On the VPN Trail

The Kansas Bureau of Investigation has become the first state law enforcement agency in the nation to launch a virtual private network to exchange highly sensitive files with the state's police departments over the Internet.

The pioneering network application links the KBI and local law enforcement agents to an IBM Corp. AS/400 midrange system containing adult and juvenile criminal history files. The network is available in 250 Kansas law enforcement offices with 4,000 employees and is expected to reach 750 offices with 12,000 law enforcement officials by the end the year.

VPNs combine the easy access and low cost of the Internet with the security and management benefits of a private network, including guaranteed bandwidth availability and network monitoring. For the KBI, the security features of a network are the most critical factor in deciding which network to develop.

"We are required by law to ensure that strict security procedures are in place whenever we transmit criminal records," said Ron Rohrer, information resource manager for the KBI's law enforcement bureau, which has 200 employees in five Kansas cities: Great Bend, Overland Park, Pittsburg, Topeka and Wichita.

The agency functions like a state version of the FBI, helping understaffed local police departments investigate felonies such as narcotics trafficking, rape and murder. In the past, when KBI agents and local police met to discuss a case and wanted to examine case histories, they used a 4.8 kilobits/sec connection to tap an IBM System Network Architecture network to reach the AS/400. Because of the limitations of the network, they could download only text-based data; fingerprints and photos were not feasible.

A higher-speed connection was needed to transmit graphic information between offices. Although a private network was one option, it would have required the KBI to purchase network equipment, install it at each law enforcement office and manage the connections. A more appealing option was piggybacking law enforcement transmissions on a state-operated Internet Protocol network that serves 105 counties.

The KBI also determined that a private network would have cost $2.5 million more than the VPN, with $1.5 million coming from the KBI and $1 million coming from the local law enforcement agencies that would access the network.

To use the state IP network, the KBI had to guarantee that other departments or outsiders could not tap into network transmissions. The agency had been using a firewall from Redwood City, Calif.-based CheckPoint Software Technologies Ltd. to monitor Internet access and was interested in its VPN products. CheckPoint referred the KBI to FishNet Consulting Inc., a Kansas City, Kan., reseller that specializes in security systems.

FishNet has a tight bond with CheckPoint. "Our philosophy is to select best-of-breed products and work with only one vendor," said Gary Fish, the company's president. "That way, we develop a deeper level of expertise about the products and a closer relationship with the suppliers." The philosophy seems work because FishNet's revenues grew 400 percent in 1998, with much of the growth coming from VPN deployments.

Security Measures

Because of the sensitive nature of its work, the KBI required a top-of-the-line security system. FishNet recommended three products: VPN-1 from CheckPoint; public-key software from Entrust Technologies Inc., Richardson, Texas; and network and computer auditing tools from Internet Security Systems (ISS) Inc., Atlanta.

Security checks can be deployed at various levels on an Internet connection. A firewall offers the lowest level of security by examining incoming and outgoing IP addresses and blocking unauthorized connections. However, hackers can bypass firewall checks by pretending to be someone else, a technique called spoofing.

Encryption products ratchet up security by coding information before sending it along a transmission line and then decoding it at the end point. The Internet Engineering Task Force (IETF), an ad hoc standards group, developed the IPSec standard for transmitting encrypted information on the Internet, and compliant products began to appear during the past couple of years.

With encrypted information, the challenge has been to develop a technique that encrypts information and also makes it easy for the sender to transmit the data and the receiver to open it. Two-key cryptography-using a private key and a public key-is one approach.

A public key is available to anyone and can be used only to encrypt messages. A private key can be used only to decrypt the messages created by the public key. At the KBI, the agency's servers encrypt transmissions with public keys. Then private keys on each agent's desktop system decrypt those transmissions.

Because employees come and go, a company needs a mechanism to track public and private keys. A digital certificate is a piece of digital data that contains a public key, the name of the key's owner and other information, such as the expiration date and the algorithm used for encryption. Entrust/PKI, based on the IETF Internet Key Exchange key management standard, monitors the exchange of cryptographic keys between devices.

Digital certificates are designed to work with directories, which basically act as network traffic cops and route authorized users to corporate resources, such as applications and printers. The KBI installed the Netscape Directory Server from Netscape Communications Corp., Mountain View, Calif.

Encryption comes in different flavors. KBI selected the triple Data Encryption Standard, which is the highest encryption standard available.

Organizations have been slow to deploy encryption systems because they can add a lot of processing overhead to computers or networks. To combat the problem, equipment vendors have been integrating on-board microprocessors that offload encryption functions from a device's main microprocessor. The information also is compressed so that it does not take up a lot of bandwidth. The KBI placed a couple of encryption boards on its firewall, which sits in front of its servers.

While the CheckPoint and Entrust packages are designed to ensure that unwanted visitors are not fiddling with the agency's data, they offer little help in determining what is actually happening on the network.

The agency filled this gap with ISS' RealSecure, an integrated network and host intrusion-detection and response system. The product monitors network traffic and host logs, detects suspicious activity and responds to host and network abuse before systems are compromised.

Working Together

FishNet completed a pilot installation in September to ensure that all components would work together. "CheckPoint and Entrust had just announced the integration of their products, so the [KBI] was one of the first organizations to deploy them, and there were a few rough spots getting the software to operate," Fish said.

As an added hurdle, the KBI had to clear the system with the FBI, whose policy states that federal criminal information cannot be transmitted over the Internet unless a state can provide assurances that adequate security is in place to safeguard the data. That approval came in November 1998, and the KBI began to roll out its VPN. "We are adding about 15 sites a week to the VPN," Rohrer said.

The transition has been better than expected. "The agents immediately see the benefits of being able to download graphic information while working on a case," said Norma Jean Schaefer, an information technology consultant at the KBI who was hired to help smooth the transition to the system.

"A VPN really is a new environment, and an agency needs someone with networking expertise to drive the project in the right direction," Rohrer said.

State and local agencies have been a bit behind commercial companies in deploying VPNs for a couple of reasons. "The budgeting cycles that state agencies go through are not conducive to rapid deployment of new technology," Rohrer said. Budgets often are set 18 to 24 months before purchases are made-a lifetime in the rapidly moving computer industry. Also, pressing issues such as making systems Year 2000-compliant also have had a higher priority than new network projects.

But VPN projects should become more common because the technology offers so many benefits. "For many or-ganizations, moving to a VPN is easy to justify. Paybacks can come in as little as six to 12 months," said Ray Valvassori, a program manager at Entrust.

Paul Korzeniowski is a free-lance writer in Sudbury, Mass., who specializes in networking issues. He can be reached at paulkorzen@aol.com.