VPNs in the distributed enterprise: security begins with the firewall - Network Management
Communications News, Nov, 2002 by Stewart Hulett
Although larger companies may be able to address the need for security in a distributed network by linking their various locations with leased lines, this approach is expensive and not affordable for many midsize and smaller companies that still favor a distributed enterprise business model. With the latter, these companies understand that they can attract and retain productive employees, while minimizing real estate costs and taking advantage of local resources.
The key to efficient and successful distributed computing is creating a virtual private network (VPN) by maintaining always-on connections to the Internet--and protecting these connections with a firewall to prevent unauthorized access to private corporate resources over the public network.
Many companies clamp down, and do not allow communication over the public network for any company-related matter. Dial-up is a secure option, but the 56-kbps speed does not meet today's business needs. Often, companies will beef up security at the corporate headquarters, but leave remote employees with few options. This approach fragments the corporation and can have repercussions on the company's performance. Working as a seamless, single organization is essential to rapidly respond to market demands and stay competitive.
Take a company that has protected its corporate headquarters LAN, but has not yet implemented the network, management and data security required for a secure VPN between this LAN and a remote branch office or a telecommuter. Each time a remote employee accesses the corporate LAN, the entire network is exposed to a security risk. Why? To gain access to all corporate resources, all a hacker has to do is access the branch office LAN, then use this position to step across to the headquarters LAN.
THE WEAKEST LINK
Distributed enterprises should also be aware that as the number of branch offices and telecommuters increases, so does the risk of exposure to this type of security breach--unless each and every point of access to the LAN is secured over a VPN that supports dedicated private links between distributed sites. The security in a distributed enterprise is only as strong as its weakest link, because, lacking a VPN, the weak link can always be exploited to gain full access to the entire network.
This risk is not eliminated with network address translation (NAT) systems. With NAT, ports are dynamically opened and closed to create links between remote sites; but the ports, once opened, are not always closed as soon as the communication ends. During this delay, a hacker can gain access and re-establish the link.
A secure VPN is also essential for fostering strong business-to-business and peer-to-peer relationships. No potential trading partner would want to engage in Web-based transactions unless absolutely sure that these transactions would not present an opportunity for a hacker to gain access to its own network.
With this perspective, securing links in a distributed enterprise can be viewed as a market imperative--and a marketing advantage. A company with a highly secure VPN linking its entire distributed enterprise--with a high level of security protection at every site--is surely far more attractive than one that relies on NAT, or no security at all, to prevent unauthorized access.
Good security that relies on VPNs begins with a firewall, a device that is located between the private LAN and the Internet. A firewall permits only the passage of packets authorized on the basis of several parameters, including packet filtering, address translation, access control lists, stateful inspection and content filtering. Firewalls must be located at every node in the distributed enterprise and can be personal (i.e., dedicated to a single workstation) or shared among several workstations.
ADDITIONAL PROTECTION
Firewalls are available as stand-alone devices or as integrated elements in the router platform that provides VPN functionality and full data security through support of additional security components, such as encryption and authentication algorithms. Encryption algorithms ensure that data is protected while traveling on the public network by preventing unauthorized snooping. Authentication algorithms ensure that only authorized users gain access to the network.
Routers that support industry-standard algorithms enable greater flexibility in configuring the security infrastructure and VPNs in a distributed enterprise because they can seamlessly interface with "big iron" corporate routers. This enables leveraging of existing firewall investments when adding remote facilities. With support for industry standards, routers at remote facilities can be linked to the corporate LAN through secure tunnels.
Another important factor to consider when creating VPNs in a secure distributed enterprise network is management. Because firewalls and routers are both manageable, they can be configured and customized to suit diverse network environments. Once configured, however, the security of the entire network is dependent on the security of the management interface. If an attacker gained access to the management interface of the firewall, the settings could be changed to suit the attacker's needs.
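The following is an added illustration, not code from the article: a small model of the branch-office firewall policy described above, combining default-deny packet filtering, stateful inspection with idle expiry (so an opening does not stay usable after the conversation ends), acceptance of tunnel traffic only from the headquarters VPN peer, and a management interface that is never reachable from the Internet. All addresses, interface names and the 60-second timeout are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the model (not from the article)
HQ_PEER = ipaddress.ip_address("203.0.113.1")      # headquarters VPN gateway
FW_WAN = ipaddress.ip_address("198.51.100.200")    # this branch firewall's Internet side
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")
MGMT_ADDR = ipaddress.ip_address("192.168.10.1")   # firewall management interface
IDLE_TIMEOUT = 60.0  # seconds of silence after which a flow's state is dropped

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "esp", "udp" or "tcp"
    iface: str          # arrival interface: "wan", "lan" or "tun" (inside the VPN)
    sport: int = 0
    dport: int = 0
    ts: float = 0.0     # arrival time in seconds

class StatefulFilter:
    """Default-deny filter with connection tracking and idle expiry."""
    def __init__(self):
        self.flows = {}  # (initiator, responder, proto, responder_port) -> last seen

    def decide(self, pkt: Packet) -> str:
        # Forget flows that have gone quiet: an opening that stays open after the
        # conversation ends is exactly the exposure the article warns about.
        self.flows = {k: t for k, t in self.flows.items() if pkt.ts - t < IDLE_TIMEOUT}
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.sport)
        # 1. Reply to a flow an inside host initiated (stateful inspection)
        if rev in self.flows:
            self.flows[rev] = pkt.ts
            return "accept"
        # 2. The management interface is reachable from the LAN or the tunnel only
        if dst == MGMT_ADDR:
            return "accept" if pkt.iface in ("lan", "tun") else "drop"
        # 3. From the Internet, only the VPN peer's IKE (udp/500, udp/4500) and ESP
        if pkt.iface == "wan":
            is_vpn = pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in (500, 4500))
            if src == HQ_PEER and dst == FW_WAN and is_vpn:
                return "accept"
            return "drop"
        # 4. Branch LAN hosts may initiate outbound; remember the flow for replies
        if pkt.iface == "lan" and src in BRANCH_LAN:
            self.flows[fwd] = pkt.ts
            return "accept"
        return "drop"
```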
