
Magistrate VPN

Table of Contents

Introduction
The Virtual Private Network
Magistrate VPN
Platform & Architecture
Installation
Configuration & Management
Magistrate in Use
Verdict

INTRODUCTION

More and more organisations are looking beyond the physical boundaries of their own sites in the quest to make the best business use of new technology.

Data communications between physically remote sites – perhaps for branch office to head office connectivity, or links between business partners – have become an essential part of modern business practice. In the past, such links have been forged using dedicated connections such as leased lines, but this approach – whilst certainly secure – can prove to be extremely expensive and inflexible. What if the sites are at opposite ends of the country, for example, or even on opposite sides of the globe? Imagine the costs involved in creating a dedicated network of such proportions.

If such links are heavily used, it may be cost-effective to take such an approach, but there are many organisations that may only require those connections for a couple of hours a day, leaving a lot of unused bandwidth lying idle for the rest of the time.

Lack of flexibility is another characteristic of private Wide Area Networks. Leased lines provide only fixed point-to-point network connections, which cannot be changed easily – certainly not without incurring additional cost. How, therefore, does one cope with network connections created to service transient business partnerships, which will no longer be required once the project is completed? And how does an organisation go about servicing its mobile users, each of which require a secure connection to the corporate network, but possibly from a different location every day?

Internetworking is becoming the technology platform for a growing range of business uses: secure access to global resources on the Internet and other public networks; secure remote access to the enterprise network for remote users and branch offices; and compartmentalisation of the internal network for enterprise-wide connectivity and security. To meet the rapidly evolving connectivity needs of today's networks, corporations require an integrated network security solution that is flexible and extensible enough to meet their requirements now and in the future.

Organisations with large populations of mobile workers also need to be able to provide flexible yet secure (preferably encrypted) remote access to business applications which are located behind firewalls. The same is true of any organisation wishing to implement electronic commerce systems, but the traditional firewall implementation is not designed to allow such free movement of traffic.

The Virtual Private Network

With the advent of the Internet, the opportunity has arisen to provide temporary links across the public network between companies and sites. Instead of creating a true private network with all its attendant costs and management issues, we can make use of the Internet to provide a Virtual Private Network (VPN).

Rather than maintaining an expensive point-to-point leased line, a company can connect each office or Local Area Network to a local Internet Service Provider (ISP) and route data through the Internet, thereby using shared, low-cost public bandwidth as the communications backbone.

VPNs are not limited in the number of LANs or nodes that can be included in the virtual WAN. For a company that has numerous sites to link, this can result in significant savings when compared to maintaining a network of leased lines.

This is technology that can be employed by companies of any size too. Not all companies require even as much as 64 Kbps for their Wide Area Network, and VPNs can be set up to work at speeds slower than is possible with leased lines. A small company or branch office can use standard analogue modems and cheap Internet accounts to create a worldwide private network.

Nor does a VPN need to be a permanent link. Dial-on-demand virtual networks can be created using analogue modems or ISDN for those sites that don’t require a full-time connection. When a user on the LAN needs to access the WAN, a modem or router automatically connects to a nearby ISP and starts sending data across the Internet.

VPN links can be set up with little effort and removed just as easily. In addition, client-to-server VPNs can be created on demand between remote user PCs and a firewall or VPN termination device at head office. This provides the means for roaming users to have access to corporate networks no matter where they may be located.

Implementing a secure VPN to connect remote PC users to the local network results in significant cost savings for businesses. A VPN reduces the number of modems and telephone lines required centrally to support dial-in networking, and dramatically decreases long distance charges since remote PC users would connect to their local ISP instead of dialling direct to head office.

Of course, with all this sensitive corporate data flying around the public network, security becomes a primary concern. Unprotected data sent across the public Internet is susceptible to being viewed, copied or modified by unintended individuals or organisations. Data can be tampered with en route and valuable systems can be sabotaged.

Both ends of the tunnel must ensure beyond any measure of doubt that they are communicating with a valid host or client at the remote end of the link. Once the link has been established, data travelling within the tunnel must be encrypted to ensure that no one who may be eavesdropping the conversation can gain access to the raw data.

The most important considerations for Internet security are:

Authentication – verifying that the parties on each end of the link are who they claim to be

Privacy – ensuring that transmitted content is not read or intercepted by unauthorised recipients

Integrity – verifying that the transmitted data is received in an unchanged state

The security risks involved in communicating over the Internet have deterred some enterprises from taking full advantage of Virtual Private Networks.

Doing business over the Internet — including transferring funds, obtaining and verifying credit information, selling and even delivering products — requires a reliable and effective security solution.

Current offerings in the VPN market place are more than capable of providing secure links between two locations. Some are only capable of establishing a link between two secure gateways, or firewalls, whilst others are designed to provide a client-server VPN, allowing individual remote and mobile users to establish secure links back to head office from their hotel room. High levels of authentication and encryption – using digital certificates and powerful encryption algorithms – ensure that sensitive corporate data remains private.

Magistrate VPN

If you were to try to classify Magistrate in the VPN market place, you would have to call it a client/server VPN, or an Application Gateway, though the flexible implementation model provided by the product allows it to take on more “traditional” VPN characteristics too.

As well as providing the usual tunnel termination capabilities at the edge of the corporate network, Magistrate can also provide secure communications from the client right through to the application server itself.

Whenever a system with the Magistrate client installed (known as a “snared host”) attempts to communicate with another snared host or server, Magistrate performs a secure handshake – transparently to the user – and all data subsequently exchanged between the two hosts is automatically encrypted.

Platform & Architecture

Running under all flavours of Windows – 9x, NT and 2000 – Magistrate consists of two components.

The VPN Client is installed on both client and server machines, inside and outside the firewall. It can operate either in point-to-point mode, or as a member of a VPN. In point-to-point mode, two systems with the VPN Client installed establish a secure connection by exchanging session keys during the initial secure handshake, and the security settings are specified on a per-client basis. When operating as part of a VPN group, the Magistrate Client will automatically apply the security policy assigned to that group by the administrator.

The second component is the VPN Administrator, which is installed on a single administrator workstation (and which also includes the Client component). The VPN Administrator provides the means to define VPN groups and apply security policies to those groups across the enterprise from a single, central location. Security policies are automatically distributed to all members of a VPN group, and are automatically applied the next time a VPN Client communicates with members of that group.

Installation

Installation of Magistrate is just about the easiest we have ever seen for a VPN product. Although it is possible to use point-to-point mode – effectively treating each Magistrate client as a “stand alone” machine in control of its own security policy – most organisations will undoubtedly make use of the VPN group capabilities.

When security policy is controlled centrally in this way, all that is required to install the client is to run SETUP.EXE – no further configuration is necessary, since security policy is downloaded and applied when the client is first invited to join a group, or the next time it attempts to communicate with another group member. There is no difference in either the client or the installation method between a server and an end-user PC.

Configuration & Management

Although installation of Magistrate is simplicity itself, configuration can be less than straightforward depending on how you want to use it.

We have already mentioned point-to-point and group modes, both of which allow two or more hosts to participate in a secure VPN, with all communications between them encrypted automatically. However, it will not always be possible – or desirable – to install the Magistrate client on every PC in the enterprise.

Perhaps, for instance, it is enough to ensure that only communications across the public network are secured, leaving all internal intranet communications in the clear. In this case, all that is necessary is to install Magistrate on a single PC at the edge of the network in either Gateway or Router mode (or both).

Figure 1 - Configuring the Security settings

A Gateway is a machine that accepts inbound secure connections from Magistrate clients for any number of machines on the network behind it. The data is then decrypted and sent in the clear across the internal network. A Router operates in the opposite direction, accepting connections in the clear from internal hosts, and then encrypting them in order to communicate securely with remote Magistrate hosts. It is possible for a single edge server to act as both Router and Gateway if required – this would allow Magistrate to behave as a typical tunnel termination edge device, providing a secure point-to-point link with a remote edge server to provide VPN services for all hosts on two separate networks.

Deciding on exactly which implementation is most appropriate for your needs can be quite difficult, but help is at hand in the excellent documentation. The Getting Started guide provides an overview of Magistrate, procedures for installing and testing, and a quick tour of the most commonly used features.

The Administrator’s Guide goes into much more detail on administration and configuration, and provides a number of excellent implementation examples.

Once you have decided on how to implement your VPN, however, configuration is straightforward thanks to the VPN Wizard. The Wizard steps through all the screens of the Administrator program necessary to create and configure a VPN group.

Figure 2 - The initial VPN Wizard screen

The Member screen allows the administrator to specify one or more additional hosts to participate in a particular VPN Group. Note that since the membership of a particular Group determines security policy, it is only possible for each host to be a member of one Group at a time. Once a host has been entered on the Member screen – either by name or IP address – an invitation is sent out to that host to join the VPN Group.

The new member can reject the invitation if they like, and you can elect to have them enter a one-time password, which should be distributed by some out-of-band method (e.g. in person or by letter) in order to identify both ends of the invitation communication. During the invitation process, Magistrate uses the RSA Cryptosystem to generate a 1024-bit public/private key pair. These key pairs are subsequently used in the secure handshake between two Magistrate hosts to securely exchange the DES session key between them.

The VPN Administrator program generates the public and private keys for the VPN Groups and distributes them to the Group’s member servers. The public/private keys for the Groups are stored in the registry of the VPN Administrator system in an encrypted format. Clients (non-members) generate their public/private key pair after each reboot.

VPN clients automatically store the public key (group name) of the member server after the initial secure handshake.

The administrator can export the member server’s public key (or Group public key) to a key file that users of client systems can import and store. A client “knows” a member server when it has the public key of that member. Export and out-of-band import of public keys provides protection against spoofing and man-in-the-middle attacks.

When a client connects to a “known” member server, it does not request the member’s public key. Instead, it sends a challenge (created by using the Group’s public key) to validate that the server is a member of the Group.

Once the members have been selected, the security policy can be defined. The first screen enables the administrator to specify the minimum level of encryption (both 168-bit Triple DES and 56-bit Single DES encryption strengths are available), whether to use a Gateway, whether to run as a Router, or whether to tunnel all data over port 509. By default, only the data portion of the packet is encrypted, with the headers remaining intact. In specifying that data should be tunnelled over port 509, the entire packet is encrypted and a new header generated.

Figure 3 - Setting protocol and authentication rules

Other options on the Security page allow the administrator to specify what happens when communicating with other hosts which do not have the Magistrate VPN client installed. If communication with non-snared hosts is allowed, the user will be permitted to communicate with any other host. If the remote host has the VPN client installed, then a secure communication is negotiated automatically. Should the remote host be non-snared, then communication continues in the clear.

It is also possible to specify that only communications with snared hosts will be allowed, which ensures that all communications are secured. If a Magistrate client attempts to connect to a non-snared host, the session is dropped immediately. This is the only time that an end user will ever be aware of Magistrate’s presence.

The next section of the security policy is controlled via the Rules screen, which enables the administrator to specify on a per-protocol basis which protocols are allowed over a Magistrate connection, and whether authentication is required for each protocol. Magistrate supports X.509v3 digital certificates, LDAP 2/3, Windows NT Domain, Novell NDS, SecureID, RADIUS, Kerberos, and various biometric devices as authentication agents. In fact, because Magistrate uses a plug-in architecture, any third-party user-based authentication device may be used.

The final screen determines which events are to be logged, and once a policy has been saved, it is applied to every member of that particular group the next time a member machine attempts a Magistrate connection. The policy distribution occurs automatically – there is no need for either the administrator or the client to take any further action.

Once a policy has been deployed, the administrator can monitor connections in real time via the monitor screen in the VPN Administrator program. Notable events are stored in the NT event logs according to which events were specified in the Event Log screen of the security policy.

Magistrate In Use

Once the VPN client has been installed, the only evidence is a small icon in the system tray which can be one of three colours. If it is grey, then the Magistrate client is running and connections are secured based on the policy set locally on the machine. This policy offers similar settings to the group policy set by the administrator, and can be modified locally by right-clicking on the Magistrate icon. Magistrate can also be disabled temporarily if required, in which case the icon will be coloured red.

Figure 4 - The Magistrate monitor window

If the icon is green, then the client is a member of a VPN Group, and the policy is controlled centrally. Right clicking on the icon allows the policy settings to be viewed, but all the options are greyed out preventing modification.

The Magistrate VPN client works transparently in the background as required. If the client PC is communicating with a non-snared host, then the client is not used and data travels in the clear. Unless, of course, communication with non-snared hosts is prohibited, in which case the connection is forcibly dropped by the client.

If communication is attempted with another snared host, then the VPN client automatically uses DES encryption to encrypt data travelling between them. The session key is dynamically generated during the secure handshake using the largest key size supported by both systems (set by the VPN Administrator).

During a handshake between a client and member server, the server generates the session key and sends it to the client using the public key of the client, enabling the client to use its own private key to decrypt the session key. Magistrate never stores a session key – it is always dynamically generated as needed.
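The handshake described in the key-management and session-key paragraphs above, as an added Go sketch that is not Magistrate's own code: a client that already "knows" the group public key (imported out of band) challenges the server before accepting a Triple DES session key wrapped under the client's own public key. The exact form of the challenge (a random nonce encrypted to the group public key that the server must return), the use of PKCS#1 v1.5 wrapping, and all type and function names are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"io"
)

// MemberServer holds the group's RSA private key, which only member servers receive.
type MemberServer struct{ groupPriv *rsa.PrivateKey }
// Client holds its own RSA key pair (regenerated at each reboot in Magistrate)
// and the group public key it imported out of band, making the server "known".
type Client struct {
	priv          *rsa.PrivateKey
	knownGroupPub *rsa.PublicKey
}
func NewMemberServer(groupPriv *rsa.PrivateKey) *MemberServer { return &MemberServer{groupPriv} }
func NewClient(knownGroupPub *rsa.PublicKey) (*Client, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // 1024-bit, the size the review quotes
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv, knownGroupPub: knownGroupPub}, nil
}
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}
// Handshake runs both sides of the exchange and returns the 168-bit Triple DES session
// key the client recovers. Nonce-based challenge is this example's assumption.
func Handshake(c *Client, s *MemberServer) ([]byte, error) {
	// 1. Client -> server: challenge. Only a holder of the group private key
	//    (a genuine member) can recover the nonce, so a rogue server fails here.
	nonce, err := randomBytes(16)
	if err != nil {
		return nil, err
	}
	challenge, err := rsa.EncryptPKCS1v15(rand.Reader, c.knownGroupPub, nonce)
	if err != nil {
		return nil, err
	}
	answer, err := rsa.DecryptPKCS1v15(nil, s.groupPriv, challenge) // server side
	if err != nil || !bytes.Equal(answer, nonce) {
		return nil, errors.New("server failed the group membership challenge")
	}
	// 2. Server -> client: a fresh session key wrapped under the client's public key.
	sessionKey, err := randomBytes(24)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, &c.priv.PublicKey, sessionKey)
	if err != nil {
		return nil, err
	}
	// 3. Client unwraps the key with its private key; it is used, never stored.
	return rsa.DecryptPKCS1v15(nil, c.priv, wrapped)
}
// SessionCipher turns the agreed key into the Triple DES block cipher both ends use.
func SessionCipher(key []byte) (cipher.Block, error) { return des.NewTripleDESCipher(key) }
```

A server presented without the group private key (a spoofed or man-in-the-middle host) cannot answer the challenge, which is the protection the out-of-band key import buys.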

Once a session has been established, all subsequent data is encrypted. Clicking on the Magistrate icon in the taskbar brings up a real-time monitor screen where encrypted connections are highlighted in red, whilst clear sessions (if allowed) are shown in grey.

The monitor window displays the type of encryption key used (DES-40, DES-56 or 3DES), the time the connection started, the protocol used, the port, the remote IP address, the number of kilobytes received and sent, the group name (if any) and the time the connection ended. This gives a positive indication to the user that his or her data is being secured whenever necessary.

Verdict

Magistrate is one of the most flexible – and yet simple – VPN products we have seen in our labs to date. Its only real shortcoming is a slight performance penalty due to all the cryptographic operations being performed in software. This necessitates a reasonably well-powered client in order to maintain throughput, though there is talk of supporting a cryptographic accelerator card in future releases. Some might also consider the lack of IPSEC support as a disadvantage, though in an all-Magistrate system – which would be the norm in most cases – this would obviously not be an issue.

These minor gripes aside, Magistrate is one of the few VPN products we have tested that provide true end-to-end security right from the client to the application server. Installation of the client does not force its use, thus allowing connections to non-snared hosts where needed. However, where security is paramount, it is also possible to lock the systems down to ensure that communication is only ever made between secured machines.

The simplicity of the installation and configuration also belies the flexibility and power of the product. The VPN Client can be installed on every machine in the organisation, or it can be installed as a router, a gateway or both in order to provide security at the edge of the network.

All in all, Magistrate is an excellent product and deserves the NSS Approved award.

Product: Magistrate VPN
Supplier:
Peapod Group (www.peapod.co.uk)
Phone: 020 8606 9990



Copyright © 1991-2005 The NSS Group Ltd.
All rights reserved.