
VPNs in the distributed enterprise: security begins with the firewall. (Network Management).

By Hulett, Stewart
Publication: Communications News
Date: Friday, November 1 2002

Although larger companies may be able to address the need for security in a distributed network by linking their locations with leased lines, this approach is expensive and out of reach for many midsize and smaller companies that still favor a distributed enterprise business model.

With that model, these companies can attract and retain productive employees while minimizing real estate costs and taking advantage of local resources.

The key to efficient and successful distributed computing is creating a virtual private network (VPN) by maintaining always-on connections to the Internet--and protecting these connections with a firewall to prevent unauthorized access to private corporate resources over the public network.

Many companies clamp down and do not allow any company-related communication over the public network. Dial-up to a private modem pool avoids the public Internet, but it is not secure in itself, and its 56-kbps speed does not meet today's business needs. Often, companies beef up security at the corporate headquarters but leave remote employees with few options. This approach fragments the corporation and can hurt the company's performance: working as a seamless, single organization is essential to respond rapidly to market demands and stay competitive.

Take a company that has protected its corporate headquarters LAN, but has not yet implemented the network, management and data security required for a secure VPN between this LAN and a remote branch office or a telecommuter. Each time a remote employee accesses the corporate LAN over that unprotected link, the entire network is exposed. Why? To reach all corporate resources, an attacker need only compromise the branch office LAN (or the telecommuter's machine), then use that foothold to step across to the headquarters LAN.

THE WEAKEST LINK

Distributed enterprises should also be aware that as the number of branch offices and telecommuters increases, so does the risk of exposure to this type of security breach--unless each and every point of access to the LAN is secured over a VPN that supports dedicated private links between distributed sites. The security in a distributed enterprise is only as strong as its weakest link, because, lacking a VPN, the weak link can always be exploited to gain full access to the entire network.

This risk is not eliminated by network address translation (NAT). NAT hides internal addresses and creates dynamic port mappings so that replies can reach the host that started a conversation, but it is an address-translation mechanism, not an access control. A mapping stays in the NAT table for an idle timeout after the conversation ends, and until it expires the NAT forwards packets addressed to that external port, in many implementations regardless of who sends them, so an outsider who finds the port can reach the internal host and keep the mapping alive. NAT also provides no encryption and no authentication, so it neither protects data in transit nor proves who is at the other end of a link.
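The timeout hazard described above, as an added example that is not code from the article or from any NAT product: a small Python model of a NAT's dynamic port-mapping table with an idle timeout. The timeout value, the addresses, and the two NAT behaviours modelled (forward any sender to a mapped port, or only the original peer) are constructed assumptions for illustration.

```python
"""Model of a NAT device's dynamic port mappings and their idle timeout.

Added example for this article; the NAT behaviour, addresses and timeout
below are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass, field


@dataclass
class Mapping:
    inside: tuple      # (private address, private port) that opened the mapping
    peer: tuple        # (remote address, remote port) it was opened towards
    last_seen: float   # time of the most recent packet that used the mapping


@dataclass
class NatTable:
    public_ip: str = "203.0.113.1"       # constructed public address
    idle_timeout: float = 300.0          # seconds a mapping lives with no traffic (assumed)
    restrict_peer: bool = False          # True: only the original peer may send inbound
    mappings: dict = field(default_factory=dict)   # external port -> Mapping
    next_port: int = 40000

    def outbound(self, src, dst, now):
        """A private host sends a packet out: allocate or refresh an external port."""
        for ext_port, m in self.mappings.items():
            if m.inside == src and m.peer == dst:
                m.last_seen = now
                return ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = Mapping(inside=src, peer=dst, last_seen=now)
        return ext_port

    def _expire(self, now):
        """Drop mappings that have been idle longer than the timeout."""
        for ext_port in [p for p, m in self.mappings.items()
                         if now - m.last_seen > self.idle_timeout]:
            del self.mappings[ext_port]

    def inbound(self, src, ext_port, now):
        """A packet from the Internet arrives for public_ip:ext_port.

        Returns the private (address, port) it is forwarded to, or None if the
        NAT drops it.  Any forwarded packet refreshes the mapping, so an
        outsider who finds the port keeps it alive (an assumption of this model
        that matches common address-only NATs).
        """
        self._expire(now)
        m = self.mappings.get(ext_port)
        if m is None:
            return None                          # no mapping: nothing to translate
        if self.restrict_peer and m.peer != src:
            return None                          # address-restricted NAT
        m.last_seen = now
        return m.inside


def scenario(restrict_peer=False):
    """Branch host talks to HQ, goes quiet, and an outsider probes the port."""
    nat = NatTable(restrict_peer=restrict_peer)
    branch_host = ("10.1.0.25", 51000)           # constructed private host
    hq_server = ("198.51.100.10", 80)            # constructed remote server
    outsider = ("192.0.2.66", 4444)              # constructed third party

    port = nat.outbound(branch_host, hq_server, now=0.0)
    reply = nat.inbound(hq_server, port, now=1.0)           # genuine reply
    # The conversation is over at t=1, but the mapping is still in the table.
    probe = nat.inbound(outsider, port, now=121.0)          # 2 minutes of silence
    # 301 s after the last packet that touched the mapping it is gone,
    # whichever side sent that packet.
    last = 121.0 if probe else 1.0
    late = nat.inbound(outsider, port, now=last + 301.0)
    return {"reply": reply, "probe": probe, "late": late}


if __name__ == "__main__":
    print("address-only NAT:", scenario(restrict_peer=False))
    print("peer-restricted NAT:", scenario(restrict_peer=True))
```

With the address-only NAT, the outsider's probe is forwarded to the branch host as long as the mapping has not expired, and the probe itself restarts the idle timer; the peer-restricted variant drops it. Neither variant authenticates or encrypts anything, which is exactly what the VPN has to supply.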

A secure VPN is also essential for fostering strong business-to-business and peer-to-peer relationships. No potential trading partner would want to engage in Web-based transactions unless absolutely sure that these transactions would not present an opportunity for a hacker to gain access to its own network.

With this perspective, securing links in a distributed enterprise can be viewed as a market imperative--and a marketing advantage. A company with a highly secure VPN linking its entire distributed enterprise--with a high level of security protection at every site--is surely far more attractive than one that relies on NAT, or no security at all, to prevent unauthorized access.

Good security that relies on VPNs begins with a firewall, a device located between the private LAN and the Internet. A firewall forwards only the packets its policy permits, using mechanisms such as packet filtering, access control lists, stateful inspection, address translation and content filtering. Firewalls must be present at every node of the distributed enterprise; they can be personal (dedicated to a single workstation) or shared among several workstations.
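The access-control mechanisms named above, as an added example that is not code from the article or from any firewall product: a minimal stateful packet filter in Python with an ordered access-control list (first match wins, implicit deny) and a connection table, so inbound packets are accepted only as replies to connections already admitted. The rule set, addresses and packets are constructed, and the model tracks only a 5-tuple and the TCP SYN flag rather than full TCP state.

```python
"""A minimal stateful packet filter: an ordered access-control list with an
implicit deny, plus a connection table so that inbound packets are accepted
only as replies to connections the filter has already admitted.

Added example for this article, not code from any firewall product; the rule
set, addresses and packets are constructed, and the model tracks only a
5-tuple and the TCP SYN flag rather than full TCP state.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False          # TCP SYN without ACK: a new connection attempt
    direction: str = "out"     # "out": LAN -> Internet, "in": Internet -> LAN


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None    # None matches any destination port
    proto: Optional[str] = None    # None matches any protocol


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()     # 5-tuples of connections already admitted

    def _match(self, rule, pkt):
        return (rule.direction == pkt.direction
                and ip_address(pkt.src) in ip_network(rule.src_net)
                and ip_address(pkt.dst) in ip_network(rule.dst_net)
                and (rule.dport is None or rule.dport == pkt.dport)
                and (rule.proto is None or rule.proto == pkt.proto))

    def _acl(self, pkt):
        """First matching rule wins; no match means deny."""
        for rule in self.rules:
            if self._match(rule, pkt):
                return rule.action == "allow"
        return False

    def process(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an admitted connection pass in either direction; a packet
        # from a different address cannot claim that state.
        if fwd in self.conns or rev in self.conns:
            return True
        # Anything else must start a new connection, and the ACL decides.
        if pkt.proto == "tcp" and not pkt.syn:
            return False       # mid-stream segment with no tracked connection
        if not self._acl(pkt):
            return False
        self.conns.add(fwd)
        return True


def scenario():
    """Branch office policy: outbound HTTPS for the LAN, inbound SMTP from HQ only."""
    fw = StatefulFirewall([
        Rule("allow", "out", "10.1.0.0/24", "0.0.0.0/0", dport=443, proto="tcp"),
        Rule("allow", "in", "198.51.100.0/24", "10.1.0.5/32", dport=25, proto="tcp"),
    ])
    r = {}
    r["web_out"] = fw.process(Packet("10.1.0.25", 51000, "93.184.216.34", 443, syn=True))
    r["web_reply"] = fw.process(Packet("93.184.216.34", 443, "10.1.0.25", 51000, direction="in"))
    # Same ports, different sender: no tracked connection and no SYN, so dropped.
    r["forged_reply"] = fw.process(Packet("192.0.2.66", 443, "10.1.0.25", 51000, direction="in"))
    # Unsolicited inbound SYN to a LAN host: nothing in the ACL allows it.
    r["scan_in"] = fw.process(Packet("192.0.2.66", 4444, "10.1.0.25", 22, syn=True, direction="in"))
    # Inbound SMTP from HQ to the branch mail host: explicitly permitted.
    r["smtp_in"] = fw.process(Packet("198.51.100.10", 40000, "10.1.0.5", 25, syn=True, direction="in"))
    return r


if __name__ == "__main__":
    print(scenario())
```

The contrast with the NAT paragraph is the forged reply: a NAT would translate it because the port is mapped, whereas the stateful filter drops it because no admitted connection has that peer address.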

ADDITIONAL PROTECTION

Firewalls are available as stand-alone devices or as integrated elements in the router platform that provides VPN functionality and full data security through support of additional security components, such as encryption and authentication algorithms. Encryption algorithms protect data traveling on the public network from unauthorized snooping, and integrity checks detect any tampering in transit. Authentication algorithms verify the identity of each peer or user before access is granted, so that only authorized parties join the network.

Routers that support industry-standard algorithms enable greater flexibility in configuring the security infrastructure and VPNs in a distributed enterprise because they can seamlessly interface with "big iron" corporate routers. This enables leveraging of existing firewall investments when adding remote facilities. With support for industry standards, routers at remote facilities can be linked to the corporate LAN through secure tunnels.

Another important factor to consider when creating VPNs in a secure distributed enterprise network is management. Because firewalls and routers are both manageable, they can be configured and customized to suit diverse network environments. Once configured, however, the security of the entire network is dependent on the security of the management interface. If an attacker gained access to the management interface of the firewall, the settings could be changed to suit the attacker's needs.

As a result, all management interfaces to firewalls and routers, including Web-based management (HTTP), Telnet-based management, simple network management protocol (SNMP) management, and RS-232 (local console), must be controlled using any, or all, of the following:

* Every management interface requires a login with a strong, non-default password. Because Telnet, HTTP and SNMPv1/v2c send that password in the clear, they should be replaced by SSH, HTTPS and SNMPv3 wherever the platform supports them.

* Management interfaces that are not needed are shut down, which reduces the number of potential points of attack.

* Management is bound to a dedicated address (or interface) separate from the addresses that carry user traffic through the routers or firewalls.

* Management sessions are accepted only from specific, named workstations on the LAN or WAN.
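The four controls above applied to a concrete configuration, as an added example that is not code from the article or any vendor's configuration language: a Python audit that reports, for each enabled management service, whether it needs a login, whether it is a cleartext protocol, whether it listens on a data-plane address, and whether it is reachable from any source, plus a reachability check for a given login attempt. The dictionary layout, the service names, the addresses, and the "weak" and "hardened" configurations are constructed for illustration.

```python
"""Audit of a router or firewall management-plane configuration against the
controls listed above, plus a reachability check for a management login.

Added example for this article, not any vendor's configuration language or
product code: the dictionary layout, service names, addresses and the
cleartext-protocol list are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Management protocols that carry the login credentials unencrypted.
CLEARTEXT = {"telnet", "http", "snmp-v1", "snmp-v2c"}
PREFERRED = {"telnet": "ssh", "http": "https", "snmp-v1": "snmp-v3", "snmp-v2c": "snmp-v3"}


def audit(config):
    """Return (service, finding) pairs for each enabled service that violates a control."""
    findings = []
    data_plane = set(config["data_plane_addresses"])
    for svc in config["services"]:
        name = svc["name"]
        if not svc["enabled"]:
            continue                     # a closed-down interface is not a point of attack
        if not svc["requires_login"]:
            findings.append((name, "no password required to log in"))
        if name in CLEARTEXT:
            findings.append((name, f"password crosses the wire in clear text; use {PREFERRED[name]}"))
        if svc["bind_address"] in data_plane:
            findings.append((name, "listens on a data-plane address instead of a dedicated management address"))
        if any(ip_network(n).prefixlen == 0 for n in svc["allowed_sources"]):
            findings.append((name, "accepts management sessions from any source"))
    return findings


def access_allowed(config, service, src_ip, dst_ip):
    """True if a login attempt to `service` from src_ip, addressed to dst_ip, is reachable."""
    for svc in config["services"]:
        if svc["name"] != service:
            continue
        if not svc["enabled"] or svc["bind_address"] != dst_ip:
            return False
        return any(ip_address(src_ip) in ip_network(n) for n in svc["allowed_sources"])
    return False


# Constructed "before" configuration: management exposed on the data-plane addresses.
WEAK = {
    "data_plane_addresses": ["203.0.113.1", "10.1.0.1"],    # WAN and LAN addresses
    "services": [
        {"name": "telnet", "enabled": True, "requires_login": True,
         "bind_address": "203.0.113.1", "allowed_sources": ["0.0.0.0/0"]},
        {"name": "http", "enabled": True, "requires_login": True,
         "bind_address": "10.1.0.1", "allowed_sources": ["0.0.0.0/0"]},
        {"name": "snmp-v2c", "enabled": True, "requires_login": False,
         "bind_address": "10.1.0.1", "allowed_sources": ["0.0.0.0/0"]},
        {"name": "console", "enabled": True, "requires_login": True,
         "bind_address": "local", "allowed_sources": []},
    ],
}

# Constructed "after" configuration applying the four controls.
HARDENED = {
    "data_plane_addresses": ["203.0.113.1", "10.1.0.1"],
    "services": [
        {"name": "telnet", "enabled": False, "requires_login": True,
         "bind_address": "203.0.113.1", "allowed_sources": []},
        {"name": "http", "enabled": False, "requires_login": True,
         "bind_address": "10.1.0.1", "allowed_sources": []},
        {"name": "ssh", "enabled": True, "requires_login": True,
         "bind_address": "10.1.255.1", "allowed_sources": ["10.1.255.0/24"]},   # management VLAN
        {"name": "https", "enabled": True, "requires_login": True,
         "bind_address": "10.1.255.1", "allowed_sources": ["10.1.255.0/24"]},
        {"name": "snmp-v3", "enabled": True, "requires_login": True,
         "bind_address": "10.1.255.1", "allowed_sources": ["10.1.255.10/32"]},  # the NMS only
        {"name": "console", "enabled": True, "requires_login": True,
         "bind_address": "local", "allowed_sources": []},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

The weak configuration produces ten findings; the hardened one produces none, and a Telnet attempt from the Internet that the weak configuration would have accepted is no longer reachable at all.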

VPN management security can be further enhanced by centralizing control through a single Web-based interface. With fewer points of management access, risks are reduced, and so is the need to hire IT managers for each of these sites.

A solution to support the security requirements of a distributed enterprise should also provide the high availability demanded of a business-critical infrastructure. This can be achieved with a routing platform that supports dual paths; if one access method fails for any reason, communications can be transparently handed off to another path. With a communications platform that offers optimized network, data and management security, a distributed enterprise can create a VPN-based infrastructure that provides the best possible protection and privacy for all corporate resources.

For more information from Efficient Networks: www.rsleads.com/211cn-251

RELATED ARTICLE: 10 steps to VPN security.

1. Do not skimp on assessment. Take time to do a thorough analysis of security needs, and write a security policy document--remember to consider internal, as well as external threats--before deciding on products and solutions.

2. Do not forget client systems. Consider the mobile workforce as an extension of the corporate network, and secure each device accordingly, including PDAs and hand-held devices.

3. Centralize security management, which makes it far easier to ensure that up-to-date policy and software are in place at every site.

4. Integrate the VPN and the firewall so that decrypted VPN traffic is subject to the same network access control as any other traffic, in addition to several other important benefits.

5. Take a layered security approach. Security is more than a firewall. Evaluate complementary security products, such as intrusion detection and virus scanning. Make sure that complementary solutions can be integrated with existing security solutions.

6. If quality of service (QoS) plays a role in the network, choose a solution that allows integration of QoS with VPN/security infrastructure. An integrated solution makes certain that traffic can be inspected and prioritized.

7. Invest in training. Software is only as good as the people implementing and managing it.

8. Upgrade security software on a regular basis. New security threats crop up continuously.

9. Consider outsourcing security.

10. Put a system in place to measure results of security efforts. Audits and reporting solutions can help.

5 VPN QoS tips to consider

1. Integrate VPN and QoS. An integrated solution ensures that traffic is both inspected and prioritized, and it gives the QoS and VPN functions the same unencrypted view of the traffic so that both can work as intended.

2. Undertake a thorough analysis of which types of network traffic are most important to the business, then develop a QoS policy--with priorities, guarantees and limits--that safeguards the best performance and reliable delivery for specific types of network traffic.

3. Do not place a QoS device on the WAN side of the firewall/VPN: there it is exposed to denial-of-service attacks before the firewall can filter them, and it sees only encrypted tunnel packets whose inner headers it cannot read, so it cannot prioritize traffic by application.

4. Do not place a QoS device on the LAN side of the firewall/VPN either: it shapes traffic before encapsulation, and because tunnel headers, padding and authentication data enlarge every packet, a link that appeared fully used on the LAN side can be overrun after encryption.

5. Incorporate a QoS device that uses stateful inspection and application-aware classification. Stateful inspection tracks each connection, and when the device can also see the application protocol inside it, priority levels can be set by application or file type rather than by port number alone.
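The packet growth behind tip 4, worked through as an added example that is not from the article or from any product: a Python calculation of how much IPsec ESP tunnel-mode encapsulation enlarges a packet, and the largest LAN packet (and TCP MSS) that still fits a 1500-byte WAN MTU. The framing follows ESP as specified in RFC 4303 (outer IPv4 header, SPI and sequence number, IV, padding, pad-length/next-header trailer, ICV); the two cipher suites are assumed for illustration, and the packet sizes are constructed.

```python
"""Worked calculation of how much IPsec ESP tunnel-mode encapsulation enlarges
a packet, and the largest LAN packet that still fits a 1500-byte WAN MTU.

Added example for this article, not taken from any product: the framing is
ESP per RFC 4303 (outer IPv4 header, SPI + sequence number, IV, padding,
pad-length/next-header trailer, ICV) and the two cipher suites are assumed
for illustration.  Packet sizes are constructed.
"""
OUTER_IPV4 = 20     # new outer IP header added in tunnel mode (no options)
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)

# suite: (IV bytes on the wire, padding alignment, ICV bytes)
SUITES = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),   # block cipher: pad to 16-byte blocks
    "aes-gcm-128": (8, 4, 16),              # AEAD: only the 4-byte ESP alignment
}


def esp_tunnel_size(inner_len, suite):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    iv, align, icv = SUITES[suite]
    # Padding makes (payload + padding + trailer) a multiple of the alignment.
    pad = (-(inner_len + ESP_TRAILER)) % align
    return OUTER_IPV4 + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv


def overhead(inner_len, suite):
    """Bytes added to an inner packet of the given size by the encapsulation."""
    return esp_tunnel_size(inner_len, suite) - inner_len


def max_inner_for_mtu(mtu, suite):
    """Largest inner packet whose encapsulated form still fits in the link MTU."""
    inner = mtu
    while esp_tunnel_size(inner, suite) > mtu:
        inner -= 1
    return inner


def tcp_mss_for_mtu(mtu, suite):
    """TCP MSS to clamp to so a full segment never needs fragmentation (IPv4 + TCP = 40)."""
    return max_inner_for_mtu(mtu, suite) - 40


if __name__ == "__main__":
    for suite in SUITES:
        print(suite, "1500-byte packet becomes", esp_tunnel_size(1500, suite),
              "bytes; largest inner packet for a 1500 MTU:", max_inner_for_mtu(1500, suite),
              "; TCP MSS:", tcp_mss_for_mtu(1500, suite))
```

A full 1500-byte LAN packet grows to 1560 bytes under AES-CBC with HMAC-SHA1-96 and must be fragmented or rejected on a 1500-byte WAN link; clamping the TCP MSS to the value the last function returns avoids that, which is why shaping traffic before encapsulation gives a misleading picture of the link.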

For more information from CheckPoint: www.rsleads.com/211cn-257
