
Want to put a VPN or firewall on your network card? A new class of product handles all the processing, keeping your server free to do the hard work.
Virtual Private Networks (VPNs) have seen boom times since attention turned to the lack of security in transmitting data over the Internet. With a host of readily available packet-sniffing applications on the market, virtually no transmission can be classified as secure unless it is encrypted before being sent. Even then, in some cases, transmissions can be captured and, with some expertise, decrypted--if the cracker has enough incentive to do so. One of the most popular technologies currently implemented to achieve the best security available is the VPN.
A VPN is either a software or hardware solution that creates an encrypted data tunnel across an unsecured network such as the Internet or a wireless network. Once created, this tunnel is essentially a point-to-point connection, despite running through many routers and different telecommunications equipment and links. Technically, the only equipment that can access the encrypted data on that link is the equipment at each end.
VPNs can be run either as software on a server or PC, or offloaded to a dedicated hardware device. Most security-minded IS Managers would generally opt for a hardware VPN solution over a software VPN solution due to the potential resource performance hit associated with encrypting and decrypting the data that is transmitted and received.
The majority of VPN/firewall hardware solutions are generally standalone appliances that look very similar to switches or routers. However, in recent months, a new class of product has emerged--firewall/VPN network cards. These are PCI or PCMCIA network cards that you would install in a single server or PC that handle the encryption and processing for running a firewall and VPN, and can be configured remotely.
Why would you want to do that?
For example, think about the link between the file server and the database server. If this link were running over a VPN, that would effectively stop any external or even internal compromise of the all-important database server via your corporate LAN infrastructure, while still allowing the file server access to your data store. This is just one of many uses for a VPN on an internal network.
To test the firewalling capabilities of these cards, we used NMAP, which is a port scanning tool that checks IP addresses for open ports and therefore potential access points for hackers to exploit and gain access to the system. All cards that supported the firewalling options provided excellent control for allowing and denying access to ports. Some even allowed the administrator to set the firewall configuration to open and close access to ports during set time periods, for instance, to open a specific port between the hours of 8am and 6pm Monday to Friday to allow telecommuters access to their data during operating hours only.
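The time-windowed port rules and the NMAP check described above, as an added example (not code from the review or from any of the vendors): a small audit that works out which ports a policy should expose at a given time and compares that with a line of nmap grepable (-oG) output. The policy, host address and scan line are constructed for the example; the cards' own configuration format is not shown in the review.

```python
"""Audit an nmap grepable-output line against a time-windowed port policy."""
import re
from datetime import datetime

# Constructed policy: port -> (allowed weekdays, open hour, close hour).
# Monday is weekday 0. Port 22 mirrors the review's example of a port opened
# 8am-6pm Monday to Friday for telecommuters; 443 is open at all times.
POLICY = {
    22: (range(0, 5), 8, 18),
    443: (range(0, 7), 0, 24),
}

# One "Host:" line of nmap -oG output, e.g. "22/open/tcp//ssh///"
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/tcp")


def expected_open(policy, when):
    """Return the set of ports the policy should leave open at `when`."""
    open_ports = set()
    for port, (days, start, end) in policy.items():
        # close hour is exclusive: 18:00 itself is already outside the window
        if when.weekday() in days and start <= when.hour < end:
            open_ports.add(port)
    return open_ports


def parse_grepable(text):
    """Return {port: state} for the TCP ports in an nmap -oG line."""
    return {int(port): state for port, state in PORT_RE.findall(text)}


def audit(policy, scan_text, when_iso):
    """List (port, problem) pairs where the scan disagrees with the policy
    at the ISO-8601 time the scan was taken. Unlisted ports must not be open."""
    should_open = expected_open(policy, datetime.fromisoformat(when_iso))
    problems = []
    for port, state in parse_grepable(scan_text).items():
        if port in should_open and state != "open":
            problems.append((port, "expected open, got " + state))
        elif port not in should_open and state == "open":
            problems.append((port, "expected closed/filtered, got open"))
    return sorted(problems)


# Constructed sample scan line, not a real capture
SAMPLE = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
          "443/open/tcp//https///, 25/filtered/tcp//smtp///")

if __name__ == "__main__":
    for when in ("2003-06-02T09:00", "2003-06-07T09:00"):  # a Monday, a Saturday
        print(when, audit(POLICY, SAMPLE, when) or "policy matches scan")
```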
The vendors that submitted products for this review are 3Com, Netmaster and 14 South Networks (previously known as OmniCluster). Other vendors that make similar products include Intel and Brisbane-based SnapGear, who were unable to submit products for the review.
Among the products it submitted, 3Com included a PCMCIA VPN card for a notebook. This could be a valuable addition to your mobile resources if you need portable security for transferring encrypted data to and from a remote site. Establishing a VPN this way removes some of the resource overhead associated with software VPN solutions, particularly as most notebooks are relatively low-powered compared to desktops and servers. It would also reduce costs, as any Internet connection could be used instead of dialling in to establish a point-to-point connection, and would avoid the slow speeds of a 56Kbps or worse modem connection. And finally, if a VPN over the Internet is the only way to get data through securely from a remote site via a notebook, the PCMCIA card fits neatly in the notebook and saves carrying a separate VPN router around just to connect securely.