Virtual Private Network (VPN) Certification:



  1. White Paper, September 2007

     Virtual Private Network (VPN) Certification: iBAHN® Keeps Mobile Workers Productive and Secure

     “iBAHN’s VPN certification program has improved my hotel’s ability to work with large corporate customers, like Lockheed-Martin. Now when they schedule corporate events and travelers at my hotel, I can be sure that the HSIA service will be secure, and will work flawlessly for them.”
     – Lon Breedlove, General Manager, Residence Inn by Marriott, Minneapolis-St. Paul Airport (Eagen)
  2. What Is a Virtual Private Network (VPN)?

     With an ever-increasing mobile workforce, organizations have had to provide a method for secure connections to enterprise networks for traveling or mobile workers. That is the purpose of a VPN: giving mobile or traveling workers secure access to network resources over the Internet or other networks. While VPNs function over public networks, they “inherit” the characteristics of the private corporate network, thus the “Virtual” Private Network. At its most basic definition, a virtual private network is an extension of a private corporate or organizational network that aggregates links across shared or public networks like the Internet. With a VPN, you can send information between two computers across the Internet that mimics the traditional home network point-to-point private link. VPNs use tunneling, encryption, authentication, and access control to establish and maintain a secure connection.

     Why Should You Care?

     In a recent survey of business travelers performed by FGI Research, nearly 50% of the respondents admitted to using public, open Wi-Fi networks in locations such as parks, coffee shops, and hotels[i]. These locations are typically using non-secure network services, thus exposing the business traveler to malicious attacks both on their data transmissions and on the data stored on their laptop hard drive. Interestingly, 86% of these same respondents ranked public Wi-Fi hotspots as extremely insecure to fairly insecure, indicating they are aware of the lack of security, yet will still use the service. How then, can companies protect their mobile workers and help them to stay productive, while using open Wi-Fi networks? The answer: Providing Virtual Private Networks.

     Being productive is driven by several factors; among those factors are security and ease of use. If a mobile worker is unable to find a way to connect to his or her corporate or organizational network securely, work that could get done while traveling has to wait. And, if it is simply too difficult to gain and maintain a secure connection, workers are unable to perform critical tasks and to stay in touch easily with the corporate enterprise.

     While the ability to be productive is a critical issue to the vast majority of traveling or mobile workers, security is almost equally important. In the same survey, respondents revealed that 39% of them had been the victim of malicious attacks, including viruses, data theft and malware while traveling on business, and 43% while on personal trips.

     Why Does VPN Certification Matter?

     Many hospitality broadband service providers have taken the time to check standard VPN configurations to ensure they will generally work on their networks. Leading providers, like iBAHN, have taken additional steps to set up certification programs for specific corporation configurations, to ensure their seamless operation.

     There are literally thousands of combinations of software, hardware, chipsets and configurations for all those business travelers’ devices — and there is no “one size fits all” VPN solution. There is simply no way for any network provider to consider all of the combinations and configurations that might occur. The iBAHN VPN certification program is unique in addressing the major challenge faced by business travelers — VPN configurations that will not easily connect through the hotel network.

     Lack of sufficient IP addresses — another key issue — is also solved by the iBAHN patented private network. VPN access requires a discrete IP address for each user. Many connectivity providers to hotels can only allocate a few discrete IP addresses at each individual property; thus users can be “locked out” of their corporate VPNs, and unable to complete the work they need to do. Because
  3. iBAHN owns its managed network, the company is able to provide a virtually unlimited pool of IP addresses to assign. The result: employees remain productive, and critical corporate data remains secure.

     It is not good enough to be compliant with standard VPN configurations. A true VPN certification process for corporate networks includes a thorough understanding of the corporation’s specific and unique VPN configuration and how that setup relates to the iBAHN network. Once a company’s VPN is certified, its business travelers and mobile workers are ensured the highest level of reliable connectivity, security, and ease of use at all iBAHN-enabled hotels.

     What Kind of VPN Should You Consider?

     The landscape of VPN products and services offered by a wide variety of vendors continues to evolve. Typically VPN usage falls into two broad categories, Remote access and Site-to-Site access. Each has its own features, benefits and issues.

     • Remote Access - This is a user-to-LAN connection used by companies where employees must connect to the enterprise network from remote locations, such as an office at home over a broadband connection or a road warrior over a broadband connection. A good example of a company that needs a remote-access VPN would be a large firm with many sales people in the field. Remote access VPNs permit secure, encrypted connections between a company’s private network and remote users through a third-party service provider.
     • Site-to-Site Access - Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased-lines. Site-to-site VPNs can be further categorized into intranets or extranets. A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.

     VPN Technologies: What Does it All Mean?

     Internet Protocol Security (IPSec)

     Internet Protocol Security Protocol (IPSec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPSec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.

     Advantages:
     • Very secure – good encryption and authentication
     • Supports a wide variety of encryption algorithms

     Disadvantages:
     • More difficult to set up
     • Requires some type of client
     • Various vendors have different ways of implementing
     • Doesn’t work well with PAT

     Uses ISAKMP (udp 500 or tcp 500) for key exchange. IP protocol 50 (ESP) is then used for data transport.

     For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user’s PC. IPSec supports various encryption algorithms such as 56-bit (single-DES) and 168-bit (triple-DES) encryption.
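The IPSec section above names ISAKMP on port 500 and IP protocol 50 (ESP) and notes that IPSec does not work well with PAT. The following is an added example, not part of the white paper: it parses raw IPv4 packets and shows that ESP exposes no port fields for a port-translating device to rewrite. The packet bytes, addresses and function names are constructed for illustration.

```python
import struct

ISAKMP_PORT = 500                          # key-exchange port named in the text
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50

def classify_ipsec(packet: bytes) -> dict:
    """Classify one raw IPv4 packet as ISAKMP, ESP or other traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # header length, IP options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, payload = packet[9], packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        kind = "isakmp" if ISAKMP_PORT in (sport, dport) else "other"
        # Port fields exist, so a PAT device has something to rewrite.
        return {"kind": kind, "ports": (sport, dport), "has_ports": True}
    if proto == PROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        # ESP carries only an SPI and a sequence number in clear: no ports.
        return {"kind": "esp", "spi": spi, "seq": seq, "has_ports": False}
    return {"kind": "other", "has_ports": False}

def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return header + options + payload

# Constructed samples: an ISAKMP datagram and an ESP packet behind 4 option bytes.
ISAKMP_PACKET = ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 12, 0) + b"\x00" * 4)
ESP_PACKET = ipv4(PROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 16,
                  options=b"\x01\x01\x01\x01")

if __name__ == "__main__":
    for name, pkt in (("isakmp", ISAKMP_PACKET), ("esp", ESP_PACKET)):
        print(name, classify_ipsec(pkt))
```

Run against a capture from the guest network, the same classification shows whether both the key exchange and the ESP data flow are getting through.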
  4. Point-To-Point Tunneling Protocol (PPTP)

     Advantages:
     • Easy to set up – included with every Windows OS
     • Provides “reasonable” security

     Disadvantages:
     • Authentication uses weak algorithms – some versions of PPTP can leak user’s password
     • Some encrypted data can be unencrypted by a third party with reasonable effort
     • Easier to pass through PAT, but still has problems in many cases

     Security Problems:
     • password hashing – weak algorithms allow eavesdroppers to learn the user’s password
     • Challenge/Reply Authentication Protocol – a design flaw allows an attacker to masquerade as the server
     • encryption – implementation mistakes allow encrypted data to be recovered
     • encryption key – common passwords yield breakable keys, even for 128-bit encryption
     • control channel – unauthenticated messages let attackers crash PPTP servers

     Uses TCP port 1723 for connection negotiation and IP protocol 47 (GRE) for data transport.

     MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption.

     This protocol is still vulnerable to offline password-guessing attacks from hacker tools.

     Secure Socket Layer (SSL)

     One of the newest technologies in the VPN marketplace is called an SSL VPN. Some companies prefer Secure Sockets Layer (SSL) to the traditional IPSec enterprise VPN technology. One of the many benefits of an SSL VPN over traditional technologies is the flexibility inherent in initial user setup. SSL VPNs have also been cited as easier to connect over remote networks, and also do not require client side software to run.

     There are several immediate advantages to Secure Socket Layer VPNs, including:
     • It will be a clientless VPN, making set-up and use easier
     • It will provide application layer security for its users
     • Because it is a higher level of security for users, it will provide increased protection when using insecure public networks

     There are, however, some immediate disadvantages, including:
     • An SSL VPN will require a significant amount of time in administrative set-up
     • Applications that can be used may be limited to those available on the VPN concentrator.

     In Summary

     It is increasingly clear in our digital world that business travelers face a unique set of challenges in working productively and safely while on the road. The implementation of a VPN, and subsequent certification, will help to ensure that mobile workers can continue to do their work via secure, easy-to-use connections provided by iBAHN.
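The MPPE note in the PPTP section says that unique keys in each direction prevent XORing the two streams together to remove the encryption. The following is an added example, not part of the white paper: it shows that property with RC4, the stream cipher MPPE is built on. The key derivation, session key and sample traffic are constructed for illustration and are not MPPE's own.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                        # keystream generation + XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def direction_keys(master: bytes) -> tuple:
    """Hypothetical per-direction derivation (not MPPE's real one)."""
    return (hashlib.sha256(master + b"send").digest()[:16],
            hashlib.sha256(master + b"recv").digest()[:16])

def leaks_plaintext_xor(key_up: bytes, key_down: bytes, up: bytes, down: bytes) -> bool:
    """True when XORing the two ciphertext streams cancels the keystream."""
    return xor(rc4(key_up, up), rc4(key_down, down)) == xor(up, down)

# Constructed sample traffic and session key.
MASTER = b"constructed-session-key"
UPSTREAM = b"GET /payroll/q3.xls HTTP/1.0"
DOWNSTREAM = b"HTTP/1.0 200 OK\r\nServer: demo"

if __name__ == "__main__":
    up_key, down_key = direction_keys(MASTER)
    print("same key both ways leaks:",
          leaks_plaintext_xor(MASTER, MASTER, UPSTREAM, DOWNSTREAM))
    print("per-direction keys leak: ",
          leaks_plaintext_xor(up_key, down_key, UPSTREAM, DOWNSTREAM))
```

With one key for both directions the keystream cancels, so the XOR of the two ciphertexts equals the XOR of the two plaintexts and any known text on one side reveals the other; with distinct keys it does not.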
  5. iBAHN applies additional measures to its managed network services to ensure the highest levels of security for mobile travelers staying at iBAHN-enabled hotels and conference centers.

     • iBAHN secures the wired and wireless systems access ports so that all user traffic is directed to the iBAHN security systems located at the hotel and on iBAHN’s network POPs (points of presence).
     • iBAHN secures the wired and wireless systems so that a user may not “see” other users or devices on the system.
     • iBAHN builds in multiple layers of firewalls to prevent unwanted snooping.
     • iBAHN runs a private network to prevent unauthorized snooping or phishing, spamming, and virus-laden email messages.
     • iBAHN uses only private IP addresses which means no person outside can “see” the computers of users on the network.

     About iBAHN

     • Founded in 1998
     • Manages secure IP network services in 22 countries worldwide
     • Services 2,200 hotels and meeting centers in nearly 300,000 guestrooms
     • Manages 1,000+ wireless “hot spots”
     • Manages Internet services for 50,000 meetings/conferences in 9.5 million square feet of meeting space worldwide
     • Partners with industry giants (Cisco, Verizon Business, HP, and others)
     • Provides fully managed and secure private network services

     For a complete list of hotels and conference centers that have iBAHN proprietary managed network services, please visit

     Contact Us

     For more information on the contents of this paper or the exclusive iBAHN VPN Certification program, please contact:

     Carl Berg
     VPN Certification Manager
     801.563.2261

     iBAHN Corporate Headquarters
     10757 South River Front Parkway, Suite 300
     Salt Lake City, UT 84095
     For general inquiries, call 801.563.2000.

     Disclaimer: The contents of this White Paper are meant for informational purposes only and are not meant to take the place of technical VPN design and implementation consulting services on the enterprise level. For such services, it is recommended that you consult with IT professionals in that field.

     References

     [i] “US Hotel Property Satisfaction and Loyalty,” a study conducted by FGI Research, 2006.

     Copyright © 2007 iBAHN Inc. or its affiliated companies. All rights reserved. iBAHN and the iBAHN logo are either registered trademarks or trademarks of iBAHN or its affiliated companies in the United States and/or other countries. Other names or brands may be claimed as the property of others.