General security

The Security Policy and Network Requirements of a Virtual Private Network

March 9, 2017, by Ravi Das

Overview of the Last Article

In the past couple of articles, we have begun to examine what is known as a "Virtual Private Network," or "VPN" for short. The concept of a Virtual Private Network has been around for quite a long time. In fact, its origins can be traced back to the 1960s, when the first version of the Internet, the "ARPANET," came out.

At that point in time, both scientists and engineers realized the power that could be harnessed from their newly created Internet Protocol. Obviously, the power and the speeds that we witness today when we connect wirelessly from our smartphones are much greater than when the ARPANET came out.


Back then, using it for simple file transfers was the main line of interest, and interest in using it for E-Mail messages spiked when the first Internet Domains could be registered.

Of course, back then, Security-related issues were not much of a concern. However, as time went on over the next few decades, people started to realize the cracks which existed in the earlier forms of the Internet, and this became widely apparent in the late 1990s, at the time of the dot-com boom.

However, in its heyday, nobody did anything to cure the Security issues of the Internet; everybody was interested only in launching new products online and getting Venture Capital funding. Had those issues been addressed at that time, some have argued, the Cyber-based threats and risks that we are witnessing today would not be occurring at such a fast pace.

The Cyber attacker did not see the full potential of launching attacks until 9/11 occurred; that is when everybody's mind, here in the United States and worldwide, started to focus on Security. However, the focus was placed much more on Physical Access Entry applications than on Logical Access Entry or Cyber-based applications.

Thus, the hacker took advantage of this trend and used it to start launching attacks and exploiting the weaknesses of the Internet to the maximum level possible. For example, this is when adware, malware, and spyware attacks began.

Of course, the sophistication of these attacks has since grown to the point that a Trojan Horse can infiltrate hundreds of mobile devices so covertly that confidential and private information can be hijacked without the individual knowing it has even occurred until literally days later, when it is too late and the damage has been done.

To alleviate these extremely sophisticated Cyber-attacks, businesses and corporations have now started to understand, and even to implement, the potential that a Virtual Private Network has to offer in securing the lines of communication between the sending and the receiving parties.

Essentially, with a Virtual Private Network, there are two layers of Security which are offered:

  1. The main Data Packet, which contains the information and the data, is wrapped up, or "enveloped," into another Data Packet, which makes the original Data Packet invisible to the outside world.
  2. With a VPN Infrastructure, two lines of communication are established. The first one can be seen on the Public Internet, but the second one cannot be seen; it too is invisible to the outside world. It is on this second line that the enveloped Data Packets traverse between the sending and the receiving parties.
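The two layers above correspond to what IPsec calls ESP tunnel mode: the whole inner IP packet becomes the encrypted payload of a new outer packet addressed between the two VPN gateways. The following is an added example written for this article, not code from the original or from any VPN product. It encapsulates a constructed inner packet, shows what an on-path observer can read from the result (only the gateway addresses and the ESP protocol number), verifies integrity before decrypting, and reports the per-packet overhead that the later bandwidth requirement must absorb. `ESP_PROTO` and `IPIP_NEXT_HEADER` are the real IANA values; the cipher is a labelled toy stand-in for AES, and every address, key and payload is constructed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Added example (not from the article): a simplified ESP tunnel-mode encapsulation.
# The protocol constants are real; the cipher, keys and addresses are constructed.
ESP_PROTO = 50          # IP protocol number carried in the outer header for ESP (RFC 4303)
IPIP_NEXT_HEADER = 4    # ESP "next header" value meaning the payload is an IPv4 packet
ICV_LEN = 16            # truncated integrity check value, as in HMAC-SHA-256-128

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    """Return the fields an on-path observer can read from a packet's IP header."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "len": total_len}

def toy_keystream(key, iv, n):
    """Counter-mode keystream from HMAC-SHA256. A stand-in so the example runs on the
    standard library alone; a real tunnel uses an IPsec cipher such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_tunnel_encapsulate(inner_pkt, gw_src, gw_dst, enc_key, auth_key, spi, seq, iv=None):
    """Envelope a whole inner IP packet in ESP plus a new outer IP header between gateways."""
    iv = iv if iv is not None else os.urandom(16)
    # ESP trailer: pad so payload + padding + 2 trailer bytes is a multiple of 4,
    # then append the pad length and the next-header value (4 = IPv4 inside).
    pad_len = (-(len(inner_pkt) + 2)) % 4
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HEADER])
    ciphertext = xor(plaintext, toy_keystream(enc_key, iv, len(plaintext)))
    esp = struct.pack("!II", spi, seq) + iv + ciphertext                  # SPI, seq, IV, data
    esp += hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]   # encrypt-then-MAC
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def esp_tunnel_decapsulate(outer_pkt, enc_key, auth_key):
    """Verify, decrypt and unwrap; raise ValueError (drop the packet) on any failure."""
    if parse_ipv4_header(outer_pkt)["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = outer_pkt[20:-ICV_LEN], outer_pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # integrity check comes before decryption
        raise ValueError("ESP integrity check failed")
    iv, ciphertext = esp[8:24], esp[24:]
    plaintext = xor(ciphertext, toy_keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPIP_NEXT_HEADER:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - 2 - pad_len]

def tunnel_overhead(inner_pkt, outer_pkt):
    """Bytes added per packet by tunnelling: what the bandwidth budget must absorb."""
    return len(outer_pkt) - len(inner_pkt)

def demo(iv=bytes(16)):
    """Constructed sample: host 10.1.1.5 at one site talks to 10.2.2.9 at the other site;
    the gateways 192.0.2.1 and 198.51.100.1 are documentation addresses (RFC 5737)."""
    enc_key, auth_key = b"E" * 32, b"A" * 32     # constructed keys, not real key material
    payload = b"GET / HTTP/1.1\r\n"
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(payload)) + payload
    outer = esp_tunnel_encapsulate(inner, "192.0.2.1", "198.51.100.1",
                                   enc_key, auth_key, spi=0x1000, seq=1, iv=iv)
    tampered = outer[:30] + bytes([outer[30] ^ 0x01]) + outer[31:]   # flip one bit in transit
    try:
        esp_tunnel_decapsulate(tampered, enc_key, auth_key)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"observer_sees": parse_ipv4_header(outer),
            "inner_recovered": esp_tunnel_decapsulate(outer, enc_key, auth_key) == inner,
            "overhead": tunnel_overhead(inner, outer),
            "tampered_rejected": tampered_rejected}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that the observer's view contains only the two gateway addresses and protocol 50, that the receiving gateway recovers the inner packet byte for byte, that a single flipped bit is rejected before anything is decrypted, and that a 36-byte inner packet grows to 100 bytes on the wire; that fixed overhead is largest in relative terms for small packets, which is why VPN bandwidth planning is done on packet rates rather than raw byte counts.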

In this article, we continue with the theme of Virtual Private Networks, focusing on the following topics:

  1. The Components of a Virtual Private Network Security Policy
  2. The Network Requirements of a Virtual Private Network.

The Components of a Virtual Private Network Security Policy

In implementing a Virtual Private Network Infrastructure, formulating and implementing a sound, "airtight" Security Policy is a must. Even though a VPN offers great levels of security, it is now a focus of attack for the Cyber attacker of today, and given the level of sophistication in their arsenal, they will find a way to penetrate it. Thus, having a solid Security Plan for your Virtual Private Network Infrastructure is a must these days.

This type of Security Policy should address the following topics:

  • Access Rights:
    • Which employees should have access to which kinds and types of network-based resources?
    • When, where, and how often is access allowed through the Virtual Private Network?
  • Access Control Rights, which should include the following:
    • The IP Address Source
    • The Data Packet content, as well as its destination point within the Virtual Private Network Infrastructure
  • The Virtual Private Network Management responsibilities, which include the following:
    • Who will oversee and administer the Virtual Private Network?
    • Who will enforce the Security of the Virtual Private Network?
    • Who will authorize the issuance and the distribution of the Digital Certificates?
    • Who will perform the Certificate Registration activities?
  • The types and the level of Encryption which are required:
    • The specific decisions which need to be made as to which IPsec Network Protocol settings and options are required
    • The management and the distribution of the Public Key and Private Key pairs
    • The validity period and expiration of each Digital Certificate.
  • The Virtual Private Network Endpoints: this simply involves where the IP Tunneling (as reviewed in the last article) will be routed:
    • Gateway to Gateway
    • Gateway to Desktop
    • Desktop to Desktop.
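The Access Rights and Access Control Rights items above (who, from which source address, to which destination, when, and how often) are exactly the inputs a VPN gateway's policy engine evaluates per connection. The following is an added example, not code from the article or from any VPN product, showing such an evaluator with a deny-by-default rule set. The rule names, user groups, networks (RFC 5737 documentation ranges standing in for a branch office, and private ranges for internal segments), ports and time windows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Added example (not from the article): a deny-by-default evaluator for the access-rights
# and access-control items of a VPN Security Policy. All rules and requests are constructed.

@dataclass(frozen=True)
class AccessRule:
    name: str
    groups: frozenset          # which employees (by group) the rule applies to
    source_nets: tuple         # where the client may connect from (ipaddress networks)
    dest_nets: tuple           # which internal destinations are reachable
    dest_ports: frozenset      # which services on those destinations
    window: tuple              # (start, end) time of day during which access is allowed
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday
    max_sessions_per_day: int  # how often access may be used

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    source_ip: str
    dest_ip: str
    dest_port: int
    when: datetime
    sessions_today: int        # sessions this user has already opened today

def evaluate(rules, req):
    """Return (allowed, reason). The first rule whose every condition matches decides;
    a request matching no rule is denied (default deny)."""
    src = ipaddress.ip_address(req.source_ip)
    dst = ipaddress.ip_address(req.dest_ip)
    for rule in rules:
        if not (rule.groups & req.groups):
            continue
        if not any(src in net for net in rule.source_nets):
            continue
        if not any(dst in net for net in rule.dest_nets):
            continue
        if req.dest_port not in rule.dest_ports:
            continue
        if req.when.weekday() not in rule.weekdays:
            continue
        start, end = rule.window
        if not (start <= req.when.time() <= end):
            continue
        if req.sessions_today >= rule.max_sessions_per_day:
            return False, f"{rule.name}: daily session quota exhausted"
        return True, f"allowed by {rule.name}"
    return False, "no matching rule (default deny)"

# Constructed sample policy: 203.0.113.0/24 and 198.51.100.0/24 stand in for the branch
# office and a contractor site; 10.20.0.0/16 is the database segment.
POLICY = (
    AccessRule(name="finance-to-db", groups=frozenset({"finance"}),
               source_nets=(ipaddress.ip_network("203.0.113.0/24"),),
               dest_nets=(ipaddress.ip_network("10.20.0.0/16"),),
               dest_ports=frozenset({1433}),
               window=(time(7, 0), time(19, 0)), weekdays=frozenset({0, 1, 2, 3, 4}),
               max_sessions_per_day=3),
    AccessRule(name="admins-anytime", groups=frozenset({"it-admins"}),
               source_nets=(ipaddress.ip_network("203.0.113.0/24"),
                            ipaddress.ip_network("198.51.100.0/24")),
               dest_nets=(ipaddress.ip_network("10.0.0.0/8"),),
               dest_ports=frozenset({22, 3389}),
               window=(time(0, 0), time(23, 59, 59)), weekdays=frozenset(range(7)),
               max_sessions_per_day=50),
)

def make_request(user, group, source_ip, dest_ip, dest_port, when, sessions_today=0):
    """Build a request; `when` is a (year, month, day, hour, minute) tuple."""
    return AccessRequest(user, frozenset({group}), source_ip, dest_ip, dest_port,
                         datetime(*when), sessions_today)

if __name__ == "__main__":
    # A constructed finance analyst, Tuesday 14 March 2017, tried at several times and places.
    for req in (make_request("a.smith", "finance", "203.0.113.40", "10.20.5.7", 1433, (2017, 3, 14, 9, 0)),
                make_request("a.smith", "finance", "203.0.113.40", "10.20.5.7", 1433, (2017, 3, 14, 22, 0)),
                make_request("a.smith", "finance", "198.51.100.9", "10.20.5.7", 1433, (2017, 3, 14, 9, 0)),
                make_request("a.smith", "finance", "203.0.113.40", "10.20.5.7", 1433, (2017, 3, 14, 9, 0), 3)):
        print(req.source_ip, req.when, req.sessions_today, evaluate(POLICY, req))
```

The evaluator checks every condition of a rule before granting anything, so a request that is right on group and destination but wrong on source network or time of day falls through to the default deny; the "how often" item is enforced by a per-day session counter that the gateway must maintain across connections rather than inside a single request.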

It is also important to note that the existing Information Technology Infrastructure of a business or a corporation needs to be compatible with the technologies which are associated with a Virtual Private Network. In this regard, the following variables need to be taken into consideration as well:

  1. The Database access and maintenance programs
  2. Mainframe access through the use of Terminal Emulators
  3. Any type or kind of software development tools which are used, and their respective databases
  4. The Web content generators which are used for Intranet development
  5. Any type or kind of document sharing program
  6. All remote server administration hardware and software
  7. All backup as well as remote backup tools which are utilized.

The Network Requirements of a Virtual Private Network

Determining the network-based requirements for a Virtual Private Network Infrastructure is obviously of prime importance when it comes time to deploy it and integrate it with the existing IT infrastructure of the business or the corporation.

The specific networking requirements will, of course, vary from organization to organization, but in general, the following variables do need to be taken into consideration:

  1. The design and the topology of the network layout and structure of the business or the corporation
  2. The various access points into the overall IT infrastructure and the Corporate Intranet
  3. Any type or kind of Dynamic Protocol support
  4. The Internal Protocol Service Requirements
  5. Any and all existing Routers, Firewalls, and Proxy Servers that exist both inside and outside of the place of business or corporation
  6. All types of existing Authentication Rules that exist in the place of business or corporation
  7. Any and all business applications that will cross into the use of the Virtual Private Network Infrastructure
  8. All of the Bandwidth Requirements which have been set forth by the business or the corporation
  9. Any type or kind of Cryptographic Processing Requirements
  10. The support needs of the IT staff
  11. The full scalability of critical IT devices, which include the following:
    • The Authentication Servers
    • The Database Servers
    • The Web Servers
    • Any and all mapped Network Drives and Directories
    • The Corporate E-Mail Servers and Gateways
    • The Corporate and the end users' File Transfer Protocol (FTP) Servers
    • The Remote Network/Server Administration.
  12. Finally, the performance and the effectiveness of a Virtual Private Network should be gauged against the following set of criteria:
    • The Cryptographic Hardware Accelerator Support
    • The clustering of the Central Server(s) for scalability
    • All types and kinds of Quality Assurance (QA) Service levels for all of the Corporate Servers, Extranets, and Intranets
    • The importance of backup and redundant devices to ensure full and complete nonstop processing of the information and the data for the place of business or organization
    • Any expected growth in the Network Bandwidth requirements.

Conclusions

In summary, this article has examined in some detail what the Security Policy for a Virtual Private Network Infrastructure should look like. A common error in thinking is that a Security Policy is only a general document which encompasses the overall requirements of the business or the corporation. However, this is not true at all.

A Security Policy can also be created and implemented for a specific application, such as the VPN. Given how important a Virtual Private Network Infrastructure is in today's world, a Security Policy for it is almost mandatory.

Also, a VPN is no longer a standalone infrastructure. It will be integrated with other systems and subsystems into the overall IT Infrastructure of the organization itself. The VPN will be the primary channel through which communications are sent from the sending party to the receiving party.

It will also be the primary mechanism by which employees log into the network-based shared drives so that they can access the resources they need to perform their daily job tasks. Finally, the VPN will provide the most secure means by which remote employees can log in as well.

Once a Virtual Private Network Infrastructure is fully deployed and operational, its impacts, whether positive or negative, will be felt by the other individual components of the IT Infrastructure.

Our next two articles will examine these impacts from the standpoints of the Web Server, the Application Server, the Database Server, and the Firewalls and Routers.



Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi's primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company's website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.