Security for Remote Access VPNs Must Be Simple

By Bruce Schneier
Network World
March 2, 1998

Unlike site-to-site VPNs, where remote offices are hard-wired to a central facility firewall, remote access VPNs are fraught with security problems. Much of the security consists of trusted passwords that traveling workers use on their notebook computers.

To be effective, a VPN's security implementation must be user-friendly while not penalizing your enterprise in other ways, such as by degrading network performance or compromising corporate control of the remote access network.

Think of the lock on the front door of your home. It certainly is easy to use, and it doesn't force you to endure undue hardship to install, maintain or control.

But what if you found out your front-door lock was not really secure? How much of a burden are you willing to endure to ensure the security of your home?

Most people are not willing to inconvenience themselves much for security. If a truly secure front-door lock required a key holder to fiddle with it for 10 minutes, many people would not bother to lock their doors.

Today's VPN users face a similar situation. VPN security has improved, but at the expense of usability and network performance.

First-generation VPNs were based on routers and other network infrastructure products, with secure tunnels confined to the boundaries of the Internet. They delivered predictable bandwidth for site-to-site connections and were easy to use. However, they la cked the end-to-end security needed to safeguard dial access ports exposed by remote users.

To address the problem, several network security companies developed a second generation of VPNs that extend security to the remote edge of the enterprise network. But while second-generation VPNs succeed in providing end-to-end security, they lack the p erformance benefits of the first-generation products. This only makes sense when you consider how unlikely it is that a single server could provide wire-speed tunnel aggregation for 200 or more remote users while simultaneously performing high-speed firew all packet filtering to safeguard the corporate network.

In addition, the security mechanisms of second-generation VPNs are harder to use. Remote users must gain access to the corporate network through higher level mechanisms suitable for a firewall, such as digital certificates and certificate authorities.

For many people, learning to use these sophisticated security mechanisms is like having to learn a whole new way of opening their front-door locks.

So where do we go from here? The first order of business is to determine what the next generation of VPNs - the operational remote access VPN - should be securing.

The only role of a remote access VPN is to allow someone at a remote location to tunnel into the network's front door. It's the user's job to log on with a secure password or authentication device, and it's the corporate network firewall's job to grant or deny permission.

In effect, all the next-generation VPN should do is collapse the space between the remote user and the corporate network. That means the security of the client computers and the enterprise network must be dealt with individually. It's the only inexpensive and operational model for a remote access VPN that provides secure network connections and usability.

In the end, many security systems are broken by the people who use them. Most users want simplicity, convenience and compatibility with existing (insecure) systems. It's hard to sell door locks to people who don't want to be bothered with keys.

earlier essay: Security Pitfalls in Cryptography
later essay: The Secret Story of Nonsecret Encryption
categories: Computer and Information Security
back to Essays and Op Eds

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..