VPN security: Hiding in plain sight, using network encryption


Jeff Young, Senior Analyst, Burton Group
07.05.2007




As an analyst, I've received an increasing number of queries from network architects about network encryption, encrypted transport and virtual private network (VPN) security. Maybe that's because of security breaches like the one experienced by TJX, the parent company of TJ Maxx, Marshalls and HomeGoods stores. Tens of millions of payment card numbers were compromised after attackers broke the weak wireless encryption (WEP) in use at a Marshalls store near St. Paul, Minnesota, and used that foothold to reach the company's internal systems.

TJX isn't alone. Some very high-profile breaches of personal information -- including one inside the U.S. government involving the records of roughly 80% of current active-duty military personnel -- have prompted an executive mandate that encryption be used whenever personally identifiable information (PII) is in transit or at rest.

I often speak with network engineers on the topic of encrypting data in transit. Here, the first order of business is to describe the various types of encrypted transport VPNs and to suggest that they be considered in order of complexity. The two technologies most often used to encrypt information in transit are Secure Sockets Layer (SSL; the current standard is Transport Layer Security, TLS, but the industry still says "SSL VPN") and IPsec.

Four types of network encryption

  1. Clientless SSL: The original use of SSL, in which a host connects directly to a resource (Web server, mail server, directory, etc.) over an encrypted link such as HTTPS, IMAPS or LDAPS. "Clientless" means the host needs no VPN software; the application's own SSL support does the work, and the resource itself holds the private key and terminates the encryption.
  2. Clientless SSL with a VPN appliance: For the host this looks like the first case, but the encryption is terminated by a VPN appliance rather than by the resource (Web or mail server). The hop from the appliance to the resource is therefore in the clear unless it is encrypted separately, and the appliance, which sees all of that traffic decrypted, becomes a high-value target.
  3. Host-to-network: In the two schemes above, the host connects directly to a resource over an encrypted channel. In this mode the host runs client software (either an SSL or an IPsec client) to connect to a VPN appliance and becomes, for routing purposes, part of the network that contains the resources it is targeting.

    • SSL: Because of its simplicity of configuration (it runs over TCP port 443, which nearly every firewall and NAT device already permits), SSL has become the de facto choice for this type of VPN. The client is often a small Java- or ActiveX-based program, pushed from the appliance, that users may not even notice.
    • IPsec: Until SSL became a popular way to build host-to-network VPNs, IPsec clients were the norm. IPsec is still in use but can present users with a confusing number of options to configure (IKE version and authentication method, encryption and integrity proposals, Diffie-Hellman group, lifetimes, NAT traversal).

  4. Network-to-network: This type of encrypted tunnel VPN can be created in any number of ways, but the technology put to use is almost always IPsec: ESP in tunnel mode between two gateways, with IKE negotiating the keys.

In the case of a network-to-network VPN, we're talking about encryption from one network device to the next. Because of what we expect today's network equipment to do, some other gotchas might come up in the discussion:

  • Interaction with other technologies: Wide Area Networks (WANs) often use Quality of Service (QoS), Deep Packet Inspection (DPI) or WAN acceleration, and if encryption isn't deployed with these services in mind it can render them useless: once a packet is inside an ESP tunnel, everything after the outer IP header, including the inner addresses, ports and application payload, is opaque. Classify and mark traffic before it enters the tunnel, copy the DSCP value from the inner header to the outer header so QoS still works, and keep DPI and WAN accelerators on the clear-text side of the gateway. Network Address Translation (NAT) is another hurdle, because it can interfere with setting up an encrypted connection in the first place: ESP carries no port numbers for a NAT device to translate, and AH fails outright because it authenticates the very addresses NAT rewrites. IPsec NAT traversal (NAT-T), which wraps ESP in UDP on port 4500, is the usual fix.
  • Overlay network: Encrypted tunnel VPNs work by creating an overlay of encrypted links on an existing network. Each encrypted link exists between two specific interfaces. At the origin, if the traffic to be encrypted is rerouted or delivered to a different interface (a backup circuit, a second WAN link), it goes out unencrypted. If the traffic is rerouted after encryption and ends up on an interface other than the intended one, there is no security association there to decrypt it, and it is discarded. Pair every tunnel with a policy that blocks clear-text forwarding of the protected traffic on the other interfaces, so that a routing change produces an outage rather than a leak.
  • DNS, IP addressing and routing all require special attention in a secure VPN. Some secure VPN technologies work well with private address space; others work even though the endpoints are dynamically addressed. In some cases the enterprise prefers to route all Internet traffic to a central location; in other cases split tunneling is used and the branch locations have separate Internet gateways, which makes each branch's Internet gateway an unencrypted path into the internal network that must be defended as one.
  • Bandwidth: Network engineers are constantly juggling bandwidth to give their users the best possible experience, but in the case of a secure VPN they also have to consider encryption bandwidth, the gateway's ability to encrypt and decrypt large streams of data (hardware acceleration is usually needed for sustained high rates), and the per-packet overhead of the tunnel headers, which lowers the effective MTU and causes fragmentation unless MSS clamping or a smaller tunnel MTU is configured.
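The overlay, QoS/DPI and NAT points above, modelled in Python as an added example (the original article contains no code). A network-to-network tunnel is represented as a per-interface crypto map of policies plus a security association (SA), the way interface-bound crypto maps work on a router: traffic that leaves through an interface with no policy goes out in the clear, a DISCARD policy on the backup interface prevents that, an ESP packet arriving on an interface with no matching SA is dropped, the outer header carries only the copied DSCP and protocol 50 (so QoS still works but DPI sees nothing), and with NAT-T the same packet shows up as UDP/4500. The cipher is a stand-in (HMAC-SHA256 used as a counter-mode keystream plus an HMAC integrity check value), not an RFC 4303 cipher suite; the addresses, SPIs, key and interface names wan0/wan1 are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

PROTECT, DISCARD = "PROTECT", "DISCARD"    # a packet that matches no policy is forwarded in the clear
ESP_PROTO, UDP_PROTO, TCP_PROTO, NAT_T_PORT, ICV_LEN = 50, 17, 6, 4500, 16

@dataclass
class SA:                      # one direction of one tunnel between two gateway addresses
    spi: int
    key: bytes
    local: str                 # outer source (this gateway)
    peer: str                  # outer destination (remote gateway)
    nat_t: bool = False        # wrap ESP in UDP/4500 so a NAT on the path has ports to translate
    seq: int = 0

@dataclass
class Policy:                  # one crypto-map entry: traffic selector plus what to do with a match
    src_net: str
    dst_net: str
    action: str
    sa: "SA | None" = None

def build_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(pkt: bytes) -> dict:
    _, tos, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "dscp": tos >> 2, "payload": pkt[20:total]}

def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    # stand-in cipher: HMAC-SHA256 in counter mode keyed per SPI and sequence number (not RFC 4303)
    blocks = (hmac.new(key, b"enc" + struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _icv(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, b"auth" + body, hashlib.sha256).digest()[:ICV_LEN]

def esp_encapsulate(sa: SA, inner: bytes) -> bytes:
    """Tunnel mode: the whole inner packet is the ESP payload; DSCP is copied to the outer header."""
    sa.seq += 1
    ks = _keystream(sa.key, sa.spi, sa.seq, len(inner))
    body = struct.pack("!II", sa.spi, sa.seq) + bytes(a ^ b for a, b in zip(inner, ks))
    esp = body + _icv(sa.key, body)
    dscp = parse_ipv4(inner)["dscp"]           # QoS devices downstream can only see the outer header
    if sa.nat_t:
        esp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
        return build_ipv4(sa.local, sa.peer, UDP_PROTO, dscp, esp)
    return build_ipv4(sa.local, sa.peer, ESP_PROTO, dscp, esp)

def esp_decapsulate(sa: SA, outer: bytes) -> "bytes | None":
    """Inner packet, or None when it must be discarded (not ESP, SPI not ours, ICV mismatch)."""
    o = parse_ipv4(outer)
    esp = o["payload"][8:] if o["proto"] == UDP_PROTO else o["payload"]
    if o["proto"] not in (ESP_PROTO, UDP_PROTO) or len(esp) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if spi != sa.spi or not hmac.compare_digest(icv, _icv(sa.key, body)):
        return None
    return bytes(a ^ b for a, b in zip(body[8:], _keystream(sa.key, spi, seq, len(body) - 8)))

def egress(crypto_maps: dict, pkt: bytes, out_iface: str) -> "bytes | None":
    # only interfaces that carry a crypto map are part of the overlay
    p = parse_ipv4(pkt)
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    for pol in crypto_maps.get(out_iface, []):
        if src in ipaddress.ip_network(pol.src_net) and dst in ipaddress.ip_network(pol.dst_net):
            return None if pol.action == DISCARD else esp_encapsulate(pol.sa, pkt)
    return pkt                                  # rerouted off the tunnel interface: sent unencrypted

def ingress(sas: dict, outer: bytes, in_iface: str) -> "bytes | None":
    # only SAs bound to the arrival interface are tried; a packet none of them decodes is discarded
    decoded = (esp_decapsulate(sa, outer) for sa in sas.get(in_iface, []))
    return next((inner for inner in decoded if inner is not None), None)

def visible_on_path(outer: bytes) -> dict:
    # what a QoS, DPI or NAT device between the gateways can still classify on
    o = parse_ipv4(outer)
    ports = struct.unpack("!HH", o["payload"][:4]) if o["proto"] in (TCP_PROTO, UDP_PROTO) else None
    return {"proto": o["proto"], "dscp": o["dscp"], "ports": ports}

def demo() -> dict:
    key = b"constructed demo key, never reuse"
    tun = SA(0x1001, key, "203.0.113.1", "198.51.100.1")
    maps = {"wan0": [Policy("10.1.0.0/16", "10.2.0.0/16", PROTECT, tun)],
            "wan1": [Policy("10.1.0.0/16", "10.2.0.0/16", DISCARD)]}    # backup link: never in clear
    inner = build_ipv4("10.1.0.5", "10.2.0.9", TCP_PROTO, 46,             # DSCP 46 = EF, e.g. voice
                       struct.pack("!HH", 40000, 443) + b"constructed application data")
    outer = egress(maps, inner, "wan0")
    peer_sas = {"wan0": [SA(tun.spi, key, tun.local, tun.peer)]}          # remote gateway's inbound SA
    return {"on_tunnel_iface": visible_on_path(outer),
            "clear_without_policy": egress({"wan0": maps["wan0"]}, inner, "wan1") == inner,
            "discarded_by_policy": egress(maps, inner, "wan1") is None,
            "peer_decrypts": ingress(peer_sas, outer, "wan0") == inner,
            "wrong_iface_discarded": ingress(peer_sas, outer, "wan1") is None,
            "nat_t_on_path": visible_on_path(esp_encapsulate(SA(0x1002, key, tun.local, tun.peer, nat_t=True), inner))}
```

Running demo() shows the two failure modes side by side: without a policy on wan1 the packet leaves in clear text (clear_without_policy is True), and with the DISCARD entry it is dropped instead; on the receiving side the same ESP packet decrypts on wan0 but is discarded on wan1 because no SA is bound there. The on_tunnel_iface view is protocol 50 with DSCP 46 and no ports, which is all a QoS or DPI box gets to work with; the NAT-T view is UDP with both ports 4500, which is what lets a NAT device build a translation for it.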

Whatever the motivation, the time is right to explore the technology. Encryption technology is less expensive and more available (it is embedded in firewalls, routers and WAN accelerators) than it has ever been. But for most network engineers and architects, the technology requires a different way of thinking: choose among technologies by considering them in order of complexity, and try to minimize the burden on the network and on network users. By keeping to a few basic principles, you can ensure that encryption becomes a very useful -- even vital -- tool for securing your network.

About the author:
Jeff Young is a senior analyst at Burton Group; his emphasis is on network architecture, Internet networks and backbones, and telecommunication service providers. He has 20 years of experience working in IT and the telecommunications industry. Young is a frequent speaker at industry conferences and panels.

