In essence, the user accesses the network using a cable modem or DSL or wireless device. The VPN defines a tunnel between the user's workstation and the server, and the connection operates as a dedicated circuit for the session. The VPN sending system encrypts and encapsulates the protocol used by the network, and the receiving device reassembles and decrypts the data. VPN product support most popular protocols, including Internet protocol, but each product varies in the number and types of protocols supported.
Protecting the Data
VPNs, by definition, operate across public switched lines. That means the data must be protected. Several products implement versions of the Data Encryption Standard, DES. In its basic form, DES uses a single key for encryption and decryption (called symmetric encryption).
Other products implement asymmetric encryption, using two keys. Under this approach, the sending system creates a unique key, called a private key. The system encrypts this key using a public key; the receiving device decrypts the private key, and both systems use the private key for subsequent data transmissions.
Keys can be any size, but most range from 40-bits to 128-bits. DES uses a 56-bit key, but vendors favor larger keys because they are harder to break. Popular types of encryption include:
- 3DES (Triple Data Encryption Standard): Uses multiple keys and multiple encryption/decryption passes to enhance the security provided by simple DES.
- IPSec (IP Security): Provides encryption for the IP protocol. Network managers can choose to encrypt the entire packet or only the data. The workstation uses a public key that triggers a proprietary key from the server that exists for the session. IPsec products protect Layer 3 of the OSI model.
- PKI (Public Key Infrastructure): Provides encryption keys for workstations outside of the corporation. PKI systems operate in conjunction with digital certificates to help secure the transmission.
- Secure Socket Layer (SSL): Implements public and private encryption keys to secure transmission.
Configuring the Link
Establishing VPNs is not simple. Network managers must plan for each workstation's IP address. They also must protect workstations with firewalls, regardless of their location, and they need to publish and enforce comprehensive, strong security policies to ensure that users follow the best procedures.
Further, any change in employees or workstations requires changing the network. Managers should therefore carefully consider such features as intrusion detection, auditing, reporting, and policy management for each product.
The vendors will simplify this process in the future. For now, however, most vendors only support their equipment, and the centralized controls remain limited. VPN security requires a commitment, and managers should determine if the cost savings justify the on-going expense of operating a secure VPN.
Gerald Williams serves as director of quality assurance for Dolphin Inc., a software development company. He previously served with National Software Testing Labs, Datapro Research, and Datapro's PC Communications Reference Service. This article first appeared in CrossNodes, an internet.com site.