Security and design considerations for deploying a VPN

Source: Internet
Author: User

Most enterprises need to protect internet communication. For many of them, the simplest way to protect it is to use a virtual private network (VPN) to create an encrypted channel between the systems that need to communicate.

The most common VPN use cases are connecting remote staff to the central data center so that they can securely access the internal resources their work requires, creating permanent connections between physically separated locations, and protecting the connections between internal systems or network zones.

Although there are many variants, the vast majority of VPNs fall into two technical types. The first uses Secure Sockets Layer (SSL) technology, securing connections with SSL or Transport Layer Security (TLS) certificates. The second is based on Internet Protocol Security (IPsec) and provides more advanced security options.

SSL VPN

In most cases, SSL VPNs provide connections for employees who need secure access to applications and systems. Many SSL VPN vendors offer native integration and configuration options for common applications, including email, office tools, file sharing, and web applications that are normally reached through a browser. The advantage of these VPNs is that they require no client software on the connecting endpoint, and they are easy to install and configure for access to common applications.

IPSec VPN

For non-web applications and more complex security requirements, an IPsec VPN may be the better choice. Other remote-access VPN protocols exist, such as the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP), but IPsec differs in that it fully encapsulates all IP traffic between the endpoint and the security gateway (or between two security gateways) and offers stronger encryption options. IPsec is a more complex suite of protocols; it gives enterprises more flexible ways to establish dedicated tunnels between gateways and systems that carry most types of communication. Most enterprise-grade VPNs are deployed as hardware appliances, although smaller enterprises can install VPN software on conventional server hardware.

Different architectures: the VPN server behind the firewall

Several architectures can be used to deploy a VPN platform. The most common architecture for remote access places the VPN server in a demilitarized zone (DMZ) behind the perimeter firewall, with the firewall allowing only specific ports or URLs through to the server. The DMZ can sit between two different firewalls (or on a single network segment attached to one firewall), and the VPN server lives in that subnet. The client connects to the VPN server, and the VPN server then connects the user to internal applications and services according to the user's role and authentication credentials. In some deployments the VPN and the firewall are the same device, provided the number of concurrent connections can be handled without significantly affecting performance.

This architecture has stood the test of time; most current deployments follow the "VPN + firewall" or "VPN in DMZ" pattern. Its main disadvantage is that traffic arriving from the VPN platform has to be trusted: in many cases it is not encrypted once inside the network. Traditional network monitoring tools (intrusion detection systems) can, however, inspect that traffic.

The second VPN architecture is the site-to-site connection between two physical locations, usually configured between the perimeter gateway devices (typically routers). For this architecture the most critical security concern is the trustworthiness of the remote VPN platform and network, because such connections are usually permanent.

Finally, there is the so-called internal VPN, the most common choice in more advanced security architectures. Here the VPN server acts as the gateway to critical network zones and systems. Establishing an internal gateway that controls access to sensitive data and resources can help enterprises meet compliance requirements and monitor privileged-user behavior.

Common attributes of good VPN design

Regardless of the architecture deployed, there are many configuration options for locking down the VPN platform and its functions. Every VPN deployment should have the following features:

  • Authentication and access control: SSL VPNs use SSL/TLS certificates to authenticate the endpoint and create the encrypted channel, and usually provide a web interface that supports password or multi-factor authentication (token, client certificate, or one-time password or code). IPsec VPNs are usually pre-configured with the authentication options between gateway and client; remote users can supply a user name, password, and token code to verify their identity.
  • Verification of the security and trustworthiness of the endpoint device: over the past few years VPN products have gradually added endpoint security assessment. Many VPNs can now determine the endpoint's operating system, patch level, browser version and security settings, and whether anti-malware is installed (and which signature version is deployed).
  • Confidentiality and integrity: SSL VPNs support block and stream ciphers, including 3DES, RC4, IDEA, and AES; IPsec VPNs support only block ciphers. Both types of VPN support hash-based integrity verification, and both have mechanisms to detect packet tampering and replay attacks, by sequence number and hash or Message Authentication
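The authentication, role-based access and endpoint-assessment features described above come together at the VPN gateway as a single admission decision: is the user authenticated, does the device meet the posture baseline, and which internal networks and ports may the session reach? The following is an added example (not code from the original page or from any VPN product) of such a decision in Python; the role policy, posture baseline, endpoint attributes and sample addresses are all constructed assumptions, and a real gateway would source them from its directory and posture agent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed role policy (assumed values, not a real organisation's): each role
# maps to the internal networks and TCP ports the gateway may forward the user to.
# Anything not listed is denied (default deny).
ROLE_POLICY = {
    "finance": {"networks": ("10.20.0.0/24",), "ports": frozenset({443, 1433})},
    "engineering": {"networks": ("10.30.0.0/16", "10.40.1.0/24"),
                    "ports": frozenset({22, 443, 8080})},
    "contractor": {"networks": ("10.50.5.0/24",), "ports": frozenset({443})},
}

# Constructed posture baseline: minimum OS patch level (build date as YYYYMMDD)
# and the maximum age, in days, of anti-malware signatures.
POSTURE_BASELINE = {
    "min_patch": {"windows": 20240301, "macos": 20240301, "linux": 20240101},
    "max_sig_age_days": 7,
}


@dataclass(frozen=True)
class Endpoint:
    """Attributes a posture agent would report about the connecting device."""
    os_name: str
    patch_level: int      # YYYYMMDD of the installed patch set
    av_installed: bool
    av_sig_age_days: int


@dataclass(frozen=True)
class SessionPolicy:
    """What an admitted session is allowed to reach."""
    role: str
    networks: tuple       # ipaddress.ip_network objects
    ports: frozenset


def check_posture(ep: Endpoint) -> Tuple[bool, str]:
    """Compare the reported endpoint state with the baseline; first failure wins."""
    min_patch = POSTURE_BASELINE["min_patch"].get(ep.os_name)
    if min_patch is None:
        return False, "unsupported operating system"
    if ep.patch_level < min_patch:
        return False, "patch level below baseline"
    if not ep.av_installed:
        return False, "anti-malware not installed"
    if ep.av_sig_age_days > POSTURE_BASELINE["max_sig_age_days"]:
        return False, "anti-malware signatures stale"
    return True, "ok"


def authorize(role: str, ep: Endpoint, mfa_passed: bool) -> Tuple[Optional[SessionPolicy], str]:
    """Admission decision: authentication, then posture, then role lookup."""
    if not mfa_passed:
        return None, "authentication failed"
    ok, reason = check_posture(ep)
    if not ok:
        return None, "posture: " + reason
    policy = ROLE_POLICY.get(role)
    if policy is None:
        return None, "no policy for role"   # unknown role: default deny
    networks = tuple(ipaddress.ip_network(n) for n in policy["networks"])
    return SessionPolicy(role, networks, policy["ports"]), "ok"


def connection_allowed(sp: SessionPolicy, dst_ip: str, dst_port: int) -> bool:
    """Per-connection check the gateway applies to each flow from an admitted session."""
    addr = ipaddress.ip_address(dst_ip)
    return dst_port in sp.ports and any(addr in net for net in sp.networks)


if __name__ == "__main__":
    device = Endpoint("windows", 20240415, True, 2)      # constructed, compliant device
    session, why = authorize("engineering", device, mfa_passed=True)
    print(why, session)
    print(connection_allowed(session, "10.30.2.5", 22))   # in role's network and port list
    print(connection_allowed(session, "10.20.0.5", 443))  # finance network: denied
    stale = Endpoint("windows", 20240415, True, 30)       # constructed, stale signatures
    print(authorize("contractor", stale, mfa_passed=True))
```

The ordering matters for the "trust the traffic from the VPN platform" problem described earlier on the page: the posture check runs before the role lookup so that a compliant user on a non-compliant device never obtains a session policy, and every flow is then checked against the role's networks and ports rather than being forwarded wholesale once the tunnel is up.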
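The last bullet mentions detecting tampering and replay by sequence number and a hash or message authentication code. The following added example (written for this page, not taken from any IPsec implementation) shows the receiver side of that mechanism in Python: each packet carries a 32-bit sequence number and an HMAC-SHA-256 tag over the sequence number and payload, and the receiver keeps a sliding bitmap window, as an ESP anti-replay window does, that is only advanced after the tag verifies. The key, the 16-byte tag truncation and the 64-packet window size are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

KEY = b"\x01" * 32   # constructed demo key; a real security association derives keys via IKE
TAG_LEN = 16         # assumed truncation of the HMAC-SHA-256 output
WINDOW = 64          # assumed anti-replay window size (the ESP default is also 64)


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: sequence number || payload || truncated HMAC over both."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: integrity check plus a sliding anti-replay window."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def _window_status(self, seq: int) -> str:
        if seq > self.highest:
            return "new"
        diff = self.highest - seq
        if diff >= self.window:
            return "too old"
        return "replayed" if self.bitmap & (1 << diff) else "in window"

    def _mark_seen(self, seq: int) -> None:
        """Advance or fill the window; called only after the tag has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.window else (self.bitmap << shift) | 1
            self.bitmap &= (1 << self.window) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes) -> Tuple[bool, str, Optional[bytes]]:
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated", None
        header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack(">I", header)[0]
        if seq == 0:
            return False, "invalid sequence number", None   # 0 is never transmitted
        # Cheap window check first so replays do not cost an HMAC computation ...
        status = self._window_status(seq)
        if status in ("too old", "replayed"):
            return False, status, None
        # ... then the integrity check, in constant time, before the window is touched.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "integrity check failed", None
        self._mark_seen(seq)
        return True, "accepted", body


if __name__ == "__main__":
    rx = Receiver()
    for pkt in (protect(1, b"one"), protect(3, b"three"), protect(2, b"two")):
        print(rx.receive(pkt))                    # all accepted, reordering tolerated
    print(rx.receive(protect(2, b"two")))         # replayed
    forged = protect(4, b"four")
    forged = forged[:4] + bytes([forged[4] ^ 0xFF]) + forged[5:]
    print(rx.receive(forged))                     # integrity check failed
    print(rx.receive(protect(4, b"four")))        # genuine packet 4 still accepted
```

Two details are worth noticing. The window is updated only after a successful integrity check, so a forged packet with a high sequence number cannot push the window forward and make genuine packets look old. And packets far below the window edge are rejected even with a valid tag, which is what bounds the state a receiver must keep.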
