More and companies are extending their extra nets to capitalize on business-to-business opportunities. While the advantages of using the Internet to connect to remote workers, branch offices, suppliers, customers, and business partners are many, there is a built-in danger that sensitive data could fall into the hands of hackers and corporate spies as it travels over this cost-effective but public network.
As part of an overall network security strategy, most companies employ fire walls to control access to their networks. A fire wall prevents unauthorized users from accessing data and applications. However, once packets of data pass through the fire wall to the Internet, a company's information assets are at risk. To protect their data in transit, 56% of large organizations employed site-to-site VPN s in the year 2000, according to a study conducted by Infantries Research (http://www.infonetics.com/).
With an IP VPN, a company can exchange data with virtually anyone in the world for nearly half the cost of using dedicated and/or frame relay circuits. As an added benefit, the same VPN technology can securely connect networks to remote access users utilizing dial up links or broadband services such as x DSL and cable modems. Even though user confidence is growing, moving from private lines to a public network still raises concerns.
"Deciding which VPN technology to implement can be confusing and intimidating, given the myriad of choices available," said Johnnie Constants, Product Marketing manager for Check Point Software Technologies (http://www.checkpoint.com/), a leading provider of Internet security solutions. "Because of the differing VPN standards and interpretations used to implement them, interoperability problems among some VPN products can increase network complexity."
Add security concerns to the mix, and deciding on VPN equipment can be risky business. Search Networking talked to leading industry experts and developed the top twelve issues to consider when selecting large enterprise VPN solutions. We weren't surprised that security topped the list:
- Best-of-breed security: "To be compatible with the rest of the world, companies should select VPN solutions that use the standard IP sec protocol," said Matthew Close, Director Managed Security Services Group for Exodus Communications, a company that provides a worldwide network of Internet hosting operations (http://www.exodus.net/). "IP sec secures data by creating a virtual tunnel from point A to point B that 'looks' like a direct connection with no infrastructure [routers/hops] in between. To protect the payload even further, VPN s utilize a suite of IP Security protocols that include an Authentication Header (AH) and an Encapsulating Security Payload (ESP) to encrypt many of the protocol stack information items." "Sending data through this tunnel is like putting your money into a container traveling through a suction tube to a drive-thru bank teller," he explained. "Even though tunneling alone makes data relatively safe from hackers, with IP sec, companies must encrypt the payload, making it virtually impossible for a hacker to make sense of a stolen data stream."
- Tight integration with other security solutions: Any VPN solution you select must seamlessly integrate with network and other security solutions such as fire walls, content and URL filtering, Denial of Service (DoS), antiviral (AV) screening, intrusion detection (ID), etc. "The VPN solution must seamlessly fit into your router infrastructure," said Bob Reason, Senior Manager, Conicity Product Marketing for Nortel Networks, a provider of IP VPN solutions (http://www.nortelnetworks.com/). "You want to be able to map the users accessing your secured resources against existing directories and policies you have in place." Constants adds that in addition to using their operating system of choice, security managers must be able to manage all security solutions from one application, "so solutions can talk with each other rather than just alert someone to do something."
- Comprehensive: Large enterprises need a VPN solution capable of supporting Internet, intranet, and extra net communication across heterogeneous platforms and operating systems -- including remote clients. "Only integrated VPN/fire wall solutions are designed to deliver complete Internet security," said Constants. "VPN gateways deployed separately from the fire wall burden network administrators with many needless complexities. In addition, the placement of stand-alone VPN gateways with respect to the fire wall becomes critical since fire walls cannot enforce access control of encrypted traffic. "Standalone VPN s must terminate outside the fire wall so data is decrypted before it passes through," said Phil Gabardine, Director of Security Engineering for Storage Networks, a leading storage service provider (http://www.storagenetworks.com/). "That way you have a log of all traffic and a more secure environment."
- High availability: Guaranteed levels of service are difficult to deliver if you deploy VPN devices from multiple vendors. "If you stick with one vendor, interoperability will be more certain," said Reason. To that end, many companies are even specifying what equipment they will support for extra net partners. Close agrees, "If you can work with one best-of-breed vendor and stick with them across the corporate extra net, you'll have greater success making VPN connections."
- Centralized VPN management architecture: IT departments need the ability to centrally configure, manage, and troubleshoot VPN security across the organization. "Not all vendors deliver management software that can simultaneously distribute security policy information to all boxes," said Constants. "You need a common glue to inter operate with hundreds of disparate forms of security: to securely connect to otherwise incompatible application environments." Gabardine recommends finding a solution that offers a single console port with a GUI interface that makes it easy to create groups, add routes, etc. "It's important to test these solutions out, because some are more difficult than others to configure," Gabardine said. "Most vendors will offer a 30-60 trial period so you can make sure the advertised features work." In addition, the management software should aggregate all of the logs to create a granular audit trail. "Logged data should easily integrate with popular security reporting applications that will allow you to make determinations about protecting the network from attack," Constants said. In addition, Close says good debugging tools are a must. "If there's a problem making a connection, technicians must have debugging tools that will quickly determine if a shared key is incorrect or specifically what part of the IP sec protocol failed."
- Easy deployment and configuration: VPN solutions should be compatible with current, familiar servers, operating systems, and centralized security databases. "Tying a lot of devices together for multiple locations can be a daunting task," said Close. "The number of tunnels grows exponentially as you design a mesh topology connecting remote sites. Make sure that the management software allows you to maintain all of the information you need in one database, so you can design one configuration instead of 40. In addition, the solution should provide a secure, encrypted management link for pushing configuration information to devices in the field."
- Easy user interface: Installing VPN boxes at remote offices, configuring VPN client software on laptops, and establishing VPN connections should be easy for end users to implement. "Client software installation and authentication processes should be as easy and seamless as possible," Reason said. "In addition, the VPN switch terminating tunnel needs to be flexible enough to accommodate varying IP addresses, since mobile users will have temporary IP addresses."
- Interoperability: Open Platform for Security (OP Sec) is a Check Point specific alliance and certification process for ensuring product interoperability. Purchasing OP sec platform VPN solutions that support standardized authentication methods, tunneling protocols, and encryption types will minimize connectivity problems. However, because developers are interpreting the IP sec standard in many ways, interoperability between vendors can be difficult. "Be cautious of third party IP sec certifications. Stick with IETF [Internet Engineering Task Force]," Close said. "We're finding all kinds of interoperability problems even from one version to another for the same device." "Right now you have to married to one vendor if you want things to work," Gabardine agreed. "If you want to talk to the world, you may need to buy one of each."
- Scalability: "Supporting LAN to LAN tunnels connecting a large number of remote users, FTP database file transfers, and online transaction processing are the most demanding applications," Gabardine said. "However, the VPN usually isn't the bottleneck. The bandwidth to the Internet -- typically a T-1 line -- is the biggest problem." Constants said encrypted file overhead can significantly reduce VPN throughput. "Customers that want the fastest performing VPN gateway possible, independently of their WAN connection speed, need to ensure that their solution supports VPN acceleration. Since encryption is a very CPU-intensive process, it is often necessary to offload the task to an accelerator card which, in some cases, can more than double VPN throughput."
- Traffic control: The ability to manage bandwidth -- by user, by group, by application, by time of day, etc. -- is vital for maintaining availability and quality of service (Quos) guarantees. "You should be able to give priority to customers coming in over employees wanting to browse the Internet, allocate bandwidth to certain applications such as Net Meeting which will not work below certain levels, or make sure your CEO and specific user groups are given top priority to VPN resources," Constants said.
- Automated password/key management: Automated password and key management, especially for remote access VPN s, are vital for reducing security personnel workload. "Thousands of security management tasks -- issuing passwords, generating security policies, notifying certificate authorities of changes, revoking access privileges, etc. -- cannot be handled manually," said Constants.
- Supplier support: Large organizations need to work closely with a limited number of suppliers and vendors that will provide the level of support needed to select, implement, and maintain highly-available VPN solutions. "You need the ability to fix it over the phone," Gabardine said. "The big boys are better at doing that."
For additional information about selecting and purchasing VPN equipment, check out the following resources:
"Redefining the Virtual Private Network (VPN)" a Check Point white paper at http://www.checkpoint.com/.
"The business case for IP-VPN services" a white paper on the Nortel Networks website: http://www.nortelnetworks.com/.
"Virtual Private Networks: Your Guide to the New World Opportunity" a white paper available from Cisco Systems at https://www.cisco.com/.
"User Plans for VPN Product and Services in the US 2000" an Infantries Research white paper located at http://www.infonetics.com/.
"A Practical Guide to the Right VPN" available from the ZDNet IT Resource Centers http://techguide.zdnet.com/.
"Virtual Private Networks: Viable Products Now," Network World, 12/11/00 http://www.nwfusion.com/.
VPN Resources from ComputerShopper.com at http ://www.zdnet.com/computershopper/edit/cshopper/content/extra/9812biz/378000.html/.
"Why Choose Integrated VPN/Fire wall Solutions over Stand-alone VPN s?" a white paper on the Check Point website at http://www.checkpoint.com/.
"A Practical Guide to Network Security" prepared by Dr. Bill Hancock, CISSP, VP, Security Chief Security Officer, Exodus Communications at http://www.exodus.net/.
"Chapter 9 -- Virtual Private Networking" for Windows 2000 at http://www.microsoft.com/technet/.
"IP Security for Local Communication Systems," a paper outlining the Microsoft Solutions Framework?Best Practices for Enterprise Security at http://www.microsoft.com/technet/security/.
For more information about Storage Networks, visit their website at http://storagenetworks.com.
For more information on IP sec, read the Internet Engineering Task Force (IETF) Security Area at http://www.ietf.org/html.char terms/wag-dir.html#Security_Area/.
Linda Gail Christie, MA., is a contributing editor based in Tulsa, OK.