Networks


Virtual Private Networks

The Internet offers a golden opportunity for many companies to provide near-free access to their corporate e-mail and data, but this freedom comes at a price. Security is by far the biggest concern that most network managers face when considering remote access. Cyber break-ins and eavesdroppers pose a serious threat to mobile and home users' sensitive data. But as budgets tighten, businesses will push the security envelope by looking to the Internet to provide a more cost-effective way to allow telecommuters and mobile users to access the corporate network.

Remote-access virtual private networks (VPNs) promise to be the brass ring of free, open access anywhere, anytime. But the solutions offered today are not complete -- and not without their own problems. Besides the fact that most of the VPN-related standards have yet to be completed, you'll be hard-pressed to find any shrink-wrapped Internet solutions. Instead, most vendors offer their own solutions that mix a variety of proprietary and third-party products, usually over public infrastructure, not necessarily the Internet.


Limitations

To understand the attractiveness of VPNs, it's best to know the limitations of current remote-access solutions. Simply put, traditional authentication schemes such as the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP) fall short in providing complete security. These schemes do not address strong authentication, message integrity, or eavesdropping.

If you've ever had your telephone calling-card number stolen and received a huge bill at the end of the month, you can understand what lack of authentication means. Traditional authentication schemes require no more than a user name and password to gain access to your network, and these can be guessed, stolen, or sniffed: PAP sends the password across the link in the clear, and even CHAP, which sends only a hash of a challenge and the secret, lets an eavesdropper who captures the exchange test password guesses offline. Robust authentication, such as certificate-based authentication, ensures that the person requesting the connection is actually the person authorized to connect.
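To make the PAP and CHAP weaknesses concrete, here is an added example (not code from the original page) that builds the two exchanges as they appear on the wire and then plays the eavesdropper. The packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP, MD5 over identifier, secret and challenge); the user name, secret, challenges and word list are constructed for the demo.

```python
"""PAP vs. CHAP on the wire: what a sniffer between the remote user and
the RAS server learns.  Added example, not code from the original page.
Packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); the user name,
secret, challenges and word list below are constructed for the demo."""
import hashlib
import hmac
import struct


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code=1, Identifier, Length, then a
    length-prefixed Peer-ID and a length-prefixed Password, both in the clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def pap_sniff_password(packet: bytes) -> bytes:
    """Parse the password straight out of a captured Authenticate-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a PAP Authenticate-Request")
    pos = 4
    pos += 1 + packet[pos]              # skip Peer-ID-Length and Peer-ID
    pw_len = packet[pos]
    return packet[pos + 1:pos + 1 + pw_len]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def chap_offline_guess(ident: int, challenge: bytes, response: bytes, wordlist):
    """Attacker side: a captured (identifier, challenge, response) triple lets
    an eavesdropper test password guesses offline, one MD5 per guess, with no
    further contact with the server."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo() -> dict:
    secret = b"letmein"                              # constructed weak password
    # PAP: the password itself crosses the link.
    pap_pkt = pap_authenticate_request(1, b"alice", secret)
    sniffed = pap_sniff_password(pap_pkt)

    # CHAP: only a hash crosses the link, and a replayed response fails
    # because the server issues a fresh identifier and challenge each time.
    chal1 = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    chal2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
    resp1 = chap_response(7, secret, chal1)
    genuine_ok = chap_verify(7, secret, chal1, resp1)
    replay_ok = chap_verify(8, secret, chal2, resp1)

    # ...but a sniffer holding (7, chal1, resp1) can still guess offline.
    wordlist = [b"password", b"123456", b"qwerty", b"letmein", b"welcome"]
    cracked = chap_offline_guess(7, chal1, resp1, wordlist)
    return {"pap_sniffed": sniffed, "chap_genuine_ok": genuine_ok,
            "chap_replay_ok": replay_ok, "chap_cracked": cracked}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

CHAP does defeat a straight replay, which is why it is an improvement over PAP, but the strength of the exchange is exactly the strength of the password once the challenge and response have been captured.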

Issues of integrity are critical as well. The integrity of your message should never be compromised, but you should know immediately if it is. If you send an e-mail to your broker ordering a sale, you don't want the message to read "buy."

Perhaps the biggest issue with security these days is encryption. Anyone with a cordless phone knows the danger of talking over the airwaves. Unfortunately, nearly anyone with access to ISP hardware along the path can eavesdrop on data conversations. Without some form of encryption, these conversations are completely open.
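The integrity and eavesdropping points above are related but not the same, and the broker example shows why: an attacker who cannot read an encrypted message can sometimes still change it. The added example below (not code from the original page) encrypts the order with a stream-style cipher, lets a sniffer rewrite "SELL" to "BUY" without the key, and then shows that a keyed integrity check over the ciphertext, the encrypt-then-MAC arrangement used by IPsec ESP, rejects the tampered packet. The keystream generator is a toy built from SHA-256 in counter mode and is stated as an assumption; it stands in for any stream or counter-mode cipher, all of which share this malleability. Keys and the order text are constructed for the demo.

```python
"""Privacy without integrity: bit-flipping a stream-encrypted packet,
and the HMAC that catches it.  Added example, not code from the original
page.  The keystream generator is a toy (SHA-256 in counter mode, an
assumption made for the demo) standing in for any stream or counter-mode
cipher; the keys and the broker message are constructed."""
import hashlib
import hmac

TAG_LEN = 32   # HMAC-SHA256 output length


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy keystream: successive SHA-256(key || counter) blocks.  Illustrative
    only; it has the malleability of real stream/CTR modes, which is the point."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def flip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker: with no key at all, turn the (guessed) plaintext `known` at
    `offset` into `wanted` by XORing the difference into the ciphertext."""
    if len(known) != len(wanted):
        raise ValueError("substitution must preserve length")
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256 over the ciphertext."""
    ct = xor_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None if it does not match."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_encrypt(enc_key, ct)


def demo() -> dict:
    enc_key, mac_key = b"enc-key-constructed", b"mac-key-constructed"
    order = b"SELL 100 ACME"

    # Encryption only: the sniffer never sees the plaintext, yet rewrites the
    # verb because the message format is predictable.
    ct = xor_encrypt(enc_key, order)
    forged = flip(ct, 0, b"SELL", b"BUY ")
    broker_reads = xor_encrypt(enc_key, forged)

    # Encryption plus HMAC: the same bit flips fail verification.
    blob = protect(enc_key, mac_key, order)
    forged_blob = flip(blob[:-TAG_LEN], 0, b"SELL", b"BUY ") + blob[-TAG_LEN:]
    return {"broker_reads_without_mac": broker_reads,
            "genuine_with_mac": unprotect(enc_key, mac_key, blob),
            "forged_with_mac": unprotect(enc_key, mac_key, forged_blob)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The attacker needs only a guess at the plaintext layout, not the key, which is why a VPN that encrypts but does not authenticate each packet still fails the integrity requirement.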


First the intranet, now the Virtual Private Network (VPN). Carriers and Internet service providers (ISPs) are lining up to roll out the next logical step from their private Internet Protocol (IP) and frame relay services: a new generation of intranets that looks and feels just like the Internet but is more secure and shoots packets through more quickly and efficiently. What's more, it can incorporate your business partners, too, as an extranet. Interested? Trouble is, shopping for a VPN service isn't simple. No one, not the service providers, industry analysts or even pioneering users, can agree on just what constitutes a VPN. In addition, no carriers are offering them yet.

Virtual private networks are the next big wave in data communications. Organizations of all sizes are embracing VPNs to build secure links with business partners and franchisees, extend communications to far-flung offices, and slash telecom costs for growing legions of mobile and remote workers.

These software- or hardware-defined networks are not only changing the way companies look at wide area networking, they're also changing the way they look at their businesses and industries. The goals are lofty: boost sales, expedite product development and delivery, and create stronger relationships, as well as cut costs.

VPNs make all this possible because they're based on standard, ubiquitous, and easily accessible IP networks: the public Internet as well as private IP systems run by carriers or user companies themselves. They are "virtually private" in that data is transported over secure tunnels that resemble, at least in function, conventional private lines.

At its most basic level, a VPN is a means for allowing access to a private network's e-mail, shared files or intranet via an Internet connection. Instead of making a long-distance call to connect to a RAS server (which may not support high-speed connections such as 56K and cable modems), a remote user connects to a local ISP and then to a VPN server. The VPN server acts as an intermediary between the Internet connection and your local network and handles user authentication. Once the VPN server verifies a user's credentials, access to the local network or intranet is granted. All data (including user names and passwords) sent between the remote user and the server travels over the public Internet, but it's encrypted to preserve privacy. Reducing long-distance phone charges is the most tangible benefit of a VPN over traditional RAS dial-ups. Because remote users make only local calls to connect to their ISPs, your telephone bill can shrink substantially, even if you have only a handful of remote users.

A VPN also requires less hardware on the network end than does a RAS configuration. Your server-side modem setup can be a simple affair with most of the work handled by the ISPs providing the Internet connections. If your company has several networks in different locations, you can potentially save even more money by using VPN technology to knit servers together into a WAN. The VPN can be used to create a private tunnel through the Internet solely for internetwork communication, sidestepping the need for costly leased lines.

VPNs also allow remote users to take full advantage of whatever high-speed connections they have installed locally. With RAS access, on the other hand, the server's communication equipment has to match that of the remote caller. So if a RAS server is set up to handle 28.8Kbps modems and ISDN, for example, remote users with 33.6Kbps, 56K or cable modems lose the benefits of their high-speed equipment. Although you could update the RAS server's equipment to match what's out in the field, that could be an expensive and ongoing process.

Using the Internet to transmit sensitive data is generally a risky proposition, but security is the keystone of a VPN. A VPN server follows, and can even go beyond, the same user-authentication procedures as a typical RAS setup, employing protocols such as RADIUS and Challenge Handshake Authentication Protocol (CHAP) to ensure that sessions are established only by authorized users; a forged source IP address alone does not get an attacker in. Encryption keeps the data sent between a server and remote system private from packet sniffers, and a keyed integrity check on each packet (the HMAC used by IPsec, for example) lets the receiver detect data that was altered in transit, which encryption by itself does not prevent.

Private Protocols


Because a single, standards-based virtual private networking solution has not yet been adopted, there are several types of VPNs available. In addition to some protocols under development by router and firewall vendors, there are three basic types of VPN solutions: Microsoft's Point-to-Point Tunneling Protocol (PPTP), the proposed IPsec suite of protocols and the SOCKS proxy solution. A fourth, the Layer 2 Tunneling Protocol (L2TP), which merges PPTP with Cisco's Layer 2 Forwarding (L2F), is still being standardized.

The Prospects for VPNs


What's ahead for VPNs? Changing standards will dictate the market. As it stands today, none of the technologies can claim to be the ultimate answer to everyone's VPN needs. Each holds its own strengths and weaknesses, but you can expect to see L2TP and IPsec take the lead because of their flexibility and security, with IPsec gaining further popularity when IPv6, which carries it as a built-in feature, takes its place in the Internet infrastructure. Integrated and improved support for L2TP in NT 5.0 will keep Microsoft's tunneling technology a favorite among administrators looking for a fast and inexpensive solution.



If you have any comments or suggestions I would like to hear from you.
