Bring the company closer together. Open satellite offices with greater ease. Cut major network costs. Take advantage of the availability and flexibility of DSL and cable modems. Expand and contract without binding Telco contracts. With VPN (Virtual Private Networking) technology, offices across the nation can be available for:
- Data Management
- Data Backup / Offsite Data redundancy
- Data transfer
What's a VPN? Virtual private networks are secured private network connections, built on top of publicly-accessible infrastructure, such as the Internet or the public telephone network. VPNs typically employ some combination of encryption, digital certificates, strong user authentication and access control to provide security to the traffic they carry. They usually provide connectivity to many machines behind a gateway or firewall.
You have multiple sites located around the country, perhaps worldwide. Maybe it's time you got them to network together. Or maybe they are networked through private means, such as leased lines. If you're aggressive about Internet access, your sites should already have connections. Have you given any thought to using the Internet connections you're already paying for?
DEBCO Tech can safely use the Internet to transmit sensitive data among your sites. We implement firewalls that support virtual private networks (VPNs) or a separate piece of VPN hardware to augment the security of a firewall. Each will encrypt data as it passes over the untrusted public Internet.
Platform: DEBCO Tech provides the proper tools. The benefits of a hardware-based solution compared to a software-based solution vary. Software-based solutions scale easily but often require expensive hardware. Checkpoint's Firewall-1, for example, which runs on SunSoft's SunOS or Solaris or Hewlett-Packard's HP-UX, sits atop the routing layer and checks every packet against a predefined rule set. Some may find that the size of the machine required grows over time. Therefore, machines like SPARCstations and Windows NT servers, which tend to scale easily and quite inexpensively, are the preferred choice.
Hardware solutions have several benefits as well. Out of the box, a hardware solution requires little physical setup: just plug it in, configure it and go. Most hardware solutions, like Netscreen and Sonicwall, provide software updates. Because these firewall/VPN hardware providers specialize in network security, their upgrades bring major peace of mind. By offering updates to the hardware, the latest hacks and cracks that get developed and discovered are thwarted. This is the one major benefit that hardware solutions have over software solutions. But if scalability is a major concern, go with the software solution.
DEBCO Tech investigates all aspects of the total security system, such as IP translation and proxying. We determine which firewall/VPN solutions are best able to support desired features in a good security policy.
Setup, Reasoning and Security: To design a secure, distributed network using the Internet as the WAN, every aspect of the network must be secure. First, and foremost, the local networks must be behind firewalls. Once firewalls are in place, adding secure links to other sites is as easy as enabling VPN encryption.
A firewall provides a private class of IP addresses which protects the network from break-ins. Address translation allows outsiders to access certain machines, such as Web, FTP or e-mail servers, but only to the hosts that are allowed by the company policies configured in the firewalls.
Two methods of IP translation can be used: IP hiding and one-to-one mapping. With IP hiding, machines behind the firewall can "talk" to the Internet using the firewall's IP address. With one-to-one mapping, outside hosts on the Internet can directly access the addresses of certain machines within the organization.
Using address-translation and hiding techniques, everyone located behind the firewall can use the Internet, while access from the Internet is allowed only to specific machines. Machines that access the Internet via IP hiding can only initiate sessions, such as Web browsing or e-mail reading; they cannot be reached from outside. One-to-one mappings, however, can be addressed from outside the firewall.
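As an added illustration of the IP-hiding and one-to-one mapping behaviour described above (example code written for this page, not from DEBCO Tech or any firewall product), the following Python model translates packets leaving the site and decides which packets arriving from the Internet are let through; the addresses, the mapped host and the allowed-port policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample addressing for illustration (assumptions, not from the page).
FIREWALL_PUBLIC = ip_address("203.0.113.1")          # address hidden hosts appear as
INSIDE_NET = ip_network("10.0.0.0/24")               # private addresses behind the firewall
# One-to-one mappings: public address -> internal host reachable from the Internet.
ONE_TO_ONE = {ip_address("203.0.113.10"): ip_address("10.0.0.10")}   # e.g. the Web server
# Company policy: services each mapped host may receive from outside.
ALLOWED_INBOUND = {ip_address("10.0.0.10"): {80, 443}}

@dataclass
class Firewall:
    # Conversations started from inside, keyed by the reply tuple the Internet will send.
    # (Assumes each hidden host uses distinct source ports; a real firewall reassigns them.)
    sessions: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the site. Hidden hosts are rewritten to the firewall's
        address (IP hiding); one-to-one mapped hosts keep their own public address.
        Returns the translated (src, sport, dst, dport) or None to drop."""
        src, dst = ip_address(src), ip_address(dst)
        if src not in INSIDE_NET:
            return None                      # not one of ours: drop
        public = next((p for p, i in ONE_TO_ONE.items() if i == src), FIREWALL_PUBLIC)
        self.sessions[(dst, dport, public, sport)] = (src, sport)   # remember for replies
        return (str(public), sport, str(dst), dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving from the Internet. Replies to sessions opened from
        inside are translated back; unsolicited traffic is accepted only for
        one-to-one mapped hosts on policy-allowed ports. Returns the internal
        (src, sport, dst, dport) or None to drop."""
        src, dst = ip_address(src), ip_address(dst)
        reply = self.sessions.get((src, sport, dst, dport))
        if reply:
            return (str(src), sport, str(reply[0]), reply[1])
        internal = ONE_TO_ONE.get(dst)
        if internal and dport in ALLOWED_INBOUND.get(internal, set()):
            return (str(src), sport, str(internal), dport)
        return None                          # hidden host, or service not in policy: drop
```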
Once the basic site security is in place, connections to other locations across the Internet via a private VPN path can be implemented.
Private Paths: Once the security issues are understood, the implementation of virtual private networks should be fairly simple. A VPN-enabled firewall, usually acting as the Internet gateway as well, determines where traffic is headed and encrypts data destined for certain sites. Using a simple rule set, IP conversations are encrypted end to end and decrypted by a VPN counterpart at the other end.
Most VPN-capable firewall products, including Netscreen and Firewall-1, offer an easy setup that usually is not much more complicated than a few point-and-click commands. Each site is told which destinations are to be encrypted and from which sources it should accept and decrypt data. Once those steps are complete, every time certain criteria are met, the VPN-enabled firewall negotiates an encrypted session.
Session encryption is not performed with smoke and mirrors. Though it is completely transparent to the end user, VPN-enabled firewalls cannot simply encrypt data and assume that the other end can decrypt it. There are two methods for encryption: shared key and public key. With shared-key technology, both ends use the same key, which travels with the data, for encryption and decoding. However, with this method both ends must agree on the key, and it must not be intercepted by an outside party.
To avoid these problems, public-key cryptography was invented. With this method, each end generates a matched public- and private-key pair. The public key can be given to anyone. Data that is encrypted with that public key can only be decrypted by a matching private key. The problem becomes keeping the private key safe (which is not too difficult) and ensuring that the person who gave you the key is not an imposter.
If a network is located completely within an organization, a key server can be set up, possibly using the X.509 standard. Then, all public keys can be archived in a single secure location for all to use. In addition, using an X.509 certificate server will allow for digital signatures, which ensure that the data is not touched in transit.
Out of Band Management: As part of a VPN installation, DEBCO Tech considers adding out-of-band access to the VPN/firewall system. We find that simple errors in system configuration can lock one out. A simple modem will allow dial-in access to load a different rule set instead of requiring one to travel to a remote site for the fix.
Other Issues: Most VPN-capable firewall vendors believe that the hardware won't be a limiting factor, but in some cases it is. They may quote numbers related to encrypted throughput at full wire speed, but that isn't the only factor that should cause concern. VPN-enabled firewalls require a lot of RAM and a fast CPU to handle all the session data related to IP translation, not to mention encryption cycles.
Obviously, the machine chosen for any VPN and firewall will depend on the traffic generated.
Factors to consider:
- Will there be multiple sessions open at once (Web browsing)?
- How many encrypted sessions will be open at the same time?
- How many machines will have IP translation?
Although DEBCO Tech has no hard and fast rules, we can make some recommendations. If scalability is an area of concern, pick a machine that can scale well. SPARCstations and Windows NT servers with Firewall-1 tend to scale easily. If manageability and functionality are the areas of concern, Netscreen and Sonicwall offer a great fit.
RAM becomes an issue when there are many sessions open at once. Every session requires a certain amount of RAM and CPU time to maintain the information necessary to keep address translation (or encryption) going. Most Web browsers will download approximately four elements (such as graphic images) at a time. This means that each user may have as many as four sessions to be maintained.
In addition, CPU time is eaten up quickly when encrypted paths are used. Most VPN-enabled firewalls can maintain a wire-speed encryption stream; adding streams, such as Web browsing, can change resource requirements. Each of those streams has a session key associated with it and an encryption and decryption engine as well.
Keep in mind that virtual private networks will not work in every scenario. And though the security is very good, the reliability of the underlying Internet cannot be guaranteed. Therefore, data will be safe, but it may not arrive in a timely fashion. When the quality of service needs to be guaranteed, private lines still are the best solution.
Copyright © 2010 Debco Tech, Ltd. All rights reserved. 20325 Budde Cemetery Rd., Houston, TX 77388 | 281-582-6565