Assignment 13‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki
Assignment 13-1: VPN Research
- In a paragraph, define a site-to-site VPN and list 3 use cases in which they are employed
- In a paragraph, define user-to-site VPN and list 3 reasons that they are used
- In a paragraph, identify and explain an issue that might arise with private addressing, NAT, and site-to-site VPNs
- Research VPN offerings from the following companies:
  - Cisco
  - Palo Alto Networks
  - Juniper Networks
  - F5
  Based on your research, select one that supports both site-to-site and user-to-site VPNs. Provide an explanation (paragraph) in the form of a short memo of why you selected that vendor.
Don't forget to cite your sources!
Please Review Rubric for Guidelines!
Define a site-to-site VPN and list 3 use cases in which they are employed
A site-to-site VPN focuses on connecting multiple networks, such as a network where numerous offices work alongside each other, or a network with a central office and branch offices in various locations. Through the site-to-site tunnel, the VPN gives every site full access to applications as if they existed within its own physical location. Historically, site-to-site VPNs intersect with the history of the Internet and can even be seen as a forebear of the Internet. This method was made possible by the original packet-switching network, the Advanced Research Projects Agency Network (ARPANET), along with Transmission Control Protocol/Internet Protocol (TCP/IP).
The first case of site-to-site VPN is a remote access VPN, which focuses on creating a temporary connection between two or more users and a central location. It is most commonly used to give each location access to a data center or to make use of Internet Protocol Security (IPsec). Companies use this kind of VPN because it provides security at the gateway on each end, especially when they have remote workers away from the office. This allows the remote workers to access the server and any resources they need.
The second case of site-to-site VPN is internet-based. This type connects more than one local-area network (LAN) to form a wide-area network (WAN). Companies may also incorporate software-defined WAN (SD-WAN). These offer tools for combining resources in different offices securely, as if everything were in the same physical location. This is helpful when each site either develops its own resources or houses a unique process that the rest of the company would benefit from having access to.
The last case of site-to-site VPN is extranet-based. These are often used by two or more different companies that want to share certain resources while keeping others private. Each company or entity connects to the VPN and chooses what to keep private and what to make available. This allows collaboration without exposing important information.
Define user-to-site VPN and list 3 reasons that they are used
There doesn't seem to be a user-to-site VPN, but there is a client-to-site VPN, which connects a single device to a remote network, such as a corporate or cloud network. Examples of client-to-site VPN software are OpenVPN and Cisco AnyConnect, which maintain the VPN tunnel. The client software encrypts and decrypts the traffic, allowing the device to use the VPN server and access anything within the network while making sure the connection is secure. There are two modes for carrying data packets over the Internet: tunnel mode and transport mode. Transport mode only encrypts the payload of the data packets and leaves the original headers in place. Tunnel mode encrypts the entire data packet, including the headers, and adds new headers for routing; because of this, it is slower than transport mode. There are also many encryption methods available for a client-to-site VPN, such as AES, DES, and Blowfish. The choice of cipher affects both the security and the performance of the VPN tunnel, since different ciphers require different amounts of processing power and bandwidth. Lastly, there are authentication methods that the VPN tunnel uses to verify the identity and integrity of the data packets. There are two main methods: pre-shared key (PSK) and certificate-based. PSK is the simpler option; certificate-based authentication is more complex but far more secure, as it uses both digital certificates and a public key infrastructure (PKI). The right choice depends on the security requirements and complexity of the VPN tunnel.
Identify and explain an issue that might arise with private addressing, NAT, and site-to-site VPNs
There are a few issues that come with private addressing. The first is limited accessibility: private IP addresses are not reachable from the public Internet, so hosts using them are hidden from the wider Internet. There is also an interoperability problem, since integrating with external services can run into these reachability issues. NAT, or network address translation, adds overhead in processing, latency, and complexity, which becomes difficult to manage, especially in large-scale deployments.
NAT has its own problems as well. One is performance: when an inside host requests a remote server, the NAT device has to check whether the connection belongs to one of its translations. Some hosts also limit the number of requests they will accept; once that limit is exceeded, no further requests can be made, which creates performance issues. There is also an application problem, since hosts inside the network may be unreachable from outside. Applications behind NAT can then run into compatibility issues, depending on how much they rely on end-to-end connectivity, and some networks fail to support them for this reason. Protocols can become an issue because NAT changes values inside the packet headers, which makes some tunneling protocols such as IPsec complicated to use: when the header fields are modified, the integrity checks fail. Lastly, NAT examines every incoming and outgoing packet and translates between local and global IP addresses. The translation details are stored in memory, which takes up memory and consumes a significant amount of processor work.
There are some considerations to take into account when using a site-to-site VPN. Its settings and configuration must be monitored with care, especially when PKI is involved. There must also be awareness of vulnerabilities in hardware and software: hospitals with VPN vulnerabilities have been attacked by ransomware groups in the past. Site-to-site VPNs also assume that employees work from central physical locations, because the VPN tunnel can only run between two sites. As more work is done from home, a site-to-site VPN may not work as effectively, and a cloud VPN, a VPN service provider, or Secure Access Service Edge (SASE) for network security may work better.
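The two points above (tunnel vs. transport mode, and NAT rewriting headers so that integrity checks fail) can be shown with a small model. This is an added example, not code from the assignment or its sources: the integrity tag covers the original IP header the way IPsec AH does, so source NAT breaks it in transport mode but not in tunnel mode, where NAT only touches the new outer header. The key, addresses and payload are constructed; ESP's own check does not cover the IP header, which is why ESP with NAT traversal is the usual NAT-friendly choice.

```python
import hashlib
import hmac
import struct

PSK = b"constructed-preshared-key"  # constructed sample integrity key

def ip_bytes(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))

def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, proto, 0) + ip_bytes(src) + ip_bytes(dst)

def integrity_tag(key, data):
    """Keyed integrity check value over the protected bytes (modelled on an AH ICV)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def transport_mode(key, inner_hdr, payload):
    """Transport mode keeps the original header; the tag covers header + payload."""
    pkt = inner_hdr + payload
    return pkt, integrity_tag(key, pkt), slice(0, None)

def tunnel_mode(key, inner_hdr, payload, gw_src, gw_dst):
    """Tunnel mode protects the whole original packet, then prepends a new outer header."""
    inner = inner_hdr + payload
    return ipv4_header(gw_src, gw_dst, 50) + inner, integrity_tag(key, inner), slice(20, None)

def nat_rewrite_src(pkt, public_ip):
    """Source NAT: overwrite the outermost header's source address (bytes 12..15)."""
    return pkt[:12] + ip_bytes(public_ip) + pkt[16:]

def verify(key, pkt, tag, protected):
    """Recompute the tag over the protected bytes and compare in constant time."""
    return hmac.compare_digest(integrity_tag(key, pkt[protected]), tag)

def nat_impact():
    """Does each mode's integrity check survive a source-NAT rewrite of the outer header?"""
    payload = b"GET / HTTP/1.1\r\n"  # constructed sample payload
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 6)  # private RFC 1918 addresses, TCP
    modes = {
        "transport": transport_mode(PSK, inner, payload),
        "tunnel": tunnel_mode(PSK, inner, payload, "192.0.2.1", "198.51.100.1"),
    }
    results = {}
    for name, (pkt, tag, protected) in modes.items():
        results[name + "_before_nat"] = verify(PSK, pkt, tag, protected)
        natted = nat_rewrite_src(pkt, "203.0.113.10")  # NAT box on the way out
        results[name + "_after_nat"] = verify(PSK, natted, tag, protected)
    return results
```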
Research VPN offerings from the following companies:
Cisco
Security Service Edge (SSE)
- Single, multifunction client = Combine VPN and modern zero-trust capabilities into a single Cisco Secure Client. With a single client, IT can deploy and manage endpoint security agents while also providing users a better experience.
- Single, multifunction client = Having one console to create and manage policies across all private and publicly hosted applications simplifies administration. Aggregated reporting and digital experience monitoring speed issue detection and resolution.
- Consistent security = Strong, least-privilege access policies can be applied across multiple scenarios and device types. The AI policy assistant can help create effective policies in the proper format.
- Better performance = Modern protocols enable faster connections, greater segmentation, and improved throughput. This enables better performance across users and devices.
Palo Alto Networks
Prisma
- Least-privilege access for remote employees = Simplify remote access management with identity-aware authentication and client or clientless deployment methods for mobile users. Assess device health and security posture before connecting to the network and accessing sensitive data for Zero Trust Network Access. Seamlessly implement industry-leading security controls and inspection across all mobile application traffic, regardless of where or how users and devices connect.
- More than secure enough = 48% increased security risk, 71% want cloud-based security, 51% ditch their VPN for ZTNA
- Secure remote access made easy for IT = Extend consistent security policies to inspect all incoming and outgoing traffic. Deliver transparent, risk-free access to sensitive data with an always-on, secure connection. Eliminate blind spots in your remote workforce traffic with full visibility across all applications, ports, and protocols.
Juniper Networks
Juniper Secure Connect
Key Features
- Securely and automatically validates that the most current security policy is enforced
- Supports industry-leading external multifactor authentication (MFA) solutions
- Provides integrated biometric authentication on devices with hardware support
- Runs intrusion prevention system (IPS), Juniper Advanced Threat Prevention, and advanced security for all gateway access to identify and block unknown and known threats that originate from non-corporate networks
- Available for Desktop and Mobile Devices = Provides flexible and secure access for managed and unmanaged devices.
- Zero Touch Configuration = Deploy always up-to-date security policies, helping users stay secure and get access to the correct resources when they need them.
- Multifactor and Biometric Authentication = Improve corporate security by implementing a second form of authentication for remote users.
- Comprehensive Security and Visibility = Reduce risk and get the necessary visibility to help ensure that remote-access users aren't introducing known or unknown threats.
F5
F5 BIG-IP APM
- Unmatched Security and Flexibility = Provides a comprehensive security solution that extends beyond traditional VPN capabilities. APM offers secure, granular, and identity- and context-aware access to applications and data, regardless of where users are connecting from. This ensures that your organization can adapt to a hybrid work model without compromising on security.
- Meet Critical Zero Trust Requirements = Utilizing BIG-IP APM Identity Aware Proxy (IAP) enforces identity to every application request, and meets the required level of logging put forth by the OMB M-21-31 memorandum for remote and application access. These capabilities assist agencies in better establishing a Zero Trust security environment, providing Zero Trust Application Access. To see how F5 products and F5 APM specifically map to M-22-09 “Federal Zero Trust Strategy”
- Maximize Your Existing Investment = You may already possess the licensing required to deploy F5 BIG-IP Access Policy Manager (APM). There's a possibility that you have the APM feature available, yet it remains underutilized. By fully leveraging your existing F5 BIG-IP setup, including any pre-existing APM licenses, you can unlock a powerful, scalable, and secure access solution tailored to the modern demands of your organization.
- Simplified Management and Scalability = F5 BIG-IP APM integrates seamlessly with your existing F5 ecosystem, allowing for simplified management of your security policies and procedures. Its scalability ensures that as your organization grows, your VPN solution can grow with you, without the need for a complete overhaul or complex additions to your network architecture.
Select one that supports both site-to-site and user-to-site VPNs. Explain, in the form of a short memo, why you selected that vendor.
After reviewing the options above, I have decided that Cisco would be the best choice. Cisco has the best overall fit and unified management, with its key strengths being a single client, unified policies, and performance. This is a great fit as a modern, all-in-one option that makes things easy for both users and vendors while ensuring a transition from traditional VPN to Zero Trust. It combines VPN with Zero Trust in a single agent, which simplifies endpoint management for IT and users. There is also centralized policy management, with one console for all applications, reducing administrative overhead. Cisco also highlights modern protocols that deliver higher throughput and other performance improvements, which are valuable for global, latency-sensitive environments.
Citations
- What is Site-to-Site VPN | Fortinet
- What are the main differences between site-to-site and client-to-site VPNs?
- Difference between Private and Public IP addresses | GeeksforGeeks
- Advantages and Disadvantages of NAT | GeeksforGeeks
- Site-to-site VPN security benefits and potential risks | TechTarget
- Wireless Access Points - Cisco
- Secure Remote Access | GlobalProtect - Palo Alto Networks
- Juniper Secure Connect | Juniper Networks US
- Strengthen Your VPN Security by Switching to F5 BIG-IP with APM