Run Your Network Over the Internet

Government managers can make a good case for office decentralization. Branch offices put an agency where it's most needed. Moving personnel out of major metropolitan areas can lower costs, and telecommuting can attract talent that otherwise might opt for fatter industry paychecks.

Ironically, however, the computer industry that helped make decentralization so attractive is lagging behind on the remote networking curve, particularly when it comes to mission-critical data. Teleconferencing is still a challenge, and security concerns often chain high-level personnel to a desk at headquarters.

"Sensitive applications, the ones you keep on the servers at headquarters, are tough to get to if you're not linked into the internal network. If you're a remote user, access to these programs is either denied completely or quickly becomes a complicated problem," says Tom Dunigan, a staffer with Oak Ridge National Laboratory's Network Research Group in Oak Ridge, Tenn.

Virtual private networks (VPNs) may hold the answer for Oak Ridge and for many other government offices. A VPN, essentially an encrypted link between a user and a network server, uses the Internet as a data thoroughfare, in lieu of dedicated circuits. Once the VPN is established, data travels securely across a kind of virtual circuit that acts almost exactly like a standard physical network connection. Users simply activate the VPN link, which handles dial-up or other connection chores in the background, and log into the network as they would if physically connected to the local area network.

A VPN "tunnel" can be established using something as simple as a dial-up World Wide Web connection available from any Internet service provider (ISP), or as elaborate as an agency's high-speed asynchronous transfer mode (ATM) link to the Internet. Using VPN connections can cut multi-site communications costs by 50 percent or more. Network cost-cutting takes place across the board, since VPNs can also reduce the additional fax, voice and even video transmissions employees use to compensate for not being wired into the central network.

Virtual private networking may have a profound effect in other areas, as well. Since it operates over Internet connections available to anyone, it eliminates the need for special dedicated circuits for an agency's extranet connections, to suppliers or other agencies. And it can make those connections more secure and easier to manage. It can also forestall some of the problems that occur when a network is forced to stretch to accommodate too many "remotes."

On PCs or on the Network

A VPN can be established at several points in the network connection. Microsoft Corp.'s Point-to-Point Tunneling Protocol (PPTP), included in Windows 98, Windows NT 4.0 and as a dial-up client upgrade to Windows 95, handles the entire operation in software installed on the client and server machines. Other solutions, such as Check Point Software Technologies Ltd.'s VPN-1 product suite, which is based on its FireWall-1 security software, support Unix as well as Windows platforms. Scheduled to be released in November, the VPN-1 suite will include an accelerator card that eliminates the delays caused by software-only encryption.

Router-based solutions, such as Shiva Corp.'s LANRover VPN Gateway, establish the connection from the LANRover router on the server side and can also overcome software-only performance problems. They also often offer the advantage of additional security and much better network management features.

At Oak Ridge, "payroll, personnel reviews, just about anything that might involve the Privacy Act--classic business-sensitive services--had to be behind the firewall," Dunigan says. "In the past, when we just couldn't avoid it, we could set up special secure connections so somebody could get to these things. But we generally just told people they had to get to the network" with a physical connection.

All that could change with a VPN. "The idea of secure VPN tunneling was very attractive to us from the moment we heard about it," Dunigan says. "Internet connections are ubiquitous, and they're inexpensive. The server sees a user from a VPN as just another client on the network, even if that user is not physically present. We have the luxury of being able to choose our bandwidth, choose our access point and still save quite a bit of money on connection costs."

The widespread deployment that some Oak Ridge officials had hoped for has yet to materialize. While a few users are connecting back to headquarters via tunnels, the lab's VPN trial remains a small one, mainly because of problems with incompatible standards and the high costs of proprietary solutions.

"We're not particularly happy with anything we've seen yet," Dunigan says. "We started with Microsoft's PPTP, mainly because it was free, but we've also looked at commercial products, like FireWall-1. None of them really give us what we need, which is a fully interoperable VPN that works equally well with Windows, Unix and Macs, yet doesn't cost a bundle." (For more information, check out Dunigan's web site.)

Federal Users

Other VPN attempts have been more successful. Pilot programs are already under way at the National Communications System, where officials plan to use the Internet, via VPNs, as an emergency connecting point for several federal agencies, including the Federal Emergency Management Agency, the General Services Administration and the Commerce Department. And a long chain of VPNs will link financial intelligence units in several countries, from Slovenia to Ecuador, to drug interdiction forces at the Treasury Department. The connections will be used to pinpoint potential money-laundering transactions. The Bureau of Land Management has used V-One Corp.'s SmartGate, in conjunction with a massive firewall defense, to administer networks and allow outside agencies to access its Informix databases.

There are some downsides to VPNs, however. As Oak Ridge discovered, selecting and integrating VPN products with other network and Internet components must be done carefully. The products and consulting sometimes needed for a large-scale implementation can be very expensive. Also, the connection is only as reliable as the ISP at either end, and in some cases that is not very reliable. Intermittent ISP failures, or one of the Internet's infamous "World Wide Waits," can wreak havoc with quality of service requirements. And unreliable connections can spook remote users into relying on older means of communication.

One critical factor: Both ends of the connection must speak the same VPN "language" or the tunnel cannot be maintained successfully. But, as Oak Ridge discovered, the dust has yet to settle in the VPN standards war. Competing proprietary solutions often cause problems in managing multiple standards and protocols, especially since there may be different ISPs on each end of the connection. And interoperability problems can grow geometrically with each new VPN addition. Right now the exact methods of encryption, and other security practices involved in VPNs, vary from vendor to vendor.

"IPv6 and the Internet security protocols such as IPSec and L2TP [Layer 2 Tunneling Protocol] may give us the interoperability between commercial solutions, and the multiplatform support we've been looking for," Dunigan says. IPv6, the Internet Engineering Task Force's (IETF) next-generation IP standard, not only provides for longer 128-bit IP addresses (as opposed to today's 32-bit version), it also mandates minimal security levels at each Internet node. IPSec, another IETF project that provides a security framework for IP networks, has taken longer to emerge in usable form than originally estimated. "So the trouble is that not much is available for either standard yet," he says.

Many government network administrators will keep VPNs at the pilot stage until security standards are common in major vendors' offerings. Virtually all network operating system, router/switch and firewall makers have promised support for IPSec and IPv6, although fully supported releases may be several months away in many cases. With secure, interoperable VPN capabilities built into operating systems such as Sun Microsystems' Solaris (a popular form of Unix) and Microsoft Windows NT, the need to cobble together solutions from multiple vendors will largely disappear. "Cost is, of course, a factor in any large-scale deployment," Dunigan says. "We'd like to see a standards-based solution where we're not wired into one single vendor."

Improvements Ahead

L2TP, another IETF standard, looks to be the "common language" VPN manufacturers have been waiting for. Device-independent, L2TP is actually a blend of PPTP and a Cisco Systems technology, Layer 2 Forwarding. It builds in support for IPSec and permits tunneling to take place over non-IP networks such as X.25. It can also accommodate IPX, the protocol used by Novell NetWare networks, as well as Apple Macintosh's AppleTalk connections.
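The "same language" requirement and the protocol-agnostic payload described above, shown as an added example that is not from the article or from any vendor it mentions: it builds a minimal L2TPv2 data message carrying an IPX or IP PPP frame and parses it back, refusing messages whose version or flag combination is not what RFC 2661 allows. The header layout follows RFC 2661 and the PPP protocol numbers follow the IANA PPP assignments; tunnel, session and payload values are constructed samples, and the IPSec protection the article says L2TP relies on is outside the tunnel header and not shown here.

```python
import struct
# L2TPv2 header flag bits and version number (RFC 2661, section 3.1).
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
L2TP_VERSION = 2
# IANA PPP protocol numbers for the payloads the article says L2TP can carry.
PPP_PROTOCOLS = {0x0021: "IP", 0x0057: "IPv6", 0x002B: "IPX", 0x0029: "AppleTalk"}

def build_l2tp_data(tunnel_id, session_id, ppp_protocol, payload, ns=None, nr=None):
    """L2TPv2 data message (T=0) carrying one PPP frame; Length always present."""
    flags = FLAG_L | L2TP_VERSION
    seq = b""
    if ns is not None:                      # optional Ns/Nr sequence numbers
        flags |= FLAG_S
        seq = struct.pack("!HH", ns, nr)
    body = struct.pack("!H", ppp_protocol) + payload   # PPP protocol + data (ACFC)
    total = 8 + len(seq) + len(body)        # flags, Length, Tunnel ID, Session ID
    return struct.pack("!HHHH", flags, total, tunnel_id, session_id) + seq + body

def _u16(buf, pos):                         # bounds-checked big-endian uint16
    if pos + 2 > len(buf): raise ValueError("truncated message at offset %d" % pos)
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def parse_l2tp(msg):
    """Parse an L2TPv2 message, enforcing RFC 2661 header rules before trusting any field."""
    flags = _u16(msg, 0)
    if flags & 0x000F != L2TP_VERSION:      # peer is not speaking our "language"
        raise ValueError("unsupported L2TP version %d" % (flags & 0x000F))
    control, has_len = bool(flags & FLAG_T), bool(flags & FLAG_L)
    has_seq, has_off = bool(flags & FLAG_S), bool(flags & FLAG_O)
    if control and (not has_len or not has_seq or has_off):
        raise ValueError("control messages must set L and S and clear O")
    pos = 2
    if has_len:
        length = _u16(msg, pos); pos += 2
        if length > len(msg): raise ValueError("Length exceeds datagram size")
        msg = msg[:length]                  # drop any trailing padding
    tunnel_id, session_id = _u16(msg, pos), _u16(msg, pos + 2); pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = _u16(msg, pos), _u16(msg, pos + 2); pos += 4
    if has_off:                             # skip Offset Size plus its padding
        pos += 2 + _u16(msg, pos)
        if pos > len(msg): raise ValueError("Offset runs past end of message")
    info = {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": msg[pos:]}
    if not control:                         # data message: payload is a PPP frame
        proto = _u16(msg, pos)
        info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, "0x%04x" % proto)
        info["ppp_payload"] = msg[pos + 2:]
    return info
```

A receiver that applies these checks drops a peer running a different version or sending malformed headers at the first packet, which is the failure mode the "language" mismatch produces in practice.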

Support for IPv6 and IPSec is still in the future for Microsoft, thanks to continued delays in releasing Windows NT 5.0. The company will ship the new operating system next year with licensed IPSec support from Cisco Systems. Linux (a low-cost Unix) and Solaris seem to have a head start on IPv6. "Things will be a lot easier when the major operating systems support a standard VPN solution," Dunigan says. "But even then, nobody just migrates wholesale to a new platform. You'll still need to support legacy systems," which won't include built-in support for the new standards. "That means you'll need a compatible VPN at the router."

If your office is considering a move to a virtual private network and you have only a few users whose needs are noncritical, you may be able to rely on the PPTP available in today's versions of Microsoft Windows. If you're planning on using mission-critical applications with a VPN, transmitting sensitive data or providing access to more than a few casual users, you'll want to build in additional security features, possibly through a firewall or via special VPN encryption products such as the IPSec-compliant Permit software suite from TimeStep Corp.

More rigorous requirements that include a large number of regular users, high-bandwidth transmissions, service guarantees, a wide range of platforms and protocols to support and/or extremely fast performance need far more careful planning. Companies such as Bay Networks Inc., Shiva, Ascend Communications Inc. and Cisco Systems all provide extensive VPN design services.

Whatever VPN technology you choose, you'll need to take special pains in implementing it:

  • Test first. Start with a pilot program, with fewer than a half-dozen users in a carefully controlled environment.
  • Integrate slowly. Don't rush all your applications onto a VPN. Once you've established repeated VPN sessions with users on one application, add others gradually.
  • Provide backup during the implementation phase. It goes without saying that if something can go wrong with a new network capability, it will. Giving beta testers alternate network access will make troubleshooting easier.

Virtual private networking is probably at least a year away from becoming an off-the-shelf technique for foolproof--and secure--remote connections. But even with today's standards confusion, the cost savings may easily justify using VPNs at your agency.

Cynthia Morgan reviews computer and network technology for several publications. The former editor of Byte magazine, she is based in Massachusetts.
