Secure Corporate Communications over VPN-Based WANs

REZAN FISLI

Master’s Degree Project Stockholm, Sweden 2005

TRITA-NA-E05182


Numerisk analys och datalogi, KTH, 100 44 Stockholm
Department of Numerical Analysis and Computer Science, Royal Institute of Technology, SE-100 44 Stockholm, Sweden

REZAN FISLI

TRITA-NA-E05182

Master's Thesis in Computer Science (20 credits) at the School of Computer Science and Engineering, Royal Institute of Technology, year 2005. Supervisor at Nada was Olof Hagsand. Examiner was Stefan Arnborg.



Secure Corporate Communications Over VPN-Based WANs

Abstract

This report describes and compares various techniques for creating corporate Wide Area Networks (WANs), based on Virtual Private Network (VPN) technology. VPN technology is the comprehensive term for techniques that use public or shared networks for connecting sites or users together. VPNs can be contrasted with actual private networks, created by a system of owned or leased dedicated lines. The main benefits of VPNs over private networks are that they are more scalable and reduce costs, without impairing security.

VPNs can be categorized as either secure or trusted VPNs, Customer Edge (CE) or Provider Edge (PE) based VPNs, or client-based or web-based VPNs. These categories often overlap each other.

The main purpose of the report is to serve as a basis when choosing among VPN technologies. The report will show that a combination of technologies (i.e. a hybrid solution) is usually the best solution.

Secure Corporate Communications over VPN-Based WANs

Summary (translated from the Swedish)

This master's thesis report compares and describes various techniques for creating VPN-based corporate WANs (Wide Area Networks). VPN (Virtual Private Network) is the collective term for the techniques that use public or shared networks to connect offices and users together. VPNs can be compared with private networks. Private networks are built from owned or leased dedicated connections. The main advantages of VPNs compared with private networks are that VPNs are cheaper and more scalable. At the same time, the security of a VPN is equivalent to that of a private network.

VPNs can be categorized as either secure or trusted, customer-network-based or provider-network-based, or client-based or web-based. These categories often overlap each other.

The main purpose of this report is to serve as a basis when choosing among VPN technologies. The report shows that a hybrid solution is often the best solution.


Contents

1 General (p. 1)
1.1 Background (p. 1)
1.2 Scope (p. 1)
1.3 Acknowledgements (p. 2)
1.4 Introduction (p. 2)
1.5 What is a VPN? (p. 3)
1.6 The Benefits of VPNs (p. 3)
1.7 Supported Infrastructure (p. 4)
1.8 VPN Requirements (p. 5)
1.8.1 General Requirements (p. 6)
1.8.2 Remote Access Requirements (p. 7)
1.8.3 Extranet Requirements (p. 8)

2 Categorization of VPNs (p. 10)
2.1 Introduction (p. 10)
2.2 Secure and Trusted VPNs (p. 11)
2.3 PE-based and CE-based VPNs (p. 11)
2.4 Client-Based and Web-Based VPNs (p. 13)
2.4.1 Advantages of the Client-Based VPN Approach (p. 14)
2.4.2 Disadvantages of the Client-Based Approach (p. 15)
2.4.3 Advantages of the Web-Based VPN Approach (p. 16)
2.4.4 Disadvantages of the Web-Based VPN Approach (p. 17)
2.4.5 Conclusions (p. 18)
2.5 Outsourced and In-House Secure VPNs (p. 19)

3 Technologies/Protocols (p. 21)
3.1 Pre-VPN Solutions (p. 21)
3.1.1 Site-to-Site Leased Lines (p. 21)
3.1.2 Remote Access - Dial-In Access (p. 22)
3.2 Trusted VPN technologies (p. 23)
3.2.1 X.25 (p. 23)
3.2.2 Frame Relay (p. 24)
3.2.3 ATM (p. 25)
3.2.4 MPLS (p. 25)
3.3 Secure VPNs (p. 28)
3.3.1 PPTP (p. 29)
3.3.2 L2TP (p. 29)
3.3.3 IPSec (p. 30)
3.3.4 SSL (p. 32)

4 WAN Design (p. 35)
4.1 Introduction (p. 35)
4.2 Design Objectives (p. 35)
4.2.1 Performance (p. 35)
4.2.2 Availability (p. 36)
4.2.3 Accommodating Growth and Change (p. 36)
4.2.4 Management and Manageability (p. 36)
4.2.5 Disaster Recovery (p. 36)
4.2.6 Cost (p. 37)
4.3 Understanding the Network Environment (p. 37)
4.3.1 Network Applications (p. 37)
4.3.2 Cost of Downtime (p. 37)
4.4 Design the WAN Topology (p. 38)
4.4.1 Flat vs. Hierarchical Topology (p. 38)
4.4.2 Redundancy (p. 39)
4.5 Achieve the Design Goals (p. 40)

5 Case Studies (p. 42)
5.1 Introduction (p. 42)
5.2 Questions and Answers (p. 42)
5.2.1 What does your topology look like (sites, links, redundancy, management)? (p. 43)
5.2.2 What applications are you running over your WAN? (p. 44)
5.2.3 Are you using leased lines, trusted VPNs, secure VPNs or a hybrid solution? (p. 44)
5.2.4 When are you using leased lines or trusted VPNs and why? (p. 44)
5.2.5 When are you using secure VPNs and why? (p. 44)
5.2.6 What secure VPN technology are you using? (p. 45)
5.2.7 What remote access solution(s) are you using? (p. 45)
5.2.8 How are you using extranet communications? (p. 46)
5.2.9 Do you outsource your secure VPNs or manage them yourselves? (p. 47)
5.2.10 Future trends? (p. 47)

6 Discussion and Conclusions (p. 49)
6.1 Introduction (p. 49)
6.2 Technologies (p. 49)
6.2.1 Site-to-Site (p. 49)
6.2.2 Remote access (p. 51)
6.2.3 Extranet (p. 52)
6.3 In-House or Outsourced VPN management (p. 53)
6.4 WAN Design (p. 54)
6.5 Case Studies (p. 54)

References (p. 56)

A Security Policies (p. 1)
A.1 Introduction (p. 1)
A.2 Background (p. 1)
A.3 Fundamental Security Requirements (p. 2)
A.4 Introduction to Security Policies (p. 2)
A.4.1 What is a Security Policy? (p. 2)
A.4.2 What is the Purpose of a Security Policy? (p. 2)
A.4.3 What Makes a Good Security Policy? (p. 3)
A.5 How to Develop a Security Policy? (p. 3)
A.5.1 Assessment/Risk Analysis (p. 3)
A.5.2 Write the Security Policy (p. 5)
A.5.3 Implement the Policy (p. 13)


List of Acronyms

ADSL Asymmetric Digital Subscriber Line
AH Authentication Header
ATM Asynchronous Transfer Mode
BGP Border Gateway Protocol
CE Customer Edge
CIR Committed Information Rate
DCE Data Circuit-terminating Equipment
DES Data Encryption Standard
DMZ De-Militarized Zone
DLCI Data Link Connection Identifiers
DTE Data Terminal Equipment
ESP Encapsulation Security Payload
FEC Forward Equivalence Class
GRE Generic Routing Encapsulation
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IP Internet Protocol
IPSec Internet Protocol Security
ISAKMP Internet Security Association and Key Management Protocol
LAN Local Area Network
LDP Label Distribution Protocol
LER Label Edge Router
LIB Label Information Base
LSP Label Switch Path
LSR Label Switch Router
LMI Line Management Protocol
L2F Layer Two Forwarding
L2TP Layer Two Tunneling Protocol
MAC Message Authentication Code
MD5 Message Digest algorithm 5
MPLS Multi Protocol Label Switching
MPPE Microsoft Point-to-Point Encryption
NAT Network Address Translation
OSI Open System Interconnection
OSPF Open Shortest Path First
PE Provider Edge
PPTP Point-to-Point Tunneling Protocol
QoS Quality of Service
RSA Rivest Shamir Adleman
RSVP ReSerVation Protocol
SA Security Association
SDH Synchronous Digital Hierarchy
SHA Secure Hash Algorithm
SLA Service Level Agreement
SNA Systems Network Architecture
SSL Secure Sockets Layer
TCP Transmission Control Protocol
UDP User Datagram Protocol
VCI Virtual Circuit Identifier
VoIP Voice over Internet Protocol
VPI Virtual Path Identifier
VPN Virtual Private Network
VPNC Virtual Private Network Consortium
WAN Wide Area Network


Summary

The infrastructure of corporate WANs can be divided into three distinct parts (see Section 1.7). The various VPN technologies presented in this report (see Chapter 3) are more or less suitable for each part. The first part describes connections between corporate sites (site-to-site intranets), the second part describes connections between external parties and corporate sites (extranet), and the third part describes connections between remote users and corporate sites (remote access).

VPNs can be categorized as secure or trusted VPNs (see Section 2.2), CE-based or PE-based VPNs (see Section 2.3), or client-based or web-based VPNs (see Section 2.4). These categories often overlap each other.

Trusted VPNs usually originate and terminate in a service provider's network (i.e. PE-based VPNs). The privacy afforded by these VPNs is based on data separation and an assurance from the service provider that no one else is using the same circuit. Examples of technologies used in trusted VPNs are X.25, Frame Relay, ATM, and MPLS (see Section 3.2). Secure VPNs are constructed using encryption and other security mechanisms (e.g. authentication, integrity checking). These VPNs originate and terminate at the network edge (i.e. CE-based VPNs) or at the sending computer (i.e. client-based/web-based VPNs). In secure VPNs, communication is done over the Internet, and the underlying protocols are usually IPSec (see Section 3.3.3) or SSL (see Section 3.3.4).

In client-based VPNs, the device that builds up the VPN tunnel is software running on a PC. Client-based VPNs are often compared to web-based VPNs. In web-based VPNs, a web browser can be used to originate VPN tunnels. The most common protocol used in client-based VPNs is IPSec, and the most common protocol used in web-based VPNs is the SSL protocol. IPSec operates on layer three of the OSI model while SSL operates at layer five. This means that when connections are established with IPSec, more access to the network is allowed. Client- and web-based VPNs are most commonly used for creating remote access VPNs.

Trusted VPN technologies, although reliable and offering high performance, are often expensive and do not scale well. MPLS is an exception (see Section 3.2.4). It inherently offers any-to-any connectivity and performs well (i.e. high throughput, low latency etc.). MPLS is therefore a good choice for site-to-site VPNs. MPLS is offered as a managed service. If service charges are too high, or network requirements are not very high, a CE- and IPSec-based VPN can be chosen. IPSec is a good choice since it is seamless as opposed to SSL. If network requirements are high, however, IPSec is not sufficient since it uses the public Internet as communications means.

Network requirements mostly depend on the applications running over the corporate WAN. Some applications might, for example, require more bandwidth, others might be more sensitive to delay or jitter. A deep understanding of the network requirements of the applications running over the WAN is therefore required when choosing among the VPN technologies (see Section 4.3.1).


When creating remote access VPNs, two types of users must be discerned: roaming users, who can connect from any computer and any location, and users connecting from trusted environments. In the case of roaming users, more attention should be paid to security since connections are established from insecure locations. A two-factor authentication solution should be considered in these cases. A web-based solution based on SSL is a good solution for roaming users since it does not require a preinstalled client. Mobility is thus supported. Users connecting from trusted environments could use a client-based approach. Since the environment is more secure, there is no need for a two-factor authentication solution, which also makes it cheaper. In addition, a client-based solution based on IPSec is more seamless, which suits these types of users better. Roaming users often have lower access requirements, e.g. an employee checking his/her e-mail from the airport, while users connecting from trusted environments more likely need to work in a seamless environment, e.g. a user working from home or customer premises.

When granting third parties access to internal resources, thus creating extranets, the principle of least access should be followed. This means that no more access should be granted than what is required by the external user. External users should be grouped into access levels based on their access requirements. If access requirements are low, a web-based solution based on SSL can be used. If access requirements are higher, other solutions must be used, for example a client-based solution.
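The least-access grouping described above can be made concrete in code. The following Python script is an added example and is not part of the thesis: it defines a small ordered set of extranet access levels (constructed level names and resource sets, each tagged with the web-based SSL or client-based approach the summary associates with low and higher requirements) and assigns each external user to the lowest level that covers everything that user needs, refusing requests for resources that no level grants.

```python
"""Least-access grouping of extranet users (added example, not from the thesis).

The access levels, resource names and partner records below are constructed
for illustration only.
"""
from dataclasses import dataclass, field

# Access levels ordered from least to most access. Each entry lists the
# resources the level exposes and the VPN approach used to deliver it:
# a web-based (SSL) portal for low requirements, a client-based VPN when
# more of the internal network must be reachable. (Constructed values.)
ACCESS_LEVELS = [
    ("L1-portal",  {"extranet-web"},                                "web-based (SSL)"),
    ("L2-apps",    {"extranet-web", "project-app"},                 "web-based (SSL)"),
    ("L3-network", {"extranet-web", "project-app", "build-server"}, "client-based VPN"),
]

# Everything the extranet offers at all; anything else is refused outright.
KNOWN_RESOURCES = set().union(*(granted for _, granted, _ in ACCESS_LEVELS))


@dataclass
class ExternalUser:
    name: str
    organisation: str
    required: set = field(default_factory=set)   # resources the partner needs


def choose_access_level(user):
    """Return (level_name, approach) for the least level that covers every
    resource the user needs. Raises ValueError for resources no level grants,
    so an out-of-scope request is refused instead of being silently mapped to
    the highest tier."""
    unknown = user.required - KNOWN_RESOURCES
    if unknown:
        raise ValueError(f"{user.name}: no extranet level grants {sorted(unknown)}")
    for name, granted, approach in ACCESS_LEVELS:   # ascending: first hit is least access
        if user.required <= granted:
            return name, approach
    raise AssertionError("unreachable: the top level covers KNOWN_RESOURCES")


def is_permitted(level_name, resource):
    """Check a single access request against the grant set of a level."""
    for name, granted, _ in ACCESS_LEVELS:
        if name == level_name:
            return resource in granted
    return False


def group_users(users):
    """Map each external user to its least covering level: name -> (level, approach)."""
    return {u.name: choose_access_level(u) for u in users}


if __name__ == "__main__":
    partners = [  # constructed sample partners
        ExternalUser("alice", "Supplier A", {"extranet-web"}),
        ExternalUser("bob",   "Partner B",  {"project-app", "extranet-web"}),
        ExternalUser("carol", "Customer C", {"build-server"}),
    ]
    for name, (level, approach) in group_users(partners).items():
        print(f"{name}: {level} via {approach}")
```

Because the levels are scanned in ascending order, a user who only needs the portal never lands in the client-based tier even though that tier would also cover the portal; that ordering is what enforces the least-access principle.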

VPNs can be managed internally (these are called in-house VPNs) or outsourced (these are called managed VPNs; see Section 2.5). Trusted VPNs are usually managed. When choosing between an in-house or managed solution, security and cost trade-offs must be performed.

When creating a corporate WAN, design issues must be addressed (see Chapter 4), in addition to choosing technology. WAN design concerns issues such as determining the network topology. The network could have a flat or a hierarchical topology. The flat topology has two layers: one main site to which all remote sites connect. In the hierarchical topology, at least one other layer is introduced between the main and remote site(s). A flat design is less complex and thus easier to manage. It also has fewer router hops, which decreases latency when forwarding data across the network. The hierarchical model, on the other hand, allows for better disaster recovery.
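The trade-off between flat and hierarchical topologies, and the link-count argument from Section 1.6 about full-mesh leased lines, can both be checked on small constructed topologies. The Python script below is an added example, not the thesis's own material: the site and hub names are invented, the graphs are built in memory, and the functions measure the hop count between sites, what remains reachable when the main site or a regional hub fails, and how many links direct any-to-any connectivity would need.

```python
"""Comparing WAN topologies (added example, not from the thesis).

Builds a flat (hub-and-spoke) topology and a hierarchical one for the same
remote sites, then measures router hops to the main site, reachability after
a node failure, and the number of links a full mesh would need. All site
names are constructed.
"""
from collections import deque


def flat_topology(main, remotes):
    """Flat design: every remote site links directly to the main site."""
    return {(main, r) for r in remotes}


def hierarchical_topology(main, regions):
    """Hierarchical design: main site links to regional hubs, each remote
    links to its regional hub. regions is {hub_name: [remote, ...]}."""
    edges = set()
    for hub, remotes in regions.items():
        edges.add((main, hub))
        edges.update((hub, r) for r in remotes)
    return edges


def full_mesh_link_count(n_sites):
    """Links needed for direct any-to-any connectivity between n sites."""
    return n_sites * (n_sites - 1) // 2


def adjacency(edges, failed=()):
    """Undirected adjacency map with the failed nodes (and their links) removed."""
    adj = {}
    for a, b in edges:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hops(edges, src, dst, failed=()):
    """Shortest path length in links (breadth-first search); None if unreachable."""
    adj = adjacency(edges, failed)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def reachable_from(edges, src, failed=()):
    """Set of nodes still reachable from src once the failed nodes are removed."""
    adj = adjacency(edges, failed)
    seen, stack = {src}, [src]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    remotes = ["stockholm", "malmo", "oslo", "helsinki"]           # constructed
    flat = flat_topology("hq", remotes)
    hier = hierarchical_topology("hq", {"hub-se": ["stockholm", "malmo"],
                                        "hub-nordic": ["oslo", "helsinki"]})
    print("hops oslo->hq, flat:", hops(flat, "oslo", "hq"))
    print("hops oslo->hq, hierarchical:", hops(hier, "oslo", "hq"))
    # Main site down: in the flat design every remote is isolated; in the
    # hierarchical design a region keeps working through its own hub.
    print("flat, hq failed:", reachable_from(flat, "stockholm", failed={"hq"}))
    print("hierarchical, hq failed:", reachable_from(hier, "stockholm", failed={"hq"}))
    print("links:", len(flat), "flat;", len(hier), "hierarchical;",
          full_mesh_link_count(len(remotes) + 1), "full mesh")
```

The hop counts reproduce the latency argument (one extra hop per added layer), while the failure runs show the disaster-recovery side: with the main site removed the flat topology leaves each remote on its own, whereas the hierarchical one keeps each region internally connected.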


Chapter 1

General

1.1 Background

This master's project was commissioned by Teleca Sweden East AB, which is a part of the Teleca business group [22]. The Teleca business group is an international IT services company focused on R&D that develops and integrates advanced software and IT solutions. Teleca has more than 3,000 employees in 16 countries all across the world. Teleca has until now conducted business in a decentralized way, with the different subsidiaries being almost independent from each other. This way of conducting business is now changing. The cooperation between the subsidiaries is intensifying, and more and more projects are staffed with consultants from different Teleca subsidiaries. In order to better support the changes, the different subsidiaries need to be able to share development environments and resources which, at least, requires connectivity between the participating subsidiaries. The purpose of this Master's project is to propose a WAN solution for the Teleca business group. The WAN solution must support the infrastructure described in Section 1.7. That is, it must support communication between Teleca sites (intranet site-to-site connectivity), between Teleca sites and customer/partner sites (extranet site-to-site connectivity) and between Teleca sites and remote users (remote access).

1.2 Scope

This report will mainly cover technologies that fall within the VPN concept. Technologies that fall outside the VPN concept will only be covered briefly. The actual VPN technologies included are those that have had historical importance, are widely used today, or are believed to play an important role in the future. Those that do not match these criteria have thus been left out.

Cost issues will only be covered briefly. In some cases, however, cost considerations cannot be ignored. For example, we cannot ignore cost when we compare leased lines to Internet-based VPN solutions because leased lines are far more expensive.

The same goes for some technical issues. For example, we will not include routing protocol limitations (see Section 4.4.1) or describe label distribution in MPLS in detail (see Section 3.2.4).

1.3 Acknowledgements

I would like to thank a number of people who have helped me during the master's project. I would like to thank my supervisor at Nada, Olof Hagsand, my examiner at Nada, Stefan Arnborg, and my supervisor at Teleca, Lennart Preuss. I would also like to thank Åke Lind and Erik Linse at Teleca for commissioning the master's project. Furthermore I would like to thank Johan Papp, Sverker Forsberg, Louise Björklund and Mats Wallander at Teleca, and Göran Larsson at GVL Consulting for their valuable help.

1.4 Introduction

The business landscape has changed for many companies during the last few years. The reason for this change is, among other things, the rapid development of shared computer networks (e.g. the Internet) and their use as communications means for critical business data. The change has led to an increasing exchange of electronic traffic within and between companies. This includes traffic exchange between branch offices of a company (intranet site-to-site connectivity) and between the offices and remote and mobile workers (remote access). According to the International Data Corporation (IDC), subsidiary to the International Data Group (IDG), 40 percent of workers travelled for business in 2004. In 2006 this figure will rise to two thirds according to estimations [27]. In addition to this increase in intra-company communication, the on-line interaction with business partners and customers has increased (extranet site-to-site connectivity). Along with the increased exchange and sharing of corporate resources (often of a confidential nature), security becomes an important issue.

Today, there are many technologies that provide, more or less, secure ways to connect remote sites or users together, each with different features, advantages and disadvantages. The comprehensive term that will be used throughout this report for these technologies is Virtual Private Network (VPN) technologies. As previously stated, the report will also briefly cover technologies that fall outside the VPN concept. These technologies are called pre-VPN technologies in this report and include dial-in access and dedicated leased lines. The reason why they are called pre-VPN technologies is that, before the emergence of VPNs, they used to be the standard solutions for creating WANs. They are still in use today, but to a decreasing extent.

The purpose of this report is to serve as a basis when creating a company WAN which connects sites and users together using VPN technology. The purpose of creating such a WAN is to allow the resources of a company to be remotely accessed. Resources include files on the corporate Local Area Network (LAN), e-mail, various applications, employee desktops etc.

In addition to choosing proper VPN technology (covered in Chapter 3), WAN creation includes design issues. WAN design issues will therefore be covered in Chapter 4. Any other issues, for example budget issues, will only be covered briefly in this report.

As an attempt to make WAN creation easier, a few case studies showing how two major companies have created their WANs will be provided (Chapter 5).

Finally, in Chapter 6, conclusions will be provided. Originally, Chapter 6 was called "The Teleca Deployment". But since that chapter contained confidential information, the whole chapter was replaced with the present chapter.

1.5 What is a VPN?

A VPN is a private network that uses a public or shared network (e.g. the Internet or the network of a service provider) to connect remote sites or users together. It can be contrasted with an actual private network, created by a system of owned or leased dedicated lines.

1.6 The Benefits of VPNs

VPN technology has emerged from the fact that many companies have facilities spread out across the country or around the world. Wherever their offices, employees, partners or customers are, there is a need for secure, fast and reliable corporate data exchange. The main purpose of a VPN is to give companies the same capabilities as in private networks, or even better ones in some cases as the list below shows, but at a much lower cost. More specifically, depending on the chosen solution, companies benefit from VPNs in the following ways:

• The geographic connectivity of companies is extended when using VPNs. This allows companies to keep up with national and global expansion. The same global connectivity might not be reached when using purchased or leased lines, and even if connectivity could be reached, the cost would be enormous. VPNs also allow easier and more secure support for telecommuters.

• Security is not impaired when using VPNs since transmitted data is either encrypted or, if sent unencrypted, forwarded through trusted networks.

• When using VPNs, cost is reduced in many ways. Most importantly, VPNs eliminate the fixed monthly charge of dedicated leased lines. The cost is even higher if the lines are purchased.

• VPNs offer better scalability, more or less depending on the chosen solution. Scalability can be seen as another form of cost saving. Why is that? A company with only two branch offices can connect the two offices with just one leased line. But as the organization grows, full-mesh connectivity might be required between the different offices. This means that the number of leased lines, and the total cost associated with deploying them, increases exponentially. In addition, if a company wants to scale globally, the cost associated with deploying leased lines will be even higher, if it is even possible to reach the same global connectivity with leased lines. VPNs that utilize the Internet avoid this problem by simply using the infrastructure already available. MPLS (see Section 3.2.4) also solves this problem as it offers any-to-any connectivity at a lower cost.

• In addition to cost savings, VPNs increase profits by improving productivity. The improved productivity results from the ability to access resources from anywhere at any time (i.e. more business can be conducted).

1.7 Supported Infrastructure

A VPN should typically support the following infrastructure (see Figure 1.1): a main LAN at the headquarters of a company, other LANs at remote offices, partner or customer company LANs or employees, and individual users connecting from out in the field.

[Figure 1.1 (diagram): the Internet or the network of a service provider in the centre, connecting the Corporate Main Office with a Branch Office (Intranet), a Partner Office (Extranet) and Remote Users (Remote Access).]

Figure 1.1. The different parts of a corporate WAN.


There are basically two types of VPNs: remote access VPNs and those that support site-to-site networks. Site-to-site VPNs can further be divided into wide-area intranet VPNs and extranet VPNs. Often, companies have to implement a solution covering all these types.

Remote Access

The remote access VPN is a user-to-LAN connection used by companies that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports). Since users access the network over the Internet, the remote access VPN is a low-cost solution compared to the dial-up solution, which often results in costly phone bills.

Site-to-Site

By using dedicated equipment, companies can connect multiple sites over a public network such as the Internet, thus creating a site-to-site VPN. Site-to-site VPNs can be one of two types:

Intranet Site-to-Site VPNs. If a company has one or more branch offices that they wish to join in a single private network, they can create an intranet VPN. This is a low-cost solution compared to maintaining dedicated leased lines.

Extranet Site-to-Site VPNs. When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN which connects LANs together. By doing so, the partner companies can work in a shared environment.

VPN within an Intranet

Intranets can also utilize VPN technology to implement controlled access to subnets on the private network. Even though a public network is not involved in this case, the security features (e.g. encryption, authentication) of secure VPN technology are taken advantage of.

1.8 VPN Requirements

Creating a WAN with VPN technology might not be as simple as it sounds. There are many different VPN technologies out there, and just deciding which one to choose can be difficult since they all have advantages and disadvantages. The chosen solution should be the one that best meets the requirements of the company.


1.8.1 General Requirements

Each company has different requirements on their VPN, but usually the requirements listed below are included [17, p. 6]. A more detailed description of remote access and extranet requirements will follow the list of general requirements.

• Availability. The services offered by the WAN need to be available. This requirement is best met by a reliable network where redundancy is provided. Companies should choose service providers that can offer their customers guarantees for network uptime and performance, regulated in Service Level Agreements (SLAs). An SLA is a formal agreement made between a service provider and a company (service recipient) defining a specified level of service.

• Quality of Service (QoS). The users might require a certain QoS for certain VPN connections. QoS means that some traffic is prioritized based on its type. These requirements often depend on the applications running over the connection. See Section 4.3.1 for additional information about bandwidth requirements of WAN applications.

• Security. If the data sent over the VPN is sensitive, it might need to be encrypted. Not all the VPN solutions presented in this report provide encryption. Even if encryption is not provided, other security measures must be taken; for example, traffic from different VPNs must be separated so that traffic from one company's VPN does not flow onto another company's VPN.

• Cost. The cost for different VPN solutions can vary tremendously. Some solutions natively differ in cost, some allow the reuse of existing hardware (e.g. by using firewalls as VPN terminators) etc. In reality, the chosen solution will most probably be based on cost considerations. Cost issues will however only be covered briefly in this report, as previously stated.

• Manageability. Some VPN solutions require more maintenance and support than others. These solutions require skilled IT personnel to perform these tasks. Manageability can thus also be seen as a cost issue, since the costs associated with deploying a WAN based on VPN technology can be further reduced if the chosen solution is easy to configure and maintain. This is only an issue if an in-house secure VPN solution is chosen, see Section 2.5.

• Scalability. Enterprise networks often need to change over time. The changes might result from the addition of new sites, the increased need for remote access (by telecommuters), extranet connectivity etc. The chosen VPN solution should thus have the ability to scale to accommodate these changes.


1.8.2 Remote Access Requirements

Remote access requirements are mainly about encryption and authentication.

Authentication When it comes to authenticating the remote user, two types of users can be discerned: roaming/mobile users and users connecting from trusted computers. The first type of user can connect from any location and any computer, e.g. from a public computer at the airport. In this case, the remote computer cannot be trusted and two-factor authentication, i.e. strong authentication, is required in order to prevent someone else from later connecting to the company network by providing information (i.e. userid and password) that a keylogger on that computer has recorded. The scenario just described is possible with weak authentication. In weak authentication, only one factor (usually a password) is used in combination with the userid. Strong authentication, on the other hand, requires two forms of authentication (i.e. factors) to access a system. The first factor is usually something that the user knows, such as a password. The second factor is something that the user has, such as an electronic badge.

The second type of user is assumed to connect from a trusted computer, i.e. one located at a trusted location or used only by employees. In this case, weak authentication is sufficient. The password provided should however be strong. That is, it should be created by following certain rules, e.g. have a minimum length, mix upper- and lower-case characters etc. How to create a strong password should be described in the password policy (see Appendix A).

Two-factor authentication is more secure, and one might ask why this solution is not always used. The answer is that two-factor authentication systems are more costly, since the second factor must be purchased etc., and more difficult to manage, since tokens must be distributed etc.

Regardless of what type of authentication is used, login information should at no time be provided to anyone (not even family members). Furthermore, it is the responsibility of the remote user to ensure that the connection to the company network is given the same consideration as any on-site connection. It should also be stated that anyone found to have violated this responsibility may be subject to disciplinary action.
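The following Python example, added here and not part of the thesis, shows the two authentication rules above as code: a password policy check (minimum length and mixed case are the rules the text names; the digit rule is an added assumption), and a login decision that accepts the password alone from a trusted computer but demands a second factor from an untrusted one. The second factor is modelled as a hypothetical hardware token that derives a six-digit one-time code from a secret it holds and a counter; that HMAC-based construction, the user names and the secrets are assumptions of the example.

```python
import hashlib
import hmac
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed password policy: a minimum length and a mix of upper- and
# lower-case characters are the rules the thesis names; the digit rule is an
# added assumption of this example.
MIN_LENGTH = 12


def password_violations(password: str) -> List[str]:
    """Return the policy rules a password breaks; an empty list means it is strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case character")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, iterated hash of the password, never the password itself.
    # The salt is passed in here for reproducibility; generate it randomly
    # (e.g. secrets.token_bytes(16)) in a real system.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_code(token_secret: bytes, counter: int) -> str:
    """Hypothetical 'something the user has': a six-digit one-time code computed
    by a hardware token from a secret it holds and a counter (HMAC-based; this
    construction is an assumption of the example, not a scheme from the thesis)."""
    mac = hmac.new(token_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass
class RemoteUser:
    userid: str
    salt: bytes
    password_hash: bytes
    token_secret: Optional[bytes]   # None for users who were never issued a token


def enroll(userid: str, password: str, salt: bytes,
           token_secret: Optional[bytes] = None) -> RemoteUser:
    """Create a user record, refusing passwords that break the password policy."""
    violations = password_violations(password)
    if violations:
        raise ValueError(f"password policy violated: {', '.join(violations)}")
    return RemoteUser(userid, salt, hash_password(password, salt), token_secret)


def authenticate(user: RemoteUser, password: str, from_trusted_host: bool,
                 code: Optional[str] = None, counter: int = 0) -> Tuple[bool, str]:
    """One factor (the password) is enough from a trusted computer; a roaming user
    on an untrusted computer must also present the token code, so a password
    captured by a keylogger cannot be replayed on its own later."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return False, "bad password"
    if from_trusted_host:
        return True, "weak (one-factor) authentication accepted from trusted host"
    if user.token_secret is None or code is None:
        return False, "second factor required from untrusted host"
    if not hmac.compare_digest(code, token_code(user.token_secret, counter)):
        return False, "bad token code"
    return True, "strong (two-factor) authentication"


if __name__ == "__main__":
    # Constructed user and secrets.
    alice = enroll("alice", "Corr3ctHorseBattery", b"salt-0001", b"token-secret-0001")
    print(authenticate(alice, "Corr3ctHorseBattery", from_trusted_host=True))
    print(authenticate(alice, "Corr3ctHorseBattery", from_trusted_host=False))
    print(authenticate(alice, "Corr3ctHorseBattery", from_trusted_host=False,
                       code=token_code(b"token-secret-0001", 5), counter=5))
```

A real deployment must also track and advance the counter on the server side so that each token code is accepted once only; the example leaves the counter to the caller to keep the decision logic visible.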

Encryption Since remote access connections are often launched from unknown locations, and thus over public networks (it would be impossible to extend dedicated lines to each remote user’s location), data should be properly encrypted before transmission. By properly encrypted, we mean that the use of encryption should be limited to those algorithms that have received substantial public review and have been proven to work effectively. Examples of such algorithms are the Data Encryption Standard (DES) algorithm and the Rivest Shamir Adleman (RSA) algorithm. Encryption issues should also be addressed in an encryption policy, which should be part of an overall company security policy.


Other Remote Access Requirements There are a few other security requirements related to remote access connections. They arise from the fact that when a computer remotely accesses a corporate network, it actually becomes a node on that network. First of all, when a computer remotely connects to the corporate network, it should not be connected to any other network at the same time, because that other network would then also become part of the corporate network. An exception would be when the other network is trusted, e.g. a personal network under the control of the employee.

All remote computers, including personal computers, connected to the corporate network should use the most up-to-date anti-virus software.

Finally, if the remote computer is owned by the employee, it should meet the requirements of company-owned equipment for remote access, e.g. only approved VPN clients should be installed etc.

1.8.3 Extranet Requirements

An extranet is created when third-party organizations are granted access to non-public resources. A third-party organization, in this report, is a business that is not a formal or subsidiary part of the company.

When granting access to third-party organizations, different classes of access should be defined depending on the access requirements of each organization. The access classes should follow the principle of least access, which means that only access that matches business and security requirements should be allowed. Generally, there are two main classes of access. The first class includes cases where the third-party organization only needs access to information. This type of access is more secure since it does not require low-level (OSI speaking) access. Access to lower levels is less secure since more changes can be made the lower you get. If only information needs to be accessed, a web server containing the information can be placed on the DMZ. The second access class should include cases where the third-party organization requires a lower level of access. This type of access is mainly required when some part of the business has been outsourced to the third-party organization, which needs to configure and maintain that part. As previously stated, these are only the main access classes. A more granular classification should be defined. For example, the external user might need access to more than just information but less access than what would be required to perform maintenance, e.g. the extranet user might need to run applications on the company LAN.

Any changes in access must be accompanied by a valid business justification and are subject to security reviews. The team responsible for the extranet connections should regularly audit these connections to ensure that only the connections still needed exist and that connections that are no longer needed are terminated immediately.

Before access is granted to a third-party organization, some form of agreement should be signed by representatives of the company granting the access and of the third-party organization. The agreement should specify the terms and conditions (what technology to use etc.) of the connection. Other security considerations when creating extranets might include more control over the data transmitted over the extranet connections, e.g. more filtering rules in the firewalls, and locating the extranet resources in more secure locations, e.g. on a DMZ.
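The access classes and the periodic audit described in this section, as an added Python example that is not part of the thesis. The class names follow the text (information-only access to a DMZ web server, maintenance access for an outsourcing partner, and the more granular application class in between); the zone names, port numbers, partner names, dates and the observed connections are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Access classes following the principle of least access. "information" and
# "maintenance" are the two main classes the thesis describes; "application"
# is the more granular, intermediate class it mentions as an example. The
# zone names and port numbers are constructed for this example.
ACCESS_CLASSES: Dict[str, Dict[str, Set]] = {
    "information": {"zones": {"dmz"}, "ports": {443}},                   # read a web server on the DMZ
    "application": {"zones": {"dmz", "lan"}, "ports": {443, 8443}},      # run an application on the LAN
    "maintenance": {"zones": {"dmz", "lan"}, "ports": {443, 8443, 22}},  # configure an outsourced system
}


@dataclass(frozen=True)
class Grant:
    """An approved extranet connection: who, which class, why, and until when."""
    partner: str
    access_class: str
    justification: str
    expires: date


@dataclass(frozen=True)
class Connection:
    """An extranet connection as observed on the firewall (constructed sample data)."""
    partner: str
    zone: str
    port: int


def permitted(grant: Grant, conn: Connection) -> bool:
    """Does the connection stay inside the access class the partner was granted?"""
    cls = ACCESS_CLASSES[grant.access_class]
    return conn.zone in cls["zones"] and conn.port in cls["ports"]


def audit(grants: List[Grant], connections: List[Connection], today: date) -> List[str]:
    """Compare observed connections against the register of grants and report
    every connection that should be terminated or re-justified."""
    by_partner = {g.partner: g for g in grants}
    findings = []
    for conn in connections:
        grant = by_partner.get(conn.partner)
        where = f"{conn.partner} -> {conn.zone}:{conn.port}"
        if grant is None:
            findings.append(f"TERMINATE {where}: no grant on record")
        elif not grant.justification.strip():
            findings.append(f"REVIEW {where}: grant lacks a business justification")
        elif grant.expires < today:
            findings.append(f"TERMINATE {where}: grant expired {grant.expires}")
        elif not permitted(grant, conn):
            findings.append(f"TERMINATE {where}: outside class '{grant.access_class}'")
    # Grants that nobody uses any more are candidates for removal as well.
    active = {c.partner for c in connections}
    for g in grants:
        if g.partner not in active:
            findings.append(f"REVOKE grant for {g.partner}: no connection seen")
    return findings


# Constructed register and firewall observations for a sample audit run.
GRANTS = [
    Grant("partner-a", "information", "publishes price list to reseller", date(2006, 1, 1)),
    Grant("partner-b", "maintenance", "outsourced payroll system", date(2005, 3, 1)),
    Grant("partner-c", "application", "", date(2006, 1, 1)),
    Grant("partner-d", "information", "former supplier", date(2006, 1, 1)),
]
CONNECTIONS = [
    Connection("partner-a", "dmz", 443),   # inside the information class
    Connection("partner-a", "lan", 22),    # information partner reaching the LAN
    Connection("partner-b", "lan", 22),    # grant has expired
    Connection("partner-c", "lan", 8443),  # grant has no justification
    Connection("partner-e", "dmz", 443),   # no grant at all
]


def sample_audit() -> List[str]:
    """Run the audit over the constructed data as of 2005-06-01."""
    return audit(GRANTS, CONNECTIONS, date(2005, 6, 1))


if __name__ == "__main__":
    for line in sample_audit():
        print(line)
```

The audit deliberately reports an unused grant as well as an unapproved connection: the text asks that only the connections still needed exist, and a grant that no longer corresponds to any traffic is access waiting to be abused.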


Chapter 2

Categorization of VPNs

2.1 Introduction

The selection criteria for the VPN technologies included in this report have already been listed in the first chapter (see Section 1.2). The technologies can be categorized in several ways. Some of these ways are described in this report, see Figure 2.1.

Figure 2.1. Categorization of VPN and pre-VPN technologies. (Tree recovered from the figure: WAN Solutions split into VPN Solutions and Pre-VPN Solutions. VPN Solutions split into Secure VPNs, which are CE-based, client-based or web-based and use IPSec, PPTP or SSL, and Trusted VPNs, which are PE-based and use Frame Relay, ATM or MPLS. Pre-VPN Solutions are Leased/Owned Lines and Dial-In Access.)


2.2 Secure and Trusted VPNs

The main categorization used in this report is, among others, supported by the VPN Consortium (VPNC) [23], which is the international trade association for the manufacturers in the VPN market. According to this categorization, VPN solutions can be divided into secure and trusted VPNs.

By trusted VPNs we mean a VPN consisting of one or more circuits leased from a service provider. These VPNs usually originate and terminate in the provider’s network (PE-based/network-based VPNs). The privacy afforded by trusted VPNs is only that the service provider assures the customer that no one else is using the same circuit. A leased circuit runs through one or more communications switches, any of which can be compromised by someone wanting to observe the network traffic. The VPN customer trusts the VPN provider to maintain the integrity of the circuits and to use the best available practices to avoid snooping of the network traffic. It should be stated that trusted VPNs do not preclude security. If confidentiality is an issue, traffic can be encrypted before it is sent through the trusted VPN, thus creating a hybrid solution between trusted and secure VPNs. Examples of technologies used in trusted VPNs are Frame Relay, Asynchronous Transfer Mode (ATM), and Multi Protocol Label Switching (MPLS).

By secure VPNs we mean networks that are constructed using encryption and other security mechanisms (e.g. authentication, integrity checking). The traffic is encrypted at the network edge (CE-based VPNs) or at the sending computer (client-based/web-based VPNs) before moving over the Internet, and then decrypted when it reaches the corporate network or a receiving computer. Even if attackers can see the encrypted traffic, they cannot read it, nor can they change it without detection, since secure VPN protocols feature integrity checking mechanisms. In addition, secure VPN protocols provide authentication. Examples of secure VPN technologies are the Internet Protocol Security (IPSec) protocol and the Secure Sockets Layer (SSL) protocol. Since communication is done over the Internet, the availability and performance of secure VPNs depend on factors largely outside of a company’s control. The cost resulting from communication delays and outages must thus be considered.

Trusted and secure VPNs often operate on different layers of the OSI model. Trusted VPNs often use layer 2 technologies, whereas secure VPNs mostly operate on layers above IP. Trusted VPNs are usually offered by service providers as managed services, for example by allowing a customer to connect to an ATM, Frame Relay, or MPLS cloud for a fixed monthly fee. Creating a secure VPN, on the other hand, often includes purchasing, configuring and maintaining hardware and software (even though secure VPNs come as managed services as well).

2.3 PE-based and CE-based VPNs

VPN technologies can also be divided into Customer Edge (CE) based and Provider Edge (PE) based VPNs. PE-based VPNs are sometimes called Network-Based VPNs. Generally, trusted VPNs can be seen as PE-based VPNs while secure VPNs can be seen as CE-based VPNs.

Before describing these two types, a description of terminology will follow (see Figure 2.2).

The device (e.g. switch, router) located at the edge of the customer network is called the customer edge (CE) device. This device, although located on customer premises, is sometimes managed or owned by the service provider.

The device that the CE connects to in the service provider’s network is called the provider edge (PE) device (e.g. router). This device is, as the name implies, located at the edge of the service provider’s network (and the service provider owns and manages it).

Within the service provider’s core network there are several devices (e.g. routers) that only forward data and do not provide any VPN functionality. These devices are simply called provider (P) devices.

Figure 2.2. Components of CE-based and PE-based VPNs. (Layout recovered from the figure: Site 1 <-> CE <-> PE <-> P ... P <-> PE <-> CE <-> Site 2, with the PE and P devices inside the Provider Network.)

In CE-based VPNs, all the VPN processing takes place in the CE devices. When employing this solution, the service provider does not take part in any layer 2 or layer 3 routing of VPN traffic, which means that the PE devices can be standard IP routers. A tunnel is simply created between the CE devices, and the properties of the VPN created this way depend on the specific tunneling protocol (e.g. IPSec) used to create the tunnel. The problem with CE-based VPNs is that the CE devices require a high amount of management and configuration. Sometimes the CE equipment needs to be purchased, which makes the CE-based solution even more inconvenient.


One way to solve all these problems is to outsource the CE-based solution to a service provider. By outsourcing the solution, the service provider becomes responsible for managing and (often) supplying the equipment. CE-based VPNs are usually based on the IPSec protocol.

The biggest disadvantage of CE-based VPNs is at the same time their biggest advantage, namely the cost. In addition to the costs associated with buying expensive hardware and software when deploying CE-based VPNs, a deep understanding of general network security issues and VPN technologies is required. This brings along the cost of training and allocating personnel to implement and maintain the VPN devices. However, with an in-house CE-based VPN, the monthly fee to the service provider is reduced.

In PE-based VPNs, the majority of the VPN management and configuration takes place in the PE devices, as opposed to CE-based VPNs, where each participating site must have its own VPN device. By having the PE devices perform the VPN processing, the CE devices can be standard routers and switches; there is therefore usually no need to upgrade the equipment on the customer premises. In addition, little work is required by the customer since the service provider is responsible for managing and configuring the VPN. The PE devices run several virtual instances which can be assigned to several customers. This means that several VPNs can be run on the same device. PE-based VPNs are usually based on layer 2 WAN technologies such as Frame Relay or ATM.

One important cost that must sometimes be considered (see the end of this paragraph) when a PE-based VPN is chosen is the cost of connecting to the service provider’s network. This wiring is called the “last mile/kilometer” or the “local loop” and often consists of a dedicated leased line (thus very expensive). Since the cost of these types of connections is based on the actual length of the wire, an alternative solution should be considered if the distance between the PE device and the customer network is too far. It should however be stated that the local loop cost is often bundled with the service. The additional cost should thus only be considered if the local loop must be purchased as an additional service, which is a very rare business model.

2.4 Client-Based and Web-Based VPNs

Sometimes, the VPN device that terminates the VPN tunnel is software running on a PC, for example in the case of home users, where a specific hardware device cannot be afforded for each user. VPNs built up in this way are called client-based VPNs because client software, terminating the VPN tunnel, needs to be installed on the computer. Client-based VPNs are often compared to web-based VPNs. The reason for the comparison is that these two solutions are often used in the same part of the WAN infrastructure, namely to support remote access users. This does not necessarily mean that the two solutions compete with each other. Rather, they complement each other, as this report will show. Furthermore, the solutions (especially client-based solutions) are used by on-site users as well, but their strength is that they provide remote access connectivity.

Since the client-based VPN solution is usually based on IPSec, which is considered to be the standard client-based VPN technology today, and the web-based VPN solution is based on SSL, which is considered to be the standard web-based VPN technology today, many of the advantages and disadvantages of client-based and web-based approaches depend on the properties of these underlying protocols. A comparison between client-based and web-based VPNs will therefore partly overlap with a comparison between IPSec and SSL. It might therefore be useful to be familiar with those two protocols if one wants to fully understand the comparison. IPSec is described in Section 3.3.3 and SSL is described in Section 3.3.4.

The main difference between client-based and web-based VPNs is that client-based VPNs require a client to be installed on each host that remotely connects to the corporate network, while web-based solutions are based on SSL encryption used with web browsers. Client-based VPN technology initially served as a means to protect site-to-site data communication as a cheaper alternative to trusted VPNs. Later on, it was extended to protect data communication between remote users accessing corporate networks, as an attempt to replace dial-in technology (because of the disadvantages of dial-in access described in Section 3.1.2).

Over the years, as mobility has become a trend, the increased use of client-based VPNs, while providing secure access for mobile users, has become a burden and a high cost to companies. This concern has driven the need to create clientless/web-based VPNs. But the web-based approach also has its disadvantages. We will therefore compare the two solutions in order to see where each solution is best suited.

2.4.1 Advantages of the Client-Based VPN Approach

Even though significant hardware and software costs exist when implementing client-based VPNs, some of these can be reduced by reusing existing equipment. First of all, though it is not certain that one chooses to use these clients, built-in VPN clients are provided in later versions of the Windows operating system. By using these, installation and training costs can be reduced because of users’ familiarity with Windows products.

Client-based VPNs allow companies to fully use the processing power of the remote users’ PCs, which allows for the adoption of distributed technologies.

Client-based VPNs provide support for offline work. This allows users with laptops in locations that do not offer Internet access to utilize the applications on their PCs and connect to the network when necessary.

If client-based VPNs are properly implemented, users have seamless access to e-mail, files and intranet sites from their PCs. This means that network drives can be mapped directly into the computer, providing access to network-based files from any application, and the user’s browser can provide seamless access to intranet sites. The reason for this is that the underlying protocol (mostly IPSec) operates at layer 3 (as opposed to SSL, which operates at layer 5). This means that all IP packets are encapsulated regardless of their function, which implies that all applications that run over IP are automatically supported, which allows for an on-the-LAN experience. More access to the network also allows technical staff (e.g. network administrators, developers) to get low-level remote access to network functions such as device configuration etc.

2.4.2 Disadvantages of the Client-Based Approach

The client-based VPN approach also has a few disadvantages, mostly associated with the unexpected cost and complexity of implementing the technology.

The client-based VPN approach brings about the cost of purchasing, installing and maintaining client software on every PC. This cost increases with the number of remote users¹. Since many client-based VPN solutions are based on the IPsec protocol, the installation and maintenance of the software becomes even more complex (for example, consider the case where the installation must be performed by a remote untrained user). IPsec is natively more difficult to configure and maintain as it requires manual user configuration and involves complex key management and encryption algorithms. Because of this complexity, IPSec VPNs are harder to troubleshoot than SSL VPNs, which use the well-known and well-understood https protocol. According to a survey [14, p. 3] conducted in November 2002, over 50% of the respondents indicated that difficulty in managing IP VPNs was an inhibitor to VPN adoption. Because of the complexity of the IPSec protocol, it might also be harder to train administrators to understand client-based VPNs.

In addition to the software costs, the corresponding hardware must be purchased and deployed. These costs become even higher if some of the hardware cannot be reused as described in Section 2.4.1. The lack of standards among competing vendors is also a concern. This concern is particularly serious when partner LANs, with equipment purchased from other vendors, are included.

The requirement to install client software on each PC is not just costly. It also reduces availability by limiting access to corporate resources to situations where the remote PC has the properly configured client installed on it. Mobile users, who might not have a corporate laptop with them at all times, are therefore not very well supported with the client-based approach.

Companies that use the client-based VPN solution feel confident about the security of remote connections because VPN technology is often based on very secure protocols (e.g. IPsec). This confidence can sometimes result in a neglect of other security issues such as ensuring that the remote user’s computer, now being a node on the network, is secure (e.g. anti-virus software installed). Client-based VPNs allow data to be securely sent to a remote user. But once on the remote user’s computer, this data remains vulnerable to loss and theft. Another security concern is that since full LAN access (i.e. network level access) is provided, which has previously been described as an advantage, users can get access to more sensitive information.

¹Deploying VPN software to hundreds or thousands of machines can be handled by a standard PC configuration management service such as Microsoft’s SMS, Novadigm’s Radia etc. However, if no such solution is in place, deployment can be very costly.

The client computer must handle routing, DNS and proxy reconfiguration issues in order to offer seamless access to company resources. These tasks can be very hard to implement.

Another challenge is the incompatibility between Network Address Translation (NAT) and IPSec. The changes made to each IP packet by NAT appear to the receiving VPN device as altered and potentially malicious data, causing the packets to be rejected upon arrival. Many companies have chosen to use Microsoft XP’s built-in client (based on PPTP) to overcome these problems even though clients based on IPSec are considered to be better (more secure, more features etc.). There are also several ways around the NAT and IPSec problem (e.g. tunneling ESP/AH in TCP or UDP).

Distributed applications (one of the benefits of the client-based approach mentioned in the previous subsection) must be installed and properly configured on all remote users’ computers.

If a user’s home computer is used to connect to the company network, the applications on the remote computer should be automatically reconfigured for remote access use. For example, the network drives should automatically be mapped on the user’s computer, the e-mail client should automatically point to the company’s e-mail server and so forth.

Client-based VPNs, especially those based on IPSec, are processor-intensive and bandwidth-heavy. End users with slow connections can therefore not benefit from the broadband advantages they first expected.

The support required for addressing these problems (which can be more than first expected) must be considered, as it can significantly increase the cost of deploying client-based VPNs.
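Why NAT breaks IPSec, and why tunneling ESP in UDP gets around it, can be seen in a small model. The Python below is an added example, not part of the thesis: it models an AH integrity check that covers the IP addresses, shows that the check fails once a NAT device has rewritten the source address, and then models ESP carried in UDP, whose integrity check covers only the ESP header and protected payload so the same rewrite is harmless. The shared key, the SPI, the addresses and the payload are constructed; the ICV is a truncated HMAC-SHA256, encryption of the ESP payload is omitted, and the "immutable header fields" are reduced to the two addresses, all of which are simplifications of this example rather than the protocol specifications.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict

# Constructed shared key of the security association between the remote client
# and the VPN gateway (in a real deployment it is negotiated by IKE).
SA_KEY = b"constructed-sa-key-not-for-real-use"
SPI = 0x00001000


def _ip_addrs(src: str, dst: str) -> bytes:
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH's integrity check value covers the immutable IP header fields (modelled
    here by the source and destination addresses only) as well as the payload."""
    return hmac.new(SA_KEY, _ip_addrs(src, dst) + payload, hashlib.sha256).digest()[:12]


def build_ah_packet(src: str, dst: str, payload: bytes) -> Dict:
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}


def verify_ah_packet(pkt: Dict) -> bool:
    """The gateway recomputes the ICV over the addresses it actually received."""
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))


def build_esp_udp_packet(src: str, dst: str, payload: bytes, seq: int = 1) -> Dict:
    """ESP tunnelled in UDP (NAT traversal): the ICV covers the ESP header and the
    protected payload (left unencrypted here for brevity), but not the outer IP
    and UDP headers, which a NAT device is free to rewrite."""
    esp = struct.pack(">II", SPI, seq) + payload
    icv = hmac.new(SA_KEY, esp, hashlib.sha256).digest()[:12]
    return {"src": src, "dst": dst, "sport": 4500, "dport": 4500, "esp": esp, "icv": icv}


def verify_esp_udp_packet(pkt: Dict) -> bool:
    expected = hmac.new(SA_KEY, pkt["esp"], hashlib.sha256).digest()[:12]
    return hmac.compare_digest(pkt["icv"], expected)


def nat_rewrite(pkt: Dict, public_ip: str, public_port: int = 40000) -> Dict:
    """What a NAT device does on the way out: replace the private source address
    (and, for UDP, the source port) with its own public ones."""
    out = dict(pkt)
    out["src"] = public_ip
    if "sport" in out:
        out["sport"] = public_port
    return out


def demo() -> Dict[str, bool]:
    """Same inner data sent from a home PC behind NAT (constructed addresses)."""
    data = b"GET /intranet/ HTTP/1.0\r\n\r\n"
    ah = build_ah_packet("192.168.1.10", "203.0.113.5", data)
    esp = build_esp_udp_packet("192.168.1.10", "203.0.113.5", data)
    return {
        "ah_without_nat": verify_ah_packet(ah),
        "ah_after_nat": verify_ah_packet(nat_rewrite(ah, "198.51.100.7")),
        "esp_udp_after_nat": verify_esp_udp_packet(nat_rewrite(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The model also shows why the UDP header is needed at all: ESP itself carries no port numbers for a NAT device to track a flow by, so the extra UDP header is what lets several clients behind one public address be told apart.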

2.4.3 Advantages of the Web-Based VPN Approach

As an attempt to compensate for the drawbacks of client-based VPN solutions, the web-based (clientless) VPN solution has emerged. Since the web-based solution is based on the SSL protocol, it is often referred to as the SSL-based approach.

The main advantage of the web-based VPN approach is that it is “clientless”. This means that no additional software needs to be installed on the remote host. Any computer with a web browser installed on it can thereby be used to connect to the company network after the user has been authenticated. This allows for better support of mobility. By mobility, we mean that any computer with a web browser can be used to connect to the corporate network. Workers who do not have access to their own computers, or who are unable to connect to a network which can or will carry VPN traffic, especially benefit from this.


In addition to better support of mobility, the clientless approach reduces any cost associated with acquiring, installing and maintaining the client software. User training costs are also reduced since most users are familiar with how to use a web browser.

The advantage of not having to install a client also allows devices such as web-enabled phones and PDAs to be included in the web-based approach, as long as they run a standard web browser.

Operating system flexibility is another advantage of web-based VPNs. Web-enabled access is possible regardless of what operating system the browser runs on, because SSL is built into most browsers.

While first-generation SSL VPNs supported only web browsing and e-mail, today’s commercial products support all web-based applications by default and many more applications for which plug-ins exist or can be developed.

Web-based solutions provide complete access to intranet sites, files on network drives and network applications.

With the client-based approach, it can be problematic to access corporate resources from behind NAT implementations or an Internet proxy. With the web-based solution, this is usually not a problem.

2.4.4 Disadvantages of the Web-Based VPN Approach

With the web-based approach, all the application processing is done by the web server. This means that the remote user is highly dependent on Internet connectivity for getting work done. Recall that client-based approaches use the remote machine for application processing and thus support offline work.

Some functionality is usually limited to browsers with Java or ActiveX support. This can, for example, cause the browser to “hang” (because Java is not supported by the browser) when a Java applet is being launched.

While the web-based approach provides access to web applications and network shares, it offers limited support for non-web-based systems on Windows, UNIX, Linux or mainframe machines². The result is an environment which is not seamless for the user. The previous section presented a solution to this problem: plug-ins. But still, not all applications have plug-ins, and developing them might be a difficult task. Plug-ins can also be expensive. Since the environment is not seamless to the user when accessing the corporate network with a web browser, accomplishing simple tasks (e.g. attaching files to e-mails) might become difficult and confusing.

The web-based approach, although reducing some security risks associated with the client-based approach, introduces its own security concerns with employees connecting from untrusted environments. Security concerns may arise, for example, if the corporate network is accessed from a computer with spyware installed. This allows a third party to monitor user activities and steal sensitive information (for example if a keylogger is installed on the remote machine).

²SSL VPNs tunnel traffic at the session layer of the OSI model (layer 5), not the network layer (layer 3). So by default, they only support some specific IP applications, typically web access and e-mail.

The cost of maintaining the concentrator end of the web-based approach is higher than that of IPSec concentrators; four hours of consulting just for adding another server to the list of accessible servers is not uncommon.

The concentrator end of the web-based approach does not scale well. A cluster of concentrators is not uncommon when supporting more than tens of simultaneous users.

2.4.5 Conclusions

Both web-based and client-based VPNs are highly effective remote access solutions. They are both based on field-tested protocols offering the same level of encryption and authentication. However, as we have seen, they both have advantages and disadvantages making them more or less suitable for certain situations. We can thus draw the conclusion that both are effective and complementary.

Client-based VPNs are considered a good solution in situations where a controlled (i.e. trusted and not very big) set of remote users needs access to applications not supported by SSL.

In situations where these two solutions are connecting sites together for site-to-site VPNs, IPSec is recommended for site-to-site intranet VPNs where long and static connections are required between branch offices, and SSL for extranets. Companies that need to provide remote access to large numbers of mobile users would need to install, configure and manage client software on each user’s PC, which would result in an administrative and financial burden. In this situation SSL VPNs are more appropriate. The benefits of using SSL VPNs when creating extranets are that they do not give as much access to the company network as IPSec VPNs, and that it is difficult to install client software on partner company networks. Furthermore, SSL is not dependent on the partner company’s operating system.

Before starting to implement a particular solution, there are a few issues to consider. First of all, an analysis should be performed to determine the following:

• Which applications are being used by the remote users?

• Are these applications critical or could remote users manage without them?

• At what frequency are the applications being used?

• From where are the applications being used?

This analysis will help determine whether a client-based solution based on IPSec is required or a web-based solution based on SSL is enough and, if SSL is enough, what additional plug-ins (if any) are required.

Furthermore, if you plan on implementing an SSL solution, you should check whether your current infrastructure supports SSL or not, because, as SSL VPN solutions become more and more common, many IPSec VPN hardware vendors (e.g. Cisco, Checkpoint) offer SSL support on their products. By doing this, you reduce costs associated with purchasing SSL-specific hardware and software.

If your company has implemented a client-based VPN already, you might want to check whether or not all the clients are necessary. Some users might not need access to applications supported by IPSec, i.e., the benefits of IPSec are not taken advantage of, which leaves only the disadvantages. For these users, a migration from a client-based solution to a web-based one might be a simple way of reducing the support and licensing costs associated with maintaining clients. In actual implementation projects, between 90% and 95% of an organization's remote users only require web access and e-mail. Additional needs can be met with standard plug-ins (i.e. they need not be developed) [14, p. 5]. A clever approach to follow here is to offer web-based access as the default option to all remote users, and provide the client-based approach only to the few users who need non-standard application support. By doing so the company can reduce the cost of client-based VPNs (and the complexity of the IPSec protocol) while enabling access from more remote locations (e.g. airport, hotel room) and different devices (PDAs etc.).

2.5 Outsourced and In-House Secure VPNs

One final comparison remains in this report: the comparison between outsourced and in-house secure VPNs. Trusted VPNs are, as defined in this report, always managed by a service provider. This comparison is not a technical one but rather one of manageability and cost.

The evolution of secure VPN technology has enabled ISPs to outsource VPNs as a service. Outsourced VPNs support all the VPN types described in the section "supported infrastructure", that is, remote access and intranet/extranet site-to-site VPNs. The key benefits of outsourcing the secure VPN are:

Cost Reduction. The cost to train personnel to implement and maintain the VPN is reduced. Some ISPs include hardware and software as well, which might additionally reduce the costs (here, a trade-off must be made between the cost of purchasing the hardware and hiring it, since ISPs that provide hardware are probably more expensive).

Security Expertise. As we have read in the previous sections, designing, implementing, managing, updating, upgrading, and monitoring of VPN infrastructure are complicated tasks. By outsourcing the VPN solution to an ISP, these duties are handled by experienced network security professionals.

Around the clock (24x7) Management and Monitoring. An outsourced VPN solution provides 24x7 management and monitoring of the VPN. This increases the security and productivity of a company, since business can be conducted around the clock without the company having to worry about security and availability issues.

The disadvantage of an outsourced VPN is that it might be costly, especially if the number of remote users and branch offices is increasing (since these solutions often charge per user).


Chapter 3

Technologies/Protocols

3.1 Pre-VPN Solutions

This section will describe solutions that fall outside the VPN concept, as defined in this report.

3.1.1 Site-to-Site Leased Lines

Traditionally (that is, before the emergence of VPNs), if organizations wanted to connect their branch offices together, they purchased or leased dedicated lines for a fixed monthly charge. This solution is used to a decreasing extent today. The connection is established through a permanent point-to-point connection between the sites (e.g. a T1/E1 connection). Since the connection is only used by one company, the result is an actual private network.

Disadvantages

Creating a WAN with leased lines is a very expensive solution which does not scale well at all, especially if redundancy is needed between some sites. If redundancy is not added, the solution suffers from a single faulty link syndrome, which means that if a connection goes down, the company faces a minor or major disaster since all communication is terminated. The cost consists of a fixed monthly fee.

In addition to the high cost, leased lines have a few other shortcomings. Leased lines do not support mobile workers (remote access) because the lines fail to extend to people's homes or their travel destinations.

There is sometimes also a need to give access to parts of the company network to external users (extranet), and that would not be possible over a physically separated network.

Seen from the service provider's point of view, the leased lines solution fails to share under-utilized bandwidth across several customers or dynamically increase bandwidth between sites in order to meet peaks.


Advantages

The advantage of leased lines is that they provide a secure way to connect remote offices together since no one else shares the link.

Leased lines also provide guaranteed bandwidth (as long as the connection is not down), fast data rates and good quality. A given level of quality and guaranteed bandwidth, latency, latency variation (jitter), and availability can be assured since the connection only carries the company's data.

3.1.2 Remote Access - Dial-In Access

Leased lines only allow for the connection of remote sites (i.e. site-to-site connectivity). Remote access is thus not supported by this solution. Before the emergence of VPNs, dial-in access was used to provide remote access to company networks (dial-in access is still widely used).

Dial-in access means connecting to a network via a modem and a public telephone network. Because traditional copper telephone lines are used, the data rates are low. Even though new technologies like ISDN provide faster rates than the previous maximum rate of 56 Kbps, dial-in access is still a slow alternative compared to other existing technologies.

Disadvantages

In addition to being slow, dial-in connections can also be expensive, especially if the remote user is not in the same calling area as the remote access server. In that case, the company will have to pay long distance phone charges. The remote access server might also need multiple phone lines and modems in order to accommodate more than one incoming connection at a time.

Security issues must also be considered when using dial-in connections since they allow attackers to sneak around the firewall and connect directly to a computer on the company network.

Some common security measures that have been taken to make the modems more secure are, for example, active administration of the modems, examination of logs for strange behaviour, strong passwords, removal of user accounts that are no longer in use, etc.

Another, more refined solution is to provide dial-back capability. Dial-back means that a connection is established during a two-part procedure. During the first part, the remote user dials into the system with the correct user-id and password. The system will then drop the connection (after having authenticated the user) and call the authenticated user back at a known telephone number. If the user answers the call, the connection is established. This solution prevents attackers from accessing the company network just by providing the right user credentials. The disadvantage of dial-back systems is that they only work if the user is calling from a location known to the system (i.e. a permanent location like home). The problem arises when the user wishes to dial in from a location unknown to the system (e.g. a hotel room). This problem can be overcome by entering the number that the system should call back to during the authentication process (that is, the number is not preconfigured), but then the security benefit of dial-back is lost.

Advantages

The advantage of using dial-in access technology is that it provides a way to access company resources from locations where Internet access is not provided. The telephone infrastructure is still more widespread than the Internet infrastructure. But this will probably not be the case forever.

3.2 Trusted VPN technologies

We will now look at the actual VPN technologies. We will begin by presenting the technologies categorized as trusted VPN technologies.

When choosing a trusted VPN solution, all the technology is on the provider's side. It is thus not a prerequisite to know all the technical details before getting started. Since the purpose of this report is to serve as a basis when choosing among VPN services, the technical details of purchased services are less important than those of secure VPNs (in the case of an in-house solution). The technical descriptions of the trusted VPNs will thus not be as detailed as the technical descriptions of secure VPNs.

3.2.1 X.25

X.25 [1] is a WAN technology that transfers data via packet switching. It is arguably the first public packet-switching technology ever. In packet switching, each packet is individually routed over data links between two end nodes. The data links may at the same time be used by other nodes. The purpose of the packet switching paradigm is to optimize the use of available bandwidth in a network, and to minimize the transmission latency. Packet switching can be contrasted with circuit switching, where a dedicated connection is set up between two end nodes for their exclusive use for the duration of the communication. X.25 operates at the bottom two layers of the OSI model. It was originally designed in the late 1970s for the transport of data traffic over analog lines.

In order to understand the motivation behind the design of the X.25 networks, the technological context of that era must be understood.

First of all, PCs and workstations were not widespread at that time, and the terminals used to access distant mainframes over computer networks had minimal intelligence. Therefore, the developers of X.25 put the intelligence in the network, as opposed to today where much of the intelligence is put in the end systems. The developers of X.25 put intelligence in the network, for example, by employing virtual circuits. A virtual circuit is a connection between two devices that appears to be a discrete, physical path but is actually a managed pool of circuit resources from which specific circuits are allocated as needed to meet traffic requirements.

Another fact that determined the design of the X.25 networks was that the wired copper links of those days were error-prone. Because of the high error rates of these links, the X.25 protocol has been designed with error recovery on a hop-by-hop basis. Error recovery is implemented by letting each switch keep a copy of each packet sent until the receiving switch sends an acknowledgement back. The acknowledgement is sent only after the receiving switch has performed error checking. This hop-by-hop error recovery significantly reduces link transmission rates.

Because of the error correction capabilities of the X.25 protocol, X.25 networks have been advantageous in networks with bad line quality. But since the technological context has changed so drastically from the early 1980s when X.25 was created, X.25 networks are almost never used today.

3.2.2 Frame Relay

Frame Relay [16] is another example of a WAN technology that transfers data as variable-length frames through packet-switching. The maximum frame size is 4094 bytes, and the recommended size is 1600 bytes. It was developed in the late 1980s by DEC, Northern Telecom, Cisco and Stratacom.

Frame Relay is often called the successor of X.25. It is basically a stripped-down version of X.25 with the error correction features removed. Like X.25, it operates on layer two of the OSI model and uses virtual circuits.

Frame Relay as a WAN technology is purchased from a service provider. The customer is attached to the Frame Relay network by a point-to-point link between a device at the customer's site called the Data Terminal Equipment (DTE), and a device at the service provider's site called the Data Circuit-terminating Equipment (DCE). Once the customer is connected to the Frame Relay cloud, PVCs are created which allow for communication between different sites. The endpoints of the PVCs are identified with 10-bit numbers called Data Link Connection Identifiers (DLCI). The customer can monitor the line using the Line Management Protocol (LMI), which provides management information to the customer.

When an error is detected in a packet in a Frame Relay network, it is simply discarded. The error checking mechanisms have been removed because of the emergence of less error-prone physical links (e.g. fiber links), which have eliminated the need for such extensive error checking. In addition, error checking can now be performed by higher layers (e.g. TCP). This has enabled Frame Relay to become more efficient and perform better than X.25, and thus more suitable for current WAN applications (e.g. connecting remote offices). It can provide speeds up to 43 Mbps (depending on the capability of the service provider's network). The minimum level of throughput guaranteed by the service provider is expressed in the Committed Information Rate (CIR).


3.2.3 ATM

ATM [28] was developed in the mid-1980s by two standards committees, the ATM Forum and the International Telecommunications Union (ITU). Since there were two types of networks at this time, telephone networks (primarily used to carry real-time voice) and data networks (primarily used to transfer text files, e-mail etc.), ATM was designed to transport real-time audio and video as well as text, e-mail and image files. During the development of the ATM standards, many companies throughout the world contributed to the research and development. This has resulted in a number of high-performing technologies, e.g. ATM switches that can switch terabits per second, that have been deployed within the telephone networks and Internet backbone. Where ATM has been deployed in the Internet backbone, TCP/IP runs on top of ATM and views the ATM network as one link-layer network. This is the most common use of ATM today and is referred to as IP-over-ATM¹. ATM technology has however only rarely extended itself to end stations, as opposed to the TCP/IP protocol suite.

ATM uses packet switching with fixed-length packets of 53 bytes called cells. Each cell has 5 bytes of header and 48 bytes of payload. By having small and fixed-length cells and simple headers, high-speed switching is facilitated, since small and fixed-length cells do not suffer from delays that result from having to wait for a large data packet to download. ATM uses virtual circuits. These are called virtual channels in ATM jargon. The virtual circuits are identified by numbers called virtual channel identifiers. These numbers are included in the ATM header. If a switch detects an error in an ATM header, it attempts to correct the error. If the error cannot be corrected, the cell is simply dropped. No retransmission is thus requested from the preceding switch. ATM is not dependent on a specific physical-layer implementation, but it requires a high-speed medium such as fiber optic to support the amount of bandwidth that it uses.

ATM's chief advantage is that it is fast and seamless. Its disadvantages are that it uses a great deal of overhead and is expensive. Furthermore, since few end stations have "native" ATM interfaces, some form of conversion is required, usually in a switch or a router. If the advantage of ATM is neither needed nor taken advantage of, the high cost and overhead make it a bad choice. ATM should thus only be used if there are no other viable alternatives for meeting the requirements of the applications running over the WAN. Today, the trend is that service providers are retiring ATM in favor of MPLS because of the lower cost of operation.

3.2.4 MPLS

MPLS [5] is a label-based packet switching technique that has evolved from numerous prior technologies such as Cisco's "Tag Switching" and IBM's "ARIS". The initial goal of MPLS, or label based switching technologies in general, was to bring the speed of Layer 2 switching to Layer 3. As Layer 3 switches have become sufficiently fast, the speed of switching is no longer considered as being the main benefit of MPLS. Another benefit of MPLS is that it provides reservation of bandwidth for traffic with higher QoS requirements. It also enables the use of VPNs.

¹ The ATM protocol stack actually consists of three layers: the ATM physical layer, the ATM layer (the core of the ATM standard, defines the structure of the ATM cell) and the ATM adaptation layer 5 (AAL5). IP runs on top of the adaptation layer.

MPLS is independent of the Layer 2 and Layer 3 protocols, which means that it supports numerous protocols both at the network layer (e.g. IPv6, IPv4, IPX, AppleTalk) and the link layer (e.g. Ethernet, ATM, Frame Relay).

How does MPLS work? In an MPLS network, incoming packets are given a label by a Label Edge Router (LER) and forwarded along a Label Switch Path (LSP), where each Label Switch Router (LSR) makes forwarding decisions based on the context of the label and the incoming interface.

An LSR is a high-speed router that operates in the core of the MPLS network. An LER, on the other hand, operates on the edge of the network. The LER is responsible for assigning labels to packets (ingress LERs) and removing them from packets (egress LERs) as they enter or exit an MPLS network.

Before a packet enters an MPLS network, it is assigned to a particular Forward Equivalence Class (FEC). This assignment is done only once, when the packet enters the network. All the packets in the same FEC are given the same treatment on their way to their final destination. What FEC a packet should belong to depends on factors such as destination address, QoS requirements and the current state of the network.

The LSP, i.e. what path the packet should take through the MPLS network, of a certain packet depends on what FEC it belongs to. Several FECs may be mapped to the same LSP. LSPs allow placing high-priority traffic on the most expensive circuits while allowing routine traffic to take other paths. This, in turn, guarantees a certain level of performance.

After an LSP has been deduced from a FEC, a fixed-length 32-bit label is added to the packet. What label to add to a certain packet depends on what LSP it will take. The LSP, in turn, depends on what FEC the packet belongs to. In other words, the label determines what path (LSP) the packet will take through the MPLS network. The label values can be derived from the underlying data link layer. For Frame Relay or ATM, identifiers such as DLCIs, in the case of Frame Relay, or VCIs/VPIs, in the case of ATM, can be directly used as labels. In the case of ATM and Frame Relay, the label is embedded in the header of the data link layer (e.g. the VCI/VPI field in ATM, the DLCI field in Frame Relay). For other Layer 2 protocols, the label is embedded between the headers of Layer 2 and Layer 3 (i.e. the shim). After the label has been added to the packet, the packet is forwarded on the appropriate interface (i.e. the right LSP).

A table, specifying how each packet should be forwarded, is built by each LSR. This table is called the Label Information Base (LIB). When an intermediary LSR in the MPLS network receives a packet, it performs a table lookup to see what outgoing interface and label value the incoming interface and label value correspond to. The LSR then swaps the label (the new label tells the next hop how to forward the packet) and forwards the packet according to the LIB. This procedure, i.e. to swap the label and forward the packet according to the LIB table, is repeated throughout the LSP. The last router, i.e. the egress LER, finally strips the label off the packet and forwards the packet to an IP network using layer 3 routing.

In order for LSPs to be used, the LIBs at each LSR must be populated with the correct mappings between incoming and outgoing interfaces and label values. This can be done by letting the LSRs distribute labels between them. The process is called label distribution. The labels can be distributed using various protocols, i.e. a specific method is not mandated by the MPLS architecture, for example by using existing routing protocols, such as the Border Gateway Protocol (BGP) or the Open Shortest Path First (OSPF) protocol, to piggyback the label information. The Internet Engineering Task Force (IETF)² has also defined a new protocol, the Label Distribution Protocol (LDP), which is explicitly developed for MPLS label exchange. The most common protocol for distributing labels today is the ReSerVation Protocol (RSVP).

MPLS-based VPNs. Since data is forwarded only based on the MPLS label, and not the rest of the payload, including the IP header, an LSP is considered to form a tunnel within the MPLS network. Where LSPs for different FECs run parallel, these LSPs can be routed together down a higher-level LSP tunnel. For labelled packets entering these higher-level tunnels, an additional label must be assigned to them. This process is known as label stacking and allows a finer granularity of traffic classification between tunnel ingress and egress nodes, while at the same time reducing the size of the forwarding tables maintained by the LSRs, since the LSR needs only to route data on the basis of the topmost label in the stack.

MPLS provides a VPN solution based on the use of LSP tunnels. By labelling the VPN data as it enters such a tunnel, the LSR segregates the VPN flows from the rest of the data flowing in the MPLS network.

MPLS VPNs have several favourable characteristics:

• Multiple protocols can be encapsulated by the LER, since the data traversing an LSP tunnel is opaque to the LSRs within the MPLS network.

• The traffic of different VPNs can be multiplexed onto the same links by using separate labels (separate LSPs) for each VPN. This feature makes MPLS VPNs more scalable. Why? We know that the LSRs in the core of the network must maintain a forwarding table. If many VPNs are supported by the MPLS network, the LSRs must maintain many LSPs. If the number of LSPs is large, maintaining them might be beyond the capacity of the LSR switching hardware. The solution is, as already stated, to multiplex the traffic from multiple VPNs that share the same ingress and egress LERs within a single LSP tunnel between those LERs. This can be done by using label stacks with one outer LSP set up across the network and an inner LSP for each VPN. The lower label (belonging to a specific VPN) is only known to the ingress and egress LERs. By multiplexing, the number of tunnels scales according to the number m of LERs rather than the much larger number n of VPN sites.

• QoS can be assured for VPN traffic by reserving network resources for the LSP tunnels.

• The label distribution protocols provide a failure-correction mechanism by ensuring that, if a link or a router fails, the failure can be corrected by re-routing of LSP tunnels without management intervention.

² The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

Security. MPLS security can be compared to the security provided by Frame Relay and ATM. A general description of the security of trusted VPNs was provided in the introduction of this chapter. In MPLS, security is achieved by assigning a unique label stack for each VPN destination. This ensures that data is not leaked out of the VPN. Any other traffic entering the MPLS network (not destined for a specific VPN) is assigned a different label stack, ensuring that no data can be sent into the VPN by an unauthorized user. In addition, the MPLS routers can use cryptographic algorithms (e.g. MD5) if the service provider wants to protect the label distribution protocols from the insertion of fake labels or routers. As previously stated, there is no prohibition from encrypting data (e.g. by using IPSec) before sending it into an MPLS network. This should however only be done if the transmitted data is of such confidential nature that even the service provider's network cannot be trusted, or when the data passes through several MPLS networks before reaching the destination. In the latter case, the service provider is responsible for encrypting data between parts of the path where there is no direct MPLS connection between the service providers³.

When creating MPLS-based VPNs, the tunnel feature of MPLS is used. This allows for the control of the entire path of a packet without explicitly specifying the intermediate routers, by creating tunnels through the intermediary routers that can span multiple segments. To achieve this, a label stack is used. Currently there are two main approaches to implementing MPLS-based VPNs: the Layer 3 approach (MPLS/BGP VPNs) [5] and the Layer 2 approach (specified in the Martini drafts), both with their strengths and weaknesses.
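The label push, swap and pop steps described above, together with the label-stack separation of VPNs described under Security, as an added Python simulation (example code written for this edit, not part of the thesis; the topology, interface names, label values and addresses are constructed):

```python
# Added example (not from the thesis): a small simulation of the MPLS label
# switching described above, with a two-level label stack. Router names,
# interfaces, label values and addresses are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    labels: List[int] = field(default_factory=list)   # label stack; top = last element


class LSR:
    """Core label switch router: forwards on the topmost label only, via its LIB."""

    def __init__(self) -> None:
        # LIB: (incoming interface, incoming label) -> (outgoing interface, outgoing label)
        self.lib: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_entry(self, in_if: str, in_label: int, out_if: str, out_label: int) -> None:
        self.lib[(in_if, in_label)] = (out_if, out_label)

    def forward(self, in_if: str, pkt: Packet) -> Optional[str]:
        """Swap the top label and return the outgoing interface, or None if dropped."""
        if not pkt.labels:
            return None                       # unlabelled traffic has no LSP in the core
        entry = self.lib.get((in_if, pkt.labels[-1]))
        if entry is None:
            return None                       # unknown label: no LSP, packet discarded
        out_if, out_label = entry
        pkt.labels[-1] = out_label            # label swap; the inner VPN label is untouched
        return out_if


class IngressLER:
    """Edge router: classifies a packet into a FEC once and pushes a two-label
    stack (inner label = VPN, outer label = LSP tunnel towards the egress LER)."""

    def __init__(self, outer_label: int) -> None:
        self.outer_label = outer_label
        self.fec: Dict[Tuple[str, str], int] = {}   # (VPN, destination prefix) -> inner label

    def add_fec(self, vpn: str, prefix: str, inner_label: int) -> None:
        self.fec[(vpn, prefix)] = inner_label

    def push(self, vpn: str, pkt: Packet) -> bool:
        # The VPN is given by the customer interface the packet arrived on,
        # never by anything inside the packet itself.
        for (v, prefix), inner in self.fec.items():
            if v == vpn and pkt.dst.startswith(prefix):
                pkt.labels = [inner, self.outer_label]
                return True
        return False                          # no FEC for this VPN/destination pair


class EgressLER:
    """Edge router: strips the outer label, then demultiplexes on the inner label."""

    def __init__(self) -> None:
        self.vpn_by_label: Dict[int, Tuple[str, str]] = {}   # inner label -> (VPN, site)

    def bind(self, inner_label: int, vpn: str, site: str) -> None:
        self.vpn_by_label[inner_label] = (vpn, site)

    def pop(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        if len(pkt.labels) != 2:
            return None
        pkt.labels.pop()                      # outer LSP label stripped here
        inner = pkt.labels.pop()
        return self.vpn_by_label.get(inner)   # None: label belongs to no VPN on this LER


def build_network() -> Tuple[IngressLER, LSR, EgressLER]:
    """Constructed topology: LER1 --if-west--> P1 --if-east--> LER2. VPN A and
    VPN B share one LSP tunnel (outer label 100, swapped to 200 at P1) and even
    reuse the same address space; only the inner label tells them apart."""
    ler1 = IngressLER(outer_label=100)
    ler1.add_fec("A", "10.1.2.", 16)
    ler1.add_fec("B", "10.1.2.", 17)
    p1 = LSR()
    p1.add_entry("if-west", 100, "if-east", 200)
    ler2 = EgressLER()
    ler2.bind(16, "A", "site-a2")
    ler2.bind(17, "B", "site-b2")
    return ler1, p1, ler2


def deliver(vpn: str, pkt: Packet):
    """Push one packet through ingress, core and egress. Returns the (VPN, site)
    it was delivered to (or None) and the label stack the core router saw."""
    ler1, p1, ler2 = build_network()
    if not ler1.push(vpn, pkt):
        return None, []
    seen_by_core = list(pkt.labels)
    if p1.forward("if-west", pkt) != "if-east":
        return None, seen_by_core
    return ler2.pop(pkt), seen_by_core
```

The core router P1 never looks at the inner label or the IP header, and a packet that arrives in the core without a label known to the LIB is discarded rather than routed.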

3.3 Secure VPNs

Several network protocols have been implemented to be used in secure VPNs and compete with each other for acceptance in the industry. They emphasize authentication and encryption and are generally incompatible with each other (though exceptions exist). Below, the four most popular secure VPN protocols are listed. Which protocol to choose depends on a number of factors: server and client operating systems, resources to which access is needed, level of security required, performance issues, administrative overhead, and so forth. The protocols are:

• Point-to-Point Tunneling Protocol (PPTP)

• Layer Two Tunneling Protocol (L2TP)

• IPSec

• SSL

³ In the first case, the customer is responsible for key distribution. In the second case, the service provider is responsible for key distribution.

Among these four protocols, the last two (IPSec and SSL) are even more popular and are believed to dominate the market in the future, even though Windows provides built-in support for PPTP and L2TP (the advantage of IPSec over L2TP and PPTP is that it is the only one that addresses future VPN environments, such as new IP protocols). Emphasis will therefore be put on describing and comparing them.

3.3.1 PPTP

The PPTP protocol [6] is usually associated with Microsoft even though it was originally developed by several corporations. The reason for this association is that the Windows operating system includes built-in client support for it. Today PPTP is the most widely supported VPN method among Windows clients.

PPTP is an extension of the Point-to-Point Protocol (PPP), which is used to transmit IP packets over serial links, and uses the same types of authentication. PPTP establishes a tunnel but does not provide encryption. The encryption is provided by Microsoft's Point-to-Point Encryption (MPPE) protocol.

PPTP operates at layer 2 of the OSI model and is described in RFC 2637. Even though it supports site-to-site VPNs, it is best suited for remote access VPNs. The initial release of PPTP by Microsoft was claimed to have too many security weaknesses for serious use. The weaknesses have been addressed in current versions, which has led to an improvement of the protocol.

PPTP has a relatively low overhead, which makes it faster than some other VPN methods. Other advantages are, for example, that since the client software is built into most Microsoft operating systems, PPTP servers can be deployed without having to worry about installing client software on those systems. PPTP clients are also available for Linux and Macintosh OS 9.x. PPTP VPNs are also supported by many major firewall appliances and software firewalls (e.g. Cisco PIX, SonicWall and some models of WatchGuard). Yet another advantage with PPTP is that there is no requirement for a Public Key Infrastructure; however, EAP does use digital certificates for mutual authentication (both client and server).

3.3.2 L2TP

The original competitor to PPTP was L2F (Layer 2 Forwarding), a protocol implemented primarily in Cisco products. The Layer 2 Tunneling Protocol (L2TP) [7] was developed in cooperation between Cisco and Microsoft as an attempt to improve L2F by combining the best features of L2F and PPTP.


There are several similarities between L2TP and PPTP. First of all, like the name implies, they both operate at Layer Two (data link layer) of the OSI model. Like PPTP, most Windows versions have L2TP clients built into them. Furthermore, L2TP VPNs are also supported by many major firewall products such as ISA Server, CheckPoint, Cisco PIX, and WatchGuard. L2TP uses digital certificates. User authentication can be performed via the same mechanisms as PPTP.

Advantages of L2TP over PPTP are that L2TP provides data integrity, source authentication and replay protection, in addition to the data confidentiality provided by PPTP. Another advantage of L2TP is that it can be used on non-IP networks (e.g. ATM, frame relay).

The disadvantage with L2TP is that the overhead involved in providing this extra security results in slightly slower performance than PPTP.

3.3.3 IPSec

The IPSec protocol [2] provides security at the network layer (i.e. Layer Three in the OSI model). By security at the network layer, we mean that confidentiality, integrity, and authenticity of data communications across a public IP network are ensured.

IPSec can be used as a complete VPN solution, or simply as the encryption scheme within L2TP or PPTP (see previous sections). IPSec is considered, by many, to be the standard VPN solution for site-to-site secure VPNs and is implemented by many hardware VPN appliances, for example Cisco's VPN Concentrators and PIX firewalls. Furthermore, hardware vendors like Cisco and CheckPoint also provide client software for their IPSec-based VPNs. IPSec support is also included in the latest Windows operating systems (Windows 2000/XP/2003).

IPSec is actually a suite of protocols consisting of two main protocols: the Authentication Header (AH) protocol and the Encapsulation Security Payload (ESP) protocol. Secure IP datagrams are sent with either one of these protocols, depending on the security service required. The AH protocol provides source authentication and data integrity, while the ESP protocol, in addition to the services provided by AH, also provides confidentiality. Since ESP provides more services, it is also more complicated and requires more processing than AH. IPSec can encrypt data between various devices, such as:

• Router to router.

• Firewall to router.

• PC to router.

• PC to server.

Before sending secured datagrams with IPSec, the source and destination devices handshake and create a logical simplex connection called a Security Association (SA). Simplex means that the connection is unidirectional, which implies that if both hosts want to send secure datagrams to each other, then two SAs must be established. The connectionless network layer is thereby transformed into a layer with logical connections. An SA is uniquely identified by the following three-tuple:

• A protocol identifier which indicates whether AH or ESP is being used.

• The source IP address.

• A 32-bit connection identifier called the Security Parameter Index (SPI); the value in this field is the same for all datagrams within a given SA.

Transport and Tunnel Modes

IPSec provides two modes of operation, transport mode and tunnel mode.

In transport mode, only the IP payload is secured, and the original IP headers are left intact. In tunnel mode, the entire original IP datagram is secured, and it becomes the payload in a new IP packet.

Transport mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. Unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis. Transport mode can only be used when both the source and the destination systems understand IPSec.

The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IPSec. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints. In most cases, you deploy IPSec in tunnel mode. Doing so allows you to implement IPSec in the network architecture without modifying the operating system or any applications on your PCs, servers, and hosts.

Tunnel mode is most commonly used between gateways, or from an end-station to a gateway, with the gateway acting as a proxy for the hosts behind it.

Transport mode is used between end-stations, or between an end-station and a gateway if the gateway is being treated as a host, for example in an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.

Basically, transport mode should be used for end-to-end sessions and tunnel mode for everything else.
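The two encapsulations described above, as an added example that is not part of the thesis: it packs minimal IPv4 datagrams with a constructed ESP-style envelope (protocol 50) in both modes and reports what a router on the public network can read from the outer header. Host and gateway addresses, SPI values and the placeholder authentication data are constructed, and the body is not actually encrypted; only the header layout and the byte overhead are the point.

```python
"""Transport vs. tunnel mode encapsulation, as seen by an on-path observer.

Added example (not from the thesis). Builds minimal IPv4 datagrams with
struct, wraps them in a constructed ESP-style envelope in both modes, and
reports what a device on the public network learns from the clear outer
header. The ESP body is a stand-in: nothing here is encrypted.
"""
import socket
import struct

ESP_PROTO = 50            # IP protocol number for ESP (51 would be AH)
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Pack a 20-byte IPv4 header (version 4, IHL 5, checksum left zero)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP header + (stand-in for encrypted) body + trailer + auth data."""
    header = struct.pack("!II", spi, seq)          # SPI, sequence number
    # In real ESP the body and the trailer (pad length, next header) are
    # encrypted together; here they are left readable for inspection.
    trailer = struct.pack("!BB", 0, next_header)
    auth = b"\x00" * 12                            # placeholder 96-bit ICV
    return header + inner + trailer + auth


def transport_mode(src, dst, proto, payload, spi, seq=1) -> bytes:
    """Original IP header kept; ESP sits between it and the payload."""
    body = esp_wrap(payload, proto, spi, seq)      # next header = original
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body


def tunnel_mode(inner_src, inner_dst, proto, payload,
                gw_src, gw_dst, spi, seq=1) -> bytes:
    """The whole inner datagram becomes the protected payload of a new
    packet travelling between the two gateways."""
    inner = ipv4_header(inner_src, inner_dst, proto, len(payload)) + payload
    body = esp_wrap(inner, 4, spi, seq)            # next header 4 = IP-in-IP
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def observer_view(packet: bytes) -> dict:
    """What a router on the public network reads from the clear IP header."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IP_HDR, packet[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "protocol": proto, "length": total_len}


def overhead(packet: bytes, payload: bytes) -> int:
    """Bytes added beyond a plain 20-byte IPv4 header plus payload."""
    return len(packet) - (20 + len(payload))


def demo() -> dict:
    payload = b"constructed application data"
    host_a, host_b = "10.1.1.5", "10.2.2.7"          # constructed hosts
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"       # constructed gateways
    t = transport_mode(host_a, host_b, 6, payload, spi=0x1001)
    u = tunnel_mode(host_a, host_b, 6, payload, gw_a, gw_b, spi=0x1002)
    return {"transport": observer_view(t), "transport_overhead": overhead(t, payload),
            "tunnel": observer_view(u), "tunnel_overhead": overhead(u, payload)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In transport mode the observer still sees the real host addresses; in tunnel mode it sees only the two gateways, at the price of one extra 20-byte inner IP header.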

AH

The first thing a host has to do when it wants to send datagrams to a particular destination is to establish an SA with the destination. When the SA has been established, secure datagrams can be sent with the AH header included. The AH header is inserted between the IP header and the original IP datagram data. The AH header is thus regarded as payload in an ordinary IP datagram. The number 51 is used in the protocol field of the IP header to indicate to the destination host that the datagram should be processed using the AH protocol.


The following fields are included in the AH header:

• Next header field: since the protocol field in the IP header is already being used (to indicate the AH protocol in this case), there is a need for a new field to indicate what protocol follows the AH header (e.g. TCP, UDP, ICMP).

• Security parameter index field: used for identifying an SA, as explained above.

• Sequence number field: a 31-bit field initially set to 0 at the establishment of an SA and then incremented after each datagram sent. This field is used to prevent playback and man-in-the-middle attacks.

• Authentication Data field: a variable-length field containing a digital signature for each datagram. The digital signature is calculated over the original IP datagram, thereby providing source host authentication and data integrity. The algorithm used to calculate the digital signature is specified by the SA (usually MD5 or SHA).

AH is incompatible with NAT because NAT changes the source IP address, which breaks the AH header’s integrity check and causes the packets to be rejected by the IPSec peer.
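The AH integrity check and the NAT incompatibility just described, as an added example that is not from the thesis: it builds a transport-mode AH datagram, computes the Authentication Data as HMAC-SHA1-96 (RFC 2404) over the datagram with the mutable IP header fields zeroed, and shows that a router hop (TTL change) still verifies while a NAT source-address rewrite does not. Key, addresses and SPI are constructed sample values.

```python
"""AH integrity check over an IPv4 datagram, and why NAT breaks it.

Added example (not from the thesis). Constructs a transport-mode AH
datagram (IP protocol 51), computes the Authentication Data as
HMAC-SHA1-96 over the datagram with the mutable IP fields zeroed (the
rule RFC 2402 gives for AH), verifies it, and then shows that rewriting
the source address, as a NAT device does, makes verification fail.
The key and addresses are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 12              # HMAC-SHA1-96: authenticator truncated to 96 bits
IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_header(next_header, spi, seq, icv):
    # Payload Len counts 32-bit words of the AH header minus 2:
    # (12 fixed bytes + 12 ICV bytes) / 4 - 2 = 4
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def zero_mutable_fields(datagram):
    """Copy of the datagram with TOS, flags/fragment offset, TTL, header
    checksum and the ICV itself set to zero before computing the MAC."""
    hdr = bytearray(datagram[:20])
    hdr[1] = 0                # TOS
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    ah_fixed = datagram[20:32]
    rest = datagram[32 + ICV_LEN:]
    return bytes(hdr) + ah_fixed + b"\x00" * ICV_LEN + rest


def compute_icv(key, datagram):
    return hmac.new(key, zero_mutable_fields(datagram), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_datagram(key, src, dst, next_header, spi, seq, payload):
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    draft = ip + ah_header(next_header, spi, seq, b"\x00" * ICV_LEN) + payload
    icv = compute_icv(key, draft)
    return ip + ah_header(next_header, spi, seq, icv) + payload


def parse_ah(datagram):
    """Return (protocol field, next header, SPI, sequence number, ICV)."""
    proto = datagram[9]
    if proto != AH_PROTO:
        raise ValueError("not an AH datagram")
    next_header, _, _, spi, seq = struct.unpack("!BBHII", datagram[20:32])
    return proto, next_header, spi, seq, datagram[32:32 + ICV_LEN]


def verify_ah(key, datagram):
    """True if the received ICV matches the recomputed one."""
    _, _, _, _, received = parse_ah(datagram)
    return hmac.compare_digest(received, compute_icv(key, datagram))


def nat_rewrite_source(datagram, new_src):
    """Model a NAT device replacing the source address (checksum aside)."""
    return datagram[:12] + socket.inet_aton(new_src) + datagram[16:]


def decrement_ttl(datagram):
    """Model an ordinary router hop: TTL is mutable, so AH still verifies."""
    hdr = bytearray(datagram[:20])
    hdr[8] -= 1
    return bytes(hdr) + datagram[20:]


def demo():
    key = b"constructed-sample-ah-key-not-for-real-use"
    pkt = build_ah_datagram(key, "10.1.1.5", "10.2.2.7", 6, 0x2001, 1,
                            b"constructed TCP segment")
    return {
        "original": verify_ah(key, pkt),
        "after_router_hop": verify_ah(key, decrement_ttl(pkt)),
        "after_nat": verify_ah(key, nat_rewrite_source(pkt, "203.0.113.9")),
    }


if __name__ == "__main__":
    print(demo())
```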

ESP

As mentioned above, in addition to the services provided by the AH protocol, the ESP protocol also provides network layer confidentiality. The SA is established in the same manner as with the AH protocol. A secured datagram is created by surrounding the original IP datagram data with header and trailer fields, and then inserting this encapsulated data into the data field of an IP datagram. The protocol field in the IP header uses the value 50. The original IP datagram data along with the ESP trailer field are encrypted. Confidentiality is provided with DES-CBC encryption (RFC 2405) or other encryption algorithms (e.g. 3DES, AES, Blowfish etc.). The ESP header consists of an SPI field and a sequence number field, which have the same roles as in AH. The trailer includes the next header field, which also has the same role as in AH. The next header field is encrypted along with the original data, which prevents an intruder from determining the transport protocol being used.

Following the trailer comes the authentication data field, which also serves the same role as in the AH protocol.
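One way a receiver uses the AH/ESP sequence number to reject replayed datagrams, as an added example that is not the thesis’s code: a per-SA sliding window in the style of RFC 2401, Appendix C, exercised against a constructed receive order containing reordering, a replay and a number that has fallen out of the window.

```python
"""Anti-replay check on the AH/ESP sequence number.

Added example (not from the thesis). The receiver keeps, per SA, the
highest sequence number accepted and a bitmap recording which of the
last WINDOW_SIZE numbers have already been seen (the sliding-window
scheme of RFC 2401, Appendix C). Numbers below the window or already
marked are rejected as replays. The first accepted value is 1, because
the sender's counter starts at 0 and is incremented before each send.
"""

WINDOW_SIZE = 64  # RFC 2401 requires at least 32; 64 is the usual default


class ReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) already accepted

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a
        replay, older than the window, or zero (never sent on the wire)."""
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward, dropping bits that fall off the end,
            # and mark the new highest number as seen.
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False           # older than the window: reject
        if self.bitmap & (1 << diff):
            return False           # already accepted once: replay
        self.bitmap |= 1 << diff   # late but fresh: accept and record
        return True


def process(window: ReplayWindow, seqs):
    """Apply the check to each received number and return the decisions."""
    return [window.check(s) for s in seqs]


def demo():
    # Constructed receive order: in sequence, one reordered pair, a replay
    # of 3, a large jump, then one number outside the window and one inside.
    received = [1, 2, 3, 5, 4, 3, 200, 136, 137]
    return process(ReplayWindow(), received)


if __name__ == "__main__":
    for seq, ok in zip([1, 2, 3, 5, 4, 3, 200, 136, 137], demo()):
        print(seq, "accept" if ok else "reject")
```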

SA and Key Management

For successful deployment of the IPSec protocol, a scalable and automated SA and key management scheme is necessary. Several protocols have been defined for these tasks, but the Internet Key Exchange (IKE) protocol [4] is the default key management protocol for IPSec.

The Internet Security Association and Key Management Protocol (ISAKMP) [2] defines procedures for establishing and tearing down SAs; these are completely separate from IKE.

3.3.4 SSL

SSL is today used as the standard web-based VPN solution and is constantly growing in popularity (its advantages are described in Section 5.5).


What is SSL

The SSL protocol [3] was originally developed by Netscape for transmitting private information across the Internet. It is designed to provide data encryption between a web client and a web server, to authenticate the server to the client, and, optionally, to authenticate the client to the server.

SSL sits between the application layer and the transport layer (i.e. TCP); this is the session layer of the OSI reference model (layer 5). On the sending side, SSL receives data from an application (such as an HTTP message), encrypts the data, and directs the encrypted data to a TCP socket. On the receiving side, SSL reads from the TCP socket, decrypts the data, and directs the data to the application. SSL is widely used in Internet commerce, being implemented in almost all popular browsers and web servers. SSL is used by invoking https when communicating over a web link (i.e. writing “https” instead of “http” in URLs).

Features of SSL

SSL provides the following features:

• SSL server authentication allows a user to authenticate the server.

• SSL client authentication allows a server to authenticate the user. This is an optional feature, used when, for example, a bank wants to authenticate a customer.

• An encrypted SSL session ensures that all information sent or received by the browser/web server software is encrypted using a shared secret key defined by the handshake protocol described further down.

• Message integrity ensures that the information sent has not been altered in any way. Another shared secret key, also defined during the handshake protocol, is used to form a Message Authentication Code (MAC).

How SSL works

The SSL protocol begins with a handshake phase which aims to create an SSL session. Sessions are used to avoid the expensive negotiation of new security parameters for each connection. During the handshake, an encryption algorithm (e.g. DES) and keys are negotiated. Once the handshake is complete, all transmitted data is encrypted using session keys negotiated during the handshake.

The following list is a concise description of the handshake process.

• The browser sends the server the browser’s SSL version number (the highest version supported by both the server and the client is used) and its cryptographic preferences.

• The server sends the browser the server’s SSL version, cryptographic preferences and a certificate certified by some CA. This certificate includes the server’s public key.

• The browser checks the certificate by comparing it to a trusted list of CAs (and public keys for each CA) that it stores. If the CA is not on the browser’s list, the user is warned and a secure session cannot be created. If the CA is on the list, the browser uses the CA’s public key to validate the certificate and obtain the server’s public key.

• Optionally, the server can now require client authentication.

• The browser generates a symmetric session key to use for future communication, encrypts it with the server’s public key and sends it (encrypted) to the server.

• The server uses its private key to learn the session key.

• The browser sends a message to the server informing it that future messages from the browser will be encrypted with the session key. It then sends a separate (encrypted) message saying that the browser portion of the handshake is finished.

• The server sends a message to the browser informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message saying that the server portion of the handshake is finished.

• The SSL handshake is complete. The SSL connection is now established and all data is encrypted and decrypted with the session key. The session key is also used to validate the integrity of the data.

The encryption/decryption process requires longer processing time for a request. On single pages, this is probably not an issue. However, on multiple pages the increased response time can be significant. This is a reason why SSL is not always used, in addition to the obvious fact that not all information transmitted over the Internet is confidential.


Chapter 4

WAN Design

4.1 Introduction

When creating a WAN, two main issues must be considered. One is to choose an appropriate WAN technology. WAN technologies, presented as various VPN solutions along with their advantages and disadvantages, were discussed in Chapter 3.

The other issue to be considered is the design of the WAN [26]. WAN design includes defining network objectives, choosing network topology and so forth.

When addressing both of the issues above (i.e. technology and design), an understanding of the bandwidth requirements of the applications running over the WAN is required. The role of the applications used is so important that it is said that “the applications drive the design process” [26, p. 3]. Bandwidth requirements of business applications will therefore be discussed in Section 4.3.1.

4.2 Design Objectives

This section discusses the objectives that characterize a satisfactory network design. These objectives should be parameters against which the quality of the network design can be measured.

4.2.1 Performance

The performance of the network can be measured with a number of parameters. The first parameter is the application response time. The application response time is the interval between when an inquiry message is sent to an application and when the client receives the response message. This is one way of measuring the application response time, which includes the network. Another way is to only measure the time interval between when the application receives the message and the beginning of the transmission of a response message. It is especially important for delay-sensitive or real-time applications to have a low application response time. Examples of such applications are VoIP (IP Telephony), SNA (Systems Network Architecture), which is IBM’s proprietary networking architecture created in 1974 for interconnecting computers and their resources, and LAT (Local Area Transport), which is a networking technology developed by Digital Equipment Corporation for controlling terminal traffic in a DECnet environment.

The next parameter is the application co-existence parameter. This parameter measures the ability of a network to support multiple applications with different characteristics and requirements. The requirements of a new application being introduced in the network must be met without impairing the performance of other applications. The last parameter that measures the performance of a network is availability. The availability parameter specifies the tolerated application downtime.

4.2.2 Availability

The availability requirement can be met by providing resilience. Resilience is provided by putting redundant links and devices in the WAN. The level of resilience in a WAN is a matter of cost. A fully resilient network will probably not be supported by the WAN budget. It is therefore important to design the network so that redundancy is added where it is most needed.

4.2.3 Accommodating Growth and Change

Accommodating growth and change basically means designing a scalable WAN. A scalable WAN only needs to be redesigned if the character of the network is fundamentally changed, for example if an application that is radically more bandwidth-intensive than the existing applications is introduced. Other, less fundamental changes, such as an increase in the number of users or sites, should be predicted as far as possible.

4.2.4 Management and Manageability

Since support is usually the second greatest single cost of ownership of a network (after WAN technology and bandwidth), it should be minimized by well-planned network management. Network management includes fault management, configuration management, security etc. All these components should be decided prior to implementation.

4.2.5 Disaster Recovery

A disaster recovery plan should be developed for situations more serious than those that can be handled by a resilient network (e.g. complete failure of core resources). If a disaster recovery plan is not developed during the design process, the plan eventually used may turn out to be very expensive and might not even fully recover the network. During the design process it is important to define what a disaster is, what resources need to be recovered after a disaster and what the budget for disaster recovery is.


4.2.6 Cost

The cost of each element of the network design should be estimated before advancing with a design proposal.

4.3 Understanding the Network Environment

When the network objectives have been determined, the network environment needs to be understood. The key issue here is to understand the nature and requirements of the applications that run over the WAN.

4.3.1 Network Applications

An understanding of the business applications running over the WAN and their network requirements (bandwidth, latency, and jitter requirements) is necessary when creating WANs, both when it comes to choosing technology and when designing the WAN. For example, if requirements are low in a particular situation, a secure VPN over the Internet can be chosen as WAN technology, even though it performs worse than Frame Relay, which is a more expensive alternative.

Each application has its own network requirements. These requirements need to be quantified in order to assess throughput requirements on the WAN. In addition to understanding the network requirements of each specific application, it is important to know where the applications are located, i.e. which sites host the application servers, and from where and by how many clients they are used. By knowing the locations of servers and clients, traffic flows can be estimated. Traffic flows help determine where connectivity is required. Estimating the number of clients using each application is necessary in order to predict how much bandwidth is actually needed. Low bandwidth-consuming applications that are used by many users might need more bandwidth than high bandwidth-consuming applications used by few users.

Table 4.1, taken from [29], shows the bandwidth requirements of some common applications. The rates presented in the table are very high since techniques such as compression (which can reduce the rates) have not been taken into consideration. The purpose of the table is to show the variation of bandwidth requirements for different applications. Latency and jitter requirements are not covered further in this report.

4.3.2 Cost of Downtime

An estimation of the cost of downtime enables an accurate analysis of the trade-off between cost and availability.


Table 4.1. Bandwidth requirements of some common applications.

Application                  Rate
Personal communications      300 to 9,600 bits/sec or higher
E-mail transmissions         2,400 to 9,600 bits/sec or higher
Remote control programs      9,600 bits/sec to 56 Kbits/sec
Digitized voice phone call   64,000 bits/sec
Database text query          Up to 1 Mbit/sec
Digital audio                1 to 2 Mbits/sec
Access images                1 to 8 Mbits/sec
Compressed video             2 to 10 Mbits/sec
Medical transmissions        Up to 50 Mbits/sec
Document imaging             10 to 100 Mbits/sec
Scientific imaging           Up to 1 Gbit/sec
Full-motion video            1 to 2 Gbits/sec

4.4 Design the WAN Topology

After the objectives of the WAN have been determined and the network environment has been understood, it is time to choose the WAN topology. With topology, we refer to the manner and architecture with which different sites on the network are connected together [26, p. 18] and not to the actual technology employed in the WAN (e.g. ATM, Frame Relay, IP etc.).

Choosing a WAN topology consists of considering issues such as deciding how many sites each site will connect to, or determining whether or not hierarchy will exist in the way site connectivity is achieved.

4.4.1 Flat vs. Hierarchical Topology

One of the most important decisions to make when designing the WAN infrastructure is whether to use a flat or a hierarchical topology.

The flat WAN topology has two layers: one main site to which all remote sites connect (hub-and-spoke topology). In the hierarchical topology model, at least one other layer is introduced between the main site(s) and the remote sites. The remote sites (Tier-3 sites) connect to the main site(s) (Tier-1 site(s)) via the newly introduced sites (Tier-2 sites), and never directly (except in exceptional cases, such as a backup ISDN line).

Advantages of a Flat Topology

One of the advantages of using a flat WAN topology is that the topology becomes less complex. A less complex WAN is easier to manage.

Another advantage is that flat topologies have fewer router hops. By having fewer router hops, the latency associated with forwarding data across the network is decreased.


Disadvantages of a Flat Topology

A lower number of leased lines and PVCs is not always a cost saving, particularly in the context of leased lines. The cost of leased lines increases with distance. It might therefore be wise to introduce another layer between the main site and the remote sites. The remote sites should connect to this site which, in turn, should connect to the main site. This reduces the total length of the leased lines.

The flat design also introduces a set of routing protocol limitations [26, p. 25].

Advantages of a Hierarchical Topology

As already discussed above, when using a hierarchical topology, leased lines or PVCs from Tier-3 sites are aggregated at the Tier-2 sites rather than connecting all the way to the Tier-1 site. This allows for a reduction of the total amount of bandwidth purchased, and shortens the leased line distances. It also introduces a number of advantages associated with routing [26, p. 35].

Another advantage of a hierarchical topology is that it allows for better disaster recovery. The main goal of disaster recovery is to provide backup of the Tier-1 core resources (located at a backup Tier-1 site). In a flat design, connectivity would be required from every remote site to the backup Tier-1 site, while in the hierarchical design, connectivity is only required from the Tier-2 sites to the Tier-1 site.

Disadvantages of a Hierarchical Topology

Generally, as a network grows, a hierarchical WAN topology provides a more cost-effective solution. However, the WAN costs can, in some cases, be higher for a hierarchical topology. A cost estimation for your particular WAN must therefore be calculated before one can determine which of the solutions is most cost-effective.

Furthermore, with the hierarchical model, more layers are introduced. More layers mean additional router hops. Additional router hops always increase latency or delay on the network.

4.4.2 Redundancy

We have so far discussed whether to use a flat or a hierarchical WAN topology. Another topology issue to consider is that of determining what type of mesh to use. A mesh topology is used to add redundancy in communication links. There are several types of mesh topologies. In a full-mesh topology, every site has a connection to every other site. In a partial-mesh topology every site has connections to several other sites, but not to all other sites. Another form of redundancy is to add links between sites that are already connected. This type of redundancy is, for example, needed between sites where bulk traffic flows, since more damage is caused if communication fails there.

Full mesh gives the highest level of redundancy. This seems like a desirable feature but is also very expensive. The high cost is not the only disadvantage of a full-mesh topology. Full redundancy means more connections, and more connections mean more time spent setting up and monitoring the network. The problem with full mesh is thus one of management and cost.

But using only a hub-and-spoke topology (each site connects to the main site) has one fatal flaw: the remote sites depend on the main site for being able to communicate with each other. If the main site is knocked out, the communication between the remote sites is interrupted.

The trend in modern networking environments is to centralize resources (web servers, e-mail, video conferencing etc.). Since the resources are located at the main site(s), there is often no need for direct communication between the remote sites. On networks with fewer than 20 sites, which are considered small networks, there is usually no requirement for direct communication between remote sites.

Partial redundancy might however still be required in many WANs. It is therefore necessary to decide where redundancy is needed and how to set it up, e.g. whether or not to use the same technology or service provider for the redundant links. By adding redundancy from different service providers, communication is not interrupted if one of the service providers’ networks crashes. Where to put the redundant links depends entirely on the requirements of each company (i.e. where clients, servers and traffic flows are).

4.5 Achieve the Design Goals

The book “IP Network Design” [26, p. 10] provides a general guideline on how to achieve the design goals described in Section 4.2. The book emphasizes the importance of theoretical understanding and practical experience when designing networks. It also emphasizes the importance of performing the design in a lab, since no design tool or model is realistically applicable to anything but a simple network.

The network design guideline consists of 8 steps, some of which are iterative.

1. The first step consists of determining the performance parameters that best specify each of the design goals described earlier. For example, application response time is a parameter that specifies the performance goal.

2. The second step consists of identifying any design constraints, such as budget and time.

3. The third step consists of setting targets for the relevant performance parameters, for example the highest tolerable application response time or application downtime.

4. During the fourth step, a high-level design can begin. During the high-level design, major issues are addressed, such as which WAN technology to choose.

5. During the fifth step, the design of the fourth step should be compared to the constraints identified in step two. If the constraints are not met, repeat the previous step or go back and revise the constraints.


6. The sixth step consists of formulating a more specific network design plan in which all the technical details and alternatives for the design are addressed.

7. The seventh step consists of testing the major technical solutions in a lab. If the results are not satisfactory, go back to step six.

8. The design is complete when the eighth step is reached.

Conclusions from this chapter can be found in Chapter 6.


Chapter 5

Case Studies

5.1 Introduction

The previous chapters have discussed various technologies and topologies that are used when creating VPN-based WANs. In an attempt to make the choice between the technologies and topologies easier, we will now look at the WAN solutions of two different companies.

The initial objective was to include more companies in the survey, but since the questions involve sensitive information, it was difficult to find companies that were willing to participate.

Information has been collected by conducting interviews with external consultants or employees, over the telephone or by e-mail. The process of completing this chapter has been iterative. Several interviews were conducted with the same individual in order to cover all the gaps. After each interview, the participants were given drafts and the opportunity to comment on the contents of the drafts. The final version of the text, now included in this chapter, has been approved by all participants.

The first company described will be referred to as company X. It is a business unit within a large business group. The group will be referred to as the G Group. Company X has some 3000 employees at 60 locations all over the world.

The second company described will be referred to as company Y. Company Y has more than 35 000 employees in 130 countries all over the world. Company Y is actually a business group consisting of many business units, but since the answers of company Y apply to the whole group and not one specific unit, a distinction will not be made between the group and the units.

5.2 Questions and Answers

The set of questions chosen is based on the typical issues one must consider when creating a VPN-based corporate WAN. That is, what type of VPN to choose (e.g. secure or trusted) and why, what type of technology to choose (e.g. SSL or IPSec) and why, how remote access and extranet communications are used, etc.


5.2.1 What does your topology look like (sites, links, redundancy, management)?

Company X

Because of the transition described under the questions “When are you using leased lines or trusted VPNs and why?” (see Section 5.3.4) and “Future trends?” (see Section 5.3.10), the current topology of company X is not as interesting as that of company Y. The topology of company X is undergoing great changes, as the reader will find out. It thus suffices to say that company X has had, and still has but not for long, a hierarchical topology with three global hubs located in Sweden, the USA and Singapore.

Company Y

Company Y has a hierarchical topology with four layers. Three global hubs (Sweden, Singapore, USA) are connected in a triangle. Eight regional hubs, spread all across the world, are connected to two of the global hubs. Domestic hubs are connected to the regional hubs and local sites are connected to the domestic hubs.

All global and regional sites have Internet connections. The regional Internet connections are used for web surfing and supporting secure VPNs. The global Internet connections are, in addition to the use described above, also used for incoming external services (e.g. web services etc.). The global hubs have redundant firewalls.

Company Y generally does not multihome to any ISP. The IP routing is done through different ISPs to the global hubs. There are, however, redundant links to the same ISP where it is found necessary.

Company Y’s network is managed by an internal IT support unit (ITSU)¹ which is included in the Y business group. The basic structure of the network has been determined by ITSU with efficiency, stability and security as primary objectives. ITSU supports the network 24x7 and has support centres all over the world. The “follow-the-sun” concept is followed, which means that time differences around the world are exploited in order to provide on-line help to users on a round-the-clock basis, always employing staff to do this during or close to regular working hours.

Apart from this basic design, each site decides what performance the links connecting it to the closest hub(s) should have and whether or not redundant links are necessary. Recommendations on these issues are however provided by ITSU. The core of the network is financed by a shared budget. The links connecting local hubs to hubs higher up in the WAN hierarchy, any redundant links included, are however financed by the local hubs. All routers are maintained by ITSU, which makes it possible to view the entire network as one single routing domain, thus simplifying routing issues, which results in cost savings and more stability in the network.

¹ ITSU is not the real name of company Y’s IT support unit.


5.2.2 What applications are you running over your WAN?

Company X

IP telephony, SAP etc.

Company Y A great number of applications run over the company Y WAN, for example terminal-based (telnet) applications, MQ², database connections, web applications etc. These applications might have different requirements. Terminal-based applications, for example, require low latency, i.e. short application response time, while file transfers require high bandwidth.

5.2.3 Are you using leased lines, trusted VPNs, secure VPNs or a hybrid solution?

The expression “hybrid solution” could have two meanings here. The first one is when secure VPN technology is used when sending data over the network of a trusted VPN service provider, e.g. encrypting data before sending it over a trusted network. The other meaning refers to when secure and trusted VPNs are used in different situations, e.g. secure VPNs are used for remote access and trusted VPNs are used when connecting sites. In this report, we refer to the latter meaning.

Company X A hybrid solution.

Company Y A hybrid solution.

5.2.4 When are you using leased lines or trusted VPNs and why?

Company X Traditionally, company X has used leased lines and Frame Relay. IPSec tunnels over the Internet have also been used to some extent (see the next question for why).

Today, the company is moving most of its WAN connections towards an MPLS-based WAN. This transition is based on cost and structural reasons.

Company Y Trusted VPNs are primarily used for most WAN connections because they provide the guarantees required by the business applications of company Y. The technologies used are mainly Frame Relay and SDH.

5.2.5 When are you using secure VPNs and why?

Company X IPSec VPNs have traditionally only been used as temporary solutions, e.g. where connectivity was required for a shorter period of time, in situations where the company wanted to avoid conditions of contracts such as periods of notice etc.

² The IBM MQSeries family of products provides transactional message queueing for many platforms (Windows, Linux, IBM mainframe and midrange, and Unix). A message queue is a software-engineering component used for inter-process communication or for server-to-server communication.


One of the reasons for using IPSec VPNs to this limited extent is the lack of traffic control in the WAN. The other reason is the lack of an SLA for end-to-end availability, throughput, latency, and jitter.

Company Y IPSec (in tunnel mode) VPNs are used as primary connections in three situations.

The first one is when small offices connect to the corporate network. In this case, connection requirements are generally low. The offices connect to the corporate network by using hardware clients (Cisco’s 831 routers). Software clients from Cisco are thus not used.

Furthermore, IPSec VPNs are used as primary connections when WAN service providers cannot offer connectivity (e.g. some places in Africa). In these situations, the cost is not the main reason for using IPSec VPNs (as it is below).

In some parts of Asia, Africa and South America, the cost of the services offered by WAN service providers is extremely high. In these cases, IPSec VPNs (over ADSL Internet connections) are used as the primary connection while a low-capacity leased line is used as backup for the most critical applications.

The situations above are those where IPSec VPNs are used as primary connections. In addition to these situations, IPSec VPNs are often also used as backup connections while Frame Relay and SDH are used as primary connections.

5.2.6 What secure VPN technology are you using?

Company X IPSec VPNs have been used for site-to-site connectivity. In some situations (see remote access further down), a web-based access solution has been employed.

Company Y Company Y is only using IPSec VPNs. SSL is used by web servers just for encrypting data, not for authentication.

Company Y is using GRE tunnels running IPSec in transport mode (IKE+ESP, sometimes also AH). These tunnels are handled by our routers and are included in our routing protocols. The reason why we do this is that routing and redundancy then become automated and transparent. From an IP point of view, there is no difference between a GRE tunnel and a leased line.

5.2.7 What remote access solution(s) are you using?

Company X The remote users can be divided into two main categories. The solutions chosen depend on which category the users belong to.

Roaming/mobile users Roaming or mobile users are travelling users. These users can connect from any location and any computer, e.g. from public computers at airports or in hotel rooms. For these users, a web-based solution is provided (PortWise [21]) with strong authentication. The user enters his/her user-id and password.


A one-time password, which the user must use in order to be able to log in, is then sent out by SMS; the mobile phones of employees are thus under the company’s control. The reason why two-factor authentication is used is that the company cannot be sure that the user is connecting from a trusted computer. Thus, by having strong authentication, the threat of passwords being reused after having been logged on the computer by a keylogger is eliminated.

Another desirable element linked with using a web-based solution is that it only grants limited access to the corporate network. Mobile users are not considered to have the same access needs/rights, and by limiting their access rights, security is enhanced. Consultants are another group of users with limited access needs.

Users connecting from trusted computers What characterizes these users is that they are believed to connect from trusted computers, e.g. home computers or laptops provided by the company, and they are considered to need more access to company resources. A client-based approach is therefore employed here. A Cisco VPN client (running IPSec) is preinstalled on the remote computer and connects to a centrally hosted VPN concentrator. The remote computer thus becomes a part of the LAN. This solution is only used for employees and not for consultants etc.

For mail access, OWA (Outlook Web Access) is used. OWA is accessed through PortWise.

Company Y Company Y uses a client-based approach with software and hardware from Checkpoint [20]. Company Y has 14 Checkpoint firewall-1 firewalls all over the world. These firewalls are used as VPN terminators. On the client side, remote users connect to the firewalls with Checkpoint’s SecureClient VPN clients. The underlying VPN technology used is, as already stated, IPSec in tunnel mode. SecureClient has built-in support for checking the remote computer (on which it is installed) for proper anti-virus software, updated security patches etc. These features are not fully used yet, but will be more so in the future. The clients also have built-in personal firewalls with rules set by the central firewalls. Every time a client connects to a firewall-1 firewall, the policies are updated if necessary (i.e. if any changes have occurred since the last update). These measures protect the remote computers even when they are not connected to the company network.

5.2.8 How are you using extranet communications?

Company X The extranet use of the company can be categorized into three main types.

The first type of extranet is created with partners and customers with whom company X has loose ties. These have limited access requirements. Solutions such as PortWise can thus be used to allow them to access only selected information.

The second type of extranet is created with customers of company X with higher access requirements. These access requirements can generally not be met when using, for instance, PortWise. This type of communication can use either a WAN connection or a LAN-to-LAN connection when company X and the customer are located on the same premises. This type of traffic is always filtered through a firewall controlled by company X.

The third type of extranet is created to give third-party organizations (e.g. a service provider of LAN management), to which the company has outsourced maintenance of the company network, the access required. These are connected using a WAN and the connection is terminated on a DMZ of company X.

Company Y Company Y creates its extranet by establishing secure VPN connections using Checkpoint firewall-1 firewalls as VPN terminators. The firewalls maintain access rules, which depend on the specific access needs of each external organization. The resources intended for external organizations are located on several DMZs. They are accessed either directly over the Internet through our firewalls (Checkpoint firewall-1), or by LAN-to-LAN VPNs. In the latter solution, firewall-1 is used as VPN terminator.

Company Y also provides a client-based secure VPN approach for some of its partners and customers. These are granted access by using Checkpoint’s SecureClient. But in this case, in order to enhance security, the access rules are determined on a per-user basis.

5.2.9 Do you outsource your secure VPNs or manage them yourselves?

Company X Company X has chosen to outsource WAN management to WAN service providers. The main reasons for doing so are that network management is not a part of company X’s IT core business, and cost.

Company Y Company Y manages its secure VPNs in-house. They own the hardware and configure the equipment. This policy, to both own and manage the equipment, allows them to be more flexible. They also avoid being dependent on external parties. Furthermore, this policy helps keep the company Y staff competent which, in the long run, will generate new ideas and solutions.

5.2.10 Future trends?

Company X As stated previously, company X is a business unit within the G Group. The G Group is transitioning from Frame Relay/leased lines/IPsec VPNs to MPLS (company X has already performed this transition for the European region). There are two reasons for this transition. The first one is cost savings. The second one is a structural reason. Since there is an increased need for the different sites to communicate with each other, MPLS is a good choice as it natively offers any-to-any connectivity.

The topology of company X will eventually change from being a hub-and-spoke topology, with three hub sites (the hub site for Europe is located in Sweden, the hub site for America is located in the USA, and the hub site for Asia-Pacific is located in Singapore) connected to each other and local sites connected to the hub sites, into a flat hierarchy with all sites connected to the MPLS cloud of the G Group.

A trend in company X and the G Group is to perform server consolidation for selected applications. Server consolidation means that central servers (e.g. mail, AD, DNS) will be hosted at main sites/data centers. A wish to achieve standardization and to make outsourcing easier lies behind this transition.

Another trend is that more applications of company X and the G Group are utilizing the WAN (e.g. IP-telephony, SAP). This makes traffic priority in the WAN an important issue along with bandwidth requirements.

These changes are decided on centrally. The business units within the G Group are, however, participating in the decision and design process.

The main goals of the changes described above are to save costs and to consolidate the IT infrastructure.

Company Y MPLS VPN solutions are on the rise. Company Y has begun to employ this solution partly. The main reason for switching from leased lines to MPLS VPN is the low cost. In addition, it provides any-to-any connectivity between the different sites.

Conclusions from this chapter can be found in Chapter 6.


Chapter 6

Discussion and Conclusions

6.1 Introduction

As this report has shown, there are several ways of implementing a WAN, both when it comes to design issues and choice of technology. In this chapter, we present conclusions for the different parts of the WAN (see Section 1.7). The conclusions are based on the contents of the previous chapters, more specifically on the advantages and disadvantages of the different technologies and design approaches.

Whatever solutions we choose for the different parts of the WAN, the requirements and objectives covered earlier in the report should be met. VPN requirements are covered in Section 1.8. Design objectives are covered in Section 4.2.

6.2 Technologies

In order to decide what underlying technologies to choose for the different parts of the WAN, we will start by ruling out those that are not suitable, beginning with site-to-site connections.

6.2.1 Site-to-Site

We will begin by ruling out leased dedicated lines because of their high cost and poor scalability.

A web-based solution based on SSL should also be ruled out. First of all, the web-based solution is not seamless. When a web browser is used, simple tasks might be difficult and confusing to accomplish. Furthermore, the web-based solution offers limited access to applications. Remember that SSL tunnels traffic at the session layer of the OSI model and not at the network layer, as opposed to IPSec, which limits the number of supported applications.

Many of the trusted VPN technologies can also be ruled out. X.25 is ruled out directly, unless it is the only available alternative, since it is just an inferior version of Frame Relay. Frame Relay and ATM offer fast and reliable connections, but they are expensive and do not scale well. They do not inherently provide any-to-any communication; this is achieved by leasing a great number of circuits. Some WAN applications (e.g. voice and video applications) have very high network requirements. If there are no other alternatives for meeting these requirements, a VPN based on Frame Relay or ATM should be considered.

MPLS, on the other hand, is an interesting alternative since it offers any-to-any connectivity and good performance. In the “Future Trends” section (Section 5.3.10) of the “Case Studies” chapter (Chapter 5), both of the investigated companies are transitioning, or have plans to transition, to an MPLS solution. This indicates that MPLS is sufficient for companies with high requirements on the network. Furthermore, the cost of deploying MPLS is lower than that of deploying leased lines, Frame Relay, and ATM. MPLS might even be a cheaper alternative than a solution based on IPSec since the IPSec solution might contain a lot of “hidden costs”. For example, a company might have to purchase hardware and software, if the existing equipment cannot be reused, and train its staff to understand, configure and maintain the IPSec solution.

A CE-based IPSec VPN is also an interesting alternative for site-to-site connections where network requirements are low, as this solution offers an on-the-LAN experience. In a CE-based IPSec VPN, a VPN terminator is placed on the edge of the corporate network. All VPN tunnels are terminated at the terminator. Since no client is launched on the user’s computer, the user gets a seamless environment. Some service providers even provide IPSec VPN solutions with SLAs.

The relevant alternatives for creating site-to-site intranets are thus MPLS and CE-based IPSec VPNs (in-house and outsourced). Do we necessarily have to choose one of these technologies, or can they be combined to complement each other?

By looking at the advantages of MPLS, we can conclude that there are a few situations where MPLS is a better choice than IPSec. First of all, MPLS performs better than IPSec. So if a company needs SLAs or plans on converging applications with high performance requirements onto the network, MPLS is a better choice since these applications can receive the necessary QoS with MPLS. Another situation in which MPLS is a better choice is when traffic patterns resemble partial or full-mesh connectivity, since MPLS offers any-to-any connectivity between all the sites connected to the MPLS cloud. Yet another reason for choosing MPLS is that it comes as a managed service. This suits companies that wish to outsource their WAN.

IPSec, on the other hand, is a good choice when a company needs security measures like encryption, or user and device authentication, even though we have already stated that data can be encrypted before being sent through an MPLS network. IPSec VPNs can also sometimes be cheaper than MPLS VPNs. Another advantage of IPSec VPNs is that they can be deployed more rapidly, since new sites can be added with little or no change to the existing IP network infrastructure. Finally, IPSec can be a good choice in situations where traffic flows follow a hub-and-spoke topology.

Basically, for subsidiaries or branch offices between which there is intense cooperation, full mesh is a good choice. The preferable technology here is MPLS.

Subsidiaries or offices that are small and relatively independent from each other, and need only to be connected to the main sites where the servers needed by the subsidiaries are located (that is, in situations where a company has performed server consolidation¹), should be connected only to these sites, thus creating a hub-and-spoke topology where the main sites hosting the servers constitute the hubs. The preferable technology here, if less expensive than MPLS, is IPSec.

A very concise way of putting it is to say that MPLS should be used if it is a cheaper alternative than IPSec. If it is a more expensive alternative than IPSec, it should only be used where there are requirements on the network performance that cannot be met by an IPSec-based VPN.

6.2.2 Remote access

First of all, all the remote access requirements mentioned in Section 1.8.2 should be met when creating remote access VPNs.

When providing remote access, all alternatives other than dial-in access, SSL and IPSec can be ruled out. Obviously, trusted VPNs and dedicated leased lines are ruled out because it would be impossible to extend lines to each remote access user. Even if cost were not an issue, remote access with leased lines could only be supported to fixed locations, and mobility would thus not be supported at all.

Dial-in access should be used in situations where users connect from locations where Internet access is not provided. When using a dial-in solution, the security features of the call-back capability (described in Section 3.1.2) should be taken advantage of. That is, the system should only call back to preconfigured numbers. Some companies allow employees to manually enter the number to which the system calls back. This is only a way of letting the company pay the telephone charges instead of the employee. Another solution, in case a user has a few fixed locations he usually connects from, is to associate each user with a set of preconfigured numbers from which the user can choose one to be called back at. Allowing the system to call back to any number should thus not be permitted.

A web-based solution riding on top of SSL is well suited for roaming users. This solution does not require the user to install or configure a client in order to be able to connect to the company network. It is also well suited in any situation where access requirements are low. Web mail is the perfect example. Roaming users often connect from insecure computers, and the introduction of strong authentication would, in these situations, eliminate the threat of keyloggers. In the absence of strong authentication, a security policy defining from which computers connections are allowed should be developed and enforced. If such restrictions exist, however, the main advantage of a web-based solution, namely the mobility, is not benefited from.
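The SMS-delivered one-time password described for company X's roaming users in Section 5.2.7, and the "strong authentication eliminates the threat of keyloggers" argument above, both rest on the same server-side property: a code is accepted once, only briefly, and cannot be guessed in a few tries. The following is an added example of that gateway-side logic, written for this page; it is not code from the thesis or from PortWise or any other product it names. The delivery channel is left out (the code is returned to the caller so the example runs offline), and the validity window, digit count and attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the thesis or any product it names): the server side
# of an SMS-style one-time password scheme for a web-based remote-access
# gateway. Policy values below are assumptions, not the thesis's figures.
OTP_DIGITS = 6
OTP_VALIDITY_SECONDS = 120     # a code is useless after two minutes
OTP_MAX_ATTEMPTS = 3           # guard against guessing a 6-digit code


class OtpStore:
    """Holds at most one pending code per user; codes are single-use."""

    def __init__(self, now=time.time):
        self._now = now                         # injectable clock for testing
        self._key = secrets.token_bytes(32)     # per-process key for hashing codes
        self._pending = {}                      # user -> [digest, issued_at, attempts]

    def _digest(self, user, code):
        # Store an HMAC of the code rather than the code itself, so a dump of
        # this table does not hand out still-valid codes.
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for `user`, replacing any earlier pending code."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user] = [self._digest(user, code), self._now(), 0]
        return code                             # hand to the SMS sender in practice

    def verify(self, user, code):
        """Return True exactly once for the right code inside the validity window."""
        entry = self._pending.get(user)
        if entry is None:
            return False                        # nothing issued, or already used
        digest, issued_at, attempts = entry
        if self._now() - issued_at > OTP_VALIDITY_SECONDS:
            del self._pending[user]             # expired: force a re-issue
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]             # single use: a replay now fails
            return True
        entry[2] = attempts + 1
        if entry[2] >= OTP_MAX_ATTEMPTS:
            del self._pending[user]             # too many wrong guesses
        return False


def demo():
    """Exercise the store with a fake clock; returns the four outcomes in order."""
    clock = [1_000_000.0]
    store = OtpStore(now=lambda: clock[0])

    code = store.issue("alice")
    first_use = store.verify("alice", code)      # True
    replayed = store.verify("alice", code)       # False: a keylogged copy is useless

    code = store.issue("alice")
    clock[0] += OTP_VALIDITY_SECONDS + 1
    expired = store.verify("alice", code)        # False: too old

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(OTP_MAX_ATTEMPTS):
        store.verify("alice", wrong)             # wrong guesses exhaust the code
    locked_out = store.verify("alice", code)     # False: code discarded

    return first_use, replayed, expired, locked_out
```

The replay outcome is the one that matters for the keylogger argument: a code captured on a public computer has already been consumed by the time an attacker tries it, so only the static password leaks, and on its own that is not enough to log in.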

A client-based solution is necessary when users need to work from remote locations in a seamless environment. This is not possible with a web-based solution based on SSL, as previously stated.

¹ In this report we mean physical server consolidation. This means collecting servers distributed across multiple remote/branch offices and business units into a central data center. There are other ways to perform server consolidation, for example logical server consolidation. These other ways will, however, not be covered further in this report.


We have seen that a client-based solution, based on IPSec for example, often grants more access to the network than a web-based solution. With more access, security should be considered more carefully. The remote computers connecting to the company network should somehow be controlled; a MAC address check could be performed, for example. Two-factor authentication can be avoided if the remote computers are more controlled, which is good because of the high cost and increased management this solution brings along.

Today, many companies use Windows XP’s built-in client (based on PPTP). A client based on IPSec has a few advantages over PPTP and should be used if possible. PPTP is not considered as secure as IPSec and has not been ratified by the IETF. IPSec is more field-tested and addresses future VPN environments, such as new IP protocols. It also includes more features, such as split tunneling. In a VPN context, “split tunneling” is the term used to describe a multiple-branch networking path. A tunnel is split when some network traffic is sent to the VPN server and other traffic is sent directly to the remote location without passing through the VPN server. An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth, as Internet traffic does not have to pass through the VPN server. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack, as it is accessible through the public, non-secure network [19].
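Split tunneling is, in the end, a property of the route table the VPN client installs on the remote computer. The following added example (written for this page, not taken from the thesis or from any VPN client it mentions) builds the two route tables and resolves sample destinations with longest-prefix matching, so the difference the paragraph describes can be seen as data: under full tunneling every destination leaves through the VPN, under split tunneling Internet destinations bypass it. The corporate prefixes and the destination addresses are constructed from RFC 1918 and documentation ranges.

```python
import ipaddress

# Added example, not from the thesis or from any VPN client it mentions: the
# route table a remote-access client ends up with under a full-tunnel policy
# versus a split-tunnel policy, and where each destination is then sent.
# Prefixes are constructed (RFC 1918 and documentation ranges).
CORPORATE_PREFIXES = ("10.0.0.0/8", "192.168.100.0/24")


def build_routes(split_tunnel):
    """Return (network, path) pairs; the default route is what the policy changes."""
    routes = [(ipaddress.ip_network(p), "vpn") for p in CORPORATE_PREFIXES]
    default_path = "direct" if split_tunnel else "vpn"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_path))
    return routes


def select_path(routes, destination):
    """Longest-prefix match, as a host's routing table does it."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, path in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1]


def classify(destinations, split_tunnel):
    """Map each destination to 'vpn' or 'direct' under the given policy."""
    routes = build_routes(split_tunnel)
    return {d: select_path(routes, d) for d in destinations}


def directly_exposed(destinations, split_tunnel):
    """Destinations reached outside the tunnel while the VPN is up.

    Each of these is a path the corporate firewalls never see; with split
    tunneling the set is non-empty, which is the exposure the text warns about
    and the reason a client-side firewall (as in Section 5.2.7) matters.
    """
    return sorted(d for d, p in classify(destinations, split_tunnel).items()
                  if p == "direct")
```

The trade-off the paragraph states appears directly in the two policies: the full-tunnel table has no "direct" entry at all, at the cost of hauling all Internet traffic through the concentrator; the split-tunnel table sends only the corporate prefixes through the VPN and leaves the host talking to the Internet on its own.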

Another security issue concerning remote login is invalid (e.g. old) user accounts. Many companies do not have routines for removing invalid user accounts, which means that former employees do not necessarily have their user accounts (and thus their access rights) removed directly. User account removal routines should be defined in a security policy. This problem is even more serious when granting external consultants (next subsection) access rights.

6.2.3 Extranet

Throughout this report, we have seen that the technologies chosen for creating extranets depend on the level of access required by the extranet user, e.g. an external consultant, a provider of LAN management services etc. The requirements of each external user must be investigated before a solution can be chosen. But there are some general conclusions we can come to. First of all, the principle of least access should be followed, which means that no more access should be granted than what is required by the external user. Based on this principle, access levels can be defined. Three main levels of access can be defined (which can also be divided into sublevels).

Information access - For external users requiring access only to information. For this type of access, a web-based solution is a good choice. We do not repeat all the benefits of a web-based solution; these can be found in Section 2.4.3. The important issue is, however, that a web-based solution only allows limited and selected access to the network, which is sufficient when only access to information is required. Security is additionally increased since the servers storing the information can be located on the DMZ. The security requirements for remote users connecting through a web-based solution should be met by extranet users as well (e.g. strong authentication etc.).

Application access - For external users requiring access to more than just information (e.g. external consultants participating in projects who need to work in a seamless environment, that is, they need to run applications etc.). For this type of access, a client-based solution, based on IPSec for example, should be chosen. We omit to repeat all the benefits of a client-based approach. What is important is that this approach allows for more access to the network. All other benefits are listed in Section 2.4.1. The security requirements for remote users connecting by using a client-based solution should be met in the case of extranet users using this approach as well.

Configuration/Maintenance access - For external users that require access to maintain or configure parts of the network. For this type of access, a LAN-to-LAN connection can be used. All traffic should be filtered through firewalls, that is, only certain IP addresses should be allowed, and access should be allowed only to certain parts of the network (i.e. the servers that need to be configured/maintained) etc.
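Company Y's practice of keeping a separate rule set per external organization (Section 5.2.8) and the filtering just described for maintenance access come down to the same thing: a default-deny table keyed on who the partner is, where they connect from, what they may reach and on which ports. The following added example, written for this page and not taken from the thesis or from Checkpoint's or any other vendor's rule syntax, evaluates such a table against constructed connection attempts and produces the deny log lines an operator would review. The organizations, addresses and servers are placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the thesis, nor any vendor's rule syntax): a
# least-access rule table for extranet partners, one rule per external
# organization, evaluated with a default deny. All organizations, addresses
# and servers are constructed placeholders.


@dataclass(frozen=True)
class Rule:
    org: str
    level: str                 # "information", "application" or "maintenance"
    sources: tuple             # networks the partner may connect from
    destinations: tuple        # DMZ hosts or internal networks they may reach
    ports: frozenset           # TCP ports allowed


RULES = (
    # Partner with information access: one DMZ web server, HTTPS only.
    Rule("partner-a", "information",
         ("198.51.100.0/24",), ("192.0.2.10/32",), frozenset({443})),
    # Outsourced LAN management: SSH and SNMP to the managed network only.
    Rule("lan-mgmt-provider", "maintenance",
         ("203.0.113.8/32",), ("10.20.0.0/24",), frozenset({22, 161})),
)


def _in_any(addr, networks):
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(src, dst, port, rules=RULES):
    """Return (allowed, org): the first matching rule wins, otherwise deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _in_any(s, r.sources) and _in_any(d, r.destinations) and port in r.ports:
            return True, r.org
    return False, None


def audit(attempts, rules=RULES):
    """Log lines for denied attempts; these are what the firewall operator reviews.

    A partner reaching for hosts outside its rule is either a misconfigured
    partner or a compromised one, and either way worth a look.
    """
    lines = []
    for src, dst, port in attempts:
        allowed, _org = evaluate(src, dst, port, rules)
        if not allowed:
            lines.append(f"DENY {src} -> {dst}:{port} (no extranet rule)")
    return lines
```

Note that a rule is scoped on all three dimensions at once: the information partner's address range gets nowhere near the managed 10.20.0.0/24 network even on an allowed port, and the maintenance provider cannot reach a server outside the network it maintains. That is the "only certain IP addresses" and "only certain parts of the network" filtering of the paragraph expressed as data.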

6.3 In-House or Outsourced VPN management

In Section 2.5 we listed the advantages and disadvantages of in-house and outsourced secure VPNs. The discussion can be applied to VPN management in general and not only to management of secure VPNs. Before a company decides whether to manage its own VPN or outsource it to an ISP, it should make a few calculations, including cost and security trade-offs.

The security trade-off consists of deciding whether or not the added level of security provided by the outsourced solution (24-hour monitoring etc.) is really needed. This is really just another form of cost trade-off, since this added level of security comes at a price. Security is also an issue when choosing between secure and trusted VPNs, since trusted VPN technologies do not inherently provide encryption. We have seen that a hybrid solution between trusted and secure VPNs, where traffic is encrypted before being sent into a trusted VPN, can be employed. This solution is, however, more costly.

The company should also investigate whether or not it has the in-house expertise to manage a VPN. If not, the cost of an in-house solution is increased since the cost of training personnel to implement and maintain the VPN must be added.


6.4 WAN Design

It is difficult to provide general guidelines on how to design a corporate WAN since each company has specific needs and requirements. A few general guidelines can, however, be provided. These guidelines are mainly based on the information presented in Chapter 4 (“WAN Design”) and Chapter 5 (“Case Studies”).

First of all, the design objectives mentioned in Section 4.2 should be kept in mind and the requirements of the applications running over the WAN should be fully understood (see Section 4.3). Furthermore, attention should be paid to the 8-step network design guideline described in Section 4.5.

A few lines about the WAN topology will now follow. First of all, if an MPLS solution is chosen, the problem of designing the WAN is simplified as MPLS provides any-to-any connectivity. In other words, since all sites are already connected, we do not have to worry about which sites to connect. If a solution that is not based on MPLS is chosen, a hierarchical topology should be avoided if possible, since a flat topology is less complex and minimizes the number of router hops, which in turn decreases the latency associated with forwarding data. Since leased lines have been advised against, the main advantage of a hierarchical topology (i.e. to shorten the total length of these leased lines) is not realized. Furthermore, all subsidiaries or small offices need to have their own Internet connection. This lessens the burden on the sites that would otherwise be used for connecting to the Internet.
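The hop-count argument above can be checked on a small model. The following added example (written for this page, not from the thesis) lays out a three-level hierarchy of the kind company X describes in Section 5.2.10, with meshed global hubs, regional hubs and branch offices, next to a flat layout where every branch attaches to one provider cloud, and counts the router hops between every pair of branches with a breadth-first search. Site names and the layout are constructed; the provider cloud is modelled as a single node, as the customer's routing sees it, so the provider's internal hops are not counted.

```python
from collections import deque
from itertools import combinations

# Added example (not from the thesis): router-hop counts between branch offices
# in a hierarchical hub-and-spoke WAN and in a flat topology where every site
# attaches to one provider cloud. Site names and the layout are constructed.

BRANCHES = ("s1", "s2", "s3", "s4", "s5", "s6")


def _graph(links):
    """Undirected adjacency sets from a list of (a, b) links."""
    g = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def hierarchical():
    """Three meshed global hubs, regional hubs below them, branches below those."""
    links = [
        ("EU", "US"), ("US", "AP"), ("AP", "EU"),              # global hub mesh
        ("EU", "EU-north"), ("EU", "EU-south"),               # regional hubs
        ("US", "US-east"), ("AP", "AP-sg"),
        ("EU-north", "s1"), ("EU-north", "s2"), ("EU-south", "s3"),
        ("US-east", "s4"), ("US-east", "s5"), ("AP-sg", "s6"),
    ]
    return _graph(links)


def flat():
    """Every branch attached directly to the MPLS cloud (one node, as the customer sees it)."""
    return _graph([("MPLS", s) for s in BRANCHES])


def hops(graph, src, dst):
    """Breadth-first search: number of links on the shortest path from src to dst."""
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    raise ValueError(f"{dst} unreachable from {src}")


def hop_stats(graph, sites=BRANCHES):
    """(total hops over all site pairs, number of pairs, worst-case hops)."""
    counts = [hops(graph, a, b) for a, b in combinations(sites, 2)]
    return sum(counts), len(counts), max(counts)
```

With this layout the hierarchy averages a little under 4.5 hops between branches and 5 in the worst case, while the flat topology is a constant 2; the absolute figures depend on the constructed layout, but the direction of the difference is what the paragraph relies on.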

6.5 Case Studies

First of all, we can state that the companies included in Chapter 5 are large and geographically dispersed. Company X has 3000 employees in 60 locations all over the world, and company Y has more than 35 000 employees in 130 countries. Their solutions are thus relevant to other large and geographically dispersed companies, and of course to smaller companies, since small networks are components of large networks.

Section 5.3.1 (“What does your topology look like?”) A solution based on MPLS simplifies WAN design since MPLS inherently provides any-to-any connectivity. We can further conclude that a globally dispersed network should have 24x7 support because of the time differences, which means that offices are staffed around the clock. We can also conclude that a company can benefit from allowing smaller sites to participate in some WAN design issues, e.g. choosing the performance of connections to larger sites, choosing whether redundancy to these sites is necessary etc. This approach is wise since local sites are more aware of their needs and requirements. This approach also lessens the burden on the central sites.

Section 5.3.2 (“What applications are you running over your WAN?”) In Section 5.3.2, we learned that the applications running over the company X and company Y WANs have high network requirements. IP-telephony and telnet-based applications are sensitive to delay and jitter. We can thus assume that the technologies that these companies have chosen meet the requirements of these applications, e.g. MPLS can meet the requirements of IP-telephony.

Section 5.3.4 (“When are you using leased lines or trusted VPNs and why?”), 5.3.5 (“When are you using secure VPNs and why?”), and 5.3.6 (“What secure VPN technology are you using?”) Solutions based on secure VPN technology (e.g. IPSec) do not meet the requirements of “demanding” applications. We can thus conclude that when requirements on the network are high, secure VPNs should only be used if no other alternatives exist, or as backup solutions. We can also conclude that the statement in Section 3.3, that is, that IPSec is the dominating protocol when creating secure VPNs, is correct.

Section 5.3.7 (“What remote access solution(s) are you using?”) It is wise to divide remote access users into roaming users and users connecting from trusted environments, for the reasons explained earlier. We can also conclude that IPSec and SSL are the standard protocols in use today when providing remote access, and that SSL should be used where access requirements are low, e.g. when only access to mail is required.

Section 5.3.8 (“How are you using extranet communications?”) There are a number of ways to create extranets; the access requirements of the third party should determine what type of solution to use.

Section 5.3.10 (“Future trends?”) Finally, we can conclude that MPLS is a popular, and very interesting, choice when creating VPNs.


References

[1] X.25 Basics. Patton Electronics Co., http://www.patton.com/technotes/x25_basics.pdf, 1994.

[2] IPSec RFCs: 2401-2411 and 2451. IETF, ftp://ftp.isi.edu/in-notes/, 1999.

[3] RFC 2246, The TLS Protocol Version 1.0 (the IETF standardisation of SSL). IETF, ftp://ftp.isi.edu/in-notes/rfc2246.txt, 1999.

[4] RFC 2409, IKE. IETF, ftp://ftp.isi.edu/in-notes/rfc2409.txt, 1999.

[5] RFC 2547, BGP/MPLS VPNs. IETF, ftp://ftp.isi.edu/in-notes/rfc2547.txt, 1999.

[6] RFC 2637, PPTP. IETF, ftp://ftp.isi.edu/in-notes/rfc2637.txt, 1999.

[7] RFC 2661, L2TP. IETF, ftp://ftp.isi.edu/in-notes/rfc2661.txt, 1999.

[8] Security Policies. Ruskwig, http://www.ruskwig.com/security_policies.htm, 1999.

[9] A Short Primer for Developing Security Policies. The SANS Institute, http://www.sans.org/resources/policies/Policy_Primer.pdf, 2001.

[10] Site Security Policies. CERT, http://www.cert.org/present/cert-overview-trends/module-6.pdf, 2002.

[11] Basnivå för IT-säkerhet (BITS) 2003 [Baseline for IT Security 2003]. Krisberedskapsmyndigheten (KBM) [the Swedish Emergency Management Agency], http://www.krisberedskapsmyndigheten.se/EPiBrowser/Publikationer/KBMs%20publikationsserier/Rekommenderar/bits_rekomm2003-2.pdf, 2003.

[12] Building and Implementing a Successful Information Security Policy. WindowSecurity.com, http://www.windowsecurity.com/pages/security-policy.pdf, 2003.

[13] Internet Security Today. CERT, http://www.cert.org/present/cert-overview-trends/module-2.pdf, 2003.

[14] Virtual Private Networks Solutions for Remote Access. Schlumberger Information Solutions, http://www.oilfield.slb.com/media/services/software/whitepaper/whitepaper_vpnsra.pdf, 2004.

[15] CERT/CC Statistics 1985-2005. CERT, http://www.cert.org/stats/cert_stats.html, 2005.

[16] Internetworking Handbook, Chapter 10, Frame Relay. Cisco Systems, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/frame.pdf, 2005.

[17] M. Finlayson, J. Harrison, and R. Sugarman. VPN Technologies: A Comparison. Data Connection, http://www.dataconnection.com/network/download/whitepapers/vpntechwp.pdf, 2004.

[18] The Information Portal for ISO 17799. http://www.iso17799software.com/.

[19] Webopedia. www.webopedia.com.

[20] Check Point, company homepage. www.checkpoint.com.

[21] PortWise, company homepage. www.portwise.com.

[22] Teleca, company homepage. www.teleca.com.

[23] The VPN Consortium, homepage. www.vpnc.org.

[24] D. Horton. WAN Design with Frame Relay. http://www.happy-monkey.net/papers/frame-relay-presentation.pdf, 2004.

[25] J. Kurose and K. Ross. Computer Networking: A Top-Down Approach Featuring the Internet. Addison Wesley, 2003.

[26] C. Long. IP Network Design. McGraw-Hill, 2001.

[27] G. McWilliams. On the Road Again. The Wall Street Journal, 2004.

[28] S. Odom. CCNP CIT Exam Cram 2. Que Publishing, 2004.

[29] Linktionary. www.linktionary.com/eon2.html.

[30] W. Stallings. Cryptography and Network Security: Principles and Practices. Prentice Hall, 2003.


Page 69: Secure Corporate Communications over VPN-Based … · Secure Corporate Communications over VPN-Based WANs ... Secure Corporate Communications Over VPN-Based ... a CE- and IPSec-based

Appendix A

Security Policies

A.1 Introduction

The purpose of this chapter is to describe a method for finding out what specific security requirements there are when securing information in a LAN/WAN environment (performing a risk analysis). It also describes methods for meeting these requirements (writing, communicating and enforcing security policies). Furthermore, the chapter lists fundamental security requirements and common security policy topics. Along with the list of policy topics, suggestions of what issues each topic should address are provided.

A.2 Background

The number of nodes and users on the Internet is growing, and the networks connected to it are getting more complex. Along with this growth and increased network complexity, the number of Internet attacks is also growing. This might seem reasonable at first glance, but a closer study of the statistics [15] shows that the growing number of attacks is not only due to the growing number of nodes and users, since the number of attacks per node is also increasing every year. What is the reason for this disproportionate increase in cyber attacks?

There are several reasons for this; two of the most important are mentioned here. First, intruder tools are getting more sophisticated and easier to use, enabling more people to become successful intruders. Second, organizations tend to put more and more of their activity on the Internet, making them more vulnerable and more attractive targets for attackers.

There is obviously a need for protection against outside threats, but what about inside threats? A recent survey [?, p. 8-9] shows that incidents originating from inside an organization are roughly as many as those originating from the outside. Companies that focus only on strong perimeter protection should thus strongly consider implementing security measures that protect the organization from within as well.


A.3 Fundamental Security Requirements

The process described in this report aims at giving you a better understanding of what specific security requirements there are for your company and how to meet them. But even before embarking on the process of developing site security (and also during the process), it is wise to keep the following security criteria in mind, since they are considered fundamental:

• Authentication: ensuring that a user is who he/she claims to be.

• Authorization: controlling what information and applications a user can access.

• Confidentiality: preventing an unauthorized user from seeing confidential information.

• Integrity: preventing a user from making unauthorized changes or deletions.

• Availability: ensuring that assets are accessible to authorized parties.

Your company’s security requirements will be determined after a risk analysis has been performed. A listing of the requirements, and guidance on how to meet them, should be stated in a security policy.

A.4 Introduction to Security Policies

This section will provide some basic information about security policies.

A.4.1 What is a Security Policy?

A security policy is a document that specifies requirements or rules, covering different areas, that must be met by people who are given access to an organization’s technology and information assets.

A.4.2 What is the Purpose of a Security Policy?

A security policy is the first step towards enhancing a company’s security. Its main purpose is to protect people and information. It does so by establishing standards and guidelines for accessing a company’s information and application programs. Furthermore, it provides a baseline from which to purchase, configure, and audit computer systems and networks. It also defines appropriate behaviour for the employees, making sure that they know what is expected of them. A written policy is mandatory if they, in some event, must be held accountable for their actions.


A.4.3 What Makes a Good Security Policy?

The introduction of a security policy is not viewed as favourable by everyone. Not everybody has the same view of the need for security controls: the policy can be seen as an impediment to productivity and as a measure for controlling the employees. Furthermore, it can be difficult to follow and implement. It is therefore important that the developers of the security policy keep the following in mind during the development process. The security policy should be (see Section A.5.2 for further reading):

• Implementable.

• Enforceable.

• Clear about responsibilities.

• Well balanced between protection and productivity.

A.5 How to Develop a Security Policy?

There are different views on how to develop a security policy and what it should include. Most people agree that the development process is cyclic (the policy needs to be reviewed on a regular basis) and should include representatives from a variety of functional groups. It is especially important to include people, or at least support, from the company management. This support makes it more probable that the decisions made during the development will be implemented. Before starting, it might also be useful to study industry standards and review existing company policies. One of the best-known security standards is ISO 17799 [18].

The process of developing a security policy consists of four phases:

• Risk analysis.

• Writing the policy.

• Communicating the policy.

• Enforcing the policy.

A more detailed description of these phases will now follow.

A.5.1 Assessment/Risk Analysis

Before writing the actual policies you need to conduct a risk analysis. The purpose of the risk analysis is to determine what you need to protect, that is, to make decisions based on the return on investment (ROI) of security implementations. For example: why spend effort on protecting the network from outside intruders when the loss caused by insiders is greater? A successful risk analysis includes the following steps.


Identify the assets

The first step of the risk analysis consists of identifying the assets. What constitutes an asset differs from one organization to another, but the following common list is often suggested [?, p. 5]:

• Hardware

• Software

• Data

• People

• Documentation

• Supplies

Access Requirements

During the second step of the risk analysis you need to define the access requirements, that is, you need to decide who needs access to what. This involves grouping users according to what information they need in order to accomplish their job. Knowing what access users have to assets makes the identification of threats easier (see next subsection). The access requirements can be visualized by creating a user/asset matrix.

Identify the Threats

During the third step you need to identify the threats. A common mistake during this phase is to concentrate only on outside threats, when several surveys show that insiders cause at least as much damage as outsiders.

Likelihood of Threats

During the fourth step you need to determine how likely the threats identified in the previous step are. The main reason for doing this is to avoid the unnecessary expense of trying to protect the organization from every conceivable threat (see next subsection).

Evaluate Return On Investment (ROI)

Implementing protection against a particular threat might actually cost more than the damage the threat would cause. In that case, it is wiser not to address that particular threat at all. The ROI evaluation is the process in which you decide whether or not the identified threats are worth addressing. The decisions are based on tradeoffs between risks and costs, i.e. the likelihood of a threat, the cost of protecting the threatened assets and the cost of the damage the threat would cause: a protection is worth implementing when the expected yearly loss it prevents (likelihood multiplied by the damage per occurrence) exceeds its yearly cost.


Explore Protection Options

This step involves finding tools and techniques for protecting your information assets.
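The six steps above can be carried through on a small constructed data set. The following Python script is an added example and is not part of the report: the user groups, assets, threats, likelihoods, damage figures and control costs are all invented for illustration, and the "loss avoided minus cost of control" rule is the ROI tradeoff the text describes, written out so that the two outcomes (worth addressing, not worth addressing) can be seen side by side.

```python
"""Worked risk analysis for Section A.5.1 (added example, not from the report).

Builds the user/asset matrix (step 2), attaches a likelihood and a damage
estimate to each threat (steps 3 and 4), and applies the ROI test (step 5)
to the protection options found in step 6. All names and figures below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    annual_rate: float      # likelihood: expected occurrences per year
    loss_per_event: float   # damage caused by one occurrence (currency units)


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat it protects against
    annual_cost: float      # cost of buying and operating it for one year
    rate_reduction: float   # fraction of occurrences it prevents, 0.0 .. 1.0


def access_matrix(grants: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Step 2: user/asset matrix from (user group, asset) pairs, keyed by asset.

    Knowing who can reach an asset narrows the insider threats to consider
    in step 3."""
    matrix: Dict[str, Set[str]] = {}
    for group, asset in grants:
        matrix.setdefault(asset, set()).add(group)
    return matrix


def annual_loss_expectancy(threat: Threat) -> float:
    """Step 4: expected yearly loss = likelihood x damage per occurrence."""
    return threat.annual_rate * threat.loss_per_event


def control_roi(threat: Threat, control: Control) -> float:
    """Step 5: yearly loss avoided by the control minus the control's cost.

    A negative value means the protection costs more than the damage it
    prevents, the case in which the report says not to address the threat."""
    if control.threat != threat.name:
        raise ValueError("control does not address this threat")
    avoided = annual_loss_expectancy(threat) * control.rate_reduction
    return avoided - control.annual_cost


def worth_implementing(threat: Threat, control: Control) -> bool:
    return control_roi(threat, control) > 0


def rank_controls(threats: List[Threat], controls: List[Control]) -> List[Tuple[str, float]]:
    """Step 6 input: protection options ordered by net yearly benefit."""
    by_name = {t.name: t for t in threats}
    ranked = [(c.name, control_roi(by_name[c.threat], c)) for c in controls]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample data (not survey figures from the report).
GRANTS = [
    ("all staff", "file server"), ("developers", "file server"),
    ("developers", "lab network"), ("lab managers", "lab network"),
    ("finance", "payroll database"),
]
THREATS = [
    Threat("virus outbreak on file server", "file server", 2.0, 15_000),
    Threat("theft of lab laptop", "lab network", 0.5, 4_000),
]
CONTROLS = [
    Control("antivirus on every host", "virus outbreak on file server", 8_000, 0.9),
    Control("laptop tracking service", "theft of lab laptop", 3_000, 0.8),
]

if __name__ == "__main__":
    print("groups with access to the lab network:", sorted(access_matrix(GRANTS)["lab network"]))
    for name, net in rank_controls(THREATS, CONTROLS):
        verdict = "implement" if net > 0 else "do not address"
        print(f"{name}: net benefit per year {net:+.0f} -> {verdict}")
```

With these figures the antivirus control prevents an expected 27 000 of a 30 000 yearly loss for 8 000, so it is worth implementing, while the laptop tracking service prevents 1 600 of a 2 000 yearly loss for 3 000 and is not. The numbers are the sensitive part: a likelihood that is guessed too high or too low flips the verdict, which is why the report insists on the likelihood step before the ROI step.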

A.5.2 Write the Security Policy

After having performed a risk analysis, in which your security requirements have been determined, you need to write a security policy with guidelines on how to meet these requirements.

This section will first give a few guidelines on how to write the security policy.It will then list and describe common security policy components.

How to write a security policy

When writing the actual policy, the most important thing is to balance protection with productivity. Furthermore, you should make the policy agree with the characteristics of a good security policy listed in Section A.4.3. Try to make the policy hardware and software independent and leave the details to user manuals. If the policy is too restrictive, people might find ways to circumvent it; if it is hard to implement, it might be ignored, so make it as easy to implement as possible. Seek legal assistance in order to avoid conflicts with existing laws (e.g. on the privacy of employees).

The following list is a suggestion of what information to include in a securitypolicy (in addition to the actual policy statements).

Introduction Introduces the policy by name and locates it within the policy document hierarchy.

Purpose Explains the goals of the policy and the underlying business reason. It also explains to whom and to what equipment the policy applies.

Roles and responsibilities Defines who is responsible for developing and enforcing the policy. It should also define how often to review and update the policies. Based on the responsibilities, three distinct roles can be discerned:

• Reviewing, updating and approving the security policy. Should fall on the committee in charge of information security.

• Establishing and maintaining the security policy. Should fall on a director of security.

• Administering the security policy. Should fall on IT staff and system and network administrators.

Policy Statements Defines rules and requirements (see next section for what to include here).


Contact Information Details who should be contacted in connection with a policy (for example by providing an e-mail address), for example if the policy needs to be explained or if there is a need to report a policy violation.

Definition Glossary Defines terms that might not be familiar to the reader, for example definitions of technical terms for non-technical readers. Might also include a list of acronyms spelled out.

Security Policy Components

The components, or topics, of a security policy should reflect the security needs of an organization. Thus, they differ from one organization to another. In order to determine what exact topics you should put in your security policy, you should perform a thorough risk analysis. The topics listed here are just examples, based on suggestions from experienced security policy developers [?].

Most organizations divide their topics into groups. Which group to put a topic in often depends on either what security area it covers (e.g. access or network) or to whom it is aimed (e.g. end users, management or technical staff). In this report the topics are divided into three groups: access, maintenance and administration, and network security.

The contents of the different policies might sometimes overlap. As long as the policies do not contradict each other, this redundancy is fine, since it covers gaps that might come up if policies are not detailed enough.

Access

System Access Policy (Authorization) The system access policy should define how to allot (e.g. define who gets “root” or “admin” access to computer systems), update, control (e.g. check whether any access rights in access lists are out of date) and remove (e.g. when access rights are out of date) access rights for both company and non-company personnel (contractors, customers etc.). It should also define who is responsible for these tasks.

Password Policy The identification of users is the first line of defence within a system. Even though there are newer technologies that provide stronger identification (one-time passwords etc.), standard reusable passwords are still widely used. It is therefore important to have a good password policy. The password policy should stress the importance of a strong password and point out what a weakly chosen password could result in. The password policy should further define how to create passwords (minimum length, what characters to include, which common passwords to reject etc.), how to store them (as salted hashes rather than in clear; relate to the database credentials and encryption policy) and how to maintain them (how to protect them, how often to change them etc.).
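A password policy is only useful if the system that accepts passwords enforces it. The following Python block is an added example, not code from the report: the concrete rule values (a 12-character minimum, three of four character classes, a small blocklist of common passwords) are assumed policy settings, and salted PBKDF2-HMAC-SHA256 is shown as one acceptable way of meeting the "store" requirement so that the database never holds the password itself.

```python
"""Password policy enforcement and storage (added example, not from the report).

policy_violations() checks a candidate password against assumed policy
rules; hash_password()/verify_password() store and check it as a salted
PBKDF2 hash so that a copied password database does not yield passwords.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional

MIN_LENGTH = 12                 # assumed policy value
REQUIRED_CLASSES = 3            # of: lower case, upper case, digit, punctuation
BLOCKLIST = {"password", "password1", "welcome1", "letmein", "qwerty123456"}
PBKDF2_ITERATIONS = 600_000     # assumed policy value; raise as hardware gets faster


def policy_violations(password: str, username: str = "") -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    if password.lower() in BLOCKLIST:
        problems.append("appears in the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' in hex.

    A fresh random salt per user means two users with the same password get
    different records and precomputed tables do not apply."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Password1", "Tr0ub4dor&3xample!"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
    record = hash_password("Tr0ub4dor&3xample!")
    print("stored record:", record[:40] + "...")
    print("verify correct:", verify_password("Tr0ub4dor&3xample!", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3xample", record))
```

The composition rules are the part most likely to be tuned per organization; the storage part should not be weakened, since reversible "encryption" of the password field only moves the problem to wherever the key is kept.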


Acceptable Use Policy The acceptable use policy describes the acceptable and unacceptable use of a company’s computer equipment by defining equipment ownership and by regulating system, network (WWW, FTP use etc.) and e-mail use. By doing so, the company is less likely to be exposed to risks, including virus attacks, or to face legal issues. The policy should apply to anyone who has been authorized to use the equipment. It should also relate to other policies of interest, for example the e-mail and software installation policies.

Logging and Traceability When security incidents occur, the source of an incident can sometimes be traced by looking in a system log. The log might, for example, reveal who is responsible for the incident. There are different types of logs, for example a security log that registers the date and time of logging in and out of a system. Among other things, the log policy should define what to log (consider legal issues) and what NOT to log (for example, neither valid nor invalid passwords should be logged, since a mistyped password is usually one or two characters away from the real one and such logs become a security breach if they are read without permission), for how long the logs should be kept, how and where to store them and how often to analyze them. The policy should also define who is responsible for maintaining and analyzing the logs.
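One concrete control behind the "what NOT to log" rule is a filter that redacts credentials before a line reaches the log, plus a check that can be run over existing logs to find lines that violate the policy. The Python block below is an added example, not from the report: the four log lines are constructed, and the field names it looks for (password=, "password":, HTTP Authorization headers) are assumptions about what an application might emit.

```python
"""Redacting secrets from log lines and auditing a log for leaks
(added example, not from the report; sample lines are constructed).
"""
import re
from typing import List

# key=value and JSON-style password fields: keeps the key and the quoting,
# replaces only the value.
_SECRET_FIELD = re.compile(r'(?i)\b(password|passwd|pwd)\b("?)(\s*[=:]\s*)("?)([^\s",]*)')
# HTTP Basic/Bearer credentials copied into access or proxy logs.
_AUTH_HEADER = re.compile(r'(?i)(authorization:\s*(?:basic|bearer)\s+)\S+')

REDACTED = "[REDACTED]"


def redact(line: str) -> str:
    """Return the line with credential values masked; other content is kept,
    so the log still shows who tried to log in, when, from where and whether
    it succeeded, which is what the policy wants recorded."""
    line = _SECRET_FIELD.sub(r"\g<1>\g<2>\g<3>\g<4>" + REDACTED, line)
    line = _AUTH_HEADER.sub(r"\g<1>" + REDACTED, line)
    return line


def leaking_lines(lines: List[str]) -> List[int]:
    """Audit helper: indices of lines that still contain an unredacted secret."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


# Constructed sample log (the credentials in it are fictitious).
SAMPLE_LOG = [
    "2005-03-14 09:12:01 vpn-gw sshd: Accepted login for user alice from 10.1.2.3",
    "2005-03-14 09:12:07 vpn-gw radius: Failed login for user bob password=hunter2 from 10.1.2.9",
    '2005-03-14 09:12:08 webmail: POST /login {"user": "carol", "password": "Tr0ub4dor&3"}',
    "2005-03-14 09:12:09 proxy: GET /mail Authorization: Basic Y2Fyb2w6VHIwdWI0ZG9yJjM=",
]

if __name__ == "__main__":
    print("lines violating the policy:", leaking_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
```

Redaction is a safety net, not the fix: the application should never put the secret into the log message in the first place, and a pattern list will miss formats it was not written for. Running `leaking_lines` over the retained logs as part of the log review the policy schedules is the check that catches the formats the filter missed.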

Information Sensitivity Policy The purpose of an information sensitivity policy is to classify information according to its sensitivity level. This makes it easier for employees to determine what information can be disclosed to non-employees. The policy should define:

• Information sensitivity classes (e.g. public or confidential).

• What class each piece of information should belong to.

• Who has access to information belonging to a certain class.

• How the information in a certain class may be distributed, both within and outside of the company (e.g. mail, e-mail etc.).

• How to store information in a certain class.

• The disposal/destruction of the information in each class.

• Who is responsible and authorized to classify information.

Remote Access Policy The need for a remote access policy has emerged from the fact that more and more employees work from remote locations (e.g. home). The purpose of this policy is to define standards for connecting to the company network from any host. It does so by defining a set of requirements that must be followed during the connection, for example by defining the preferred authentication method or by stating that the remotely connected machine must not be connected to any other network while connected to the company network. Furthermore, it should refer to the requirements defined in the following policies:

• Encryption Policy

• VPN Policy

• Wireless Communications Policy

• Acceptable Use Policy

It should also provide additional information concerning connection options, troubleshooting etc. (for example by referring to a remote access information website).

Mobile Device Policy The use of mobile devices (e.g. laptops, PDAs etc.) at company sites is increasing. These devices are often connected to other networks as well. The purpose of a mobile device policy is to define requirements that must be met when using mobile devices, for example when connecting them to the company network. There are two aspects that need to be considered. The first is how to protect the network from the mobile devices, the most important issue here being the prevention of virus infections. Other policies should be referred to here, for example the virus protection policy and the wireless communications policy.

The other aspect is to protect the mobile devices and the information stored on them (both on-site and off-site), the goal here being to protect the devices from physical (e.g. theft) and logical (e.g. unauthorized use) threats.

Encryption Policy One of the most important aspects of information security, if not the most important, is confidentiality. Confidentiality is achieved by various encryption techniques. The existence of a good encryption policy is therefore necessary. The encryption policy should define what systems, files and documents need to be encrypted. It should also describe which encryption algorithms to allow and set minimum key lengths for them. Note that encryption alone does not protect integrity: where data must also be protected from tampering, the policy should require message authentication (e.g. an HMAC or an authenticated encryption mode) alongside the cipher.

Maintenance and Administration

Introduction and Disposal Companies tend to grow and change. New hardware and software is constantly being introduced. It is thus important to have guidelines, from a security point of view, on how to purchase and install new systems. A policy should outline what security procedures a new system must pass before being used in the company. It should also describe how to dispose of storage media that contain confidential information and are no longer in use. Furthermore, the policy should name the people responsible for these tasks.


System Development and System Maintenance Policy The purpose of this policy is to define roles and responsibilities for the people in charge of system development and system maintenance, that is, to describe who should do what and how he/she should do it. This policy is a typical example of a policy that might add redundancy, since responsibilities are often already defined in other policies. But it is still useful, since there might be policies where responsibilities are not defined.

Documentation Policy The purpose of the documentation policy is to define what security-related documentation a company needs. It should also describe what type of information each document should contain. Furthermore, it should describe how to store, protect and update the documents.

Antivirus Policy Viruses can cause huge damage to companies. According to several surveys [?, p. 10-11], viruses are the type of computer security incident that causes companies the greatest losses. As a matter of fact, the incidents second to viruses (i.e. denial of service attacks) do not cost companies even half as much, measured in dollars, as virus incidents do.

The purpose of an antivirus policy is to define which antivirus software to use and how to use it (frequency of updates etc.). Important issues that should be addressed in the policy are the prevention, detection, containment and recovery from virus attacks. The antivirus policy is a very central policy and is often referred to from other policies, for example the software installation and mobile device policies.

Software Installation Policy Many issues in a software installation policy concern how to prevent the system from getting infected with malicious code during the software installation process. The necessity of a policy dedicated solely to this can hence be questioned, since these issues are covered in other policies (e.g. the antivirus and acceptable use policies). But there are other pressing issues that make this policy important. For example, the legal problems that can arise when downloading pirated software, or whether or not to allow software to be installed for the amusement of users (instant messaging software, games etc.) knowing that such software makes the network more vulnerable. The software installation policy should thus define which software to allow and not allow, where to acquire the software from and how to install it. It should also define who is responsible for, and has the authority to perform, installations.

Database Credentials Policy The purpose of the database credentials policy is to describe requirements for how to securely store and retrieve a company’s database usernames and passwords. It should also define the user access requirements for these credentials.


Server Security Policy The purpose of the server security policy is to minimize unauthorized access to information and technology stored on company servers. It does so by defining secure locations for servers and by whom they are accessible. It should also include configuration and monitoring guidelines. Furthermore, the policy should define ownership of and responsibility for server equipment. The policy should restrict itself to servers on the internal network. Requirements for servers external to the company, on the DMZ, should be covered by other policies (e.g. the DMZ lab security policy).

Incident Handling Policy Even in the most secure networks, security incidents will most probably occur. The source of an incident can be a deliberate attack (internal or external) or wrongful use of system resources. In either case, there is a need for an incident handling policy. The purpose of the policy is to minimise damage. It does so by defining the course of action in case of an incident, for example whom to report to when suspecting an intrusion attempt or how to handle the actual intrusion attempt. Furthermore, it should define how to follow incidents up, that is, what actions should be taken after an incident.

System Backups Policy It is often said that all systems will crash eventually, no matter how secure they are. The purpose of a system backups policy is to make it possible to restore a system after a crash by defining how to make backup copies of important information. The policy should, among other things, define what to include in the backups (i.e. what to copy), how often the copying should be done, where to store the copies, who has access to the copies and how often restores are tested, since an untested backup cannot be relied upon. The policy should also define responsibilities for these tasks.

Audit and Review Policy Just writing and implementing the policies is not enough. Your company also has to ensure that all components and employees are in compliance. It is also necessary to review the policies regularly to ensure that they are still relevant. The purpose of the audit and review policy is to give guidelines on how to accomplish all of these tasks. It should include issues such as how the audits should be performed, how often to review the policies etc.

Network Security

Internal Network Policy The purpose of the internal network policy is to address issues related to internal network security, for example defining security domains and controlling user access to network services. It should also define the network administrators (not always the same as the system administrators), what they are authorized to do and their responsibilities (e.g. configuring routers and servers). Furthermore, it should refer to other related policies (e.g. the router and server policies).


Internal Lab Security Policy An internal lab is any network intended for developing, demonstrating, training on and/or testing a product. It often stores important information such as newly developed software. It is located within the company’s firewall and connected to the company’s production network. The production network, on the other hand, is the network used for the daily business of the company. The impairment of the production network usually results in loss of functionality for the employees, while the impairment of the lab network does not. The security requirements for the two network types are clearly not the same. It is therefore necessary to include a security policy that explicitly concerns internal labs (the same goes for the next policy).

The purpose of the internal lab security policy is to ensure that confidential information and technologies in internal labs are not compromised. The policy should define the responsibilities of lab managers (e.g. ensuring compliance with other company policies) and basic configuration requirements (e.g. requiring that all traffic between the corporate production network and the lab network must go through a firewall).

Lab Antivirus Policy The purpose of this policy is to ensure effective virus detection and prevention by defining requirements that must be met by computers connected to the company’s lab networks. It should give guidelines on what antivirus software to run, how often it should be run and updated etc. Furthermore, it should describe the course of action in case of virus infections and the responsibilities of administrators and managers.

DMZ Lab Security Policy The DMZ is a network segment external to the production network. It is located outside the company’s main firewalls, but is still under the company’s administrative control (in practice usually on a separate firewall interface, or between an outer and an inner firewall, so that traffic from the DMZ into the production network is still filtered). Typically, the DMZ contains servers accessible to Internet traffic, such as web servers, FTP servers, e-mail servers and DNS servers. The servers located in the DMZ are exposed to a lot of intrusion attempts, and a distinct security policy for the DMZ is therefore called for.

The purpose of the DMZ lab security policy is to define security standards for networks and equipment deployed in the DMZ. It does so by defining responsibilities for owners and managers and basic configuration requirements. The policy should also refer to other policies, for example the password, wireless communications and antivirus policies.

Firewall Policy The firewall plays an important role in a company’s network security, since it implements security at the network level. The level of protection it provides depends on tradeoffs between the level of security required, ease of use, complexity etc. Firewall maintenance requires skilful firewall administrators. A good firewall policy is therefore a very important part of the overall network security and makes life easier for network administrators.

The firewall policy should define what services the firewall should provide (checking e-mail, checking for viruses, what to filter etc.), what to log in the firewall and what responsibilities the firewall administrator has.


Router Security Policy The purpose of the router security policy is to define configuration requirements for routers and switches connected to a company’s production network (for routers and switches connected to the DMZ, see the DMZ lab security policy). The configuration requirements include what accounts to allow on the router, how to store router passwords securely, what traffic to allow and disallow, how to add access rules etc.

External Connections Policy

The external connections policy should define what type of external connections to allow and how to monitor these connections. It should also address authentication issues.

Extranet Policy

The purpose of the extranet policy is to give third-party organizations controlled access to the non-public resources of a company for the purpose of exchanging business-related information. The policy does not concern the underlying technology (e.g. VPN). Instead it should focus on the process of determining whether a new connection is secure and handle legal issues between the agreeing parties. The extranet policy should provide an agreement to be signed by the parties.

Dial-In Access Policy

Since dial-in connections often allow users direct access to the company's internal network, without any firewalls or proxies, there is a need for regulations when using them.

The purpose of the dial-in access policy is to protect a company's information from being compromised when using dial-in connections. It should define proper authentication methods and connection techniques. It should also define how to register all modem lines (and keep this register up to date) and log all connection attempts, successful or not. Furthermore, it should point out what responsibilities the authorized users of the dial-in connections have.

VPN Policy

VPNs provide a way for companies with branch offices, remote access users and/or third-party organizations, spread out over a wide area, to maintain fast, secure and reliable communications over a public infrastructure (i.e. the Internet) by means of tunneling protocols.

The purpose of the VPN policy is to provide guidelines for VPN connections to the company's corporate network. It addresses issues such as what protocols and clients to use, requirements on the equipment used, the properties of the VPN connections (duration of connection etc.) and the responsibilities of VPN users and administrators. It should refer to other policies of importance, such as the remote access policy.

E-Mail Policies

Because of the efficiency and simplicity it provides, e-mail has become an increasingly popular communication tool. Since communication is done over the Internet, some security issues must be considered.

The purpose of an e-mail policy is to address issues such as how to maintain confidentiality and integrity during transmission and how to protect the receiver from malicious code. It should also refer to other policies (e.g. the anti-virus policy, encryption policy etc.). Furthermore, the following sub-policies should be included:

A general E-Mail Use Policy

The purpose of a general e-mail use policy is to protect the public image of the company (considering the fact that the public can view e-mail messages as official policy statements from the company). It does so by defining what e-mail message content to allow, to what extent e-mail can be used for non-work-related purposes, and by informing the employees of the level of privacy they can expect from their e-mail usage.

An Automatically Forwarded E-Mail Policy

The purpose of this policy is to prevent the unauthorized disclosure of sensitive company information. It should define when (or if) automatic forwarding of e-mails is allowed.

An E-Mail Retention Policy

The purpose of this policy is to define what information in e-mail correspondence to retain and for how long.

Wireless

The need for a wireless communications policy has emerged from the increasing number of connections from wireless systems (e.g. personal computers, cellular phones, PDAs etc.) to company networks. The purpose of the policy is to define standards for these connections. It should define requirements on equipment (access points, access cards etc.) and technology, and address encryption and authentication issues.

A.5.3 Implement the Policy

This subsection will describe the measures needed for implementing the policy.

Communicate the Policy

Once the security policy is written, it needs to be communicated. The reason for this is to ensure that the people at whom the policy is aimed understand the policy and why it is needed. By doing so you also add security awareness and thinking to your company.

There are several educational methods through which the policy can be communicated, for example through meetings, presentations, newsletters and dedicated security websites. As the company and the threats posed to it change (new equipment, employees, intrusion tools etc.), the policy also has to change. It is therefore important that it is communicated regularly and in a standardized way.

It is also important to emphasize the benefits of the security policy. By doing so, you will have less trouble "selling" it to the people it affects. Benefits might, for example, include minimization of financial loss and maintaining a positive public image.

Enforce the Policy

Enforcing a security policy requires a few important things. First of all, you have to allocate additional human resources for dealing with the new responsibilities that users and administrators take on while complying with the policies. For administrators, these responsibilities might include analyzing logs, installing monitoring software, updating virus definitions etc. For users, the responsibilities might include learning and following new routines etc.

When enforcing a security policy, you also need disciplinary actions in case the security policy is violated. These disciplinary actions may range from loss of privileges to loss of employment and should depend on factors such as the severity and frequency of violations. It is therefore important to make staff aware of, and fully understand, the consequences of violating the policy.