Tunneling for Dollars:
Comparing IPSec and PPTP for Extranet Security
By Julie Bort

Security is the enabler of the extranet. By applying various methods of securing a Web site, a Webmaster can turn a public space into a private gallery. The questions of top concern to the extranet Webmaster (see the sidebar, "Six Security Goals") all have to do with making sure that information, goods and services a company makes available to its extranet users cannot be accessed or altered by the general public.

The answer, in a word, is encryption, though as the sidebar makes clear, confidentiality is only one of six goals; authentication and integrity need mechanisms of their own. Encryption is also a complicated matter, neither fully understood by the average webmaster nor fully standardized. It's crucial, for instance, that both ends of a transaction agree on the same algorithm and keys for encrypting and decrypting messages, lest legitimate recipients end up just as foiled as the bad guys!

Presently the state of the art for extranet encryption boils down to two competing approaches: Secure Sockets Layer (SSL) and so-called "tunneling" protocols, principally PPTP and IPsec. SSL, created by Netscape to secure web-based credit card transactions, is also useful for extranets, especially those that resemble electronic commerce applications. Shopping carts and order entry systems are increasingly familiar uses for SSL, which is in play whenever your browser points to a URL beginning with https://, instead of plain old (non-secure) http://domain.com.

Going underground

Tunneling is a better answer than SSL when a company needs to make confidential all communications between two end points, not just a single application's connection, as is frequently required on an extranet. Likewise, when a company wants to let users roam among multiple Web servers, each of which houses confidential information, without making them all SSL servers, tunneling is the solution.

Simply put: SSL makes sense for the occasional transaction, whereas tunneling creates a virtual private network (VPN) -- a company-confidential WAN along the Internet, if you will.

What is tunneling? Technically, it is the process of putting one packet inside another, according to Bernard Aboba, senior program manager for routing at Microsoft Corp. Recalling that packets are the chunks of information into which all Internet messages get chopped, tunneling can be thought of as the act of carrying ordinary IP packets as the payload of other IP packets addressed to the tunnel's two end points. The encapsulation by itself is not what makes a tunnel secure: privacy comes from encrypting that inner payload, which PPTP does with MPPE (described below) and which IPsec does natively.

It is sometimes more useful to think of tunneling in a less literal sense, namely, as a "tunnel" of privacy between two end points connected by a public (non-secure) channel. This is often the Internet, but it could equally be the cellular telephone network. In a hide-in-plain-sight fashion, an encrypted tunnel provides privacy by encrypting everything that goes into it and decrypting it only at the far end; an observer on the public channel sees only the outer packets and the addresses of the tunnel's end points.
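The encapsulation Aboba describes, as an added example that is not part of the original article: an inner IP packet is wrapped in a PPP frame, then in the enhanced-GRE header PPTP uses for its data channel, then in an outer IP packet between the two tunnel end points. Addresses, call ID and payload are constructed sample values, and the helper that shows what a port-based packet filter can see of the outer packet is an illustration of my own. Note that nothing here encrypts the inner packet; the payload sits in the outer packet in the clear until MPPE is applied to it.

```python
"""PPTP-style encapsulation: inner IP packet -> PPP frame -> enhanced GRE
(RFC 2637 framing) -> outer IPv4 packet. Added illustration, not code from
the article; all addresses, IDs and payloads are constructed sample values."""
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP (RFC 2637)
PPP_PROTO_IPV4 = 0x0021     # PPP protocol number for IPv4 (RFC 1332)
GRE_FLAGS_PPTP = 0x3001     # K (key) + S (sequence) bits set, version 1


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header, as RFC 791 requires."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """A 20-byte IPv4 header without options, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def encapsulate(inner_ip: bytes, outer_src: str, outer_dst: str,
                call_id: int, seq: int) -> bytes:
    """Wrap inner_ip as PPP over enhanced GRE inside an outer IPv4 packet.

    Enhanced GRE header (RFC 2637 section 4):
      flags/version | protocol type 0x880B | payload length | call ID | seq
    The inner packet travels unchanged: plain GRE offers no confidentiality.
    """
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner_ip
    gre = struct.pack("!HHHHI", GRE_FLAGS_PPTP, GRE_PROTO_PPP, len(ppp), call_id, seq)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + ppp)


def decapsulate(packet: bytes):
    """Peel the outer IPv4 and GRE headers: return (call_id, seq, inner_ip)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto, length, call_id, seq = struct.unpack_from("!HHHHI", packet, ihl)
    if proto != GRE_PROTO_PPP or (flags & 0x2000) == 0 or (flags & 0x0007) != 1:
        raise ValueError("not a PPTP enhanced-GRE packet")
    ppp = packet[ihl + 12:ihl + 12 + length]
    if struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IPV4:
        raise ValueError("PPP frame does not carry IPv4")
    return call_id, seq, ppp[2:]


def l4_view(packet: bytes):
    """What a port-based (TCP/UDP-only) packet filter can see of the outer
    packet: ('tcp'|'udp', sport, dport), or ('gre', None, None) when there are
    no ports to match on at all, which is why such a filter cannot pass PPTP
    data traffic with a port rule."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (6, 17):
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        return ("tcp" if proto == 6 else "udp", sport, dport)
    return ("gre" if proto == IPPROTO_GRE else "other", None, None)


# Constructed sample: a private-address inner packet (protocol 17, with a
# placeholder payload rather than a real UDP header) tunneled between two
# public end points on call ID 42.
INNER = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"hello-vpn")
TUNNELED = encapsulate(INNER, "192.0.2.1", "198.51.100.7", call_id=42, seq=7)

if __name__ == "__main__":
    print(decapsulate(TUNNELED)[:2], decapsulate(TUNNELED)[2] == INNER)
    print(b"hello-vpn" in TUNNELED)   # the inner payload is plainly visible
    print(l4_view(TUNNELED))
```

Running it shows the round trip succeeding, the inner payload readable in the outer packet, and the outer packet presenting no ports at all to a TCP/UDP filter.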

Two roads diverge

As with most information technologies these days, when it comes to tunneling two standards are emerging: Microsoft's, known as PPTP (and its successor L2TP, which merges PPTP with Cisco's L2F), and everyone else's. The latter goes by the name of the IP Security protocol, or IPSec.

Point-to-Point Tunneling Protocol is the method used to create secure channels in Microsoft Windows NT, and Microsoft has said it will build support for PPTP into Windows 98 clients. PPTP support is also available for Windows 95 from Microsoft, and for other Windows clients from third parties (see, for example, www.nts.com). If for no other reason than near-ubiquitous support, then, the PPTP proposal carries significant de facto weight.

When examining PPTP, some important points should be considered. First of all, the protocol is currently only a draft proposal before the IETF, and it will in all probability end up as an informational RFC -- the equivalent of a footnote -- since Microsoft is now putting its resources behind a PPTP descendant, L2TP.

Secondly, the standard as specified to the IETF isn't exactly what Microsoft has implemented: Microsoft uses its own encryption. PPTP is built on top of the Point-to-Point Protocol (PPP), which most of us experience as the login protocol for dial-up Internet access. PPP already has authentication built in, namely PAP and CHAP, but neither of them encrypts anything: PAP sends the password over the link in the clear, and CHAP proves knowledge of the password by hashing a one-time challenge from the server together with the secret, so the secret itself never crosses the wire. Encryption proper is a separate PPP option, negotiated through its Encryption Control Protocol, and the proposed PPTP specification simply inherits whatever the PPP layer negotiates.

But Microsoft has implemented its own, stronger encryption, which it calls Microsoft Point to Point Encryption (MPPE), based on the RC4 stream cipher with 40-bit or 128-bit keys, says David Eitelbach, senior program manager for Microsoft. One caveat a practitioner should keep in mind: MPPE's session keys are derived from the MS-CHAP authentication exchange, that is, from the user's password hash, so the effective strength of the tunnel is bounded by the quality of the password, whatever the nominal RC4 key length.
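To make the PAP/CHAP distinction above concrete, here is an added illustration, not code from the article or from any PPP implementation: a PAP Authenticate-Request carries the password itself, while a CHAP peer answers a one-time challenge with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, so the secret never leaves the peer and a captured response is useless against a fresh challenge. Peer names, the secret and the challenge bytes are constructed sample values.

```python
"""PPP authentication as PAP and CHAP really work (RFC 1334 and RFC 1994).
Added illustration, not code from the article; peer names, secrets and
challenges are constructed sample values."""
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: Peer-ID and Password, each length-
    prefixed. Nothing here is encrypted; the password is on the wire as is."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (MD5) Response value, RFC 1994 section 2.2:
    MD5(Identifier || secret || Challenge). The secret itself never leaves
    the peer; only proof of knowing it does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issue a fresh, one-time challenge per Identifier
    and verify the peer's response against the shared secret on file."""

    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name    # peer name -> shared secret
        self.outstanding = {}             # Identifier -> challenge value

    def challenge(self, identifier: int, nbytes: int = 16) -> bytes:
        value = os.urandom(nbytes)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, peer_name: bytes, response: bytes) -> bool:
        # A challenge is consumed on first use, so a captured response cannot
        # be replayed; the authenticator must also never reissue a value.
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(peer_name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, value))


if __name__ == "__main__":
    print(pap_authenticate_request(b"alice", b"s3cret"))   # password visible
    auth = ChapAuthenticator({b"alice": b"s3cret"})
    chal = auth.challenge(identifier=7)
    resp = chap_response(7, b"s3cret", chal)               # computed by the peer
    print(auth.verify(7, b"alice", resp), auth.verify(7, b"alice", resp))  # True False
```

The second verify call fails because the challenge was consumed by the first; that, not any encryption, is what keeps a sniffed CHAP exchange from being replayed. It does nothing against an attacker who records the challenge/response pair and guesses passwords offline, which is the same weakness that limits MPPE's password-derived keys.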

Support for PPTP extends beyond Microsoft. In fact, although PPTP is commonly thought of as Microsoft's protocol (for obvious reasons), Aboba and Eitelbach point out that most of the work on it was actually done by the engineers at Ascend Communications Inc., makers of IP routers commonly used by ISPs.

"Support for compulsory PPTP tunnels is built into the dial-up network access servers from the members of the original PPTP forum. This includes Ascend, US Robotics [now part of 3Com Corp.], and Telematics," says Eitelbach. Other vendors continue to announce PPTP support in firewalls and tunnel servers. These include Novell, New Oak, and Extended Systems.

Thus, although the attention of standards bodies is shifting towards L2TP, PPTP remains a practical option with a growing installed base for tunneled communications. Particularly where the encryption/decryption end points are Windows clients, PPTP, for the time being, rules.

Popularity contest

As mentioned, L2TP is where most of the standards attention is being focused. L2TP stands for Layer 2 Tunneling Protocol: it carries layer-2 (data-link) frames, namely PPP frames, across a network, which is why it sits so low in the stack. Draft 7 of the proposal has just been released on the IETF Web site, and by December L2TP will be submitted as a proposed standard.

The outstanding difference between L2TP and PPTP is how they ride the network. PPTP separates the control and data channels: the control stream runs over TCP (port 1723) and the data stream over GRE (IP protocol 47, a less popular Internet standard that is neither TCP nor UDP). L2TP carries both control and data in a single UDP session (port 1701). UDP is a leaner protocol that does not itself retransmit lost packets, which is why it is commonly used for real-time Internet traffic; that suits tunneled data, since the inner protocols handle their own reliability, and L2TP adds its own sequence numbers and retransmission for control messages. The single UDP port is what makes L2TP more "firewall friendly" than PPTP -- a crucial advantage for an extranet protocol -- since many firewalls filter only on TCP and UDP ports and cannot pass or track GRE at all.

L2TP, like PPTP, is protocol-independent, meaning it can run in other milieus than the Internet. L2TP can also run over a wider variety of physical topologies such as X.25, Frame Relay and ATM. But for all practical purposes, vendors that support it are implementing L2TP over UDP for use with Internet tunneling.

Coulda been a contender

IPSec was developed by some of the foremost experts in encryption, and it allows machines to support a number of encryption algorithms for encrypting the actual data stream, such as DES, Triple DES, IDEA, etc., says Brett Howard, vice president of engineering for TimeStep Corp., a tunnel-server vendor that supports IPSec, but not PPTP/L2TP. As a result, IPsec has recourse to much stronger algorithms than PPP with MPPE.

Better still, IPsec includes a per-packet integrity check. A keyed hash over each packet lets the receiver detect any packet that was tampered with or forged in transit, and a sequence number checked against an anti-replay window rejects packets that are replayed or duplicated. (Silent deletion of a packet is not detected by this alone: the receiver cannot tell a dropped packet from one that has not arrived yet, and leaves that to the protocols inside the tunnel.) This gives IPsec unique clout in meeting the integrity goal of security standards. (Refer to the sidebar, "Six Security Goals".)
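The integrity check and anti-replay window just described, as an added example that is not code from the article or from any IPsec implementation: each packet carries an SPI, a sequence number and a 96-bit truncated HMAC over everything before it, and the receiver verifies the HMAC before it lets the sequence number touch the window. Payload encryption is left out so the integrity mechanism stands alone; the key, SPI and payloads are constructed sample values. The demonstration also shows the caveat: a missing packet 3 goes unnoticed when packet 4 arrives.

```python
"""Per-packet integrity and anti-replay as IPsec's ESP/AH provide them: a
keyed hash (HMAC, truncated to 96 bits) over the protected fields plus a
sequence number checked against a sliding window. Added illustration, not
code from the article or any IPsec implementation; payload encryption is
omitted so the integrity mechanism stands alone, and the key, SPI and
payloads are constructed sample values."""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: the MAC is truncated to 96 bits


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI || sequence number || payload || ICV; the ICV covers everything
    before it, so neither header nor payload can change unnoticed."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class Receiver:
    """Inbound side of one security association."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet: bytes) -> bytes:
        """Return the payload, or raise ValueError for forged, tampered, out-of-
        window or replayed packets. The ICV is checked before the window is
        touched, so a forger cannot slide the window with bogus numbers."""
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        spi, seq = struct.unpack_from("!II", body)
        if spi != self.spi:
            raise ValueError("wrong SPI")
        if seq <= self.highest - self.window:
            raise ValueError("too old")
        if seq in self.seen:
            raise ValueError("replay")
        self.seen.add(seq)
        if seq > self.highest:      # slide the window; forget what fell out
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return body[8:]


def try_accept(rx: Receiver, packet: bytes) -> str:
    """'ok:<payload>' or 'rejected:<reason>', for demonstrations."""
    try:
        return "ok:" + rx.accept(packet).decode()
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    key = b"constructed-sample-key-not-for-use"
    rx = Receiver(key, spi=0x1000)
    p1, p2 = protect(key, 0x1000, 1, b"one"), protect(key, 0x1000, 2, b"two")
    print(try_accept(rx, p1), try_accept(rx, p2))     # both accepted
    print(try_accept(rx, p1))                         # rejected:replay
    tampered = bytearray(p2)
    tampered[8] ^= 0x01                               # flip one payload bit
    print(try_accept(rx, bytes(tampered)))            # rejected:integrity check failed
    print(try_accept(rx, protect(key, 0x1000, 4, b"four")))        # ok, packet 3 missing
    print(try_accept(rx, protect(b"wrong-key", 0x1000, 5, b"x")))  # rejected:integrity check failed
```

The order of checks matters: the HMAC goes first so that an attacker who cannot forge packets also cannot advance the window and lock out legitimate traffic with spoofed high sequence numbers.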

Moreover, the negotiation of IPSec's own security parameters (which algorithms, which keys, how long they live) is itself protected. IPSec uses machine-level certificates that authenticate the identity of the communicating hosts using public-key cryptography; a shared secret configured on both hosts is the simpler alternative.

An IPsec session proceeds roughly as follows. One machine initiates a tunnel by contacting the other machine and sending its certificate. The originator receives the remote machine's certificate in response. Each side then proves it holds the private key belonging to its certificate, the two run a Diffie-Hellman exchange that yields a shared secret known to nobody else, and under keys derived from that secret they agree on which encryption algorithm to use for the session and on the other parameters necessary for successful, secure transmission.

The encryption technology used by IPsec is so good, in fact, that L2TP uses it -- at least by default! L2TP itself defines no encryption: the expectation, and Microsoft's default, is to run L2TP over IPsec, with IPsec protecting the whole UDP stream. If L2TP finds that IPSec is not supported by the remote end point, the tunnel is left with whatever the PPP layer negotiates (such as MPPE), which is less secure, or with no encryption at all.

If L2TP relies on IPsec to do encryption, why not simply use IPSec for tunneling from the get-go?

Most experts agree that only L2TP and PPTP solve a problem widely experienced by business users: supporting dial-up access by individuals alongside secure business-to-business networking. L2TP/PPTP is a good choice for roving and remote-access users because it employs PPP user authentication (PAP, CHAP and their vendor variants), which handles dial-up connections through an ISP [Internet Service Provider] seamlessly.

IPSec, in its standard form, only performs machine-level authentication, not user-level authentication. So the roving user with multiple machines may be in a quandary. Then again, most vendor implementations of IPSec have added support for user-level authentication, so it's rare that you'll find an actual IPSec product that lacks it. But such support relies on proprietary extensions to the standard, and one vendor's extension need not interoperate with another's.

IPSec was designed to provide optimum enterprise-level security between firewalls and routers. An IPSec agent can be placed on a client or server so that those devices can be end points as well. For a company that uses mainly Unix servers and may want to create multiple kinds of tunnels, IPSec may be the right choice.

Which tunnel do you want to take today?

While there are compelling reasons to look at both the PPTP/L2TP and IPsec tunneling options, the roads are different. With its Microsoft roots, PPTP/L2TP makes sense in situations where tunneling will occur primarily between NT servers and Windows clients.

A technical argument militates in favor of L2TP as well. The protocol operates at layer 2 of the seven-layer OSI Network Reference Model. (Other protocols do their work at higher layers.) This means that existing authentication, authorization and accounting services such as RADIUS, which also logs who connected and for how long, can be used seamlessly in L2TP installations: to RADIUS, an L2TP server looks like any other terminal server. Again, though, on the practical side, most vendors that offer IPSec products have also integrated support for RADIUS, SecurID, etc. into their products.

Support for IPSec tunneling seems to be growing as well. According to TimeStep's Howard, the company's last interoperability "shoot-out" drew the participation of 27 IPsec vendors.

It seems fair to conclude that, regardless of which company gets to charge the tolls, your sensitive data will be taking the tunnel to work one day soon. -fin-

Six Security Goals

1. Confidentiality
    - a policy ensuring that information is kept private and therefore seen & accessed only by authorized users

2. Authentication
    - the act of identifying an individual or computer to ascertain that they are who they say they are, and hence have certain rights in the system

3. Nonrepudiation
    - the ability to ensure that parties cannot deny their electronic actions

4. Integrity
    - a property ensuring that information transmitted on a communications channel is identical to the information received via that channel, without alteration en route

5. Access control
    - a means for establishing the rights an authenticated party has to access and control a set of resources

6. Availability
    - ensuring that system resources such as data and servers are up & running when needed. Security breaches can compromise availability; e.g. "denial of service" attacks.

SOURCE: Building an Extranet, by Julie Bort and Bradley Felix.


Julie Bort is a journalist, international speaker and co-author (with Bradley Felix) of the book Building an Extranet (John Wiley & Sons, May 1997). 