Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Google brings Buzz social networking to Gmail, mobile
Virginia firm files encryption lawsuit against tech giants
Most smartphones now have touchscreens, research finds
Five Ways Early Adopters Have Been Screwed
Google Nexus One fee cut follows broad FCC inquiry
NASA Endeavour set to dock with, expand International Space Station
Cisco, Juniper push new mobility-focused products
Startup links VMware with Amazon to create secure cloud storage
Adobe apologizes for 16-month-old Flash bug
Juniper execs share network vision
Planning for virtualization? Beware of server overload
US National Climate Service to manage world of climate change
Google tries to make Gmail more like Facebook, Twitter
'Rugged Manifesto' promotes secure coding
/

Protecting the 'private' in VPN

Related linksToday's breaking news
Send to a friendFeedback

By ALAN MACLEOD
Network World, 09/27/99

While the IP Security (IPSec) standard delivers strong authentication and encryption capabilities, it falls short in the features necessary to deploy and manage large-scale remote dial-up communities in a virtual private network.

Device-level authentication is a standard part of the IPSec Internet Key Exchange (IKE) negotiation, but IP address assignment and user-level authentication procedures are not. As a result, Internet Engineering Task Force efforts called IKE Configuration Method, Extended Authentication and Hybrid Authentication are underway to simplify and standardize key dial-up VPN services.

Remote users need a valid, internally recognized IP address to access the corporate network. Today they receive IP configuration information when they dial in to their corporate networks. This same requirement exists for remote access IP VPNs. To alleviate the need to manually assign IP addresses to each user, the IPSec working group has proposed the IKE Configuration Method. Known as Mode Config, it allows a dial-up user to receive IP configuration information as part of the IKE negotiation. Mode Config lets companies operate their IP VPNs in the same way they operate traditional remote access; it should be mandatory feature for any VPN.

The IPSec working group has focused primarily on digital certificates as the long-term solution for authentication at the device and user levels, but there are near-term issues.

First, distributing "trusted" certificates to a large body of remote users is complex. Second, a digital signature is generated from a key that resides on each PC. While the key is typically protected, the PC is often physically vulnerable to unauthorized access. Third, today's network operating systems (NOS) do not directly support certificates for user authentication.

For device-level authentication, preshared keys, which are somewhat analogous to passwords, offer a near-term alternative to certificates. They are easier to deploy, as they can be distributed once to each PC during the initial configuration process. However, they are less secure than certificates.

While the ultimate goal is to authenticate certificates directly to the NOS directory, two more near-term solutions have been proposed. The first is Extended Authentication within ISAKMP/Oakley (XAuth). The second is Hybrid Authentication Mode for IKE. Both proposals are defined as extensions to the IKE negotiation process and are based on the Mode Config draft described above.

XAuth allows user-level authentication against existing third-party authentication systems such as Remote Authentication Dial-In User Service, NetWare Bindery or Novell Directory Services. Because XAuth expects user input - username and password - it still requires certificates or preshared keys for first-phase device-level authentication.

In the most common XAuth scenario, a company's dial-up VPN users are assigned the same preshared key. This is not a problem for authenticating users; they still go through a username and password authentication. However, it is an issue for users authenticating their security gateways. It would not be difficult to spoof the gateway to obtain people's usernames and passwords. Certificates are necessary to address this problem.

As a result, Hybrid Authentication Mode for IKE has been proposed. Hybrid Authentication, a variation on the XAuth draft, combines the best of both worlds. Certificates are deployed only on the security gateways, not on all PCs. At the same time, the IKE negotiation is extended to allow authentication against existing third-party systems.

During the first phase of device-level authentication, the remote PC is optionally authenticated by the gateway via a digital signature/certificate. The gateway must return a digital signature/certificate to the client to confirm that it is the correct gateway. Second-phase user authentication is then based on username and password, allowing integration into existing authentication systems.

It's worth noting that because both proposals build on mechanisms used in IPSec, they can coexist within a full certificate infrastructure. The protocols have reasonably strong support within the VPN vendor community and provide a solution that will be required for many years to come, if not for the lifetime of IP VPNs.

Related Links

MacLeod is director of systems engineering at Xedia. He can be reached at amacleod @xedia.com.

Extended Authentication within ISAKMP/Oakley
IETF draft.

A Hybrid Authentication Mode for IKE
IETF draft.

Review and buyer's guide: VPNs
See how we rated several models and use our database to find and compare many others. Network Word, 5/10/99.

What is IPSec
Overview by the IPSec Developers Forum.

IETF IPSec working group

Feedback
Tell us your thoughts on this article or the issues it raises.

 
NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.
* HOME    * RESEARCH CENTERS     * NEWS     * EVENTS

Contact us | Terms of Service/Privacy | How to Advertise
Reprints and links | Partnerships | Subscribe to NW
About Network World, Inc.

Copyright, 1994-2006 Network World, Inc. All rights reserved.