A Tunnel Too Far: Virtual Private Networks - Analytical Chemistry

Ray Dessy. Anal. Chem. 1999, 71 (1), pp 44A–46A. DOI: 10.1021/ac990109t.
A/C

WebWorks

A TUNNEL TOO FAR

Tunneling is not a new phenomenon to chemists. Particles in a box can do it, protons often do it, tunnel diodes all do it. Web users are finding that their communications may also like to do it. The basic concept is simple. Take the messages that pass between different organizational sites, compress and encrypt them, wrap them into packets, ship them down the Internet or private lines, and untangle them at the other end. This kind of system also verifies senders, ensures integrity of messages, and prevents "spoofing"—stealing information by setting up phony Web sites. Along with providing security, this bundling technique lets you create your own virtual private network (VPN) for intranet and extranet applications and tunnel through the Internet "mountain". A tunnel enables one network to send its data via another network's connections. VPN tunneling works by encapsulating your network protocol within packets carried on the Internet. A strong proponent of VPN is the Automotive Network eXchange (ANX), a secure network for electronic commerce among a group of automotive trading partners. Chrysler, Ford, and General Motors plan to connect their facilities and their suppliers' sites through the ANX VPN.

Ray Dessy 44 A

Imagine analytical labs sending sensitive client information over organizational intranets, or via extranets for contract and out-sourced services, using a VPN. After all, the analytical lab is a factory environment—reagents and samples come in, results go out. What are the dangers, strategies, and tactics for winning the game of "A Tunnel Too Far", in which poor planning can lead to disaster? (1) What are other corporations and universities doing?

Although most Web users think of the World Wide Web as a private communications medium, it is more like CB radio. Security, authenticity, and verification and integrity of messages (SAVI) may be compromised by persistent, technically able individuals if normal network conduits are used. Leased lines, such as T1 and T3 options, provide a more secure alternative, but at a significant cost. Power users, who enjoy reading instruction manuals, configuring software, and grappling with changing protocols, can use the security, encryption, and compression tools available in most office suites, browsers, and third-party add-ons to achieve quite good SAVI characteristics—but at a price in personnel time and energy. Why the time and energy? Most people have never explored the security button on their browser's tool bar, and those who have probably don't want to know what it all means. Have you activated your Netscape Navigator 4.0 to include SSL version 2 or 3, turned on digital signatures and certificates, and implemented PKCS #11? Have you selected X.509 for your Lotus Notes? Have you set up security zones and asserted personal and Web site certificates in Internet Explorer?

If you haven't, you are not alone. But, in an organizational environment in which dispersed geographical intranet sites are common and preferred clients need access to extranet features, some way to achieve SAVI becomes essential. A virtual private network may be the answer. These can be built in-house, designed and installed by Internet service providers or network service providers, or offered by a third party. VPNs extend corporate intranets to distant offices, home workers, and road warriors, and provide rich, flexible access to customers, students, business partners, and suppliers via extranets. Don't be intimidated by the acronyms; the concept is simple even if the history is a bit tangled. Just keep in mind that the Internet was not designed with high security in mind, nor was it designed to deliver performance guarantees. Nonetheless, these are becoming important issues as traffic and hacking increase.

Analytical Chemistry News & Features, January 1, 1999

Understanding tunneling requires a little background on network protocols, which exist to get a message from here to there. The various protocols specify the format of packets, also called datagrams, and the addressing scheme. They are usually analyzed using the Open System Interconnect (OSI), a theoretical standard model for worldwide communications. OSI defines a networking protocol in seven layers: physical, datalink, network, transport, session, presentation, and application. Control is passed from one layer to the next, starting at the highest layer (the application or seventh layer) in one station and proceeding to the bottom layer (the physical or first layer), which then goes over the channel to the next station and back up the hierarchy. Novell's Internetwork Packet eXchange (IPX) is perhaps the simplest scheme. It is a low-level protocol used for connectionless communications, and its datagrams are launched with no attempt to ensure receipt.

Because there is no confirmation, any acknowledgment or connection control must be provided by higher-level protocols. The Transmission Control Protocol (TCP) and Hyper Text Transfer Protocol (HTTP) are connection-oriented protocols, and, in contrast with IPX, require that a virtual channel be established between the sender and receiver before any messages are transmitted. The familiar TCP/IP (Internet Protocol) for accessing remote servers is a combination of TCP with the lower-level IP. Whereas IP deals only with packet architecture, TCP enables two hosts to establish a connection and exchange streams of data. HTTP is the underlying protocol used on the WWW. The http:// command in a URL requests the return of the WWW home page whose address follows.

Imagine the Internet as a long series of connected tubes through which packets pass. To tunnel, you take a message, put it in your custom institutional envelope, and then enclose that in a packet that is Internet-compatible. At the other end, the outer envelope is ripped off. You can imagine that a VPN tunnel is created by slipping a smaller diameter tube inside the larger Internet tube. Why call it tunneling? Because bridge technology already exists that allows for the connection of two different networks across various levels of the OSI model. These connections are protocol-independent. Routers also exist, which use protocol information for filtering and directing purposes. The Internet uses routers extensively to forward packets from one host to another. Let's tunnel.

Client-Server tunnels/applications.

First came the Point-to-Point Tunneling Protocol (PPTP)—the initial client-server tunnel design that was developed by Microsoft and the telecommunications technology company Ascend Communications. The protocol was intended for use in Ascend's remote access server hardware and Microsoft's early versions of Windows NT. The Layer 2 Tunneling Protocol (L2TP) was developed when the backers of the Point-to-Point Tunneling Protocol collaborated with the network hardware and software supplier Cisco Systems. The result was a hybrid of Cisco's datalink protocol, which operated at level two of the seven-layer Open System Interconnect model, and PPTP. PPTP and L2TP focus on a client-server environment. These protocols, operating at OSI level two, can encapsulate IP and IPX, which comprise most network traffic. Security features are not implicitly included in PPTP and L2TP, although the user can layer them on.

Host-Host tunnels/applications. The Internet Engineering Task Force has been working for many years on specifications that address authentication and security issues. The result is IP Security (IPSec), a set of protocols that supports the secure exchange of packets. IPSec supports two encryption modes: transport and tunnel. The transport mode encrypts only the data portion (payload) of each packet, leaving the header material untouched. The more secure tunnel mode encrypts the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPSec to work, the sending and receiving devices must share a public encryption key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley key exchange (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticates the sender using digital certificates. Microsoft's Windows 2000 (renamed from Windows NT 5.0) will incorporate IPSec features. When developing tactics for VPNs, just make sure that your IPSecs are compatible. A tutorial on certificates, digital signatures, encryption, and keys is available in print or on the WWW. (2) IPSec operates at the third level of the OSI model and handles IP datagrams. This protocol can offer simultaneous multipoint tunneling and public access, while PPTP and L2TP are limited to single point-to-point tunnels.

Also heard on the Net. These approaches should not be confused with two commonly encountered security measures at the client-server OSI level seven (application level). One is the Secure Sockets Layer (SSL), a protocol developed by Netscape Communications for transmitting private documents via the Internet. SSL works by using a private key to encrypt transferred data. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information such as credit card numbers. SSL creates a secure connection between a client and a server, over which any amount of data can be sent. Web pages that require an SSL connection start with https://. IBM's eNetwork supports
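The "envelope inside an envelope" tunneling picture and the IPSec transport-versus-tunnel distinction described above, worked through as an added example that is not part of the article. It builds minimal IPv4 headers with the standard library and uses a SHA-256-derived XOR keystream as a labelled stand-in for ESP encryption (not a real cipher); the addresses, key and packet contents are constructed sample values.

```python
import hashlib
import socket
import struct

PROTO_TCP, PROTO_ESP = 6, 50  # 50 is IANA's ESP number; used here only to mark the outer header

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for ESP encryption: XOR with a SHA-256-derived keystream. Illustrative, not a real cipher.
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal IPv4 header (checksum left zero) so the fields that travel in the clear are easy to see.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_packet(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:f[2]]}

def transport_mode(inner: bytes, key: bytes) -> bytes:
    # Transport mode: the original header stays visible; only the payload is encrypted.
    p = parse_packet(inner)
    enc = _keystream_xor(key, bytes([p["proto"]]) + p["payload"])  # inner protocol rides inside, as in ESP's trailer
    return ip_header(p["src"], p["dst"], PROTO_ESP, len(enc)) + enc

def tunnel_mode(inner: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    # Tunnel mode: header and payload are both encrypted; the new outer header names only the two gateways.
    enc = _keystream_xor(key, inner)
    return ip_header(gw_src, gw_dst, PROTO_ESP, len(enc)) + enc

def decapsulate(outer: bytes, key: bytes, tunnel: bool) -> bytes:
    # Receiving side: the security association tells it which mode was used; rebuild the original packet.
    p = parse_packet(outer)
    plain = _keystream_xor(key, p["payload"])
    if tunnel:
        return plain  # the whole inner packet, header included
    return ip_header(p["src"], p["dst"], plain[0], len(plain) - 1) + plain[1:]

def inner_addresses_visible(wire: bytes, inner_src: str, inner_dst: str) -> bool:
    # True if the private endpoint addresses can be read off the wire without the key.
    return socket.inet_aton(inner_src) in wire and socket.inet_aton(inner_dst) in wire

# Constructed sample: a lab workstation at site A sends a result to a server at site B.
INNER = ip_header("10.1.0.5", "10.2.0.9", PROTO_TCP, 11) + b"result=42.0"
KEY = b"placeholder-shared-key"  # stands in for the key negotiated by ISAKMP/Oakley
GATEWAYS = ("198.51.100.1", "203.0.113.7")  # documentation-range addresses for the two site gateways
```

Running `inner_addresses_visible` on both wire forms shows why the article calls tunnel mode the more secure option: transport mode leaves the private endpoint addresses readable, tunnel mode exposes only the gateways.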