Saturday 24 May 2008

Network Encryption and VPN Security

Of late, network architects have been asking more and more often about network encryption, encrypted transport and virtual private network (VPN) security. Part of the reason may be breaches like the one at TJX, the parent company of TJ Maxx, Marshalls and HomeGoods. TJX isn't alone: several high-profile exposures of personal information, including one involving the names of 80% of current active-duty military personnel held on U.S. government systems, have prompted an executive mandate that encryption be used whenever personally identifiable information is in transit or at rest.

The two technologies most often used to encrypt information in transit are Secure Sockets Layer (SSL, whose standardized successor is Transport Layer Security, TLS) and IPsec.


Four types of network encryption

  1. Clientless SSL: The original use of SSL, in which a host computer connects directly to a resource (Web server, mail server, directory, etc.) over an encrypted link. The resource itself terminates the encryption.
  2. Clientless SSL with a VPN appliance: From the host's point of view this looks like the first case, but the encryption is terminated by a VPN appliance in front of the resource rather than by the Web or mail server. Unless the appliance re-encrypts, the leg between appliance and server is cleartext, so where that appliance sits matters.
  3. Host-to-network: In the two schemes above the host connects to a single resource over an encrypted channel. In this mode the host runs client software (either an SSL or an IPsec client) to connect to a VPN appliance and becomes, logically, a member of the network that contains the resources it is targeting. That also means the host's own security posture now matters to that network.

    • SSL: Because configuration is simpler, SSL has become the de facto choice for this type of VPN. The client is often a small, Java-based program delivered through the browser that users may not even notice.
    • IPsec: Until SSL became popular for host-to-network VPNs, IPsec clients were the norm. IPsec is still widely used but can confront users with a confusing number of options to configure (IKE and ESP proposals, authentication method, tunnel versus transport mode).
  4. Network-to-network: A site-to-site encrypted tunnel between two gateways. It can be built in any number of ways, but the technology in use is almost always IPsec.

In a network-to-network VPN, encryption runs from one network device (gateway) to the next, and the hosts behind the gateways see none of it. Because of everything we expect today's network equipment to do, some other gotchas come up in the discussion:

  • Interaction with other technologies: WANs often rely on Quality of Service (QoS), Deep Packet Inspection (DPI) or WAN acceleration, all of which need to see inside packets. If encryption is deployed without these services in mind it renders them useless: an IPsec ESP packet exposes only the outer addresses, the SPI and a sequence number. Copy the DSCP marking from the inner packet to the outer header so QoS still works, and put DPI and accelerators on the cleartext side of the tunnel endpoint. Network Address Translation (NAT) is another hurdle: ESP carries no port numbers for a NAT device to rewrite, and AH's integrity check covers the addresses themselves, so use IKE/ESP NAT traversal (UDP encapsulation on port 4500) wherever a tunnel crosses NAT.
  • Overlay network: Encrypted tunnel VPNs create an overlay of encrypted links on top of the existing network. Each link runs between two specific interfaces, so the overlay has its own topology, its own failure modes and a smaller effective MTU (tunnel headers take space), which means planning for fragmentation or TCP MSS clamping.
  • DNS, IP addressing and routing all require special attention in a secure VPN. Some VPN technologies work well with private address space; others work even when the endpoints are dynamically addressed. Overlapping private ranges at the two sites have to be resolved (typically with NAT) before the tunnel is useful, and routes to the remote networks have to point into the tunnel.
  • Bandwidth: Network engineers constantly juggle bandwidth to give their users the best possible experience, but with a secure VPN they also have to consider encryption bandwidth: the gateway's ability to encrypt and decrypt large streams of data, which on general-purpose hardware can become the bottleneck before the WAN link does. ESP tunnel mode also adds per-packet overhead (outer IP header, ESP header, padding and integrity check value), which costs the most on small packets such as VoIP.
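What a middlebox actually sees once a tunnel is up is easy to demonstrate. The following Python script is an added example, not code from the original article or from Burton Group: it builds a cleartext IPv4/TCP packet, wraps it in a simplified ESP tunnel-mode envelope with the DSCP value copied to the outer header, wraps that again in UDP/4500 NAT traversal, and reports what a QoS, DPI or NAT device can classify at each stage, plus the per-packet overhead. The addresses, key, keystream construction (HMAC-SHA256 in counter mode standing in for AES) and 16-byte truncated HMAC ICV are assumptions made so the script runs with only the standard library.

```python
# Added example, not code from the original article or from Burton Group.
# Builds a cleartext IPv4/TCP packet, wraps it in a simplified IPsec ESP
# tunnel-mode envelope, and shows what a QoS/DPI/NAT box on the WAN can still see.
# Assumptions (mine, not the article's): encryption is simulated with an
# HMAC-SHA256 counter-mode keystream and a 16-byte truncated HMAC ICV so the
# script needs only the standard library; real ESP uses AES-GCM or AES-CBC+HMAC.
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO, UDP_PROTO, ESP_PROTO = 6, 17, 50
IPV4_IN_ESP = 4          # ESP next-header value for an encapsulated IPv4 packet

def ipv4_header(src, dst, proto, payload_len, dscp=0, ttl=64):
    """20-byte IPv4 header with a valid checksum; DSCP lands in the TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def classify(pkt):
    """What a middlebox can extract from one packet on the wire."""
    ver_ihl, tos, total_len, _, _, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": proto, "dscp": tos >> 2, "len": total_len}
    if proto in (TCP_PROTO, UDP_PROTO):
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if proto == TCP_PROTO:           # 20-byte TCP header assumed (no options)
            info["payload"] = pkt[ihl + 20:]
    elif proto == ESP_PROTO:
        info["spi"], info["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
        # Everything after SPI/sequence number is ciphertext: no inner addresses,
        # ports or application data for DPI, QoS classifiers or WAN accelerators.
    return info

def keystream(key, spi, seq, n):
    """Stand-in for a real cipher: HMAC-SHA256 in counter mode keyed per (SPI, seq)."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_tunnel_encap(inner, key, spi, seq, outer_src, outer_dst, copy_dscp=True):
    """Tunnel-mode ESP: the whole inner packet becomes the encrypted ESP payload."""
    pad_len = (-(len(inner) + 2)) % 4                    # align trailer to 4 bytes
    pt = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_IN_ESP])
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, spi, seq, len(pt))))
    esp = struct.pack("!II", spi, seq) + ct
    esp += hmac.new(key, esp, hashlib.sha256).digest()[:16]   # ICV over header+payload
    dscp = (inner[1] >> 2) if copy_dscp else 0           # keep QoS marking visible
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp), dscp=dscp) + esp

def esp_tunnel_decap(pkt, key):
    """Verify the ICV first, then decrypt and strip the ESP trailer."""
    esp = pkt[(pkt[0] & 0x0F) * 4:]
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pt = bytes(a ^ b for a, b in zip(body[8:], keystream(key, spi, seq, len(body) - 8)))
    pad_len = pt[-2]
    return pt[:-(pad_len + 2)]

def nat_t_encap(esp_pkt):
    """UDP-encapsulate ESP on port 4500 so a NAT device has ports to rewrite."""
    ihl = (esp_pkt[0] & 0x0F) * 4
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp_pkt) - ihl, 0) + esp_pkt[ihl:]
    return ipv4_header(str(ipaddress.IPv4Address(esp_pkt[12:16])),
                       str(ipaddress.IPv4Address(esp_pkt[16:20])),
                       UDP_PROTO, len(udp), dscp=esp_pkt[1] >> 2) + udp

def demo():
    key = b"\x11" * 32                                   # constructed demo key
    http = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"   # constructed payload
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0) + http
    inner = ipv4_header("10.1.0.5", "10.2.0.80", TCP_PROTO, len(tcp), dscp=46) + tcp
    outer = esp_tunnel_encap(inner, key, 0x1000, 1, "203.0.113.10", "198.51.100.20")
    return {"cleartext": classify(inner),
            "esp": classify(outer),
            "nat_t": classify(nat_t_encap(outer)),
            "overhead_bytes": len(outer) - len(inner),
            "roundtrip_ok": esp_tunnel_decap(outer, key) == inner}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and compare the three classifications: the cleartext packet yields the full 5-tuple and the HTTP request; the ESP packet yields only gateway addresses, protocol 50, an SPI and the copied DSCP 46; the NAT-T packet yields UDP 4500/4500, which is what lets a NAT device forward it. The 48 bytes of overhead on an 84-byte packet is the bandwidth cost the last bullet warns about.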

Whatever the motivation, the time is right to explore the technology. Encryption is less expensive and more widely available (it is embedded in firewalls, routers and WAN accelerators) than it has ever been. A word of caution: choose among technologies by considering them in order of complexity, starting with the simplest one that meets the requirement; minimize the burden on the network and on its users; and verify that QoS, inspection, NAT and routing still behave once the tunnel is up. By keeping to a few basic principles, you can make encryption a very useful, even vital, tool for securing your network.


Source: An article written by Jeff Young, senior analyst at Burton Group.

