Corporate VPN: A brief guide
What is a VPN?
For many, the term VPN may have been unfamiliar before work-from-home arrangements arose. For others, it was already highly familiar. VPN is an abbreviation for Virtual Private Network. This blog post focuses on corporate VPNs, not personal VPNs.
Virtual means that a tunnelling protocol builds the tunnel over a shared medium rather than over a dedicated physical link. The tunnel cannot be accessed by the public, hence the name Virtual Private Network. The encrypted tunnel connects two endpoints, i.e., your PC and the VPN's remote server or service provider.
But for it to remain private and provide full protection, it requires encryption. The public network can see that a tunnel exists, but it cannot know what data flows through it, because the data is encrypted via IPSec (Internet Protocol Security), SSL or similar protocols. Only those who hold the decryption key or password can view and access the information that flows through it.
What is a Corporate VPN?
A Corporate VPN enables secure access and end-to-end encryption between devices in the same internal network no matter where they are working from. It has fewer limitations and provides enhanced security and more flexibility.
The most common advantage is that it recreates the corporate environment from the comfort of your own home. Employees can access files and do their work as if they were physically present in the office.
Table of contents
- What is a VPN? What is a Corporate VPN?
- Out of IPSec, SSL, L2TP, and PPTP, which one is the most secure?
- Split Tunnel and Full Tunnel
- Types of Corporate VPN
- VPN Security Best practices
Some organizations use Virtual Desktop Infrastructure (VDI) for convenience, but VPNs are more cost-effective and also get the job done, providing the needed security features.
VPNs provide full anonymity by encrypting your connection, masking your IP address and preventing ISPs or the government from prying on confidential information. Your IP address is hidden when your data passes through the encrypted tunnel established by the VPN. All VPN users appear with an IP address different from their original one, which is made possible with the help of a VPN gateway.
What is a VPN Gateway?
A VPN gateway, also sometimes referred to as a VPN concentrator, is a networking device that connects two or more nodes.
It connects, routes, blocks or passes VPN traffic for multiple users in remote locations, and it handles the encryption and decryption of data and its end-to-end delivery. The gateway can be a router, a server or a UTM firewall; it assigns IP addresses and manages multiple VPN tunnels simultaneously.
Out of IPSec, SSL, L2TP, and PPTP, which one is the most secure?
Several tunnelling protocols are prevalent, but corporate VPNs use either IPSec, SSL or MPLS (MPLS will not be discussed in this blog post, as it is a vast topic that would require an entire post of its own).
1. IPSec Protocol
IPSec verifies the session and encrypts each data packet. It can be used with other security protocols to improve security. Additionally, the user and the server must negotiate the parameters to keep the tunnel secure.
2. SSL/TLS Protocol
An SSL VPN uses the SSL/TLS protocol. It is much simpler than IPSec. The data flowing through this tunnel is encrypted using the SSL or TLS protocol, so all traffic between a web browser and an SSL VPN device is protected by it. It is the most secure VPN protocol of all. SSL is not preferred for network-to-network communication but is predominantly used for client-to-network communication.
3. Layer 2 Tunneling Protocol (L2TP)
L2TP is often combined with IPSec to establish a highly secure, double-encapsulated connection. L2TP creates a tunnel between two L2TP endpoints and IPSec encrypts the data for enhanced security. L2TP does not provide encryption of its own; it relies on IPSec for its cryptographic requirements.
4. Point to Point Tunneling Protocol (PPTP)
PPTP is easy to set up but not as safe and secure as the other types. It is fast because of its weak encryption. No additional software is needed, but it has many loopholes and can be blocked by firewalls.
Split Tunnel and Full Tunnel
A major issue people face while working from home is that their bandwidth is hampered because corporate and personal data flow through the same encrypted tunnel. The solution to this is split tunnelling.
Split tunnelling is a feature that sends corporate data through the encrypted tunnel while personal data goes directly to the internet, outside the encrypted tunnel.
However, features like these come with their own set of pros and cons. Let us dive into both.
Pros
- Conserves bandwidth, as your personal internet traffic does not have to pass through the VPN server
- Reduced traffic through each tunnel
- Increased bandwidth speed
Cons
- Assume that a hacker has penetrated an employee's home network and the split tunnel is poorly encrypted; this leaves room for the hacker to reach the corporate data.
Full Tunnel
In a full tunnel, all web traffic, corporate or personal, passes through a single encrypted tunnel. All policies are set by the company, which can deny access to websites or apps that hamper employee productivity. Employee activity is tracked throughout the day.
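The routing decision that separates the two modes, as an added example that is not code from the original post: given a set of corporate prefixes (constructed here; a real VPN client receives them from the gateway), split mode sends only corporate destinations through the tunnel, while full mode sends everything. Running it over a few constructed flows shows how much traffic the gateway stops seeing in split mode, which is exactly the traffic the company can no longer filter and that a compromised home network can observe.

```python
"""Split vs full tunnel routing decisions.

Added example, not code from the original post. It assumes a constructed list
of corporate prefixes and constructed sample flows; a real VPN client receives
the corporate routes from the gateway instead of hard-coding them.
"""
import ipaddress
from typing import List, Tuple

# Constructed corporate networks that are only reachable through the tunnel.
CORPORATE_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),        # HO and branch office LANs
    ipaddress.ip_network("192.168.100.0/24"),  # file server VLAN
]

# Constructed sample flows: (destination IP, bytes). Public addresses are from
# the RFC 5737 documentation ranges, so they point at nothing real.
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("10.1.2.3", 50_000),          # HO file share
    ("192.168.100.10", 20_000),    # intranet application
    ("198.51.100.7", 300_000),     # public web site
    ("203.0.113.9", 200_000),      # public video stream
]


def route_for(dst: str, mode: str, prefixes=CORPORATE_PREFIXES) -> str:
    """Return 'tunnel' or 'direct' for one destination address.

    mode == 'full':  everything is sent through the encrypted tunnel.
    mode == 'split': only destinations inside a corporate prefix use the tunnel;
                     everything else leaves the home network without VPN protection.
    """
    if mode == "full":
        return "tunnel"
    if mode != "split":
        raise ValueError(f"unknown tunnel mode: {mode}")
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in prefixes) else "direct"


def tunnel_share(flows: List[Tuple[str, int]], mode: str) -> float:
    """Fraction of bytes that traverse the VPN gateway under the given mode."""
    total = sum(size for _, size in flows)
    via_tunnel = sum(size for dst, size in flows if route_for(dst, mode) == "tunnel")
    return via_tunnel / total if total else 0.0


def unprotected_destinations(flows: List[Tuple[str, int]]) -> List[str]:
    """Destinations that bypass the tunnel in split mode: traffic the company can no
    longer inspect or filter, and that a compromised home network can observe."""
    return [dst for dst, _ in flows if route_for(dst, "split") == "direct"]


if __name__ == "__main__":
    for mode in ("full", "split"):
        share = tunnel_share(SAMPLE_FLOWS, mode)
        print(f"{mode:5s} tunnel: {share:.0%} of bytes pass through the gateway")
    print("bypassing the tunnel in split mode:", unprotected_destinations(SAMPLE_FLOWS))
```

With the constructed flows, full mode carries 100% of the bytes through the gateway and split mode carries about 12%; the other 88% is the personal traffic whose bandwidth the post wants to save, and also the traffic that no longer benefits from the gateway's filtering.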
Types of VPN
Remote Access VPN (Host-to-Site VPN)
A Remote Access VPN connects an individual to the corporate internal network. A virtual tunnel is created between the employee and his or her company. These are also secure and affordable.
This can be further split into:
NAS (Network Access Server)
This could be a server or a software application. The NAS asks for credentials before letting the user sign in to the VPN.
VPN Client Software
Users have to install client software or a specific application to enable this. The software creates the virtual tunnel to the NAS and also handles the encryption.
Site-to-Site VPN
Here, two hosts are connected through a VPN tunnel to enable secure data transfer. Before any transmission, the two ends are authenticated and encryption keys are exchanged between them.
This type is most common in large business organizations. Site-to-site VPNs are further divided into two types: intranet-based and extranet-based. Take the example of Infrassist itself: our head office is in Ahmedabad, India and our branch office is in Sydney, Australia; to ensure a secure connection between the two offices, an intranet-based site-to-site VPN is used.
And if Infrassist communicates with another organization, the data is transmitted securely using an extranet-based site-to-site VPN.
When it comes to a corporate VPN, two topologies are used, which can be explained easily through an example.
Let us suppose that Infrassist Technologies Pvt. Ltd has its head office (HO) in Ahmedabad, India and 10 branch offices (BO) spanning the globe, so 11 offices in total.
Mesh Topology
Assume that the company has structured its networks and tunnels in a mesh topology. If BO 1 communicates with BO 2, the information passes directly through the tunnel between them; nothing passes via the head office.
Pros
- Branches remain independent, so if the server at the HO goes down, the branches remain functional and face no issue or glitch.
- If one branch in the network goes wrong, it does not affect the routing between the other nodes (branch offices).
Cons
- The HO does not have any control over the information flowing between its branches.
- If a 12th branch is added, or every time a new branch is opened, a new VPN configuration has to be established on each of the other BOs.
Hub & Spoke Topology
It is a simple network structure in which a central node is connected to all the other nodes. In a hub & spoke topology, every communication between branches has to pass via the head office.
Pros
- Better control over the communications that take place between branches.
- If a new branch is added to the network, the configuration is done only at the HO; the branches need not carry out separate configuration.
- If one branch in the network goes wrong, it does not affect the routing between the other nodes (branch offices).
Cons
- If the server at the head office goes down, the entire network topology is affected.
- A lot of traffic accumulates at the head office.
- High processing power is required at the network centre.
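The two topology trade-offs above (configuration cost of a new branch, and what survives a head-office outage) can be made concrete by modelling each tunnel as a pair of site names. This is an added example, not code from the original post; the site names are constructed, and the model only covers tunnel reachability, not the traffic or processing load the post also mentions.

```python
"""Mesh vs hub-and-spoke VPN topologies.

Added example, not code from the original post. Each VPN tunnel is modelled as
an unordered pair of site names; site names are constructed. The model answers
two questions from the post: how many existing sites need new configuration
when a branch is added, and which branches still reach each other when a site
(e.g. the head office) goes down.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set

Tunnel = FrozenSet[str]

HO = "HO-Ahmedabad"                             # constructed head office name
BRANCHES: List[str] = [f"BO-{i}" for i in range(1, 11)]  # ten constructed branches


def mesh_tunnels(sites: Iterable[str]) -> Set[Tunnel]:
    """Full mesh: every pair of sites has its own tunnel (n*(n-1)/2 tunnels)."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_spoke_tunnels(hub: str, spokes: Iterable[str]) -> Set[Tunnel]:
    """Hub and spoke: each branch has exactly one tunnel, to the hub (n-1 tunnels)."""
    return {frozenset((hub, s)) for s in spokes}


def add_branch(tunnels: Set[Tunnel], new_site: str, topology: str, hub: str = HO) -> Set[str]:
    """Add a branch in place and return the EXISTING sites whose config must change."""
    existing = {site for t in tunnels for site in t}
    if topology == "mesh":
        new = {frozenset((new_site, s)) for s in existing}
    elif topology == "hub-spoke":
        new = {frozenset((new_site, hub))}
    else:
        raise ValueError(f"unknown topology: {topology}")
    tunnels |= new
    return {s for t in new for s in t if s != new_site}


def reachable(tunnels: Set[Tunnel], start: str, failed: Set[str]) -> Set[str]:
    """Sites reachable from `start` over tunnels, with `failed` sites taken offline."""
    adj: Dict[str, Set[str]] = {}
    for t in tunnels:
        a, b = tuple(t)
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen: Set[str] = set()
    stack = [start]
    while stack:                      # depth-first walk over the surviving tunnels
        s = stack.pop()
        if s in seen or s in failed:
            continue
        seen.add(s)
        stack.extend(adj.get(s, ()))
    return seen - {start}


def branches_still_connected(tunnels: Set[Tunnel], branches: Iterable[str], failed: Set[str]) -> bool:
    """True if every surviving branch can still reach every other surviving branch."""
    live = [b for b in branches if b not in failed]
    return all(set(live) - {b} <= reachable(tunnels, b, failed) for b in live)


if __name__ == "__main__":
    sites = [HO] + BRANCHES
    for name, tunnels, kind in (("mesh", mesh_tunnels(sites), "mesh"),
                                ("hub & spoke", hub_spoke_tunnels(HO, BRANCHES), "hub-spoke")):
        print(f"{name}: {len(tunnels)} tunnels for {len(sites)} offices")
        print(f"  branches still connected if HO is down: "
              f"{branches_still_connected(tunnels, BRANCHES, {HO})}")
        touched = add_branch(tunnels, "BO-11", kind)
        print(f"  adding BO-11 changes config at {len(touched)} existing site(s)")
```

For 11 offices the mesh needs 55 tunnels and a 12th branch touches all 11 existing sites, while hub & spoke needs 10 tunnels and the new branch touches only the HO; conversely, taking the HO offline leaves every mesh branch pair connected and isolates every hub & spoke branch.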
VPN Security Best Practices
When a large number of people work remotely, cyber threats are bound to arise. This has nothing to do with dangers or security concerns inherent in the VPN itself; the reasons could be that:
- Organizations are associated with a cheap VPN vendor
- Organizations do not update their VPNs with the latest security patches often enough
To mitigate these risks, the Cybersecurity and Infrastructure Security Agency (CISA) has recommended the following best practices:
- Strong passwords should be set
- MFA should be enabled
- Update VPNs with the latest patches
A few other VPN best practices include:
- Geo-boundaries: if your company is confined to Sydney and has 2-3 branches in the same city, you can set geo-boundaries so that nobody outside Sydney can access the corporate network.
- Minimal access: only a limited number of employees can access a certain folder. For example, senior management or the directors have access to a folder that is restricted for other employees.
- Reauthentication: you can set policies whereby the user is reauthenticated every 4 hours or every week, etc.
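The best practices above (MFA, geo-boundaries, minimal access and periodic reauthentication) combine naturally into a single per-request policy check of the kind a VPN gateway or access proxy would run. The following is an added example, not code from the original post or from any VPN product: the policy values, user roles, folder names and session records are all constructed, and the ordering of the checks (hard denials first, then the reauthentication prompt, then the folder ACL) is a design choice, not something the post specifies.

```python
"""VPN session policy check combining the post's best practices.

Added example, not code from the original post. Policy values, roles, folder
names and sessions are constructed; a real gateway would take the session
fields from its authentication backend and the country from IP geolocation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    allowed_countries: Set[str]        # geo-boundary
    reauth_interval: timedelta         # how long an authentication stays valid
    folder_acl: Dict[str, Set[str]]    # folder -> roles allowed (minimal access)
    require_mfa: bool = True


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    source_country: str
    authenticated_at: datetime
    mfa_passed: bool


# Constructed policy: a Sydney-only company, 4-hour reauthentication, and a
# board folder restricted to directors and senior management.
POLICY = Policy(
    allowed_countries={"AU"},
    reauth_interval=timedelta(hours=4),
    folder_acl={
        "/shares/board": {"director", "senior-management"},
        "/shares/public": {"director", "senior-management", "staff"},
    },
)


def evaluate(session: Session, folder: str, policy: Policy = POLICY,
             now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (decision, reason) where decision is 'deny', 'reauthenticate' or 'allow'.

    Hard denials (geo-boundary, MFA) come first, then the reauthentication
    prompt, then the folder ACL. Folders absent from the ACL are denied, so
    access is deny-by-default.
    """
    now = now or datetime.now(timezone.utc)
    if session.source_country not in policy.allowed_countries:
        return "deny", f"source country {session.source_country} is outside the geo-boundary"
    if policy.require_mfa and not session.mfa_passed:
        return "deny", "MFA not completed"
    if now - session.authenticated_at >= policy.reauth_interval:
        return "reauthenticate", "reauthentication interval elapsed"
    allowed_roles = policy.folder_acl.get(folder)
    if allowed_roles is None or session.role not in allowed_roles:
        return "deny", f"role {session.role} is not permitted on {folder}"
    return "allow", "all checks passed"


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sessions, one per situation the policy has to handle.
SAMPLE_SESSIONS: Dict[str, Session] = {
    "director-in-sydney": Session("alice", "director", "AU", NOW - timedelta(hours=1), True),
    "staff-in-sydney":    Session("bob", "staff", "AU", NOW - timedelta(hours=1), True),
    "stale-login":        Session("carol", "director", "AU", NOW - timedelta(hours=5), True),
    "no-mfa":             Session("dave", "director", "AU", NOW - timedelta(minutes=10), False),
    "abroad":             Session("erin", "director", "US", NOW - timedelta(minutes=10), True),
}


def run_checks(folder: str = "/shares/board", now: datetime = NOW) -> Dict[str, str]:
    """Evaluate every sample session against one folder; returns name -> decision."""
    return {name: evaluate(s, folder, POLICY, now)[0] for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, s in SAMPLE_SESSIONS.items():
        decision, reason = evaluate(s, "/shares/board", POLICY, NOW)
        print(f"{name:20s} -> {decision:14s} ({reason})")
```

Against the board folder only the recently authenticated director in Sydney is allowed: the staff member is denied by the folder ACL, the five-hour-old session is sent back to reauthenticate, and the sessions without MFA or from outside the geo-boundary are denied outright. The same staff session is allowed on the public share, which is the minimal-access point the post makes.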