VPNs have been regarded as a reliable and secure connectivity
option for enterprises. But since data travels over
a public network, it's important to look into the security
aspects carefully, to avoid breaches and compromises.
by Ketan Sanghvi
VPNs (Virtual Private Networks) are gaining popularity
globally among large enterprises and in companies at
the higher end of the SME (Small and Medium Enterprise)
segment. This is due to factors like the evolved maturity
of the technology, realistic levels of cost and pricing,
a realization among enterprises that excess manpower
is not necessary to maintain a VPN, and increased customer
acceptance.
The idea of a VPN is to provide a private network configured
within a public network. VPNs enjoy the security of
a private network through mechanisms like access control
and encryption. They also take advantage of the economies
of scale and built-in management facilities of large
public networks. VPNs are very cost-effective when deployed
on a large number of sites that need to be interconnected.
However, the popularity of VPNs has a long way to go
compared to leased lines and other forms of connectivity.
Security aspect
An enterprise user will want to ensure that the enterprise
data is authentic, meaning it comes from a trusted source
and has not been tampered with en route. This requires
authentication, which can take several forms in increasing
order of complexity, from pre-defined and fixed passwords
to public key interchange. A user might want to encrypt
the data in order to ensure that the data is not accessible
to anyone except the intended receiver. The encryption
algorithms also vary in complexity and, proportionately,
in the resources consumed.
Companies usually find that the overheads of VPN security
are quite intimidating. This is especially true when
configuring extranets, due to the diversity of the various
systems and issues relating to PKI (Public Key Infrastructure).
The outcome of a security outage can be devastating.
For example, if a bank's VPN network is compromised
there can be a huge financial loss. Who knows where
the poor account holder's money will be siphoned out?
The company will have exposed its sensitive data to
a hacker or competitor.
The level of security required by an enterprise really
depends on the level of 'insecurity' among the users
and the nature of the data. Obviously, if the data is
very sensitive, the need for protection is much higher.
Protection
Data can be protected with measures like authentication and
encryption. Both take up hardware and software resources
depending on the level of authentication and encryption
required. And the overheads can vary from nominal to
substantial.
Enterprise requirements of privacy range from separation
of traffic with the use of tunneling or encapsulation
techniques, to sophisticated encryption. IPSec technology,
with its authentication, key management, and encryption
components, is a very important enabler of VPNs.
IPSec and encryption
IPSec is a framework of open standards for ensuring
secure private communications over IP networks. Based
on standards developed by the IETF (Internet Engineering
Task Force), IPSec ensures confidentiality, integrity,
and authenticity of data communications across a public
IP network. IPSec provides a necessary component of
a standards-based, flexible solution for deploying a
network-wide security policy. Even though tunneling
alone makes data relatively safe from hackers, with
IPSec, companies must encrypt the data, making it virtually
impossible for a hacker to make sense of a stolen data
stream.
Enterprises will need to use more sophisticated and
secure encryption technology for their VPNs in future.
Although encryption based on 40- and 56-bit key lengths
is generally accepted as sufficient today, tomorrow's
VPNs will rely on longer keys and stronger encryption
algorithms.
Modular approach
A step-by-step modular approach to the problem of VPN
security is a good idea. I will talk about modular security
concepts which are actually shared by many in the IT
industry.
The VPN gateway, also called a VPN server or VPN switch,
is the heart of the infrastructure. It's the single
point at which all VPN clients and other devices communicate
to establish the VPN tunnel. The gateway establishes
the encryption settings and key management, and controls
the rule base that dictates who can go where and do
what.
Most VPN gateways are very similar to firewalls. Access-control
lists have to be configured to allow or deny traffic
to destinations protected by the gateway. A major task
at the gateway is to review the rule base to ensure
the appropriate level of protection for the resources
behind the gateway. The rule base, combined with router
access-control lists and firewalls, protects critical
resources by limiting access to users with authorized
addresses.
Penetration and DoS (Denial of Service) tests can also
be helpful. This should ensure that there aren't any
configuration problems or weaknesses that might give
a hacker the ability to gain unauthorized access to
the gateway or successfully launch a DoS attack that
would prevent users from establishing a VPN connection.
Not only are we concerned about external threats, but
we also have to be wary of disgruntled employees. Controlling
and limiting access to the administrative interface
for the VPN gateway should help reduce this risk.
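A rule-base review of the kind described above can be partly automated. The following is an added example, not code from the article or from any gateway vendor: the rule format, the addresses, and the admin port 8443 are all constructed assumptions. It flags permit rules whose source is not limited to authorized addresses, rules that open every port, rules that expose the administrative interface outside a management subnet, and a missing default deny.

```python
import ipaddress

# Constructed rule base in a hypothetical format (not any vendor's syntax):
# (action, source CIDR, destination CIDR, destination port or None for any)
RULES = [
    ("permit", "10.8.0.0/24", "192.168.10.0/24", 443),      # VPN pool -> app servers
    ("permit", "0.0.0.0/0", "192.168.10.0/24", None),       # any source, any port
    ("permit", "10.8.0.0/24", "192.168.1.1/32", 8443),      # VPN pool -> gateway admin
    ("permit", "192.168.99.0/28", "192.168.1.1/32", 8443),  # mgmt subnet -> gateway admin
]

# Assumed site policy: who may be a source at all, and who may administer the gateway.
AUTHORIZED_SOURCES = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "192.168.99.0/28")]
MGMT_NET = ipaddress.ip_network("192.168.99.0/28")
ADMIN_NET, ADMIN_PORT = ipaddress.ip_network("192.168.1.1/32"), 8443


def review_rule_base(rules):
    """Return (rule number, finding) pairs for rules that weaken the gateway."""
    findings = []
    for idx, (action, src, dst, port) in enumerate(rules, start=1):
        if action != "permit":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Access should be limited to users with authorized addresses.
        if not any(src_net.subnet_of(a) for a in AUTHORIZED_SOURCES):
            findings.append((idx, "source not limited to authorized addresses"))
        if port is None:
            findings.append((idx, "all ports permitted"))
        # The administrative interface should only be reachable from management.
        reaches_admin = dst_net.overlaps(ADMIN_NET) and port in (None, ADMIN_PORT)
        if reaches_admin and not src_net.subnet_of(MGMT_NET):
            findings.append((idx, "admin interface reachable from outside management subnet"))
    # Anything not explicitly permitted should be dropped by a final deny-all rule.
    last = rules[-1] if rules else None
    if last is None or last[:3] != ("deny", "0.0.0.0/0", "0.0.0.0/0"):
        findings.append((len(rules) + 1, "no explicit default deny at end of rule base"))
    return findings


if __name__ == "__main__":
    for number, finding in review_rule_base(RULES):
        print(f"rule {number}: {finding}")
```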
The VPN Client
The client often receives the least attention in a VPN rollout,
but it can create the biggest hole in the infrastructure.
Once the server authenticates a user and the gateway
creates an encrypted VPN tunnel session, the user is
on the internal network.
If a hacker can determine the client configuration and
a valid user ID and password, then the system will be
compromised no matter how much effort you put into the
rest of the VPN architecture. The question is, should
we let employees make changes to the VPN client software?
And should we let them install the VPN client on their
home computer systems? Limiting the amount of control
the user has might also cause support problems. And
if a user can't make configuration changes, how can
effective troubleshooting take place?
The best way to deal with this issue is to create detailed,
but user-friendly configuration instructions that are
balanced with a policy to address security issues that
might arise from improper configurations.
Network components and management
A well-made network design and layout can help you gain
better control over VPN security. Important issues here
include network segregation, router access-control list
protection, and the proper configuration of firewalls.
Companies often put a lot of effort into securing the
VPN gateway, access servers and clients and then stick
them on a network that has other, less secure systems
sharing the same segment. If a hacker gains access to
the less secure system, he has unrestricted access to
the VPN infrastructure. This is because when infrastructure
resides on the same network, the traffic normally doesn't
go through a firewall or gateway router. The traffic
usually has unrestricted access to other devices.
A VPN must be seen as an extension to the enterprise
network and must fit seamlessly into the overall enterprise
management architecture for the current infrastructure.
Enterprise customers require that the existing enterprise
management environment be extended and enhanced with
new VPN management capabilities. This provides the administrator
with control, security, and visibility from the wiring
closet to the campus backbone, through the wide area
and out to the VPN end user.
End measures
Many Indian IT Heads tend to under- or over-estimate the
network resources that a VPN consumes. In such a situation,
the CIO may consult the VPN provider for a practical
assessment of resource needs. There should be a balance
between security and ease of use as well as performance
depending upon the needs of the user.
More efficient and scalable methods of identifying network
users, applications, and resources must be developed
in order to handle the growth in VPNs and networks in
general. Forward-looking network architects are envisioning
a future in which authentication can be scaled to address
orders of magnitude more users, and deliver an even
more granular and secure set of solutions. Emerging
technologies like digital certificates and directory
services enable a more scalable, flexible, and secure
infrastructure for the authentication of network users.
Digital certificates are currently used to authenticate
the encryption keys of IPSec end stations. The enhancement
of these capabilities is being pursued under the PKI
initiative in the IETF.
The writer is Managing Director, WANLANd Datacom
(India) Pvt. Ltd.