VPNs securely deliver the goods

May 8, 2001, 01:46 PM — InfoWorld

IMPLEMENTING A WAN -- a link between two or more remote networks -- used to be an expensive, complicated undertaking. Companies with branch offices might have used leased lines to run a dedicated bridge from one LAN to another. If a company had remote or mobile workers, it either maintained banks of modems or leased POP (point of presence) access from dial-up providers. These private networks were neither easy to use, cheap, nor particularly reliable, but they were a necessity.

With the Internet revolution has come a simpler, less expensive option for interconnecting LANs: emulating a dedicated point-to-point connection via a public network. The most popular technique, tunneling, entails wrapping private network packets inside TCP/IP data sent via the Internet. Hardware or software on each end of this VPN connection uses a shared encryption key to encrypt and wrap, and then unwrap and decipher, VPN packets.
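The wrap-and-unwrap step described above, as an added example that is not part of the original article. The function and class names, the sequence number, and the HMAC tag are assumptions made for illustration, and the SHA-256 counter-mode keystream is a standard-library stand-in for a real cipher.

```python
import hashlib, hmac, os, struct

HEADER_LEN, TAG_LEN = 8 + 16, 32   # sequence number + nonce, HMAC-SHA256 tag

def derive_keys(shared_key):
    # Separate keys for encryption and authentication, both from the shared key.
    return (hmac.new(shared_key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(shared_key, b"authenticate", hashlib.sha256).digest())

def keystream(key, nonce, length):
    # SHA-256 in counter mode: a standard-library stand-in for a real cipher
    # (assumption for illustration; a production VPN uses a vetted cipher).
    blocks = (hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(shared_key, seq, inner_packet):
    """Sending gateway: encrypt the private packet and build the outer payload."""
    enc_key, mac_key = derive_keys(shared_key)
    nonce = os.urandom(16)
    header = struct.pack(">Q", seq) + nonce
    body = xor(inner_packet, keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag

class TunnelEndpoint:
    """Receiving gateway: verify, reject replays, then decrypt."""
    def __init__(self, shared_key):
        self.enc_key, self.mac_key = derive_keys(shared_key)
        self.last_seq = -1

    def unwrap(self, outer_payload):
        if len(outer_payload) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        header = outer_payload[:HEADER_LEN]
        body, tag = outer_payload[HEADER_LEN:-TAG_LEN], outer_payload[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")   # wrong key or tampering
        seq = struct.unpack(">Q", header[:8])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order packet")
        self.last_seq = seq
        return xor(body, keystream(self.enc_key, header[8:], len(body)))

# Constructed sample: stands in for a private LAN packet.
INNER = b"10.1.0.5 -> 10.2.0.9 payroll query"
```

The receiver checks the tag before it decrypts anything, so a packet altered in transit or sealed with a different key is dropped without its contents ever being processed.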

VPNs leverage companies' existing Internet service to eliminate the cost and management burden of single-purpose leased lines and modem banks. A VPN is not a perfect solution because it is sensitive to all of the problems that plague the Internet, including latency (packet delivery delays), packet loss, and routing failures.

Every potential VPN malady is matched by an equally troubling private network issue, but VPNs create a unique dilemma: When you ship private information along a public network, how do you keep that information safe?

The greatest risk comes from malicious hackers and spies who would like to crack your network either to earn bragging rights or to steal from you. No less troubling is the opportunity a VPN offers to insiders who might decipher your VPN traffic using the passwords stored on your servers or given to remote users. Designing a VPN strategy that locks out unauthorized external users is not enough.

A VPN also must track and limit the mobility of authorized employees who try to abuse their access privileges. That protection covers the too-common circumstance of authorized users who, intentionally or accidentally, share their VPN access credentials with a hacker.

With personal computers, Unix servers, and workstations running at head-spinning speeds, the question sometimes arises as to why anyone needs so much processing power. Pundits often cite the need to run more capable applications and to scale Internet services to thousands of users, but VPNs create a more pressing need for fast computers.

A VPN uses encryption to ensure that a hacker capturing your WAN packets sees only indecipherable garbage. That's no small challenge. Encryption is based on the kind of mathematical calculations that fill a blackboard. Every VPN packet is transmuted by a series of calculations intended to make it impossible to restore the packet to its original form except by its intended recipient. The stronger the encryption, the more computing time it takes to encrypt or decrypt each packet. The strongest encryption techniques require more computing power than most companies can afford, given the volume of data they handle.

The network-services architects who must devise a sound VPN strategy face three primary challenges. First, an encryption technology must strike a balance between protection and computing requirements.

Second, encryption keys -- or the data, such as passwords or strings of random digits, used to generate them -- have to be protected; in other words, they should be accessible to as few people as possible.

Finally, a safe VPN is one that audits activity, identifies potential break-ins, and gives administrators the tools and information they need to respond quickly to breaches, including the power to instantly revoke the access rights of users who possess valid keys or passwords but abuse their privileges or who are using borrowed or stolen credentials.

Many flavors of VPNs are available. In the following pages, we'll look at three common varieties. The least-expensive option is the software VPN. Here, the process of protecting and delivering VPN packets is handled entirely by software that is either part of the operating system or is added as a free or inexpensive option.

A relatively new approach is to package a VPN in self-contained hardware, a box that transparently routes VPN packets between your LANs via the Internet. Finally, the industrial-strength solutions include hardware and software and are suitable for deployment in an enterprise that requires maximum protection or scalability to hundreds of remote users.

The many risks involved in using a VPN to send sensitive data via the Internet are more than outweighed by the cost advantages a VPN provides when compared to private circuits. When a company suffers a breach, it's not a sign that a VPN is a bad idea; rather, it's a failure in planning or policy.

Whichever type of VPN you choose, strengthen it as new technology becomes available. Thorough planning and tracking of emerging encryption technologies are the best ways to safely sneak your company's data past the sharks and pirates that troll the Internet looking for prey.

» posted by ITworld staff
