ITSD Computing and Communications Services News
November, 2004
Make VPN Work for You

Virtual Private Network (VPN) provides offsite users with a secure connection to the Lab’s internal network services. It enables users to access certain online journals, MS Networking shares, Novell shares and certain Web pages. Users are encouraged to use VPN if they send sensitive data and passwords, which need to be protected from interception as they travel to and from the Lab.

In addition to LDAP password-based access, Lab access is sometimes restricted on the basis of your IP address. The following Internet addresses are considered "inside" the Lab if they fall into one of these two ranges: 128.3.0.0 to 128.3.255.255 or 131.243.0.0 to 131.243.255.255.
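The address-based check described above, as an added example that is not part of the original article or of any Lab system: it turns the two "inside" ranges into CIDR blocks and decides, for a few constructed client addresses, whether an address-restricted service would let them in before any password is checked. The sample addresses (home, VPN-assigned, wireless access point) are constructed for illustration.

```python
import ipaddress

# "Inside" ranges exactly as the article gives them (start, end).
INSIDE_RANGES = [
    ("128.3.0.0", "128.3.255.255"),
    ("131.243.0.0", "131.243.255.255"),
]

# Expand each start/end pair into the CIDR blocks that cover it exactly.
INSIDE_NETWORKS = [
    net
    for start, end in INSIDE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    )
]


def inside_cidrs() -> list:
    """CIDR notation for the inside ranges, e.g. '128.3.0.0/16'."""
    return [str(net) for net in INSIDE_NETWORKS]


def is_inside_lab(addr: str) -> bool:
    """True if addr is an IPv4 address in one of the inside ranges.
    Anything unparsable or non-IPv4 is treated as outside."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in INSIDE_NETWORKS)


def address_check(addr: str) -> str:
    """Decision an address-restricted Lab service would make for a client
    before any password check: 'allow' for inside addresses, else 'deny'."""
    return "allow" if is_inside_lab(addr) else "deny"


# Constructed sample clients (not real Lab assignments): a home broadband
# address, the inside address a VPN tunnel hands out, and a wireless
# access point, which the article says sits outside the inside ranges.
SAMPLE_CLIENTS = {
    "home-dsl": "192.168.1.10",
    "vpn-assigned": "131.243.7.42",
    "lab-wireless-ap": "198.51.100.5",
}

if __name__ == "__main__":
    print("inside ranges:", ", ".join(inside_cidrs()))
    for name, addr in SAMPLE_CLIENTS.items():
        print(f"{name:16} {addr:16} {address_check(addr)}")
```

Only the VPN-assigned address passes; the home and wireless addresses are denied, which is why the tunnel matters even when you are physically on site.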

In the past, the solution was to use dial-in PPP with a modem, which provided an inside address and a point-to-point connection. But now most people have broadband at home or on the road, so a 56K dial-in (at best) is a slow (and increasingly expensive) solution.

Software vs. Hardware
ITSD recommends that users get VPN software, which is a program that can run on your home desktop or laptop. The software is easy to install and use. VPN is also available as hardware—a small "P-Rav" box hooked up between your computer and your cable or DSL modem. In both cases, VPN sets up a virtual “tunnel” through the Internet to a VPN server inside the Lab. Your home computer or laptop is given an IP address from inside the Lab. All traffic between the two endpoints is securely encrypted.

Wireless
If you use wireless networking at home (or in a remote venue), software VPN is the only way to securely communicate with the Lab. With VPN all wireless traffic is encrypted before it leaves your laptop. All wireless access points at the Lab have IP addresses that fall outside the ranges noted above, so VPN is necessary for wireless users to appear logically inside the Lab, even when you are physically here.

Considerations
However, there are a few complications when using VPN. If you use a network-attached printer at home, your printer is no longer considered local once you’ve established a VPN tunnel. Hardware VPN users must unplug and replug cables to access their local printers. Software VPN users will need to click the VPN icon and temporarily disconnect from the Lab to print locally.

Your computer which uses VPN — whether it’s Lab-owned or your own personal computer — should be up to date with the latest patches and anti-virus software, because it could be a potential point of vulnerability for the Lab’s network.

Some locations (including other national labs) may have firewalls in place that prevent VPN traffic. Sometimes these can be circumvented by converting your transport protocol to TCP from the default UDP. Details here.

Also, please keep in mind that when you’re on VPN, you are part of the Lab’s network and subject to Lab policies regarding acceptable use.

Costs
VPN hardware or software is available to anyone with an LDAP login and password and an account number to pay the $80.00 one-time charge; there is no recurring charge at this time. In addition, if you have an unused hardware VPN device gathering dust, please return it to LBLnet at 50E-101, and LBLnet will close your hardware account.

For more information or to sign up, go to the LBLnet homepage or call the Help Desk at x4357.