VPN Surfing Challenge    

Many users need secure access to business documents and data while away from the office, often from the same computer they are using to reach other resources on the Internet at the same time. VPNs are one popular answer to this security challenge.

A virtual private network, VPN for short, allows secure remote access to network resources for users who are not locally on the network. Regardless of which technology is used to build the VPN, the underlying principle is the same.

In principle, a VPN is a secured communications channel carried over an insecure network. A VPN deployment typically provides connectivity between either ‘many-to-many’ or ‘one-to-many’ endpoints.

Many-to-many or office-to-office:
A many-to-many VPN allows multiple hosts on one network to talk to multiple hosts on another. Branch office connectivity to head office resources is the most typical use of this type of deployment.

One-to-many or client-to-office:
A one-to-many VPN allows a single host or client access to resources on a network. Outside sales representatives needing access to documents or data are a prime example of this type of VPN.

Many-to-many VPNs typically provide local access to the public Internet at each end, so that ordinary Internet traffic does not burden the VPN encryption engine. Note that policy must then be set and enforced at both ends. With one-to-many VPN access, policy is enforced at only one end, the office, leaving the client potentially unsecured, so that is the case we will focus on.

As small and medium sized organizations rely more and more on centralized data, the need to access that data securely becomes ever more important. Many of these organizations do not have extensive capital resources and therefore seek to get the most out of their spending. Combining firewall protection and VPN termination in a single box is the most straightforward way to save money while retaining the required functionality.

One example of hardware that combines firewall and VPN functionality is the Cisco PIX firewall. The PIX has seen wide deployment and is still in use at many small and medium size organizations, and its successor, the Cisco Adaptive Security Appliance (ASA), will grow in popularity as well. Both reliably encrypt at one end of the VPN and decrypt at the other.

With a one-to-many VPN, you cannot rely on effective security precautions at the client end. Consequently, you need to be aware of a potential ‘gotcha’ when using a Cisco PIX as the endpoint for dynamic (remote-access) VPN clients.

The Cisco PIX does not allow traffic to enter the firewall and then leave again through the same interface. (PIX software 7.0 and later, and the ASA, can permit this ‘hairpin’ with the same-security-traffic permit intra-interface command; the classic PIX cannot.) This means that if a VPN client terminates on the outside interface of the PIX and wants to surf the public Internet, that traffic must be routed to the inside of your network (or to the DMZ) and then back out again: the VPN client needs a proxy server. Without a proxy, VPN users cannot surf. The VPN connection parameters pushed to the client therefore need to include proxy settings. We have tested proxy use in a Microsoft Windows environment for both HTTP and HTTPS; configured correctly, the solution is reliable.

There is an alternative: configure ‘split tunnelling’ for the VPN client connection. To do this, define the list of protected network destinations; only traffic for those networks is sent through the tunnel, and all other traffic is sent to the local machine’s default gateway. The danger is that the end user then has a connection to the public Internet and to the Local Area Network behind the VPN at the same time, so anything that compromises the client from the Internet side has a path into the office network. The danger can be somewhat mitigated by a remote-user policy that prohibits web surfing while the VPN link is established, but because the head end cannot enforce what the client does with its local gateway, that mitigation is only as good as the user’s compliance.
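As an added example (not from the original article and not taken from Cisco’s documentation), here is how the two approaches above look in Cisco ASA / PIX 7.x group-policy configuration: a full-tunnel policy that pushes proxy settings to Windows clients so they can surf through an inside proxy, and a split-tunnel policy that limits the tunnel to the protected networks. The group-policy and tunnel-group names, the ACL name, and the 10.10.0.0/24, 10.20.0.0/24 and 10.10.0.5:8080 addresses are assumed placeholders.

```cisco
! --- Option 1: full tunnel. All client traffic enters the tunnel, and the
! --- client is told to use an inside proxy for its web traffic, so Internet
! --- requests never need to hairpin on the outside interface.
! --- (Placeholders: office LAN 10.10.0.0/24, proxy 10.10.0.5 port 8080.)
group-policy RA_FULL_TUNNEL internal
group-policy RA_FULL_TUNNEL attributes
 split-tunnel-policy tunnelall
 ! Push Internet Explorer proxy settings to the Windows client for the
 ! lifetime of the tunnel; the proxy sits on the inside network.
 msie-proxy method use-server
 msie-proxy server value 10.10.0.5:8080
 ! Do not send requests for local (office) addresses through the proxy.
 msie-proxy local-bypass enable

! --- Option 2: split tunnel. Only the listed networks go through the
! --- tunnel; everything else leaves via the client's own default gateway,
! --- so the client is on the Internet and the office LAN at the same time.
access-list SPLIT_TUNNEL_NETS standard permit 10.10.0.0 255.255.255.0
access-list SPLIT_TUNNEL_NETS standard permit 10.20.0.0 255.255.255.0

group-policy RA_SPLIT_TUNNEL internal
group-policy RA_SPLIT_TUNNEL attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_NETS

! --- Bind one of the two policies to the remote-access tunnel group.
! --- Change RA_FULL_TUNNEL to RA_SPLIT_TUNNEL to switch approaches.
tunnel-group RA_VPN general-attributes
 default-group-policy RA_FULL_TUNNEL
```

With the full-tunnel policy every byte the client sends crosses the office proxy, which can log and filter it; with the split-tunnel policy the head end has no visibility or control over the client’s Internet traffic at all, which is exactly the gap the remote-user policy is trying to paper over.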

VPNs can offer users secure access to the office when needed, even for those who need to surf at the same time.

Originally published July 2008
All content © eSubnet 2003-2021