FEATURE
The State of Security 2000
October 4, 1999

VPNs: Ready for rollout

Advances in VPNs (virtual private networks) seem to appear almost daily. Aimed at joining networks in a secure, cost-effective manner, the technology generally lives up to its promises. However, there are trade-offs, and some areas of development are still fledgling.
For starters, only a handful of interoperable products are now shipping. Although the core protocols are fairly stable, significant work remains to be done within the IETF and the IPSec community.

Also, while VPN devices offer a cost-effective alternative to leased lines or frame relay for remote offices and extranets, bear in mind that your service provider cannot guarantee VPN performance (or any network performance) once the traffic leaves its network. If you require predictable throughput or latency, stick with frame relay or leased lines. But if minimizing cost is the more important consideration for your remote networking, VPNs are well positioned to hook you up.

As is typical of technologies that are still new on the scene, VPN management processes and platforms are somewhat clunky and difficult to use, especially compared with remote-access servers and other network-infrastructure devices. But the vendors are making real improvements based on customer feedback. Despite a few rough edges, VPN technology is viable now.

LAN-to-LAN VPNs promise to bring diverse networks together regardless of the underlying infrastructure. With a major IPSec RFC on the standards track at the IETF, interoperable products have been shipping for about 18 months. In light of this, we gave VPNs a middling score for maturity. The ICSA has been certifying VPN products as interoperable since May 1998 and currently lists 12 products as interoperable. While the level of interoperability is somewhat limited, at least in version 1.0 of ICSA certification, the criteria are adequate to ensure usability in a multivendor environment.
Unlike many firewalls and proxy servers, most VPN devices can be configured to sit transparently on the network, requiring no network or client reconfiguration. Transparent VPN devices are analogous to bridges at the IP layer: packets bound for a distant secure network are bundled into the VPN, and all other packets are passed through or dropped depending on the configuration. Choose that default deliberately; a device that passes unmatched traffic in the clear is a bridge, not a filter. The impact on the network is negligible, and users need not know, or care, about the VPN device.

Securing remote-access connections is more challenging because of outstanding issues such as configuring remote clients, network addressing and user authentication. Within a single-product environment, remote access generally is a snap. However, supporting remote users can be rather expensive, depending on your vendor: client prices range from free to nearly $100 for a single-user license. Two ICSA-certified IPSec clients are available: TimeStep Corp.'s Permit/Client 1.1 and IRE's SafeNet/Soft-PK v.2.0.5 (Build 3). However, many of the features taken for granted in single-vendor product families, such as network configuration assignment and compression, are lost with these clients because no industry standards for such mechanisms exist.

Of course, with the advent of Windows 2000, the client issue may be moot. Microsoft is planning to support IPSec in Windows 2000, and, as with PPP (Point-to-Point Protocol) and Windows 95, there will be little motivation for other vendors to compete with Microsoft's IPSec client on the desktop.

Lest we forget, IPSec is not the be-all and end-all of VPN--not with Microsoft in the game. Microsoft's PPTP (Point-to-Point Tunneling Protocol) is widely implemented not only in the Windows platform but in VPN devices, such as Nortel Networks' Contivity Extranet Access switch and Altiga Networks' VPN Concentrator.
PPTP lacks IPSec's more secure key negotiation mechanisms and is limited to a single cipher (RC4 with 40-bit or 128-bit keys). Its session keys are derived from the user's password rather than negotiated, so a PPTP tunnel is no stronger than that password; it is usable, but less secure than IPSec. The strength of PPTP lies with remote-access connections. Because PPTP ships with Windows and is as easy to use as dial-up networking, it streamlines management and helpdesk support.

VPN management is rapidly improving. Stick to a single-vendor environment, and management stations are straightforward and typically offer strong multiunit support. However, multivendor IPSec VPN management and configuration are difficult at best. For now, it requires in-depth knowledge of IPSec as well as an intimate understanding of the participating vendors' varying implementations--involving a babel of terminology.

Many vendors fear using SNMP and syslog for reporting because they are not secure (passing device status information in the clear, even if only on protected networks, should send shivers down any security administrator's spine), but vendors may have to suck it up. A VPN requires the same kinds of management facilities as any other network technology, on the LAN or on the WAN. Obviously, no information about the status of individual sessions within a VPN tunnel can be gleaned by examining encrypted packets flying across the wire; the only point at which that information is available is the VPN end points. Customers are demanding integration into enterprise management systems that process SNMP traps and syslog events.

Providing high security over public networks is the aim of IPSec, and it meets that challenge with aplomb. Delivering a core set of functionality of encryption, authentication, perfect forward secrecy and antireplay protection, IPSec VPNs are the most secure and robust option. PPTP--simple to use and free with Windows--is a reasonable alternative in many remote-access applications, provided password strength is enforced.
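The antireplay protection credited to IPSec above is a sliding-window check that each receiving endpoint runs on the sequence number carried in every AH or ESP packet on a security association. The following C program is an added example, not code from the article or from any vendor's product; it follows the window algorithm described in the IPSec architecture RFC (RFC 2401), but the 64-packet window width, the state structure, the function and verdict names and the sample packet stream are all my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Window width in packets; a 64-bit bitmap gives the common size of 64. */
#define REPLAY_WINDOW 64

struct replay_state {
    uint64_t bitmap;   /* bit i set => sequence number (last_seq - i) already accepted */
    uint32_t last_seq; /* highest sequence number accepted on this SA so far */
};

enum replay_verdict {
    REPLAY_ACCEPT = 0,
    REPLAY_REJECT_ZERO,      /* sequence 0 is never valid; the sender must rekey before wrap */
    REPLAY_REJECT_TOO_OLD,   /* the left edge of the window has moved past it */
    REPLAY_REJECT_DUPLICATE  /* inside the window but already seen: a replay */
};

static void replay_init(struct replay_state *st)
{
    st->bitmap = 0;
    st->last_seq = 0;
}

/* Check one received sequence number against the window and, if it is
 * acceptable, record it. A real endpoint must verify the packet's
 * integrity (AH/ESP authentication) before updating the window, or an
 * attacker could advance the window with forged sequence numbers. */
static enum replay_verdict replay_check(struct replay_state *st, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return REPLAY_REJECT_ZERO;

    if (seq > st->last_seq) {
        /* New right edge: slide the window forward. */
        diff = seq - st->last_seq;
        if (diff < REPLAY_WINDOW) {
            st->bitmap <<= diff;
            st->bitmap |= 1;
        } else {
            st->bitmap = 1;   /* jumped beyond the old window: everything older is gone */
        }
        st->last_seq = seq;
        return REPLAY_ACCEPT;
    }

    /* Out-of-order packet: it lies behind the right edge. */
    diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_REJECT_TOO_OLD;
    if (st->bitmap & ((uint64_t)1 << diff))
        return REPLAY_REJECT_DUPLICATE;
    st->bitmap |= (uint64_t)1 << diff;
    return REPLAY_ACCEPT;
}

/* Run a whole stream of sequence numbers through the window; returns the
 * number accepted and, if verdicts is non-NULL, each per-packet verdict. */
static size_t replay_process(struct replay_state *st, const uint32_t *seqs,
                             size_t n, enum replay_verdict *verdicts)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        enum replay_verdict v = replay_check(st, seqs[i]);
        if (verdicts)
            verdicts[i] = v;
        if (v == REPLAY_ACCEPT)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample stream (not captured traffic): in-order packets,
     * a reordered pair, two replays, a bogus zero, then a large gap that
     * slides the window so that an old packet falls off the left edge. */
    static const uint32_t stream[] = { 1, 2, 3, 5, 4, 4, 2, 0, 200, 199, 137, 136 };
    static const char *names[] = { "accept", "reject: seq 0", "reject: too old", "reject: replay" };
    enum replay_verdict verdicts[sizeof stream / sizeof stream[0]];
    struct replay_state st;
    size_t n = sizeof stream / sizeof stream[0];

    replay_init(&st);
    size_t ok = replay_process(&st, stream, n, verdicts);
    for (size_t i = 0; i < n; i++)
        printf("seq %3u -> %s\n", (unsigned)stream[i], names[verdicts[i]]);
    printf("%zu of %zu packets accepted\n", ok, n);
    return 0;
}
```

The point a practitioner should take from the stream: reordering within the window (5 before 4) is tolerated, a repeat of an accepted packet is rejected even when it arrives only a moment later, and once the right edge jumps to 200 a packet with sequence 136 is refused as too old while 137 still fits. This is why the sequence number must be authenticated along with the payload; if the window were updated before integrity checking, an attacker could push the right edge forward and cause legitimate in-flight packets to be dropped.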
While VPN technology is far from perfect, it is mature enough to solve critical business needs today and shows every sign of maturing quickly in the next 12 months. --Mike Fratto
For example, current products support only preshared secret IKE and typically support only host-to-host VPN and Class A, B and C networks (see 