Network security

Virtual private networks play a key role in creating secure communication channels for end users and protecting corporate data. As enterprises in the Middle East strive to achieve maximum security for their operations, best-of-breed solutions are at the top of a CIO’s shopping list.

By  Sarah Gain Published  April 25, 2005

Image caption: It is only a matter of time before most enterprises adopt VPNs, says Tradecom’s Francois Nabhan.

The world has changed a lot. Instead of dealing with local or regional concerns, enterprises now have to think about global markets and logistics. Today, businesses not only have operations spread out across the country, but also around the world and there is one thing that all of them need: A way to maintain secure and reliable communications wherever their offices are.

Until recently, this has meant that enterprises had to use leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network) to OC3 (optical carrier-3) fiber, provided organisations a way to expand their private network beyond their immediate geographic area. A WAN had advantages over a public network like the internet when it came to reliability, performance and security. However, maintaining a WAN, especially when using leased lines, can be expensive.

As the internet gained momentum, enterprises turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company staff. However, global players needed to be in touch with their staff in other parts of the world as well; hence the creation of a VPN (virtual private network) to accommodate the needs of remote employees and distant offices.

With internet accessibility and bandwidth capacities on the increase, large corporations no longer have to expend considerable resources to set up complex private networks and intranets. However, as with most changes, the introduction of a private network brought related issues such as online security. At the beginning, enterprises were comfortable working with a low level of security, but that is not the case today. Businesses want their corporate data safe and secure. In the Middle East, enterprises are exploring every possible avenue and IT solution to gain that extra level of security.

Network security continues to be a critical issue for enterprises in the Middle East. Although security solutions have been available in the marketplace for some time, it is only recently that businesses have started using them.
While the early VPNs required expertise to implement, the technology has matured to a level that makes its deployment simple and affordable for enterprises of all sizes.

One company that understands the host of benefits that mobile operations can offer is the Al Ghurair Group, which has a business portfolio that spans six major market areas, comprising infrastructure development, manufacturing, trading, retail, event management and tourism. The Group is about to complete a VPN implementation for its enterprise. It will go live by the end of May.

By providing remote access to business applications for both remote staff and customers, Al Ghurair hopes the improved connectivity will enable employees to work faster and more efficiently. “When you open up your business to the outside world in this way, it is necessary to take security very seriously. Security threats are becoming increasingly sophisticated and automated worms such as Sasser, which hit Dubai recently, create major problems for companies that do not have effective security,” says Hatem Al-Sibai, CIO for the Al Ghurair Group. “VPN is only one part of an effective protection framework, but it is a crucial element,” he adds.

This expectation is likely to be met, according to Graham Porter, Sun Microsystems’ marketing manager in the Middle East and North Africa region. At its office, which is based at Dubai Internet City (DIC), Sun operates a highly mobile business environment and can give first hand testimony to the success of these practices. “Being able to offer employees a more flexible working environment means that they generally have a greater degree of job satisfaction,” Porter says. “This means the staff are more productive. When employees have the freedom to work whenever and wherever is convenient, their [productivity] level goes up substantially. There is a huge increase in the total number of hours that they are logged into the company system,” he adds.

Image caption: At the end of the day, time means money and with VPN there is no dead time, says Lunasat’s Ziad Monla.

The ubiquitous public internet offers remote access to central corporate systems such as e-mail, directories, internal and external websites, security and other shared applications over a 24-hour local access facility. Ziad Monla, general manager of Lebanon-based Lunasat, expounds the reasons behind the increased efficiency that is enabled by a VPN: “With the increase of data communication all around the world, companies have to be interconnected all the time. Businesses cannot afford to have to wait for their information — this is why a secure VPN is so revolutionary. Employees can access operational systems anytime, anywhere. At the end of the day, time means money and with VPN there is no dead time.”

Greater output and efficiency are not the only benefits to be had from a secure VPN. Since corporate operations occur over a public network, the virtual solution will cost significantly less to execute than privately owned or leased services. “The VPN approach allows customers to reduce communication costs without jeopardising security requirements,” says Munzer Aloush, network consultant for 3Com Middle East. The high return on investment (ROI) that the technology offers will outweigh any concern about investing in new products, which is a common problem for businesses not only in the Middle East, but also around the globe.

In an IDC report, Charles J. Kolodgy, research director for security products, explains that the growing recognition of the financial savings that the component entails is a key driver behind investment in VPNs. “Enterprises spend billions of dollars on network security, and at the same time, CIOs are being challenged to expose their IT infrastructures to more users — those who are company employees and those who are not. The increasing need for quick but secure remote access is being accomplished using technology that leverages the secure sockets layer (SSL) built into standard internet browsers to create a VPN,” he says.

For Tradecom, which is a distributor of Samsung IT equipment in Iraq, VPN has provided considerable fiscal gains. With offices and warehouses in Baghdad, Mosul and Basra, and headquarters in Beirut, the company found that relying on e-mail and mobile phone calls for communication between branches was unreliable and expensive, resulting in delays and loss of both data and revenues. Since establishing a VPN between its offices last month, along with mobile units for its sales representatives, the company has improved communication.

“The VPN has increased our project and operations profit by 35%. The system has improved connectivity and removed the need for international calls to and from the head office because we are all on the same network,” explains Francois Nabhan, general manager of Tradecom. “We now have immediate access to all our sales and warehouse movements in Iraq and we can talk to our offices internally at any time,” he enthuses.

The boost to profits seen at Tradecom is not uncommon. Since remote users can establish connections to local internet service providers (ISPs) and connect via the internet to a VPN server at the headquarters, the replacement of long-distance services and the elimination of the need for remote access servers (RAS) means that recurring savings are possible. “Studies show that the cost savings in long-distance charges alone pay for the setup within a few months,” says Porter.

Research by Infonetics reveals that LAN-to-LAN connectivity costs can be reduced by 20%-40%, and remote access costs can be slashed by up to 80% by the inclusion of a VPN in a security architecture.

While the financial savings brought about by a secure private network are a major factor in favour of its adoption, money is not everything. Having a VPN means that an organisation’s mission-critical data is in the public domain. As a result, the most valuable benefit that VPNs offer is their high level of security.

A major concern for CIOs when setting up a VPN is to strike a balance between securing this channel and making sure connection speeds are not compromised. “CIOs need to consider the capacity required for the number of users at their company. Enterprises cannot trade off security for performance. However, the secure network still has to perform to the expectations of the users,” says Aloush.

It is equally important, however, to prevent unauthorised parties from tampering with sensitive data before it reaches its destination. “While we want to ensure complete transparency to our customers and to our senior managers in the field, the last thing we want is for our confidential information to be transparent to hackers,” points out the Al Ghurair Group’s Al-Sibai.

Indeed, Mercator, the IT division of the Emirates Group and a supplier of IT solutions to the global air travel industry, has discovered that in order to serve customers such as Emirates Airways, Kuwait Airways, Philippine Airlines, Royal Air Maroc, Royal Brunei and Singapore Airlines, it needs to deploy two separate VPNs to ensure maximum connectivity as well as optimum security. “We have one exclusive VPN for Emirates’ reservations, and a second for all third parties that allow customers to access our Dubai-based systems. Public transportation is an extremely sensitive area and involves the safe-guarding of a great deal of confidential information, so for this reason, we use the VPNs to encapsulate, encrypt and authenticate packets of information,” says Robert Kane, Mercator’s head of BPL services.

Using complex tunneling protocols and encryption procedures, a VPN allows data integrity and privacy to be achieved in a connection that gives the impression of being a dedicated one-to-one channel. “The thing that makes a VPN ‘virtually private’ is a tunnel. Even though you access your network via the internet, you are not really on the internet. Tunneling technology encrypts and encapsulates your own network protocols within the internet protocol (IP). In this way, you can route and bridge, enable filters, and deploy cost-control features the same way as any other traditional WAN links. You have the speed of an internet connection, but the privacy of your own network — that is the essence of a VPN,” Aloush explains.

Once data leaves the protective custody of an organisation’s firewall, encryption algorithms enable the creation of the virtual tunnel. The gateway at the sending location encrypts the information into cipher-text before sending it through the tunnel over the internet to the receiving location, where another VPN gateway decrypts the information back into clear-text.

The encryption algorithm uses a code known as a ‘key’ to create a unique version of cipher-text, and transmission security depends on the length of the key used. If, for example, a 16-bit key is used, an intruder would only have to make 65,536 attempts to crack the combination. The majority of VPN products on the market today are using 168-bit keys and there are some enterprises going even higher. “Even the fastest computers today would need extended time to crack a code that complex,” according to Khaled Rifai, director of business development for Lucent Technologies in the Middle East and Africa.

If a business uses a particular key for a short period of time, or ‘crypto-period’, trespassers are even less likely to gain access. “Some crypto-periods change at a particular volume of transmitted data, while others change at the start of each new session. However, the danger of this is that the likelihood of key-code disclosure increases the more you re-key,” Rifai continues. Creative use of key types can alleviate this. Asymmetrical keys, which allow material to be encrypted with one key and decrypted with another, mean that the key is not a shared secret that must be guarded by both parties. A company can have a private key, which it safeguards itself, and public keys that can be distributed to users.

User and system authentication and data verification are the final stages in a VPN transmission, allowing the recipient to confirm the identity of the sender and check that the data has not been redirected or corrupted en route. Using a hash function, the original data is fingerprinted with an inimitable number, which the sender attaches to the data packet prior to the encryption stage. “When the recipient receives the information and decrypts it, he is able to generate his own hash independently and the output of his calculation is compared to the stored value appended by the sender. If the hashes do not match, it can be assumed that the data has been interfered with,” Lunasat’s Monla elucidates.
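The hash check Monla describes, as an added Python example that is not part of the original article: the sender fingerprints the data, appends the hash and encrypts both, and the receiver decrypts, recomputes the hash and compares. The cipher is a constructed stand-in (SHA-256 in counter mode), and the function names and sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes
NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption for illustration): SHA-256 in counter mode.
    # A real VPN gateway uses a vetted cipher instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def gateway_send(key: bytes, payload: bytes) -> bytes:
    """Fingerprint the data, append the hash, then encrypt both together."""
    body = payload + hashlib.sha256(payload).digest()
    nonce = os.urandom(NONCE_LEN)  # fresh per packet so keystreams never repeat
    return nonce + _xor(body, _keystream(key, nonce, len(body)))

def gateway_receive(key: bytes, packet: bytes) -> bytes:
    """Decrypt, recompute the hash independently, compare with the sender's."""
    if len(packet) < NONCE_LEN + DIGEST_LEN:
        raise ValueError("packet too short")
    nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:]
    body = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    payload, sent_hash = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), sent_hash):
        raise ValueError("hash mismatch: data altered in transit")
    return payload

def demo():
    key = os.urandom(32)  # shared by both gateways
    sample = b"warehouse stock update (constructed sample)"
    packet = gateway_send(key, sample)
    delivered = gateway_receive(key, packet)
    corrupted = bytearray(packet)
    corrupted[NONCE_LEN + 4] ^= 0x01  # one bit changed en route
    try:
        gateway_receive(key, bytes(corrupted))
        detected = False
    except ValueError:
        detected = True
    return delivered, detected

if __name__ == "__main__":
    print(demo())
```

Production VPN protocols perform this comparison with a keyed hash (HMAC) or an authenticated cipher rather than a bare hash.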

Understanding the operational technologies is only part of implementing a successful VPN. Security policies define acceptable access privileges based on staff job roles, special projects and levels of trust, but these should be granular enough to allow differentiation by organisation, server group, and user levels. “It must be kept in mind that a business must walk a fine line between limited access and collaborative computing. Resources should be protected at the highest possible level without jeopardising employee productivity,” emphasises 3Com’s Aloush.

The management of the devices is a critical and potentially expensive investment in terms of the time and personnel required. Device management is best handled with dedicated software and the Al Ghurair Group has found that auto-policy setting and the configuration capabilities for accommodating branch offices and remote clients need to be carefully examined when evaluating management platforms. “We have a dedicated team in charge of selecting the solution and carried out a great deal of research before moving on to deploy,” says Al-Sibai.

For small, site-to-site VPN implementations, the less expensive element-based management and monitoring systems are adequate, but for a large network, centralised policy-based management is a must. This allows intrusion attempts, VPN tunnel failures, concurrent tunnel reports and software validations to be centrally monitored. It saves time and avoids the increased likelihood of misconfigurations that arises when administrators have to enter hundreds of individual commands. “Some corporations prefer to outsource these services to their ISP or to a secure application service provider (SASP) with management infrastructures already in place. This means that expenditure is on recurring monthly fees rather than in capital investment,” adds Monla.

The technology’s capacities for stability, vast area coverage and real time updating of company records will also prove to be driving factors in the VPN market. Tradecom has come to realise that these qualities make VPNs ideal for emerging markets like the Middle East. “This is a sound and profitable investment and has lowered our costs significantly. This fits with the priorities of all businesses in this region — we all strategise to make money. Thus, we are in the process of planning the extension of our VPN to cover our new partner company in Saudi Arabia. I know other businesses will embrace the technology and roll it out across their operations,” says Nabhan.

The trends in the worldwide VPN appliance market indicate that on a global scale, the benefits the network offers are tempting many organisations. IDC estimates that the vendor revenue in 2004 was over US$200 million — a 172% increase on the previous year. “By 2009, the market is expected to reach nearly US$900 million in revenue. This represents a compound annual growth rate (CAGR) of 35% from 2004’s figures,” states Kolodgy. The research firm also predicts strong growth for secure sockets layer (SSL) VPN, which allows users to securely connect to internal corporate applications via the public internet. “This is predicated on continued deployment of web-based remote access applications and services. The use of SSL-VPN within a corporate LAN will greatly expand the available market for this technology,” he adds.

The growth in the number of virus and phishing threats per capita in the Middle East has dropped considerably over the last quarter, increasing by just 4% in Q404 in contrast to a leap of 63% that was seen in Q304. “This can be attributed, at least in part, to a massive increase in awareness and education that has occurred around information security issues across the region in the past six months,” comments Kevin Isaac, the regional director for Symantec Middle East and Africa. The growing awareness among CIOs means that all areas of security are experiencing a boost in sales. Mercator’s Kane believes that a significant amount of this growth, specifically the anticipated growth in the VPN market, will be generated in the Middle East region. “The solutions are easy to implement and infinitely scalable. More and more companies are starting to establish VPNs. The world, as far as security goes, is not getting safer and data protection will continue to be a major priority,” he asserts.
