With other methods of securing data communications like MPLS emerging, security managers now have more options to build fortified networks.
By Seamus Phan
The office fax machine is a very busy beast, receiving tens of junk faxes every day. When I decided I had had enough of fax spam, I went through the fax user manual and discovered the "Password Plus" mode, which allows only users in the authorized number list to fax in, while legitimate but uninvited guests have to be provided a password. This essentially turns a fax machine into a secured "tunnel", an analogy of a virtual private network (VPN).
While VPNs do address information security, they are highly complex, due in part to the diversity of vendors offering similar yet somewhat disparate solutions. The only governing standard that most vendors adhere to, at least at its core, is IPSec (Internet Protocol Security). IPSec VPNs have enjoyed market dominance for quite some time now, displacing older remote access VPNs which relied on ISDN and analogue lines.
Nevertheless, new protocol entrants are emerging. In particular, Multiprotocol Label Switching (MPLS) has emerged to bridge the older world of asynchronous transfer mode (ATM) and Frame Relay with the IP world. There are also startups, including Jim Clark's (Netscape co-founder) Neoteris (www.neoteris.com), which offers a non-IPSec proprietary VPN appliance that authenticates from a Web browser.
Understanding some VPN basics will help you to decide what is suitable for your enterprise.
IPSec Primer
IPSec is an IETF working group standard that provides authentication, confidentiality, and integrity for IP traffic. It provides authentication by blocking unauthorized users from the network, and confidentiality by keeping unauthorized users from snooping on or retrieving the contents of packets traveling to and from the network. IPSec also provides integrity for data by ensuring that the data traveling to and from the network is not modified or otherwise tampered with.
There are two kinds of IPSec packets, encapsulating security payload (ESP) and authentication header (AH). ESP provides authentication, confidentiality and integrity, while AH only covers authentication and integrity, but not confidentiality. Check against your intended solution to see that it supports both (or more).
ESP works by encrypting the entire data packet, including the payload with the sensitive information. AH does not encrypt the data packet or the information; it merely carries a check value computed over the transferred data, against which the receiver verifies that nothing has been illegally modified during transit. The good thing about using AH is that it is much faster than ESP, since encryption is processor-intensive and can slow down traffic. But the VPN landscape has also changed somewhat, with many vendors now offering hardware-assisted encryption that offloads encryption to a dedicated co-processor. Again, check to see if your vendor offers hardware-accelerated encryption, especially if you must have ESP.
IPSec traffic can work in two modes, transport mode and tunnel mode. Transport mode secures an IP packet from the originating source to the intended destination. Tunnel mode wraps an existing IP packet inside another IP packet defined in the IPSec format. Both modes can encapsulate with either encrypted ESP or unencrypted AH headers.
Transport mode was designed to provide end-to-end security between communicating systems (including client platforms), while tunnel mode was intended primarily for gateway-to-gateway communication. Both modes, however, rely on a key exchange (such as the Internet Key Exchange, or IKE) in which encryption keys are securely exchanged.
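The AH behaviour described above (integrity without confidentiality, transport versus tunnel placement) can be made concrete with a small worked example. The following Python is added here and is not code from the article or from any vendor listed in it. It builds a minimal IPv4 header, inserts an AH with an HMAC-SHA1-96 integrity check value (the ICV layout of RFC 2402/2404) in both transport and tunnel mode, and shows that a router hop changing the TTL still verifies, a flipped payload bit does not, and the payload and inner addresses remain readable in the clear. The key, addresses and HTTP-like payload are constructed for the demonstration; real keys would come from IKE.

```python
"""Added example: AH in transport and tunnel mode over a constructed IPv4 packet."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51      # IANA protocol number for the Authentication Header
IPIP_PROTO = 4     # next-header value for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404): the ICV is the first 96 bits of HMAC-SHA1
AH_LEN = 12 + ICV_LEN


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Minimal header: fixed ID, DF set, no options (enough for the demonstration)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(hdr: bytes):
    return socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9], hdr[8]


def _zero_mutable(hdr: bytes) -> bytes:
    # RFC 2402: TOS, flags/fragment offset, TTL and header checksum may change in
    # transit, so they are zeroed before the ICV is computed; addresses are covered.
    return (hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10]
            + b"\x00\x00" + hdr[12:20])


def _icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def add_ah(ip_packet: bytes, key: bytes, spi: int, seq: int, tunnel_endpoints=None) -> bytes:
    """Insert an AH. tunnel_endpoints=(outer_src, outer_dst) selects tunnel mode."""
    src, dst, proto, ttl = parse_ipv4(ip_packet[:20])
    if tunnel_endpoints:
        # Tunnel mode: the whole original datagram becomes the AH payload
        next_hdr, protected = IPIP_PROTO, ip_packet
        outer = ipv4_header(tunnel_endpoints[0], tunnel_endpoints[1], AH_PROTO,
                            AH_LEN + len(protected))
    else:
        # Transport mode: AH sits between the original IP header and its payload
        next_hdr, protected = proto, ip_packet[20:]
        outer = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(protected), ttl)
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + _icv(key, outer, ah_fixed, protected) + protected


def verify_ah(packet: bytes, key: bytes) -> bool:
    ip_hdr, ah = packet[:20], packet[20:20 + AH_LEN]
    if ip_hdr[9] != AH_PROTO:
        return False
    expected = _icv(key, ip_hdr, ah[:12], packet[20 + AH_LEN:])
    return hmac.compare_digest(expected, ah[12:])


def decrement_ttl(packet: bytes) -> bytes:
    """What a router does in transit: change the TTL and recompute the IP checksum."""
    src, dst, proto, ttl = parse_ipv4(packet[:20])
    return ipv4_header(src, dst, proto, len(packet) - 20, ttl - 1) + packet[20:]


KEY = b"constructed-demo-key"          # constructed; a real SA key comes from IKE
BODY = b"GET /payroll HTTP/1.0\r\n"    # constructed application payload
INNER = ipv4_header("10.0.0.5", "10.0.1.9", 6, len(BODY)) + BODY


def demo() -> dict:
    transport = add_ah(INNER, KEY, spi=0x1000, seq=1)
    tunnel = add_ah(INNER, KEY, spi=0x2000, seq=1, tunnel_endpoints=("203.0.113.1", "198.51.100.1"))
    tampered = bytearray(transport)
    tampered[-1] ^= 0x01                # one payload bit changed in transit
    return {
        "transport_ok": verify_ah(transport, KEY),
        "tunnel_ok": verify_ah(tunnel, KEY),
        "survives_router_hop": verify_ah(decrement_ttl(transport), KEY),
        "tamper_detected": not verify_ah(bytes(tampered), KEY),
        "payload_readable": BODY in transport,                         # no confidentiality
        "inner_addresses_readable": socket.inet_aton("10.0.0.5") in tunnel,
        "transport_len": len(transport),
        "tunnel_len": len(tunnel),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tunnel-mode packet is 20 bytes longer than the transport-mode one because the original IP header travels inside the AH payload behind a new outer header; that is the extra overhead a gateway pays for being able to hide nothing more than the topology it chooses to present in the outer addresses.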
IPSec supports DES (Data Encryption Standard) or Triple DES (3DES) for data encryption, and MD5 and SHA-1 for authentication. Using 3DES and SHA-1 requires accelerated hardware, especially for large corporate networks with hundreds of users (sometimes simultaneously online). Some VPN vendors may also include proprietary and sometimes stronger encryption protocols, but these may only work in tandem with identical or similar products. If your enterprise has determined to standardize equipment, then proprietary encryption protocols may be acceptable.
IKE can provide identity protection for the session-initiating hosts under main mode, or use aggressive mode, which is faster but offers no identity protection for the session hosts. Both communicating hosts must be running the same mode.
IPSec VPNs can also provide proprietary features such as "single sign-on", which requires clients to authenticate only once to get access to all services. Some IPSec VPNs also offer specialized client software for authentication, while others allow authentication through Web browsers.
You may also attempt to build your own Linux-based IPSec VPN by implementing FreeS/WAN (www.freeswan.org) together with the likes of the Linux Router Project, or LRP (www.linuxrouter.org), on inexpensive PCs. This demands much expertise and patience, and should not be relied upon for mission-critical networks (unless you have also set up clustered, load-balanced networks).
MPLS Primer
Multiprotocol label switching (MPLS) is another IETF definition. It can be seen as a method of connecting IP traffic to connection-oriented networks, such as ATM, Frame Relay, or optical networks.
The key benefit of MPLS is speed. Think of a postal system that works the way MPLS does: mail received is not analyzed by individual collection postmen, but sent to a regional collection centre. This collection centre scans the mail by machine (if machine-readable) or by humans (if handwritten), and then barcodes it. The barcoded mail is then scanned at downstream delivery checkpoints without further analysis. This whole process speeds up mail delivery, and the same concept lies behind MPLS.
MPLS started as Tag Switching, where ATM switches adopt a routing function, and dynamic IP routing is used to trigger virtual circuit or path setups. The data is analyzed deeply once at the entry to the MPLS network, after which forwarding tags are inserted before the IP headers.
At both ends of a data session are label switch routers (LSRs), which support MPLS. An ingress LSR is where data enters the MPLS network, while an egress LSR is where data leaves it. The ingress LSR inserts small identifiers known as labels (or tags), and when the data leaves the egress LSR, the labels are removed. This is because labels are known only to MPLS equipment, and should not confuse non-MPLS equipment outside the MPLS network.
There can also be multiple labels for each data packet, but only the outermost (the most recently added) label is used for forwarding.
The advantage of using labels with MPLS networks is that once a packet has been labeled, the packet does not go through multiple hop analysis, which provides the much needed speed in secure communications.
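The label-stack mechanics just described (labels inserted ahead of the IP header at the ingress LSR, only the outermost label consulted at each hop, labels removed before the packet leaves) are shown below in an added Python example that is not code from the article or from any MPLS vendor. It encodes the 32-bit label stack entry of RFC 3032, pushes a two-label stack at a constructed ingress LSR (a per-customer VPN label at the bottom of the stack, of the kind a managed MPLS provider binds to one customer, with a transport label on top), swaps the top label at a transit LSR whose table knows nothing about the inner label, and pops at the penultimate and egress hops. The topology, label values and IP datagram are all constructed for the demonstration.

```python
"""Added example: an MPLS label stack pushed, swapped and popped along a constructed LSP."""
import struct


def encode_label(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """One RFC 3032 label stack entry: 20-bit label, 3-bit traffic class,
    1-bit bottom-of-stack flag, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_stack(frame: bytes):
    """Read entries until the bottom-of-stack bit is set; return (entries, payload)."""
    entries, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", frame, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 7, bool((word >> 8) & 1), word & 0xFF))
        if entries[-1][2]:
            return entries, frame[off:]


def ingress(ip_packet: bytes, fec_table: dict, dst_prefix: str, vpn_label: int, ttl: int = 64) -> bytes:
    """Ingress LSR: the only deep look at the packet. Push the per-customer VPN label
    (bottom of stack) and, on top of it, the transport label for the core path."""
    transport_label = fec_table[dst_prefix]
    return (encode_label(transport_label, 0, False, ttl)
            + encode_label(vpn_label, 0, True, ttl)
            + ip_packet)


def forward(lfib: dict, frame: bytes):
    """Transit or egress LSR: consult only the outermost label and apply the LFIB action.
    Returns (next_hop, outgoing_frame, still_labeled); an unknown label raises KeyError
    (the packet is dropped)."""
    entries, _ = decode_stack(frame)
    label, tc, bottom, ttl = entries[0]
    action, out_label, next_hop = lfib[label]
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    if action == "swap":
        return next_hop, encode_label(out_label, tc, bottom, ttl - 1) + frame[4:], True
    if action == "pop":
        # TTL propagation into the exposed header is left out of this toy
        return next_hop, frame[4:], not bottom
    raise ValueError(f"unknown LFIB action {action}")


# Constructed topology: CE-A -> PE1 (ingress) -> P1 -> P2 (penultimate hop) -> PE2 (egress) -> CE-B
PE1_FEC = {"10.0.1.0/24": 100}              # destination prefix -> transport label toward PE2
P1_LFIB = {100: ("swap", 200, "P2")}        # P1 never sees, and never needs, the VPN label
P2_LFIB = {200: ("pop", None, "PE2")}       # penultimate hop popping exposes the VPN label
PE2_LFIB = {500: ("pop", None, "CE-B")}     # VPN label 500 selects customer A's VRF
CUSTOMER_A_VPN_LABEL = 500
IP_PACKET = b"<constructed IPv4 datagram 10.0.0.5 -> 10.0.1.9>"   # opaque to the MPLS core


def run_path():
    """Trace the packet along the LSP; returns ([(node, labels after that node), ...], final bytes)."""
    trace = []
    frame = ingress(IP_PACKET, PE1_FEC, "10.0.1.0/24", CUSTOMER_A_VPN_LABEL)
    trace.append(("PE1", [e[0] for e in decode_stack(frame)[0]]))
    for node, lfib in (("P1", P1_LFIB), ("P2", P2_LFIB), ("PE2", PE2_LFIB)):
        _next_hop, frame, labeled = forward(lfib, frame)
        trace.append((node, [e[0] for e in decode_stack(frame)[0]] if labeled else []))
    return trace, frame


if __name__ == "__main__":
    for node, labels in run_path()[0]:
        print(f"{node}: label stack {labels}")
```

Note that P1's table has no entry for label 500 and still forwards the packet, because the swap decision reads only the top entry; that is the single-lookup forwarding the article credits for MPLS speed. It also makes plain why the egress must strip the stack: a host outside the core would be handed bytes that are not an IP header.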
However, MPLS does not offer 100 percent security, and downstream IP-based security equipment may be added to enhance security. Remember that MPLS is intended for site-to-site connections, while IPSec can be used for site-to-site as well as other connections. Each has its place in a comprehensive corporate-wide security architecture.
For open source fans, there is also an ongoing project at SourceForge (sourceforge.net/projects/mpls-linux) which aims to port MPLS onto Linux boxes. As with the Linux Router Project and FreeS/WAN, these kinds of implementations should be left to Unix gurus with patience and knowledge, and if implemented, should be run on clustered, load-balanced and redundant equipment.
Get a helping hand
If you would rather offload the entire VPN project to someone else, there is always the option of using managed security services. With managed security services, you delegate full control to a trusted third party, with whom you can define performance and QoS levels. However, managed security services often do not provide as granular a control as your own VPN setup would, and you may have to work around some limitations imposed by these providers.
For MPLS, Equant offers managed VPN services. According to Equant, malicious spoofing (where intruders try to gain access to a premise equipment or PE router) is nearly impossible, since the packets received from the router are IP packets that must be received on a particular interface or sub-interface to be uniquely identified with a specific customer's VPN label. In short, each customer is given a unique label and all incoming traffic is tagged with this label.
For IPSec, the likes of KDDI and WorldCom offer managed VPN services. These typically allow almost any IP- and IPSec-capable downstream client platform to access corporate resources from anywhere in the world, and can provide site-to-site security as well.
Whether your enterprise decides to outsource the VPN architecture or even the manpower, it is also important to be knowledgeable about VPN offerings, their design and implementation. There is no simple way to deploy comprehensive security.
Seamus Phan is research director at KnowledgeLabs News Center (www.knowledgelabs.net), an independent technology news bureau, and writes for Network Computing - The Asian Edition. He can be reached at seamus@knowledgelabs.net.
Resources
MPLS vendors
Avici Systems (www.avici.com)
Cisco Systems (www.cisco.com)
CoSine Communications (www.cosinecom.com)
Juniper Networks (www.juniper.net)
Lucent Technologies (www.lucent.com)
Nortel Networks (www.nortelnetworks.com)
Riverstone Networks (www.riverstonenet.com)
IPsec VPN vendors
Check Point Software (www.checkpoint.com)
Cisco Systems (www.cisco.com)
CoSine Communications (www.cosinecom.com)
CyberGuard (www.cyberguard.com)
Efficient Networks (www.efficient.com)
Enterasys Networks (www.enterasys.com)
Lucent Technologies (www.lucent.com)
Netscreen Technologies (www.netscreen.com)
Sonicwall (www.sonicwall.com)
Open Source IPsec VPN
Linux FreeS/WAN (www.freeswan.org)
Open Source MPLS
MPLS for Linux (sourceforge.net/projects/mpls-linux)
Managed service providers
Equant (www.equant.com)
KDDI (www.kddi.com)
WorldCom (www.worldcom.com)