A Smart VPN: 12 Insights into ViPNet Technology

Preface

When security issues arise, you look for a powerful and compatible security solution. A range of advanced features sets the ViPNet technology apart from other tools for building virtual private networks (VPNs). A ViPNet VPN is a secure and reliable VPN solution with a reasonable implementation cost. It is designed for convenient, effective use and transparent centralized management. It can embrace thousands of hosts and still remain flexible and easy to manage.

Contents

Intro
■ What is a ViPNet VPN?
■ ViPNet VPN: Advantages at a Glance
Security
■ 1. Strong Encryption
■ 2. Local Traffic in a LAN is Protected
■ 3. Cloud Data is Secure
Convenience
■ 4. Centralized Management
■ 5. Flexible Topology
■ 6. A Scalable VPN
■ 7. No IP Address Conflicts
■ 8. Flexible Access Policies
Reliability
■ 9. Easy and Stable Roaming
■ 10. Automatic Routing
■ 11. Reduced VPN Server Load
■ 12. Safe Simultaneous Access to VPNs and the Web for Remote Clients
Appendix
■ ViPNet VPN Components
■ Free Trial Version

Intro

What is a ViPNet VPN?

ViPNet VPN is a comprehensive software suite for maintaining a secure and reliable VPN. It implements strong symmetric encryption with pre-shared keys and an automated system for distributing encryption keys over protected VPN channels. ViPNet VPN provides direct peer-to-peer (P2P) connections between clients. Unlike other VPN solutions that support P2P, ViPNet delivers all of these benefits as ready-to-operate implementations that a user with basic computer experience can enable and maintain: ViPNet is a VPN with transparent, centralized management, seamless deployment, and convenient usage. ViPNet hosts address each other by special identifiers, in an MPLS-like manner, which frees customers from complicated routing configurations. A ViPNet VPN can be deployed over networks that include NAT devices without any additional configuration.
The P2P scheme brings the following benefits:
■ protection of a LAN from insider threats,
■ reduced VPN server load,
■ support for services in which clients communicate directly (such as Skype and live video).

Among VPN solutions, ViPNet is designed especially for customers' convenience. VPN client users need no prior experience with VPNs, and after VPN deployment their accustomed workflow does not change. When accessing a VPN from mobile devices, a user can forget about the reconnection lags and reconfigurations associated with roaming between wireless access points.

Administrators manage the VPN centrally, in an intuitive manner. With the robust service data distribution system, administrators update VPN host configurations, software, and encryption keys remotely, in the background.

ViPNet VPN components:
■ VPN clients, which securely connect computers, mobile devices, and other network devices to a VPN. VPN clients are protected with an integrated firewall.
■ VPN servers (coordinators), which
  ■ organize communication between VPN clients (including remote clients),
  ■ function as VPN gateways, protecting VPN connections to tunneled resources (hosts without VPN client software),
  ■ provide network services for your LAN, such as NAT, proxy filtering, a SIP server, a wireless access point, etc.
■ Tools for VPN management and monitoring.

Below, we explain why we call ViPNet a genuinely secure, convenient, and reliable technology.

ViPNet VPN: Advantages at a Glance

Strong Protection
■ Pre-shared symmetric keys provide a reliable and safe VPN connection.
■ The unique P2P VPN is well suited to channel protection.
■ VPN clients and servers are equipped with an integrated firewall.

Support for Heterogeneous Networks
■ A ViPNet VPN can be deployed over any existing IP network without reconfiguration.
■ The ViPNet technology does not interfere with common network services (firewalls, DHCP, WINS, DNS, NAT, PAT, VoIP, and live video).
■ A ViPNet VPN can be securely connected to an IPsec network via a ViPNet–IPsec gateway.

Convenient Security
■ ViPNet clients stay connected and ensure permanent protection of user devices without any user action.
■ Users access the VPN from home, the office, or an airport over any available connection (wired, Wi-Fi, 3G/LTE, satellite) without reconfiguring their mobile clients.
■ Users perform no maintenance; it is done automatically or through centralized management.

Scalable Solution
■ As your business grows, you scale your ViPNet VPN into a large, geographically distributed VPN with an elaborate logical structure, and you easily establish VPN links with hosts in your partners' VPNs.
■ ViPNet VPN servers (gateways) support a network structure of any level of complexity, including cascade, full mesh, or custom links.

Security

With the ViPNet technology, you incorporate best practices of VPN security into a solution that fits common office workflows.

1. Strong Encryption

■ AES symmetric encryption
■ No key-exchange handshake, so the man-in-the-middle attack on key negotiation does not apply
■ Packet encapsulation masks the data structure

ViPNet implements symmetric AES encryption. For equal strength, symmetric encryption requires far fewer computations than asymmetric encryption.

In a ViPNet VPN, each pair of communicating hosts shares a unique symmetric data exchange key that is used with no other host. If this key is stolen, only that host's communication with one other host is compromised; every other pair is unaffected. (A fully compromised host is a different matter, since it holds a key for each peer it is linked to; the remedy is the same central revocation applied to all of that host's links.) With the centralized management facilities, the administrator can immediately block the communication encrypted with the compromised key and promptly replace it with a new, valid key.

ViPNet VPN uses pre-shared keys, so protected communication is not preceded by a key exchange procedure (a handshake). This removes the man-in-the-middle (MITM) attack on key negotiation, a serious threat for VPNs that exchange public keys without authenticating them. The security of the scheme then rests on the key distribution path: the initial key set must reach each host by a trusted route, and later key updates travel over the already-protected VPN channels. Because no ephemeral session keys are negotiated, traffic stays confidential only as long as the pair key (and the management center that issues it) stays secret, which is why regular key replacement from the center is part of the model.
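The Go program below is an added example written for this edition of the page; it is not ViPNet's code and does not appear in the brochure. It models the scheme this section describes, including the per-packet key derivation covered in the traffic-analysis bullets that follow: a management center installs one random exchange key per host pair and nowhere else; every datagram is encrypted under a fresh key derived from that pair key and a packet counter; the inner IP packet travels inside a UDP-style payload that exposes only two identifiers and a counter; and blocking a compromised pair key cuts off exactly one link. The HMAC-SHA256 derivation, AES-256-GCM, the 16-byte header layout, the 4-byte identifiers, and the names Provision, Seal, Open and Revoke are all assumptions of the example; the brochure specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// HostID stands in for a ViPNet identifier; the 4-byte form is an assumption.
type HostID uint32

// Host keeps the exchange keys the center installed on it (one 32-byte key per
// peer it is linked to) and a send counter for per-packet key derivation.
type Host struct {
	ID   HostID
	keys map[HostID][]byte
	seq  uint64
}

// Provision models the management center: a fresh random key for every host
// pair, installed on the two members of that pair and nowhere else.
func Provision(ids ...HostID) map[HostID]*Host {
	hosts := map[HostID]*Host{}
	for _, id := range ids {
		hosts[id] = &Host{ID: id, keys: map[HostID][]byte{}}
	}
	for i, a := range ids {
		for _, b := range ids[i+1:] {
			k := make([]byte, 32)
			if _, err := rand.Read(k); err != nil {
				panic(err)
			}
			hosts[a].keys[b], hosts[b].keys[a] = k, k
		}
	}
	return hosts
}

// Revoke is the center's "block this link" action: the host forgets that one key.
func (h *Host) Revoke(peer HostID) { delete(h.keys, peer) }

// PacketKey derives the per-packet AES-256 key as HMAC-SHA256(pairKey, "pkt" || counter).
// The construction is assumed; the brochure says only that each packet uses a different derivative.
func PacketKey(pairKey []byte, seq uint64) []byte {
	mac := hmac.New(sha256.New, pairKey)
	mac.Write(binary.BigEndian.AppendUint64([]byte("pkt"), seq))
	return mac.Sum(nil)
}

// gcm returns AES-256-GCM under one 32-byte per-packet key.
func gcm(packetKey []byte) cipher.AEAD {
	block, _ := aes.NewCipher(packetKey)
	g, _ := cipher.NewGCM(block)
	return g
}

// nonce is source ID || counter (12 bytes); as the counter also selects the key, no key/nonce pair repeats.
func nonce(hdr []byte) []byte { return append(append([]byte{}, hdr[0:4]...), hdr[8:16]...) }

// Seal builds the UDP payload for one inner IP packet: a 16-byte header (source ID, destination ID,
// counter) followed by ciphertext and tag. Only identifiers and a counter are visible on the wire.
func (h *Host) Seal(dst HostID, inner []byte) ([]byte, error) {
	ek, ok := h.keys[dst]
	if !ok {
		return nil, errors.New("no exchange key for peer: link not allowed or blocked")
	}
	h.seq++
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], uint32(h.ID))
	binary.BigEndian.PutUint32(hdr[4:8], uint32(dst))
	binary.BigEndian.PutUint64(hdr[8:16], h.seq)
	return append(hdr, gcm(PacketKey(ek, h.seq)).Seal(nil, nonce(hdr), inner, hdr)...), nil
}

// Open reverses Seal. No key for the sender: dropped unread. Header or body altered (the header is
// authenticated data), or sealed for a different pair: the tag check fails and it is dropped.
func (h *Host) Open(dg []byte) (HostID, []byte, error) {
	if len(dg) < 16 {
		return 0, nil, errors.New("short datagram")
	}
	hdr := dg[:16]
	src := HostID(binary.BigEndian.Uint32(hdr[0:4]))
	ek, ok := h.keys[src]
	if !ok {
		return 0, nil, errors.New("no exchange key for sender: dropped")
	}
	seq := binary.BigEndian.Uint64(hdr[8:16])
	inner, err := gcm(PacketKey(ek, seq)).Open(nil, nonce(hdr), dg[16:], hdr)
	if err != nil {
		return 0, nil, errors.New("authentication failed: dropped")
	}
	return src, inner, nil
}

func main() {
	hosts := Provision(101, 202, 303)
	dg, _ := hosts[101].Seal(202, []byte("inner IP packet 101 -> 202"))
	_, inner, err := hosts[202].Open(dg)
	fmt.Printf("202 received %q (err=%v); wire bytes: %d\n", inner, err, len(dg))
}
```

Two details are worth noticing. Because the header is passed to GCM as associated data, changing the source identifier, the destination identifier or the counter in transit is detected, not just changes to the ciphertext. And a host that shares a key with the sender still cannot open a packet sealed for someone else, because the per-packet key was derived from a different pair key. The example deliberately omits replay protection (a receive-side counter window), which any production design built on this model would add.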
As long as VPN traffic passes over public networks, a malicious party may intercept packets for analysis. ViPNet implements special protection against traffic analysis:
■ The network topology and the traffic structure are masked by encapsulating the encrypted traffic in UDP packets.
■ A malicious party may try to recover the exchange key by analyzing a substantial sample of IP packets. In a ViPNet VPN, each IP packet is encrypted with a different key derived from the symmetric data exchange key, so an intercepted sample never contains a large volume of data encrypted under one key. (A correctly implemented AES does not leak its key through ciphertext samples in any case; the per-packet derivation limits what any single key ever protects.)

2. Local Traffic in a LAN is Protected

■ P2P connections protect a LAN from insider threats
■ Clients can access VPN and public resources concurrently

Originally, VPN technologies were designed for secure data transfer between trusted areas over the Internet. It was assumed that there was no risk of confidential information being intercepted within a LAN. This approach persists in most VPN technologies: traffic between a VPN gateway and an endpoint in a LAN is not encrypted. Data directed into the LAN is decrypted on the VPN gateway and can be intercepted from inside the LAN on its way to the endpoint.

With ViPNet VPN client software installed, the clients act as hosts in the LAN and encrypt and decrypt the traffic themselves. The VPN server at the edge of the LAN simply forwards the encrypted traffic to these hosts. At the same time, clients can access the Internet as usual without traffic encryption, because the integrated firewall handles the encrypted traffic and the public traffic separately, so all VPN traffic remains secret.

ViPNet VPN protects local traffic in any topology, including a remote VPN client connecting to resources on a corporate network. VPN traffic remains encrypted until it reaches its destination.

3. Cloud Data is Secure

Storing data in the cloud is handy, but this data is exposed to access and modification because it is uploaded and accessed over public channels. VPN protection of the connections to the cloud, and of the cloud servers themselves, secures cloud users' data in transit.

More than that, the cloud itself is a spatially distributed medium: data inside the cloud also travels over public channels. When cloud servers are protected with a ViPNet VPN, the customer's data exchange with the cloud, as well as the traffic between cloud servers over public channels, is encrypted. In transit it cannot be intercepted by third parties or by the cloud provider itself. Note that this protection covers data on the wire; data at rest on a provider's server, and data while it is being processed there, is outside the scope of any VPN and needs its own controls.

Convenience

What makes a VPN secure is not just strong cryptography. Complicated maintenance creates a risk of misconfiguration and other errors that undermine the VPN's security. ViPNet VPN is specially adapted for convenient usage and transparent centralized management.

4. Centralized Management

■ Automated routine operations
■ Solutions are available that cover all VPN maintenance tasks

With common VPN solutions, each change of network topology may require coordinated and elaborate actions on several hosts, in several programs. ViPNet, by contrast, is managed from one center where as much as possible is automated; anything that must be done on several hosts coherently is coordinated automatically. A ViPNet VPN administrator has everything needed for VPN management on a single workstation.
VPN management consists of the following:
■ VPN topology configuration (allowing VPN connections between hosts),
■ generation and secure distribution of encryption keys through encrypted channels,
■ remote host configuration and user support (by remote desktop access),
■ remote VPN software upgrades,
■ management of VPN hosts' access policies,
■ host health monitoring (including hosts without ViPNet software installed, e.g. data servers on a corporate LAN).

VPN maintenance is built on solutions from a single vendor, which are compatible and require no integration effort. As a result, you do not need a large VPN support team: a single administrator can maintain and support a network of thousands of hosts with an elaborate topology.

Unlike other VPN solutions, ViPNet VPN does not allow users to modify any security-relevant host configuration, such as encryption keys or allowed VPN connections, so there is no risk of a user violating a security policy, whether by accident or on purpose. (The flip side of this concentration is that the management center and the administrator's workstation hold the keys to the whole VPN and deserve the strictest protection of any host in it.)

5. Flexible Topology

■ Custom topology
■ Adapting to policies of the underlying network

You can define the network topology by linking hosts individually or by applying a common topology to all hosts (for example, full mesh). The connections automatically adapt to the policies of the networks that underlie the VPN:
■ For ViPNet VPN connections, NAT devices are transparent. ViPNet clients connect to each other without any additional configuration even when they are located behind dynamic NAT devices. You can easily build a VPN over channels such as those of consumer Internet access providers, which frequently assign dynamic IP addresses to their customers.
■ Some Internet access providers severely restrict the permitted traffic types. For example, a wireless access point in a hotel may allow only TCP traffic on ports 80 and 443. For common VPN solutions this requires complicated configuration or may prevent the use of a VPN altogether.
With ViPNet, your client automatically establishes an ordinary TCP connection (over one of the permitted ports) with its VPN server and transmits its UDP packets inside this connection. The server forwards the packets onward without decrypting them. Other VPN hosts are also able to initiate connections to your client.

6. A Scalable VPN

As your business grows, you add new VPN clients and servers to your network. This takes just a few steps:
■ In ViPNet Network Manager:
  ■ Add a new host and create a key set for it.
  ■ With one click, send key updates to the other VPN hosts. The updates are transferred securely over the VPN and are accepted on the hosts automatically.
■ On the new host, install the ViPNet software and its key set, then start the ViPNet software.

After that, the new host becomes accessible to the other VPN hosts. Add new hosts from one workstation with just a few clicks.

7. No IP Address Conflicts

Common VPN solutions base their routing on IP addresses. When you change a host's IP address, you must make sure there is no address conflict with hosts on other LANs connected to the VPN, and you may need to reconfigure other VPN hosts. The more elaborate the VPN structure, the more complicated the required configuration.

In a ViPNet VPN, users and applications are free to change hosts' IP addresses (manually or automatically) without losing VPN connectivity, regardless of possible IP address conflicts. This is because ViPNet hosts address each other by special ViPNet identifiers, which are independent of IP addresses. Since applications on a VPN host use IP addresses rather than ViPNet identifiers, each identifier has an IP-address-like alias called a virtual IP address. Applications therefore believe they are working with IP addresses while they are actually using ViPNet identifiers. You can put two computers with identical IP addresses in different LANs onto a VPN (as VPN clients or tunneled computers) without reconfiguring their environment to resolve the address conflict.

8. Flexible Access Policies

VPN hosts' access policies are managed centrally. Each ViPNet host has an integrated firewall that filters its traffic. The set of firewall rules determines the host's allowed public and VPN connections and therefore defines its access policy. The allowed VPN connections are called VPN links; by specifying a host's links, you define which VPN hosts it can reach. If necessary, you can make a host inaccessible from public networks, allow it to be accessed only from a single VPN host or IP address, split your VPN into separate logical segments, or implement any other elaborate topology.

Examples of Security Policies

Type of host: Remote general-use workstation
Policy description: Can access the Internet and corporate resources in a VPN
Actions required, on a ViPNet client:
■ allow unencrypted data exchange with public IP addresses
■ allow encrypted data exchange with remote VPN hosts and tunneled hosts

Type of host: Core team collaboration data storage
Policy description: Accessible only to the core team
Actions required, on a ViPNet client:
■ block any unencrypted connections
■ allow encrypted connections only with core team members' hosts

Type of host: Hosts in a DMZ
Policy description: A LAN is split into a secure area and the DMZ
Actions required:
■ Put a coordinator between the two LAN segments (the secure area and the DMZ) and the Internet
■ On the coordinator, configure the firewall to allow Internet connections from the DMZ segment and to block Internet connections for hosts in the secure area
■ Allow data traffic between the two LAN segments only when initiated from the secure area

The hosts' access policies are managed centrally with the ViPNet Policy Manager software.
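The Go program below is an added example for sections 7 and 8 together; it is not ViPNet's code and is not taken from the brochure. It models the client-side mechanism both sections describe: a directory that hands applications a virtual IP alias per identifier while keeping the host's real locator separately, so an IP change or a duplicate LAN address never disturbs the alias, plus a first-match firewall check expressed in the terms of the policy table above (allow or block unencrypted public traffic; allow encrypted traffic only with linked peers). The 10.200.0.0 alias range, the 4-byte identifiers, and the names Directory, Register, Policy, Outbound and Inbound are assumptions of the example. The coordinator-level segment rules in the DMZ row of the table are not modelled.

```go
package main

import (
	"fmt"
	"net/netip"
)

// HostID stands in for a ViPNet identifier; the 4-byte form is an assumption.
type HostID uint32

// Locator is where a host currently sits on the underlying IP network.
type Locator struct {
	LAN string
	IP  netip.Addr
}

// Directory is the client's local copy of the management center's data: each
// known host's current locator and the virtual IP alias local applications use for it.
type Directory struct {
	locator map[HostID]Locator
	vipOf   map[HostID]netip.Addr
	idOfVIP map[netip.Addr]HostID
	nextVIP netip.Addr
}

// NewDirectory hands out aliases sequentially from vipBase (the range is assumed;
// the brochure does not say which range ViPNet uses).
func NewDirectory(vipBase netip.Addr) *Directory {
	return &Directory{locator: map[HostID]Locator{}, vipOf: map[HostID]netip.Addr{},
		idOfVIP: map[netip.Addr]HostID{}, nextVIP: vipBase}
}

// Register records (or updates) a host's real locator and returns its virtual IP.
// The alias is bound to the identifier, never to the real address, so it survives
// IP changes and two hosts with the same LAN address get distinct aliases.
func (d *Directory) Register(id HostID, lan string, ip netip.Addr) netip.Addr {
	d.locator[id] = Locator{LAN: lan, IP: ip}
	if vip, ok := d.vipOf[id]; ok {
		return vip
	}
	vip := d.nextVIP
	d.nextVIP = vip.Next()
	d.vipOf[id], d.idOfVIP[vip] = vip, id
	return vip
}

// Policy is one host's centrally managed firewall configuration, in the terms of the table above.
type Policy struct {
	AllowPublic bool            // unencrypted exchange with public IP addresses
	Links       map[HostID]bool // VPN hosts this host may talk to; nil means every known host
}

// Decision is the firewall's verdict on one flow.
type Decision struct {
	Allow   bool
	Peer    HostID     // 0 for public (unencrypted) traffic
	NextHop netip.Addr // real address the datagram is actually sent to
	Reason  string
}

// Outbound decides what happens to a packet an application addressed to dst.
func (d *Directory) Outbound(p Policy, dst netip.Addr) Decision {
	id, isVIP := d.idOfVIP[dst]
	if !isVIP {
		if p.AllowPublic {
			return Decision{Allow: true, NextHop: dst, Reason: "public traffic, sent unencrypted"}
		}
		return Decision{Reason: "unencrypted public traffic blocked by policy"}
	}
	if p.Links != nil && !p.Links[id] {
		return Decision{Peer: id, Reason: "no VPN link to this host"}
	}
	return Decision{Allow: true, Peer: id, NextHop: d.locator[id].IP, Reason: "encrypted to VPN peer"}
}

// Inbound decides whether a received flow is accepted: unencrypted traffic needs
// AllowPublic; encrypted traffic needs a link to the sending identifier.
func (d *Directory) Inbound(p Policy, from HostID, encrypted bool) Decision {
	if !encrypted {
		return Decision{Allow: p.AllowPublic, Reason: "unencrypted inbound"}
	}
	if _, known := d.locator[from]; !known || (p.Links != nil && !p.Links[from]) {
		return Decision{Peer: from, Reason: "encrypted inbound from a host without a link"}
	}
	return Decision{Allow: true, Peer: from, Reason: "encrypted inbound from linked peer"}
}

func main() {
	d := NewDirectory(netip.MustParseAddr("10.200.0.1"))
	sameIP := netip.MustParseAddr("192.168.1.10")
	fmt.Println("office host alias:", d.Register(101, "office", sameIP))
	fmt.Println("branch host alias:", d.Register(202, "branch", sameIP)) // same LAN address, no conflict
	store := d.Register(303, "datacenter", netip.MustParseAddr("10.5.0.7"))
	workstation := Policy{AllowPublic: true}
	storage := Policy{Links: map[HostID]bool{101: true}}
	fmt.Printf("%+v\n", d.Outbound(workstation, store))
	fmt.Printf("%+v\n", d.Inbound(storage, 202, true))
}
```

The constructed sample addresses (192.168.1.10 in two LANs, 203.0.113.5 as a public address) are only there to exercise the two cases the text calls out: the alias is allocated from the identifier, so moving a host to another LAN changes the next hop but not the address applications use, and the storage policy refuses both unencrypted traffic and encrypted traffic from any identifier outside its link list.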
If needed, the VPN administrator can also configure access policies (firewall rules) on each VPN host manually (locally or over a remote desktop connection).

Reliability

Large-scale encryption technologies must provide strong encryption, but not at the cost of the customer's time. ViPNet VPN implements a variety of approaches that save your time and resources, making your work on the VPN reliable and fast.

9. Easy and Stable Roaming

■ No connection lags when roaming between access points
■ No reconfiguration on reconnection

The parties on a VPN need to share keys before they start communicating. Many other VPN solutions perform the key-sharing procedure (the handshake) over the network channel that will then be used for communication. To make this procedure secure, the parties perform public-key computations and exchange several messages, which takes time and results in a connection lag. The user and the running applications experience this lag at every reconnection, which happens whenever a VPN client moves from one wireless access point to another.

In a ViPNet VPN, the parties use pre-shared keys, which are distributed to users once at VPN client initialization (and replaced later through the management center's update channel). At each reconnection, VPN clients can start secure data exchange immediately after they connect to the Internet. This makes roaming between wireless access points free of the connection lag associated with the handshake. When a user leaves the office to continue working at home or at the airport, he or she simply disconnects from the network at the office and reconnects at the other location. The client is immediately back on the VPN without any additional configuration.

10. Automatic Routing

VPN traffic automatically finds the optimal route. ViPNet VPN is designed to free the customer from complicated routing configuration. Imagine two clients communicating over a complex VPN, like the one in the diagram on the right.
To complicate matters, the coordinators that pass the traffic are separated, with each LAN having its own IP address space. With common VPN solutions, you would need to introduce complicated routing rules to resolve this connection. And there are not just two but many clients on the VPN; think of the amount of configuration required!

In a ViPNet VPN, routing is performed automatically in an MPLS-like fashion using ViPNet identifiers. VPN users and administrators do not configure any routing. VPN hosts keep each other's up-to-date access parameters. When two hosts communicate, the ViPNet technology automatically selects the optimal path for the traffic. Whatever your VPN topology, the VPN traffic takes the shortest way, reaching its destination directly and never looping.

11. Reduced VPN Server Load

The peer-to-peer VPN scheme distributes the traffic processing load. Compared to client-to-site and site-to-site VPNs, a P2P VPN reduces the traffic processing (encryption/decryption) load on a VPN server because the processing is performed on the clients. The main obstacle to implementing P2P with common VPN solutions is NAT: if the clients communicate from different address spaces, you need to implement and configure additional solutions, which is usually quite complicated. ViPNet provides convenient facilities for establishing a P2P VPN over any IP infrastructure without reconfiguring it. The P2P VPN can embrace thousands of hosts with the most elaborate connection topology without loading the VPN servers with traffic processing and forwarding, because clients communicate directly.

12. Safe Simultaneous Access to VPNs and the Web for Remote Clients

Remote clients access VPN and public resources directly.

With common VPN solutions it is not safe for a remote VPN client to have concurrent access to VPN resources and the Internet (split tunneling), because the client's Internet access is then not regulated by corporate web access policies. Therefore a remote VPN client usually connects to the Internet via its VPN server: the traffic directed to the Internet passes through the VPN tunnel, and the server decrypts it and processes it as a corporate proxy according to corporate policies. This means that both the client and the server have to encrypt and decrypt all of the client's data exchange with the Internet. Moreover, for most VPN solutions this scheme requires proper configuration of the OS routing table, which is not well protected from modification. A malicious user with access to the host's routing table can enable a direct connection to the Internet, which opens the way for unwanted access to VPN resources from the web.

With the ViPNet solution, remote clients have a firewall that is configured centrally by the VPN administrator, so that corporate policies are enforced locally. ViPNet client connectivity does not depend on the state of the OS routing table. ViPNet VPN users therefore safely establish direct connections to the Internet and to VPN resources without threatening VPN security: clients and servers encrypt only the VPN traffic, while public connections are direct and unencrypted. This also reduces the traffic processing load on VPN servers. Clients may access more than one VPN resource simultaneously without reconfiguring the OS routing table; in the diagram, a client is accessing a cloud protected with a VPN and two other VPNs.
Appendix

ViPNet VPN Components

Host type | Product | Type | Computer experience required for use
VPN management | ViPNet Network Manager (general VPN management) | Software | Advanced
VPN management | ViPNet Policy Manager (VPN security policy management) | Software | Advanced
VPN management | ViPNet StateWatcher (network equipment health monitoring) | Software | Advanced
VPN servers | ViPNet Coordinator HW | Appliance | Advanced
VPN servers | ViPNet Coordinator VA | Virtual appliance | Advanced
VPN servers | ViPNet Coordinator for Windows | Software | Advanced
VPN clients | ViPNet Client for Windows | Software | Basic
VPN clients | ViPNet Client for Mac OS X | Software | Basic
VPN clients | ViPNet ThinClient | Appliance | Basic

Free Trial Version

■ Have an overview of the ViPNet VPN and its components.
■ Try ViPNet VPN with a 60-day trial version.

Get a trial version: https://www.infotecs.biz/products/
User guides: https://www.infotecs.biz/doc_vipnet/ENU/index.htm

Infotecs GmbH
Oberwallstraße 24
D-10117 Berlin
Tel: +49 30 206 43 66-0
Fax: +49 30 206 43 66-66
Mail: [email protected]
Web: www.infotecs.biz