Internet Security:

The Latest Virtual Private Networks

By Dr. Seamus Phan

When we think about the virtual private network (VPN), we tend to look at it from a technology standpoint, without putting it in context for business scenarios. Therefore, it may be difficult to design a VPN that caters to every perimeter, gateway, application, and user, while still providing the full security that businesses demand. Still, there are specific recommendations and technologies we can use to secure and empower our users and networks without prejudice.

VPNs can come in the form of software, which most of us are familiar with, and which must be installed on vendor-certified hardware and industrial-strength hardened operating systems. They are also available as "appliances", which are basically VPN software and operating systems pre-installed by the vendors on small (or not so small) form factor computers.

SSL and IPSec side by side

Traditional VPNs utilize IPSec for encryption, where IP packets are encrypted between hosts or between clients and hosts. Because of the encryption required at the packet level, issues such as shared key management and hardware acceleration have to be considered for a successful and efficient VPN installation.

Another method of VPN implementation uses SSL (secure sockets layer) for the encryption of HTTP (hypertext transport protocol) traffic, and can therefore work with any Web browser client. The flip side of using SSL, despite its widespread compatibility, is the limitation of HTTP itself in handling more modern applications such as peer-to-peer (P2P) file sharing and other data streaming applications.

There are some VPN technologies which use SSL to encrypt not only TCP packets but UDP packets as well, providing an all-inclusive data communication encryption mechanism. Some of these technologies also allow a full audit trail of users by mapping all encrypted data to specific users' identity and usage.

If you are purchasing a VPN solution, especially for branch offices and remote access users, you should ensure that the solution is compatible with NAT and private IP environments as some dated implementations may not work well with such environments.

For a Windows-centric network, you may consider the Layer Two Tunneling Protocol (L2TP), an adaptation of Microsoft's older Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer Two Forwarding (L2F) protocol.

If, however, you are using a mixed environment, you can consider running L2TP over IPSec, or simply standardize on one of these protocols. Although some VPN solutions do provide both IPSec and L2TP/PPTP compliance, it is unwise to try and suit everyone's preferences. It is a good practice to standardize for the entire enterprise network, and to conform all users to a single operating standard.

The MPLS alternative

Multiprotocol Label Switching, or MPLS, is an alternative to IPSec-based VPN technology.

It is a Layer 2 independent switching technology that uses Layer 3 to provide Layer 2 services. MPLS is Layer 2 independent since it works on frame and cell-based networks, with Layer 3 functions for IP routing. Like IP-VPNs, it provides a virtual circuit through the network.

Unlike traditional IP-VPNs, however, MPLS VPNs provide the same security as Layer 2 circuits, without the use or need for encryption. IP-VPNs require IP addresses for forwarding and receiving data, and therefore require private and public IP address management. With MPLS VPNs, IP addresses are not used for forwarding data on the MPLS network, so customer addresses stay private.

As the name Label Switching implies, all packets carry encoded labels that are attached by the Provider Edge (PE) routers. Unlike IP-VPNs, MPLS VPN infrastructure does require the provisioning of the service by a service provider. Think of the MPLS VPN as a complex inventory control system where data packets are labeled with "barcodes" and then sent by the service provider to the destination, where they are read by "barcode scanners". The simplicity of the MPLS concept also means that MPLS VPNs can be processor-efficient and scalable, since they do not require encryption.
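To make the "barcode" picture concrete, here is a toy simulation of label switching, added as an illustration and not taken from the article. Two customers, A and B, both use the overlapping private prefix 10.0.0.0/24 behind the same ingress PE router; the core P router forwards by label only and never looks at the customer IP header, so each packet still reaches the right customer. Router names, labels, prefixes and the three-router topology are all constructed for the example; the per-customer tables stand in for VRFs.

```python
"""Toy MPLS label-switching simulation (added example, not from the article).

Topology (constructed): PE1 --> P1 --> PE2
Customers A and B both use 10.0.0.0/24; labels keep them apart.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: str
    labels: list = field(default_factory=list)  # label stack, top of stack at the end
    path: list = field(default_factory=list)    # routers traversed, recorded for the demo


class IngressPE:
    """Ingress PE: a per-customer table (a VRF) maps a destination prefix to a label."""

    def __init__(self, name, vrf_tables):
        self.name = name
        self.vrf_tables = vrf_tables  # {customer: {dst_prefix: outgoing_label}}

    def push(self, customer, pkt):
        prefix = pkt.dst_ip.rsplit(".", 1)[0] + ".0/24"  # crude /24 longest-match
        pkt.labels.append(self.vrf_tables[customer][prefix])
        pkt.path.append(self.name)
        return pkt


class CoreP:
    """Core P router: swaps labels from its label table; the IP header is never read."""

    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib  # {incoming_label: (outgoing_label, next_hop)}

    def switch(self, pkt):
        out_label, next_hop = self.lfib[pkt.labels.pop()]
        pkt.labels.append(out_label)
        pkt.path.append(self.name)
        return pkt, next_hop


class EgressPE:
    """Egress PE: pops the label and hands the packet to the customer it identifies."""

    def __init__(self, name, label_to_customer):
        self.name = name
        self.label_to_customer = label_to_customer

    def pop(self, pkt):
        customer = self.label_to_customer[pkt.labels.pop()]
        pkt.path.append(self.name)
        return customer, pkt


# Constructed tables: the same prefix gets a different label per customer.
PE1 = IngressPE("PE1", {"A": {"10.0.0.0/24": 100}, "B": {"10.0.0.0/24": 200}})
P1 = CoreP("P1", {100: (300, "PE2"), 200: (400, "PE2")})
PE2 = EgressPE("PE2", {300: "A", 400: "B"})


def forward(customer, pkt):
    """Carry pkt from customer's site across the core; return (delivered_to, pkt).

    Note that the payload crosses the core unencrypted: the isolation comes from
    labels, not from cryptography, which is the article's point about MPLS.
    """
    pkt = PE1.push(customer, pkt)
    pkt, next_hop = P1.switch(pkt)
    if next_hop != "PE2":
        raise RuntimeError("unexpected next hop " + next_hop)
    return PE2.pop(pkt)


if __name__ == "__main__":
    for cust in ("A", "B"):
        delivered_to, p = forward(cust, Packet("10.0.0.9", "10.0.0.5", "same dst IP"))
        print(cust, "->", delivered_to, p.path)
```

Both packets carry the identical destination 10.0.0.5, yet A's packet is delivered to customer A and B's to customer B, because the core made its decision from the label pushed by PE1 rather than from the address.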

Who is between the keyboard and your network?

VPNs are great for the safe delivery of data between hosts and clients. However, VPN technology does not know the difference between a chimpanzee and an authorized or legitimate user. Since passwords do not tie themselves to specific individuals, VPNs will not be able to tell if the user is the rightful user or someone who managed to steal or guess a password.

A possible solution is to rely on tokens that carry public key infrastructure (PKI) certificates for individual users. This requires the enterprise to erect a PKI platform and Certificate Authority capability, which can create higher management overheads.

That brings us to biometrics and other forms of user authentication. Biometrics can work as plug-in technologies for traditional IP-VPNs, and can be the first line of intrusion prevention at the keyboard level. They can also be discrete components of the physical perimeter security system.

Although we have seen biometric equipment breaking down at the hands of experts, it is the only available method of authenticating a user at a computer terminal without human intervention.

With biometrics, even identical twins will appear different to the sensors, since no two irises or fingerprints are the same. Nothing is foolproof yet, but it is getting closer by the month.

Stopping malware at the door

VPNs, as part of the enterprise protection architecture, should also deny the transmission of illicit content or malware. Since bandwidth is still an expensive commodity, especially for larger GUI-based enterprise portal applications, such malware should be stopped at the gateway to allow more efficient VPN usage.

There are open source solutions that allow you to cut out most spam and viruses by simple file type identification and the use of regular expressions (regex, as in Perl), or the more complex content filtering algorithms offered by commercial vendors.
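The following gateway check, added here as an example rather than code from the article or any named product, shows what "file type identification and regular expressions" amounts to in practice: each attachment's real type is read from its leading magic bytes, compared with the type its filename claims, and matched against a regex for misleading double extensions, while the subject line is screened by a second regex. The magic-byte table, the regexes and every sample attachment are constructed for the example and far smaller than a production filter would use.

```python
"""Gateway attachment and subject filter (added example, not from the article)."""
import re

# Constructed table of leading bytes -> file type (a real filter has hundreds).
MAGIC = {
    b"MZ": "exe",           # Windows executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpg",
}
EXT_ALIAS = {"jpeg": "jpg"}          # extensions that name the same type
BLOCKED_TYPES = {"exe"}              # never let executables through the gateway
# A document extension followed by an executable one, e.g. "report.pdf.scr".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|jpg|txt)\.(exe|scr|bat|com|pif)$", re.IGNORECASE)
# Constructed spam phrases for the subject line.
SPAM_SUBJECT = re.compile(r"\b(free money|act now|you have won)\b", re.IGNORECASE)

SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def detect_type(data):
    """Return the type implied by the file's magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename, data):
    """Return (verdict, reason) for one attachment."""
    actual = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIAS.get(ext, ext)
    if actual in BLOCKED_TYPES:
        return "block", f"executable content ({actual}) regardless of name"
    if DOUBLE_EXT.search(filename):
        return "block", "misleading double extension"
    if actual != "unknown" and ext != actual:
        # The file is what it is; the name lies about it. Hold for review.
        return "quarantine", f"extension .{ext} does not match content type {actual}"
    return "allow", "ok"


def inspect_message(subject, attachments):
    """Return the most severe (verdict, reason) across subject and attachments."""
    if SPAM_SUBJECT.search(subject):
        return "block", "spam subject"
    worst = ("allow", "ok")
    for name, data in attachments:
        verdict = inspect_attachment(name, data)
        if SEVERITY[verdict[0]] > SEVERITY[worst[0]]:
            worst = verdict
    return worst


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Q3 report", [("report.pdf", b"%PDF-1.4 ...")]),
        ("Invoice", [("invoice.pdf", b"MZ\x90\x00 fake PE header")]),
        ("Photos", [("holiday.jpeg", b"\xff\xd8\xff\xe0 ...")]),
        ("Scan", [("scan.pdf", b"PK\x03\x04 zip bytes")]),
        ("ACT NOW", []),
    ]
    for subject, atts in samples:
        print(subject, "->", inspect_message(subject, atts))
```

The order of the checks matters: content type is tested before the filename, so an executable renamed to "invoice.pdf" is blocked on its bytes, and a genuine file whose name merely disagrees with its contents is quarantined rather than dropped.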

Keeping the network up

VPNs can be secured, but they should also allow communication without any downtime. It is unimaginable to have a VPN break down every so often, since vital transactions such as fund transfers between financial institutions can be lost or corrupted.

A good VPN architecture should provide for redundancy and load balancing, and there should be no single point of failure. If a VPN server goes down, another one should immediately take over. Even a transaction or transmission in transit should be carried over to the destination without corruption when a failover VPN server takes over.
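The requirement that an in-flight transaction survive a failover is easy to state and easy to get wrong, so here is a small simulation, added as an example and not drawn from the article or any vendor's product. Two gateways share replicated session state (which chunks of a transfer have been stored); the primary crashes after storing a chunk but before acknowledging it, the sender retries through the standby, and the standby recognises the duplicate instead of storing it twice. The receiver then checks the reassembled data against the sender's SHA-256 digest. Server names, the chunk size and the transfer payload are constructed for the example.

```python
"""Stateful VPN failover simulation (added example, not from the article)."""
import hashlib

CHUNK = 8  # bytes per chunk; constructed to force several round trips


class VpnServer:
    """One VPN gateway. `session` is the state replicated between peers."""

    def __init__(self, name, session):
        self.name = name
        self.up = True
        self.session = session  # {"acked": int, "chunks": {seq: bytes}}

    def deliver(self, seq, chunk):
        if not self.up:
            raise ConnectionError(f"{self.name} is down")
        if seq not in self.session["chunks"]:   # a retried seq is idempotent
            self.session["chunks"][seq] = chunk
            self.session["acked"] = seq
        return seq


class Cluster:
    """Sender-side view: try the first healthy server, fail over on error."""

    def __init__(self, servers, fail_primary_after=None):
        self.servers = servers
        self.fail_after = fail_primary_after  # crash injected on this delivery
        self.deliveries = 0
        self.failovers = 0

    def send(self, seq, chunk):
        for _ in range(len(self.servers)):
            server = next((s for s in self.servers if s.up), None)
            if server is None:
                raise ConnectionError("no VPN server available")
            self.deliveries += 1
            try:
                ack = server.deliver(seq, chunk)
                if self.fail_after is not None and self.deliveries == self.fail_after:
                    server.up = False                 # crash after storing the chunk...
                    raise ConnectionError("ack lost")  # ...but before the ack got out
                return ack
            except ConnectionError:
                self.failovers += 1
        raise ConnectionError("all servers failed")


def transfer(data, cluster):
    """Send data chunk by chunk; return the sender's digest of the whole message."""
    for seq in range(0, (len(data) + CHUNK - 1) // CHUNK):
        chunk = data[seq * CHUNK:(seq + 1) * CHUNK]
        if cluster.send(seq, chunk) != seq:
            raise RuntimeError("unexpected ack")
    return hashlib.sha256(data).hexdigest()


def reassemble(session):
    """Destination side: join chunks in sequence order and digest the result."""
    data = b"".join(session["chunks"][seq] for seq in sorted(session["chunks"]))
    return data, hashlib.sha256(data).hexdigest()


def run_transfer(data, fail_primary_after=None):
    session = {"acked": -1, "chunks": {}}
    cluster = Cluster([VpnServer("vpn-a", session), VpnServer("vpn-b", session)],
                      fail_primary_after)
    sent_digest = transfer(data, cluster)
    received, got_digest = reassemble(session)
    return {
        "intact": sent_digest == got_digest,
        "failovers": cluster.failovers,
        "active": next(s.name for s in cluster.servers if s.up),
        "chunks": len(session["chunks"]),
        "received": received,
    }


if __name__ == "__main__":
    payload = b"TRANSFER 1000.00 FROM ACCT-1 TO ACCT-2"  # constructed
    print(run_transfer(payload))
    print(run_transfer(payload, fail_primary_after=3))
```

The property worth testing is that the result with a crash injected mid-transfer is byte-for-byte the same as the result without one; if the standby did not share the session state, the retried chunk would either be stored twice or the sender would never get its acknowledgement.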

This seems like an expensive proposition and is not often practiced at many organizations, even large ones. However, there are simple and affordable VPN solutions that will make the setting up of redundant VPN units viable.

Progressively, VPN systems are getting smaller, cheaper, and easier to learn about and maintain. Their performance is also improving quickly, and alternatives such as MPLS are steadily pacing the evolution of IP-VPNs. In the not too distant future, it is conceivable that VPNs will form the staple of standard desktops and enterprise operating systems or be embedded in core hardware, and provide the much needed speed and performance demanded by emerging applications and data.

Dr. Seamus Phan is a world-renowned authority on the technical security aspects of the Internet. Dr. Phan serves the BWW Society as Founder and Chairman of the Internet Security Committee, which is designed and conceived to gather and share information on the latest computer and Internet threats, to provide immediate information on technology’s newest developments in the prevention of Internet-related security problems, and to increase and enhance all forms of Internet Security.
