How Secure Is Your Branch Networking?
By Rainer Enders
It was 2007 when the TJX hack, which exposed more than 45 million payment card numbers to criminals, brought the issue of insecure branch networks into the spotlight. Now, nearly five years later, have organizations retained the lessons learned from that breach? Most have only addressed the core of the TJX example—safeguarding Wi-Fi data transmissions. But there’s a lot more to securing branch networks, and many more potential headaches await companies that address only the problems exposed by known breaches.
To stay on top of your organization’s branch networking, it’s a good idea to periodically do a holistic assessment of your policies and technologies. The first step is to look at the type of network topology that connects your organization’s branches.
Types of Networks
All branch office networks are either meshed or star-shaped. In meshed networks, branch offices are connected to one another in addition to being connected to the company headquarters. In star-shaped networks, all communication between the branch offices is channeled through one central location equipped with a “master” VPN gateway. While star-shaped networks are more prone to latency between branch offices, their management advantages make up for this. Star-shaped networks allow IT administrators to control the entire secure network via one central monitoring system. This enables real-time detection and location of communication faults between the branch offices—an invaluable asset in the event of a breach.
By contrast, in a meshed network it is far more difficult to identify the source of communication failures. Moreover, mesh networks are far more complex, which makes for a more complicated troubleshooting landscape than hub-and-spoke topologies. For instance, if a company has 100 branch offices, controlling and identifying a problem within this network would require substantial effort.
You’ll want to ensure that your VPN can bounce back immediately should any problems arise. The way to do this is to implement a highly available VPN. This is crucial for branch offices such as those of banks or retail chains, where a VPN outage would cause major business disruption. To guarantee high availability, professional VPNs support several redundancy mechanisms that maintain backup VPN connections. On top of this, the VPN gateway of the branch office should support several alternative media types (communication mediums) for Internet dial-up.
It’s also important to make sure the VPN solution is able to automatically recognize a communication fault with a remote site. Then, when a fault is detected, the VPN gateway disconnects the standard connection automatically and sets up an alternative backup link. Most modern VPN software solutions support an unlimited number of backup connections. With these solutions, the major restricting factor is the number of communication mediums the hardware supports.
To properly secure branch networks, central management is an indispensable piece of the equation. The reality is that local network administration requires far too much time and money, even if there are only a few branch offices. And with machine-to-machine (M2M) deployments, local administration is hardly even possible. On the other hand, central management conserves resources by automating the management of VPN gateways for remote and branch offices. The more VPN-relevant systems the central management covers, the better, because it makes the network simpler for administrators to manage. VPN-relevant systems are all the components or systems that participate in the VPN or are affected by it; these can include users, devices, gateways, policies, and firewall rules.
In addition to configuration and software distribution, the management software should cover the following tasks: rollout of digital certificates (software- or hardware-based) from the certificate authority (CA), an LDAP console for identity and rights management, and security monitoring of end devices (Network Access Control (NAC)/endpoint security).
A VPN system secures all data transfers in an encrypted tunnel. However, securing the communication has to begin at Internet dial-up, which is the most frequent point of attack. The core problem is how the branch offices authenticate to the central gateway. Pre-shared keys are one option for authentication; certificates are another. From a security perspective, certificates are better because they can be managed over their lifetime: old certificates can be revoked and new ones issued when necessary. Certificate handling also has to be organized, so that when a certificate expires, the VPN management system automatically requests and issues a replacement.
There’s another consideration with central management that’s sometimes overlooked: the firewall. For optimal security, the firewall should only allow IPsec connections. The firewall rules should be set so that communication to anywhere is only allowed inside the VPN or within VPN-friendly networks. This ensures all traffic is secure and under full control of the network administrator. Additionally, it prevents traffic from third-party connections from traversing the tunnel and entering the company network uncontrolled.
Most commonly, branch offices connect to the Internet via a DSL router that sits in front of the VPN gateway. Some VPN gateways also support PPPoE as a communication medium, which allows the gateway itself to perform the DSL dial-up and eliminates the need for a DSL router. In this case, too, the firewall must only allow IPsec connections. Maintenance of each branch office’s VPN gateway can also be performed via direct ISDN dial-up rather than over the Internet.
Masking means that the branch offices’ IP networks are hidden behind a single address when communicating with headquarters. However, administrators often require transparent access to all branch office networks, either from headquarters or from their management system. Masking IP networks is easier, but it isn’t compatible with what most administrators want.
If administrators want transparent access to all branch office networks, it is essential that each branch receives its own unique IP address range. This means all installed routers and end-devices have to be configured again. This is feasible for small networks, but for larger network environments, this involves a hefty time and money investment for reconfiguring routers and end-devices.
If transparent access is not absolutely necessary, masking the IP addresses via Network Address Translation (NAT) is a viable option. This means the IP address is changed into a VPN tunnel address, which the host or the central VPN management system recognizes and automatically allocates to the branch office—significantly reducing the time and money spent on configuration and rollout. For companies that don’t have the option to choose between masking and access to all end-devices, a mixed operation is also possible.
Fragmenting and Maximum Transmission Unit
Another potential issue is the size of the data packets when communicating via different Internet dial-up media. Large data packets often result in fragmented IPsec packets, which can lead to lost data. This can be solved by pre-fragmenting the data packets prior to tunneling, so that the IPsec tunnel header is added after fragmentation. With this method, the system only sends non-fragmented packets that the Internet router/firewall accepts. Modern professional VPN solutions provide this intelligent method of dynamically reducing the maximum transmission unit: such VPN gateways automatically adapt the packet size of TCP connections to the defined size before the connection is set up.
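The following script is an added example (not code from the article or from any vendor's product) that serves both the firewall point above and this MTU section: on a Linux branch gateway it installs an IPsec-only iptables policy and clamps the TCP MSS to a value derived from the ESP overhead of the configured cipher, so TCP segments never fragment after encapsulation. It goes slightly beyond the text by also computing the overhead for NAT-T encapsulation and for AES-GCM; the interface names, the PPPoE path MTU of 1492 and the cipher choices are assumptions.

```shell
# Added example, not from the article. Assumptions: Linux gateway with iptables,
# WAN interface ppp0 (PPPoE DSL, path MTU 1492), LAN interface eth1, ESP in
# tunnel mode over IPv4. Rules are only printed unless run as "sh gw.sh apply".

# Outer IPv4 length of an ESP tunnel-mode packet carrying INNER bytes:
# outer IPv4 20 + ESP SPI/sequence 8 + IV + ICV (+ UDP 8 when NAT-T is used),
# with the inner packet plus 2-byte ESP trailer padded to the cipher block size.
esp_outer_len() {  # esp_outer_len INNER CIPHER NAT_T(yes|no)
  case "$2" in
    aes-cbc) iv=16; block=16; icv=16 ;;   # AES-CBC with HMAC-SHA256-128
    aes-gcm) iv=8;  block=4;  icv=16 ;;   # AES-GCM-128, 4-byte alignment
    *) echo "unknown cipher: $2" >&2; return 1 ;;
  esac
  fixed=$((20 + 8 + iv + icv))
  if [ "$3" = yes ]; then fixed=$((fixed + 8)); fi
  echo $((fixed + (($1 + 2 + block - 1) / block) * block))
}
# Largest inner packet that the path MTU still carries unfragmented.
max_inner_len() {  # max_inner_len PATH_MTU CIPHER NAT_T
  n=$1
  while [ "$(esp_outer_len "$n" "$2" "$3")" -gt "$1" ]; do n=$((n - 1)); done
  echo "$n"
}
# MSS to clamp on TCP SYNs: inner packet minus IPv4 (20) and TCP (20) headers.
tcp_mss() { echo $(( $(max_inner_len "$1" "$2" "$3") - 40 )); }

WAN=${WAN:-ppp0}; LAN=${LAN:-eth1}; PATH_MTU=${PATH_MTU:-1492}
MSS=$(tcp_mss "$PATH_MTU" aes-cbc no)
run() { if [ "${MODE:-print}" = apply ]; then "$@"; else echo "$@"; fi; }
gateway_rules() {
  run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The Internet side may only talk IPsec to the gateway: IKE, NAT-T, ESP.
  for p in "-p udp --dport 500" "-p udp --dport 4500" "-p esp"; do
    run iptables -A INPUT  -i "$WAN" $p -j ACCEPT
    run iptables -A OUTPUT -o "$WAN" $p -j ACCEPT
  done
  # LAN traffic is forwarded only inside the tunnel; untunneled WAN traffic
  # never reaches the LAN, so a third-party connection cannot bypass the VPN.
  run iptables -A FORWARD -i "$LAN" -o "$WAN" -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
  run iptables -A FORWARD -i "$WAN" -o "$LAN" -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
  # Pre-empt fragmentation: shrink the MSS on SYNs so segments fit after ESP.
  run iptables -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN \
    -m policy --dir out --pol ipsec -j TCPMSS --set-mss "$MSS"
}
if [ "${1:-}" = apply ]; then MODE=apply; fi
gateway_rules
```

Without the `apply` argument the script only prints the rules, so the generated policy and the computed MSS (1382 for the assumed PPPoE link) can be reviewed before installation.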
Enforced 24-hour Disconnect for DSL Connections
Most organizations also have to deal with a 24-hour disconnect on DSL-based site-to-site VPNs. Remember, however, that during peak times a permanent connection has to remain established. Most providers carry out the enforced disconnect automatically 24 hours after the first connection setup. This means administrators should check as early as VPN installation that the VPN gateway offers a feature for setting the time of the enforced 24-hour disconnect, so it can be moved outside peak hours.
These are the major factors to take into consideration when implementing a site-to-site VPN installation. It’s often the small details that make branch office networking difficult, even if the network has been in place for years. With the five-year anniversary of the terrible TJX hack nearly upon us, let’s all take time to make sure that we get the details right and continue to keep branch networking top-of-mind.