November 1997 / BYTE Software Lab Report / Extend Your Net with VPNs

These virtual private network packages let you use the Internet as your own private WAN.

Morgan Stern

Have you ever tried to have a private conversation in a public place? It's not easy. Have you ever listened in, inadvertently or intentionally, to someone else's private conversation? If so, you'll understand the increasing popularity of virtual private networks (VPNs).

The Internet offers a great way to communicate, but it's not very good for transmitting secrets. You never know who's listening, and a well-placed packet sniffer can compromise your confidential communications.

VPNs eliminate the hazards of conducting private conversations in public networks by making your communications intelligible only to the person with whom you want to communicate. VPNs encrypt IP datagrams, use strong authentication before allowing communication, and check data integrity to assure packets arrive at their destination unchanged.

Organizations implementing VPNs leverage their relatively inexpensive Internet connections to build virtual WANs with secured access for off-site employees, remote offices and business partners. VPNs reduce the costs of building and maintaining internal dial-up infrastructures or more expensive point-to-point WAN links.

The VPN Puzzle

VPN-enabled devices typically fit in at the network perimeter. These devices might link the network to individuals in a client-to-LAN configuration, effectively extending the internal network out to the remote user, or they might connect to another VPN-enabled device, thereby creating a virtual, encrypted point-to-point link between two separate networks.

LAN-to-LAN VPNs hide functions like data encryption from end users. The devices on the LAN at the remote end of the VPN link appear to be part of the corporate network: The VPN operates entirely transparently to the user. Client-to-client VPNs, on the other hand, employ software (on a workstation) that intercepts all network traffic destined for a VPN-linked host and adds the necessary encryption elements. End users communicate securely with hosts running compatible VPN software without affecting access to non-VPN hosts.

A VPN requires three functions: encryption, authentication, and data integrity. Typically each VPN node uses a secret session key and an agreed-upon encryption algorithm to encode and decode session data, exchanging session keys at the start of each link using public key encryption. VPN nodes also must confirm that the entity at the other end of the connection is who it claims to be. Most VPNs use public key authentication methods to validate each end of the connection; some may additionally require the end user to supply an account name and password. Finally, both endpoints of a VPN link check data integrity, usually using a cryptographic hash or digest function such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). MD5 is a public-domain standard for generating 128-bit cryptographic checksums. SHA-1 is a hashing function for generating 160-bit cryptographic checksums. Developed as part of the Digital Signature Standard (DSS) by the U.S. Department of Commerce and the National Institute of Standards and Technology, SHA-1 performs an advanced form of a checksum on all data received.
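The data-integrity check described above, as an added example that is not from the article or from any of the products it reviews: a Python sketch that appends a keyed MD5 or SHA-1 digest to a constructed datagram and verifies it at the receiving end, showing the 16-byte and 20-byte digest sizes the text quotes. The header layout, session key and sample payload are assumptions made for illustration.

```python
# Added example (not from the article): an integrity tag of the kind the
# text describes, applied to a constructed datagram. MD5 yields a 128-bit
# (16-byte) digest and SHA-1 a 160-bit (20-byte) digest, as stated above.
import hashlib
import hmac
import struct
from typing import Optional

# Constructed session key: in a real VPN it is negotiated per link with
# public-key cryptography; here it is a fixed placeholder.
SESSION_KEY = b"constructed-session-key-0001"

HEADER_FMT = "!HI"                        # assumed layout: version, sequence number
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 6 bytes
DIGEST_LEN = {"md5": 16, "sha1": 20}      # 128 and 160 bits respectively


def _tag(body: bytes, algo: str) -> bytes:
    """Keyed digest over the whole datagram.

    A bare MD5/SHA-1 over the packet would not protect integrity on its own:
    whoever alters the packet can recompute the hash. Keying the digest with
    the link's session key (HMAC) ties it to the two VPN endpoints.
    """
    return hmac.new(SESSION_KEY, body, getattr(hashlib, algo)).digest()


def build_datagram(seq: int, payload: bytes, algo: str = "sha1") -> bytes:
    """Sender side: header + payload, followed by the integrity tag."""
    body = struct.pack(HEADER_FMT, 1, seq) + payload
    tag = _tag(body, algo)
    assert len(tag) == DIGEST_LEN[algo]
    return body + tag


def verify_datagram(packet: bytes, algo: str = "sha1") -> Optional[bytes]:
    """Receiver side: return the payload if the tag checks out, else None."""
    n = DIGEST_LEN[algo]
    if len(packet) < HEADER_LEN + n:
        return None                        # truncated: cannot hold header + tag
    body, tag = packet[:-n], packet[-n:]
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(tag, _tag(body, algo)):
        return None
    return body[HEADER_LEN:]


def flip_bit(packet: bytes, offset: int) -> bytes:
    """Simulate in-transit corruption by flipping one bit at `offset`."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    pkt = build_datagram(1, b"hello, peer", "sha1")
    print(verify_datagram(pkt, "sha1"))               # b'hello, peer'
    print(verify_datagram(flip_bit(pkt, 8), "sha1"))  # None: modification detected
```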

Testing Testing 1, 2, 3

For this report, we selected 10 VPN products. They reflect three different approaches to VPN implementation. In addition to four stand-alone VPN products, we tested four firewall servers with VPN features and two packages that integrate VPN functions into network and operating system-level products.

Most of the products combine a variety of encryption methods, algorithms, and key lengths, so developing a consistent testing methodology that could produce meaningful results was impossible. I tested for overall security, ease of use, manageability, and interoperability, with particular attention to individual security elements, such as supported encryption schemes, key length, authentication methods, and data integrity support.

Aventail VPN currently offers the best combination of supported standards, management features, and ease of use. Impressively versatile, it makes creative use of the SOCKS protocol (frequently used by proxy firewalls) as its primary VPN mechanism. Two other products rank highly: Check Point's FireWall-1 and Raptor Systems' Eagle NT. Both add an extra level of security by integrating VPN features with firewall functionality, so you can provide varying levels of controlled access to VPN users once they've been authenticated.

Vendors define the term "VPN" very broadly; each product reviewed here offers some kind of VPN functionality, but each implementation is also unique. Almost every product solves at least one problem better than the others. For example, Data Fellows' F-Secure Virtual Private Network 1.1 works for multinational organizations looking for the highest encryption options available to connect multiple networks, while products like FTP Software's Secure Client and Sun Microsystems' SunScreen SKIP shine at client-to-client communications. Firewall-based products, like FireWall-1, Eagle NT, and BorderWare, help corporations that must combine VPN versatility with the security of a firewall.

The VPN product category is still in its early stages. Only five of the products would interoperate for me: the three firewalls (FireWall-1, BorderWare, and Eagle NT) and two clients (FTP Secure Client and SunScreen SKIP). Properly configuring them to work together is not for the faint of heart. As protocols such as the IPSec family become officially standardized, and as VPN vendors implement them, expect true interoperability to become a core feature of all VPN software. For now, plan to stick with a single vendor to ensure VPN compatibility -- organizations planning to establish VPNs with business partners must choose carefully.

AltaVista Tunnel 97

AltaVista Tunnel 97, a dedicated VPN, supports tunneled LAN-to-LAN (available through the Workgroup edition) or client-to-LAN (with the Personal Edition) connections. Managing keys with the included Tunnel Manager application is more intuitive than with many of the other products reviewed, and the ability to control how much of the internal network to make available to VPN users is a very useful feature. A setup wizard and well-organized administrator's guide simplify installation, but compared to the other products reviewed, Tunnel's narrower encryption support and less flexible implementation reduce its appeal. Tunnel 97 is a good product hobbled by relatively limited capabilities and feature set.

Aventail VPN 2.5

Aventail has taken a different approach to creating a VPN product, and the results seem unusual at first. Aventail impressed me with its flexibility, extensive support for encryption methods, and array of authentication options. Unlike other VPN products that tunnel encrypted packets, Aventail implemented a reverse SOCKS proxy gateway to provide VPN capabilities and encryption functions at the session layer. Encryption and authentication can be controlled on a service-by-service level, and additional filters can be employed to limit user access or protect them from potentially hostile Java code or ActiveX components.

Authentication and encryption methods are implemented as software modules, so adding new standards as they evolve should be as easy as installing a new module. Administrators can exercise as much (or as little) control as they want over their VPN users. With its multiple authentication and subauthentication options, and multiple platform support for both servers and clients, Aventail is extremely versatile.

Check Point FireWall-1 3.0a

Check Point extends FireWall-1, one of the most popular firewall servers on the market, to include support for both LAN-to-LAN and client-to-LAN VPNs. Similar to Eagle NT, FireWall-1 lets administrators create VPN connections with unrestricted network protocol access, or they can create VPNs with an extra level of security by enabling the firewall to restrict or permit certain types of traffic. Adding traffic restrictions on VPN links, limiting the type of application that can be run, makes sense when connecting to business partners.

Configuring a FireWall-1 VPN is complicated, but it is also much more flexible than most and supports a wider variety of encryption and authentication options. For organizations that already use FireWall-1 as their firewall server, adding VPN functionality is a no-brainer.

Data Fellows F-Secure Virtual Private Network 1.1

Developed in Finland, F-Secure VPN boasts freedom from any export restrictions, which means that international organizations are free to implement a full-strength version at all their locations. Its graphical VPN configuration design utility let me create our VPN definition with drag-and-drop simplicity. However, F-Secure supports only LAN-to-LAN VPNs, and each endpoint network requires a dedicated VPN server, based on a stripped-down NetBSD kernel with limited hardware support. Undocumented configuration parameters that were needed to get the software to work with our 3Com network cards hampered installation.

FTP Software Secure Client 3.0

FTP's Secure Client offers VPN functionality as a component of a full-featured Windows 95 TCP/IP client implementation, unlike the other VPNs. Secure Client replaces Microsoft's IP stack and supports both IPSec and SOCKS security. Its ability to interoperate with other VPN products is impressive, as is its client-to-client communication encryption function. However, with security features limited to client communications, Secure Client scores poorly compared to products offering both client and LAN VPN capabilities. As a stand-alone product, Secure Client might not meet all your VPN needs, but it could fit in nicely if used with other products.

Trusted Information Systems Gauntlet 4.0

Gauntlet 4.0, from Trusted Information Systems, also incorporates VPN functions into an existing firewall framework, supporting three types of VPN configurations: private, trusted, and pass-through. Private links provide secure communications, with the added safeguard of forcing all communications to be evaluated by the firewall rules. Trusted links provide full, unlimited access between VPN sites. Pass-through mode lets you implement a third-party VPN product in addition to Gauntlet. You configure Gauntlet at the server console or through a Java-based management applet.

Gauntlet 4.0's extensive support for different authentication modes provides a secondary level of security. In a private VPN scenario, users can first authenticate to the VPN server, then use an authentication token such as SecurID to access individual servers or services. VPN support is currently available only in the Unix version of Gauntlet; the NT version is slated to have VPN support soon.

Microsoft Routing and Remote Access Service

Routing and Remote Access Service (see "Software-Only Routing for NT," September BYTE) offers VPN functionality through Microsoft's Point-to-Point Tunneling Protocol (PPTP). RRAS can do 128-bit encryption. It can authenticate only through NT's directory service or through Remote Authentication Dial-In User Service (RADIUS). Overall security would benefit from the addition of some form of certificate authentication on the client end. However, RRAS's availability as a free download makes it an attractive option for budget-conscious organizations with modest security requirements. In addition, RRAS offers enhanced multiprotocol routing and dial-up support for remote users, and it's easy to set up.

Raptor Eagle NT 4.0

Raptor's Eagle NT firewall/VPN combo scored well thanks to its support for multiple encryption and authentication schemes, as well as its ability to selectively control access to internal resources through the firewall access rules. I was also impressed with its monitoring and logging capabilities, though Eagle NT suffered from some minor glitches during testing. For example, it allowed only dial-up VPN sessions from a LAN workstation running Windows 95 version OSR2; other versions of Windows worked fine.

BorderWare Firewall Server 4.1

Configuring the BorderWare Firewall server for VPN sessions is extremely easy thanks to its Java-based remote administration utility and simplified setup menu. Configuring the server hardware itself, however, is not so easy. Like F-Secure, BorderWare is based on a stripped-down Unix kernel, so hardware support is more limited than for the other products. Once we got all the right pieces together, installing the software was not a problem. BorderWare's combination of firewall and VPN functionality is a plus because it gives you the ability to define varying levels of access for VPN clients.

SunScreen SKIP

Like FTP's Secure Client, SunScreen SKIP is a client-based package. It works on Windows 95 or Solaris 2.5.x computers and installs as a virtual network interface, so it can be managed through the Control Panel in the Win 95 version. SunScreen SKIP supports the SKIP key management scheme, so you'll be able to establish secure connections without the hassle associated with manually exchanging encryption keys. One of the more attractive features of SKIP -- not found in some of the tunnel-based products -- lets you define secure and nonsecure hosts, and all traffic between your workstation and those hosts will be encrypted accordingly. Overall, SunScreen is easy to work with; however, it does lack the full feature set of server-based products.

Digging Your Own Holes

Choosing the right VPN product for your organization requires careful thought about your requirements. Client-to-client encryption products, like those from FTP Software and Sun, might be best for decentralized organizations or those with many mobile users. International corporations might prefer Data Fellows' F-Secure VPN because of its full-strength cryptography and freedom from export controls.

The products that scored best in our testing -- Aventail VPN, Check Point FireWall-1, and Raptor Eagle NT -- did well because each offers a good combination of encryption and authentication options, along with support for both LAN-to-LAN and client-to-LAN VPN connections. They proved to be the most versatile and easy to use of all the products in this roundup.

However, VPN software is a rapidly progressing product category, and many of the technical obstacles I encountered, such as lack of product interoperability, will fade as open standards for security evolve. Look for big changes in the next revisions of all of these products.


Product Information


AltaVista Tunnel 97 Workgroup version...................from $995
Personal version........................................from $ 99
AltaVista Internet Software, Digital Equipment Corp.
Littleton, MA
Phone:    508-486-2308
Fax:      508-486-2017
Internet: http://www.altavista.software.digital.com

Aventail VPN 2.5 Server.....................................$4995
Client......................................................$  65
Aventail
Seattle, WA
Phone:    206-777-5600
Fax:      206-777-5656
Internet: http://www.aventail.com

BorderWare Firewall Server 4.1......................$4000-$13,000
Secure Computing 
Roseville, MN
Phone:    612-628-2700
Fax:      612-628-2701
Internet: http://www.securecomputing.com

Check Point FireWall-1 3.0a (50 users)......................$4995
Unlimited users..........................................$18,995
Check Point Software Technologies
Redwood City, CA
Phone:    650-482-4900
Fax:      650-562-0410
Internet: http://www.checkpoint.com

Eagle 4.0..............................................from $6500
Raptor Systems
Waltham, MA
Phone:    800-9-EAGLE-6
Phone:    781-487-7700
Fax:      781-487-6755
Internet: http://www.raptor.com

F-Secure Virtual Private Network 1.1........................$4995 (includes 2 servers)
Data Fellows 
San Jose, CA
Phone:    408-938-6700
Fax:      408-938-6701
Internet: http://www.datafellows.com

Gauntlet 4.0...........................................from $5000
Trusted Information Systems
Rockville, MD
Phone:    301-527-9500
Fax:      301-527-0482
Internet: http://www.tis.com

Routing and Remote Access Service...................free download
Microsoft
Redmond, WA
Phone:    206-882-8080
Fax:      206-936-7329
Internet: http://www.microsoft.com

Secure Client 3.0............................................$300 (single unit)
FTP Software
Andover, MA
Phone:    800-282-4387
Phone:    508-685-3300
Fax:      508-794-4488
Internet: http://www.ftp.com

SunScreen SKIP 1.1.......................................$99-$149
Sun Microsystems
Palo Alto, CA
Phone:    800-786-3463
Phone:    972-788-3150 
Internet: http://www.sun.com

VPN Architecture Features

Column key: 1 = AltaVista Tunnel 97; 2 = Aventail VPN 2.5 (BYTE Best); 3 = Check Point FireWall-1 3.0a; 4 = Data Fellows F-Secure Virtual Private Network 1.1; 5 = FTP Software Secure Client 3.0; 6 = Microsoft Routing and Remote Access Service; 7 = Raptor Eagle NT 4.0; 8 = Secure Computing BorderWare Firewall Server 4.1; 9 = Sun Microsystems SunScreen SKIP 1.1; 10 = TIS Gauntlet 4.0

Feature                                          1   2   3   4   5   6   7   8   9  10

VPN Features
Supports LAN-to-LAN                              *   *   *   *   -   *   *   *   *   *
Supports client-to-LAN                           *   *   *   -   -   *   *   *   *   *
Supports client-to-client                        -   -   -   -   *   -   -   -   *   -
Supports PPTP                                    -   -   -   -   -   *   -   -   -   -
Supports compression                             -   -   -   *   -   *   -   -   -   -
IP payloads                                      *   *   *   *   *   *   *   *   *   *
IPX/NetBEUI payloads                             -   -   -   -   -   *   -   -   -   -
Supports IPv6 carrier                            -   *   -   -   *   -   -   -   -   -
Supports IPSec (RFC 1825)                        -   *   *   -   *   -   *   *   *   *
Supports SKIP key management                     -   -   *   -   -   -   -   -   *   -
Other key management                             *   *   *   *   *   -   *   *   -   *
Multiple tunnels from single server              *   *   *   *   -   *   *   *   *   *
Multiple tunnels from single client              -   *   *   -   *   -   *   -   *   -

Encryption Features
RSA                                              *   *   *   *   -   *   -   -   *   *
DES                                              -   *   *   *   *   -   *   *   *   *
Triple-DES                                       -   *   *   *   -   -   *   *   *   *
IDEA                                             -   -   -   *   -   -   -   -   -   -
Blowfish                                         -   -   -   *   -   -   -   -   -   -
RC2                                              -   -   -   -   -   -   *   -   *   -
RC4                                              *   *   *   -   -   *   -   *   *   -
Diffie-Hellman                                   -   *   *   -   -   -   -   *   *   -
MD4                                              -   *   -   -   -   *   -   -   -   -
MD5                                              *   *   *   *   *   -   *   *   *   *
SHA-1                                            -   *   *   *   -   -   *   -   -   -
Full strength available for unlimited export     -   -   -   *   -   -   -   -   *   -
Automatic key exchange during session            *   *   *   *   -   *   -   *   *   *
Encryption on a service-by-service basis         -   *   *   -   -   -   -   -   *   -

Management and Administration
Manage access levels by group                    -   *   *   -   -   *   -   -   *   -
SNMP-manageable                                  -   -   *   -   -   *   *   -   -   *
Remote manage via HTTP                           -   -   -   -   -   -   -   *   -   -
Remote manage via Java                           -   -   -   -   -   -   -   *   -   *
Remote manage via other                          -   -   *   -   -   *   *   *   *   -
Directory support for LDAP                       -   -   -   -   -   -   -   -   -   -
Directory support for NDS                        -Bind   -   -   -   -   -   -   -   -
Other directory support                          -   A   B   -   -   A   B   -   -   -
Includes client software                         -   -   *   -   *   *   -   -   *   -

Client/Server Support
Windows 3.x                                      -   C   -   -   -   -   C   -   -   -
Windows 95                                       C   C   C   -   C   C   C   -   C   -
Windows NT                                     C/S C/S C/S   -   - C/S C/S   -   -   -
Solaris                                          - C/S   S   -   -   -   S   -   C   S
BSD                                              - C/S   -   S   -   -   -   S   -   S
Other Unix                                       S C/S   S   -   -   -   S   -   -   S

Authentication Features
CHAP/PAP                                         -   *   -   -   -   *   -   -   -   -
RSA                                              *   -   -   *   -   -   -   *   -   -
RADIUS                                           -   *   *   -   -   *   *   -   -   -
S/Key                                            -   -   *   -   -   -   *   -   -   *
SecurID                                          -   *   *   -   -   -   *   *   -   *
Other token authentication                       -   -   *   -   -   -   *   *   -   *
SSL                                              -   *   -   -   -   -   -   *   -   -
Supports filters                                 -   *   *   -   -   *   *   *   -   *
User authenticated by IP address                 -   -   *   -   *   -   *   *   *   *

KEY: BYTE Best = column 2 (Aventail VPN 2.5). * = Yes. - = No. A = NT Domain directory support. B = directory file import support. C = client support. S = server support. Bind = Bindery only.

Best Overall: Aventail VPN 2.5

Aventail's extensive VPN features give it an edge over some close competition.
Product                                            Technology  VPN Features  Implementation  Ease of Use  Overall
Aventail VPN 2.5                                  ****        ****          ****            ****         ****
Check Point FireWall-1 3.0a                       ****        ****          ****            ***          ****
Microsoft Routing and Remote Access Service       ***         **            ***             ***          ***
Raptor Systems Eagle NT 4.0                       ****        ****          ****            ***          ***
Secure Computing BorderWare Firewall Server 4.1   ****        ***           ***             **           ***
Sun Microsystems SunScreen SKIP 1.1               ***         ***           ***             **           ***
Trusted Information Systems Gauntlet 4.0          ***         ***           ***             ***          ***
AltaVista Tunnel 97                               **          **            ****            ***          **
Data Fellows F-Secure Virtual Private Network 1.1 ***         **            **              **           **
FTP Software Secure Client 3.0                    ***         **            **              **           **
Key: ***** Outstanding  **** Very Good  *** Good  ** Fair  * Poor

[Screen shot: See Where You're Going. While their operation is mostly transparent, VPNs all need configuration and administration interfaces.]

[Screen shot: Over the Edge with Aventail.]


Morgan Stern ( morganst@world.std.com ) is a network consultant and coauthor of NT Enterprise Network Design (Sybex, 1997).
