We have 2 PCs behind routers in geographically separated
networks. What is the best practice to connect those two
PCs together as if they were connected locally in a LAN?
Is VPN the answer, and how do I set up a VPN network connection?
Do I need a VPN server or something?

Thank you for such a wonderful site.

When is VPN a Good Idea?

A VPN connection is only necessary if the two hosts are communicating across an unsecured, public network and the information they are sharing should be protected. If you have no need to protect the information flow, or the network(s) in between them are under your control, there is probably no need for a VPN.

If you do need some sort of VPN connectivity, there are several means to achieve it and no single ‘best practice’. If you are connecting just the two PCs, you can install software on each of them to create the VPN. A simple pre-shared-key tunnel, such as an SSL/TLS tunnel, should be sufficient, provided you have a secure means of installing the encryption keys and software (OpenSSL) on both machines.

If you are looking to share the VPN connection with all the PCs connected to the routers on both sides, you can configure the routers themselves to form the VPN connection, provided their firmware (e.g. Cisco IOS) supports it. In that case, the VPN options in the router will dictate your choices.

Tunnel Architecture Considerations

Whether you use the routers as your VPN gateways or create a direct end-to-end VPN connection will depend on your security needs. Here are some general things to consider before you create your VPN connection(s).

  • An end-to-end connection protects the entire communication path.
  • Using the routers as gateways only protects the router-to-router traffic.
  • Creating separate VPN connections between the PCs and the routers, plus a second connection from router to router, is less effective from a security standpoint than an end-to-end tunnel: the encryption keys for each connection are stored on the routers, and packets are decrypted on receipt from a PC and re-encrypted on transmission to the far-end router, so the data is briefly unencrypted at each ‘hop’ in the VPN.
  • A router-to-router tunnel is simpler to use and scales better, as other computers can share the VPN connection.

VPN Server

You probably do not need a special VPN server unless you are connecting multiple external users or PCs to a local network or resource across unsecured networks. VPN concentrators are used for this purpose, and most firewall appliances and firewall software support this function.

VPN Protocols

This is going to be a very brief summary of the available options. There are several protocols available for use in creating VPN connections:

  • Point to Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • IP Security (IPSec)
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)

Point to Point Tunneling Protocol

  • Jointly developed by Microsoft and Cisco.
  • Works over PPP dial-up connections.
  • Supported on nearly all Windows systems (all the way down to NT and Windows 95).
  • No encryption provided unless used with MPPE.
  • Make sure you are using the latest version; several MAJOR security flaws existed in the original version of this protocol.

Layer 2 Tunneling Protocol

  • Another protocol jointly developed by Microsoft and Cisco.
  • Well supported on most routers, firewalls and Microsoft hosts.
  • Can be used on networks that are not based on the Internet Protocol (ATM, Frame Relay, etc.).
  • Requires digital certificates and can use IPSec encryption.

IPSec

  • A set of open standards.
  • The most commonly chosen solution.
  • Broadest support from vendors.
  • Growing support for this protocol.
  • Two flavors:
    • Authentication Header
    • Encapsulating Security Payload
  • Uses Internet Key Exchange (IKE).

Secure Sockets Layer/Transport Layer Security

  • Simplest solution.
  • Uses the same encryption as any web browser.
  • Supported by installing OpenVPN or other clients.
  • Creates an end-to-end encrypted tunnel between two PCs.
  • Doesn’t scale well.
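As an added example that is not part of the original answer, here is the two-PC pre-shared-key setup described above and in the SSL/TLS bullets, written as an OpenVPN static-key point-to-point tunnel. It assumes OpenVPN 2.5 or later on both PCs, a placeholder public address of 203.0.113.10 for PC-A's router with UDP port 1194 forwarded to PC-A, and that the generated static.key is copied to PC-B over a trusted channel.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): OpenVPN point-to-point tunnel
# between two PCs sharing one pre-shared static key. Assumes OpenVPN 2.5+,
# PC-A's router forwarding UDP/1194 to PC-A (placeholder public address
# 203.0.113.10), and static.key copied to PC-B over a trusted channel.
set -eu
# Write both ends' configs into DIR; PC-B dials, so only PC-A's router needs
# a port forward. Mirrored tunnel addresses, identical key file on both ends.
write_p2p_configs() {
  local dir="$1" pc_a_public="$2"
  mkdir -p "$dir"
  # Shared settings: UDP, a CBC cipher (static-key mode cannot use AEAD
  # ciphers such as AES-GCM), HMAC on every packet, keepalives so the NAT
  # mappings on both routers do not expire while the link is idle.
  local common='dev tun
proto udp
port 1194
secret static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun'
  # PC-A: tunnel address 10.8.0.1, peer 10.8.0.2; no "remote", it listens.
  printf '%s\nifconfig 10.8.0.1 10.8.0.2\n' "$common" > "$dir/pc-a.conf"
  # PC-B: same key, mirrored tunnel addresses, connects to PC-A's router.
  printf 'remote %s\n%s\nifconfig 10.8.0.2 10.8.0.1\n' \
    "$pc_a_public" "$common" > "$dir/pc-b.conf"
}
# Generate the shared key on ONE PC only (skipped if openvpn is not installed).
gen_static_key() {
  command -v openvpn >/dev/null 2>&1 || return 0
  openvpn --genkey secret "$1/static.key"
  chmod 600 "$1/static.key"
}
# Sanity check before copying files: same key file, mirrored tunnel
# addresses, and only the dialing side (PC-B) carries a "remote" line.
check_p2p_configs() {
  grep -q '^secret static.key$' "$1/pc-a.conf" &&
  grep -q '^secret static.key$' "$1/pc-b.conf" &&
  grep -q '^ifconfig 10.8.0.1 10.8.0.2$' "$1/pc-a.conf" &&
  grep -q '^ifconfig 10.8.0.2 10.8.0.1$' "$1/pc-b.conf" &&
  grep -q '^remote ' "$1/pc-b.conf" && ! grep -q '^remote ' "$1/pc-a.conf"
}
out="${OUT_DIR:-./p2p-vpn}"   # run on PC-A, then copy pc-b.conf + key to PC-B
write_p2p_configs "$out" "${PC_A_PUBLIC:-203.0.113.10}"
gen_static_key "$out"
check_p2p_configs "$out"
```

Start each end with `openvpn --config pc-a.conf` or `openvpn --config pc-b.conf`; because PC-B initiates the connection, only PC-A's router needs the port forward, and the tunnel is end-to-end between the two PCs rather than terminating on the routers.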

Which VPN Solution?

Which VPN solution is the best match will depend on your hardware, software, security policies and architecture, but SSL/TLS for something simple and IPSec for anything else would be my first two recommendations.
