Hey Thomas,
I didn't forget about you! I have been out of the office for a bit. The last one we have to talk about is VPNs and TLS. When we think about HTTPS, remember that this protocol encrypts the communication between a web browser and a server.
So take for instance a quick little diagram:
In this diagram, User01 needs to access a public website. So how do we make it so that a user traversing a public network can connect to our company's website in a secure manner, one that protects the confidentiality, integrity and availability of the communication? We implement HTTPS, which today uses TLS as its security layer.
Note the DMZ here: the first (external) firewall allows public access to our company's internal resources, which in this case means the company website. So what does this do for us?
What does this do?
1 - Allows access to our internal resources
2 - Does not expose our internal network to the outside world when accessing the company website
3 - Gives the customer confidentiality of the communication, via HTTPS-based encryption
4 - Gives integrity of the communication, as there is a certificate exchange/validation of the web server
5 - Encrypts web-based (HTML-based) communication
What doesn't this do?
1 - Allow authorized users on a public network (Internet) to access the internal network
2 - Provide authentication, authorization or auditing of those external-to-internal connections for authorized users
So what can we do to allow authorized users or employees access to internal company resources? For example, Remote User 01 works from home 3 days out of the week. This user also needs access to her work files, stored on a centralized file server located on the internal company network.
We could (please do not....lol) do this:
1 - Place the web application server in the DMZ
2 - Place the file server in the DMZ
As I am sure you are aware this presents a major security risk:
The web application and file server are now exposed to the public (and all the bad actors)
Authentication and authorization have to be performed there, which in this case will expose the user database to the public (and all the bad actors)
Sensitive information is now exposed to the public
...and more
This is not a solution. So we need to:
1 - Keep these resources protected inside the company's internal network
2 - Implement a remote access technology that allows access from the public network to internal resources and is not limited to web-based technologies such as HTTPS.
3 - Allow for the implementation of authentication, authorization and auditing.
This is where HTTPS is not a viable option: while it does provide encrypted communication between a web browser and a web server, it lacks the other attributes we need. So insert VPN technologies.
VPNs allow us to:
1 - Connect to internal resources over existing public networks
2 - Make connections appear as though the remote user is connected to the physical network
3 - Avoid exposing internal resources to those public networks
4 - Perform authentication by implementing technologies like RADIUS, TACACS+ or Diameter
5 - Protect the user database from exposure to the public and bad actors
6 - Provide confidentiality to sensitive internal data through application of strong encryption.
7 - Allow connections to, and use of, resources that do not use HTTPS (such as FTP, SSH, LDAP, SMB and NFS, to name a few)
When we implement VPN technologies we get these benefits and more. To the end user it looks like they are connected to the LAN and can access resources (not just HTTPS or web-based technologies).
And a VPN's security layer can be TLS!
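As an added example (not from the original post), here is a small Python model of the two access paths described above: the public HTTPS path to the DMZ web server, and the VPN path to internal-only services that is gated on successful authentication. All addresses and port lists are constructed for illustration.

```python
# Added example (not from the original post): a small model of the external
# and internal firewall policy sketched in the diagrams. Addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("203.0.113.0/24")     # constructed DMZ prefix (web server lives here)
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # constructed internal LAN (file server lives here)
VPN_POOL = ipaddress.ip_network("10.20.0.0/24")  # addresses the VPN gateway hands to remote users


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    # Set by the VPN gateway only after AAA (e.g. RADIUS) succeeds; never read from the packet.
    vpn_authenticated: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: FrozenSet[int]
    requires_vpn: bool = False


# External firewall: anyone may reach the DMZ web server, but only on HTTPS (443).
# Internal firewall: only authenticated VPN clients may reach internal services
# that are not web-based (SSH, LDAP, SMB, NFS). Anything not matched is denied.
RULES = [
    Rule("public-https-to-dmz-web", INTERNET, DMZ, frozenset({443})),
    Rule("vpn-to-internal-services", VPN_POOL, INTERNAL,
         frozenset({22, 389, 445, 2049}), requires_vpn=True),
]


def allowed(flow: Flow) -> Optional[str]:
    """Return the name of the rule that permits the flow, or None (default deny)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in RULES:
        if src in rule.src and dst in rule.dst and flow.dport in rule.dports:
            if rule.requires_vpn and not flow.vpn_authenticated:
                continue  # right network, but no AAA: fall through to deny
            return rule.name
    return None
```

Run `allowed(Flow("198.51.100.7", "10.10.5.20", 445))` to see that an Internet host cannot reach the file server's SMB port at all, while the same request from an authenticated VPN client is permitted.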
I hope this helps @Thomas-Pondant