look at the current renditions of virtual private network technology and where it is heading in terms of functionality and plug-ins.
by Dr Seamus Phan
When we think about virtual private networks (VPNs), we tend to look at them from a technology standpoint, without putting them in the context of business scenarios. It is therefore difficult to design a VPN that caters to every perimeter, gateway, application and user while still providing the full security that businesses demand. Still, there are specific recommendations and technologies we can use to secure and empower our users and networks.
VPNs come in the form of software, which most of us are familiar with and which should be installed on vendor-certified hardware and on a hardened operating system. They are also available as "appliances", which are basically the VPN software and operating system pre-installed by the vendor on a small (or not so small) form-factor computer.
SSL and IPSec side by side
Traditional VPNs use IPsec for encryption, where IP packets are encrypted and integrity-protected between hosts (gateway to gateway) or between clients and hosts. Because the protection is applied at the packet level, issues such as key management (pre-shared keys or certificates, negotiated through IKE) and hardware acceleration have to be considered for a successful and efficient VPN installation.
Another method of VPN implementation uses SSL (Secure Sockets Layer) to encrypt HTTP (Hypertext Transfer Protocol) traffic, and can therefore work with any Web browser client. The flip side of using SSL, despite its widespread compatibility, is the limitation of HTTP itself in handling more modern applications such as peer-to-peer (P2P) file sharing and other data
There are some VPN technologies which not only encrypt TCP traffic using SSL, but also UDP traffic, giving an all-inclusive data communication encryption mechanism. Some of these technologies also allow a full audit trail, since all the encrypted traffic is mapped to a specific user's authenticated identity and usage.
If you are purchasing a VPN solution, especially for branch offices and remote-access users, you should ensure that the solution is compatible with NAT and private IP environments. Some dated implementations do not work well behind NAT, because the IPsec integrity check (in AH, and for the TCP checksum carried inside transport-mode ESP) covers address fields that NAT rewrites. Look for NAT traversal (NAT-T) support, which encapsulates ESP in UDP so the outer addresses and ports can be rewritten freely.
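The NAT problem, as an added illustration rather than code from the article: a simplified model of the IPsec integrity check (ICV) for AH and for UDP-encapsulated ESP, run over a constructed packet that passes through a source NAT. The key, addresses and payload are constructed for the demo; the HMAC-SHA1-96 ICV and the UDP port 4500 encapsulation are what IPsec and NAT-T actually use.

```python
"""Why AH breaks behind NAT and UDP-encapsulated ESP (NAT-T) does not.

Added illustration, not code from the article. It models only the
integrity check of two IPsec modes over a constructed packet:

  * AH: the ICV covers the IP header (source/destination addresses
    included), so a NAT rewriting the source address invalidates it.
  * UDP-encapsulated ESP (RFC 3948): the ICV covers only the ESP body,
    and the packet rides inside UDP port 4500, so the NAT can rewrite the
    outer address and port freely.
"""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-integrity-key"      # would come from IKE in real IPsec
PROTO_AH, PROTO_UDP, UDP_NAT_T_PORT = 51, 17, 4500


def _icv(data: bytes) -> bytes:
    """HMAC-SHA1-96, the integrity check value used by AH and ESP."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def _addr_fields(src: str, dst: str, proto: int) -> bytes:
    """Immutable IP-header fields that AH includes in its ICV (TTL, checksum
    and other mutable fields are zeroed by AH, so they are simply left out)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + bytes([proto]))


def build_ah(src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "proto": PROTO_AH, "payload": payload,
            "icv": _icv(_addr_fields(src, dst, PROTO_AH) + payload)}


def verify_ah(pkt: dict) -> bool:
    expected = _icv(_addr_fields(pkt["src"], pkt["dst"], pkt["proto"]) + pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def build_esp_udp(src: str, dst: str, payload: bytes) -> dict:
    """ESP-in-UDP: the ICV is over the ESP body only (normally ciphertext;
    left as plain bytes here because confidentiality is not the point)."""
    return {"src": src, "dst": dst, "proto": PROTO_UDP, "sport": UDP_NAT_T_PORT,
            "dport": UDP_NAT_T_PORT, "payload": payload, "icv": _icv(payload)}


def verify_esp_udp(pkt: dict) -> bool:
    return hmac.compare_digest(_icv(pkt["payload"]), pkt["icv"])


def nat_rewrite(pkt: dict, public_src: str, public_port: int = 40500) -> dict:
    """What a source-NAT gateway does on the way out: new source address,
    and a new source port when the packet carries UDP/TCP ports."""
    out = dict(pkt, src=public_src)
    if "sport" in out:
        out["sport"] = public_port
    return out


def demo() -> dict:
    """One AH and one NAT-T ESP packet from a private address, through a NAT."""
    payload = b"constructed inner packet"
    ah = nat_rewrite(build_ah("10.0.0.5", "203.0.113.10", payload), "198.51.100.7")
    esp = nat_rewrite(build_esp_udp("10.0.0.5", "203.0.113.10", payload), "198.51.100.7")
    return {"ah_verifies_after_nat": verify_ah(ah),
            "esp_udp_verifies_after_nat": verify_esp_udp(esp)}


if __name__ == "__main__":
    print(demo())  # {'ah_verifies_after_nat': False, 'esp_udp_verifies_after_nat': True}
```

Plain ESP in tunnel mode also survives an address rewrite, but ESP has no ports, so a NAT cannot tell two clients behind it apart; the UDP wrapper is what lets many remote users share one public address.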
For a Windows-centric network, you may consider the Layer 2 Tunneling Protocol (L2TP), which merges Microsoft's older Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F) protocol. Note that L2TP on its own only tunnels; it provides no encryption, which is why it is normally paired with IPsec. If you are using a mixed environment, you can consider running L2TP over IPsec, or simply standardize on one of these protocols. Although some VPN solutions provide both IPsec and L2TP/PPTP compliance, it is unwise to try to suit everyone's preferences. It is good practice to standardize across the entire enterprise network, and to conform all users to a single operating
The MPLS alternative
Multiprotocol Label Switching, or MPLS (www.mplsforum.org), is an alternative to IPsec-based VPN technology. It is a Layer 2 independent switching technology: it runs over frame-based and cell-based networks (such as Frame Relay and ATM) alike, uses Layer 3 (IP) routing information to build its paths, and then provides Layer 2 style virtual circuits across the network. Like IP-VPNs, it provides a virtual circuit through the network. Unlike traditional IP-VPNs, however, MPLS VPNs provide the same traffic separation as Layer 2 circuits without the use of encryption. IP-VPNs require IP addresses for forwarding and receiving data, and therefore require private and public IP address management. With MPLS VPNs, customer IP addresses are not used for forwarding inside the provider's network, so each customer can keep its own private addressing, even if it overlaps with another customer's.
As the name Label Switching implies, all packets carry labels attached by the Provider Edge (PE) routers, and the provider's core routers switch on those labels alone. Unlike IP-VPNs, an MPLS VPN does require the service to be provisioned by a service provider. Think of the MPLS VPN as a complex inventory control system where data packets are labelled with "barcodes" and then sent by the service provider to the destination, where they are read by "barcode scanners".
The simplicity of the MPLS concept also means that MPLS VPNs can be processor-efficient and scalable, since they do not require encryption. The caveat is that "no encryption" means exactly that: the separation depends on the provider's configuration, and the traffic is readable by anyone with access to the provider's network. Where confidentiality matters, run IPsec over the MPLS VPN.
Who is between the keyboard and your network?
VPNs are great for the safe delivery of data between hosts and clients. However, VPN technology does not know the difference between a chimpanzee and an authorized or legitimate user. Since passwords do not tie themselves to specific individuals, a VPN will not be able to tell whether the user is the rightful user or someone who managed to steal or guess a password.
A possible solution is to rely on tokens: hardware tokens or smart cards that hold a user's public key infrastructure (PKI) certificate and private key, or that generate one-time codes, so that authentication depends on something the user possesses and not only on a password that can be copied. Certificate-based tokens require the enterprise to erect a PKI platform and Certificate Authority capability, which can create higher management overheads.
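What a one-time-code token buys over a static password, as an added example that is not the article's code or any vendor's: the RFC 4226 HOTP algorithm on the token side, and a gateway-side verifier that tolerates a few unused presses but never accepts a code twice. The shared secret is the RFC 4226 test key, so the codes match the RFC's own table; the look-ahead window size is an assumption.

```python
"""Hardware-token style one-time password (HOTP, RFC 4226).

Added example, not the article's own code. Token and VPN gateway share a
secret; the token displays a 6-digit code derived from the secret and a
counter it increments on every press. A stolen or guessed static password
is useless without the device, and a captured code is useless after use.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Gateway side: one record per enrolled token."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0                 # next counter value we expect
        self.look_ahead = look_ahead     # assumed window: tolerate a few unused presses

    def verify(self, code: str) -> bool:
        """Accept a code from the window [counter, counter+look_ahead], then
        move the counter past it so the same code can never be replayed."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


TEST_SECRET = b"12345678901234567890"     # RFC 4226 Appendix D test key


def demo() -> dict:
    gw = TokenVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)          # "755224" in the RFC table
    return {
        "first_code": first,
        "accepted": gw.verify(first),
        "replayed": gw.verify(first),                         # used code is rejected
        "skipped_press_ok": gw.verify(hotp(TEST_SECRET, 3)),  # inside the look-ahead
        "too_far": gw.verify(hotp(TEST_SECRET, 9)),           # outside the window
    }


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual compromise between usability (a user pressing the button idly) and brute force; keep it small and lock the token after a run of failures, and note that this still authenticates the device, not the finger on it, which is where the biometrics discussion below comes in.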
That brings us to biometrics and other forms of user authentication. Biometrics can work as plug-in technologies for traditional IP-VPNs, and can be the first line of intrusion prevention at the keyboard level. It can also be discrete components of the physical perimeter security
Although we have seen biometric equipment breaking down at the hands of experts, it is the only available method of authenticating a user at a computer terminal without
With biometrics, even identical twins will appear different to the sensors, since no two irises or fingerprints are the same. Nothing is foolproof yet, but it is getting closer by the month.
Stopping malware at the door
VPNs, as part of the enterprise protection architecture, should also deny the transmission of illicit content or malware. Since bandwidth is still an expensive commodity, and larger GUI-based enterprise portal applications already consume much of it, such malware should be stopped at the gateway to allow more efficient VPN usage.
There are open source solutions that allow you to cut out most spam and viruses by simple file-type identification (checking an attachment's actual signature bytes rather than trusting its extension) and the use of regular expressions (regex, as popularised by Perl), or the more complex content-filtering algorithms offered by commercial vendors.
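The two cheap techniques just named, as an added example (not the article's code or any product's): a gateway-side filter that identifies attachments by their leading "magic" bytes instead of their extension, and runs a small regex set over the message body. The signature table, patterns and sample messages are constructed for the demo, and the policy (block executables, flag an extension that disagrees with the content, match a few spam phrases) is a deliberate simplification of what a real content filter does.

```python
"""Gateway content filter: file-type identification plus regex.

Added example, not code from the article. Attachments are typed by their
first bytes (the "magic number"), so an .exe renamed to .jpg is still
caught; the body is checked against a handful of spam patterns.
"""
import re

# (signature bytes, type, allowed through the gateway?) -- constructed table
MAGIC = [
    (b"MZ", "windows-executable", False),
    (b"\x7fELF", "elf-executable", False),
    (b"%PDF", "pdf", True),
    (b"\xff\xd8\xff", "jpeg", True),
    (b"PK\x03\x04", "zip", True),       # a real filter would recurse into archives
]
EXT_TO_TYPE = {"exe": "windows-executable", "pdf": "pdf", "jpg": "jpeg", "zip": "zip"}

SPAM_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bcl[i1]ck here\b.*\bfree\b",
    r"\bnot a spam\b",
    r"\b\d{1,3}% off\b",
)]


def identify(data: bytes) -> str:
    """Type an attachment by its leading bytes, never by its name."""
    for sig, kind, _ in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return reasons to reject; an empty list means the attachment passes."""
    kind = identify(data)
    reasons = []
    allowed = next((ok for _, k, ok in MAGIC if k == kind), True)
    if not allowed:
        reasons.append(f"{name}: executable content ({kind})")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext)
    if claimed and kind != "unknown" and claimed != kind:
        reasons.append(f"{name}: extension says {claimed} but content is {kind}")
    return reasons


def check_body(body: str) -> list:
    return [f"spam pattern: {p.pattern}" for p in SPAM_PATTERNS if p.search(body)]


def filter_message(msg: dict) -> dict:
    reasons = check_body(msg.get("body", ""))
    for name, data in msg.get("attachments", []):
        reasons.extend(check_attachment(name, data))
    return {"accepted": not reasons, "reasons": reasons}


# Constructed sample traffic
SAMPLES = {
    "clean": {"body": "Q3 report attached.",
              "attachments": [("report.pdf", b"%PDF-1.4 ...")]},
    "renamed_exe": {"body": "photo from the offsite",
                    "attachments": [("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 16)]},
    "spam": {"body": "CLICK HERE for your FREE prize, 90% off!", "attachments": []},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, filter_message(msg))
```

Magic-byte checks are cheap enough to run inline on the gateway, which is the point of the paragraph above: the expensive antivirus scan then only has to look at what survives this first cut.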
Keeping the network up
VPNs can be secured, but they should also allow communication without any downtime. It is unimaginable to have a VPN break down every so often, since vital transactions such as fund transfers between financial institutions can be lost or corrupted.
A good VPN architecture should provide for redundancy and load balancing, and there should be no single point of failure. If a VPN server goes down, another one should immediately take over. Even a transaction or transmission in transit should be carried over to the destination without corruption when a failover VPN server takes over.
This seems like an expensive proposition and is not often practised at many organisations, even large ones. However, there are simple and affordable VPN solutions that will make the setting up of redundant VPN units
Progressively, VPN systems are getting smaller, cheaper and easier to learn about and maintain. Their performance is also improving quickly, and alternatives such as MPLS are pacing the evolution of IP-VPNs steadily. In the not too distant future, it is conceivable that VPNs will form a staple of standard desktops and enterprise operating systems, or be embedded in core hardware, and provide the much needed speed and performance demanded by emerging applications and data.
Seamus Phan is research director at KnowledgeLabs
News Center (www.knowledgelabs.net), an independent
technology news bureau and writes for Network Computing-The
Asian Edition. Want to share your experiences with VPNs?
E-mail at firstname.lastname@example.org