7.1 VPN Solutions


Three broad categories of VPNs are in general use today: dedicated line, dial-in, and IP VPN. IP VPNs will be the primary focus of this chapter, as they are quickly becoming the VPN type of choice for large corporations.

7.1.1 Dedicated Line VPNs

Dedicated line VPNs have been the type of VPN traditionally associated with large corporations. The process is fairly simple: A company with one or more remote offices contacts either a network provider such as AT&T, Sprint, or WorldCom, or an Incumbent Local Exchange Carrier (ILEC) like Verizon, BellSouth, or Pacific Bell, and requests to have point-to-point connections run between offices. These point-to-point connections can either be leased lines or wireless connections, but they have one thing in common: No other traffic is on the network. A point-to-point connection requires a dedicated line to each location; the line runs through the provider's private network to the other locations on the VPN. If every location on the VPN needs to speak to all of the other locations, then a dedicated line has to be run between each pair of locations.

Figure 7.1 shows a typical leased line VPN. Lines are run from the headquarters to Remote Office A and B. A dedicated connection is also run from Remote Office A to Remote Office B. In a perfect world this would not be necessary as the routers located within headquarters could be configured to allow the remote offices to view each other's networks. The reason it is generally not done is that there is no redundancy with a dedicated line network. The company is paying for dedicated transit, so the traffic traveling on the lines never leaves those lines to cross into a public data network. By connecting all of the offices, some redundancy is added to the network, in that there are now two data paths.

Figure 7.1. A typical dedicated line VPN design; each office in the network has a connection to all other offices on the network.


Other than the lack of redundancy, the biggest drawback to this type of network is the expense. The cost of maintaining dedicated lines to, and between, each office is prohibitive, especially as the number of remote offices grows. Imagine that instead of three offices there were 25. Each time a new office is added to the network, the company has to pay the provider to run the dedicated line from the new office to the headquarters. The farther from the headquarters the office is, the greater the initial cost. This solution generally precludes bringing overseas offices onto the network. Running a cable across the ocean is beyond the financial resources of the vast majority of companies. The cost to run that much cable, as well as the monthly costs to the network provider, would be extremely expensive. Of course, trying to manage 24 network connections, if the company wanted to run redundant links between each office, would also be an administrative nightmare.

This solution also does not take into account remote users who need access to the network while they are on the road or working from home. Installing a dedicated connection in the house of every employee is simply not feasible, and it still would not help those users who need access to the network from the road.

The positive side to this approach is that it offers the most security. The traffic on these dedicated lines is never shared with anyone else, so there is very little worry that an intruder will be able to sniff traffic as it travels between the various offices. This solution is also nice because it provides an always-on connection that allows all users, at all locations, to be connected to each other simultaneously.

7.1.2 Dial-In VPNs

A second solution is to locate an RAS server in the headquarters and allow users to dial in to the headquarters to connect to the network. The users connect to the RAS server and have temporary access to the company network. The RAS server acts as a gateway to the rest of the network, allowing the dialed-in user complete access to servers and other workstations, as if he or she were directly connected. When the user has completed the work, he or she simply disconnects. This solution is less expensive than a dedicated line solution because it makes use of the Public Switched Telephone Network (PSTN).

Using the PSTN to transmit data is not as secure as running a dedicated point-to-point connection, but it is still a relatively secure connection. When a phone call is made, a temporary dedicated circuit is created, and no traffic aside from the communication between the two parties on that call will be run across that circuit. Figure 7.2 shows a typical dial-up VPN.

Figure 7.2. A typical dial-up VPN. A remote user connects into an RAS server and is given access to the rest of the network.


It is still possible for someone to listen in on a phone call, but the government tightly regulates the PSTN. Because of this, providers generally have several layers of security in place to ensure that intruders are unable to easily tamper with telephone calls.

There are some problems with the dial-in model of VPN. The biggest problem is bandwidth; a dial-up connection is simply slow, especially if employees are expected to work while connected to the network.

This problem is further exacerbated when a remote office, with several users, uses a router to initiate the dial-up connection, providing a true VPN, as opposed to a single user from the remote office gaining access to the network. The amount of bandwidth available to the users, generally 53 kilobits per second (Kbps), or less, is significantly slower than a typical network connection.

A second problem is the reliability of a dial-in connection. The PSTN is very reliable, but it is not designed for long-term conversations, nor is it designed for the type of reliability that is required by a data connection. It is not uncommon for long-lived connections to be automatically bounced by the LEC.

A dial-in VPN can also be expensive. While generally not as expensive as using dedicated lines, there are some significant costs involved in maintaining a dial-in VPN. The first cost is the phone lines that are needed to support the users. The number of lines will need to be proportional to the number of offices and remote users accessing the network. If a company has 24 remote offices, which need continual access to the main network, and averages 20 users accessing the network through the RAS server at any one time, it will need at least 44 phone lines.

In addition to the phone lines, an RAS server with enough modems to support the lines being run in will be needed. If it is only a few modems, then a Windows 2000 or Unix server can be converted to an RAS server. However, if the company has quite a few remote users, it is usually best to use a purpose-built device, such as a Lucent MAX 6000 or a Cyclades PR-4000. Of course, these dedicated devices also require additional training, and maybe even additional staff to manage them.

Another cost involved is long-distance charges. If the remote offices are spread throughout the country, they will incur hefty long-distance charges dialing into the corporate LAN several times a day. It is also likely you will have to maintain an 800 number for users to dial into, either when they are on the road or from home if they live in a different area code.

A dial-in VPN also suffers from the flaw of having several single points of failure. When multiple phone lines are used, the phone company usually provisions a T1 trunk (E1 trunk in Europe). A T1 is equivalent to 24 analog channels (an E1 is 32 analog channels). Each T1 running into your RAS server represents a single point of failure. If you have two T1s (or 48 analog channels) terminating at the same central office (CO), then that CO represents a single point of failure, though the CO itself is designed so that it will generally not experience more than five minutes of downtime a year. [1] The RAS server also represents a single point of failure. The likelihood of failure increases if a company is using a server transformed into an RAS server, instead of a purpose-built machine.

[1] Think about it: When was the last time you picked up a phone and got dead air?

There are several benefits to this solution. The primary benefit is that telephone access is nearly ubiquitous. It is very likely that no matter how far a user is from the main headquarters, he or she will have access to a phone line, and will be able to dial into the network. Despite the costs associated with a dial-in VPN, they are still significantly less than those associated with running dedicated point-to-point connections between offices. Finally, using a dial-in solution means that all employees can connect to the network, [2] giving everyone the access they need, albeit slow access.

[2] Discounting busy signals, of course.

Prior to the advent of IP VPNs, it was not uncommon for large corporations to use a combination of dedicated and dial-in VPNs as a way to offer remote network access to their remote offices and employees.

7.1.3 IP VPNs

IP VPNs are the focus of this chapter because they are quickly becoming the standard for remote VPN access. An IP VPN is a VPN that is created using a public network, generally the Internet, as the means of transit.

The appeal of IP VPNs is very apparent: Rather than bear the cost of dedicated point-to-point connections, or phone lines, to allow access into the network, a company only needs to cover the cost of Internet access (Figure 7.3).

Figure 7.3. An IP-based VPN uses the public Internet as a means of data transport, allowing remote offices as well as dial-up users to access the network.


IP VPNs allow a company to make use of the existing redundant network infrastructure as a means for remote offices and employees to access the network. Instead of the costs associated with dedicated point-to-point connections, or maintaining a dial-up infrastructure, the company simply has to pay for the costs involved to maintain Internet access for the remote offices, and possibly dial-up ISP accounts for employees. Some of these costs the company would have had regardless of the VPN type.

When using the Internet to make a VPN connection, security concerns are paramount. Remote offices and employees may not connect to the same Internet backbone. Even if they do, there is no guarantee that data will not be intercepted between the remote network and the corporate network. It is important to ensure that the data transmitted across the WAN is secured.

Generally, data transmitted across an IP VPN is encrypted and tunneled. There are many types of IP VPNs that incorporate myriad encryption technologies. VPNs also have a variety of configuration options. An IP VPN can be operated across a firewall or a router, it can be software based, or it can be included as part of a dedicated device. Each type of VPN technology, encryption protocol, and network configuration has its own security problems. Before implementing a VPN solution, it is important to be aware of the security considerations associated with the technology used to create the VPN.

Despite a vast array of VPN options, the most commonly deployed VPN solutions are those that allow a single user, with the proper encryption software, or a remote office to connect to the main corporate network across the Internet.

These VPN solutions use varying forms of tunneling protocols to accomplish this connection. A tunneling protocol encapsulates a network packet, encrypts it, and transports it securely across the Internet. In the process of encapsulating and encrypting the packet, the tunneling protocol hides the original source and destination IP addresses of every packet that is being sent across the VPN; only the addresses of the tunnel endpoints are visible on the Internet.

The way an IP VPN usually works is that an NAS is set up within the corporate network, with a publicly available address. Remote users, using a tunneling protocol, make a connection to that NAS device. The NAS device authenticates the user, and the tunnel is established. The user, or office, now has access to the rest of the network through the NAS device. This process is outlined in Figure 7.4. Instead of a home user, a remote office with multiple users could easily be used.

Figure 7.4. A network user makes a connection to the public IP address of the NAS server and establishes the tunnel. Once the tunnel has been established additional traffic is encrypted.


The tunnel can be created using software installed on the remote user's machine, or a VPN router can be used to establish the connection, encrypting all traffic from the remote network to the corporate network and creating the VPN.

The tunnel, once created, stays up for as long as the user needs it, or until it is terminated at one end or the other. A remote office with a T1 or some other sort of always-on connection can leave the tunneled connection open all the time. Even home users with cable or Digital Subscriber Line (DSL) connections can have a permanent connection to a corporate network.
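The following is an added example, not code from the book, that models the encapsulate-encrypt-transport step described above and what it hides from a sniffer between the remote user and the NAS. The packet layout (4-byte source, 4-byte destination, 2-byte length, payload), the addresses, the keys, and the HMAC-SHA256 counter-mode cipher with encrypt-then-MAC are all constructed for illustration; they are not IPsec, PPTP, or any real tunneling protocol's wire format.

```python
# Added example (not from the book): a minimal model of an IP VPN tunnel.
# Layouts, addresses, and the cipher construction are constructed for
# illustration only; a real VPN uses a standard protocol and an AEAD cipher.
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

NONCE_LEN = 12
TAG_LEN = 32


def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed packet layout, used for both the inner (private) and outer
    (public) packet: 4-byte src | 4-byte dst | 2-byte payload length | payload."""
    return (IPv4Address(src).packed + IPv4Address(dst).packed
            + struct.pack("!H", len(payload)) + payload)


def parse_packet(pkt: bytes) -> dict:
    if len(pkt) < 10:
        raise ValueError("packet too short")
    (length,) = struct.unpack("!H", pkt[8:10])
    payload = pkt[10:10 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    return {"src": str(IPv4Address(pkt[0:4])),
            "dst": str(IPv4Address(pkt[4:8])),
            "payload": payload}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in
    # for a real cipher). A nonce must never be reused with the same key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("tunnel packet failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encapsulate(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str,
                enc_key: bytes, mac_key: bytes) -> bytes:
    """Remote end: seal the private packet and wrap it in an outer packet
    addressed from the remote endpoint to the NAS's public address."""
    return build_packet(tunnel_src, tunnel_dst, seal(enc_key, mac_key, inner_pkt))


def decapsulate(outer_pkt: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """NAS end: strip the outer header, verify and decrypt, recover the private packet."""
    return parse_packet(unseal(enc_key, mac_key, parse_packet(outer_pkt)["payload"]))


def on_path_view(outer_pkt: bytes) -> dict:
    """What a sniffer between the endpoints can read without the keys."""
    hdr = parse_packet(outer_pkt)
    return {"src": hdr["src"], "dst": hdr["dst"], "length": len(outer_pkt)}


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    # Constructed addresses: private hosts on each side, public tunnel endpoints.
    inner = build_packet("192.168.5.20", "10.1.1.5", b"GET /payroll HTTP/1.0")
    outer = encapsulate(inner, "198.51.100.7", "203.0.113.1", enc_key, mac_key)
    print("on-path observer sees:", on_path_view(outer))
    print("NAS recovers:", decapsulate(outer, enc_key, mac_key))
```

Two points worth noticing when running it: every packet from a remote office exits with the same outer addresses regardless of which internal host sent it, so the private addressing is hidden, but the observer still learns the NAS's public address, packet sizes, and timing. The integrity tag is checked before decryption, so a modified or wrong-key packet is dropped rather than decrypted into garbage and forwarded into the corporate network.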

While IP VPNs are quickly becoming popular because of the cost savings, and relative ease of implementation, there are some serious security concerns that network administrators need to be aware of and prepared to deal with. This will be the primary focus of the rest of the chapter.



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
