Solved

Why is VPN Secure?

Posted on 2003-12-02
766 Views
Last Modified: 2011-09-20
I am just curious as to how VPN is more secure than other ways of connecting to a remote server. How would you justify the investment in VPN to a manager?
Question by:Leo_Nel
12 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9862392
The investment in VPN is secure because all of the traffic is encrypted, and only the endpoints know the encryption key.  It takes a major effort by someone that has a vested interest in cracking your encryption to do so - an MD5 hash is NOT easy to crack.

The benefit of using a VPN as opposed to a point-to-point connection in a site-to-site scenario is it costs MUCH less for comparable bandwidth, and is carried over the Internet.  Rather than paying for T1, fractional T1, frame-relay, T3, OC-3, etc, (depending on how fast you want it to be) all you need to pay for is a big enough "pipe" to the Internet at each site you want to connect.  You can take advantage of the cost savings between point-to-point technologies and business-class SDSL or business-class cable-modem, AND have your company's internet connectivity all covered in the same bill for virtually no extra money.

If you are talking about a client-to-server VPN, what you gain is the ability to take advantage of broadband home connections like DSL or cable-modem to connect through that always-on internet link, rather than taking up a POTS phone line.  It leaves your phone line available for voice use while you connect to your server securely over the Internet.  This applies to both home and branch-office connections.  The connections are also much faster, and you don't have to worry about per-minute long-distance charges either.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9862442
Point-to-point is more secure than VPN, because the traffic does not flow over the Internet.  It is MUCH more expensive for equivalent throughput.

Dialup is actually less secure than VPN, because the traffic all goes over the public telephone lines, and once a determined hacker discovers your dialup line, access is only a matter of time and effort, which is less effort than trying to hack the VPN encryption.  Dialup security is usually based on RADIUS, using PPP, with either PAP or CHAP authentication.  Other dialup authentication schemes are less secure than RADIUS, and CHAP is more secure than PAP because PAP sends the password in clear text over the POTS line.  You also get only a fraction of the throughput of a broadband client-to-server VPN connection.
 

Author Comment

by:Leo_Nel
ID: 9862471
How is the connection secured from the user's workstation to the Internet? Is the key the only source of security?
 
LVL 35

Expert Comment

by:ShineOn
ID: 9862632
There are usually public keys and private keys.  

When establishing a VPN connection, at no point should any login or password information pass in clear-text format.

What I understand is that the connection and authentication request is encrypted before it leaves the client, and the server can decrypt it using the public key.  The authentication response is then encrypted using the private key and sent back to the client.  The client can then send an encrypted login request using the newly-established encryption code and the client's private key.  Once the authentication and login takes place, then the encryption has been agreed-upon between the client and server, and all traffic is encrypted and decrypted using that "hash" established during the connection and authentication phase.

Usually, VPN "tunnels" make use of a 128-bit encryption code, but the keys can be much larger, like up to 2Kbytes or more in length, making it virtually impossible, and definitely impractical to try, to come up with the combination needed to break into the VPN and capture any meaningful data.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9862650
As far as the keys being the only source of security, no.  You should still have to authenticate through your normal login and password method after the VPN is established.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9862675
I could have mixed a few metaphors or misstated a couple of key words in my description of how a client-to-server VPN works.  If you want, I can post some links to documents that accurately step through the actual process - if someone else doesn't post links before you say "sure, give me some links."  hehe.
 

Author Comment

by:Leo_Nel
ID: 9862790
Give me some links
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9862831
listening...
 
LVL 35

Accepted Solution

by: ShineOn (earned 125 total points)
ID: 9862864
 

Expert Comment

by:TIMFOX123
ID: 9867209
Just a sidelight on VPN.  The tunnel is encrypted and is secure.  The computers at the end points are still vulnerable.  Your tunnel is secure but you still need to protect or disable your local ports on both ends.
 

Expert Comment

by:slaroche
ID: 9875486
There are only two ports that need to be open to create a PPTP-TCP VPN connection.  Those ports are 47 and 1723.  These should be the only ports open on the devices.  Port sniffers will see these ports as open, but as long as you use a strong password policy, breaking in should be near impossible.  Also, the encrypted tunnel is created before any username and password information is sent.  The higher the encryption, the slower the overall throughput will be.  You can expect to get 40% of your full bandwidth with 128-bit MPPE encryption.  This is due to the size of the encryption headers that are placed on each packet.  That is also something to consider when comparing to a managed point-to-point service (frame-relay, ATM, etc).  You may be paying less for business DSL, but you'll only get about 700 kbps on a 1.5 Mbps ADSL connection.  It may be a little better on an SDSL connection.
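As an added example that is not part of this thread, here is a small Python check for the point slaroche and TIMFOX123 make above: a PPTP endpoint needs only the TCP/1723 control channel and GRE (IP protocol number 47, which carries the tunnel itself) accepted inbound, so any other inbound ACCEPT on that device deserves a second look. The ruleset is constructed in a simplified iptables-save shape; the regex and the rule format are assumptions for the example, not output from a real host.

```python
import re

# Constructed sample ruleset in simplified iptables-save form (not from a real host).
SAMPLE_RULES = """
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
"""

# What a PPTP endpoint actually needs inbound: control channel on TCP/1723
# and the GRE tunnel carrier (IP protocol 47, so no port number).
PPTP_ALLOWED = {("tcp", 1723), ("gre", None)}

# Assumed rule shape: "-A INPUT -p <proto> [-m <match>] [--dport <port>] -j <target>".
RULE_RE = re.compile(
    r"-A INPUT -p (?P<proto>\w+)(?: -m \w+)?(?: --dport (?P<port>\d+))? -j (?P<target>\w+)"
)


def parse_rules(text):
    """Return a list of (proto, port_or_None, target) for each recognised INPUT rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            rules.append((m["proto"], port, m["target"]))
    return rules


def unexpected_openings(rules, allowed=PPTP_ALLOWED):
    """Inbound ACCEPTs that a PPTP-only endpoint has no reason to carry."""
    found = {(p, port) for p, port, target in rules
             if target == "ACCEPT" and (p, port) not in allowed}
    return sorted(found, key=lambda x: (x[0], x[1] or 0))


def missing_openings(rules, allowed=PPTP_ALLOWED):
    """Required PPTP openings that the ruleset does not ACCEPT (the tunnel will not come up)."""
    accepted = {(p, port) for p, port, target in rules if target == "ACCEPT"}
    return sorted(allowed - accepted, key=lambda x: (x[0], x[1] or 0))


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("unexpected:", unexpected_openings(parsed))
    print("missing:", missing_openings(parsed))
```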
 
LVL 35

Expert Comment

by:ShineOn
ID: 9878022
Yes, but an SDSL connection costs a bunch less than a 768 Kbps fractional T1... and the loss due to encryption/decryption is dependent on the speed of the processor.  In other words, you DON'T want to use that spare 486 for your VPN!