Creating a VPN is a snap with Netlock
- By Earl Greer
- Mar 27, 2001
Security doesn't have to be difficult. In an ideal network, all communications would be automatically encrypted at the sending workstations and would be deciphered by the receiving computers. A manager computer on the network would provide certificates so that the workstations could be sure they were talking to trustworthy computers and not to strangers. The humans could ignore the whole process and concentrate on getting their jobs done.
In a nutshell, that is the idea behind a virtual private network (VPN).
While several VPN products are hardware-based, Netlock Technologies Inc.'s Netlock is purely a software solution. I downloaded the new 3.1 version from the Netlock website, including files to install the VPN on the different operating systems I wanted to test. My first task was to install the Manager program on a Microsoft Corp. Windows 2000 Professional workstation, which is now supported under the new version.
Installation of the Manager took less than five minutes. I didn't read the manual before installing the Manager, which was a minor mistake. Some of the parameters you have to enter during installation, such as the organization, manager name and country code, can't be changed later. These entries are based on the ITU X.500 distributed directory standard and are used in constructing each agent's X.509 certificate.
The installation should have placed an icon on my desktop for the Netlock Manager, and I was puzzled when it did not appear. I had originally installed Windows 2000 over Windows 98 on that PC, so my system files were in a directory named Windows instead of one named WINNT. It is possible that this confused the installation program.
I used some reasonably simple tools in the Manager to create several agent names, which was all that was required to begin constructing my VPN. The next step was to install an agent on another workstation. Because the installation files for the agent totaled about 4M, which is too much for a diskette, I simply mapped a drive over the network to my Manager PC. After installing the agent, I got a cryptic error message that appeared to be caused by the drive mapping, but after rebooting the installed workstation, I was rewarded with a closed-lock icon in the system tray of my agent PC. This showed that Netlock had worked its magic and formed a secure connection between the agents. I then burned a CD with the installation programs and carried it around to the workstations. There were no more problems with error messages.
Unfortunately, each protected host has to be installed manually. And at each workstation, I had to enter 76 random keystrokes to seed a random number generator. I would have liked to have a Linux agent, but other than that, Netlock has an agent for all the hosts you are likely to have on your network.
Out of curiosity, I used my trusty Sniffer Technologies' Sniffer protocol analyzer to capture a few packets passing between the secured PCs. As expected, the data packets simply looked like garbage.
The beauty of the system is that everything from that point on was transparent to the users. All communications sent among protected workstations were encrypted, and messages to unprotected workstations were still in the clear.
To see if the users could easily turn their protection off, I tried killing the Netlock agent service from the Windows Task Manager on a Windows 2000 workstation. When the system denied access for this blunt-force approach, I resorted to finesse by making a tiny hack in the registry to prevent the agent from loading at bootup. When I rebooted the PC, the agent did not load, but the network was not accessible either. Good for Netlock.
Alas, the users' freedom is the network administrator's straitjacket. The administrator must master a manual of formidable size, install workstations and spend some time at the Netlock Manager. Fortunately, the Manager console is reasonably easy to use. The main page consists of six tabs, leading to windows for constructing agents, security rules, tunnels, domains and so forth. I found these concepts easy to grasp and apply. On windows for entering data, there is a pane on the right giving context-sensitive help.
The Netlock VPN is a heavyweight boxer with a glass jaw, because it depends on the manager PC. In order to return this PC to service immediately after a crash, you will want to modify the registry to automatically log in the default user. This involves placing the user password into the registry in the clear. It's also important to arrange for the physical security of the manager PC. The VPN can operate while the manager is down, but new workstations and those with expiring certificates will be unprotected.
Netlock can handle large networks, but it does require that all clocks be synchronized within two minutes.
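As an added illustration (not Netlock's code, nor the author's), the Go program below models two points from the review: the installation paragraph's X.500 name fields (country, organization, manager name) becoming the issuer of every agent's X.509 certificate, and the clock-synchronization requirement just stated. It issues an agent certificate from a manager CA and then verifies it as seen by a peer whose clock runs a few minutes behind; the names, validity periods and skew values are assumptions, and Netlock's real certificate profile and tolerance logic are not described on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; any failure here is a programming error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// Manager identity entered once at installation. The review notes these fields
// cannot be changed later, which fits: every agent certificate names this issuer.
// Values are constructed for this example.
var managerName = pkix.Name{Country: []string{"US"},
	Organization: []string{"Example State Agency"}, CommonName: "Netlock Manager"}

// issue builds a self-signed manager (CA) certificate and an agent certificate
// signed by it, both valid from `now` (the Manager's clock at issuance).
func issue(now time.Time) (ca, agent *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: managerName,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	agentKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// The agent's DN reuses the Manager's C and O; only the agent name differs.
	agentTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{Country: managerName.Country,
		Organization: managerName.Organization, CommonName: "agent-ws01"}, // constructed agent name
		NotBefore: now, NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	agent = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, agentTmpl, ca, &agentKey.PublicKey, caKey))))
	return ca, agent
}

// verifyAt validates the agent certificate against the manager CA as seen by a
// peer whose clock reads peerClock. A peer running behind the Manager's clock
// rejects a freshly issued certificate as not yet valid, which is why a tight
// clock-skew bound is a precondition for this kind of certificate-based VPN.
func verifyAt(ca, agent *x509.Certificate, peerClock time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := agent.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: peerClock,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Calling verifyAt with a peer clock one minute ahead succeeds, while a peer clock three minutes behind the issuing Manager fails the NotBefore check.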
Netlock is an established company and has a solid user base in other countries. It is not the least-expensive VPN solution, but it is complete. It can be installed on multiple platforms and on secure intranets, extranets and the public networks without concern for existing routers and bridges. Unlike some other software solutions, Netlock is a complete suite and includes Netlock Gateway and Auditor. It lacks a specific firewall component, but provides a "virtual firewall" with port filtering that restricts applications to necessary uses, such as FTP and telnet.
Netlock answers one question with ease: Is it difficult to set up a VPN? Not at all.
Greer is a senior network analyst at a large Texas state agency. His e-mail address is Earl.Greer@dhs.state.tx.us