Selecting a VPN solution? Think security first
By Linda Christie, M.A., contributor
18 Apr 2001 | SearchNetworking

More and more companies are extending their extranets to capitalize on business-to-business
opportunities. While the advantages of using the Internet to connect to remote workers, branch
offices, suppliers, customers, and business partners are many, there is a built-in danger that
sensitive data could fall into the hands of hackers and corporate spies as it travels over this
cost-effective but public network.
As part of an overall network security strategy, most companies employ firewalls to control
access to their networks. A firewall prevents unauthorized users from accessing data and
applications. However, once packets of data pass through the firewall to the Internet, a
company's information assets are at risk. To protect their data in transit, 56% of large
organizations employed site-to-site VPNs in the year 2000, according to a study conducted by
Infonetics Research (http://www.infonetics.com/).
With an IP VPN, a company can exchange data with virtually anyone in the world for nearly half
the cost of using dedicated and/or frame relay circuits. As an added benefit, the same VPN
technology can securely connect networks to remote access users utilizing dialup links or
broadband services such as xDSL and cable modems. Even though user confidence is growing, moving
from private lines to a public network still raises concerns.
"Deciding which VPN technology to implement can be confusing and intimidating, given the myriad
of choices available," said Johnnie Konstantas, Product Marketing manager for Check Point
Software Technologies (http://www.checkpoint.com/), a
leading provider of Internet security solutions. "Because of the differing VPN standards and
interpretations used to implement them, interoperability problems among some VPN products can
increase network complexity."
Add security concerns to the mix, and deciding on VPN equipment can be risky business.
SearchNetworking talked to leading industry experts and developed the top twelve issues to
consider when selecting large enterprise VPN solutions. We weren't surprised that security topped
the list:
- Best-of-breed security: "To be compatible with the rest of the world, companies should
select VPN solutions that use the standard IPsec protocol," said Matthew Close, Director, Managed
Security Services Group for Exodus Communications, a company that provides a worldwide network of
Internet hosting operations (http://www.exodus.net/). "IPsec
secures data by creating a virtual tunnel from point A to point B that 'looks' like a direct
connection with no infrastructure [routers/hops] in between. To protect the payload even further,
VPNs utilize a suite of IP Security protocols that include an Authentication Header (AH) and an
Encapsulating Security Payload (ESP) to encrypt many of the protocol stack information items."
"Sending data through this tunnel is like putting your money into a container traveling through a
suction tube to a drive-thru bank teller," he explained. "Even though tunneling alone makes data
relatively safe from hackers, with IPsec, companies must encrypt the payload, making it virtually
impossible for a hacker to make sense of a stolen data stream."
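The tunnel Close describes, shown as an added example that is not code from the article or from any vendor it names: a minimal ESP tunnel-mode encapsulation using AES-GCM as specified in RFC 4106, with a constructed key, salt, SPI and inner packet. Only the SPI, sequence number and IV travel in the clear; the inner IP header and payload are encrypted and integrity-protected, and a tampered packet fails the ICV check before any data is released.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed sample SA material; a real SA gets a random key and salt from IKE.
var espKey = []byte("0123456789abcdef0123456789abcdef") // AES-256-GCM key
var espSalt = []byte{0xde, 0xad, 0xbe, 0xef}             // 4-byte salt (RFC 4106)
var espGCM = func() cipher.AEAD { // AES-GCM: 12-byte nonce (salt||IV), 16-byte ICV
	block, err := aes.NewCipher(espKey)
	if err != nil {
		panic(err) // fixed 32-byte sample key: cannot fail
	}
	gcm, _ := cipher.NewGCM(block) // standard AES block size: cannot fail
	return gcm
}()
// espEncap wraps one inner IP packet as SPI(4)|Seq(4)|IV(8)|ciphertext|ICV(16); the
// ciphertext holds the inner packet plus the ESP trailer (padding, pad length, next header).
func espEncap(spi, seq uint32, iv [8]byte, inner []byte) []byte {
	pad := make([]byte, (4-(len(inner)+2)%4)%4) // trailer must end on a 4-byte boundary
	for i := range pad { pad[i] = byte(i + 1) } // RFC 4303 default padding 1,2,3,...
	plain := append(append(append([]byte{}, inner...), pad...), byte(len(pad)), 4) // Next Header 4 = IPv4
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	nonce := append(append([]byte{}, espSalt...), iv[:]...)
	return espGCM.Seal(append(hdr, iv[:]...), nonce, plain, hdr) // AAD = SPI||Seq: a tampered header fails the ICV
}
// espDecap verifies the ICV, decrypts, and strips the trailer; a bad ICV yields an error, never data.
func espDecap(pkt []byte) (spi, seq uint32, inner []byte, err error) {
	if len(pkt) < 8+8+16+2 { // header, IV, ICV and a minimal trailer
		return 0, 0, nil, errors.New("esp: packet too short")
	}
	spi, seq = binary.BigEndian.Uint32(pkt), binary.BigEndian.Uint32(pkt[4:])
	nonce := append(append([]byte{}, espSalt...), pkt[8:16]...)
	plain, err := espGCM.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return spi, seq, nil, errors.New("esp: ICV check failed, packet dropped")
	}
	padLen := int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return spi, seq, nil, errors.New("esp: bad pad length")
	}
	return spi, seq, plain[:len(plain)-2-padLen], nil
}
```

A real IPsec stack also enforces the anti-replay window on the sequence number and takes the key and salt from IKE; this sketch does neither.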
- Tight integration with other security solutions: Any VPN solution you select must
seamlessly integrate with network and other security solutions such as firewalls, content and URL
filtering, denial-of-service (DoS) protection, antivirus (AV) screening, intrusion detection (ID), etc. "The
VPN solution must seamlessly fit into your router infrastructure," said Bob Reason, Senior
Manager, Contivity Product Marketing for Nortel Networks, a provider of IP VPN solutions (http://www.nortelnetworks.com/). "You want to be able
to map the users accessing your secured resources against existing directories and policies you
have in place."
Konstantas adds that in addition to using their operating system of choice, security managers
must be able to manage all security solutions from one application, "so solutions can talk with
each other rather than just alert someone to do something."
- Comprehensive: Large enterprises need a VPN solution capable of supporting Internet,
intranet, and extranet communication across heterogeneous platforms and operating systems --
including remote clients. "Only integrated VPN/firewall solutions are designed to deliver
complete Internet security," said Konstantas. "VPN gateways deployed separately from the firewall
burden network administrators with many needless complexities. In addition, the placement of
stand-alone VPN gateways with respect to the firewall becomes critical since firewalls cannot
enforce access control of encrypted traffic."
"Standalone VPNs must terminate outside the firewall so data is decrypted before it passes
through," said Phil Gabardi, Director of Security Engineering for Storage Networks, a leading
storage service provider (http://www.storagenetworks.com/). "That way you have a log of all
traffic and a more secure environment."
- High availability: Guaranteed levels of service are difficult to deliver if you deploy VPN
devices from multiple vendors. "If you stick with one vendor, interoperability will be more
certain," said Reason. To that end, many companies are even specifying what equipment they will
support for extranet partners. Close agrees, "If you can work with one best-of-breed vendor and
stick with them across the corporate extranet, you'll have greater success making VPN
connections."
- Centralized VPN management architecture: IT departments need the ability to centrally
configure, manage, and troubleshoot VPN security across the organization. "Not all vendors
deliver management software that can simultaneously distribute security policy information to all
boxes," said Konstantas. "You need a common glue to interoperate with hundreds of disparate forms
of security: to securely connect to otherwise incompatible application environments." Gabardi
recommends finding a solution that offers a single management console with a GUI that makes
it easy to create groups, add routes, etc. "It's important to test these solutions out, because
some are more difficult than others to configure," Gabardi said. "Most vendors will offer a 30-60
day trial period so you can make sure the advertised features work."
In addition, the management software should aggregate all of the logs to create a granular audit
trail. "Logged data should easily integrate with popular security reporting applications that
will allow you to make determinations about protecting the network from attack," Konstantas said.
Close also says good debugging tools are a must. "If there's a problem making a
connection, technicians must have debugging tools that will quickly determine if a shared key is
incorrect or specifically what part of the IPsec protocol failed."
- Easy deployment and configuration: VPN solutions should be compatible with current,
familiar servers, operating systems, and centralized security databases. "Tying a lot of devices
together for multiple locations can be a daunting task," said Close. "The number of tunnels grows
exponentially as you design a mesh topology connecting remote sites. Make sure that the
management software allows you to maintain all of the information you need in one database, so
you can design one configuration instead of 40. In addition, the solution should provide a
secure, encrypted management link for pushing configuration information to devices in the field."
- Easy user interface: Installing VPN boxes at remote offices, configuring VPN client
software on laptops, and establishing VPN connections should be easy for end users to implement.
"Client software installation and authentication processes should be as easy and seamless as
possible," Reason said. "In addition, the VPN switch terminating the tunnel needs to be flexible
enough to accommodate varying IP addresses, since mobile users will have temporary IP
addresses."
- Interoperability: Open Platform for Security (OPSec) is a Check Point-specific alliance
and certification process for ensuring product interoperability. Purchasing OPSec platform VPN
solutions that support standardized authentication methods, tunneling protocols, and encryption
types will minimize connectivity problems. However, because developers are interpreting the IPsec
standard in many ways, interoperability between vendors can be difficult. "Be cautious of third
party IPSec certifications. Stick with IETF [Internet Engineering Task Force]," Close said.
"We're finding all kinds of interoperability problems even from one version to another for the
same device."
"Right now you have to be married to one vendor if you want things to work," Gabardi agreed. "If you
want to talk to the world, you may need to buy one of each."
- Scalability: "Supporting LAN to LAN tunnels connecting a large number of remote users, FTP
database file transfers, and online transaction processing are the most demanding applications,"
Gabardi said. "However, the VPN usually isn't the bottleneck. The bandwidth to the Internet --
typically a T-1 line -- is the biggest problem."
Konstantas said encryption overhead can significantly reduce VPN throughput. "Customers that
want the fastest performing VPN gateway possible, independently of their WAN connection speed,
need to ensure that their solution supports VPN acceleration. Since encryption is a very
CPU-intensive process, it is often necessary to offload the task to an accelerator card which, in
some cases, can more than double VPN throughput."
- Traffic control: The ability to manage bandwidth -- by user, by group, by application, by
time of day, etc. -- is vital for maintaining availability and quality of service (QoS)
guarantees. "You should be able to give priority to customers coming in over employees wanting to
browse the Internet, allocate bandwidth to certain applications such as NetMeeting which will not
work below certain levels, or make sure your CEO and specific user groups are given top priority
to VPN resources," Konstantas said.
- Automated password/key management: Automated password and key management, especially for
remote access VPNs, is vital for reducing security personnel workload. "Thousands of security
management tasks -- issuing passwords, generating security policies, notifying certificate
authorities of changes, revoking access privileges, etc. -- cannot be handled manually," said
Konstantas.
- Supplier support: Large organizations need to work closely with a limited number of
suppliers and vendors that will provide the level of support needed to select, implement, and
maintain highly available VPN solutions. "You need the ability to fix it over the phone," Gabardi
said. "The big boys are better at doing that."
For additional information about selecting and purchasing VPN equipment, check out the
following resources:
- "Redefining the Virtual Private Network (VPN)," a Check Point white paper at http://www.checkpoint.com/.
- "The business case for IP-VPN services," a white paper on the Nortel Networks website: http://www.nortelnetworks.com/.
- "Virtual Private Networks: Your Guide to the New World Opportunity," a white paper available from Cisco Systems at http://www.cisco.com/.
- "User Plans for VPN Product and Services in the US 2000," an Infonetics Research white paper located at http://www.infonetics.com/.
- "A Practical Guide to the Right VPN," available from the ZDNet IT Resource Centers at http://techguide.zdnet.com/.
- "Virtual Private Networks: Viable Products Now," Network World, 12/11/00, at http://www.nwfusion.com/.
- VPN Resources from ComputerShopper.com at http://www.zdnet.com/computershopper/edit/cshopper/content/extra/9812biz/378000.html/.
- "Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs?" a white paper on the Check Point website at http://www.checkpoint.com/.
- "A Practical Guide to Network Security," prepared by Dr. Bill Hancock, CISSP, VP, Security Chief Security Officer, Exodus Communications, at http://www.exodus.net/.
- "Chapter 9 -- Virtual Private Networking" for Windows 2000 at http://www.microsoft.com/technet/.
- "IP Security for Local Communication Systems," a paper outlining the Microsoft Solutions Framework Best Practices for Enterprise Security at http://www.microsoft.com/technet/security/.
For more information about StorageNetworks, visit their website at http://storagenetworks.com.
For more information on IPsec, read the Internet Engineering Task Force (IETF) Security Area at
http://www.ietf.org/html.charters/wg-dir.html#Security_Area/.
Linda Gail Christie, M.A., is a contributing editor based in Tulsa, OK.