• DISCOVER
  • CREATE
IN-FOCUS
CONCEPTS
PROCESS
ROLES
CONTEXT
RATIONALE
HANDS-ON LAB
CHALLENGE
CONTRIBUTING FACTORS
COURSE OF ACTION
Key Concepts:
  • Strategies for protection of remote network access using a VPN
  • Network architecture necessary for VPN implementation
  • Types of VPN solutions and common protocols used for connectivity and data transport
  • Planning and selecting the best VPN options for an organization

Network Security,
Firewalls, and VPNs

VPN Fundamentals

VPN Fundamentals
Introducing a VPN

A VPN makes a secure network connection over a public telecom infrastructure, such as the Internet, to provide remote access to private networks. A VPN enables organizations to privately transmit sensitive data remotely over public networks.

Think about answers to the following questions. Then, click each question to reveal its answer. Then, click the ACTIVITY button to attempt a simple exercise related to the limitations of a firewall.

  • What are the advantages of a VPN?
  • What are the disadvantages of a VPN?
  • What are the various types of architecture for a VPN connection?
  • What security and privacy issues are associated with a VPN?
X
The following are some of the advantages of a VPN:
  • It employs encryption and authentication for secure transmission and secures communication between separate private networks through tunneling.
  • It protects sensitive information transiting over a public network.
  • It is a low-cost alternative compared to a leased-line infrastructure.
  • It supports Internet remote access.
  • It provides remote access and remote control.

Click the image to see the enlarged view of the basic VPN architecture.

The following are some of the disadvantages of a VPN:
  • A VPN suffers from congestion, latency, fragmentation, and packet loss similar to any long-distance connection.
  • VPN clients are more difficult to keep compliant and to troubleshoot than on-site devices and systems.
  • Encrypted traffic used by VPNs does not compress because it lacks repeating patterns and is therefore more bandwidth-intensive than clear-text transmission.
  • VPN connectivity requires high availability for constant uptime and accessibility.
The primary types of architecture for VPN connections are:
  • A VPN that connects a LAN with remote mobile users
  • A VPN that connects multiple LANs
  • A VPN that connects multiple LANs with remote mobile users

Click the image to see the enlarged view of these architectures.

A VPN has the following security and privacy issues:
  • A VPN cannot ensure quality of service (QoS) or complete security.
  • Links in a VPN depend on the availability, stability, and throughput of the Internet service provider (ISP) connection.
  • A VPN is not an ideal connection method for dial-up modems or low-bandwidth links because the connection can be slow.
  • Infected mobile users can potentially damage or disrupt the private network.
  • Confidential data can be copied outside the boundaries of internal controls.
Defining a VPN Policy
An organization needs to create VPN policies to ensure that VPNs have appropriate security restrictions such that the VPN policy align with the overall information technology (IT) mission and goals of the organization. Steps involved in defining a VPN policy are listed below. After going through the steps, click the ACTIVITY button to attempt a simple exercise.

Resources

The following steps are involved in defining an effective VPN policy:

  • Define enterprise-class security considerations.
  • Define users, groups, and access rights.
  • Create VPN-specific standards, guidelines, and procedures.
  • Define VPN usage concerns and models.

Click the RESOURCES icon to learn more about each of the steps.

Types of VPNs
Using a wrong VPN or a VPN that does not meet your organization's requirements can create security problems. Before selecting a VPN product or technology for your organization, create a detailed requirements document. This should factor in not only the security requirements for the VPN but also business requirements. Click on each type of VPN listed below to know more about it. Then, click the ACTIVITY button to attempt a simple exercise.
  • Hardware-based VPNs
  • Software-based VPNs
  • Owned and outsourced VPNs
Hardware-based VPNs are dedicated resources with optimized processing power. The advantages of hardware-based VPNs are VPN appliances and supportive corporate firewalls are designed for routing, dedicated services never borrow from general processing resources, and devices are streamlined for a high-throughput secure network delivery. Hardware-based VPNs have a few disadvantages also. They are more expensive options and are exclusive to compatible VPN termination points.
Software-based VPNs are platform independent and use Secure Sockets Layer (SSL) or Transport Layer Security (TLS). The following are some of the advantages of software-based VPNs:
  • They install and deploy rapidly if browser-based VPN clients are used.
  • They establish quick VPN connections by using client-server software.
  • They are lightweight, portable, cross platform, and inexpensive.
In the case of a company-owned VPN, the company owns the VPN or operates the telecommunications infrastructure and VPN endpoints. A company-owned VPN is usually more expensive but offers more control than an outsourced VPN—a VPN in which the company maintains and manages only the contract related to the VPN.
VPN Solutions
Organizations use various VPN solutions in enterprise environments. The components of common VPN solutions are listed below. Click on each component to learn more about it. Then, click the ACTIVITY button to attempt a simple exercise.
  • Tunnel-mode VPN
  • Transport-mode VPN
  • Cryptographic protocols
  • Network protocols
  • VPN authentication, authorization, and accountability mechanisms
This type of VPN is ideal for gateway-to-gateway or network-to-network communication. It transmits VPN packets by using a carrier protocol, packages the original data by using an encapsulating protocol, and carries the original data payload or protocol by using a passenger protocol. The advantages of a tunnel-mode VPN is that it encapsulates an entire packet within another packet and encrypts the payload and header, such as Internet Protocol (IP), User Datagram Protocol (UDP), or Transmission Control Protocol (TCP), to protect identities. The tunnel-mode also encapsulates packets that are not routable through the Internet and routes nonroutable traffic over a public infrastructure.

This type of VPN is ideal for direct endpoint-to-endpoint or endpoint-to-gateway communication. The following are some of the characteristics of a transport-mode VPN:

  • It encapsulates only the packet payload.
  • It cannot prevent some forms of observation such as eavesdropping and alteration.
  • It does not conceal endpoint identity.
These protocols ensure confidentiality and nonrepudiation. They require encryption algorithms, protocols, and authentication methods. Endpoints should also support identical cryptographic protocols and methods.
The following are common network protocols used by VPNs:
  • Tunneling protocol: Packages packets within packets for secure transport
  • Transport protocol: Packages payloads within packets
  • Encapsulating protocol: Wraps around original passenger protocols
  • Carrier protocol: Carries packaged VPN packets
These mechanisms enable approved external entities to interconnect and interact with a private network. These mechanisms use varying methods for authenticating users, such as passkeys and biometrics. VPN authentication, authorization, and accountability mechanisms also track and log user interactions to maintain user accountability.
Strategies to Protect a VPN
A VPN is a security technology, but it might degrade the security parameters associated with a network. Therefore, after the VPN is in place, the organization needs to address a number of additional factors for successful VPN deployment. Think about answers to the following questions related to protecting VPN implementation. Then, click each question to reveal its answer.
  • What is the purpose of various VPN deployment models?
  • What are the security requirements for various VPN hardware devices?
  • What are the security characteristics of VPN architecture?
  • What are common VPN supporting services and protocols?
VPN deployment model might be private, trusted, secure, or hybrid, and an organization should tailor VPN security to match organizational and data privacy needs. The organization should establish VPN controls for components, conversations, and communications. VPN customers and providers should separately manage and maintain devices. In addition, VPN customers can outsource the various aspects of VPN ownership and operation to service providers and tailor ownership and operator responsibilities according to budgetary needs.
The following are the security requirements for various VPN hardware devices:
  • VPN appliances: These should be dedicated devices and specialized to handle VPN off-loading from routers and host systems. These appliances can be placed outside a corporate firewall for traffic filtering and supplement existing corporate firewalls that do not support VPN services.
  • Edge routers: These routers transport VPN data over public networks and ensure that all traffic complies with the firewall. Edge routers are ideal for customer and supplier or business partner access and are best suited for controlled access into a demilitarized zone (DMZ).
  • Corporate firewall: This allows LAN-to-LAN traffic and treats the joined network as any other LAN route. A corporate firewall enables users to cross network segments without reauthenticating. It provides no additional firewall filtering or restrictions.
A VPN supports LAN-to-LAN and client-server direct connections over the Internet. Organizations use different VPN technologies for different needs to have control over the various aspects of a network such as a provider network, a customer network, a customer site, and a provider device. Organizations also use Authentication, Authorization, and Accounting (AAA) server deployment to track authentication, check authorization, and record accounting, respectively.
An enterprise-class VPN requires enterprise-class security, and authentication should establish the levels of authorization and access. Strong cryptographic tunneling protocols avoid intercepts and sniffing by protecting confidentiality. Strong authentication supports nonrepudiation and prevents identity spoofing.

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you’ve learned in this lesson in the context of analyzing a business situation. Although simplified, a problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

You have been working on the Corporation Techs' network project. Your manager now wants to brief you on your next task—the continuation of the assignment based on the Corporation Techs scenario.

Click the image of the manager to get his instructions.

After you have gone through the challenge, navigate to Contributing Factors from the panel at the top of your screen.
Corporation Techs' network is experiencing several VPN connection failures lately. Therefore, we need to create a VPN troubleshooting checklist to deal with the problem. I will send you details by e-mail. All the best!
Contributing Factors
From where can you gather information on this case? Let's find out by clicking the contributing factors. After you have gone through the contributing factors, navigate to Course of Action from the panel at the top of your screen.

Read E-mail
Review Documents

Select the icons from the top to receive additional
information related to the situation

Click here to view the VPN troubleshooting information.
Hi,

As already discussed, you need to create a VPN connectivity troubleshooting checklist for future use.

To create the checklist, use the troubleshooting information in the text sheet. Next, identify the relevant steps involved in the VPN connectivity troubleshooting process. Finally, create a checklist that helps you and others resolve general VPN connectivity issues.
Course of Action
Use the following checklist as a guide to complete this assignment. Note that the tasks that you have completed are already checked in the list.

Tasks

  • Consider the advice of the chief security officer.
  • Review the VPN troubleshooting information.
  • Identify the relevant steps involved in the VPN connectivity troubleshooting process.
  • Create the VPN connectivity troubleshooting checklist.
  • Submit the checklist to your instructor.
At the end of this lesson, you should be able to:
  • Identify the benefits and limitations of virtual private networks (VPNs).
  • Discuss VPN deployment models and architecture and differentiate between a transport-mode VPN and a tunnel-mode VPN.
  • Compare hardware and software VPN solutions and explain VPN protocols and their advantages and limitations.
  • Understand how to define a VPN policy.
In this lesson, you will learn about the advantages and disadvantages of a VPN and the process of defining a VPN policy. You will also explore various VPN solutions. In addition, you will learn about various strategies to protect a VPN.