
NETWORKS

Virtual private networks: how they work


by Roger Younglove

VPNs are hot, and for good reason. They promise to help organisations
more economically support sales over the Internet, tie business partners
and suppliers together, link branch offices with each other, and support
telecommuter access to corporate network resources.

In 1999 corporations bought $281 million worth of virtual private network (VPN) hardware, and that figure will grow to $831 million by the end of this year, according to Infonetics. Cahners In-Stat Group predicts the total market for VPN gear and services will explode to a projected $267 billion by the end of 2003. A recent InternetWeek survey of 200 IT managers found that 29% were already using VPNs, while the remaining 71% were six months to one year or more away from deployment. What, exactly, is a VPN? A good working definition is as follows:

A virtual private network is a combination of tunnelling, encryption, authentication and access control used to carry traffic over the Internet (or a managed Internet protocol (IP) network or a provider's backbone). Simply stated, a VPN gives users a secure way to access corporate network resources over the Internet or other public or private networks.

Why are VPNs important?

[...] in the US workforce that [...] do their jobs is continually [...]; the [...] workforce demands frequent [...] of corporate information, millions of people telecommute, and employees increasingly need access to e-mail and network applications at night and at weekends. Moreover, the explosion of e-commerce means that companies are implementing business applications that share information among different sites, extending the reach of their business to partners, contractors and the supply chain. In all those arenas VPNs promise to reduce recurring telecommunications charges, minimise the amount of access equipment required, and give managers better control over their far-flung networks.

What is required to construct a VPN?

Two major elements are necessary to construct a VPN: a tunnelling protocol and a means to authenticate the tunnel origin. Tunnelling is a method for sending data packets securely over the Internet or another public network. A tunnelling protocol encapsulates each data packet with information that provides the routing data enabling the encapsulated payload to traverse the network securely. Today the choice is primarily between two tunnelling protocols, both developed by the IETF (Internet Engineering Task Force) (http://www.ietf.org):

L2TP (Layer 2 Tunnelling Protocol)

L2TP is a network protocol that encapsulates PPP (point-to-point protocol) frames to be sent over IP, X.25, frame relay, or ATM (asynchronous transfer mode) networks. (Layer 2 refers to the data link layer of the OSI model; layer 3 is the network layer.) Note that L2TP on its own provides encapsulation but no encryption or integrity protection; where confidentiality is required it is run over IPSec (L2TP/IPSec).

IPSec (IP Security Protocol)

IPSec is a Layer 3 protocol standard designed as an end-to-end mechanism for ensuring data security in IP-based communications. IPSec allows IP payloads to be encrypted and encapsulated in a new IP header for secure transfer across the Internet (or a corporate IP internetwork). The benefit of L2TP for remote access is that it uses PPP for encapsulation and does not require installation of an extra package on the remote client. While L2TP is typically utilised by the SPs (service providers) to provide remote dialup VPN access for customers, IPSec is the major tunnel protocol used for the enterprise, which is our focus in this article.
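The encapsulation described above, shown as an added example that is not part of the article: a Python model of ESP in tunnel mode, the IPSec transform that wraps a whole inner IP packet inside a new outer IP header. The wire layout (outer IPv4 header, SPI, sequence number, IV, ciphertext, ESP trailer, ICV) follows RFC 4303, and the receiving gateway performs its checks in the order a real implementation must: SPI lookup, anti-replay window, ICV verification before any decryption, then window update and decapsulation. The cipher is a stand-in keystream built from HMAC-SHA256 so that the code runs with the standard library alone; it is not an IPsec transform, and the keys, gateway addresses, inner addresses and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTOCOL = 50       # IP protocol number that carries ESP
NEXT_HEADER_IPIP = 4    # ESP trailer value: the payload is a whole IPv4 packet (tunnel mode)
IV_LEN, ICV_LEN = 8, 16  # ICV is HMAC-SHA256 truncated to 128 bits, as in RFC 4868


class EspError(Exception):
    pass


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum >> 16) + (csum & 0xFFFF)
    csum += csum >> 16
    struct.pack_into("!H", hdr, 10, ~csum & 0xFFFF)
    return bytes(hdr)


def keystream(key, iv, length):
    """Stand-in stream cipher: HMAC-SHA256(key, iv || counter) blocks. It only marks
    where the real transform (AES-GCM or AES-CBC) sits in ESP; do not reuse it as a cipher."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 Appendix A): bit i of the bitmap marks
    sequence number (highest - i) as already received."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check(self, seq):
        if seq == 0 or self.highest - seq >= self.size:     # zero is never valid; too old to track
            return False
        return seq > self.highest or not (self.bitmap >> (self.highest - seq)) & 1

    def update(self, seq):                                    # call only after the ICV verified
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class SecurityAssociation:
    """State both gateways share for one tunnel direction: SPI, keys, endpoints, counters."""
    def __init__(self, spi, src, dst, enc_key, auth_key):
        self.spi, self.src, self.dst, self.enc_key, self.auth_key = spi, src, dst, enc_key, auth_key
        self.seq, self.window = 0, ReplayWindow()


def esp_encapsulate(sa, inner_packet):
    """Outbound: outer IPv4 | SPI | seq | IV | enc(inner | pad | pad_len | next_hdr) | ICV."""
    sa.seq += 1
    pad_len = -(len(inner_packet) + 2) % 4                  # trailer must end on a 4-byte boundary
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    iv = os.urandom(IV_LEN)
    esp = struct.pack("!II", sa.spi, sa.seq) + iv + xor_bytes(plaintext, keystream(sa.enc_key, iv, len(plaintext)))
    icv = hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]  # covers ESP, not the outer IP header
    return ipv4_header(sa.src, sa.dst, ESP_PROTOCOL, len(esp) + ICV_LEN) + esp + icv


def esp_decapsulate(sa, packet):
    """Inbound, in the order a gateway must check: header, SPI, replay window, ICV,
    then (and only then) window update, decryption and trailer parsing."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != ESP_PROTOCOL:
        raise EspError("not an ESP-in-IPv4 packet")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    body = packet[ihl:total_len]
    if len(packet) < total_len or len(body) < 8 + IV_LEN + 2 + ICV_LEN:
        raise EspError("truncated ESP packet")
    esp, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise EspError("unknown SPI %#x" % spi)
    if not sa.window.check(seq):
        raise EspError("replayed or stale sequence number %d" % seq)
    if not hmac.compare_digest(icv, hmac.new(sa.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]):
        raise EspError("ICV mismatch: packet forged or corrupted")
    sa.window.update(seq)
    iv, ciphertext = esp[8:8 + IV_LEN], esp[8 + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(sa.enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner_len = len(plaintext) - 2 - pad_len
    if next_header != NEXT_HEADER_IPIP or inner_len < 20 or plaintext[inner_len:-2] != bytes(range(1, pad_len + 1)):
        raise EspError("bad ESP trailer")
    return plaintext[:inner_len]


def demo():
    """Round trip between two gateways, then a replay of the same packet and a tampered one."""
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32                        # constructed test keys
    branch = SecurityAssociation(0x1001, "198.51.100.1", "203.0.113.7", enc_key, auth_key)
    hq = SecurityAssociation(0x1001, "198.51.100.1", "203.0.113.7", enc_key, auth_key)
    payload = b"constructed application data"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(payload)) + payload   # private addresses inside
    wire = esp_encapsulate(branch, inner)
    results = {"roundtrip": esp_decapsulate(hq, wire) == inner, "outer_proto_is_esp": wire[9] == ESP_PROTOCOL}
    tampered = bytearray(esp_encapsulate(branch, inner))
    tampered[-ICV_LEN - 1] ^= 0x01                                           # flip one ciphertext bit
    for label, pkt, reason in (("replay_rejected", wire, "replayed"), ("tamper_rejected", bytes(tampered), "ICV")):
        try:
            esp_decapsulate(hq, pkt)
            results[label] = False
        except EspError as err:
            results[label] = str(err).startswith(reason)
    return results
```

Two points the article's one-line description hides are visible here: the integrity check covers the ESP header and ciphertext but not the outer IP header (which routers may rewrite in transit), and the replay window is advanced only after the ICV verifies, so an attacker cannot poison it by spraying forged sequence numbers.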

[...] passwords or digital certificates. A shared secret is fairly easy to utilise for a small number of endpoints (clients and/or gateways). Token cards work very well for large intranet implementations, but for a large extranet implementation the easiest method is to use a digital certificate (public key infrastructure).

Implementing a public key infrastructure

A public key infrastructure (PKI) starts with a certificate authority (CA), a software package operated in a high security area, that issues digital certificates. A PKI also includes a directory service to make the certificates widely available. When implementing a PKI, the decision to purchase or contract out the service must be based not only on cost, but also, more importantly, on security policy and requirements. Do you have full control of the PKI or do you let someone else operate it for you?

In addition to a CA, a PKI also includes, at minimum, an X.509v3-compatible database. The CA operator issues the digital certificates to the end entity (in this case the IPSec endpoints) and records the information in the database. If a certificate is either compromised or is no longer correct for some reason, it is listed by the CA operator on a certificate revocation list (CRL). Each time an IPSec endpoint checks the validity of a certificate presented for authentication, it checks the CRL; if that certificate is listed, it is invalid and the endpoint rejects it. The check is only as good as the copy of the CRL the endpoint holds: the endpoint must fetch a fresh CRL before the current one expires, and the security policy must state whether an endpoint accepts or rejects peer certificates when no current CRL is available.

When you implement a PKI, you should have a certificate policy (CP) regardless of whether you operate or outsource your CA. The CP delineates the requirements to receive a certificate from the CA (for example, a certificate must be requested in person and requires two forms of ID, one a picture ID) and/or a level of authority (for example, this certificate allows signature authority for one million dollars). For an IPSec endpoint, the CP defines what information must be submitted to the CA for certification. Moreover, the CP should [...] that the CA must meet for [...].

To successfully implement a CA, the operator must write a certificate practice statement (CPS), which spells out how the operation of the CA matches the CP (certificate policy) requirements. If you implement your own CA, you should create both the CP and the CPS. Since you have full control of the implementation, this might seem unnecessary, but it is important for two reasons. First, it ensures optimal security by requiring written documents for both operational guidance and audit purposes. Second, if you ever wish to cross-certify (that is, be treated as an equal and able to accept certificates) with a CA operated by someone else, both the CP and the CPS are required to ensure that both certificates are considered equal in the required aspects.

Guaranteed service

Regardless of how well the security policies have been defined, operating a VPN over the Internet is not highly predictable because the Internet is not a guaranteed transport. If guaranteed service is not required, the Internet provides adequate VPN transport. However, if guaranteed service is mandatory, a service level agreement (SLA) can be obtained for transport over a managed IP network. An SLA is a money-back guarantee that the service provider (SP) will deliver a specific level of service. This might cover, for example, overall network availability of 99.7%, or end-to-end latency not greater than 150 ms round-trip, or local loop availability of 99.7%, or a packet loss of less than 1% of overall throughput. The agreement may also dictate such terms as, for instance, a refund of one month's charges if the SP abrogates any of the agreed upon service levels.
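The CA, certificate database and CRL workflow described under "Implementing a public key infrastructure" above, as an added example that is not from the article: a Python script that drives the openssl command-line tool to stand up a small CA, issue certificates to two IPSec gateway endpoints, revoke one of them with a reason code, publish a new CRL, and then perform the check an endpoint makes on a peer certificate (chain to the trusted CA, with CRL checking enabled). The index.txt file that openssl ca maintains plays the role of the CA's certificate database. Assumed: an openssl binary on PATH (1.1 or later, for the -CRLfile option to openssl verify); the CA name, the endpoint names and the configuration file are constructed for the example.

```python
import os
import shutil
import subprocess
import tempfile

# CA configuration (constructed for this example). [ CA_default ] tells openssl ca
# where its certificate database (index.txt), serial and CRL-number files live;
# [ endpoint_cert ] is the profile issued to IPSec gateways (not a CA, signing only).
CA_CONFIG = """\
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = {work}
database = {work}/index.txt
new_certs_dir = {work}/newcerts
certificate = {work}/ca.crt
private_key = {work}/ca.key
serial = {work}/serial
crlnumber = {work}/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_endpoint
x509_extensions = endpoint_cert

[ policy_endpoint ]
commonName = supplied

[ endpoint_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
"""


def _openssl(*args):
    """Run one openssl subcommand; raise on non-zero exit, discard its chatter."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _path(work, name):
    return os.path.join(work, name)


def make_ca(work):
    """Create the CA: config, empty database, counters, self-signed CA cert, empty CRL."""
    os.makedirs(_path(work, "newcerts"), exist_ok=True)
    with open(_path(work, "ca.cnf"), "w") as f:
        f.write(CA_CONFIG.format(work=work))
    open(_path(work, "index.txt"), "w").close()            # the certificate database
    for counter in ("serial", "crlnumber"):
        with open(_path(work, counter), "w") as f:
            f.write("01\n")
    _openssl("req", "-config", _path(work, "ca.cnf"), "-batch", "-x509",
             "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
             "-subj", "/CN=Example VPN CA", "-extensions", "v3_ca",
             "-keyout", _path(work, "ca.key"), "-out", _path(work, "ca.crt"))
    publish_crl(work)


def publish_crl(work):
    """Sign a fresh CRL from the database; this is the copy endpoints must fetch."""
    _openssl("ca", "-config", _path(work, "ca.cnf"), "-gencrl", "-out", _path(work, "ca.crl"))


def issue_certificate(work, name):
    """The endpoint generates its key pair and CSR; the CA signs it and records it in index.txt."""
    _openssl("req", "-config", _path(work, "ca.cnf"), "-batch", "-newkey", "rsa:2048",
             "-nodes", "-subj", "/CN=" + name,
             "-keyout", _path(work, name + ".key"), "-out", _path(work, name + ".csr"))
    _openssl("ca", "-config", _path(work, "ca.cnf"), "-batch", "-notext",
             "-in", _path(work, name + ".csr"), "-out", _path(work, name + ".crt"))


def revoke_certificate(work, name, reason="keyCompromise"):
    """Mark the certificate revoked in the database, then publish a new CRL."""
    _openssl("ca", "-config", _path(work, "ca.cnf"), "-revoke", _path(work, name + ".crt"),
             "-crl_reason", reason)
    publish_crl(work)


def endpoint_accepts(work, name):
    """What an IPSec endpoint does with a peer certificate: verify it chains to the
    trusted CA and is not on the current CRL. True means accept the tunnel peer."""
    result = subprocess.run(
        ["openssl", "verify", "-crl_check", "-CAfile", _path(work, "ca.crt"),
         "-CRLfile", _path(work, "ca.crl"), _path(work, name + ".crt")],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo():
    """Issue to two gateways, revoke one, and record what an endpoint decides for each."""
    work = tempfile.mkdtemp(prefix="vpn-pki-")
    try:
        make_ca(work)
        issue_certificate(work, "ipsec-gw-branch")            # constructed endpoint names
        issue_certificate(work, "ipsec-gw-hq")
        before = endpoint_accepts(work, "ipsec-gw-branch")
        revoke_certificate(work, "ipsec-gw-branch")
        return {"branch_before_revocation": before,
                "branch_after_revocation": endpoint_accepts(work, "ipsec-gw-branch"),
                "hq_after_revocation": endpoint_accepts(work, "ipsec-gw-hq")}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Note that the verdict changes only because endpoint_accepts is handed the newly published ca.crl: an endpoint still holding the previous CRL would keep accepting the revoked gateway until that CRL expired, which is why the distribution and refresh of CRLs belongs in the certificate policy.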

Conclusion

Whether implemented as an intranet or an extranet, a VPN can reduce communications costs by utilising a single connection with one piece of equipment for each location instead of what would otherwise be multiple communication links using legacy equipment. Cost is usually the determining factor of whether the VPN is built in-house or is contracted out. Cost per connection for a service is weighed against the total equipment, training, maintenance and management costs spread over the number of connections required for a VPN built in-house. Another important consideration is who maintains control of the equipment. Some companies do not use contract services, regardless of cost, because they want full control over the VPN.

Using VPNs, companies can reliably and securely share information across the Internet or a managed IP network. Today VPNs are being used to help corporations [...] applications, tie business partners and suppliers together, and support the explosion of e-commerce, especially in business-to-business applications.
