VPN Security Requirements Debated

Debates about the security of IP VPNs rage on throughout the industry, but many large VPN users are most worried about what happens to their traffic when it reaches a recipient’s network.

Where an IP tunnel terminates is as critical as the overall connection itself, according to Jim Metzler, founder of Ashton, Metzler and Associates and moderator of Network World (U.S.)'s multicity State of the WAN tour.

Data can be seriously compromised if an IP tunnel terminates in an insecure part of another company's network, he says. For instance, if you connect to a partner that passes your decrypted traffic straight through to its internal network, rather than first landing it in a "demilitarized zone" (DMZ), then your information could be in jeopardy.

For Walter Nieczyporowski, a network specialist at the Bank of Montreal in Toronto, this is unacceptable. His company goes to great lengths to check out the specifications at the other end of any planned IP tunnel ahead of time.

“We want to know what’s at the other end. We don’t want to create a tunnel if they are exposed to the Internet on the other side,” he says. Nieczyporowski and his team, as well as the bank’s information security experts, work closely with customers, such as big oil companies, that want to establish private connections with the bank.

The team makes sure there is no direct connection between the end of an IP tunnel and the destination site’s corporate network. If the information security team does not feel comfortable with the set-up, it will deny the request to create a link.

A director of communications technology at a large pharmaceutical company, who asked not to be named, takes this a step further. His company’s legal team requires all customers and partners linking in through IP VPNs to sign a liability document.

“We’re sharing drug plans with other companies, doing e-commerce,” he says. “It’s more than just needing firewalls on either side.”

Then, an audit begins. The company hands over its guidelines for partnering, including a proposed architecture for the drop-off point. “There are always some companies that want to throw you into a router with an on it. That’s not allowable,” he says.

There are no shared ports allowed in this plan. In fact, a partner needs to have a router running VPN software in a DMZ with a separate network card for just that traffic, he says. The pharmaceutical company also scrutinizes the partner’s security policies, including who has access to the network.
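The requirements described above, taken together, amount to a checklist that can be applied to a partner's proposed drop-off architecture before a tunnel is approved: a dedicated port for the tunnel, termination in a DMZ rather than on the corporate LAN, no direct path from the tunnel into the corporate network, and no Internet exposure of the drop-off segment beyond the IPsec endpoint itself. The following is an added example, not code from the article or from any of the companies quoted in it; the zone and rule model, the interface names, the addresses and the two sample proposals are all constructed for illustration and are not a real vendor's configuration format.

```python
"""Audit a partner's proposed VPN drop-off against the article's requirements.

Hypothetical model (an assumption of this example, not a real product format):
a proposal lists the partner router's interfaces, each in a firewall zone, and
the allow rules between zones (default deny). The tunnel is terminated on one
named interface, and decrypted traffic enters one named zone.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traffic the Internet may legitimately send to an IPsec endpoint:
# IKE (UDP/500), NAT-T (UDP/4500) and ESP. Anything else is exposure.
IPSEC_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str                 # e.g. "wan", "vpn-dmz", "dmz", "corp"
    networks: Tuple[str, ...]  # CIDRs bound to the NIC; more than one = shared port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str = "any"
    port: Optional[int] = None


@dataclass
class Proposal:
    interfaces: List[Interface]
    rules: List[Rule]
    tunnel_interface: str   # NIC on which the partner terminates the tunnel
    tunnel_zone: str        # zone that decrypted tunnel traffic enters
    corp_zone: str = "corp"
    internet_zone: str = "wan"


def allowed(rules: List[Rule], src: str, dst: str) -> List[Rule]:
    """Allow rules from zone src to zone dst (everything not listed is denied)."""
    return [r for r in rules if r.src_zone == src and r.dst_zone == dst]


def review(p: Proposal) -> List[str]:
    """Return the findings; an empty list means the drop-off would be approved."""
    findings = []
    nic = next((i for i in p.interfaces if i.name == p.tunnel_interface), None)
    if nic is None:
        return [f"tunnel interface {p.tunnel_interface!r} is not declared"]
    # 1. No shared ports: the tunnel NIC carries exactly one segment.
    if len(nic.networks) != 1:
        findings.append(f"{nic.name} is a shared port carrying {len(nic.networks)} networks")
    # 2. The tunnel lands in a DMZ, not on the corporate LAN or the raw Internet side.
    if nic.zone != p.tunnel_zone:
        findings.append(f"{nic.name} is in zone {nic.zone!r} but tunnel traffic is declared in {p.tunnel_zone!r}")
    if p.tunnel_zone in (p.corp_zone, p.internet_zone):
        findings.append(f"tunnel terminates directly in {p.tunnel_zone!r}; a DMZ drop-off is required")
    # 3. No direct connection from the tunnel into the corporate network.
    for r in allowed(p.rules, p.tunnel_zone, p.corp_zone):
        findings.append(f"rule permits {r.proto}/{r.port or 'any'} from the tunnel zone straight into {p.corp_zone!r}")
    # 4. The drop-off segment is not otherwise exposed to the Internet.
    for r in allowed(p.rules, p.internet_zone, p.tunnel_zone):
        if (r.proto, r.port) not in IPSEC_SERVICES:
            findings.append(f"{p.internet_zone!r} may reach the tunnel zone on {r.proto}/{r.port or 'any'}, not just IPsec")
    return findings


# Constructed sample: a shared router port with the tunnel dumped onto the corporate LAN.
REJECTED = Proposal(
    interfaces=[Interface("eth0", "wan", ("203.0.113.0/24",)),
                Interface("eth1", "corp", ("10.0.0.0/16", "10.9.0.0/24"))],
    rules=[Rule("wan", "corp"), Rule("corp", "wan")],
    tunnel_interface="eth1",
    tunnel_zone="corp",
)

# Constructed sample: dedicated tunnel NIC in a DMZ; only a DMZ gateway talks to corp.
ACCEPTED = Proposal(
    interfaces=[Interface("eth0", "wan", ("203.0.113.0/24",)),
                Interface("eth1", "vpn-dmz", ("10.9.0.0/24",)),
                Interface("eth2", "dmz", ("10.8.0.0/24",)),
                Interface("eth3", "corp", ("10.0.0.0/16",))],
    rules=[Rule("wan", "vpn-dmz", "udp", 500),    # IKE
           Rule("wan", "vpn-dmz", "udp", 4500),   # NAT-T
           Rule("wan", "vpn-dmz", "esp"),
           Rule("vpn-dmz", "dmz", "tcp", 443),    # partner traffic reaches the DMZ gateway only
           Rule("dmz", "corp", "tcp", 443)],      # the gateway, not the partner, talks to corp
    tunnel_interface="eth1",
    tunnel_zone="vpn-dmz",
)

if __name__ == "__main__":
    for label, proposal in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(label, review(proposal) or ["no findings"])
```

The model is deliberately coarse: it reasons about zones and allow rules, not about routing tables or the VPN software's own access lists, so a clean result is a precondition for approval rather than a substitute for the security team's review of who has access on the partner's side.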

“We aren’t going to just plug into a company because they say they have a VPN. VPNs don’t mean the same thing to all people,” he says. “That’s why we’re clear about our requirements.”

The director acknowledges that not all partners have this technology in place, and he dispatches his team to help set up the preferred drop-off point, if needed. Sometimes, the company will even fund the upgrade if the partnership is critical.