http://www.eweek.com/article2/0,3959,1054748,00.asp
May 5, 2003

A recent eSeminar showed that, while virtual private networks have been widely deployed, many questions about the technology remain, and many new questions are arising as the technology evolves. Following, eWEEK Labs answers some of the questions that were submitted by seminar attendees during the event, which took place April 16. For a recorded version of the seminar and for more information about Ziff Davis Media Inc. eSeminars, go to www.webseminarslive.com.

What is the advantage of using VPN technologies instead of WAN technologies?

Lower cost and network design flexibility are the two main benefits. In addition, with VPNs, you don't have to lease lines or X.25 bandwidth and can use the IP connectivity you already pay for. You also get finer control over which users can connect to the VPN and when they can do this.

Does a single client-side VPN create as much overhead (bandwidth aside) as a site-to-site VPN?

In transmission and latency, yes. The difference is in the connection setup, which is computationally expensive. Site-to-site does this rarely and leaves the link up; client-side VPNs have lots of connection setups and tear-downs.

What are the concerns when using a VPN with cellular/wireless connections?

One of the biggest problems with using wireless devices to gain network access is that physical security for these portable devices is so poor. Most solutions authenticate the device, not the user, so a misplaced or stolen device can grant all the legitimate user's privileges—especially if atrocious "convenience" features such as password saving or automatic Web site ID/password completion features in browsers are used. Overall security policies and follow-up actions must keep these threats in check.

I thought there was an issue with using unprotected wireless - someone can get onto your machine and then get onto the secured VPN channel?
If your wireless channel is itself unprotected, but it's only carrying encrypted content that stays encrypted end-to-end throughout your wired/wireless VPN, then you avoid the burden of administering another parallel ID and key infrastructure (which protects only the wireless links) while still preventing analysis of the content of your traffic. All wireless systems, of course, remain vulnerable to traffic analysis as to which nodes interact with other nodes.

Would additional protection of the wireless channel enhance overall system security?

Incrementally, yes, it would, but at what cost? It's a question of how much security you want on your network as a whole and then where you want to apply your effort and resources to portions of that system.

Why don't more experts make a distinction between "wireless" and "mobile"? VPNs are not very user-friendly for most mobile users.

This is a good point, especially in that some solutions work much better in a space administered by a single service provider than across multiple service jurisdictions (if that's the word). The more your link can look like plain-vanilla TCP/IP, the more flexibility there will be for using many different services and providers. For example, encrypting e-mail, rather than sending in clear e-mail over a VPN, makes fewer demands on the link and its service provider.

Are there any IP Security or Secure Sockets Layer solutions for Linux?

Yes, definitely, on both fronts. FreeS/WAN and Stunnel are popular open-source packages. The commercial appliances are operating system-independent, but a number of them are running Linux. On the client side, SSL VPNs just need a browser, so no problem there. IPSec client interoperability is harder, and there may be problems there. You'll need to check it out on a case-by-case basis.

What do you think about the security of VPNs using Windows 2000 Server via DSL [digital subscriber line] or cable? Are they secure, and what are disadvantages?
If a broadband connection includes a static IP address, it clearly becomes easier to target a particular machine. Even so, most security improvements in Windows 2000, and moving forward to Windows Server 2003, are configuration issues—defaulting to security, rather than out-of-the-box capability, as the default—plus the aggregate effect of applying years of patches. Assertions that open-source software is inherently more secure are now being challenged (see www.eWEEK.com/links); conscientious administration is the foundation of security, regardless of operating system choice.

Can you describe security requirements for VPNs when used over public and private networks?

It's hard to imagine adding a VPN on top of a private network, unless there are issues of trust with the network service provider or concerns about physical interception of signals on network links. If you have such concerns, protecting the network traffic could be worthwhile—but a VPN is only one of several solutions that you should consider. E-mail encryption, for example, is an alternative.

Can you provide more information on LAN-to-LAN VPNs?

If a LAN-to-LAN VPN is implemented by [IP Security] gateways that are themselves outside each LAN's individual firewall, there's minimal impact on the pre-VPN LAN. But at the same time, the firewall won't have the opportunity to protect that gateway and analyze attacks that might be made against it. On the other hand, an attacker cannot use the VPN to tunnel through the firewall—the firewall sees everything coming in from the gateway as plain-vanilla network traffic. Depending on the types of attack that most concern you, this may be a good trade-off—or not. Only if the gateway and firewall functions are highly integrated will roaming clients, with constantly changing IP addresses, be relatively easy to support.

How will IPv6 affect VPNs?

An IPv6 channel supports, by definition, any application's request for IPSec service.
Instead of being layered on top of the Internet, IPSec becomes part of it. IPv6 substantially improves defenses against many forms of attack, and its more rapid adoption would be a good thing. As to how this "affects" VPNs, it doesn't eliminate the need for tools that administer privileges and determine which application can use IPSec for secure access to which resources. So VPN tools continue to be important; they just delegate some of their low-level tasks to the network infrastructure.

I have a firewall appliance that gives us VPN capability for many mobile users, and we use PPTP [Point-to-Point Tunneling Protocol]. What else can I do to secure this?

Your remaining opportunities for improved security may lie more in the realm of policy than technology. Your process of granting and revoking privileges, your management of access to sensitive information, and your training of users in their security responsibilities may be fruitful areas for emphasis.

What do you mean by "granular" access as opposed to open access with a VPN connection?

"Granular" access control implies more specific opportunities to grant or deny specific permissions to specific network nodes or users. The mechanisms by which these privileges are controlled may lie in the network operating system or in a higher-level layer managed by the VPN access controls.

What is a VPN accelerator?

A VPN accelerator offloads the computations of VPN encryption and decryption to one or more dedicated processors, reducing burdens on a general-purpose server CPU.

What if I have several small clients that want to create connectivity between two offices, with less than 15 users at each office, and they want to share the same data to both offices? Will a VPN be cost-effective?

Sure, a low-cost site-to-site VPN will do this just fine. Look to spend $1,000 to $2,000 for the two devices.
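The finer control over which users may connect, from where, to what and when, which the answers above call "granular" access, is usually expressed as an ordered rule list evaluated first-match with a default deny. The following Python is an added example, not code from eWEEK Labs or any VPN product; the group names, subnets and office hours are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One access-control entry: which groups, from where, to what, and when."""
    groups: frozenset                 # user groups the rule applies to
    resources: tuple                  # destination networks (CIDR strings)
    sources: tuple = ("0.0.0.0/0",)   # client source networks the rule accepts
    hours: tuple = (0, 24)            # allowed local hours, [start, end)
    action: str = "allow"             # "allow" or "deny"


def decide(rules, user_groups, src_ip, dst_ip, when):
    """Evaluate rules in order; the first match wins, no match means deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if not (r.groups & frozenset(user_groups)):
            continue
        if not (r.hours[0] <= when.hour < r.hours[1]):
            continue
        if not any(src in ip_network(n) for n in r.sources):
            continue
        if not any(dst in ip_network(n) for n in r.resources):
            continue
        return r.action
    return "deny"


# Constructed sample policy; the group names and address ranges are hypothetical.
POLICY = (
    # An explicit deny first: contractors never reach the payroll subnet,
    # even when they also belong to "staff".
    Rule(frozenset({"contractors"}), ("10.1.10.0/24",), action="deny"),
    # Staff reach the internal file-server range during office hours only.
    Rule(frozenset({"staff"}), ("10.1.0.0/16",), hours=(8, 18)),
    # Admins reach all internal space at any hour, but only from the
    # management network they are expected to connect from.
    Rule(frozenset({"admins"}), ("10.0.0.0/8",), sources=("203.0.113.0/24",)),
)


def at(hour):
    """Helper: a fixed date (the seminar day) at the given local hour."""
    return datetime(2003, 4, 16, hour, 30)


if __name__ == "__main__":
    print(decide(POLICY, {"staff"}, "198.51.100.7", "10.1.10.5", at(9)))
    print(decide(POLICY, {"staff", "contractors"}, "198.51.100.7", "10.1.10.5", at(9)))
    print(decide(POLICY, {"staff"}, "198.51.100.7", "10.1.10.5", at(22)))
```

Because the deny entry is ordered before the staff allow, a user who is in both groups is refused the payroll subnet even though a later rule would admit them, which is the property to check whenever a rule list is edited.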
Or you can put two Linux boxes at each end and use FreeS/WAN (free and available at www.freeswan.org), but this is more complex to set up.

Is using Microsoft Remote Desktop log-in as secure as using a VPN?

Remote Desktop provides simpler configuration and firewalling. However, VPNs provide better security because you have to authenticate twice—once for the VPN, plus once for the application you want to use. But Remote Desktop plus some firewall protection to limit IPs calling in provides "good enough" security.

Is there any way to have LAN-to-LAN connectivity but still require authentication in another level?

You cannot tunnel a VPN in a VPN, so to get two-factor authentication you will need to use application- or port-level authentication (for example, IPSec plus HTTP/SSL or Secure Shell).

If you set up a VPN between a primary site and a remote disaster recovery site, with a high-availability cluster between these two sites, and the primary site is destroyed, can the clients connect through a different VPN location to the backup site?

In short, yes, but you will have to reconnect in the IPSec case as the protocol is stateful, and that state will not survive the server failover. In the SSL case, you can get failover if you terminate the SSL connection in front of your server pair, or you can get a VPN appliance that has failover (many do).

You refer to VPN policies. Is there a good resource for such policies?

Try The SANS Institute. It's an excellent resource for security policy information. Just click on "sample policies" on the SANS home page at www.sans.org.

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Mon May 12 2003 - 04:15:06 PDT