Archive for December, 2011

Editor’s Note: This column originally appeared in TechTarget’s SearchEnterpriseWan.

By Rainer Enders, CTO of Americas for NCP engineering

I define cloud VPNs as securely connecting from any location to resources (data and applications) that are provisioned in central data sites for the purpose of highly available and reliable access. A cloud VPN must also offer specific characteristics that address the requirements for secure remote access from any device, over any type of network and from any location.

Companies that want their mobile employees to securely access the company network via the Internet have several solutions available to them: remote access out of the cloud, virtual private network as a service (VPNaaS) and managed security service provider (MSSP). For economic reasons, companies choose to outsource the operation of their VPNs to cloud, hosting or managed service providers.

The benefits for enterprises include the following:

  • no investment in hardware, software and in-house experts
  • a fast realization of a remote access VPN project
  • low monthly expenses

If the cloud VPN is software-based, it can be virtualized and offers high scalability. Ideally, the cloud VPN solution would support multi-tenancy, be available for all major operating systems and device platforms, and have a central management component.

Editor’s Note: These questions originally appeared in TechTarget’s SearchEnterpriseWan.

By Rainer Enders, CTO of Americas for NCP engineering

Why should you monitor your Internet VPN?

Monitoring your Internet VPN is essential for assessing the health of your enterprise wide area network (WAN) and collecting vital statistics for planning and maintenance purposes. It helps identify early signs of improper or inaccurate use.

This will allow enterprise IT or network security staff to take proactive measures to avoid major incidents in the first place. Monitoring your VPN also helps to identify and track malicious activities on the network. When incidents occur, data collected from monitoring events will help you analyze the ongoing problem and can assist in future incident response, analysis and potential prosecution.
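As an added example (not from the column or any NCP product), this is the kind of early-warning check the two paragraphs above have in mind, run over a constructed gateway authentication log in an assumed four-field format: it flags a password-guessing burst that ends in a successful login, and one account active from two different networks within a short window.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample gateway auth log (not a real product's format): time, result, user, source.
const sampleLog = `2011-12-12T08:01:02Z AUTH_OK alice 203.0.113.10
2011-12-12T08:15:40Z AUTH_FAIL bob 198.51.100.7
2011-12-12T08:15:43Z AUTH_FAIL bob 198.51.100.7
2011-12-12T08:15:47Z AUTH_FAIL bob 198.51.100.7
2011-12-12T08:16:01Z AUTH_OK bob 198.51.100.7
2011-12-12T08:30:00Z AUTH_OK alice 192.0.2.200`

type session struct{ at time.Time; src string }

// Findings flags a login that succeeds right after maxFails or more failures from the same
// source (guessing that worked) and a user seen from two different sources within window.
func Findings(log string, window time.Duration, maxFails int) ([]string, error) {
	var alerts []string
	fails := map[string]int{}    // "user@source" -> consecutive failures
	last := map[string]session{} // user -> most recent successful login
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		var ts, res, user, src string
		_, err := fmt.Sscan(sc.Text(), &ts, &res, &user, &src)
		at, perr := time.Parse(time.RFC3339, ts)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("line %d: malformed event %q", n, sc.Text())
		}
		key := user + "@" + src
		if res != "AUTH_OK" {
			fails[key]++
			continue
		}
		if fails[key] >= maxFails {
			alerts = append(alerts, fmt.Sprintf("%s: %s logged in from %s after %d failures", ts, user, src, fails[key]))
		}
		delete(fails, key) // a success ends the burst
		if p, ok := last[user]; ok && p.src != src && at.Sub(p.at) <= window {
			alerts = append(alerts, fmt.Sprintf("%s: %s active from %s and %s within %s", ts, user, p.src, src, window))
		}
		last[user] = session{at, src}
	}
	return alerts, sc.Err()
}
```

Running Findings(sampleLog, 30*time.Minute, 3) on the sample yields two alerts, one for bob's burst and one for alice's two sources; the thresholds are the tuning knobs a network team would set from its own baseline.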

Can cloud VPNs completely secure network traffic?

Complete security does not exist, cloud or no cloud. However, there are specific cloud computing security-related and service-related considerations that must be addressed. An interesting question in cloud environments is the necessity of a network perimeter. Whereas servers and virtual machines can be secured tightly with a traditional perimeter, cloud VPNs may need a perimeter firewall in addition to the device and server firewalls, which can be provided by the operating system and additional security software. Additionally, a network perimeter in the form of a UTM firewall may be particularly useful for enterprises that have a variety of networked devices that need to be protected. For other environments, though, managing the devices, end-user access and central administrative control are critical to ensuring cloud VPN security.

Editor’s Note: This column originally appeared in TechTarget’s SearchEnterpriseWan.

By Rainer Enders, CTO of Americas for NCP engineering

Internet VPNs are not the same as Web SSL VPNs, although SSL VPNs are considered a type of Internet VPN.

Internet virtual private networks (VPNs) dominate the security domain in the corporate world. The proliferation of mobile working is driving the growing need to secure data communications over the Internet. The two major technologies for Internet VPNs are IPsec and Web SSL.

IPsec, an Internet Engineering Task Force (IETF) standard, is a set of protocols developed to secure data traffic over IP networks. It offers transparent communication of any IP-based application. IPsec has two main implementation scenarios:

  • gateway to gateway communication, which is used in hub-and-spoke or full mesh topologies to connect remote or branch office network locations; and
  • mobile device to gateway communication (also known as “dial-up VPN”).

IPsec has increasingly been criticized for major shortcomings as a VPN technology, such as interoperability, scalability, manageability and its client-centric approach. Although some leading-edge VPN technology vendors have fully addressed those issues, major network vendors and customers are increasingly focusing on and emphasizing the SSL protocol to establish secure VPN connections.

The fundamental difference between SSL and IPsec is that SSL relies on the web browser as the client technology, whereas IPsec rests on a platform-specific client that can be managed and controlled. IPsec is also a central element of security in IPv6, the next version of the Internet Protocol. One of the key weaknesses of SSL lies in the authenticity aspect of secure communication: major VPN security breaches, such as the Comodo and DigiNotar incidents, were caused by a blind reliance on the technology’s certificate authority (CA) model.
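The CA-model weakness the column points to (a certificate for the gateway's name mis-issued by a compromised CA still validates against the system trust store) can be narrowed on the client side by pinning the gateway's public key. The following is an added example in Go, not the column's or NCP's code: a tls.Config.VerifyPeerCertificate hook, which Go runs after normal chain validation, accepts only a leaf whose SubjectPublicKeyInfo hash matches a pin the operator ships with the client configuration; the self-signed certificates are constructed test data, and the gateway name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin hashes the SubjectPublicKeyInfo: a key pin survives renewals that keep the same key.
func SPKIPin(cert *x509.Certificate) [32]byte { return sha256.Sum256(cert.RawSubjectPublicKeyInfo) }

// PinnedVerifier builds a tls.Config.VerifyPeerCertificate callback. Go runs it after normal
// CA-chain validation, so a mis-issued cert from any trusted CA still fails unless its key is pinned.
func PinnedVerifier(pins ...[32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pin check: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return fmt.Errorf("pin check: %w", err)
		}
		for _, p := range pins {
			if SPKIPin(leaf) == p {
				return nil
			}
		}
		return fmt.Errorf("pin check: gateway key is not one of the pinned keys")
	}
}

// selfSigned makes a throwaway certificate (constructed test data, not a real gateway cert).
func selfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	good, rogue := selfSigned(), selfSigned() // same name could be issued by any CA; keys differ
	verify := PinnedVerifier(SPKIPin(good))   // use as tls.Config{ServerName: "vpn.example.com", VerifyPeerCertificate: verify}
	fmt.Println(verify([][]byte{good.Raw}, nil), "/", verify([][]byte{rogue.Raw}, nil)) // <nil> / error
}
```

Distribute a second pin for the next gateway key before rotating it, or the clients lock themselves out; with two pins in the list the check above accepts either key during the changeover.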

Therefore, many network security experts today favor a hybrid approach of IPsec and SSL when it comes to Internet VPNs. The hybrid approach provides the best of both worlds and allows the highest level of security to be applied as required by the situation.


The final myth in our series isn’t just about SSL – it’s about security. The prevailing attitude at organizations – no matter the size – is that the responsibility for security falls in the court of someone with a job title related to security, like application security specialist, cyber security guru or chief security officer, and so forth. As a result, the well-known SSL vulnerability announcements (and any security alert, for that matter) are often overlooked and ignored by the development staff.

But in reality, when employees use SSL technology, as provided by their company’s VPN client vendor to remotely log in to use sensitive company resources, they should bear some responsibility for ensuring security. Yet, few of these employees ever realize that effective security should be everyone’s concern.

Of course, this mentality is not entirely the fault of employees. The companies themselves and their executive leadership are ultimately responsible for ensuring all personnel have adequate security training. Legal statutes and regulatory regimes in every industry require companies to create a culture of awareness and security knowledge through effective training programs. When organizations lack definitive security policies, this type of thinking is more pervasive.

But in today’s world, the stakes are far too high for a single department to shoulder the full responsibility for securing an organization. All employees, no matter where they sit in the organization, should have some degree of security training.



What We’re Reading, Week of 12/12

Posted: December 16, 2011 in Highlights

SecurityWeek, 2011 IT Security Review. Will 2012 be the year of ubiquitous encryption?
Dark Reading, VPN An Oft-Forgotten Attack Vector
Help Net Security, PCI DSS is working, but there are challenges to overcome
Laptop Magazine, How a Virtual Private Network Can Boost Your Security
SearchEnterpriseWan, Are SSL VPNs secure enough for enterprise use?