Chapter 1. The VPN Technology Promise: Secure Access from Anywhere to Anything

This chapter covers fundamental business requirements in today’s world, outlines important business challenges, and introduces the promise that virtual private networking (VPN) brings to meet these challenges and requirements. The chapter concludes with important information about VPN scalability, performance, and maintenance as starting considerations in your VPN build or buy decision.

The Challenge: Matching Technology to Deliver Business Solutions

As we witness the unfolding of the information age, it has become essential for businesses to provide their employees and business partners with access to confidential information. This access has to be secure, because the confidential information is frequently the competitive advantage the business holds over its rivals. Regulatory requirements such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA) also mandate protection of confidential data, so companies must meet those mandates even as they take advantage of all that VPN technology has to offer.

In today’s competitive landscape, businesses are always looking to get an edge by exploring new ways to improve revenue and profit margins and at the same time improve productivity. To increase market share in the face of competition, it has become apparent that a workforce needs unprecedented levels of network access. Providing the workforce with secure and remote access to timely and sensitive information in an environment that allows them to use all their essential tools and applications provides a competitive edge.

What Businesses Require to Operate and Compete

Complex business models today result in business drivers actually defining the use of technology. Businesses mainly deploy technology to be better at core competency, thus gaining competitive advantage. Even though this is a common practice for businesses, at times, given the state of technology, businesses undertake expansion of their charter to find ways to generate new revenues. As a result, a symbiotic circle exists between business and technology.

An important observation is that with technology usage, businesses first focus on their core competencies by cutting costs to achieve operational efficiency and a better profit margin, which results in an increase in the net income. Technology can also provide a business continuity strategy as a part of the disaster recovery plan should adverse circumstances, including natural disaster, paralyze the business and keep it from functioning at a normal business capacity. It is essential for the business to identify and deploy technology to serve the core competency and main charter. After a business successfully utilizes technology as a tool, it can explore and identify new revenue-stream-generating projects.

Following is a list of business requirements that need fulfilling when deploying VPN technology. It outlines VPN connectivity requirements for securely connecting the mobile workforce, business partners, international workforce, and so on to business assets:

  • Business resilience and continuance—The need to provide continuity of operations

  • Increased responsiveness—The need for increased responsiveness across geographical, functional, business, and decision-making boundaries

  • Security and manageability—The need to provide secure, reliable, manageable employee access to critical network assets and confidential information

  • Cost containment and reduction—The need to cost effectively extend data, voice, video, and real-time applications over a common network connection

  • Teleworking regulatory controls—Government and state support of teleworker programs to reduce emissions and traffic congestion and to provide employees with incentives to work remotely

  • Optimizing productivity and performance—Increasing employee productivity, satisfaction, and retention

Living with “The Model Of Pervasive Distrust”

TCP/IP has become the de facto standard on today's transport networks, and IPv4 is the most widely deployed version of IP on the Internet as well as on private networks. IPv4 has no built-in security measures: it neither verifies the source address of a packet nor protects the packet's payload from being read or altered in transit. Even so, in the information age the Internet can address the connectivity requirements of businesses in a cost-effective way.

At its inception, the Internet was a “model of implicit trust,” meaning that by connecting to the Internet, you did not experience risks and threat exposure coming from malicious traffic emerging from the Internet. Connecting to the Internet did not entail adverse effects on businesses operations and productivity or risk compromising business assets. In the past decade, a paradigm shift has taken place, and a “model of pervasive distrust” prevails. Security threats disrupting businesses’ operations and productivity because of viruses, worms, denial of service attacks, and other malicious traffic can reach the business network when it connects to the Internet. As a result, each packet coming from the Internet needs scrutiny against the business security policy.

Note

A security policy is a high-level definition, agreed upon by the executives and management of a business, identifying business assets, how they are used, and how they are protected. A security policy is a working document, often defining the acceptable use policy for the business assets. As a result, business employees are aware of how to protect business assets while carrying out their job duties, how the security measures are enforced, and which security posture analysis procedures the business has adopted.

Furthermore, businesses connecting to the Internet face additional espionage-type risks. Businesses with network-accessible storage of confidential information face risks of malicious and unauthorized access to assets such as intellectual properties. Hence, it is imperative to protect against malicious attacks as well as defend against attempts to gain access to a business’s operational and confidential data.

Regulatory Requirements

Today’s regulatory landscape mandates that businesses comply with the requirements set by the respective regulatory bodies and pass periodic assessments to continue operating. The impact on business operations is large, and IT departments are expected to help solve the compliance challenge. IP VPN technology helps here, although it addresses a different subset of requirements under each regulation; the major ones are the following:

  • PCI-DSS to secure payment card information

  • HIPAA standards for the health industry

  • Sarbanes-Oxley law

  • European Union: Directive 2002/58/EC

  • Asia Pacific Economic Cooperation: APEC Privacy Initiative of 2004

Published in January 2005, PCI-DSS is a globally applicable industry standard rather than a government regulation: VISA and MasterCard developed it, the other payment card brands subsequently endorsed it, and it is enforced contractually through the card brands and acquiring banks. Entities that process, transmit, or store cardholder data have to adhere to PCI-DSS to remain eligible to accept those cards, regardless of revenue or employee count. VPN technology helps protect payment card data in transit from the point of processing to the data center; it does nothing for data at rest, so protection of stored cardholder data and the other PCI-DSS requirements still have to be met separately.

In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to ensure health-care portability. There are three main components of HIPAA: a privacy standard, a transaction and code set standard, and a security standard.

The privacy standard requires that all individually identifiable health information of all patients be kept private. HIPAA also identifies authorized and unauthorized disclosures and uses of individually identifiable health information. The transactions and code set standards mandates that health-care payers, providers, and clearinghouses across the United States use predefined transaction standards and code sets. The security standard mandates securing the confidentiality, integrity, and availability of patient health records. Beginning in April 2005, health-care professionals, such as doctors and patients accessing health records, must do so in a secured fashion. VPN technology can play a key role here in allowing doctors to access patient records from the most convenient geographical place, such as a clinic, surgery ward, hospital, and so on to provide the most effective patient care.

Sarbanes-Oxley (SOX) came in 2002 to strengthen U.S. corporate accountability after major corporate and accounting scandals eroded public trust in accounting and reporting practices. Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 in particular drive how technology is used to control and audit access to financial data and its storage. High volumes of data have to be retained for auditing purposes on storage networks for U.S. Securities and Exchange Commission (SEC) compliance. Alongside that, securing the VPN itself and implementing access controls on the data reachable through it, so that the identified risk of an unauthorized party reaching confidential financial data is monitored and mitigated, is crucial for SOX compliance.

Enforced since October 2003, the EU Directive on Privacy and Electronic Communications (Directive 2002/58/EC, often called the ePrivacy Directive) harmonizes the provisions of the member states required to ensure an equivalent level of protection of fundamental rights and freedoms, in particular the right to privacy with respect to the processing of personal data in the electronic communications sector. The directive also ensures the free movement of such data and of electronic communication equipment and services within the Community. VPN technology can play a key role in protecting personal data in transit through the Confidentiality, Integrity, Authentication, and Nonrepudiation (CIAN) tenets.

The APEC Privacy Framework, endorsed in 2004 by the 21 Asia-Pacific Economic Cooperation economies, sets out a procedure for handling cross-border data transfer issues. It is based on the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The framework is voluntary rather than binding, but it encourages the development of stronger privacy laws and a regional balance between the protection of privacy and the economic benefits of trade involving personal data. As with the EU directive, VPN technology applying the CIAN tenets helps protect the privacy of personal information while it crosses networks.

What VPN Technology Can Deliver Today

VPN is essentially a private overlay network configured within a public network such as the Internet. VPN provides a cost-effective way to provide user access to business networks from different geographical locations in accordance with a security policy. This user access can include employees, contractors, and partners. Often, VPN overlay means some type of tunnel network across a shared physical infrastructure.

There are two distinct types of IP VPN—trusted VPN and secure VPN:

  • Trusted VPNs do not use cryptographic tunnels but rely on the security of a service provider’s network to isolate traffic from any other traffic.

  • Secure VPNs use cryptographic tunnels to provide the four CIAN security tenets: confidentiality, integrity, authentication, and nonrepudiation.

Trusted VPN, built on Multiprotocol Label Switching (MPLS) or Layer 2 Forwarding (L2F) technology, provides the same level of trustworthiness as Frame Relay or ATM networks. Traffic separation in a trusted VPN depends on the provider's configuration rather than on encryption, so a provider misconfiguration or a compromised provider network exposes the traffic; sensitive data carried over a trusted VPN should still be encrypted end to end.

Secure VPN, built on the four CIAN tenets, provides security for sensitive and confidential information. Consider the following definition for each element of CIAN:

  • Confidentiality—The property of communicating in such a way that the intended recipients know what is being sent, but unintended parties cannot determine what is sent.

  • Integrity—The property of ensuring that data is transmitted from source to destination without undetected alteration.

  • Authentication—The property of knowing that the claimed sender of the data is in fact the actual sender (data origin authentication). In a VPN this applies both to the peers when the tunnel is established and to every packet received through it.

  • Nonrepudiation—The property of a receiver being able to prove that the sender of some data did in fact send the data, even though the sender might later desire to deny ever having sent that data.
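The following is an added example, not code from the chapter or from any VPN product, that exercises the four CIAN properties using only Python's standard library. The stream cipher (an HMAC-SHA256 keystream in counter mode) and the small-prime textbook RSA are teaching toys chosen so the example runs without third-party libraries; a real VPN uses AES and full-size keys, but the structure is the same. It also shows the caveat a practitioner should keep in mind: a shared-key MAC, the mechanism IPsec AH and ESP use for integrity, gives integrity and data-origin authentication between the two peers but not nonrepudiation, because either peer could have produced the tag. Nonrepudiation requires a signature made with a private key that only the sender holds, which IPsec applies during peer authentication (IKE with certificates) rather than to each data packet. The sample record, key names, and function names are assumptions made for the illustration.

```python
"""Illustration of confidentiality, integrity, authentication and
nonrepudiation with the Python standard library (added example; the toy
cipher and the small-prime RSA must never protect real traffic)."""
import hashlib
import hmac
import secrets

# --- Confidentiality ---------------------------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce) in counter mode."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

# --- Integrity and data-origin authentication (shared key) -------------------
def _tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC, the order ESP uses: the tag covers the ciphertext."""
    nonce = secrets.token_bytes(12)          # fresh per packet, never reused
    ciphertext = xor_crypt(enc_key, nonce, plaintext)
    return nonce, ciphertext, _tag(mac_key, nonce, ciphertext)

def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes,
              ciphertext: bytes, tag: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    # Check the tag before decrypting, using a constant-time comparison.
    if not hmac.compare_digest(_tag(mac_key, nonce, ciphertext), tag):
        return None
    return xor_crypt(enc_key, nonce, ciphertext)

# --- Nonrepudiation (private key held by the sender only) --------------------
# Toy RSA with two well-known primes; N is below 2^60, far too small for real use.
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent (Python >= 3.8)

def _digest_int(message: bytes) -> int:
    # 7 bytes of SHA-256 so the value is always below the toy modulus N.
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")

def sign(message: bytes, d: int = D) -> int:
    return pow(_digest_int(message), d, N)

def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Anyone holding only the public (E, N) can check the signature."""
    return pow(signature, e, N) == _digest_int(message)

def demo() -> dict:
    """Exercise each property on a constructed sample record."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"PAN=4111111111111111;amount=12.00"   # constructed sample data
    nonce, ct, tag = protect(enc_key, mac_key, record)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]       # flip one ciphertext bit
    # The receiver holds mac_key too, so it can mint a valid tag for any text:
    # a shared-key MAC authenticates the channel but cannot prove who sent it.
    forged_nonce = secrets.token_bytes(12)
    forged_ct = xor_crypt(enc_key, forged_nonce, b"receiver wrote this")
    forged_tag = _tag(mac_key, forged_nonce, forged_ct)
    sig = sign(record)                               # needs D, which only the sender has
    return {
        "confidential": ct != record,
        "roundtrip": unprotect(enc_key, mac_key, nonce, ct, tag) == record,
        "tamper_detected": unprotect(enc_key, mac_key, nonce, tampered, tag) is None,
        "mac_forgeable_by_receiver":
            unprotect(enc_key, mac_key, forged_nonce, forged_ct, forged_tag)
            == b"receiver wrote this",
        "signature_valid": verify(record, sig),
        "signature_binds_message": not verify(record + b"0", sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

Every entry returned by demo() is True. The "mac_forgeable_by_receiver" entry is the point of the example: the forged packet passes unprotect() because the receiver shares mac_key, so a MAC alone can never settle a later dispute about who sent a record, whereas verify() only ever uses the public key and a valid signature could only have come from the holder of D.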

Secure VPN facilitates the secure communication taking place over the IPv4 transport networks utilizing security standards defined under the umbrella of IP Security, or the IPsec suite of protocols, by the standards body Internet Engineering Task Force (IETF).

The IPsec protocol suite is most widely deployed today for secure VPN implementation.

Another encryption technology, Transport Layer Security (TLS), the IETF-standardized successor to Secure Sockets Layer (SSL), also provides secure VPN. SSL is a protocol originally developed by Netscape for transmitting confidential information in encrypted form between two end stations over the Internet; the IETF took it over and ratified it as TLS. SSL/TLS VPNs are mainly used for remote users, such as a mobile sales force that needs to connect to the business network from untrusted networks while on the road, because they need only a browser or a lightweight client and, running over TCP port 443, pass through NAT devices and restrictive firewalls that often block IPsec.

Note

For authoritative standards on IPsec, refer to these IETF RFCs:

  • S. Kent and R. Atkinson, Security Architecture for the Internet Protocol, RFC 2401, November 1998.

  • S. Kent and R. Atkinson, IP Authentication Header, RFC 2402, November 1998.

  • S. Kent and R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, November 1998.

These three were obsoleted in December 2005 by RFC 4301 (S. Kent and K. Seo, Security Architecture for the Internet Protocol), RFC 4302 (S. Kent, IP Authentication Header), and RFC 4303 (S. Kent, IP Encapsulating Security Payload), which describe IPsec as used with IKEv2; when evaluating a product, check which revision its implementation claims.

For authoritative standards on TLS, refer to

  • T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346, April 2006.

RFC 4346 has since been obsoleted by TLS 1.2 (RFC 5246, August 2008) and TLS 1.3 (RFC 8446, August 2018). SSL 3.0 (RFC 7568) and TLS 1.0 and 1.1 (RFC 8996) are formally deprecated and a VPN gateway should not accept them.

Matching the Business Requirements with VPN Technology Offerings

Even as you apply the CIAN tenets to a VPN that allows secure access to information and applications for remote users, it is imperative to understand that to increase or maintain user productivity, access provided over the VPN also has to be transparent. Remote users need to reach applications and information in the same way they do at the corporate site. This access defines the requirements of secure connectivity provided through a VPN solution. Network characteristics such as time to access data and the capability to run data center applications define the user experience. Providing a positive user experience that increases productivity and reduces expenses, thus benefiting the business, becomes the pivotal point for justifying the business case for a VPN deployment.

For a VPN solution, user base segmentation helps define requirements. Following are some of the categories suggested for user base segmentation:

  • Mobile workforce requirements

  • Partner connecting requirements

  • International workforce requirements

  • Small site and teleworker connectivity requirements

  • Hard-to-reach site connectivity requirements

Chapter 3, “VPN Technology Primer and Comparison of VPN Technology Options,” compares the technologies, such as MPLS, IPsec, and SSL, and their capability to meet various requirements. The following is a short list of important requirements that are pertinent to the previously mentioned categories, albeit with different priorities:

  • The need to connect quickly from a variety of locations, including public places.

  • The need to connect from customer sites as well as partner sites.

  • Rapid response time for onsite demos, presentations, and access to information to complete sales transactions.

  • Response time over the transoceanic links which are particularly important for global connectivity.

  • Capability to call the help desk to resolve connectivity issues.

  • Cost-effective solution that still adheres to the security policy.

  • Rapid deployment; capability to add, move, or change users.

  • Amount of throughput over the secure connectivity.

  • Regulatory compliances adherence on global basis.

  • Availability of carriers providing required connectivity with consistency.

VPN Scalability, Performance, and Maintenance

Businesses want to be more competitive, cost-effective, operationally efficient, and successful. This means that factors such as deployment speed and performance, as well as scalability to accommodate future growth and new requirements of the VPN solution, are important. An IP VPN solution also needs maintenance for day-to-day operations, together with monitoring and capacity planning. This includes management and monitoring of the Service Level Agreement (SLA) for the IP VPN services, help desk responsibilities, hardware failures, software malfunctions, VPN usage statistics, and provisioning of additional capacity.

An outline of VPN scalability, performance, and maintenance considerations follows:

  • The VPN solution needs to scale with increasing numbers of users and data throughput.

  • The VPN solution needs to offer base performance metrics defined in IP packet round-trip delay, jitter, and packet loss. Applications needing acceleration require hardware-based cryptographic acceleration on the VPN devices to deliver the required performance and an adequate user experience, because software encryption on a busy head-end quickly becomes the bottleneck. Finally, policy push to remote VPN clients is also needed so that performance within the specified criteria can be delivered.

  • The VPN solution must have the capability to group a number of users with similar requirements with the same policy profiles and user authentication and authorization information for security policy management.

  • Consider termination of a high number of IP VPN tunnels on the head-end for a remote access solution, so plan for head-end capability to terminate high tunnel counts and perform adequately.

  • The VPN solution must have the capability to easily manage user policy or policies from a central location.

  • The VPN solution’s capability to retrieve users’ authentication and authorization information stored in external databases eases performance requirements on the head-end, allowing it to accelerate encryption and decryption tasks as well as tunnel establishment and termination tasks.

  • The VPN solution must offer multiple security domains operating at gigabit performance rates because business mergers, partner connectivity, and business continuity call for high data throughputs.

  • Because a mobile workforce often uses handheld PDA devices, wireless connectivity from end stations and handheld devices should be included in a VPN solution.

  • The VPN solution must be able to terminate and establish thousands of IP VPN tunnels in the event of failure, as with a redundant VPN head-end design; if one head-end fails, the other has to provide connectivity to all users.

  • The VPN solution must have the capability to accommodate other functionality, such as routing, resilience, load balancing, and the WAN connectivity, because businesses require those for adequate business continuity plans.

  • Minimal downtime during failover enhances user productivity and acceptability of the VPN solution.

  • The VPN solution must have the capability to support the use of dynamic IP addressing in conjunction with broadband technology because many mobile users who are remote VPN users connect from airports, coffee shops, and hotels that provide broadband connectivity.

VPNs enable cost-effective, secure remote access to corporate network resources. Businesses across all sectors of the economy have seen substantial increases in workforce mobility and telecommuting. It is now a necessity to provide employees, business partners, and customers with instant access to relevant business-critical data and applications while ensuring privacy and security. Although businesses recognize the value of VPNs, it is important for them to undertake a comprehensive business analysis. The cost-benefit analysis, discussed in the following chapter, allows businesses to first conclude whether they can benefit from a VPN solution and second, should they decide to deploy a VPN, whether they should build it or buy it.

For many businesses, deploying a VPN solution can be a path to a full range of VPN-enabled, enhanced, value-added services, whether the businesses build or buy the VPN solution.
