Right now, someone from your organization is sitting in a coffee shop, airport or hotel, taking advantage of a shared Wi-Fi connection to conduct business, regardless of what your organization’s security policy allows or prohibits. Whether you choose to admit it or not, ubiquitous mobility is now a reality. If your security controls and policies make it difficult for users to connect, they’ve almost certainly found a work-around.
If that makes you feel a little uneasy, you can take comfort in the fact that there is a strong solution to offset this risk, and it’s probably already available in your organization: the use of virtual private networks.
VPN technology uses strong encryption to create a virtual tunnel between your end users — wherever they are in the world — and your corporate network. Other users of the same network are not able to eavesdrop on the communications, and if they try, everything looks like gibberish without access to the secret encryption key.
The primary reason most organizations implement VPNs is to safeguard sensitive corporate information. In fact, many make VPN use a requirement only for accessing sensitive intranet applications, leaving e-mail and other services accessible to the wider Internet.
By connecting to the VPN, users obtain an address on the corporate network and are able to bypass the firewalls that block outsiders from accessing sensitive information. This enables widespread remote access to internal applications. Of course, the network administrator might choose to block some especially sensitive applications from VPN users, requiring a physical presence on the corporate network.
Another common use of VPNs is to combat eavesdropping on all of a user’s wireless network traffic, even traffic destined for locations outside the corporate network. For example, if an outsider is able to eavesdrop on your CEO’s connection to cloud-based web services, that could be just as devastating as if they were able to eavesdrop on his or her connection to your corporate intranet. With a simple routing table change, a VPN connection can be set to route all data through the protected encrypted tunnel to the corporate network (often called full tunneling, as opposed to split tunneling, where only corporate destinations use the tunnel).
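The routing table change described above is easy to verify on the client. The following check, added here as an example and not part of the original article, parses Linux ip route show output (constructed sample lines, with tun0/ppp0 assumed as the VPN interface names and 203.0.113.10 as a placeholder VPN server address) and reports whether the default route goes through the tunnel and which destinations still bypass it.

```python
"""Classify a client's routing table as full-tunnel, split-tunnel or no tunnel."""
import ipaddress
import re

VPN_IFACES = ("tun0", "ppp0")  # assumed VPN interface names; adjust per client

# Constructed sample in the shape of `ip route show` on a laptop on hotel
# Wi-Fi (wlan0) with a split-tunnel VPN: only 172.16/12 uses the tunnel.
SAMPLE_SPLIT = """\
default via 192.0.2.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/12 via 10.8.0.1 dev tun0
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.45
203.0.113.10 via 192.0.2.1 dev wlan0
"""

# Same laptop after the default route is moved into the tunnel, but with a
# leftover route that still sends one prefix out over the hotel network.
SAMPLE_FULL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.45
198.51.100.0/24 via 192.0.2.1 dev wlan0
203.0.113.10 via 192.0.2.1 dev wlan0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via \S+)? dev (?P<dev>\S+)(?P<rest>.*)$")

def parse_routes(text):
    """Parse `ip route show` lines into (network, device, is_link_scope) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, m.group("dev"), "scope link" in m.group("rest")))
    return routes

def classify(routes, vpn_server):
    """Return (mode, leaks): mode is "full", "split" or "none"; leaks lists
    destinations routed outside the tunnel, ignoring the directly connected
    Wi-Fi subnet and the host route to the VPN server (which must stay local)."""
    server = ipaddress.ip_network(vpn_server)  # placeholder address, see lead-in
    if not any(dev in VPN_IFACES for _, dev, _ in routes):
        return "none", []
    default_dev = next((dev for net, dev, _ in routes if net.prefixlen == 0), None)
    mode = "full" if default_dev in VPN_IFACES else "split"
    leaks = [str(net) for net, dev, link in routes
             if dev not in VPN_IFACES and not link and net != server]
    return mode, leaks

if __name__ == "__main__":
    for name, sample in (("split sample", SAMPLE_SPLIT), ("full sample", SAMPLE_FULL)):
        print(name, classify(parse_routes(sample), "203.0.113.10"))
```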
One less publicized use of VPNs is to bypass content filtering performed by the owners of third-party networks. For example, if the hotel or coffee shop they are visiting blocks access to a certain website but your corporate policy does allow such access, the user can bypass the content filter by connecting to your corporate VPN first. The local content filter can’t monitor the VPN connection and will be unaware that the user is accessing restricted content.
When configuring a VPN for the first time, network administrators have a number of protocol options at their disposal. The good news is that, for the most part, modern client operating systems hide all of this detail from the end user. After the user provides the address of the VPN server (for example, vpn.yourcompany.com), the operating system should be able to detect the protocol in use and negotiate a connection automatically.
The two original VPN protocols, the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP), are still widely deployed on the Internet today, despite several shortcomings. First, significant security vulnerabilities have surfaced in Microsoft’s original PPTP protocol over the years.
Many security professionals feel that these flaws render PPTP unsuitable for use in an enterprise environment. However, PPTP continues to proliferate, mainly because it was the easiest protocol to configure in earlier versions of Microsoft Windows. Second, both PPTP and L2TP have difficulty passing through firewalls that use network address translation: PPTP carries its data in GRE packets, and L2TP is normally protected by IPsec ESP, neither of which has port numbers that a NAT device can rewrite. This may leave your users stranded behind a third-party network firewall, unable to connect to your corporate VPN.
Many of these problems have been solved with the introduction of Secure Sockets Layer (SSL) VPNs. These VPNs use HTTPS, the protocol commonly used to secure web applications, to secure the VPN connection. The beauty of this approach is that the VPN traffic is indistinguishable from secure web browsing. If a remote network allows users to connect to secure websites, those users will also be able to connect to your VPN. Because of this ease of use, SSL VPNs have skyrocketed in popularity over the past few years.
The good news is that, unlike many security technologies, you may be able to implement a VPN without any financial investment. Chances are good that your existing security infrastructure already contains the devices and software necessary to build a decent VPN.
The first place to check is your organization’s firewall. As the entry point to your private network, the firewall is already exposed to the Internet and provides a logical endpoint for VPN connections. Most commercially available firewalls provide some VPN capability out of the box.
The most common limitation you’ll see with this approach is that unless you’ve upgraded the license provided with your firewall, you may be limited to only a few simultaneous VPN connections. Midgrade firewalls commonly allow two or three concurrent connections with their basic license pack. This is purely a license limitation, however, as the hardware will typically support many more connections, so you can improve this capability by purchasing additional licenses from the firewall vendor.
If the firewall option doesn’t work out for you, the servers that already exist in your environment probably provide some software VPN capability. For example, the Routing and Remote Access Services role in Windows Server 2008 allows you to create a PPTP, L2TP or SSL VPN. You can easily integrate authentication with your Windows domain so that users don’t need to remember another set of credentials.
Finally, if you expect high-volume VPN use or the demands of your VPN are taxing your firewall or servers, you may need a dedicated device, known as a VPN concentrator, to handle this traffic. These hardware devices are optimized to support many simultaneous VPN connections and can support hundreds of concurrent users.
Virtual private networks add tremendous flexibility to your network security infrastructure. They allow you to rest easy when your users travel the world, confident that their network connections are protected by your organization’s security controls wherever they travel.