This scheme is the least widespread, but it is one of the most powerful for use inside a company. It is a variant of the remote-access type, but instead of using the Internet as the transport it uses the company's own local area network (LAN). It is used to isolate zones and services of the internal network from one another, which makes it very convenient for improving the security of wireless (WiFi) networks.
A classic example is a server holding sensitive information, such as payroll, placed behind a VPN gateway: the gateway adds a further authentication step plus encryption, so that only the authorized human resources staff can reach the information.
Another example is connecting to Wi-Fi networks through encrypted IPsec or SSL tunnels: in addition to the traditional authentication methods (WEP, WPA, MAC address filtering, etc.), the client must present the credentials of the VPN tunnel established on the internal or external LAN.
Basic characteristics
To make this possible in a secure way, the means must be provided to guarantee the following properties:
- Authentication and authorization: who is on the other side? Which user or device, and what level of access should it have?
- Integrity: the data sent has not been altered. Hash functions are used for this; the most common hashing algorithms are the Message Digest family (MD2 and MD5) and the Secure Hash Algorithm (SHA).
- Confidentiality / privacy: the data can only be interpreted by its intended recipients. This makes use of encryption algorithms such as Data Encryption Standard (DES), Triple DES (3DES) and Advanced Encryption Standard (AES).
- Non-repudiation: a message must be signed, and whoever signs it cannot later deny having sent it.
- Access control: authenticated participants can reach only the data they are authorized to access.
- Audit and activity logging: ensures correct operation and the ability to recover after incidents.
- Quality of service: ensures good performance, with no unacceptable degradation of transmission speed.
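As an added illustration of the integrity property above (this code is not part of the original article), the following Python compares a plain MD5 digest with a keyed HMAC-SHA256 tag over a constructed payroll record and a constructed shared key: a receiver that checks only an unkeyed hash cannot tell a rewritten record from the original, which is why IPsec and SSL/TLS tunnels compute the integrity check under a key the two endpoints share.

```python
import hashlib
import hmac

# Constructed sample values for the demo: a shared tunnel key and one
# "payroll" record crossing the tunnel. Neither comes from a real VPN.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
PAYLOAD = b"payroll;alice=4200;bob=3900"


def unkeyed_digest(payload: bytes) -> bytes:
    """Integrity tag built from a plain hash (MD5), with no secret involved."""
    return hashlib.md5(payload).digest()


def keyed_tag(key: bytes, payload: bytes) -> bytes:
    """Integrity tag built with HMAC-SHA256 under the shared tunnel key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def receiver_accepts_unkeyed(payload: bytes, digest: bytes) -> bool:
    """Receiver check when only a plain hash travels with the data."""
    return hmac.compare_digest(unkeyed_digest(payload), digest)


def receiver_accepts_keyed(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Receiver check with a keyed tag; compare_digest avoids timing leaks."""
    return hmac.compare_digest(keyed_tag(key, payload), tag)


def unkeyed_scenario() -> bool:
    """True if the receiver accepts an altered record that was protected only
    by an unkeyed MD5 digest: a party on the path simply rehashes the new
    bytes, so the check passes and the alteration goes unnoticed."""
    altered = PAYLOAD.replace(b"alice=4200", b"alice=9999")
    return receiver_accepts_unkeyed(altered, unkeyed_digest(altered))


def keyed_scenario() -> bool:
    """True if the receiver accepts the same alteration when the tag is an
    HMAC under the shared key. Without the key the on-path party cannot
    recompute the tag and can only forward the original one, which no
    longer matches, so the receiver rejects the record."""
    original_tag = keyed_tag(SHARED_KEY, PAYLOAD)
    altered = PAYLOAD.replace(b"alice=4200", b"alice=9999")
    return receiver_accepts_keyed(SHARED_KEY, altered, original_tag)
```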
Advantages
- Integrity, confidentiality and security of the data.
- VPNs reduce costs and are easy to use.
- They facilitate communication between two users in distant locations.
Connection types
Remote access connection
A remote access connection is made by a client, that is, a user on a computer that connects to a private network. The packets sent through the VPN connection originate at the remote access client. The client authenticates itself to the remote access server, and the server authenticates itself to the client.
VPN router to router connection
A router-to-router VPN connection is made by a router, which in turn connects to a private network. In this type of connection, the packets sent across the VPN link by either router do not normally originate at the routers themselves. The router that makes the call authenticates itself to the router that answers, and the answering router in turn authenticates itself to the calling router, which also serves the intranet.
VPN firewall to firewall connection
A firewall-to-firewall VPN connection is made by one of the firewalls, which in turn connects to a private network. In this type of connection, the packets can be sent by any user on the Internet. The firewall that makes the call authenticates itself to the one that answers, and the latter in turn authenticates itself to the caller.
Basic requirements
- User identification: VPNs must verify the identity of users and deny access to those who are not authorized.
- Data encryption: the data to be transmitted across the public network (Internet) must first be encrypted so that it cannot be read if intercepted. This is done with encryption algorithms such as DES or 3DES, so that only the sender and the receiver can read the data.
- Key management: VPNs must update the encryption keys of users.
- New SEAL security algorithm.
Services
- SSL VPN service. To use this service it is necessary to install a program (the VPN client) beforehand. Once the client is installed, each time a connection is made it is only necessary to run the installed program and provide the credentials of the official UGR email account.
- PPTP VPN service. In this mode it is necessary to configure a program (the VPN client) that is normally included in most operating systems. Once the client has been configured, each time a VPN connection is to be made a prior step is required: obtaining a temporary key for that connection. This key is obtained through a web page where the user must identify with the credentials of the official UGR email account.
Implementations
The de facto standard protocol is IPsec, but there are also PPTP, L2F, L2TP, SSL/TLS, SSH, etc., each with its advantages and disadvantages in terms of security, ease of use, maintenance and the types of clients supported.
There is currently a growing range of products based on the SSL/TLS protocol, which aim to make the configuration and operation of these solutions more user-friendly.
- Hardware solutions almost always offer higher performance and easier configuration, although they lack the flexibility of software versions. Within this family are the products of Fortinet, SonicWALL, WatchGuard, Nortel, Cisco, Linksys, Netscreen (Juniper Networks), Symantec, Nokia, US Robotics, D-Link, Mikrotik, etc.
- Software VPN applications are the most configurable and are ideal when interoperability problems arise with older equipment. Obviously their performance is lower and their configuration more delicate, because the security of the operating system and of the host in general also comes into play. Here we find, for example, the native solutions of Windows, GNU/Linux and Unix in general, and open source products such as OpenSSH, OpenVPN and FreeS/WAN.
In both cases, a firewall can be combined with the VPN solution, obtaining a high level of security thanks to the protection it provides, at the expense of performance.