Young Love 2000


NETWORKS

Virtual private networks - how they work
by Roger Younglove

VPNs are hot, and for good reason. They promise to help organisations more economically support sales over the Internet, tie business partners and suppliers together, link branch offices with each other, and support telecommuter access to corporate network resources.

In 1999 corporations bought $281 million worth of virtual private network (VPN) hardware, and [...] that to $831 [million] by the end of this year, according to Infonetics. Cahners In-Stat Group predicts the total market for VPN gear and services will explode from a projected $267 [...] billion by the end of 2003. An Internet [...] survey of 200 IT managers found that 29% were already using VPNs, while the remaining 71% were six months to one year or more away from deployment.

What, exactly, is a VPN? A good working definition is as follows:

A virtual private network is a combination of tunnelling, encryption, authentication and access control used to carry traffic over the Internet (or a managed Internet protocol (IP) network or a provider's backbone).

Simply stated, a VPN gives us a secure way to access corporate network resources over the Internet or other public or private networks.

Why are VPNs important?

[...] in the US workforce that [...] do their jobs is continually [...]. [...] workforce demands frequent [...] of corporate information, millions of people telecommute, and employees increasingly need access to e-mail and network applications at night and at weekends. Moreover, the explosion of e-commerce means that companies are implementing business applications that share information among different sites, extending the reach of their business to partners, contractors and the supply chain. In all those arenas VPNs promise to reduce recurring telecommunications charges, minimise the amount of access equipment required, and give managers better control over their far-flung networks.

What is required to construct a VPN?

Two major elements are necessary to construct a VPN: a tunnelling protocol and a means to authenticate the tunnel origin. Tunnelling is a method for sending data packets securely over the Internet or other public network. A tunnelling protocol encapsulates data packets with information that provides routing data enabling the encapsulated payload to traverse the network securely. Today the choice is primarily between two tunnelling protocols, both developed by the IETF (Internet Engineering Task Force, http://www.ietf.org):

L2TP (layer 2 tunnelling protocol)

L2TP is a network protocol that encapsulates PPP (point-to-point protocol) frames to be sent over IP, X.25, frame relay, or ATM (asynchronous transfer mode) networks. (Layer 2 refers to the data link layer of the OSI model; layer 3 is the network layer.)

IPSec (Internet protocol security)

IPSec is a layer 3 protocol standard designed as an end-to-end mechanism for ensuring data security in IP-based communications. IPSec allows IP payloads to be encrypted and encapsulated in an IP header for secure transport across the Internet (or a corporate IP internetwork). The benefit of L2TP remote access is that it uses PPP for encapsulation and does not require installation of an extra package on the remote client. While L2TP is typically utilised by the SPs (service providers) to provide the remote dialup VPN for customers, IPSec is the major tunnel protocol used for the enterprise, which is our focus in this article.
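The encapsulation the article describes, shown as an added example that is not part of the original article: an ESP tunnel-mode packet (RFC 2406) built with NULL encryption (RFC 2410) so it runs on the standard library alone, HMAC-SHA1-96 integrity (RFC 2404) and a sequence-number replay check on receipt. The key, SPI and inner packet are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed sample key and inner IPv4/UDP packet (checksums are placeholders).
AUTH_KEY = b"\x11" * 20                  # HMAC-SHA1-96 key, constructed
INNER_PACKET = bytes.fromhex(
    "45000025000100004011f7a10a000001c0a80101"  # IPv4 header, 10.0.0.1 -> 192.168.1.1
    "1f90005000110000"                          # UDP header, 8080 -> 80, length 17
) + b"hello vpn"
ICV_LEN = 12          # SHA1-96 truncates the 20-byte HMAC to 12 bytes
NEXT_HEADER_IPIP = 4  # tunnel mode: the ESP payload is a whole IP packet

def esp_encapsulate(spi, seq, inner, auth_key):
    """Frame an inner IP packet as SPI|seq|payload|padding|padlen|nexthdr|ICV.
    With NULL encryption the payload is cleartext; the ICV still binds it."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))     # RFC 2406 default padding 1,2,3...
    body = struct.pack("!II", spi, seq) + inner + padding
    body += bytes([pad_len, NEXT_HEADER_IPIP])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(packet, auth_key, expected_spi, window):
    """Check ICV first, then SPI and replay, then strip the ESP framing.
    `window` is the set of sequence numbers already accepted on this SA.
    Returns the inner packet, or None when the packet is rejected."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None                               # corrupted or forged packet
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi or seq in window:      # wrong SA, or a replay
        return None
    window.add(seq)
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HEADER_IPIP:
        return None
    return body[8:len(body) - 2 - pad_len]

def demo():
    """Round-trip the packet, then show a replay and a tampered copy rejected."""
    window = set()
    pkt = esp_encapsulate(0x1000, 1, INNER_PACKET, AUTH_KEY)
    first = esp_decapsulate(pkt, AUTH_KEY, 0x1000, window)
    replay = esp_decapsulate(pkt, AUTH_KEY, 0x1000, window)
    tampered = bytearray(pkt)
    tampered[12] ^= 0xFF                          # flip a byte of the inner header
    forged = esp_decapsulate(bytes(tampered), AUTH_KEY, 0x1000, window)
    return first == INNER_PACKET, replay is None, forged is None
```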

[...]words or digital certificates. Shared secret is fairly easy to utilise for a small number of endpoints (clients and/or gateways). Token cards work very well for large intranet implementations, but for a large extranet implementation the easiest method is to use a digital certificate (public key infrastructure).

Implementing a public key infrastructure

A public key infrastructure (PKI) starts with a certificate authority (CA), a software package operated in a high security area, that issues digital certificates. A PKI also includes a directory service to make the certificate widely available. When implementing a PKI, the decision to purchase or contract out the service must be based not only on cost, but also, more importantly, on security policy and requirements. Do you have full control of the PKI or do you let someone else operate it for you?

In addition to a CA, a PKI also includes, at minimum, an X.509v3-compatible database. The CA operator issues the digital certificates to the end entity (in this case the IPSec endpoints) and records the information in the database. [If a] certificate is either compromised or is no longer correct for some reason, it is listed by the CA operator on a certificate revocation list (CRL). Each time an IPSec endpoint checks the validity of a certificate presented for authentication, it checks the CRL list; if that certificate is listed, it is invalid and the endpoint rejects it.

The policy defines authorisation re[...]

[...] implement a PKI, you should w[rite a certificate] policy (CP) regardless of whether you operate or outsource your CA. The CP delineates the requirements to receive a certificate from the CA (for example, a certificate must be requested in person and requires two forms of ID, one a picture ID) and/or a level of authority (for example, this certificate allows signature authority for one million dollars).

For an IPSec endpoint, the CP defines what information must be submitted to the CA for certification. Moreover, the CP should [...] that the CA must meet for [...].

To successfully implement a CA, the operator must write a certificate practice statement (CPS), which spells out how the operation of the CA matches the CP (certificate policy) requirements. If you implement your own CA, you should create both the CP and the CPS. Since you have full control of the implementation, this might [...] but it is important for two reasons. First, it ensures optimal security by requiring written documents for both operational guidance and audit purposes. Second, if you ever wish to cross-certify (that is, be treated as an equal and able to accept certificates) with a CA operated by someone else, both the CP and CPS are required to ensure that both certificates are considered equal in the required aspects.

Guaranteed service

Regardless of how well the security policies have been defined, operating a VPN over the Internet is not highly predictable because the Internet is not a guaranteed transport. If guaranteed service is not required, the Internet provides adequate VPN transport. However, if guaranteed service is mandatory, a service level agreement (SLA) can be [...] transport over a managed IP network. An SLA is a money-back guarantee that the service provider (SP) will deliver a specific level of service. This might cover, for example, overall network availability of 99.7%, or end-to-end latency not greater than 150ms round-trip, or local loop availability of 99.7%, or a packet loss of less than 1% of overall throughput. The agreement may also dictate such terms as, for instance, a refund of one month's charges if the SP abrogates any of the agreed upon service levels.

Conclusion

Whether implemented as an intranet or an extranet, a VPN can reduce communications costs by utilising a single connection with one piece of equipment for each location instead of what would otherwise [...] communication links using legacy equipment. Cost is usually the determining factor of whether the VPN is built in-house or is contracted out. Cost per connection for a service is weighed against the total equipment, training, maintenance, and management costs spread over the number of connections required for a VPN built in-house. Another important consideration is who maintains control of the equipment. Some companies do not use contract services, regardless of cost, because they want full control over the VPN.

Using VPNs, companies can reliably and securely share information across the Internet or a managed IP network. Today VPNs are being used to help corpora[tions ...]pplications, tie business partners and suppliers together, and support the explosion of e-commerce, especially in business-to-business applications.
