87-10-20
DATA SECURITY MANAGEMENT

VIRTUAL PRIVATE NETWORKING: AN OVERVIEW
Matthew Wallace

INSIDE: Benefits of Virtual Private Networking, Implementations of VPN, Risk versus Reward on the Cutting Edge, Pitfalls during Deployment, A Bigger Security Picture, Summary

PAYOFF IDEA
The technology arena, especially surrounding the Internet, is full of buzzwords, and one that is heard ever increasingly is that of VPN, virtual private networking. Even with an ever-growing host of products, some IT professionals are unsure what its benefits are or where to go to seek answers. This article presents an overview of virtual private networking, the benefits of using it, requirements to deploy, and pitfalls to be aware of when implementing it.

THE BENEFITS OF VIRTUAL PRIVATE NETWORKING

The business world has found the Internet. The technology many companies have relied upon is becoming obsolete at a frenzied pace, as IS managers and networking professionals struggle to keep up with the pace of technology. New products and opportunities are emerging constantly. One of the most promising cost-cutting technologies available is that of virtual private networking, or VPN technology. Managers have been slow to turn to virtual private networking, either because they are unsure of the technology or unaware of the benefits they can reap. The path to using VPNs to benefit an organization includes understanding the business case for VPN deployment, learning the basics of the technology, and knowing a path for deployment.

Understanding why VPN technology is so useful begins with understanding how networks are being used. The local network being the base unit of all networking, many companies with diverse physical locations find themselves needing to tie their local networks together, resulting in the wide-area networking common for companies with national and international presence. The cost of this networking can be exorbitant, because many companies require the lines to be private. A DS-1 connection to the Internet can be relatively inexpensive, but a DS-1 connection from San Francisco to New York can be very costly. When you start crossing the Atlantic, the costs skyrocket again. Frame-relay was one solution that allowed local frame relay connections and relatively inexpensive PVCs (Private Virtual Circuits) connecting companies through a shared frame-relay mesh. Because of the lack of privacy, frame-relay ultimately has proved unacceptable to many companies needing wide-area connectivity. Network security experts are quick to warn against trusting the infrastructure your frame-relay circuits cross, as they can become vulnerable to redirection, and more commonly, packet sniffing. It is essentially these security concerns that have brought about the need for a wide-area solution, one that has a cost comparable to a local connection and privacy gained by private point-to-point lines. Many companies with strong security needs, those involved in transferring financial data or other highly sensitive information, may find even traditional point-to-point lines too untrustworthy for their applications.

The second need for virtual private networking exists for companies with high remote access needs. Traveling sales people, office-less employees, telecommuters, or anyone needing access to the “LAN back home” often incurred exorbitant costs connecting via traditional dial-in setups. The cost of 800 numbers or even prepaid calling cards could run to hundreds or thousands of dollars for each employee with heavy remote access requirements. For those telecommuting from outside the local calling area, which is the norm, companies were forced to turn to private lines to avoid long distance costs. An unfulfilled need existed for inexpensive remote access.
Ideally, a company could provide an employee with an inexpensive dialup Internet account, and the employee would access the company’s LAN via the shared Internet. Security concerns were again at the forefront of reasons why this was unfeasible. Any company trading in the exchange of sensitive information about their products, plans, or customers could find themselves victims of industrial espionage.

One frequently unmentioned benefit of VPN use is that it allows access to servers on illegal addressing space, which are blocks of IP addresses that are unusable on the Internet, even across a WAN. Many companies now utilize these unroutable addresses. Using VPNs (those in tunnel mode, as will be explained later in this article), the real addresses are hidden and the traffic crossing the Internet is Internet legal. VPNs still give a remote user direct access to machines, without their needing to expose those machines to the Internet with addresses anyone can reach. By keeping servers unrouted and letting all access come through a VPN, there is no need for address translation to expose those addresses to the Internet.

Virtual private networking technology was created in response to these needs. It allows a connection from anywhere: a dial-up account, leased line, or frame-relay connection can connect back to a primary network safely, regardless of what networks the information had to transit to get there, via the use of strong encryption. By employing real-time encryption, the traffic from LAN to LAN or user to LAN could be encrypted, sent across an untrusted network, and arrive safely at the destination to be decrypted. Data intercepted or monitored in transit would be useless without the secret keys necessary to decrypt the traffic.

WHAT ARE THE IMPLEMENTATIONS OF VPNS?

The implementations of VPNs vary widely. In an effort to offer a more complete solution to their customers, many firewall vendors have offered VPN capability as a feature, either standard or as an additional module.
The two varieties of VPNs found on firewalls are firewall-to-firewall tunnels and user-to-firewall tunnels. These allow two internal networks behind firewalls to communicate, or a user to get safe access to machines behind a firewall, respectively. A full survey of companies offering VPN-capable firewalls would be quite extensive. Some of the leaders in VPNs include Raptor Systems with their Eagle and Eagle Remote firewalls, Check Point Software with the popular Firewall-1 product, and Trusted Information Systems and their Gauntlet firewall. They vary in the encryption types offered and their respective performances.

Any consideration of VPN technology should include an examination of hardware VPN technology. One of the limitations of firewall-based encryption for VPNs is speed. Only so much traffic can be encrypted by a software package. For business needs that exceed those bandwidth limits, companies producing hardware-based encryption have come forward. The use of hardware-based encryption allows much higher throughput, without taxing a company’s Internet firewall. Custom hardware tuned for encryption operations allows much higher rates of encryption. Some of the vendors pursuing this market include RedCreek and its Ravlin line, and VPNet and its hardware encryption products.

The trend of the market is toward integration of products. Hardware-based VPN companies are partnering with firewall vendors and router manufacturers. A good example of this is VPNet’s private-label OEM agreement with Bay Networks, allowing a single vendor to service more needs of its customers. Digital Equipment’s AltaVista Tunnel is available integrated into its firewall and as a standalone product. This is useful when companies have firewall solutions in place without VPN support, or with VPN support that does not stack up to their needs.

There are a few key features to watch for when differentiating between VPN choices.
First, make certain that the solution you select supports your application with its technology. A provider of financial data may only need to keep a stream of data private for a few seconds. After that, it is public knowledge; those few seconds of privacy can be protected with less-powerful encryption. On the other hand, a bank transmitting information about accounts, or any application transferring credit card numbers, may need to rely upon its encryption for a nearly indefinite period of time. Weaker ciphers, such as DES, are fine for applications not requiring long-term security, but rising computer capabilities combined with decreasing computer costs make the longevity of such ciphers questionable in applications requiring long-term security. An application requiring months or years of privacy for its transmitted information calls for a strong cipher like Triple DES or IDEA. In selecting a VPN product, it is critical to match capabilities with needs.

One important feature to look for is called “dynamic rekeying.” Keys are used by a cipher to encrypt data. When a VPN is dynamically rekeyed, the new keys to be used in the tunnel are sent across the tunnel. Then the encryption resynchronizes using the new keys. If a VPN is rekeyed every 60 seconds, it means that even if an attacker compromises a key to read the encrypted data, only 60 seconds’ worth of data is available. What is critical, though, is that the VPN product exchanges the new encryption keys asymmetrically. If the product simply uses the tunnel to pass a new key, then once one tunnel key is compromised after the data has been recorded, decrypting the succeeding key is trivial, regardless of the number of iterations. However, if the keys used are asymmetric, using a public key/private key pair, then a new public/private set can be used each time to exchange the actual keys for encryption.
This is typical of public key encryption: asymmetrical encryption is used to establish a symmetrical key for the bulk data encryption, since the symmetrical encryption is much faster. Make sure not only that a VPN product re-keys dynamically, but that it exchanges the new keys for encryption with an algorithm that keeps the new keys secure even if the previous key set is calculated.

Another difference in tunnels is the distinction between tunnel mode VPNs and transport mode VPNs. All IP packets have both a header (containing information about source and destination, size of the packet, and a number of relevant network flags) and a datagram, which is the payload of information used by the application. In transport mode, a tunnel only encrypts the datagram, that is, the payload, of a packet, leaving its header information visible in transit. In tunnel mode, a VPN takes the entire packet and encrypts it, and assigns it a new shell for transmission between the two VPN endpoints, whether those are firewalls or hardware-based VPN machines.

Virtual private networking, as a technology, is coming of age. The IPSEC standard allows different products to communicate cross-platform, allowing companies an easier way to secure communications with their business partners. The increased concern over network security and the availability of encryption at fast network speeds (up to 10MB) makes virtual private networking an increasingly appealing option for remote access and business communication.

The evaluation of VPN products should bear in mind the strengths of technology already deployed in a company. If your company is Cisco-savvy, then Cisco’s VPN features might appeal. If a company already uses a certain firewall brand, then adding on its VPN solution may be the easiest way. Because no one company has yet established itself as a VPN leader, there are tradeoffs to be made. The key issues are performance, ease of use, cost, and integration.
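To make the rekeying point above concrete, here is an added simulation; it is my own illustration, not code from the article or from any product it names. It models the two rekeying strategies the text contrasts (the next key sent through the tunnel under the current key, versus a key derived from a fresh ephemeral Diffie-Hellman exchange, which is the asymmetric step assumed here) and then lets an eavesdropper who recorded everything and later obtained one interval's key try to read the rest. The cipher and the DH group are toy constructions for illustration only.

```python
import hashlib
import secrets

# Toy cipher for illustration only: XOR with a SHA-256 keystream, plus an
# 8-byte tag so that decryption under a wrong key is detected.
def keystream(key: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(0, n, 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    body = bytes(x ^ y for x, y in zip(data, keystream(key, len(data))))
    return body + hashlib.sha256(key + data).digest()[:8]

def open_(key: bytes, blob: bytes):
    body, tag = blob[:-8], blob[-8:]
    data = bytes(x ^ y for x, y in zip(body, keystream(key, len(body))))
    return data if hashlib.sha256(key + data).digest()[:8] == tag else None

# Constructed toy Diffie-Hellman group (a Mersenne prime); far too small for real use.
P, G = (1 << 127) - 1, 3

def run_tunnel(mode: str, intervals: int, wire: list) -> list:
    """Send one data packet per interval and rekey between intervals.
    'in-band': one side picks the next key and sends it through the tunnel.
    'dh': both ends run a fresh ephemeral DH exchange; only public values cross the wire.
    Every wire message is appended to `wire` as (kind, interval, bytes); returns all keys."""
    keys = [secrets.token_bytes(32)]  # interval-0 key, assumed set up securely beforehand
    for i in range(intervals):
        wire.append(("data", i, seal(keys[-1], b"packet %d" % i)))
        if i == intervals - 1:
            break
        if mode == "in-band":
            new = secrets.token_bytes(32)
            wire.append(("rekey", i, seal(keys[-1], new)))  # the key itself travels
        else:
            a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
            A, B = pow(G, a, P), pow(G, b, P)
            wire.append(("rekey", i, A.to_bytes(16, "big") + B.to_bytes(16, "big")))
            new = hashlib.sha256(pow(B, a, P).to_bytes(16, "big")).digest()  # same at both ends
        keys.append(new)
    return keys

def readable_intervals(wire: list, compromised_key: bytes) -> list:
    """Eavesdropper model: it recorded the whole wire and later learned one session key.
    It tries every key it holds on every message; a rekey message that opens hands it
    the next key. DH rekey messages never open, because they carry no key material."""
    held, read = {compromised_key}, set()
    for kind, i, blob in wire:
        for k in list(held):
            pt = open_(k, blob)
            if pt is None:
                continue
            if kind == "data":
                read.add(i)
            else:
                held.add(pt)
    return sorted(read)

if __name__ == "__main__":
    for mode in ("in-band", "dh"):
        wire = []
        keys = run_tunnel(mode, 5, wire)
        print(mode, "intervals readable after key 1 leaks:", readable_intervals(wire, keys[1]))
```

With in-band rekeying a single leaked key exposes every later interval, which is exactly the "regardless of the number of iterations" failure the text warns about; with the ephemeral exchange only the compromised interval is readable.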
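As an added illustration of the tunnel mode versus transport mode distinction described above (my own example, not code from the article), the following builds a minimal IPv4 packet and shows what an on-path observer can read in each mode. The addresses are constructed documentation and RFC 1918 values, protocol number 50 is that of IPsec ESP, and the cipher is a toy keystream standing in for a product's real encryption.

```python
import hashlib
import socket
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # minimal 20-byte header, no options


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher (illustration only): XOR with SHA-256(key || counter).
    # XOR is its own inverse, so the same call decrypts.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Header fields: version/IHL, TOS, total length, ID, flags/fragment, TTL,
    # protocol, checksum (left zero here), source, destination; then the datagram.
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                              socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def transport_mode(packet: bytes, key: bytes) -> bytes:
    # Transport mode: the original header stays in the clear; only the
    # datagram (payload) is encrypted.
    return packet[:20] + toy_encrypt(key, packet[20:])


def tunnel_mode(packet: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    # Tunnel mode: the whole inner packet, header included, is encrypted and
    # wrapped in a new outer header addressed between the two VPN endpoints.
    # IP protocol 50 is ESP, the IPsec encapsulation an observer would see.
    return ipv4_packet(gw_src, gw_dst, 50, toy_encrypt(key, packet))


def unwrap_tunnel(wire: bytes, key: bytes) -> bytes:
    # Receiving endpoint: strip the outer header and decrypt the inner packet.
    return toy_encrypt(key, wire[20:])


def observer_view(wire: bytes) -> dict:
    # Everything a sniffer on the untrusted network can read without the key.
    fields = IPV4_HEADER.unpack(wire[:20])
    return {"src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9]),
            "proto": fields[6], "length": fields[2]}


if __name__ == "__main__":
    # Constructed sample: a packet between two unroutable (RFC 1918) addresses.
    inner = ipv4_packet("10.0.0.5", "10.0.1.9", 6, b"GET /payroll HTTP/1.0\r\n")
    key = b"constructed-session-key"
    print("transport mode exposes:", observer_view(transport_mode(inner, key)))
    print("tunnel mode exposes:   ",
          observer_view(tunnel_mode(inner, key, "203.0.113.1", "198.51.100.2")))
```

In transport mode the observer still learns the private source and destination addresses and the protocol; in tunnel mode it sees only the two gateway addresses and ESP, which is why the text's unroutable internal addresses can cross the Internet unseen.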
Hardware stand-alone solutions excel in performance, but are only now beginning to integrate. The firewall solutions, using either SWIPE (software IP encryption) or the more interoperable IPSEC, tend to be easier to set up when a company is already using a firewall, but offer much less in terms of performance.

RISK VERSUS REWARD ON THE CUTTING EDGE

There was a time when virtual private networking was synonymous with compromise. As with many useful technologies, seamless integration was not available. Some of the complaints about VPN solutions from times past were low reliability, slow connections, and lack of knowledge. The last of those objections was certainly the obstacle. In an industry where up to 70% of CTOs and IT managers have reported that their most significant challenge was in keeping up with their personnel needs, it is little wonder that technical expertise familiar with virtual private networking was even more difficult to find.

As the technology has become more widely deployed and the need for VPNs recognized, the blending of technology has helped solve the problem. As VPN capability joined the feature set of firewalls and routers, the industry has become familiar with what to expect, and with the next generation of software and hardware, the ability to implement the technology is more commonly within reach. Virtual private networking is now supported by Cisco routers, bringing availability on some of the industry’s most ubiquitous networking devices.

The other factor is the consolidation of networking technologies. Many companies are striving to provide one-stop shopping for customers, especially in the security products market. Consolidation of access control, firewalls, network monitoring, VPNs, virus detection, content filtering, authentication servers, and other products is the trend, and likely to continue. The consolidated offerings are allowing vendors to add useful features to familiar products.
Anyone using firewalls and investigating the use of VPNs should check with their vendor regarding vendor-supported products, as most major firewalls either directly incorporate the technology or have partners who provide it.

The bottom line of the risk versus reward discussion is that the technology has left its infancy behind. It is no longer in development. It is now in the integration stage. Vendors, consultants, and partners may be ready to help you benefit from the technology. With the amazing benefits and added security, VPNs are not just something to add or a product to buy, but something destined to become part of the networking paradigm. They are an improvement that will become the standard, rather than the exception.

PITFALLS DURING DEPLOYMENT

Deployment of virtual private networks within a company is subject to a few common pitfalls. The first is selection of appropriate technology. Be certain to clearly define your needs, in terms of bandwidth, interoperability among business locations, mobile users, and business partners. Consider the capacities of the staff that would manage the VPN solution, including supporting end users who might have their company dialup accounts replaced by generic Internet dialups. This first area is the one in which technical consultants are most likely to be useful. Virtual private networking has reached the state where a decent engineer can manage the VPN capabilities of firewalls or standalone devices, with perhaps a little technical support from the vendor. However, matching a company’s needs against the available product choices is a task for someone specialized in the arena of network security. This might be a good chance, though, for a savvy IT professional to solicit a thorough security audit or evaluation, while using the benefits of VPNs as a cost justification.
It is important to be aware of the technical capacity of your end users, how much support they will require from you, and how much your vendor will support your end users, if at all. Much as with initial installations of company firewalls onto existing Internet connections, some users need assistance to make the change. Most non-technical users will need assistance to alter the network stacks on their individual machines if client software is used. The transition period can be significant with a large installation, and require as much as 30% more working hours to maintain in a networking-intensive company.

A consideration that must be kept in mind is compatibility with existing applications. Not all VPNs will pass any type of traffic. Some are valid only for TCP connections, and do not tunnel UDP or ICMP traffic. UDP is used by a number of applications, including DNS and SNMP. This may or may not be important, depending on what type of remote access is needed.

This leads to the final point: recognizing maintenance issues. There is a higher cost for using VPN technology. Using encryption to replace the simpler security of private lines, or to obsolete a company modem pool, has upsides and downsides; but with careful planning, the transition can be smooth. The savings will far outweigh the additional costs of remote user access or private lines. The actual security of a company as a whole can significantly benefit from VPN use, since most experts agree that good encryption is a more reliable defense than relying on telecom company privacy. All security measures can be thought of as raising the bar a potential intruder needs to cross to circumvent security. To a determined intruder or concerted attack, properly deployed encryption can be a much greater deterrent than a private communications infrastructure, especially considering that the security of that infrastructure is in someone else’s hands, and not your company’s.
PART OF A BIGGER SECURITY PICTURE

One fact that deserves mention is that virtual private networking is only a part of a complete security scheme. The real point of using a VPN is to protect the link between two secure endpoints. If your endpoints have weaknesses, then the tunneling cannot do anything to protect them. Keep in mind that a VPN is not a license to freely trust the other end, especially one you don’t directly control. If one side of an unfiltered VPN is compromised, then the other side can be as well, with the VPN allowing direct access. This can be especially important with peer-to-peer VPNs, when one company connects to another.

One way of keeping access restricted is to terminate the VPN just outside a firewall, where the traffic can no longer be eavesdropped on, but before the firewall applies its rules. With firewall-to-firewall tunnels, most products allow you to filter services. One company may allow FTP through a tunnel with a partner company, but not permit telnet, when that company has no reason to telnet to them. The most important thing to keep in mind is that a VPN is only as secure as its weakest point, especially when the VPN is not filtered between the trusted networks. Just because a user is authenticated and encrypted with the use of VPN software does not mean he or she should have unlimited access. Always explicitly deny any traffic you do not need to allow.

Normal network auditing tools should be applied through VPNs when possible. If you employ some sort of attack detection software, such as Internet Security Systems’ SafeSuite or Dan Farmer’s SATAN, try using the software from one side of the VPN to the other, to simulate a compromise. Do not exempt anyone from other security measures, such as authenticating on a particular machine with passwords or one-time passwords. With client-to-server VPNs, this is usually less of a concern.
Client software usually requires authentication to open the tunnel, but considering that a large portion of network violations are reported to be committed by insiders, consider physical access to workstations with VPN access when deploying. Carefully consider that when you provide one person with full VPN access to a secured network, anyone who has physical access to that machine has access to the secured network as well.

SUMMARY

Virtual private networking is an avenue to both savings and security. It allows lower-cost remote access and connection of remote sites. It provides a new level of data security by preventing monitoring by third parties, thus preventing loss of valuable data. In the future, as the security market continues to consolidate, expect more VPN capabilities to be integrated into all types of products. Savings and opportunities are available now, though, with VPN deployment through the use of VPN-capable firewalls, or independent software and hardware solutions.

Matt Wallace is a Senior Network Security Engineer with Exodus Communications. He has 5 years of experience working with Internet security. He is currently focusing on security and network management for large-scale and high-bandwidth redundant networks. You can reach Matt via E-mail at [email protected].