Securing the last mile


Testing shows a level playing field for user-to-site VPNs.

Securing that last mile is a frightening prospect.

Client-to-LAN virtual private networks (VPN), which encrypt communications between an individual's laptop or home PC and corporate LANs, break two of the cardinal rules of enterprise network support: Never touch the desktop, and never do anything that requires users to change their computing habits.

The need for security is driving network managers to lock up communications between users and corporate LANs. But how do you create, deploy, support, manage and report on hundreds or thousands of VPN client users?

Blue Ribbon winner

Despite having its competitors directly on its heels, TimeStep Corp. earned our Blue Ribbon award because its Permit Enterprise product offers the best support for PKI and the strongest management tools for an enterprise deployment.
We tested 11 user-to-site VPN products. Many of the same vendors were represented in our site-to-site VPN review earlier this year (NW, May 10, page 86), in which we looked at configuration and performance in a LAN-to-LAN environment. This time we focused on how products handle corporate VPN clients.

Most of the products we tested provided reliable performance and reasonable manageability. In fact, of the 11 products we tested, eight accumulated total scores that lay within a one-point span. TimeStep earned the Network World Blue Ribbon Award because its Permit Enterprise 1.2 product serves up the management tools needed for a truly huge deployment.

Setting the VPN client ground rules

An end user's experience with a VPN starts with the software installation. We normally don't evaluate client installation procedures, but because VPN clients are generally installed in the field, we wanted to look at the whole experience. Even this was a little unfair: We tested on freshly installed Windows 95 systems, so we didn't get to experience the full gamut of Windows conflicts and confusion associated with installing software on a well-traveled laptop.

How we picked products

We invited all VPN vendors to submit products for this review. Most of the major vendors responded and sent products to our lab. Cisco begged off because it was still in final beta testing with its VPN client.

Xedia also declined, citing lack of resources, although the recent VPN powerhouse acquisitions by Lucent (which now owns, in addition to its own VPN product, complementary and competing products from Xedia, Livingston and Ascend) have probably thrown its marketing efforts into chaos.

Compatible Systems, Nortel (formerly Bay, formerly New Oak), and Network Associates all declined to participate.

The odd man out in this review is IRE, which at this time only offers VPN client software and doesn't sell a complementary tunnel server and management system.

We ended up looking at its product multiple times anyway: once through its standalone submission, and again because several of the VPN tunnel server vendors offer the IRE client under an OEM license.

We looked at the ways each product handled setting up authentication information for each VPN client, configured the client software and set up security policies.

One of the difficulties in setting up VPNs is putting security key information on the client. Public-key certificates, which provide the best security, are long and cumbersome. More importantly, the private half of the public key should not pass over the network - it should be created on the client and locked there with a passcode.

No vendor had a magic bullet for dealing with key information. Most of the products we tested used the simpler, less secure, "preshared secret" authentication method, which means each client is given a username and password. Many vendors also supported public-key digital certificates, using standards-based, or their own proprietary, certificate authorities.

TimeStep took the digital certificate and certification authority scheme the most seriously with Permit Enterprise. The company includes a copy of Entrust's certificate authority and an X.500 directory in its enterprise management suite. With these tools, you're well armed. The combination produces a certificate authority and directory database configuration designed to scale to tens of thousands of users.

Building a full system for creating, managing, securing and revoking digital certificates falls under the rubric of public-key infrastructure (PKI). The term "infrastructure" is chosen carefully because installing a PKI can be as difficult as any other part of your network infrastructure. A proper PKI installation requires that the network and security managers come together to determine a whole suite of policies and procedures for identifying network users. Doing PKI right is a big deal and one the VPN vendors we tested aren't ready to take on just yet - except for TimeStep, whose Permit Enterprise is one product in which support doesn't look like it was an afterthought.

Once we got authentication information out of the way, we examined how policy and configuration information is installed with each product. This is easier than setting up security key information because one policy typically works for an entire group of users.

Here, Data Fellows' F-Secure VPN, Indus River's RiverWorks Enterprise VPN, Intel's VPN Gateway Plus and VPNet's VPNware stood out. These products all loaded security policy information into the client over the network.

Every other product in our sampling took a more traditional approach. You must build a deployment kit, combining network-specific initialization files with vendor-supplied images. When the kits are distributed, end users who install the VPN client get the corporate policy information at the same time.

But VPN Gateway Plus and VPNware automatically load security policy information onto the client at installation time, giving you a one-time chance to define network security policies.

F-Secure VPN and RiverWorks take this feature further, allowing automatic policy updates after the client has completed its initial configuration. The management server sets up software and policy changes for the client. The next time the client connects, it downloads any changes sent. If you're using the full Data Fellows suite, including antivirus and file-encryption tools, the policy manager used with F-Secure VPN coordinates updates, virus signatures and policy information. It's an elegant solution, but it requires a Windows network environment.

Indus River's RiverWorks has a more comprehensive and complex solution to the client policy problem - one that combines Windows-based dial-up networking and VPN authentication into a single control panel sitting on an end user's desktop.

River Pilot, a component of RiverWorks, integrates all corporate ISP dial-up numbers, access codes and policies into the VPN client. The user hits "connect," and the client dials the Internet - based on the local telephone number information - and takes the user all the way from the dial tone to an encrypted VPN connection.

The network manager controls every aspect of the connection, from whether an 800 number is allowed and which ISP is preferred in each city to which end users are dialing in to the corporate network. This policy information, along with a revised list of dial-up numbers, is downloaded to clients whenever they connect.

For certain kinds of large deployments, these features give Indus River a clear advantage. For example, an organization with multiple ISP contracts, occasional branch-office and headquarter dial-ups and an emergency 800 number - all managed from a central site - would find that River Pilot decreases support and ongoing costs at the same time it increases control.

All other vendors we tested treat their encryption software as a network add-on to Windows. They assume that the user has already set up a network connection, either through a LAN or through dial-up networking.

Policy lock-down is another feature that distinguishes some of the products we tested. Once policy and configuration information is loaded, some products, such as Intel's VPN Gateway Plus and Check Point Software's VPN-1 Gateway, let you lock it down so the client can't control or change it. In fact, certain products - such as Indus River's RiverWorks, Altiga Networks' VPN Concentrator Series, VPNet's VPNware and Lucent's Security Management Server - work only that way. Others, such as RedCreek's Ravlin 7100 and Data Fellows' F-Secure VPN, let the user be in complete control at all times.

Which security policy approach works best depends upon your environment. Unfortunately, no single product covers the whole market by letting you choose between total control and total freedom on a client-by-client basis.

Client security

Once your client access policies are set, you have to consider how securely wrapped the data you're sending over the wire is. We concentrated on IP Security (IPSec) and Internet Key Exchange (IKE) as IP encryption methods because they are the two prevailing standards. IPSec is the standard suite that describes how information is encrypted and authenticated. IKE describes how tunnels are set up and how security keying information is created and exchanged.

Some vendors, such as RedCreek and Check Point, support IPSec/IKE and their own proprietary (or non-IPSec) encryption. In most cases, these vendors let you select your encryption preference.

In user-to-site mode, VPNet's VPNware only supports the Simple Key Management Internet Protocol (SKIP) encryption system. That didn't worry us very much because SKIP is a well-understood standard. InfoExpress only supports a proprietary system in its product, VTCP/Secure. The company had beta versions of IPSec code available, but not on the platforms we were using to test.

We were also concerned about Indus River, which does not support IKE for key exchange, and Intel, which requires its own proprietary protocols if you want to use its new client deployment tool. But these aren't killer weaknesses.

Layer 2 Tunneling Protocol is not well established in the marketplace - at least not until Windows 2000, which has a built-in L2TP VPN tunneling client, hits the streets next year. Therefore, support for L2TP was not well represented in the products we tested. Altiga's VPN Concentrator Series was the only product to offer an L2TP tunnel.

L2TP is an entirely different strategy for pulling tunnels (not encrypted, by the way) from a central site to an end user. The benefit of L2TP is that an end user can use protocols other than IP (such as IPX) to tunnel to the server. And if an end user is authenticated using the L2TP mechanisms - which are different from and complementary to the IPSec authorization tools - the end user can get an IP address assigned in a standard way from the central site network.

Indus River's RiverWorks and VPN Concentrator Series include Point-to-Point Tunneling Protocol, which is useful in Windows 3.1 or Macintosh environments in which IPSec client software is not readily available.

In addition to encryption and tunneling standards, network managers should pay attention to the built-in client-side firewalls available with some of the products we tested. After all, if a client PC has a window into your network, shouldn't it have protection against compromise? Data Fellows' F-Secure VPN, InfoExpress' VTCP/Secure and Check Point's VPN-1 Gateway all have some firewall capabilities in their client and server software. Check Point, in its Secure Client package, includes a stateful firewall, although only with a limited policy set.

A stateful firewall is a variant of a packet-filtering firewall that maintains state information about connections as they pass through the firewall. This ability allows the software to match flows in both directions. Without stateful analysis of traffic flows, a packet-filtering firewall cannot enforce very strong security, because it has no way to let in only those packets that belong to an approved "connection."

VTCP/Secure and F-Secure VPN offer a less-secure pure packet filter at the client side.
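To make the distinction concrete, here is an added illustration that is not code from the review or from any vendor it names: a stateless filter that admits anything resembling a web reply, beside a minimal connection-tracking filter that admits inbound packets only when they match a flow the client itself opened. The client address, hosts, ports and the packet trace are constructed sample values.

```python
# Added illustration, not code from the review or any vendor it names: a stateless
# packet filter beside a minimal connection-tracking filter. All values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLIENT = "10.0.0.5"  # constructed: the VPN client's own address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST

    @property
    def outbound(self) -> bool:
        return self.src == CLIENT

def stateless_allow(pkt: Packet) -> bool:
    """Plain packet filter, no memory: outbound always passes; inbound passes if
    it merely looks like a web reply (source port 80/443, ACK set), whoever sent it."""
    if pkt.outbound:
        return True
    return pkt.sport in (80, 443) and "A" in pkt.flags

class StatefulFilter:
    """Admits inbound packets only if they belong to a flow the client opened."""

    def __init__(self) -> None:
        # (client_port, server_ip, server_port) -> "SYN_SENT" | "ESTABLISHED"
        self.flows: Dict[Tuple[int, str, int], str] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[int, str, int]:
        # Both directions of one connection map to the same key.
        if pkt.outbound:
            return (pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        state = self.flows.get(key)
        if pkt.outbound and "S" in pkt.flags and "A" not in pkt.flags:
            self.flows[key] = "SYN_SENT"  # client opens a new connection
            return True
        if state is None:
            return False  # no connection the client asked for
        if state == "SYN_SENT":
            if not pkt.outbound and pkt.flags == "SA":
                self.flows[key] = "ESTABLISHED"  # server's SYN/ACK completes the match
                return True
            return pkt.outbound  # client may retransmit; server may not send data yet
        # ESTABLISHED: either side may talk. Toy simplification: forget the flow on the
        # first FIN or RST; a real tracker follows the full close and ages idle flows.
        if "F" in pkt.flags or "R" in pkt.flags:
            del self.flows[key]
        return True

def compare(trace: List[Packet]) -> Tuple[List[bool], List[bool]]:
    """Run one trace through both filters; returns (stateless, stateful) verdicts."""
    stateful = StatefulFilter()
    return [stateless_allow(p) for p in trace], [stateful.allow(p) for p in trace]

# Constructed trace: a web fetch, a forged "reply" from a host the client never
# contacted, and a stale segment arriving after the client closed the connection.
WEB, ROGUE = "192.0.2.10", "198.51.100.7"
TRACE = [
    Packet(CLIENT, 40001, WEB, 80, "S"),    # client SYN
    Packet(WEB, 80, CLIENT, 40001, "SA"),   # server SYN/ACK
    Packet(CLIENT, 40001, WEB, 80, "A"),    # handshake complete
    Packet(WEB, 80, CLIENT, 40001, "A"),    # server data
    Packet(ROGUE, 80, CLIENT, 40002, "A"),  # forged reply: stateless allows, stateful drops
    Packet(CLIENT, 40001, WEB, 80, "FA"),   # client closes
    Packet(WEB, 80, CLIENT, 40001, "A"),    # after close: stateless allows, stateful drops
]
```

Running `compare(TRACE)` shows the stateless filter passing all seven packets while the stateful one drops the two that belong to no client-initiated flow.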

Tunnel-side firewalls, which add capabilities to the tunnel server to give it a partial or full firewall, come in the box with most of the products we reviewed, although TimeStep's Permit Enterprise, Indus River's RiverWorks, VPNet's VPNware and RedCreek's Ravlin 7100 offered little in this area. If you are looking to deploy one of these vendors' products in a corporate network in which all users are not permitted entry into all departmentalized networks, you should think about using an auxiliary firewall as well.

Firewall capability in the client may be overkill because VPN clients are usually connected via the public Internet. Being able to turn off Internet traffic when the VPN is connected may be sufficient. Altiga's VPN Concentrator Series product strictly adheres to this approach. When the client is connected to the Altiga VPN server, no other Internet traffic is allowed - no packets go from the client directly to the Internet without passing through the tunnel server first. Permit Enterprise, RiverWorks, Ravlin 7100 and RadGuard's cIPro System all allow the end user to select whether to disable Internet traffic when the VPN is active. Intel's VPN Gateway Plus and Check Point's VPN-1 Gateway put this feature under control of the network manager.

How does the user see it?

We were concerned that end users would resist VPN software if it made their Internet experience substantially slower. We ran performance tests on each of the products, testing latency and throughput. With only two exceptions, we found little performance difference among the products we tested.

The two exceptions were products that used compression. With Indus River's RiverWorks and InfoExpress' VTCP/Secure products we saw an overall performance increase of between 5% and 15% when compression was turned on, depending on the kinds of data and size of packets used. In our tests, InfoExpress performed substantially better than any other VPN vendor, although it achieved those numbers using the company's proprietary protocols.

For noncompressing VPN clients - the rest of the vendors in our test sample - the average degradation in network performance was 20%, with traffic running between 16% and 24% slower over the VPN. For normal Web applications, such as browsing and e-mail, this degradation is hardly noticeable. With interactive applications, such as virtual terminals, users may be dissatisfied with the difference in performance because we saw as much as a 60% increase in latency.

Managing thousands of users

While the clients may be secure, you still need to authenticate all those users. All of the VPN products we looked at include per-user authentication. Most of the systems include local authentication, which looks up user information in a database stored on the VPN device or VPN management station, but you should probably also provide a gateway to some external authentication database to avoid creating yet another password for users to forget.

Remote Authentication Dial-In User Service (RADIUS) has become the de facto choice for network-based authentication. There are good RADIUS servers available to pull from a variety of authentication databases, including the NT Security Access Manager database, and a variety of one-time password systems using tokens or smart cards, such as SecurID or Cryptocard.

We tested each server that supported RADIUS against our in-house server. We found excellent interoperability - we were able to make almost every RADIUS-supporting VPN work easily. Check Point's VPN-1 Gateway was the only exception - we got it to work, eventually, but it wasn't quite as easy as the others. Data Fellows' F-Secure VPN and TimeStep's Permit Enterprise don't support RADIUS at this time.

However, some of these products are poorly designed. For example, VPN-1 Gateway required us to enter each user into the RADIUS database and its own database. Having to enter users into two databases (and remember to take them out as well) is a bad idea.

VPNet's VPNware and Altiga's VPN Concentrator Series go in the other direction. They not only let you store user and password information in a RADIUS database, but they also let you download per-user configuration information (optionally) from the RADIUS server. You may also like Indus River's RiverWorks RADIUS design, which requires that the RADIUS server return a special flag that enables the user for VPN access.

Once all of your users are accessing the network properly, you'll want to keep track of their comings and goings. We looked at the accounting features of these VPN products and were generally disappointed.

The best choice for accounting in the VPN tunnel servers seems to be RADIUS, which moves the accounting records off the tunnel server into an environment where there are abundant freeware tools to create reports. Lucent's Security Management Server and Altiga's VPN Concentrator Series support RADIUS accounting, while Intel's VPN Gateway provides RADIUS accounting for Shiva Smart Tunnel users only.

Most of the other VPNs have weak accounting and reporting tools. For example, Indus River's RiverWorks lets you see information only for past days - you cannot look at this morning's data. Even worse, reports are filed by day, so there's no easy way to look at usage over a period longer than 24 hours. InfoExpress and Check Point have slightly better capabilities. However, Check Point makes you pay $1,500 to get a log consolidator - a feature we think should have been included in the base product - to produce lousy reports with incomplete data.

However, weak is better than nothing, which is what we got when looking at VPNet's VPNware, RadGuard's cIPro System and RedCreek's Ravlin. These three products either gave us no accounting data or dropped so much information during the process that the data we were able to collect was useless.

Managing and monitoring the VPN

Though we weren't happy with their accounting tools, the products did better in other management areas. More than half the products were able to page someone or send an e-mail message when something went wrong. The best management and monitoring came in products from Altiga and Lucent. With Altiga's VPN Concentrator Series, every aspect of the tunnel server shows up in the management module. You can even see the speed of the fans in the dual power supplies if that seems interesting to you. Lucent's Security Management Server is even stronger where it really matters. For example, it offers multiple levels of management, letting you specify who can monitor and who can change things. Lucent also includes a baby protocol analyzer in its product, a nice touch.

We also liked the systems that gave us limited command-line management capabilities, including the TimeStep, Intel, RadGuard and VPNet products. You wouldn't want to build an enterprise VPN using a command line, but the ability to connect to a VPN server using a low-tech terminal emulator to change a single parameter or debug an interoperability problem is a nice plus.

Network managers who plan to take a "set it and forget it" stance to managing their VPN services can live with weak management tools such as those from RedCreek and Intel. Although you can see what's going on with these tools, it's a painful process.

InfoExpress' VTCP/Secure is even less management-friendly because it's the only VPN that uses ASCII menus in an MS-DOS window for configuration. With InfoExpress, you have to run a report to see who is logged on, and the only way to kick off a misbehaving user is to restart the entire VPN server.

Astonishingly enough, all of the products we tested worked more or less as advertised, with few problems in our basic latency and throughput tests. In general, we saw the most instability in clients that had been running for a long time, whether connected to the VPN or not. This is a difficult area to test; getting repeatable problems in our lab was an arduous exercise.

Several of the products had trouble with very long-lived tunnels (more than 24 hours), although everyone we talked to promised that this should work, would work at the next patch level or would work if we changed our operating system, security parameters or key times in some way. If you plan to have long-lived tunnels, make sure you test them in your environment with your security parameters before buying.

We found more stability problems in the management consoles. For example, Indus River's RiverWorks graphical user interface blew up on several occasions, and the VPNet VPNware Web-based Java kit occasionally lost its hold on reality and had to be restarted. We also ran into design problems with some products: InfoExpress' VTCP/Secure, because of its architecture, doesn't support all types of IP protocols, which might cause interoperability failures in some application environments; and Lucent's Security Management firewall-plus-VPN strategy caused some connectivity problems with our FTP server.

So what do I buy?

The products we looked at vary so widely that there is no single top choice. Your best match depends on the size of your VPN, the way you connect to the Internet and more complex questions such as whether you want to use Windows networking remotely and whether you're going to use charge-back accounting.

RedCreek's Ravlin series beat out all contenders for simplicity of installation and operation. Nevertheless, Ravlin would be a disaster if you had thousands of users to connect.

For midsize users, the Altiga VPN Concentrator Series is a great deal. Well priced and with an easy-to-understand management interface, setting up and running Altiga's VPN Concentrator Series was never a challenge. While Lucent and Check Point also scored well in the same areas, their management interfaces were an order of magnitude more complex than Altiga's, without offering a corresponding number of extra features.

For massive deployments, look closely at Indus River's RiverWorks and TimeStep's Permit Enterprise offerings. These companies have thought about what it means to distribute 10,000 or more clients. While we found deficiencies in reporting tools for both, their other strengths make them mandatory evaluation candidates. Similarly, Lucent, VPNet and Intel, which have less experience but strong architectures, should be on the short list of anyone doing a massive rollout.

However, don't let our small/midsize/large categories stop you from looking at all of the products that fit your needs. We looked at a bunch of winners, and that's good news for any network manager.

RELATED LINKS

Snyder is a senior partner at Opus One in Tucson, Ariz., specializing in security and messaging technologies. He can be reached at joel.snyder@opus1.com.

Scorecard, NetResults and How We Did It
Key findings, vendor contact info, pricing and a look at our test methodology.

Review and buyer's guide: VPNs
In-depth review of site-to-site VPNs, plus an interactive database that lets you find the VPN that best matches your criteria. Network World, 5/10/99.
