S 3.65 Introduction to basic VPN terminology
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
A virtual private network (VPN) offers a secure communication channel between IT systems that is secured by access controls and the use of encryption. Selection and integration of suitable cryptographic procedures protect the integrity and confidentiality of the data transmitted. When configured accordingly, a VPN also makes secure authentication of the communication partners possible, even when several networks or computers are connected to each other over leased lines or public networks.
A VPN can be established using almost any media available. VPNs may differ in terms of their implementation, the functions they offer, and in which layer of the ISO/OSI layer model they reside. It is necessary during the planning phase of a VPN to decide how the VPN will be operated later on and if an external service provider will be contracted to design and build it or operate it.
Typical VPN usage scenarios:
The following describes several operational scenarios VPNs are usually used in.
- Mobile employees:
Mobile employees work at a variety of different workplaces in different environments and may need remote access to the data in the LAN of the organisation under some circumstances. In addition to securing such connections, it is also necessary to consider the security of the device as well as its application environment. Depending on the task to be accomplished, the employee may want to be able to dial in from any work location, for example from a hotel or an airport, into the internal network. In order to achieve an adequate level of security that is comparable to the security situation offered by an office, the recommendations in S 2.10 Mobile workplace also need to be taken into consideration. The devices used by the employees are usually laptops or PDAs. The corresponding IT-Grundschutz modules also need to be applied in this case, for example S 3.3 Laptops, S 3.5 PDAs, etc.
- Telecommuter workplace:
When connecting a telecommuter workplace, a client system accesses the internal network of an organisation from a fixed workplace located outside of the office environment.
Communication between the telecommuter's computer and the LAN is normally conducted using insecure public networks. The IT systems of the telecommuter workplaces should be administered at a central location. Module S 5.8 Telecommuting describes how to secure the connection to the computer of the telecommuter.
- Location networking:
In location networking, the subnetworks of different locations of an organisation are connected to each other. Here, the trustworthy LANs operated under the control of the organisation are often connected using an insecure public transport network. In this scenario, the transport channel in particular needs to be secured. In addition, the networks and client systems of the various locations must be secured against attacks from the internet using security gateways.
- Customer and partner connection:
In many cases, it is necessary to connect customers or partners to the internal network of an organisation. The following are examples of typical scenarios:
- certain internal information is to be provided so that it can be retrieved from a network trusted only to a limited extent, i.e. from "outside" the organisation.
- it is necessary to query external databases from inside the trustworthy network so that goods can be selected and purchased, for example.
- software will be developed on the internal systems by external companies.
Since the IT systems of the customers and partners are not under the control of the organisation, it must be guaranteed that only the shared resources can be accessed. For example, all IT systems the customers or partners have access to can be operated in a separate network that is isolated from the LAN of the organisation by a security gateway (see S 3.1 Security gateway (firewall)).
- Remote maintenance:
When performing remote maintenance tasks, it is necessary to have privileged administrator access to the internal systems. The remote maintenance (maintenance, support, and operation) of internal systems can be performed by the organisation's own employees or by external employees. In both cases, there are high requirements regarding the authentication of the remote user, the control of the flow of data, and the availability of the connection. If external employees are contracted to maintain the IT systems, the recommendations in module S 1.11 Outsourcing must be taken into account.
VPNs are often used to protect the communication of individual protocols and applications. For example, if the existing wireless LAN components do not support any form of secure encryption, all communication over the wireless LAN could be transmitted in encrypted form using a VPN that is independent of the wireless LAN. Similarly, the signalling and media transport of a VoIP connection could be bundled in a VPN tunnel and then encrypted.
VPN endpoint
The two basic types of VPN endpoints are VPN servers and VPN clients. The endpoint the connection is established to acts as the VPN server. The endpoint initiating the connection is referred to as the VPN client. VPN endpoints can be implemented in software or in hardware. In the case of field service employees, the VPN client generally consists of a software application running on a mobile IT system. Such a VPN client often makes deep changes to the installed operating system (for example to its network stack). The parallel installation of several different VPN clients on a single device should be avoided for this reason. The connections forming the network between the individual VPN endpoints must be based on the results of the requirements analysis (S 2.415 Performing a VPN requirements analysis). The use of a secure authentication procedure must be ensured on the VPN endpoints as described in safeguard S 4.321 Secure operation of a VPN so that only authorised persons will be able to dial in to the VPN. Depending on the area of application, consideration could also be given to using an authentication server, for example a RADIUS server.
Selection of the communication relationships between the locations
If combining several different locations to form a LAN is planned, it is important to know between which locations the VPN connections will be established. The following topologies or combinations thereof are suitable for use when networking several locations:
- Star network:
In a star network, a central location (for example at the corporate headquarters) is selected and a separate VPN connection is opened from every additional remote location. When transmitting information from one remote location to another, the information will always need to pass through the central location. The failure of the central location will then lead to the failure of the entire star network. Routing everything through the central location can also be a disadvantage resulting in longer transmission times, especially when two locations that are geographically close to each other need to communicate with each other.
- Ring network:
In a ring network, every location is connected to exactly two other locations. Information that is to be sent to a location that is not directly connected to the source location will be forwarded by the locations located between them until it arrives at the recipient. If only one location fails in the ring network, the information can be transmitted using the remaining locations. If more than two locations fail, the availability of the entire VPN system is threatened.
- Tree network:
The various VPN endpoints in the different locations are organised hierarchically. One central location is defined as the "root". One or more additional locations in turn are connected to the root using a VPN connection, and these locations are in turn connected to further locations. It is easy to add additional locations to a tree network. However, if the central system fails, the VPN segments connected to the system will not be able to communicate any more in the VPN network.
- Fully meshed network:
Every location is connected to every other location by a separate connection. If one line should fail, communication can be conducted using one of the other lines still available. Transmission times can be reduced due to the use of direct connections. However, these advantages come in conjunction with the high cost of implementing this topology.
A suitable network must be selected from these topologies or combinations thereof. To strike a compromise between reliability and cost, experience gained in practical applications has shown that it is best to use a topology with several central network access points and connect the individual locations to these central access points.
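The availability claims made for the four topologies above can be checked with a small graph model. The following is an added example, not part of the original safeguard text; the six locations (HQ plus five remote sites) and the tree hierarchy are constructed for illustration.

```python
from itertools import combinations

# Constructed example: six locations, a headquarters plus five remote sites.
LOCATIONS = ["HQ", "A", "B", "C", "D", "E"]

def star(locations, hub):
    """Every remote location has exactly one VPN connection, to the hub."""
    return {frozenset((hub, loc)) for loc in locations if loc != hub}

def ring(locations):
    """Every location is connected to exactly two neighbours."""
    n = len(locations)
    return {frozenset((locations[i], locations[(i + 1) % n])) for i in range(n)}

def tree(parent_of):
    """Hierarchy given as child -> parent; the root has no entry."""
    return {frozenset((child, parent)) for child, parent in parent_of.items()}

def full_mesh(locations):
    """Every location has a separate connection to every other location."""
    return {frozenset(pair) for pair in combinations(locations, 2)}

def still_connected(locations, links, failed):
    """True if all surviving locations can still reach each other over surviving links."""
    failed = set(failed)
    alive = [loc for loc in locations if loc not in failed]
    if len(alive) <= 1:
        return True  # nothing left to partition
    live_links = [lk for lk in links if not lk & failed]
    seen, stack = {alive[0]}, [alive[0]]
    while stack:  # plain depth-first search over the surviving links
        node = stack.pop()
        for lk in live_links:
            if node in lk:
                (other,) = lk - {node}
                if other not in seen:
                    seen.add(other)
                    stack.append(other)
    return seen == set(alive)

def min_failures_to_partition(locations, links):
    """Smallest number of failed locations that splits the survivors, or None if
    no combination of location failures can ever partition the remaining ones."""
    for k in range(1, len(locations)):
        for failed in combinations(locations, k):
            if not still_connected(locations, links, failed):
                return k
    return None

if __name__ == "__main__":
    tree_links = tree({"A": "HQ", "B": "HQ", "C": "A", "D": "A", "E": "B"})
    for name, links in [("star", star(LOCATIONS, "HQ")), ("ring", ring(LOCATIONS)),
                        ("tree", tree_links), ("full mesh", full_mesh(LOCATIONS))]:
        print(f"{name:9s} links={len(links):2d} partitioned by {min_failures_to_partition(LOCATIONS, links)} failure(s)")
```

The link counts (5, 6, 5 and 15) mirror the cost argument, and the model also shows the ring is already partitioned once two non-adjacent locations fail, so the "more than two" figure above should be read as the best case.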
Types of VPNs
VPNs can be used to combine remote physical networks to form a logical network or to connect individual devices used in insecure networks to the central LAN using a protected channel. Depending on which systems are used at the endpoints of the VPN connection, such VPNs are referred to as site-to-site, end-to-end, or end-to-site VPNs.
- Site-to-site VPN
In site-to-site VPNs, networks are linked together to enable the shared use and operation of applications. Access between different networks is needed in this case. The transport channel is secured using VPN gateways in the connected networks.
Connections between LANs are typically used to connect field offices or branches to the internal network of the organisation.
- End-to-end VPN
End-to-end VPNs are usually implemented for the use of individual applications. The connections can be restricted to specific systems and services.
Typical uses of end-to-end VPNs include the following:
- remote maintenance of dedicated systems in cases where access at the level of an administrator is needed.
- accesses to individual applications or databases. Authorisations at the administrator and/or system levels are seldom necessary.
- accesses using terminal servers. Many of the applications installed on a remote system can be used via remote access. Remote access authorisations at the administrator and system levels on the terminal server are normally unnecessary.
- integration of business partners or customers in subnetworks of the central data network of an organisation.
- End-to-site VPN (remote access VPN)
End-to-site VPNs are also referred to as remote access VPNs (RAS-VPNs). This type of VPN is used so clients can access several different applications located on different IT systems in the organisation's LAN. This means access to the entire network is needed, and the VPN software on the client system and a VPN gateway in the LAN usually secure the transport channel. Telecommuters and mobile users are generally integrated into the LAN using end-to-site VPNs.
Types of VPNs
The term VPN is often used as a synonym for encrypted connections. The different types of VPNs are often referred to by the VPN protocol used, for example TLS/SSL VPN or IPSec VPN. However, other methods can be used to secure the transport channel, such as special functions provided by the transport protocol used. There are also two basic types of VPNs: trusted VPNs and secure VPNs.
VPNs are referred to as trusted VPNs when the VPN connections between different locations are guaranteed by trusted external VPN service providers. In this case, the data is generally forwarded from the trusted network in unencrypted form to a gateway router of the provider using a dedicated communication channel. The VPN is formed by logically isolating the VPN data traffic from the rest of the data traffic (using multiprotocol label switching or MPLS, for example). For mobile users, service providers also provide VPNs using gateway routers only available through special dial-up nodes that are protected against unauthorised access.
If an external service provider is contracted to provide a trusted VPN, module S 1.11 Outsourcing should also be taken into account.
Trusted VPNs are not suitable for transmitting confidential data without additional encryption at the application layer, because the security of such connections lies completely in the hands of the VPN service provider. For example, a trusted VPN does not offer any protection against perpetrators working for the provider. It is therefore recommended to use a secure VPN for confidential data communications.
The dependency on third parties in terms of confidentiality can be avoided when communications are protected at the endpoints of the connection using encryption, in which case the VPN user is responsible for encryption. This solution is also referred to as a secure VPN.
A special form of trusted VPN is one in which a dedicated line of the carrier is used to implement the VPN. In this case as well, it is necessary to protect confidential data before transmission using encryption, and the VPN user is again responsible for the encryption. Encryption can be performed on the VPN endpoints at the transport level (secure VPN) or at the application level.
VPN devices
A basic decision must be made as to whether the VPN product selected should be a dedicated VPN device, a combination device, or a software-based VPN solution running on standard IT systems (e.g. Linux with IPSec):
- Dedicated VPN gateways (appliances):
These VPN products only serve to implement VPN connections and do not offer any further functionality such as content filtering at the application level, for example. VPN appliances have the advantage that they are optimised for VPN use and are easy to configure securely, because the operating system has already been hardened, for example.
- Combination devices:
Routers and other components of security gateways (e.g. application level gateways or ALGs) are examples of integrated VPN devices that have VPN functionality already available or that can be expanded accordingly. In addition to the financial advantages of combination devices, they also often have the advantage that it is possible to administrate the various functions from a single location.
The combination of different functionality into a single device may come at the cost of performance. When a VPN is used extensively, this means it is necessary to check if separate VPN components should be preferred for reasons of availability or throughput. Some combination devices offer the ability to install special hardware encryption modules after purchase to increase the performance.
- VPNs based on standard IT systems:
VPN devices may also be assembled by the organisation itself using free or commercial software components. It is often possible to install these components on commercially available hardware running standard operating systems. Self-assembled VPN devices offer a high level of flexibility and are well suited for numerous applications.
The installation and integration of the required components is prone to error, though. This may lead to security risks when using a self-assembled VPN device. Another disadvantage is that it is usually necessary to contact several different contacts, one for each component of the VPN device (e.g. for the hardware, operating system, and VPN software), in the event of support requests.
The advantages and disadvantages of the various designs are summarised and compared in the following table. An (x) indicates the design has the corresponding property, and a (-) indicates that it does not.
Property | Dedicated VPN gateways | Combination devices | VPNs based on standard IT systems |
---|---|---|---|
(Self) protection of the VPN component | - | x | - |
High performance | x | - | x |
Low cost of acquisition | - | - | x |
Little time and effort until initial operation | x | x | - |
Simple administration | x | x | - |
Easy to expand | - | - | x |
Distribution of know-how | x | x | - |
Support from one source | x | x | - |
Table 1: Comparison of the various VPN designs
The entries in the table are derived from practical experience, and it will be necessary to verify if the product actually possesses the corresponding properties on a case-by-case basis.