In: Categories » Electronics and communication » Network security » Why to Deploy a VPN
|
The motivation behind building VPNs is spread along different sectors of human nature, be it cost reduction or privacy of the communication. The common part lies in virtualization of communications by using modern means of secure data transfer. The basic advantage for VPN communication lies in a cost reduction for interconnecting remote sites. The current alternative to VPN solutions is purchase of a leased line or introduction of a Remote Access Server (RAS). Dedicated lines are usually installed for mission-critical applications that require a lot of guaranteed throughput between the nodes, when data transfer over the public data networks (PDNs) is seen as unreliable and their service availability can not be guaranteed. Installation of a point-to-point wireless link can provide another cheap alternative, but would it be sufficiently secure? Modern communication systems exhibit a high fixed-cost component such as installation and maintenance, with the variable cost component (e.g., bandwidth) accounting for a much smaller proportion of the total cost of ownership. A properly designed and implemented VPN might become a more attractive solution involving one "fat pipe" accommodating all the communication needs of an organization with VPNs running through it. A sufficiently wide radio frequency data carrier can constitute such a fat pipe. On the other hand, the second major motivator for VPN deployment is the increased need for privacy of data communications. All externally transmitted internal communications must be separated from the external observer through the use of strong cryptography and authenticity. The traditional secure solution that enables external clients to access internal resources is the deployment of RAS. However, affiliated costs of maintaining the equipment and the associated costs of telephone calls can aggravate the attractiveness of such a tactic. With respect to wireless networks, at least until the final 802.11i draft is out, the main motivator for wireless VPN deployment lies in the price–performance ratio of adding an extra layer of protection to otherwise vulnerable wireless communications. The traditional 802.11a/b/g authentication and encryption mechanisms on their own cannot offer sufficient protection against experienced attackers. Whereas 802.11x with a RADIUS server is way out of reach for the standard SOHO wireless network, most of the marketed network security devices can run a decent VPN, achieving a similar level of protection.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
Can symmetric cryptography meet the requirements of the Biba model, based on the data integrity checks and proper authentication? The answer is "yes," but in a very inefficient way. Recall the practical authentication example with the UNIX (well, Linux in our case) password encryption flaw when DES in ECB is used. Of course, any of the feedback modes or 128-bit block ciphers can be used instead of DES, with the obvious performance penalties. However, in our example, MD5 scales very well. A cryptographic hash function i...
2. 802.11i Wireless Security Standard and WPA
Thus, the main hope of the international 802.11 community and network administrators lies with the 802.11i standard development. Sometimes 802.11i is referred to as the Robust Security Network (RSN) as compared to traditional security network (TSN). The "i" IEEE task group was supposed to produce a new wireless security standard that should have completely replaced legacy WEP by the end of 2003. In the meantime, some bits and pieces of the incoming 802.11i standard have been implemented by wireless equipment and software vendor...
3. Proprietary Improvements to WEP and WEP Usage
The article devoted to the proprietary and standards-based improvements for currently vulnerable 802.11 safeguards. The most publicized 802.11 vulnerability is the insecurity of WEP. We have already reviewed the cryptographic weaknesses of WEP linked to the key IV space reuse and insecure key-from-string generation algorithm. There are also well-known WEP key management issues: All symmetric cipher implementations suffer secure key distribution problems. WEP is no exception. In the original design,...
4. Penetration Testing as Your First Line of Defense
It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks. First of all, the penetration tester should be very familiar with RF theory and specific RF security problems (i.e., signal leak and detectability, legal regulations pertaining to the transmitter power output, and characteris...
5. Asymmetric Cryptography
Message authentication using HMACs works just fine, but how do we distribute symmetric cipher keys among the users? We can pass them around on floppies or fancy USB pen-drives with encrypted partitions on them, but what if many users live all over the world? What if the physical key distribution method takes time and the keys must be frequently changed? This is the case with the traditional WEP, which should be rotated every few minutes. Key-encrypting keys (KEKs) were offered as symmetric cipher keys used only to encrypt...
6. Examples and Analysis of Common Wireless Attack Signatures
The best way of knowing these signatures is trying out the tools in question and sniffing out their output: "Attack through defending, defend through attacking" (Dr. Mudge). The best source on wireless network intrusion tool detection and attack signatures we are aware of is Joshua Wright's "Layer 2 Analysis of WLAN Discovery Applications for Intrusion Detection" and "Detecting Wireless LAN MAC Address Spoofing" papers. A large part of this tutorial is inspired by these brilliant articles and our experience of analyzing WLAN tr...
7. Deploying a Wireless IDS Solution for Your WLAN
How many IDS solutions that implement the recommendations and follow the guidelines we have already discussed are present on the modern wireless market? The answer is none. There are many wireless IDS solutions that look for illicit MAC addresses and ESSIDs on the monitored WLAN. Some of these solutions are even implemented as specialized hardware devices. Although something is better than nothing, in our opinion such "solutions" are a waste of both money and time. They might also give you a false sense of security. Let's...