Virtual Private Networks


I've been doing a little reading on Virtual Private Networks, primarily in the interest of determining whether there is anything we could use now. So far I'm not sure of the answer, but I think it's no, though it could become yes shortly. I thought I'd send out what I know at the moment and then get on with my other investigations, so don't regard this as a complete or authoritative analysis.

The Datamation article that Pete Herman sent is a good and reasonably up-to-date summary, but I was still too fuzzy after reading it.

The way I see it, the different solutions (e.g. PPTP, IPsec, AltaVista Tunnel, SSL) differ in several dimensions:

1) the level of the TCP/IP stack at which they work

2) the specific problem they were directed to solve

3) the platforms they run on

SSL (Netscape's Secure Sockets Layer) is an application-level protocol for securing individual application-specific communications. Applications must be modified to use it. The rest of these are implemented at some lower level in the IP stack, which makes them application independent: applications need no modification to run over them. [OMG has just issued an SSL RFP for CORBA. -cwt]

PPTP, at the moment, is a technology for securing TCP/IP traffic between Windows 95/NT clients connected to the Internet via PPP and Windows NT servers on LANs behind corporate firewalls. It was developed by US Robotics and is primarily being promoted by Microsoft as its VPN solution. Ascend, 3COM, and ECI Telematics are also enhancing their telecommunications equipment (mainly IP routers) to support the protocol, which requires support in such equipment. FYI, a new beta release of the software for our pipelines supports PPTP. It is MS's stated intent to standardize this protocol (and release specs and source) via the IETF, and to encourage its adoption on other client platforms running PPP. The criticism of this, as always, is that it is currently an MS-only solution, which would be the initial problem with our using it. It's unclear whether this solution will even support servers other than NT. The current implementation depends heavily on NT RAS features, which will make ports to other platforms more difficult. I'd guess that MS wouldn't mind if that gave them a head start and improved NT's desirability as a VPN server, but in the long run, if PPTP ends up as a standard protocol, it will be supported on other platforms. Also, the equipment upgrades will, for a while at least, be a roadblock to actually using it over the Internet.

AltaVista Tunnel is a product similar to MS PPTP, but it doesn't require router support (good news), which makes it more usable now. However, I believe (you can paste this in front of most of what I'm saying) that the only server they currently support is DEC Unix. They support 95 and NT clients. Their protocol will also be submitted to the IETF for standardization.

IPsec is the emerging IETF standard for secure TCP/IP. It is implemented as an integral part of the next major revision of the TCP/IP protocol (known as IPv6 (version 6) or IPng (next generation)), not over PPP. In the long term, I think (for whatever that is worth) that this will replace the above two technologies, which are more quick hacks. The IPsec standard supports host-to-host and LAN-to-LAN security, in addition to the client/server security supported by the above products. As I see it, host-to-host security is likely the best fit for us. In other words, we would create a VPN involving authorization and encryption of communications between only the specific machines we use, not our LANs and not only client/server communications. However, it's a ways off (years) before IPv6 is available on everything, so this is not immediately useful to us. There is, or almost is, an implementation of IPsec for IPv4 called S/WAN (Secure WAN) that is being developed by a group of companies led by RSA Data Security (the public key encryption folks). Those companies are generally firewall and TCP/IP vendors (Bay Networks; CheckPoint Software Technologies, Ltd.; Digital Pathways; Frontier Technologies; FTP Software; Gemini Computers, Inc.; IBM Corporation; Netrend Corporation; Raptor Systems, Inc.; Secure Computing Corporation; Sun Microsystems; TGV Inc.; TimeStep Corporation; Trusted Information Systems, Inc.; V-ONE; VeriSign, Inc.; VPNet; and Attachmate/Wollongong). To me this sounds like the technically superior solution and the one most likely to be compatible with our needs. However, it also appears that more ducks have to line up for this to work for us, so it sounds a little farther off.


This research is sponsored by the Defense Advanced Research Projects Agency and managed by the U.S. Army Research Laboratory under contract DAAL01-95-C-0112. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied of the Defense Advanced Research Projects Agency, U.S. Army Research Laboratory, or the United States Government. 

© Copyright 1996 Object Services and Consulting, Inc. Permission is granted to copy this document provided this copyright statement is retained in all copies. Disclaimer: OBJS does not warrant the accuracy or completeness of the information on this page. 

This page was written by Steve Ford. Send questions and comments about this page to ford@objs.com.

Last updated: 1/6/97 sjf
