Network Security: Virtual Private Networks

Introduction:

In the last two articles, we discussed overall network security and firewalls. This month, we complete our security series with a look at Virtual Private Networks (VPN).

Background:

VPN implementations have increased dramatically as they remedy a shortcoming of the Internet. Developed to provide free and open access between academic institutions, the Internet protocol, TCP/IP, originally did not provide a secure means to transfer data. VPN technology provides security features not found in the TCP/IP protocol suite. These features protect an organization from:

  1. Unauthorized access to organizational data (snooping).
  2. Unauthorized alteration of data (tampering).
  3. Unauthorized masquerading by outsiders as insiders (spoofing).

What is a VPN?

A VPN provides a secure virtual connection over a non-secure public data network, like the Internet. Establishing a VPN allows an association to communicate securely over its standard low-cost Internet connection with branch offices, members, customers or meetings. Figure 1 shows how VPNs operate over the Internet. Site A, Site B and Site C can all communicate securely with each other through the Internet. Site D, on the other hand, has no VPN encryption devices, so Site D's communication with Sites A, B and C is not secure over the Internet.

VPN Technologies:

VPN consists of four technologies: Authentication, encryption, tunneling and compression.

Authentication

Authentication is the process of verifying users or data. Like firewalls, VPNs can verify where the data originated (IP address) and for which application the data is intended, as well as matching users and passwords. VPNs can further authenticate data by applying a digital stamp. The stamp summarizes the data digitally before transmission. If the data is tampered with in transit, the receiving side will find that the stamp no longer matches the data, and the system can drop it.
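The stamp-and-drop behaviour described above, as an added example written for this article (it is not the article's code or any VPN product's). The stamp is a keyed digest (HMAC-SHA256); the shared key, the frame layout (32-byte stamp followed by the data) and the sample payload are all constructed. A second receiver that checks only an unkeyed SHA-256 checksum is included to show why the stamp must be keyed: a checksum catches line noise but not deliberate alteration.

```python
"""Added example: an integrity 'stamp' as a keyed digest (HMAC-SHA256).

Illustration code written for this article, not code from the article or
from any VPN product. The key, frame layout and messages are constructed."""
import hashlib
import hmac
from typing import Dict, Optional

STAMP_LEN = 32  # SHA-256 digest size in bytes

# Constructed shared secret. In a real VPN this is derived from the key
# exchange or provisioned in device configuration; never hard-code one.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def stamp(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: summarize the data with a keyed digest before transmission."""
    return hmac.new(key, data, hashlib.sha256).digest()


def send(data: bytes) -> bytes:
    """Build the transmitted frame: stamp first, then the original data."""
    return stamp(data) + data


def receive(frame: bytes) -> Optional[bytes]:
    """Receiver side: recompute the stamp over the received data.

    Returns the data if the stamp matches, or None to signal that the
    frame should be dropped."""
    if len(frame) < STAMP_LEN:
        return None
    received_stamp, data = frame[:STAMP_LEN], frame[STAMP_LEN:]
    # compare_digest runs in constant time, so a mismatch does not reveal
    # how many leading bytes of the stamp were correct.
    if not hmac.compare_digest(received_stamp, stamp(data)):
        return None
    return data


def alter_in_transit(frame: bytes, offset: int, new_byte: int) -> bytes:
    """Constructed fault model: one payload byte changes between the two ends."""
    pos = STAMP_LEN + offset
    return frame[:pos] + bytes([new_byte]) + frame[pos + 1:]


def unkeyed_receive(frame: bytes) -> Optional[bytes]:
    """Counter-example: a plain SHA-256 checksum instead of the keyed stamp.

    Whoever can alter the data can also recompute this digest, so it only
    detects accidental corruption, not deliberate tampering."""
    if len(frame) < STAMP_LEN:
        return None
    received_digest, data = frame[:STAMP_LEN], frame[STAMP_LEN:]
    if hashlib.sha256(data).digest() != received_digest:
        return None
    return data


def demo() -> Dict[str, Optional[bytes]]:
    """Run the clean, tampered-with-keyed-stamp and tampered-with-checksum cases."""
    message = b"member_id=1042;dues=paid"  # constructed payload
    frame = send(message)
    tampered = alter_in_transit(frame, offset=len(b"member_id=1042;dues="),
                                new_byte=ord("X"))
    altered_data = tampered[STAMP_LEN:]
    # Keyed stamp: the receiver drops the altered frame.
    keyed_result = receive(tampered)
    # Unkeyed checksum: the altered frame with a recomputed digest is accepted.
    unkeyed_result = unkeyed_receive(hashlib.sha256(altered_data).digest() + altered_data)
    return {"clean": receive(frame),
            "keyed_tampered": keyed_result,
            "unkeyed_tampered": unkeyed_result}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the original payload for the clean frame, `None` for the tampered frame under the keyed stamp, and the altered payload under the unkeyed checksum, which is the behaviour that makes a keyed stamp the right choice for the tampering threat in the list above.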

Encryption

Encryption protects networks from data tampering or snooping. Encryption is usually handled with encryption keys, which often come as a pair: a public key and a private key. Figure 2 shows how public and private keys work in pairs. If Alicia wishes to send encrypted data to Alex, she must first obtain Alex's public key and use it to encrypt the data. Even though a public key is used to encrypt the data, only Alex's private key can decrypt it. In this way, only Alex can access data encrypted with his public key. The longer the key, the greater the level of security. Longer keys, however, take VPN devices longer to encrypt and decrypt the data.
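The Alicia-to-Alex exchange above, as an added example written for this article (not the article's code or any product's). It uses textbook RSA with the classic toy primes 61 and 53, no padding, and one modular exponentiation per byte so that the arithmetic is visible; these choices are constructed for illustration and give a 12-bit modulus that no real system would use. The point it demonstrates is the asymmetry the paragraph describes: Alex's public key encrypts, only his private key decrypts, and someone holding just the public key cannot undo the encryption with it.

```python
"""Added example: a textbook RSA key pair to show public-key / private-key roles.

Illustration code for this article, not the article's own. Tiny primes and no
padding are used so the numbers stay readable; this is NOT usable encryption."""
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public, private) keys from two primes; textbook RSA, toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def key_bits(key: Key) -> int:
    """Key length as the article means it: the size of the modulus in bits."""
    return key[1].bit_length()


def encrypt(message: bytes, public_key: Key) -> List[int]:
    """Encrypt with the recipient's PUBLIC key, one byte per block (toy modulus)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(ciphertext: List[int], private_key: Key) -> bytes:
    """Decrypt with the recipient's PRIVATE key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


# Constructed demo: Alex generates his pair; Alicia is given only the public half.
ALEX_PUBLIC, ALEX_PRIVATE = make_keypair(61, 53)


def alicia_to_alex(plaintext: bytes) -> bytes:
    """Alicia encrypts with Alex's public key; Alex decrypts with his private key."""
    return decrypt(encrypt(plaintext, ALEX_PUBLIC), ALEX_PRIVATE)


def public_key_alone_recovers(plaintext: bytes) -> bool:
    """Someone holding only the public key applies it again to the ciphertext.

    Returns True only if that recovers the plaintext, which it does not."""
    e, n = ALEX_PUBLIC
    attempt = [pow(c, e, n) for c in encrypt(plaintext, ALEX_PUBLIC)]
    return attempt == list(plaintext)


if __name__ == "__main__":
    msg = b"membership roster"  # constructed message
    print(key_bits(ALEX_PUBLIC), "bit modulus")
    print(alicia_to_alex(msg))
    print(public_key_alone_recovers(msg))
```

Swapping in larger primes lengthens the modulus and makes every `pow` call slower, which is the speed-versus-security trade-off the paragraph mentions; real VPN software uses key sizes in the thousands of bits and a padding scheme, neither of which this toy attempts.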

Tunneling

Tunneling is the process in which a message is encapsulated in another format. This allows the original information to be masked and unreadable to unauthorized snoopers.

Several standards have emerged as protocols for tunneling. One, called Point-to-Point Tunneling Protocol (PPTP), is natively supported by the Windows NT, Windows 95 and Windows 98 operating systems.

Compression

The header information required by the encapsulation, authentication and encryption processes adds data to the original message. This can slow data delivery. Compression performed by VPN devices can counter this size penalty.
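Encapsulation and the header overhead it adds, as an added example covering both the Tunneling and Compression sections above (illustration code for this article, not the article's or any protocol's). The 8-byte outer header (version, flags, payload length, sequence number), the flag value and the inner record set are constructed; the receiving side validates the header and caps how much it will inflate, which is the check a practitioner would want on any decompression of untrusted input.

```python
"""Added example: tunnel encapsulation with optional compression.

Illustration code written for this article, not the article's or any product's.
The outer header layout, flag values and the inner message are constructed."""
import struct
import zlib
from typing import Dict, Tuple

# Constructed outer header: version (1 byte), flags (1 byte),
# payload length (2 bytes), sequence number (4 bytes) = 8 bytes of overhead.
OUTER_HEADER = struct.Struct("!BBHI")
TUNNEL_VERSION = 1
FLAG_COMPRESSED = 0x01
MAX_INNER = 0xFFFF  # the most the receiver is willing to inflate


def encapsulate(inner: bytes, seq: int, compress: bool = False) -> bytes:
    """Wrap an inner message in the outer tunnel header, compressing first if asked."""
    payload = zlib.compress(inner) if compress else inner
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for the 16-bit length field")
    flags = FLAG_COMPRESSED if compress else 0
    return OUTER_HEADER.pack(TUNNEL_VERSION, flags, len(payload), seq) + payload


def _inflate(payload: bytes) -> bytes:
    """Decompress with a hard output cap so one packet cannot exhaust memory."""
    d = zlib.decompressobj()
    inner = d.decompress(payload, MAX_INNER)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("compressed payload exceeds MAX_INNER or is truncated")
    return inner


def decapsulate(outer: bytes) -> Tuple[int, bytes]:
    """Parse and validate the outer header; return (sequence number, inner message)."""
    if len(outer) < OUTER_HEADER.size:
        raise ValueError("frame shorter than the outer header")
    version, flags, length, seq = OUTER_HEADER.unpack_from(outer)
    if version != TUNNEL_VERSION:
        raise ValueError(f"unsupported tunnel version {version}")
    payload = outer[OUTER_HEADER.size:]
    if len(payload) != length:
        raise ValueError("declared length does not match the frame")
    inner = _inflate(payload) if flags & FLAG_COMPRESSED else payload
    return seq, inner


def overhead_report(inner: bytes) -> Dict[str, int]:
    """Bytes on the wire with and without compression, to make the header cost visible."""
    return {
        "original": len(inner),
        "tunneled": len(encapsulate(inner, 1)),
        "tunneled_compressed": len(encapsulate(inner, 1, compress=True)),
    }


# Constructed inner message: a repetitive record set, which compresses well.
SAMPLE_INNER = b"member_id=0001;status=active;chapter=west;" * 20


if __name__ == "__main__":
    frame = encapsulate(SAMPLE_INNER, seq=7, compress=True)
    seq, recovered = decapsulate(frame)
    print(seq, recovered == SAMPLE_INNER)
    print(overhead_report(SAMPLE_INNER))
```

Compression has to happen before encryption: well-encrypted bytes look random and do not compress, so a VPN device that compresses after encrypting gains nothing. Note also that encapsulation by itself only hides the inner headers from casual inspection; it is the encryption step that makes the tunneled data unreadable.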

How Associations Can Use VPNs:

Associations can improve their effectiveness and reduce their costs with VPNs. Associations with chapters, affiliates, branch or remote offices may find VPNs cost-effective. Such associations can share membership, fundraising, meeting, order entry or other association information. VPNs can allow associations to register attendees, memberships or sales orders on-site at conferences or meetings. They eliminate re-entering data by providing remote access to your systems in real time. Association staff ask, "Should I worry?" Ask your members whether they want their membership or other personal information sent so that any hacker can view it. Remember that hackers don't necessarily care who they hack; they only care that they've hacked someone. It's a sad state of reality, but it's real.

VPN Implementation: The Internet:

The Internet is the most common application for VPN technology. Access is possible from practically any location in the world. Remote users can use hardware or software to initiate VPN sessions, so the data is encrypted from the moment the VPN session is initiated. Figure 3 shows how organizations can implement VPNs over the Internet.

Implementation Considerations:

Implementation considerations include performance, cost, and architectural design:

Performance

VPNs can be implemented using software or hardware. A hardware solution is faster, but more expensive. Ultimately performance depends upon the carrier systems. If carriers are busy, packet delivery is slower. Internet Service Providers (ISPs) do not provide Quality of Service (QoS) guarantees. Even if ISPs could guarantee QoS, they could not guarantee that all transmissions would remain on their service until delivery. Therefore, such guarantees would depend on other carriers' services. Agreements amongst ISPs for QoS guarantees are possible, but do not yet exist.

Architectural Design

VPN devices perform some of the same functions as traditional network security devices like firewalls. VPNs can run as part of a firewall or in addition to a firewall. Some experts prefer to run all security services on a single device, which simplifies administration. Other experts prefer separate devices, because a major security breach would then require penetration of all of them.

The architectural design must fit within an organization's security framework. As mentioned in the first article on network security, organizations must develop a security plan, then implement that plan. VPNs, firewalls, authentication, physical security, and all other components of network security must fit into the framework of that larger plan.

Cost

According to Byte Magazine Online, "the cost of a VPN may be less than half that of a private dial-in access solution…. Rather than leasing lines directly to major partners and customers, you can use your existing Internet connections to send VPN traffic to one another". Federal Computer Week reports that "Cost savings from using VPN technology have been estimated to be 50 to 80 percent less than using dedicated leased lines".

By setting up a VPN from a remote site to the association headquarters, associations can have on-line, real-time database updates regardless of where staff are. All members of an association can have up-to-the-minute access to all information, regardless of where it comes from. Many of my association clients want secure access for home or traveling users. Again, VPNs can provide a safe and cost-effective solution.
