Now that you understand best practices and VPN policy, it’s time to look at how to select, place, and use a VPN.
Consider these criteria during your search:
Once you have gathered this information, you can start to narrow your selection based on how well these features meet your criteria.
Before selecting and purchasing a VPN solution, consider a number of factors. One that is too frequently ignored is the budget for the solution. Carefully consider your criteria and evaluate your options, always keeping in mind that you need to live within your budget. When budgeting, be sure to look not only at acquisition costs, but also at the ongoing support and maintenance costs for at least the first three years.
Next, consider where you will deploy the VPN on your network. Three common architectures typically accompany VPN solution deployments. The three deployment types are bypass, internally connected, and DMZ-based.
A bypass architecture (FIGURE 10-1) deploys the VPN so that traffic to the VPN and from the VPN to the internal network is not firewalled in any way. This is referred to as bypass deployment.
This was a common architecture when VPNs were first introduced to the market. The logic behind this deployment architecture is that security is adequate without additional firewalling because the VPN accepts only encrypted connections on a specific port. The assumption is that because traffic is encrypted, it does not require additional protection. Even if you did place a firewall on the Internet-facing VPN connection, the firewall would not be able to analyze the encrypted VPN traffic. A bypass architecture also considers anyone connected to the VPN as a trusted host. Finally, passing traffic across a firewall always causes concerns about performance impacts, and justifiably so.
Two significant issues arise with this implementation model. First, VPNs are like any network device; each can have a variety of vulnerabilities. As a result, VPNs are still vulnerable to an attack against the device itself. Second, the uses for VPN have expanded greatly since the technology first appeared, and it is not uncommon in today’s environment to leverage a VPN to provide untrustworthy hosts access to portions of the network. These could be customers accessing an order management portal, vendors supporting systems on the internal network, or suppliers who are transferring invoices to your internal systems. Although some controls (usually routing table–related) are available in most VPN solutions, terminating a VPN directly on your internal network is a dangerous practice. As a result, the circumstances where a bypass VPN architecture is still a viable solution are limited, unless your risk tolerance is fairly high.
An internally connected architecture (FIGURE 10-2) deploys the VPN so that traffic to the VPN and from the VPN to the internal network is not firewalled in any way.
An internally connected VPN architecture recognizes that the VPN is vulnerable to attack if placed directly on the Internet, so it places the Internet-facing VPN connection behind a firewall. Selecting the appropriate firewall for this solution is critical to a successful implementation. The VPN then connects any remote users or site-to-site connections directly to the internal network.
This is an improvement over the bypass architecture, but it still does not address the potential security issues associated with untrustworthy VPN connections. This architecture is not recommended, although it will work if the only hosts connecting are trusted hosts.
A demilitarized zone (DMZ)–based implementation (FIGURE 10-3) addresses the main shortcomings of the previous two architectures.
This architecture features a firewall in front of the VPN to protect it from Internet-based attacks, as well as a firewall behind to protect the internal network. The firewall on the inside can be configured to protect important infrastructure like finance department or research department servers, restrict business partners to only the systems to which they need access, or limit vendor access to only those systems supported.
The largest negative in this design is the cost of deploying multiple firewalls for the implementation. However, many companies already have DMZs set up in this configuration, so it may be just a matter of leveraging the existing infrastructure for your needs.
After selecting the ideal VPN and determining where you are going to place it in your infrastructure, it is time to work up your deployment plan.
Before you look at the components of a successful deployment plan, keep in mind that your environment is unique to your organization. Some elements you will read about will not apply to your deployment. These are, rather, just some common elements found in most typical VPN deployment plans. Just as with the other topics discussed here, review these while thinking of the requirements of your organization.
To deploy your VPN successfully, you need to:
You can use a project management application to plan your VPN rollout, or use something as simple as a word processing or spreadsheet application. The purpose of this plan is to allow you to structure your deployment more formally than a plan written on the back of a cocktail napkin.
You now should be able to select, plan, and successfully deploy a VPN for your organization.
18.226.34.197