Look for an explosion of trade publication hype about Virtual Private Networks (VPNs) over the next year. Why? Because administrators will find many new VPN security options and tools in Win2K.
A lot of admins are already struggling to make a VPN work, but Windows NT managers in particular may need a refresher course. They'll encounter some new tools when upgrading to Windows 2000—tools that will make implementing a VPN much more practical.
First, just what is a VPN?
Everybody talks about taking a company on the ‘net, referring to e-commerce, or a connection between the sales force and customers. But, unless you’re a retail business, this doesn't matter very much to your business plan. The importance of the Internet to many companies is the way it can be used as a backbone to extend local office applications and data to branch offices. Of course, this is nothing new for giant corporations, which have long used leased lines and dial-up, modem-to-modem connections to share data between distant offices.
A textbook definition
Technically, a VPN can be described as a network that provides the functionality of a private network without dedicated private connections, relying instead upon public network interconnectivity. The use of security technologies makes the circuit “private.”
My first experience with leased lines was decades ago when we used them to link the WGBH-TV [PBS, Boston] remote cameras and sub-station to local control and master control rooms. This approach was used to move video signals in the days before satellite links, but the concept is the same whether you're moving accounting data or video signals.
What's new is the "virtual" part, which refers to the use of secure technologies to let companies use the extremely public (and extremely cheap) Internet to replace dedicated and relatively secure connections used in what you might call "real" private networks.
If you've never had serious security concerns before, the mere thought of your company's daily business transactions and precious accounting or engineering data being passed around the Internet second-by-second on a 24/7 basis should be a real wake-up call!
Not only do you have to worry about outsiders getting a peek at your confidential information (the way you do when they dumpster dive or gain access to tape or floppy diskette copies of some of your computer files); you now have to make certain that they don't modify data between the time it leaves one office and the time it arrives at another distant office, possibly insinuating false information into your system undetected. In other words, to run a safe VPN and realize the cost savings from giving up leased lines or not having to set up entirely new systems at each branch office, you must find ways to prevent copying, deleting, modifying, or even falsifying entire files—and you must do all this over an extremely public communications system.
My first column looked at the shortfalls of encryption, and some readers missed the point that very soon, all their files could be compromised. In five years, almost anyone who's interested in your data will be able to build a supercomputer in a few days. So, although encryption is an important tool in protecting the data you send over a Web-based VPN, it's only the beginning.
New tools for Windows 2000
Windows 95, Windows 98, and NTW/S (workstation and server) 4.0 support Microsoft's PPTP (Point to Point Tunneling Protocol), which provides for encrypted communication sessions between a PPTP client (all Windows platforms, or even Macintosh, with third-party tools) and a PPTP (Windows NT) server. That works for the Microsoft universe, but it leaves out a very large part of the world.
Cisco Systems' Layer 2 Forwarding (L2F) was developed in the mid-‘90s, about the same time as PPTP. What's new for Windows 2000 is Layer Two Tunneling Protocol (L2TP), a combination of the best parts of both. L2TP is actually a mature Internet Engineering Task Force protocol. In a future column, I'll look at the best features of L2F and PPTP, which have been combined in L2TP.
IPSec (Internet Protocol Security) provides tools for encryption, authentication, and more. IPSec is a network layer security protocol and, although it has been used to support server-to-server tunneling, it's not intended for client-to-server tunneling. Thus, IPSec and PPTP or L2F, and the combined L2TP, are complementary.
Microsoft says it will support client/server PPTP/L2TP-based virtual private network sessions running over IPSec in Windows 2000 (NT 5), but it will continue to support server/server tunneling based on PPTP to ensure a smooth transition.
I'll delve into more detail on all these protocols and standards in future columns, explaining how they differ and how you can use them in combination to provide for secure fixed and mobile VPN access. Until then, for information on all active IETF security working groups, check out http://www.ietf.org/html.charters/wg-dir.html#Security_Area.
John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.
Have a comment?
If you'd like to share your opinion, please drop us a note or post a comment below.