Remote Access Security
Remote-access security is a priority. Here's how to find the system that works for any situation and any budget.
August 27, 2004
For performance and security reasons, large organizations with many simultaneous remote users should consider specialized hardware to terminate the VPN at the enterprise. These options are available as additional software for an existing firewall to dedicated VPN concentrators, and are priced from the low hundreds to tens of thousands of dollars. Regardless of the VPN technology you choose, you'll need to determine user demand to decide if the extra hardware expense is necessary.
There are several varieties of VPN protocols -- IPsec, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and SSL. Each can be the most affordable choice in a given situation.
IPsec, a Layer 3 protocol, is used as an encryption method (in conjunction with PPTP or L2TP) and as the VPN protocol. IPsec is often used to create VPNs between offices. Many VPN concentrators and firewalls, including those from Cisco Systems, Check Point Software Technologies, Microsoft, NetScreen Technologies (acquired by Juniper Networks in April), SonicWall, Symantec and WatchGuard Technologies, support IPsec as a terminated VPN method.
needs vs. wantsBasic Features to Look For: • Compatibility with your protocols• Minimal network reconfiguration• Adequate security Nice to Have If You Can Afford Them:• Seamless application integration• Multiple encryption schemes• Integration with policy-enforcement frameworks |
Because IPsec is built into later versions of Windows 2000 and beyond, and included in devices such as those listed above, it can be an affordable option for securing remote access--even when you consider firewalls that require the purchase of additional software for full IPsec support.
IPsec uses stronger encryption than PPTP or L2TP, which is why it's favored by many professionals, but PPTP provides a VPN that may be good enough for your needs at a lower overall cost in most situations.
A PPTP client is included in current Windows versions, and the protocol makes few demands on network bandwidth. These two facts make PPTP an affordable option for those who don't have specific (hardware-generated) requirements for other VPN protocols. PPTP clients are also available for Linux and Macintosh; it's relatively easy for both admins and users to use; and it natively supports multiple Layer 3 protocols.
L2TP, a standards-track (IETF RFC 2661) Layer 2 protocol, builds on a Cisco routing protocol. Some parts were built off L2F, an encapsulation protocol. To build a VPN tunnel that provides an authenticated connection along with frame correction, L2TP uses digital certificates for authentication and requires additional protocols (such as IPsec) for encrypting traffic.An L2TP client is standard in current Windows versions. It can build tunnels across networks other than IP, so frame relay or ATM links can be included in a standard security plan. L2TP's flexibility makes it an affordable option for larger organizations with multiple network and link technologies in use, since the IT staff must learn to deploy and support only a single VPN protocol.
Special Issue:Affordable IT • Introduction • Desktop Management• Desktop Security• Patch Management• Protocol Analyzers• Network Monitoring • Network Configuration• Storage• Whiteboxes & Used Gear • All-In-One Gateways• Mobile & Wireless• E-Mail• Web Servers |
SSL operates at Layer 5 of the OSI model (versus Layer 2 or Layer 3 for the other VPN protocols), so it typically provides access at a different level--to specific applications rather than an entire network segment, for example. SSL is not simply a protocol-specific technology--an SSL VPN can tunnel non-HTTP traffic using a downloadable host agent to redirect non-HTTP traffic over the SSL tunnel. SSL typically uses digital certificates for authentication, and that cost and overhead should be figured in unless you're using Microsoft's free Certificate Authority to issue certificates.
From a client-side perspective, SSL is an affordable method because a Web browser is all that is usually required--you'll need to run software only on devices that don't have a browser installed, such as some handhelds.Server-side termination costs are higher with SSL than with the other major VPN protocols, however. The number of simultaneous SSL VPN users must be factored in when determining the affordability of this method, as SSL carries a relatively heavy processing load for any device that terminates at the tunnel--the greater the number of users, the heavier the load.
Gotchas • Security policies often deny access or break applications in the early phases of deployment--test extensively, and plan for some hiccups. • If dial-up access is part of the scheme, watch telecom costs, even if your partner has lots of PoPs; toll calls from hotel rooms get expensive in a hurry. • When a service-level agreement is in place, how long does the partner have to fix things when they go awry?• When policy enforcement is part of the total service, how obtrusive is it for your users? And how easy would it be for users to work around the policies? |
Low-cost SSL add-ons exist but may not provide enough processing power to prevent endpoint devices, such as firewalls and routers, from being overwhelmed. Look to vendors such as Cisco that include SSL VPN capabilities in their VPN concentrators, firewalls and other end-point equipment.
Equipment designed specifically to ease the SSL-termination burden, such as Symantec's Clientless VPN Gateway and SonicWall's SSL-R, carries a purchase price that looks high, but this type of gear can handle the high computational demands of SSL for a large number of users without causing network delays.
Remote File Access
Once a secure remote connection has been established, you need to figure out ways to allow access to files stored on various servers. If you use a variety of OSs, a you'll also need a network file-sharing program.Open-source Samba provides authenticated access to or from a wide variety of OSs, including Windows, Linux, Unix and Macintosh, and can be implemented as part of a deployment along with a VPN and an authentication system to create a solid remote file-system access package.
There's no need to use Samba if you're a Windows shop. If you're using an IPsec or PPTP VPN, you may not need to buy any applications for file sharing. You simply configure the hosts to talk to a WINS server or modify the relevant LMHOSTS file appropriately. Similarly, Novell NetWare handles file-sharing duties without the need for Samba.
Outsourcing
A growing number of ISPs and security vendors are offering VPN-termination services as part of a total managed-security package. These systems are typically based on a combination of proprietary and open systems and carry a relatively low initial purchase price and ongoing annual subscription fees.
Many of the managed systems bundle numerous security aspects, including authentication, authorization, policy enforcement (of client firewall and antivirus protection, for example) and VPN encryption, along with basic connectivity through dial-up or broadband Internet access. Hence, they may be very affordable for companies with a large number of workers who access the enterprise network from many different types of locations. An outsourcing company that handles all the details for the various connection types will save considerable staff time compared with developing multiple policy implementations. You can save significant time and money by handing over the management of remote access to a third party with the expertise and infrastructure in the junction of telephony and networking. One growing area of remote-access outsourcing is in providing a single login experience at any number of remote 802.11b hotspot locations. From here, users must adhere to security policies--antivirus, VPN, firewall, authentication--before the connection is confirmed and completed. The upside is that, in a functional area that requires successful initiation and operation of many components and services, someone else is responsible for keeping it all working properly. The downside is that the "someone else" introduces another layer of potential failure in an already complex transaction environment. For many companies, though, the expertise and service-level agreements of an outsourcing partner make the financial arrangement attractive, regardless of the precise numbers involved.For remote access, outsourcing is an affordable option, whether you choose to work with a partner for all remote-access functions, select functions, or only some locations of remote network access. Here are some points to consider:
Reliability: What is the guaranteed turnaround time on trouble tickets? How many local PoPs are in place for the particular access method(s)?
FeaturesClick to Enlarge
Costs: What are the start-up, shutdown and monthly recurring costs? Are there early-termination penalties? Are there per hour/time and material costs for repairs?
References: Who is using your service locally? Nationally?
Management: What distributed control is available? Where is the authentication database stored? Who owns the data in the authentication and authorization database? Do you have direct access to log and reporting files, or do you get a standard report at predetermined intervals?
Web Links
"Secure Shell: Building a Safer Tunnel"
Before you start talking about securing access, you must decide to provide access. Most organizations let users dial in through a standard POTS connecting to a Microsoft RAS (remote access service) server or use a remote Internet connection that reaches the enterprise through an ISP.Additionally, many large organizations partner with an ISP, since large banks of modems and a large RAS server are expensive. For many smaller organizations, however, RAS may be the most affordable choice.
A RAS server and communications client software are built into current versions of Windows and easily work with most network authentication and authorization schemes, so they don't require the extensive installation and integration processes of some VPN technologies.
If you are a Windows shop but choose not to use the Microsoft RAS software, open-source RAS is available in full-featured router software like Freesco, developed and supported by the Freesco team.
Although RAS deployment is simple, some companies prefer to tie dial-up connectivity into an application, rather than have it treated as a separate process by users and software. For these companies, software libraries provide the capabilities they need, though they carry the obvious costs of development and debugging efforts. You can get RAS software for custom programs as well as through libraries such as iPro, which supports Borland compilers, and jRAS32 if you develop software in Java.
If you've implemented a RADIUS server for authentication and access control, establishing RADIUS services is your most cost-effective option. And after you install a RAS server, you can link the RADIUS database to other security functions.0
You May Also Like