[ISN] Security without the sweat

From: InfoSec News (isnat_private)
Date: Tue Jul 22 2003 - 00:20:50 PDT


    http://www.fcw.com/fcw/articles/2003/0721/spec-security-07-21-03.asp
    
    By Paul Korzeniowski 
    July 21, 2003
    
    For several years, federal agencies have used virtual private networks
    (VPNs) to reliably secure online information exchanges with remote
    workers and trading partners. Yet, deploying systems based on the IP
    Security (IPSec) protocol - the main method until now - is not always
    as easy or flexible as agencies would like.
    
    In the past year, an alternative has emerged that is taking the market
    by storm: VPNs based on the Secure Sockets Layer (SSL) protocol.  
    Boasting several attractive features - such as simpler installation,
    more device flexibility and lower maintenance costs - SSL VPN products
    are quickly reaching government information technology shops that want
    to expand the user base for e-government applications without breaking
    the bank.
    
    In fact, market research firms Gartner Inc. and META Group Inc. both
    expect SSL VPNs to be the primary way to connect remote users to
    enterprise networks as soon as next year.
    
    As the SSL VPN market mushrooms, the supplier base also has
    diversified. Initially, start-ups Aventail Corp., Neoteris Inc.,
    NetSilica Inc. and SafeWeb Inc. dominated the space. Not wanting to
    miss the action, networking heavyweight Nortel Networks Ltd. has begun
    promoting its Alteon 2424-SSL, while Cisco Systems Inc. plans to
    unveil its SSL VPN wares by year's end. In all, about two-dozen
    vendors now offer the products.
    
    To understand the surging interest in SSL VPNs, it's important to
    grasp how the approach differs from IPSec VPNs. Both techniques share
    a goal: Encrypt transactions to ensure data is secure as it passes
    over Internet connections. They achieve this in different ways (see
    "How it works," below). As a result, each option has strengths and
    weaknesses.
    
    IPSec has become popular because it rides on top of the standard
    TCP/IP stack, whereas previous security mechanisms relied on
    proprietary network protocols. Although IPSec makes it simple to
    connect two computers, it poses installation and maintenance
    challenges.
    
    For one, agency officials have to ensure that their end-user devices
    use the same encryption technique as their central servers. This
    typically involves installing IPSec software on PCs. "In a large
    [organization] with thousands of employees at various remote
    locations, it can become quite cumbersome to maintain the IPSec
    software," said Sarah Daniels, Aventail's vice president of product
    management and marketing.
    
    Typically, users can't install the software themselves, so the IT
    department is responsible for deploying and testing the security
    functions. If an agency upgrades its IPSec software, it often has to
    make the changes on all end-user devices.
    
    By comparison, with SSL VPNs, a device only needs a generic Web
    browser that has SSL functionality, something found in almost every
    case. So the initial installation requires minimal manpower. To
    upgrade an SSL connection, a company usually only has to change its
    server software.
    
    "Because there is so much less administrative [work] required,
    organizations can realize dramatic manpower savings by moving to an
    SSL VPN," said Jason Matlof, Neoteris' vice president of marketing and
    business development.
    
    Easier maintenance appeals to the U.S. Naval Medical Information
    Management Center in Bethesda, Md. In early 2002, officials explored
    ways to provide the center's 55,000 users with secure access to
    medical data via its IP-based intranet.
    
    After evaluating the options, they selected SafeWeb's secure extranet
    appliance, the Tsunami SSL VPN system, to give users access to health
    industry information, such as medical benefits, newsletters, reservist
    duties and e-mail.
    
    "The client security functions have been quite simple to install and
    easy to manage," said Ariel Echano, a network security engineer at the
    naval center.
    
    Because IPSec requires both ends of a connection to use compatible
    software - almost always from a single vendor - it may not be a viable
    option for all applications, such as those involving outside
    organizations.
    
    "IPSec has never been a fit choice with extranet applications, because
    it can be difficult to set up and maintain connections to a large
    number of trading partners," said Jim Slaby, a senior network analyst
    at Forrester Research Inc., a market research firm.
    
    IPSec's requirement for special client software can also create
    problems for nomadic employees. "With IPSec, employees can't use a
    kiosk, a terminal at a customer's site or a handheld device to access
    a corporate network, because they lack the appropriate client
    software," said Anthony Daley, senior vice president and general
    manager at Westcon Inc., a computer and network products distributor.
    
    Also, IPSec VPNs can run into problems with firewalls, which operate
    at the same network level as the encryption software. For example, if
    a government employee is at a contractor's site and tries to download
    data from his or her agency's enterprise application, the firewall
    likely will block the transaction because the request comes from
    outside the organization. Firewalls typically pass SSL connections,
    because the security functions operate at another level, above the
    one the firewall inspects.
    
    The Case Against SSL VPNs
    
    Although SSL VPNs include enticing features, they are not a cure-all.
    Because they require Web browsers, most SSL VPN solutions only provide
    access to Web-based applications. Vendors have to add special software
    so their systems are compatible with mainframes, client/server
    applications, file transfer systems and terminal server applications.
    
    "When they first came out, the SSL solutions supported only a couple
    of applications," such as e-mail, said Jim Jones, chief technology
    officer at systems integrator Science Applications International Corp.
    
    Cost is another area where SSL VPNs can come up short. "The initial
    price for installing an SSL VPN can be three times higher than that of
    an IPSec VPN," said Kyle Klassen, a product marketing manager at
    Nortel. SSL software is more complicated than IPSec software and the
    SSL products are at an earlier stage of development, so vendors have
    been unable to reduce costs yet via volume shipments.
    
    Typically, management functions are one of the last components added
    to a nascent technology, and that has been the case with SSL products.  
    Vendors are focusing on improving their systems' graphical user
    interfaces and widening the range of management information their
    products can collect.
    
    Initially, IPSec and SSL VPNs were positioned as an either/or
    choice. "SSL vendors started out talking about their products as
    IPSec replacements, but there has been a growing realization that
    neither option is perfect for every application," so vendors now view
    the technology as complementary to IPSec VPNs, Westcon's Daley said.
    
    Korzeniowski is a freelance writer in Sudbury, Mass., specializing in
    technology issues. He can be reached at paulkorzenat_private
    
    
    ***
    
    
    How it works
    
    To secure information, an agency must encrypt data as it moves from
    the sender to the receiver. IP Security (IPSec) virtual private
    networks (VPNs) operate and encrypt information at the network layer —
    Layer 3 of the seven-layer network model, to be precise. This protocol
    does not pay attention to what type of information (e-mail message,
    file transfer) may be moving from place to place. It is more concerned
    about locking down the network transport (e.g., TCP/IP).
    
    Secure Sockets Layer (SSL) VPNs function at the application layer, the
    top layer of the seven-layer model. This technique does not take the
    network layer into account but instead focuses on the application
    layer. In most cases, an SSL session assumes the person is connecting
    to a Web service, although special vendor add-ons make it possible for
    users to work with other systems, such as mainframe and client/server
    systems.
    
    ***
    
    By the Numbers: Ideal for mobile users
    
    If you have a small (say, half a dozen), stable set of locations that
    you want to connect securely, chances are that a Secure Sockets Layer
    (SSL) virtual private network (VPN) may not be the best option. The
    initial hardware can cost $25,000 to $50,000, significantly more than
    IP Security (IPSec) VPN switches, which are priced in the $15,000 to
    $25,000 range.
    
    However, because an SSL VPN requires little setup - only a standard
    Web browser - on the end user's computer, it typically costs about
    half as much to manage those connections as it would with IPSec, which
    requires that special software be loaded and maintained on all client
    computers. Therefore, SSL usually makes the most sense when a company
    has a large number of mobile employees who work from different
    locations and use a wide variety of devices (hotel computers,
    handhelds, customer systems, etc.) to connect to an enterprise
    network.