Virtual Private Networks (VPN) part 1 site to site

We use VPNs to enhance network security in two ways: site-to-site VPN and remote access VPN.

A site-to-site VPN creates a connection between two private networks via the internet. The simplest example is a business with two sites. Each has its own internet connection.

site 1 : router R1 external IP address

site 2 : router R2 external IP address

Ideally, each of the external IP addresses is a static IP address, that is, it does not change. The two routers build a secure tunnel between themselves, and each creates a tunnel interface. Let’s say R1 has a tunnel interface of and R2 has a tunnel interface of

The static route from site 1 (network 1) to network 2 needs to be set in router R1, i.e.

Ip route

So an attempt by a computer C1 on network 1 to reach a computer C2 on network 2 proceeds as follows:

C1 determines that the packet needs to leave its subnet and sends it to the default gateway R1. R1 matches the destination against the static route and sends the packet through the tunnel to the tunnel interface on R2. R2 knows how to reach C2 and delivers the packet.

You will need the reverse route configured as well, i.e.

Ip route

Now computers can see each other regardless of which site they are on.

This functionality is built into next generation firewalls but is often available on cheaper commodity modem routers as well. It is possible to tunnel from a host within the network with software such as SoftEther or OpenVPN, but the routing is then more difficult.

Remote File Systems

One feature of computer networks we use at the office is access to files that are on a remote server. This might be a shared drive, a network attached storage device or similar. The capability is also used by much medical and imaging software. Software on the client computer accesses files on a remote computer via a share. Underpinning this capability is a brilliant invention – the remote file system.

Although there are a number of these systems, including AFS and NFS, almost all such communication is now done through the Microsoft Server Message Block (SMB) file sharing system. The system offers great flexibility, including strong authentication of users, authorization of rights for those users, and the ability to lock all or part of a file to prevent two users who are accessing it simultaneously from making incompatible changes.

In a Windows Active Directory, the system is even more powerful, with the domain controller authenticating users via the Kerberos protocol, which is built on strong encryption.

Unfortunately, the power of SMB file sharing also yields its key vulnerability to ransomware. Malware that runs within the context of a logged-on user can use those credentials to traverse the network, finding network shares on every computer in the domain. Worse, on computers running Windows 8 or earlier, the malware can actually extract the username and password from memory. If that user has domain administrator privileges, the malware can destroy the whole network. The malware can also run a dictionary attack within the domain to try to crack the “Administrator” account, giving it supreme power within the domain, even the ability to lock out all existing users.

Using SMB file sharing as the method between client and imaging server constitutes an unacceptable security risk by design. Software and hardware vendors should be strongly discouraged from using this technology, convenient though it is.

The other consideration is that backups created using this technology are also extremely vulnerable to ransomware, which will seek them out. It is much safer to send the backups to a remote location by a technology other than SMB file sharing.

It is precisely the fact that ransomware targets, and often succeeds in destroying, backups before or at the same time as attacking the primary files that often makes paying the ransom the only option.

The way back – Static routes

Our recommendation is to segment part of the network behind a routed firewall to protect backups and virtual hosts. The problem is that computers on our general network cannot find the secure network segment.

Our general network, including our virtual servers (not the hosts), is on the network with a gateway of Consider a computer C2 on this network with an IP address of

Our secure segment is behind a routed firewall. That network segment is with a gateway of Consider our host server H1 at

Our routed firewall F1 has two interfaces – one in each network. These are and

So C2 tries to communicate with H1. C2 determines that the address of H1 is outside its subnet, so it sends the frame to its default gateway. The gateway has no route for the secure segment, so it sends the packet out to the internet and not to F1. The communication never reaches H1.

The solution to this problem is to add a route on the gateway router pointing the secure segment at F1. In Cisco IOS this would be

ip route

With a Cisco ASA it can be configured through the web interface.

With a FortiGate it can also be done through the web interface.

This added complexity is necessary to protect the secure segment as fully as possible from a compromise of the office network segment.
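The forwarding decision in both the site-to-site VPN section and this static-routes section is the same one: the router picks the most specific route that matches the destination, and the default route only wins when nothing else matches. The following is an added example, not code from the original post, modelling that with a small longest-prefix-match table. All addresses (10.10.0.0/24 for the office LAN, 10.20.0.0/24 for the secure segment, 10.1.0.0/24 and 10.2.0.0/24 for the two VPN sites) and the next-hop labels are constructed for illustration.

```python
"""
Added example (not from the original post): a model of how a router picks a
next hop, and why the static routes in the two sections above are needed.
All addresses and next-hop labels are constructed for illustration.
"""
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network
    next_hop: str                   # label for the next hop / exit interface


def add_route(table, cidr, next_hop):
    """Append a route; longest-prefix match below does the selection."""
    table.append(Route(ipaddress.ip_network(cidr), next_hop))


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins.
    0.0.0.0/0 is the default route and only matches when nothing else does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.next_hop if best else None


def office_gateway(with_static_route):
    """Gateway router of the office segment ('The way back - Static routes').
    Constructed: office LAN 10.10.0.0/24, secure segment 10.20.0.0/24 behind
    firewall F1 whose office-side interface is 10.10.0.254."""
    table = []
    add_route(table, "10.10.0.0/24", "directly connected (office LAN)")
    add_route(table, "0.0.0.0/0", "ISP (internet)")            # default route
    if with_static_route:
        # the equivalent of the 'ip route' line added on the gateway
        add_route(table, "10.20.0.0/24", "F1 via 10.10.0.254")
    return table


def site_router_r1():
    """R1 of the site-to-site VPN section. Constructed: network 1 is
    10.1.0.0/24, network 2 is 10.2.0.0/24 and is reached through the tunnel."""
    table = []
    add_route(table, "10.1.0.0/24", "directly connected (network 1)")
    add_route(table, "10.2.0.0/24", "tunnel interface to R2")
    add_route(table, "0.0.0.0/0", "ISP (internet)")
    return table


if __name__ == "__main__":
    # without the static route, the gateway sends H1's traffic to the ISP
    print(lookup(office_gateway(False), "10.20.0.10"))   # ISP (internet)
    print(lookup(office_gateway(True), "10.20.0.10"))    # F1 via 10.10.0.254
    print(lookup(site_router_r1(), "10.2.0.7"))          # tunnel interface to R2
    print(lookup(site_router_r1(), "203.0.113.5"))       # ISP (internet)
```

The second lookup is the whole point of the section: the gateway still has its default route, but the added /24 is more specific, so traffic for the secure segment now goes to F1 instead of the internet.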


A firewall is a device that separates two network segments and filters the flow of packets between them.

In general, firewalls are routers (a routed firewall), but they can also sit between separate physical parts of the same subnet. This is known as a transparent firewall. In this scenario, you would have two switches, each connected to a different interface on the transparent firewall. The advantage is that the firewall can be removed and the two switches connected together if necessary. This won’t work for a routed firewall, because the two parts are in different subnets and still need a router. Either type of firewall is much slower than a network switch, and slower than most routers when those are not also performing firewalling.

A simple firewall will track outgoing requests (for example an HTTP request for a webpage) and will allow the return traffic; this is known as a stateful firewall. It will also allow specified traffic to pass from the unsafe to the safe interface if it conforms to certain rules (port, protocol, source IP address etc).

This sort of firewall is good for the segment boundary but is inadequate for the interface to the internet. For that, a next generation firewall (NG firewall) is required. This will check each packet against regularly updated lists of threats. NG firewalls need an annual subscription. Popular vendors include Cisco, Fortinet and Palo Alto.
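To make the stateful behaviour concrete, here is an added example (not code from the original post) of a toy packet filter for the segment boundary: flows opened from the safe side are recorded so their replies can return, and anything else arriving from the unsafe side must match an explicit rule. The addresses (secure segment 10.20.0.0/24, office LAN 10.10.0.0/24), ports and rules are constructed for illustration.

```python
"""
Added example, not code from the original post: a toy stateful packet filter
for the segment boundary described above. All addresses, ports and rules are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: str    # CIDR the source address must fall in
    dport: int


class StatefulFirewall:
    def __init__(self, inbound_rules):
        self.inbound_rules = list(inbound_rules)
        self.state = set()   # 5-tuples of flows opened from the safe side

    def outbound(self, pkt):
        """Safe -> unsafe: permitted here, and the flow is remembered."""
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt):
        """Unsafe -> safe: allow the reverse of a tracked flow, otherwise
        only what an explicit rule permits; everything else is dropped."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "allow (established)"
        src = ipaddress.ip_address(pkt.src)
        for rule in self.inbound_rules:
            if (rule.proto == pkt.proto and rule.dport == pkt.dport
                    and src in ipaddress.ip_network(rule.src_net)):
                return "allow (rule)"
        return "drop"


def demo():
    """Constructed scenario. Safe side: secure segment 10.20.0.0/24 (backup
    server 10.20.0.5, hypervisor management 10.20.0.1). Unsafe side: office
    LAN 10.10.0.0/24. Only the admin workstation 10.10.0.50 may open TCP 443
    into the secure segment."""
    fw = StatefulFirewall([Rule("tcp", "10.10.0.50/32", 443)])
    # the backup server pulls data from the office file server (flow opened from the safe side)
    fw.outbound(Packet("tcp", "10.20.0.5", 51000, "10.10.0.10", 443))
    return [
        fw.inbound(Packet("tcp", "10.10.0.10", 443, "10.20.0.5", 51000)),  # reply to that pull
        fw.inbound(Packet("tcp", "10.10.0.20", 4444, "10.20.0.5", 445)),   # workstation reaching for the backup share
        fw.inbound(Packet("tcp", "10.10.0.50", 40000, "10.20.0.1", 443)),  # admin host, matches the rule
        fw.inbound(Packet("tcp", "10.10.0.51", 40000, "10.20.0.1", 443)),  # other host, no rule
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second verdict is the one that matters for the ransomware discussion earlier on the page: a compromised office workstation cannot open a connection to the backup server's file share, while the backup server's own outbound pull and its reply still work.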

Network Address Translation (NAT)

In the previous example, we had a router connecting our two private networks – the office network (the /24 means a subnet mask of and

So C1 sends the data to an interface on R1. R1 determines that the destination is via its other interface and sends the data on to O1. O1 needs to send the reply back to C1. It sends the reply to its gateway, the interface on R1, which sends it out the other interface back to C1. This all works fine.

When C1 wants to send a message to Gmail, for example, it finds the address of the server by DNS (you can do this yourself by typing nslookup at a command prompt). resolves to the IP This is not in the subnet, so the frame is sent to the router for the next hop.

The modem/router will have an IP address on the interface that faces the internet. This is known as the public IP address. You can find yours by going to the website

What Is My IP?

Without NAT, the return (source) IP address seen by Gmail would be the internal address of our computer C1. Gmail has no way of sending a reply to that private address, and it won’t work.

With NAT, the router changes the return (source) address from C1’s address to its own public IP address (which Gmail can reach), and when the reply comes in it changes the destination address back to C1’s address. It does this by maintaining a table of translations and rewriting ports. Ports are a feature of some layer 4 protocols (above layer 3) such as TCP and UDP. They are important to be aware of because firewall filtering can be done by port. Protocols that have no ports cannot be processed by NAT; examples include some of the protocols underpinning Virtual Private Networks (VPN). NAT will also make a mess of some other protocols, including the Voice over IP protocol SIP.
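The translation table described above, as an added example that is not code from the original post: a toy port-based NAT that rewrites the source of outbound packets to the router's public address plus a fresh port, maps replies back to the inside host, and refuses protocols that carry no port numbers (the limitation the paragraph mentions). The addresses are constructed; 203.0.113.7 stands in for the modem/router's public IP, and the two inside hosts deliberately use the same source port to show why the router must rewrite ports and not just addresses.

```python
"""
Added example, not code from the original post: a toy port-based NAT of the
kind the paragraph above describes. Addresses and ports are constructed.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]   # None for protocols that carry no port numbers
    dst: str
    dport: Optional[int]


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}    # (proto, inside_ip, inside_port) -> public port
        self.reverse = {}  # (proto, public port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> internet: rewrite the source address and port."""
        if pkt.sport is None:
            raise ValueError(f"{pkt.proto} carries no ports; cannot be translated here")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            port = next(self._ports)          # a unique public port tells inside hosts apart
            self.table[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> inside: restore the inside destination, or None (dropped)
        when no translation exists for that port."""
        inside = self.reverse.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])


def demo():
    """Two inside hosts using the same source port reach the same server."""
    nat = Nat("203.0.113.7")
    c1 = Packet("tcp", "192.168.1.20", 50001, "198.51.100.30", 443)
    c2 = Packet("tcp", "192.168.1.21", 50001, "198.51.100.30", 443)
    out1, out2 = nat.outbound(c1), nat.outbound(c2)
    reply = Packet("tcp", "198.51.100.30", 443, "203.0.113.7", out1.sport)
    back = nat.inbound(reply)
    stray = nat.inbound(Packet("tcp", "198.51.100.30", 443, "203.0.113.7", 9))  # unsolicited
    return out1, out2, back, stray


def portless_is_rejected():
    """IPsec ESP carries no port numbers, so it cannot be entered in the table."""
    try:
        Nat("203.0.113.7").outbound(Packet("esp", "192.168.1.20", None, "198.51.100.30", None))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in demo():
        print(p)
    print(portless_is_rejected())
```

The `stray` case is also why a NAT router incidentally blocks unsolicited inbound connections: with no table entry for the port, the router has nowhere to deliver the packet.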


A router connects subnets. To do this it takes an Ethernet frame, unpacks the IP (layer 3) packet within it, works out what to do with it, repackages it into a new Ethernet frame and sends it out another interface to the “next hop”. This consumes a fair amount of computing resources; routing is much slower than switching. An important point is that a router, even one with gigabit physical interfaces, cannot perform routing at anywhere near that speed.

Imagine that your practice is segmented with 2 switches:

  • The main network: computers and the server connected together with a 10-port switch. Network address (device IP addresses between and

    The default gateway is the router R1 at

    Consider a computer C1 at

  • The imaging network: the OCT machine and other imaging devices connected together with a second 10-port switch. This network

    The default gateway is a second port on the router with address

    Consider the OCT machine O1 at

So if C1 wants to reach O1, it first checks whether the device is in the same subnet. It isn’t in this case, so it sends the frame to the default gateway R1. R1 knows about both subnets, so it routes the packet to O1 on the second subnet. Replies from O1 back to C1 follow the same process in reverse.

We have now segmented the network. We have not yet made it much more secure though. If we had an insecure device, say a telnet client O2 at , it could still be reached from an intrusion (e.g. a virus) on the other network segment at . The router will send our information from one network to the other and back again. All we have stopped is a virus scanning for open services on the other network. For this to be a security measure, we need to filter (or firewall) what goes from one network to the other.

Most people think of a router as synonymous with a modem. Indeed, the device that provides our internet connection at home or in the office is in fact both a router and a modem. The router routes the packets from our private network to the outside world. The difference from the previous example is that it also does something special called network address translation, or NAT.

The IP network

Recall that the MAC address was (usually) set by the manufacturer and should be globally unique for a device. But where does the IP address of a device come from?

The IP address of a device is set by the user or network administrator. There are a number of key elements:

  • IP address: four 8-bit bytes, for example
  • Subnet mask: four 8-bit bytes that, together with the IP address, define the network address of the device. Each bit of the IP address is combined with the corresponding bit of the subnet mask in an AND operation. E.g. the network address of with subnet mask gives

    There are online tools for this, e.g.

    When an endpoint tries to contact another device on the IP network it first needs to work out whether the destination is in the same subnet. If not, the frame must be sent to the default gateway.
  • Default gateway: this is the device to which frames are sent if the destination IP address is not in the same subnet. This is usually the internet router or firewall.
  • DNS server: this is the IP address of the device that translates names, e.g. or spectralis.local, to IP addresses. In a home network this will usually be the ISP’s DNS server or Google’s server ( In a business network, it will usually be the domain controller (Windows server).
  • DHCP server: this is the IP address of the device that automatically allocates IP addresses. In a home network this is usually also the internet router. In a business network, it is normally the domain controller.

On a Windows workstation or server, you can retrieve the current settings by typing ipconfig /all at a command prompt.

Network Switches

The network switch is like a powerboard for the network. Each device is plugged in, and the switch facilitates communication between them. Devices might be:

  • workstations
  • printers
  • network attached storage
  • OCT machine

and so on

They are essentially layer 2 devices – they work on Ethernet frames and MAC addresses. The physical interface (the part where the network cable is plugged in) has a speed rating, now almost always 1 Gb/s, so the device is called a Gigabit switch. The number of ports can vary from 4 up to 48.

An Ethernet frame carries a source MAC address (where the frame comes from) and a destination MAC address (where it is going). Fundamentally, when a frame arrives on a switch interface, the switch must very quickly decide which of three things to do with it, based on those addresses:

  • Flood it. If the switch does not know which interface to send it to, it sends the frame out of all interfaces except the one on which it arrived.
  • Forward it. If the switch knows (from previous frames) which interface the destination is connected to, it sends the frame out of only that interface.
  • Drop it. Under certain circumstances the switch will drop the frame. It is then up to higher layers of the network to detect this and ask for retransmission (or not).
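The three decisions above depend on a table the switch learns from the source address of every frame it sees. The following is an added example, not code from the original post, that models that learning and the flood / forward / drop choice; the MAC addresses and port numbers are constructed, and the drop cases shown (a frame whose destination is on the very port it arrived on, and a frame that fails its checksum) are two of the circumstances the bullet refers to.

```python
"""
Added example, not code from the original post: a model of the flood /
forward / drop decision above, with a MAC table learned from source
addresses. MAC addresses and port numbers are constructed.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac, fcs_ok=True):
        """Return (action, egress ports) for one arriving frame."""
        if not fcs_ok:
            return "drop", []                     # corrupted frame: never learned, never sent
        self.mac_table[src_mac] = in_port         # learn: the sender lives on in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return "flood", [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:
            return "drop", []                     # destination is on the port it came from
        return "forward", [out_port]


def demo():
    """Hosts A and B on ports 1 and 2; C and D share port 3 through a hub."""
    sw = Switch(ports=[1, 2, 3, 4])
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    C, D = "02:00:00:00:00:0c", "02:00:00:00:00:0d"
    return [
        sw.receive(1, A, B),                # B unknown -> flood
        sw.receive(2, B, A),                # A learned on port 1 -> forward
        sw.receive(1, A, B),                # B now known on port 2 -> forward
        sw.receive(3, C, D),                # D unknown -> flood
        sw.receive(3, D, C),                # C is on port 3 itself -> drop
        sw.receive(4, A, B, fcs_ok=False),  # damaged frame -> drop
    ]


if __name__ == "__main__":
    for action, ports in demo():
        print(action, ports)
```

Note that the first frame from A is flooded even though A itself is now known: learning happens on the source address, but the decision is made on the destination, which the switch has not yet seen.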

A typical medical business might need up to 24 devices on the network. There is a wide range of switch models available that are gigabit and 24 ports. For example:

  • a very economical switch: $129 new
  • a much more expensive switch: up to $2000

The difference is not obvious at first; both switches are “Gigabit”. There are significant differences though:

  • Higher-end switches are “managed”, that is, they have a management interface at layer 3 so the user can log in and configure the switch. They often have layer 3 (IP) functions as well, such as performing some of the tasks of a router.
  • Higher-end switches have faster dedicated memory and hardware. Although the interfaces may be rated at 1 Gb/s, that does not mean the switch can switch frames at that speed; that depends on the other hardware within the switch.
  • Higher-end switches are more reliable when connected to other devices.

For a medical business, there is often just one core switch. It is a false economy to use a cheap unmanaged switch for this task.

Switches, Routers and Firewalls

These devices are the hardware that connects the endpoints on the network.

A switch is essentially a layer 2 Ethernet device.

A router is a path between two subnets.

A firewall is a device that controls the traffic between two network segments.

The small office network

The typical medical office will have a network. Usually this will be a Windows Active Directory network with a domain controller.

It is useful to consider networks at various layers:

  • Layer 1 – the physical network – cat6 cabling and/or wireless (bits)
  • Layer 2 – the data-link layer – Ethernet or 802.11 wireless (frames)
  • Layer 3 – the network layer – IP (packets)
  • Layer 4 – the transport layer – TCP, UDP etc

Each device (printer, computer, network switch etc) has a layer 2 address (the MAC address) and a layer 3 address (the IP address). The MAC address is usually set by the manufacturer, and the IP address is set by the user as part of the network setup.

All devices connected together at layer 2 form what is known as the broadcast domain. Typically this would be all of the devices on the office network. They are linked together by a layer 2 switch or wireless access point.

Every IP address (layer 3) is a member of a subnet. The subnet is defined by the combination of the IP address and the subnet mask. A typical office network has a maximum of 254 IP addresses on its subnet, for example:

the addresses between and with a subnet mask of

If a device tries to communicate with one on a different subnet (for example the Google DNS server at ), the layer 2 frame needs to be sent to a device within the subnet that can forward the layer 3 packet out of the network towards the destination. That device is known as the gateway or router.
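The subnet-mask AND operation from “The IP network” and the same-subnet-or-gateway decision described just above, as an added example that is not code from the original post. It is written with plain integer arithmetic rather than a library so that the bitwise step is visible; the addresses are constructed, and the 254-host result for a /24 matches the figure given above.

```python
"""
Added example, not code from the original post: the subnet-mask AND operation
and the "same subnet, or hand the frame to the gateway" decision. Addresses
are constructed for illustration.
"""


def to_int(dotted):
    """'192.168.1.10' -> 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(n):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefixlen):
    """/24 -> '255.255.255.0': the top prefixlen bits set, the rest clear."""
    return to_dotted(((1 << 32) - 1) ^ ((1 << (32 - prefixlen)) - 1))


def network_address(ip, mask):
    """AND each bit of the IP with the corresponding bit of the mask."""
    return to_dotted(to_int(ip) & to_int(mask))


def usable_hosts(mask):
    """Host addresses on the subnet, excluding the network and broadcast addresses."""
    host_bits = 32 - bin(to_int(mask)).count("1")
    return max((1 << host_bits) - 2, 0)


def next_hop(src_ip, mask, gateway, dst_ip):
    """Deliver directly if dst is in our subnet; otherwise send the frame to the gateway."""
    if network_address(src_ip, mask) == network_address(dst_ip, mask):
        return dst_ip
    return gateway


if __name__ == "__main__":
    mask = prefix_to_mask(24)
    print(mask)                                                   # 255.255.255.0
    print(network_address("192.168.1.10", mask))                  # 192.168.1.0
    print(usable_hosts(mask))                                     # 254
    print(next_hop("192.168.1.10", mask, "192.168.1.1", "192.168.1.50"))   # 192.168.1.50
    print(next_hop("192.168.1.10", mask, "192.168.1.1", "203.0.113.5"))    # 192.168.1.1
```

The last two calls are the decision every endpoint makes before it sends a frame: a destination whose network address (after the AND) equals its own is reached directly, anything else goes to the default gateway.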