Building and Testing Your Own VPN
Introduction
Our previous articles on Virtual Private Networks has provided a comprehensive review of what a Virtual Private Network is all about. We have examined the following topics:
- An introduction to the concept of what a Virtual Private Network is all about, as well as the concept of IP Tunneling. This is where the Data Packet which is transit from the sending party to the receiving party is encapsulated into another Data Packet and is further fortified by an extra layer of encryption. Also, a second line of communications is established which remains invisible to the Public Internet. This is where these encapsulated Data Packets travel upon.
- How to conduct a specific Cost-Benefit Analysis if your corporation or business is considering to implement Virtual Private Network Infrastructure. Remember, implementing one can be a costly proposition, and it can be financially prohibitive for a Small to Medium sized (SMB) to implement one. If this analysis proves to be that implementing a VPN will result in a negative cash flow and negative ROI, then other Security based alternatives need to be looked at.
- The Security Policy and Network Requirements which need to be taken into consideration if you are indeed going to implement a Virtua Private Network Infrastructure. It is important to keep in mind that a VPN is not just a technical component, it too as a social component, but to a much lesser degree (such as when compared to using Biometric Technology). Probably the best example of the latter is that of the end user. When using a VPN, it is no longer simply entering a username and password. Another Security related mechanism needs to be used, such as a FOB. The employee will need to be trained on how to use this new tool properly, and the importance of the following the Security Policies which have been established for it. The employee also needs to be educated upon the ramifications of the penalties if these specific Security Policies are not followed. Since a Virtual Private Network Infrastructure is mostly networked based, it is also very important to ascertain and analyze the specific impacts that it will have upon the existing Network Infrastructure of the business or the corporation.
- The technical impacts that the implementation of a Virtual Private Infrastructure will have upon the overall the Information Technology environment. It is important to remember as well that deploying a VPN will also have a strong impact to other pieces of hardware and software applications which are in existence at the corporation or the business. The three areas in which this impact will be "felt" the most include the following:
In fact, our last two articles examined these impacts in much more detail and the factors which need to be taken into consideration to ascertain the effects fully. In reality, it will be the Database Server and the Firewalls/Routers which will be affected the most.
After all, the former contains all of the mission critical information and data, and the latter is primarily used as the front lines of defense (it was strongly recommended in our last article that a Firewall and/or the Router should be placed before the Virtual Private Network Server – this will help to ensure the strongest layers of Security possible).
As it was mentioned earlier, the implementation of a Virtual Private Network Infrastructure can be quite cost prohibitive for an organization, especially if it is smaller in size. The IT budgets may so constrained that the deployment of a VPN will simply not work, even if it is forecasted that there is a positive Return On Investment (ROI).
In fact, quite truthfully, the Security requirements and needs of a much smaller business will probably be much smaller, so therefore, a sophisticated Virtual Private Network Infrastructure will not be needed. A much rudimentary can be used, and in fact, can be built. This is one of the focal points of this article, and will cover the following topics:
- Building your own Virtual Private Network Infrastructure
- The Formal Implementation of an Independently Built Virtual Private Network Infrastructure.
Building Your Own Virtual Private Network Infrastructure
If the corporation or business is daring enough, it can even establish the plans to not only implement its own Virtual Private Network Infrastructure but also even build it from scratch. However, this is a task which can be quite daunting, and unless the IT staff of the organization knows absolutely what they are doing, this approach is not recommended.
However, should a corporation or business decide to go down this route, there are a number of key considerations which need to be very carefully examined.
Although it is out of the realm of this specific article to go over in detail each of these variables (once again, each organization will have its own set of Security requirements – and this will have an impact on these variables), the general aspects are considered.
First, it is important to remember once again the three levels of IT systems which are impacted by the deployment of a Virtual Private Network Infrastructure. These are the following:
- The Web Servers
- The Application Servers
- The Database Servers.
Based on this "trinity," the following variables need to be addressed age when it comes to constructing your own VPN:
- If the Information Technology Infrastructure as a whole will be greatly enhanced.
- If the server scalability will be much easier to implement.
- If the centralization concepts allows for the IT staff to control and secure the various software applications and the respective servers.
- If the overall Information Technology model at the business or corporation allows for IT staff to be flexible in a dynamically changing environment and continue to respond quickly to cases.
- If any of the mainframe services can be reused over a certain time period
- If the newly built Virtual Private Network Infrastructure makes has the capability to adopt and make use of an Open Source Software Model, which will allow it react to Cyber-based threats in a much more proactive fashion than using a Closed Source Software Model.
Now that you have built your own Virtual Private Network Infrastructure (taking into account the variables mentioned above), the next step is in actually implementing it on your own.
The Formal Implementation of an Independently Built Virtual Private Network Infrastructure
Now that you have built your Virtual Private Network Infrastructure, the next step is the proper implementation of it at the business or the corporation. One of our previous articles provided an overview into this, in this article, we expand more into it and provide much more technical detail.
It is important to deploy a VPN into four distinct stages, which are as follows:
- The development of the Virtual Private Network Infrastructure Plan
- The preparation for the actual installation
- The performance of the installation activities
- The actual Virtual Private Network Infrastructure verification.
Regarding the development of the Security Plan, it needs to be carefully crafted and designed so that all of the policies, procedures and the rules govern the safe usage of the following Information Technology components:
- The host computers and the servers
- The computer workstations
- The various network gateways, routers, firewalls, and network bridges
- The terminal servers and the remote access servers
- The network operating software
- The operating system software of all of the servers
- Any type of server application software which may be in use
- All and any types of mission critical data found at the business or corporation.
However, keep in mind that actually building the Security Plan must include those end users whom will be most affected by the implementation of the Virtual Private Network Infrastructure.
The IT staff of the business or the corporation needs to carefully formulate the types and kinds of services that the employees will need from the system. Also, the establishment of the permission rules for the various user groups needs to be further established as well.
Equally important to the protection of the Virtual Private Network Infrastructure is that of safeguarding of both the Public Keys and the Private Keys which are used. As part of the developing the respective Security Plan, information and data on the following types of hardware which exists in the Information Technology needs to be collected:
- The external Proxy Servers
- All of the Internet Routers
- All of the Firewalls/Routers
- All of the Virtual Servers.
In addition, the IT staff will have to set up Access Control Policies for the following:
- All of the VPN based Domain Name Service hostnames and their corresponding IP Resolution Tables
- All of the E-Mail Network Protocols used
- The Web Servers in use (such as Internet Information Services for the Microsoft environments and Apache for the Linux environments)
- Any Telnet and File Transfer Protocol (FTP) networks and connections
- Any other type or kind of Socket Protocols and other forms of customized Network Protocols.
Once all of the above steps have been accomplished, then the user groups need to be further defined and ultimately created. This step simply involves the building and the establishing of end user tables as well as the defining of the Access Roles and Rights of each group, and the end users which exist in them.
A key benefit of establishing these groups is that you can create a single entity that will encompass all of the needs of each end user, rather than having to create rights and permissions for each individual employee at the business or the corporation.
The next phase of the implementation cycle is to define the Virtual Private Network Infrastructure system tunnels, which include the following:
- The Remote User Access to the VPN Gateway
- The Gateway to Gateway exchanges and connections
- The Gateway to Remote Partner exchanges and connections.
The last step now is to get the Virtual Private Network Infrastructure set up for the last step in the implementation cycle. This involves a full assessment of all of these resources which exist from within the Information Technology environment:
- The Operating System readiness
- All of the configured hardware
- The Physical Access Control checks to the VPN system
- All of the network hardware and software
- All of the networking Routing Tables
- All of the Host Names (all of these should match all of the Domain Name Server entry names)
- All of the TCP/IP Addresses that are related to the Virtual Private Network Infrastructure.
Conclusions
In summary, this article has examined the general considerations which need to be taken into account for constructing your own Virtual Private Network Infrastructure. This practice is typically not recommended unless the IT Staff knows 100% what they are doing. If not, the VPN environment could be at grave risk for a Cyber based threat or risk, thus defeating the purpose of it all together.
Although one of our previous articles provided a general overview of what it takes to implement a Virtual Private Network Infrastructure, this article gave more into technical detail into it, by providing a four-step plan.
Our next article continues with the theme of the Virtual Private Network Infrastructure, focusing in on the testing of it.
Resources
http://www.cis.syr.edu/~wedu/seed/Labs/VPN/VPN.pdf
https://www.potaroo.net/papers/1998-3-vpn/vpn.pdf
http://www.juniper.net/us/en/local/pdf/whitepapers/2000559-en.pdf
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.115.5263&rep=rep1&type=pdf
http://www.diva-portal.org/smash/get/diva2:487709/FULLTEXT01.pdf
http://www.cs.technion.ac.il/~rcohen/PAPERS/VPN.pdf
http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf