A gateway is a device that
features VPN server capabilities. An example of a gateway is the Cable/DSL VPN
Router. The Router functions as a VPN server, creating a “tunnel” or channel
between itself and a remote location, so that data transmissions between them
are secure. A host is a device, such as a computer, with VPN host software
installed. Microsoft Windows 2000 and XP have built-in VPN host software; other
versions of Microsoft operating systems require additional, third-party software
applications to be installed.
Gateway to Gateway
An example of a gateway-to-gateway VPN would be a Cable/DSL VPN Router (gateway)
linked to the central office's VPN server (gateway). At home, a telecommuter
uses his Cable/DSL VPN Router for his always-on Internet connection. His Router
has a built-in VPN server configured with his office’s VPN settings. He starts
up the Router’s utility and connects to the VPN server at the central office
40 miles* away. Using the VPN, the telecommuter now has a secure connection to
the central office’s network, as if he were physically connected.
Host to Gateway
An example of a host-to-gateway VPN would be a notebook computer (host) linked
to the central office’s VPN server (gateway). In her hotel room, a traveling
business person dials up her ISP. Her notebook computer has VPN host software
configured with her office’s VPN settings. She starts up the VPN host software
and connects to the VPN server at the central office 4000 miles* away. Using the
VPN, she now has a secure connection to the central office’s network, as if she
were physically connected.
*Distances are examples only;
VPNs have no distance limitations.
VPN Types
There are three broad categories of VPN products: hardware-based, firewall-based
and software-based.
The majority of hardware-based VPN systems are encrypting routers. They are
secure and easy to use, since they provide the nearest thing to "plug and
play" encryption equipment available. Since they don't waste processor
overhead in running an operating system or applications, they provide the
highest network throughput of all VPN systems. However, they may not be as
flexible as software-based systems. The best hardware VPN packages offer
software-only clients for remote installation, and incorporate some of the
access control features more traditionally managed by firewalls or other
perimeter security devices.
Firewall-based VPNs take advantage of the firewall's security mechanisms,
including restricting access to the internal network. They also perform address
translation; satisfy requirements for strong authentication; and serve up
real-time alarms and extensive logging. Most commercial firewalls also
"harden" the host operating system kernel by stripping out dangerous
or unnecessary services, providing additional security for the VPN server. OS
protection is a major plus, since very few VPN application vendors supply
guidance on OS security. Performance may be a concern, especially if the
firewall is already heavily loaded; however, some firewall vendors offer
hardware-based encryption processors to minimize the impact of VPN management
on the system.
Software-based VPNs are ideal in situations where both endpoints of the
VPN are not controlled by the same organization (typical for client support
requirements or business partnerships), or when different firewalls and routers
are implemented within the same organization. Currently, standalone VPNs offer
the most flexibility in network traffic management. Many software-based products
allow traffic to be tunneled based on address or protocol, unlike hardware-based
products, which generally tunnel all the traffic they handle, regardless of
protocol. Tunneling specific traffic types is advantageous in situations where
remote sites may see a mix of traffic - some that may need transport over a VPN
(such as entries to a database at headquarters) and some that do not (such as
Web surfing). In situations where performance requirements are modest (such as
users connecting over dial-up links), software-based VPNs may be the best
choice.
In summary, a VPN is a private connection between two machines or networks
over a shared or public network. In practical terms, VPN technology lets an
organization securely extend its network services over the Internet to remote
users, branch offices, and partner companies. In other words, VPNs turn the
Internet into a simulated private WAN.
The Internet's appeal is its global presence, and its use is now standard
practice for most users and organizations. As the need for communication links
continues to grow, VPNs become increasingly relevant: they provide security, are
cost-efficient, and are quick to implement.
Wireless Security
A Wireless Local-Area Network (WLAN) uses radio frequency technology to transmit
and receive data over the air, providing all the features and benefits of
traditional LANs but without the limitations of a cable.
WLANs have become widely accepted for both home and business use. However, as
WLANs become widespread, businesses require a more robust security solution.
To safeguard data on WLANs, the 802.11 standard specifies three basic methods of
securing access to wireless Access Points (APs):
Service Set Identifier (SSID)
The SSID allows a WLAN to be segmented into multiple networks, each with a
different identifier. Each of these networks is assigned a unique identifier,
which is programmed into one or more APs. To access any of the networks, a
client computer must be configured with the corresponding SSID for that
network. Thus, the SSID acts as a simple password, providing a measure of
security.
Media Access Control (MAC) address filtering
To increase security, each AP can be configured with a list of MAC addresses
associated with the client computers that are allowed access to the AP. If a
client's MAC address is not on the list, the AP will deny access. This method
provides good security but is only suited to small networks. The labor-intensive
work of entering MAC addresses and maintaining up-to-date lists on all of the AP
devices obviously limits the scalability of this approach.
Wired Equivalent Privacy (WEP)
To minimize the risk of radio frequency (RF) interception by somebody nearby,
WEP is specified for encryption and authentication between clients and APs
according to the 802.11 standard. WEP security is based on an encryption
algorithm called RC4. The RC4 keystream used to encrypt data is generated from a
key (a number sequence) entered and controlled by the user. All clients and APs
are configured with the same key to encrypt and decrypt transmissions of data.
WEP keys are 40 or 128 bits in length.
An AP (Access Point) can be set up to provide encryption-only protection in
open-system mode, or to add authentication in shared-key mode. MAC address
filtering is often used together with this encryption. WEP security is best
suited for small networks, as there is no key management protocol. As a result,
keys must be manually entered into every client. This can be a huge management
task, especially as keys should be changed regularly to provide a higher level
of security.
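To make the WEP mechanism described above concrete, here is an added example written for this page (not vendor code): an RC4 keystream generator, WEP frame encapsulation with the shared key, and the shared-key authentication exchange between an AP and a station. The 24-bit per-frame IV prepended to each frame, the CRC-32 integrity check value (ICV) appended to the payload, and the 128-byte challenge are standard WEP details the text does not spell out; the 128-bit variant the text mentions uses a 13-byte secret with the same 3-byte IV, and all key values below are constructed.

```python
import os
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling pass over the 256-byte state, then keystream output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encapsulate one frame body: IV || RC4(IV || key)(plaintext || CRC-32 ICV)."""
    if len(shared_key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP uses a 40- or 104-bit secret key and a 24-bit IV")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Receiver side: strip the IV, decrypt, return the payload or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(a ^ b for a, b in zip(body, keystream))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None  # wrong key or corrupted frame
    return data


def shared_key_auth(ap_key: bytes, station_key: bytes) -> bool:
    """Shared-key mode: the AP sends a cleartext challenge, the station returns it
    WEP-encrypted, and the AP admits the station only if it decrypts to the challenge."""
    challenge = os.urandom(128)                                    # AP -> station
    response = wep_encrypt(station_key, os.urandom(3), challenge)  # station -> AP
    return wep_decrypt(ap_key, response) == challenge              # AP's decision
```

Because every client and AP must hold the same key, rotating it means re-entering it everywhere, which is the management burden the text describes.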
Overall Virtual Private Networking (VPN) Is Your Best Bet
VPN makes it possible for users on an untrusted network to connect to a private
network in an easy and secure manner. For business networks, a VPN solution for
wireless access is currently the most suitable alternative to WEP and MAC
address filtering.
Internet Protocol Security (IPSec), as defined by IETF, is the most widely used
mechanism for securing VPN traffic. IPSec can use multiple algorithms for
encrypting data, keyed hash algorithms for authenticating packets, and digital
certificates for validating public keys. VPNs also support a variety of user
authentication methods. These standards-based methods allow for easy integration
into existing network infrastructures.
The IPSec protocol includes three principal security elements:
Authentication Header (AH)
The AH provides authentication and integrity by adding authentication
information to the IP data. This ensures that the data will not be available to
an unauthorized client and will not be altered en route. Authentication
techniques used are MD5 (Message Digest Algorithm 5) and SHA (Secure Hash
Algorithm).
Encapsulating Security Payload (ESP)
The ESP provides confidentiality. It can also provide integrity and
authentication, depending on the algorithm used. With the ESP in use, part of
the ESP header itself and all data is encrypted. Tunnel or transport modes are
available, with tunnel mode being the choice for remote access. Encryption
techniques used are DES (Data Encryption Standard), which uses 56-bit keys, and
Triple-DES or 3DES, which uses 168-bit keys.
Internet Key Exchange (IKE)
These are the management protocols that are used to negotiate the cryptographic
algorithm choices to be employed by the AH and ESP. The mechanisms used provide
for an extremely scalable solution. Keys are maintained, exchanged, and verified
using these protocols.
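As an added illustration of the AH element described above (example code written for this page, not from any IPSec implementation): a transport-mode AH header carrying an HMAC-SHA1-96 integrity check value, which is how the "SHA" authentication the text mentions is used in practice (RFC 2404). The receiver recomputes the ICV with the shared key, so any change to the protected bytes fails verification, while fields a router legitimately rewrites in transit (TTL, TOS, flags, checksum) are zeroed before hashing and do not. Addresses, SPI, key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits, as IPsec uses it


def ipv4_header(src: bytes, dst: bytes, ttl: int, total_len: int, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header (no options); protocol 51 = AH, checksum left to the stack."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields routers may change en route so the ICV survives the trip:
    TOS, flags/fragment offset, TTL and header checksum (RFC 4302 sec. 3.3.3.1.1.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """ICV = HMAC-SHA1 over (immutable IP header || AH header with ICV field zeroed || payload)."""
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes, next_hdr: int = 17) -> bytes:
    """Sender: IP header | AH (next header, payload len, reserved, SPI, sequence, ICV) | payload.
    Payload Len is the AH length in 32-bit words minus 2: (12 + 12 bytes) / 4 - 2 = 4."""
    ah_no_icv = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(key, ip_hdr, ah_no_icv, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the ICV with the shared key and compare in constant time."""
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_no_icv, payload))
```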
What Does All This Say?
For home and small business: The combination of SSID + MAC + WEP is most likely
an acceptable alternative for wireless security. That is, a deliberate attempt
to access the network is required. Our products utilize this level of security.
For medium and enterprise business: With centrally managed administration for a
large number of users and the ease of deployment and control, VPN is the best
choice for wireless security. That is, powerful methods are employed to ensure
that network access is strictly limited to users who can be authenticated and
that privacy of message traffic is ensured in the event of interception.