Proceed with caution - Page 2

By Lauren Gibbons Paul | Posted Jun 1, 1999
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn


Components Of A Secure VPN:
VPN gateway (server, router, or firewall)
VPN client software
VPN PKI (Public Key Infrastructure) encryption strategy
VPN client software
Encryption accelerators
X.509 authentication certificates
Certificate authority
Directory services (e.g., LDAP)
Transport connections (private or public)
Source: VeriSign Inc.

But Forrester's Julian says access control--rather than encryption and authentication--is the biggest piece of the VPN security puzzle. "Authentication and encryption are just the beginning. We need a way not just to figure out who someone is and make sure the data is safe, but also to make subsets of applications available to user groups. There's no good way to do that today," he says. No one has yet figured out a way for companies to let employees into the piece of the SAP R/3 financials application that applies to them, for example, rather than giving them access to the whole application. Says Julian, "Today, you're either in the application or you're not."

Leslie Stern, product marketing manager for Check Point, acknowledges that the company's VPN products are not currently integrated with enterprise applications like R/3, so the application would automatically recognize the user's access rights and let him see only appropriate data. This level of integration will require much work on the part of the enterprise application vendors, according to Stern. "For that to happen, there's a certain amount of sophistication that will have to be on the application vendor's side," she says. "We attack part of the process but the application vendors will have to do their part, too."

Many companies today are choosing to protect a single application server with Check Point's VPN gateway/firewall product, adds Stern. This allows them to avoid many access control problems by filtering out unauthorized users with extra-strong authentication just prior to entering the application. "[Using the application server firewall,] we can create classes of users with varying access levels. Then it's up to the application to deliver precisely the right information to the user."

Julian calls access control relative to security the "missing link" of VPN technology, although he expects the gap to be filled relatively soon.

Keeping Intruders Out
Companies employ different security measures to protect their VPNs. Some install and manage their own VPN security, while others outsource security to a third-party service provider.

Source: Forrester Research Inc., late 1997 report

This will hamper companies' ability to build extranet VPNs. After all, no company wants its business partners--no matter how close--to have unfettered access to their data. Access control remains thorny. Several start-up companies are working to address this problem, but none has succeeded to date, according to Julian.

E-commerce in general and VPNs in particular put a company's security organization in a whole new light, says Julian. "Security people have never had the opportunity to have such a strategic impact on the organization. The challenge is to find a way to open up more of the corporation while still keeping it secure," he says.

Richard Karon, a security analyst for Perot Systems Corp., agrees. Perot uses the Check Point VPN-1 gateway to let consultants access the corporate intranet from the road. When he was preparing the business case to justify buying the Check Point product, Karon relished the opportunity to show a clear return on investment. "This is the first time where I've ever seen a security product that could help lower your costs," says Karon, at Perot headquarters in Dallas.

Not a done deal

Lessons Learned
Don't skimp on user education. Dave Dengler, CIO of Keane Inc., which has a large VPN, says he would spend a lot more time preparing the users if he had the project to do over again. Especially where the remote users are spread out geographically, it's important to educate them via e-mail, newsletters, and the like on what to expect. Dengler has now teamed up with his corporate marketing department to get the word out on VPN usage.
Take stock. Dengler recommends doing a complete inventory of remote users' hardware prior to implementing a VPN. You'll need to know configuration information on all the laptops when planning your VPN rollout.
VPNs have been the subject of much interest--and much hype--in the past year or two, but that doesn't mean the technology is necessarily ready for prime time. "Many people see VPNs as nirvana, solving all their remote-access problems, but it's not. [This approach] has its own problems," admits VeriSign's Chaudhry, who sells VPN technology. For example, all VPNs require some software to reside on the client. Most VPN clients today are "fat" rather than lightweight and easy to manage.

Many early adopters are proceeding with caution. Ellen Van Cleve, director of data communications for The New York Times, has been researching VPNs for more than two years. She's attracted to the idea of giving Times employees easy and cheap access to the intranet while away from the office. But she worries about--among other things--the reliability of the Internet, the transport protocol for VPNs.

"We won't place mission-critical applications on a [VPN-based] intranet without a readily available fallback to non-Internet access methods--not yet, anyway," says Van Cleve, in New York City. Her team is conducting rigorous testing of Internet security and reliability. These users are "beating up" on the VPN to see if they can uncover security holes and testing mission-critical applications to see if the reliability is adequate.

The truth is VPN technology is not quite there, says Forrester's Julian. "It's not really happening now. VPNs are too complex for a mass of people to be doing them at this point. You find tire-kicks for the most part." But if you're eyeing your dial-up bills with despair, start checking out your VPN options now. Julian expects most issues to be resolved within six months to a year. //

Lauren Gibbons Paul is a contributing editor and monthly columnist for Datamation. She writes frequently on intranet and e-commerce issues. You can reach her at laurenpaul@mediaone.net.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter