With the right approach to information security, you can protect distributed computing environments from attacks and security violations, while ensuring the confidentiality and integrity of your corporate information.
May 1, 2001
As the use of Virtual Private Networks (VPNs) within businesses grows, security becomes a central issue. According to an October, 2000 study by IDC of Framingham, MA, one in five Canadian companies surveyed reported that their organization’s network, data or Internet security has, at some point, been compromised. This fact accounts for people’s apprehension around transmitting confidential information across public networks.
The reality is that “hacking” is no longer limited to computer experts. With electronic espionage, the stakes are high. In addition to financial loss, information — such as customer data, credit card information, corporate applications and employee data — is at risk.
Security is the key to an Internet-based VPN. Business and commerce cannot be conducted without the assurance of data integrity and privacy. Today, there are many options available to secure VPNs and eliminate the fear and paranoia surrounding the breach of confidentiality.
WHAT IS A VPN?
Virtual Private Networks are deployed on a public network infrastructure, such as the Internet. VPNs can provide organizations with cost-savings over leased lines and can help extend connectivity to telecommuters, mobile users and remote offices as well as to customers, suppliers and partners. VPNs can be designed, deployed and managed in-house or outsourced to service providers who manage your organization’s network.
VPNs use a technology referred to as “tunneling” to communicate between networks. Tunneling — which forms the basis of all VPN communication — is a technology that enables one network to send its data via another network’s connection, ensuring a secure channel or pipe
ation to flow. This technology uses the public infrastructure to create a private network connection between a client and a server. Tunnelling works in an open VPN by embedding its own network protocol within the TCP/IP packets carried by the Internet.
Since VPNs typically use a shared public infrastructure, there are certain security risks that network managers face. For this reason, VPN communications must address three key security issues for use in a corporate arena: encryption, hashing and authentication.
At minimum, VPNs should have some level of encryption to ensure data privacy. Encryption refers to the translation of data into a secret code by using a complex mathematical formula that combines the original data with a logical key. This is later decrypted by the receiver using the same key. To read an encrypted file, you must have access to the key that decrypts it. It is important to have a good key management system to negotiate and exchange these secret encryption keys in a secure manner.
VPN networks should also be safe from tampering. There are many ways to ensure that the integrity of information being shared over a VPN is intact. The most common of these is “hashing.” Hashes are used to ensure that transmitted messages across a network have not been tampered with in any way. A hash value (or simply “hash”) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that other text will produce the same hash value. The sender’s network will generate a hash of the message, encrypt it and send it with the message itself. The recipient’s network then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they match, there is a very high probability that the message was transmitted intact.
Perhaps the main security issue associated with VPNs is determining whether or not the user obtaining access is an imposter. The ability to positively authenticate network users is vital to ensuring VPN security. This is particularly important in an “untrusted” network, such as an airport lounge, where unknown users can potentially sabotage or abuse access to an organization’s network resources.
VPNs use several different measures to ensure security. Four key areas of VPN security are: authentication, perimeter security, data confidentiality and intrusion detection.
Authentication refers to the method of identifying users, applications, and resources in a network. For mobile workers or telecommuters, remote access authentication authorizes users to access corporate network resources from outside the company campus. In order to authorize remote workers to access the network, each remote access account must be configured with the proper cryptographic algorithms and encryption and authentication keys. Without these keys, a remote user cannot access a corporate network using a VPN. Other methods of authentication include implementing a system that requires that a user ID and password be submitted each time a user connects. The problem with this method is that many users choose easy-to-remember passwords (names, birthdays, etc.) that can be easily guessed.
A solution to this problem is “two-factor” user authentication. This method uses the “something you have, and something you know” scenario to restrict access. The “something you know” factor is typically a login ID or Personal Identification Number (PIN). The “something you have” factor corresponds to a device that generates a value, based on factors like time, or an input phrase called a “challenge.” An example of “something you have” is a SecurID card, which generates a random number every 60 seconds. The number is generated in a cryptographically secure manner and changes every time it is used, preventing the use of a previous value for future authentication. This makes two-factor authentication very difficult to break. To penetrate the system, the attacker must know the log-in and have the token device.
The most commonly used perimeter security for VPNs is the use of firewalls. Firewalls are designed to prevent unauthorized access to or from a private network. With VPNs, all messages entering or leaving the network pass through the firewall, which is positioned between the router and the local- or wide-area network. The firewall examines each message and blocks those that do not meet the specific security criteria for that network.
Data confidentiality is a critical concern for businesses employing VPNs. Encryption is the weapon of choice to help cloak and protect sensitive information across a network. Security protocols for IP communications have been developed to ensure a secure channel for the flow of information across a VPN.
One security protocol that is used specifically to secure VPNs is the Internet Protocol Security (IPSec) standard. IPSec is a series of guidelines for the protection of IP communications that specifies ways for securing private information transmitted over public networks. IPSec supports encryption, authenticity, data integrity and replay protection (defence against unauthorized resending of data). IPSec uses 168-bit Triple-Data Encryption Standard (DES) encryption, one of the strongest forms of encryption today. IPSec was developed to standardize the way data protection is performed, making it possible for security systems developed by different vendors to interoperate.
Intrusion detection and vulnerability testing are also a vital element in a VPN security infrastructure. The ability to “sniff” attackers and holes in the network is vital, since organizations are usually unaware of attacks on their system. Unfortunately, hackers scanning ports and coordinated attacks on corporate networks are realities that corporations must deal with today. However, experts agree that 60 to 70 per cent of network attacks come from inside the company. Intrusion detection inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into, or compromise, a system.
An Intrusion Detection System (IDS) evaluates suspected intrusions once they have taken place and signals an alarm. An IDS also monitors
for intrusions originating inside the network, providing valuable policing of insider crime.
THE FUTURE OF VPN SECURITY
As VPNs grow and evolve, security measures will continue to improve to account for the greater volume of network traffic. Along with stronger encryption, there will be more monitoring and management tools to watch over the VPN.
Today, organizations attempting to connect to multiple VPNs require multiple access devices or key generators to access the network. In the future, organizations will be able to deploy several independent VPNs across a network, while maintaining a single secure access method to monitor and manage the entire network from a single point. This will help alleviate security issues associated with connecting separate networks, such as authenticating users and perimeter security, while reducing the costs of managing each piece of a distributed network individually.
A completely impregnable network is not possible with the hacking skill and computer power that exists today. However, businesses can take solace in knowing that technology does exist to help minimize network security breaches and protect valuable company information. As new security technology is developed and the business landscape changes, the use of VPNs to help organizations communicate securely with their corporate network and empower their remote workforce will continue to grow — and so will the need to maintain acceptable levels.CS
John Williams is Director of Data Sales for Avaya Canada, Markham, ON, where he supports the various sales teams and their business partners to promote the company’s data products. Mr. Williams has been helping organizations develop secure wired and wireless networks since 1991.