Sunday 6 May 2007

Technology - always close at hand

Sunday Business Post - Computers in Business Magazine - May 6 2007

The development of Virtual Private Network technology means that information and systems which workers require to do their business are rarely out of reach, writes Dermot Corrigan...

The development and ubiquity of Virtual Private Network (VPN) technology now means that the information and systems which Irish workers require to do their business are almost never out of reach, whether they are at home, temporarily out of the office, or even out of the country.

"If I am in Dublin airport and I want to connect back to the office, I will just connect to the wireless hotspot. I will open a VPN application on my PC which will set up a tunnel across the internet," said Karl McDermott, System Engineering Manager with Cisco Ireland. "It is like I am connected within the office, but it is actually across the network."

A VPN is the connection of private networks across a public or shared network. VPNs allow users who are located away from a company’s headquarters or branch offices to remotely access systems, networks, applications and resources via their own or a stranger’s PC or laptop. Typical VPN users in Irish businesses include mobile sales people filing orders from the road, workers in one branch of an organisation pulling down information from a centralised accounts or customer management system and teleworkers accessing their office applications from home.

More advanced VPN systems can be used to transfer voice and video data, or to connect together two or more branches of a company who are running shared systems or applications in real time. Michael Conway, director of Renaissance Contingency Services, said that the rollout of broadband across Ireland had enabled the deployment and utilisation of VPNs in many organisations.

"If somebody is working from home, they are normally going to have to deliver whatever communications they have via broadband," said Conway. "VPN is the most secure and flexible way of setting up a company to company communication within a broadband environment."


John Conlon, who heads the solutions team at Cable & Wireless, said that there are a number of different VPN options available to Irish organisations.

"There are two types of VPNs," he said. "Site to site VPNs are used in place of your standard leased line or frame relay circuit to connect two sites together, maybe a head office and a branch site. Then there is the client to site VPN which is normally used by individuals who are on the road, working from home, or as a consultant and want to connect back securely to centralised resources."

Connecting via a VPN network is very simple, not too different from logging on to your network from your desktop or accessing the internet via a dial-up connection.

"Normally you will have on your laptop a VPN client, which is a piece of software," said Conlon. "You will have to give your credentials to the VPN device, which will authenticate you and let you through."


VPN and firewalls
Once there is a VPN solution running on their machine, it might appear to the user that they are hooked up to their company network as normal, but generally this is not the case. The firewall application will place itself in between the remote VPN user and the network and manage and monitor the access to ensure nothing untoward occurs.

"The firewall knows that you are trying to communicate from a remote site and it automatically brings up a tunnel between this site and the remote site," said Sean Rooney, Technical Director of Integrity Solutions.

"The firewall encapsulates the traffic going via the connection. After the initial setup happens it is all done automatically; the user will not be aware of any of that happening at all."

This apparent ease of access means that there are very real security and privacy concerns around VPN use. Generally people do not want anyone outside their organisation, particularly criminal elements or competitors, to see, hear or otherwise access information which is being communicated or transferred using the VPN. Hence VPN technology is closely linked with firewall applications.

"A VPN offers access to corporate systems and it is essential that such perimeter access is effectively protected to ensure that the central systems are not compromised," said Conway. "Firewalls should be deployed and anti-virus should be centrally deployed, administered and managed to ensure that the integrity of the systems is protected."

In today’s environment of sophisticated spyware threats, phishing scams and myriad other security menaces, networks have to be sure that anyone trying to access their system is who they say they are. Conway said that VPN and firewall solutions now expect users to prove their identity using more than the conventional username and password.

"Traditionally people might have just used a password, which is a single factor of identification," he said. "Now we are moving towards two factor identification, either with a physical device, or with no device. A physical device might be a small number generator that you can plug in to the USB port, so that every minute it will generate an actual number. This is combined with the server sitting in your headquarters. You put in your usual ID, plus this random number, and that will then let you log on."

"Two factor identification with no physical device is using SMS technology whereby I have a onetime password or number string sitting on my phone which I get SMSed to me," said Conway. "I have a PIN which I know and I take the first character, second character, fourth character etc from that string. When I have used it, I will get another string sent to me."
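Both of Conway's second factors can be shown working end to end. The following is an added example, not code from the article or from any of the vendors quoted in it. The "small number generator" is modelled as a standard time-based one-time password (HOTP per RFC 4226, TOTP per RFC 6238: an HMAC over a counter derived from the clock, which is what most such tokens do; the article does not name the algorithm, so that is an assumption). The SMS scheme is modelled directly from Conway's description: the server texts a random string, the user's secret PIN is a list of character positions, and each string is consumed after one use. The shared secret, user names and strings below are constructed test values (the HOTP secret is the RFC 4226 test-vector key).

```python
import hashlib
import hmac
import secrets
import string
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of
    `step`-second intervals since the Unix epoch, so the code changes
    on its own as the token's clock ticks."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a code the user typed alongside their usual ID.
    Token and server clocks drift, so codes from `window` intervals either
    side of the server's own time are accepted; compare_digest keeps the
    comparison constant-time."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return True
    return False


def new_sms_string(length: int = 8) -> str:
    """Random string the server texts to the user (constructed alphabet)."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def select_positions(otp_string: str, positions) -> str:
    """The response the user builds: the characters of the texted string
    at the 1-based positions that make up their PIN."""
    return "".join(otp_string[p - 1] for p in positions)


class SmsChallengeVerifier:
    """Server side of Conway's SMS scheme. `pins` maps user -> list of
    1-based positions (the user's secret). Each issued string is valid
    for exactly one login attempt, successful or not, which also stops
    an attacker guessing position combinations against one string."""

    def __init__(self, pins: dict):
        self.pins = {user: list(p) for user, p in pins.items()}
        self.outstanding = {}   # user -> string sent but not yet used

    def issue(self, user: str, otp_string: str = None) -> str:
        """Record the string texted to `user` (sending the SMS itself is
        out of scope); a fresh random string is generated if none is given."""
        otp_string = otp_string or new_sms_string()
        self.outstanding[user] = otp_string
        return otp_string

    def verify(self, user: str, response: str) -> bool:
        otp_string = self.outstanding.pop(user, None)   # consumed on first use
        if otp_string is None or user not in self.pins:
            return False
        expected = select_positions(otp_string, self.pins[user])
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    import time
    token_secret = b"12345678901234567890"          # constructed shared secret
    now = int(time.time())
    code = totp(token_secret, now)
    print("token shows", code, "accepted:", verify_totp(token_secret, code, now))

    server = SmsChallengeVerifier({"alice": [1, 2, 4]})
    texted = server.issue("alice")
    reply = select_positions(texted, [1, 2, 4])
    print("texted", texted, "reply", reply, "accepted:", server.verify("alice", reply))
    print("same reply again accepted:", server.verify("alice", reply))
```

The TOTP `window` is the usual trade-off: a wider window tolerates more clock drift on the token but gives an attacker more valid codes at any instant, so one interval either side is the common default.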

Another level of security is put in place through encryption, where even if someone manages to get a look at your information as it is being carried over the internet, they will be unable to use it.

Conlon said that almost all VPN / firewall solutions will include encryption as standard. "Encryption is an absolute requirement when using a VPN, or the P is lost basically," he said. "It is quite technical, but basically the devices carry out advanced encryption that is almost impossible to hack."

Caroline Ikomi, security engineer with Check Point Software in the UK, said that it is imperative to keep your encryption methods up to date, as hackers will be working on the systems that are in the market to try and crack the codes.

“As new vulnerabilities emerge the software will need to be updated to protect against these vulnerabilities,” said Ikomi. “This is becoming increasingly important as we see hackers using more and more sophisticated attacks.”

Most companies require users to shut down all other programmes on their PC, especially internet browsers or email systems, before opening their VPN application.

"There is an issue about people being allowed to browse out to the internet, and use the VPN, at the same time," said Conlon. "You do not want a situation where somebody could hack into your machine through the internet, and then use that as a channel to get into the company through your VPN."
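The situation Conlon describes, a client that is on the internet and on the VPN at once, is what network engineers call split tunnelling, and the usual technical control, beyond asking users to close their browsers, is to configure the client so that all traffic is forced through the tunnel. The following is an added check, not code from the article or from any vendor it quotes: it reads a Linux `ip route` style table and reports whether the VPN is carrying everything or only the corporate ranges, and which destinations remain reachable outside the tunnel. The two route tables are constructed samples, the tunnel interface name `tun0` is an assumption, and `203.0.113.10` stands in for the VPN gateway address.

```python
import ipaddress

# Constructed sample route tables in `ip route` output format (not from the article).
# Split tunnel: only the corporate ranges go via tun0, everything else goes out wlan0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
172.16.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""

# Full tunnel: the 0.0.0.0/1 + 128.0.0.0/1 pair is more specific than the
# default route, so all internet traffic is pulled into tun0. The local LAN
# and the host route to the VPN gateway itself are the expected exceptions.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text: str):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        network = ipaddress.ip_network(dest, strict=False)   # host routes become /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((network, dev))
    return routes


def tunnel_mode(routes, tunnel_iface: str = "tun0") -> str:
    """'full' when the routes bound to the tunnel interface add up to the
    whole IPv4 space (a default route, or the two /1 halves), else 'split'."""
    tunnel_nets = [net for net, dev in routes if dev == tunnel_iface]
    collapsed = list(ipaddress.collapse_addresses(tunnel_nets))
    if collapsed == [ipaddress.ip_network("0.0.0.0/0")]:
        return "full"
    return "split"


def bypass_routes(routes, tunnel_iface: str = "tun0"):
    """Destinations still reachable outside the tunnel. In full-tunnel mode
    the bare default route is shadowed by the /1 pair and is not reported."""
    full = tunnel_mode(routes, tunnel_iface) == "full"
    out = []
    for net, dev in routes:
        if dev == tunnel_iface:
            continue
        if full and net.prefixlen == 0:
            continue
        out.append(str(net))
    return out


def audit(text: str, tunnel_iface: str = "tun0") -> dict:
    """Summary a client-health check or support engineer can act on."""
    routes = parse_routes(text)
    return {"mode": tunnel_mode(routes, tunnel_iface),
            "outside_tunnel": bypass_routes(routes, tunnel_iface)}


if __name__ == "__main__":
    for name, table in (("split sample", SPLIT_TUNNEL), ("full sample", FULL_TUNNEL)):
        print(name, audit(table))
```

On a real machine the same functions can be fed the output of `ip route` (or `ip -4 route`); a result of `split` with `0.0.0.0/0` in the list is the condition Conlon warns about, while a `full` result whose only exceptions are the local LAN and the gateway host route is what a forced-tunnel policy should produce.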

Web based VPN technologies such as SSL (secure sockets layer) are also increasingly being used by Irish organisations. With SSL VPNs the user goes online as normal and browses to a particular URL that uses HTTPS protocol, for instance https://secure.thepost.ie.

"You log in with your credentials, and extra security such as two factor authentication is optional there as well," said Rooney. "Depending on what the administrator has configured that can give you access to your desktop, your email or whatever applications you have on your network. Sometimes it will install a little tunnelling client onto the desktop you are using, which will allow you straight access into the network over IP."

The advantage to the user of SSL is that the VPN can be called up from any machine; they do not need to have a laptop with the VPN application installed to hand.

“A lot of people are interested in this as it means you do not need to install clients on their laptops, so they can use somebody else's machine or internet cafes for example to connect to their home site, without having to install any software,” said Rooney.

A disadvantage of SSL VPNs is that security becomes even more of an issue if you are using an unknown or unverifiable machine.

"Generally the VPN or firewall will install a tiny ActiveX or Java control which will clean up the desktop when they are finished," said Rooney.

Many Irish organisations are now looking to incorporate wireless connectivity into their networks. The latest VPN solutions will include this wireless capability.

"The growth in use of VPN technology has been about increasing the level of accessibility, whether users are at home, on their smart phone or Windows mobile device or alternatively using a laptop in a customer's site or connecting via a wireless LAN (Local Area Network)," said Ikomi.

Next generation VPNs
Most traditional VPNs have been internet based. This means that networks suffer the same issues and drawbacks as the traditional internet, such as quality of service and reliability. "Even if you have high speed internet connections at all of your sites, there is no guarantee that a problem on the internet, like a worm outbreak, will not affect communications on your VPN," said James McLoughlin, senior security specialist with Lan Communications.

Conlon said that another issue with internet based VPN systems is that even high speed broadband access may not be as quick as people are used to in their internal LAN (Local Area Network). "There can be performance deficiencies," he said. "It is not as fast as it would normally be if you were on the LAN."

Newer technologies, such as MPLS (Multiprotocol Label Switching) are stepping in to deal with these issues.

"MPLS based networks will gain a lot of ground in the coming years," said McLoughlin. "MPLS based VPN is intended as a replacement for traditional Wide Area Network (WAN) technologies. It has the ability to eliminate quality of service issues and decrease integration problems."

MPLS VPNs also allow for greater flexibility and mobility of connections across the network. Internet based VPNs use a hub and spoke type model, with individuals connecting back to a central system.

McDermott said that MPLS technology allows individual users or branches to communicate directly with each other, without having to be routed through HQ.

"A lot of companies are moving to MPLS based VPNs because in a leased line world you have got a hub and a spoke," he said. "You have the headquarters and then the branches and if one branch wants to talk to another, it goes via the headquarters. An MPLS VPN allows one branch to talk to another branch directly. All of our customers that have more than one office and want to connect branches are now utilising VPNs and starting to move to MPLS."

As organisations get used to greater and more sophisticated levels of data over their standard networks, including voice or video traffic, they also expect to be able to use their VPN in a similar way. Using the internet for a VPN makes it difficult for anyone to guarantee the level of reliability and quality required for voice or video traffic.

McDermott said that MPLS technology allows networks to carry a greater level of traffic, including data, voice and video, and also can provide the reliability and quality required.

Importantly, it also facilitates the intelligent management of a network, which also helps to maintain service levels.

"One of the benefits of the VPN is that the service provider can offer the customer the ability to prioritise the different applications across the VPN," said McDermott. "That is something that they would not have previously been able to offer."

"A very good example of that is the move to IP telephony or Voice over IP, where that ability to prioritise voice traffic ahead of data traffic is very important. Likewise if they have a particular application that is quite critical or client sensitive, the VPN technology will allow them to prioritise that application ahead of others, such as email or batch transfers."

McDermott said that as MPLS is a private network solution, there is not the same requirement for security and encryption features.

"Most customers do not firewall the traffic," he said. "MPLS based VPNs are as secure as leased lines or any other wide area technology. However, some customers are choosing to encrypt communication across the network. Very often these are financial institutions, but they would be the exception rather than the rule."

The ability to carry extra loads, specifically voice over IP traffic, means that one quite basic, but very important, benefit of resilient and reliable VPNs is to help organisations eat into their fixed line and mobile phone bills.

Conlon said that when he contacted people from outside the office, he was still using his office phone line, and did not have mobile costs "or anything like that."

Conlon also referred to a customer who had a lot of staff working on projects in the Far East.

"They have a requirement for regular conference calls back to Belfast, to other colleagues around the world, and also to speak to their family, so they had a lot of mobile costs," he said. "We were able to integrate VPN technology into their telephony which allowed them to give the guys a phone which if they had access to the internet, which is now basically ubiquitous, they could connect across the VPN and could make local phone calls and set up conference calls as if they were in the office."

Conway said that VPN technology is increasingly being used to allow people not on the company payroll, including customers, suppliers or consultants, restricted access to an organisation’s internal network.

"People now are using VPNs to place orders on their suppliers' sites," he said. "They are making secure access available on a controlled basis to the supplier or the customer, depending on their relationship. Very often in the manufacturing environment you may have situations where the customer is looking at what is coming off the line, or even getting some levels of reporting."


Different VPN product options
There is a wide range of different VPN products available at present to Irish organisations. The best purchase for a company will depend on the budget and requirements of their business.

"A VPN can be very simple, very inexpensive, or it can be something that can be very complicated and expensive," said Conway. "Large corporate customers look at solutions that support lots of remote users and can be centrally managed and administered, whereas when you get into the small business end you will get a lot of fairly straightforward systems."

Rooney said that setup costs for a VPN start at about €400 for a basic firewall with VPN functionality, and a lot of companies would have these firewalls in place already.

A mid sized company looking for full VPN usage, including teleworking capability, full site-to-site access and full security measures should budget around €5,000 for a full VPN installation, he said. At enterprise level the costs then go up into the tens of thousands.

Companies can decide to purchase a full VPN and firewall solution and run it themselves, or they can opt for VPN, and all the associated security aspects, as a managed service from a service provider.

"A network provider can provide and manage the whole VPN infrastructure for you," said Conlon. "With the latter case there are more ongoing costs, and with the former there are more costs up front."

McLoughlin said that integrating a VPN solution properly into an organisation’s systems can prove challenging if the proper care and attention is not taken or paid.

"It is easy to go to the local retail park computer store and buy a VPN solution off the shelf and VPNs themselves are relatively plug and play," he said. "The trick is making sure your network and the applications on it function the way you want them to. The applications need to be made aware that there is a network in place where there was not before. It is the same issues and challenges as deploying a Wide Area Network in that respect."

Ikomi said that integration is especially key when considering the security issues around VPN deployment, as a breakdown in communication between two security systems can have particularly damaging consequences.

“Managing the use of solutions from multiple vendors can be challenging,” said Ikomi. “That is why it’s best to consolidate and minimise the number of security vendors providing solutions for any given security infrastructure.”

Conlon said that in some cases VPN installations can cause extra headaches and man hours for an IT support team. However, correctly managed deployments can lessen the IT support workload.

"You have to be careful about how you deploy your VPN," said Conlon. "You do not want them to become a huge overhead in terms of managing. Anything that has a lot of users, and you have to manage passwords and people's profiles, you need to make sure that you have an infrastructure that allows you to manage that centrally, and then to push that out to the client."

Conlon said that a managed services partner can intelligently use a MPLS VPN to move other services and systems off site and streamline a company’s internal network.

"Then you can begin to use a managed services partner to manage your VPN traffic," he said. "It can take all those headaches away, you can have internet based firewalls, internet based email exchange etc. You can take all that out of the core of your network and hand it over to a service provider."
