By Arleen Thukral, MS

A virtual private network (VPN) is used to connect remote points—including users, databases, or whole offices—to an organization’s central secured network. Businesses use VPNs to connect remote datacenters, while individuals often utilize them to access network resources when they’re not physically on the same local area network, or to secure and encrypt their communication when they’re using an untrusted public network.

Note: This may be cheaper than a dedicated leased line connection for the average small- to medium-sized enterprise. The rationale for creating a VPN installation, however, comes from a need for security and dedicated data control.

How It Works

When a VPN client establishes a VPN connection, a virtual interface is created on the VPN client that represents the interface connected to the VPN server. The virtual interface of the VPN client and the VPN server must then be assigned Internet Protocol (IP) addresses.

By default, the VPN server obtains IP addresses for itself and for VPN clients using the Dynamic Host Configuration Protocol; alternatively, a static pool of IP addresses can be configured to define one or more address ranges. In order for a VPN to perform properly, the server must also have enough bandwidth to accommodate the number of active users at any one time.

Types of VPNs

There are numerous types of VPNs. Internet Protocol Security (IPSec), for starters, is a standard VPN that is flexible and configurable in terms of its ability to connect two networks. With IPSec, traffic is encrypted and authenticated to protect it against undetected alteration. But it’s important to remember that data encryption should always be used for VPN connections where private data is transmitted across a public network, such as the Internet.

Furthermore, a Secure Sockets Layer (SSL) VPN links a single computer to an application gateway on a corporate network. Because SSL VPNs use the client’s web browser as an interface, the client machine often needs additional software, and operating system compatibility must be considered for that extra client software download.

Healthcare organizations (HCOs) typically deploy this type of VPN connection for internal employee use. With healthcare being a vast and complex environment, HCOs should develop guidelines—for instance, megapixel requirements for remote diagnostic review software. And biomedical engineers and technicians should be at the frontlines of decision-making regarding the use of personal devices for telemedicine.

Moreover, mobile VPNs (mVPNs) are integral to certain industry use cases, such as public safety and emergency services. What differentiates mVPNs from traditional VPNs is the lack of fixed endpoints. Unlike traditional VPNs, the mVPN must maintain the user’s connection while handling the login to each new endpoint, using a client to do so.

Furthermore, a number of VPN service providers (e.g., OBS VPN Galerie) are now beginning to offer integrated public cloud services as part of their VPN offering (cloud-centric VPN 2.0).

Another VPN option is site-to-site, where a tunnel is built statically between a client’s site and their hosted firewall. Tunneling is a method of using a network infrastructure to transfer data from one network over another network. Instead of sending a frame as the originating node produces it, the tunneling protocol encapsulates the frame in an additional header, which provides routing information. (For reference: A tunnel is the logical path along which the encapsulated packets traverse the network.) This means users pass secure traffic, although they can only initiate it from a specified location.
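The encapsulation described above, combined with the encrypt-and-authenticate protection the IPSec section says is applied to the payload, as an added example that is not part of the original article: a simplified ESP-style tunnel-mode packet builder. The keys, tunnel addresses, header layout and the SHA-256 keystream standing in for AES are all constructed for the demo and are not real IPsec parameters.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo keys; a real IPsec security association gets these from IKE.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
ICV_LEN = 16           # HMAC-SHA-256 truncated to 128 bits, as ESP does
ESP_PROTO = 50         # IP protocol number for ESP, carried in the outer header
OUTER_FMT = ">4s4sHB"  # tunnel src, tunnel dst, ESP length, protocol (simplified outer header)
ESP_FMT = ">IIQ"       # SPI, sequence number, 8-byte IV

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256: a stand-in for AES-CTR, demo only.
    blocks = [hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, spi: int, seq: int) -> bytes:
    # The original packet is never sent as produced: it becomes an encrypted ESP payload
    # behind an outer header that routes between the two tunnel endpoints.
    esp_hdr = struct.pack(ESP_FMT, spi, seq, seq)   # demo IV derived from the sequence number
    iv = esp_hdr[8:]
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream(ENC_KEY, iv, len(inner))))
    icv = hmac.new(AUTH_KEY, esp_hdr + ciphertext, "sha256").digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    outer = struct.pack(OUTER_FMT, ipaddress.ip_address(tunnel_src).packed,
                        ipaddress.ip_address(tunnel_dst).packed, len(esp), ESP_PROTO)
    return outer + esp

def decapsulate(wire: bytes) -> bytes:
    # Verify the ICV before decrypting; any altered byte makes the packet fail closed.
    outer_len, esp_len = struct.calcsize(OUTER_FMT), struct.calcsize(ESP_FMT)
    if len(wire) < outer_len:
        raise ValueError("truncated outer header")
    _src, _dst, length, proto = struct.unpack(OUTER_FMT, wire[:outer_len])
    esp = wire[outer_len:outer_len + length]
    if proto != ESP_PROTO or len(esp) != length or length < esp_len + ICV_LEN:
        raise ValueError("malformed outer header or truncated ESP packet")
    esp_hdr, body, icv = esp[:esp_len], esp[esp_len:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_hdr + body, "sha256").digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed: packet altered in transit")
    return bytes(a ^ b for a, b in zip(body, keystream(ENC_KEY, esp_hdr[8:], len(body))))

if __name__ == "__main__":
    inner = b"constructed inner packet: clinic workstation -> PACS image request"
    wire = encapsulate(inner, "198.51.100.10", "203.0.113.20", spi=0x1000, seq=7)
    print(len(wire), "bytes on the wire; decapsulated:", decapsulate(wire))
```

The outer header carries only the two tunnel endpoints, so a device on the public path learns nothing about the inner addresses or payload, and a single flipped byte anywhere in the ESP portion is rejected before decryption.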

Security and Privacy Controls

There are many security and privacy controls to be aware of for information systems, per the National Institute of Standards and Technology (NIST) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. One of the jobs of an information security officer is reviewing access control for each type of VPN.

Note: There may be regulations that govern the flow of information within a system and between interconnected systems, such as “copy/paste.” And the principle of least privilege provides only authorized users with the access to accomplish assigned tasks. Also, session locks prevent access to the system after a certain period of inactivity.

What’s more, contractor VPN accounts can be established with IP restrictions that limit vendor remote access to a subnet of internal IP space. Even so, if the systems are already access-controlled, an organization may deem this security control “low risk.”
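Added example, not from the article: a small evaluator that applies the three controls just described (least privilege by account, a session lock after inactivity, and a contractor account pinned to one internal subnet) to a constructed VPN session log. The policy table, account names, subnets and timestamps are all hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed policy table. Each account may reach only the listed internal subnets
# (least privilege); the contractor account is pinned to one subnet of internal space.
POLICY = {
    "staff-clinician": ["10.20.0.0/16"],
    "vendor-imaging": ["10.20.45.0/24"],
}
SESSION_LOCK = timedelta(minutes=15)  # inactivity limit before the session locks

def evaluate(account: str, dst_ip: str, last_activity: datetime, now: datetime):
    # Return (allowed, reason) for one flow an authenticated VPN session tries to open.
    allowed_nets = POLICY.get(account)
    if allowed_nets is None:
        return False, "unknown account: no privileges assigned"
    if now - last_activity > SESSION_LOCK:
        return False, "session locked after inactivity"
    dst = ipaddress.ip_address(dst_ip)
    if not any(dst in ipaddress.ip_network(net) for net in allowed_nets):
        return False, f"{dst_ip} is outside the subnets permitted for {account}"
    return True, "permitted"

def review_log(entries, now: datetime):
    # Decide every flow in a session log; the denials are what an information
    # security officer reviews when checking access control for a VPN.
    return [(e["account"], e["dst"], *evaluate(e["account"], e["dst"], e["last_activity"], now))
            for e in entries]

# Constructed session log: one vendor flow inside its subnet, one outside it,
# one staff flow from a session idle for 40 minutes, and one unknown account.
NOW = datetime(2024, 1, 15, 9, 0)
SAMPLE_LOG = [
    {"account": "vendor-imaging", "dst": "10.20.45.7", "last_activity": NOW - timedelta(minutes=2)},
    {"account": "vendor-imaging", "dst": "10.20.1.5", "last_activity": NOW - timedelta(minutes=2)},
    {"account": "staff-clinician", "dst": "10.20.1.5", "last_activity": NOW - timedelta(minutes=40)},
    {"account": "former-contractor", "dst": "10.20.45.7", "last_activity": NOW},
]

if __name__ == "__main__":
    for row in review_log(SAMPLE_LOG, NOW):
        print(row)
```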

Finally, the latest generation of VPN features self-contained hardware solutions. And since they’re self-contained, the VPN hardware cuts down on file server usage. These new VPNs, which are small and easy to set up and use, still contain all the necessary security and performance features. So, to sum it up, the popularity of VPNs continues to grow and evolve, providing institutions of all sizes a means to leverage the Internet to reduce communication costs.

Arleen Thukral, MS, is chief biomedical engineer at VA Central California Health Care System in Fresno. Questions and comments can be directed to kstephens@medqor.com.