For a long time, VPNs (Virtual Private Networks) existed more in theory than in reality. For years, I read about VPNs in books and magazines, but hardly ever saw anyone actually using one. However, that’s starting to change these days. More and more companies are starting to use VPNs as a cost-effective alternative to dedicated WAN connections. As more companies are beginning to use VPNs, I’ve started seeing more examples of the right way and the wrong way to implement them. In this article we will look at some VPN configurations to avoid.
In case you’re unfamiliar with VPNs, VPNs are a method of creating a secure connection between two networks over an insecure medium; typically the Internet. The premise behind the technology is that since practically everyone has access to the Internet, companies can use it as the route between their offices, rather than relying on expensive dedicated WAN connections. Because of the way that VPNs work, each network must have a computer that acts as a sort of VPN router. This computer’s responsibility is to determine which packets are destined for the remote network, secure those packets, and send them to their destination.
Because of the role of this server, many people try to use the same server both to control their VPN, and to host their company’s Internet connection sharing. However, bad things happen when you create a VPN connection on a computer that’s running Windows’ Internet Connection Sharing service. When you create such a configuration, all of the traffic from clients that would normally be destined for the Internet will be passed through the VPN link instead. This not only means that your clients won’t be able to access Internet resources, but it also means that all of the branch office’s computers will be passing data across a VPN connection using the credentials of the Internet Connection Sharing account, rather than using the security settings that you defined for the VPN connection. As you can see, this configuration in addition to not working correctly, poses great security risks.
Another bad configuration involves people trying to hook the raw Internet connection directly into a network hub. Typically, this occurs in situations in which DSL is used for Internet access, since most DSL modems plug directly into a network card in a server. However, I’ve seen administrators plug the DSL modem into a hub, and then try to plug a VPN server and an Internet connection sharing server into the hub. The problem with this approach is that it directly exposes your network to the Internet. Network clients can gain access to the Internet without even passing through a VPN server or Internet connection sharing server. Such a configuration exposes your entire network to the outside world, making it extremely vulnerable to attack or information theft. Instead, you should always have a firewall between your Internet connection and your VPN server. Many firewalls, such as Microsoft Proxy Server, can even act as a sort of Internet connection sharing server (without using the Internet Connection Sharing service).
As you can see, setting up a VPN incorrectly can cause your network to malfunction and can pose serious security risks. As you create a VPN, just remember not to use either of the configurations we’ve described.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it’s impossible for him to respond to every message, although he does read them all.
