This is a high-level crash course on two common types of VPNs (Virtual Private Networks) and the implementations in use at companies worldwide.

In today's dynamic work environment, employees value the ability to work remotely. End-users are often more concerned with the performance and reliability of a VPN and worry less about how secure it is. "VPN" is commonly used as a term to describe a way to access company network and data resources when outside the office. While this is fairly accurate, this common understanding leaves end-users at risk of assuming that all VPNs behave the same.

Let's say that you're operating under the assumption that when you remotely connect using your company-issued VPN, your computing experience is no different than if you were physically at the office (albeit potentially slower). In truth, it completely depends on the type of VPN in use and how it is implemented. Let's look at two common types of VPNs and their implementations.

To start with, two common and widely implemented VPNs are the SSL VPN and IPsec VPN.

SSL VPNs
Even if you haven't heard of an SSL (Secure Sockets Layer) VPN before, you are likely more familiar with this technology than you think. The last time you logged into your bank account online or visited your favorite search engine website, you likely encountered the following:

image-1

This indicates an SSL-protected browser session, meaning that your browser accepted the website's SSL certificate as authentic and created an encrypted session between your computer's browser and the website. The data you enter on this website is encrypted in transit.

image-2


If you were to look further at the certificate details (e.g., in Google Chrome), you may see the following:

image-3


Now, if your browser does not trust the certificate received from the website, this is what happens:

image-4


If you were to look further at the certificate errors (e.g., in Google Chrome), you may see the following:

image-5

Many SSL VPNs support a browser-based SSL VPN session. In this scenario, the SSL VPN operates like a typical web session (Figure 1), and access to company network and data resources is presented as links or web applications after you log onto the browser-based SSL VPN website.

Another type of SSL VPN is the client-based VPN. In this scenario, the VPN is an installed application such as the Cisco AnyConnect VPN, Pulse Secure VPN, and SonicWALL Global VPN (to name a few).

The difference between the two SSL VPNs (browser-based and client-based) is primarily where the connection is initiated and maintained. With the client-based SSL VPN, the application installed on your computer maintains a network-level connection, unlike the browser-based SSL VPN, which maintains only a browser session. A network-level connection acts as if you were actually connected to the remote network (e.g., allowing access to network file shares).


IPsec VPNs

The IPsec VPN operates using a completely different protocol/technology than SSL. You guessed it: the IPsec protocol (Internet Protocol Security). This type of VPN requires an installed application (like the client-based SSL VPN). Examples of commonly used IPsec VPNs include the Cisco AnyConnect VPN and SonicWALL Global VPN.

In the IPsec VPN, the installed VPN application communicates with the VPN hardware back at the office to establish an encrypted tunnel (connection) between your computer and the office network. The functionality of the VPN and resources made available to you will be determined by how the VPN was configured by your company.

Implementation: Full-Tunnel vs Split-Tunnel VPN

Most VPNs can be implemented as full-tunnel or split-tunnel. This is important to understand, as it determines what data is sent through the encrypted tunnel to your office network.

Full-Tunnel VPN

image-6

In a full-tunnel VPN, all network traffic is sent through the encrypted tunnel to your office network. This is like being physically connected to your office network.

Split-Tunnel VPN

image-7

In this scenario, only access to company resources (green arrow) is sent through the encrypted tunnel. All other access (e.g., Gmail, Yahoo, internet banking) is not sent through the tunnel and goes directly out to the internet (passing through any local firewall or security devices that may be in place).

A split-tunnel VPN does not operate as if your computer was 'in the office'. Only the full-tunnel VPN treats your computer as if it were directly connected to the office network.
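The practical difference between the two modes lives in your computer's routing table: a full-tunnel client steers every destination to the VPN interface, a split-tunnel client steers only the company ranges. The following added example (not from the original post) uses two constructed `ip route`-style tables and a longest-prefix-match lookup to show which traffic would leave via the assumed VPN interface `tun0` and which would go straight out via the local `eth0`.

```python
import ipaddress

# Constructed sample routing tables in the style of `ip route show` on Linux.
# tun0 is the VPN interface, eth0 the local LAN. Full-tunnel clients commonly
# push two /1 routes that together out-rank the default route without removing it.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
10.0.0.0/8 dev tun0
192.168.1.0/24 dev eth0
"""

SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 dev tun0
192.168.1.0/24 dev eth0
"""


def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match: the most specific matching route wins, as in the kernel."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        raise ValueError(f"no route to {destination}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel_mode(routes, vpn_dev="tun0"):
    """Classify as 'full' when office and internet destinations all exit via the VPN."""
    probes = ["10.1.2.3", "8.8.8.8", "172.217.0.1"]  # one office host, two internet hosts
    return "full" if all(egress_device(routes, p) == vpn_dev for p in probes) else "split"
```

Note that even in the full-tunnel table the directly connected LAN (192.168.1.0/24) still wins over the /1 routes, which is why a local printer keeps working while everything else goes to the office.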

Remember, if you navigate to a website or company resource that has a certificate error:

image-8

Do not trust it or continue to use that site. It is important that you contact your IT department so they can review the situation for security concerns.

Additionally, if you are visiting a website that does not have https://, such as the following:

image-9

Your session is not encrypted and you should not enter any confidential or sensitive information (e.g., username, password, credit card information).

Thank you for reading and please feel free to reach out to Delap's cyber security professionals if you have any questions or would like to discuss the more technical aspects of encryption and VPN implementations!

Delap LLP is one of Portland’s largest local tax, assurance, wealth advisory, and information security consulting firms, located in Lake Oswego, Oregon.


Terms:
VPN – Virtual Private Network

SSL – Secure Sockets Layer, the technology used to protect websites and SSL VPNs is still referred to as SSL, although it has been superseded by TLS (Transport Layer Security).

Client-Based VPN – A VPN that uses an application installed locally on your computer or mobile device to establish an encrypted network connection to remote resources.

Browser-Based VPN – A VPN that uses your browser to establish an encrypted web session that provides access to remote resources.


For questions, contact David Buchanan.