This is how data encryption in a VPN works. A key is a shared secret
that provides the actual security in the scrambling process. Both parties
must know the key, and its use must be managed with care.
If intruders are trying to discover the content of private messages,
and A and B keep using the same key over and over again, it is only
a matter of time before the intruders can use their knowledge of the
scrambling machine, together with the known frequencies of common words and
phrases, to figure out the key. At that point, every message ever sent under
that key, past and future, is no longer secure.
In short, if A and B are smart, they will find a way to keep changing
their shared secret and to notify each other of each change, so that their
scrambled communication stays effective. Data encryption follows the same principle:
the keys used in encryption must be updated and delivered to both communicating
parties at regular intervals to retain the security of the whole system.
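As an added illustration, not part of the original article, the attack just described can be carried out against a toy scrambling machine in a few lines of Python. The machine here is a repeating-key XOR standing in for A and B's scrambler; the attacker is assumed to know the machine and the key length, but not the key, and to have captured several messages sent under the same key. The key, the sample messages and the letter-scoring weights are all constructed for this example.

```python
"""Why a reused key falls to a known scrambler plus language statistics.

Toy scrambling machine: repeating-key XOR (constructed for this example,
not a real VPN cipher). The attacker knows the machine and the key length
but not the key, and sees many messages sent under the same key.
"""
from collections import defaultdict

# The shared secret A and B keep reusing (constructed).
KEY = b"vpnkey97"

# Constructed sample traffic between A and B, all under the same key.
MESSAGES = [
    b"the quarterly numbers are attached please review before friday",
    b"we will move the remote office onto the new link next month",
    b"send the updated price list to the sales team in pleasanton",
    b"the vendor quoted a lower price for the dial up equipment",
    b"remember to rotate the shared secret before the audit",
    b"the branch office reports packet loss on the private line",
    b"please approve the purchase order for the new firewall",
    b"telecommuters complain about slow access to the file server",
]


def scramble(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)].
    XOR is its own inverse, so the same call also unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(b: int) -> int:
    """Crude language model: how plausible is this byte in English text?
    Weights are constructed; any reasonable letter-frequency table works."""
    if b == 0x20:            # space: the most common byte in prose
        return 3
    if 0x61 <= b <= 0x7A:    # a-z
        return 2
    if 0x41 <= b <= 0x5A:    # A-Z
        return 1
    if 0x20 < b < 0x7F:      # digits and punctuation
        return 0
    return -10               # control bytes / non-ASCII: almost never in text


def recover_key(ciphertexts, key_len: int) -> bytes:
    """Frequency attack. Every ciphertext byte at a position congruent
    mod key_len was XORed with the same key byte, so each key byte can be
    attacked on its own: try all 256 candidates and keep the one that makes
    that column look most like English. More captured traffic under the
    same key means more samples per column and a more certain answer."""
    columns = defaultdict(list)
    for ct in ciphertexts:
        for i, b in enumerate(ct):
            columns[i % key_len].append(b)
    key = bytearray()
    for pos in range(key_len):
        best = max(range(256),
                   key=lambda k: sum(english_score(b ^ k) for b in columns[pos]))
        key.append(best)
    return bytes(key)


def attack() -> dict:
    """Intercept everything A and B sent under KEY, recover KEY from the
    ciphertexts alone, then read every message."""
    cts = [scramble(KEY, m) for m in MESSAGES]
    guessed = recover_key(cts, len(KEY))
    return {
        "recovered_key": guessed,
        "plaintexts": [scramble(guessed, ct) for ct in cts],
    }


if __name__ == "__main__":
    result = attack()
    print("recovered key:", result["recovered_key"])
    for p in result["plaintexts"]:
        print(p.decode())
```

Note what the attacker never needed: the key itself, or any plaintext. Rotating the key after every message would leave each column with only a handful of samples, which is exactly why the article insists that keys be replaced at regular intervals and why that replacement has to be automated once there are more than a few parties.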
To complete the analogy, if A and B add 100 more parties to their "virtual
private" communication system, every pair of communicators needs its own
secret: 102 parties means 102 x 101 / 2 = 5,151 pairwise keys, each of which must
be changed regularly. They will need a separate system just to manage passing
keys out to every pair in the group.
The technology that automates this key-passing function in a VPN is called
key management.
Although it is, in technical terms, much more complex than this illustration
permits, the main point to remember is that without an automatic key management
system it is impractical to use VPN for more than a few remote users or
offices at a time.
Since the goal of VPN will be to eliminate as many unnecessary
private network connections as possible, key management is rather important.
Flexible configurations
Another important issue to consider when evaluating VPN is design flexibility.
Many organizations will start by using VPN either to outsource dial-up access for
telecommuters or to connect remote offices, but most will eventually want to do both.
This means the VPN solution of choice should have both dial-up and LAN-to-LAN
capabilities.
Finally, an ever-present and crucial design issue to consider is interoperability.
Open standards from a group such as the Internet Engineering Task Force,
with broad vendor support, are crucial, because a VPN will have to work with
the myriad internetworking systems and security devices already deployed.
VPN promises to be a practical new application for the Internet, with
measurable bottom-line return on investment in the form of cost savings
compared with building private networks.
Next week's "Technology Update" will explore some VPN protocols
in light of these design criteria.
Henthorn is security product manager at Lucent Technologies InterNetworking Systems in Pleasanton, Calif. He can be reached by phone
at (925) 737-2156 or via the Internet at alex@livingston.com.