nd customer service over so-called Internet virtual private networks (I-VPNs) or extranets.
Closer to Customers
"An extranet links together various groups in and outside an organization," says Tom Kucharby, president of Summit Strategies, a marketing and channel-strategy consulting firm in Boston, Massachusetts. "Because companies are including customers and suppliers in their intranet projects, we think extranets will eventually make up almost 100 percent of the intranet market."
I-VPNs run over the Internet and transparently encrypt the links between sites. They can provide a cost-effective way to connect small branch or home offices to a central office, to let partners access a company's internal network, and to securely trade and sell products. The advantages are obvious:
- Low access fees instead of high prices for leased lines.
- Excellent scalability of access, for example, from one Basic Rate Interface (BRI) ISDN line at 64 KBps to 30 ISDN lines at 2 MBps via a Primary Rate Interface (PRI).
- Access is available worldwide via fixed and cellular networks as well as over satellite links.
I-VPNs use encryption technology to establish a tunnel, a secure transport channel, between sites. With client software to initiate the tunnel and a tunnel server at a corporate site to terminate the tunnel, your Internet service provider (ISP) doesn't have to support tunneling in any way. Both ends of the tunnel can exchange IP or even IPX packets flowing from, for example, a remote site to a central-office LAN.
The tunnel acts as a router on top of the Internet protocol. If the target address of a packet points to a secure tunnel site, the tunnel server picks the appropriate encryption key, encrypts packets, and sends them off the Internet. At the destination, packets will then be decrypted. Encryption keys can be statically configured (i.e., each target tunnel uses its own key), dynamically exchanged through a public-key algorithm such as Rivest-Shamir-Adleman (RSA), or changed in regular intervals to further enhance security.
This kind of packet encapsulation has another advantage. Using network address translation (NAT), a LAN on one side of the tunnel can use a nonrouteable IP network address such as 10.0.0.0 (RFC 1918) internally. The IP tunnel will then translate this network address to a valid address for transport over the Internet. This prohibits an external computer from accessing an internal device, simply because every Internet router will drop packets with a destination of 10.x.x.x.
Stronger Encryption
However, if you use Internet-routeable addresses internally, encryption of just the IP data fields still gives an eavesdropper access to IP addresses and port numbers, enough information for an attack. That's why the packet, including the IP and TCP header, must be wrapped and placed in a new IP packet. (This is what tunneling is all about.) Such a packet is immune to manipulation if the encryption method used is strong enough.
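The tunnel-as-router behaviour of the last two sections, as an added Python model that is not from the article or from any product it names: the sending gateway looks up the static key for the destination site, encrypts the whole inner packet (IP and TCP headers included, so internal addresses and ports never appear on the wire), wraps it in a new outer IP header carrying only the two gateway addresses, and the receiving gateway checks an authentication tag before unwrapping, which is what makes a wrapped packet resistant to manipulation. The addresses, the site table and the key are constructed; HMAC-SHA256 in counter mode stands in for IDEA or triple DES.

```python
import hashlib, hmac, os, struct
from ipaddress import ip_address, ip_network

LOCAL_GATEWAY = "198.51.100.1"                      # this site's public address (constructed)
SITES = {ip_network("10.2.0.0/16"): "203.0.113.2"}  # remote private net -> its tunnel gateway
KEYS = {frozenset({"198.51.100.1", "203.0.113.2"}): bytes(range(32))}  # static key per gateway pair

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero to keep the model short.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])   # -> (src, dst, proto, payload)
    return str(ip_address(f[8])), str(ip_address(f[9])), f[6], pkt[20:]

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for IDEA or triple DES.
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Encrypt, then authenticate: nonce || ciphertext || HMAC tag.
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Check the tag before decrypting, so a manipulated packet is dropped.
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def encapsulate(inner):
    # Sender: wrap the whole inner packet, headers too, if dst is a tunnel site; else pass through.
    dst = ip_address(parse_ipv4(inner)[1])
    peer = next((gw for net, gw in SITES.items() if dst in net), None)
    if peer is None:
        return inner
    body = seal(KEYS[frozenset({LOCAL_GATEWAY, peer})], inner)
    return ipv4_header(LOCAL_GATEWAY, peer, 50, len(body)) + body  # proto 50 = wrapped

def decapsulate(outer):
    # Receiver: pick the key from the two gateway addresses, then unwrap.
    src, dst, proto, body = parse_ipv4(outer)
    return unseal(KEYS[frozenset({src, dst})], body) if proto == 50 else outer

# Constructed inner packet: 10.1.0.5 -> 10.2.0.9, TCP, with an 8-byte stub header.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 6, 8) + struct.pack("!HHI", 40000, 80, 1)
```

On the wire, `encapsulate(INNER)` shows only the gateway pair 198.51.100.1 and 203.0.113.2; a packet for a destination outside the site table is passed through unchanged.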
Secure IP (IPSEC) is emerging as the standard used to coordinate encryption between two endpoints. It includes both Simple Key Management for Internet Protocol (SKIP), developed by Sun Microsystems, and Internet Security Association and Key Management Protocol (ISAKMP/Oakley) as optional protocols for key management. (For more information on tunneling protocols, see "A Virtual Private Affair," July BYTE.)
Key length of encryption algorithms is an important issue. Products typically have 128-bit key lengths in International Data Encryption Algorithm (IDEA) and RC4 algorithms or 112 bits in triple DES encryption schemes.
Several I-VPN products from European and Israeli vendors such as Data Fellows, Elvis+, Radguard, and Utimaco Safeware have entered the market. Many observers expect European companies to start building I-VPNs next year, though traditional VPNs will continue to play an important role throughout the next five years.
Software Solutions
Data Fellows offers a full range of products based on the tunneling protocol SSH. "SSH is probably the most widely used communications-oriented encryption protocol," says Sakari Pihlava, a product manager with Data Fellows. "With our SSH implementation, we demonstrated that it was possible to develop a robust I-VPN product when other companies were only debating protocol standards."
SSH has been widely embraced as a remote log-in protocol in Unix applications. It includes direct support for SOCKS, an authenticated firewall traversal protocol, and uses RSA for host and user authentication.
"With the IPSEC standard coming along this year, we will show an IPSEC implementation of our VPN product this fall," notes Pihlava. He says that the new version of its F-Secure VPN product will use ISAKMP/Oakley for key management, because "this is where the early market will be." However, Pihlava also expects early ISAKMP/Oakley implementations in different products not to be 100 percent compatible and interoperability testing between products of different vendors to take until early next year.
F-Secure VPN runs on a dedicated Unix server using a 128- or 112-bit encryption algorithm and supports Windows, Unix, and Mac clients. The software connects several LANs in a meshed topology, with separate IP tunnels from each VPN router to any other. It can also connect through a central VPN router in star topology. The F-Secure VPN router sits between the secure network and a Web server, providing firewall functionality. According to Data Fellows, a Windows NT Server version of F-Secure VPN, still based on SSH, should also be available this fall.
A cheaper solution without a built-in firewall is the company's F-Secure SSH server and client software. With only one connection to the LAN, the SSH server acts as an IP tunnel proxy. It receives only encrypted traffic from the standard Internet access router, decrypts the packets, and sends them to the local client. You can establish secure connections from the client to the Internet via the SSH server or through the SSH client.
The F-Secure Commerce server and client operate in a similar way but are optimized for use with standard commerce Web servers. The server authenticates a caller and establishes an encrypted connection between the browser and the Web server.
Which Key Is Yours?
Utimaco's Safeguard VPN includes the server software, client agent, and a firewall. The agent software for Windows NT is based on Microsoft's Network Driver Interface Specification (NDIS) and operates between the NDIS hardware driver and the TCP/IP stack. Because this solution emulates a standard network API, it is transparent to the application. In the Unix version of Safeguard VPN, however, the agent is part of the TCP/IP stack.
Safeguard VPN includes an IP tunnel gateway with two LAN ports to include non-NDIS stations in encrypted communications. Developers can also use a Safeguard VPN software developer's kit to adapt existing applications to the tunneling environment.
Users can choose between 56-bit DES and the stronger 128-bit IDEA algorithm for encryption. As for the tunneling and package signature, the system uses IPSEC tunneling to ensure interoperation with other vendors' systems.
Safeguard VPN uses SKIP or Strong Key Management and Authentication Protocol (SKAP), developed by Utimaco, for authentication and key management. SKAP implements the Generic Security Services API (GSSAPI) and supports RSA authentication via smartcards.
Easy Setup
The stateless SKIP may be the best solution for small organizations, because it is easy to set up and doesn't require prior communication to establish and exchange encryption keys. It communicates keys in line with the packets. ISAKMP is better suited for large organizations or secure communication with business partners, because this session-oriented protocol allows for the negotiation of encryption schemes and thus makes integration of new sites easier. Companies that want additional authentication via smartcards will use SKAP.
Elvis+, a Russian network software developer, licensed its Secure VPN product to Sun in May. Sun is offering the VPN software in international markets as SunScreen SKIP E+.
Elvis+ Secure VPN uses SKIP for key management, but the company says it will eventually support the emerging ISAKMP standard as well. The company plans to include JMAPI-based (Java Management API) management of network objects in its product range and deliver the first JMAPI-compliant modules to its software early next year. Also, the company says its next versions will include support for user certificates stored on smartcards and a comprehensive development kit.
F-Secure, Safeguard VPN, and Elvis+ Secure VPN run the encryption process in software. Hardware-based solutions, on the other hand, offer performance advantages and usually depend less on OSes and the security holes that are associated with them. Although they often use proprietary tunneling schemes and are less flexible, they are sometimes considered more secure.
VPN in a Box
Biodata's BigFire, a firewall packet filter and encrypting box, includes a proprietary IP tunnel. It provides three network connections, one to the secure LAN, one linking directly to the Internet, and one that helps network administrators configure and operate the device. BigFire and BabylonNet, a dedicated tunneling server, use 112-bit triple DES as their encryption algorithm. In addition, BigFire supports NAT and single-IP address resolution, which allows users to operate their complete extranet data transfer under a single-IP Internet address.
Radguard's NetCryptor, which extends the company's CryptoWall family of encryption products, lets you build multisite VPN solutions with central management facilities, a certification authority unit, redundant topologies, and automated messaging between the stations. Because the system includes a packet-filter firewall, it provides both security for the data traffic and protection against threat from the Internet. In contrast to BigFire, NetCryptor also supports IPSEC tunneling.
All the aforementioned solutions require software or hardware for both the client and the server. If you want your I-VPN to be transparent to the client, your ISP must have tunnel-enabled access servers and perhaps routers.
Big European ISPs such as EUNET, ECRC, and EBONE, for example, have already started to roll out security services for closed user groups as well as business-to-business commerce on the Internet. Closed user groups work best if all members access one provider's backbone and share a limited amount of network addresses. This allows the ISP to route and filter data reliably and quickly, and avoids incompatibilities between the equipment of different ISPs. SAP, a big developer of enterprise resource-planning software, for example, runs its complete service and support network in such a closed user-group environment.
Where to Find
Advanced Services & Media
Munich, Germany
Phone: +49 89 636 50150
Fax: +49 89 636 50152
Internet: http://www.sni.de/public/media