VPN - secure company branch connection
A secure information and communications infrastructure is one of the key aspects of every company, and it should be provided at every level of the IT structure, including the computer networks. At the same time, an increasingly common scenario is company decentralization: a business is divided into branches, and some employees work remotely and need access to data held on company servers from outside the local network. The solution to the problem of secure communication for remote workers, or of joining company branches into one network, is VPN (virtual private network) technology. VPNs are overlaid on the public Internet, creating logical connections between company routers called VPN tunnels. The essence of VPN technology is the encryption and authentication of all traffic carried in the VPN tunnel. A series of cryptographic algorithms is used, such as symmetric and asymmetric encryption, hash functions and certificates, to secure the transmission in VPN tunnels across the public Internet. From the point of view of how the connection is established, two types can be distinguished:
- Site-to-site tunnel – a VPN connection established between routers, most commonly used to connect company branches. The connection is established permanently, and cross-branch traffic is routed according to the routing protocols. Site-to-site tunnels are also used to connect the company with public cloud providers such as Azure or AWS when we intend to build a hybrid environment or move the whole infrastructure to the cloud. The data transferred between the company network and the cloud is encrypted.
- Client-to-site – a VPN connection between a router and the user's device. The connection is established at the user's request; the user has to go through the authorization and authentication processes before the connection is established. User authentication can be based on a login and password in connection with directory services such as Active Directory, or on the use of certificates. A client-to-site tunnel enables secure remote work.
Tunnels can also be distinguished by the communication protocol:
- IPSec – the most popular set of communication protocols. It works on the principle of encapsulation: the original IP packet is wrapped with additional header information, and its content is encrypted. IPSec is a set of protocols created, among others, by the NSA, and the RFC documentation describing IPSec is itself quite vague, which can lead to discrepancies, especially when we want to establish a connection between devices from different manufacturers. Two basic stages are distinguished in the communication. The first is the authorization stage and the negotiation of transmission parameters, such as the set of cryptographic algorithms used by both sides; this is handled by the IKE family of protocols. The second stage is the data exchange itself.
- WebVPN – a set of IT technologies that use TLS/SSL to secure data transmission between devices. WebVPN is clientless: in the case of client-to-site connections the user does not need a specialized application, and an encrypted connection can be established from a browser through a website. Moreover, WebVPN protocols are less sensitive to network characteristics such as NAT than IPSec is.
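As an added illustration of the IPSec site-to-site tunnel and its two stages described above (this is example configuration written for this page, not the company's or Cisco's own material): a Cisco IOS IKEv1/IPsec policy with the legacy, weak algorithm choices shown beside a hardened equivalent. The peer address 203.0.113.2, the branch networks 10.1.0.0/16 and 10.2.0.0/16, the interface name and the policy, transform-set and access-list names are constructed placeholders, and the pre-shared key is a placeholder that must be replaced.

```cisco
! --- Weak IKE phase 1 policy (legacy algorithms; shown only so it can be recognised and removed) ---
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto ipsec transform-set WEAK-TS esp-des esp-md5-hmac

! --- Hardened equivalent ---
! Remove the weak policy first: IOS proposes policies in ascending priority order,
! so a leftover policy 10 would still be offered to the peer before policy 20.
no crypto isakmp policy 10
no crypto ipsec transform-set WEAK-TS

! Stage 1 (IKE): the algorithm set negotiated for the control channel
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Pre-shared key bound to the remote branch router (placeholder key and address)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.2

! Stage 2 (IPsec): protection of the data exchange itself (ESP, tunnel mode)
crypto ipsec transform-set STRONG-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600

! Only traffic between the two branch networks (constructed example addresses) enters the tunnel
ip access-list extended BRANCH-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG-TS
 set pfs group14
 match address BRANCH-TRAFFIC

! Apply the crypto map to the Internet-facing interface (interface name is an assumption)
interface GigabitEthernet0/0
 crypto map BRANCH-MAP
```

The same algorithm set (encryption, hash, DH group, lifetimes) has to be configured on the router at the other branch, otherwise the IKE negotiation fails; this is exactly where the cross-manufacturer discrepancies mentioned above usually surface, because each vendor names and defaults these parameters differently. After both sides are configured, `show crypto isakmp sa` shows whether the stage 1 negotiation completed, and `show crypto ipsec sa` shows the stage 2 security associations and the packet counters of the data exchange.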
Our company deploys IT services for secure cross-branch connections and remote work. We use equipment from top manufacturers such as Cisco.