When designing secure connectivity to remote offices, you must choose a method for connecting the remote office and develop a security plan for the remote office link.
Your first decision when connecting a remote office to a corporate network is choosing which connection solution to use. You can deploy a dedicated (or private) WAN link or you can implement a VPN over a public network such as the Internet. Your decision will be based on your evaluation of the risks and costs associated with each deployment.
Private WAN links are typically implemented by purchasing or leasing a dedicated telecommunications line between the remote office and the corporate network, as shown in Figure 13.6.
Figure 13.6 Connecting a remote network to the corporate office using a dedicated WAN link
The telecommunication links are typically technologies such as T1, T3, Frame Relay, or Integrated Services Digital Network (ISDN). Advantages of selecting a dedicated WAN solution include guaranteed bandwidth between sites and not sharing the network link with other organizations.
In a VPN solution the organization uses a public network to link the offices. The remote office and the corporate office will still require telecommunication links, but the links will be to the Internet rather than between the offices. Using a public network between the offices carries a risk of data interception. By creating VPNs between the two offices, you reduce the risk because the data is transmitted in an encrypted format.
Table 13.9 shows the factors you need to consider when deciding whether to implement private or VPN methods for connecting a remote office to a corporate network.
Table 13.9 Choosing a Remote Office Connectivity Solution
Choose This Connection Solution | To Meet These Business Objectives |
---|---|
Dedicated WAN link | To restrict network traffic over the WAN link exclusively to traffic between the two offices. To guarantee bandwidth between the two sites. The cost of a dedicated link isn't prohibitive. International boundaries or local laws don't prevent the establishment of a dedicated network link. |
VPN over a public network | To leverage existing Internet links to provide network connectivity between sites. To provide connectivity between hardware from different net work vendors over public networks. To reduce the costs associated with connecting offices across international boundaries. |
Due to the high costs of establishing a dedicated WAN link between Canada and the United States, Hanson Brothers plans to implement a VPN solution. All data exchanged between the Montréal office and the Warroad office must be encrypted as it's transmitted over the Internet.
Although dedicated WAN connections aren't exposed to the same vulnerabilities as VPN solutions, you should still take the following measures to ensure the security of transmitted data over the WAN connection:
NOTE
A Windows 2000 server configured with RRAS can act as a router for a dedicated network link. Windows 2000 supports common routing protocols such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) protocol and can interoperate with many third-party routers.
Table 13.10 outlines the design decisions you face when implementing a dedicated network connection between network offices.
Table 13.10 Designing Security for Dedicated WAN Links
To | Do the Following |
---|---|
Limit which protocols are allowed to traverse the network link | Determine which protocols your organization will permit to traverse the WAN link. Design packet filters to match the allowed protocols or to match the protocols that can't be transmitted over the WAN link. Apply the packet filters at each router and test to ensure that the filters only allow the use of desired protocols. |
Limit which computers can transmit data over the WAN link | Identify which computers will be allowed to transmit data across the WAN link. Develop packet filters at each router that enforce which computers can transmit data over the WAN link. |
Ensure that confidential data can't be inspected as it's transmitted | Configure the routers to encrypt data over the WAN link. |
Limit which routers can connect to another router | Enable mutual authentication between routers to limit which routers can establish connections. |
Hanson Brothers plans to use a VPN solution for connecting the Montréal office to the corporate network in Warroad. Since a third-party firewall will be used at the Montréal office, many of the design decisions for dedicated network connections will be applied at the firewall.
Configure the third-party firewall to accept only connections from the remote access server at the Warroad office. This ensures that no other routers, remote access servers, or firewalls can establish connections to the firewall.
VPNs allow an organization to leverage existing network links to a public network and use those links to connect remote offices. VPNs ensure that data is protected as it's transmitted over the public network.
VPN solutions between offices can use PPTP, L2TP/IPSec, and IPSec tunnel mode. Your choice depends on the remote access devices deployed at each office, the availability of a Public Key Infrastructure (PKI), and the placement of remote access devices.
For example, Figure 13.7 shows a typical remote access server deployment for securing access to a remote network. In this scenario, the remote access server, also referred to as a tunnel server, is located in the network's Demilitarized Zone (DMZ). The DMZ, or perimeter network, is used to store externally available resources. In this scenario the DMZ is implementing NAT. Since you can't use IPSec to connect through a firewall that's implementing NAT, this network infrastructure supports only a PPTP tunnel connection to the tunnel server.
Figure 13.7 A VPN deployment in a DMZ using private network addressing
NOTE
You can identify when NAT is applied by inspecting the address ranges used on the interfaces of the firewall or perimeter server. If any of the interfaces use RFC 1918 addressing while others use public network addressing, the firewall or perimeter server is performing NAT services.
Alternatively, you could deploy the tunnel server in the network shown in Figure 13.8.
Figure 13.8 A VPN deployment in a DMZ not using private network addressing
In this network the tunnel server is located in a network segment that's using public network addressing. Because the firewall isn't performing NAT on traffic entering the DMZ, the VPN can use PPTP, L2TP/IPSec, or IPSec tunnel mode. The decision in this case will be based on other business factors.
What if the Tunnel Server is the Server Performing NAT?
You can deploy NAT and IPSec tunnels in one circumstance—when the tunnel server is also the server that performs the NAT process, as shown in Figure 13.9.
Figure 13.9 A scenario where ipsec and nat can work together
In this scenario the tunnel servers at the corporate office and the remote network are both performing NAT services for the local networks. The external interfaces connected to the Internet use public network addresses.
If L2TP/IPSec or IPSec tunnel mode is configured between the two tunnel servers, the VPN connection will terminate before the NAT process is performed on any incoming or outgoing packets.
Table 13.11 shows a decision matrix for determining when to use PPTP, L2TP/IPSec, or IPSec tunnel mode to connect remote offices with a VPN over a public network.
Table 13.11 Determining When to Deploy Tunneling Protocols
Use the Following VPN Protocol | When |
---|---|
PPTP | Either tunnel server is located in a network segment where NAT is performed. Creating VPNs with Windows NT 4.0 RAS servers. Windows NT 4.0 RAS servers only support the use of PPTP. Windows NT 4.0 doesn't support IPS encryption. You require only user authentication for the VPN connection. PPTP connections are established by authenticating the user accounts provided for the connection. |
L2TP/IPSec | Stronger encryption is required for the connection between sites. Authentication of both a user account and machine account is required. The tunnel servers aren't located behind a firewall or perimeter server that performs NAT. |
IPSec tunnel mode | The tunnel servers aren't located behind a firewall or perimeter server that performs NAT. Connecting to a third-party firewall or firewall that doesn't support PPTP or L2TP/IPSec. You only require machine authentication between the two tunnel endpoints. |
Hanson Brothers will use IPSec tunnel mode for the connection between the Montréal office and the corporate office in Warroad. Hanson Brothers must either ensure that the DMZ uses public network addressing or deploy the tunnel server as a perimeter server so that the NAT process takes place after the tunnel has terminated.
To secure the tunnel server, include the following tasks in the security design plan:
If your organization requires connectivity to remote offices, you must ensure that security is maintained so that network communications to the remote office don't weaken the overall network security.
Define security to protect all data transmitted between the remote office and the corporate network. This may be as simple as providing authentication between the connecting devices, or it may require the encryption of all data transmitted between the networks. Whatever solution you choose, make sure that it meets your business objectives without weakening network security.