VPNs: Virtually Anything?
A Core Competence Industry Report
Pick up any six press releases and you're bound to read six different definitions of "VPN" - Virtual Private Network.
In an industry obsessed with acronyms, vendors and service providers twist and stretch this label as needed to fit product offerings. Woe to the consumer who simply wants to know what this acronym means. Unfortunately, a single, practical working definition of "VPN" remains elusive - like beauty, the true meaning of VPN is in the eye of the beholder.
What can we say that is generally true of all VPN products and services? Well, certainly the goal of all VPN products is to enable deployment of logical networks, independent of physical topology. That's the virtual part - allowing a geographically distributed group of hosts to interact and be managed as a single network, extending the user dynamics of a LAN or workgroup without concern as to physical location.
Some interpret private simply as a closed user group - any virtual network with controlled access. This definition lets the term VPN fit a wide variety of carrier services, from traditional Frame Relay and ATM networks to emerging MPLS-based networks. Others interpret private as secure - virtual networks that provide confidentiality, message integrity, and authentication among participating users and hosts. In this paper, I focus on Secure VPNs.
Just as there is an endless variety of physical network topologies, so too is there an infinite set of VPN topologies. At their core, however, most VPN topologies try to satisfy one of three applications.
Increasingly today, any of these VPN applications can be outsourced to a commercial service provider, be it a regional ISP, top-tier network access provider, public carrier, or an *SP specializing in managed security services. In such Outsourced VPNs, the service provider is responsible for VPN configuration (provisioning) and monitoring. Service Providers may locate their VPN devices at customer premises or at the carrier's POP.
Each of these VPN applications is supported by secure, network-to-network, host-to-network, or host-to-host tunnels - virtual point-to-point connections. VPN tunnels may offer three important security services: Authentication, to prove the identity of tunnel endpoints; Encryption, to prevent eavesdropping or copying of sensitive information transferred through the tunnel; and Integrity checks, to ensure that data are not changed in transit.
Tunnels can exist at several protocol layers.
For a comparison of these alternatives, visit http://www.corecom.com/external/vpn/compare.html.
Of course, combining approaches is also possible - and, to satisfy some security policies, absolutely necessary. L2TP does not provide message integrity or confidentiality. Standard IPsec does not provide user-level authentication. The Windows 2000 VPN client layers L2TP on top of IPsec to satisfy both of these secure remote access requirements. On the other hand, vanilla IPsec is more appropriate for site-to-site VPNs and SSL is often the simplest secure Extranet solution.
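The following program is an added illustration, not code from the report or from any VPN product. It models a tunnel packet in the style of an ESP datagram (SPI, sequence number, ciphertext, integrity check value) to show the three tunnel security services named above and why the combination matters: a tunnel that encrypts but carries no integrity check accepts a packet that was altered in transit without noticing, whereas the sealed variant rejects it, and it also rejects packets from a peer that does not hold the same pre-shared secret. The packet layout, the function names, the key derivation and the PRF-counter-mode keystream (standing in for AES so that only the standard library is needed) are all assumptions of this example; the inner datagram and the secrets are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Layout assumed for this illustration (modelled loosely on an ESP packet):
#   SPI (4 bytes) | sequence number (4 bytes) | ciphertext | ICV (16 bytes)
HEADER = struct.Struct("!II")
ICV_LEN = 16


def derive_keys(pre_shared_secret: bytes, spi: int) -> Tuple[bytes, bytes]:
    """Derive independent encryption and integrity keys from a pre-shared
    secret. Only a peer holding the same secret can produce packets that
    verify, which is the endpoint authentication the report describes."""
    base = hmac.new(pre_shared_secret, struct.pack("!I", spi), hashlib.sha256).digest()
    enc_key = hmac.new(base, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(base, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream (a stand-in for AES so this runs with the
    standard library only). The nonce is the packet header, so each
    (SPI, sequence) pair gets its own keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(enc_key: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """Confidentiality only: an eavesdropper learns nothing, but the receiver
    has no way to tell whether the ciphertext was altered in transit."""
    header = HEADER.pack(spi, seq)
    return header + xor_bytes(inner_packet, keystream(enc_key, header, len(inner_packet)))


def decrypt_only(enc_key: bytes, packet: bytes) -> bytes:
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    return xor_bytes(body, keystream(enc_key, header, len(body)))


def wrap(keys: Tuple[bytes, bytes], spi: int, seq: int, inner_packet: bytes) -> bytes:
    """Confidentiality plus integrity: encrypt, then append an ICV (truncated
    HMAC-SHA256) computed over header and ciphertext."""
    enc_key, mac_key = keys
    body = encrypt_only(enc_key, spi, seq, inner_packet)
    icv = hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def unwrap(keys: Tuple[bytes, bytes], packet: bytes) -> Optional[bytes]:
    """Verify the ICV before decrypting; return None for any packet that does
    not verify (altered in transit, or sent by a peer with a different secret)."""
    enc_key, mac_key = keys
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return decrypt_only(enc_key, body)


def flip_byte(packet: bytes, index: int) -> bytes:
    """Simulate a packet changed in transit (one corrupted or altered octet)."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)


# Constructed sample: an inner datagram carrying an application message.
INNER = b"\x45\x00" + b"GET /payroll HTTP/1.0\r\n"
SPI, SEQ = 0x1001, 7


def demo() -> dict:
    """Run the comparison and report which service catches what."""
    keys = derive_keys(b"constructed-pre-shared-secret", SPI)
    other_keys = derive_keys(b"constructed-other-secret", SPI)
    plain_only = encrypt_only(keys[0], SPI, SEQ, INNER)
    sealed = wrap(keys, SPI, SEQ, INNER)
    altered_plain = decrypt_only(keys[0], flip_byte(plain_only, HEADER.size))
    return {
        "encrypt_only_roundtrip": decrypt_only(keys[0], plain_only) == INNER,
        # Encryption alone: the changed octet simply decrypts to a different inner packet.
        "encrypt_only_change_goes_unnoticed": altered_plain != INNER,
        "sealed_roundtrip": unwrap(keys, sealed) == INNER,
        "sealed_detects_change": unwrap(keys, flip_byte(sealed, HEADER.size)) is None,
        "sealed_rejects_wrong_secret": unwrap(other_keys, sealed) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The receiver checks the ICV before it decrypts anything, and it does so with a constant-time comparison; both are the order of operations a real ESP implementation follows, and both matter in practice because the integrity check is what turns "someone changed a byte" into a dropped packet rather than a silently altered one.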
All of these are VPNs, yet every one I've mentioned takes a different approach. Let's take a look at some of the trade-offs that should be considered when looking at VPN alternatives.
Difficulty of Deployment: Do you require multi-protocol support? Layer 2 VPNs are designed to tunnel any network protocol carried by PPP, while IPsec was designed specifically to tunnel IP. How will your existing devices be involved in VPN deployment? Layer 2 VPN products require access server upgrades at the corporate WAN access router and/or ISP POP. IPsec VPN products run the gamut from router and firewall upgrades to drop-in "security appliances" to carrier-class IP service switches. Each of these alternatives has a different impact on network addressing, routing, firewall configurations, and packet filters.
Integration: Do you require legacy (e.g., RADIUS, SecurID, S/Key) user authentication? If so, shop carefully: many VPN products can be integrated with external authentication servers, but features vary widely. Must your VPN accommodate privately addressed networks? If so, look for a VPN product that also supports network address port translation (NAPT), or make sure you perform NAPT before your traffic hits the VPN.
Client Software: Compulsory Layer 2 remote access and IPsec site-to-site solutions do not add any client software. IPsec remote access clients are also embedded in enterprise-class operating systems like Windows 2000 and Solaris. Windows 95/98/ME/NT, Linux, and Mac desktops require add-on IPsec clients. However, because many vendors implement remote access extensions to standard IPsec, it is often necessary to deploy the IPsec client supplied with the gateway. Don't assume that you can use an open source Linux client or the built-in Windows 2000 client with every IPsec gateway. Situations in which you have no control over the desktop environment may demand a "client-less" solution like SSL.
Flexibility: Before shopping for a VPN product, review your corporate security policy to determine your authentication method, message integrity, and encryption algorithm requirements. Many VPN products support a wide variety of alternatives, enabling flexible deployment in response to changing requirements. But these products may also be more expensive and more challenging to configure. Narrowing your requirements up-front can reduce your total cost of deployment.
Performance: VPN technologies add packet overhead and make extensive use of encryption, which adds processing delay. However, VPN products can be engineered to minimize the performance impact of authentication and encryption - for example, by using ASICs or co-processor cards to perform encryption at wire speed. It is common to price VPN products based on encrypted throughput, concurrent tunnels, and the number of client licenses or users. These vendor specs can be useful for sizing, but remember that your own mileage will vary - trial the product in your own network to accurately assess capacity. Also consider future growth: are there crypto accelerators, RAM upgrades, or step-up products in the same family?
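The packet overhead mentioned above can be estimated before any product trial. The program below is an added example, not from the report or any vendor; it computes the on-the-wire size of an inner IP packet after IPsec ESP tunnel-mode encapsulation, the resulting goodput ratio, and the largest inner packet that still fits a given path MTU without fragmentation. Field sizes follow RFC 4303 (ESP) and the common AES-CBC with HMAC-SHA1-96 and AES-GCM transforms; the profile names and the EspProfile class are this example's own.

```python
from dataclasses import dataclass
from math import ceil

OUTER_IPV4_HEADER = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2    # pad length (1) + next header (1), encrypted with the payload


@dataclass(frozen=True)
class EspProfile:
    """Per-transform sizes that determine ESP overhead (class name is this example's own)."""
    name: str
    iv_len: int        # explicit IV carried in each packet
    pad_align: int     # ciphertext alignment: cipher block size for CBC, 4 bytes for GCM
    icv_len: int       # integrity check value appended to the packet


# Two common ESP transforms. HMAC-SHA1-96 truncates the MAC to 12 bytes;
# AES-GCM carries an 8-byte IV and, here, a 16-byte ICV.
AES_CBC_HMAC_SHA1 = EspProfile("AES-CBC + HMAC-SHA1-96", iv_len=16, pad_align=16, icv_len=12)
AES_GCM_16 = EspProfile("AES-GCM (16-byte ICV)", iv_len=8, pad_align=4, icv_len=16)


def esp_tunnel_size(inner_packet_len: int, profile: EspProfile) -> int:
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation.

    The whole inner packet (including its own IP header) plus the two fixed
    trailer bytes is padded up to the profile's alignment before encryption.
    """
    to_encrypt = inner_packet_len + ESP_TRAILER_FIXED
    encrypted = ceil(to_encrypt / profile.pad_align) * profile.pad_align
    return OUTER_IPV4_HEADER + ESP_HEADER + profile.iv_len + encrypted + profile.icv_len


def esp_overhead(inner_packet_len: int, profile: EspProfile) -> int:
    """Bytes added per packet by the tunnel."""
    return esp_tunnel_size(inner_packet_len, profile) - inner_packet_len


def goodput_ratio(inner_packet_len: int, profile: EspProfile) -> float:
    """Fraction of wire bytes that are the customer's original packet."""
    return inner_packet_len / esp_tunnel_size(inner_packet_len, profile)


def max_inner_without_fragmentation(path_mtu: int, profile: EspProfile) -> int:
    """Largest inner packet whose encapsulated size still fits the path MTU.

    Anything larger is fragmented (or dropped when DF is set), which is a
    common reason a deployed tunnel falls far short of the vendor's quoted
    throughput even when the crypto hardware is not the bottleneck.
    """
    for inner in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner, profile) <= path_mtu:
            return inner
    return 0


if __name__ == "__main__":
    # Small, typical and full-size inner packets (constructed sample sizes).
    for profile in (AES_CBC_HMAC_SHA1, AES_GCM_16):
        print(profile.name)
        for inner in (64, 576, 1500):
            print(f"  inner {inner:4d} -> wire {esp_tunnel_size(inner, profile):4d} "
                  f"(+{esp_overhead(inner, profile)} bytes, goodput {goodput_ratio(inner, profile):.1%})")
        print(f"  largest inner packet that fits a 1500-byte path MTU: "
              f"{max_inner_without_fragmentation(1500, profile)}")
```

Two things the numbers make visible: overhead is a fixed cost per packet, so it hits small-packet traffic (VoIP, interactive sessions) far harder than bulk transfers, and a full 1500-byte inner packet never fits a 1500-byte path once encapsulated, so either the inner MTU is lowered or the tunnel pays for fragmentation. Vendor throughput figures are usually quoted for large packets; a mix of small packets is where "your own mileage will vary".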
Transparency and Ease-of-Use: VPN solutions only provide security if they're used. Products that require technically demanding and intrusive user intervention at the desktop are more likely to be subverted than products that operate transparently. Is end-user security policy configuration required at the desktop, making installation and enforcement a support nightmare? Seek out VPN products that provide centralized client management features - for example, the ability to generate canned policies and "push" software updates.
Scalable Management: Basic configuration and monitoring tools are often fine in modest site-to-site VPNs. However, VPNs involving hundreds or thousands of users require more robust management and diagnostic tools. For example, configuring pre-shared secrets in a dozen IPsec gateways requires little automation or infrastructure. But large remote access VPNs can benefit from deploying a Public Key Infrastructure (PKI) to create, distribute, and track digital certificates on a per-user basis. Diagnostic tools that help ferret out VPN protocol configuration problems are invaluable for small and large deployments. Outsourcing is another way to deal with scale - managed VPN service providers already have the necessary infrastructure in place.
These are but a few of the issues that face VPN consumers. The VPN product landscape and supporting technologies are changing rapidly. Continuing refinements are underway - for example, improved compatibility with NAT and stronger IPsec support for remote access VPNs. L2TP and IPsec base standards have been finalized, bringing with them a wave of VPN products. Increasingly, IPsec will simply be embedded in host operating systems and network devices. Product focus has changed from basic functionality and interoperability to advanced features and increased scalability. We are now seeing third and fourth generation products that make VPNs a very credible alternative to private physical networks.
Copyright 2001 Core Competence, Inc.