Labs Answers VPN Questions

Protocol security, open-source options are top of mind.

Ziff Davis Media Inc.'s Aug. 19 eSeminar, "Making sense of VPN challenges," revealed high levels of concern among the several hundred attendees in areas such as justifying virtual private network costs and choosing among various technical options. This event continued, in a sense, the VPN discussion that began during our April 16 eSeminar, "VPN strategies."

One new topic during the Aug. 19 presentation was the state of the art in open-source VPN implementations, which generated considerable interest among participants. Almost one in five attendees called open-source VPN tools "central" to their future VPN plans.

The following questions were answered during and after the event by eWEEK Labs analysts and eSeminar guest speakers Charlie Scott, information security analyst for the city of Austin, Texas, and David Lesser, president and chief technology officer of Nexum Inc.

For a recorded version of both VPN eSeminars and for more information about eSeminars, go to

How are VPN protocols such as SSL [Secure Sockets Layer] and IPSec [IP Security] better than PPTP [Point-to-Point Tunneling Protocol]?

Microsoft [Corp.] supports PPTP on Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME and Windows 98. The company's more recent platforms (specifically Windows 2000, Windows XP and Windows Server 2003) also support what's formally called Layer Two Tunneling Protocol with Internet Protocol security, or L2TP/IPSec.

PPTP is less processing-intensive, meaning that a given amount of server processing capacity can support more connections with PPTP than with the more burdensome IPSec. On the downside, as Microsoft acknowledges in its TechNet discussion of "Planning security for a VPN," a PPTP connection "does not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user)." By contrast, the same discussion observes that L2TP/IPsec "offers the highest level of security, providing data confidentiality, data integrity, data origin authentication, and replay protection."

Given the disruptions that enterprises have suffered from the Sept. 11, 2001, attacks, SARS [Severe Acute Respiratory Syndrome], power outages and the like, what do you believe are senior-level executives' current concerns regarding security, specifically from the point of view of assuring reliable IT operations? How can VPNs support business continuity?

Cost-effective IT uptime depends on striking a balance among what might seem contradictory goals. Some operational threats, such as natural disasters, are offset by dispersing operations to multiple sites; other threats, such as deliberate security attacks on external connections or physical IT facilities, are minimized by keeping the defensive perimeter as physically compact as possible.

To minimize exposure to attacks against communication links, a physically separate private network is an effective defense, but it merely replaces an unacceptable, but low-likelihood, worst-case scenario with the certainty of painful network costs.

VPNs reconcile these conflicts by letting the enterprise maintain secure links, across long distances, while still taking advantage of a public, standards-based worldwide infrastructure.

Do VPNs require additional security monitoring?

You need to watch that the external interface of your VPN device is only serving the protocol it's supposed to (for example, IPSec, PPTP or SSL). You also need to be mindful of what users are logging in to the VPN and where they are going (also of failed log-ins, etc.). The things you should be more worried about are the things you can't see. For instance, does the user on the other end have his or her system adequately patched, and are they using anti-virus protection? That's something that can be dealt with using policies and procedures, and, in some cases, with VPN policies "pushed" down to the client.
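As an added example (not from the article or its speakers), the two monitoring checks in that answer written as small Python functions: one compares what the VPN gateway's external interface is listening on against the ports the chosen VPN protocol needs, the other tallies successful and failed log-ins per user and source from auth log lines. The port map, the log line format and the sample data are assumptions constructed for the example.

```python
import re
from collections import Counter

# Ports each VPN type is expected to expose on the external interface (assumed
# for this example; ESP for IPSec is IP protocol 50, not a port, so it is not listed).
EXPECTED = {
    "ipsec": {("udp", 500), ("udp", 4500)},   # IKE and NAT-T
    "pptp":  {("tcp", 1723)},                 # PPTP control channel (data rides over GRE)
    "ssl":   {("tcp", 443)},                  # SSL/TLS VPN portal
}

def unexpected_listeners(vpn_type, listeners):
    """Return (proto, port) pairs heard on the outside interface that do not
    belong to the chosen VPN protocol, e.g. from an inventory of open sockets."""
    return sorted(set(listeners) - EXPECTED[vpn_type])

# Constructed, simplified auth log format (hypothetical, not a real product's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def summarize_logins(lines, fail_threshold=3):
    """Count OK/FAIL log-ins per user; flag source addresses whose failed
    attempts reach fail_threshold. Returns (summary, alerts)."""
    ok, fail, fail_by_src = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # ignore lines that are not auth events
            continue
        if m["result"] == "OK":
            ok[m["user"]] += 1
        else:
            fail[m["user"]] += 1
            fail_by_src[m["src"]] += 1
    alerts = sorted(src for src, n in fail_by_src.items() if n >= fail_threshold)
    return {"ok": dict(ok), "fail": dict(fail)}, alerts

if __name__ == "__main__":
    # Constructed sample data: a telnet listener that should not be on the outside.
    print(unexpected_listeners("ipsec", [("udp", 500), ("udp", 4500), ("tcp", 23)]))
    sample = [
        "2003-08-19T09:00:01 vpn auth OK user=alice src=198.51.100.7",
        "2003-08-19T09:01:10 vpn auth FAIL user=bob src=203.0.113.9",
        "2003-08-19T09:01:12 vpn auth FAIL user=bob src=203.0.113.9",
        "2003-08-19T09:01:15 vpn auth FAIL user=admin src=203.0.113.9",
    ]
    print(summarize_logins(sample))
```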

How reliable are "very low cost" solutions, like the $100 VPN routers on the market?

They are probably fine for small-office/home-office purposes. The thing to bear in mind is that the inexpensive devices typically don't offer high-availability services, such as failover, that higher-end devices do. On the plus side, they're cheap enough that you can keep a few spares around. You'll have to make the call for the business requirements for your environment.

I'm interested in dumping the laptop and wish to use a Windows CE-enabled handheld for retrieving and responding to info from home base. Do you have any suggestions on VPN considerations to ensure that communication is as secure as possible?

The main thing you'll want to watch out for is the capabilities of the CE handheld's processor. Generally, these processors aren't powerful enough for IPSec clients (if there's even a client available). A clientless SSL-based VPN might be the way to go for handhelds.

Could you comment on the usage of a VPN to complement a wireless LAN?

If you're not going to use anything beyond WEP [Wired Equivalent Privacy] on your wireless LAN, then a VPN solution is highly recommended. Put the wireless access points outside your firewall and require your users to VPN into the network, just like over the Internet. How this works on your network will greatly depend on your network architecture.

What open-source VPN solutions are available?

Open-source VPN solutions include FreeS/WAN, OpenVPN, CIPE, Poptop and PPP [Point-to-Point Protocol] over SSH. You may want to look at a book called "Building Linux Virtual Private Networks."

Is there a pcAnywhere-type host that serves remote access to remote users so that all applications are available over SSL? I'm trying to justify HTML-enabling some applications and can't seem to make the effort worth the benefit.

To date, there is no magic "Webifier" for applications. The solution that addresses both Web and client/server applications will be different, depending on your needs.