three popular router solutions that support VPN capabilities.

Secure Remote Access

Virtual Private Networks are great for connecting LANs, but what about people with isolated computers such as telecommuters, roving troubleshooters, salespeople, executives on the move, or anyone else lucky (or unlucky) enough not to work in an office or cubicle? The traditional (read: expensive) way to provide these users with LAN access is to install modem banks and purchase phone lines so that they can dial up to your LAN using modems. Dial-up services provided in this manner require a modem and a phone line for each simultaneous dial-in connection supported. If you want two people to be able to connect at the same time, you'll need two modems and two phone lines for your dial-up server. If you want to support two hundred people at the same time, you'll need two hundred modems and two hundred phone lines (and some esoteric serial connection hardware as well). Also, either your company or the dial-up users will have to pay any long-distance toll charges if the users aren't a local phone call away from the dial-up server.

Just about anywhere you can go in the industrialized world today, an Internet Service Provider is a local phone call away. Internet service from these providers is relatively cheap because the ISPs can spread the cost of supporting dial-up connections across a wide base of customers. It makes sense to use these dial-up services just for your own network connections rather than to duplicate them. The problem is this: How do you protect the network communications between the remote computer and the computers on your LAN?

There are two ways to extend a Virtual Private Network to include individual remote computers connecting over the Internet. One way is to have your users dial up to ISPs that include a VPN port in their dial-up service, essentially making the ISP a partner in your LAN security management. The other way is to move the VPN port into the remote computer.

VPN in the ISP

Internet Service Providers use special devices called remote access switches, remote access servers, terminal servers, or serial concentrators to connect a large number of phone lines and modems to their dial-up network. The serial concentrators allow a server computer (often a UNIX workstation but sometimes a Windows NT Server computer) to accept a large number of dial-in connections. The remote access switches, servers, and terminal servers are special-purpose computers designed just to connect dial-in users to the network. In either case, the dial-up server (a general purpose computer or specialized device) performs the functions of authenticating the user and connecting the user's computer to the ISP's LAN.

Many newer dial-in switches (Windows NT Server computers as well, of course) support the PPTP protocol. When the user establishes an account with the ISP, the user (in cooperation with the network administrator of the LAN the user wants to connect to) can specify which VPNs the user's computer should be allowed to connect to. When the user connects to the remote access switch (typically using the PPP protocol), the ISP's remote access switch first gets the user's ISP account name and password, and then makes an encrypted connection over the Internet to the RAS server specified by the user's network administrator. The remote user can (after providing a valid account name and password for the LAN, of course) then participate in the LAN like any other network client.

Having the ISP establish the encrypted tunnel connection as well as authenticate and encapsulate the remote users' network traffic provides security equivalent to having your LAN's ISP manage your firewall for you. Many companies rely on the ISP to provide firewall services, and this can be a cost-effective solution when you have confidence in the security and responsibility of the Internet service provider.

VPN in the Dial-Up Client

In most cases, the remote user will not be able to rely on the Internet service provider to establish a VPN session with your remote users. The vast majority of firewall and encrypted tunnel vendors provide small client-side versions of their tunnel software that can be run directly on the remote access client. This allows the client to connect directly to the firewall over the Internet and appear as if it is a workstation on the local network.

In order for the client computer to establish a VPN session, it must first connect to the Internet. This connection can be made through any ISP or can even be made from a computer on a foreign LAN (one that's not a part of your VPN) that is connected to the Internet. Once the client computer is on the Internet, the client VPN software can establish the encrypted connection to your firewall or server using TCP/IP.

In the case of Microsoft's PPTP protocol, the encapsulation process is quite clear. The user must first connect (using their dialer) to the Internet, and then connect using their dialer to the firewall with PPTP. From the user's point of view, they have to use the dial-up software twice: once to connect to the ISP and then once to connect to the RAS server over that IP connection.

VPN Best Practices

Virtual Private Networks are convenient, but they can also create gaping security holes in your network. The following practices will help you avoid trouble.

  • Use a real firewall.
  • Secure the base operating system.
  • Use a single ISP.
  • Use packet filtering to reject unknown hosts.
  • Use public-key encryption and secure authentication.
  • Compress before you encrypt.
  • Secure remote hosts.

Use a Real Firewall

As with every other security component, the best way to ensure you have comprehensive security is to combine security functions on a single machine. Firewalls make ideal VPN end points because they can route translated packets between private systems. If your VPN solution wasn't combined with your NAT solution, you'd have to open some route through your firewall for the VPN software or the NAT software, both of which can create a vector for attack.

Real firewalls are also most likely to use provably secure encryption and authentication methods, and their vendors are more likely to have implemented the protocol correctly. Ideally, you'd be able to find an open-source firewall whose source code you (and everyone else) could inspect for discernible problems.

Secure the Base Operating System

No VPN solution provides effective security if the operating system of the machine is not secure. Presumably, the firewall will protect the base operating system from attack, which is another reason why you should combine your VPN solution with your firewall.

Implementing PPTP on a Windows NT Server without also implementing PPTP filtering is asking for trouble: without a secure base operating system, the VPN can be easily hacked to gain access to your network from anywhere.

Use a Single ISP

Using a single ISP to connect all the hosts acting as tunnel end points will increase both the speed and security of your tunnel because ISPs will keep as much traffic as they possibly can on their own networks. This means that your traffic is less exposed to the Internet as a whole and that the routes your ISP uses will avoid congestion points in the Internet. When you use multiple ISPs, they will most likely connect through the commercial Internet exchange network access points, the most congested spots on the Internet. This practically guarantees that your VPN tunnel will be slow, often uselessly slow for some protocols.

Choose an ISP that can also provide dial-up service to your remote users who need it. Alternatively, you may choose a local ISP that is downstream from your national ISP, because such ISPs are also on the national ISP's network and many national ISPs don't provide dial-up service.

Use Packet Filtering to Reject Unknown Hosts

You should always use packet filtering to reject connection attempts from every computer except those you've specifically set up to connect to your network remotely. If you are creating a simple network-to-network VPN, this is easy: simply cross-filter on the foreign server's IP address and you'll be highly secure. If you're providing VPN access to remote users whose IP addresses change dynamically, you'll have to filter on the network address of the ISP's dial-up TCP/IP domain. Although this method is less secure, it's still considerably more secure than allowing the entire Internet to attempt to authenticate with your firewall.
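The two filtering cases above, as an added example that is not part of the original page: a small allow-list policy for inbound tunnel attempts, with an exact match for the fixed-address peer server and a network match for the ISP's dial-up pool. The addresses are constructed documentation ranges; TCP 1723 and GRE are the standard PPTP control and data channels, used here as the tunnel service being protected.

```python
import ipaddress

# Constructed policy values (documentation address ranges, not real hosts).
PEER_VPN_SERVERS = {ipaddress.ip_address("203.0.113.10")}       # remote LAN's fixed-address end point
ISP_DIALUP_POOLS = [ipaddress.ip_network("198.51.100.0/24")]    # our ISP's dial-up address pool
# PPTP: TCP 1723 carries the control channel, GRE (IP protocol 47) the tunnelled data.
TUNNEL_SERVICES = {("tcp", 1723), ("gre", None)}


def tunnel_attempt_allowed(src_ip, proto, dst_port=None):
    """Return (allowed, reason) for one inbound packet aimed at the VPN end point.

    Order matters: anything that is not the tunnel service is refused outright,
    then the exact peer address is matched, then the ISP pool as the weaker fallback."""
    key = (proto, dst_port if proto == "tcp" else None)
    if key not in TUNNEL_SERVICES:
        return False, "not a tunnel service"
    src = ipaddress.ip_address(src_ip)
    if src in PEER_VPN_SERVERS:
        return True, "known network-to-network peer"
    if any(src in pool for pool in ISP_DIALUP_POOLS):
        # Every customer of that pool may still try to authenticate, but the
        # rest of the Internet never reaches the authentication step.
        return True, "inside ISP dial-up pool"
    return False, "unknown host"


def filter_log(packets):
    """Apply the policy to (src_ip, proto, dst_port) tuples and return the
    decisions in order, as you would when reviewing a firewall log."""
    return [(pkt[0], *tunnel_attempt_allowed(*pkt)) for pkt in packets]


# Constructed sample of inbound attempts, in the order a firewall might log them.
SAMPLE_PACKETS = [
    ("203.0.113.10", "tcp", 1723),   # the remote office's VPN server
    ("203.0.113.10", "gre", None),   # its tunnelled data
    ("198.51.100.77", "tcp", 1723),  # a roaming user on our ISP's dial-up pool
    ("192.0.2.5", "tcp", 1723),      # an unknown host elsewhere on the Internet
    ("192.0.2.5", "gre", None),
    ("203.0.113.10", "tcp", 139),    # NetBIOS outside the tunnel, even from the peer
]

if __name__ == "__main__":
    for src, allowed, reason in filter_log(SAMPLE_PACKETS):
        print(f"{src:15} {'ALLOW' if allowed else 'DROP':5} {reason}")
```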

Use Public-Key Encryption and Secure Authentication

Public key authentication is considerably more secure than the simple, shared secret authentication used in some VPN implementations, especially those that use your network account name and password to create your secret key the way PPTP does. Select VPN solutions that use strong public key encryption to perform authentication and to exchange the secret keys used for bulk stream encryption.

Microsoft's implementation of PPTP is an example of a very insecure authentication method. PPTP relies upon the Windows NT account name and password to generate the authentication hash. This means that anyone with access to a valid name and password (like a malicious Web site one of your users has visited that may have initiated a surreptitious password exchange with Internet Explorer) can authenticate with your PPTP server.

Compress Before You Encrypt

You can get more data through your connection by stream compressing the data before you put it through your VPN. Compression works by removing redundancy. Since encryption salts your data with non-redundant random data, properly encrypted data cannot be compressed. This means that if you want to use compression, you must compress before you encrypt. Any VPN solution that includes compression will automatically take care of that function for you.
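The ordering argument above, measured rather than stated, as an added example that is not part of the original page. It compresses a constructed sample of redundant LAN traffic in both orders; the one-time-pad XOR stands in for the VPN's cipher only because it produces ciphertext with no redundancy.

```python
import os
import zlib


def _one_time_pad(key: bytes, data: bytes) -> bytes:
    # XOR with a fresh random key at least as long as the data: the textbook way
    # to get ciphertext with no redundancy. Illustration only; a VPN uses a real cipher.
    return bytes(d ^ k for d, k in zip(data, key))


def compare_orderings(plaintext: bytes) -> dict:
    """Bytes on the wire for both orderings of compression and encryption."""
    key = os.urandom(len(plaintext) + 64)          # long enough for either input
    compress_then_encrypt = _one_time_pad(key, zlib.compress(plaintext))
    encrypt_then_compress = zlib.compress(_one_time_pad(key, plaintext))
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),   # never smaller than plaintext
    }


# Constructed stand-in for redundant LAN traffic: a print job of near-identical lines.
SAMPLE_LAN_TRAFFIC = b"".join(
    b"\\\\PRINTSRV\\ENG-LASER  page %03d  Quarterly status report, draft 3\r\n" % i
    for i in range(1, 41)
)

if __name__ == "__main__":
    for name, size in compare_orderings(SAMPLE_LAN_TRAFFIC).items():
        print(f"{name:22} {size:5d} bytes")
```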

Secure Remote Hosts

Make sure the remote access users who connect to your VPN using VPN client software are properly secured. Hacking Windows 98 home computers from the Internet is depressingly easy, and can become a vector directly into your network if that home computer is running a VPN tunnel to it. Consider the case of a home user with more than one computer using a proxy product like WinGate to share his Internet connection, who also has a VPN tunnel established over the Internet to your network. Any hacker on the planet could then proxy through the WinGate server directly into your private network. This configuration is far more common than it should be.

Alert users to the risks of running proxy software on their home machines. Purchase client firewalling software to protect each of your home users; remember that a weakness in their home computer security is a weakness in your network security when they're attached to your network.
