IPSec to Help Unravel VPNs

Companies that adopt new Internet technologies often make a choice in favor of new tools over interoperability. In many cases these organizations accept some measure of proprietary lock-in over standards-based but technologically deficient services. For some, the immediate return on investment or added competitive edge outweighs the advantages of waiting for standards-based technologies. For many of these companies, Virtual Private Networks are just such a technology.

Virtual Private Networks (VPNs) make it possible to link remote branch offices, telecommuters, and corporate partners to an enterprise network. A remote user can take advantage of all the services offered to users at a company’s headquarters. Rather than using expensive end-to-end leased lines or paying tolls on dial-up lines, enterprises can take advantage of the public Internet as a transport. A well-designed relationship with an Internet Service Provider will always be cheaper than building your own modem pool or paying long distance charges for mobile users. Those savings are attractive, but VPNs continue to be dogged by interoperability headaches. One of the biggest of those headaches is also one of the most important: security.

The key technology for making a VPN secure is called Internet Protocol Security (IPSec). IPSec is a standards-based approach to ensuring that communications channels over the Internet can be authenticated and, where necessary, encrypted. It took a long time for the Internet Engineering Task Force (IETF) to standardize IPSec. As a result, IPSec-based products -- in particular IPSec-based VPNs -- are only beginning to emerge. Despite the delay, the standard ensures that almost any correctly configured client can create a secure connection to the enterprise network.

Getting that client configured is the problem. VPNs using IPSec are built by defining the endpoints, or subnets, on either side of the VPN tunnel and establishing encryption and authentication parameters on either end. Each end also needs to establish a shared secret to start the encryption negotiation. If any of these parameters is missing or not matched, the tunnel doesn’t get built. Unfortunately, in the remote location there’s usually no IT staff to assist with the process, and the end user is unlikely to be familiar or comfortable with the intricacies of setting up a VPN connection.

As a result, deployment of IPSec VPNs becomes a problem. If deployment cannot be simplified, many corporations will return to traditional dial access strategies, incurring costs or performance penalties that could have been avoided by VPNs. To address the deployment problem many telecommunications providers provide turnkey solutions that build VPNs using proprietary, but easy to deploy, technology.

For Windows NT and Windows 98 users, the VPN strategy has always been the Point to Point Tunneling Protocol. PPTP’s main virtue is its ease of setup, but another advantage that is sometimes overlooked is that it comes with every Windows based client. As a result there’s no software distribution headaches. The main problem with PPTP, as it stands today, is that it is fundamentally a Microsoft solution. Add in some Macintosh or Unix-based clients and the PPTP VPN gets harder to deploy.

In today’s multiplatform environment we shouldn’t have to care who makes the routers, workstations and modems at either end of the VPN connection.

That’s why IPSec-based VPNs are so important. Organizations that outsource the provisioning of VPNs should look carefully at their vendor to make sure they are committed to using IPSec. For example, AT&T uses IPSec for the tunnels they build for their customers. Bell Atlantic plans to support IPSec in the second quarter, and MCI WorldCom is planning to use IPSec in the late summer.

The emergence of IPSec-based VPNs as a force is being demonstrated by the acts of key networking equipment vendors, such as Cisco Systems, Northern Telecom and Ascend Communications. These companies are building this underlying security technology into basic networking products. Cisco, for example, is bringing to market hardware-based encryption add-ons for nearly every router in its product line. Ascend Communications -- purchased earlier this year by Lucent Technologies -- is building secure and interoperable VPN services into their entire product line.

Early deployment of IPSec VPNs highlighted some of the problems with the specification. In particular, there continues to be no standard for firewall interoperability or resolving address conflicts between remote and local ends of the VPN tunnel. But, the VPN vendor community and the IETF are working on extensions to help fill these holes in the IPSec standard.

This cooperation means we will soon see interoperable security for the IT organization considering VPN deployment. The economic advantages, combined with robust security, will finally make it possible to deploy VPNs with confidence. --Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at mcfadden@cix.org.