Firewall Wizards mailing list archives

Re: VPN and firewalls


From: tbird () imhotep cerner com
Date: Mon, 09 Feb 98 15:15:10 -0600

Hi Rik --

I have been the team leader responsible for the selection and implementation of
a VPN package for my company, Cerner Corporation.  Cerner is a mid-size
company (about 2300 employees) which produces computer systems and software
for the healthcare industry.  Our internal network supports 2000+ Win95 and
WinNT desktop systems, over 100 NT servers providing file and printer sharing
and some applications, and 50 or so back-end machines (VMS, AIX and a few
others).

I began evaluating VPN products in April 1996, and we're finally (now) at the
point of releasing the package for general use.  My answers to your questions
have evolved over time and should probably not be considered valid for more 
than a few months...

Cerner's requirements for a VPN solution included three vital pieces.  Due to
the company's dependence on Microsoft products, the VPN must be able to 
encapsulate all TCP/UDP/ICMP (?) protocols over a single persistent port -- to
compensate for the MS propensity for random port assignments for their network
functions.  Cerner utilizes application proxy firewalls (Sidewinders, to be
precise) and the VPN encapsulation was required to get a few custom applications
through the firewall.  Second, the VPN must be able to support server-to-server
tunnels (f'rinstance, using FW-to-FW encryption) as well as client-to-server
traffic (for all those remote employees).  Finally, the product must support
a variety of external authentication and auditing systems (to integrate with 
the other components of our remote access technology).

Our Sidewinder firewalls have included IPSec encryption of traffic since the
time we implemented them -- however, it's been "crippled" traffic until the
latest release.  Up until v3.2 of the Sidewinder software, the IPSec encryption
worked on a service-by-service basis -- you opt to encrypt one particular port's
traffic to a destination -- which didn't match our requirements for 
encapsulation of all protocols.  In addition, at the time we began our 
evaluation, the PC client for the tunneling was, uh, to put it politely, not
ready for prime time.  (I have recently received a new secure client for the
Sidewinder-based VPN, but haven't had time to give it a test drive.)

We were more interested in evaluating stand-alone systems than those dependent
on a particular firewall because they gave us more flexibility.  We knew that
eventually we would be using the VPN system to provide client support to our
clients over the Internet, as well as potentially using the technology to 
provide (and control) access to our corporate network for consultants and other
non-employees.  It seemed unlikely that we would be able to convince all of
our clients to install Sidewinders so that we could use the built-in VPN --
esp. since the stand-alone systems are much less expensive than full-blown
firewalls.

We briefly considered products like PPTP, but discarded them because of their
lack of support for external authentication, their (as of a year ago) use of
weak encryption, and their difficulty in traversing the application proxy
firewall.  (Okay, I confess -- I looked at PPTP with my pretty major
anti-Microsoft chip on my shoulder -- but MS didn't give me any reason to
change my mind.)

We finally decided on VTCP/Secure, from InfoExpress (disclaimer:  I work with
a couple of organizations that are resellers for InfoExpress, but at this 
point in time I get no financial benefit from recommending them).  It's
very very easy to use; offers a variety of encryption strengths and security
options, for tailoring to a wide range of security requirements; it requires
minimal alterations to your corporate network; and the technical expertise 
provided by InfoExpress is first rate.  The only functionality lacking in
VTCP/Secure was the ability to operate in a server-to-server mode, but we
were able to cover that need using our second choice, the Alta Vista Tunnel
from Alta Vista/Digital. 

Our second choice, the Alta Vista Tunnel, was also relatively easy to manage.
But it works by creating a "pseudo-network adapter" on the client machine --
and those of you who have played around with multiple network adapters on Win95
know that that's not a trivial issue.  I've found the AV tunnel to be a little
cryptic when it breaks -- and somewhat unpredictable in terms of how it will
react to different network hiccups -- which is why it wasn't our first choice
for at least the client-to-server requirement.

However, I should emphasize that Cerner has a very large and, uh, dynamic
network environment, which stresses connectivity products in unusual ways.
I have worked with many IS managers who find the Alta Vista product to be
very useful.

Config issues:  Yes, we plug it straight through the firewall.  Cerner's
security policy for the internal network is pretty open, so we've managed
to create the same sort of unlimited access for tunnel users that they'd
enjoy if physically connected.  I have set up tunnel access for consultants
which limits them to specific hosts -- easy enough to do, and one of the
reasons I like working with VTCP/Secure.

Sorry for the length.  I'm preparing my SANS short course on this topic and
it's making me just a little long-winded.

Cheers -- Tina Bird

------- Forwarded Message

Date: Fri, 6 Feb 1998 09:45:31 -0700 (MST)
From: Rik Farrow  <rik () spirit com>
Subject: VPN and firewalls

I am curious about why people are choosing VPN solutions which
are independent of firewalls, for example, Aventail or TimeStep.  

Do people poke these streams through their firewalls?

Is it a matter of performance?

Why pay extra for VPN capability which is already included in many firewalls?

What products are preferred and why?

I am looking for answers from people who have tried both methods:  using
the VPN as standalone product or bundled with their firewall.

Regards,
Rik


------- End of Forwarded Message
