What is a VPN?


Information Security Technical Report, Vol 6, No. 1 (2001) 15-22

What is a VPN? Perry B. Gentry1, PricewaterhouseCoopers

The business world today is increasingly dependent on communications and real-time data is rapidly becoming a requirement for companies to stay competitive. This has impacted information security programs as employees, business partners, vendors and others beyond the traditional enterprise boundaries require immediate access to a wide array of systems and business information. These new business communications needs have demonstrated the need for new secure communications tools to help protect the information as it moves. Since first recognized, there have been many approaches taken to meet the goals of securing this ‘information in motion’. Some have emphasized support of high-speed communication, others have focussed on connecting multitudes of simultaneous, low-speed remote dial-up users, some have accentuated ease of use and deployment, while still others concentrated on the security aspects of the communication. Few have been able to meet all of these goals and provide a system that scales to meet the needs of both small and large organizations.

There has been a great deal of discussion in the press and in industry about Virtual Private Network (VPN) products and services. Like many new technologies, the VPN market has been suffering through the standards development phases to establish the guidelines for interoperability. It is also suffering from the misuse of the term to describe certain services that are not actually true VPNs but External Private Networks (EPNs).

1 Perry B. Gentry, CISSP, is a manager in the Technology Security practice focused on E-business security solutions. His areas of specialization include Virtual Private Network technology; Public Key Infrastructures; network protocols, architectures, and security; high-assurance and high-availability designs; and cryptographic system design techniques. Perry is a founding member and East Coast leader of PricewaterhouseCoopers’ VPN Center of Excellence. Of Perry’s 15 years of experience in the security field, 13 were spent performing system security engineering for the National Security Agency’s Information Systems Security (INFOSEC) organization. As the Technical Director for In-Line Network Encryption Products, Perry helped guide the development of US Government SONET, ATM and IP network security products. He has participated in American National Standards Institute (ANSI) standards committees, is a member of the IEEE and is a Certified Information Systems Security Professional (CISSP). Perry holds a Top Secret clearance, is an NSA-certified Cryptologic Engineer, and is certified as a Department of Defense Level III Program Manager and Systems Engineer. He holds a BS degree in Electrical Engineering from Clemson University and an MS degree in Electrical Engineering from The Johns Hopkins University. He is based in Baltimore, and can be contacted at [email protected]

The author would like to express thanks to the following people for providing valuable guidance and input for this article: Jason Dowd is a manager in the Technology Security practice at PricewaterhouseCoopers, based in St. Louis, MO, USA. Jason has more than four years’ experience working with IP networking, Internet and Electronic Commerce solutions. Rob Rudloff is a senior manager in the Technology Security Practice at PricewaterhouseCoopers, based in Denver, CO, USA. Rob has more than eight years’ experience working with information systems and information security focused on security infrastructure and electronic commerce.

0167-4048/01/$20.00 © 2001, Elsevier Science Ltd

VPN Defined

There are many VPN products and services on the market today and a wide variety of implementations. This has created some confusion on what the term VPN actually means. We will attempt to define and provide clarity on VPN solutions and what their uses are in today’s business.

To properly define a VPN, it will be necessary to understand a few terms and definitions. The following terms and definitions should help provide some understanding of what a VPN really is.

Virtual — Being such in essence or effect though not formally recognized or admitted.
Private — Intended for or restricted to the use of a particular person, group, or class.
Network — A system of computers, terminals, and databases connected by communications lines.
Public network — A network generally accessible by many other networks where the connections to and from the network are generally not known and the entities on the network are free to join (i.e. the Internet).
External network — A network that is not publicly accessible but may have connections to other networks that are authorized.
Internal/private network — A network that is primarily used by some entity and is protected from the public due to physical barriers.
Definition of an external private network (EPN) — A connection through an external network (not public) where the users have no control over the protection of the data being transmitted.
Definition of a virtual private network (VPN) — A connection through a network utilizing encryption technology to privatize data for transmission between two trusted parties.

1. It is virtual because it can use a public or a private network to transmit data.
2. It is private because it uses encryption that the users control for protection of the data.
3. It is a network because devices and systems are communicating on a common path.


With a true VPN solution, the data is privatized as it leaves the originator’s site (client machine or enterprise network boundary) and before it enters the service provider network. The encryption device can be managed by the user (the most secure way) or outsourced to a managed VPN service similar to or combined with managed firewall service. Regardless of who provides the encryption device, the data then remains encrypted between the originator’s and the recipient’s private network.

It needs to be noted that there are many services that claim to be VPNs but are actually EPNs. An EPN is a service provider network that claims privacy within their private network, but the end-users have no control over that privacy mechanism. This is different from a managed VPN solution in that the data is sent to the EPN provider in the clear and they then provide some means (separated network, special routing, perhaps encryption) to protect the data once they have it. This isn’t truly private because the user has given away the control of how the privacy is achieved to a third party, and the privacy measures are not truly end-to-end (i.e. originator network boundary to recipient network boundary).

VPNs are virtually private because the encryption takes place on the originator’s own private network and decryption takes place within the intended recipients’ private network. It is virtually private because between these two endpoints the network and communication are freely accessible, but that accessibility does not result in the exposing of the information (if the encryption is properly implemented).


What a VPN does do

Transmission Privacy

At its core, a VPN privatizes data from point A to point B. The VPN’s primary function is to protect the data from disclosure during transmission over any given network path. The privatizing of data allows the use of public networks for transmission as though they were private (virtually private). The maintenance of data privacy through the use of a VPN is beneficial where information and services must be protected from disclosure, modification, and unauthorized uses while traversing public network segments.

What a VPN should do

Authentication and Authorization

A VPN should address the identification and authorization process associated with controlling access to the VPN. As such, users of the VPN system would be authenticated as identified, authorized users of the VPN system. Further, their authentication credentials may be provided to the terminating VPN system, to validate their connection to that system. Without strong authentication of the users of the VPN, one must often question the need for privacy — is it the intention of users to have secret conversations but remain unknown parties to one another? A typical example of privacy without strong authentication of both parties would be secure Web page viewing (SSL). As generally employed, only the secure website’s identity is authenticated to the viewer, while the identity of the viewer of the secure Web page is unknown to the website. However, it must be noted that SSL can be configured to support strong authentication of both the website and the browser of the website.

A VPN, included as part of the properties of the encryption process, should provide integrity protection to the data during transport. This means that the data cannot be modified in transit without detection (through the creation of data errors upon decryption). In many cases the communication may not need to be private, but the accuracy and substance of the communication is critical (e.g. a $10 vice $10 million monetary transfer, etc.).

A VPN should provide functions designed to ensure that the identification of the origin of any particular transmission cannot be masked. This would be important if the time or fact of the communication was necessary (e.g. proving that an order was placed, payment was sent, etc.).

Access/Flow Control

A VPN often does not perform all of the selective access control and flow control measures of a firewall. It must be recognized that a VPN represents a temporary extension of the corporate network boundary out to the VPN client machine connecting to it. This boundary point, usually devoid of the controls implemented at the traditional boundary in the form of firewalling, can be an inviting entry point target to hackers. Using port remapping and Trojan exploitation code, a skilled hacker can actually surreptitiously ‘piggyback’ onto the legitimate VPN connection and so gain entry into the enterprise network. Personal firewalling, either incorporated into the VPN or used in conjunction with it, can be a powerful guard against this type of exploitation.
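An added example (not code from the original article) for the integrity requirement in this section, using the article's own $10 versus $10 million transfer: with encryption alone a packet altered in transit can still decrypt to a well-formed message, while a keyed integrity check rejects it. A toy SHA-256 keystream stands in for the VPN's cipher and HMAC-SHA256 for its integrity check; the keys, message layout and function names are constructed for illustration.

```python
import hashlib
import hmac

ENC_KEY = b"constructed-demo-encryption-key"      # demonstration values only
MAC_KEY = b"constructed-demo-integrity-key"
NONCE = b"packet-0001"
MESSAGE = b"TRANSFER USD 00000010 TO ACCT 12345"  # constructed sample: a $10 transfer
TAG_LEN = 32                                      # HMAC-SHA256 output size


def keystream(nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); stands in for a real stream cipher."""
    blocks = (hashlib.sha256(ENC_KEY + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(data: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts."""
    return xor(data, keystream(nonce, len(data)))


def modify_in_transit(packet: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model a change made on the path: the difference between two equal-length
    field values is XORed into the ciphertext, with no key involved."""
    delta = xor(old, new)
    field = xor(packet[offset:offset + len(delta)], delta)
    return packet[:offset] + field + packet[offset + len(delta):]


def seal(data: bytes, nonce: bytes) -> bytes:
    """Encrypt, then append HMAC-SHA256 computed over nonce and ciphertext."""
    ct = encrypt(data, nonce)
    return ct + hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()


def open_sealed(packet: bytes, nonce: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that was altered."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return encrypt(ct, nonce)


def encryption_only_result() -> bytes:
    """What the receiver decrypts when only encryption protects the packet."""
    altered = modify_in_transit(encrypt(MESSAGE, NONCE), MESSAGE.index(b"00000010"),
                                b"00000010", b"10000000")
    return encrypt(altered, NONCE)


def sealed_packet_accepted(altered: bool) -> bool:
    """True if the receiver accepts the sealed packet and recovers MESSAGE."""
    packet = seal(MESSAGE, NONCE)
    if altered:
        packet = modify_in_transit(packet, MESSAGE.index(b"00000010"),
                                   b"00000010", b"10000000")
    try:
        return open_sealed(packet, NONCE) == MESSAGE
    except ValueError:
        return False


if __name__ == "__main__":
    print("encryption only, after modification:", encryption_only_result())
    print("sealed, untouched, accepted:", sealed_packet_accepted(altered=False))
    print("sealed, modified, accepted:", sealed_packet_accepted(altered=True))
```

When evaluating a product, the point to confirm is that every protected packet carries such a keyed check and that the receiver verifies it before acting on the contents.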


What a VPN does not do

Storage Privacy

A VPN does not protect or privatize the data while it is at point A or once it arrives at point B. It can also leave information exposed while being transported over the originator or recipient’s networks (internal networks before the encryption device or external networks after decryption device). This point is made because a VPN only addresses the communications aspect of information protection; it does not address information stored on a disk, displayed on screen, or printed.

Businesses must understand that there is no solution that does everything and that information security is a continuous ‘life cycle’ involving many policies, procedures, and controls. A VPN can be a great control asset if deployed correctly within the enterprise, but security is only as good as the weakest link in the enterprise’s overall activities. Every business must assess, design, implement and maintain their security program and understand where the risks to information assets exist.

Security means more than keeping bad things from happening. Security experts can turn security technologies, policies, and procedures into business enablers that will make it possible for an enterprise to maximize competitive advantage, achieve increased operating efficiency, and enhance revenues.

Business Uses of a VPN

Organizations can utilize VPN technology throughout the enterprise. When VPN technology is deployed correctly in the organization it can enable business processes that would otherwise be cost prohibitive. VPN technology can rightfully be viewed as an enabling technology that enhances the ability of the organization to achieve its goals and objectives by increasing opportunities and revenue. Some common uses of VPN technology include:

• Connecting business units at different physical locations together via a public network.
• Connecting departments who transfer sensitive data together over a shared corporate backbone.
• Connecting to business partners to enhance the purchasing and sales cycles.
• Providing cost effective remote access for mobile employees via a public network.
• Connecting confidential systems together to allow secured communications.

Requirements of a Well Designed VPN

Scalability

Scalability is more than just throughput. Throughput is how much data a given box can handle at any one time. The problem we encounter is how to grow from there. Once we reach that limit, how do we scale? Scalability should include ways to stack boxes together to work in tandem, similar to the concept of stackable hubs. If we need more connections we just add another hub to the stack. Of course there is always a limit to how many things we can stack, but the point is that we are not limited by a single unit’s performance. Scalability allows a solution to grow as the business grows and eliminates forklift upgrades. Usually load balancing and redundancy are provided as well.



Performance is the raw throughput of a device. The VPN must be able to handle a large amount of traffic if it is going to work in the enterprise. Depending on the given scenario, a VPN should be able to process close to the input line speed that it connects to or to the line speed of the slowest link. If the users are connecting a VPN device to a 100Mbps Ethernet segment but the incoming traffic is routed over a T1 then the users would only need the 1.544Mbps throughput. If the users were using the VPN to encrypt traffic across an internal ATM backbone then the users would want the encrypted throughput to be close to 100Mbps.

Reliability

For a VPN to actually make it in the business world it must be reliable. Reliability means that it should be available at all times, at a level similar to that of the telephone. Reliability must include redundancy features to allow automatic recovery of failed devices with limited interruption of service. As VPN solutions are adopted in the business world and begin to play a key role in the organization, reliability will be a necessary factor. Organizations are looking to use VPN technology as an enabling strategy to provide access to enterprise resources to increase opportunities and revenues while lowering the costs of providing connectivity. This can only be achieved if the VPN is available when needed.

Usability

The VPN needs to be very easy to use and understand. For a VPN solution to be successful the end users of the VPN should be able to use its services without realizing they are doing so. The VPN should be transparent to the user when tunnels are established and torn down. There shouldn’t be any unnecessary requirements for the users to allow for secured access to resources required to get their job done. Increased security and efficiency allows the workforce to meet the organization’s goals and objectives. A good policy distribution system should allow the VPN to determine when to encrypt and when to send clear text information. The only requirement the user needs to notice is authentication to provide access.

Ease of Management

For a VPN product to be deployed by any medium or large enterprise, it must have a well-implemented management solution. In security products it is key to have a solid management solution to ease the burden of administration, management and reporting. The management platform must have a simple way to design security policy, an easy way to distribute that policy and an easy way to simultaneously manage a large number of devices. It should include the capability for separation of duties, distributed management consoles and fault tolerance.

Interoperability

To make complete use of a VPN product it should be interoperable with other VPN products. For a complete enterprise solution the VPN will need to allow the users to communicate with business partners and others who may have deployed a different VPN solution. This requires that to communicate securely the users should ensure that the selection of VPN equipment be interoperable according to industry standards and protocols. This factor will enhance the ability of the organization to enable new forms of electronic commerce in the future and continue to capitalize on the cost advantages of VPNs, as well as protect investment.
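One way to express the encrypt-or-clear decision that the Usability and Ease of Management requirements above call for, as an added example that is not from the original article: an ordered policy table with the three outcomes IPsec defines for a packet (protect, bypass, discard), plus a check that catches rule-ordering mistakes before the policy is distributed. The addresses, rule set and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass(frozen=True)
class Rule:
    src: str                    # source network (CIDR)
    dst: str                    # destination network (CIDR)
    proto: Optional[str]        # "tcp", "udp", or None for any protocol
    dport: Optional[int]        # destination port, or None for any port
    action: str                 # PROTECT, BYPASS or DISCARD
    peer: Optional[str] = None  # remote VPN gateway for PROTECT rules

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def decide(policy: List[Rule], src: str, dst: str, proto: str,
           dport: int) -> Tuple[str, Optional[str]]:
    """First matching rule wins. Traffic that no rule covers is dropped,
    so a gap in the policy never turns into clear-text transmission."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.peer
    return DISCARD, None


def _overlap(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
            and (a.proto is None or b.proto is None or a.proto == b.proto)
            and (a.dport is None or b.dport is None or a.dport == b.dport))


def clear_text_leaks(policy: List[Rule]) -> List[Tuple[int, int]]:
    """Return (bypass_index, protect_index) pairs where an earlier BYPASS rule
    overlaps a later PROTECT rule, i.e. traffic meant for the tunnel can leave
    unencrypted because of rule order."""
    return [(i, j)
            for j, later in enumerate(policy) if later.action == PROTECT
            for i, earlier in enumerate(policy[:j])
            if earlier.action == BYPASS and _overlap(earlier, later)]


# Constructed policy for a remote-access client pool (addresses are examples).
POLICY = [
    Rule("172.16.8.0/24", "10.0.0.0/8", None, None, PROTECT, peer="192.0.2.1"),
    Rule("172.16.8.0/24", "0.0.0.0/0", "udp", 53, BYPASS),
    Rule("172.16.8.0/24", "0.0.0.0/0", "tcp", 443, BYPASS),
]
# Same rules with the web bypass moved to the top: an ordering mistake.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1]]

if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("MISORDERED", MISORDERED)):
        verdict = decide(pol, "172.16.8.5", "10.1.2.3", "tcp", 443)
        print(name, verdict, clear_text_leaks(pol))
```

Running the ordering check in the management console before a policy is pushed keeps the decision invisible to the user while preventing an edit from silently moving internal traffic out of the tunnel.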



Protocol Support

If a VPN is truly an enterprise solution it will provide a wide range of networking protocols. These protocols ensure that the users can communicate with other business partners and various forms of dial devices that may be necessary in the organization. The following protocols should be supported:

• IPSEC
• PPTP
• L2TP
• RADIUS

Service Level Agreement

In order for a VPN to be used as a business enabler, it may be necessary to negotiate with the service provider a service level agreement to provide consistent throughput and service to the connected locations. This requirement will depend on the criticality of the individual applications the users are supporting across the VPN.

Seamless Integration

For a VPN solution to fit into an organization it must integrate into the network and other systems as a complementary service. A VPN is merely privatizing data to protect information as it travels from point A to point B. The VPN device should integrate into the existing infrastructure and provide value. This additional value is only recognized fully if the solution will work with the existing remote access servers, Internet connections, certificate authorities and authentication mechanisms. A solution loses value if an administrator must maintain a completely separate authentication database to provide access.

As we start distributing data through the use of VPN technology we must realize the need for authentication. This authentication will be required at several levels. First it is required that the VPN software authenticate with the other VPN devices that it is communicating with. This requires that device A and device B have properly exchanged information (keys, certificates, etc.) to authenticate before they begin the encryption/decryption or authentication/verification of communications. Second it may be necessary (as in the case of the remote laptop users) to follow up with user authentication to ensure the person in possession of the device is who they say they are. This can be in the form of username/password, tokens, certificates, smart cards or a variety of other user access controls available. This provides an extra measure of protection to mitigate the risks of lost or stolen devices. To help with centralizing user administration, the VPN system should support third party authentication mechanisms.


Accounting, Auditing and Logging

For any security solution to be complete, it must be able to log, account, and create audit trails. The system should log system events to help administrators identify problem areas and understand when key events have taken place. The security function will also want logging to review breaches in security policy, potential intrusions and other security-related events. Others in the organization such as Internal audit and accounting may wish to view accounting for users, usage, and other activities. A good logging function will provide the necessary information with the ability to notify selected individuals when encountering a given event.



The current standard for commercial encryption is still DES or triple DES, and in the future will migrate towards the recently announced Advanced Encryption System (AES). VPNs carrying any form of sensitive traffic should use triple DES encryption to protect the data. VPN solutions often suffer a performance degradation when using triple DES, so make sure any numbers quoted by vendors include triple DES performance reports.

The Technology Standards of IPSEC and IKE

The Internet Engineering Task Force (IETF) has developed a set of standards for IP Security referred to as IPSEC. The standards provide a means for communication of information to be protected at the network layer. This standard provides a framework for authentication and encryption between two parties while allowing some flexibility in the use of different encryption algorithms and authentication methods. The framework allows two or more unlike devices to establish communications, authenticate and determine an agreed upon encryption scheme to use during a communications session. This will provide great flexibility for businesses to take the technology and deploy it while maximizing the investment by also communicating with other business partners without the need for a new device. This framework will prove to increase the success of VPN solutions by providing more flexibility to inter-operate with others. Again it is important to note that this framework alone does not make us secure end-to-end, but merely creates a secure channel with a trusted partner. Caution must be exercised when creating these connections and using these services to ensure that other security concerns are addressed as well.

The IETF has also developed the Internet Key Exchange (IKE) to provide authenticated keying material for security associations, and in this case particularly for IPSEC. The IKE standard is a hybrid protocol that incorporates parts of the key exchange ideas of Oakley and SKEME in conjunction with the framework from ISAKMP. IKE uses Diffie-Hellman key exchanges and provides mechanisms for different forms of key exchange authentication from public key to preshared key. The IKE protocol can also utilize IPSEC compliant X.509v3 certificates for use with a public key infrastructure. IPSec was not created with only the final goals of VPNs in mind, but with the intention of providing security services for any type of IP connectivity that might need these services at the network layer. However, the IPSec authors were well aware of the needs of VPN technology, and their specifications have met many of these goals in an extremely flexible and extensible way.

The Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) are commonly deployed in organizations for remote access. These tunnels to the organization allow authorized clients to access internal hosts while utilizing public access networks such as the Internet. Encryption with PPTP and L2TP is possible, but a new solution exists with today’s VPN standards. IPSEC can be used as an alternative or in conjunction with PPTP or L2TP. Using IPSEC only allows the user to establish an encrypted tunnel to their home network based on security policies without having to ‘launch’ a tunneling application. If the users must use PPTP or L2TP however, IPSEC can just provide the encryption services for the PPTP or L2TP traffic and allow those services to tunnel the packet flow accordingly.

Requirements to Implement an Enterprise VPN

As organizations begin to deploy VPN solutions throughout large enterprises, the real issues will arise as to the other requirements surrounding VPN technology that enhance overall security. The following table provides some issues that will need to be addressed during the planning stages of VPN deployment.

Organizational Security Policy

One of the underlying requirements to implement a VPN is the overall enterprise security policies and procedures. A VPN is merely a point solution to solve a specific problem. A security policy should identify the requirements for a VPN based on the formalized risk assessment process that identified the risks to information.

Understanding business requirements

A VPN should be viewed as an enabling device to allow business communications to be achieved over backbone networks, public infrastructures or other external networks. A VPN solution will help businesses provide solutions for remote employees, business partners, and other electronic commerce initiatives.

Understanding what the users are protecting and who the users are protecting it from

Before deploying any solution, businesses need to understand the problem and ensure that the solution they are deploying actually addresses that problem. A VPN only protects the information in transit from point A to point B and additional measures may need to be taken to safeguard the information once it reaches point B.

Understanding legal issues

With any encryption solution there are legal issues to consider. Encryption import and export laws must be understood when deploying international solutions and this must be taken into account during the design phase of the solution.

Understanding integration issues

Infrastructure requirements are a big consideration when looking at deploying a VPN solution. Organizations need to understand VPN technologies as well as other technologies to integrate the solution into the network properly. A solid understanding of information security, system security, routing, service provider connectivity and other issues must be addressed to deploy a successful enterprise-wide VPN solution.

If the users are serious about deploying VPN technology, they should verify that they have addressed all the requirements. A solid VPN solution can be achieved with proper planning and design to support a well organized implementation.

Organizations are becoming more aware of the opportunities available to meet strategic goals and objectives by leveraging security and technology to deliver services to employees, clients and business partners. The use of VPN technology has matured to a level where it will provide organizations with a solid solution to enable new avenues to drive revenue and reduce operating costs.