VPNs: not just secure, but a business enabler

Chris Green, Computing 23 Sep 2003

Security remains at the forefront of expanding a business to remote locations, but security alone is useless unless you can do something productive over that connection.

There is pressure on businesses of all sizes to enable remote access to their systems. Companies are having to look at improving productivity while striking a suitable work-life balance for staff needing to work more from home.

Then there's the problem of how best to handle field workers and electronic access for ordering systems for trusted parties such as suppliers and major customers.

Companies have traditionally invested in dedicated remote access servers to handle access for staff in the field, but these often rely on dedicated dial-up or fixed-line connections, making them expensive, inflexible and often slow.

The more flexible, and often cheaper, modern alternative is a virtual private network (VPN), a mechanism for making secure, direct connections between the edge of the corporate Lan and a remote user, using open networks such as the internet and cheap unsecured access such as broadband and wireless Lan hotspots.

"Economic pressures mean that companies are looking for lower-cost alternatives to remote access servers and wide area services such as leased lines, while network resilience and security are now at the top of the corporate agenda," said Sarah Daniels, vice president of marketing at Secure Socket Layer (SSL) VPN vendor Aventail.

Dedicated leased lines cost thousands of pounds a year to run, but have the benefit of dedicated bandwidth and a dedicated link from point to point.

The same effect can be achieved with a £30-a-month DSL line and a series of VPN connections running over the internet.

"A VPN is potentially the killer application for things such as GPRS data access, because it allows people working in the field to connect to the office and actually do the work they normally had to be in the office for, rather than just surf the web and play with Hotmail," explained Simon Hodge, marketing director at IP VPN vendor BCW Advanced Technologies.

Network security has traditionally been a barrier to remote and field working. Giving remote workers access to corporate systems across the net would involve employers leaving network ports wide open and systems in a public-facing state - making them easy prey for hackers and malicious code writers.

But by securing these services, you shut them off from anyone outside the physical limits of the corporate network.

This leaves businesses with the challenge of providing access across an untrusted link, but at the same time trying to retain security.

"It's no longer the case that IT people deliver access across networks they trust, to people that work for their company on machines they manage," said Daniels.

"And this presents a big problem if you're a chief information officer challenged with extending and managing remote access to more people and places and across more networks."

What is a VPN?
A VPN allows users to securely connect across an open network such as the internet, so that data being sent cannot be intercepted, read or otherwise interfered with.

It works much like the direct cable connection you have at your desk linking your PC to the network - only there is no cable. Everything is done using strong encryption and advanced data packet handling.

There are two types of VPN in use. The most common is an IP VPN, based on the same internet protocol we use every day. The other is SSL VPN, often found in larger, high-end systems and in dedicated hardware VPN systems.

The key benefit in both cases is secure data, and remote users connected via a VPN do not compromise your systems in the same way as simply allowing direct remote connections over untrusted networks.

However, as with most security technologies, it's all too easy to think you are safe just because you have a VPN, even if you are not using it properly.

"There is a risk that VPNs create a false sense of security," warned Tim Pickard, strategic marketing director at RSA Security.

"By securing the transmission of data, they offer privacy. But they do not verify the identity of the user accessing the network.

"A truly secure VPN needs some form of strong user authentication, something stronger than passwords which can be easily guessed or stolen, to ensure that you know who is accessing your network."

RSA is one of a number of companies offering advanced security tools to protect remote access and login, such as secure tokens to ensure that a VPN is not compromised by someone discovering a user's login name and password.

More than just security
It's all too easy to get bogged down with the security applications for a VPN, but the technology offers far more than that.

As well as providing a secure link between the corporate Lan and the remote user, or between sites, VPNs are also an important enabling technology.

They provide access to features on the corporate Lan such as printers, drive shares, back-end databases and direct access to email servers, rather than just web-based access. Most companies today do not allow open access to the server outside the Lan.

"The VPN is important for making remote and, in particular, expensive wireless access productive," said Hodge.

"Using a VPN will allow a company to provide access to devices and facilities on the Lan that are often not practical or safe to offer openly over the internet, such as access to printers or order systems.

"Imagine how much more productive remote workers would be if they could print out stuff remotely using the office printers, or upload orders without having to come into the office to get access to back-end systems."

That sums up the real point of VPNs: their value is not in security, but rather as a business enabler.

FIVE STEPS TO BUILDING YOUR VPN

With each new product and version, VPNs are becoming easier to implement, use and understand. As with firewalls, VPNs were once highly technical, requiring specialist skills and a deep understanding of the structure of the corporate Lan.

For this example, we are using BCW's Secure Planet, although the process will be similar for most software-based VPNs.

1. The VPN comes in two parts: a client and a gateway. The gateway is installed on the machine on the edge of your network, through which inbound and outbound traffic will pass.

Setting up your gateway is simply a case of installing the application, defining a group of IP addresses that will be used for the VPN connections, and adding some company information such as name, country of origin, IT department contact information and your choice of encryption algorithm.

2. Next you will need to enter your licence key. Most VPN products are licensed by number of concurrent users, so it is important to investigate how much use a VPN is likely to get, so that you can specify an appropriate licence in the first instance.

3. Next you need to make a couple of tweaks to your firewall to ensure that VPN traffic can pass through it. Access to and from port 500 for user datagram protocol (UDP) traffic is needed.

UDP is a communications protocol that offers a limited amount of service when messages are exchanged between computers in an IP network. UDP is an alternative to the transmission control protocol and, together with IP, is sometimes referred to as UDP/IP.

You may also have to enable access for internet control message protocol traffic, which is a message control and error reporting protocol between a host server and a net gateway.

4. The client set-up process is just a matter of installing the client application on the user's PC or laptop, then sending them a welcome email from the VPN Gateway application, which will include all the necessary configuration information needed for access.

Once this has been received and actioned, the client will become 'enrolled' as a trusted user able to access the VPN, subject to their username and password being entered.

5. When a user connects to the network via the VPN, they run the client, log in and wait to establish the connection. The user will be securely tied into the corporate network and retain access to network drives and databases, internal email servers and printers.
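
A check that could follow the firewall change in step 3, added here as an example and not part of the original article or of BCW's product: it reads iptables-save style rules and flags any that open UDP port 500 or ICMP to more than the VPN gateway. The iptables rule format, the gateway address 192.0.2.10, the ICMP type and the sample rules are all assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Assumed VPN gateway address (documentation range), not from the article.
GATEWAY = ipaddress.ip_address("192.0.2.10")

# Constructed iptables-save style rules, not taken from a real firewall.
SAMPLE_RULES = """\
-A FORWARD -p udp -d 192.0.2.10/32 --dport 500 -j ACCEPT
-A FORWARD -p udp --dport 500 -j ACCEPT
-A FORWARD -p icmp -d 192.0.2.10/32 --icmp-type echo-request -j ACCEPT
-A FORWARD -p icmp -d 192.0.2.10/32 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p tcp -d 192.0.2.20/32 --dport 443 -j ACCEPT
"""

OPTIONS = {"-p": "proto", "-d": "dst", "--dport": "dport",
           "--icmp-type": "icmp_type", "-j": "target"}


def parse_rule(line):
    """Map the options of one '-A CHAIN ...' line to a dict."""
    tokens = shlex.split(line)
    return {OPTIONS[opt]: val
            for opt, val in zip(tokens, tokens[1:]) if opt in OPTIONS}


def audit(rules_text, gateway=GATEWAY):
    """Return (rule, reason) for ACCEPT rules wider than step 3 requires."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        is_udp500 = rule.get("proto") == "udp" and rule.get("dport") == "500"
        is_icmp = rule.get("proto") == "icmp"
        if rule.get("target") != "ACCEPT" or not (is_udp500 or is_icmp):
            continue
        # A rule with no -d matches every destination.
        dst = ipaddress.ip_network(rule.get("dst", "0.0.0.0/0"), strict=False)
        if dst.num_addresses != 1 or gateway not in dst:
            findings.append((line, "destination wider than the VPN gateway"))
        elif is_icmp and "icmp_type" not in rule:
            findings.append((line, "all ICMP types allowed"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{reason}: {rule}")
```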
