VPN Considerations 2002
Housekeeping Issues
• Duration: 1.25 hours +/-
• Questions & comments: early and often
Why We’re Here
• Examine a brief summary of considerations surrounding successful VPN and remote access planning, deployment and management.
• Note other perimeter security issues.
What is a VPN?
• Virtual Private Network - A network that performs private, trusted data transmissions over a public, untrusted network (e.g. the Internet).
• Usage:
  – Point to Point(s)
  – Remote Access
  – Hybrid
Essential VPN Definitions
• Authentication – A method of establishing identity between systems or users.
• Authorization – The right to access a network service after authentication has taken place.
• CIA – Confidentiality, Integrity, Availability – The three primary security properties of your (or your customer’s) information, and so the three primary ways it can be compromised.
More Essential VPN Definitions (Cont.)
• Encryption – The process of converting cleartext into what appears to be random characters (a.k.a. ciphertext) – FIPS standards include DES, 3DES, AES
• Tunneling – Encapsulation of packets within other packets, primarily for transmission across public IP networks (e.g. the Internet) – e.g. IPSec, L2TP, PPTP, PPP
VPN Economic Considerations
• VPNs can be less expensive than WANs and more functional and secure than modem banks.
• Often assessed in a cost-benefit comparison with voice-over solutions.
• Decision criteria include:
  – Current connectivity costs
  – Distances
  – Locations
  – # of sites
  – Type & volume of traffic
  – Existing equipment & software
Basic VPN Connectivity Steps
• Site-to-Site
  – 1) Authenticate once
  – 2) Encapsulate an IP packet
  – 3) Encrypt and transmit
  – 4) Decrypt
  – 5) Un-encapsulate
• Remote Access
  – 1) Authenticate each time a session begins
  – 2) See steps 2–5 above
VPN Scaling Considerations
• Processor Cycles: the number of tunnels (and hence the processor cycles they consume) is greater for remote user deployments than for a single site-to-site connection (i.e. 10 remote users require more processor cycles than 100 users sharing one site-to-site VPN tunnel).
• Bandwidth: depends on how the applications are deployed, but the VPN tunnel itself adds approximately 10-30% overhead.
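The 10-30% figure is a rule of thumb; the actual tunnel overhead depends on packet size, because the fixed headers and trailer weigh more on small packets. As an added example that is not part of the original presentation, the following Python sizes an inner IPv4 packet after IPsec ESP tunnel-mode encapsulation and finds the largest inner packet that fits a 1500-byte path MTU without fragmentation. It assumes an IPv4 outer header, AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV) with no NAT-T UDP encapsulation; the field sizes are those of RFC 4303, not values from the slides.

```python
"""Estimate IPsec ESP tunnel-mode overhead (RFC 4303) for an inner IPv4 packet.
Assumed (not from the slides): IPv4 outer header, AES-CBC (16-byte IV and block),
HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP encapsulation."""
from dataclasses import dataclass

OUTER_IP_HDR = 20  # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)

@dataclass(frozen=True)
class EspOverhead:
    inner_len: int  # size of the original (inner) IP packet
    padding: int    # ESP padding bytes needed for block alignment
    outer_len: int  # size of the packet actually sent on the wire

    @property
    def overhead_bytes(self) -> int:
        return self.outer_len - self.inner_len

    @property
    def overhead_pct(self) -> float:
        return 100.0 * self.overhead_bytes / self.inner_len


def esp_tunnel_overhead(inner_len, block=16, iv_len=16, icv_len=12):
    """Size an inner packet after ESP tunnel-mode encapsulation."""
    if inner_len <= 0:
        raise ValueError("inner packet must be at least one byte")
    # Payload + padding + trailer must fill whole cipher blocks.
    padding = (-(inner_len + ESP_TRAILER)) % block
    outer_len = (OUTER_IP_HDR + ESP_HDR + iv_len
                 + inner_len + padding + ESP_TRAILER + icv_len)
    return EspOverhead(inner_len, padding, outer_len)


def max_inner_len(outer_mtu=1500, **cipher):
    """Largest inner packet that fits the outer MTU without fragmenting."""
    for inner in range(outer_mtu, 0, -1):
        if esp_tunnel_overhead(inner, **cipher).outer_len <= outer_mtu:
            return inner
    raise ValueError("MTU too small to carry any ESP payload")


if __name__ == "__main__":
    # Constructed sizes: small voice packet, 576-byte datagram, large TCP segment
    for size in (60, 576, 1400):
        o = esp_tunnel_overhead(size)
        print(f"inner {o.inner_len} B -> outer {o.outer_len} B ({o.overhead_pct:.1f}% overhead)")
    print("largest inner packet for a 1500-byte path MTU:", max_inner_len())
```

For a full-size 1400-byte packet the overhead is under 5%, while a 60-byte voice packet doubles in size, so the percentage on a real link is set by the traffic mix rather than by the tunnel alone.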
VPN Security Considerations
• Authentication & Authorization!
• Centrally manageable firewalls at remote sites and/or users.
• Generic O/S’s vs. pre-hardened firewall/VPN device O/S’s.
• Application security.
VPN Technical Considerations
• Latency > 200ms causes application errors – often a problem for remote users with DSL connections.
• Non-standard tunneling, encryption and hardware/software solutions can cause problems.
• Meshing site-to-site VPNs for fault tolerance is complex.
• VPN access for remote users does not mean complete network/application access.
• Every O/S on remote user PCs has its own idiosyncrasies.
Proven VPN & Remote Access Solutions
• Check Point VPN-1
  + Management of remote site and user security
  + Runs on appliances w/ hardened O/S’s (e.g. Nokia)
  + Supports many authentication schemes
  - Cost ($)
• Citrix NFUSE with Secure Gateway
  + Requires only browser and authentication mechanism
  + Supports many authentication schemes
  - Not a complete solution for site-to-site VPN
• Cisco/Altiga VPN
  + VPN concentrator has easy remote client setup
  + Runs on appliance w/ hardened O/S
  + Supports many authentication schemes
  - Limited management of remote user security
Other Perimeter Security Considerations
• Mail Relay/Virus Scanning
• Intrusion Detection
• Voice Systems
• Backdoors
• Web Servers
• Vendor/Business Partners
Regulatory Considerations
• FITSAF (any departments dealing with the federal government)
  – http://www.cio.gov/documents/federal_it_security_assessment_framework_112800.html
• HIPAA (health departments)
  – http://aspe.os.dhhs.gov/adminsimp/nprm/seclist.htm
References
• http://www.rsasecurity.com/solutions/vpn/infocenter/ – Good white papers and such
• http://www.internetwk.com/VPN/default.html – Internet Week VPN site
• http://www.checkpoint.com/products/security/gateway_vpnsolutions.html – Check Point VPN site
• http://www.citrix.com/press/news/releases/20011030_gateway.asp – Citrix Secure Gateway press release
• http://www.cisco.com/warp/public/779/largeent/learn/technologies/VPNs.html – Cisco VPN site