By Alex Henthorn

First comes a department or two, then headquarters, followed by corporate sites scattered around the world. Before you know it, sales staffers and other on-the-go employees also want access to the corporate Web. It's great to extend the intranet beyond the confines of corporate headquarters, but along with that access come security concerns. What's an intranet manager to do?

The answer, in many cases, is to rely on virtual private networking (VPN). With this technology, intranet managers can outsource private remote corporate Web access to Internet service providers. With the Internet serving as a ubiquitously accessible backbone network, intranet managers can reduce the cost and complexity of delivering remote access to centralized Web-based information resources.

VPNs take private data, such as IP and IPX packets, and securely transport it over the Internet. Security functions are performed on IP packets, which are then encapsulated, or tunneled, inside other IP packets for routing across the Internet.

If you're considering extending access to the corporate Web using a VPN, your first and foremost concern should be security. Generally, it is easier for hackers to break into and exploit the data on a corporate LAN from the Internet than it is for them to capture IP packets as they are routed through the Internet. This is because Internet routers are specialized, single-task computers with lean, security-hardened operating systems made only to route traffic across the Internet backbone. Additionally, Internet routers are typically administered in a secure manner. On the other hand, the general-purpose computers typically used for Web and E-mail servers, and sometimes even firewall gateways, use operating systems that are designed more for accessibility than security. This means they tend to have many exploitable security loopholes.

In order for a VPN to be truly secure, three security functions must be invoked. Authentication assures receivers that the sender is really the sender. Integrity assures receivers that when data arrives, it is only from the sender and that no third party has inserted data into the packet stream. Encryption assures receivers that only they can read the data.

In a VPN, security functions must be applied to every IP packet that is transmitted because Layer 3 protocols such as IP are stateless: there is no way of telling if a packet is really associated with a particular connection. While upper-layer protocols such as TCP are stateful, their connection-tracking mechanisms aren't secure because they can be so easily duplicated or spoofed. Without per-packet authentication and integrity, which typically can be implemented via software upgrades, a VPN does not have tunnel endpoint security, and the VPN connection will compromise the firewall security.

The Internet Engineering Task Force (IETF) recognizes two standards-based algorithms for authentication and integrity. One is Message Digest Version 5 (MD5) and the other is Secure Hash Algorithm (SHA).
Encryption equation

Encryption, which is not always necessary, tends to be costly to implement because most communications devices such as routers can't encrypt streams of data and maintain normal levels of performance without specialized hardware.

To assess the need for encryption on your VPN, begin by identifying and classifying all the types of intranet data that could result in a loss to the organization if captured by an outsider. Next, measure the data's potential opportunity cost, or the cost someone would be willing to incur to get that data. Then identify and analyze the likely poachers of this data. Think about motives and financial resources. At a minimum, the IETF endorses the use of the 56-bit Data Encryption Standard (DES) for encrypting most corporate data transmitted over a VPN.
The key to scalable security

Keys, the equivalent of personal identification numbers, are integral to the authentication, encryption and integrity functions. They are mixed into the security process, making the output mathematically impossible to decode without knowledge of the key.

And don't overlook key management, which is the process of automatically keeping security keys updated. In VPNs with only a few sites, manual updating of keys may be acceptable. However, in a large VPN, it is necessary to have an automated system to handle these updates. Since security protocols such as MD5 and DES are available in source code form to anyone on the Internet, the keys really determine the strength of the security. This means keys must be updated or changed regularly to fend off attackers. Key management takes this security consideration and applies it to the operational dynamics of large networks.
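The per-packet authentication and integrity check described earlier, and the key rotation this section calls for, can be seen together in the following added example. It is not code from the article or from any VPN product: it uses a keyed SHA digest (HMAC) over a tunnelled packet, with a small key id in the outer header so the receiver can tell which key is in force; the packet layout, key ids and payloads are constructed for illustration.

```python
import hmac
import hashlib
import os
from typing import Dict, Optional

# Truncated tag length: IPsec commonly keeps 96 bits of the HMAC output.
TAG_LEN = 12
KEY_ID_LEN = 2  # constructed outer-header field identifying the key in use


def protect(inner_packet: bytes, key_id: int, key: bytes) -> bytes:
    """Encapsulate an inner packet: prepend the key id, append a keyed SHA tag."""
    body = key_id.to_bytes(KEY_ID_LEN, "big") + inner_packet
    tag = hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]
    return body + tag


def verify(outer_packet: bytes, keys: Dict[int, bytes]) -> Optional[bytes]:
    """Return the inner packet if the tag checks out under a known key, else None."""
    if len(outer_packet) < KEY_ID_LEN + TAG_LEN:
        return None
    body, tag = outer_packet[:-TAG_LEN], outer_packet[-TAG_LEN:]
    key = keys.get(int.from_bytes(body[:KEY_ID_LEN], "big"))
    if key is None:  # unknown or retired key: the packet cannot be authenticated
        return None
    expected = hmac.new(key, body, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return body[KEY_ID_LEN:]


def demo() -> Dict[str, bool]:
    """Run the cases from the article's argument; True means the receiver accepted."""
    keys = {1: os.urandom(20)}  # constructed: one active key with id 1
    inner = b"constructed inner IP packet payload"
    genuine = protect(inner, 1, keys[1])
    tampered = bytearray(genuine)
    tampered[KEY_ID_LEN + 3] ^= 0x01  # flip one bit of the inner packet in transit
    injected = protect(b"third-party data", 1, os.urandom(20))  # sender lacks the key
    results = {
        "genuine accepted": verify(genuine, keys) == inner,
        "tampered accepted": verify(bytes(tampered), keys) is not None,
        "injected accepted": verify(injected, keys) is not None,
    }
    keys = {2: os.urandom(20)}  # key management: rotate to id 2, retire id 1
    results["old-key packet accepted after rotation"] = verify(genuine, keys) is not None
    results["new-key packet accepted after rotation"] = verify(protect(inner, 2, keys[2]), keys) == inner
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

An unkeyed digest such as plain MD5 or SHA over the packet would not give the same guarantee, since anyone can recompute it; the key is what ties the tag to the sender.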
The protocols

Four protocols are being pushed as VPN solutions. They are the Layer 2 Forwarding Protocol, the Layer 2 Tunneling Protocol and the Point-to-Point Tunneling Protocol promoted by various vendors, as well as the IETF's IP Security (IPSec) Protocol.

The first three are known as Layer 2 forwarding protocols because they first encapsulate Layer 3 packets such as AppleTalk, IP and IPX in the Layer 2 PPP before encapsulating them in IP. While billed as VPN solutions, these protocols have no packet-by-packet encryption, authentication or integrity functions or a key management facility. IPSec provides for packet-by-packet authentication, integrity and encryption. The IETF also plans to formally endorse a standards-based key management protocol called Internet Security Association and Key Management Protocol with Oakley key determination. The IPSec protocols are the most advanced VPN standards effort. They already are being tested extensively today by multiple vendors of remote access, firewall and other intranet-related software.

All of these arcane technical issues are important to keep in mind, but intranet managers must ultimately choose real products to implement a VPN. The good news is that VPNs can be built using existing routers, gateways and desktop software that have been upgraded to support IPSec.