I work as an IT Audit Project Manager, and I am running into some confusion on VPNs and the actual transmission of data in the VPN. My question is: if clear text is used to pass information through the VPN, is there any encryption applied, or is that only if the data was previously encrypted? Or is the encryption applied at the point that the VPN is created? If this were through a dial-in connection, from what point would the data still be vulnerable? Or does the Web browser secure it from the computer to the ISP? Thanks in advance.
There are many different kinds of VPNs, and many ways of configuring them. While data encryption is usually used, that may not always be the case. Where the encryption occurs may also vary widely. Here are some possibilities to consider:
- Frame Relay VPN
  Connections between sites are provided by frame relay. Since these connections are effectively point-to-point, encryption is usually not used. The security of this approach relies on the inaccessibility of the data by anyone other than the intended users and the carrier.
- MPLS VPN
  Like frame relay, Multiprotocol Label Switching (MPLS) provides virtual point-to-point connections through the switched network. Because data are only accessible by the customer and the carrier, encryption is typically not used.
- "Cloud-based" IP VPN
  Some Internet Service Providers (ISPs) offer managed VPN services using encryption where the encryption terminates in the ISP's POP. Data are passed in the clear from the customer site to the ISP's POP, and are then encrypted for transmission over the Internet to the POP serving the remote end, where they are decrypted and sent in the clear to the remote site. So long as the link between the customer site and the ISP's POP is not shared (DSL, for example, rather than cable), encryption is not required to protect the data on that link.
- Customer Premises IP VPN
  VPN devices may be installed at the edge of a customer's intranet, ensuring that all VPN traffic sent out will be encrypted. Data are sent and received in the clear within the intranet, and are encrypted on transmission to the public Internet.
- Remote Access Services VPN
  A variety of VPN technologies exist to provide remote user access to a corporate intranet. These typically require special "client" software on the remote users' machines. These VPN solutions encrypt all data from the remote machine to the VPN gateway at the corporate site. They often also block all non-encrypted data exchange while the VPN is in operation.
- SSL-based VPN
  A Web-based VPN solution uses an HTTP server and common browser software to provide access to secured resources. Encryption is provided through the Secure Sockets Layer (SSL). In an SSL-based solution, data to and from the server are encrypted, but other data exchanges may be in the clear.