iCommerce.com Corporation
VPNs For Enterprise Internetworking

JULY 1998

Only a handful of VPNs provide adequate security. Here's how to determine the best solution for your business.

Virtual Private Networks (VPNs) are a hot commodity right now. They have been embraced primarily by the remote-access market as an inexpensive way for employees who are traveling or off-site to connect back to the corporate network, though companies are beginning to derive greater value from connecting extranet users over the Internet. VPNs come in many flavors, from hardware to software, with a range of security levels. The most secure VPNs go beyond basic encrypted tunneling to provide end-to-end security, which enables full-scale electronic business. According to Infonetics Research, the VPN market is expected to reach $11.6 billion by the year 2001. No one has clear data on how much the market is worth today, but International Data Corporation (IDC) and Link Research forecast that it will continue to grow at 45 percent annually. GartnerGroup predicts that VPN technology will be used in 30 percent of e-business extranets. Of course, what qualifies as a VPN varies among analysts and vendors, but a VPN is most commonly defined as a private network that uses public backbones (like the Internet) for transporting data. The privacy aspect of VPNs comes from encryption, authentication, and in some cases, access control (see Figure 1).

Today, only a handful of VPN solutions provide adequate security for mission-critical internetworking. Those that do enable companies to develop fully functional electronic business-to-business applications, such as systems for online sales negotiation, order fulfillment, and ongoing support. In addition to helping the sales process, VPNs can provide a secure framework for automating a supply chain, facilitating collaborative projects with partners, and improving productivity for both in-house and remote employees through streamlined, secure access to critical information.

Costs

With so many new network systems regularly being introduced, companies often require that their administrators be able to demonstrate a quantifiable return on investment before implementing a VPN. Many corporations, burdened by the effort of maintaining large modem pools and the expense associated with long-distance charges, are finding that using the Internet as a backbone for remote access is more affordable and easier to implement and maintain than traditional solutions. In the past, dial-up remote access was used to give customers access to corporate networks, while leased lines were installed to enable partner corporations to access each other's networks.

For dial-up remote access, the initial and recurring costs to support a modem-bank system include:

  • installation of remote-access servers, ports, modems, and lines
  • maintenance of dedicated remote-access hardware
  • purchase of remote-access client-server software
  • administration of remote-access software
  • ongoing carrier-access charges, which can be long-distance or toll-free

With leased lines, the communications channel itself is secure, but if either network is compromised, the network at the other end inherits the security problem. Another major drawback of leased lines is that they are not as flexible as a VPN. When new sites need to be added to the network, leased lines require a duplication of the infrastructure at each additional site. The leased-line infrastructure includes:

  • installation of the dedicated leased lines (such as 56K or frame relay), which could necessitate the expansion of an existing Public Branch Exchange (PBX)
  • special data services from the telecommunication vendor
  • proprietary security hardware/software for encryption and authentication that must be installed and configured symmetrically at each end of the connection by corporate IS staff
  • recurring charges for leased lines and associated services
  • upgrading or retrofitting the proprietary security hardware/software

Both leased lines and dial-up remote access require a significant time and money investment in a bulky infrastructure. VPNs usually are half the cost and require only a minimal initial investment. The long-term savings, flexibility, and scalability that result from using the Internet are particularly helpful to large, dynamic corporations.

Encrypted Tunnels vs. Highly Secure VPNs

Most VPNs provide encrypted tunneling from one LAN to another, which protects data from being read if intercepted by an unintended recipient en route. In the basic remote-access and intranet scenario, where employees typically are the end users, companies tend to assume a low-level security risk. In other words, they trust their employees. If this assumption is right, and companies control both the source and destination nodes, then encrypted tunneling might be sufficient. Many firewall, router, and frame-relay vendors, as well as some ISPs, offer this type of solution for quickly transferring high volumes of data.

However, companies should be aware that security threats often come from within an organization. In fact, according to a 1996 study issued jointly by the FBI and the Computer Security Institute, almost half of all computer break-ins occur from within a company. If a company is concerned about proprietary information being leaked by employees, whether intentionally or accidentally, or if a company routinely applies different levels of trust to branch offices or individuals, the VPN solution should control the information flow on a user-by-user basis from one endpoint to another, not from one IP address on a LAN to another LAN's perimeter. In other words, when a high level of security is needed, companies should not rely on "plumbing" or low-level hardware for their VPN needs because these solutions cannot carry specific permissions beyond network perimeters. Access control is better managed with software running on top of operating systems and routers.

High-security VPNs go beyond encrypted tunneling to provide user-based authentication and tiered access control. While strong authentication and encryption are critical components of the VPN, they are relatively simple to deploy and verify. Access control, on the other hand, is relatively complex because its deployment is tied intimately to every other security tool. Roughly speaking, the security of a VPN is a function of how tightly its authentication, encryption, and access control are connected. If one component is lacking, the VPN is incomplete. When implemented correctly, VPNs protect network resources from viruses, snoops, corporate spies, and other known threats that gain access through configuration mistakes, lack of system management, weak authentication, and back-door entry points to the network.

The most secure VPNs are built around a "directed" architecture, as opposed to a bi-directional "tunneled" method. Directed VPNs (see Figure 2) transmit encrypted information at a higher level (layer five in the ISO OSI network model) in the networking protocol stack than tunneled VPNs, which operate at layers two and three. Security and control increase as functionality moves up the network hierarchy. Directed VPNs act as proxy servers, which means they do not open any direct connections into corporate networks, preventing IP addresses from being "spoofed," or mapped. Tunneled VPNs, as the name implies, open tunnels within the Internet and secure information traveling through them with basic packet filtering. This approach gives participating companies weakly secured access to each other's networks, with no way to fine-tune access control. These types of solutions often are based on the mistaken assumption that there should be peer-to-peer trust among companies connected by VPNs. When trading partners or customers are involved, that rarely is the reality.

In directed VPNs, all credentials are checked and security rules applied before any session is allowed. The VPN server then proxies all allowed traffic to the appropriate resources. Because all data is proxied, information about who has been trying to gain access to the network and how often is recorded, making it easy for administrators to audit their security system. Unlike tunneled VPNs, directed VPNs protect connected networks from each other's security flaws. Directed VPNs do not assume a two-way trusted relationship between connecting parties. If security is breached in the directed model, only the attacked network is exposed, not the linked networks. In the tunneled model, when one network is attacked, each successive network is susceptible to the same attacker. In the directed model, each company's IS managers can set their own access privileges and be confident they are not exposing their networks to unknown security problems.

VPNs cannot be configured to be directed. They are either directed or are not, based on the technology used. Some VPNs are built on SOCKS v5, which is the IETF-approved standard for authenticated firewall traversal. SOCKS v5 controls the flow of data at the session, or circuit, layer, which maps approximately to layer five of the OSI networking model. Because of where it functions in this model, SOCKS v5 provides far more detailed access control than protocols operating at the lower layers, which permit or reject packets based solely on source and destination IP addresses. SOCKS v5 establishes a virtual circuit between a client and host on a session-by-session basis and provides monitoring and strong access control based on user authentication without the need to reconfigure each new application.

Because SOCKS v5 and SSL operate at the session layer, they have the unique ability to interoperate on top of IPv4, IPSec, PPTP, L2TP, or any other lower-layer VPN protocol. In addition, SOCKS v5 and SSL record more information about the applications running above them than lower-layer protocols do, so they can provide sophisticated methods of securing traffic (see Figure 3).

VPNs built using SOCKS v5 protect destination computers essentially by proxying traffic between source and destination computers. When used in conjunction with a firewall, data packets are passed through a single port in the firewall (port 1080 by default) to the proxy server, which then filters them to a destination computer. This spares administrators from having to open multiple holes in their firewall for different applications. For additional security, the VPN proxy server hides the address structure of the network, making it more difficult for confidential data to be cracked.

SOCKS v5 is also highly flexible. It works easily with multiple security technologies and platforms, which is critical for IS professionals managing heterogeneous computing environments. It offers modular plug-in support for many authentication, encryption, and key-management methods, providing IS managers the freedom to adopt the best technologies for their needs. Plug-and-play capabilities include access-control tools, protocol filtering, content filtering, traffic monitoring, reporting, and administration applications. SOCKS v5 can filter data streams and applications, including Java applets and ActiveX controls, according to detailed specifications. Another design advantage of SOCKS v5 is that a SOCKS VPN client is non-intrusive. It runs transparently on the user's desktop and does not interfere with networking-transport components as do lower-layer protocols, which often replace the WinSock DLL, TCP/IP stack, and low-level drivers (thus interfering with desktop applications).
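As an added example, not code from the article or from any vendor it describes, the following Python sketch shows the server-side decision points the preceding paragraphs attribute to a SOCKS v5 proxy: method negotiation that insists on user authentication, RFC 1929 username/password verification, and a per-user access-control check on the CONNECT request before any connection is opened, with every decision written to an audit record. The users, hosts, and credentials are constructed for illustration only.

```python
import hmac
import struct

# Constructed credential store and per-user policy (hypothetical users and hosts, not from the article).
# POLICY maps an authenticated user to the (destination, port) pairs that user may reach.
CREDS = {"partner1": "s3cret", "employee": "hunter2"}
POLICY = {
    "partner1": {("orders.example.internal", 443)},
    "employee": {("orders.example.internal", 443), ("mail.example.internal", 143)},
}

def select_method(greeting):
    """Parse the client's method-selection message (RFC 1928 sec. 3) and insist on
    username/password authentication (method 0x02); anything else is refused (0xFF)."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != 5 or len(methods) != nmethods:
        raise ValueError("malformed greeting")
    return b"\x05\x02" if 0x02 in methods else b"\x05\xff"

def authenticate(sub):
    """RFC 1929 username/password subnegotiation. Returns (reply, username or None)."""
    if sub[0] != 1:
        raise ValueError("unsupported subnegotiation version")
    ulen = sub[1]
    user = sub[2:2 + ulen].decode()
    plen = sub[2 + ulen]
    password = sub[3 + ulen:3 + ulen + plen]
    if hmac.compare_digest(CREDS.get(user, "").encode(), password):
        return b"\x01\x00", user          # status 0 = success
    return b"\x01\x01", None              # non-zero status = failure; the proxy then closes the connection

def connect_request(host, port):
    """Encode a CONNECT request with a domain-name destination (used here to build sample input)."""
    return b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + struct.pack("!H", port)

def authorize(user, request, audit):
    """Parse a CONNECT request (RFC 1928 sec. 4) and apply the per-user policy before any
    connection is opened. Every decision is appended to `audit` so access attempts are recorded."""
    ver, cmd, _rsv, atyp = request[:4]
    if ver != 5 or cmd != 1 or atyp != 3:    # this example handles CONNECT with ATYP=DOMAINNAME only
        return b"\x05\x07\x00\x01" + b"\x00" * 6   # REP 0x07: command not supported
    n = request[4]
    host = request[5:5 + n].decode()
    port = struct.unpack("!H", request[5 + n:7 + n])[0]
    allowed = (host, port) in POLICY.get(user, set())
    audit.append(f"user={user} dst={host}:{port} decision={'allow' if allowed else 'deny'}")
    if not allowed:
        return b"\x05\x02\x00\x01" + b"\x00" * 6   # REP 0x02: connection not allowed by ruleset
    return b"\x05\x00\x00\x01" + b"\x00" * 6       # REP 0x00: succeeded (BND.ADDR/PORT zeroed here)
```

A real proxy would open the outbound connection only after `authorize` returns REP 0x00 and would relay the session from there; the point here is that identity, not source IP address, drives the decision.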

Because SOCKS v5 is designed specifically for highly secure environments, analysts expect that SOCKS v5 and appropriate plug-ins will be used primarily for highly secure remote access and extranets where the extension of private client networks stretches across multiple organizational perimeters.

Evaluating Extranet VPNs

Unlike intranets, which are relatively isolated, extranets are intended to reach partners, customers, and suppliers, as well as remote employees. Securing that WAN requires diligence and the right tools. The VPN should secure all applications, including TCP and UDP applications such as RealAudio and FTP; corporate vertical applications such as SAP, BAAN, PeopleSoft, and Oracle; and "homegrown" applications built using Java, ActiveX, Visual Basic, and the like. Because most corporate computing environments are heterogeneous with many legacy systems, the best VPN solution should be extremely versatile and interoperable with multiple platforms, protocols, and authentication and encryption methods. Also, when a vendor says that its product runs on both Windows and UNIX, be sure to verify that it supports more than one flavor of UNIX.

The security elements of a VPN can be prioritized differently, but with an extranet VPN, all the fundamental pieces--encryption, authentication, and access control--should be integrated tightly with some type of perimeter security. Usually this means a company will place a VPN proxy server behind an impenetrable firewall that blocks all unauthenticated traffic. Any traffic allowed in is then funneled through a common portal directly to the VPN server, which filters traffic according to company policy. It is essential that the VPN tie a user's access permissions to end-to-end encryption and authentication. Also, the client software should be as transparent as possible.

Online business is not restricted to credit card transactions. It can involve complex negotiations and collaboration on projects. When vital, confidential information is involved, IS professionals cannot risk compromising any portion of the network. An extranet VPN should use the highest encryption available, which currently is 128 bits, though U.S. companies must receive special governmental permission to export encryption over 56 bits (although there are ways international companies have circumvented this structure). In addition, the VPN should support multiple authentication and encryption methods because business partners, suppliers, and customers are likely to have varying network infrastructures and platforms. It is unrealistic for a company to try to mandate what systems are used beyond their LAN. When companies conduct multifaceted business transactions over public networks, simple encrypted tunnels will not suffice.

To allow untrusted sources access into a network, companies need to be able to identify individual users and tie those identities to varying levels of network access. The defined access privileges can be used with e-mail, data warehouses, custom applications, legacy systems, Web sites, product distribution systems, and any other service or application tied to the network. Manufacturing companies have used extranet VPNs for supplying delivery and production schedules and account information. Financial institutions have used extranet VPNs for loan syndication, providing clients with account information and performance reports. Health institutions have used VPNs to provide access to medical records and offer confidential research information.

By adding VPN security to an extranet (see Figure 4), companies easily can define which network resources are available to customers, partners, remote employees, consultants, or other business resources. This increased access to information can result in much broader corporate reach, greater efficiency, better customer service, increased collaboration, supply-chain automation, and increased return on investment.

In a true business-to-business scenario, IS managers should look for a VPN that filters access to resources based on as many parameters as possible, including source, destination, application usage, type of encryption and authentication used, and individual, group, and subnet identity. Administrators should be able to identify individual users, not just IP addresses, either through passwords, token cards, smart cards, or other methods of authentication. Passwords usually are sufficient for casual office use, but they are not as secure as token or smart cards. Employees often are careless with their passwords and rarely change them, whereas token and smart cards change the passcode on a regular basis, often as frequently as every 60 seconds.

Once a user is authenticated, administrators can authorize traffic to protected resources without jeopardizing network security. The strictness of access control is what ultimately determines the level of security among VPN solutions. Without being able to control exactly who has access to each resource on a network, a VPN is virtually useless beyond the network's perimeter. Once authenticated, a user should not have carte blanche on the network. Rather, specific permissions should be granted to each user in order to retain the most control over every resource. Security should increase, not lessen, as a user moves inward toward the most sensitive data.

Conclusion

Extranet VPNs are too valuable to disappear. They are changing the business model for the 21st century by laying the groundwork for establishing trust relationships among organizations and individuals over the Internet. The technology is new but already valuable to leading companies, most of which champion UNIX systems. According to a 1997 Forrester survey, more than half of the 50 Fortune 1,000 companies interviewed said that within two years they expect to use the Internet to communicate with partners. Two-thirds said they intend to execute transactions with customers over the Internet. IDC and Link Research forecast that VPNs will continue to grow at an annual rate of 45 percent through 1999. The prospects are promising, but without highly secure, scalable extranet VPNs, enterprises will have difficulty capitalizing on the opportunities. Companies should adopt a VPN solution that uses the best of evolving technologies, functions in a heterogeneous corporate environment, and maps real-world trust relationships to the network.


References

"General Usage for International Digitally Ensured Commerce," International Chamber of Commerce.

"ROI in the Extranet World," Gartner Group Research Note, Key Issue Analysis, January 6, 1998.

"1998 Predictions for the Internet," November 28, 1997.

