Virtual private networks - Don't be a sitting duck

Virtual private networks may cut a company's costs by making use of public networks, but they can be far from secure. Fortunately, there are ways to safeguard your systems.

Feeling secure behind your VPN? Think again. Mathew Bevan made a name for himself when he cracked into the US defence network. Now, as a poacher-turned-gamekeeper for Tiger Security, Bevan has strong words for those who think they are safe behind their VPNs, with their firewalls and encryption.

"There is always a vulnerability, particularly since VPNs are technically in their infancy," he warned.

To Bevan, a VPN's weakness is usually its authentication system. "A VPN's purpose is to allow people access to the network. If a hacker is able to present themselves to the network as a legitimate user, say by spoofing authentication, they can compromise huge chunks of it."

Yet there seems to be a misconception that VPNs are a safe way of using public networks without the risk of attack. Alan Laird, sales development manager for SecurWare at Bull Information Systems, said that because VPNs promise security, big organisations have begun to feel more comfortable about the internet and are seeing the advantages of using them to link with their supply chain. But many have not looked beyond standard VPN defences - firewalls with low levels of encryption - and fail to realise that more needs to be done to prevent mission-critical data from falling into the wrong hands.

Laird concurred that authentication procedures on a VPN need to be extremely tight. Some firms are investigating biometric access systems such as fingerprint or voice authentication.

Another type of authentication system in current usage is the generation of 'one-time' encryption keys. A handheld token generates these keys, usually every few seconds, and the user can read the current key from a display on the token. A central security server can calculate these keys in order to decrypt the data and authenticate the originator.

Although the cost of these systems is falling, Laird said the technology is still immature and he has yet to see many companies roll it out. Until these systems become common, the standard authentication process is based around the user keying in a name and a password. To the network manager this means protecting the password from spoofing or other types of theft.

Laird is adamant that to protect passwords, heavily encrypted authentication processes need to be adopted. "We have developed smart cards that can be plugged into a remote site that will do the encryption and authentication processes. If the card is stolen or lost, it will not do hackers any good because they will still have to know the password," he said.

Using smart cards, it is possible for the authentication process to include contacting trusted third parties to provide further verification of the user's identity before they approach the firewall.

Andrew Pickles, network consultant at Corporate Network Services (CNS), said that while a firewall is necessary to impose broad security restrictions at the network perimeter and to provide auditing capabilities, strong security policies are needed within the VPN.

"A large number of attacks come from deliberate or accidental traffic within the VPN, so tough internal user authorisation systems are needed," he said.

He argued that VPN managers need to look closely at the administration of digital certificates. These are digital passports that authenticate a user's identity and right to 'travel' around the VPN.

In addition, they contain the public key for that individual and help prevent someone from using a fake key to impersonate someone else.

In its simplest form, a certificate contains a public key and a name.

Usually it also contains an expiry date, the name of the certifying authority that issued it, a serial number and the digital signature of the certificate's sender. Just like a letter where a seal identifies the user, in electronic transactions the equivalent of a seal must be coded into the information.

By checking that the electronic seal is present, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. The most widely accepted format for certificates is defined by the ITU-T X.509 international standard so that they can be read or written by any application complying with X.509. Pickles said most browsers support the standard.
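The seal check described above, as an added example that is not from the article: a certificate with the fields listed (name, public key, expiry date, issuing authority, serial number) is signed by the issuing authority and then verified by a recipient who holds only the authority's public values. The toy RSA key, the field layout, the "Example CA" name and the revocation list are assumptions made so the block runs on the standard library alone; real X.509 uses DER encoding, padded signatures and far larger keys.

```python
import hashlib
from datetime import date

# Toy CA key pair built from two Mersenne primes so the block needs only the
# standard library. Unpadded and far too short for real use: illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private exponent, kept secret

FIELDS = ("name", "public_key", "expiry", "issuer", "serial")

def digest(cert: dict) -> int:
    """Hash every field the signature covers, reduced into the key's range."""
    body = "\n".join(f"{k}={cert[k]}" for k in FIELDS).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N

def issue(name, public_key, expiry, serial, issuer="Example CA") -> dict:
    """CA side: fill in the fields and seal them with the private exponent."""
    cert = dict(name=name, public_key=public_key, expiry=expiry,
                issuer=issuer, serial=serial)
    cert["signature"] = pow(digest(cert), D, N)
    return cert

def verify(cert: dict, today: date, revoked=frozenset()) -> str:
    """Recipient side: needs only the CA's public values (N, E)."""
    if cert["issuer"] != "Example CA":
        return "untrusted issuer"
    if pow(cert["signature"], E, N) != digest(cert):
        return "bad signature"           # some field was altered after signing
    if today > date.fromisoformat(cert["expiry"]):
        return "expired"
    if cert["serial"] in revoked:
        return "revoked"                 # serial numbers let a CA withdraw a cert
    return "ok"

# Constructed sample certificate for a hypothetical VPN user.
SAMPLE = issue("alice@example.com", "alice-public-key-placeholder", "2030-01-01", 1001)

if __name__ == "__main__":
    print(verify(SAMPLE, date(2025, 1, 1)))
    print(verify(dict(SAMPLE, name="mallory@example.com"), date(2025, 1, 1)))
```

Changing any signed field, here the name, makes the recomputed digest disagree with the signature, which is how a substituted key or identity is caught.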

X.509 certificates use public-key cryptography, which does not involve the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a mathematically matched pair of keys that complement each other is used. When a message is encrypted by one key, only the other key can unlock it.

The 'private key' is installed on your server and not shared with anyone.

In contrast, the matching 'public key' can be distributed freely. Customers or correspondents who want to communicate with you privately can use the public key in your Secure Server ID to encrypt information before sending it to you. Only you can decrypt the information, because only you have your private key.

So how much encryption hardware do you actually need on a VPN? Laird said a remote site need only be armed with a smart card - which typically costs £100 per seat. However, bulk encryption needing speeds of more than 30 bytes per second requires security encryption boards to be placed on the gateway hub and each VPN box. These can cost between £3,000 and £5,000 each, or about £100-£150 per seat.

Another way to increase security is to boost the level of encryption.

Laird said that for most situations, the DES 56-bit standard, which takes 1,000 PCs about 24 hours to crack, should be enough. Stronger encryption, such as the Triple DES 192-bit keys, or RSA public keys of more than 256 bits, is more than enough for the government agencies that are likely to be granted the licences to own them.

However, if you want organisations in other countries to be on your extranet, it is important to check that the level of encryption on your VPN matches that country's controls, Laird warned.

But bear in mind that all this might prove useless if you don't have a good security policy for your VPN. Bevan is amazed at how many companies fail to update their VPN software or check the manufacturer's website, where patches for security glitches are posted. "It is almost as if VPN managers think an attack will not happen to them," Bevan mused.

TIPS FOR IMPROVING THE SECURITY ON YOUR VPN

- Carry out a review of your authentication procedures, assessing who should be allowed where on the VPN, and tighten up access.

- Pilot-test biometric or smart card reading devices for your VPN. These are almost certain to be the technology for the future. Even if you do not decide to roll them out now, the experience gained in their use will prove valuable.

- Investigate and preferably roll out some form of digital certification system, with private and public keys along the lines of the X.509 standard.

- Hire a security company to examine your VPN for 'back door' approaches.

- Check that your VPN software is up-to-date with the latest patches.

- Check that the configurations on your firewalls are set correctly.

- Carry out a study on encryption use within the company. Some data may not require encryption while other areas will.