EtherFast® Cable/DSL VPN Router with 4-Port 10/100 Switch
Instant Broadband® Series
Appendix B: Maximizing VPN Security
Just as you maximized your network security with a firewall router, you should
also maximize security for your data with the VPN Router.
IPSec is compatible with most VPN endpoints; it ensures the privacy and
authenticity of your data while also authenticating the user's identity. With
IPSec, authentication is based upon the PC's IP Address. This not only confirms
the user's identity but also establishes the secure tunnel at the network layer,
protecting all data that passes through.
By operating at the network layer, IPSec is independent of any applications
running on the network. This way, it doesn't harm your PC's performance and
still allows you to do more with greater security. Still, it is important to note
that IPSec encryption does create a slight slowdown in network throughput,
due to encrypting and decrypting data.
Some VPNs will still leave the IP headers decrypted. These headers contain the
IP Addresses for the users at both ends of the VPN tunnel and can be utilized
by the hacker in future attacks. The VPN Router, however, does not leave the
IP headers decrypted. Using a method called PFS (Perfect Forward Secrecy),
not only are the IP headers encrypted but the secret keys used to secure the
tunnel are encrypted as well.
All of this protection actually comes at a lower cost than most VPN endpoint
software packages. The VPN Router will allow the users on your network to
secure their data over the Internet without having to purchase the extra client
licenses that other VPN hardware manufacturers and software packages will
require. Because the router, rather than your PC, handles the VPN functions
(which software packages would place on the PC), your PCs are free to perform
more functions, more efficiently. An additional benefit is that you aren't
required to reconfigure any of your network PCs.
As secure as the VPN Router makes your data, there are still more ways to
maximize security. The following are a few suggestions on how to increase data
security beyond the VPN Router.
1) Maximize security on your other networks. Install firewall routers for your Internet connections, and use the most up-to-date security measures for wireless networking.
2) Narrow the scope of your VPN tunnel as much as possible. Rather than allowing a range of IP Addresses, use the addresses specific to the endpoints required.
3) Do not set the Remote Security Group to Any, as this will open the VPN to any IP Address. Host a specific IP address.
4) Maximize encryption and authentication. Use 3DES encryption and SHA authentication whenever possible.
5) Manage your pre-shared keys. Change pre-shared keys regularly.
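The five suggestions above can be checked mechanically against a tunnel policy. The following Python script is an added example and is not Linksys code or a feature of the VPN Router: it lints a tunnel policy for a security group set to Any, for security groups that cover a range rather than the specific endpoints, for encryption other than 3DES, for authentication other than SHA, and for a pre-shared key that has not been changed recently. The dictionary layout, its field names and the 90-day key-rotation interval are assumptions chosen for illustration (the appendix only says "regularly"), and the two sample policies are constructed, not taken from any real router.

```python
"""Lint an IPsec tunnel policy against the five recommendations in this appendix.

Added example, not Linksys code.  The tunnel dictionary layout and its field
names are assumptions chosen for illustration; the router's own configuration
pages use different labels and do not export settings in this form.
"""
from __future__ import annotations

import ipaddress
from datetime import date

# Assumed rotation interval: the appendix only says to change keys "regularly".
MAX_PSK_AGE_DAYS = 90

# Constructed audit date used by the demo and the sample audit below.
AS_OF = date(2004, 4, 1)

# Constructed sample policies (not taken from any real router).
WEAK_TUNNEL = {
    "name": "branch-office (weak)",
    "local_security_group": "192.168.1.0/24",  # whole subnet (recommendation 2)
    "remote_security_group": "Any",            # open to any address (recommendation 3)
    "encryption": "DES",                       # 3DES preferred (recommendation 4)
    "authentication": "MD5",                   # SHA preferred (recommendation 4)
    "psk_last_changed": date(2003, 1, 15),     # stale pre-shared key (recommendation 5)
}

HARDENED_TUNNEL = {
    "name": "branch-office (hardened)",
    "local_security_group": "192.168.1.10/32",   # one host, not a range
    "remote_security_group": "203.0.113.5/32",   # a specific remote endpoint
    "encryption": "3DES",
    "authentication": "SHA",
    "psk_last_changed": date(2004, 3, 1),
}


def is_any(group: str) -> bool:
    """True for the catch-all 'Any' security group setting."""
    return group.strip().lower() == "any"


def scope_size(group: str) -> int:
    """Number of IP addresses a security group entry covers (1 for a single host)."""
    return ipaddress.ip_network(group.strip(), strict=False).num_addresses


def lint_tunnel(tunnel: dict, today: date) -> list[str]:
    """Return one finding per recommendation the tunnel policy violates."""
    findings: list[str] = []

    remote = tunnel["remote_security_group"]
    if is_any(remote):
        findings.append("remote security group is Any: the tunnel accepts any IP address (recommendation 3)")
    elif scope_size(remote) > 1:
        findings.append(f"remote security group {remote} is a range; use the specific endpoint address (recommendation 2)")

    local = tunnel["local_security_group"]
    if is_any(local):
        findings.append("local security group is Any; restrict it to the required hosts (recommendation 2)")
    elif scope_size(local) > 1:
        findings.append(f"local security group {local} covers {scope_size(local)} addresses; narrow it to the required hosts (recommendation 2)")

    if tunnel["encryption"].upper() != "3DES":
        findings.append(f"encryption is {tunnel['encryption']}; use 3DES (recommendation 4)")

    if tunnel["authentication"].upper().replace("-", "") not in ("SHA", "SHA1"):
        findings.append(f"authentication is {tunnel['authentication']}; use SHA (recommendation 4)")

    key_age = (today - tunnel["psk_last_changed"]).days
    if key_age > MAX_PSK_AGE_DAYS:
        findings.append(f"pre-shared key is {key_age} days old; change pre-shared keys regularly (recommendation 5)")

    return findings


def audit_samples() -> dict[str, int]:
    """Lint both constructed sample policies as of AS_OF; returns finding counts."""
    return {
        "weak": len(lint_tunnel(WEAK_TUNNEL, AS_OF)),
        "hardened": len(lint_tunnel(HARDENED_TUNNEL, AS_OF)),
    }


if __name__ == "__main__":
    for policy in (WEAK_TUNNEL, HARDENED_TUNNEL):
        findings = lint_tunnel(policy, AS_OF)
        print(f"{policy['name']}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as-is, the weak policy produces five findings (one per recommendation, with recommendation 1 being outside the tunnel policy itself) and the hardened policy produces none. The range check uses the address count of each security group, so a bare host address and a /32 are both accepted while a /24 is flagged.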
Data transmission over the Internet is a hole in network security that is often
overlooked. With VPN maximized, along with the use of a firewall router and
wireless security, you can secure your data even when it leaves your network.