Whom Do You Trust In A Virtual World?

Building A Secure Extranet Using A Virtual Private Network.

Sharing business processes and data with externalpartners calls for a rethinking of security policies. Like granting access to thebrick-and-mortar compound, building a virtual private network requires knowing what needsto be protected, from whom and how to choose the right security force.

HP has been emphasizng the concept of the "virtual corporation" as a way ofextending business processes and data outside the firewall. "Our vision is securingthe virtual corporation," says Bill Sudlow, HP's senior director of Product Planningand Development. "How we do that depends on the type of solution that's needed."

Sudlow explains that the virtual corporation takes one of three different forms:end-to-edge; edge-to-edge; and remote access. The end-to-edge format takes place in acollaborative environment where the external partners are trusted to access certain,specific resources within the corporate firewall. In this scenario, security is based onthe individual desktop. "We want to know it's you coming in," says Sudlow. Here,he adds, an extranet virtual private network (VPN) combined with HP's VirtualVault trustedWeb server is a secure communications method.

The best example of an edge-to-edge network, according to Sudlow, is a branch officewhere the connection is nothing more than a pipe between two edge-points and the securitylayer doesn't care about the user. "We'd want everybody to have access," headds. The open style of an edge-to-edge format is very well suited for using InternetProtocol Security (IPSec) which was designed to provide security between multiplefirewalls and routers.

Realizing that this "virtuality" changes how business is conducted means thatsecurity constraints must be re-defined. So, HP's Praesidium Partners program has selectedto partner with industry leaders in the field of Internet security. For example, AventailCorporation (Seattle, Wash.) provides extranet/VPN technology through its AventailExtraNet Center (formerly Aventail VPN) and Aventail Connect (formerly AventailAutoSOCKS). Both are based on the Internet Engineering Task Force (IETF) Socks v5 securityprotocol standard. Socks v5 supports multiple authentication and encryption methods,includes detailed access controls, active content filtering, monitoring and logging forinternal and external networks.

"They provide a common authentication environment for TCP/IP applications,integrate with a variety of authentication types including digital signatures, smart cardsand token technologies and we can back into many legacy protocols," says JudeO'Reilley, Aventail's product marketing manager. "We assume maximum heterogeneity.Your business partners shouldn't be burdened with your security infrastructure."

Socks And SECS

Sudlow explains that the biggest difference between Aventail's Socks-based VPNs andIPSec-based security can be found in what goes on at the user's desktop. Because IPSec isnot part of the operating system, changes must be made to the Internet protocol stack,which can cause compatibility issues with existing applications on a partner's desktop.With the VPN, an application is loaded to the desktop with no modifications to the stack.By extension, the VPN works with any firewall without reconfiguration.

In addition, says Sudlow, Aventail's VPN provides user-based authentication and accesscontrol, where IPSec is machine-to-machine. "We can know who the user is and whatapplications and systems they're trying to access," he says. "Take HP. We may bedealing with over 400 partners. We can't let them all in to the network unattended."

Underscoring Sudlow's comments, O'Reilley adds that, secure Internet technology aside,a VPN should also be a good-will marketing tool. "It provides connectivity tohigh-value customers and partners. Companies know how much in revenue they collect fromeach. In that respect, setting up a VPN should be faced as a customer service and not as asecurity problem. Access for internal users is the security problem."

Most of Aventail's competition doesn't necessarily see it that way because, for themost part, they've implemented a "Web-only approach. This assumes the customer willfront-end its resources with HTML," according to O'Reiley. "But, there's avaluable resource sitting in the mainframe. You can't ignore it."

Why VPN?

As far as O'Reilley is concerned, VPNs fall into four categories: managing change suchas those that occur through mergers and acquisitions; managing external providersespecially those required for mission-critical applications such as Y2K remediation;automating demand and supply-chains beyond EDI; and mastering co-optition where a partnermay also be a competitor.

The security needs of these categories may be as far reaching as providing access viae-mail or the Web to technicians before any infrastructure integration actually takesplace, to installing a common way to manage access for all external users without firewallchanges, to sharing TCP/IP-based resources between multiple corporate layers. For example,a preferred Aventail client is a well-known electronic manufacturing firm that bought anequity position in a third-party supplier of storage technology that was incorporated intoits final product.

Engineers from both firms found the need to perform lots of front-end negotiation ontechnical topics such as form factor, cost and design specifications, while high-levelmanagers needed to cooperate on financial issues. Under those circumstances, an AventailVPN maintains the security policy for a T.120-standard data conferencing whiteboardapplication; the engineers share specifications and design ideas while the managementshares ERP and financial planning applications and data. "It's the same technologyproviding the policy management for both parts of the corporation," says O'Reilley.

As VPNs continue to gain favor, O'Reilly thinks that the focus on extranet managementof providing security for users and resources will separate itself from network levelencryption technology. That will take the form of more CORBA support for object-orientedtechniques for basic authentication and encryption, which will include the ability tostore and share policies on LDAP directories.

Aventail will also focus on integrating the VPN with applications such as help deskthat would supply causal analysis and deploy data collection agents. Finally, look forAventail to build "a box you can drop on your network that gives you instantextranet," says O'Reilley.

Templates and pre-defined solutions are much on the mind of HP's future Praesidiumofferings as well. Sudlow points to the recent success of implementing a real-time, 3-D,CAD process for Siemen's KWU, a nuclear power technology leader for nearly 50 years. Themost efficient way to support Siemen's far-flung team of engineers was to create a virtualreality design review process, accessed via a VPN and protected by VirtualVault.

So, Sudlow says customers ought to look for a "virtual R&D" template thatcombines VirtualVault, a VPN and engineering processes into one solution. At the end ofthe day, says Sudlow, the question to ask is: "What are your assets worth toyou?"


HP estimates it can cost an organization $500 to $1,000 annually to support individual remote users. Claiming it will solve a lot of problems for companies that are geographically dispersed and help reduce the cost of supporting remote e-mail users while simplifying access, HP has combined OpenMail, in the form of OpenMail Anywhere (OMA) client software, with HP's Praesidium VirtualVault 3.5 trusted Web platform. OMA is the standard browser mail client for OpenMail 6.0.

"On top of the laptop, there's the dial-up network to the POP, authentication to the network [in the form of a token], telecomm charges and management of the token," says Al Morgan, HP's OpenMail Anywhere product marketing manager in Communications Software Operations. "It's much more expensive than basic e-mail." Morgan expects that OpenMail Anywhere combined with VirtualVault will cut those yearly costs by as much as 75%. OMA users access a Secure Sockets Layer (SSL)-secured url from any browser. The browser accesses OpenMail Web client software located on a VirtualVault server. VirtualVault acts as a proxy client and binds the user to the mail server.

Taking in the bigger picture, Julie Rockwell, HP's product marketing manager for the Internet Security Division, compiled a comparison of standard dial-up costs vs. OMA for a 5,000-user company providing remote access to its employees. Her conclusion: "A...company...will save around 80% on one-time investment costs by using [OMA]. A non-Internet solution would cost $1.5 million to set up while OMA would cost less than $300,000. Both numbers do not include implementation or consulting costs." In addition, because OMA works with any SSL-based browser, e-mail access can be provided for users of Win CE-based palmtop systems. Once logged in, the client is presented with a "Hotmail, Yahoo Mail-type of interface."