Virtual Private Networks (VPNs) promise to deliver a host of positive benefits to dynamic and information-driven organizations. By leveraging the flexibility and economies of the Internet backbone, VPNs will vastly reduce the cost of future data communications. The Internet itself offers tremendous resiliency and fault tolerance for critical data transmissions. VPNs will enable companies to extend their internal computing networks effortlessly to satellite offices, telecommuting employees and selected vendors, customers or prospects. But how does an organization extend its network into the virtual realm of the Web and still maintain both security and privacy? To understand the challenges and opportunities of the VPN, let's take a closer look at the security demands of this exciting new network technology.

While there are some variations, most Web-enabled networks are extensions of existing enterprise computing structures consisting of a computing architecture, file systems, applications and hardware. This internal apparatus is connected through a protecting firewall to a Web server, which interfaces via a router to the World Wide Web. Visiting users enter from the Internet through the router and hit the Web server, where the vast majority of enterprise-to-Web communication takes place.

One common configuration, called a "bastion firewall," consists of a router-within-a-router arrangement with inbound and outbound ports used to control the flow of information to and from the enterprise. Most organizations currently take a single-direction approach to Web connectivity. They use outbound ports to send data and Web content to their Web server, but close off all inbound ports to prevent Internet-originating entry into their system. Under this very security-minded philosophy, all but the most basic outbound ports (those for Web-critical services such as http, ftp and telnet) are set and kept in the off position.

Maintaining strict firewall security is smart. But as the information needs of organizations grow in size and complexity, many now see the advantages of opening those ports to extend the reach of their internal network beyond the frontier of their firewall. By opening these crucial data pathways, and by deploying sophisticated on-line security technologies, companies can now deploy powerful, Internet-driven Virtual Private Networks.

A first step toward creating a Virtual Private Network is to export the Distributed Computing Environment (DCE) to the Web server. While this obviously requires opening various firewall ports needed to transport DCE files and services, it does not necessarily create a security problem. Because there are known DCE services on both ends, and Kerberos-encrypted security protection coming and going, you essentially enjoy the same level of protection enforced inside the firewall.

Transarc (which, as we noted in the January WebWorks column, is an IBM company that markets the Distributed File System (DFS) DCE product) offers a very potent gatekeeping tool called DFS WebSecure. By integrating server-level Web pages within the DFS structure, DFS WebSecure extends the very considerable security protections of DFS and DCE through the firewall and beyond the enterprise.

With this new technology in place, when an Internet browser requests a DFS-situated Web page, WebSecure immediately establishes a Secure Sockets Layer (SSL)-encrypted connection and then asks the user for a log-in name and password. These encrypted credentials are passed to the Kerberos security server at the DCE level, at which point the user is subjected to the same high-level authentication and authorization checks applied to internal-network users.

If the Internet-originating user is a company employee or associate, for example, we can use DCE's standard Access Control Lists to provide authorized entry to appropriate data or application work areas. We can just as easily assign far more restricted access (for essentially unidentified Internet visitors) to let them see selected Web page information and nothing else. The powerful authentication, authorization and privacy protections that are native to the DCE/DFS model make it possible.
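To make the two outcomes concrete, here is an added example (not code from the column, Transarc or DCE) that models how a DFS-style ACL grants an authenticated employee full rights while an unidentified visitor is masked down to read-only. The entry types (user, group, any_other, unauthenticated) and the rwxcid bits follow the DFS ACL model; the evaluation order and masking are a simplified rendering of the real DCE rules, and the sample ACL is constructed.

```python
# Added example (not the column's or Transarc's code): a simplified model of
# how a DCE/DFS-style ACL yields different rights for an authenticated employee
# and for an unidentified Internet visitor. Entry types and rwxcid bits follow
# the DFS ACL model; evaluation order and masking are simplified.

# Constructed sample ACL for a Web-content directory.
SAMPLE_ACL = """
user:alice:rwxcid
group:sales:r-x---
any_other:r-x---
unauthenticated:r-----
"""

def parse_acl(text):
    """Parse 'type:key:perms' / 'type:perms' lines into (type, key, perms)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 3:
            etype, key, perms = parts
        elif len(parts) == 2:            # entries that name no principal
            etype, key, perms = parts[0], None, parts[1]
        else:
            raise ValueError("bad ACL entry: " + line)
        entries.append((etype, key, set(perms) - {"-"}))
    return entries

def effective_perms(acl, principal=None, groups=(), authenticated=True):
    """Rights for one request. Authenticated principals: first matching user
    entry, else union of matching group entries, else any_other. Unidentified
    visitors: any_other masked by the unauthenticated entry (none => nothing)."""
    by_type = {}
    for etype, key, perms in acl:
        by_type.setdefault(etype, []).append((key, perms))
    any_other = set().union(*(p for _, p in by_type.get("any_other", [])))
    if not authenticated:
        mask = set().union(*(p for _, p in by_type.get("unauthenticated", [])))
        return any_other & mask
    for key, perms in by_type.get("user", []):
        if key == principal:
            return set(perms)
    group_perms = [p for k, p in by_type.get("group", []) if k in groups]
    if group_perms:
        return set().union(*group_perms)
    return any_other

def can(acl, perm, **who):
    """True if the request described by **who carries permission `perm`."""
    return perm in effective_perms(acl, **who)
```

Note that an ACL with no unauthenticated entry leaves an anonymous visitor with nothing at all, which is the safe default the column's "selected Web page information and nothing else" policy relies on.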

Moving DCE and DFS to the Web-server level takes us one big step closer to the ability to deploy a true Virtual Private Network. The second critical step involves transporting the DCE structure itself to far-flung client locations and fully leveraging the power and economy of the Internet backbone as our network link. This is when we really put the "virtual" in our VPN.

By loading DCE on various client-level machines, such as desktop PCs at a satellite office or the laptop computers carried by a mobile sales force, we can do a DCE log-in straight through the Internet without ever talking to the Internet browser. This process establishes the PC as a DCE client over the Internet, using standard DCE encryption to keep the transmitted data private. With DFS client software on the PC, the user can access files managed by DFS as easily as if they were on an internal local connection. As in the first-step example described earlier, this arrangement also applies all of the Kerberos security protections to our Virtual Private Network.

This proven approach allows organizations to enjoy the benefits of a Web-enabled network while still protecting the security and privacy of their important enterprise data.
