Answers From Copilot For VPN


Answers from Copilot

Question:
The office is about 50 km away from the managers' houses. Is there a
secure way to let the managers connect to the server in the office from
their homes through the internet?

Certainly!
To enable secure remote access for your managers to connect to the
office server from their homes, consider implementing a Virtual Private
Network (VPN). Here’s how it works:

1) VPN Basics:
A VPN creates a secure virtual tunnel over the public internet,
allowing remote users to access internal resources (like your office
server) securely.

2) Setting Up a VPN:
Download VPN Client Software: Managers should download the VPN client
software provided by your organization (usually available for free from
vendors like SonicWall, Checkpoint, WatchGuard, or Meraki).
Install the Software: Install the downloaded software on their home
computers.
Enter Public IP Address: Managers enter your organization’s public IP
address (which points to your office network).
Username and Password: They enter their username and password to
establish a secure connection.

3) Types of VPNs:
IPSec VPN: Widely used and provides protection at the IP level (Layer 3).
Ideal for securing communication between the office network and home
computers.
SSL VPN: Another option, which uses SSL encryption. It’s often used for
web-based access to specific applications or services.

Remember to configure your office firewall to allow VPN traffic.

With a VPN in place, your managers can securely access office resources
from their homes, ensuring business continuity even during disruptions.
https://www.comparitech.com/blog/vpn-privacy/setup-remote-access-vpn/

Many businesses are going through unprecedented challenges due to the
ongoing Covid-19 pandemic.

Most IT departments are having to think on their feet to ensure
employees can still be productive during what might be an extended
period of disruption.

At times like this, remote access solutions and free remote desktop
software become critical to ensuring continued business operation.

Most organizations may have previously done this to some degree; for
others, this is an entirely new concept.

Whichever the case, the need is now greater than ever to ensure staff are
able to remotely and securely access office resources to carry on with
critical activities.

Some companies are stuck between adopting a complete or partial
remote-working scenario, struggling with the upgrades that are required
to allow employees to work from home.

One key technology that is crucial to enabling secure remote access to
your organization’s internal network is a Virtual Private Network
(VPN).

In a small office where only an individual or two needs to connect to one
or two office computers from home, a remote desktop application like
GoToMyPC or PCAnywhere may be preferable.

However, if business needs require multiple remote connections, a full
VPN is the most viable option.
How a VPN Works

A VPN allows you to create a secure virtual tunnel to your office
network through a public network such as the internet.

It protects the confidentiality (data remains secret via encapsulation)
and integrity (data remains unaltered via encryption) of data as it
travels over the public internet.

Establishing a secure VPN connection is relatively simple. The user
connects to the internet and then initiates a VPN connection, via locally
installed client software or a web browser, to the VPN server located in
the office.

The VPN server, based on your access level permission, grants you
access to internal company resources via the secure tunnel, thus
keeping data secure and private over the internet.

Below are the different possible ways you can implement an office
VPN so your employees can remotely access office resources without
compromising security.
1. Remote access VPN
2. Cloud VPN
3. SD-WAN VPN
Remote Access VPN

Users can access the resources on the office computers as if they were
directly connected to the office network.

The two most commonly used technologies in remote access VPNs are
IPSec and SSL.

IPsec is the most widely used VPN technology. IPsec provides protection
at the IP layer (Layer 3), so it can be deployed to secure communication
between a host on the office network and a remote computer used at
home.

A client application is required on the remote computer in order to
establish a connection.

IPsec was designed to ensure data integrity and confidentiality, and
offers enterprise-grade security features.

-----------------------------------------------------------

The greatest strength of SSL VPN comes from the fact that it is
platform-independent. You do not have to depend on a third-party VPN
client to initiate connections. Using any web browser, you can access
resources remotely without worrying about the underlying operating
system.

In order to set up an office VPN (IPsec or SSL VPN) to support working
from home, you’ll need to purchase, install and configure a hardware
device known as a VPN gateway in your office location.

Some of the leading VPN hardware vendors/products include:
Cisco ASA (Adaptive Security Appliance) firewall for SSL VPN and
IPsec VPN,
Check Point Next Generation Firewall, and
Sophos XG Firewall, among others.

Configuring the VPN itself is quite vendor-specific and would require
the services of qualified personnel such as a network engineer or a
third-party service provider, but some devices have a GUI or a
wizard-type configuration process.

The initial investment needed to set up a remote access VPN is minimal,
and they can easily be scaled as a company grows. This is especially
true if a VPN service provider is used.

Remote access VPNs are affordable and secure, so organizations can
deploy them and allow their employees to work from home.
Cloud VPN

A Cloud VPN, also known as VPN as a Service (VPNaaS), is a novel
VPN technology that’s specifically designed for cloud-based
applications and data.

Many modern businesses have transitioned their local network
environment, business applications and data into the cloud, and
conventional VPNs such as those described above are no longer enough
to ensure data security.

Employees usually access these cloud applications and data from the
office network; but with the COVID-19 pandemic, for example, employees
are increasingly relying on their own home networks, personal computers
and mobile devices to access these applications. This raises a lot of
security concerns.

While cloud service providers offer the network infrastructure, they do
not provide security for the personal devices used by end-users.

The objective of a cloud VPN is to give employees and remote workers
secure access to cloud resources through a cloud-based VPN
infrastructure over the public Internet from any location in the world
without undermining security.

Unlike traditional VPNs, which require some sort of on-premise VPN
infrastructure, a Cloud VPN provides a globally accessible secure
connection.

For organizations whose business LAN environment or day-to-day
business applications (such as ERP or Active Directory Services) have
moved to the cloud, Cloud VPN offers the best alternative for cheap and
secure access.

Cloud VPN services can be obtained from providers such as Perimeter
81 and NordLayer, and can be configured in a matter of hours or minutes
to establish a site-to-site IPSec VPN tunnel to your cloud servers.

Most cloud service providers, such as Google, Microsoft and Amazon,
also provide Cloud VPN services.

=============================================
VPN encryption explained: IPSec vs SSL
VPN encryption prevents third parties from reading your data
as it passes through the internet. Find out about IPSec and
SSL -- the two most popular secure network protocol suites
used in Virtual Private Networks, or VPNs.
Paul Bischoff, tech writer, privacy advocate and VPN expert
@pabischoff. Updated: September 8, 2023

Plenty of other articles out there compare and contrast IPSec vs SSL
VPNs from the perspective of a network admin who has to set them up.
This article, however, will examine how major commercial VPN
providers utilize SSL and IPSec in their consumer services, which
are intended to provide access to the web and not a corporate network.

VPN protocols that use IPSec encryption include L2TP, IKEv2, and
SSTP. OpenVPN is the most popular protocol that uses SSL
encryption, specifically the OpenSSL library. SSL is used in some
browser-based VPNs as well.

This article compares and contrasts IPSec vs SSL encryption from the
VPN end-user standpoint.

The basics of VPN encryption

VPN encryption scrambles the contents of your internet traffic in such a
way that it can only be un-scrambled (decrypted) using the correct key.
Outgoing data is encrypted before it leaves your device. It’s then sent to
the VPN server, which decrypts the data with the appropriate key. From
there, your data is sent on to its destination, such as a website. The
encryption prevents anyone who happens to intercept the data between
you and the VPN server—internet service providers, government
agencies, wifi hackers, etc—from being able to decipher the contents.
Incoming traffic goes through the same process in reverse. If data is
coming from a website, it first goes to the VPN server. The VPN server
encrypts the data, then sends it to your device. Your device then
decrypts the data so you can view the website normally.

All of this ensures that VPN users’ internet data remains private and out
of the hands of any unauthorized parties.

The differences between varying types of encryption include:

- Encryption strength, or the method and degree to which your data
  is scrambled
- How the encryption keys are managed and exchanged
- What interfaces, protocols, and ports they use
- What OSI layers they run on
- Ease of deployment
- Performance (read: speed)

What is IPSec and what is SSL?

- SSL (Secure Sockets Layer) operates at the application layer of
  the OSI model. It encrypts the data exchanged between the user’s
  browser and the web server.
- IPsec (Internet Protocol Security) secures internet
  communication at the network layer. It is a suite of protocols for
  encrypting and authenticating network traffic.

For a more detailed explanation of the two protocols, check out our
in-depth guide on common types of encryption.

Security
In short: Slight edge in favor of SSL.

IPSec connections require a pre-shared key to exist on both the client
and the server in order to encrypt and send traffic to each other. A
pre-shared key (PSK) is a piece of data — known only to the parties
involved — that has previously been securely shared between two
computers before it needs to be used.
The exchange of this key presents an opportunity for an attacker to
crack or capture the pre-shared key. PSKs are vulnerable to Man-in-the-
Middle (MitM) attacks, brute force and dictionary attacks.

SSL VPNs don’t have this problem because they use public key
cryptography to negotiate a handshake and securely exchange
encryption keys. Public key cryptography, also known as asymmetric
cryptography, uses a pair of keys for secure communication: a public key
and a private key. Unlike symmetric cryptography, where the same key
is used for both encryption and decryption, public key cryptography uses
two different but mathematically related keys.
SSL vulnerabilities

Despite this, TLS/SSL has a long list of its own vulnerabilities. These
include Padding Oracle on Downgraded Legacy Encryption (POODLE),
Browser Exploit Against SSL/TLS (BEAST), Browser Reconnaissance
and Exfiltration via Adaptive Compression of Hypertext (BREACH), and
Heartbleed.

Some SSL VPNs allow untrusted, self-signed certificates and don’t verify
clients. This is particularly common in “clientless” SSL VPN browser
extensions. These VPNs that allow anyone to connect from any machine
are vulnerable to man-in-the-middle (MITM) attacks. However, this is not
the case with most native OpenVPN clients.
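As an added illustration (not code from the article or from any VPN product), the following Python uses the standard ssl module to show the client-side setting the paragraph describes, where any certificate is accepted, beside a hardened client and a gateway that requires client certificates; the ca_file, cert_chain and key_file paths are hypothetical parameters the caller supplies.

```python
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The pattern the article warns about: the client accepts any
    certificate, including a self-signed one presented by a machine in
    the middle, and never checks that the name matches the gateway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client side: verify the gateway certificate against a trusted CA
    (ca_file is a hypothetical path; None uses the system trust store),
    check the hostname, and refuse pre-TLS-1.2 versions."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(ca_file: Optional[str] = None,
                            cert_chain: Optional[str] = None,
                            key_file: Optional[str] = None) -> ssl.SSLContext:
    """Gateway side: require a client certificate (mutual TLS) so that
    not just anyone from any machine can connect. Paths are hypothetical."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_chain:
        ctx.load_cert_chain(cert_chain, key_file)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext, role: str) -> List[str]:
    """Return the weaknesses a reviewer would flag; an empty list is good."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate not verified")
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


if __name__ == "__main__":
    print("weak client:", audit_tls_context(weak_client_context(), "client"))
    print("hardened client:", audit_tls_context(hardened_client_context(), "client"))
    print("hardened server:", audit_tls_context(hardened_server_context(), "server"))
```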

SSL typically requires more frequent patches to keep up to date, for both
the server and client.

The lack of open-source code for IPSec-based VPN protocols may be a
concern for people wary of government spies and snoopers. Open-source
code allows anyone to examine it for vulnerabilities and suggest fixes.
Closed-source code is manipulated in-house and hidden from the
end-user.

In 2013, Edward Snowden revealed the US National Security Agency’s
Bullrun program actively tried to “insert vulnerabilities into commercial
encryption systems, IT systems, networks, and endpoint
communications devices used by targets.” The NSA allegedly targeted
IPSec to add backdoors and side channels that could be exploited by
hackers.

In the end, strong security is more likely the result of skilled and mindful
network administrators rather than choice of protocol.

Firewall traversal
In short: SSL-based VPNs are generally better for bypassing firewalls.

NAT firewalls often exist on wifi routers and other network hardware. To
protect against threats, they throw out any internet traffic that isn’t
recognized, which includes data packets without port numbers.
Encrypted IPSec packets (ESP packets) have no port numbers assigned
by default, which means they can get caught in NAT firewalls. This can
prevent IPSec VPNs from working.

To get around this, many IPSec VPNs encapsulate ESP packets inside
UDP packets, so that the data is assigned a UDP port number, usually
UDP 4500. While this solves the NAT traversal problem, your network
firewall may not allow packets on that port. Network administrators at
hotels, airports, and other places may only allow traffic on a few required
protocols, and UDP 4500 may not be among them.

SSL traffic can travel over port 443, which most devices recognize as the
port used for secure HTTPS traffic. Almost all networks allow HTTPS
traffic on port 443, so we can assume it’s open. OpenVPN uses port
1194 by default for UDP traffic, but it can be forwarded through either
UDP or TCP ports, including TCP port 443. This makes SSL more
useful for bypassing firewalls and other forms of censorship that
block traffic based on ports.
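To make the port-number point concrete, here is an added Python example (not from the article) that builds four constructed IPv4 packets, one per case above, and runs them through three hypothetical policies: a home NAT router that can only forward traffic carrying port numbers, a guest-network firewall that allows only port 443, and an office gateway opened for VPN traffic as the Copilot answer recommends (IKE on UDP 500, NAT-T on UDP 4500, raw ESP, OpenVPN on UDP 1194 and TCP 443). The addresses and ports in the samples are made up.

```python
import struct
from typing import Dict, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
Flow = Tuple[int, Optional[int]]  # (IP protocol number, destination port or None)
ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16  # SPI, sequence, ciphertext

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) in front of payload."""
    src, dst = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def classify(packet: bytes) -> Flow:
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    proto = packet[9]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        return proto, struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    return proto, None  # ESP carries an SPI and sequence number, no port numbers

def nat_router_passes(flow: Flow) -> bool:
    return flow[1] is not None  # hypothetical consumer NAT: needs ports to map a flow

def hotel_firewall_passes(flow: Flow) -> bool:
    return flow[1] == 443  # hypothetical guest network: only HTTPS-looking traffic

def office_gateway_passes(flow: Flow) -> bool:
    """Office firewall opened for IKE (UDP 500), NAT-T (UDP 4500), raw ESP,
    OpenVPN on UDP 1194 and OpenVPN forwarded over TCP 443."""
    proto, dport = flow
    return (proto == IPPROTO_ESP or (proto == IPPROTO_UDP and dport in (500, 4500, 1194))
            or (proto == IPPROTO_TCP and dport == 443))

SAMPLES = {  # constructed packets, one per case discussed in the article
    "raw ESP": ipv4(IPPROTO_ESP, ESP_BODY),
    "ESP in UDP 4500 (NAT-T)": ipv4(IPPROTO_UDP, udp(4500, 4500, ESP_BODY)),
    "OpenVPN UDP 1194": ipv4(IPPROTO_UDP, udp(51000, 1194)),
    "OpenVPN TCP 443": ipv4(IPPROTO_TCP, tcp_syn(51001, 443)),
}

def traversal_report() -> Dict[str, Dict[str, bool]]:
    """For each sample, which of the three network policies lets it through."""
    return {name: {"home NAT": nat_router_passes(classify(pkt)),
                   "hotel": hotel_firewall_passes(classify(pkt)),
                   "office": office_gateway_passes(classify(pkt))}
            for name, pkt in SAMPLES.items()}
```

Only the TCP 443 sample passes all three policies, which is the article's point about why OpenVPN over TCP 443 is the fallback when UDP 4500 is blocked.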

Speed and reliability

In short: Both are reasonably fast, but IKEv2/IPSec negotiates
connections the fastest.

Most IPSec-based VPN protocols take longer to negotiate a connection
than SSL-based protocols, but this isn’t the case with IKEv2/IPSec.

IKEv2 is an IPSec-based VPN protocol that’s been around for over a
decade, but it’s now trending among VPN providers. Driving its
deployment is its ability to quickly and reliably reconnect whenever the
VPN connection is interrupted. This makes it especially useful for mobile
iOS and Android clients that don’t have reliable connections or those that
frequently switch between mobile data and wifi.

As for actual throughput, it’s a toss-up. We’ve seen arguments from both
sides. In a blog post, NordVPN states that IKEv2/IPSec can offer faster
throughput than rivals like OpenVPN. Both protocols typically use either
the 128-bit or 256-bit AES cipher.

The extra UDP layer that many providers put on IPSec traffic to help it
traverse firewalls adds extra overhead, which means it requires more
resources to process. But most people won’t notice a difference.

On most consumer VPNs, throughput is determined largely by server
and network congestion rather than the VPN protocol.


Ease of use
In short: IPSec is more universal, but most users who use VPN
providers’ apps won’t notice a huge difference.

IKEv2, SSTP, and L2TP are built-in IPSec-based VPN protocols on most
major operating systems, which means they don’t necessarily require an
extra application to get up and running. Most users of consumer VPNs
will still use the provider’s app to get connected, though.

SSL works by default in most web browsers, but a third-party application
is usually necessary to use OpenVPN. Again, this is usually taken care
of by the VPN provider’s app.

In our experience, IKEv2 tends to offer a more seamless experience
than OpenVPN from an end-user standpoint. This is largely due to the
fact that IKEv2 connects and handles interruptions quickly. That being
said, OpenVPN tends to be more versatile and may be better suited to
users who can’t accomplish what they want with IKEv2.

When it comes to corporate VPNs that provide access to a company
network rather than the internet, the general consensus is that IPSec is
preferable for site-to-site VPNs, and SSL is better for remote access.
The reason is that IPSec operates at the Network Layer of the OSI
model, which gives the user full access to the corporate network
regardless of application. It is more difficult to restrict access to specific
resources. SSL VPNs, on the other hand, enable enterprises to control
remote access at a granular level to specific applications.

Network administrators who operate VPNs tend to find client
management a lot easier and less time-consuming with SSL than with
IPSec.

IPSec vs SSL VPNs: Conclusion

All in all, for VPN users who have both options, we recommend going for
IKEv2/IPSec first, then turning to OpenVPN/SSL should any issues crop
up. The speed at which IKEv2 is able to negotiate and establish
connections will offer a more tangible quality-of-life improvement for the
average, everyday VPN user, while offering comparable security and
speed — but it may not work under all circumstances.

OpenVPN/SSL was until quite recently considered the best VPN
combination for most users of consumer VPNs. OpenVPN, which uses
the OpenSSL library for encryption and authentication, is reasonably
fast, very secure, open source, and can traverse NAT firewalls. It can
support either the UDP or TCP protocol.

IKEv2/IPSec presents a new challenger to OpenVPN, improving on
L2TP and other IPSec-based protocols with faster connections, more
stability, and built-in support on most newer consumer devices.

SSL and IPSec both boast strong security pedigrees with comparable
throughput speed, security, and ease of use for most customers of
commercial VPN services.

Image credit: “IPsec in de netwerklaag” by Soufiane Hamdaoui, licensed
under CC BY-SA 3.0

IPSec vs SSL VPNs FAQs

Do SSL VPNs hide IP addresses?

SSL VPNs can provide anonymity by hiding IP addresses, but they can
also be configured to reveal IP addresses. It all depends on how the SSL
VPN is configured. If you want complete anonymity, you’ll need to make
sure that the SSL VPN is configured properly to avoid activities leaking
to your ISP.

https://www.comparitech.com/blog/vpn-privacy/ipsec-vs-ssl-vpn/
Question:
For a VPN IPSec solution, what is the best choice?
