Securing Desktops with Client Software
The VPN-On-Demand client runs under Windows 95, 98, NT, and 2000. It connects
automatically for always-on links (DSL, cable) or on-demand for dial-up
links (v.90, ISDN). At connect time, the PC user must supply a login,
password, company VPN name, and realm (below).
Our first few connect attempts failed, but the culprits were quickly
identified. First, we could not find "realm" defined in the on-line
help; this field should be set to the provider's name. Next,
firewall software on our PCs foiled tunnel activation. VPN-On-Demand
requires two-way protocol 50 (ESP) and outgoing port 443 (SSL).
We punched holes in our firewalls to permit ESP.
However, this clearly-documented requirement is a show-stopper
when it conflicts with enterprise security policy (for example,
visitor remote access, multi-company Extranets). In the next release
of IPsec AnyWare, ESP will be UDP-encapsulated on port 443, already
open on many firewalls.
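The firewall requirement above is easy to get wrong on a managed desktop, so here is an added example (not eTunnels' code or any firewall vendor's) that evaluates a constructed, vendor-neutral rule set against what the client needs: IP protocol 50 (ESP) in both directions plus outbound TCP/443, or, for the announced next release, outbound UDP/443 carrying encapsulated ESP. The rule format, the first-match/default-deny semantics, and the assumption that UDP-encapsulated tunnels only need an outbound rule are mine, not the product's.

```python
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers (IANA assigned)
ESP = 50
TCP = 6
UDP = 17


@dataclass(frozen=True)
class Rule:
    """One host-firewall rule in a constructed, vendor-neutral format."""
    action: str                      # "allow" or "deny"
    direction: str                   # "in" or "out"
    protocol: int                    # IP protocol number
    dst_port: Optional[int] = None   # TCP/UDP destination port; None matches any


def permits(rules: List[Rule], direction: str, protocol: int,
            dst_port: Optional[int] = None) -> bool:
    """First-match evaluation with an implicit default deny (assumed semantics)."""
    for r in rules:
        if r.direction != direction or r.protocol != protocol:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action == "allow"
    return False


def vpn_on_demand_gaps(rules: List[Rule], udp_encapsulated: bool = False) -> List[str]:
    """Return the client requirements this rule set fails to satisfy.

    Current release: ESP (protocol 50) both ways plus outbound TCP/443 (SSL).
    udp_encapsulated=True models the announced next release, where ESP rides
    in UDP on port 443; assumption: the tunnel is outbound-initiated, so only
    the outbound UDP rule is checked.
    """
    gaps = []
    if udp_encapsulated:
        if not permits(rules, "out", UDP, 443):
            gaps.append("outbound UDP/443 (UDP-encapsulated ESP)")
    else:
        if not permits(rules, "in", ESP):
            gaps.append("inbound IP protocol 50 (ESP)")
        if not permits(rules, "out", ESP):
            gaps.append("outbound IP protocol 50 (ESP)")
    if not permits(rules, "out", TCP, 443):
        gaps.append("outbound TCP/443 (SSL)")
    return gaps


# Constructed rule sets: a locked-down desktop policy that already allows
# web traffic out, and the same policy after "punching holes" for ESP.
LOCKED_DOWN = [
    Rule("allow", "out", TCP, 443),
    Rule("allow", "out", TCP, 80),
    Rule("allow", "out", UDP, 443),
    Rule("deny", "in", ESP),
    Rule("deny", "out", ESP),
]
WITH_ESP_HOLES = [Rule("allow", "in", ESP), Rule("allow", "out", ESP)] + LOCKED_DOWN


if __name__ == "__main__":
    for name, rules in (("locked-down", LOCKED_DOWN), ("with ESP holes", WITH_ESP_HOLES)):
        gaps = vpn_on_demand_gaps(rules)
        print(f"{name}: " + ("tunnel can come up" if not gaps else "blocked by " + ", ".join(gaps)))
    # The next release needs no ESP hole when outbound UDP/443 is already open.
    print("next release, locked-down:", vpn_on_demand_gaps(LOCKED_DOWN, udp_encapsulated=True))
```

Run against the locked-down policy, the checker reports both ESP directions as blocked, which is the failure we hit; with the ESP holes added it reports nothing, and in UDP-encapsulated mode the original locked-down policy already passes. Whether opening raw ESP is acceptable remains a policy decision the checker cannot make for you.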
Once connected, a tree-like display lists all clients
and servers currently connected to the VPN, each identified by "hostname.VPN.realm"
and a public IP address. Addresses can be used to share folders with
other VPN members (right). This "bump-in-the-stack" IPsec client
provides split tunneling: traffic to any VPN member is tunneled
over IPsec, but traffic to any other destination is unaffected. We
exchanged HTTP, FTP, and NetBIOS-over-TCP traffic with other clients
and servers in our VPN without incident.
This client is designed for end users; there is little to configure
or monitor. VPN connect state is visible from the system tray. Users
can change their own passwords. Those with administrative access
can also access the VPN management portal. Packet and byte counters
are provided by a Security Statistics panel (left). We found nothing
here to confuse an end-user. But we also found little to assist
with problem diagnosis.
Sharing Resources with Server Software
In VPN-On-Demand, the term "server" is used to describe web servers,
file servers, database servers: any unattended system that provides
a networked multi-user service. Here, client software is inappropriate; there
is no single user to authenticate or receive email. Instead, these
PCs are outfitted with VPN-On-Demand Server software (available
for Windows NT and 2000 now; Linux and Solaris in 2Q01).
Servers may export shared resources to VPN members (right).
To configure a server, the administrator adds http, file, mailto,
and telnet URLs. Files can be local or remote (that is, mapped from
another PC in the Windows network). Shared resources are listed
on the "VPN tree" displayed by every VPN client. This "point and
click" directory makes shared resources very easy to locate, but
it is not an access control list. VPN members can still access the
server through its IP address.
Designed for unattended systems, this software runs as a service
and connects to the VPN automatically. In a future release, monitoring
features will be added for up-time and bandwidth.
Extranet-in-a-Box: eTunnels Gateway Appliances
In release 2.0, server software can be run on a gateway to create site-to-site
VPNs. To better address the Extranet market, eTunnels also is introducing
a pair of gateway appliances. Carriers that deploy release 2.0 can offer
any combination of remote access, site-to-site, and Extranet VPN services,
based on client software, server software, and appliances.
"We're developing an appliance because some of the carriers and B2Bs
we're talking to (like Exodus) want a drop-ship Extranet solution that
can be installed without any possibility of partner tampering," said Sirota.
"For groups like this, a drop-in solution is really required. As soon
as you get to installing clients on business partner workstations and
separately-administered networks, there are issues for Extranet, and there
really isn't a good solution for this today. We believe that IPsec AnyWare
appliances will meet this need."
Two appliances are being built by a Seattle-area manufacturer for eTunnels.
Specs supplied by eTunnels recommend the e3000 for Ethernet LANs that
push 6 Mbps of traffic. The e5000 is said to accommodate Fast Ethernet
LANs at 60 Mbps. Both are 1U enclosures that contain a 700 MHz Pentium
III CPU, a security-hardened OS, and dual 10/100 NICs. The e5000 will
also include a CTGI PowerCrypt card.
According to Sirota, the key difference vs. traditional VPN CPE is installation
and configuration. These are transparent, single-address boxes. "For Extranets,
client software and a physical appliance can be drop-shipped into a foreign
customer environment," said Sirota. "Using a portal, the carrier would
delegate selected subnets to appliances. An initial IP address would be
assigned to the box with DHCP."
Like VPN-On-Demand clients and servers, these appliances will be centrally-managed.
They will use SSL to connect to the eNS for configuration and software
updates. They can also be administered directly through a CLI or Telnet,
and will use SNMP to forward stats to the eNS.
However, these appliances don't use Internet-standard IKE for tunnel
setup. "Because we use SSL for secondary authentication, you still won't
be able to use any IPsec/IKE device with VPN-On-Demand," said Sirota.
In fact, this is true for all VPN members. According to Jovito Salonga, eTunnels
VP of Information Technology, "We understand how important it is to stick
with standards, especially when it comes to security. IKE and PKI support
is planned for our 2.5 release."