87-10-20
DATA SECURITY MANAGEMENT
VIRTUAL PRIVATE NETWORKING: AN OVERVIEW
Matthew Wallace
INSIDE
Benefits of Virtual Private Networking, Implementations of VPN, Risk versus Reward on the Cutting Edge, Pitfalls during Deployment, A Bigger Security Picture, Summary
THE BENEFITS OF VIRTUAL PRIVATE NETWORKING
The business world has found the Internet. The technology many companies have relied upon is becoming obsolete at a frenzied pace, as IS
managers and networking professionals struggle to keep up with the
pace of technology. New products and opportunities are emerging constantly. One of the most promising cost-cutting technologies available is
that of virtual private networking, or VPN technology. Managers have
been slow to turn to virtual private networking, either because they are
unsure of the technology or unaware of the benefits they can reap. The
path to using VPNs to benefit an organization includes understanding the
business case for VPN deployment, learning the basics of the technology,
and knowing a path for deployment.
Understanding why VPN technology is so useful begins with understanding how networks are being used. The local network being the base unit of all networking, many companies with diverse physical locations find themselves needing to tie their local networks together, resulting in the wide-area networking common for companies with national and international presence. The cost of this networking can be exorbitant, because many companies require the lines to be private. A DS-1 connection to the Internet can be relatively inexpensive, but a DS-1 connection from San Francisco to New York can be very costly. When you start crossing the Atlantic, the costs skyrocket again. Frame-relay was one solution that allowed local frame relay connections and relatively inexpensive PVCs (Private Virtual Circuits) connecting companies through a shared frame-relay mesh.

PAYOFF IDEA
The technology arena, especially surrounding the Internet, is full of buzzwords, and one that is heard ever increasingly is that of VPN, virtual private networking. Even with an ever-growing host of products, some IT professionals are unsure what its benefits are or where to go to seek answers. This article presents an overview of virtual private networking, the benefits of using it, requirements to deploy, and pitfalls to be aware of when implementing it.
Because of the lack of privacy, frame-relay ultimately has proved unacceptable to many companies needing wide-area connectivity. Network
security experts are quick to warn against trusting the infrastructure your
frame-relay circuits cross, as they can become vulnerable to redirection,
and more commonly, packet sniffing. It is essentially these security concerns that have brought about the need for a wide-area solution, one that
has a cost comparable to a local connection and privacy gained by private point-to-point lines. Many companies with strong security needs,
those involved in transferring financial data or other highly sensitive information, may find even traditional point-to-point lines too untrustworthy for their applications.
The second need for virtual private networking exists for companies
with high remote access needs. Traveling sales people, office-less employees, telecommuters, or anyone needing access to the “LAN back
home” often incurred exorbitant costs connecting via traditional dial-in
setups. The cost of 800 numbers or even prepaid calling cards could run
to hundreds or thousands of dollars for each employee with heavy remote access requirements. For those telecommuting from outside the local calling area, which is the norm, companies were forced to turn to
private lines to avoid long distance costs.
An unfulfilled need existed for inexpensive remote access. Ideally, a
company could provide an employee with an inexpensive dialup Internet account, and the employee would access the company’s LAN via the
shared Internet. Security concerns were again at the forefront of reasons
why this was unfeasible. Any company trading in the exchange of sensitive information about their products, plans, or customers could find
themselves victims of industrial espionage.
One frequently unmentioned benefit of VPN use is that it allows access to servers on illegal addressing space, which are blocks of IP addresses that are unusable on the Internet, even across a WAN. Many
companies now utilize these unroutable addresses. Using VPNs (those in
tunnel mode, as will be explained later in this article), the real addresses
are hidden and the traffic crossing the Internet is Internet legal. VPNs still
give a remote user direct access to machines, without their needing to
expose those machines to the Internet with addresses anyone can reach.
By keeping servers unrouted and routing all access through a VPN, there is no
need for address translation to expose those addresses to the Internet.
Virtual private networking technology was created in response to these needs. It allows a connection from anywhere: a dial-up account, leased line, or frame-relay link can connect back to a primary network safely, regardless of what networks the information had to transit to get there, via the use of strong encryption. By employing real-time encryption, the traffic from LAN to LAN or user to LAN could be encrypted, sent across an untrusted network, and arrive safely at the destination to be decrypted. Data intercepted or monitored in transit would be useless without the secret keys necessary to decrypt the traffic.
WHAT ARE THE IMPLEMENTATIONS OF VPNS?
The implementations of VPNs vary widely. In an effort to offer a more
complete solution to their customers, many firewall vendors have offered
VPN capability as a feature, either standard or as an additional module.
The two varieties of VPNs found on firewalls are firewall-to-firewall tunnels, and user-to-firewall tunnels. These allow the two internal networks
behind firewalls to communicate or a user to get safe access to machines
behind a firewall, respectively.
A full survey of companies offering VPN-capable firewalls would be
quite extensive. Some of the leaders in VPNs include Raptor Systems
with their Eagle and Eagle Remote firewalls, Check Point Software with
the popular Firewall-1 product, and Trusted Information Systems and
their Gauntlet firewall. They vary in the encryption types offered and
their respective performances.
Any consideration of VPN technology should include an examination
of hardware VPN technology. One of the limitations of firewall-based encryption for VPNs is speed. Only so much traffic can be encrypted by a
software package. For business needs that exceed those bandwidth requirements, companies producing hardware-based encryption have
come forward. The use of hardware-based encryption allows much higher throughput, without taxing a company’s Internet firewall. Custom
hardware tuned for encryption operations allows much higher rates of
encryption. Some of the vendors pursuing this market include RedCreek
and its Ravlin line, and VPNet and its hardware encryption products. The
trend of the market is toward integration of products. Hardware-based
VPN companies are partnering with firewall vendors and router manufacturers. A good example of this is VPNet’s private-label OEM agreement with Bay Networks, allowing a single vendor to service more needs
of its customers. Digital Equipment’s Alta Vista Tunnel is available integrated into its firewall and as a standalone product. This is useful when
companies have firewall solutions in place without VPN support, or with
VPN support that does not stack up to their needs.
There are a few key features to watch for when differentiating between VPN choices. First, make certain that the solution you select supports your application with its technology. A provider of financial data
may only need to keep a stream of data private for a few seconds. After
that, it is public knowledge; that few seconds of privacy can be protected
with less-powerful encryption. On the other hand, a bank transmitting information about accounts or any application transferring credit card
numbers may need to rely upon its encryption for a nearly indefinite period of time. Weaker ciphers, such as DES, are fine for applications not
requiring long-term security, but rising computer capabilities combined
with decreasing computer costs make the longevity of such ciphers questionable in applications requiring long-term security. An application requiring months or years of privacy for its transmitted information calls for
a strong cipher like Triple DES or IDEA. In selecting a VPN product, it is
critical to match capabilities with needs.
One important feature to look for is called “dynamic rekeying.” Keys are used by a cipher to encrypt data. When a VPN is dynamically rekeyed, the new keys to be used in the tunnel are sent across the tunnel. Then the encryption resynchronizes using the new keys. If a VPN is rekeyed every 60 seconds, it means that even if an attacker compromises a key to read the encrypted data, only 60 seconds’ worth of data is available. What is critical, though, is that the VPN product exchanges the new encryption keys asymmetrically. If the product simply uses the tunnel to pass a new key, then once one key is compromised after the data has been recorded, decrypting each succeeding key is trivial, regardless of the number of iterations. However, if the keys used are asymmetric, using a public key/private key pair, then a new public/private set can be used each time to exchange the actual keys for encryption. This is typical of public key encryption: asymmetrical encryption is used to establish a symmetrical key for the bulk data encryption, since the symmetrical encryption is much faster. Make sure not only that a VPN product rekeys dynamically, but that it exchanges the new keys for encryption with an algorithm that keeps the new keys secure even if the previous key set is calculated.
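To make the rekeying point concrete, here is an added Python model (not from the article or any product it names) of the two strategies: a passive recorder who later calculates the epoch-1 key tries to extend the recording into the next epoch. The toy Diffie-Hellman group, the HMAC-based stream cipher and the sample payload are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for illustration only (2**127 - 1 is a
# Mersenne prime); a real product would use a standard, much larger group.
P = 2 ** 127 - 1
G = 3


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the tunnel's bulk cipher: XOR with an
    HMAC-SHA256 counter keystream.  The same call encrypts and decrypts."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def inband_rekey(k_old: bytes):
    """Weak rekeying: the next symmetric key is simply sent through the tunnel,
    protected only by the current key.  Returns (new key, bytes on the wire)."""
    k_new = secrets.token_bytes(32)
    return k_new, keystream_xor(k_old, k_new)


def dh_rekey(k_old: bytes):
    """Asymmetric rekeying: both ends pick fresh exponents, exchange only public
    values, and derive the next key from the shared secret.  The public values
    could even travel in the clear; here they go through the tunnel like above."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)
    assert shared == pow(pub_a, b, P)  # both ends agree without ever sending it
    k_new = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    wire = keystream_xor(k_old, pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big"))
    return k_new, wire


def attacker_reads_next_epoch(rekey) -> bool:
    """Passive attacker recorded all traffic and later calculated the epoch-1
    key k1.  Can the recording be extended into epoch 2 with no further work?"""
    k1 = secrets.token_bytes(32)
    k2, rekey_wire = rekey(k1)
    epoch2_plain = b"constructed sample: account 1234 balance 500"
    epoch2_wire = keystream_xor(k2, epoch2_plain)
    # Decrypting the rekey message with k1 yields the raw next key under the
    # weak scheme, but only two DH public values under the strong one; turning
    # those into k2 would require solving a discrete logarithm.
    leaked = keystream_xor(k1, rekey_wire)
    return keystream_xor(leaked[:32], epoch2_wire) == epoch2_plain
```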
Another difference in tunnels is the distinction between tunnel mode
VPNs and transport mode VPNs. All IP packets have both a header (containing information about source and destination, size of the packet, and
a number of relevant network flags) and a datagram, which is the payload of information used by the application. In transport mode, a tunnel
only encrypts the datagram, that is, the payload, of a packet, leaving its
header information visible in transit. In tunnel mode, a VPN takes the entire packet and encrypts it, and assigns it a new shell for transmission between the two VPN endpoints, whether those are firewalls or hardware-based VPN machines.
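The two modes, as an added Python illustration that is not part of the article: a LAN-to-LAN packet is built with struct, then protected in transport mode and in tunnel mode, and a sniffer's view of each is compared. The addresses, the toy XOR cipher and the payload are constructed for the example; 50 is the ESP protocol number, used here only to label the outer shell.

```python
import ipaddress
import struct

# Constructed addresses: unroutable LAN hosts behind two Internet-facing VPN
# gateways (documentation ranges stand in for the gateways' public addresses).
INNER_SRC, INNER_DST = "10.1.0.5", "10.2.0.9"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
ESP = 50  # IP protocol number carried by the outer header in tunnel mode


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def toy_cipher(data: bytes) -> bytes:
    """Stand-in for the tunnel cipher: fixed-byte XOR, so it is its own inverse."""
    return bytes(b ^ 0x5A for b in data)


def transport_mode(packet: bytes) -> bytes:
    """Encrypt only the datagram (payload); the original header stays visible."""
    return packet[:20] + toy_cipher(packet[20:])


def tunnel_mode(packet: bytes) -> bytes:
    """Encrypt the whole packet, header included, and wrap it in a new outer
    header addressed from one VPN endpoint to the other."""
    body = toy_cipher(packet)
    return ipv4_header(GW_A, GW_B, len(body), proto=ESP) + body


def visible_addresses(wire: bytes) -> tuple:
    """What a sniffer on the untrusted path reads from the outermost header."""
    src, dst = struct.unpack("!4s4s", wire[12:20])
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


def inner_packet(wire: bytes) -> bytes:
    """Receiving gateway in tunnel mode: strip the shell and decrypt."""
    return toy_cipher(wire[20:])


def sample_packet() -> bytes:
    """Constructed LAN-to-LAN packet with a short payload."""
    payload = b"GET /payroll"
    return ipv4_header(INNER_SRC, INNER_DST, len(payload)) + payload
```

In transport mode the sniffer learns which internal hosts are talking; in tunnel mode it sees only gateway-to-gateway traffic, which is why the article's unroutable addresses can stay hidden.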
Virtual private networking, as a technology, is coming of age. The IPSEC standard allows different products to communicate cross-platform,
allowing companies an easier way to secure communications with their
business partners. The increased concern over network security and the
availability of encryption at fast network speeds (up to 10MB) makes virtual private networking an increasingly appealing option for remote access and business communication.
The evaluation of VPN products should bear in mind the strengths of
technology already deployed in a company. If your company is Cisco-savvy, then its VPN features might appeal. If a company already uses a
certain firewall brand, then adding on its VPN solution may be the easiest
way. Because no one company has yet established itself as a VPN leader,
there are tradeoffs to be made. The key issues are performance, ease of
use, cost, and integration. Hardware stand-alone solutions excel in performance, but are only now beginning to integrate. The firewall solutions, using either SWIPE (software IP encryption) or the more
interoperable IPSEC, tend to be easier to set up when a company is already using a firewall, but offer much less in terms of performance.
RISK VERSUS REWARD ON THE CUTTING EDGE
There was a time when virtual private networking was synonymous with
compromise. Like many useful technologies, seamless integration was
not available. Some of the complaints about VPN solutions from times
past were low reliability, slow connections, and lack of knowledge. The
last of those objections was certainly the obstacle. In an industry where
up to 70% of CTOs and IT managers have reported that their most significant challenge was in keeping up with their personnel needs, it is little
wonder that technical expertise familiar with virtual private networking
was even more difficult to find.
As the technology has become more widely deployed and the need
for VPNs recognized, the blending of technology has helped solve the
problem. As VPN capability joined the feature set of firewalls and routers,
the industry has become familiar with what to expect, and with the next
generation of software and hardware, the ability to implement the technology is more commonly within reach. Virtual private networking is
now supported by Cisco routers, bringing availability on some of the industry’s most ubiquitous networking devices.
The other factor is the consolidation of networking technologies.
Many companies are striving to provide one-stop shopping for customers, especially in the security products market. Consolidation of access
control, firewalls, network monitoring, VPNs, virus detection, content filtering, authentication servers, and other products are the trend, and likely to continue. The consolidated offerings are allowing vendors to add
useful features to familiar products. Anyone using firewalls and investigating the use of VPNs should check with their vendor regarding vendor-supported products, as most major firewalls either directly incorporate
the technology, or have partners they work with provide it.
The bottom line of the risk versus reward discussion is that the technology has left its infancy behind. It is no longer in development. It is
now in the integration stage. Vendors, consultants, and partners may be
ready to help you benefit from the technology. With the amazing benefits
and added security, VPNs are not just something to add or a product to
buy, but something destined to become part of the networking paradigm. They are an improvement that will become the standard, rather
than the exception.
PITFALLS DURING DEPLOYMENT
Deployment of virtual private networks within a company is subject to a
few common pitfalls. The first is selection of appropriate technology. Be
certain to clearly define your needs, in terms of bandwidth, interoperability among business locations, mobile users, and business partners.
Consider the capacities of the staff that would manage the VPN solution,
including supporting end users who might have their company dialup
accounts replaced by generic Internet dialups.
This first area is the one in which technical consultants are most likely
to be useful. Virtual private networking has reached the state where a decent engineer can manage the VPN capabilities of firewalls or standalone
devices, with perhaps a little technical support from the vendor. However, matching a company’s needs against the available product choices is
a task for someone specialized in the arena of network security. This
might be a good chance though for a savvy IT professional to solicit a
thorough security audit or evaluation, while using the benefits of VPNs
as a cost justification.
It is important to be aware of the technical capacity of your end user,
and be aware of how much support they will require from you, and how
much your vendor will support your end users, if at all. Much as with initial installations of company firewalls onto existing Internet connections,
some users need assistance to make the change. Most non-technical users will need assistance to alter their network stacks on their individual
machines if client software is used. The transition period can be significant with a large installation, and require as much as 30% more working
hours to maintain in a networking intensive company.
A consideration that must be kept in mind is compatibility with existing applications. Not all VPNs will pass any type of traffic. Some are valid
only for TCP connections, and not tunneling UDP or ICMP traffic. UDP
is used by a number of applications, including DNS and SNMP. This may
or may not be important, depending on what type of remote access is
needed.
This leads to the final point: recognizing maintenance issues. There
is a higher cost for using VPN technology. Using encryption to replace
the simpler security of private lines, or to obsolete a company modem
pool, has upsides and downsides; but with careful planning, the transition can be smooth. The savings will far outweigh the additional costs of
remote user access or private lines. The actual security of a company as a whole can significantly benefit from VPN use, since most experts agree that good encryption is a more reliable defense than relying on telecom company privacy. All security measures can be thought of as
raising the bar a potential intruder needs to cross to circumvent security.
To a determined intruder or concerted attack, properly deployed encryption can be a much greater deterrent than a private communications infrastructure, especially considering that the security of that infrastructure
is in someone else’s hands, and not your company’s.
PART OF A BIGGER SECURITY PICTURE
One fact that deserves mention is that virtual private networking is only
a part of a complete security scheme. The real point of using a VPN is to
protect the link between two secure endpoints. If your endpoints have
weaknesses, then the tunneling cannot do anything to protect them.
Keep in mind that a VPN is not a license to freely trust the other end, especially one you don’t directly control. If one side of an unfiltered VPN
is compromised, then the other side can be as well, with the VPN allowing direct access.
This can be especially important with peer-to-peer VPNs, when one
company connects to another. One way of keeping access restricted is to
terminate the VPN just outside a firewall, where the traffic cannot be
eavesdropped on any longer, but before the firewall applies its rules.
With firewall-to-firewall tunnels, most products allow you to filter services. One company may allow FTP through a tunnel with a partner company, but not permit telnet, when that company has no reason to telnet
to them.
The most important thing to keep in mind is that a VPN is only as secure as its weakest point, especially when the VPN is not filtered between the trusted networks. Just because a user is authenticated and
encrypted with the use of VPN software does not mean he or she should
have unlimited access. Always explicitly deny any traffic you do not need
to allow. Normal network auditing tools should be applied through VPNs
when possible. If you employ some sort of attack detection software,
such as Internet Security Systems’ SafeSuite, or Dan Farmer’s SATAN, try
using the software from one side of the VPN to the other, to simulate a
compromise. Do not exempt anyone from other security measures, such
as authenticating on a particular machine with passwords or one-time
passwords. With client-to-server VPNs, this is usually less of a concern.
Client software usually requires authentication to open the tunnel, but
considering that a large portion of network violations are reported to occur by insiders, consider physical access to workstations with VPN access
when deploying. Carefully consider that when you provide one person
with full VPN access to a secured network, anyone who has physical access to that machine has access to the secured network as well.
SUMMARY
Virtual private networking is an avenue to both savings and security. It
allows a lower cost access for remote access and connection of remote
sites. It provides a new level of data security by preventing monitoring
by third parties, thus prohibiting loss of valuable data. In the future, as
the security market continues to consolidate, expect more VPN capabilities to be integrated into all types of products. Savings and opportunities
are available now, though, with VPN deployment through the use of
VPN-capable firewalls, or independent software and hardware solutions.
Matt Wallace is a Senior Network Security Engineer with Exodus Communications. He has 5 years of experience
working with Internet security. He is currently focusing on security and network management for large-scale and
high-bandwidth redundant networks. You can reach Matt via E-mail at [email protected].