VPN: Light at the End of the Tunnel

WASHINGTON (07/05/2000) - The modem rack, once a staple of every department and agency server room, is heading for extinction. Now that virtually every remote worker can reach the Internet, direct dial-up access - with the support hassles, long-distance charges, busy signals, modem hang ups and line-quality problems that plague it - is giving way to virtual private networks (VPNs).

Security concerns, of course, have made many agencies and departments skeptical of VPNs. After all, virtual private networks couldn't be as secure as truly private networks, could they? And news reports of high-profile Internet break-ins, most recently at America Online Inc. (AOL), seem to emphasize that point. If AOL, with all of its intellectual and financial resources, can't keep intruders away from its private data, who can?

Such security concerns are well- founded, because any socket to the outside world creates the potential for hacking. But this was true of dial-up remote access, too. And with recent advances in security technology, VPNs are arguably more secure than a modem line. It is, in short, time to reconsider adopting a VPN solution.

And there are obvious benefits for agencies and departments. Moving from modems to VPNs will have a slimming effect on your department's equipment rack. If your network supports 10 simultaneous dial-up users, you have 10 modems and 10 data lines. One VPN server or VPN-enabled router can replace that entire bank of modems.

VPNs further reduce costs by cutting the number of data lines coming into your facility. That will reduce your monthly phone bill, and your bean counters will bless you for eliminating long-distance charges incurred by your dial-up users.

A Snapshot: Three VPN Servers

Implementing a VPN starts with the selection of a server. To illustrate the most common VPN server types, I tested three representative products: Network Associates Inc.'s Gauntlet Firewall/VPN 5.5, the VPN services built into Microsoft Corp.'s Windows 2000 Server and the VPN capabilities of Lucent Technologies Inc.'s Pipeline routers. Because two of the servers are implemented in software, let's first consider some planning issues related to software VPNs.

You may be able to install VPN software on an existing server that's being used as a basic router, gateway or proxy server. But if that server is also handling your firewall, it could be running at its capacity. Active firewalls that examine the contents of every network packet work particularly hard. If you add the burden of VPN to that mix, you might degrade performance for all users.

You may also need to increase the bandwidth of your network. After you switch to a VPN, some dial-up modem users will connect to your network via broadband carriers, causing your server load to skyrocket. Just one cable modem or Digital Subscriber Line user can occupy the equivalent bandwidth of nearly 100 modem users. If you don't make room for broadband users in your capacity planning, your remote strategy could fail for poor performance. You don't want to leave VPN users longing for their old direct-dial modem connections.

Gauntlet Firewall/VPN 5.5

Version 5.5 of Network Associates' Gauntlet Firewall/VPN solution for Unix and Microsoft Windows NT provides firewall, proxy, McAfee enterprise virus protection and Layer 2 Tunneling Protocol (L2TP) over IPSec VPN services in one package. Since all the components come from the same vendor, they move network data efficiently through the processing pipeline.

Considering its capabilities, Gauntlet's system requirements are minuscule.

Network Associates recommends a Pentium 233 with 128M of RAM. I tested Gauntlet on a Windows NT Server 4.0 system. Basic installation is quick and more or less automated. The best feature of the installation process is the thorough system check that Gauntlet performs before it starts copying files. The installer identifies conditions that could compromise Gauntlet's effectiveness or performance.

A single administrative console manages all of Gauntlet's features - and Gauntlet is loaded with features. Fortunately, it defaults to a fully locked-down configuration. Any feature you don't configure immediately is effectively disabled.

Getting Gauntlet's VPN server running is among its simpler configuration tasks, but it still takes considerable time and knowledge. Before you install Gauntlet, you'll need to register your VPN server with a public-key infrastructure certificate authority such as Verisign Inc. or Entrust Technologies. If you run your own certificate authority, Gauntlet will use your internally generated certificate to authenticate your new VPN server.

The administrator has fine control over VPN encryption and authentication parameters. The online documentation offers some guidance in choosing security settings, but it would be nice to see templates, wizards or even simple defaults that ease configuration. The absence of context-sensitive help slows the process considerably.

Gauntlet appeals most to those who value a rich array of features over ease of configuration and administration. It is a total solution, including virtually everything you need to create a secure, bidirectional gateway to the Internet using affordable hardware. Given its complexity, you should budget for training and installation consulting before you implement Gauntlet Firewall/VPN 5.5.

Windows 2000 Server

In a recent press release, Microsoft stated that in an independently verified test, an Intel Corp.-based server with four CPUs and 1G of RAM ran 5,000 simultaneous VPN sessions. Considering the cost of stand-alone VPN servers capable of handling that kind of volume, Microsoft's approach to VPN seems worth considering - even for non-Windows shops - on the basis of cost alone.

Windows 2000 Server and Advanced Server are billed as do-everything network servers: file/print, Web, applications, databases, objects - you name it.

However, turning a Windows 2000 system into a workable VPN server requires us to throw out most of the features listed on the side of the Windows 2000 box.

This seems wasteful until you compare the cost of Windows 2000 Server (about $1,000) with VPN solutions such as Gauntlet Firewall/VPN (starting at about $2,000 per year).

Windows 2000's VPN services are nowhere near as configurable as Gauntlet's, although Microsoft balances the scales with a much simpler administrative interface. You'll also find that Windows 2000 is equipped with services that support VPN, including a remote authentication dial-in server and an X.509 certificate authority.

With the upcoming release of its Internet Security and Acceleration (ISA) server, Microsoft plans to round out Windows 2000's suite of services with Internet caching and a firewall. The company's goal is to make it possible for one (albeit beefy) PC server to handle all Internet gateway duties for a sizable enterprise.

Administrators familiar with VPN services under Windows NT 4.0 will recognize the Windows 2000 approach. The first step is to activate Windows 2000's optional (but included) routing and remote access service (RRAS).

Windows 2000 also includes a Dynamic Host Configuration Protocol (DHCP) server that pushes dynamic IP addresses and other network settings to client systems.

VPN benefits from DHCP when it is available - VPN clients are much easier to configure using DHCP - but the RRAS wizard understands that you might not have configured DHCP prior to activating VPN. RRAS contains its own limited DHCP server expressly for simplicity. If you only need DHCP for VPN and dial-up users, RRAS will automatically configure and use its built-in DHCP server.

After the RRAS setup wizard is completed, the server is ready to accept VPN connections. Tuning RRAS for maximum security requires digging through a maze of dialog boxes to enable certificates and disable backward-compatible weak authentication. This process takes longer than it should, thanks in part to the administrative interface's avoidance of potentially unfamiliar terminology. If you understand network terminology and know how VPN works, you'll find Microsoft's gentler jargon more frustrating than helpful. IPSec encryption is part of Windows 2000's core network services and has its own administrative interface. The RRAS console fails to alert you if IPSec is disabled (which is the default). As a result, VPN clients may make L2TP connections believing IPSec encryption is in place, when in fact the tunneled data is not encrypted.

Windows 2000's lower cost and quick setup make it a good choice for small groups. It is even better if you plan to use that Windows 2000 server in other ways. Gauntlet is a more significant investment - training is a must - but its greater configurability and broad standards support makes it suitable for large and changeable organizations.

Lucent SecureConnect and VPN Gateway

For hardware-based VPN, we looked at Lucent Technologies' Pipeline series routers and its VPN Gateway line of stand-alone server appliances. Pipeline routers - a product line Lucent picked up when it acquired Ascend - originally offered firewall and IP security software (under the product name SecureConnect) as an option. With its latest round of firmware upgrades, Lucent now supplies SecureConnect free of charge for all Pipeline devices from the model 50 Integrated Services Digital Network router up.

Lucent's new SecureConnect firmware equips Pipeline routers with IPSec encryption (40 bits standard; triple Data Encryption Standard [3DES] optional), X.509 certificate support, network address translation (for sharing one Internet account across a LAN) and firewall security. That's a slew of features for such a little box, so it's understandable that the encryption support is limited on the smaller Pipeline models. They simply don't have the processing power to manage 3DES encryption for multiple VPN connections. Pipeline routers, like most others, use a command-line interface for configuration. For convenience, Lucent supplies a Java-based configuration console called SecureConnect Manager (SCM), which runs on any Java-capable PC or work- station that shares a network with Pipeline.

To squeeze SecureConnect's impressive capabilities into Pipeline's tiny Flash ROM, Lucent eliminated the configurability common to other VPN implementations.

After enduring the endless fiddling required to set up Gauntlet and Windows 2000 VPN, SecureConnect's comparatively cut-and-dried approach is a blessing.

When you enable VPN by creating a new tunnel in SCM, it is configured for IPSec and L2TP. Period.

Having IPSec and VPN built into your router presents a relatively bulletproof alternative to server-based solutions. With no moving parts - most Pipeline models don't even have a cooling fan - there is nothing to wear out. The device's entire configuration, firewall rules and all, fits in non-volatile RAM and can be downloaded in a single file. If the device fails, just replace it with a new unit and upload its configuration file. You're back in business. The primary shortcoming of router-based VPN is scalability. A low-power embedded microprocessor is no match for the four-CPU workhorse Microsoft used to rack up 5,000 simultaneous connections. Some routers offload the encryption, the most demanding component of VPN, to dedicated hardware.

Lucent uses encryption accelerators in its scalable VPN Gateway product line.

These gateways are full-featured firewall/VPN servers packaged in convenient, integrated PCs. Bridging the gap between router firmware VPNs and user-configured servers, Lucent's VPN Gateway systems promise ready-to-run solutions. With its VPN Gateway 80 slated to sell for less than $5,000, Lucent hopes to lure prospects away from server-based VPN.

The VPN Outlook

With remote workers, branch offices, off-site conferences and traveling staff, VPN is a necessity for many organizations and agencies. It is a simple technology to describe, but it can also be tricky to configure properly.

Integrated and embedded servers seem poised for the most rapid growth. As faster low-power microprocessors appear, vendors will build VPN and other network services into smaller and smaller cabinets. I anticipate Lucent VPN Gateway-class servers that operate entirely in solid state, using Flash memory instead of hard drives. Embedded Linux and Windows CE 3.0 are ideally suited to such appliances. We need only wait for the hardware to catch up.

For now, your best VPN choice is determined by the factors most important to you. If you need VPN running by tomorrow morning and you have a relatively limited number of connections to support, choose hardware. You may find that your current router's firmware can be upgraded with VPN capabilities. If not, stand-alone VPN devices such as the Lucent VPN Gateway set up quickly and more or less look after themselves, just as you would expect a black box to do.

In the realm of software VPN, Windows 2000 Server is unique among network operating systems because it includes a capable VPN server. It is short on flexibility, but it's extremely affordable, relatively easy to manage and runs on inexpensive PC systems. The ultimate, super-configurable, cross-platform solution, Network Associates' Gauntlet Firewall/VPN, covers all the major standards and is sublimely reconfigurable. Combination firewall/VPN solutions in Gauntlet's class are incredibly complex, but if you expect your needs to grow significantly in the next couple of years, the investment in time and capital is worth it.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about America OnlineAOLAscendBlack Box Network ServicesEntrustEntrust TechnologiesGatewayINSIntelLucentLucent TechnologiesMcAfee AustraliaMicrosoftVeriSign Australia

Show Comments