Introduction

When you connect to the Internet through your ISP's equipment, you're provided with a Public IP Address. That address is (in most cases) unique to your company, and when you make a request on the internet, this is the address that is provided so that whatever you requested, knows how to get the response back to you. Think of it like an address, if you send a letter and require a response, you would add a reply-to address, this is the same but on the internet.

VPN Image

LAN and WAN

A long time ago, every computer in your company would have its own public IP Address, and your router would route traffic between the rest of the Internet and your computers, but as the Internet exploded in popularity it became immediately clear that even with 16 billion IP addresses, we were going to run out fairly fast. To solve this problem, NAT was created or Network Address Translation. With NAT, your computers can have a private IP address (LAN), and then only have 1 public IP Address (WAN). Your router now has to do all the work, so let's look at an example assuming
your Private(LAN) IP is 192.168.1.10,
your public(WAN) IP is 100.200.1.1, and you wanted to reach google.com:

  • 192.168.1.10 -> router (send this to google.com)
  • 100.200.1.1 router -> google.com
  • google.com -> 100.200.1.1 router
  • router(reply from google.com) -> 192.168.1.10

We can see that the router has to remember who asked for Google.com, then send the request to google.com, receive the answer, then send that answer to the private IP who made the request. This isn't that complex, and the router maintains a list of 'sessions' between Private IP's and Public IP's so it can track who wants what.

Using NAT means you can quite literally have as many computers as you want, and they will all be able to use the same public IP address.

Security

Another fantastic feature of the Internet that we didn't have in the beginning is hackers (aka script kiddies) who seem to spend their days trying to ruin yours. When you're computers have a Public (WAN) IP address themselves, anyone from the Internet can reach your computer directly. If you're running Windows, for example, then you computer would be virus infected in minutes. Using NAT means that the router will only send traffic in one direction, that is, it will only send traffic to your computer in response to a request from your computer. There is no way for anyone on the internet to initiate a connection to your computer directly, and this is good.

If you're a GEN Customer when your router will be a high end model which is also capable of performing dynamic screening, DDoS protection and even intrusion detection.

Virtual Private Networking

In the business world, a virtual private network is used to connect two nodes securely over the Internet. That is, let's assume your company has two offices, one in the UK and one in Europe somewhere, and you wanted to connect them together so you can share the same telephone system, email system, and internal systems like a CRM or database. This is common place, and because we don't want anyone else to 'see' the data we're sending from site to site, a VPN is ued.

The VPN is essentially a layer of encryption that is applied to the data as it leaves one branch office, and is then decrypted by the other. This way, even if the data is intercepted, it cannot be decrypted (easily). The level of encryption is a trade-off between speed and security. You can, for example, have a double encrypted VPN, where the data is encrypted before it reaches the VPN, then encrypted by the VPN, and this form of double encryption is fairly common in the business world.

A Node of course doesn't have to be a branch office, it can be a remote worker. In my job here at GEN, I quite often find myself on a customers site, in a car park, in a train station, in a coffee, and so on, but I need access to the systems at GEN. To achieve this I use a VPN that connects me to a router at GEN and allows me to access those systems. In the case of remote workers, the configuration of the VPN is more important because we don't want the remote worker to have complete and unrestricted rein over the LAN, so we impose restrictions. In my case, those restrictions allow me to access only a few services remotely, which is a fair trade-off given the potential risk.

Before you consider setting up a VPN, take professional advice to ensure its going to be secure

Jump Points

Another concept in Virtual Private Networking, is LAN or Extranet jump points, which are, one or more computers hosted on the LAN that you can access via the VPN and take control of. A common example of this is Microsoft Terminal Server, or Indeed any computer on the LAN if so configured. Jump Points are used when the remote client needs access to an internal desktop, or perhaps their job involves large files which would be impracticable to download and upload over a slower connection. Consider someone who uses a CAD system at work and requires remote access, we all know that licenses for CAD systems are exorbitant, and licensing every remote laptop would be a nightmare, so no need - configure a computer in the office as a jump point and then take control of that remotely. I speak about this one example because its a job we're just deployed for a customer.

Other VPN's

In recent years there has been a 'market' for personal VPN's, which has been driven by a justified paranoia about ISP's tracking people's browsing habits, combined with streaming companies (and other websites) blocking customers based on the location of their Public IP Address. This is unfortunately the world we now live in, and this does make the case for personal VPN's, but...

A personal VPN is not a VPN in the classical sense, its more like a proxy which allows you to change your Public IP address to one in the country of your choice, and in some cases this will allow you to bypass websites location blocking. But does it stop ISP tracking?


ISP Tracking

No, in most cases it does not. ISP's use 'DNS" to track you, and a personal VPN in most cases does not also carry DNS, leaving DNS still being sent to, and received from your ISP's servers. You can, switch your DNS to another provider, but unless you're using DNSSEC and you've got a computer that supports it, a router that supports it and a public DNS Server that supports it, then this isn't going to help. Ideally, you would want DNS to travel over the VPN to the VPN providers secure DNS but none of the popular ones support this, and actually a personal VPN can be dangerous if you're not very careful.


The dangers

Your Router with its NAT and Firewall does a fair job at protecting you, and if you're a GEN Customer then your router does a fantastic job of protecting you, but when you use a personal VPN then you're bypassing that protection. Some personal VPN's are bidirectional, and that means once your connected, your computer is visible on the Public Internet, and that's a big problem especially for users on Windows.

I highly recommend that you take professional advice before using a personal VPN.

Firewalls

When GEN Setup a VPN Service for a customer, we're able to use firewall rules to greatly limit the threat. We do this in two main ways:


Geolocation

We block traffic from everywhere except the UK, and we do this at the firewall level. This means that from the rest of the world, your VPN services doesn't even exist. This is a way of reducing the 'attack surface' which is a technical term meaning that we're reducing the number of possible bad people who can see your VPN and who can then attempt to exploit it.


Service Screening

Service Screening means that when you connect to the VPN, you're not actually connected to the companies LAN. You're connected to a 'virtual' network that only exists in the router. From this virtual network we then prove some rules that will allow only a limit set of services to be reachable. If, for example, you have an internal CRM system at 192.168.1.100 and its accessed using a browser, then we can setup a rule that allows VPN users to reach 192.168.1.100 at port 80 and 443 (web) but nothing else. This sort of screening is absolutely VITAL because you're staff will leave their devices on the train, unattended in costa, or even worse let their children play on them.

GEN's Centralised VPN

For customers using GEN's wide area networking solutions, we don't need to supply or setup your own VPN routing hardware, our centralised VPN concentrator is able to handle all the VPN needs from GEN. This works because the hardware/software we use allows us to isolate or segment users from different companies. When you connect into a GEN Centralised VPN Service, you're given your own 'virtual' network that is unique to your company, and it has unique rules allow access to only your companies services that you are permitted access to. This service is monitored and managed by the staff at the GEN NOC to provide a high level of security oversight, and at the same time reducing the risk, and cost of such a solution. In a GEN managed VPN, we handle the on-boarding and off-boarding of staff, as well as support them with any issues they may have. We can dynamically change the filters based on the needs of your company, if for example an executive will be in the middle east for two weeks, we can 'permit' that but only for those two weeks.

Cyber Security

Having a robust and reliable cyber security team is vital for modern businesses, whether that's in house or outsourced, and its vital that any VPN is discussed with that team to ensure you're not blowing a hole in the protection strategy they've deployed. If you don't have a cyber security team, then you should seriously look into getting one, or outsourcing it. A data breach in today's economy can in some cases be commercially terminal, unless you're large enough to withstand such an event and the significant costs it wll incur.

ps: Don't use Equifax, who had a massive data breach, tried to cover it up, and are still selling 'cyber security' services. The Irony is simply staggering. Citation


Version 1.009  Copyright © 2024 GEN, its companies and the partnership. All Rights Reserved, E&OE.  ^sales^  0115 933 9000  Privacy Notice