Companies striving to improve communications between increasingly dispersed employees and partners have made VPNs (virtual private networks) a staple of network infrastructure. As evidence, an overwhelming majority – 89 per cent – of respondents to the 2001 InfoWorld Security Solutions Survey currently have a VPN in place, and 58 per cent either use VPN services or plan to use them in the next 12 months.
In addition to improved communications, VPNs can provide significant cost savings. Dial-up modems can be replaced with VPN remote-access solutions to allow travelling employees and telecommuters to access the corporate network. Removing direct dial-up access eliminates long-distance and toll-free number charges that can be a substantial corporate expense. Site-to-site connections, such as between corporate headquarters and branch offices or business partners, are also prime targets for VPN solutions, which can reduce costs by taking advantage of the public Internet instead of purchasing leased lines or other expensive WAN (wide area network) connections.
As VPNs have developed, the biggest advance has been the ratification of the IPSec (Internet Protocol security) standard, which, despite a shaky start, provides interoperability between various gateways and clients. VPN products are now fairly stable and can communicate relatively well with one another using the defined standard, but their evolution toward interoperability and manageability is far from complete.
First and foremost, the IPSec standard will continue to be improved by the Internet Engineering Task Force (IETF). The first major change will be the ability to use IPSec tunnels with NAT (Network Address Translation) and NAPT (Network Address Port Translation). Once this functionality is in place, companies will have more flexibility regarding where to place their VPN gateways. The IP address changes made through NAT will no longer “break” the IPSec protocol. Currently, NAT can be used with IPSec VPNs only if NAT occurs before the packet is encrypted. NAT modifies the IP address and port information in a packet, and if the packet is encrypted, NAT cannot make the necessary changes.
The IETF is developing a standard called NAT Traversal, which encapsulates IPSec traffic via UDP (User Datagram Protocol), allowing NAT to make the necessary IP address and port changes. This is great for people with home networks using NAT behind one public IP address from a broadband Internet connection. Now their VPN client will work on a machine with a private IP address. NAT Traversal also provides more options in network configuration. Currently, the best places to implement a VPN gateway are on the same device as the corporate firewall or in parallel with it. NAT Traversal will allow network administrators to place a VPN gateway in almost any location.
Authentication in remote-access VPNs will also be improved, providing more security and greater ease of use. Currently, IPSec only supports pre-shared keys, which do not provide two-factor authentication, and digital certificates, which offer two-factor authentication only with a PKI (public key infrastructure).
Many organizations would like to implement two-factor authentication (something you have and something you know) to provide an additional layer of access security, but they would also like to use authentication technologies they already have in place, such as SecurID, biometrics, or a Radius user ID and password database. Three new systems have been proposed to the IETF that would allow them to do both: XAUTH (extended Authentication), Hybrid Authentication, and CRACK (Challenge/Response Authentication of Cryptographic Keys).
These developments and many others will continue to make IPSec VPNs more interoperable and easier to manage. One of the long-term advances will be a standard management platform for VPN devices. With standardized management, administrators could easily manage multiple VPN gateways and clients from different vendors. For example, you could set up a Check Point VPN for remote access and site-to-site connections to branch offices and a Cisco PIX VPN for a partner extranet, and you could control all of the devices and clients involved from one location.
Several major vendors, including Netscreen and Check Point, are backing this development. Standardized management will also eliminate the headaches involved in using best-of-breed solutions from a variety of vendors, a strategy generally preferred by IT managers. According to our 2001 InfoWorld Security Solutions Survey, 53 per cent of respondents choose best-of-breed security solutions, whereas only 22 per cent prefer to buy from a single vendor.
The use of VPN services will also grow in the near future. As companies move to focus on core competencies, they will outsource the aspects of their business that are more costly to manage. With economies of scale in their favour and easier management on the horizon, VPN services offer a viable alternative to organizations looking to offload some functions.
A few years down the road, you can also expect to see tighter integration of IPSec into OSes, similar to the path TCP/IP took when it was introduced. Microsoft made a good first step by including IPSec functionality in Windows 2000, and Solaris and Linux also support IPSec. But with the forthcoming improvements in the IPSec standard and the increasing use of VPN technology, especially for securing wireless networks, IPSec integration will need to become even tighter. By making VPNs easier to use and manage, this integration will further decrease the costs of implementing VPNs.
VPNs have quickly become an accepted, and often necessary, technology in the IT department. The future will bring not only further improvements in the interoperability, usability, and manageability of this technology. It will also bring tighter integration with operating systems, helping to make IPSec as well-known as TCP/IP and VPNs an even more compelling means of extending corporate networks to remote employees, offices, and business partners.
THE BOTTOM LINE
Executive Summary: VPNs are quickly becoming a standard component in the IT infrastructure. The cost savings they provide are often unbeatable, and a growing trend to use VPN services may save organizations even more money.
Test Center Perspective: Improved standards – especially for NAT, remote-access authentication, and management – will greatly reduce the time and resources necessary to deploy and maintain a VPN. Improved interoperability will also allow organizations to more easily implement best-of-breed solutions.
Technology Analyst Mandy Andress ([email protected]) covers security and networking for the InfoWorld Test Center.