Technology

The internet connects the world. Information can be retrieved from anywhere at any time. People can communicate with each other and exchange their work online; the key word here is teleworking. A programmer with the best qualifications unfortunately lives in another district and doesn't want to commute? No problem: thanks to the world wide web he or she can work from home and simply send the results over the internet to the employer. A colleague being on a business trip no longer means that everyday work has to wait until he or she returns: one can communicate with colleagues by email, send reports or make decisions. Field staff can send customer and contract data online to the company's data center at the moment a contract is concluded: brave new world...

And the blemishes? On the internet, information is generally transmitted in plain text. This means that anyone with internet access could in theory read the entire communication of all other internet users. If Max is chatting with Susi, that may at worst be embarrassing for them (or not even that). But when a "sufficiently motivated attacker", as the literature and the press call it, eavesdrops on the communication of a company, severe (financial) problems may follow.

Customer data, details about the next order, problems with the construction of the follow-up to a successful product...
Listed companies in particular often depend on the confidentiality of such data. Even if the company is doing well, bad rumors could push down its market value.
So, no problems for smaller companies, you are about to think? Think again... The pricing in your bid for a public tender could be quite interesting to your competitors. Suddenly a competitor offers 100 Euros less and you are out of the race!

So, how can one enjoy the advantages of fast, worldwide communication and at the same time feel as if one were in a locked conference room with trusted co-workers and colleagues?

Frankly speaking: that is difficult! The first step towards information security is to make clear which information may be sent over which channel and which may not. Information that could endanger a person's life, a state's security or other important values is worth the money for a courier with appropriate safeguards. Even though such information belongs in a James Bond movie rather than in this article, data security always matters.
Companies that want to keep their data from being eavesdropped on by intruders have to invest in data security. For them there is a cheaper and easier solution: a virtual private network (VPN) within the internet.

This technology allows protected networks to be built inside another, possibly public, network. At the internet protocol level, data packets are sent from A to B as usual; their content, however, is another, encrypted packet. An eavesdropper can still watch the traffic crossing the internet, but all he or she gets is an encrypted jumble that cannot be used.

Only the right key turns the ciphertext back into readable information. In this way a "tunnel" through the internet is created, and the data can be transmitted safely (see illustration).

Here the teleworker's PC establishes a completely ordinary connection to the service provider and gets access to the internet. The company's intranet is connected to the internet as well, with a VPN gateway sitting between the intranet and the internet. Between this gateway and the teleworker's machine a point-to-point connection is first established.

The teleworker has to authenticate. This can be done in different ways, for example with a password query. More secure, and more common in practice, is the public/private key procedure: the teleworker's PC and the VPN gateway each generate a public key, which is published in plain text, and a private key, which is kept secret.

The three basic principles of secure communication should be achieved:

  • Authenticity – the information should come from the right sender
  • Integrity – the information should arrive without changes
  • Confidentiality – third parties should not be able to read the information

In order to achieve confidentiality, encryption is deployed as mentioned. The public key procedure works as follows: the client encrypts the information with the gateway's public key, and the gateway decrypts it again with its private key. Integrity is guaranteed by computing a hash value over the information and sending it along. The hash value is transmitted encrypted as well, and the recipient recomputes the hash value of what arrived and compares it with the hash value received. A given text always has exactly one hash value; more to the point, there should be no second meaningful text that produces the very same hash value. Otherwise an attacker could simply swap one text for the other.

Certificates ensure that both communication partners are who they claim to be; more precisely, a certificate guarantees that a public key belongs to the partner you want to communicate with. Certificates are issued by independent certification authorities, where anyone can check whether a given public key really belongs to a given certificate.

One of the best-known VPN implementations for the Linux operating system is FreeS/WAN, available as open source (http://www.freeswan.org). The name stands for Free Secure/Wide Area Network. FreeS/WAN uses the IPsec standard (Internet Protocol Security); more precisely, it uses ESP (Encapsulating Security Protocol) for data encryption and the IKE protocol (Internet Key Exchange) for authentication. FreeS/WAN ships with KLIPS (Kernel IPsec), which integrates the ESP protocol into the operating system kernel, and with Pluto, an IKE daemon that handles connection setup with other machines. FreeS/WAN makes it possible to establish VPN tunnels between fixed sites, e.g. between two office LANs.

The so-called road-warrior configuration is also possible: it lets various client PCs/laptops connect to the company LAN over the internet.

Many Linux distributions ship with FreeS/WAN "out of the box" (SuSE, Mandrake, Debian...). FreeS/WAN can, however, also work with UNIX derivatives, Mac OS X and Windows 2000/XP clients, as long as those include an ESP and IKE implementation. avalaris of course wants to help you find out whether your operating system is compatible with FreeS/WAN or other IPsec implementations.

Encryption and decryption require a lot of computation, depending on how strong the encryption should be. In addition, the VPN tunnel produces a data overhead, which reduces the actual usable data throughput somewhat. On low-bandwidth internet connections (such as GSM or slow analog modems), transfer rates can become extremely low. That is why the VPN gateway in particular should be a high-performance machine.

Many router and modem manufacturers also deliver devices with integrated IPsec support. In most cases, however, one should ask what data transfer rate can be expected through the VPN tunnel: often only the "maximum bandwidth" of the internet connection is listed in the technical data.
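As an added example (not from the original article or the FreeS/WAN project), the calculation below makes the last two paragraphs concrete: it computes the wire size of an ESP tunnel-mode packet from the header layout in RFC 2406 and the 3DES-CBC / HMAC-SHA1-96 transforms FreeS/WAN shipped with, and the usable throughput that remains on a link advertised at a given bandwidth. Link rates and packet sizes are constructed sample values.

```python
# Added example: ESP tunnel-mode overhead versus advertised link bandwidth.
# Header sizes follow RFC 2406 (ESP); the defaults assume 3DES-CBC (8-byte
# block and IV) with HMAC-SHA1-96 (12-byte ICV). Link rates are constructed.

OUTER_IP_HDR = 20   # new outer IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, block_size=8, iv_len=8, icv_len=12):
    """Return (bytes on the wire, overhead bytes) for an inner IP packet of
    inner_len bytes carried in ESP tunnel mode.

    block_size: cipher block size the encrypted part is padded to
    iv_len:     IV sent in clear in front of the encrypted part
    icv_len:    integrity check value appended after it (HMAC-SHA1-96 = 12)
    """
    # Everything from the inner packet through the trailer is encrypted and
    # must be a whole number of cipher blocks, so pad up to the next block.
    plain = inner_len + ESP_TRAILER
    pad = (-plain) % block_size
    wire = OUTER_IP_HDR + ESP_HDR + iv_len + plain + pad + icv_len
    return wire, wire - inner_len


def goodput_kbps(link_kbps, inner_len, **transform):
    """Usable inner-packet rate when a link of link_kbps carries ESP packets
    back to back (best case: no IKE traffic, no retransmissions)."""
    wire, _ = esp_tunnel_size(inner_len, **transform)
    return link_kbps * inner_len / wire


if __name__ == "__main__":
    # Constructed sample links: GSM data, an analog modem and a DSL uplink.
    links = [("GSM 9.6 kbit/s", 9.6), ("Modem 33.6 kbit/s", 33.6),
             ("DSL uplink 128 kbit/s", 128.0)]
    for name, rate in links:
        # TCP ACK, the classic 576-byte MTU and a packet near the Ethernet MTU
        for inner_len in (40, 576, 1400):
            wire, overhead = esp_tunnel_size(inner_len)
            print(f"{name:22s} inner {inner_len:5d} B -> wire {wire:5d} B "
                  f"(+{overhead} B), goodput {goodput_kbps(rate, inner_len):6.1f} kbit/s")
```

Small packets such as TCP acknowledgements lose more than half the advertised bandwidth to the tunnel, which is why a router's "maximum bandwidth" says little about the rate a VPN user will see.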

(image source: Bundeskanzleramt, Stabsstelle IKT - http://www.cio.gv.at/securenetworks/vpn/)
