Soft-centred security
Posted on 15 Jun 2007 at 11:23
Steve Cassidy follows up last month's summary of hardware VPNs with a look at software VPN-based network designs.
I'm a very sensitive person. Look at my mugshot - doesn't that scream "sensitive" to you? Doesn't the thought pop into your head unprompted "now there's a chap who responds to the slightest nuance that he detects in other people's communications"? Okay well, perhaps not. Nevertheless, before I delve any further into the fine detail of software-mediated Virtual Private Networks, as my promised follow-up to last month's summary of the design principles behind hardware-mediated VPNs, let me spend a minute or two commenting on the recent contents of my mailbag.
First of all, be reassured that I do like to hear from people, even if all I ever do after I've heard from them is twist what they say to fit my own particular interpretation. Second, to those of you who believe that since this column is about networking in the real world, my habit of highlighting faults and diagnoses is a licence to find fault with my choice of topics, actually it isn't, and I take no notice. You'd do well to pay close attention to my preferred group of correspondents: I welcome those who don't understand anything far more warmly than those who are quite sure they understand everything. Let's face it, if those blessed with perfect comprehension were equally good at communicating what they know - without rancour or put-down - I wouldn't get half as many emails from the bewildered, the mistaken and the misconfigured as I do.
Tiger balm
So, on to my summary of software VPN network designs. This isn't going to be simply a roll call of product names, inventors, RFCs or IEEE standards subcommittee designations. As General Omar Bradley (and many others) may have remarked, "The Map is not the Territory", and all of those product details are nothing more than so many dots on a map. And we don't really have that much use for a map when we're stuck in the long grass surrounded by Bengal tigers...
Is this an over-dramatised way to introduce the mundane topic of the software VPN? Obviously, I don't think so. We're an awful long way from the cosy meeting rooms of those standards committees, stuck in a world in which the majority of home PCs already have a virus or trojan infection; where wireless networks that are alleged to be secured take five minutes to crack so long as traffic keeps moving through them; and where identity theft is rapidly becoming the most frequently encountered criminal intrusion into our lives. It's astonishing how many people insist on perfect laptop roaming, with global access to the whole LAN while whisking up the motorway, but then are perfectly happy with a BlackBerry and a laptop at home, secured by a sensibly specified hardware firewall. That said, the global slowdown in passing through airports, plus what appears to be a steep increase in hotel-based working, has put pressure back on to implement software VPNs mounted on the users' laptops, so let's have a look at your options.
1 Software client to hardware product
This is the method of choice for larger networks afflicted with roaming users. A dedicated gateway device of the type I described last month receives connections across the internet from machines set up with the matching software client, generally by the central networking support group of the big corporation in question. The methods of hand-shaking and authentication can be elaborate, verging on the paranoid - RADIUS is the buzzword here, which covers a whole universe of ways of verifying that the guy connecting from a software client really is "one of us", and what the user sees happening at their end is as nothing to the blitzkrieg of lookups, key exchanges, proxy configurations, licence checks and access rights assignments that then ensue at the far end.
Printed from www.pcpro.co.uk


