Organizations of every size need secure network connectivity for their applications and business operations, driven by the need to reach customers, partners and employees anywhere, at any time. Networks have accordingly expanded from local area networks (LANs) to virtual private networks, dial-up remote access and wireless networks. Greater access and productivity must be weighed against network security, cost and the complexity of management. This paper addresses the design of a secure virtual private network.
Technology has changed the world, and many businesses and organizations have shifted from local and regional concerns to global markets and logistics. Every company with geographically spread facilities needs fast, reliable and secure communications between its offices. Traditionally this was achieved with leased lines forming a wide area network (WAN). Leased lines range from Integrated Services Digital Network (ISDN) at 128 Kbps to Optical Carrier 3 (OC3) fiber at 155 Mbps (Booth, 2004). They extend a company's private network beyond its immediate geographic area, and a leased-line WAN is more reliable and offers better performance and security than a public network such as the Internet. Its one disadvantage is cost: leased lines are expensive to maintain, and the cost rises with the distance between offices.
As the Internet grew in popularity, businesses began using it to extend their own networks, first through intranets, password-protected sites used only by company employees. Today most companies build virtual private networks (VPNs) to serve both distant offices and remote employees. In general, a VPN is a private network that uses a public network, usually the Internet, to connect remote users and sites. It uses virtual connections routed through the Internet from the company's private network to its employees and remote sites, rather than a dedicated physical connection such as a leased line.
VPN technology is built on tunneling: the establishment and maintenance of a logical network connection. Over this connection, packets are constructed in the format of a particular VPN protocol, encapsulated within a carrier protocol, passed between the VPN client and server, and finally de-encapsulated by the recipient. To secure a VPN, the administrator must know its extent and determine what data is to be carried over it. A secure VPN must be both encrypted and authenticated. Some of the protocols used to build secure VPNs also allow the creation of VPNs that are authenticated but not encrypted; the IPsec Authentication Header (AH), for example, authenticates each packet but leaves its payload in the clear.
Such a network is more secure than an unprotected one, but it is not considered a secure VPN, since it lacks privacy. A secure VPN has one or more tunnels, each with two endpoints, and the administrators of those endpoints must agree on the security properties of the tunnel. Those properties must be set so that no one outside the VPN can affect them: it should be hard for an attacker to alter the VPN in any way, for instance by weakening the encryption or tampering with the encryption keys.
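The two paragraphs above can be made concrete with a small tunnel in Go. This is an added example, not code from the original paper or from any VPN product: the 12-byte carrier header (tunnel ID plus sequence number), the Endpoint type and the demo key and inner packet are all assumptions made here. It shows the encapsulation and de-encapsulation steps, uses AES-GCM so that each frame is both encrypted and authenticated (with the carrier header bound in as associated data), rejects replayed frames, and contrasts this with an HMAC-only frame that is authenticated but leaves the inner packet readable on the public network, which is why such a tunnel lacks privacy.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Carrier header assumed for this example (not any real VPN protocol):
// a 4-byte tunnel ID followed by an 8-byte sequence number.
const headerLen = 12

// Endpoint is one end of a tunnel. Both ends hold the same key and tunnel ID;
// each keeps its own send counter and the highest sequence number accepted.
type Endpoint struct {
	id       uint32
	key      []byte
	aead     cipher.AEAD
	sendSeq  uint64
	lastSeen uint64
}

func NewEndpoint(id uint32, key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Endpoint{id: id, key: key, aead: aead}, err
}

func (e *Endpoint) header() []byte {
	e.sendSeq++
	hdr := make([]byte, headerLen)
	binary.BigEndian.PutUint32(hdr[0:4], e.id)
	binary.BigEndian.PutUint64(hdr[4:12], e.sendSeq)
	return hdr
}

// Encapsulate builds a secure frame: header || nonce || AES-GCM(inner packet).
// The header is associated data, so editing it in transit fails verification.
func (e *Endpoint) Encapsulate(inner []byte) ([]byte, error) {
	hdr := e.header()
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	frame := append(hdr, nonce...)
	return e.aead.Seal(frame, nonce, inner, hdr), nil
}

// Decapsulate checks the tunnel ID, rejects replays, then verifies and decrypts.
func (e *Endpoint) Decapsulate(frame []byte) ([]byte, error) {
	ns := e.aead.NonceSize()
	if len(frame) < headerLen+ns+e.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:headerLen]
	if binary.BigEndian.Uint32(hdr[0:4]) != e.id {
		return nil, errors.New("frame belongs to another tunnel")
	}
	seq := binary.BigEndian.Uint64(hdr[4:12])
	if seq <= e.lastSeen {
		return nil, errors.New("replayed frame")
	}
	inner, err := e.aead.Open(nil, frame[headerLen:headerLen+ns], frame[headerLen+ns:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame was modified")
	}
	e.lastSeen = seq
	return inner, nil
}

// EncapsulateAuthOnly is the authenticated-but-unencrypted case: header ||
// inner || HMAC-SHA256. Tampering is detected, but the payload is in the clear.
func (e *Endpoint) EncapsulateAuthOnly(inner []byte) []byte {
	frame := append(e.header(), inner...)
	mac := hmac.New(sha256.New, e.key)
	mac.Write(frame)
	return mac.Sum(frame)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real VPN negotiates keys (e.g. with IKE)
	client, _ := NewEndpoint(7, key)
	server, _ := NewEndpoint(7, key)
	inner := []byte("GET /payroll HTTP/1.1") // constructed inner packet
	frame, _ := client.Encapsulate(inner)
	got, err := server.Decapsulate(frame)
	fmt.Printf("secure: visible=%v got=%q err=%v\n", bytes.Contains(frame, inner), got, err)
	_, err = server.Decapsulate(frame) // same frame delivered twice
	fmt.Println("replay:", err)
	frame, _ = client.Encapsulate(inner)
	frame[len(frame)-1] ^= 1 // attacker flips one bit in transit
	_, err = server.Decapsulate(frame)
	fmt.Println("tamper:", err)
	fmt.Println("auth-only visible:", bytes.Contains(client.EncapsulateAuthOnly(inner), inner))
}
```

The sequence number is what the two endpoints "agree on": the receiver only advances lastSeen after the frame authenticates, so an attacker who cannot forge the tag cannot move the window either. A random nonce is used here for brevity; production protocols derive separate keys per direction so that a counter can serve as the nonce.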
Davis (2001) explains that several aspects must be considered in securing a VPN. The first is the sensitivity of the information: what is stored, processed and carried over the network. Information accessed remotely must also be secured; business partners, employees and customers now need access from offices, homes and hotel rooms. The VPN must be properly segmented: dividing the network into separate segments limits the spread of malware and enforces access control. Finally, the VPN traffic should be encrypted.
Apart from designing a secure VPN, maintaining secure remote access is an ongoing challenge, but certain practices help. First, establish a policy that states which security software controls are required on connecting systems, distribute it together with the connection set-up and similar instructions for end users, and define the conditions end users must meet before they may connect to the VPN. Second, address endpoint security by choosing a vendor that can offer comprehensive endpoint security management and enforce the policy as part of the VPN.
Third, enforce compliance with corporate policy: end users should be told that the security policy extends to their remote desktops once they are connected to the network. Fourth, report on end-user compliance; this is critical and should be done consistently. Fifth, review the policy and the reports periodically. This identifies patterns and trends in access violations and confirms that the technical controls and the policy together address the security needs of remote access.
To realize the security and benefits of a VPN, several further measures are needed. Use the strongest authentication method the VPN supports; which methods are available depends on the network infrastructure, so the VPN should be checked to determine the options. On a network of Microsoft servers, for example, the most secure authentication is Extensible Authentication Protocol-Transport Level Security (EAP-TLS) used with smart cards. Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Shiva Password Authentication Protocol (SPAP) are considered very weak; PAP in particular sends the password in clear text.
Use the strongest encryption the VPN supports as well; on a network of Microsoft servers this is Layer 2 Tunneling Protocol (L2TP) over IP Security (IPsec). VPN access should be limited to those with a valid business reason. Since a VPN connection is a door into the LAN, it should be open only when needed, and remote employees should not be encouraged to stay connected to the VPN when it is not necessary. Where possible, selected files should be made available through intranets and extranets without a VPN, and email should be accessible without a VPN connection. A strong password policy should be implemented and enforced.
No one should be allowed to keep a password permanently, or to use a personal word such as a phone number, pet's name or family name as a password. Remote users should be provided with strong antivirus, personal firewall and anti-spam protection, and should use it at all times. When a client computer starts a VPN session, it should not be given full access to the network until it has been checked and shown to comply with the network policies. Other VPNs and remote control software should not be in use while a user is connected to the VPN. Finally, all remote wireless networks must be secured.
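The admission check described above, in which a client is held back from full network access until it proves compliance, can be expressed as a small policy evaluator. This is an added example in Go, not code from the original paper or from any vendor's endpoint-security product; the PostureReport fields, the three-level Deny/Quarantine/Full outcome and the three laptops in main are assumptions made for illustration. Conditions that make the session itself unsafe (a second VPN or remote control tool running at the same time) refuse the session, while missing or stale protection sends the client to a remediation-only quarantine network. The reasons are returned with the decision so they can feed the compliance reporting and periodic review called for in the practices above.

```go
package main

import (
	"fmt"
	"time"
)

// PostureReport is what a client-side agent would send before the session is
// admitted. The fields are assumptions made for this example.
type PostureReport struct {
	Host                string
	AntivirusRunning    bool
	SignatureUpdatedAt  time.Time
	FirewallEnabled     bool
	AntispamEnabled     bool
	OtherVPNActive      bool
	RemoteControlActive bool
}

// Policy holds the one tunable threshold: how old antivirus signatures may be.
type Policy struct {
	MaxSignatureAge time.Duration
}

type Access int

const (
	Deny       Access = iota // session refused
	Quarantine               // remediation network only (update servers, help desk)
	Full                     // normal LAN access
)

func (a Access) String() string { return [...]string{"deny", "quarantine", "full"}[a] }

type Decision struct {
	Access  Access
	Reasons []string
}

// Evaluate applies the policy to one report. Anything that would bridge the LAN
// to another network denies the session outright; fixable gaps in protection
// place the client in quarantine; only a clean report gets full access.
func Evaluate(p Policy, r PostureReport, now time.Time) Decision {
	var d Decision
	if r.OtherVPNActive {
		d.Reasons = append(d.Reasons, "another VPN is active")
	}
	if r.RemoteControlActive {
		d.Reasons = append(d.Reasons, "remote control software is running")
	}
	if len(d.Reasons) > 0 {
		d.Access = Deny
		return d
	}
	if !r.AntivirusRunning {
		d.Reasons = append(d.Reasons, "antivirus not running")
	} else if age := now.Sub(r.SignatureUpdatedAt); age > p.MaxSignatureAge {
		d.Reasons = append(d.Reasons, fmt.Sprintf("antivirus signatures %d days old", int(age.Hours()/24)))
	}
	if !r.FirewallEnabled {
		d.Reasons = append(d.Reasons, "personal firewall disabled")
	}
	if !r.AntispamEnabled {
		d.Reasons = append(d.Reasons, "anti-spam protection missing")
	}
	if len(d.Reasons) > 0 {
		d.Access = Quarantine
		return d
	}
	d.Access = Full
	d.Reasons = []string{"all checks passed"}
	return d
}

func main() {
	now := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	policy := Policy{MaxSignatureAge: 3 * 24 * time.Hour}
	// Constructed posture reports for three hypothetical laptops.
	reports := []PostureReport{
		{Host: "lt-alice", AntivirusRunning: true, SignatureUpdatedAt: now.Add(-6 * time.Hour), FirewallEnabled: true, AntispamEnabled: true},
		{Host: "lt-bob", AntivirusRunning: true, SignatureUpdatedAt: now.Add(-9 * 24 * time.Hour), FirewallEnabled: false, AntispamEnabled: true},
		{Host: "lt-carol", AntivirusRunning: true, SignatureUpdatedAt: now.Add(-1 * time.Hour), FirewallEnabled: true, AntispamEnabled: true, OtherVPNActive: true},
	}
	for _, r := range reports {
		d := Evaluate(policy, r, now)
		fmt.Printf("%-9s -> %-10s %v\n", r.Host, d.Access, d.Reasons)
	}
}
```

In a real deployment the report would come from the endpoint agent the chosen vendor supplies and the decision would be enforced by the VPN concentrator's access-control lists; the point of the example is the ordering of the checks, so that a host which could expose the LAN is never merely quarantined.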
In conclusion, a virtual private network should be designed to maximize both its efficiency and its privacy. This makes it reliable for its users and more beneficial than alternatives such as an intranet alone. All the factors stated in this essay should be considered in order to produce an effective and efficient virtual private network.