VPN: Light at the end of the tunnel
The modem rack, once a staple of every department and agency server room,
is heading for extinction. Now that virtually every remote worker can reach
the Internet, direct dial-up access — with the support hassles, long-distance
charges, busy signals, modem hang ups and line-quality problems that plague
it — is giving way to virtual private networks (VPNs).
Security concerns, of course, have made many agencies and departments
skeptical of VPNs. After all, virtual private networks couldn't be as secure
as truly private networks, could they? And news reports of high-profile
Internet break-ins, most recently at America Online, seem to emphasize that
point. If AOL, with all of its intellectual and financial resources, can't
keep intruders away from its private data, who can?
Such security concerns are well- founded, because any socket to the
outside world creates the potential for hacking. But this was true of dial-up
remote access, too. And with recent advances in security technology, VPNs
are arguably more secure than a modem line. It is, in short, time to reconsider
adopting a VPN solution.
And there are obvious benefits for agencies and departments. Moving from
modems to VPNs will have a slimming effect on your department's equipment
rack. If your network supports 10 simultaneous dial-up users, you have 10
modems and 10 data lines. One VPN server or VPN-enabled router can replace
that entire bank of modems.
VPNs further reduce costs by cutting the number of data lines coming
into your facility. That will reduce your monthly phone bill, and your bean
counters will bless you for eliminating long-distance charges incurred by
your dial-up users.
A Snapshot: Three VPN Servers
Implementing a VPN starts with the selection of a server. To illustrate
the most common VPN server types, I tested three representative products:
Network Associates Inc.'s Gauntlet Firewall/VPN 5.5, the VPN services built
into Microsoft Corp.'s Windows 2000 Server and the VPN capabilities of Lucent
Technologies' Pipeline routers. Because two of the servers are implemented
in software, let's first consider some planning issues related to software
You may be able to install VPN software on an existing server that's
being used as a basic router, gateway or proxy server. But if that server
is also handling your firewall, it could be running at its capacity. Active
firewalls that examine the contents of every network packet work particularly
hard. If you add the burden of VPN to that mix, you might degrade performance
for all users.
You may also need to increase the bandwidth of your network. After you
switch to a VPN, some dial-up modem users will connect to your network via
broadband carriers, causing your server load to skyrocket. Just one cable
modem or Digital Subscriber Line user can occupy the equivalent bandwidth
of nearly 100 modem users. If you don't make room for broadband users in
your capacity planning, your remote strategy could fail for poor performance.
You don't want to leave VPN users longing for their old direct-dial modem
Gauntlet Firewall/VPN 5.5
Version 5.5 of Network Associates' Gauntlet Firewall/VPN solution for
Unix and Microsoft Windows NT provides firewall, proxy, McAfee enterprise
virus protection and Layer 2 Tunneling Protocol (L2TP) over IPSec VPN services
in one package. Since all the components come from the same vendor, they
move network data efficiently through the processing pipeline.
Considering its capabilities, Gauntlet's system requirements are minuscule.
Network Associates recommends a Pentium 233 with 128M of RAM. I tested Gauntlet
on a Windows NT Server 4.0 system. Basic installation is quick and more
or less automated. The best feature of the installation process is the thorough
system check that Gauntlet performs before it starts copying files. The
installer identifies conditions that could compromise Gauntlet's effectiveness
A single administrative console manages all of Gauntlet's features — and Gauntlet is loaded with features. Fortunately, it defaults to a fully
locked-down configuration. Any feature you don't configure immediately is
Getting Gauntlet's VPN server running is among its simpler configuration
tasks, but it still takes considerable time and knowledge. Before you install
Gauntlet, you'll need to register your VPN server with a public-key infrastructure
certificate authority such as Verisign Inc. or Entrust Technologies. If
you run your own certificate authority, Gauntlet will use your internally
generated certificate to authenticate your new VPN server.
The administrator has fine control over VPN encryption and authentication
parameters. The online documentation offers some guidance in choosing security
settings, but it would be nice to see templates, wizards or even simple
defaults that ease configuration. The absence of context-sensitive help
slows the process considerably.
Gauntlet appeals most to those who value a rich array of features over
ease of configuration and administration. It is a total solution, including
virtually everything you need to create a secure, bidirectional gateway
to the Internet using affordable hardware. Given its complexity, you should
budget for training and installation consulting before you implement Gauntlet
Windows 2000 Server
In a recent press release, Microsoft stated that in an independently
verified test, an Intel Corp.-based server with four CPUs and 1G of RAM
ran 5,000 simultaneous VPN sessions. Considering the cost of stand-alone
VPN servers capable of handling that kind of volume, Microsoft's approach
to VPN seems worth considering — even for non-Windows shops — on the basis
of cost alone.
Windows 2000 Server and Advanced Server are billed as do-everything
network servers: file/print, Web, applications, databases, objects — you
name it. However, turning a Windows 2000 system into a workable VPN server
requires us to throw out most of the features listed on the side of the
Windows 2000 box. This seems wasteful until you compare the cost of Windows
2000 Server (about $1,000) with VPN solutions such as Gauntlet Firewall/VPN
(starting at about $2,000 per year).
Windows 2000's VPN services are nowhere near as configurable as Gauntlet's,
although Microsoft balances the scales with a much simpler administrative
interface. You'll also find that Windows 2000 is equipped with services
that support VPN, including a remote authentication dial-in server and an
X.509 certificate authority.
With the upcoming release of its Internet Security and Acceleration
(ISA) server, Microsoft plans to round out Windows 2000's suite of services
with Internet caching and a firewall. The company's goal is to make it possible
for one (albeit beefy) PC server to handle all Internet gateway duties for
a sizable enterprise.
Administrators familiar with VPN services under Windows NT 4.0 will recognize
the Windows 2000 approach. The first step is to activate Windows 2000's
optional (but included) routing and remote access service (RRAS).
Windows 2000 also includes a Dynamic Host Configuration Protocol (DHCP)
server that pushes dynamic IP addresses and other network settings to client
systems. VPN benefits from DHCP when it is available — VPN clients are much
easier to configure using DHCP — but the RRAS wizard understands that you
might not have configured DHCP prior to activating VPN. RRAS contains its
own limited DHCP server expressly for simplicity. If you only need DHCP
for VPN and dial-up users, RRAS will automatically configure and use its
built-in DHCP server.
After the RRAS setup wizard is completed, the server is ready to accept
VPN connections. Tuning RRAS for maximum security requires digging through
a maze of dialog boxes to enable certificates and disable backward-compatible
weak authentication. This process takes longer than it should, thanks in
part to the administrative interface's avoidance of potentially unfamiliar
terminology. If you understand network terminology and know how VPN works,
you'll find Microsoft's gentler jargon more frustrating than helpful.
IPSec encryption is part of Windows 2000's core network services and has
its own administrative interface. The RRAS console fails to alert you if
IPSec is disabled (which is the default). As a result, VPN clients may make
L2TP connections believing IPSec encryption is in place, when in fact the
tunneled data is not encrypted.
Windows 2000's lower cost and quick setup make it a good choice for
small groups. It is even better if you plan to use that Windows 2000 server
in other ways. Gauntlet is a more significant investment — training is a
must — but its greater configurability and broad standards support makes
it suitable for large and changeable organizations.
Lucent SecureConnect and VPN Gateway
For hardware-based VPN, we looked at Lucent Technologies' Pipeline series
routers and its VPN Gateway line of stand-alone server appliances. Pipeline
routers — a product line Lucent picked up when it acquired Ascend — originally
offered firewall and IP security software (under the product name SecureConnect)
as an option. With its latest round of firmware upgrades, Lucent now supplies
SecureConnect free of charge for all Pipeline devices from the model 50
Integrated Services Digital Network router up.
Lucent's new SecureConnect firmware equips Pipeline routers with IPSec encryption
(40 bits standard; triple Data Encryption Standard [3DES] optional), X.509
certificate support, network address translation (for sharing one Internet
account across a LAN) and firewall security. That's a slew of features for
such a little box, so it's understandable that the encryption support is
limited on the smaller Pipeline models. They simply don't have the processing
power to manage 3DES encryption for multiple VPN connections.
Pipeline routers, like most others, use a command-line interface for configuration.
For convenience, Lucent supplies a Java-based configuration console called
SecureConnect Manager (SCM), which runs on any Java-capable PC or work-
station that shares a network with Pipeline.
To squeeze SecureConnect's impressive capabilities into Pipeline's tiny
Flash ROM, Lucent eliminated the configurability common to other VPN implementations.
After enduring the endless fiddling required to set up Gauntlet and Windows
2000 VPN, SecureConnect's comparatively cut-and-dried approach is a blessing.
When you enable VPN by creating a new tunnel in SCM, it is configured for
IPSec and L2TP. Period.
Having IPSec and VPN built into your router presents a relatively bulletproof
alternative to server-based solutions. With no moving parts — most Pipeline
models don't even have a cooling fan — there is nothing to wear out. The
device's entire configuration, firewall rules and all, fits in non-volatile
RAM and can be downloaded in a single file. If the device fails, just replace
it with a new unit and upload its configuration file. You're back in business.
The primary shortcoming of router-based VPN is scalability. A low-power
embedded microprocessor is no match for the four-CPU workhorse Microsoft
used to rack up 5,000 simultaneous connections. Some routers offload the
encryption, the most demanding component of VPN, to dedicated hardware.
Lucent uses encryption accelerators in its scalable VPN Gateway product
line. These gateways are full-featured firewall/VPN servers packaged in
convenient, integrated PCs. Bridging the gap between router firmware VPNs
and user-configured servers, Lucent's VPN Gateway systems promise ready-to-run
solutions. With its VPN Gateway 80 slated to sell for less than $5,000,
Lucent hopes to lure prospects away from server-based VPN.
The VPN Outlook
With remote workers, branch offices, off-site conferences and traveling
staff, VPN is a necessity for many organizations and agencies. It is a simple
technology to describe, but it can also be tricky to configure properly.
Integrated and embedded servers seem poised for the most rapid growth.
As faster low-power microprocessors appear, vendors will build VPN and other
network services into smaller and smaller cabinets. I anticipate Lucent
VPN Gateway-class servers that operate entirely in solid state, using Flash
memory instead of hard drives. Embedded Linux and Windows CE 3.0 are ideally
suited to such appliances. We need only wait for the hardware to catch up.
For now, your best VPN choice is determined by the factors most important
to you. If you need VPN running by tomorrow morning and you have a relatively
limited number of connections to support, choose hardware. You may find
that your current router's firmware can be upgraded with VPN capabilities.
If not, stand-alone VPN devices such as the Lucent VPN Gateway set up quickly
and more or less look after themselves, just as you would expect a black
box to do.
In the realm of software VPN, Windows 2000 Server is unique among network
operating systems because it includes a capable VPN server. It is short
on flexibility, but it's extremely affordable, relatively easy to manage
and runs on inexpensive PC systems. The ultimate, super-configurable, cross-platform
solution, Network Associates' Gauntlet Firewall/VPN, covers all the major
standards and is sublimely reconfigurable. Combination firewall/VPN solutions
in Gauntlet's class are incredibly complex, but if you expect your needs
to grow significantly in the next couple of years, the investment in time
and capital is worth it.
Yager is a freelance journalist. He can be reached at