A VPN provides a secure mode of electronic communications. E-mail and Web traffic are not secure. Anyone who “listens” to the data traffic moving over a connection can read what is being sent.
While many users may not consider their communications to be sensitive enough to be worried about, a growing number are choosing to take action. The VPN is their tool of choice. A VPN encrypts chunks of data before sending them out to their destination, where they are decrypted back into documents or files that the recipient can use.
As the Internet is the medium used to send the data, the network is not really private, but the encryption ensures that the data remain unreadable.
Variety pack
A private network consists of dedicated communications lines between two or more destinations. The benefit is that no other users have access to the network, offering great security. The major drawbacks are that it is extremely expensive and inflexible.
Secondly, the need for fixed connections means that offices or factories can be connected but traveling employees cannot be. To get around some of the cost and infrastructure issues of private networks, VPNs came into being.
There are three basic VPN set-ups from which to choose:
NETWORK-BASED TECHNOLOGY Point-to-Point requires installation of dedicated equipment at each location, such as an office or factory. IPSec, a security protocol designed to authenticate and encrypt data transmitted over the Internet, is one of the most popular features used for this type of VPN. Since data travel over the Internet, cost reductions over private networks can be realized.
CLIENT-BASED To give remote access to a traditional VPN, users need to install VPN client software on their computers. Users will usually then need to dial up to access secure network access points that connect them to the network. This requires installation and training for users. The software can also cause the user’s machine to perform slowly.
CLIENTLESS SECURE SOCKETS LAYER (SSL) VPN Users can access networks from any location that has a computer with a browser and an Internet connection. They do not need to download VPN client software on their computers; authentication will be done at the corporate server or main network. So, companies will still need to have hardware at the receiving end to manage access to the network.
Philip Goldie, product marketing manager for security and mobility solutions at Nortel Networks Asia Pacific, reported good growth in SSL VPNs. The advantages, he added, are the speed with which solutions can be implemented and the relative ease of use for the end-user.
Kenneth Liew, vice-president of Pacific Internet’s corporate business group, expressed a similar sentiment. The Singapore-based regional Internet Service Provider offers managed services for customers using both point-to-point VPNs and SSL VPNs. Supporting client-based VPN users often proves a headache for IT staff in many companies.
“They’re always faced with a lot of configuration problems. After the [VPN software] configuration has been installed, it may get disrupted [caused by installation of other software] and then their VPN client doesn’t work. It takes up a lot of time,” said Liew.
The lack of clients, said Goldie, allows companies to gain major benefits at little additional cost. For example, companies that may have equipped only a small portion of their workforce with mobile computers and VPN client software, due to the costs of hardware and support, can give SSL VPN access to many more users, allowing them to work from home using their personal machines.
Because SSL VPN access is configured on the server side, different employees can be given different levels of access to various functions based on their needs. All of this is transparent to the user.
Business partners, suppliers and key customers can even be given access to limited functions with minimum difficulty. Liew sees this as a major selling point. “The real advantage is that you don’t have to force your suppliers to use a certain type of VPN which complies to your company policies,” he said.
Easy ballgame
Nortel’s client, Unisys Australia, found that out when it was responsible for providing IT services for Rugby World Cup 2003 in Australia.
Unisys was responsible for ensuring that more than 10,000 accredited journalists had access to the event’s Web site, including real-time two-way data transfers. A further 2,000 remote journalists and news agencies were given access to an extended version of the site to facilitate their coverage of the event.
With so many users, as well as IT staff of the International Rugby Board and Web correspondents, the initial idea of providing client-based VPN access was quickly discarded.
Instead, SSL VPN access provided access without the need to distribute and support client software.
“It was one of the biggest value-add, and one of the quickest and easiest elements of the whole infrastructure to deploy,” said Goldie. SSL VPN could provide access to applications and file servers through various means, but Liew said this creates the potential for security problems.
With applications ranging from enterprise resource planning systems to customer relationship management suites offering Web-enabled components, the functionality of SSL VPN is growing.
Neither Goldie nor Liew believes SSL VPN will fully replace IPSec VPN. However, with start-up costs as low as US$10,000, the former provides flexible and secure communications while keeping support costs to a minimum.
Obviously, said Goldie, this filled a need in the marketplace. “To have come from the space of zero to hero in the space of two or three years in terms of real-user usage, that’s a significant testimony to the power of the solution,” he said.
IS IT REALLY SECURE?
VPN is the question: ‘Is it secure enough?’
The answer: Probably.
Kenneth Liew, vice president of Pacific Internet’s corporate business group, admitted that because it requires simply a Web gateway to work, the SSL VPN becomes vulnerable to risks such as the Denial of Service attack.
In such an attack, a machine is flooded by an overwhelming number of requests for data initiated by a malicious party. This jams up the site, preventing other users from accessing it.
“Since you’re using the Web site as the front-end, your site has to be seen on the public Internet. But once it is seen on the public Internet, anyone in the world can attack your Web site,” he said.
The actual security of your network, however, should remain intact as long as it is properly configured.
SSL is, as Philip Goldie of Nortel Networks pointed out, the standard used to provide security in most online banking and e-commerce activities.
No security is foolproof, which is why it pays to consult with suppliers and experts about your needs and decide on the appropriate balance of access and security.












