Secure Socket Layer based VPN

One of the alternatives to traditional Virtual Private Networking (VPN) is the SSL based VPN. This alternative is being tried out in many an enterprise and service provider networks. SSL based VPN solutions are fairly easy to implement and is slowly gaining acceptance in the industry, even though this is a very small percentage compared to the traditional VPN implementations.

Typical set-up involves a single or redundant SSL based VPN gateway, which connects into the corporate network on the inside and the outside interface is connected to the firewall. This gateway now acts as the SSL VPN gateway for all remote access and roaming users. A legitimate user can connect to this gateway from anywhere in the Internet and access his internal resources over an encrypted SSL session.

The beauty of the whole solution is that the user no longer needs VPN client software installed on his/her laptop or computer to get connected and access his internal resources. All that the user would ever require to access his internal resources securely is a browser that is SSL-enabled. The background tasks that happen are really transparent to the end user. In reality, the gateway behaves like a proxy and the whole process can be broken down into two processes. On the background the gateway uses the native protocol to communicate to the intranet resource, which the end-user is trying to access. On the foreground the whole application, which is accessed, is encrypted over an SSL session.

This enables the end-user to get the same feel of accessing the application from inside the corporate network. This simple method has proven to work well over the Internet for accessing standard applications, which work well over a web front-end.

This method of securely accessing Intranet resources with minimal cost associated with setting up a secure traditional VPN has captured the imagination of many network administrators. The ease and simplicity of the solution and the cost-effectiveness of SSL based VPNs has made it a viable solution in many cases.

The SSL-VPN network appliance creates a transparency to the end-user accessing his Intranet. In addition to the transparency, the security aspect of it has also been taken care by the strong SSL encryption, but on the other hand, certain applications which are not web-friendly require a client to be installed on the SSL VPN gateway. The transparency of accessing the applications is lost under these circumstances and it becomes a cumbersome task to get this integrated. In all, SSL based VPN is an alternative where the entire enterprise is web enabled and there is no client-server application in the enterprise. This is a difficult pre-requisite and may lead to this solution being used in specific scenarios only. The traditional VPN solution, I am sure will live long.

- CR Srinivasan

IPv6: The Next Generation Internet Protocol

IPv6 popularly referred to as "IPng" (next generation Internet protocol) promises to revolutionize the way the public Internet will be used by various applications, services and end-users. RFC 2460 (on IPv6) was released by the IETF (Internet Engineering Task Force) in December 1998. A lot of developments have happened in the last five years, with the pace of progress on IPv6 development, deployment and migration steadily gaining speed.

Internet Protocol version 6 is abbreviated to IPv6, like the previous version IPv4. IPv6 is a new version of IP that has been designed specifically to offer advanced features like higher address scalability, data integrity, quality of service, better security and auto configuration features.

The 128-bit address space is the most important aspect of IPv6 and is four times bigger than its predecessor IPv4, which is 32 bits only. IPv4 offers close to 4.2 billion IP addresses whereas IPv6 offers 340 trillion, trillion, trillion IP addresses! Though the number of IPv6 addresses looks unthinkable, the rapid adoption of the IP protocol onto popular consumer devices like mobile devices, wireless units, Personal Digital Assistant (PDAs), audio & video equipment, microwave ovens, refrigerators, televisions, music systems and the like is expected to significantly increase the demand for IP addresses world over.

The 6-bone network in the US is an exclusive test-bed setup for the evolution and deployment of IPv6. It has active participation from many countries across the world.

Though the public Internet is not IPv6 enabled (IPv6 traffic has to be tunneled over IPv4 networks), all the major network and software vendors across the world have already started including IPv6 features and service capabilities into their product line.

Organisations will have to approach IPv6 from both the network and application perspective!

- Badri Narayan