A Brief On VPN Management Issues
by Thomas Rude, CISSP
November 2000
As the need for secure electronic transmissions becomes ever more desirable, the reliance upon encryption and non-repudiation becomes ever more pressing for any company wishing to move forward within the ‘Digital Data Revolution’ we are experiencing. The days of clear text transmissions being acceptable are numbered (and rightfully so). Corporations are turning quickly to one possible solution: Virtual Private Networks (VPN). As with any revolution, there is energy and excitement. However, in this fast-paced, energized atmosphere there is something being forgotten by many. And it is this ‘thing’ that could quite possibly lead to disastrous consequences for many corporations. Not just in financial terms, but in the reputation and good faith arenas as well.
When the push for the Virtual Private Network is felt, many managers react. And they react as most any human would when in a pressure situation: not always thinking of the long-term, instead, focusing on the more obvious short-term and present. How will we push this technology? How much will that appliance cost? Can we use anything we currently have? Is it IPSec compliant? Who can we put in training?
Unfortunately, with so many concerns comes the innate ability to forget something. And that something may turn out to be the most mission critical piece of any Virtual Private Network deployment: management. Not management as in ‘who will be in charge of this box?’ We are talking about management in terms of maintenance and support. User management. Database management. Tunnel management. Key management. Software management. Support management.
During the initial phases of planning and research, none of the above areas can be left out. The consequences of not thinking far enough into the future are hard to weigh in the present. However, imagine the following scenario if you will: You are in charge of your company’s VPN. You plan and research. You assign tasks to your coworkers. You turn in a final report for recommendation. In this report you stake your claim – this is the product for us, this is an alternative solution, this is the cost of ‘a’ and the cost of ‘b’, here are the people to deploy the VPN, etc. Your name is signed to this report. And your reputation. In one year’s time there is turmoil. ‘Suddenly’ the budget is not enough. Your maintenance plan did not leave room for growth in the original database. Another authentication server is needed. Furthermore, the authentication server’s underlying operating system is no longer going to support TACACS for authentication. What will you do now? How will you justify your need for support? These are just examples of situations that may arise.
The above scenario is just that – a scenario. You can change any one ingredient and get another mix. However, you will still end up with the same underlying thought: more time, planning, and research should have been put into the area of VPN Management. Save yourself the headache and heartache by looking at every possible angle from the beginning.
A VPN needs to be viewed as a very dynamic piece of the corporation. Encryption algorithms have changed and will continue to change. Tunneling protocols as well. Will your VPN be able to take a software upgrade to support these changes? Or will you need a (usually) more expensive hardware upgrade? Where will the financial support come from when you have to upgrade your bandwidth as more and more VPN sessions begin to bog down the network? If your VPN solution’s client software is currently free, will it remain so? What if ‘Company X’ is bought out by ‘Company Z’ and Company Z says no more free client software? Do you have the reserves to purchase the client licenses?
If you view the VPN in a dynamic light then you will begin to see that even though you cannot predict the future in certain terms, you can see trends and move to position your department and ultimately, your company, in such a way as to support your needs now as well as the needs in the future. Perform the needed research and see where others have made mistakes. Do not duplicate them! Learn that most mistakes in VPN Management can be placed into four areas: user/database, tunnel/key, software/hardware, and support.
User/Database
As mentioned earlier, many mistakes have been made when forecasting (or lack thereof) user and database growth. I define the 'user database' as the total number of users who authenticate to the VPN. It is ‘easy’ to estimate how much your company will grow in size in say, a year’s time frame. You can look at a historical year-by-year growth as well as work with your Human Resources Department to find out how many people they have been authorized to hire for the coming year. But what if your company merges or becomes a player in an acquisition? In many cases the ability to forecast this type of change – and plan accordingly - is near impossible. But if it happens, exactly how many users will be added to your VPN? The mantra here is to play the ‘what if’ game and make sure that your proposed solution(s) support growth. Ensure that the user database can scale. Ensure that the authentication servers can also scale – while minimizing performance degradation. Your total VPN solution (user database, authentication device, Internet access, data tunnels, and encryption devices) needs to be able to SCALE! Ensure that the recommendation report states the possibility of expansion due to mergers and/or acquisitions, and that an action plan is included. Would it be safe to make a plan of action that includes the ability to double the user database in size?
Tunnel/Key
The areas of tunnel management and key management have been the topic of a split personality syndrome lately. It seems that more and more managers are becoming aware of the need for key management. Whether this is a result of recent press or solid planning is unclear. But, since it is happening, the reasons why may not matter. Unfortunately, the area of tunnel management has not been the point of conversation or focus of the press. Deploying a VPN with no regard to the tunnels being used can be a costly mistake in terms of network performance and, ultimately, in financial terms.
Tunnel management can be thought of in terms of what tunneling protocol(s) will be used, network subnetting, and bandwidth absorption. It is imperative to plan what protocol(s) will be used in the VPN. There are ‘legacy tunnel protocols’ (such as PPTP) as well as ‘new technology tunnel protocols’ (such as IPSec) to choose from. Perhaps you will need both protocols initially. The move in the INFOSEC Industry is towards IPSec. With that in mind, deploying a VPN solution without IPSec could be viewed as ‘protocol suicide.’ Also complicating tunnel management is the area of network subnetting. Although a bit more technical than the focus of this paper, it is mentioned because of the unforgiving consequences of not knowing if your proposed VPN solution can work with the architecture of your network. Imagine planning, researching, reporting, and ultimately deploying a VPN, only to find later (usually during the actual configuration stage) that the VPN solution cannot handle the number of subnets in your network! What will be the consequences? Lastly, you must consider the effect of tunnels on your network bandwidth. Not just initially, but in the future as well. Have monies been set aside for another Internet connection? Another router/switch/etc.? As the data throughput increases the available bandwidth decreases. What is the risk of data loss? How do you cost retransmission of data due to network saturation?
Key management can be defined as the generation, distribution, storage, and security of keys. Do you have enough staff on hand to handle each of these tasks? Who will generate the keys? Who is the backup to that person if she or he leaves or falls ill? Probably most important here is the distribution of the keys to the VPN users. How will the keys be distributed and at what cost? Is this method secure? Have you provided for a means of key recovery in the event of an honest accident or a disgruntled (ex) employee? The idea here is like the other areas: think and think some more when drafting your VPN solution report. Is there an acceptable risk of key loss (i.e., data loss)? And if so, what is that risk and who is held responsible?
Software/Hardware
VPN Management cannot be complete without thorough investigation into both software and hardware issues. These two areas will play a vital role in the long-term financials of your company. It is important to note that we are not talking about ‘normal’ software upgrades, i.e., the installation of the latest VPN software release. Those should be obvious! Instead, we are speaking of the ‘hidden’ costs of the underlying operating system (if applicable). These costs can be defined as the resources (time, money, staff) it takes to apply patches and upgrades to the servers the VPN software runs on.
Who will keep track of updates and patches to the VPN software and the client software, as well as the server software? How will the updates be pushed out to remote users? Who will be responsible for maintaining the security of the VPN servers? What is the cost if a server is compromised, and how will it affect the VPN? What is the plan of action when a server is compromised? Are the resources in place and outlined in the recommendation report?
On the hardware side we need to make sure to research the cost of redundancy. After all, we cannot afford to deploy a solution with any single point of failure! Find the cost for redundant Internet connectivity. Find the cost for any redundant hardware (routers, hubs, switches). Find the cost for redundant power supplies. And do not forget the cost of redundant VPN solutions! Some of these may seem obvious, and perhaps they should. However, something that is new is not always easily defined. Suppose, for example, that you have included redundant power in the scope of your VPN solution. Your engineer takes the two power cables and plugs each into a socket. Safe? Perhaps. Perhaps not. Make sure those sockets are on separate breakers (and preferably on a backed up power supply)!
Support
When putting together your VPN plan, take care to include all areas of support, not just technical support from the solution provider/reseller. Take stock of your current Help Desk team and find out if they can handle another application. Do you have enough manpower? Can the staff handle the technical problems bound to arise in tunneling (especially IPSec)? What is the escalation procedure for incoming calls? Will full documentation be available to all who need it in order to help educate the end user as well as the support staff? Also make sure that your engineering staff are ready to support the product. Will training be necessary and, if so, at what cost? Is there a separation of duties among the staff so as to support the Corporate Security Policy? What sort of monitoring will occur? How often (daily, weekly, etc.) will the logs be analyzed? If the logs are backed up to another server (FTP) is that server secure (access control list, encryption, etc.)?
Conclusion
If you take care to research and plan for the four areas of VPN Management you will not necessarily avoid any change of plans down the road. However, you will have documentation to which you can refer. You will have insight into how to handle and act upon the challenge. You will have approximate costs, contacts, and a budget from which to work. But, mostly, you will have the confidence and ability to lead your team and the support of your company knowing that foresight was an integral part of the VPN solution process.
Copyright © 2002
thomas@crazytrain.com