TMCnet - World's Largest Communications and Technology Community
November 1999


IPSec: Hot VPN Protocol's Realities Revealed

BY CARY HAYWARD

The Internet Protocol (IP), easy to manage and route, is a major communications tool for large corporations, academia, and the government. But IP-based networks, like intranets and the Internet, are often unregulated and wide-ranging, making data security a paramount concern. IP is vulnerable to security risks, such as:

  • Spoofing, in which a rogue device impersonates another;
  • Sniffing, in which a rogue device eavesdrops on a communication; and
  • Session hijacking, in which a rogue device masquerades as a bona fide party in an ongoing communication.

With this in mind, the Internet Engineering Task Force’s (IETF) IP Security Working Group developed a framework of open standards to bring security to IP communications through secure virtual private networks (VPNs) — essentially closed networks on shared infrastructures.

The IETF’s IP security (IPSec) standard, like a “Good Housekeeping Seal of Approval,” signifies privacy (foiling eavesdroppers), integrity (ensuring communications travel unchanged), and authentication (proving the sender’s identity) in data communications. In December 1998, the multivendor IP Security Working Group announced that the last of the IPSec Internet Drafts were moving to request for comment (RFC) stage.

Group members and 120 companies have worked nearly six years to draft the standard, perform interoperability testing, and begin integrating it into products. Now all vendors have a complete set of guidelines from which to develop compliant solutions. A vendor’s compliance with IPSec assures customers that their IP-based communications incorporate the most secure and comprehensive standard available today for encryption, integrity and authentication. IPSec also provides a framework for interoperability between two or more vendors’ compliant products.

BUSINESS CASE FOR IPSec
Secure IP services are fast becoming less of a luxury and more of an imperative for businesses that share more of their digital assets across broader geographies with increasingly mobile employees. Factors driving demand for VPNs include:

Security Needs
Organizations use the Internet heavily to display their Web sites and exchange e-mail, but companies still need private networks to share proprietary information with customers, partners, suppliers and mobile employees. The IPSec protocol is the ideal foundation for VPNs, which bring closed-network security to IP and the Internet.

Worker Mobility
Employees are more mobile than ever, and they are increasingly working from home. International Data Corp. (IDC) estimates that the number of mobile and telecommuting workers will grow by 330 percent by the year 2000. As a result, companies need to provide spontaneous, low-maintenance communications between any two points with the privacy of an enterprise network. Secure VPNs let mobile employees and telecommuters connect to “their enterprise network” with a local call to their ISP. VPNs also save companies money on long-distance calls, remote-access hardware, system upgrades, and administration.

Cost Savings
Companies want seamless data communications with their branch offices, customers, suppliers, and partners, and the cost of private lines for connectivity can be enormous. This pressure has driven the communications industry to IPSec as a means to combine the security and privacy of private lines with the low cost and ubiquity of the Internet. The result, by some accounts, is a monthly saving of up to 60 percent by using public networks (e.g., the Internet) over equivalent private (e.g., leased line) networks, according to a Forrester Research study.

Administrative Simplicity
Creating and maintaining a global network with the latest data communications technology is a complex task, especially for fast-growing companies that are constantly entering new markets. Secure VPNs make it easy for organizations to change and grow, since extending a VPN to new branch offices is as simple as obtaining Internet access. And with secure VPNs, it’s the ISP’s duty to install and upgrade the latest technology, not the organization’s. IPSec also lowers administrative complexity by requiring users to prove their identities to their network environment, minimizing the need for companies to administer security of every application in the enterprise.

THE REALITY OF IPSec
Like any emerging standard, IPSec is a work in progress. As such, it has unique strengths as well as weaknesses that need to be improved. Among IPSec’s specific strengths:

  • Six years of development, trials, and input from 120 companies makes IPSec truly reliable and open among other tunneling standards. No one company “owns” it, though many have thoroughly trialed it.
  • IPSec encrypts and encapsulates IP datagrams, including source and destination addresses, protecting communications from “man-in-the-middle” attackers. IPSec even provides for faux IP headers that divert attackers.
  • IPSec works seamlessly with unsecured IP: If two network nodes are IPSec-compliant, their communications are secure even if they cross networks that are not IPSec-secured.
  • IPSec uses public key digital certificates for authentication. This enables companies to integrate IPSec into their existing public key infrastructure (PKI) programs for strong, transparent user authentication inside and outside the enterprise. PKI technology is a cornerstone of Internet commerce, and since IPSec makes PKIs more secure, IPSec is a leap forward for Internet commerce.
  • IPSec’s anti-replay service ensures that rogue packets cannot be inserted into the data stream, providing additional security beyond encryption and authentication. With anti-replay service, each IP datagram passing within the secure association is tagged with a sequence number. On the receiving end, each datagram’s sequence number is checked to see if it falls within a specified range. If an IP datagram tag number does not fall within the range, the datagram is blocked.
  • IPSec’s Internet Key Exchange (IKE) protocol lets users ignore the considerable complexity of authentication and encryption. The IKE key management scheme negotiates and decides all the protocols, encryption algorithms, and keys (encryption codes tailored to each user) for a secure communication. It also allows users to exchange keys (which can change frequently for added security) and keep track of all these transactions.
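The sequence-number check described in the anti-replay bullet, as an added example that is not from the article or from any vendor's product: it follows the receiver-side sliding window of the IPSec RFCs (RFC 2401/2406) with their default 64-packet window, and the packet stream fed through it is constructed for illustration.

```python
# Added example: an IPSec-style anti-replay sliding window (RFC 2401/2406
# receiver algorithm). The window width is the RFC default; the packet
# sequence used below is constructed, not captured from a real SA.

WINDOW_SIZE = 64  # receiver window width in sequence numbers (RFC 2401 default)


class AntiReplayWindow:
    """Tracks which sequence numbers have been accepted on one security association.

    The window covers (right_edge - WINDOW_SIZE, right_edge]. A datagram is blocked
    if its sequence number is left of the window (too old) or has already been
    seen (a replayed datagram). Sequence numbers are 32-bit and must not wrap;
    the RFCs require rekeying the SA before that happens.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.right_edge = 0   # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number right_edge - i was seen

    def check(self, seq):
        """Return True if the datagram is accepted, False if it is blocked."""
        if seq == 0:
            return False      # RFC 2406: the first packet on an SA carries seq 1
        if seq > self.right_edge:
            # Ahead of the window: slide the window forward to this packet.
            shift = seq - self.right_edge
            if shift >= self.size:
                self.bitmap = 1                       # everything older drops out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right_edge = seq
            return True
        offset = self.right_edge - seq
        if offset >= self.size:
            return False      # left of the window: too old to accept
        if self.bitmap & (1 << offset):
            return False      # already seen: replay
        self.bitmap |= 1 << offset   # late but fresh: mark it and accept
        return True


def filter_stream(sequence_numbers):
    """Run a packet stream through one window; return the accept/block verdicts."""
    win = AntiReplayWindow()
    return [win.check(seq) for seq in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream: reordering (5 before 4), a replay of 3, a jump to 70
    # that pushes 6 out of the window, and a late packet (7) still inside it.
    print(filter_stream([1, 2, 3, 5, 4, 3, 70, 6, 69, 7]))
```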

Despite its strengths, there’s room for improvement around IPSec in several areas, including:

  • The IETF IPSec RFCs provide no more than a framework for vendor product development. Each vendor finds a way to make IPSec work within existing operating systems and product platforms. Companies that seek IPSec interoperability between multiple vendors’ products should contact the IETF for results of recent VPN “bakeoffs.”
  • IPSec consumes a lot of bandwidth. Since it is actually a combination of several standards designed to address the issues of privacy, integrity, and authentication of data passing over IP networks, it requires computational intensities that will burden the main processor of any networking device it runs on (e.g., remote access concentrator, router, firewall, gateway device). Fortunately, hardware (i.e., chip-based) assistance and compression technology make IPSec a practical alternative. Hardware-assisted encryption is an order of magnitude faster than software-based solutions. Bench tests have shown that software-based IPSec clients for mobile and telecommuting employees work with little or no degradation for ISDN (128 Kbps) and standard modem (56 Kbps) connections.
  • IPSec provides support only for IP. Those companies that continue to use non-IP protocols such as IPX, the networking protocol for Novell’s NetWare clients and servers, will need to find other means of securing their data communications. Some network administrators have provided an IPX-to-IP translator device at the gateway to the IP network, allowing secure IPX data communications over public networks.
  • The IPSec standard does not tell vendors how to develop a graphical user interface (GUI) or command line to set up, tear down, manage and monitor IPSec-based tunnels. Therefore, vendors are offering proprietary management interfaces, terminology, and deployment/usage schemes (theories of operation). Also, many IPSec software solutions require complex end-user configuration, which can be a challenge for less sophisticated users. Fortunately, vendors are increasingly providing customers with configuration wizards, quick-start user guides, and theory of operation documents to help remote users and network administrators understand and use IPSec.

OTHER VPN STANDARDS
There are other tunneling standards that allow customers to set up VPNs, and these standards warrant examination. The chief competing technologies are Layer Two Tunneling Protocol (L2TP), Point-To-Point Tunneling Protocol (PPTP) and Layer Two Forwarding (L2F). Here’s how they compare:

L2TP. L2TP is an IETF standard for providing an open, scalable tunneling solution over the public infrastructure for low-cost, easily accessible feature services like voice over IP (VoIP), Internet call waiting, and distance learning. L2TP’s chief benefit and advantage over IPSec is its multiprotocol support for IP, IPX, SNA, and others. Its weaknesses include limited authentication and data integrity capabilities and lack of privacy (encryption). Because of this lack of security in L2TP, there is an IETF effort to combine IPSec with L2TP to add security characteristics to L2TP. This will allow more secure feature services for carriers, service providers and ISPs.

PPTP. PPTP is Microsoft’s extension of Point-To-Point Protocol (PPP), a scheme for serial communication in Windows NT and NetWare client/server environments. PPTP supports IP and IPX.

L2F. L2F is a tunneling protocol that encapsulates IP and forwards it to an L2F network server. L2F is better than PPTP, but may lack encryption capabilities.

By most accounts, IPSec is the best commercially available tunneling protocol today. It is a solid and open standard, and it is a complete security framework for IP. It will bring bulletproof security to private networks, and it will bring private network security to the world’s most public networks. This new generation of secure, affordable communications will enable companies to slash costs and simplify business processes as they use IP and the Internet to prosper.

Cary Hayward is VPN product manager for Lucent Technologies’ Remote Access Business Unit. Lucent, headquartered in Murray Hill, N.J., designs, builds, and delivers a wide range of public and private networks, communications systems and software, data networking systems, business telephone systems and microelectronics components. Bell Labs is the research and development arm for the company. Additional information about Lucent Technologies is available on the company’s Web site at www.lucent.com.


Internet Telephony And VPNs: The Next Step In Converged Communications

BY SHANNON PLEASANT

It is no secret that the incredible growth of the Internet and the broad proliferation of IP (Internet Protocol) has changed the way businesses look at voice and data communications. In fact, voice and data “convergence,” a much-discussed topic for the last decade, finally seems to be upon us. Every vendor, service provider and industry pundit is passionately decrying the benefits of integrated voice and data networks that leverage the power of the Internet.

While there are considerable benefits associated with taking advantage of the widespread acceptance of IP, the reality is that we are still developing and deploying new technologies that do not immediately offer the advantages of converged communications. For example, Voice over IP (VoIP) and IP-based Virtual Private Networks (VPNs).

Although very much alike in their business proposition to the end user, VoIP and VPNs have largely been positioned as separate technologies/services, one designed to save money on voice traffic, the other to save money on data traffic. However, when combined, these two solutions offer an even greater value proposition. Both markets are expected to grow exponentially over the next five years, reaching $35 billion combined in service revenues by the end of 2001.

The Opportunities of VoVPN
Cost savings are the number one reason businesses deploy VoIP and/or VPNs. Internet telephony eliminates long-distance telephone charges, which typically make up a large percentage of the phone bill. VPNs allow businesses to more efficiently deploy LAN-to-LAN and remote access solutions, alleviating the costs of leased lines and dial-in charges. Combined, the solution offers service providers an opportunity to offer services based on integrated Voice over VPN (VoVPN) solutions, and offers end users a way to increase their savings.

Second to cost savings, security is a major benefit of linking VPN and VoIP solutions. Security ranks as the number one concern in implementing VPNs and is second only to quality as a concern for implementing VoIP. Recent efforts by the IETF have enabled vendors and service providers to offer VPNs with a very high degree of security. IPSec is the IETF’s standard for IP security. It addresses the integrity, encryption, authentication, and access control of IP packets. Optimal for use in both LAN-to-LAN and dial-up VPNs, IPSec allows for native end-to-end secure tunneling, authenticating every packet of data that is passed through the network.

By enabling secure VPNs, IPSec can also ensure voice integrity when implemented over the secure VPN. A virtual private network implemented with IPSec is a protected vehicle for voice traffic that guarantees a private, authenticated voice connection.

The Challenges Of VoVPN
Both VPNs and VoIP separately have not overcome all of the hurdles to quick and easy deployment, and combined, they introduce several significant issues that need to be addressed to achieve any degree of deployment.

First, of course, is latency. Voice communications are very sensitive to any delay introduced by either the network or the hardware. The nature of the Internet alone makes it a tricky and unpredictable environment for voice traffic. Combined with the heavy encryption and compression required from the hardware, there is little hope that your voice traffic will arrive at its destination without sounding like you are calling from a small village in the middle of nowhere.

Service providers are creating measurements and qualifications to allow them to provide service level agreements that will help ensure that voice traffic will not be badly degraded due to bursty Internet traffic. In the hardware, latency is much easier to predict and monitor, which means you can greatly improve the delivery of voice over VPN circuits.

The computational overhead associated with many of the encryption-related algorithms used in IPSec introduces delay and affects performance of typical VPN hardware. One solution is to add acceleration hardware to the VPN gateway to offload the CPU intensive tasks. Offloaded onto a dedicated processor, encryption overhead will not interfere with voice traffic.

Finally, there are no true quality guarantees on the Internet. This affects both VoIP and VPNs, which require some degree of certainty of voice fidelity and network availability. Again, the IETF is hard at work introducing specifications that will allow for QoS over public IP networks. MPLS is a routing technology that provides the capability of selecting a specific path across the Internet and choosing a specific quality of service. DiffServ (Differentiated Services) is the IP backbone specification for establishing QoS from end to end across the public WAN. The combination of these two specifications will bring VoVPN solutions closer to meeting the requirements of companies looking to unify their networks.

The Target Market
VPNs are an ideal way for companies to stick their toes in the VoIP waters. So who are these companies looking to adopt an integrated VoIP/VPN solution? Mid-sized businesses (100-999 employees) are an excellent target for the VoVPN solution. Among the first to adopt VPN technology, the goal of these companies is to improve communications among their offices and with their remote work force, increase productivity, and decrease costs. Forty-two percent of mid-sized businesses in the US are currently deploying or planning to deploy VPN solutions in the next 12 months. These companies are also in a position to reap the benefits of VoIP because they have a dispersed employee base (typically six branch offices) and a growing telecommuter work force. This is an excellent target market for service providers and hardware vendors offering integrated VoVPN solutions.

Shannon Pleasant is a Senior Analyst at Cahners In-Stat Group, a high-technology market research firm covering the consumer and convergence, networking, wireless, telecommunications, Internet, and semiconductor markets.

Technology Marketing Corporation