Securing The Perimeter

Virtual private networks are helping states expand their networks securely without breaking the bank.

by Drew Robb / April 3, 2001

Security remains a major roadblock to true e-government. Citizens demand certain privacy rights, and agencies must protect the sanctity of their networks. Traditionally, this meant the adoption of wide area networks (WANs) that required expensive equipment, dedicated lines and a large IT staff to maintain operations.

"We could not find nor afford network administrative staff for installing, upgrading, billing and supporting remote access," said David Lewis, CIO of Massachusetts.

Lewis turned instead to virtual private network (VPN) technology. The network runs over the Web, so the price tag is considerably reduced. But do lower costs result in compromised security? Or do VPNs represent a viable method of connecting a dispersed user community within a secure perimeter?

Powerful Protection

The word "virtual" often connotes "not even close to." But its true meaning is "practically the same as." Fortunately, with VPN technology, the latter definition applies.

"While there have been a lot of networking technologies that haven't lived up to the initial hype, that is not the case with VPNs," said Gary Smith, an analyst at Dataquest. "In fact, their acceptance has come a little bit faster than anticipated."

In support of this statement, Infonetics Research reports that worldwide revenue for managed VPN services is expected to grow from $541 million in 1999 to $3.7 billion in 2001 and $12.2 billion in 2003.

VPNs are catching on due to improvements in security, as well as their significant financial advantages. Connecting four buildings via WAN typically requires six dedicated lines. As a result, many jurisdictions can't afford to hook up police and county court systems, or even databases within one agency.

A VPN uses a single Internet connection rather than dedicated lines and relies on data encryption techniques to keep information private. In essence, a VPN enables two private networks to be connected securely over a public network. It accomplishes this by establishing an encrypted tunnel that acts as an extension of the private network, riding on the back of the existing Internet infrastructure. Encryption is accomplished via software that is installed in each computer that accesses the VPN. Because a VPN functions comfortably on top of the existing telecommunications infrastructure, it costs a fraction of the amount needed to establish and maintain a WAN.

To enter the network via desktop or laptop, a user enters a logon ID and password. Once a message is ready, the data is encrypted before relay. At the other end, the receiving terminal decrypts it. This process occurs automatically, so the user is not burdened with additional steps.

Although VPNs have several layers of built-in security, individual users still need to protect the data on their own machines. Lewis said all VPN subscribers in Massachusetts are required to use anti-virus and personal firewall software. Further, each person who wishes to remotely access the network is required to sign an acceptable use agreement and a remote access statement. This increases awareness of a user's security responsibility.

But how secure are VPNs? For some, VPNs have developed over the past couple of years into a dependable enterprise technology. "Security is on every manager's mind, and VPNs are the technology of choice for secure IP communications," said Jeff Wilson, director of access at Infonetics Research.

Kentucky started a VPN service a year ago. "The VPN is ideal for agencies that have mobile or remote employees but are concerned about the potential security risks of confidential information being intercepted," said Aldona Valicenti, CIO of Kentucky.

Others, however, remain skeptical, pointing out that, like the Internet, security is an evolving discipline.

Although many regard VPNs as secure enough for government deployment, additional security tools are becoming available that can further enhance network security. Digital certificates, for instance, provide agencies with a high level of user authentication. And more robust data encryption and integrity checks are coming onto the market to keep data confidential and prevent it from being tampered with en route.

Setting Up a VPN

Because VPNs operate over existing infrastructures, public telecommunications carriers normally provide the service. Verizon Communications, for instance, worked with Massachusetts' Information Technology Division to deploy a VPN through all of the state's 100-plus agencies. Verizon provides the Internet bandwidth, technology upgrades, equipment management and billing for remote access in return for a monthly fee. State agencies and businesses use their existing telecommunications services to gain remote access to government databases and resources for $10 to $30 per month, depending upon service configuration.

"By leveraging the power of our $8 billion network in Massachusetts, the state can create electronic bonds between agencies, mobile workers and businesses," said Robert Mudge, president of Verizon-Massachusetts. "This enables Massachusetts to make state government more accessible."

Along with cost and labor advantages, bandwidth can be adjusted depending on demand. Under a dedicated network, engineers had to build enough infrastructure to cope with peak traffic loads, but most of the time the system is underutilized. With a VPN, however, a small agency can begin paying for low bandwidth and increase it depending on its needs.

Although all of these advantages are significant, perhaps the most practical is that a VPN can be remotely accessed from any ISP. No special hardware is needed, and no long-distance or access charges are incurred.

A VPN's ability to authenticate remote users, as well as its security, is what convinced Massachusetts to switch from its remote-access server dial-in connection. "VPN allows the commonwealth to deliver key elements of our online government strategy," said Lewis. "It has improved our collaborations with business partners, increased access to state resources and [given] our mobile workers the tools they need to better serve the public."

One of the services Massachusetts provides using the VPN is instant online access to the Registry of Motor Vehicles databases for the state's 3,500 insurance agents. This is accomplished with the Massachusetts Access to Government Network, also known as MAGNet. The VPN's built-in security effectively eliminates the risk of people connecting to MAGNet without authentication.

The state's bank examiners also benefit from the new network. By remotely accessing the VPN, they can significantly improve the efficiency of their examinations and banking operations oversight. They can download needed files instantly and upload evaluation reports, thus shortening the time necessary to conduct examinations.

Examiners can also reference an up-to-date intranet site to receive current policies no matter where they are. This replaces the former biweekly bulk mailings of all recent policy updates to each of the 119 personnel.

"MAGNet network security managers approve each agency's remote access deployment plans," said Lewis. "Agencies that use the established patterns can deploy the service more quickly."

Stand and Deliver

In response to increasing demand, most of the major telecommunications service companies now provide managed VPN services. Further, VPN specialists exist, such as Genuity Inc. (formerly GTE-Internetworking), Savvis Communications and Cable & Wireless North America.

"Select a vendor with a large capitalization stake in providing VPN services," advised Massachusetts' Lewis. He reasons that those vendors are most likely to provide continuous services.

Kentucky's Valicenti stresses the importance of appropriate business and service policies for remote access when instituting a VPN. She also advises agencies to carefully examine the business case before signing any contracts. Even with costs being reduced substantially when compared to a WAN, some may still find a VPN expensive.

This point is particularly important for smaller agencies. An enterprise-class VPN can cost more than $100,000, but products are beginning to come onto the market that offer small-scale VPNs for less than $1,000. Cybernet Systems, for instance, offers the Linux-based NetMax VPN Server Suite. It can be installed in less than an hour and incorporates a number of the security features mentioned earlier.

This type of application is ideal for counties or cities with limited resources, or small jurisdictions that don't need a full-featured network. "We've seen things evolve from costly WANs to costly VPNs and now to affordable VPNs that state and local agencies can deploy securely," said Rob Falkner, a director in Cybernet Systems' NetMax Division.

He concedes, however, that this type of solution may not be enough for large or complex sites. In some areas, an enterprise-class management console is needed in order to control the mass deployment of hundreds of VPNs at a time. Further, firewall complexity sometimes requires the use of a more expensive VPN.

Whichever vendor is utilized, a VPN installation may not turn out to be a simple plug-and-play affair. "Do not underestimate the effort, especially in a non-homogeneous environment like government," concluded Lewis.

Drew Robb, Contributing Writer