Lately I've been dealing with managing security for multiple networks. Things have gotten increasingly complex as I add more computers, more data, connect to more remote networks, and allow other people to connect to my local network. Security is not something that comes naturally in such a setup. Each time I add another remote connection or take on more liability for intellectual property, I first think about how the new data and network will be segmented within my existing security plan.
Segmentation provides security by allowing me to build walls between everything on my network so that I can conceptually understand where everything resides. I need to always be aware of where my private personal data is... as well as my employer's private data, so that I can ensure I won't be the weak link that results in damage nobody notices.
I have my home network, which contains all my personal information; the remote office network, which contains work-related private data (I also keep local office data because network speeds are too slow for large data sets); and from time to time I would like to allow my friends and family to connect to my network.
It is important that my own network be very secure and that all the networks that I connect to are also very secure. Otherwise, I don't know what is going on in my network... and I might as well publish the data I hold for anyone to read.
There are many solutions when it comes to virtual private networking (VPN). There are hardware-based solutions (beware: many products marketed as hardware VPNs are actually simple hardware running a software VPN) that allow you to set and forget, typically with a web interface for administration. There are also straight software solutions that allow you to connect your OS to a VPN tunnel.
There are many VPN protocols to choose from, such as simple SSH tunnelling, PPTP, IPSec, SSL/TLS, and other proprietary protocols.
Making sense of what to use for your own VPN can be a hard decision. For a long time I stayed away from VPN and used simple dynamic firewalls that would block everyone from my internal network but allow those people who knew the special "open sesame" passwords to come in. This worked well for simple authentication, but I still needed to ensure that all the protocols I used were encrypted with SSH or SSL. This solution does provide a nice way of hiding services, but it doesn't allow remote users to actually enter the network, participate in network broadcasts, and really feel like they are connected to the network.
I'm starting to think that the best solution is a Linux-based VPN endpoint. While this does require more work up front, it also provides the greatest flexibility. Using Linux as a VPN endpoint not only allows me to connect to enterprise VPN endpoints like SonicWall, it also allows me to be a VPN gateway for my local network.
The only drawback I see with this approach is that any solution I create must be supported by me... and I have to be constantly mindful of network vulnerabilities that might arise in the software I use. Then again, I think support and maintenance are a problem whether you roll your own device or buy one off the shelf.
Some VPN solutions I'm looking at now are:
OpenVPN - SSL VPN for almost every OS out there. Since it uses SSL and not PPTP, it requires the installation of a client on the OS of your choice. For example, OpenVPN GUI for Windows allows you to connect to an OpenVPN server from your Windows machine. There are many good HOWTOs and readmes on setting this solution up, and it seems pretty straightforward.
CIPE - a project that tunnels IP packets in encrypted UDP packets. The whole idea of the project is to be as simple as possible. There are implementations for both Linux and Windows. I've heard some good things about this solution because it is easy to set up.
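As an added example (not from the original post), this is what the Linux-as-VPN-gateway idea looks like as an OpenVPN server configuration with a matching profile for the Windows client mentioned above. The tunnel subnet 10.8.0.0/24, the home LAN 192.168.1.0/24, the hostname vpn.example.net, the file names and the nobody/nogroup account are constructed placeholders.

```conf
# server.conf  (constructed example; subnets, hostname and file names are placeholders)
port 1194
proto udp
dev tun
# X.509 material issued by your own CA; the server certificate is never reused on a client
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# remote clients get addresses from a dedicated segment, not from the home LAN itself
server 10.8.0.0 255.255.255.0
# only the LAN segment I choose to expose is routed through the tunnel
push "route 192.168.1.0 255.255.255.0"
# packets without a valid HMAC from the shared ta.key are dropped before any TLS work
tls-auth /etc/openvpn/ta.key 0
# require a certificate with the client EKU, so a leaked server cert cannot pose as a client
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 120
# drop root once the tun device and keys are set up (group name varies by distribution)
user nobody
group nogroup
persist-key
persist-tun
verb 3

# client.ovpn  (matching profile for the OpenVPN GUI on Windows)
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
ca ca.crt
cert laptop.crt
key laptop.key
# refuse the session unless the peer presents a server certificate (another client cannot pose as the gateway)
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
```

The gateway additionally needs IP forwarding enabled and firewall rules that forward only between the tun interface and the pushed LAN subnet, so the VPN segment cannot reach anything that was not deliberately listed.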