Making the move from modem bank to IPSec
Austin, Texas
Schlumberger Corp., a global giant in oil-field services, has long been dependent on dial-up modems to connect tens of thousands of employees in about 65 countries to its corporate LAN.
This remote access scheme has forced the company to maintain about five dozen modem banks around the world and has cost Schlumberger a bundle on point-to-point long-distance telephone calls.
Time for change
But the era of the modem bank appears to be drawing to a close at Schlumberger, which now plans to migrate to a remote access system based on Internet access lines and IP Security (IPSec) technology.
Over the next 12 months or so, Schlumberger plans to start swapping its dial-up modems for IPSec-based virtual private network gateways from TimeStep and complementary client/server applications from other vendors.
By relying on IPSec products, Schlumberger hopes to provide its employees with a secure, global access network and enable trading partners to exchange encrypted data with Schlumberger by deploying their own standards-based remote access gear.
IPSec advances
Though slow to take shape over the past three years, the most recent version of the IETF's IPSec standard has finally "crossed the threshold of viability," says Bill McGregor, senior research scientist at Schlumberger. His group has been closely following the standard's development, and its implementation in vendor firewalls, gateways and routers.
IPSec, which defines authentication and encryption techniques for secure access, used to be limited to gateway-to-gateway data exchange.
Now IPSec also includes a more complex client-to-gateway security mechanism that lets a user with IPSec client software remotely authenticate his identity to the gateway.
As soon as this authentication happens, the user is granted encrypted access to as many as 20 authorized subnets behind the IPSec gateway. With this security system, the remote user can be restricted to specific LAN segments rather than be allowed to roam at will through the entire corporate intranet.
"The client software knows what subnets are behind the gateway," McGregor says.
For the remote computer user and the organization's gateway to identify each other, they can swap digital certificates or predefined shared secrets as simple text strings. Schlumberger has chosen to use Entrust Technologies' X.509 digital certificates.
Under Schlumberger's set-up, the user's IP address will also be viewed as a source of identity by the IPSec protocol. Each IPSec gateway will be able to dynamically assign an IP address to a remote user for use on the corporate network as the user is granted encrypted access. This technique is sometimes called tunneling.
IPSec now performs IP assignment in an automated way, while in the past, manual intervention would have been required to add the temporary IP address to each client.
According to McGregor, the IPSec technology has "moved from being an experiment a year ago," to being mature enough to deploy operationally. The first users to get IPSec software on their computers will likely be Schlumberger's sales, research and field engineers.
