Information Security News mailing list archives

VPN Questions Answered


From: InfoSec News <isn () c4i org>
Date: Mon, 12 May 2003 03:30:53 -0500 (CDT)

http://www.eweek.com/article2/0,3959,1054748,00.asp

May 5, 2003 

A recent eSeminar showed that, while virtual private networks have
been widely deployed, many questions about the technology remain, and
many new questions are arising as the technology evolves. Following,
eWEEK Labs answers some of the questions that were submitted by
seminar attendees during the event, which took place April 16. For a
recorded version of the seminar and for more information about Ziff
Davis Media Inc. eSeminars, go to www.webseminarslive.com.


What is the advantage of using VPN technologies instead of WAN
technologies?

Lower cost and network design flexibility are the two main benefits.  
In addition, with VPNs, you don't have to lease lines or X.25
bandwidth and can use the IP connectivity you already pay for. You
also get finer control over which users can connect to the VPN and
when they can do this.


Does a single client-side VPN create as much overhead (bandwidth
aside) as a site-to-site VPN?

Per packet, yes: the encryption, integrity and encapsulation overhead is
the same for both. The difference is in the connection setup (the key
exchange and authentication), which is computationally expensive.
Site-to-site does this rarely and leaves the link up; client-side VPNs
go through many connection setups and tear-downs.


What are the concerns when using a VPN with cellular/wireless
connections?

One of the biggest problems with using wireless devices to gain
network access is that physical security for these portable devices is
so poor. Most solutions authenticate the device, not the user, so a
misplaced or stolen device can grant all the legitimate user's
privileges—especially if atrocious "convenience" features such as
password saving or automatic Web site ID/password completion features
in browsers are used. Overall security policies and follow-up actions
must keep these threats in check.


I thought there was an issue with using unprotected wireless - someone
can get onto your machine and then get onto the secured VPN channel?

If your wireless channel is itself unprotected, but it's only carrying
encrypted content that stays encrypted end-to-end throughout your
wired/wireless VPN, then you avoid the burden of administering another
parallel ID and key infrastructure (which protects only the wireless
links) while still preventing analysis of the content of your traffic.  
All wireless systems, of course, remain vulnerable to traffic analysis
as to which nodes interact with other nodes. Would additional
protection of the wireless channel enhance overall system security?  
Incrementally, yes, it would, but at what cost? It's a question of how
much security you want on your network as a whole and then where you
want to apply your effort and resources to portions of that system.
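To make the traffic-analysis point concrete, the following is an added example (not part of the original article): it models what a passive listener on an open wireless link can recover from one client's packets in the clear versus inside an end-to-end ESP tunnel. The packet list, the gateway address and the per-packet ESP overhead figure are constructed assumptions for illustration.

```python
"""Added example: eavesdropper's view of a client's wireless traffic,
in the clear and inside an end-to-end VPN tunnel. All inputs constructed."""
from collections import defaultdict

VPN_GATEWAY = "203.0.113.10"   # assumed tunnel endpoint (documentation address range)
ESP_OVERHEAD = 57              # assumed per-packet ESP tunnel overhead (outer IP hdr, SPI/seq, IV, pad, ICV)

# Constructed sample of one client's outbound packets: (t_seconds, dst_ip, dst_port, bytes)
CLIENT_PACKETS = [
    (0.0,  "198.51.100.20", 443, 1400),
    (0.1,  "198.51.100.20", 443, 1400),
    (0.2,  "198.51.100.20", 443,  300),
    (5.0,  "198.51.100.55",  25,  800),
    (5.4,  "198.51.100.55",  25,  800),
    (12.0, "198.51.100.80",  80,  600),
]


def eavesdropper_view(packets, tunneled):
    """Return what an observer of the radio link sees for each packet.

    In the clear, the IP header exposes every real destination and port.
    Inside an ESP tunnel the inner header is encrypted: every packet appears
    to go to the gateway, but count, size and timing remain observable."""
    view = []
    for t, dst, port, size in packets:
        if tunneled:
            view.append((t, VPN_GATEWAY, None, size + ESP_OVERHEAD))
        else:
            view.append((t, dst, port, size))
    return view


def visible_peers(view):
    """Distinct (destination, port) pairs the observer can read off the headers."""
    return sorted({(dst, port) for _, dst, port, _ in view}, key=str)


def bursts(view, gap=2.0):
    """Group packets into activity bursts by inter-packet gap.

    Returns (packet_count, total_bytes) per burst; this pattern survives
    tunnelling, which is the residual traffic-analysis exposure."""
    groups, current, last = [], [], None
    for t, _, _, size in view:
        if last is not None and t - last > gap:
            groups.append(current)
            current = []
        current.append(size)
        last = t
    if current:
        groups.append(current)
    return [(len(g), sum(g)) for g in groups]


if __name__ == "__main__":
    for label, tunneled in (("clear", False), ("tunneled", True)):
        v = eavesdropper_view(CLIENT_PACKETS, tunneled)
        print(label, "peers:", visible_peers(v), "bursts:", bursts(v))
```

Tunnelling collapses the peer list to the single gateway address, but the burst structure (three packets, then two, then one, with their sizes) is unchanged; that is exactly the "which nodes interact, and when" residue the answer refers to.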


Why don't more experts make a distinction between "wireless" and
"mobile"? VPNs are not very user-friendly for most mobile users.

This is a good point, especially in that some solutions work much
better in a space administered by a single service provider than
across multiple service jurisdictions (if that's the word). The more
your link can look like plain-vanilla TCP/IP, the more flexibility
there will be for using many different services and providers. For
example, encrypting e-mail, rather than sending in clear e-mail over a
VPN, makes fewer demands on the link and its service provider.


Are there any IP Security or Secure Sockets Layer solutions for Linux?

Yes, definitely, on both fronts. FreeS/WAN (IPSec) and Stunnel (SSL) are
popular open-source packages. The commercial appliances are operating
system-independent, but a number of them are running Linux. On the
client side, SSL VPNs just need a browser, so there is no problem there.
IPSec client interoperability is harder, and you'll need to check it out
on a case-by-case basis.


What do you think about the security of VPNs using Windows 2000 Server
via DSL [digital subscriber line] or cable? Are they secure, and what
are disadvantages?

If a broadband connection includes a static IP address, it clearly
becomes easier to target a particular machine. Even so, most security
improvements in Windows 2000, and moving forward to Windows Server
2003, are configuration issues (defaulting to security rather than to
out-of-the-box capability), plus the aggregate effect of applying years
of patches. Assertions that open-source software is inherently more
secure are now being challenged (see www.eWEEK.com/links); conscientious
administration is the foundation of security, regardless of operating
system choice.


Can you describe security requirements for VPNs when used over public
and private networks?

It's hard to imagine adding a VPN on top of a private network, unless
there are issues of trust with the network service provider or
concerns about physical interception of signals on network links. If
you have such concerns, protecting the network traffic could be
worthwhile—but a VPN is only one of several solutions that you should
consider. E-mail encryption, for example, is an alternative.


Can you provide more information on LAN-to-LAN VPNs?

If a LAN-to-LAN VPN is implemented by [IP Security] gateways that are
themselves outside each LAN's individual firewall, there's minimal
impact on the pre-VPN LAN. But at the same time, the firewall won't
have the opportunity to protect that gateway and analyze attacks that
might be made against it. On the other hand, an attacker cannot use
the VPN to tunnel through the firewall—the firewall sees everything
coming in from the gateway as plain-vanilla network traffic. Depending
on the types of attack that most concern you, this may be a good
trade-off—or not. Only if the gateway and firewall functions are
highly integrated will roaming clients, with constantly changing IP
addresses, be relatively easy to support.


How will IPv6 affect VPNs?

IPv6 makes IPSec support mandatory in every conforming implementation,
so an IPv6 stack can serve any application's request for IPSec
protection. Instead of being layered on top of the Internet, IPSec
becomes part of it. IPv6 substantially improves defenses against many
forms of attack, and its more rapid adoption would be a good thing. As
to how this "affects" VPNs, it doesn't eliminate the need for tools
that administer privileges and determine which application can use
IPSec for secure access to which resources. So VPN tools continue to
be important; they just delegate some of their low-level tasks to the
network infrastructure.


I have a firewall appliance that gives us VPN capability for many
mobile users, and we use PPTP [Point-to-Point Tunneling Protocol].  
What else can I do to secure this?

Your remaining opportunities for improved security may lie more in the
realm of policy than technology. Your process of granting and revoking
privileges, your management of access to sensitive information, and
your training of users in their security responsibilities may be
fruitful areas for emphasis. On the technology side, remember that a
PPTP tunnel is only as strong as the authentication that sets it up:
with password-based MS-CHAP, that means your users' passwords, so
enforce strong ones and, if the appliance supports it, consider an
IPSec-based tunnel for the same users.


What do you mean by "granular" access as opposed to open access with a
VPN connection?

"Granular" access control means the ability to grant or deny specific
permissions to specific network nodes or users (for example, one user
may reach one host on one port during business hours), instead of
giving every authenticated tunnel the run of the network. The
mechanisms by which these privileges are controlled may lie in the
network operating system or in a higher-level layer managed by the VPN
access controls.
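The difference between open and granular access, and the "which users can connect and when" control mentioned in the first answer, can be shown as a policy evaluator. This is an added example, not code from the article or from any VPN product; the users, networks, ports, time windows and connection attempts are all constructed for illustration.

```python
"""Added example: default-deny policy evaluator contrasting open VPN access
with granular per-user, per-network, per-port, per-time-window rules.
All rules, users and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    users: frozenset                 # user names the rule covers; "*" means any authenticated user
    dst_net: ipaddress.IPv4Network   # destination network the rule permits
    ports: frozenset                 # permitted destination ports; empty means any port
    window: tuple                    # (start, end) wall-clock times during which the rule applies


ALL_DAY = (time(0, 0), time(23, 59, 59))

# Open access: once the tunnel is up, anyone may reach anything, any time.
OPEN_POLICY = [
    Rule(frozenset({"*"}), ipaddress.ip_network("0.0.0.0/0"), frozenset(), ALL_DAY),
]

# Granular access (constructed): scoped by user, destination, port and time.
GRANULAR_POLICY = [
    Rule(frozenset({"alice"}), ipaddress.ip_network("10.0.10.0/24"), frozenset({22, 443}), (time(7, 0), time(19, 0))),
    Rule(frozenset({"bob"}),   ipaddress.ip_network("10.0.20.5/32"), frozenset({3389}),    ALL_DAY),
    Rule(frozenset({"*"}),     ipaddress.ip_network("10.0.30.0/24"), frozenset({80, 443}), ALL_DAY),
]


def is_allowed(policy, user, dst_ip, dst_port, now):
    """Default deny: the request passes only if one rule matches every attribute."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if "*" not in rule.users and user not in rule.users:
            continue
        if dst not in rule.dst_net:
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        start, end = rule.window
        if not (start <= now <= end):
            continue
        return True
    return False


def evaluate(policy, attempts):
    """Decide each (user, dst_ip, dst_port, time-of-day) attempt against a policy."""
    return [(u, ip, p, now.strftime("%H:%M"), is_allowed(policy, u, ip, p, now))
            for u, ip, p, now in attempts]


# Constructed connection attempts with the expected granular decision noted.
ATTEMPTS = [
    ("alice", "10.0.10.7", 22,   time(9, 30)),   # allowed: her subnet, SSH, business hours
    ("alice", "10.0.10.7", 22,   time(23, 0)),   # denied: outside her time window
    ("alice", "10.0.20.5", 3389, time(9, 30)),   # denied: bob's host, not in any rule for her
    ("bob",   "10.0.20.5", 3389, time(2, 0)),    # allowed: RDP to his single host, any time
    ("carol", "10.0.30.9", 443,  time(14, 0)),   # allowed: everyone may reach the web tier on 443
    ("carol", "10.0.30.9", 22,   time(14, 0)),   # denied: SSH is not in the any-user rule
]


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("granular", GRANULAR_POLICY)):
        for row in evaluate(policy, ATTEMPTS):
            print(name, row)
```

Under the open policy every attempt succeeds, which is what a plain "authenticate to the tunnel and you are on the LAN" deployment amounts to; under the granular policy only three of the six pass. Whether these rules live on the VPN gateway, the firewall behind it, or the network operating system is the placement question the answer leaves open.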


What is a VPN accelerator?

A VPN accelerator offloads the computations of VPN encryption and
decryption to one or more dedicated processors, reducing burdens on a
general-purpose server CPU.


What if I have several small clients that want to create connectivity
between two offices, with less than 15 users at each office, and they
want to share the same data to both offices? Will a VPN be
cost-effective?

Sure, a low-cost site-to-site VPN will do this just fine. Look to
spend $1,000 to $2,000 for the two devices. Or you can put a Linux box
at each end and use FreeS/WAN (free and available at
www.freeswan.org), but this is more complex to set up.


Is using Microsoft Remote Desktop log-in as secure as using a VPN?

Remote Desktop provides simpler configuration and firewalling.  
However, VPNs provide better security because you have to authenticate
twice—once for the VPN, plus once for the application you want to use.  
But Remote Desktop plus some firewall protection to limit IPs calling
in provides "good enough" security.


Is there any way to have LAN-to-LAN connectivity but still require
authentication in another level?

Nesting one VPN inside another is possible but seldom worth the
overhead and the second set of credentials to administer. The practical
way to get a second authentication layer is application- or port-level
authentication on top of the tunnel (for example, IPSec plus HTTP/SSL
or Secure Shell).


If you set up a VPN between a primary site and a remote disaster
recovery site, with a high-availability cluster between these two
sites, and the primary site is destroyed, can the clients connect
through a different VPN location to the backup site?

In short, yes, but in the IPSec case clients will have to reconnect:
the security associations are state negotiated with and held by the
gateway, and that state will not survive the server failover. In the
SSL case, you can get failover if you terminate the SSL connection in
front of your server pair, or you can get a VPN appliance that has
failover (many do).


You refer to VPN policies. Is there a good resource for such policies?

Try The SANS Institute. It's an excellent resource for security policy
information. Just click on "sample policies" on the SANS home page at
www.sans.org.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

