Problem solve Get help with specific problems with your technologies, process and projects.

Think before you encrypt

There are pitfalls to using encrypted VPNs that you should know about before you go ahead.

Think before you encrypt
Tom Lancaster

Got a VPN tip of your own? You can send it in, and we'll grant you instant fame by posting your tip on our Web site, and we'll enter you in our tips contest for some neat prizes.

Despite the overwhelming advantages to using encrypted VPNs, there are a few side effects that you should consider before implementing an encrypted VPN in your network. One notable side effect is that the same encryption that prevents unauthorized individuals from spying on your data also neuters a lot of management equipment. For instance, protocol analyzers and RMON probes cannot see anything except the layer 2 and 3 headers. Typically, these correspond to Ethernet and IP. This dramatically limits these tools' effectiveness, and by extension, limits your ability to troubleshoot network issues. It also limits your ability to do trending and analysis work, which is very important for planning network upgrades and their budgets.

Another consequence is that Intrusion Detection Systems (IDS) are blinded as well. This means that if the network on the far end of the VPN tunnel is compromised, and the VPN tunnel is used to gain access to your network, bypassing the firewalls, then the intrusion detection system will be completely unaware because it cannot see inside the encrypted packets.

Although it might be technically possible to create a packet analyzer or RMON probe that is capable of peering into an encrypted tunnel, this is prohibitively difficult and expensive for most people, and success would probably be a violation of the Digital Millennium Copyright Act anyway.

So, when you are designing a VPN, keep in mind the blind spots that may be created in your network. By carefully choosing where you terminate your tunnels, you may be able to minimize these. For instance, if you terminate your VPN in a firewall, you can still sniff the traffic between the firewall and a server, but if you terminate the tunnel at the server you can't. The ability to sniff the traffic makes it more manageable, but necessarily less secure. As always there is a trade-off between security and manageability.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

Did you like this tip? Why not let us know? Send an email and sound off.

Related Book

Virtual Private Networks: Technologies and Solutions
by Ruixi Yuan and W. Timothy Strayer
Online Price: $44.95
Publisher Name: Addison Wesley
Date published: April 2001
Virtual private networks have become an essential part of today's business networks, as they provide a cost-effective means of assuring private internal and external communications over the shared Internet infrastructure. Virtual Private Networks: Technologies and Solutions is a comprehensive, practical guide to VPNs. This book presents the various technology components, concrete solutions, and best practices you need to deploy and manage a highly successful VPN.

This was last published in October 2001

Dig Deeper on Network Security Best Practices and Products

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.