Picking a VPN Solution
Picking a virtual private networking solution requires careful examination of your networking and security needs, because the chosen solution must be tightly integrated into your existing network. The solution you choose should not only provide adequate encryption and authentication, but it should also perform logging and auditing functions. Network security comes down to your administrator's ability to identify and track potential problems. Without detailed logging and auditing, that job becomes much more dif
ficult, if not impossible.
Ideally, your VPN solution sh
ould have as little impact as possible on how your users access network resources, because as networking becomes more complex for the average user (for example, having to remember more user ID and password pairs), the less likely users will be to adopt the VPN strategy.
IPSec technologies require little, if any, intervention because authentication and encryption is not user-based. IPSec really derives its security from the workstation's IP address or its certificate. With IPSec implementation, you extend trust to the workstation without knowing who is at the console--there isn't any provision for user-based authentication. On the other hand, authentication using a non-IPSec solution--such as Aventail Corp.'s Socks 5 VPN server, Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Forwarding (L2F)--is user-based and can be integrated into existing user databases such as NT Domains and RADIUS. Users have to be verified using a password, token card or other authentication before they can access network servic
es.
Of course, user access is just one piece of the puzzle. Once a user is authenticated, data traffic needs to be protected as well. Generally speaking, the strength of an encryption key grows as the key becomes longer. RSA's RC4 40-bit key (Microsoft Corp.'s Point-to-Point Encryption international key length) is weaker than a 128-bit key. But the longer key length is not readily exportable outside the United States. If you plan on tunneling internationally, your VPN solution needs to support a variety of encryption and key lengths, complying not only with U.S. export laws, but also with those of other countries.
Strong encryption is not enough to safeguard corporate secrets--an uncrackable algorithm has yet to be developed. To minimize the damage of a cracked key, you need to be able to change the keys while the VPN is in session. Then, if one key is broken during a VPN session, the rest of the session remains secured with another (unknown) key
. You need to balance the key exchange intervals with t
he amount of data that is exchanged. An interval that is too short puts undue processing on the VPN servers for key generation, while a key exchange interval that is too long exposes too much data to a single key.
|
RSS
