This is how data encryption works in VPN. A key is a shared secret that provides the actual security in the scrambling process. Both parties must know the key, and its use must be managed with care.

If intruders are trying to discover the content of private messages, and A and B continue to use the same key over and over again, it's only a matter of time before the intruders will be able to use their knowledge of the scrambling machine, and of common phrase and word occurrences, to figure out the key. At that point, the private messages are no longer secure.

In short, if A and B are smart, they will figure out a way to keep changing their shared secret, and somehow notify each other of the changes to continue effective scrambled communications. Data encryption follows this same principle - the keys used in encryption must be updated and passed to both communicating parties at regular intervals to retain the security of the whole system.

To complete this analogy, if A and B add 100 more parties to their "virtual private" communication system, they will need a separate system just to manage passing keys out to every pair of communicators in the group. The technology that automates this key-passing function in a VPN is called key management.

Although it is - in technical terms - much more complex than this illustration permits, the main point to remember is that without an automatic key management system, it is impossible to use VPN for more than a few remote users or offices at a time.

Since the goal of VPN will be to eliminate as many unnecessary private network connections as possible, key management is rather important.
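As an added illustration (not code from this column or from Lucent), the following Python sketch models the centralized key-management idea the preceding paragraphs describe: one key manager derives a separate key for every pair of parties and changes it every rotation window, so a key recovered from one window's traffic does not unlock the next. The master secret, the party names and the one-hour interval are constructed for the demo.

```python
import hashlib
import hmac
import itertools

# Constructed illustration of the article's key-management idea, not any
# VPN product's code: a key manager derives a distinct key for every pair
# of parties and for every rotation window ("epoch"), so keys change on a
# schedule without anyone hand-carrying new secrets between sites.

ROTATION_SECONDS = 3600  # assumed rekey interval: one hour


def pairwise_key_count(parties: int) -> int:
    """Distinct pair keys a full mesh of `parties` members needs."""
    return parties * (parties - 1) // 2


def epoch_for(timestamp: float, interval: int = ROTATION_SECONDS) -> int:
    """Which rotation window a timestamp falls into (key epoch number)."""
    return int(timestamp) // interval


def session_key(master: bytes, a: str, b: str, epoch: int) -> bytes:
    """Key for the pair (a, b) during one epoch, via HMAC-SHA256.

    Sorting the names makes A->B and B->A agree on one key; mixing in the
    epoch makes the key differ in every window, so a key learned from
    traffic in one window is useless against the next.
    """
    label = "|".join(sorted((a, b))).encode() + b"|" + epoch.to_bytes(8, "big")
    return hmac.new(master, label, hashlib.sha256).digest()


def build_keyring(parties, master: bytes, timestamp: float) -> dict:
    """Current key for every pair: the table a key manager must maintain."""
    epoch = epoch_for(timestamp)
    return {
        (a, b): session_key(master, a, b, epoch)
        for a, b in itertools.combinations(sorted(parties), 2)
    }


if __name__ == "__main__":
    master = b"constructed-master-secret-for-demo"  # constructed sample value
    ring = build_keyring(["A", "B", "C"], master, timestamp=7200)
    for pair, key in ring.items():
        print(pair, key.hex()[:16])
    print("pairs for A, B plus 100 more:", pairwise_key_count(102))
```

The pair count shows why the article's "100 more parties" needs a separate system: 102 members already require 5,151 distinct keys, each of which must be rotated on schedule.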

Flexible configurations

Another important issue to consider when evaluating VPN is design flexibility. While many organizations will start by using VPN to outsource telecommuters or remote offices, most organizations will eventually want to do both. This means the VPN solution of choice should have dial-up and LAN-to-LAN capabilities.

Finally, an ever-present and crucial design issue to consider is interoperability. Open standards from a group such as the Internet Engineering Task Force, with broad vendor support, are crucial. This is because VPN will encompass the myriad InterNetworking Systems and security devices already deployed.

VPN promises to be a practical new application for the Internet, with measurable bottom-line return on investment in the form of cost savings compared with building private networks.

Next week's "Technology Update" will explore some VPN protocols in light of these design criteria.

Henthorn is security product manager at Lucent Technologies InterNetworking Systems in Pleasanton, Calif. He can be reached by phone at (925) 737-2156 or via the Internet at alex@livingston.com.

Copyright 1997 by Network World, Inc., Framingham, MA 01701-9172

Reprinted From Network World. An IDG Company