have been regarded as a reliable and secure connectivity
option for enterprises. But since data travels over
a public network, it's important to look into the security
aspects carefully, to avoid breaches and compromises.
by Ketan Sanghvi
(Virtual Private Networks) are catching on in popularity
globally among large enterprises and in companies at
the higher end of the SME (Small and Medium Enterprise)
segment. This is due to factors like the evolved maturity
of the technology, realistic levels of cost and pricing,
a realization among enterprises that excess manpower
is not necessary to maintain a VPN, and increased customer
The idea of VPN is to provide a private network configured
within a public network. VPNs enjoy the security of
a private network through mechanisms like access control
and encryption. And it takes the advantage of the economies
of scale and built-in management facilities of large
public networks. VPNs are very cost-effective when deployed
on a large number of sites that need to be interconnected.
However the popularity of VPNs has a long way to go
compared to leased lines and other forms of connectivity.
An enterprise user will want to ensure that the enterprise
data is authentic, meaning it comes from a trusted source
and has not been tampered with en-route. This requires
authentication, which can take several forms in increasing
order of complexity, from pre-defined and fixed passwords
to public key interchange. A user might want to encrypt
the data in order to ensure that the data is not accessible
to anyone except the intended receiver. The encryption
algorithms also vary in complexity and proportionately,
the resources consumed.
Companies usually find that the overheads of VPN security
are quite intimidating. This is especially true when
configuring extranets, due to the diversity of the various
systems and issues relating to PKI (Public Key Infrastructure).
The outcome of a security outage can be devastating.
For example, if a bank's VPN network is compromised
there can be a huge financial loss. Who knows where
the poor account holder's money will be siphoned out?
The company will have exposed its sensitive data to
a hacker or competitor.
The level of security required by an enterprise really
depends on the level of 'insecurity' among the users
and the nature of the data. Obviously, if the data is
very sensitive, the need for protection is much higher.
can be protected with measures like authentication and
encryption. Both take up hardware and software resources
depending on the level of authentication and encryption
required. And the overheads can vary from nominal to
Enterprise requirements of privacy range from separation
of traffic with the use of tunneling or encapsulation
techniques, to sophisticated encryption. IPSec technology,
with its authentication, key management, and encryption
components, is a very important enabler of VPNs.
IPSec and encryption
IPSec is a framework of open standards for ensuring
secure private communications over IP networks. Based
on standards developed by the IETF (Internet Engineering
Task Force), IPSec ensures confidentiality, integrity,
and authenticity of data communications across a public
IP network. IPSec provides a necessary component of
a standards-based, flexible solution for deploying a
network-wide security policy. Even though tunneling
alone makes data relatively safe from hackers, with
IPsec, companies must encrypt the data, making it virtually
impossible for a hacker to make sense of a stolen data
Enterprises will need to use more sophisticated and
secure encryption technology for their VPNs in future.
Although encryption based on 40- and 56-bit key lengths
is generally accepted as sufficient today, tomorrow's
VPNs will rely on longer keys and stronger encryption
step by step modular approach to the problem of VPN
security is a good idea. I will talk about modular security
concepts which are actually shared by many in the IT
The VPN gateway, also called a VPN server or VPN switch,
is the heart of the infrastructure. It's the single
point at which all VPN clients and other devices communicate
to establish the VPN tunnel. The gateway establishes
the encryption settings and key management and controls,
the rule base that dictates who can go where and do
Most VPN gateways are very similar to firewalls. Access-control
lists have to be configured to allow or deny traffic
to destinations protected by the gateway. A major task
at the gateway is to review the rule base to ensure
the appropriate level of protection for the resources
behind the gateway. The rule base, combined with router
access-control lists and firewalls, protects critical
resources by limiting access to users with authorized
Penetration and DoS (Denial of Service) tests can also
be helpful. This should ensure that there aren't any
configuration problems or weaknesses that might give
a hacker the ability to gain unauthorized access to
the gateway or successfully launch a DoS attack that
would prevent users from establishing a VPN connection.
Not only are we concerned about external threats, but
we also have to be wary of disgruntled employees. Controlling
and limiting access to the administrative interface
for the VPN gateway should help reduce this risk.
The VPN Client
client often receives the least attention in a VPN rollout,
but it can create the biggest hole in the infrastructure.
Once the server authenticates a user and the gateway
creates an encrypted VPN tunnel session, the user is
on the internal network.
If a hacker can determine the client configuration and
a valid user ID and password, then the system will be
compromised no matter how much effort you put into the
rest of the VPN architecture. The question is, should
we let employees make changes to the VPN client software?
And should we let them install the VPN client on their
home computer systems? Limiting the amount of control
the user has might also cause support problems. And
if a user can't make configuration changes, how can
effective troubleshooting take place?
The best way to deal with this issue is to create detailed,
but user-friendly configuration instructions that are
balanced with a policy to address security issues that
might arise from improper configurations.
Network components and management
well made network design and layout can help you gain
better control over VPN security. Important issues here
include network segregation, router access-control list
protection, and the proper configuration of firewalls.
Companies often put a lot of effort into securing the
VPN gateway, access servers and clients and then stick
them on a network that has other, less secure systems
sharing the same segment. If a hacker gains access to
the less secure system, he has unrestricted access to
the VPN infrastructure. This is because when infrastructure
resides on the same network, the traffic normally doesn't
go through a firewall or gateway router. The traffic
usually has unrestricted access to other devices.
A VPN must be seen as an extension to the enterprise
network and must fit seamlessly into the overall enterprise
management architecture for the current infrastructure.
Enterprise customers require that the existing enterprise
management environment be extended and enhanced with
new VPN management capabilities. This provides the administrator
with control, security, and visibility from the wiring
closet to the campus backbone, through the wide area
and out to the VPN end user.
Indian IT Heads tend to under- or over-estimate the
network resources that a VPN consumes. In such a situation,
the CIO may consult the VPN provider for a practical
assessment of resource needs. There should be a balance
between security and ease of use as well as performance
depending upon the needs of the user.
More efficient and scalable methods of identifying network
users, applications, and resources must be developed
in order to handle the growth in VPNs and networks in
general. Forward-looking network architects are envisioning
a future in which authentication can be scaled to address
orders of magnitude for more users, and deliver an even
more granular and secure set of solutions. Emerging
technologies like digital certificates and directory
services enable a more scalable, flexible, and secure
infrastructure for the authentication of network users.
Digital certificates are currently used to authenticate
the encryption keys of IPSec end stations. The enhancement
of these capabilities is being pursued under the PKI
initiative in the IETF.
The writer is Managing Director, WANLANd Datacom
(India) Pvt. Ltd.