
VPN Consultants FAQ Security in San Francisco Bay Area

VPN Consultants Team in San Francisco Bay Area

We hope that this FAQ, compiled by our VPN consultants, will help you answer most basic questions. Whatever solution you eventually choose, and given the complexity of the issues involved, we strongly recommend that you work with VPN consultants or a network security firm, and humbly invite you to contact us for specific VPN questions or for a FREE ON-SITE EVALUATION.


Security Issues

Are VPNs really secure? 
As long as data packets travel on a publicly shared network like the Internet, they are potential targets for malicious attackers.
VPNs answer that specific problem by multiplying the security mechanisms. The question is "how safe is safe enough?" The most popular VPN protocols have been deemed vulnerable to certain types of attacks. Therefore only VPN solutions that incorporate several mechanisms, from software patches to additional hardware devices and security standards, can make VPNs, if not totally safe, at least safe enough. In this context your main security flaws will be those caused by the VPN users, or VPN consultants, rather than the VPN itself.


What are the VPN security standards? 
Secure VPNs only apply additional security protocols either to the network "tunnel" or to the data being transmitted in the tunnel. There is currently no universal VPN standard per se. Although the Internet Engineering Task Force (IETF) provides an international platform for developers' communities, it can only come up with recommendations, which are more or less implemented but mostly integrated within proprietary protocols. Among those, popular VPN security protocols such as PPTP, L2TP and IPsec are contending to become de facto standards, each with its strong and weak points, but at this point in time there is no certainty about which will prevail, if any.


What is strong VPN security? 
Technically speaking, VPN security is mainly based on two techniques: encryption, to ensure data integrity and privacy, and authentication, to verify that users have the right to access the private network and to determine which data they can access. The stronger the encryption and authentication mechanisms are, the safer the VPN is. As in real life, you will often have to settle for less freedom and management flexibility when opting for stronger security measures.


How do I control VPN user access? 
By definition, a VPN generally requires configuration of some sort of access device, either software or hardware-based, to set up a secure channel using private encryption and security parameters. A casual user can't just "use" your VPN, since some knowledge is required to allow the remote user or site access to your network (or even to begin a VPN handshake!). Allowing VPN access only in conjunction with strong authentication also prevents an intruder from successfully authenticating to your network, even if they somehow configured or captured a VPN session.


How do I control VPN traffic? 
Depending on the VPN solution being implemented, there are a few ways to control the type of traffic sent over a VPN session. Many VPN devices allow you to define a user- or group-based filter, which can control the IP addresses and protocol/port services allowed through a tunnel. In addition, IPsec-based VPNs allow you to define a list of networks to which traffic can be passed (Security Associations). The first mechanism allows the administrator to limit access to specific networks/machines and applications on her network. The second usually provides full connectivity to the private network.
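
An added example (not part of the original FAQ and not any vendor's configuration syntax) that models the two mechanisms above and shows which flows a network list alone would carry but a per-group filter blocks. Group names, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Mechanism 2 (network list): destinations the tunnel will carry at all.
# All names, addresses and ports below are constructed for illustration.
TUNNEL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

@dataclass(frozen=True)
class Rule:
    dest: ipaddress.IPv4Network
    proto: str
    port: int

# Mechanism 1 (user/group filter): per-group destination + protocol/port rules.
GROUP_FILTERS = {
    "accounting": [Rule(ipaddress.ip_network("10.20.5.10/32"), "tcp", 443)],
    "it-admins": [Rule(ipaddress.ip_network("10.20.0.0/16"), "tcp", 22)],
}

def network_list_allows(dest: str) -> bool:
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in TUNNEL_NETWORKS)

def group_filter_allows(group: str, dest: str, proto: str, port: int) -> bool:
    addr = ipaddress.ip_address(dest)
    # A group with no filter entry gets no rules, i.e. default deny.
    return any(addr in r.dest and proto == r.proto and port == r.port
               for r in GROUP_FILTERS.get(group, []))

def decide(group: str, dest: str, proto: str, port: int) -> str:
    if not network_list_allows(dest):
        return "drop: outside tunnel networks"
    if not group_filter_allows(group, dest, proto, port):
        return "drop: group filter"
    return "allow"

def passed_by_network_list_only(flows):
    """Flows the network list alone would carry but the group filter blocks."""
    return [f for f in flows if network_list_allows(f[1]) and decide(*f) != "allow"]

SAMPLE_FLOWS = [  # constructed
    ("accounting", "10.20.5.10", "tcp", 443),
    ("accounting", "10.20.7.3", "tcp", 445),
    ("it-admins", "10.20.7.3", "tcp", 22),
    ("contractors", "10.20.5.10", "tcp", 443),
    ("it-admins", "192.168.1.5", "tcp", 22),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", decide(*flow))
```

The second and fourth sample flows are the ones that reach the private network when only the network list is in place.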


What is strong encryption?
Encryption systems depend on two mechanisms to guarantee data confidentiality. The encryption algorithm provides the mathematical "rules" that convert the plain text message to a random ciphertext message. The algorithm provides steps for convolving the plain text message with an "encryption key," a block of (typically) alphanumeric data that introduces the random element into the ciphertext message. The longer the secret key is, the more time it takes for an attacker to test all possible values of the key - and determine the plain text content of the message. This sort of attack is called a brute force attack. Only strict protocols such as IKE, PKI or ISAKMP can provide enough safety for private data to travel on the Internet. Decrypting one such protected data packet through brute force technique would presumably take a lifetime for an army of computers. But even if that's not the case, it certainly is a must in terms of VPN security.


Does encryption affect performance? 
The encryption process increases the load on network devices, potentially limiting overall throughput. Since VPN encryption is processed up to 10baseT speeds, on connections like dial-up modems VPN encryption is too fast to even be noticed compared to Internet delays. Most performance slowdowns will in fact result from inconsistent Internet connections rather than from encryption processing overhead. VPN systems that compress encrypted data before sending them may even slightly improve connections in specific cases. For noncompressing VPN clients the average decrease in network traffic performance hovers around 20%. For usual applications, such as web browsing and e-mail, this is negligible. But interactive applications, such as virtual terminals, may experience as much as a 60% increase in network latency. Setting aside connection performance problems, a 100Mb/s LAN can experience serious traffic slowdowns, especially if remote users frequently access local applications or transfer large amounts of data. In other words, if you put a VPN into your network, be prepared to see quite a bit, and sometimes a lot, of bandwidth disappear.


What is strong authentication? 
Many methods exist to provide user authentication. Usually one is not enough, while integrating several of them can prove cumbersome or simply unfeasible. Also keep in mind that the "weakest link" in the VPN fence remains the users themselves. Most VPN systems include local authentication, which looks up user information in a database stored on the VPN device or VPN management station, but you should probably also provide a gateway to some external authentication database to avoid creating yet another password for users to forget. In the absence of an official standard, a consensus has been built around RADIUS (Remote Authentication Dial-In User Service) as the best network-based authentication gateway available. RADIUS servers provide an additional layer of security to Windows-based security policies as well as to other systems using tokens or smart cards, such as SecurID or Cryptocard.


ActivSupport delivers consulting and outsourcing services across Microsoft, Linux, and Macintosh networks to small businesses and enterprises alike all over the U.S. For a free consultation, call ActivSupport at 1-877-ACTIVNET (1-877-228-4863) or use our online contact form.

  900 Cherry Avenue, 4th Floor, San Bruno, CA 94066