Advantages and Disadvantages of VPNs


When determining whether a VPN is the solution of choice for your organization's remote connectivity needs, you must consider many factors. What is the confidentiality level of the data you are sending? What value is placed on its secrecy? How important is it to know the source of the data? If the secrecy level is high enough, even a VPN that uses strong encryption might be inappropriate; only a dedicated point-to-point connection might be suitable.

You can describe all forms of remote connectivity as three different types:

  • Dedicated point-to-point connections, such as via a leased T1 line

  • Standard unencrypted Internet communications

  • Encrypted VPN Internet communications, which is a compromise between the first two types

Of the first two types, the security and performance advantages both go to a dedicated connection type. Why consider an alternative? The answer is that a third factor is involved: finances. Dedicated connections are expensive, especially when they cover great distances. To add to this expense, most sites are also already utilizing some sort of high-speed Internet connection. Because broadband Internet connections are becoming a common part of most networks, the ability to utilize such a high-speed connection as a means of remote connectivity is attractive for most businesses. The monthly expense of leased T1 lines can be a thing of the past.

However, the use of a shared medium such as the Internet makes security an even greater issue. Your data is literally traversing an infrastructure shared by millions of people around the world. The cost advantages of such public access connectivity must be weighed against the value of your data's secrecy. Therefore, to be able to leverage the functionality of your existing Internet connection and increase the security level of your communications, the VPN is an excellent compromise. Encryption protects your data, but it adds a burden to your network and decreases usable bandwidth. Stronger encryption adds to the VPN's ability to protect your data, although greater encryption strength comes with a cost. More expensive hardware, or often more expensive or additional software, might be required to use a stronger encryption algorithm. Because of the greater complexity of such an algorithm, additional overhead must be shouldered by the equipment you are using, thus decreasing overall throughput.

Note

Although some commercial VPN solutions might vary their prices based on the level of encryption you choose, it should be mentioned that some excellent free VPN solutions are available. Many free Linux variants have exceptional IPSec implementations, and freeware VPN applications provide adequate protection as well.


Benefits of a VPN

The main benefit of using a VPN for remote network access can be summed up as the price effectiveness of being able to utilize a public medium to transport private information as securely as possible. A VPN can supply many levels of security to a shared network medium, including improved confidentiality, integrity, and authentication. Because a VPN utilizes existing infrastructures, it can be implemented swiftly, without having to wait for the establishment of a line or other factors that commonly hold up such implementations. If VPNs are used for remote users, they can offer a secure and more cost-effective "road warrior" solution. That way, people who need remote access can take advantage of local Internet access wherever they are, instead of making costly long-distance calls. The combination of security, quick setup, and cost effectiveness can make a VPN an excellent communication solution.

Security

VPNs offer many security features that make them a powerful method for securing information traveling across insecure territory. These features can be customized depending on the "hostility level" of the environment. This security level must be balanced against the value of the data.

Lower-strength encryption might be adequate for remote connections for many companies; the information that is being transmitted might be of little value to others. For example, if you owned a car lot with two locations, you might want to share inventory and pricing information between them. For obvious reasons, it might be a little too tempting for your competitors if you transmit this information in the clear, making it possible for someone else to read it. On the other side of the coin, it is unlikely that your competition will go to great lengths to break your encrypted traffic; they could easily drive by to count the inventory in your lot, and probably have a good general idea of what you are paying for your inventory. Utilizing a low-strength encryption VPN might adequately protect your information.

However, what if you are sending a top-secret formula for an item that is a matter of national defense or possibly the whole reason your company is in business? That data might be valuable enough that some outsiders would be willing to go to great expense and effort to defeat your protection. Therefore, stronger encryption would be needed. In general, if the cost of using stronger encryption is not much greater than that for weaker encryption, carefully consider using stronger encryption. The security needs for the communications could increase over time without your knowledge, so it is safer to use the strongest available encryption.

Regardless of the strength of the chosen encryption technology used for your VPN, your VPN should still meet the requirements of a secure communication channel. The following three requirements are the most basic:

  • Confidentiality is the guarantee that no one else is going to be able to peek at your information. The encryption algorithms that scramble your private data into meaningless segments of characters provide this for a VPN. If the encryption algorithm is not strong enough to protect your data, your confidentiality can be compromised.

  • Data integrity is the next issue that can be protected through VPN use. Integrity verifies that the information you are receiving is the same as it was when it was sent to you. Long ago, this was often accomplished by securing a document with a wax seal emblem of the party who was sending the message. If the seal was broken, you could not be sure that the message wasn't altered in transit. In today's world, this same integrity assurance can be accomplished with digital signatures and keyed hashes (message authentication codes). Note that encryption alone does not provide it: an attacker who cannot read an encrypted packet may still be able to modify it. Both signatures and hashes are discussed in greater detail in Appendix B.

  • Authentication verifies that the information came from the party it claims to have come from and, in turn, that it is received only by the party meant to receive it.
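The following script, an added example that is not from the book, shows why the integrity and authentication requirements are separate from confidentiality. It uses a toy XOR keystream cipher (constructed for the demonstration, not a real VPN cipher; IPsec uses AES) so that the malleability is easy to see: an attacker who knows the message layout but not the key flips bits in the ciphertext and the receiver decrypts a forged amount. The same packet protected with encrypt-then-MAC (HMAC-SHA256 from the standard library) is rejected, and because only the holder of the shared MAC key can produce a valid tag, the tag also authenticates the sender. The keys, message, and function names are assumptions for the example.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (constructed for this example, not a real VPN cipher):
    block i = SHA-256(key || i). Only its XOR malleability matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity protection.
    Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = encrypt_only(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything modified in transit."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return encrypt_only(enc_key, ct)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side bit flip: knowing the message layout (not the key), XOR
    the ciphertext with old ^ new so the plaintext field decrypts to `new`."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo() -> dict:
    # Constructed keys and message for the example.
    enc_key = hashlib.sha256(b"example-enc-key").digest()
    mac_key = hashlib.sha256(b"example-mac-key").digest()
    msg = b"TRANSFER AMOUNT=0100 TO=ACCT-42"
    off = msg.index(b"0100")

    # Case 1: encryption alone. The receiver decrypts a forged amount and
    # has no way to tell it was changed.
    ct = encrypt_only(enc_key, msg)
    forged = encrypt_only(enc_key, flip_field(ct, off, b"0100", b"9999"))

    # Case 2: encrypt-then-MAC. Same flip, but the tag no longer matches.
    sealed = seal(enc_key, mac_key, msg)
    try:
        open_sealed(enc_key, mac_key, flip_field(sealed, off, b"0100", b"9999"))
        detected = False
    except ValueError:
        detected = True

    return {
        "forged_plaintext": forged,
        "tamper_detected": detected,
        "untampered_ok": open_sealed(enc_key, mac_key, sealed) == msg,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Real VPN protocols get the same effect from an integrity algorithm (HMAC) or an authenticated cipher such as AES-GCM applied to every packet; the point of the toy is only that confidentiality by itself leaves the second and third requirements unmet.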

Deployment Advantages

Anyone who has had to wait for the phone company to terminate or activate a line knows that the waiting can be the hardest part. When you need to have something done today, filling out requests and waiting for outside parties are not things you want on your itinerary. Because VPNs can take advantage of existing infrastructure, many of these stumbling blocks can be avoided. Even in cases in which internal infrastructure needs to be patchworked, a VPN can shine. For example, imagine you are the network engineer at a college campus. You are told that the accounting office is having an audit tomorrow and you are responsible for setting up a place for the teams of auditors to work. The auditors have to be separate from the rest of the accounting office, and the only place you have for them to go is quite a distance away on the other side of the campus. Networks connect the whole campus, but none connect to the accounting office because it is on a separate segment from the rest of the campus. You could get out your handy spool of fiber-optic cable and trench digger and get ready to physically run the half-mile connection, or you could rely on securing the connection through existing infrastructure with VPN technology. This could be accomplished either by adding an additional hardware device and doing some fancy cable-patching to tie the remote location to the accounting office, or by relying on an existing VPN device that the accounting office already uses for remote connection and some already available Internet connections across campus. The end result of going with the latter option is a lot less work, considerably less preparation time, and, most likely, savings on infrastructure changes.

Cost Effectiveness

A VPN can save you money in many ways, most of which involve the VPN replacing some type of high-cost, dedicated WAN link. Often, high-speed Internet access is already in place at these same locations. When pitching broadband Internet, you should see a bean-counter's eyes light up when you explain that the monthly Internet access charges will be offset by the removal of the dedicated T1 link that the company is currently using to connect to its branch office. Usually, same-speed Internet access offsets the price of a similar speed point-to-point T1 within a year or two (this can vary greatly by region and location proximity), even considering the costs of additional firewall/VPN hardware.

VPNs can help pay for themselves in other ways as well. For instance, most VPN solutions can also offer an alternative to remote dial-in. This can add up to savings in long-distance bills for remote users who are accessing your network. It also removes the need for dedicated dial-in servers or modem pools for these same users, meaning lowered equipment cost, as well as a reduction in monthly dial-up phone charges. Regardless of the network setup, in most scenarios a VPN can give an excellent return on investment and add up to considerable savings in the long run.

Disadvantages of VPN

Despite all their positive points, VPNs are not all smiles and sunshine. You must consider the disadvantages before confirming that a VPN is suitable for your environment. The use of encryption brings about an additional processing burden, most likely to be handled by your existing gateway devices or by additional equipment that must be purchased. Fitting a VPN into an existing location can also be a challenge in some environments due to the additional packet overhead. A VPN has significant design issues that novices (as well as some intermediates) will most likely not want to tackle on their own, and troubleshooting traffic that is encapsulated can be a real challenge for even the most experienced practitioners.

Processing Overhead

Encryption, the backbone of the VPN, involves computationally intensive mathematical operations. These must occur for every packet that is sent across and received by a VPN gateway device. These computations take their toll not only on the gateway device, but also on the overall throughput of the VPN connection. This speed reduction intensifies with stronger encryption algorithms, which in turn require more mathematical complexity and more processing power. This problem has become such an issue over time that special "offload cards" have been created to absorb some of the additional processing burden of VPN encryption. These hardware acceleration devices can recover much of the lost processing capacity, but at a hefty price. Therefore, it is important to make this processing burden part of your hardware and bandwidth requirements when deciding on a VPN.

Packet Overhead

Another interesting disadvantage of implementing a VPN is the additional overhead that is added to every packet. Existing packets can be encapsulated (tunnel mode), which requires "wrapping" the original packet, including its IP header, inside a new outer packet with its own header. Even if you aren't using encapsulation (transport mode), the additional VPN header, trailer, and integrity check value still add to the packet size. In either case, this overhead, although not substantial, can be enough to become a design concern in some environments. In addition, adding size to every packet can negatively affect network bandwidth, not only due to sending larger packets, but also because each larger packet is more likely to exceed the maximum transmission unit (MTU) of some link and need fragmentation as it journeys across various gateways and routers. This fragmentation will negatively affect network performance.
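The arithmetic behind this design concern, as an added example that is not from the book: the script below computes the on-the-wire size of an IPv4 packet after IPsec ESP tunnel-mode encapsulation (fixed header and trailer sizes from RFC 4303, UDP encapsulation for NAT traversal from RFC 3948), whether it would fragment at a given path MTU, and the largest inner packet, and hence the TCP MSS clamp, that avoids fragmentation. The `EspSuite` table, the `SUITES` entries, and the function names are assumptions for illustration; the ICV lengths are the common defaults and a real implementation may negotiate others.

```python
from dataclasses import dataclass

# Fixed header sizes (IPv4; ESP per RFC 4303; UDP encapsulation per RFC 3948).
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8      # added only when NAT-Traversal (UDP/4500) encapsulation is on
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int   # explicit IV carried in every packet
    align: int    # payload + trailer are padded to a multiple of this
    icv_len: int  # integrity check value appended after the trailer


# Common suites (assumed table for the example). ICV lengths are the usual
# defaults; some stacks allow other lengths.
SUITES = {
    "aes-cbc-128/hmac-sha1-96":    EspSuite("aes-cbc-128/hmac-sha1-96", 16, 16, 12),
    "aes-cbc-128/hmac-sha256-128": EspSuite("aes-cbc-128/hmac-sha256-128", 16, 16, 16),
    "aes-gcm-128 (16-byte ICV)":   EspSuite("aes-gcm-128 (16-byte ICV)", 8, 4, 16),
}


def esp_tunnel_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation of a packet that
    is inner_len bytes long (inner IP header included)."""
    pad = (-(inner_len + ESP_TRAILER)) % suite.align
    size = (IPV4_HDR + ESP_HDR + suite.iv_len
            + inner_len + pad + ESP_TRAILER + suite.icv_len)
    return size + UDP_HDR if nat_t else size


def needs_fragmentation(inner_len: int, mtu: int, suite: EspSuite, nat_t: bool = False) -> bool:
    """True if the encapsulated packet is larger than the path MTU."""
    return esp_tunnel_size(inner_len, suite, nat_t) > mtu


def largest_inner_packet(mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits the path MTU.
    Padding makes this non-monotonic in small steps, so search downward."""
    for inner in range(mtu, 0, -1):
        if esp_tunnel_size(inner, suite, nat_t) <= mtu:
            return inner
    raise ValueError("MTU too small for any payload")


def tcp_mss_clamp(mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """TCP MSS to advertise (or clamp at the gateway) so that full-size TCP
    segments never need fragmentation inside the tunnel."""
    return largest_inner_packet(mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    MTU = 1500
    for s in SUITES.values():
        for nat in (False, True):
            print(f"{s.name:30} nat_t={nat!s:5} "
                  f"1500-byte inner -> {esp_tunnel_size(1500, s, nat)} bytes "
                  f"(fragments: {needs_fragmentation(1500, MTU, s, nat)}); "
                  f"max inner {largest_inner_packet(MTU, s, nat)}, "
                  f"MSS clamp {tcp_mss_clamp(MTU, s, nat)}")
```

With a 1500-byte path MTU and AES-CBC-128 plus HMAC-SHA1-96, a full 1500-byte inner packet grows to 1560 bytes (1568 behind NAT) and fragments, while the largest inner packet that fits is 1438 bytes, giving a TCP MSS clamp of 1398; this is the kind of figure you feed into the gateway's MSS-clamping rule rather than discovering it from fragmented or black-holed traffic after deployment.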

Implementation Issues

Implementation is a concern when making a VPN part of your existing network infrastructure. Some of these implementation issues include incompatibility with Network Address Translation (NAT), VPN passthrough usage, and maximum transmission unit (MTU) size and design issues. VPN design and implementation details are covered in greater detail in Chapter 16.

Troubleshooting and Control Issues

Troubleshooting a VPN can be a complicated process. Because the inner headers and payloads of encapsulated packets are unavailable until they are decrypted, you can't see what is happening while the packet travels between two gateway devices. Tools such as traceroute are ineffective when employed across a VPN tunnel. For more information on traceroute and VPN troubleshooting considerations, see Chapter 21, "Troubleshooting Defense Components."

Common means to examine the packet flow, such as network intrusion detection systems (IDSs), are less effective because the payload is unknown until after it passes through the perimeter VPN device. Not only can this make troubleshooting more difficult, but it also can punch a big hole in an otherwise secure network.

Note

Host-based intrusion detection offers one way to effectively monitor encrypted traffic, as we discuss in Chapter 10, "Host Defense Components." Because the traffic is decrypted either before reaching the host at a perimeter device (tunnel mode) or on the host itself (transport mode), the host-based IDS can check the packets after they are decrypted. Therefore, in high-security environments that use a VPN, it is wise to implement host-based IDS on mission-critical systems.


It becomes a security concern when you don't have controls on entities that are remotely connected by the VPN. For example, users who telecommute via a VPN might provide backdoors to your network due to a lack of security on their home PCs. Also, smaller remote offices that lack an IT staff, or even extranet connections to customers or vendors, could be the source of backdoor attacks or malicious code propagation.

Regardless of your environment, you must consider many issues when deciding the effectiveness of a VPN solution as your remote communication choice. If all issues are adequately considered beforehand, the outcome will be a correct decision and a smooth implementation.

Internet Availability Issues

One final point that must be made about using the Internet as the backbone of your wide area network (WAN) concerns the communication glitches that can occur between you and your remote partners' networks. Technical problems at your Internet service provider's (ISP's) level, denial of service (DoS) attacks, or other infrastructure issues such as damage to outside cabling can cause outages to Internet service that most of us have experienced at one time or another. Because the Internet is redundant by design, hopefully these problems are few and far between. However, when your business relies on remote communications, any such outage can become a major financial burden and an unacceptable outcome. Designing extra redundancy into your Internet connectivity can help alleviate such situations. Multiple Internet connections using multiple ISPs can lessen the chance that a problem at a single ISP will create a system-down situation for you. This, combined with the incorporation of screening routers or like products that can help mitigate DoS conditions, can maximize Internet availability for your network. For more information on the use of such screening routers, check out Chapter 6, "The Role of a Router."



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230