Authentication ensures the identity of all communicating parties.
You may have seen the cartoon that appeared in The New Yorker
a few years back. A dog sitting in front of a PC turned to his canine
friend and said "On the Internet, nobody knows you're a dog."
To correctly identify an individual or computing resource, VPNs typically
use one or more forms of authentication.
These methods are usually based on password authentication (shared
secrets) or digital certificates. Password authentication is
the most prevalent form of user authentication used in computer systems
today, but it is also one of the weakest because passwords can be guessed
or stolen. Multi-factor authentication is generally a stronger form
of authentication and is based on the premise of utilizing something
you have in conjunction with something you know. This process is similar
to how most ATM cards are used; a user possesses the physical ATM card
and "unlocks" it with a password.

For example, many VPNs support SecurID by Security Dynamics, a token
card that combines secret key encryption with a one-time password.
The password is automatically generated by encrypting a timestamp with
the secret key. This one-time password will be valid for a short interval,
usually 30 to 60 seconds.
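
As an added illustration (not code from the original article or from any token vendor), the verification side of such a time-based one-time password: the server derives the code for the current interval from a constructed shared secret, tolerates one interval of clock drift, and refuses to accept an interval twice. It uses an HMAC over the interval counter, the construction later standardized as TOTP, rather than SecurID's proprietary algorithm.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real token's seed is provisioned by the vendor.
SHARED_SECRET = b"example-token-seed-0001"
STEP_SECONDS = 60   # each one-time password is valid for one 60-second interval
DIGITS = 6


def otp_for_interval(secret: bytes, interval: int) -> str:
    """Derive the one-time password for a time interval: HMAC(secret, interval), truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def generate(secret: bytes, now: float) -> str:
    """Token side: the password for the interval containing the current time."""
    return otp_for_interval(secret, int(now) // STEP_SECONDS)


class OtpVerifier:
    """Server side: accept a code for the current or an adjacent interval, never the same interval twice."""

    def __init__(self, secret: bytes, drift_intervals: int = 1):
        self.secret = secret
        self.drift = drift_intervals
        self.last_accepted = -1   # highest interval already used to log in

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP_SECONDS
        for interval in range(current - self.drift, current + self.drift + 1):
            if interval <= self.last_accepted:
                continue   # replay guard: a code seen once cannot be reused
            if hmac.compare_digest(otp_for_interval(self.secret, interval), code):
                self.last_accepted = interval
                return True
        return False
```
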
Digital certificates are also becoming more prevalent as an authentication
mechanism for VPNs. A digital certificate (based on the X.509 standard)
is an electronic document that is issued to an individual by a "Certificate
Authority" that can vouch for an individual's identity. It essentially
binds the identity of an individual to a public key. A digital
certificate will contain a public key, information specific to the user
(name, company, etc.), information specific to the issuer, a validity
period and additional management information. This information is hashed
to produce a message digest, which is then encrypted with the Certificate
Authority's private key to "sign" the certificate.

By utilizing the digital signature verification procedure described
above, participants in a conversation can "mutually authenticate" each
other. Although this process sounds simple, it involves a complex system
of key generation, certification, revocation and management, all part
of a Public Key Infrastructure (PKI). A PKI is a broad set of
technologies that are utilized to manage public keys, private keys and
certificates. The deployment of a PKI solution should not be taken lightly,
as there are major issues involved with scalability and interoperability.

As a matter of practice, the separate technologies used to provide
confidentiality, integrity and authentication in a given implementation
are grouped into a broad VPN protocol. Three widely used protocols
- IPSec, tunneling protocols (PPTP and L2TP) and SOCKS v5 - are described below.

The protocol which seems destined to become the de facto standard for
VPNs is IPSec (Internet Protocol Security). IPSec is a set of authentication
and encryption protocols, developed by the Internet Engineering Task
Force (IETF) and designed to address the inherent lack of security for
IP-based networks. It is designed to address data confidentiality, integrity,
authentication and key management, in addition to tunneling.

The IPSec protocol typically works on the edges of a security domain.
Basically, IPSec encapsulates a packet by wrapping another packet around
it. It then encrypts the entire packet. This encrypted stream of traffic
forms a secure tunnel across an otherwise unsecured network.
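
An added sketch of the encapsulation just described (example code, not from the article or any vendor's IPSec): a tunnel-mode ESP-style packet carrying a whole inner IP packet, and a receiver that checks the integrity value first, then a sliding anti-replay window, then decrypts. The keys, SPI and inner packet are constructed, and a SHA-256 keystream stands in for the real cipher so it runs with the standard library alone.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed keys for the example; in IPSec they are negotiated by the key management protocol (IKE).
INTEGRITY_KEY = b"example-integrity-key"
ENCRYPTION_KEY = b"example-encryption-key"
ICV_LEN = 16   # truncated integrity check value, as ESP does with HMAC-SHA-256-128

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher (AES in practice): XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_encapsulate(spi: int, seq: int, inner_packet: bytes, iv: Optional[bytes] = None) -> bytes:
    """Tunnel mode: the whole inner packet becomes the payload; SPI and sequence stay in the clear."""
    iv = iv or os.urandom(16)
    body = struct.pack(">II", spi, seq) + iv + keystream_xor(ENCRYPTION_KEY, iv, inner_packet)
    icv = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv   # the ICV covers header, IV and ciphertext

class EspReceiver:
    """Receiver for one security association: verify integrity, then anti-replay, then decrypt."""

    def __init__(self, spi: int, window: int = 64):
        self.spi, self.window = spi, window
        self.highest_seq = 0
        self.seen = set()   # sequence numbers accepted inside the current window

    def decapsulate(self, packet: bytes) -> Optional[bytes]:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
        if len(body) < 24 or not hmac.compare_digest(icv, expected):
            return None   # forged or corrupted: rejected before the ciphertext is touched
        spi, seq = struct.unpack(">II", body[:8])
        if spi != self.spi or seq == 0:
            return None
        # Sliding-window anti-replay: older than the window, or already seen, is dropped.
        if seq + self.window <= self.highest_seq or seq in self.seen:
            return None
        self.seen.add(seq)
        if seq > self.highest_seq:
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s + self.window > seq}
        return keystream_xor(ENCRYPTION_KEY, body[8:24], body[24:])
```
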
The majority of VPN vendors are implementing IPSec in their solutions.
The comprehensive nature of the protocol makes it ideal for site-to-site
VPNs, although interoperability issues still exist across
different vendors' implementations. IPSec is a bi-directional protocol,
which means that extranet configurations must be carefully designed
and implemented. When setting up an extranet VPN, you may not want to
give your partners access to your entire network or allow them
to access yet another partner through your network.

PPTP is a tunneling protocol which provides remote users encrypted,
multi-protocol access to a corporate network over the Internet. Network
layer protocols, such as IPX and NetBEUI, are encapsulated by the PPTP
protocol for transport over the Internet. Unlike IPSec, PPTP was not
originally designed to provide LAN-to-LAN tunneling.

PPTP is built into Windows NT 4.0, and the client is a free add-on
to Windows 95. Microsoft's implementation of PPTP has been found to have
several problems that make it vulnerable to attacks, and it also lacks
scalability in that it only supports 255 concurrent connections
per server. The low cost and integration with NT and Windows 95, however,
make PPTP a viable remote access solution where multi-protocol access
is needed, heavy-duty encryption and authentication are not needed, and
a Microsoft-only solution is appropriate.

PPTP can support only one tunnel at a time for each user. However,
its proposed successor, L2TP (a hybrid of PPTP and another protocol,
L2F), can support multiple, simultaneous tunnels for each user. L2TP
will be incorporated in Windows 2000 and can support IPSec for data
encryption and integrity.

SOCKS version 5 is a circuit-level proxy protocol that was originally
designed to facilitate authenticated firewall traversal. It provides
a secure, proxy architecture with extremely granular access control,
making it an excellent choice for extranet configurations.

SOCKS v5 supports a broad range of authentication, encryption, tunneling
and key management schemes, as well as a number of features not possible
with IPSec, PPTP or other VPN technologies. SOCKS v5 provides an extensible
architecture that allows developers to build system plug-ins, such as
content filtering (denying access to Java applets or ActiveX controls,
for example) and extensive logging and auditing of users. When SOCKS
is used in conjunction with other VPN technologies, it's possible to
have a more complete security solution than any individual technology
could provide. A user may, for example, incorporate IPSec and SOCKS
together. IPSec could be used to secure the underlying network transport,
while SOCKS could be used to enforce user-level and application-level
access control.
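
An added example (not code from the article or from any SOCKS product) of the user-level and application-level access control described above: the three client messages of a SOCKS v5 session are parsed as the RFCs define them (the greeting and CONNECT request from RFC 1928, the username/password subnegotiation from RFC 1929), and the CONNECT is answered from a constructed per-user destination rule set. Credentials and addresses are constructed for the example; a real proxy would store password hashes rather than the cleartext map used here.

```python
import hmac
import socket
import struct
from typing import Dict, Optional

# Constructed extranet policy: destinations (host, port) each authenticated user may CONNECT to.
ACL = {
    "partner-a": {("10.1.0.5", 443)},
    "auditor": {("10.1.0.5", 443), ("10.1.0.9", 22)},
}


def choose_auth_method(greeting: bytes) -> int:
    """RFC 1928 greeting: VER NMETHODS METHODS. Insist on username/password (0x02), else refuse (0xFF)."""
    if len(greeting) < 2 or greeting[0] != 0x05 or len(greeting) != 2 + greeting[1]:
        return 0xFF
    return 0x02 if 0x02 in greeting[2:] else 0xFF


def authenticate(subneg: bytes, passwords: Dict[str, bytes]) -> Optional[str]:
    """RFC 1929 subnegotiation: VER ULEN UNAME PLEN PASSWD. Returns the user name on success."""
    if len(subneg) < 3 or subneg[0] != 0x01:
        return None
    ulen = subneg[1]
    if len(subneg) < 3 + ulen:
        return None
    user = subneg[2:2 + ulen].decode("utf-8", "replace")
    plen = subneg[2 + ulen]
    passwd = subneg[3 + ulen:3 + ulen + plen]
    stored = passwords.get(user)
    if stored is None or len(passwd) != plen or not hmac.compare_digest(stored, passwd):
        return None   # unknown user, truncated message or wrong password all fail the same way
    return user


def authorize_connect(user: str, request: bytes) -> int:
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns the REP code for the reply."""
    if len(request) < 5 or request[0] != 0x05:
        return 0x01                # general SOCKS server failure
    cmd, atyp = request[1], request[3]
    if cmd != 0x01:
        return 0x07                # command not supported: only CONNECT is proxied
    if atyp == 0x01 and len(request) == 10:                    # IPv4 address
        host = socket.inet_ntoa(request[4:8])
    elif atyp == 0x03 and len(request) == 7 + request[4]:      # domain name, length-prefixed
        host = request[5:5 + request[4]].decode("ascii", "replace").lower()
    else:
        return 0x08                # address type not supported (IPv6 left out of this example)
    port = struct.unpack(">H", request[-2:])[0]
    return 0x00 if (host, port) in ACL.get(user, set()) else 0x02   # 0x02: not allowed by ruleset
```
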
Most VPN technologies today do not address performance and availability
issues, as important as they are. Why? Because the majority of VPN solutions
exist on client machines and gateway servers at the extreme ends
of the communication path. They simply cannot consistently affect the
performance of the network components in the middle.

Unfortunately, this "middle" is exactly where the Internet
fits into the architecture. Any cost savings that a VPN provides can
be quickly negated if users are forced to sacrifice QoS (quality
of service) beyond certain limits. Until a standard QoS mechanism becomes
ubiquitous [see the article, "Network
Traffic Management" for background], end-to-end performance
guarantees will be hard to implement.

As a partial remedy, several Internet Service Providers (ISPs) are offering
managed VPN services, which combine security capabilities with
QoS guarantees. For example, GE Internetworking provides a managed VPN
service that combines an IPSec-based VPN solution from TimeStep Corporation
with guaranteed availability of 99.9%, and round-trip latency of less
than or equal to 125 milliseconds. This type of service can be an excellent
choice for site-to-site connectivity and is made possible by the fact
that ISPs "own the plumbing." Unfortunately, the performance
guarantees only apply to traffic within the network controlled
by the ISP. Once it passes onto another ISP's portion of the Internet,
all bets are off.

This article has described how applications deployed across the Internet
today are increasingly mission-critical, whereby poor performance or
a lack of security can jeopardize business success. VPNs can play a
major role in ensuring that these risks are mitigated. By addressing
security and performance issues, a VPN can be a viable alternative to
dedicated, private network links. Understanding the myriad VPN solutions
can help organizations build infrastructures that will support their
tactical business needs today as well as their strategic business needs
for tomorrow.

The Author
Christopher McDonald is a senior technologist at the AMS Center for Advanced Technologies (AMSCAT) with more than eight years of experience in distributed systems development and integration. He consults extensively with AMS project teams and clients in the areas of system planning, design, development and integration. As a director of AMSCAT's Advanced Solutions discipline, Mr. McDonald evaluates emerging technologies that enable AMS clients to become next-generation enterprises and tomorrow's industry leaders.