Site To Site VPN
Site to Site VPN
In a site to site VPN, data is encrypted from one VPN gateway to the other, providing a secure link between two sites over the internet. This enables both sites to share resources such as documents and other types of data over the VPN link.
Remote Access VPN
In a remote access VPN scenario, also known as mobile VPN, a secure connection is made from an individual computer to a VPN gateway. This enables a user to access their e-mail, files and other resources at work from wherever they may be, provided they have an internet connection. There are two common forms of remote access VPN technology, IPSec and SSL, which are covered further below.
Why have a VPN
A VPN saves organisations and companies from renting expensive dedicated leased lines. VPNs give users the ability to work from home and save the cost of resources such as e-mail servers, file servers, etc., as all of these can be accessed over the VPN connection at the central site.
A real world example would be a company split into two sites (when referring to sites we mean offices): the main site in the US and a smaller site in the UK. The US site already has a full network and storage infrastructure in place, consisting of Active Directory, an Exchange server, a file server and so on. The UK site consists of only a small number of users, let's say 10 employees. To make this scenario cost effective, a site to site VPN connection would be the best solution. Providing a VPN tunnel from the UK site to the US site saves the cost of installing another network infrastructure, Exchange server, Active Directory server and so on. The US site already has administrators maintaining its servers and infrastructure, and they can now maintain the VPN connection and the other resources as well, which is another area where savings are made.
Another cost saving scenario, building on the example above, would be to close the UK site down and have the UK based employees work from home. A remote access VPN would suit the case where the 10 users were not based anywhere in particular and there was no UK office. They would just require an internet connection and configured VPN client software enabling them to connect securely to their corporate network in the US. If they were using SSL VPN they would not even require configured client-side software; they would just need the URL of the VPN portal.
So VPNs provide a superb and cost effective solution for companies with several branch offices, partners and remote users to share data and connect to their corporate network in a secure and private manner.
With normal internet traffic, packets can be sniffed and read by anyone. Sending data via a VPN tunnel, however, encapsulates and encrypts all data packets, providing a high level of security. If packets sent over the VPN were sniffed they would be unreadable, and if they were modified this would be detected by the VPN gateway.
VPN Networking Protocols
VPN tunnels use one of four main networking protocols, which provide a sufficient level of security, as described below:
PPTP (Point to Point Tunneling Protocol)
PPTP is a protocol that supports the use of VPNs. Using PPTP, remote users can access their corporate networks securely from Microsoft Windows platforms and other PPP (Point to Point Protocol) enabled systems. This is achieved by remote users dialing into their local internet service providers and connecting securely to their networks via the internet.
PPTP has its issues and is considered a weak security protocol by many experts, although Microsoft continues to improve PPTP and claims its issues have now been corrected. PPTP is easier to use and configure than IPSec, but IPSec outweighs PPTP in other areas, being a more secure and robust protocol.
L2TP (Layer 2 Tunneling Protocol)
L2TP is an extension of PPTP (Point to Point Tunneling Protocol), used by internet service providers to provide VPN services over the internet. L2TP combines the functionality of PPTP and L2F (Layer 2 Forwarding protocol) with some additional functions using some of the IPSec functionality. L2TP can also be used in conjunction with IPSec to provide encryption, authentication and integrity. IPSec is the way forward and is considered better than layer 2 VPNs such as PPTP and L2TP.
IPSec (IP Security)
IPSec operates at layer 3 and so can protect any protocol that runs on top of IP. IPSec is a framework consisting of various protocols and algorithms, which can be added to and developed. IPSec provides flexibility and strength in depth, and is an almost perfect solution for securing VPNs. The only drawback is that IPSec requires setting up on both the corporate network and the client end, and it is a complex framework to work with. IPSec is used for both site to site and remote user connectivity.
SSL VPN (Secure Sockets Layer)
SSL VPN provides excellent security for remote access users as well as ease of use. SSL is already heavily used, for example when you shop online or access your bank account online; you will notice an SSL protected page when you see "https" rather than "http" in your browser URL bar.
The difference between SSL VPN and IPSec is that with IPSec a remote user requires client software, which needs installing, configuring and sometimes troubleshooting. With SSL there is no client software if the user is using the SSL portal. The portal is a GUI accessed via a web browser and contains tools and utilities for accessing applications on the network such as RDP and Outlook. SSL can also imitate the way IPSec works via lightweight software. If a user requires SSL client software, it can be installed with very little effort via a browser, which simplifies the process of securely accessing the corporate network.
Using SSL VPN means thousands of end users can access the corporate network without the support of an administrator and the possible hours of configuring and troubleshooting, unlike IPSec. The end user just needs to know the address of the SSL VPN portal. Another advantage is that they can do this from any computer, as they do not rely on configured client-side software.
Advantages and Disadvantages of using a VPN
Advantages
VPNs eliminate the need for expensive leased lines. Historically, T1 lines have been used to connect office locations together in a secure manner. If the office locations are far apart, the cost of renting these leased lines can be unbearable. A VPN only requires you to have a broadband internet connection, avoiding the hefty monthly rental on dedicated leased lines. VPNs are also a replacement for remote access servers and dial-up network connections, although these are rarely used anymore.
Having many branch offices across the globe requires many leased lines, and so does not scale well: each office would require a leased line to every other office. VPNs connecting via the internet are a far more scalable solution than leased lines.
Through the use of link balancing and link bonding, VPNs can use two or more internet connections, so if one connection at your company has a problem all VPN traffic can be sent over the remaining connections, and the original connection is used automatically again once it is back up.
Disadvantages
Remember, though, that having a VPN means relying on the internet and relying on your ISP (Internet Service Provider) being reliable, although this problem can be reduced by having two or more ISPs and using the second in a VPN failover scenario.
VPNs also require careful configuration, possibly some troubleshooting, and the terminology can be overwhelming for administrators not familiar with the technology.
Setting up VPN with IPSec
Below is a basic overview of the typical way a site to site VPN is configured using IPSec. IPSec is chosen as the example because it is the most commonly used technology and is known to be a solid, robust and secure VPN technology.
You may be new to all the VPN terminology, so clicking on the links in this VPN article will give you a good understanding of the terms used in the guide below.
Basics in setting up a site to site VPN with IPSec
Below covers what is required to set up a VPN connection on a VPN gateway with IPSec. It is not aimed at a specific vendor and is fairly general.
First you decide how you are going to authenticate both VPN peers to each other: either select a pre-shared key or install a digital certificate. This is used for authentication and to ensure the VPN gateways are authorised, proving their identities to each other. Both gateways must use the same type of credentials, so either both use pre-shared keys or both use digital certificates. If you are using pre-shared keys, both keys must match.
Phase 1
VPNs are configured and processed in two phases, phase 1 and phase 2. In phase 1, using Main mode or Aggressive mode, you set up a secure and encrypted channel to protect your phase 2 negotiations.
1) You will need to specify both gateway addresses: the address of the local VPN gateway and the address of the remote VPN gateway. You can specify either an IP address or a domain name. On some VPN gateways you can also specify an e-mail address, or, if you use a digital certificate, the certificate's subject field.
2) Main mode or Aggressive mode can be selected depending on which one you want to use. Main mode is more secure but slower than Aggressive mode. In Main mode peers exchange identities with encryption, whereas Aggressive mode, although faster, exchanges identities without encryption. Main mode is the more commonly used. Aggressive mode is typically for when one or both of the VPN gateways have a dynamic IP address.
3) Specify whether to use NAT Traversal. This is selected if your VPN gateway is behind a NAT device. Also specify whether you want both peers to use IKE keep-alive. This ensures that if a VPN gateway's interface is not responding it will fail over to the second interface. This applies when your ISP goes down and your secondary interface is a backup ISP.
4) You now decide on your transform set. This includes the type of encryption, the authentication algorithm and how long your security association will last. For authentication you can use either SHA1 or MD5; SHA1 is the stronger authentication algorithm.
For encryption you can select DES, 3DES or AES with 128, 192 or 256-bit key strength. AES is the strongest of these.
You can specify a limit before your SA expires, which adds more security to your VPN if your keys have been compromised, although this also has a slight effect on performance.
You will need to specify a Diffie-Hellman key group, usually 1, 2, 5 or 14, of which 14 is the most secure.
You can optionally set up extra transform sets if needed. If you are not sure of your peer's transform settings, you may want to set up more transform sets, although it is recommended to know your peer's settings and create the minimum transform sets required, as this is more secure.
Phase 2
In phase 2, using Quick mode, you establish the IPSec SA. You tell the gateway what traffic you will be sending over the VPN and how to encrypt and authenticate it.
1) You will need to specify what traffic will go across the VPN, by specifying an IP address, network address or IP address range. This is access to your internal network, so that either remote users from home or the peer office can access resources behind the VPN gateway.
2) You can choose whether to use PFS (Perfect Forward Secrecy) as an optional extra layer of security. If you use PFS, remember that both VPN peers must support and use it. You can select which Diffie-Hellman group to use for the new keying material; the higher the group you select, the stronger the key.
You now need to specify some more parameters for securing your data within the IPSec SA (phase 2), also known as phase 2 proposals. The parameters are made up of encryption and authentication algorithms.
3) Here you first specify the type of proposal, selecting either AH or ESP. AH only provides authentication, whereas ESP provides authentication and encryption.
4) If you have specified ESP, which the majority would choose, you then specify your authentication and encryption. For authentication and integrity you can select SHA1 or MD5, where SHA1 is the stronger algorithm. For encryption you can select DES, 3DES or AES with 128, 192 or 256-bit key strength. AES 256 is the strongest encryption algorithm of these.
5) You may want to specify a value for when your key expires. This ensures your encryption keys change over a period of time, adding more security, as well as having a slight effect on performance. The majority leave these settings at the default. However, if you are a bank or any other company dealing with confidential data, you may want to force keys to expire and be re-created.
Final steps
You may now need to create policies or rules to allow your VPN traffic in and out of your firewall. This may already have been done for you when you completed configuring your gateway; you may have had the option to enable or disable your VPN gateway doing this automatically, depending on the product functionality.
You can now save all changes to your VPN gateway.
You are done configuring your VPN gateway and can now configure the peer VPN gateway. Remember to configure your peer VPN gateway with the exact same settings as your local gateway, or else the VPN tunnel will not form successfully.
Final words
The above article is not specific to any VPN gateway, so you may find differences in the order of settings or slight differences in terminology, but nothing more than that. Whatever firewall you use for VPN connectivity, such as WatchGuard, Fortinet, SonicWALL, Cisco and so on, they all support IPSec, which is a standardised, internationally known framework with a standard set of parameters and settings, so you will find the above instructions very like how you would set up your own firewall VPN gateway. The only differences you would see lie within the GUI, and possibly some slight naming alterations.
In a nutshell, with all VPN gateways using IPSec you have to configure your VPN gateway addresses, phase 1 settings and phase 2 settings, create VPN firewall policies (some firewalls create VPN policies for you automatically) and save the configuration, whichever vendor product you work with.