Tapping roots

Web technology offers remote and nomadic users easy access to the home office. But is surfing the 'Net and into the intranet as safe and easy as it first appears?

By Peggy Watt

Bringing remote and roving users into the corporate intranet forces IT managers into a balancing act. They've got to weigh the simplicity of browser-based access via the Internet against the security of older methods.

Web-based access definitely has ease of use in its favor. Browser-equipped remote users make a local call to the Internet. Once connected, they enter the URL or click on the assigned bookmark for the corporate Web. Entering a valid password usually gives them access to the same resources - Webified legacy databases, e-mail and applications - as their onsite peers.

As companies Webify traditional data sources, remote users potentially enjoy greater access to corporate information than previously. Users praise the functions they get when employers put Web front-ends on data warehouses, for example. Before the Web, querying and reporting tools were reserved for researchers versed in the art of online transaction processing.

Salespeople, among others, value this accessibility. While at customer sites they can tap into the intranet and pull down data on products in stock or pricing, for example. But should that data be sailing across the Internet? That is its route, if the user is browsing into the intranet instead of using the older method of connecting directly into a LAN gateway.

"Whenever you connect a wire to the Internet, you're opening yourself up to possible compromise," says John Telford, a principal at Infomax Consulting Inc., in Portland, Oregon. "The mechanisms to gain remote access are not so much of a challenge as figuring out the security aspects."

The Internet's primary vulnerability is a lack of security. While a dial-up call goes over a public line, it goes directly to a corporate server and doesn't pass through an anonymous chorus of servers and routers as it would over the Internet. A lot of IT managers are out on that wire, trying to find the balance.

More than 108 million employees worldwide will work outside traditional office settings by 2002, according to a study by the market research firm GartnerGroup Inc., of Stamford, Connecticut. And just because the users won't be at headquarters doesn't mean they won't need or expect access to the data stored there. IT managers are finding there's no single access solution, and probably few permanent ones, in the changing world of Web technology.

Piscataway, New Jersey-based Chanel Inc., part of a global company headquartered in Paris, is building an extranet to facilitate communications among its dispersed salespeople. Chanel has implemented RemoteWare Express, an extranet-based transaction tool from XcelleNet Inc., in Atlanta, to send and verify order information between sales staff and central offices. The browser-based access is easy for the 150 salespeople, who use hyperlinks for navigation. They connect through the Internet and a Windows NT-based remote access server (RAS).

Giving the sales staff a browser interface to corporate data is proving easier to manage for users and IT, says Joe Slattery, a senior programmer. The salespeople are getting access, through the Web tools, to more data than they previously could retrieve remotely. Chanel also is testing RemoteWare Express Software Manager, which can securely distribute software updates to remote and mobile users when they access the extranet. The company is studying access and work patterns to determine the best methods for broadcasting data and program updates to the remote users, Slattery says.

Like XcelleNet, vendors that have long offered remote access tools are reassessing and revamping their product offerings to accommodate the Internet as the route of choice and a Web infrastructure at the destination. If users can come into the corporate LAN through an intranet, companies no longer will need a modem bank for direct-dial connections into a RAS. Neither will they need to manage multiple points of presence, since each user makes a local call to the Internet.

In traditional remote access configurations, the RAS that acted as the gatekeeper to the corporate LAN also handled authentication and security - functions a network manager does not want to give up just because remote users enter an intranet via the 'Net. So some companies keep the RAS, but add a switch intended to handle extranet access. That switch sits between the Internet and a virtual private network (VPN) leading to the intranet. The extranet access switch integrates network communications (protocol and services) with routing functions, authentication, bandwidth management and interaction with the corporate firewall. New Oak Communications Inc., in Acton, Massachusetts, markets one such switch - the NOC 4000.

Companies can retain their existing RAS and still take advantage of an Internet connection in other ways. Funk Software Inc., in Cambridge, Massachusetts, for example, recently expanded its Remote Access Communications Suite with an Internet gateway that acts as a secure router. It allows browser access to Novell Inc. IntraNetware servers. Even companies without direct 'Net connections can link to an Internet service provider from a RAS port.

"We think [VPNs] through service providers will be the big trend for '98 [when it comes to intranet access]," says Brad Baldwin, director of remote access at International Data Corp.'s Mountain View, California, office. Most major carriers, including AT&T, MCI Communications Corp. and Sprint Corp., offer VPN services, as do smaller data services providers, such as IBM Global Services and GE Information Services.

Most carriers use tunneling protocols to ensure privacy across their backbones. Tunneling software encapsulates IP packets inside encrypted packets for transport through a temporary point-to-point connection. A firewall at the source encrypts and encapsulates data to send it; one at the destination opens, authenticates and decrypts the data.

"It's the same issue whether you're dealing with roaming users or an extranet with business partners," says Julie Bort, a Silverthorne, Colorado, analyst who follows security standards development. For example, a financial officer might be accustomed to retrieving up-to-the-minute corporate sales information from a central repository, often through a browser interface to a legacy database that produces HTML reports on the fly. When the executive is traveling, that same proprietary information could be available safely via a VPN.

For long distances, a VPN is an ideal solution for remote access, Telford says. He recommends such a setup for a client with offices in Hong Kong and the Pacific Northwest to beat the astronomical cost of dedicated circuits.

Deciding to use a VPN is the easy part. Once IT managers have made that choice, they have to pick among several competing tunneling protocols. The choice primarily comes down to the Microsoft Corp.-developed Point-to-Point Tunneling Protocol (PPTP) and the Internet Engineering Task Force's IP Security (IPSec) protocol.

In a typical scenario, PPTP runs on the remote Windows client and a Windows NT Server providing Web, proxy and routing services. A traveling employee makes a local Internet connection and enters the Web address of the company extranet. The client sends a user ID and passwords for the ISP and the RAS. The server recognizes and admits packets only from the remote user. The server also can send an ID for the remote program to authenticate.

Bort cautions that PPTP may be a short-lived solution, even though it may be well-supported. That's because Microsoft is working on its successor - Layer 2 Tunneling Protocol (L2TP).

IPSec supports the use of multiple encryption algorithms, including variations of the Data Encryption Standard, for a stronger encryption than PPTP. It also is used with tunnels involving firewalls and routers and resides on both client and server.

At the least, companies giving remote users intranet access over the Internet should take advantage of the Secure Sockets Layer (SSL) standard, Bort says. Designed by Netscape Communications Corp., SSL is widely supported in both servers and browsers.

If intranet managers aren't satisfied with security currently available for Internet access, they still can require users to dial up a RAS directly but allow them to do so through a browser interface. They can implement the same password and even encryption protection, but avoid the public network.

Even third parties are enhancing remote access tools for Web play. Take Traveling Software Inc., in Bothell, Washington, for example. The vendor, which is well-acquainted with nomadic users through its LapLink file-sharing and update program, now markets Point B Remote Net-Accelerator. The software, which resides on the browser-based client and the RAS, speeds remote transmissions through caching. It caches data on the client and then, after comparing what's on the client to what's on the server, only sends updates. "Point B is middleware in any PPTP or VPN solution," says Clemens Butz, product manager.

Host access vendors are being especially conscientious about partnering on Web connectivity. Remote host access - getting into the corporate databases with the same privileges as a local client - obviously raises security concerns, but all major host access vendors have browser-enabled their tools. They are adding support for Java, ActiveX and other Web technologies and are teaming with RAS, switch and port vendors to ensure the security of host applications accessed via an extranet or intranet.

And the next big thing? According to Baldwin, faster communication through cable modems and digital subscriber line technologies will provide more secure VPNs. The intranet bounds, it seems, may be limitless.