Three crucial elements for maximum security: optimize network security architectures with integrated VPN/firewalls

Communications News, Dec, 2001

Deploying the optimal security architecture, one that is effective and cost-efficient, requires three primary elements: maximum threat protection with minimum risk, high performance and ease of administration. Meeting all three requirements at the same time is a fairly straightforward task these days, thanks to the advent of integrated virtual private network (VPN)/firewall solutions.

Firewalls are the gatekeepers that work to control access both in and out of corporate networks. VPNs use encryption and tunneling to privately connect users over a public network. Both indispensable security mainstays, they coexisted quite well for a decade until their integration was prompted by one pesky problem: Firewalls cannot enforce access control of encrypted traffic.

This dilemma means that companies using stand-alone VPNs must think carefully about the placement of the VPN gateway in relation to the firewall. Certain placements will limit access control and present multiple authentication challenges. Others will affect routing processes.

All placements, clearly, will require that the VPN remain separate from the firewall, thereby saddling security engineers with two devices to manage and maintain, each with its own policies and procedures. By opting to use integrated devices, however, companies can reduce the burden of security administration, while improving protection and performance.

Most corporate networks seek the same primary security objective: Keep threats to a minimum. An integrated VPN/firewall solution better meets this objective because the VPN gateway, and therefore VPN connectivity, receives protection from the firewall.

Since the devices share user information, access control keeps prohibited content and users from passing through the firewall, while remote users with permission to access specific resources behind the firewall are recognized and allowed to proceed.

Without firewall protection, however, a VPN is vulnerable to a number of threats. Stand-alone VPN gateways have only rudimentary access control techniques, such as packet filtering, that apply solely to the packets being transmitted; they cannot decide whether a given remote user is authorized to reach a particular corporate resource.

If the VPN is placed in front of the firewall and is compromised by an attack, all VPN communications will cease, or worse yet, be transmitted in the clear. If the VPN is placed behind the firewall, a port must be opened within the firewall to let the encrypted traffic through, before being decrypted within the VPN. Even if the VPN is placed parallel to the firewall, the gateway still has a direct connection to the Internet and represents a visible target for malicious activity.

Despite claims by some critics, integrated VPN/firewalls can potentially improve performance through the use of cryptographic acceleration cards, which offload processor-intensive cryptographic operations from the host CPU to a dedicated processor on the card. Integrated bandwidth management addresses network congestion issues by prioritizing business-critical traffic over discretionary traffic to optimize available WAN links.

Conversely, the use of stand-alone VPNs can actually undermine the efficiency of the security architecture. VPNs placed in front or to the side of the firewall often do not share information with the firewall, posing a problem for traffic passing through from remote access users. The VPN gateways decrypt traffic, but they do not control access. This means that decrypted connections must also pass through the firewall to obtain clearance, so a user may be forced to authenticate at the VPN gateway and again for every firewall rule requiring authentication.

When the VPN sits beside the firewall, this procedure becomes even more inefficient. Once the gateway has decrypted the traffic, it routes the data to the firewall for access control, and only then is the traffic forwarded to the network resource for which it is destined. Outbound traffic is processed by the firewall and VPN gateway in a similar fashion.

This means that every VPN communication request requires two connections to the firewall, affecting access control efficiency for the entire network, and limiting the performance of the VPN device to the throughput of the overburdened firewall. It complicates management and usability--which have a direct impact on the performance of the security devices.
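The two points made above, that a firewall in front of the VPN gateway sees only an opaque encrypted envelope and so cannot apply a user/resource rule, and that a stand-alone gateway forces the user to authenticate at the gateway and again at the firewall, can be shown in a small model. The following is an added example written for this article, not code from the article or from Check Point; the addresses, user names, resources and the XOR "encryption" are constructed stand-ins for a real IPsec ESP security association, and the function names are hypothetical.

```python
"""Toy model of VPN gateway placement relative to a firewall.

Constructed example: the XOR below stands in for ESP encryption and carries
no real security; addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Optional

ESP = 50                        # IP protocol number for IPsec ESP
VPN_GATEWAY = "203.0.113.10"    # constructed address of the VPN gateway
KEY = 0x5A                      # toy key standing in for the IPsec SA

# Access-control policy the integrated device applies after decryption:
# which remote user may reach which internal resource.
POLICY = {("alice", "intranet-web"), ("bob", "mail")}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    user: Optional[str] = None       # visible only after decryption
    resource: Optional[str] = None   # inner destination the user wants
    ciphertext: bytes = b""          # opaque ESP payload


def esp_encapsulate(user: str, resource: str, src: str) -> Packet:
    """Wrap the inner request in an opaque ESP envelope addressed to the gateway."""
    inner = f"{user}:{resource}".encode()
    return Packet(src=src, dst=VPN_GATEWAY, proto=ESP,
                  ciphertext=bytes(b ^ KEY for b in inner))


def esp_decapsulate(pkt: Packet) -> Packet:
    """What the VPN gateway does: recover user and resource from the envelope.
    In the model this step is where the user is authenticated."""
    user, resource = bytes(b ^ KEY for b in pkt.ciphertext).decode().split(":")
    return Packet(src=pkt.src, dst=resource, proto=6, dport=80,
                  user=user, resource=resource)


def packet_filter(pkt: Packet) -> str:
    """Stand-alone firewall rule base.  On an ESP packet it sees only the outer
    header, so all it can do is pass the envelope to the gateway (the 'port'
    that must be opened) or drop it; the user/resource policy cannot be
    evaluated until something has decrypted the traffic."""
    if pkt.proto == ESP:
        return "PASS_OPAQUE" if pkt.dst == VPN_GATEWAY else "DROP"
    return "ALLOW" if (pkt.user, pkt.resource) in POLICY else "DENY"


def integrated_gateway(pkt: Packet) -> tuple:
    """Integrated VPN/firewall: decrypt first, then apply the rule base once.
    Returns (verdict, number of authentication prompts the user saw)."""
    inner = esp_decapsulate(pkt)
    verdict = "ALLOW" if (inner.user, inner.resource) in POLICY else "DENY"
    return verdict, 1


def standalone_chain(pkt: Packet) -> tuple:
    """Stand-alone gateway behind or beside the firewall: the filter passes the
    envelope, the gateway decrypts and authenticates the user, and the
    decrypted connection goes through the firewall, whose rule requires the
    user to authenticate a second time."""
    if packet_filter(pkt) != "PASS_OPAQUE":
        return "DROP", 0
    inner = esp_decapsulate(pkt)       # first authentication, at the gateway
    verdict = packet_filter(inner)     # second authentication, at the firewall
    return verdict, 2


if __name__ == "__main__":
    allowed = esp_encapsulate("alice", "intranet-web", "198.51.100.7")
    denied = esp_encapsulate("alice", "mail", "198.51.100.7")
    for name, p in (("allowed", allowed), ("denied", denied)):
        print(name, "filter alone:", packet_filter(p),
              "integrated:", integrated_gateway(p),
              "stand-alone:", standalone_chain(p))
```

Running the block shows the filter returning the same PASS_OPAQUE verdict for the permitted and the prohibited request, because from the outside the two ESP envelopes are indistinguishable; only the devices that decrypt reach an ALLOW or DENY, and the stand-alone chain gets there at the cost of a second authentication.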

A stand-alone VPN gateway placed parallel with the firewall also encumbers optimal performance. To make the configuration possible, the VPN gateway must provide integrated network address translation (NAT), as well as support for a pool of IP addresses that can be assigned dynamically to remote access VPN users. If the gateway does not support NAT, connectivity issues can result.

Finally, integrated VPN/firewall solutions scale into VPN networks with minimal interruption to network operations.

www.checkpoint.com

Circle 253 for more information from Check Point Software Technologies

COPYRIGHT 2001 Nelson Publishing
COPYRIGHT 2002 Gale Group