Data security depends heavily on the topology and security configuration of your network. A typical IT infrastructure is made up of many different components, each of which is vulnerable to attack in its own way. It is important to strike a balance between security and flexibility: an overly rigid security policy often leaves users either unable to work efficiently or working around the controls, which itself compromises security.
In order to facilitate secure remote working, a VPN system needs to be implemented.
Typically, an IT infrastructure is made up of some or all of the following resources:
- File Servers
- E-Mail/Groupware Servers
- Domain Servers
- IP Phone Servers
- Application Servers
- Database Servers
- Web Servers
- Web Services
We specialise in setting up flexible and effective IT security policies, which allow granular remote and local user access to specific resources, together with user logging, monitoring and attack prevention.
Steps we typically perform before implementing a VPN system include:
- Determine possible attacks and sensitivity of resources
- Enumerate threats
- Establish security goals for IT resources (i.e. confidentiality, integrity, availability)
- Develop an overall system security policy
- Implement security mechanisms consistent with the required level of assurance
A VPN server for remote access provides the following benefits:
- Remote access can be controlled from a central point
- Sensitive resources are not directly accessible from the Internet
- Users can be restricted to certain resources, and all of their actions can be logged
The following diagram represents the network topology of a secure network, with all remote access controlled via VPN.
VPN server and options we offer:
- SSL VPN and IPSec VPN:
  - Transparent, controlled via hardware, such as a dedicated VPN box
  - Web-based SSL, available for third parties or roaming users, no software required
  - Software, using an OpenVPN client on the user's computer. Provides a dedicated VPN connection, suitable for remote users with no expensive hardware requirements
- VPN Control panel for granting, revoking and monitoring user access
VPN options within the Amazon AWS environment
Run your website or network resources within a VPC (Virtual Private Cloud) hosted at Amazon and combine security with flexibility.
Internal resources are accessed through a VPN gateway instance, which controls outbound connections from the internal servers and runs a VPN service for secure remote access from an office or for roaming users.
Harden your online assets by combining VPN, private networks and firewalls
The following diagram illustrates how to harden the security of your web assets (eCommerce, websites, extranets) by modifying the network topology and implementing a secure VPN gateway.
Public-facing websites are under constant attack from a variety of sources. Websites built on open source or popular scripts are more exposed to zero-day exploits because the source code is freely available. If security patches are not applied soon after the vendor releases them, your site may be compromised and data potentially stolen.
One way of limiting the damage of a security breach is to separate the frontend and database servers. An attack that gains access to the web server then does not immediately have direct access to the database. This can buy valuable time for an IDS (intrusion detection system) to identify the attack and for system administrators to take the necessary action.
By minimising the number of available ports and services open to the Internet, the risk of breaches by security flaws in software can be reduced.
The following diagram demonstrates an example network topology of a typical eCommerce or website which is hosting sensitive data.
The only publicly open port is 443 (SSL) on the load balancers, which are the entry point for the application, after the firewall.
The load balancers forward requests to the web servers (not accessible directly). The web servers then access the database layer via a secure VPN connection on a separate network interface.
To further improve security, various components can be installed at each network layer. For example:
- Real-time anti-virus scanning of file uploads, managed by the load balancers / proxy servers
- A web application firewall configured on the web server(s), which scans each request for XSS (cross-site scripting), SQL injection and more
- IDS (Intrusion detection system) scanning traffic packets between load balancers, web servers and database servers
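As an added illustration (not code from this page or its provider), the following Python script audits a set of inbound firewall rules against the topology just described: only port 443 on the load balancers faces the Internet, the web servers accept traffic only from the load balancers, and the database tier accepts traffic only from the web tier. The tier names, the rule format and the sample rules are assumptions constructed for the example.

```python
from ipaddress import ip_network

# Policy stated above: the Internet reaches only 443 on the load balancers,
# web servers accept traffic only from the load balancers, and the database
# tier accepts traffic only from the web tier (over the VPN interface).
# Tier names are assumptions for this example, not names from any product.
POLICY = {
    "lb":  {"internet_ports": {443}, "from_tiers": set()},
    "web": {"internet_ports": set(), "from_tiers": {"lb"}},
    "db":  {"internet_ports": set(), "from_tiers": {"web"}},
}


def is_public(source):
    """True when source is a CIDR covering the whole Internet (0.0.0.0/0 or ::/0)."""
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # a tier name, not a CIDR


def audit(rules):
    """Return findings for every (tier, protocol, port, source) rule that violates POLICY."""
    findings = []
    for tier, proto, port, source in rules:
        allowed = POLICY[tier]
        if is_public(source):
            if port not in allowed["internet_ports"]:
                findings.append(f"{tier}: {proto}/{port} open to the Internet from {source}")
        elif source in POLICY:
            if source not in allowed["from_tiers"]:
                findings.append(f"{tier}: {proto}/{port} reachable from tier '{source}'")
        else:
            # Any other CIDR bypasses the tiers (and the VPN), so it needs review.
            findings.append(f"{tier}: {proto}/{port} reachable from non-tier range {source}")
    return findings


# Constructed sample rules, not exported from a real account.
SAMPLE_RULES = [
    ("lb", "tcp", 443, "0.0.0.0/0"),         # ok: the single public entry point
    ("lb", "tcp", 22, "0.0.0.0/0"),          # finding: SSH exposed to the Internet
    ("web", "tcp", 80, "lb"),                # ok: web tier only behind the load balancers
    ("web", "tcp", 80, "0.0.0.0/0"),         # finding: load balancer bypassed
    ("db", "tcp", 3306, "web"),              # ok: database only from the web tier
    ("db", "tcp", 3306, "lb"),               # finding: load balancers must not reach the db
    ("db", "tcp", 3306, "198.51.100.0/24"),  # finding: direct range, bypasses VPN and tiers
]
```

Running `audit(SAMPLE_RULES)` returns four findings, one for each rule marked as such in the comments; an empty list means the rule set matches the topology.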
Contact us to discuss your remote working and VPN requirements, with no obligation.