The current state of the game.
By Eric Van Buskirk

Virtual Private Networks are an evolving class of network protocols and supporting technologies that allow remote users to connect securely to organizational resources over public networks such as the Internet. Modern VPN technology now is mature enough to justify small- to

medium-sized law firm deployment. Such firms no longer need to be constrained by the limitations of early VPN technologies such as Internet Protocol Security and Secure Sockets Layer. Hybrid VPN technologies have overcome the limitations of their predecessors while maintaining all of the benefits. Although some VPNs are expensive, there are affordable VPN solutions for even the smallest law firm.

VPNs provide network resources to remote users. Such provisions can provide law firms with many benefits, such as enabling remote document drafting and assembly, time sheet tracking, Web conferencing, Web discovery, accounting, research and knowledge management, as well as giving customers and clients access to their files. Further, modern VPNs have progressed to the point that remote users can connect not only with laptops or desktops, but also with state-of-the-art mobile devices such as Personal Digital Assistants and smartphones.

The Technology Behind VPNs
To connect the distant branches for remote access to a network, organizations traditionally configured a dedicated leased line, such as a T-1 or T-3. Some organizations even leased multiple lines — one for Internet traffic and another for data traffic. While one dedicated line was expensive, the addition of another line was increasingly so.

Although expensive, leased lines had several benefits. First, the line was dedicated, meaning only traffic initiated at either end of the connection could traverse the link. If the link was accessible, the user usually was a member of the organization sponsoring the network. In a roundabout way, dedicated lines served as a kind of authentication device. Second, dedicated lines reduced the need for encryption because all traffic presumably was authorized. Finally, dedicated leased lines also meant network transmission speeds were high because only organizational traffic used the line.

Unfortunately, although dedicated lines helped ensure fast and private communications between endpoints, deployment of a dedicated line meant there was no one with which to share network costs. Unless there was a leased line between the organization and each individual user, home workers and road warriors were limited to accessing the network through a dial-up modem bank, and could access it only through an approved remote authentication server. The overhead involved in the deployment of dedicated leased lines was sufficiently cost-prohibitive for small- to medium-sized businesses and law firms.

VPNs were intended to solve these problems. The basic goal behind VPN technology is to dispense with the high costs, as well as the administrative and technical burdens associated with dedicated leased lines by using the Internet to transmit data. Routing organizational traffic over the Internet instead of a leased line increases the return on investment because the public and private entities share maintenance and deployment costs worldwide. When a user sends an e-mail, packets pass through a router in London , for example. In effect, the user is shifting part of the communication costs to the owners of that router.

If it were not for the security risks presented by eavesdroppers, interlopers and hackers, a discussion of remote connectivity would end here. There would be no need for VPNs and users simply could use server resources without fuss. However, the Internet is treacherous. Organizations, especially law firms, can’t tolerate unauthorized users reading private communications in transit or accessing the company server. Firms must feel comfortable that the integrity of their information remains intact. It’s foolish and potentially unethical to pass firm communications over the Internet without sufficient security. And yet, today’s law firms and the firm’s clients often demand attorneys be productive even when they are away from the office. To enable productivity while safeguarding information, law firms should strongly consider implementing some form of VPN technology.

As a general matter, VPNs meet the treachery of the Internet by creating a private, encrypted “tunnel” through which only authorized traffic can pass. Generally, users make tunnel requests over the Internet. Servers grant or deny access depending on the credentials of the requester. VPNs can be engineered and configured to demand different kinds of credentials. For some, a simple password is required, while others require a certificate from a “root authority” such as Thawte or VeriSign. Still, others rely on two-factor authentication, which means users must provide a password and possess a physical, digital security token or key to access the VPN. Once authenticated, the VPN will pass the connection to appropriate internal network resource, such as a file server, Web proxy or even the user’s workstation via remote desktop.

The concept of the tunnel is crucial to understanding the VPN. A VPN tunnel is analogous to a pipe running through the ground. In this analogy the pipe is the VPN and the ground is the Internet. Because of the VPN, everything inside the pipe is authorized and encrypted, while everything outside the pipe is unknown, potentially malicious and not to be trusted.

The hallmarks of a VPN are authentication, encryption and remote connectivity. Authentication ensures only authorized users can connect to the network. Encryption ensures only authorized users can decipher network traffic. Remote connectivity ensures users can connect from behind firewalls and from untrusted locations without compromising information security. The quality of a VPN product is largely measured by the vendor’s success in addressing all of these issues in one package.

To evaluate and choose a VPN, a historical foundation is needed. Categorical statements can be difficult to make in the world of VPN technology because VPNs have been, and continue to be, engineered and deployed in many different ways. Further, fierce competition among VPN vendors drives marketers to take liberties with the English language, which makes the technical aspects of this technology even more confusing. That being said, with one exception discussed below, it’s possible to place VPN technology into three general groups: IPSec, SSL and Hybrid.

IPSec VPNs
IPSec is credited with being the first successful VPN protocol. Technically, IPSec denominates one particular network protocol. However, because IPSec shares important features with the Point-to-Point Tunneling Protocol and Layer Two Tunneling Protocol VPN protocols, “IPSec” as used in this article, will be used generally to reference all three.

Traditionally it’s believed IPSec does a good job with site-to-site connectivity, as opposed to connecting remote and scattered individuals.
To illustrate, if users at a branch location in City A needed to access the network resources at a branch location in City B, an IPSec VPN probably would be a good solution for securely connecting these two distant local area networks.

IPSec also is said to give the full desktop experience. This means users can have full access to remote network shares without realizing the treacherous Internet and many miles are between them. To make this concept concrete, when a user browses “My Network Places” within Microsoft Windows, typically the user sees only network shares of those in the same building or campus as that user. In addition to local shares, an IPSec VPN can enable the user to see network shares from remote locations hundreds or thousands of miles away, just as if these shares were on the same local network.

A full desktop experience isn’t the same as a remote desktop, where users see a streaming picture of the desktop of another computer. Rather, the purpose of the IPSec full desktop experience gives the illusion there is no real distance and no firewall between the client and the server: A user requests information and the server provides it, as if the Internet were not in between.

To achieve the full desktop experience, users usually are required to install a client application, although modern versions of Microsoft Windows also come prepackaged with IPSec clients. IPSec clients are said to be “thick” clients because they depend on a full application installation package similar to what the user would get with any other program installed on his or her computer. A side benefit of a thick client is it can provide an additional level of security because would-be hackers typically need possession of the same thick client (make, model and possibly version) to attempt to breach the network.

In spite of the transparency and utility of the full desktop experience,
IPSec has its drawbacks.

• Application cycle: Thick clients must be licensed, installed, patched, updated, relicensed and repatched.
• The application licensing and maintenance cycle can consume significant financial and staff resources, thus diminishing ROI.
• IPSec doesn’t interface well with Network Address Translation. Heroic measures often must be taken to enable remote clients behind firewalls to connect to network resources.
• IPSec typically grants all-or-nothing access. Network administrators might need to employ third-party or custom solutions to grant desired network privileges.
• IPSec doesn’t hide the Internet Protocol address of the VPN host, making it easy for client PCs to enter and infect the corporate network with worms, viruses and Trojan horses.
• IPSec VPNs typically are not available for access from public kiosks and Internet cafes unless users have rights to install the proper thick client on the public terminal.
• IPSec requires knowledgeable staff, network administrators or outsourcers.
• IPSec might require the user to open multiple ports on firewalls between client and server.
• Split tunneling: If configured improperly, IPSec clients can allow users simultaneously to connect to or “split” a network connection between the VPN and the Internet, thus forming an open and dangerous bridge between the two.

SSL VPNs
SSL was intended to be an improvement over IPSec. In many ways it has succeeded, while in others it has not. Like IPSec, SSL is a network protocol for encrypting and authenticating network traffic. The SSL referenced here is the same one we use to check our financial account balances or to purchase products online.

SSL VPNs have the edge on IPSec VPNs in several ways. First, SSL allows network administrators to exercise more precise control over network resources, meaning that SSL VPN users can be given access to only those network resources appropriate for their level of responsibility. Access levels in SSL VPNs can vary depending on a user’s group assignment, IP address or credentials. SSL VPNs don’t rely on thick client software. Instead, SSL users typically connect through an Internet browser, as all modern browsers are SSL-enabled. This need for only a browser is said to make SSL VPNs “clientless.” Furthermore, SSL VPNs require only one open port and therefore, give simplified firewall administration. Finally, SSL VPNs increase security by hiding VPN server IP addresses so as to prevent malicious code moving from client to server.

However, SSL does have noteworthy drawbacks as well. First, for remote users to connect to software applications, such applications must be “Web-enabled” or “Webified.” A Web-enabled application is one that is capable of receiving network requests over Hyper Text Transfer Protocol. Unfortunately, there are not a great number of Webified applications. Thus, SSL VPNs don’t approach the full desktop experience of their IPSec brethren. Although applications can be Webified through custom development, such custom development is expensive.

In the off-chance a firm relies on a Webified application, an SSL VPN still might require technical and administrative oversight that is beyond the means of most small- to medium-sized law firms. For example, standard SSL VPNs often require split Domain Name Service entries — a very complex technology that we will not delve into for this article. However, educated consumers should thoroughly question their VPN vendor or outsourcer regarding the level of knowledge necessary to implement a VPN solution.

SSL VPNs have other limitations to consider. First, SSL can have a complex relationship with Java and ActiveX. On one hand, SSL VPNs have difficulty displaying applications that feed Java or ActiveX applets from server to client. On the other hand, these same SSL VPNs might require each client to download and run a Java or ActiveX “thin” client applet to send packets from client to server. That a user would need to download an ActiveX or Java applet negates SSL VPN’s claim to “clientless” access. Also, the requirement of installing an applet might be practically impossible if users don’t have sufficient rights to install such applets on a given computer, such as if they were logging in from a public terminal.

Second, SSL VPNs typically don’t support all protocols and especially have trouble supporting User Datagram Protocol-based applications such as those employing peer-to-peer networks and streaming voice and video.

A third issue regards client confidentiality. If an SSL VPN client crashes before going through a clean logout, confidential data on the client PC will fail to be securely erased from the client’s temporary directory because the logout or cleanup script didn’t run. Thus, if a user was reading client-confidential material at the time of the crash, a copy of that material might remain on that PC for others to discover.

Hybrid VPNs
Given the limitations of IPSec and SSL VPN technologies, vendors have naturally endeavored to develop technologies that mix the benefits of both protocols, while eliminating the negatives. Rather than melding the SSL and IPSec protocols, some manufacturers have attempted to provide the benefits of both IPSec and SSL via their own proprietary protocol. Others have supplemented and enhanced their IPSec or SSL products.

As might be expected, today’s hybrid VPNs attempt to provide all of the benefits of IPSec and SSL VPNs, while removing all of the burdens.

Hybrid VPNs such as those from Cisco and Citrix now offer VPNs with:

• One port connectivity
• Full desktop experience
• Elimination of relevance of Web-enabled applications
• Full protocol support (including User Datagram Protocol)
• Unrestricted connectivity through firewalls
• Elimination of the Network Address Translation problem
• Remote control (remote desktop)
• Precise user access control
• Hidden IP to prevent network infection
• Two-factor authentication (e.g., password plus certificate)
• Permanent split tunneling restrictions
• Clientless kiosk mode
• Low maintenance costs
• Elimination of thick client application cycle
• Clean-up scripts to eliminate temp file confidentiality issues
• Elimination of DNS complexities
• Elimination of Java and ActiveX issues.

Vendors also have been keen to counter criticism that their products threaten network security by providing network access to users logged in from poorly secured or infected machines, such as those found in an Internet café. Poorly secured machines can threaten the organization if the VPN gives viruses and Trojan horses a backdoor into the central network.

In response, some have developed what might generically be called “smart authentication.” As used here, smart authentication is the provision of levels of network resources to those who meet certain criteria at the time the network request is made. For example, imagine a user is attempting to access firm resources from an Internet café. Should that user be granted access? New thinking says the security posture and employee status of the network requester should determine whether access is granted or not. Users’ security posture is defined by their current software patch level, the currency of their virus definitions, general security settings, their identity and the service they request. If the users fail or do poorly in the security evaluation, they might be redirected through their Web browser to an update where they can install patches, update virus definitions, tighten security settings and so forth. Smart authentication is intended to significantly strengthen client-side security. However, early implementations of smart authentication probably will not be cheap.

VPN on a Budget
While some of the VPN options can be expensive for smaller firms, there is an important and inexpensive exception to IPSec, SSL and Hybrid technologies. This exception is based on the network protocol Secure Shell. SSH basically is an encrypted version of the old program Telnet. A user who logs in to an SSH server typically gets a remote command line, just like Telnet, except the connection traverses an encrypted or “secure” tunnel. SSH provides strong authentication through user names, passwords and public key authentication. SSH is very different from Telnet in that it has a feature called port forwarding. Readers interested in learning about port forwarding should go to http://tinyurl.com/6z9r2.

SSH is a very basic VPN, if it is considered one at all. SSH really starts to shine when combined with other, network-aware applications and services. One such application is Virtual Network Computing, a free program that provides a remote desktop service, similar to GoToMyPC. Unlike GoToMyPC, however, VNC traffic is unencrypted and has only weak user authentication features. However, when VNC and SSH are combined via port forwarding, the result is a remote desktop, as well as file transfer, network sharing and backup functionality, all with encrypted transfers and strong user authentication. Sounds a lot like a traditional VPN doesn’t it? It’s what I use, and I am quite happy with it.

The Choice for Your Firm
Firms that expect attorneys and staff to work from home or the road will derive a number of important benefits from a VPN. VPNs give workers access to everything they could access if they were in the office, even from thousands of miles away. VPNs allow attorneys and staff to remotely:

• Access document storage systems
• Draft and assemble documents
• Send and read e-mail
• Access case management programs
• Perform digital dictation (with output to be transmitted to an assistant for transcription)
• Perform transcript markup
• Access contact records
• Access knowledge management systems
• Engage in Web conferencing with attorneys and clients
• Use litigation management applications
• Perform accounting and billing tasks.

In the future it might not be uncommon for firms to use VPNs to extend remote services to clients. Firms might designate protected areas on the company server in order for clients to access information. Clients could securely log in to review and edit documents and drafts, view presentations, check their bill and so forth.

The size of the firm will dictate the kind of VPN purchased. Smaller firms might prefer to use software VPNs

with a set monthly expense and minimum maintenance. GoToMyPC and eBlvd provide simple solutions for around $20 per month. Users also might obtain a software VPN without any cost by using VNC (or XP remote desktop) over SSH.

Depending on the skill level of the in-house technology staff, larger firms might need to retain the services of outside consultants to assess and service their VPN needs. Although GoToMyPC has a corporate version, larger firms might end up with dedicated VPN hardware. Of course, firms can expect to pay quite a bit more for such hardware. Cisco, Citrix, Juniper and many others are big players in this area and prices begin in the several thousands of dollars. There are less expensive hardware solutions, but firms should exercise due diligence to understand the limitations of any product offered.

The successes and limitations of IPSec and SSL VPNs have set the agenda for Hybrid VPNs. Whereas the choice of a VPN solution formerly involved unpleasant tradeoffs, the future for Hybrid VPNs promises no compromise. These improvements are not inexpensive. Readers acquainted with the tradeoffs of IPSec and SSL VPNs will have come a long way toward making informed choices as they consider VPN adoption.

Attorneys in the market for a VPN should question vendors thoroughly as to exactly what kind of product is being offered, and should not accept marketing blather in place of thorough explanations. Finally, smaller firms should consider a reduced cost VPN solution in the form of VNC over SSH via port forwarding.