VPN Interview Questions and Answers
- What is Trusted and Untrusted Networks?
Answer:
Trusted networks: Such Networks allow data to be transferred transparently. The machines using a trusted network are usually administered by an Administrator to ensure that private and secured data is not leaked. Access to this network is limited. Computers using trusted networks are more secured and confidential because of strong firewalls.
Untrusted networks: Such networks are usually administered by the owners. They can allow improper access to sensitive or personal data. These machines are usually separate. Such machines could me more prone to attacks.
Trusted networks: Such Networks allow data to be transferred transparently. The machines using a trusted network are usually administered by an Administrator to ensure that private and secured data is not leaked. Access to this network is limited. Computers using trusted networks are more secured and confidential because of strong firewalls.
Untrusted networks: Such networks are usually administered by the owners. They can allow improper access to sensitive or personal data. These machines are usually separate. Such machines could me more prone to attacks.
- Is there market penetration for these products?
Answer: Those companies who were early adopters of firewalls are the ones using VPNs today. VPNs are still early in the use cycle. Three years ago, they hardly existed. Then firewall products started to include them — first ANS Interlock, then TIS Gauntlet. Soon, customers started demanding VPN functionality in their firewalls, even though few of them actually used it. But the Security Architecture for Internet Protocol (IPSEC) standard is changing that — with IPSEC-compliant off-the-shelf products, using encryption to protect the privacy of communications will be an automatic decision. It may take awhile. I predicted that 1998 would be the "Year of the VPN," but maybe 1999 is more realistic. Look, over four years after the famous Internet password sniffing incident, most people still seem to be working with reusable passwords.
- What are the different authentication methods used in VPNs?
Answer:The authentication method uses an authentication protocol. The methods are:
EAP authentication method: Extensible authentication protocol authenticates remote access connection. The authentication mechanism is decided between the remote VPN client and authenticator (ISA). The mechanism is typical in which authenticator requests for authentication information and the responses are given by the remote VPN client.
MS Chap Authentication method: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) starts with the authenticator (Remote access server) challenge. The challenge to the remote access client sends a session identifier and challenge string. The client in response sends the nonreversible encryption of the string, the identifier and password. Authenticator checks the credentials and grants access on a successful authentication.
Unencrypted passwords (PAP): Uses plain text passwords. Does not involve encryption. Used for less secure clients.
Shiva Password Authentication Protocol (SPAP): It is a password authentication protocol. It is less secure as the same user password is always sent in the same reversibly encrypted form.
EAP authentication method: Extensible authentication protocol authenticates remote access connection. The authentication mechanism is decided between the remote VPN client and authenticator (ISA). The mechanism is typical in which authenticator requests for authentication information and the responses are given by the remote VPN client.
MS Chap Authentication method: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) starts with the authenticator (Remote access server) challenge. The challenge to the remote access client sends a session identifier and challenge string. The client in response sends the nonreversible encryption of the string, the identifier and password. Authenticator checks the credentials and grants access on a successful authentication.
Unencrypted passwords (PAP): Uses plain text passwords. Does not involve encryption. Used for less secure clients.
Shiva Password Authentication Protocol (SPAP): It is a password authentication protocol. It is less secure as the same user password is always sent in the same reversibly encrypted form.
- What security vulnerabilities are unique to or heightened by VPN?
Answer: Even though VPNs provide ubiquitous, perimeter security, firewalls are still needed. Walls around cities went away because it became inexpensive to bring them in closer to individual homes. Only a perimeter enforcement mechanism can guarantee adherence to an organization's security policies. However, as part of policy enforcement, a firewall might need to be able to look at the information in a packet. Encryption makes that rather difficult. VPNs — improperly deployed — take away a firewall's ability to audit useful information, or to make decisions beyond the level of "who is allowed to talk to whom." There are ways around this. The easiest way is to make the firewall a trusted third member of the conversation. People who value privacy above everything else chafe at this. But people who value the security of their organization realize that this is a necessity.
- What is VPN?
Answer: A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. VPNs maintain the same security and management policies as a private network. They are the most cost effective method of establishing a virtual point-to-point connection between remote users and an enterprise customer's network.
- Is VPN a long-term solution or a short-term stop gap kind of thing?
Answer: VPNs are long-term solutions. VPNs may become ubiquitous and transparent to the user, but they will not go away. Because the problem VPNs address — privacy over a public network — will not go away. VPNs will exist from the desktop to the server, and at the IP packet level as well as the application data level.
- What are the different types of VPN?
Answer:
Remote Access VPN - Also called as Virtual Private dial-up network (VPDN) is mainly used in scenarios where remote access to a network becomes essential. Remote access VPN allows data to be accessed between a company’s private network and remote users through a third party service provider; Enterprise service provider. E.g Sales team is usually present over the globe. Using Remote access VPN, the sales updates can be made.
Site to Site VPN – Intranet based: This type of VPN can be used when multiple Remote locations are present and can be made to join to a single network. Machines present on these remote locations work as if they are working on a single network.
Site to Site VPN – Extranet based: This type of VPN can be used when several different companies need to work in a shared environment. E.g. Distributors and service companies. This network is more manageable and reliable.
Remote Access VPN - Also called as Virtual Private dial-up network (VPDN) is mainly used in scenarios where remote access to a network becomes essential. Remote access VPN allows data to be accessed between a company’s private network and remote users through a third party service provider; Enterprise service provider. E.g Sales team is usually present over the globe. Using Remote access VPN, the sales updates can be made.
Site to Site VPN – Intranet based: This type of VPN can be used when multiple Remote locations are present and can be made to join to a single network. Machines present on these remote locations work as if they are working on a single network.
Site to Site VPN – Extranet based: This type of VPN can be used when several different companies need to work in a shared environment. E.g. Distributors and service companies. This network is more manageable and reliable.
- What security vulnerabilities are addressed by VPN?
Answer: VPNs directly protect the privacy of a communication, and indirectly provide an authentication mechanism for a gateway, site, computer, or individual. Whether you need privacy or not is a function of your business, the nature of what you discuss electronically, and how much it is worth to someone else. Authentication is a side effect, even without IPSEC, because if site A knows it talks to site B over an encrypted channel, and someone else pretends to be site B, they will also have to be able to talk encrypted to site A, since site A expects it and will reciprocate. Typically, the secrets are sufficiently protected that no one could pretend to be site B and pull it off. Again, it comes down to the risk, which is a function of the information you are transmitting. The threats and vulnerabilities are there, in any case. It is very easy to capture traffic on the Internet or on your phone line. Is it important enough information to care? That is the question that most people answer wrong. It is my experience that while people may understand the value of what they have and they may understand the risk of losing or compromising what they have, few understand both at the same time.
- What are unreasonable expectations for VPN?
Answer: With firewalls, we went from a very small number of security-wise companies using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desk top we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were meant to do: keep communications private.
- What are unreasonable expectations for VPN?
Answer: With firewalls, we went from a very small number of security-wise companies using real firewalls to firewalls becoming a "must have" on a checklist. But somehow, having a firewall became synonymous with "all my Internet security problems are solved!" VPNs and IPSEC have started off that way too. There has been a lot of "When we have IPSEC on the desk top we won't need firewalls." This is nonsense. VPNs cannot enforce security policies, they cannot detect misuse or mistakes, and they cannot regulate access. VPNs can do what they were meant to do: keep communications private.
- What are some of the tough questions to pose to VPN product vendors?
Answer: Many vendors claim to be IPSEC-compliant. The real requirement should be "list the other products with which you can communicate" Also, a customer should want to know how automatic the key exchange mechanism is? In a perfect world — in an IPSEC world — it would be automatic. If a Virtual Network Perimeter (VNP, not VPN) is used, how easy is it to deploy the software to mobile PC users? How much does it interfere with normal network operation from a mobile PC, if at all? What crypto algorithms are used? What key length?
- What kind of resources (staff, computational muscle, bandwidth, etc.) are required for VPN deployment, usage, maintenance?
Answer: VPNs are typically handled as just another job by the network or system administrator staff. Whoever is managing the firewall today can easily add VPN management to the plate because once a VPN is set up there is little else to do on most implementations.
- Who are the major players in the market?
Answer: Aventail is a leader in this market. All the major firewall vendors and router vendors are in it as well. On the client side, Timestep and V-ONE are big.
- What firewall issues are relevant to VPN selection and deployment?
Answer: Well, the perimeter security issues mentioned above, plus a firewall should give the option of VPN with or without trust. For example, I would prefer all sessions between my firewall and my clients and business partners to be encrypted — to be VPNs. But, I want all of them to run up against my firewall if they try to do anything besides what I permit. On the other hand, if I dial in from the speaker's lounge at a conference, I would like a private connection (that is to say, encrypted) that also looks and feels like a virtual "inside" connection, just as if I was sitting in the office.
- What kind of performance issues does VPN raise?
Answer: Encryption takes more horsepower than sending data in the clear. It really shows up on mobile PCs transmitting large hunks of data — for example, a PowerPoint presentation — over a dial-up phone line. Firewalls and other server systems should employ hardware crypto engines. With these there are no performance issues. I expect that this functionality for mobile PCs will migrate to PC cards with crypto engines. When will this happen? Within the next 18 months.
- What is the relationship between VPN and firewalls?
Answer: While VPNs were available before firewalls via encrypting modems and routers, they came into common use running on or with firewalls. Today, most people would expect a firewall vendor to offer a VPN option. (Even though most people today don't use VPNs.) Also, they want it managed via the same firewall management interface. But then, users today seem to want nearly everything on the firewall: mail server, name server, proxy servers for HTTP, FTP server, directory server, and so on. That's terrible and a subject in itself.
- Are VPNs used for specific kinds of applications or environments? If so, what are some examples of where and why VPNs would be deployed?
Answer: VPNs should be used for all information exchange. I don't want to have to "go encrypted" when something secret is about to be sent. I want everything to be encrypted. It should be as commonplace as people sending postal mail in sealed envelopes. It will also ensure that the VPN mechanism is working.
