Understanding VPN Technology Choices
Presented by: Rob Pantazelos, Network Administrator, Brown Rudnick, LLP
The most current version of this presentation can be downloaded at: http://www.brownrudnick.com/nr/ilta2008_vpn.ppt

Presentation Overview
- Introduction
- Background
- Remote Access VPN: Topologies and Technologies
- Caveats, Considerations, and Competing Technologies
- Site to Site VPN: Benefits, Challenges, and Considerations
- Summary
- Questions, Comments, Ideas

Introduction
- Expansion of companies, particularly law firms, outside the traditional boundaries of a central office
- Need to deliver content and applications to remote offices and remote users
- Ability to deliver reliably
- Ability to deliver at low cost
Background: What is VPN?
- Stands for Virtual Private Network. Provides private connectivity through a public connection medium (the Internet), referred to as a tunnel.
- Virtual: the availability of internal networks and resources is extended to remote users and remote offices.
- Private: through the use of encryption, although traffic is passing through the public domain it is only decipherable by the intended recipients.

Background: Encryption
- Encryption is the use of a key or cipher to alter (offset) the data set. The data stream can only be understood by recipients with the key.
[Figure: an encrypted data stream shown next to its plaintext, "THIS IS THE DECRYPTED MESSAGE"]

Background: How does VPN work?
- Uses two endpoints to encrypt/decrypt traffic.
- The endpoints share a key or certificate, which serves as the key for the encryption algorithm.
- Can be used to connect remote PCs to a central office (remote access VPN) or even whole networks (site to site VPN).
- Creates a secured connection over the public Internet without the need for dedicated (expensive) point to point links.
Remote Access VPN Topology
[Figure: main office (email server, file server, RAS server, VPN concentrator, firewall) connected through the Internet to remote users]

Remote Access VPN Technology: PPTP
- Authentication based VPN
- Requires a connection and an authentication server, most prevalently Microsoft RAS Server + LDAP or RADIUS
- Encryption key is generated from the password
- Pros: deployment cost; single sign-on integrated
- Cons: lowest level of encryption

Remote Access Technology: Firewall Client Based VPN
- Requires a hardware device, either a firewall or a VPN concentrator
- Authentication is 2 phase: requires a preshared key, then authenticates the user either device local or via RADIUS
- Encryption key is generated from the password
- Pros: strong encryption
- Cons: software must be installed on all client machines; often blocked by hotel/hotspot firewalls
Remote Access Technology: SSL Web-based VPN
- Users are able to connect to the VPN by logging into a webpage
- All network traffic is then encrypted over the SSL port (443)
- Pros: clientless; uses the standard SSL port, removing hotel/hotspot challenges
- Cons: licensing costs; service based deployment, so the whole network is not available by default

Caveats & Considerations
- The network is actually extended to the client, and data is actually extended to the client machine
- Processing is done on the connecting machine; data must transfer, which can be slow for large files
- The client machine must have all of the required applications and configurations installed
- Data can be copied locally/removed
- Maintaining security policy: antivirus

Competing Technology
- Transmit presentation data, not actual data
- Centralized: single connection point, managed environment (Citrix, Terminal Server)
- Decentralized: PC redirection (GoToMyPC, Logmein.com, VNC)
VPN vs. Citrix/Terminal Server

Site to Site VPN
- Connect multiple networks at multiple sites
- Connection provided by appliances: either firewalls, VPN concentrators, or potentially routers
- Each device has the encryption key; data is encrypted using device memory and CPU, then transmitted, received, and decrypted
- Higher encryption level = higher overhead = slower transmission rates

Site to Site VPN Topology
[Figure: main office (email server, file server) and remote office (file server), each behind a firewall, connected through the Internet]
Considerations for Site to Site VPN
- Bandwidth: shared with Internet bandwidth; also has overhead and encapsulation requirements
- Latency sensitive
- Public: relies on upstream devices
- Single point of failure for both WAN and Internet
- No QoS for VoIP/video

Benefits of VPN
- Low deployment cost
- Speed in connecting sites: only Internet connectivity is needed
- Strong encryption
- On the network, with local resources that are available on the PC that you are connecting through

Limitations/Shortcomings of VPN
- Even though data is encrypted, it is still being transmitted on the public Internet
- International regulations and export guidelines restrict where you can create a VPN tunnel to and from
- Firewalls at remote sites, particularly hotels, conferences, and WiFi hotspots, typically do not allow IPsec passthrough, thus blocking tunnel formation. This is why SSL VPNs are becoming more prevalent.
- Challenges enforcing endpoint security on remote clients (local antivirus and antispyware, etc.)
- No QoS since you are using a public network. VoIP/video can be problematic over a VPN.
- Requires software to be installed on the remote computer the same way it is installed on the corporate computer.
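A worked example of the "overhead and encapsulation" point above, added here and not part of the deck: it computes the bytes on the wire for one IPsec ESP tunnel-mode packet (field sizes from RFC 4303), with and without the UDP encapsulation used for NAT traversal, and goes one step further than the slides by also deriving the largest inner packet that still avoids fragmentation. The two cipher suites and the sample packet sizes are assumptions chosen for illustration.

```python
# Added example (not from the ILTA 2008 deck): bytes-on-the-wire cost of an
# IPsec ESP tunnel-mode site-to-site VPN, following the RFC 4303 field layout.
from dataclasses import dataclass

IPV4_HEADER = 20  # used for both the outer (tunnel) and inner IPv4 header
UDP_NAT_T = 8     # extra UDP header when ESP is UDP-encapsulated for NAT traversal
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
TCP_HEADER = 20

@dataclass(frozen=True)
class EspSuite:
    """Per-packet sizes set by the cipher/integrity pair (assumed example suites)."""
    name: str
    block: int  # cipher block size; payload + trailer is padded to a multiple of it
    iv: int     # explicit IV carried in every packet (AES-CBC: one block)
    icv: int    # integrity check value appended to every packet

AES128_SHA1 = EspSuite("aes128-cbc + hmac-sha1-96", block=16, iv=16, icv=12)
AES256_SHA256 = EspSuite("aes256-cbc + hmac-sha256-128", block=16, iv=16, icv=16)

def esp_tunnel_size(inner_packet: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IP packet of `inner_packet` bytes."""
    padded = -(-(inner_packet + ESP_TRAILER) // suite.block) * suite.block  # round up
    size = IPV4_HEADER + ESP_HEADER + suite.iv + padded + suite.icv
    return size + UDP_NAT_T if nat_t else size

def max_inner_mtu(outer_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner IP packet that fits in `outer_mtu` without IP fragmentation."""
    fixed = IPV4_HEADER + ESP_HEADER + suite.iv + suite.icv + (UDP_NAT_T if nat_t else 0)
    padded = (outer_mtu - fixed) // suite.block * suite.block
    return padded - ESP_TRAILER

def goodput_fraction(app_bytes: int, suite: EspSuite, nat_t: bool = False) -> float:
    """Share of wire bytes that is application data for one TCP segment of `app_bytes`."""
    inner = IPV4_HEADER + TCP_HEADER + app_bytes  # inner IPv4 + TCP header + data
    return app_bytes / esp_tunnel_size(inner, suite, nat_t)

if __name__ == "__main__":
    # Constructed inputs: a 200-byte G.711 VoIP packet and a 1400-byte TCP segment.
    for suite in (AES128_SHA1, AES256_SHA256):
        for nat_t in (False, True):
            voip = esp_tunnel_size(200, suite, nat_t)
            print(f"{suite.name:30} nat_t={nat_t!s:5} voip 200B -> {voip}B ({voip / 200:.2f}x)"
                  f"  tcp goodput {goodput_fraction(1400, suite, nat_t):.1%}"
                  f"  inner MTU {max_inner_mtu(1500, suite, nat_t)}")
```

The model covers bandwidth overhead only; the CPU cost of the cipher, which the deck also cites, is not represented, and between these two suites the byte difference comes from the longer ICV rather than the key length.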
Summary
- A strong solution for certain applications/requirements
- Many considerations
- Often works best in tandem with other solutions

Future of VPN
- Stronger encryption
- Offered by ISP vendors to complement MPLS networks
- Deployments being made easier
- Devices offering endpoint security methods

Questions, Comments, Ideas