Automating VPN management; second generation equipment makes VPN setup and management faster and more secure.
In fact, VPN setup and management have proven problematic for network managers for three reasons.
* The basic, setup functions for VPN devices must be performed manually and, often, at the remote installation site. This introduces risks of inconsistent policy settings and potential security breaches.
* Manual setup takes time and introduces complexity into larger system installations. The VPN configuration that worked in a controlled, laboratory environment may not be able to scale up to the real-world needs of an aggressive rollout schedule.
* Network topologies change continuously, and VPN devices have been severely limited in their abilities to adapt to such changes.
For network managers everywhere, VPN management has become a serious concern. Standards, such as the IETF's IPSec security protocol suite, represent a strong beginning. But the greater management challenges posed by production VPNs are more likely to be solved by newer VPN technologies that are putting advanced automation tools to work in second-generation products.
Still, VPNs do come at a price, and--as some network managers have discovered--that price can include healthy doses of time and effort required to set up and manage the VPNs themselves. Now, thanks to increasing degrees of automation to help with the care, feeding, and handling of VPN devices, network managers are finding their own reasons to like the new technology.
Although software-based VPN applications are available today, hardware-based VPN architectures have grown popular largely because of their greater performance.
First-generation units were typically single-function devices, able only to create tunnels or implement security protocols. They were limited in scalability and difficult to manage in large networks. Newer, second-generation devices have now integrated networking intelligence and management automation with their tunneling and security functions.
Second-generation VPN devices generally include basic encryption/decryption units and multi-user concentrators. VPN remote encryption/decryption devices are frequently placed in campus buildings and branch offices; me concentrators go in corporate or division headquarters.
A simple VPN setup might consist of two VPN edge devices talking to the head-office VPN concentrator. This is all controlled via a management console, with each device consulting its routing tables to make forwarding decisions.
The VPN devices typically serve as gateways for users on LAN subnets, and all use the IPSec protocol to create the tunnels and supply the security framework for the tunneled packets.
Setting up the VPN devices requires management attention at a number of points in the process: in security for device authentication, authorization and setting overall security policies; and in network connectivity for configuring, provisioning, and managing the devices.
Performed manually, these steps require trained workers to be on site--otherwise, setup is left to local office personnel who are unfamiliar with the complexities of security and networking. Automation solves this problem by permitting central setup and safe, automated administration throughout these major setup steps.
As the network grows, management automation becomes increasingly critical in a dynamic, meshed environment. Note in the network diagram that the management console created a second VPN path between Subnet A and Subnet B (VPN 3) to accommodate an increase in traffic. In an automated system, this scenario can be multiplied hundreds of times and still work effectively and efficiently--something that is impossible with manual setup.
The first step in adding a new VPN device to a network is to authenticate that device's identity. With first-generation units, the network manager or technician would perform authentication manually. The technician would use a "shared-secret" password technique to authenticate the new device with another (known) member of the network. This would require traveling to the remote site, or sending the password via diskette or regular mail.
By contrast, in an automated system the network manager or technician starts by loading the automated management software into a central policy server. From that central site, the management software communicates through a highly secure control protocol to perform device authentication remotely.
Device authentication is now a process of exchanging digital certificates, based on the X.509 standard defined by the International Telecommunications Union. The integrity of digital certificates is guaranteed and certificates are issued by a trusted third party known as a certificate authority (CA).
This represents an improvement over the password method, but the need for the CA also adds its own measure of complexity. As a solution, some second-generation systems further automate and simplify the process by permitting X.509 certificates to be burned into VPN devices at the time of manufacture. These devices now have a hardware-strength cryptographic identity, and they avoid the remote security risk of device substitution, which might foil even the CA-issued certificates.
The next setup step is to determine the new device' s database and network access privileges. With a manual installation, authorization is vulnerable because it is performed at the remote site. Anyone who can access the VPN device can modify authorization parameters. In an automated system, authorization is performed from the management console, so it is inherently simpler--and more secure.
Security policy can cover a half dozen items, from type of encryption protocol to key rollover interval (encryption keys are "rolled over," or changed, at regular intervals). Performed manually, the process is both tedious and risky, since few remote offices have security-savvy technicians on site. An automated system permits security settings to be maintained centrally, then downloaded to new devices as needed. This ensures setup quality and maintains consistency with corporate policy guidelines.
Automated wizards can be applied to make the job easier. For instance, a security policy wizard might have several strength levels, each based on predetermined corporate policy, plus a custom setting to override the defaults.
The highest-level setting might be used for highly sensitive applications such as transmitting financial information. It might feature the greatest key strength for encryption (3DES, for example); the shortest-duration rollover interval; per-packet (rather than per-session) authentication, plus several other parameters--all selectable via a single mouse click.
For device configuration, the network manager or technician sets the device's modes of operations and its network identity. Parameters include the VPN device' s IP address and the IP addresses of supported devices and subnets; plus SNMP parameters, default parameters, routing modes. In an automated system, these parameters can be set centrally and applied automatically as new devices are introduced.
VPN provisioning involves the distribution of the device's network connections and configuration of its routing tables. To do this manually, the technician must possess comprehensive knowledge of the organization's network topologies--especially difficult in large, heavily networked environments. In branch offices, provisioning might fall to an office worker who provides instructions from a desktop PC through a serial cable.
In an automated system, provisioning takes place where the network expertise and the network-diagramming tools reside--centrally. Moreover, the network manager or technician can make use of provisioning templates that simplify the process. And in some systems, the network manager can assign multiple logical VPN connections to a single-port VPN device--the device will find the most cost-effective path for each new VPN session.
By their nature, VPNs should be easy to add, delete, and modify. First-generation systems carried only limited router intelligence, however, so changes in network connections or subnet topologies required manual updates of static routing tables. Worse, network failures could go undetected--except, of course, by the VPN users.
Newer VPN systems are using intelligent, dynamic routing protocols such as RIP (routing Internet protocol) and OSPF (open shortest path first) to automate the optimization of VPN routes and to implement self-discovery and self-correcting paths.
For instance, intelligent VPN devices can now update their own routing tables based on status messages sent regularly from other intelligent VPN devices. If a device fails, or if its communications link goes down, its status messages stop, and the other devices automatically update their tables to exclude the failed link.
Also, in a RIP-based system, the number of hops required for each VPN connection is part of each device's forwarding decision. With OSPF, other information can be used, including delay, available bandwidth, or shortest path. In the case where the network manager provisioned multiple logical VPN paths, the intelligent device consults its table as each new session is activated to determine which available path is most cost effective and highest performing.
Thanks to the management tools and techniques available in second-generation VPN systems, the newer encryption/ decryption devices come very close to being both self configuring and self healing.
RELATED ARTICLE: VPN Basics
Virtual private networking has quickly become an important productivity tool for organizations of all sizes and across all major industries. The VPN works by building a tunnel--actually a circuit-like path--through a common WAN infrastructure such as the Internet.
For companies deploying VPNs, the benefits are substantial. First, they take advantage of the lower telecom costs and unparalleled flexibility of Internet communications. Second, they preserve the privacy and inherent security of private-line and frame relay networks.
To the user on a LAN, or the telecommuter dialing into the enterprise via an ISP, encryption and tunneling are completely transparent.
Hilton is vice president, product management, at Assured Digital, Inc., Littleton, Mass.
Circle 267 for more information from Assured Digital
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Technology Information; Special Focus: Network Management|
|Date:||Sep 1, 1998|
|Previous Article:||The access piece; an ATM passive optical network (PON) increases bandwidth to the home.|
|Next Article:||Controlling microwave links in wireless networks.|