Information Security Technical Report, Vol 6, No. 1 (2001) 23-30
Implementing Virtual Private Networks in Today's Organization
Dr J.S. Broderick, Director, Corporate Consulting Services, Symantec Inc.
Introduction
Virtual Private Networks have been available as solutions to organizations for many years; however, it is only in the last three to four years that organizations have considered them viable. This article examines some of the reasons why the technology has not really been widely implemented despite the promises of the VPN vendors. These promises include reduced cost of communications, prevention of information hi-jack and secure communications. Organizations that have attempted to implement VPNs have had mixed success. The ones that have been most successful have been those that used an analytical and logical approach to providing the solution. The ones that have failed have done so primarily because they tried to implement the solution without such an approach.
Issues faced by Organizations
When an organization is considering implementing a VPN solution, it faces a bewildering array of issues to consider. Many consider a VPN implementation to be simply an extension of their existing network infrastructure. At a simplistic level this may be true, but the security issues faced by an organization when it plans a VPN implementation may be considerable. The words “may be” are deliberately vague, since the extent of the issues depends on the purpose for which the VPN is used and the locations from which the VPN can be used.
0167-4048/01/$20.00 © 2001, Elsevier Science Ltd
Consider the following scenarios:
• If an organization uses a VPN to protect information in transit across its own network within its own controlled premises, the issues faced are relatively small.
• If the scope of the VPN is extended to permit other remote parts of the organization to connect securely, a range of different problems emerge.
• If the scope is extended still further to include partners and suppliers, this compounds the problem with yet another level of complexity.
• If the organization wishes to permit remote users to connect to internal network resources (data, systems and services), a full range of problems arise. This is because the organization has essentially moved from an isolated network to one that can potentially be accessed from anywhere.
Rather than attempt to explain all of the problems associated with each of the scenarios individually, this article will describe the component parts of the problems. These components may then be assembled to gain a complete understanding of the problem for any given scenario.
Problem Components
Organizations wishing to implement a VPN should strongly consider the following issues:

Planning
• Scope
• Interoperability
• Encryption and Key Management
• Policy
• Performance
• Security, including fail-over, redundancy, single point of failure
• Third party users
• Ease of Use

Implementation
• Manpower
• Automation
• Failover
• Redundancy
• Key Management
• Initial user management

Management
• Long-term user management
• Modification of VPN solution/design
• Hacking through the VPN tunnel

The remainder of this section will consider the issues highlighted above in the three areas of Planning, Implementation and Management.

Planning
At the risk of being accused of pointing out the obvious, implementing a VPN is akin to implementing a new network from the ground up. Although many would not now admit it, most people simply bought some components (cable, hubs, routers, etc.), plugged them together to form a rudimentary network, and only later worked out how to make it work, make it perform better and make it secure. Organizations that attempt this approach with their VPN are most likely to fail. Even if they get it to work, the security achieved is likely to be much lower than they expected and were led to believe by the vendor who sold them the solution. Planning is KEY to implementing a secure VPN. Without planning, the VPN will be less than optimally secure (it may even be insecure), or it will not operate at all!

Scope
When choosing a VPN technology to use, it is vital that the organization does not consider just the immediate requirement but also the potential future uses; otherwise, the organization may be locked into using a technology today that it will have to consign to the trash a year or two in the future.

There are basically four typical VPN scenarios:
• Office-to-Office
• Intra-Office
• Dial-in user-to-office
• Office-Partner/Supplier

In the first two cases, the VPNs are simply part of the existing network, albeit a more secure part. The fundamental issue is where to position the end points of the VPN, i.e. the gateways that are responsible for encrypting/decrypting the contents of the packets. Since in many cases the network design and structure will have been open until the implementation of the VPN, the requirement for network hiding may be absent. If not, the solution described for the latter two scenarios in the above list may be more applicable.

In the case of Dial-in user-to-office or Office-Partner/Supplier, the main issues to consider are:
• How many individual VPNs are required, i.e. how many individual users or companies will require individual rather than shared VPNs.
• What sort of traffic will be permitted through the VPN — open or controlled.
• Whether internal network hiding or address translation is required.
• How deep the VPN is permitted to reach into the organizational network — whether it stops at the perimeter or at an internal subnet.
• How user authentication is managed.
• The consequences of the VPN endpoints not being available, i.e. fail-over/redundancy.
• How much data is expected to flow through the VPNs.
• How easy or difficult the solution is to use.
• The security posture of the third party client/partner or supplier.

Capacity
To define the capacity of a VPN gateway, an organization needs to determine the number of simultaneous users (whether individuals or other organizations) that it requires to be capable of being connected at the same time, and the speed of connection required by these users. These two factors, together with the resource requirements of the VPN gateway solution, determine the performance characteristics of the gateway computer required.

Encryption and Key Management
All VPN implementations use some form of key as part of the encryption process that ultimately protects the data in transit. Some VPNs use the same key for setting up the VPN tunnel and then for encrypting the data for the entire duration of the existence of that VPN tunnel. Other implementations use a fixed shared key for the VPN initialization and then create a unique session key that is used to encrypt the data for the entire lifetime of that tunnel. An enhancement over the previous methods is to negotiate and change the session key either on demand of either party composing the VPN or at a regular interval. This is the basis of the ISAKMP/Oakley and many other key exchange implementations. Whatever VPN solution is chosen, major factors in the solution should be the strength of the encryption used and the key management methodology supported.

Resilience/Fail-over
If resilience, fail-over or redundancy is required, this further impacts the performance characteristics of the gateway system and potentially the configuration of the communications infrastructure required to support the solution. For example, it may mean using dual ISPs, using land line and microwave communications channels, provision of uninterruptible power supplies, etc.

User Authentication
After considering these items, an organization should think about how, or if users should authenticate themselves in order to use the VPN. If there is no authentication required to initiate the VPN application, anyone could send anything down the VPN, which really defeats the purpose of most organizations’ VPNs i.e. that they should be used to transmit sensitive information. The second part of the authentication mechanism is required by the receiving VPN gateway so that it knows that the initiating gateway is indeed an authorized gateway. Once this has been established, the two gateways initiate the encrypted channel between them.
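The following is an added illustration, not code from the article, of the two points made in the Encryption and Key Management and User Authentication sections above: a fixed shared key used only to authenticate the two gateways, a unique session key derived per tunnel, and that session key replaced once a traffic budget is used up. It is a deliberately simplified pre-shared-key scheme, not the ISAKMP/Oakley wire protocol; the key derivation (HMAC-SHA256 over the PSK and both nonces), the gateway names and the byte-count rekey trigger are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: simplified PSK-based gateway authentication and per-tunnel session keys.
# Assumption: both gateways hold the same fixed PSK; it is never used as the data key.


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, used here as the key derivation function."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


class Gateway:
    """One end point of a VPN tunnel."""

    def __init__(self, gateway_id: str, psk: bytes, rekey_after_bytes: int = 1_000_000):
        self.gateway_id = gateway_id.encode()
        self.psk = psk                      # fixed shared key, used for initialization only
        self.rekey_after_bytes = rekey_after_bytes
        self.session_key: Optional[bytes] = None  # unique per tunnel and per key generation
        self.generation = 0
        self.bytes_since_rekey = 0

    def auth_token(self, peer_id: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
        # Proof of PSK knowledge, bound to this exchange's nonces and to both identities.
        return prf(self.psk, b"auth", self.gateway_id, peer_id, nonce_i, nonce_r)

    def verify_peer(self, peer_id: bytes, token: bytes, nonce_i: bytes, nonce_r: bytes) -> bool:
        expected = prf(self.psk, b"auth", peer_id, self.gateway_id, nonce_i, nonce_r)
        return hmac.compare_digest(expected, token)

    def install_session_key(self, nonce_i: bytes, nonce_r: bytes) -> None:
        # The data key is derived from the PSK plus both nonces, so it differs for every
        # tunnel and every rekey even though the PSK itself never changes.
        self.session_key = prf(self.psk, b"session", nonce_i, nonce_r)
        self.generation += 1
        self.bytes_since_rekey = 0

    def account_traffic(self, nbytes: int) -> bool:
        """Record nbytes of tunnel traffic; True once the session key's budget is exhausted."""
        self.bytes_since_rekey += nbytes
        return self.bytes_since_rekey >= self.rekey_after_bytes


def establish_tunnel(initiator: Gateway, responder: Gateway,
                     nonce_i: Optional[bytes] = None, nonce_r: Optional[bytes] = None) -> bool:
    """Mutual PSK authentication followed by session key derivation.

    Neither side installs a key unless both proofs verify, so a peer without the PSK
    cannot bring up a tunnel that the other end would treat as authorized.
    """
    nonce_i = nonce_i or secrets.token_bytes(16)
    nonce_r = nonce_r or secrets.token_bytes(16)
    token_r = responder.auth_token(initiator.gateway_id, nonce_i, nonce_r)
    if not initiator.verify_peer(responder.gateway_id, token_r, nonce_i, nonce_r):
        return False
    token_i = initiator.auth_token(responder.gateway_id, nonce_i, nonce_r)
    if not responder.verify_peer(initiator.gateway_id, token_i, nonce_i, nonce_r):
        return False
    initiator.install_session_key(nonce_i, nonce_r)
    responder.install_session_key(nonce_i, nonce_r)
    return True


def transmit(a: Gateway, b: Gateway, nbytes: int) -> bool:
    """Account nbytes of traffic on an established tunnel; rekey with fresh nonces when due.

    Returns True if a rekey took place.
    """
    due_a = a.account_traffic(nbytes)
    due_b = b.account_traffic(nbytes)
    if due_a or due_b:
        return establish_tunnel(a, b)
    return False


if __name__ == "__main__":
    psk = b"constructed-demo-psk"  # constructed value for the demonstration
    hq = Gateway("hq", psk, rekey_after_bytes=1000)
    branch = Gateway("branch", psk, rekey_after_bytes=1000)
    print("tunnel up:", establish_tunnel(hq, branch))
    print("rekeyed after 600 B:", transmit(hq, branch, 600))
    print("rekeyed after 1200 B:", transmit(hq, branch, 600), "generation", hq.generation)
    rogue = Gateway("rogue", b"wrong-psk")
    print("rogue tunnel up:", establish_tunnel(rogue, branch))
```

The rekey trigger here is a byte count; the article's "regular interval" variant is the same logic with a clock instead of a counter.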
Network Hiding
Some VPN implementations provide network address translation functions that effectively hide an organization’s internal network from visibility on the other side of the gateway. While this provides a level of security by eliminating a view of the network, it can in some cases create complex routing problems to solve.

Ease of Use
User behaviour is generally fickle. Therefore, if an organization provides a solution that is difficult to use and administer, users and administrators alike will tend to find an alternative way of getting their jobs done — even if it means reducing the overall security of the organization. Finding a solution that is easy to use is paramount to obtaining rapid acceptance and long-term usage of that solution.

Application/Service Access Rights
Another issue that must be considered is what a given user is permitted to access, together with what applications/protocols are permitted to touch that destination. This issue is primarily an organizational policy issue, but it has a fundamental bearing on what VPN solution will be chosen by the organization and how that solution is implemented.

Implementing a VPN without any content control, whether at a protocol level and/or an intra-packet level, provides open access using any protocol to the destination system. The only protection the destination system has is its own security configuration. In practice, adding a second level of protection for that system by providing filtering in the VPN is highly desirable and strongly recommended.

Third Party Users
When an organization links third parties to its computing infrastructure, it is making an implicit trust relationship between the two organizations. The organization is assuming that:
• the third party is as secure as, or more secure than, they are
• the third party will not compromise the organization’s security
• someone within their own organization will not compromise the security of the third party
• multiple third parties will not try to compromise each other via the commonly used infrastructure
These are significant issues that need to be addressed from both a technical and business management point of view so that all parties involved are protected from unscrupulous or unethical behaviour.

Key Management and Interoperability
Management of keys associated with VPN implementations is not a trivial issue. If the VPN tunnels are under the total control of the implementing organization, many of the problems are eliminated; however, if different organizations or different management regimes are trying to connect using a VPN, the problems may be severe. Aside from the choice of VPN technology used and the keys used by that technology, the problems with key management and interoperability can be simplified to a cooperation issue. A VPN can only be created by two parties that agree to:
• use a common approach
• have common methods of managing VPN related keys that are exchanged between the two parties
Without this level of cooperation, the VPN between the two parties is very unlikely to work. An issue that is not strictly key management, but is related, is that of encryption strength. Due to different legislation in different countries, an encryption strength available in one country may not be available for use in a partner’s country. This inevitably leads to a reduction in encryption strength if the two parties wish to communicate across a VPN.

Configuration
It is vital to remember that VPNs provide point-to-point connections and that both ends of the link need to be configured so that they work together. For organizations that intend to use a small number of VPNs, the additional work involved in coordinating both ends of each VPN is an inconvenience. If an organization is expecting to implement a large number of VPNs, the additional effort required is significant, and attention should be paid during the VPN solution selection to the facilities provided in the solution by the vendor to reduce configuration effort when implementing large numbers of VPNs. Whatever the size of the proposed VPN implementation, it is important to include sufficient implementation resources in the planning stage.
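As an added example (not from the article or any vendor's tooling) of reducing the effort of keeping both ends of many tunnels consistent: each tunnel is described once from the hub's side, the spoke's definition is generated as its mirror image, and a check confirms the two ends agree before anything is deployed. The dictionary layout, the field names, the proposal string and the hub/spoke addresses are assumptions for this illustration; the overlap check ties back to the Network Hiding discussion above, since overlapping protected networks are the case where address translation becomes necessary.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example: generate mirrored end definitions for hub-and-spoke tunnels and validate them.
# Assumption: a tunnel end is described by gateway address, protected network, a proposal
# label and a reference to the shared secret; none of this is a vendor's syntax.

Endpoint = Dict[str, str]
Definition = Dict[str, str]


def tunnel_pair(name: str, local: Endpoint, remote: Endpoint,
                proposal: str, psk_ref: str) -> Tuple[Definition, Definition]:
    """Return (our_end, their_end) for one tunnel, both generated from a single source."""
    ours = {"name": name, "local_gw": local["gw"], "local_net": local["net"],
            "remote_gw": remote["gw"], "remote_net": remote["net"],
            "proposal": proposal, "psk_ref": psk_ref}
    theirs = {"name": name, "local_gw": remote["gw"], "local_net": remote["net"],
              "remote_gw": local["gw"], "remote_net": local["net"],
              "proposal": proposal, "psk_ref": psk_ref}
    return ours, theirs


def check_pair(ours: Definition, theirs: Definition) -> List[str]:
    """Return the reasons two end definitions would not form a working tunnel (empty if fine)."""
    problems: List[str] = []
    mirrored = (("local_gw", "remote_gw"), ("remote_gw", "local_gw"),
                ("local_net", "remote_net"), ("remote_net", "local_net"))
    for key_ours, key_theirs in mirrored:
        if ours[key_ours] != theirs[key_theirs]:
            problems.append(f"{key_ours}={ours[key_ours]} does not mirror peer "
                            f"{key_theirs}={theirs[key_theirs]}")
    for key in ("proposal", "psk_ref"):
        if ours[key] != theirs[key]:
            problems.append(f"{key} differs: {ours[key]} vs {theirs[key]}")
    # Overlapping protected networks cannot be routed unambiguously through the tunnel.
    local_net = ipaddress.ip_network(ours["local_net"])
    remote_net = ipaddress.ip_network(ours["remote_net"])
    if local_net.overlaps(remote_net):
        problems.append(f"protected networks overlap: {local_net} and {remote_net}")
    return problems


def build_hub_and_spoke(hub: Endpoint, spokes: Dict[str, Endpoint],
                        proposal: str) -> Dict[str, Tuple[Definition, Definition, List[str]]]:
    """Generate and validate every hub<->spoke pair: {name: (ours, theirs, problems)}."""
    out = {}
    for name, spoke in spokes.items():
        ours, theirs = tunnel_pair(name, hub, spoke, proposal, psk_ref=f"psk-{name}")
        out[name] = (ours, theirs, check_pair(ours, theirs))
    return out


if __name__ == "__main__":
    # Constructed addresses from documentation ranges and a constructed proposal label.
    hub = {"gw": "203.0.113.1", "net": "10.1.0.0/16"}
    spokes = {"branch-a": {"gw": "198.51.100.7", "net": "10.2.0.0/16"},
              "partner-x": {"gw": "192.0.2.9", "net": "10.1.5.0/24"}}
    for name, (ours, theirs, problems) in build_hub_and_spoke(hub, spokes, "aes128-sha1-modp1024").items():
        print(name, "OK" if not problems else problems)
```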
Implementation
If an organization has successfully completed the planning cycle, implementation of the VPN should be relatively uneventful, other than the usual headaches associated with the implementation of any other type of network. Perhaps the most challenging aspect of implementing a VPN is that it is often very hard to determine what isn't working, since all of the traffic flowing down a VPN path is encrypted. This means that:
• If the data doesn't reach its destination, it may not be obvious where it went.
• If the gateway at the remote end of the VPN is improperly configured, the data may reach the gateway and then appear to get lost.
These two scenarios may appear obvious, but in the heat of a complex VPN installation, sometimes the obvious is incredibly well hidden.

Some VPN vendors provide tools to assist with debugging these problems; some don't. In either case, it is probably prudent for an organization to invest in some type of packet sniffing technology to assist in debugging a troublesome VPN. Armed with a packet sniffer and knowledge about the structure of the VPN packet (provided by the VPN technology vendor), debugging a troublesome VPN becomes a chore rather than a headache. The VPN troubleshooter won't be able to read the contents of the packet, and will only be able to identify the source and destination addresses of the packets.
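The following added example (not part of the article) shows what "knowledge about the structure of the VPN packet" buys the troubleshooter. It assumes the tunnel carries IPsec ESP (IP protocol 50), the kind of tunnel the ISAKMP/Oakley exchange mentioned earlier sets up; the outer addresses, the SPI and the sequence number stay in clear, the payload does not. Reading those fields from captures taken at both gateways is enough to tell whether packets were lost in transit or inside a misconfigured remote gateway: sequence numbers missing from the receiver's capture but present in the sender's were lost between the two ends. The packets are constructed for the demonstration, with no checksum and no real encryption.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example: summarize IPv4+ESP packets the way a sniffer sees them and find sequence gaps.
# Assumption: the VPN uses IPsec ESP; the ESP payload is opaque and is never interpreted.

IPPROTO_ESP = 50


@dataclass(frozen=True)
class EspSummary:
    src: str
    dst: str
    spi: int
    seq: int
    payload_len: int   # length of the opaque (encrypted) part


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def build_esp_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """Construct an IPv4+ESP packet for offline testing (checksum left zero, payload not encrypted)."""
    total_len = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                            IPPROTO_ESP, 0, _ip_bytes(src), _ip_bytes(dst))
    return ip_header + struct.pack("!II", spi, seq) + payload


def parse_esp(packet: bytes) -> Optional[EspSummary]:
    """Return what a sniffer can tell about an ESP packet, or None if it is not IPv4 ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP or len(packet) < ihl + 8:
        return None
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return EspSummary(_ip_str(packet[12:16]), _ip_str(packet[16:20]),
                      spi, seq, len(packet) - ihl - 8)


def sequence_gaps(summaries: List[EspSummary]) -> Dict[Tuple[str, str, int], List[int]]:
    """Per security association (src, dst, SPI), list the sequence numbers that never arrived."""
    seen: Dict[Tuple[str, str, int], Set[int]] = {}
    for s in summaries:
        seen.setdefault((s.src, s.dst, s.spi), set()).add(s.seq)
    gaps: Dict[Tuple[str, str, int], List[int]] = {}
    for sa, seqs in seen.items():
        missing = [n for n in range(min(seqs), max(seqs) + 1) if n not in seqs]
        if missing:
            gaps[sa] = missing
    return gaps


if __name__ == "__main__":
    # Constructed capture from the receiving gateway: sequence 3 never showed up.
    capture = [build_esp_packet("192.0.2.1", "198.51.100.1", 0x1000, n, b"\x00" * 64)
               for n in (1, 2, 4, 5)]
    summaries = [s for s in map(parse_esp, capture) if s]
    for s in summaries:
        print(f"{s.src} -> {s.dst} spi=0x{s.spi:x} seq={s.seq} opaque={s.payload_len}B")
    print("gaps:", sequence_gaps(summaries))
```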
Manpower
The manpower issue with implementing VPNs is not usually discussed by VPN vendors, since it detracts from the point of their sales presentation, i.e. to show the organization how it can conduct E-business safely across a public network such as the Internet. However, in the real world, where skilled manpower is at a premium and is usually expensive, this is not an issue that can be lightly passed over. The skills required to implement VPN technology typically include:
• Excellent network and network debugging skills (down to packet level).
• A highly analytical mind to solve some of the apparently abstract problems that VPN installations can sometimes give rise to.

Redundancy/Fail-over Implementation
An important issue, and one that is often ignored until the problem arises, is that of fail-over and redundancy. In many VPN implementations, the whole of an organization’s VPN infrastructure is centred in a single place, and often within a single gateway, typically a firewall. This inevitably means that should this device suffer a hardware or other malfunction that renders it temporarily or permanently inoperable, the entire VPN capability suddenly becomes unavailable. The organization is then faced with making a business decision: do we take the risk and allow data transmission in clear text, or do we wait? In either case a financial judgment has to be made and the most appropriate decision taken.
Key Management
Implementation of secure key management is vital to providing a secure VPN implementation. If the keys are inadvertently disclosed to unauthorized third parties, the security of the implementation is very questionable. In light of this, it is important that a great deal of care is spent on this aspect of the VPN implementation.

Automation
Provision of automated setups for VPN implementations is not a strong point of today’s solutions. This is because of the complexity and variety of how VPNs can be configured. However, once a solution is selected, a pilot of the solution should be implemented in a test lab environment and the process used to configure that environment documented by the implementation team in extreme detail.

Initial User Management
When an organization configures a large number of users to use its VPN capabilities, it is very tempting to issue a standard startup password, since it simplifies the overall process. From a security point of view, this is not good practice and should be avoided if at all possible. If the VPN implementation supports password expiration, this feature should be used to force the user to change their initial VPN application startup password from the one supplied by the implementation team as soon as they invoke that application. While many users may request access to corporate resources via VPN tunnels, some of those users will not use the capability. It is therefore prudent for the organization to periodically review tunnel usage and to revoke tunnels that have not been used for an extended period of time, if at all. This of course would require support from the organization’s security policy. User training is an area that should not be overlooked, yet often is. Organizations should not expect users, whether individuals, groups, partners or clients, to be able to use a new technology instinctively. These users should be trained both in the operation of the technology and in the responsibilities that use of that technology requires them to accept.
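As an added example (not from the article) of the periodic review just described, and of the same revocation duty the Management section raises for users who leave or change role: a review over the gateway's user records that flags tunnels still on their issued startup password, tunnels never or no longer used, and identities the organization's directory no longer vouches for. The record layout, the usernames and the thresholds are assumptions made for the illustration; the thresholds are parameters so that the organization's security policy, not the code, decides how long an idle tunnel may live.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example: lifecycle review of VPN tunnel users.
# Assumption: these fields are exported from the gateway's user database and joined with
# the organization's authoritative directory (the still_authorized flag).


@dataclass
class TunnelUser:
    username: str
    created: date                    # when the tunnel/credential was issued
    last_used: Optional[date]        # None means the tunnel has never been brought up
    password_changed: bool           # has the issued startup password been replaced?
    still_authorized: bool = True    # does the directory still list this user/partner?


Verdicts = Dict[str, List[Tuple[str, str]]]


def review_tunnels(users: List[TunnelUser], today: date,
                   unused_days: int = 90, grace_days: int = 7) -> Verdicts:
    """Classify each tunnel user as revoke / force_password_change / ok, each with a reason.

    Revocation checks run first: an identity the directory no longer authorizes is
    removed regardless of how recently it was used.
    """
    result: Verdicts = {"revoke": [], "force_password_change": [], "ok": []}
    for u in users:
        age = (today - u.created).days
        idle = (today - u.last_used).days if u.last_used else None
        if not u.still_authorized:
            result["revoke"].append((u.username, "no longer authorized by directory"))
        elif u.last_used is None and age > unused_days:
            result["revoke"].append((u.username, f"never used in {age} days since issue"))
        elif idle is not None and idle > unused_days:
            result["revoke"].append((u.username, f"unused for {idle} days"))
        elif not u.password_changed and age > grace_days:
            result["force_password_change"].append((u.username, "still on issued startup password"))
        else:
            result["ok"].append((u.username, "active"))
    return result


if __name__ == "__main__":
    # Constructed records for the demonstration.
    today = date(2001, 6, 1)
    users = [
        TunnelUser("alice", date(2001, 1, 10), date(2001, 5, 30), True),
        TunnelUser("bob", date(2001, 1, 10), date(2001, 2, 1), True),
        TunnelUser("carol", date(2001, 1, 10), None, False),
        TunnelUser("dave", date(2001, 5, 1), date(2001, 5, 20), False),
        TunnelUser("acme-partner", date(2000, 3, 1), date(2001, 5, 31), True, still_authorized=False),
        TunnelUser("erin", date(2001, 5, 28), None, False),
    ]
    for verdict, entries in review_tunnels(users, today).items():
        for username, reason in entries:
            print(f"{verdict:22} {username:14} {reason}")
```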
Management

Long-term user management
Potentially the most difficult aspect of managing VPN users in the long term is that they become blasé about the capability that they have been provided with. They begin making assumptions that may not be true and may even start to abuse the functionality. Much of this attitude can be eliminated through regular information security awareness programmes that stress the users’ responsibilities for managing the security of information to which they have access. Such an approach must, of course, be supported by the organization’s Information Security Policy. In any organization, users, whether individuals, groups, partners or clients, will change. As these changes occur, it is important that the team responsible for managing the VPN solution is kept abreast of these changes so that old, no-longer required tunnels and their associated user identities can be deleted. Removal of old user credentials and accounts is a function that is sometimes poorly performed in organizations; however, in the case of VPN implementations, failure to perform this function could lead to a severely damaging intrusion into the organization’s computing environment with consequential losses occurring.

Modification of VPN solution design/function
Once a VPN solution has been implemented in an organization, any changes other than adding/removing users or tunnels will involve a significant amount of work. The safest approach would be to start the whole process again (not the whole implementation), since most organizations will still have to operate their existing operations during the changes. In this way potential problems can be identified in the planning stage and hopefully resolved prior to any changes to the existing operational environment being implemented.

Hacking through the VPN tunnel
Just because an organization implements a VPN doesn’t necessarily mean that it is protected against all hackers. Hacking an established VPN itself is not trivial; however, if the hacker can hack into a VPN during or before it is initialized, the organization at the other end of the VPN believes that the user is authorized. This is why it is imperative to control what information is permitted into and sent out of an organization via its VPN links. It is also vital that any organization using VPNs implements a sophisticated Intrusion Detection Solution to monitor for evidence of unauthorized intrusions and take appropriate actions. This is a complex area and is beyond the scope of this article, but is something which organizations should be cognizant of.
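The following added example, not code from the article, puts the two recommendations above into working form: the "filtering in the VPN" asked for under Application/Service Access Rights, and the control over what is permitted through the tunnel that this section calls imperative. A gateway-side policy is applied to each flow after decryption, with "open" mode (any protocol to any destination) shown beside default-deny "controlled" mode, and a batch audit counts denied attempts per authenticated identity so that a tunnel being used for something its owner was never granted surfaces as an alert. The policy format, the flow records, the usernames, the internal addresses and the alert threshold are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: per-user access policy applied at the VPN gateway, plus deny-count alerting.
# Assumption: a flow is identified by the tunnel's authenticated user, destination, protocol and port.


@dataclass(frozen=True)
class Flow:
    user: str          # identity the tunnel was authenticated as
    dst: str           # internal destination reached through the tunnel
    proto: str         # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    user: str
    dst_net: str       # CIDR the user may reach
    proto: str
    dport: Optional[int] = None   # None: any port


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.user == flow.user
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst_net))


def decide(flow: Flow, policy: List[Rule], controlled: bool = True) -> Tuple[str, Optional[Rule]]:
    """Open mode (controlled=False) passes any protocol to any destination, which is the
    situation the article warns against; controlled mode is default-deny and only permits
    flows that a rule explicitly allows."""
    if not controlled:
        return "allow", None
    for rule in policy:
        if matches(rule, flow):
            return "allow", rule
    return "deny", None


def audit(flows: List[Flow], policy: List[Rule], deny_threshold: int = 3) -> Dict[str, object]:
    """Apply the policy to a batch of flows; flag users whose denied attempts reach the threshold.

    Repeated denies from one authenticated identity are the signal that an intrusion
    detection capability watching the inside of the gateway should surface.
    """
    log: List[str] = []
    denies: Dict[str, int] = {}
    for f in flows:
        verdict, rule = decide(f, policy)
        port = f"/{f.dport}" if f.dport is not None else ""
        matched = f" rule={rule.dst_net}" if rule else ""
        log.append(f"{verdict.upper()} user={f.user} {f.proto}{port} -> {f.dst}{matched}")
        if verdict == "deny":
            denies[f.user] = denies.get(f.user, 0) + 1
    alerts = [u for u, n in denies.items() if n >= deny_threshold]
    return {"log": log, "denies": denies, "alerts": alerts}


if __name__ == "__main__":
    # Constructed policy and flows for the demonstration.
    policy = [Rule("acme-partner", "10.1.2.0/24", "tcp", 443),
              Rule("alice", "10.0.0.0/8", "tcp")]
    flows = [Flow("acme-partner", "10.1.2.10", "tcp", 443),
             Flow("acme-partner", "10.1.2.10", "tcp", 22),
             Flow("acme-partner", "10.9.0.1", "tcp", 443),
             Flow("acme-partner", "10.1.2.10", "udp", 53),
             Flow("alice", "10.5.5.5", "tcp", 22)]
    result = audit(flows, policy)
    print("\n".join(result["log"]))
    print("alerts:", result["alerts"])
```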
Summary
As can be seen from the numerous issues associated with any VPN implementation discussed above, putting all these issues together for an organization and being assured that all areas have been addressed is not a trivial task. The planning phase is probably the most difficult and time-consuming phase of the project; however, this is time very well spent since, if the plan is good, the time and resources fruitlessly wasted in the remainder of the project will be minimized.
Biography
Dr Stuart Broderick has been working actively in the information security world for the last 17 years. During the late 1980s he became actively interested in firewalls, VPNs and their implementation. During the mid-1990s he moved to Raptor Systems Inc., where he became the chief technologist for their European operation. At Raptor he became even more actively involved in VPN technologies and especially deployment of the Raptor VPN technology. Raptor was merged into AXENT Technologies, where Dr Broderick was transferred to their US services subsidiary (Secure Network Consulting Inc.) and was responsible for architecting their professional services. AXENT was subsequently merged into Symantec Inc. during December 2000.