ALEXANDRIA, Va. -- Not surprisingly, security was on the minds of attendees at the opening of VPNcon here. While attendance is down from previous shows, many of those who did show up came with a common goal: learning how to deal with the recent demands for tighter security on smaller budgets.
Carol Stone, vice president of worldwide marketing for Check Point Software Technologies, opened the conference by speaking about the evolution of enterprise networks into Internet-based entities that require layered and comprehensive security measures.
"I know I'm harping on this, but I can't emphasize enough that you have to have a complete security infrastructure, of which VPNs are a component," said Stone. "And also, don't forget your policies and your people."
Stone offered conference-goers an extensive list of questions to take into consideration when developing their VPNs. These included everything from "Are our passwords secure?" to "Is the firewall in my VPN in the right place?" The point, Stone said, was not to answer "yes" to every question, but to really examine all the issues and make informed decisions about the risks involved.
The keynote was followed by sessions highlighting different security protocols for VPNs. Although most enterprise VPNs are being built with Internet Protocol Security (IPsec), there are other options, and these were explored in depth.
One alternative is to implement Secure Sockets Layer (SSL) technology, said Richard Ting, CTO of Aventail, a VPN extranet provider. Most of us are familiar with SSL as the de facto standard for Web-based traffic, especially online shopping. Aventail uses SSL to implement session-level security across the VPN within each of its clients' applications. This solution is a natural fit, said Ting, because firewalls, gateways, network address translation, and public key infrastructure -- the major hurdles for other security protocols -- were all part of the design of SSL.
Layer 2 Tunneling Protocol (L2TP) was also explored, for use by itself and in conjunction with IPsec. Ron Cully, group program manager of network infrastructure services for Microsoft, announced that on Monday the Internet Engineering Task Force approved a specification for L2TP/IPsec developed by Microsoft in conjunction with Cisco. The resulting standard will be "the only approved standard for remote access VPN with IPsec," Cully stated.
At the end of the day, it was difficult to know just which security protocol to choose. It all depends on your business, your applications, and what you hope to achieve with your network in the coming months and years.
As Stone said in her address, it is important to have a flexible network that looks ahead to the future and will be able to adapt to changes in technology. "Security doesn't have to be something that locks you down and keeps everybody out," she said. "It really is opening the future, it enables e-business, and it enables your company to gain more revenue and access more customers."