Recently, we wrote a series of posts on our predictions for the top trends in cybersecurity for 2022, including the need to secure the distributed workforce. In this brief blog series, we’ll discuss VPN and other secure remote access technologies in more detail.
Rapid changes in the security landscape, as well as a pandemic-driven shift to remote working, have radically altered the work-scape. The new reality is decentralized offices, remote workplaces, and the “branch of one” as employers and staff alike have discovered important benefits in a distributed workforce.
In the early days of the pandemic, IT and security teams scrambled to support newly remote personnel. By and large, they turned to technologies already available in their infrastructures, primarily VPN. VPNs can help remote workers, branch offices, business partners and suppliers establish a trusted and secure connection with the company’s network, while ensuring the security and integrity of data.
While newer technologies like SD-WAN, ZTNA and SASE have begun to make inroads in supporting the distributed workforce, the reality is that VPN is likely to be with us for the foreseeable future, even if only as a foundation for the newer secure remote access methods. (More on that later.) Plus, forklifting existing infrastructure is costly, and re-educating workers is equally so. However, a smooth transition can be achieved in which the newer technologies co-exist and leverage existing VPN infrastructures.
Knowing the strengths – and weaknesses – of VPN solutions is therefore essential in planning for long-term support of remote and distributed workers.
Basic Principles of IPsec VPN
The two main types of VPN in use today are Internet Protocol Security VPN (IPsec VPN) at the network layer, and Secure Sockets Layer VPN (SSL VPN) at the session layer. Did you know? A third type – Point-to-Point Tunneling Protocol (PPTP) – exists, which operates at the data link layer but is considered obsolete due to multiple security issues.
IPsec VPN is widely used and is a complete architecture for network-layer security. It specifies how to select security protocols, how to determine security algorithms, how to exchange keys between peers, and how to provide network security services such as access control, data source authentication, and data encryption. In short, this technology is meant to bridge connectivity with security; hence, why it is still considered a core technology that will be here to stay, even as we transition toward SD-WAN, ZTNA and SASE to secure the distributed workforce.
IPsec supports monitoring and redundant backup, traffic diversion of plain-text packets, and IPv6 natively. Performance-enhancing features are also available through Intel CPUs, for example, and other means.
Two data encapsulation protocols are supported in IPsec. Authentication Header (AH) protocol protects against option and header insertion attacks, and guards the IP payloads and header fields, with the exception of a few header fields needed during transit. Encapsulating Security Payload (ESP) working in Tunnel Mode encapsulates the inner IP datagram, while the outer header is unprotected.
Either or both methods can be used depending on the security needs of each IPsec connection; ESP in general, however, adds processing overhead that may increase latency. Both ESP and AH provide data protection, though via different methods, but in some regions, ESP is not allowed due to restrictions on strong cryptography.
Depending on the chosen encapsulation option, a wide variety of key negotiation, encryption and authentication algorithms can be selected. Key negotiation (called security association, used by IPsec to establish VPN) can be manual or automatic via IKE methods, which can leverage XAUTH for further authentication. Encryption algorithms include 3DES, DES, AES and others; authentication algorithms include MD5, SHA, SHA256 and more.
IKE encompasses multiple other protocols like ISAKMP and Oakley to define negotiation and key exchange. One of its chief drawbacks is that it automatically defines VPN names that aren’t human-readable. This can make it extremely difficult to manage and debug, especially if a number of IPsec VPNs have been defined; however, certain technologies like Hillstone’s HSM v5.1 SD-WAN controller allow user-defined IKE VPN names for easier management.
Where to Use IPsec VPN
IPsec is widely used to connect branch offices or similar locations back to the corporate network. The VPN devices at each location are used to establish permanent secure encrypted links. Due to the complexity of set-up and cost for clients, it’s less common to use IPsec for remote workers – though it can be done. One scheme is to configure a single VPN tunnel at the corporate network, to which multiple remote devices then connect via a client.
Certain networking devices and most, if not all, next-gen firewalls (including Hillstone’s) support IPsec natively. Hillstone offers a number of cookbooks and user guides for setting up and configuring IPsec VPNs in various scenarios, including connections to cloud resources, as well as a comprehensive guide.
Alternatives and Transitions
As discussed earlier, remote working is no longer a phenomenon – rather, it has become the status quo – but legacy technologies like IPsec will probably be around for a long time. Looking ahead, IT and security teams can start preparing for the future by substituting or overlaying newer technologies over IPsec infrastructures.
For example, SD-WAN, a component of Gartner’s Secure Access Service Edge (SASE), can be deployed today to support branch offices and remote workers, by leveraging existing IPsec VPN connections. A Zero-Trust Network Architecture, another component of SASE, can also be implemented atop existing remote working connections to improve security.
In our next post, we’ll dive a little deeper into SSL VPN, how it works, and how you can start the transition to SASE there, as well. To learn more about Hillstone’s solutions and how they can support the transition to SASE, contact your local Hillstone representative or authorized reseller today.
