INTRODUCTION
More and more organisations are looking beyond the physical boundaries of their own sites in the quest to make the best business use of new technology. Data communications between physically remote sites, perhaps for branch office to head office connectivity, or links between business partners, have become an essential part of modern business practice. In the past, such links have been forged using dedicated connections such as leased lines, but this approach, whilst it keeps traffic off shared public networks, can prove to be extremely expensive and inflexible. What if the sites are at opposite ends of the country, for example, or even on opposite sides of the globe? Imagine the costs involved in creating a dedicated network of such proportions. If such links are heavily used, it may be cost-effective to take such an approach, but many organisations only require those connections for a couple of hours a day, leaving a lot of bandwidth lying idle for the rest of the time. Lack of flexibility is another characteristic of private Wide Area Networks. Leased lines provide only fixed point-to-point connections, which cannot be changed easily, and certainly not without incurring additional cost. How, therefore, does one cope with network connections created to service transient business partnerships, which will no longer be required once the project is completed? And how does an organisation go about servicing its mobile users, each of whom requires a secure connection to the corporate network, but possibly from a different location every day? Internetworking is becoming the technology platform for a growing range of business uses: secure access to global resources on the Internet and other public networks; secure remote access to the enterprise network for remote users and branch offices; and compartmentalisation of the internal network for enterprise-wide connectivity and security.
To meet the rapidly evolving connectivity needs of today's networks, corporations require an integrated network security solution that is flexible and extensible enough to meet their requirements now and in the future. Organisations with large populations of mobile workers also need to be able to provide flexible yet secure (preferably encrypted) remote access to business applications which are located behind firewalls. The same is true of any organisation wishing to implement electronic commerce systems, but the traditional firewall implementation is not designed to allow such free movement of traffic.

The Virtual Private Network

With the advent of the Internet, the opportunity has arisen to provide temporary links across the public network between companies and sites. Instead of creating a true private network, with all its attendant costs and management issues, we can make use of the Internet to provide a Virtual Private Network (VPN). Rather than maintaining an expensive point-to-point leased line, a company can connect each office or Local Area Network to a local Internet Service Provider (ISP) and route data through the Internet, thereby using shared, low-cost public bandwidth as the communications backbone. VPNs are not limited in the number of LANs or nodes that can be included in the virtual WAN. For a company that has numerous sites to link, this can result in significant savings when compared to maintaining a network of leased lines. This is technology that can be employed by companies of any size too. Not all companies require even as much as 64 Kbps for their Wide Area Network, and VPNs can be set up to work at speeds slower than is possible with leased lines. A small company or branch office can use standard analogue modems and cheap Internet accounts to create a worldwide private network. Nor does a VPN need to be a permanent link.
Dial-on-demand virtual networks can be created using analogue modems or ISDN for those sites that don't require a full-time connection. When a user on the LAN needs to access the WAN, a modem or router automatically connects to a nearby ISP and starts sending data across the Internet. VPN links can be set up with little effort and removed just as easily. In addition, client-to-server VPNs can be created on demand between remote user PCs and a firewall or VPN termination device at head office. This provides the means for roaming users to have access to corporate networks no matter where they may be located. Implementing a secure VPN to connect remote PC users to the local network results in significant cost savings for businesses. A VPN reduces the number of modems and telephone lines required centrally to support dial-in networking, and dramatically decreases long-distance charges, since remote PC users connect to their local ISP instead of dialling direct to head office. Of course, with all this sensitive corporate data flying around the public network, security becomes a primary concern. Unprotected data sent across the public Internet is susceptible to being viewed, copied or modified by unintended individuals or organisations. Data can be tampered with en route and valuable systems can be sabotaged. Both ends of the tunnel must therefore authenticate each other, so that each can be certain it is communicating with a valid host or client at the remote end of the link. Once the link has been established, data travelling within the tunnel must be encrypted, so that no one eavesdropping on the conversation can gain access to the raw data.
The most important considerations for Internet security are:
Authentication: verifying that the parties on each end of the link are who they claim to be.
Privacy: ensuring that transmitted content is not read or intercepted by unauthorised recipients.
Integrity: verifying that the transmitted data is received in an unchanged state.
The security risks involved in communicating over the Internet have deterred some enterprises from taking full advantage of Virtual Private Networks. Doing business over the Internet, including transferring funds, obtaining and verifying credit information, selling and even delivering products, requires a reliable and effective security solution. Current offerings in the VPN market place are more than capable of providing secure links between two locations. Some are only capable of establishing a link between two secure gateways, or firewalls, whilst others are designed to provide a client-server VPN, allowing individual remote and mobile users to establish secure links back to head office from their hotel room. Strong authentication and encryption, using digital certificates and well-studied encryption algorithms, keep sensitive corporate data private.

IPSec

One very important standard for the VPN world is IPSec, which defines a set of protection services and protocols that provide for end-to-end security in a VPN, whether over the Internet or in a private network.

Traffic Security Protocols

IPSec defines extensions to the IP protocol in the form of two additional headers for IP packets. The Authentication Header (AH) verifies the authenticity of the packet's contents, providing authentication, integrity and anti-replay protection for the entire packet: both the data and the IP header, apart from header fields such as the TTL and checksum that legitimately change in transit. AH provides no confidentiality. The Encapsulating Security Payload (ESP) provides confidentiality by encrypting the packet payload before transmitting it.
An ESP packet consists of a control header (the Security Parameters Index and a sequence number), a data payload (the encrypted version of the user's original data), a trailer carrying the padding length and the type of the next header, and an optional authentication field, the Integrity Check Value (ICV), which provides authentication and replay detection when it is present. AH and ESP can be used with various authentication and encryption schemes, some of which are mandatory. For authentication the specification mandates HMAC-MD5 and HMAC-SHA-1: keyed constructions built on the MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1) hash functions, which compute a digest of the packet contents under a secret key shared by the two ends, a form of digital fingerprint. A plain hash would only detect accidental corruption; it is the secret key that stops an attacker recomputing the digest after altering the packet, so any modification en route is detected on receipt. Vendors are free to add other encryption and authentication algorithms. For encryption, DES (56-bit) and Triple DES (where the data is encrypted three times using two or three keys, for a nominal key length of 112 or 168 bits) are commonly used, and some vendors include other algorithms too, such as Blowfish, CAST, CDMF, IDEA and RC5. (Single DES and MD5 are no longer considered adequate; current deployments use AES for encryption and SHA-2 based HMACs for authentication.) AH and ESP can be used alone or in combination during an IPSec communication session. Both protocols depend on keys shared between the two ends: authentication keys for the ICV, and encryption keys for ESP. The difference between AH and ESP authentication is that AH authenticates the entire IP packet, including any tunnel header, while the ESP ICV covers only the ESP header, payload and trailer, not the outer IP header. This is acceptable when the original packet is encapsulated completely, as it is in tunnel mode, because the original header is then inside the protected payload. IPSec is policy-based, allowing the administrator to define different policies, each using different algorithms, for different tunnels. One example of how this can be used is to allow an administrator to enforce different levels of protection depending on whether the tunnel extends across the public network or is contained within a private network.

Key Exchange

IPSec allows both manual and automatic key exchange. However, in order to maintain scalability when used on a wide scale, automatic key exchange is recommended.
Automatic key exchange is defined by a number of Internet drafts, but the main framework is described by the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is designed to be key-exchange independent; that is, it is designed to support many different types of key exchange. A separate specification, Internet Key Exchange (IKE, since published as RFC 2409), defines the specific exchange used with IPSec: a Diffie-Hellman key agreement run under ISAKMP, in which the parties are authenticated by one of four distinct methods: authentication with pre-shared keys, authentication with digital signatures, and two methods of authentication using public key encryption. IKE also provides a facility for identifying different certificate authorities (CAs) and certificate types (e.g. X.509, PKCS #7, PGP, DNS SIG and KEY records), and for exchanging the certificates so identified.

Security Associations

A Security Association (SA) is the method IPSec uses to track a given communication session. An SA is one-way, so a conversation needs one in each direction, and each is identified by a Security Parameters Index (SPI) carried in the AH or ESP header. It defines how the communicating systems will use security services, including the traffic security protocol, the authentication algorithm, the encryption algorithm and the keys to be used. SAs also hold information on the data flow, the lifetime of the SA and the sequence numbering used to guard against replay attacks. IKE allows multiple policies to be defined with different configuration statements. SAs are then negotiated dynamically between two IPSec systems, which come to an agreement over which algorithms to use and which range of addresses, protocols and ports will be protected by the SA. A given SA can use ESP or AH, but not both. If a connection needs both protocols, it must establish two SAs for each direction (four for a bi-directional connection).

Tunnel and Transport Mode

Once an SA has been established, there are two possible modes of operation. In Tunnel Mode the entire original IP datagram (header and payload) is carried as the payload of a new IP packet addressed from one tunnel device to the other and, with ESP, encrypted.
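The ESP packet layout, the HMAC-based Integrity Check Value, the Security Association with its SPI and sequence number, and the tunnel and transport modes discussed above, worked through in Python as an added example (it is not code from the original article or from any IPSec product). It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 (RFC 2404) so that it runs on the standard library alone; that choice means the payload is not hidden, and only the packet format, the integrity check and the anti-replay window are demonstrated, not confidentiality. The key, the gateway and host addresses, and the inner datagram are constructed for the example, and the function and field names are this example's own.

```python
"""ESP (RFC 2406) in tunnel and transport mode, HMAC-SHA1-96 integrity (RFC 2404) and anti-replay.
NULL encryption (RFC 2410) keeps this to the standard library: the payload is visible on the wire, so
this shows packet format, integrity and replay handling, not confidentiality. All inputs are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
ICV_LEN = 12   # HMAC-SHA1-96: the 20-byte HMAC-SHA1 output truncated to 96 bits

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, TTL 64, ID 0) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                                  # one's-complement sum: fold the carries
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

@dataclass
class SecurityAssociation:          # one unidirectional SA, selected on the receiver by its SPI
    spi: int
    auth_key: bytes                 # in practice supplied by IKE; here a constructed test key
    seq: int = 0                    # sender: last sequence number sent (first packet is 1)
    window: int = 64                # receiver: anti-replay window width (RFC 2406 recommends 64)
    highest: int = 0                # receiver: highest sequence number accepted so far
    bitmap: int = 0                 # receiver: bit i set => sequence (highest - i) already accepted

def icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

def replay_check(sa, seq):
    """Sliding window of RFC 2401 Appendix C: accept seq once, reject replays and stale numbers."""
    if seq == 0:                                        # 0 is never sent; treat as invalid
        return False
    if seq > sa.highest:                                # beyond the right edge: slide the window
        shift = seq - sa.highest
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1) if shift < sa.window else 1
        sa.highest = seq
        return True
    offset = sa.highest - seq
    if offset >= sa.window or sa.bitmap & (1 << offset):  # fell off the left edge, or already seen
        return False
    sa.bitmap |= 1 << offset
    return True

def esp_encapsulate(sa, ip_packet, outer_src=None, outer_dst=None):
    """Tunnel mode when gateway addresses are given, transport mode otherwise; returns the wire packet."""
    tunnel, ihl = outer_src is not None, (ip_packet[0] & 0x0F) * 4
    # tunnel: the whole datagram (header included) is the payload; transport: only what follows the header
    next_header, payload = (IPPROTO_IPIP, ip_packet) if tunnel else (ip_packet[9], ip_packet[ihl:])
    sa.seq += 1
    pad_len = -(len(payload) + 2) % 4                   # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", sa.spi, sa.seq) + payload + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_header]))            # ESP header, payload, padding 1,2,3.., trailer
    esp = body + icv(sa, body)                          # ICV covers everything except the outer IP header
    src, dst = (outer_src, outer_dst) if tunnel else (ip_packet[12:16], ip_packet[16:20])
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def esp_decapsulate(sa, packet):
    """Check SPI, ICV and sequence number in that order, then strip ESP and restore the datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, tag = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("SPI %#x does not select this SA" % spi)
    if not hmac.compare_digest(icv(sa, body), tag):     # constant-time compare before trusting any field
        raise ValueError("ICV mismatch: packet modified in transit or forged")
    if not replay_check(sa, seq):                       # window is only updated after the ICV passed
        raise ValueError("replayed or stale sequence number %d" % seq)
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    if next_header == IPPROTO_IPIP:                     # tunnel mode: payload is the original datagram
        return payload
    return ipv4_header(packet[12:16], packet[16:20], next_header, len(payload)) + payload

def rejected(sa, packet, reason):
    """True if decapsulation fails and the error message starts with `reason`."""
    try:
        esp_decapsulate(sa, packet)
        return False
    except ValueError as e:
        return str(e).startswith(reason)

def demo():
    """Round-trip both modes and exercise the tamper and replay checks; returns pass/fail flags."""
    key = b"constructed example key - never reuse"
    inner = ipv4_header(bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]), IPPROTO_UDP, 5) + b"hello"
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 7])   # the two tunnel devices
    out_sa, in_sa = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    wire = esp_encapsulate(out_sa, inner, gw_a, gw_b)
    flags = {"tunnel_roundtrip": esp_decapsulate(in_sa, wire) == inner,
             "tunnel_outer_is_gateways": wire[12:20] == gw_a + gw_b}
    flags["replay_rejected"] = rejected(in_sa, wire, "replayed")    # the same packet a second time
    tampered = bytearray(wire)
    tampered[20 + 8 + 20] ^= 0x01                                   # flip one bit in "hello"
    flags["tamper_detected"] = rejected(SecurityAssociation(0x1000, key), bytes(tampered), "ICV")
    t_out, t_in = SecurityAssociation(0x2000, key), SecurityAssociation(0x2000, key)
    wire_t = esp_encapsulate(t_out, inner)
    flags["transport_roundtrip"] = esp_decapsulate(t_in, wire_t) == inner
    flags["transport_shows_hosts"] = wire_t[12:20] == inner[12:20]
    return flags
```

demo() returns a set of pass/fail flags: a tunnel-mode packet round-trips to the original datagram while carrying only the gateway addresses in its outer header, a second copy of the same packet is refused as a replay, a packet with one bit flipped fails the ICV, and a transport-mode packet round-trips but leaves the hosts' own addresses visible, which is the difference in exposure between the two modes. Two details matter on the receiving side: the ICV is compared in constant time before any other field of the packet is trusted, and the sequence number is entered into the window only after the ICV has passed, so a forged packet cannot advance the window and cause genuine traffic to be discarded. Because this uses the NULL cipher, the inner header is still readable later in the packet; a real SA would negotiate a cipher such as 3DES or AES for the payload, and the keys would come from IKE rather than a constant.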
The receiving device verifies and decrypts the packet and forwards the original datagram to the destination host. The advantage of this is that no changes are required to end systems in order to take advantage of IPSec security. Another advantage is that encapsulating the original IP header reduces the opportunity for traffic analysis on the wire, since the original source and destination addresses are hidden: an observer sees only the addresses of the two tunnel devices. Transport mode, on the other hand, is used between hosts which themselves implement IPSec. It protects only the data portion (payload) of each IP packet and leaves the IP header in clear, apart from the protocol field, which is changed to indicate that AH or ESP follows. When a host runs ESP or AH, the payload field is the data that normally follows the IP header (for example, a TCP or UDP header followed by user data). Transport mode therefore offers less protection than tunnel mode, since it does not conceal the addressing information in the IP header. Unfortunately, flexibility in the standard can result in interoperability problems, making life extremely difficult for the prospective VPN user. There is supposed to be a lowest common denominator which will ensure that any truly IPSec-compliant products can communicate with each other, but at the time of writing independent IPSec certification is the only way prospective purchasers can be certain that products from different vendors will interoperate successfully.

Summary

In the last couple of years we have seen a great deal of press coverage devoted to Internet security, or rather the lack of it. This makes people wary of losses through electronic crime and credit card fraud, resulting in confusion and worry for those businesses who would otherwise be interested in, and reap a huge benefit from, the adoption of electronic commerce. It is important to put these things into perspective, however. There have always been impediments to business, whether it be highwaymen, shipwrecks, pirates, bank robbers or white-collar fraudsters.
Each new innovation brings a new risk, yet whatever the risk, the business community must learn to adapt, minimise and, at worst, insure against that risk. At the end of the day, moving the computing platform from a traditional in-house model to the apparently insecure model of the Internet does not significantly increase or decrease the overall risk; we simply get a new breed of pirate. Firewalls and VPNs are the means by which we can repel boarders as we move forward into the world of electronic commerce and communications.