Virtual private network (VPN) implementation can make you a corporate hero. It can also make you the company scapegoat. As Clapton’s song says, “It’s in the way that you use it.”
By definition, a VPN is simply secure access to data and/or resources via private network. This private network connects through public data lines and uses a tunneling protocol and encryption by individuals or machines for whom the data and/or resource is intended.
This article appears courtesy of TechRepublic's TechProGuild, the subscription Web resource for IT administration and support professionals. Among other great benefits, TechProGuild offers in-depth technical articles, e-books, and weekly chats moderated by industry experts on hot topics such as the latest OS developments and career advancement. Sign up now for a FREE 30-day trial of our TechProGuild service.
Over the past few years, VPN has become one of the most used acronyms in the history of the networking industry. Every company that can possibly justify instituting a VPN solution is champing at the bit to do so.
In this Daily Drill Down, I’ll discuss the benefits of deploying a VPN and examine the design and technology behind it.
The path of least resistance
They (you know—all of those “experts” out there who know everything) say that VPNs and related services will have a market of greater than $10 billion by 2001. CEOs, CIOs, networking executives, and even the managers below them have become very well read in the area of VPNs. Something about the promise of having secure access to a corporate network from darn near anywhere in the world is tremendously appealing—not to mention the convenience and relatively low expense associated with setting up and maintaining a highly available global network. It seems that in a world of nonstandard standards and rapidly changing technologies, a VPN (which is largely standards-based) is the path of least resistance to a highly available, reliable, and secure network to which you could potentially connect (with the right tools) from a thatched hut in the Himalayas .
On the surface, the high-level benefit of a VPN seems great. One small fact to keep in mind: Understanding the benefits and the technologies of a VPN and how it works is very different from knowing you need one. The only way to truly reap the benefits is to dig into the technology and its foundation. Many of the above-mentioned professionals have just begun to scratch the surface of the potential of virtual private networking, its services, and its capabilities.
VPN from the clouds
It is only appropriate to touch on the benefits of deploying a VPN prior to delving into its technologies. These aren't all the possible benefits, nor do they apply to every organization and circumstance. Your actual results and benefits may vary.
Cost seems to drive and control many projects in the networking industry. Technologies are available to provide almost any desired or required result, assuming that a company’s pockets are deep enough. Realistically, every member of every technology team faces at least some—and often many—budgetary constraints. (If you’re a hiring manager and your company’s projects don’t have any monetary or budgetary constraints, please e-mail me and I will forward you a resume.) Members of information technology departments and their managers are paid to find and implement better ways to reach an end. Better can mean faster or more reliable, secure, or available. Generally, a better way to reach a similar end equals—whether directly or indirectly—less expensive. And VPNs may be the answer for many companies.
One of the most well known benefits of VPNs is access to resources from any point on the Internet. This access could potentially provide companies that currently manage multiple network points of entry with the ability to maintain a single point of entry. A fast connection to the Internet via an Internet service provider (ISP) could take the place of many, if not all, other data lines and remote-access media. A single high-speed line could replace the function of multiple point-to-point connections, Frame Relay, ISDN, and analog modems. Each of these connectivity options requires some piece of unique hardware, which in turn requires unique management and expense. The single link could transport all required traffic to and from remote users and remote sites.
The most apparent benefits from the reduction in the number of entry points to a corporate network are fewer potential points of failure and reduced hardware and administration costs. Another benefit is the ability to take advantage of the inherent redundancy that’s built into the Internet. A properly written service level agreement with an ISP could potentially offload some responsibility and accountability for network uptime. No matter how high your level of redundancy and planning, you can’t guarantee that a worker repairing a phone line in Anywhere, USA, won’t accidentally slice through the wrong fiber-optic cable and drop one or all of the core backbones of the Internet to its knees. Catastrophic failures are just that. All the precaution in the world can't protect against these types of problems. Luckily, though, situations like these are rare. So, using a VPN to reduce your multiple point-to-point connections is a fairly safe way to save those resources.
All of the resources saved usually equate to dollars. Exactly how many dollars is open to debate. Common wisdom pegs intranational remote-access savings estimates in the area of 50 percent. International estimates of savings are thought to be close to 90 percent over that of conventional remote-access solutions. Site connectivity savings are estimated to be an equally impressive 70 percent over point-to-point. These estimates are very generalized, but clearly, VPNs have the potential to save many companies money. However, to say that implementing a VPN will save every company money would be a misstatement. In the world of technology, there’s always an exception.
While potential savings may vary, one statement holds true: Nothing can currently touch an Internet-based VPN in terms of global availability. This is facilitated by the use of the standards-based Internet Protocol (IP).
With the recent explosion of low-cost, high-speed Internet access available to many individuals’ homes, VPNs make telecommuting not only an employment alternative but also a selling point to potential employees. The labor market is the tightest it has been in history. Employers are having a hard time finding qualified individuals to fill needed positions. Telecommuting via VPNs affords companies the ability to move outside their local labor market to hire individuals who live virtually anywhere, without incurring relocation expenses.
Assuming that a VPN is a viable solution for a company, the two major concerns that many face are performance and security. While IP was designed to be the standard protocol of the Internet, performance and security were not necessarily factored into its design. In the early days of the Internet, neither security nor reliable performance was mandated. Standards have been introduced to provide the ability to ensure the network performance, security, and availability required of a secure VPN.
The major obstacles of transmitting private information over public or shared lines are familiar to most IT managers. Data transmitted via a VPN must:
- Maintain its integrity.
- Be tamper-resistant.
- Be protected from duplication by unauthorized parties.
- Remain confidential until it meets its intended recipient.
VPNs accomplish this by creating tunnels along the Internet from the data’s point of origin to the point of delivery. These tunnels are secure paths through which encrypted data can travel without being intercepted by unauthorized parties. Protocol suites have been developed that provide the ability to form VPNs over the Internet and accomplish the goals I’ve listed. Four of these protocol suites are:
- PPTP (Point-to-Point Tunneling Protocol)
- L2F (Layer-2 Forwarding)
- L2TP (Layer-2 Tunneling Protocol)
- IPSec (IP Security Protocol)
PPTP is a proposed standard that Microsoft has included with Windows 98, with RRAS for NT4, and in a service pack for Windows 95. PPTP uses PPP (Point-to-Point Protocol) to provide remote-access services across the Internet via a tunnel. PPP packets are encapsulated by using a modified version of GRE (Generic Routing Encapsulation) Protocol. This encapsulation allows other protocols, including IPX and NetBEUI, to be utilized by PPTP. This is one of the main attractions of PPTP. By design, it functions at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model, allowing for transmission of protocols other than IP. In contrast, IPSec functions at the network layer (Layer 3) of the OSI model. The main weaknesses of PPTP are its lack of support of token-based authentication and the inability to provide strong encryption. PPTP relies on PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), and a Microsoft Windows NT variation that uses NT domain-level security for authentication, MS-CHAP (Microsoft Challenge Handshake Authentication Protocol).
L2Fis a tunneling protocol that encapsulates PPP packets within IP packets. It allows the use of unregistered IP addresses by hiding the IP address of the remote user from Internet users. Unlike PPTP, L2F has the ability to work directly with Frame Relay and ATM (Asynchronous Transfer Mode). L2F uses PPP for remote user authentication; however, it supports TACACS (Terminal Access Controller Access System) and RADIUS (Remote Authentication Dial-in User Service). Where PPTP allows only single connections to be made across tunnels, L2F supports multiple connections. Since it functions at the Data Link layer (Layer 2) of the OSI model, L2F also provides the flexibility of being able to handle protocols other than IP.
L2TP was designed to take over where L2F and PPTP left off and become a standard approved by the IETF (Internet Engineering Task Force). It is a Layer 2 tunneling protocol that combines the best of both L2F and PPTP. It supports the transfer of protocols other than IP and is used primarily in remote-access scenarios. Although many believe L2TP to be a security-based protocol, it doesn’t provide a secure tunnel. Like L2F, it facilitates authentication of both the user and the connection. For security, L2TP must incorporate IPSec.
IPSec is widely considered to be the best solution for the implementation of a secure VPN. IPSec was originally developed to plug the security inadequacies of IPv4 in the next generation of IP protocols, IPv6. Adoption of IPv6 has been slow, and the current need for securing IP packets is great. These two facts played a large role in the modification of IPSec to make it compatible with IPv4 in an attempt to accommodate the security needs of the current version of IP. Support for IPSec headers is optional in IPv4 but mandatory in IPv6.
In order for current networking applications to use IPSec, they must incorporate special TCP/IP stacks that have been designed to include the IPSec protocols. IPSec is a Layer 3 security protocol from the IETF that provides authentication and/or encryption for IP traffic for transport across the Internet. IPSec affords the sender of IP packets the ability to authenticate and/or encrypt data at the packet level.
There are two methods of using IPSec, which were brought about by the ability to separate authentication and encryption application to each packet. The different modes are referred to as tunnel mode and transport mode. In transport mode, the transport layer is the only segment that is authenticated or encrypted. Tunnel mode authenticates or encrypts the entire packet, which provides even more protection against unauthorized access, interception, or attack.
IPSec is built around a number of standardized cryptographic technologies to provide confidentiality, data integrity, and authentication. For example, IPSec uses:
- Diffie-Hellman key exchanges to deliver secret keys between peers on a public net.
- Public key cryptography for signing Diffie-Hellman exchanges, to guarantee the identities of the two parties and avoid man-in-the-middle attacks.
- Data encryption standard (DES) and other bulk-encryption algorithms for encrypting data.
- Keyed hash algorithms (HMAC, MD5, SHA) for authenticating packets.
- Digital certificates for validating public keys.
IPSec relies on the exchange of secret keys to allow different IPSec parties secure communications. Key management is a “key” ingredient of IPSec. There are two ways to handle these key exchanges and management within the architecture of IPSec: manual keying and the ISAKMP/Oakley scheme, also referred to as IKE (Internet Key Exchange). IKE provides the automation of key management and is the result of the combining ISAKMP (Internet Security Association and Key Management Protocol), which serves as the framework for authentication and key exchange, with the Oakley Protocol, which describes various modes of key exchange. Both manual keying and IKE are mandatory requirements of IPSec.
As with any other management automation tool, the benefit of IKE is easy to see. A VPN with a small number of sites can use manual keying effectively. VPN encompassing a larger number of users and/or supporting many remote-access users will benefit from the automation provided by the use of IKE.
IKE is designed to provide the following capabilities:
- It provides the means for protocol agreement between parties, along with which algorithms and keys to use.
- It ensures from the beginning of the exchange that you’re communicating with the intended party.
- It manages the keys that are agreed on.
- It ensures that the key exchanges are handled completely and safely.
IPSec is currently viewed as the best solution to support an IP-based environment. It includes the strong security that the other protocol suites lack: encryption, authentication, and usage of keys and their management. While IPSec is designed to handle only IP packets, PPTP and L2TP are better suited to environments requiring transmission of IPX, NetBEUI, and AppleTalk.
Aside from the Internet, an Internet-based VPN consists of three pieces: security gateways, security policy servers, and certificate authorities. The Internet is the foundation and groundwork of a VPN. It provides the large pipes for traversal by the small tunnels created by a VPN.
A security gateway is the gatekeeper of the private network. It provides security against unauthorized access to the information on the inside. It can consist of routers, firewalls, VPN hardware, and/or software. In many cases, all or most of these functions are provided by the gateway, or vice versa.
The security policy server contains the access-list information, which dictates what and who to allow and disallow access to resources. This access list can reside in many places: a router, firewall, VPN hardware, or RADIUS server.
Certificate authorities are the governing body of key verification. This governing body can be a database residing inside the private network or it can be outsourced to a third party. The latter provides the best method of key verification in cases where corporations make use of extranets.
Basic questions that should be answered before settling on the best VPN solution (if any) for your company include the following:
- How many users are at each site?
- What are the bandwidth requirements for each needed connection?
- Does the connection need to be permanent or on-demand (dial-up)?
- How much traffic will the site generate?
- Are there times when traffic is higher than others?
- What are the service-level requirements?
- Are there any problems existing in your company that will be solved by the implementation of a VPN?
- Why is a VPN better than the next competing alternative?
- Should the VPN be outsourced or built in-house?
VPN last word
Tremendous advantages accompany the implementation of a VPN for many companies. In a lot of cases, there are also tremendous savings associated with VPN that could make the project sponsor a corporate hero—not to mention the fact that a VPN and a fast Internet connection at a user’s home are a telecommuter’s dream. However, as with any relatively new technology, there are numerous questions to be asked and much studying to be done.
The best solutions are always based on knowledge. If a VPN is for you, look to the future. Make sure your choice is as scalable as you think you’ll need. Also, pay particularly close attention to any other regulations or requirements that are mandated by much larger bodies, such as the government. A number of options are available, some geared toward small business, some toward much bigger enterprises. If your company is in need of a VPN, there’s a solution that’s right for you—just make sure you’re very aware of the requirements today and, as always, think scalable.
Scott Lape is the senior systems consultant for a national insurance company based in Louisville, KY. He also works as a part-time consultant to area networking firms and has been an instructor of Microsoft curriculum. Scott is currently in hot pursuit of the elusive title Cisco Certified Internetworking Expert (CCIE)—and has been an MCSE since before it was cool.If you'd like to share your opinion, please post a comment at the bottom of this page or send the editor an e-mail.