VPN: Light at the end of the tunnel

The modem rack, once a staple of every department and agency server room, is heading for extinction.

Now that virtually every remote worker can reach the Internet, direct dial-up access — with the support hassles, long-distance charges, busy signals, modem hang-ups and line-quality problems that plague it — is giving way to virtual private networks (VPNs).

Security concerns, of course, have made many agencies and departments skeptical of VPNs. After all, virtual private networks couldn't be as secure as truly private networks, could they? And news reports of high-profile Internet break-ins, most recently at America Online, seem to emphasize that point. If AOL, with all of its intellectual and financial resources, can't keep intruders away from its private data, who can?

Such security concerns are well-founded, because any socket to the outside world creates the potential for hacking. But this was true of dial-up remote access, too. And with recent advances in security technology, VPNs are arguably more secure than a modem line. It is, in short, time to reconsider adopting a VPN solution.

And there are obvious benefits for agencies and departments. Moving from modems to VPNs will have a slimming effect on your department's equipment rack. If your network supports 10 simultaneous dial-up users, you have 10 modems and 10 data lines. One VPN server or VPN-enabled router can replace that entire bank of modems.

VPNs further reduce costs by cutting the number of data lines coming into your facility. That will reduce your monthly phone bill, and your bean counters will bless you for eliminating long-distance charges incurred by your dial-up users.

A Snapshot: Three VPN Servers

Implementing a VPN starts with the selection of a server. To illustrate the most common VPN server types, I tested three representative products: Network Associates Inc.'s Gauntlet Firewall/VPN 5.5, the VPN services built into Microsoft Corp.'s Windows 2000 Server and the VPN capabilities of Lucent Technologies' Pipeline routers. Because two of the servers are implemented in software, let's first consider some planning issues related to software VPNs.

You may be able to install VPN software on an existing server that's being used as a basic router, gateway or proxy server. But if that server is also handling your firewall, it could be running at its capacity. Active firewalls that examine the contents of every network packet work particularly hard. If you add the burden of VPN to that mix, you might degrade performance for all users.

You may also need to increase the bandwidth of your network. After you switch to a VPN, some dial-up modem users will connect to your network via broadband carriers, causing your server load to skyrocket. Just one cable modem or Digital Subscriber Line user can occupy the equivalent bandwidth of nearly 100 modem users. If you don't make room for broadband users in your capacity planning, your remote strategy could fail for poor performance. You don't want to leave VPN users longing for their old direct-dial modem connections.

Gauntlet Firewall/VPN 5.5

Version 5.5 of Network Associates' Gauntlet Firewall/VPN solution for Unix and Microsoft Windows NT provides firewall, proxy, McAfee enterprise virus protection and Layer 2 Tunneling Protocol (L2TP) over IPSec VPN services in one package. Since all the components come from the same vendor, they move network data efficiently through the processing pipeline.

Considering its capabilities, Gauntlet's system requirements are minuscule. Network Associates recommends a Pentium 233 with 128M of RAM. I tested Gauntlet on a Windows NT Server 4.0 system. Basic installation is quick and more or less automated. The best feature of the installation process is the thorough system check that Gauntlet performs before it starts copying files. The installer identifies conditions that could compromise Gauntlet's effectiveness or performance.

A single administrative console manages all of Gauntlet's features — and Gauntlet is loaded with features. Fortunately, it defaults to a fully locked-down configuration. Any feature you don't configure immediately is effectively disabled.

Getting Gauntlet's VPN server running is among its simpler configuration tasks, but it still takes considerable time and knowledge. Before you install Gauntlet, you'll need to register your VPN server with a public-key infrastructure certificate authority such as Verisign Inc. or Entrust Technologies. If you run your own certificate authority, Gauntlet will use your internally generated certificate to authenticate your new VPN server.

The administrator has fine control over VPN encryption and authentication parameters. The online documentation offers some guidance in choosing security settings, but it would be nice to see templates, wizards or even simple defaults that ease configuration. The absence of context-sensitive help slows the process considerably.

Gauntlet appeals most to those who value a rich array of features over ease of configuration and administration. It is a total solution, including virtually everything you need to create a secure, bidirectional gateway to the Internet using affordable hardware. Given its complexity, you should budget for training and installation consulting before you implement Gauntlet Firewall/VPN 5.5.

Windows 2000 Server

In a recent press release, Microsoft stated that in an independently verified test, an Intel Corp.-based server with four CPUs and 1G of RAM ran 5,000 simultaneous VPN sessions. Considering the cost of stand-alone VPN servers capable of handling that kind of volume, Microsoft's approach to VPN seems worth considering — even for non-Windows shops — on the basis of cost alone.

Windows 2000 Server and Advanced Server are billed as do-everything network servers: file/print, Web, applications, databases, objects — you name it. However, turning a Windows 2000 system into a workable VPN server requires us to throw out most of the features listed on the side of the Windows 2000 box. This seems wasteful until you compare the cost of Windows 2000 Server (about $1,000) with VPN solutions such as Gauntlet Firewall/VPN (starting at about $2,000 per year).

Windows 2000's VPN services are nowhere near as configurable as Gauntlet's, although Microsoft balances the scales with a much simpler administrative interface. You'll also find that Windows 2000 is equipped with services that support VPN, including a remote authentication dial-in server and an X.509 certificate authority.

With the upcoming release of its Internet Security and Acceleration (ISA) server, Microsoft plans to round out Windows 2000's suite of services with Internet caching and a firewall. The company's goal is to make it possible for one (albeit beefy) PC server to handle all Internet gateway duties for a sizable enterprise.

Administrators familiar with VPN services under Windows NT 4.0 will recognize the Windows 2000 approach. The first step is to activate Windows 2000's optional (but included) routing and remote access service (RRAS).

Windows 2000 also includes a Dynamic Host Configuration Protocol (DHCP) server that pushes dynamic IP addresses and other network settings to client systems. VPN benefits from DHCP when it is available — VPN clients are much easier to configure using DHCP — but the RRAS wizard understands that you might not have configured DHCP prior to activating VPN. RRAS contains its own limited DHCP server expressly for simplicity. If you only need DHCP for VPN and dial-up users, RRAS will automatically configure and use its built-in DHCP server.

After the RRAS setup wizard is completed, the server is ready to accept VPN connections. Tuning RRAS for maximum security requires digging through a maze of dialog boxes to enable certificates and disable backward-compatible weak authentication. This process takes longer than it should, thanks in part to the administrative interface's avoidance of potentially unfamiliar terminology. If you understand network terminology and know how VPN works, you'll find Microsoft's gentler jargon more frustrating than helpful.

IPSec encryption is part of Windows 2000's core network services and has its own administrative interface. The RRAS console fails to alert you if IPSec is disabled (which is the default). As a result, VPN clients may make L2TP connections believing IPSec encryption is in place, when in fact the tunneled data is not encrypted.
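Because the RRAS console gives no warning, the only reliable way to confirm that L2TP traffic is actually protected is to look at what leaves the server's Internet-facing interface. The following is an added example, not code from the article, Microsoft or Network Associates. It assumes (my assumption, consistent with how L2TP over IPSec works in transport mode) that a protected session appears on the wire as IKE on UDP port 500 followed by ESP (IP protocol 50), with the inner L2TP header on UDP port 1701 encrypted and therefore invisible; if UDP/1701 is visible between a client and the server, IPSec is not protecting that tunnel. The packet summaries, addresses and helper names are constructed for the example.

```python
"""Flag L2TP tunnels that are running without IPSec protection.

Added example (not from the article). Given packet summaries observed on
the VPN server's Internet-facing interface, report each remote client as
'l2tp-ipsec', 'l2tp-cleartext' or 'ike-only'.

Assumption (not from the article): an L2TP/IPSec session is visible only as
IKE (UDP 500) plus ESP (IP protocol 50). A visible UDP/1701 header means the
L2TP control and data packets are travelling unencrypted.
"""
from collections import defaultdict
from dataclasses import dataclass

ESP_PROTO = 50      # IP protocol number for IPSec ESP
UDP_PROTO = 17
IKE_PORT = 500      # ISAKMP / IKE key exchange
L2TP_PORT = 1701    # L2TP, which should never be visible when IPSec is on


@dataclass(frozen=True)
class Packet:
    """One packet summary, as a capture tool or flow export would give it."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def classify_tunnels(packets, server_ip):
    """Return {client_ip: status} for every host that exchanged VPN-related
    packets with server_ip."""
    seen = defaultdict(set)
    for p in packets:
        # Consider only traffic to or from the VPN server itself.
        if server_ip not in (p.src, p.dst):
            continue
        client = p.dst if p.src == server_ip else p.src
        if p.proto == ESP_PROTO:
            seen[client].add("esp")
        elif p.proto == UDP_PROTO and IKE_PORT in (p.sport, p.dport):
            seen[client].add("ike")
        elif p.proto == UDP_PROTO and L2TP_PORT in (p.sport, p.dport):
            seen[client].add("l2tp-clear")

    status = {}
    for client, flags in seen.items():
        if "l2tp-clear" in flags:
            # Any visible L2TP header means the tunnel is not inside ESP.
            status[client] = "l2tp-cleartext"
        elif "esp" in flags:
            status[client] = "l2tp-ipsec"
        else:
            status[client] = "ike-only"   # negotiated keys but no ESP seen
    return status


def cleartext_clients(packets, server_ip):
    """Sorted list of clients whose L2TP tunnel is unprotected."""
    return sorted(c for c, s in classify_tunnels(packets, server_ip).items()
                  if s == "l2tp-cleartext")


# Constructed sample capture: 198.51.100.1 is the VPN server (documentation
# address range, chosen for the example). The first client does IKE then ESP;
# the second connects with L2TP directly, which is what an RRAS server with
# IPSec left disabled will happily accept.
SERVER_IP = "198.51.100.1"
SAMPLE_CAPTURE = [
    Packet("203.0.113.10", SERVER_IP, UDP_PROTO, 500, 500),
    Packet(SERVER_IP, "203.0.113.10", UDP_PROTO, 500, 500),
    Packet("203.0.113.10", SERVER_IP, ESP_PROTO),
    Packet(SERVER_IP, "203.0.113.10", ESP_PROTO),
    Packet("203.0.113.20", SERVER_IP, UDP_PROTO, 1701, 1701),
    Packet(SERVER_IP, "203.0.113.20", UDP_PROTO, 1701, 1701),
]

if __name__ == "__main__":
    for client, state in sorted(classify_tunnels(SAMPLE_CAPTURE, SERVER_IP).items()):
        print(f"{client:16} {state}")
    print("unprotected:", cleartext_clients(SAMPLE_CAPTURE, SERVER_IP))
```

Run against a real capture by building `Packet` objects from your sniffer's output; an empty result from `cleartext_clients` is the confirmation the RRAS console does not give you.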

Windows 2000's lower cost and quick setup make it a good choice for small groups. It is even better if you plan to use that Windows 2000 server in other ways. Gauntlet is a more significant investment — training is a must — but its greater configurability and broad standards support make it suitable for large and changeable organizations.

Lucent SecureConnect and VPN Gateway

For hardware-based VPN, we looked at Lucent Technologies' Pipeline series routers and its VPN Gateway line of stand-alone server appliances. Pipeline routers — a product line Lucent picked up when it acquired Ascend — originally offered firewall and IP security software (under the product name SecureConnect) as an option. With its latest round of firmware upgrades, Lucent now supplies SecureConnect free of charge for all Pipeline devices from the model 50 Integrated Services Digital Network router up.

Lucent's new SecureConnect firmware equips Pipeline routers with IPSec encryption (40 bits standard; triple Data Encryption Standard [3DES] optional), X.509 certificate support, network address translation (for sharing one Internet account across a LAN) and firewall security. That's a slew of features for such a little box, so it's understandable that the encryption support is limited on the smaller Pipeline models. They simply don't have the processing power to manage 3DES encryption for multiple VPN connections.

Pipeline routers, like most others, use a command-line interface for configuration. For convenience, Lucent supplies a Java-based configuration console called SecureConnect Manager (SCM), which runs on any Java-capable PC or workstation that shares a network with Pipeline.

To squeeze SecureConnect's impressive capabilities into Pipeline's tiny Flash ROM, Lucent eliminated the configurability common to other VPN implementations. After enduring the endless fiddling required to set up Gauntlet and Windows 2000 VPN, SecureConnect's comparatively cut-and-dried approach is a blessing. When you enable VPN by creating a new tunnel in SCM, it is configured for IPSec and L2TP. Period.

Having IPSec and VPN built into your router presents a relatively bulletproof alternative to server-based solutions. With no moving parts — most Pipeline models don't even have a cooling fan — there is nothing to wear out. The device's entire configuration, firewall rules and all, fits in non-volatile RAM and can be downloaded in a single file. If the device fails, just replace it with a new unit and upload its configuration file. You're back in business.

The primary shortcoming of router-based VPN is scalability. A low-power embedded microprocessor is no match for the four-CPU workhorse Microsoft used to rack up 5,000 simultaneous connections. Some routers offload the encryption, the most demanding component of VPN, to dedicated hardware. Lucent uses encryption accelerators in its scalable VPN Gateway product line. These gateways are full-featured firewall/VPN servers packaged in convenient, integrated PCs. Bridging the gap between router firmware VPNs and user-configured servers, Lucent's VPN Gateway systems promise ready-to-run solutions. With its VPN Gateway 80 slated to sell for less than $5,000, Lucent hopes to lure prospects away from server-based VPN.

The VPN Outlook

With remote workers, branch offices, off-site conferences and traveling staff, VPN is a necessity for many organizations and agencies. It is a simple technology to describe, but it can also be tricky to configure properly.

Integrated and embedded servers seem poised for the most rapid growth. As faster low-power microprocessors appear, vendors will build VPN and other network services into smaller and smaller cabinets. I anticipate Lucent VPN Gateway-class servers that operate entirely in solid state, using Flash memory instead of hard drives. Embedded Linux and Windows CE 3.0 are ideally suited to such appliances. We need only wait for the hardware to catch up.

For now, your best VPN choice is determined by the factors most important to you. If you need VPN running by tomorrow morning and you have a relatively limited number of connections to support, choose hardware. You may find that your current router's firmware can be upgraded with VPN capabilities. If not, stand-alone VPN devices such as the Lucent VPN Gateway set up quickly and more or less look after themselves, just as you would expect a black box to do.

In the realm of software VPN, Windows 2000 Server is unique among network operating systems because it includes a capable VPN server. It is short on flexibility, but it's extremely affordable, relatively easy to manage and runs on inexpensive PC systems. The ultimate, super-configurable, cross-platform solution, Network Associates' Gauntlet Firewall/VPN, covers all the major standards and is sublimely reconfigurable. Combination firewall/VPN solutions in Gauntlet's class are incredibly complex, but if you expect your needs to grow significantly in the next couple of years, the investment in time and capital is worth it.

Yager is a freelance journalist. He can be reached at tyager@maxx.net.