Tunnel Into Your Network With VPN

Networking On The Road 
August 2006 • Vol.10 Issue 5 
Page(s) 102-105 in print issue


Take Your Office With You 
Before the Internet and broadband technology came along, companies had to pay lots of money for private communications between remote computers and their corporate networks. Today, VPNs (virtual private networks) use the power of the Internet and security technologies to protect sensitive information. Thanks to VPN technology, if you telecommute or travel, you can access your company’s network from home or while on the road (whether you want to or not!). And as VPN technology spreads to more types of network devices, you can even access some small or home-based networks remotely. 

Traditionally, larger companies have been the main users of VPN technologies. With a VPN connection, remote workers can securely log on to a corporate network. VPNs also allow secure network-to-network connectivity, such as a branch office network securely communicating with a main office network. 

With the increasing use of high-speed Internet connectivity and new low-cost, entry-level VPN devices, VPNs have become more practical for SOHO (small office/home office) users. In this article, we take a closer look at VPNs and how SOHOs can use them. 

Is A VPN Right For You?
A VPN makes sense for SOHOs with mobile employees who regularly need access to the company network from remote locations. Also, if you are frequently away from your home office and need secure access to your home network, a VPN can help you get into your network anytime, day or night. 

A VPN can include both monetary and productivity costs. If you have a typical small network with a router or wireless AP (access point) connecting several PCs, you will likely need to purchase additional VPN equipment. Depending on how it’s configured and the equipment you choose, a VPN can slow down your network’s performance. And working on your network over a VPN connection is definitely slower than working directly on the network. 

How It Works 

A VPN creates a private, secure “tunnel” from one endpoint to another. In one configuration, a remote user’s notebook computer connects to a network gateway (client to gateway). A network gateway is a designated entry point into a network, such as a router, firewall, or wireless AP. In the other configuration, a network gateway in one location connects to a network gateway in another location (gateway to gateway). This article focuses on the client-to-gateway scenario for mobile, remote access to your SOHO network. 
To create the secure tunnel, a VPN combines technologies that provide encryption, authentication, and data integrity. Encryption makes information unreadable to unauthorized users by converting it to cipher text. Authentication ensures that each end of the tunnel is who it claims to be: a user proves identity with a username and password, and the two endpoints prove their identities to each other with a shared secret (a preshared key) or with PKI (public-key infrastructure; digital certificates that verify users and network devices). Data integrity lets the receiving end detect whether the transmitted information was altered in transit, so a tampered packet is discarded rather than trusted. 

The common protocols (rules of communication between computer systems) for VPN connections are PPTP (Point-to-Point Tunneling Protocol), L2F (Layer 2 Forwarding) protocol, and L2TP (Layer 2 Tunneling Protocol). PPTP is the easiest to set up because nearly every Windows PC includes a client, but its MS-CHAP authentication and MPPE encryption have well-documented weaknesses, so L2TP is generally the recommended protocol for remote access directly to a VPN gateway on a network. Less common are VPNs built on the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) security protocols, also known as Web VPNs. This newer type of implementation has not yet trickled down to the SOHO market. 

L2TP by itself only carries the tunneled traffic; it does not encrypt it. That is why L2TP is normally protected by IPsec (Internet Protocol security), a collection of security protocols defined by the IETF (Internet Engineering Task Force; www.ietf.org). IPsec supplies the encryption, authentication, and data integrity that secure the data transmissions. Because the IPsec layer is what actually protects the data, the L2TP/IPsec combination is the best choice of the protocols above if you are implementing a VPN for remote user access to a network. 
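To make the three services concrete, here is an added Python sketch (not code from the article, and not how any product mentioned here is built) that models what IPsec’s ESP does to each packet: encrypt the payload, append an integrity check value (ESP uses HMAC-SHA1 or HMAC-MD5, truncated to 96 bits), and number each packet so replays can be rejected. The keystream “cipher” is a stand-in for 3DES or AES and must never be used for real traffic; the HMAC check and the replay window are the point. Keys, the window size and the sample payload are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example, not code from the article: a toy model of what IPsec ESP does
# to every packet, so encryption, integrity and anti-replay can be seen as
# separate steps. The keystream "cipher" is a stand-in for 3DES/AES and must
# never be used for real traffic; the HMAC and the replay window are the point.

ENC_KEY = b"constructed-encryption-key"   # constructed; real keys are negotiated by IKE
MAC_KEY = b"constructed-integrity-key"
ICV_LEN = 12      # ESP truncates HMAC-SHA1 to 96 bits (HMAC-SHA1-96)
WINDOW = 64       # anti-replay window; RFC 4303 recommends 64 as the default


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy keystream derived from SHA-1(key || seq || counter). Not a real cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha1(key + struct.pack(">II", seq, block)).digest()
        block += 1
    return bytes(out[:length])


def protect(seq: int, payload: bytes, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY) -> bytes:
    """Sender: seq || ciphertext || ICV. The ICV (HMAC) covers seq and ciphertext."""
    ks = _keystream(enc_key, seq, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    body = struct.pack(">I", seq) + ciphertext
    icv = hmac.new(mac_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    """Receiver: check the ICV, then the replay window, and only then decrypt."""

    def __init__(self, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.highest_seq = 0
        self.bitmap = 0     # bit i set => sequence number (highest_seq - i) already received

    def _accept_seq(self, seq: int) -> bool:
        if seq > self.highest_seq:            # newest packet so far: slide the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) & ((1 << WINDOW) - 1)) | 1
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                      # too old, or already seen
        self.bitmap |= 1 << diff
        return True

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 4 + ICV_LEN:
            raise ValueError("packet too short")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            raise ValueError("integrity check failed: packet altered or wrong key")
        seq = struct.unpack(">I", body[:4])[0]
        if not self._accept_seq(seq):
            raise ValueError(f"replayed or stale packet (seq {seq})")
        ciphertext = body[4:]
        ks = _keystream(self.enc_key, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> tuple:
    """A good packet, the same packet with one ciphertext bit flipped, and a replay."""
    rx = Receiver()
    pkt = protect(1, b"GET /payroll.xls")     # constructed sample payload
    plaintext = rx.unprotect(pkt)
    altered = bytearray(pkt)
    altered[6] ^= 0x01                        # flip one bit inside the ciphertext
    try:
        rx.unprotect(bytes(altered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        rx.unprotect(pkt)                     # the valid packet a second time
        replay_detected = False
    except ValueError:
        replay_detected = True
    return plaintext, tamper_detected, replay_detected


if __name__ == "__main__":
    print(demo())
```

Two details carry over to real IPsec: the integrity check is verified before anything is decrypted, so a forged or corrupted packet costs the receiver almost nothing, and the comparison is constant-time so an attacker cannot learn the correct check value byte by byte from timing.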

What You Need 

To implement a VPN, you need two endpoints with VPN capabilities. One end is the VPN gateway. The other end can be another VPN gateway to bridge two networks, or it can be a client in the form of a notebook or laptop PC for remote access to the network when you’re telecommuting or traveling (the focus of this article). 

For practical purposes, you also need an always-on broadband Internet connection for your network. A dial-up connection is too slow and is not continuously available. 

Gateway. For a SOHO scenario, the easiest method of providing VPN access to your network is a gateway device, such as a router or firewall. Because firewalls already have numerous built-in security features, they are the most common method of implementation. 

Although VPN endpoint support is included in some SOHO network equipment, it is not a common feature. If your network already has a firewall device or router, the device probably does not include VPN endpoint capabilities. Note that if you check the device’s specs, you may see VPN pass-through listed as a feature. VPN pass-through means that the device lets VPN traffic from a client inside your network reach a gateway somewhere else (for example, a notebook on your LAN connecting to a corporate VPN). It does not mean the device can terminate tunnels itself, which is what you need in order to offer VPN access to remote users.
Examples of VPN gateway devices for the SOHO market include: 

• NETGEAR FVG318 ProSafe 802.11g Wireless VPN Firewall 8 ($179.99; www.netgear.com) 
• NETGEAR FVS318 Cable/DSL (digital subscriber line) ProSafe VPN Firewall ($129.99) 
• D-Link Express EtherNetwork VPN Router DI-804HV ($59.99; www.dlink.com) 
• D-Link DI-824VUP AirPlus XtremeG Wireless 802.11g VPN router ($159.99) 
• SonicWALL TZ 150 Wireless ($429; www.sonicwall.com)
All of these devices include a router, firewall, and Ethernet connections for PCs and other network devices. The wireless devices also include an 802.11g wireless AP. For VPN connections, they feature support for IPsec, L2TP, and multiple simultaneous tunnels so that more than one remote user can establish a VPN connection at the same time. 

The NETGEAR and D-Link devices are most appropriate for smaller operations where the remote users are logging on using a notebook or PC that you know is secure, virus-free, and known to the network. The SonicWALL TZ 150 device offers more advanced security features, including antivirus, antispyware, intrusion detection, and wireless guest services. It also comes with hardware acceleration to offload the processor-intensive encryption routines. Some of the TZ 150’s security features are purchased separately in the companion gateway software bundle ($145).
Client software. In order for a remote notebook or desktop computer to connect to the VPN gateway, it needs to be able to understand the VPN protocols. Vendor software is available to handle this, and the Windows OS (operating system) includes support for some of the VPN protocols. There are also third-party products available. 

Vendors such as NETGEAR, D-Link, and SonicWALL normally create companion client software for their VPN network devices. The software is designed to easily integrate with the vendor’s VPN devices. It may also include other features not available in the Windows OS. However, vendor client software is not free; you’ll pay $40 to $50 per copy, and you need to install it on each computer that will access the VPN. 

Windows 98/Me/2000/XP PCs come with support for the PPTP protocol. As we noted earlier, however, most VPN experts recommend using the L2TP/IPsec protocol. Only WinXP/2000 offers built-in support for L2TP/IPsec.
An example of a third-party VPN client program is SafeNet SoftRemote ($149; www.safenet-inc.com). SoftRemote is compatible with most Windows OSes, and it offers additional features such as policy management and support for smart cards. 

If you don’t need a lot of extra features and your remote computers run WinXP, you can try the built-in VPN support in WinXP. If you need additional features and want an integrated solution, the software provided by the manufacturer of your hardware VPN is the way to go. And if the hardware manufacturer’s software doesn’t provide everything you want, third-party programs are another option. 

How to Set Up An L2TP/IPsec Remote User VPN 

Configuring a remote user VPN is a three-part process. The first part of the process is configuring the VPN gateway device. Then you need to configure your remote computers to access the VPN gateway. The final step is testing the VPN connection.
Connect and configure the VPN gateway. Specific instructions for configuring your gateway device are best acquired from the documentation available from the vendor. However, a number of configuration tasks and VPN-related settings apply to most devices. 

To begin, you must connect the device to your existing network. If your current network router or wireless AP does not support VPN, you can replace it with a new VPN firewall/router similar to those we noted previously. We also assume you have a high-speed cable or DSL modem for Internet access. 

Turn off all equipment and connect the modem to the VPN firewall/router, and connect the router to the Ethernet port of the main computer (the computer that was connected to the Internet when the modem was originally installed). Plug in and turn on the modem and wait a few minutes. Next, plug in and turn on the router, and then turn on your computer. Verify the appropriate indicator lights—for example, Power, Internet, LAN (local-area network), and Wireless—are activated on the router. 

To configure the firewall/router, most vendors supply a Web-based administration tool that you access from a computer connected to the device. When you open the Web browser on that computer, the configuration screen may automatically display. If not, refer to the documentation from the device vendor and enter the appropriate Web address in your browser to access the router’s configuration screen. Follow the vendor’s instructions for logging into the device’s administration tool. Configuring the device entails more than VPN settings; however, we’ll focus on VPN-related tasks here. 

Defining the VPN information involves creating a security profile for both endpoints of the VPN connection. You will create a security profile for the VPN firewall (gateway) device and the VPN client, so that each endpoint can identify the other. The VPNC (Virtual Private Network Consortium) recommends specific settings for certain parameters, as seen in the chart, “VPN Settings.” 

The VPNC (Virtual Private Network Consortium)-recommended settings provide the best security for most systems. However, there are performance tradeoffs. For example, 3DES (triple DES; a cipher for encrypting information) is slower but far more secure than DES (Data Encryption Standard), whose 56-bit key can now be recovered by brute force; do not select DES where 3DES (or AES, if your device offers it) is available. Likewise, SHA-1 (Secure Hash Algorithm-1; the hash function used with HMAC to verify that data has not been altered) is slower but more secure than MD5 (Message Digest 5; an older hash function used the same way). Also note that the settings in the chart are not all-inclusive, and your VPN configuration will contain additional parameters, such as the Diffie-Hellman group and the key lifetimes for each phase of the negotiation; these must also match on both ends. 

Depending on how your VPN firewall/router manufacturer handles configuration settings, you may also need to consider whether your home network connects to the Internet with a dynamic IP (Internet Protocol) address. ISPs (Internet service providers) generally do not assign a single, static IP address to your network for Internet access. Instead, the IP address changes periodically (a dynamic IP). This becomes an issue when a remote user wants to connect to the network through the VPN, because the client has to be told where the gateway is, and a gateway whose address keeps changing cannot be entered as a fixed IP address. 

Vendors recommend different methods to handle dynamic IP addressing. You can use a dynamic DNS (Domain Name System) service to assign a domain name to your VPN firewall; the remote client then connects to the name, and the service keeps the name pointing at your gateway’s current address. Service providers include www.tzo.com and www.dynDNS.org, and the assigned name will be something like mycompany.tzo.com or myname.tzo.com. Many VPN routers include a built-in dynamic DNS client that reports each new address to the service automatically; if yours does not, the service’s update program can run on a PC inside the network. Different devices handle dynamic IP addressing in different ways, so it’s best to refer to the product documentation for recommendations. 
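To show what such an update client actually does, the following Python example (added here; it is not code from the article, from TZO, from DynDNS or from any router vendor) implements the client side of the widely copied DynDNS update protocol: an HTTP GET to /nic/update with HTTP basic authentication, and a one-word reply such as good, nochg, badauth or 911. The hostname, credentials and addresses are constructed placeholders, and the logic deliberately refuses to re-send an unchanged address or to keep retrying after a fatal reply, because services block clients that do.

```python
import base64
import http.client
import ipaddress
from urllib.parse import urlencode

# Added example, not part of the article: the client side of a dynamic DNS
# updater, modelled on the DynDNS update protocol (GET /nic/update with HTTP
# basic authentication) that most routers and update programs speak. The
# hostname, credentials and addresses below are constructed placeholders.

UPDATE_HOST = "members.dyndns.org"                        # DynDNS endpoint; other providers differ
USER_AGENT = "soho-ddns-example/1.0 admin@example.com"   # providers require a descriptive agent string

OK_STATUSES = {"good", "nochg"}
FATAL_STATUSES = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent", "!donator"}
TEMPORARY_STATUSES = {"dnserr", "911"}
RETRY_DELAY = 30 * 60                                     # seconds to wait after a temporary error


def build_update_request(hostname: str, new_ip: str, username: str, password: str):
    """Return (path, headers) for one update; the caller sends it over HTTPS."""
    ipaddress.IPv4Address(new_ip)              # refuse to publish garbage as an address
    path = "/nic/update?" + urlencode({"hostname": hostname, "myip": new_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Host": UPDATE_HOST, "Authorization": f"Basic {token}", "User-Agent": USER_AGENT}
    return path, headers


def parse_response(body: str):
    """'good 203.0.113.7' -> ('good', '203.0.113.7'); 'badauth' -> ('badauth', None)."""
    parts = body.strip().split()
    if not parts:
        raise ValueError("empty response from update server")
    status = parts[0]
    ip = parts[1] if status in OK_STATUSES and len(parts) > 1 else None
    return status, ip


class Updater:
    """Keeps state so the client only sends an update when it really must."""

    def __init__(self, hostname: str, username: str, password: str):
        self.hostname, self.username, self.password = hostname, username, password
        self.last_ip = None          # address the service last confirmed
        self.retry_after = 0.0       # earliest time (epoch seconds) for the next attempt
        self.blocked = False         # set on fatal errors; a person has to fix the account

    def plan(self, current_ip: str, now: float) -> str:
        """Return 'update', 'skip' or 'blocked' for the current WAN address."""
        if self.blocked:
            return "blocked"
        if now < self.retry_after or current_ip == self.last_ip:
            return "skip"            # re-sending an unchanged address is treated as abuse
        return "update"

    def record(self, body: str, sent_ip: str, now: float) -> str:
        """Feed the server's reply back in and adjust state accordingly."""
        status, ip = parse_response(body)
        if status in OK_STATUSES:
            self.last_ip = ip or sent_ip
        elif status in FATAL_STATUSES:
            self.blocked = True      # wrong password, wrong hostname, or we were rate-limited
        elif status in TEMPORARY_STATUSES:
            self.retry_after = now + RETRY_DELAY
        else:
            raise ValueError(f"unknown status {status!r}")
        return status

    def send(self, current_ip: str) -> str:
        """Perform a real update over HTTPS (needs network; not used in the demo below)."""
        path, headers = build_update_request(self.hostname, current_ip, self.username, self.password)
        conn = http.client.HTTPSConnection(UPDATE_HOST, timeout=15)
        conn.request("GET", path, headers=headers)
        body = conn.getresponse().read().decode()
        conn.close()
        return body


if __name__ == "__main__":
    # Offline dry run with a constructed reply instead of a live server.
    u = Updater("mycompany.dyndns.org", "user", "pw")
    print(u.plan("203.0.113.7", now=0))                          # update
    print(u.record("good 203.0.113.7", "203.0.113.7", now=0))   # good
    print(u.plan("203.0.113.7", now=60))                         # skip
```

In practice the WAN address comes from the router’s status page or from an external “what is my IP” lookup, never from the PC’s own LAN address, and the update should go over HTTPS because the request carries the account password.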

A remote computer’s VPN client software will need the gateway’s security profile so that the remote computer can connect to the VPN gateway. Before you configure your remote computer, note the following information from the VPN gateway configuration: 

• Preshared key 
• VPN tunnel/connection name 
• VPN gateway’s public (WAN) IP address, or its dynamic DNS name 
• LAN network address and subnet mask (the address range behind the gateway that the tunnel will carry) 


You’ll also need the information you entered for the parameters noted in the VPN Settings chart. 

Configure the remote computer. If you’re using a vendor-supplied or third-party VPN client software program, follow the product documentation to enter the security profile information for the VPN gateway.

If you want to try using WinXP to connect to the VPN, click Start, Control Panel, and Network And Internet Connections. Click Create A Connection To The Network At Your Workplace in the Pick A Task section to display the Network Connection Wizard. Select Virtual Private Network Connection and click Next. Type a Company Name (this does not need to match the VPN connection name), and click Next. Select Do Not Dial The Initial Connection and click Next. Type the public (WAN) IP address of the VPN gateway, or its dynamic DNS name if you set one up, and click Next. Note that this is not the private LAN address (typically 192.168.x.x) you type to open the device’s Web-based configuration tool from inside your network; from the Internet, the gateway is reached at the address your ISP assigned to its WAN port, which the device’s status page shows. Select Add A Shortcut To This Connection In My Desktop if you want a shortcut for the VPN connection and click Finish. 

In the Control Panel, click Network And Internet Connections in Category view, and then click Network Connections to display the computer’s list of network connections. Right-click the VPN connection you just created and click Properties. Click the Security tab and select the IPsec Settings button. Select the Use Pre-Shared Key For Authentication check box and type the preshared key you defined for the VPN gateway, exactly as you entered it there. Then click the Networking tab and change Type Of VPN from Automatic to L2TP IPsec VPN, so that Windows negotiates L2TP/IPsec rather than trying PPTP first. Click OK to save the new settings and close the dialog box. 

Test it. Now that your VPN is configured, try to access your network through the VPN connection on the “remote” computer. Make sure the remote computer is connected to the Internet first, and then try connecting to the VPN. To initiate the connection, simply double-click its shortcut or System Tray icon. 

If you are unable to establish a connection, double-check the VPN gateway and client configuration. Common issues include mistyped profile information and settings that do not match between the two ends: a different encryption algorithm, hash, or Diffie-Hellman group in one of the two negotiation phases, a preshared key that differs by a single character or a trailing space, or a LAN subnet entered incorrectly. Many gateways keep a VPN or IKE log that names the phase in which the negotiation failed; check it before changing settings at random. Also look for disconnected wires or no Internet connection. If you’re using WinXP as the VPN client, it may or may not work well with the gateway device. You may want to try the router or wireless AP manufacturer’s VPN client software instead. 
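Because most failed connections come down to the two security profiles (the VPN Settings chart entered on the gateway and again on the client) not matching, it helps to write both down and compare them mechanically. The following Python script is an added example, not from the article or any vendor: it reports every field that differs, says whether the preshared keys match without printing them, and separately flags choices that match but are weak (DES, MD5, Diffie-Hellman group 1). Both profiles are constructed; the field names follow the usual IKE phase 1 and phase 2 parameters rather than any one vendor’s configuration screen, and the lifetimes and DH group are sample values, not the chart’s.

```python
import hmac

# Added example, not part of the article: audit the security profiles typed into the
# gateway and the client before troubleshooting by hand. Both profiles are constructed;
# the field names follow the usual IKE phase 1 / phase 2 parameters rather than any
# one vendor's form, and the lifetimes and DH group are sample values.

WEAK_CHOICES = {
    "encryption": {"des": "56-bit DES is brute-forceable; use 3des (or aes if the device offers it)"},
    "hash": {"md5": "MD5 is weaker than SHA-1; prefer sha1"},
    "dh_group": {1: "DH group 1 (768-bit) is too small; use group 2 or higher"},
}

GATEWAY_PROFILE = {
    "phase1": {"mode": "main", "encryption": "3des", "hash": "sha1", "dh_group": 2,
               "auth": "psk", "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "3des", "hash": "sha1", "pfs": False,
               "lifetime": 3600},
    "psk": "Tr0ub4dor&3",
    "lan": "192.168.1.0/24",          # network behind the gateway that the tunnel carries
}

# What the remote user typed: DES in phase 2 and a stray trailing space in the key.
CLIENT_PROFILE = {
    "phase1": {"mode": "Main", "encryption": "3DES", "hash": "SHA1", "dh_group": 2,
               "auth": "psk", "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "DES", "hash": "sha1", "pfs": False,
               "lifetime": 3600},
    "psk": "Tr0ub4dor&3 ",
    "lan": "192.168.1.0/24",
}


def _norm(value):
    """Vendor forms differ in case ('3DES' vs '3des'); compare case-insensitively."""
    return value.lower() if isinstance(value, str) else value


def compare_profiles(gateway: dict, client: dict) -> list:
    """Return sorted, human-readable mismatches. The preshared key itself is never reported."""
    findings = []
    for phase in ("phase1", "phase2"):
        g, c = gateway.get(phase, {}), client.get(phase, {})
        for key in sorted(set(g) | set(c)):
            if key not in c:
                findings.append(f"{phase}.{key}: missing on client")
            elif key not in g:
                findings.append(f"{phase}.{key}: missing on gateway")
            elif _norm(g[key]) != _norm(c[key]):
                findings.append(f"{phase}.{key}: gateway={g[key]} client={c[key]}")
    g_psk, c_psk = gateway.get("psk", "").encode(), client.get("psk", "").encode()
    if not hmac.compare_digest(g_psk, c_psk):
        findings.append("psk: preshared keys differ (look for typos and trailing spaces)")
    if gateway.get("lan") != client.get("lan"):
        findings.append(f"lan: gateway={gateway.get('lan')} client={client.get('lan')}")
    return findings


def weak_settings(profile: dict) -> list:
    """Flag algorithm choices that may match on both ends but are not worth keeping."""
    out = []
    for phase in ("phase1", "phase2"):
        for key, bad in WEAK_CHOICES.items():
            value = _norm(profile.get(phase, {}).get(key))
            if value in bad:
                out.append(f"{phase}.{key}={value}: {bad[value]}")
    return out


if __name__ == "__main__":
    for line in compare_profiles(GATEWAY_PROFILE, CLIENT_PROFILE) + weak_settings(CLIENT_PROFILE):
        print(line)
```

Run against the constructed profiles above, it reports the phase 2 cipher mismatch and the differing preshared keys, and it flags DES on the client even though fixing the mismatch by choosing DES on both ends would make the tunnel come up.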

Another possible problem is a personal firewall on the remote computer. Windows Firewall in WinXP filters only incoming connections, so it rarely blocks a VPN the computer itself initiates, but third-party personal firewalls that filter outgoing traffic can. Try disabling the firewall briefly and connecting; if that works, turn the firewall back on and create an exception for the VPN client software in the firewall settings rather than leaving it off. Check the VPN client software documentation for specific instructions. The same traffic also has to get through any firewall or router between the two endpoints: L2TP/IPsec uses UDP port 500 (IKE, the key negotiation), UDP port 4500 (NAT traversal), and IP protocol 50 (ESP, the encrypted packets); L2TP’s own UDP port 1701 travels inside the IPsec tunnel and needs no separate rule. If the remote computer is behind a NAT router (typical in a hotel or home) and the VPN gateway itself also sits behind another NAT device (for example, a DSL modem that does its own routing), note that WinXP Service Pack 2 refuses L2TP/IPsec NAT traversal to a gateway behind NAT by default; Microsoft Knowledge Base article 885407 describes the registry change that enables it. 

Secure, Private Access 

If your SOHO business can make use of a VPN, there’s no need to wait. Today, you can purchase a VPN firewall with router features, wireless AP features, and more, for $60 to $500. Even if you don’t think you need a VPN and you’re in the market for a firewall, router, or wireless AP, consider purchasing one with VPN endpoint capabilities—you never know what the future might bring.  

-by Carmen Carmack