What they never told you about VPNs

4/06/98

On Security

By Winn Schwartau

For the past several months, I have been inundated with Fedexes from countless vendors claiming they are in the virtual private network (VPN) business. I've been deluged with articles in the industry press on the importance of VPNs for business success and electronic commerce. I've seen 'Net-rant after 'Net-rant as to why "My VPN is better than your VPN."

And after studying up on VPNs and speaking to a slew of knowledgeable friends in the field, academics and more VPN vendors than I ever knew existed, I have come to the following conclusion: No one has the slightest clue what a VPN really is.

That is, except me.

If you believe the Internet Engineering Task Force and many vendors of related products, a VPN is loosely defined as "tunneling, or establishing encrypted channels over IP networks." I'm sure that means a great deal to the fearless corporate leaders who still have trouble turning on their PCs.

When clients ask me to help them implement VPNs, I ask them, "What are you trying to achieve?" It turns out they have little idea what they really want to do - which is not surprising given our current concepts of VPNs are about as naive as thinking you can run Windows NT on a 386 with 8M bytes of RAM.

Remember that the key word in VPN is virtual, meaning the individual packets can take any route to get from point A to point B. The encrypted secure channel is not a fixed pipe, as vendor diagrams would have you believe, but a dynamic, constantly shifting encrypted communications path that may move from your home laptop through Timbuktu to get to your headquarters.

That said, here are some of the things you were never told about VPNs.

VPN architectures are much more powerful than users are being led to believe. Classic VPN network diagrams show "secure" paths from one enterprise's server to a server at another physical location, with the Internet cloud fogging things up in the middle. Conceptually, this "connectionless connection" replaces dedicated X.25 or leased lines between remote offices and corporate divisions or from data center to data center. If this is all you need, fine, but the true VPN technology can do so much more in varying real-world uses.

One popular application is to use a remote client Web browser to communicate with a host server and thereby extract information from a database, conduct commerce or send e-mail in privacy. Using the IP Security concept of tunneling over IP as the only way to achieve a VPN, we again find a limited architecture. The non-IP intranet, dial-up users and other non-IP connections will not be able to access the VPN.

Most VPNs are of the server-to-server type and protect only an organization's perimeter from the ravages of the Internet. This provides point-to-point security but not end-to-end security all the way to the intranet desktop.

VPN designers are only beginning to investigate expanding the VPN security model to the interior of the sites' networks, through the intranets to the desktop. This capability will provide protection throughout the organization and will function using higher levels of the Open Systems Interconnection stack than the network or transport layer.

A VPN, as designed today, is a single-level security system. That means everyone with access to VPN resources has the same security classification. I find it odd that VPN designers don't use cryptographic mechanisms to provide data separation based on user identity - that is, give different users access to different sets of data.

In banking applications, for example, your average customer might not be given as much access to resources and information as elite private banking customers who might receive this perk due to their larger account balances. VPNs should address this user and data separation issue with a single security control rather than forcing you to build additional access control table mechanisms that require multiple levels of administration.
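As an added illustration (not part of Schwartau's column), the following Python sketches the cryptographic data separation the column asks for: records are sealed under per-class keys and a user is provisioned only the keys for the classes they are cleared for, so a retail customer cannot read private-banking data even though both travel over the same VPN. The class names, master key, record contents and the toy HMAC-based cipher are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple
# Constructed illustration of the column's point: each data class is sealed under
# its own key, and a user is provisioned only the keys for the classes they are
# cleared for, so separation follows from key possession rather than from an ACL
# consulted per request. The cipher is a toy (HMAC-SHA256 counter-mode keystream
# plus an HMAC tag) so the block runs on the standard library; use AES-GCM in practice.
NONCE_LEN, TAG_LEN = 16, 32

def derive_class_key(master_key: bytes, data_class: str) -> bytes:
    """Derive a per-class key from the VPN operator's master key."""
    return hmac.new(master_key, b"class:" + data_class.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, data_class: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record; the class name is bound into the tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, data_class.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, data_class: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when this key cannot authenticate the record."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data_class.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def provision_user(master_key: bytes, cleared: List[str]) -> Dict[str, bytes]:
    """A user's key ring holds exactly one class key per clearance."""
    return {c: derive_class_key(master_key, c) for c in cleared}

def read_records(key_ring: Dict[str, bytes], records: List[Tuple[str, bytes]]) -> Dict[str, bytes]:
    """Decrypt every record whose class key the user holds; the rest stay opaque."""
    readable = {}
    for data_class, blob in records:
        key = key_ring.get(data_class)
        plaintext = unseal(key, data_class, blob) if key is not None else None
        if plaintext is not None:
            readable[data_class] = plaintext
    return readable
```

Because the class name is bound into the tag, a record relabelled as a different class fails authentication rather than decrypting under the wrong key.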

My kind of VPN would let me talk to the host server organization and to other VPN users privately, whether they be within the boundaries of the host site or sitting at a laptop on a ship. Current VPN architectures are remnants from legacy systems: We can talk to the mother ship but not to one another.

A VPN is supposed to make your business more competitive, more secure and easier to use. It is not supposed to be technology for technology's sake. Develop your business needs first, model the information flow and process that you would like to see, project what you think you'll need in a couple of years from a secure communications standpoint, and use that as your starting point.

The VPN business is too new to be locked into a short-term solution.

Schwartau is chief operating officer of The Security Experts, Inc., an information security consulting firm in Seminole, Fla., and president of infowar.com. He can be reached at winn@securityexperts.com or winn@infowar.com.


Copyright, 1994-2006 Network World, Inc. All rights reserved.