Virtual Private Networks (VPN) part 1: site to site

We use VPNs to enhance network security in two ways: site-to-site VPN and remote access VPN.

A site-to-site VPN creates a connection between two private networks via the internet. The simplest example is a business with two sites, each with its own internet connection:

Site 1: 192.168.0.0/24, router R1 192.168.0.1, external IP address 203.45.30.45

Site 2: 192.168.10.0/24, router R2 192.168.10.1, external IP address 84.33.24.77

Ideally, each of the external IP addresses is a static IP address, that is, it does not change. The two routers create a secure tunnel between themselves, and each gets a tunnel interface. Let's say R1 has a tunnel interface of 10.10.10.1 and R2 has a tunnel interface of 10.10.10.2.

The static route from site 1 (network 1) to network 2 needs to be set on router 1, i.e.

ip route 192.168.10.0 255.255.255.0 10.10.10.2

So an attempt to reach a computer on network 2, C2 (192.168.10.90), from a computer on network 1, C1 (192.168.0.55), proceeds as follows:

C1 determines that the packet needs to leave the subnet and sends it to its default gateway, R1. R1 matches the destination against the static route and sends it to the tunnel interface on R2. R2 knows how to send the packet to C2 and does so.

You will need the opposite route configured on R2 as well, i.e.

ip route 192.168.0.0 255.255.255.0 10.10.10.1

Now computers can see each other regardless of which site they are on.

This functionality is built into Next Generation Firewalls (NGFW) but is often available on cheaper commodity modem routers as well. It is possible to tunnel from within the network with technology such as SoftEther or OpenVPN, but the routing is more difficult.

How much can an NGFW do?

A next generation firewall can add a great deal of security to the network. Configured correctly, it will not allow connections to known malicious sites. It will scan all unencrypted traffic, so it has a good chance of blocking the download of a virus from a website if that download is not using encryption. One hopes that malicious websites do not have a trusted certificate, although that cannot be relied upon: malware authors have previously hijacked certificates to allow such traffic through. In general, the NGFW will not scan the contents of encrypted (HTTPS) webpages unless configured for deep SSL inspection. If so configured, many services within the network, such as Windows Update, may stop working.

Webmail clients such as Gmail use HTTPS for communication with their servers, so unless deep SSL inspection is enabled for webmail services, the NGFW is not protecting against ransomware delivered by that vector.

To use this email with the deep inspection necessary to detect viruses, the NGFW certificate must be installed on all of the client computers that will use the email. Email remains the number one infection route for ransomware, so this is a very important, albeit moderately difficult, step.

Versioning

A backup system with versioning allows the reconstruction of a given file or set of files at a particular point in time.

Say you have a file important_stuff.docx and this file gets corrupted: by you, by accident or by ransomware.

Without a versioning system, the backup will be corrupted along with the original. With many files, or large ones, the problem is that storing multiple full copies of each file starts to use up a lot of disk space.

Efficient backup systems will store either the original (O) and the changes, so that the 3rd version can be created from O+1+2+3, or the most recent version (C) and the reverse changes, so that the third version of 4 can be created from C-1.

Most ransomware will attempt to modify the file in place and then rename it. Backup software without versioning works most of the time (assuming the backup location is safe) by keeping the original and the corrupted version. However, some versions of ransomware do not rename the file, and without versioning the backups will also be corrupted.
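
The reverse-change scheme described above, as an added example (not code from any backup product; the class and function names and the sample file contents are constructed for illustration). It treats important_stuff.docx as lines of text, keeps the newest version (C) in full, and compares restoring from it with a backup that has no versioning when ransomware overwrites the file without renaming it.

```python
import difflib

def make_delta(src, dst):
    """Return ops that rebuild dst from src: copy a src range or insert new lines."""
    ops = []
    matcher = difflib.SequenceMatcher(None, src, dst, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))        # unchanged lines: store only a reference
        elif tag in ("replace", "insert"):
            ops.append(("data", dst[j1:j2]))    # changed lines: store the content
    return ops                                  # a "delete" needs no op

def apply_delta(src, ops):
    out = []
    for op in ops:
        out.extend(src[op[1]:op[2]] if op[0] == "copy" else op[1])
    return out

class ReverseDeltaStore:
    """Keeps the most recent version (C) in full plus reverse changes to older ones."""
    def __init__(self):
        self.current = None
        self.reverse = []   # reverse[k] turns version k+2 back into version k+1

    def backup(self, lines):
        if self.current is not None:
            self.reverse.append(make_delta(lines, self.current))
        self.current = list(lines)

    def restore(self, version):
        """Rebuild a 1-based version number by walking back from C."""
        data = self.current
        for ops in reversed(self.reverse[version - 1:]):
            data = apply_delta(data, ops)
        return data

# Constructed sample history of important_stuff.docx, treated as lines of text.
V1 = ["budget 2024", "rent 1000", "power 200"]
V2 = ["budget 2024", "rent 1000", "power 250"]
V3 = ["budget 2024", "rent 1000", "power 250", "water 40"]
V4 = ["9f3a71c0e2", "b81d04aa57", "c6e2f0913d", "07ab5519fe"]  # stand-in for encrypted content

def demo():
    store, mirror = ReverseDeltaStore(), None
    for snapshot in (V1, V2, V3, V4):
        store.backup(snapshot)
        mirror = list(snapshot)    # backup without versioning: same name, overwritten
    return mirror, store.restore(3), store.restore(1), len(store.reverse)
```

After the fourth backup the non-versioned copy holds only the encrypted content, while restore(3) applies a single reverse change to C and returns the last good version.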