Making Sense Of VPN Systems, Standards, And Protocols.
Multi-vendor solutions are the challenge.
The Internet is now used by all parts of the expanding corporate enterprise, allowing for the proliferation of branch offices, telecommuters, and other external network users. However, the inherent insecurity of the Internet has created more holes to plug and more opportunities for infection or information leaks. Cryptography, virtual private networks (VPNs), and related technologies are evolving to meet security needs, but strained IT organizations often lack the time and expertise to implement them.
These organizations need to focus more on core business functions and less on managing the IT environment. To do so, they are increasingly outsourcing both network connectivity and key e-business and enterprise applications. According to market research firm Infonetics, the market for VPN (Virtual Private Network) services will exceed $35 billion by 2003, a growth rate of 606 percent between 2000 and 2004. This means service providers like Web hosts, colocation facilities, and managed security service providers are now responsible for protecting mission-critical customer data while accommodating a variety of products and platforms. This calls for highly scalable, interoperable solutions.
As outsourcing increases, the ability of security systems to scale and meet these requirements must also grow. Until recently, most service providers were forced to cobble together partial solutions from enterprise-oriented security solutions--primarily firewalls and VPNs. VPNs are quickly taking hold in an industry looking for easier and less expensive networking solutions. According to statistics from IDC and Infonetics, the purchase of firewall appliances will reach $1.4 billion by the year 2003, while VPN product sales will reach $3.3 billion.
Fueling these sales is an impressive list of VPN virtues. They provide an extremely high level of security using advanced encryption and authentication protocols, yet they are extremely cost-effective compared to traditional leased-line networks. No more expensive 800-numbers or long distance calls to modem banks--with VPNs, remote users can connect to their corporate networks through a local Internet service provider (ISP). VPNs also serve to connect remote offices via the Internet instead of using more expensive private networks such as Frame Relay and dedicated lines. VPNs also benefit from a scalability cost advantage since users can add a virtually unlimited amount of capacity without adding significant infrastructure. A company can replace expensive servers and modem lines with a VPN appliance and a DSL line, and leverage the ISP's infrastructure.
However, in order for VPNs to be effective they must work together with other security products, like firewalls. It's possible to overcome the mutually exclusive features of firewalls and VPNs, but to do so requires an understanding of the underlying challenges and standards that shape VPN technology.
The current standard for network and even dial-up connections is Internet Protocol Security, or IPSec. A very complex protocol, IPSec has become the clear standard, because it provides all of the elements expected of security:
* Authentication, which assures that the user is who she says she is.
* Privacy, which means no one can see the data the user is transmitting.
* Non-repudiation, which provides proof that the addressee received the transmission and also prevents play-back attacks.
* Integrity, which means knowing whether the transmission was changed in the middle.
Other protocols exist, most notably PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol). Both have some of the key security elements, but neither is as comprehensive and effective as IPSec.
IPSec provides encryption, key management, and ironclad authentication in a way that proprietary remote access solutions can't, making it the only logical choice for the public line requirements of VPNs. It's worth noting that the next level of security standards will likely combine the robustness of L2TP with the security of IPSec.
Clearing Up The Complexity
All of that power makes IPSec an extremely complex protocol. Its basic encryption function alone can stress security hardware and software. And in order to set up a tunnel, IPSec requires more than encryption. It uses public key cryptographic algorithms to provide high security, authenticate each end of the tunnel, and ensure the privacy of data while traveling through the tunnel. Most firewalls offer content filtering and virus scanning features (key security concerns for any enterprise), but such features have the unfortunate side effect of Internet performance degradation. Adding another element, software-based encryption for remote access users, is the surest way to bring the firewall to its knees.
Vendors are dealing with these limitations in a variety of ways. Some firewall vendors have turned to hardware-based encryption accelerators to attempt to ease the load of the software-based access control products. Adding hardware to a general-purpose computer can boost VPN performance somewhat, but bus speed and other architectural limits make this an intermediate solution. And when it comes to handling the special demands of remote access users and their encrypted tunnels, it's just not enough. Remote users are constantly logging on and logging off, and each new tunnel requires multiple public key operations. These operations require special-purpose hardware, the Ferraris of the VPN market.
High performance VPN systems and appliances boast a design that incorporates board layout, processor speed, driver optimization, and custom security ASICs for public key operations as well as encryption. Some tests have credited such devices with performance 5 to 10 times faster than even the hardware-accelerated configurations of software-based products.
In evaluating VPN systems, speed is only part of the story. Manageability is another. If you purchase separate VPN and firewall products, the first thing you need to determine is how to integrate them with one another--as well as with your Network Address Translation (NAT), PKI (Public Key Infrastructure), and routers. Bringing these functions and subsystems together in a cohesive security system is challenging because there are so many possibilities, restrictions, and incompatibilities.
Consider what happens when separate devices handle the IPSec VPN, the access control (firewall), and NAT. It's easy to get VPN traffic into your network because it's aimed at the VPN gateway. But it's much harder to get the VPN traffic out of the network through the correct device. IPSec services are so secure that they don't mix well with NAT services. A NAT device changing the IP addresses in the middle of a secure tunnel will transform packets in a way that resembles a "man in the middle" attack, thus causing the IPSec connection to fail. And some IPSec protocols, such as AH (authentication header), are fundamentally incompatible with NAT, because they guarantee the packet hasn't been changed.
Even if you find an IPSec protocol scenario that works, you've got other problems. The Internet Key Exchange (IKE) management protocol, which is responsible for the exchange of symmetrical keys required by IPSec, does not authenticate securely through many NAT configurations.
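To make the IKE-through-NAT problem concrete, here is an added example that is not part of the article and not NetScreen code. It is a toy model of the responder side of IKEv1 main mode with pre-shared keys (RFC 2409): because the responder must derive SKEYID from the pre-shared key before it can decrypt the initiator's identity payload, the only identity it can select the key by is the packet's source address, which a NAT has replaced. The example goes one step beyond the text and also shows the NAT-D check that RFC 3947 later added so peers can at least detect that a NAT sits between them. All addresses, keys, cookies and nonces are constructed for the example.

```python
"""
Toy model (constructed for this example; not the article's or NetScreen's code)
of why IKEv1 main mode with pre-shared keys fails through NAT, plus the RFC 3947
NAT-D check that lets peers detect the NAT.
"""
import hashlib
import hmac
import socket
import struct

# Constructed gateway configuration: pre-shared keys indexed by peer address.
GATEWAY_PSK_BY_PEER = {
    "192.0.2.10": b"branch-office-secret",
}


def select_psk_main_mode(wire_src_ip):
    """In main mode the responder derives SKEYID from the PSK before it can read
    the initiator's encrypted ID payload, so the PSK can only be chosen by the
    packet's source address (RFC 2409, section 5.4). Returns None if unknown."""
    return GATEWAY_PSK_BY_PEER.get(wire_src_ip)


def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b), using HMAC-SHA1 as the prf."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def negotiate_phase1(wire_src_ip, initiator_psk):
    """Outcome of the authentication step as the responder sees it: (ok, reason)."""
    ni, nr = b"N" * 16, b"R" * 16          # constructed nonces (real ones are random)
    responder_psk = select_psk_main_mode(wire_src_ip)
    if responder_psk is None:
        return False, "no pre-shared key for source address " + wire_src_ip
    if not hmac.compare_digest(skeyid_psk(initiator_psk, ni, nr),
                               skeyid_psk(responder_psk, ni, nr)):
        return False, "SKEYID mismatch: peers hold different keys"
    return True, "phase 1 authenticated"


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port):
    """Responder compares the hash the initiator computed over the address it
    believes it has with a hash over the address actually seen on the wire."""
    return (nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
            != nat_d_hash(cky_i, cky_r, seen_ip, seen_port))


def demo():
    psk = GATEWAY_PSK_BY_PEER["192.0.2.10"]
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8   # constructed IKE cookies
    return {
        "direct": negotiate_phase1("192.0.2.10", psk),
        # Same peer, but a NAT presented it as 198.51.100.7 (constructed address).
        "behind_nat": negotiate_phase1("198.51.100.7", psk),
        "nat_d_direct": nat_detected(cky_i, cky_r, "192.0.2.10", 500,
                                     "192.0.2.10", 500),
        "nat_d_behind_nat": nat_detected(cky_i, cky_r, "192.0.2.10", 500,
                                         "198.51.100.7", 4500),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block shows the direct peer authenticating, the same peer failing behind NAT because no key is found for the translated address, and the NAT-D comparison flagging only the translated case. Keying the pre-shared key on the translated address instead would force every peer behind that NAT to share one key, which is the coordination problem the text is pointing at.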
VPNs And Firewalls
There are only two workable solutions: either IPSec has to occur after NAT processing, or the two must occur in the same system, as in integrated hardware VPN/firewall products (see Figure). If the VPN system is outside the firewall, then the firewall cannot differentiate between encrypted and unencrypted traffic--since it's all decrypted before the firewall sees it. You can't build a firewall policy that depends on the traffic being encrypted, since you can't tell. You may end up requiring users to authenticate two, three, or more times because you can't tell who's really at the other end of the line, even if the VPN gateway used digital certificates to authenticate.
However, the other alternative of placing the VPN gateway inside the firewall presents a different problem. In this case, the firewall must allow encrypted traffic and trust the decrypting VPN device to implement the corporate security policy. A configuration with two systems raises compliance and coordination problems. Will the VPN device support the corporate security policy in the same manner as the firewall? Will the VPN device be synchronized with the firewall as policy changes?
Since IPSec VPN traffic encrypts all the original packet information, including source and destination address and application type, the firewall cannot apply any filtering. It sees only an IP protocol number and must be either allowed or blocked, without knowing any more details regarding the content of the packet. If you want to use perimeter content or virus scanning, you will find these completely useless on IPSec packets when the VPN gateway is inside the firewall.
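The two packet-level facts used above, that AH cannot survive NAT and that a firewall in front of the VPN gateway sees nothing of an ESP packet but a protocol number, can be reproduced with a small packet model. The following is an added example, not code from the article or from NetScreen: it builds IPv4 packets with a toy AH (HMAC-SHA1-96 over the packet with the mutable fields zeroed, as RFC 2402 specifies) and a toy ESP header, applies the one change a source NAT makes, and shows what a stateless filter can extract from each. The key, addresses and the bytes standing in for ESP ciphertext are all constructed.

```python
"""
Toy IPv4 + AH/ESP packet model (constructed for this example; not the article's
or NetScreen's code).  Shows that a NAT rewrite breaks the AH integrity check
and that a packet filter sees only protocol number and SPI of an ESP packet.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51

# Constructed HMAC-SHA1-96 key for the AH security association.
AH_KEY = bytes.fromhex("0b" * 20)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header; checksum left zero since it is a mutable field
    that AH excludes from its integrity check anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(packet, key):
    """Integrity check value in the RFC 2402 style: HMAC over the whole packet
    with mutable fields (TTL, header checksum) and the ICV slot zeroed, truncated
    to 96 bits.  Source and destination addresses are immutable, so they are covered."""
    hdr = bytearray(packet[:20])
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    ah = bytearray(packet[20:44])
    ah[12:24] = bytes(12)       # ICV field is zero while computing
    data = bytes(hdr) + bytes(ah) + packet[44:]
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_ah_packet(src, dst, inner, key, spi=0x1000, seq=1):
    """IPv4 | AH(next=TCP, length=4 words, SPI, seq, ICV) | inner TCP segment."""
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + 24 + len(inner))
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq) + bytes(12)
    pkt = ip + ah + inner
    return pkt[:32] + ah_icv(pkt, key) + pkt[44:]


def verify_ah(packet, key):
    return hmac.compare_digest(packet[32:44], ah_icv(packet, key))


def build_esp_packet(src, dst, ciphertext, spi=0x2000, seq=1):
    """IPv4 | ESP(SPI, seq) | ciphertext.  Only SPI and sequence number are in clear."""
    ip = ipv4_header(src, dst, IPPROTO_ESP, 20 + 8 + len(ciphertext))
    return ip + struct.pack("!II", spi, seq) + ciphertext


def nat_rewrite_source(packet, new_src):
    """The one thing a source NAT does to the outer header: replace the source
    address (a real NAT also fixes the IP checksum, which AH ignores)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def firewall_view(packet):
    """Fields a stateless packet filter can match on.  For TCP it gets ports;
    for ESP it gets the protocol number and SPI and nothing else."""
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto}
    if proto == IPPROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", packet[20:24])
    elif proto == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", packet[20:24])[0]
    return view


def demo():
    # Constructed addresses (RFC 5737 documentation ranges) and a fake TCP segment.
    inner_tcp = struct.pack("!HH", 40000, 443) + b"\x00" * 16
    ah_pkt = build_ah_packet("10.0.0.5", "203.0.113.10", inner_tcp, AH_KEY)
    natted = nat_rewrite_source(ah_pkt, "198.51.100.1")
    # Stand-in bytes for ESP ciphertext; their content is irrelevant to the filter.
    esp_pkt = build_esp_packet("10.0.0.5", "203.0.113.10", b"\xaa" * 32)
    plain_tcp = ipv4_header("10.0.0.5", "203.0.113.10", IPPROTO_TCP, 40) + inner_tcp
    return {
        "ah_ok_before_nat": verify_ah(ah_pkt, AH_KEY),
        "ah_ok_after_nat": verify_ah(natted, AH_KEY),
        "tcp_view": firewall_view(plain_tcp),
        "esp_view": firewall_view(esp_pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The AH check passes before the NAT and fails after it, which is exactly the "man in the middle" symptom the text describes, and the ESP view contains no port or application information for a policy to act on. The firewall's only possible rule for the ESP packet is therefore allow or block by protocol number (and perhaps SPI), as stated above.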
Separating VPN and firewall functions can also lead to organizational problems. As VPNs and firewalls cross boundary lines between network infrastructure, security, and telecommunications they must be combined and configured to act as one security system that implements a security policy. It is critical that these configurations be under tight control to assure that organizational policies are followed and needs are met. If these functions are broken across multiple systems and multiple areas of responsibility, it is easy for portions of an organization's security policy to fall between the cracks.
What about interoperability testing? ICSA Labs (www.icsalabs.com) conducts the most comprehensive testing, running each product through a battery of tests against products from eight other vendors. The tests even simulate how networks make bandwidth and other changes on the fly. For any VPN user--especially service providers that must interact with a variety of platforms and products--ICSA-certified equipment gives you at least a fighting chance of making products work together.
The Virtual Private Network Consortium (www.vpnc.org) provides a list of VPN products that have passed basic and rekeying compliance testing. VPNC itself reminds us that conformance and interoperability are not the same thing. Conformance means only that the product was tested against two different servers and it passed the test on each server. Further exploration indicates that products that passed conformance testing often failed when linked together.
Even with interoperability testing and standards, however, it can be a challenge to make multi-vendor solutions work. These solutions, by nature, are hard to install and maintain because individual vendors are constantly enhancing and reevaluating their products. With that said, interoperability does indeed exist and vendors spend a considerable amount of time ensuring interoperability to meet customer needs. But, given the state of the market, this is a less than optimal approach. Dealing with different interfaces, capabilities, and multiple vendor relationships can leave the customer with a decentralized security solution.
A single integrated security device that brings the VPN, firewall, NAT, and even traffic shaping together in a single management point allows the highest interoperability, compliance with standards, simplicity, and security. Single product security devices can be maintained with a minimum of staff, a minimum of time and cost, and many have approachable, consistent, simple-to-master interfaces. And an integrated VPN/firewall system eliminates concerns over deployment and interoperability while offering the ease of installation and use unavailable in a solution cobbled together using multiple security vendors.
In today's world, where the Internet can connect remote users (and hackers) with corporate data and applications, state-of-the-art security is a requirement. By combining firewall, NAT, and IPSec VPN functionality into a single system, users can achieve the highest level of security in the most manageable implementation. For the IT organization that does not have the resources to address these issues themselves, outsourcing to a service provider that offers managed security services is another viable option.
Chris Roeckl is director of product marketing and alliances at NetScreen Technologies Inc. (Santa Clara, CA).