Question

In: Computer Science


Suppose you have been hired as a security consultant in a large organisation ABC.org, which has offices in three different countries: New Zealand, the USA, and the UK. This organisation wishes to use a VPN (Virtual Private Network) for internal employees. This organisation has decided to use IPSec-powered VPN. This organisation also uses NAT (Network Address Translation) and multiple network firewalls.

Question:

Please explain how the IPSec gateway, NAT router, and personal firewall must be arranged to provide efficient and effective functioning of the organisation.

Solutions

Expert Solution

VPN (virtual private network)

A virtual private network (VPN) creates an encrypted connection over a less trusted network, such as the public internet. A VPN uses tunneling protocols to encrypt traffic at the sending end and decrypt it at the receiving end, so anyone on the path between the two ends sees only ciphertext.

At its most basic level, VPN tunneling creates a point-to-point connection whose contents cannot be read or altered by anyone who does not hold the session keys. To create the tunnel, the endpoint device runs a VPN client locally, or a gateway handles the tunnel on its behalf. The client runs in the background and is not noticeable to the end user unless there are performance issues.

Performance is affected by the speed of the user's internet connection, any protocols the internet provider interposes, and the cipher suite in use.

VPN protocols provide security to connected systems when the underlying network infrastructure alone cannot. Several different protocols are used to secure and encrypt user and corporate data:

  • IP security (IPsec)
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS); SSL itself is deprecated, and current "SSL VPNs" run on TLS
  • Point-To-Point Tunneling Protocol (PPTP); obsolete, its MS-CHAPv2 authentication is broken and it should not be used for new deployments
  • Layer 2 Tunneling Protocol (L2TP); provides no encryption of its own and is normally run inside IPsec (L2TP/IPsec)
  • OpenVPN (TLS-based)

Remote access clients connect to a VPN gateway on the organization's network. The gateway requires the device (and usually the user) to authenticate before granting access to internal network resources. Remote access usually relies on either IPsec or TLS to secure the connection.

What is IPsec?

IPsec (IP security) is a suite of protocols developed to provide integrity, confidentiality and origin authentication for data communications over an IP network. The flexibility of the IPsec standards has drawn the interest of the commercial sector, but the same flexibility and complexity have led to a number of identified problems with the protocols. As with other security systems, poor configuration and maintenance can easily lead to a critical failure.

IPsec may be used in three different security domains: virtual private networks, application-level security and routing security. At present IPsec is used predominantly in VPNs. In application-level or routing security it is not a complete solution and must be coupled with other security measures to be effective, which has hindered its deployment in those domains.

IPsec operation

IPsec has two modes of operation, transport mode and tunnel mode. In transport mode, the source and destination hosts perform all cryptographic operations themselves: the IP payload is protected, but the original IP header stays in the clear and is used for routing. (The common L2TP/IPsec remote-access arrangement runs an L2TP tunnel inside a transport-mode IPsec association; transport mode itself does not create an L2TP tunnel.) Ciphertext is produced by the source host and recovered by the destination host, so this mode establishes end-to-end security.

In tunnel mode, security gateways perform the cryptographic processing on behalf of the hosts behind them. The entire original IP packet is encrypted and encapsulated inside a new IP packet whose outer header carries only the gateway addresses, establishing gateway-to-gateway security; tunnels can also be chained in series between several gateways. In either mode, every receiving endpoint must be able to verify that each packet is genuine and authenticate it before acting on it, and any packet that fails that check must be dropped.

IPsec defines two security protocols: the Authentication Header (AH, IP protocol 51) and the Encapsulating Security Payload (ESP, IP protocol 50). AH provides integrity and origin authentication over the payload and the immutable fields of the IP header, but no confidentiality; it can be used between hosts, between gateways, or between hosts and gateways, provided all of them implement AH. ESP provides confidentiality through symmetric-key encryption and, in practice, integrity and origin authentication as well. Its integrity check covers the ESP header and payload but not the outer IP header, which is why ESP (with UDP encapsulation) can be carried across address translation while AH cannot.

An important part of IPsec is the security association (SA), a one-way relationship that holds the algorithms, keys and lifetime for one direction of traffic. An inbound SA is identified by the Security Parameter Index (SPI) carried in the AH or ESP header, together with the destination IP address and the protocol (AH or ESP); the endpoint may be a firewall, a router or an end host. Active SAs are stored in the Security Association Database (SAD). The Security Policy Database (SPD) holds the policy that decides what to do with each packet: discard it, let it bypass IPsec, or protect it with a particular SA.
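The SPD/SAD lookup and the "drop invalid packets" rule described above, as an added example that is not part of the original answer: a toy Python model of an IPsec endpoint's outbound policy lookup and inbound ESP processing, including the ESP anti-replay window. The addresses, SPIs, keys and sequence numbers are constructed for the example, the packets are plain dictionaries, and an HMAC stands in for the ESP integrity check value; it follows the RFC 4301/4303 rules but is not a real IPsec implementation.

```python
"""
Added example, not part of the original answer: a toy model of the IPsec
Security Policy Database (SPD), Security Association Database (SAD) and the
ESP anti-replay window, following RFC 4301/4303. Every address, SPI, key and
sequence number is constructed for illustration; "packets" are dicts and an
HMAC stands in for the ESP integrity check value (ICV).
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ESP = 50  # IP protocol number of ESP


@dataclass
class SA:
    """One-way security association: identifiers, key and anti-replay state."""
    spi: int
    dst: str                       # address of the endpoint this SA terminates on
    key: bytes
    proto: int = ESP
    window: int = 64
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def icv(self, seq: int, payload: bytes) -> bytes:
        # ESP integrity covers the ESP header (SPI, sequence number) and payload,
        # never the outer IP header
        msg = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def replay_ok(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 4303 section 3.4.3, simplified)."""
        if seq == 0:
            return False                                   # sequence 0 is never valid
        if seq > self.highest_seq:                         # right of the window: slide it
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.highest_seq - self.window:          # left of the window: too old
            return False
        if seq in self.seen:                               # inside the window, already seen
            return False
        self.seen.add(seq)
        return True


@dataclass
class SPDEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                    # DISCARD, BYPASS or PROTECT (RFC 4301 section 4.4.1)
    sa: Optional[SA] = None        # SA applied when the action is PROTECT


def outbound_policy(spd, src: str, dst: str):
    """First-match SPD lookup for an outbound packet; no match means DISCARD."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return entry.action, (entry.sa.spi if entry.sa else None)
    return "DISCARD", None


def make_esp(sa: SA, seq: int, payload: bytes) -> dict:
    """Build a (fake) ESP packet addressed to the SA's endpoint."""
    return {"dst": sa.dst, "proto": sa.proto, "spi": sa.spi, "seq": seq,
            "payload": payload, "icv": sa.icv(seq, payload)}


def process_inbound(sad: dict, pkt: dict) -> str:
    """Inbound ESP: SAD lookup by (SPI, destination, protocol), then ICV, then replay."""
    sa = sad.get((pkt["spi"], pkt["dst"], pkt["proto"]))
    if sa is None:
        return "DROP: no SA"
    if not hmac.compare_digest(sa.icv(pkt["seq"], pkt["payload"]), pkt["icv"]):
        return "DROP: bad ICV"          # verify first so forged packets cannot move the window
    if not sa.replay_ok(pkt["seq"]):
        return "DROP: replay"
    return "ACCEPT"


# Constructed addressing for the three ABC.org offices and the NZ gateway's SAs
NZ, US, UK = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
sa_to_uk = SA(spi=0x1001, dst="203.0.113.10", key=b"k-nz-to-uk")     # outbound, NZ -> UK
sa_from_uk = SA(spi=0x2002, dst="198.51.100.5", key=b"k-uk-to-nz")   # inbound, UK -> NZ

spd = [
    SPDEntry(ipaddress.ip_network(NZ), ipaddress.ip_network(UK), "PROTECT", sa_to_uk),
    SPDEntry(ipaddress.ip_network(NZ), ipaddress.ip_network(US), "DISCARD"),  # no US SA yet
    SPDEntry(ipaddress.ip_network(NZ), ipaddress.ip_network("0.0.0.0/0"), "BYPASS"),
]
sad = {(sa_from_uk.spi, sa_from_uk.dst, sa_from_uk.proto): sa_from_uk}

if __name__ == "__main__":
    print(outbound_policy(spd, "10.1.5.5", "10.3.7.7"))   # ('PROTECT', 4097)
    pkt = make_esp(sa_from_uk, 1, b"inner packet")
    print(process_inbound(sad, pkt), process_inbound(sad, pkt))   # ACCEPT DROP: replay
```

The order of checks in `process_inbound` matters: the ICV is verified before the replay window is consulted, so an attacker who cannot forge the ICV cannot advance the window and cause genuine in-flight packets to be discarded. The SPD is ordered most specific first, and the final catch-all decides what happens to plain internet traffic that never enters the tunnel.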

Problems with IPsec

In some cases direct end-to-end communication (transport mode) is not possible, for example when a host sits behind a NAT or a gateway must protect traffic for many hosts at once. One of the biggest drawbacks of IPsec is its complexity. While IPsec's flexibility has contributed to its popularity, it also leads to confusion and has led security experts to state that "IPsec contains too many options and too much flexibility".

IPsec provides the most commonly needed security services: origin authentication, integrity, confidentiality and anti-replay protection. (It does not provide non-repudiation: its integrity checks use symmetric keys that both ends hold.) Its major drawbacks are its complexity and the confusing nature of its documentation. In spite of these drawbacks, IPsec is widely regarded as one of the best network-layer security systems available, and when configured with current algorithms it provides strong confidentiality and integrity for the organisation's inter-site traffic.

NAT ROUTER

Network Address Translation (NAT) was designed for IP address conservation. NAT operates on a router, usually one connecting two networks, and translates the private (not globally unique) addresses of the internal network into globally routable addresses before packets are forwarded to the other network.

NAT provides the following benefits:

  • Public IP address space is saved, because many hosts reach the internet through a single public IP address (or a small pool of them).
  • Private IP address ranges can be reused at every site.
  • Internal addresses are hidden from external networks. This is a side effect rather than a security control: NAT does not inspect or filter traffic, so the organisation's firewalls must still enforce policy.

The most popular NAT configuration, overloading, is a form of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by giving each connection a different translated source port. It is also known as Port Address Translation (PAT).

There are three types of NAT:

  • Static NAT: a single private IP address is mapped one-to-one to a single public IP address.
  • Dynamic NAT: multiple private IP addresses are mapped to a pool of public IP addresses, with a public address assigned on demand.
  • Port Address Translation (PAT): many private addresses share one public address, distinguished by the translated source port (overloading, as above).

Disadvantages of NAT

  • NAT consumes processor and memory on the router, because it must rewrite addresses (and, for PAT, ports and transport checksums) in every IPv4 datagram in both directions and keep the translation table in memory.
  • The added per-packet work adds latency, which is a problem for real-time protocols.
  • NAT breaks protocols that carry or authenticate IP addresses. This is the key interaction with IPsec: AH's integrity check covers the IP source address, so an AH packet that crosses a NAT fails verification and is dropped, and raw ESP (IP protocol 50) carries no port numbers for PAT to translate. The standard fix is NAT Traversal (NAT-T, RFC 3947/3948): IKE detects the NAT and ESP is encapsulated in UDP on port 4500, which PAT can translate like any other UDP flow. An IPsec gateway placed behind a NAT router must therefore use ESP with NAT-T, and the NAT router and perimeter firewall must pass UDP/500 and UDP/4500 to it; placing the IPsec gateway outside the NAT, or on the NAT device itself, avoids the problem entirely.
  • Hosts behind a NAT cannot receive unsolicited inbound connections unless an explicit static mapping or port forward is configured.
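The many-to-one translation and the IPsec interaction described above, as an added example that is not part of the original answer: a toy Python PAT router in front of an IPsec endpoint, showing two inside hosts sharing one public address, why an AH packet fails its integrity check after crossing the NAT, and why ESP carried inside UDP/4500 (NAT-T) passes. Addresses, ports, the shared key and the packet layout are constructed for illustration; the ICVs are HMACs over the fields each protocol actually covers.

```python
"""
Added example, not part of the original answer: a toy PAT (many-to-one NAT)
router in front of an IPsec endpoint. It shows ordinary port translation and
why AH fails after crossing the NAT while ESP inside UDP/4500 (NAT-T, RFC 3948)
survives. Addresses, ports, the shared key and the packet layout are
constructed; ICVs are HMACs over the fields each protocol actually covers.
"""
import hashlib
import hmac

SA_KEY = b"constructed-shared-sa-key"   # held by both IPsec endpoints


def ah_icv(pkt: dict) -> bytes:
    """AH integrity covers the immutable IP header fields (here src and dst) and the payload."""
    covered = f"{pkt['src']}|{pkt['dst']}|".encode() + pkt["payload"]
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: dict) -> bytes:
    """ESP integrity covers only the ESP header and payload, never the outer IP/UDP headers."""
    return hmac.new(SA_KEY, pkt["payload"], hashlib.sha256).digest()


class PatRouter:
    """Rewrites private source addresses to one public address, multiplexing on source port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (priv_ip, priv_port, dst, dport) -> translated source port
        self.reverse = {}    # translated source port -> (priv_ip, priv_port)

    def outbound(self, pkt: dict) -> dict:
        out = dict(pkt, src=self.public_ip)
        if "sport" in pkt:                     # TCP/UDP: allocate a port for this flow
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if key not in self.table:
                self.table[key] = self.next_port
                self.reverse[self.next_port] = (pkt["src"], pkt["sport"])
                self.next_port += 1
            out["sport"] = self.table[key]
        # Raw AH/ESP (IP protocol 51/50) has no ports: the router can only rewrite the
        # source address and cannot tell two inside hosts' replies apart.
        return out

    def inbound(self, pkt: dict):
        mapping = self.reverse.get(pkt.get("dport"))
        if mapping is None or pkt["dst"] != self.public_ip:
            return None                         # unsolicited inbound: no mapping, dropped
        return dict(pkt, dst=mapping[0], dport=mapping[1])


def receive_ah(pkt: dict) -> bool:
    """Receiving gateway recomputes the AH ICV over the headers it actually sees."""
    return hmac.compare_digest(ah_icv(pkt), pkt["icv"])


def receive_esp_natt(pkt: dict) -> bool:
    """NAT-T receiver: ESP arrives inside UDP/4500; strip UDP and verify the ESP ICV."""
    return pkt.get("dport") == 4500 and hmac.compare_digest(esp_icv(pkt), pkt["icv"])


def ah_survives_nat(router: PatRouter) -> bool:
    pkt = {"src": "10.1.0.7", "dst": "203.0.113.10", "proto": 51, "payload": b"inner"}
    pkt["icv"] = ah_icv(pkt)                    # sender signs its private source address
    return receive_ah(router.outbound(pkt))


def esp_natt_survives_nat(router: PatRouter) -> bool:
    pkt = {"src": "10.1.0.7", "sport": 4500, "dst": "203.0.113.10", "dport": 4500,
           "proto": 17, "payload": b"inner"}
    pkt["icv"] = esp_icv(pkt)
    return receive_esp_natt(router.outbound(pkt))


def two_hosts_share_one_address(router: PatRouter):
    """Two inside hosts with the same source port reach one server; replies are demultiplexed."""
    a = router.outbound({"src": "10.1.0.7", "sport": 51000, "dst": "198.51.100.5",
                         "dport": 443, "proto": 6})
    b = router.outbound({"src": "10.1.0.8", "sport": 51000, "dst": "198.51.100.5",
                         "dport": 443, "proto": 6})
    reply = router.inbound({"src": "198.51.100.5", "sport": 443, "dst": router.public_ip,
                            "dport": b["sport"], "proto": 6})
    return a["src"] == b["src"], a["sport"] != b["sport"], reply["dst"] == "10.1.0.8"


if __name__ == "__main__":
    r = PatRouter("192.0.2.1")
    print("AH across NAT verifies:", ah_survives_nat(r))                # False
    print("ESP/NAT-T across NAT verifies:", esp_natt_survives_nat(r))   # True
```

The receiving gateway never sees the private source address that the AH sender signed, so the mismatch is inherent and no NAT "passthrough" feature can repair it. ESP's ICV excludes the outer headers by design, and wrapping it in UDP gives PAT a port to rewrite, which is exactly the NAT-T arrangement the organisation needs wherever an IPsec gateway sits behind a NAT router.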

personal firewall (desktop firewall)

A personal firewall (sometimes called a desktop firewall) is a software application used to protect a single Internet-connected computer from intruders. Personal firewall protection is especially useful for users with "always-on" connections such as DSL or cable modem.

When most people think of firewalls, they think of an ironclad wall that stops viruses, malware and attackers. Realistically, a personal firewall only filters connections to and from one host. It does not replace the organisation's network firewalls at each site's perimeter or the IPsec gateway, and it cannot inspect traffic that is still encrypted inside the tunnel; the site firewalls and the host firewalls complement each other.

A personal firewall differs from a conventional firewall in scale. A personal firewall usually protects only the computer on which it is installed, whereas a conventional firewall is normally installed on a designated interface between two or more networks, such as a router or proxy server. Hence a personal firewall lets a security policy be defined for an individual computer (typically per program as well as per port), whereas a conventional firewall controls the policy between the networks that it connects.
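The per-computer, per-program policy described above, as an added example that is not code from the original answer or from any product named on this page: a toy Python personal firewall whose rules are keyed on the local program as well as direction, protocol and port, and which tracks the flows the host opened so that only replies to them are admitted inbound. The program names, ports and addresses are constructed; the rule set is what a VPN client laptop in this scenario needs (IKE on UDP/500 and NAT-T on UDP/4500 from the VPN client only), with everything else denied.

```python
"""
Added example, not part of the original answer or of any product named on this
page: a toy personal (host) firewall. Rules match on the local program as well
as direction, protocol and port, which is the dimension a network firewall
between sites cannot see, and outbound flows are tracked so only their replies
are admitted inbound. Program names, ports and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    program: Optional[str]   # None matches any program
    direction: str           # "out" or "in"
    proto: str               # "tcp" or "udp"
    port: Optional[int]      # remote port for "out", local port for "in"; None matches any
    action: str              # "allow" or "deny"


class PersonalFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # (proto, local_port, remote_ip, remote_port) opened by this host

    def evaluate(self, pkt: dict) -> str:
        """pkt keys: program, direction, proto, local_port, remote_ip, remote_port."""
        flow = (pkt["proto"], pkt["local_port"], pkt["remote_ip"], pkt["remote_port"])
        if pkt["direction"] == "in" and flow in self.flows:
            return "allow"                              # stateful: reply to our own flow
        port = pkt["remote_port"] if pkt["direction"] == "out" else pkt["local_port"]
        for r in self.rules:                            # first matching rule wins
            if r.direction != pkt["direction"] or r.proto != pkt["proto"]:
                continue
            if r.program is not None and r.program != pkt["program"]:
                continue
            if r.port is not None and r.port != port:
                continue
            if r.action == "allow" and pkt["direction"] == "out":
                self.flows.add(flow)                    # remember so replies get in
            return r.action
        return "deny"                                   # default deny, both directions


# Constructed policy for an ABC.org laptop running the IPsec VPN client:
# only the VPN client may speak IKE (UDP/500) and NAT-T (UDP/4500), the browser may
# use HTTP/HTTPS, SMB to anywhere is blocked, and no unsolicited inbound is accepted.
VPN_HOST_POLICY = [
    Rule(None, "out", "tcp", 445, "deny"),
    Rule("vpn-client", "out", "udp", 500, "allow"),
    Rule("vpn-client", "out", "udp", 4500, "allow"),
    Rule("browser", "out", "tcp", 443, "allow"),
    Rule("browser", "out", "tcp", 80, "allow"),
]


def decide(fw: PersonalFirewall, program, direction, proto,
           local_port, remote_ip, remote_port) -> str:
    return fw.evaluate({"program": program, "direction": direction, "proto": proto,
                        "local_port": local_port, "remote_ip": remote_ip,
                        "remote_port": remote_port})


if __name__ == "__main__":
    fw = PersonalFirewall(VPN_HOST_POLICY)
    print(decide(fw, "vpn-client", "out", "udp", 4500, "203.0.113.10", 4500))   # allow
    print(decide(fw, "vpn-client", "in", "udp", 4500, "203.0.113.10", 4500))    # allow (reply)
    print(decide(fw, "updater.exe", "out", "udp", 4500, "198.51.100.9", 4500))  # deny
    print(decide(fw, "sshd", "in", "tcp", 22, "198.51.100.9", 40000))           # deny
```

The program dimension is the point: a perimeter firewall sees only addresses and ports, so it cannot tell the legitimate VPN client from an unrelated process sending UDP/4500 to some other host. The host firewall can, and it also closes the unsolicited-inbound gap for laptops that are outside the NAT router's protection when travelling.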

Features of personal firewall

  • Standard and custom protection levels  
  • Smart Advice
  • Management of Internet access for programs
  • Gaming protection
  • HackerWatch information integration
  • PC startup protection
  • System service port control
  • Management of PC connections
  • Personal Firewall Lockdown
  • Personal data protection
  • Intrusion prevention
  • Sophisticated traffic analysis

Among commercial personal firewalls, McAfee Firewall, Norton Personal Firewall and ZoneAlarm Pro are feature-rich and integrate well with antivirus and privacy tools; McAfee Firewall is generally the easiest to use. No product is "the most secure" independent of how it is configured, and current Windows, macOS and Linux systems also ship a built-in host firewall that can enforce the same kind of per-host policy.

