A well-designed VPN uses several methods for keeping your connection and data secure:
- Firewalls
- Encryption
- IPSec
- AAA Server
In the following sections, we'll discuss each of these security methods. We'll start with the firewall.
A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions
VPN Security: Encryption
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:
- Symmetric-k*y encryption
- Public-k*y encryption
In symmetric-k*y encryption, each computer has a secret k*y (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-k*y requires that you know which computers will be talking to each other so you can install the k*y on each one. Symmetric-k*y encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the k*y to decoding the message. Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So A becomes C,and B becomes D.You have already told a trusted friend that the code is Shift by 2.Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
The sending computer encrypts the document with a symmetric k*y, then encrypts the symmetric k*y with the public k*y of the receiving computer. The receiving computer uses its private k*y to decode the symmetric k*y. It then uses the symmetric k*y to decode the document.
Public-k*y encryption uses a combination of a private k*y and a public k*y. The private k*y is known only to your computer, while the public k*y is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public k*y, provided by the originating computer, and its own private k*y. A very popular public-k*y encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.
VPN Security: IPSec
Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common k*y and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:
- Router to router
- Firewall to router
- PC to router
- PC to server
VPN Security: AAA Servers
AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:
- Who you are (authentication)
- What you are allowed to do (authorization)
- What you actually do (accounting)
The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
VPN Technologies
Depending on the type of VPN (remote-access or site-to-site), you will need to put in place certain components to build your VPN. These might include:
- Desktop software client for each remote user
- Dedicated hardware such as a VPN concentrator or secure PIX firewall
- Dedicated VPN server for dial-up services
- NAS (network access server) used by service provider for remote-user VPN access
- VPN network and policy-management center
Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-k*y solutions on their own.
No comments:
Post a Comment