VPN Security
There is an increasing demand nowadays to connect to internal networks from distant locations. Employees often need to connect to internal private networks over the Internet (which is by nature insecure) from home, hotels, airports or from other external networks. Security becomes a major consideration when staff or business partners have constant access to internal networks from insecure external locations.
VPN (Virtual Private Network) technology provides a way of protecting information being transmitted over the Internet, by allowing users to establish a virtual private “tunnel” to securely enter an internal network, accessing resources, data and communications via an insecure network such as the Internet.
VPN Deployment
VPN is mainly employed by organisations and enterprises in the following ways:
1.
Remote access VPN: This is a user-to-network connection for the home, or from a mobile user wishing to connect to a corporate private network from a remote location. This kind of VPN permits secure, encrypted connections between a corporate private network and remote users.
2.
Intranet VPN: This is where a VPN is used to connect business partners, such as suppliers and customers, together so as to allow various parties to work with secure data in a shared environment.
3.
Extranet VPN: This is where a VPN is used to connect business partners, such as suppliers and customers, together so as to allow various parties to work with secure data in a shared environment.
4.
WAN replacement: Where VPN offers an alternative to WANs (Wide Area Networks). Maintaining a WAN can become expensive, especially when networks are geographically dispersed. VPN often requires less cost and administration overhead, and offers greater scalability than traditional private networks using leased lines.
However, network reliability and performance might be a problem, in particular when data and connections are tunnelled through the Internet.
Type of VPN Product
VPNs can be broadly categorised as follows:
1.
A firewall-based VPN is one that is equipped with both firewall and VPN capabilities. This type of VPN makes use of the security mechanisms in firewalls to restrict access to an internal network. The features it provides include address translation, user authentication, real time alarms and extensive logging.
2.
A hardware-based VPN offers high network throughput, better performance and more reliability, since there is no processor overhead. However, it is also more expensive.
3.
A software-based VPN provides the most flexibility in how traffic is managed. This type is suitable when VPN endpoints are not controlled by the same party, and where different firewalls and routers are used. It can be used with hardware encryption accelerators to enhance performance.
4.
An SSL VPN allows users to connect to VPN devices using a web browser. The SSL (Secure Sockets Layer) protocol or TLS (Transport Layer Security) protocol is used to encrypt traffic between the web browser and the SSL VPN device. One advantage of using SSL VPNs is ease of use, because all standard web browsers support the SSL protocol, therefore users do not need to do any software installation or configuration.
Risks & Limitation of VPN
Hacking Attacks
A client machine may become a target of attack, or a staging point for an attack, from within the connecting network. An intruder could exploit vulnerabilities or mis-configuration in a client machine, or use other types of hacking tools to launch an attack. These can include VPN hijacking or man-in-the-middle attacks:
1.
VPN hijacking is the unauthorised take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
2.
Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion, and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.
User Authentication
By default VPN does not provide / enforce hardening user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorised access, an unauthorised party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both user name and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.
Client Side Risks
The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunnelling. This may pose a risk to the private network being connected to.
A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet, a wireless LAN at a hotel, airport or on other foreign networks. However, the security protection in most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.
Malware Infections
A connecting network can be compromised if the client side is infected with a malware. If a malware infects a client machine, there is chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a malware, that malware can be spread quickly to other networks if anti-malware protection systems are ineffective.
Incorrect Network Access Rights
Some client and/or connecting networks may have been granted more access rights than is actually needed.
Interoperability
Interoperability is also a concern. For example, IPsec compliant software from two different vendors may not always be able to work together.
Related topic(s):