In the world of data security, virtual private networks (VPNs) have already become the de facto standard for building secure communications channels. VPN technology meets the fundamental criteria of information security: integrity, confidentiality and authorized access. With the right choice of VPN, scaling is no problem: using a VPN won't create growth problems, and it protects the existing investment if a business expands. In addition, compared with dedicated lines and networks based on Frame Relay, VPNs are no less reliable in protecting information, but are often 5–10x (and sometimes 20x) cheaper.
Everything has a downside, however, and VPN technology is no exception. One drawback of a VPN is a noticeable drop in network performance, caused by the cryptographic processing of the traffic passing through the VPN device. The delays come in three main types:
- Delays in establishing a secure connection between VPN devices.
- Delays associated with encrypting and decrypting the protected data, as well as with the transformations necessary to control its integrity.
- Delays associated with adding a new header to the transmitted packets.
Let's take a closer look at each of the above cases.
- Given the strength of modern cryptographic algorithms, a key change is necessary only after a sufficiently long time interval. Therefore, when building VPNs, delays of this type have practically no effect on the speed of data exchange.
- Delays of this type begin to affect the performance of communication channels only when you transmit data over high-speed lines (100+ Mbps). In other cases, the software or hardware implementation of the encryption method and integrity-control algorithms is usually fast enough: in the chain of operations, the encryption/decryption time is shorter than the time required to transmit the same packet over the network.
- The third delay type is the main problem. Adding header information to each packet passing through the VPN device causes serious delays. For example, consider a control system that exchanges data in real time between remote stations and a central server. The size of each transmitted record is small, no more than 25 bytes, which is similar to the size of the data in the banking sector (payment orders) and in Internet Protocol (IP) telephony. The data rate is 50–100 variables per second. The nodes communicate over channels with a bandwidth of 64 kbps. A packet carrying the value of one process variable is 25 bytes long (the variable name is 16 bytes, the variable value is 8 bytes and the service header is 1 byte). The IP protocol adds another 24 bytes to the packet length (IP packet header).
Frame Relay (FR) channels add another 10 bytes for the FR header, yielding 59 bytes total (472 bits). Thus, for normal operation, this traffic must fit within the 64 kbps limit of the channel.
What do we get when using VPN tools? For IPSec and the specified parameters, the required bandwidth exceeds the channel capacity by 6% (67.8 kbps). This is just an example for clarity, but the more data transmitted, the greater the delay. Such a drop in network performance isn't a major problem for most applications and services, but it's disastrous for, say, streaming video. As information technology develops, the need for high-speed transmission of high-volume traffic grows, and the requirements for both the communications channels themselves and their protection grow accordingly.
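To make the third delay type concrete, here is an added example (not code from the article) that turns the article's 25-byte record, 24-byte IP header, 10-byte Frame Relay header and 64 kbps channel into per-packet size and channel load, and then applies the same arithmetic to ESP-protected packets. The ESP parameters (8-byte SPI and sequence header, 2-byte trailer, IV, ICV and padding alignment per cipher suite, 20-byte outer IP header in tunnel mode) are my assumptions, so the resulting percentages differ from the article's illustrative 6% figure; what the example shows is how the fixed per-packet overhead dominates when the payload is this small.

```python
# Added example, not code from the article: per-packet overhead vs channel load.
CHANNEL_BPS = 64_000   # channel bandwidth from the article
PAYLOAD = 25           # 16-byte name + 8-byte value + 1-byte service header
IP_HEADER = 24         # IP header size as given in the article
FR_HEADER = 10         # Frame Relay header size as given in the article
RATE_PPS = 100         # upper end of the article's 50-100 variables/second range

# ESP framing (my assumptions, not stated in the article): 8-byte SPI+sequence
# header and a 2-byte trailer (pad length + next header). IV, ICV and padding
# alignment depend on the cipher suite, e.g. AES-GCM (8-byte IV, 16-byte ICV,
# 4-byte alignment) or AES-CBC + HMAC-SHA-256 (16-byte IV, 16-byte ICV, 16-byte blocks).
ESP_HEADER = 8
ESP_TRAILER = 2

def _pad_to(n, align):
    """Round n up to the next multiple of align (ESP pads before the trailer)."""
    return -(-n // align) * align

def esp_size(inner_ip_len, tunnel, iv=8, icv=16, align=4, outer_ip=20):
    """Length of an IP packet after ESP protection.

    Transport mode encrypts only the transport payload behind the original IP
    header; tunnel mode encrypts the whole inner IP packet and adds an outer one.
    """
    if tunnel:
        protected = _pad_to(inner_ip_len + ESP_TRAILER, align)
        return outer_ip + ESP_HEADER + iv + protected + icv
    protected = _pad_to(inner_ip_len - IP_HEADER + ESP_TRAILER, align)
    return IP_HEADER + ESP_HEADER + iv + protected + icv

def bandwidth_bps(packet_len, pps=RATE_PPS):
    """Bits per second needed to carry packet_len-byte frames at pps packets/second."""
    return packet_len * 8 * pps

def channel_load(packet_len, pps=RATE_PPS, channel=CHANNEL_BPS):
    """Fraction of the channel consumed; above 1.0 the link is oversubscribed."""
    return bandwidth_bps(packet_len, pps) / channel

plain_ip = PAYLOAD + IP_HEADER   # 49 bytes before the Frame Relay header
plain_fr = plain_ip + FR_HEADER  # 59 bytes, as in the article

if __name__ == "__main__":
    cases = {
        "plain IP over Frame Relay": plain_fr,
        "ESP transport, AES-GCM": esp_size(plain_ip, tunnel=False) + FR_HEADER,
        "ESP tunnel, AES-GCM": esp_size(plain_ip, tunnel=True) + FR_HEADER,
        "ESP tunnel, AES-CBC/HMAC-SHA-256": esp_size(plain_ip, tunnel=True, iv=16, align=16) + FR_HEADER,
    }
    for name, size in cases.items():
        print(f"{name:34s} {size:4d} B/packet  {bandwidth_bps(size) / 1000:6.1f} kbps"
              f"  load {channel_load(size):.0%}")
```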
According to the latest research, only 5% of organizations in the financial sector, for example, need such high standards. The remaining 95% are less dependent on speed drops, and such time delays produce no tangible losses.
Business needs and approaches to building information-security systems have formed two main areas for developing VPN technology: IPSec VPN and SSL VPN. The following are the main pros and cons of each.
1. IPSec (IP Security) is a set of protocols that handles data encryption together with integrity and authentication. IPSec works at the network level, so data protection is transparent to network applications. Whereas SSL (Secure Sockets Layer) is an application-level protocol mainly used for secure communication between remote applications (for the most part, requests to web servers), IPSec treats all higher-level protocol packets alike: authentication and encryption take place regardless of the packet content. SSL, on the other hand, requires a reliable transport protocol (for example, TCP). In addition, IPSec hides from an attacker the information about the port on which the connection is established.
2. IPSec supports three connection types:
- Gateway to gateway
- Gateway to host
- Host to host
SSL only supports connection between two hosts or between a client and a server.
3. IPSec supports both digital signatures and the Secret Key Algorithm, whereas SSL only supports digital signatures. Both IPSec and SSL can use PKI (public key infrastructure). The advantage of IPSec lies in its ability to use preshared keys instead of PKI (for small systems), which simplifies deployment considerably. SSL methods are ideal for establishing a secure connection between a server and a client. The main difference between the authentication methods is that IPSec functions at the network level, so it can verify source and destination addresses just as successfully as it performs higher-level authentication. SSL has access only to information at the transport level and above.
4. A disadvantage of IPSec is the large amount of additional information added to the original packet. In the case of SSL, the overhead is much smaller.
5. IPComp handles IPSec compression. SSL compression is much lighter, and only OpenSSL fully supports it. In the case of IPSec, compression can either increase or decrease performance depending on the conditions. The result depends on the ratio between the encryption rate, the compression rate and the data-transfer rate.
Most encryption algorithms work faster than compression algorithms, so adding compression usually slows the chain down. On a link with a low transmission rate, however, compression increases performance.
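The trade-off in point 5 can be checked numerically. This added example (not code from the article) models the serial chain compress, encrypt, transmit with zlib standing in for IPComp/SSL compression, and applies it to the article's 25-byte process-variable record and to a batch of such records. The throughput figures and the record contents are constructed assumptions, not measurements.

```python
import struct
import zlib

# Added example, not code from the article: does compressing before encryption
# pay off? Rates below are constructed assumptions for illustration.
LINK_BPS = 64_000            # 64 kbps channel from the article
COMPRESS_BPS = 20_000_000    # assumed compressor throughput
ENCRYPT_BPS = 200_000_000    # assumed cipher throughput (faster than compression)

def make_record(name: str, value: float, flags: int = 0) -> bytes:
    """Constructed 25-byte record: 16-byte padded name, IEEE double, 1-byte header."""
    return name.encode().ljust(16, b"\0") + struct.pack(">d", value) + bytes([flags])

def compressed_size(data: bytes, level: int = 6) -> int:
    """Bytes on the wire if data is zlib-compressed (stand-in for IPComp/SSL compression)."""
    return len(zlib.compress(data, level))

def transfer_time(data: bytes, compress: bool) -> float:
    """Seconds to (optionally) compress, then encrypt, then transmit one unit of data.

    Compression and encryption time are proportional to the bytes they process;
    transmission time is proportional to the bytes that finally go on the link.
    """
    raw = len(data)
    wire = compressed_size(data) if compress else raw
    t = 8 * raw / COMPRESS_BPS if compress else 0.0
    t += 8 * wire / ENCRYPT_BPS
    t += 8 * wire / LINK_BPS
    return t

def compression_helps(data: bytes) -> bool:
    """True when compress+encrypt+send is faster than encrypt+send for this payload."""
    return transfer_time(data, compress=True) < transfer_time(data, compress=False)

# Constructed sample input: one record, and a batch of 40 similar records.
SINGLE = make_record("TEMP_SENSOR_0001", 21.5)
BATCH = b"".join(make_record(f"TEMP_SENSOR_{i:04d}", 21.5 + i % 3) for i in range(40))

if __name__ == "__main__":
    for label, data in (("single 25-byte record", SINGLE), ("batch of 40 records", BATCH)):
        print(f"{label:22s} raw {len(data):5d} B  zlib {compressed_size(data):5d} B"
              f"  compression helps: {compression_helps(data)}")
```

A single 25-byte record grows under zlib (framing and checksum exceed any savings), so compression only costs time; the repetitive batch shrinks enough that the saved link time outweighs the compressor's cost.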
Compared with IPSec, SSL is developing faster in the VPN client-server segment. SSL VPN provides the necessary information security at low cost. Although SSL is trying to compete on an equal footing with IPSec, the advent and final standardization of IPv6 should change the situation.
What to choose is up to the customer. VPN providers do an excellent job developing both directions and can offer the optimal solution that meets each customer’s individual needs.
About the Author
David Balaban is a computer-security researcher with over 15 years of experience in malware analysis and antivirus-software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information-security matters, including social engineering, penetration testing, threat intelligence, online privacy and white-hat hacking. As part of his work at Privacy-PC, he has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware-troubleshooting background, with a recent focus on ransomware countermeasures.