Security Problems


July 1997 / Features / A Virtual Private Affair / Security Problems

For intra- and intercompany VPN traffic, considerations such as security, availability, reliability, and performance may force organizations to consider exactly where their traffic flows and what other traffic uses the same networks. Primary among these considerations is security. Security issues include privacy (transmissions cannot be read), authorization (users have the right to access certain resources), integrity (data isn't tampered with), nonrepudiation (senders are who they say they are), and assurance of service (the ability to send or receive data cannot be denied). Except for denial of service, all these concerns can be addressed through encryption and digital keys. However, costs associated with keys and encryption may include processing power, network bandwidth, special hardware, and time and expertise to manage the system. Instead of incurring those costs, organizations may choose to use private networks, which they typically perceive as needing less investment to achieve a higher level of security.

You can question to what extent, if at all, Internet traffic is more vulnerable to various kinds of attacks. For instance, if the same physical lines carry Internet and private network traffic, both types of traffic may be equally vulnerable to "invasion of privacy" via a network monitor. In this context, notes Dataquest analyst John Coons, encrypted VPNs may be more secure than private lines.

Most other types of attacks, however, are easier to mount on the public Internet than on a private network. The reason is simple: It's difficult for a perpetrator to insert traffic into a private network, but it's easy on the public Internet. Attacks that require the ability to transmit include password-guessing attacks, data tampering, and "spoofing" (pretending to be an authorized user by forging an authorized address on packets).

An attack that aims at denial of service can be particularly hard to defend against, even if a company is willing to spend money on security: For instance, a perpetrator can bombard a particular address with traffic, tying up communications and processing resources at that site. Recent perpetrators have been crashing servers, routers, and printers using the Ping of Death attack, which involves sending a ping message that is larger than legal size. If a firewall blocks ping messages, there are ways to accomplish the same thing via the HTTP, NFS, or Telnet protocols. Intruders will, unfortunately, always find a way.
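A filter or host can reject a message "larger than legal size" before reassembly by checking where each IP fragment would end. The following is an added example, not code from the article: the 65,535-byte IPv4 datagram limit and the fragment arithmetic come from the IPv4 header format rather than from the text, the check is protocol-independent (which also covers the non-ping variants mentioned above), and the packets, addresses, and function names are constructed for illustration.

```python
import struct

MAX_IPV4_DATAGRAM = 65535  # largest size the 16-bit Total Length field can express


def build_fragment(offset_units, payload_len, more_fragments, proto=1):
    """Constructed test input: a 20-byte IPv4 header (no options) plus zero payload.
    offset_units is the 13-bit Fragment Offset field, counted in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, flags_frag,
        64, proto, 0,                       # TTL, protocol (1 = ICMP), checksum unused
        bytes([192, 0, 2, 1]),              # documentation-range source address
        bytes([198, 51, 100, 7]),           # documentation-range destination address
    )
    return header + bytes(payload_len)


def reassembled_end(packet):
    """Byte position where this fragment's data would end in the rebuilt datagram.
    Uses this fragment's own header length as the datagram header length."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent header or total length")
    offset_bytes = (flags_frag & 0x1FFF) * 8
    return ihl + offset_bytes + (total_len - ihl)


def is_oversized(packet):
    """True if accepting this fragment would make the datagram exceed the legal size."""
    return reassembled_end(packet) > MAX_IPV4_DATAGRAM


def flag_oversized(packets):
    """Return the indexes of fragments that should be dropped and logged."""
    return [i for i, p in enumerate(packets) if is_oversized(p)]


if __name__ == "__main__":
    sample = [
        build_fragment(0, 1480, True),       # ordinary first fragment
        build_fragment(185, 1480, False),    # ordinary last fragment
        build_fragment(8189, 1480, False),   # final fragment that overruns the limit
    ]
    print("drop fragments at indexes:", flag_oversized(sample))
```

Because no single fragment is itself oversized, the check has to be made on offset plus length rather than on the packet's own size.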

