Encryption & Network Security

Tutorial #10: VPN

  1. Consider a business with its head office in Melbourne and a branch office in Bendigo, 150km to the North West. This business has a need for a highly secure corporate intranet. Conventional wisdom states that the business would have a single, firewalled and highly-secure point of connection to the global Internet, probably in Melbourne. What factors would influence the businesses IT manager to choose a different configuration? Discuss.
  2. What's the problem with transport mode IPsec in relation to firewall filtering? In what respect does it make filtering more difficult?
  3. ESP data transfer mode in IPsec is designated as "IP protocol 50". What does this mean?
  4. What are the routing implications of IPsec? In other words, how is routing involved/configured in a VPN setup built over IPsec?
  5. A consultant to your business has suggested that the VPN function should occur within the private network at each of the sites involved, instead of in the DMZ, because the data involved is private and it's best not to expose private data to the DMZ. What do you think of this idea?
  6. In the "2xrouters+DMZ+Bastion" firewall architecture, where should the VPN function (encoding and decoding) occur? Give reasons.
  7. In the the lecture, mention was made of combining NAT and VPN. Why might you wish to do this? Give an example.
  8. Microsoft's PPTP protocol is built around the Internet-standard PPP protocol, commonly used for dial-in Internet access. What were they thinking? In other words, what do VPNs and dial-in access have in common?
  9. OpenVPN is a TLS based VPN - what does this mean? What are the benefits of this approach?
  10. OpenVPN can be configured to operate in "Ethernet Bridging" mode, rather than the traditional "Routing" mode used by most VPNs. How might this work and what advantages might it provide?
  11. With slight configuration mods, VPNs are an excellent way for (so-called) "road warriors" to stay in touch with "home base". Why is this, what is the alternative and why is the VPN approach considered to be better? Furthermore, what security implications might "road warriors" pose?
  12. In the lecture it was claimed that the use of tunnelling could be a significant security risk to an organisation. To what extent is this true? What has to happen for this risk to become apparent? How can the risk be minimised?
  13. Research question: investigate the encryption technologies used in IPsec.