ATM and VPN's

matthew patton mep at NETSEC.NET
Mon Apr 3 12:03:31 EDT 2000


On Thu, 30 Mar 2000, Kent Dallas wrote:

Hopefully I can put some numbers to these questions as raised by Todd and
Kent.

> While you have pointed out, as others have privately, that the major cost is
> in "commodity" hardware and the increased processor requirements, there are
> other costs to recognize as well.

I would beg to differ on the 'hardware' costs side. A normal PC with
~300MHz (or lower for client) paired with a server with a crypto
accelerator can be found for $2000 US. (blatant commercial plug: we
have said animal) However, on the 'soft' costs side of the balance
sheet, having to tweak one's business practices so that secure procedures
are taken is hard to calculate. Having IT roll out VPN client software and
establish keying mechanisms can cost a fair bit.

> How much does it costs to support and maintain?  Your tastes are for Open
> Source Unix with firewall functionality.  Do you trust a kid just out of
> school making $40K to configure it properly?

Depends on the kid. :-) But really the person doing the actual software
installs can be any semi-intelligent animal. The one putting together the
plan and infrastructure and drawing up what needs to be done on the
clients/gateways needs to have a few marbles rattling up top. I take it
then you hand that 40k kid a fancy 10,000 US piece of hardware and say,
"here slap NT on this thing and make me an exchange server?" That takes an
awful lot of faith, doesn't it?

> properly maintain such system, especially in a large and dynamic
> environment.  How much to recruit and retain those individuals?

This is where outsourcing can be helpful. Rather than retain and train a
security professional for 100+k/yr you contract out management of the VPN
gateways (and the hardware support thereof) to a 3rd party for < 1000 /
month. Now all you, the IT person, have to worry about is installing the
client software and issuing an electronic trouble ticket (or filling in a
web page) to enable that new connection. The gateway is updated and
presto, you're done. Even that semi-skilled high-schooler can do that. Does
he need to mess with the VPN gateway? No. The 'experts' have already
pooled their knowledge and made optimum choices. Naturally they should be
willing to go over it with a fine-tooth comb should you want a review. I
hate nothing more than a security vendor who can't discuss their product
on a technical basis or be willing to lay out what EXACTLY is going
on. "Trust us" doesn't cut it in my book.

> How expensive is support on the Open Source software?  Free, right?  If you
> have the developer talent in house to code your own solutions, but I doubt
> you consider his/her time free.

Indeed. But what about windows? Do you have a source license? Do you
have the necessary kernel hackers in your company to fix/tweak that
pernicious TCP stack? I sorta doubt that. That is where firms like
ourselves, RH, LinuxCare and what not come into play. We directly employ
or work with those who have the requisite talents. Case in point. Of all
the 'free' unixes OpenBSD has the best (only) security audit, the only one
with global strong crypto, the only one with top-notch IPSEC and IPv6
support, and now hardware accelerated cryptography. Why? Because we
(NetSec) directly employ 2 OpenBSD developers, and also separately pay
other OpenBSD developers to work on, revise, and enhance code. But rather
than just us benefitting, the whole community does.

Need to talk to an OpenBSD developer or get tech support? We'll spare you
the "your credit card now please, support is 100k/yr" cost of windoze
support from the Redmond giant, and instead support you far faster and
cheaper and you won't get some blithering idiot on the other end whose
skills consist of doing a word search in the knowledge base.

Tech support cost? Couple thousand a year. But the beauty of it is, you
don't HAVE to have in-house skills, at least not at "hard core
user" level. We can manage the box for you. Or take your service call and
walk you through the procedures. Naturally, if you want to understand
what we just had you do (should that even be necessary) we could recommend
any number of texts and resources to expand your own skill set.

I personally handle clients that have a dozen VPN pipes up, from as far
away as India (talk about latency). The IT person for this company barely
understands networking, and unix is way above his head. No matter. He has a
problem? He calls me. Even if the problem isn't ours at all, but his 1/2
penny ISP with those semi-skilled high-schoolers doing clueless things, I
get to troubleshoot remotely. He even calls me when he can't get
traffic out of his network because he's screwed up something on his NT
servers. I mean, NT is tripping this guy up, too. It's a lot of fun! (heh)

I handle government clients that can work magic with CISCO routers but
again have no inkling of how their NetWare or NT networks work, what kind
of traffic goes where or anything. We have 250 VPN sites across the US and
possessions and they are all managed by us, and in a limited capacity, by
him. He has a simple means of tweaking the boxes himself that requires
~zero unix knowledge. And he loves them. But again, if he has a problem,
he calls me.

The above was simply to illustrate that there is no requirement that you
the customer employ a UNIX guru. We ARE your guru and our goal is to be
available and provide rapid assistance and walk you through something as
needed, and at the same time educate you should you desire it.

Are opensource operating systems viable? Most definitely. I would argue
even more so than commercial ones. The 'unrest' CTO's feel about not being
able to get on the phone and harangue M$'s VP is just that, a
feeling. And unless you're a Fortune 200 (if then) M$ wouldn't give
a hoot in heck who you are. Spit in the wind all you want. What about us
the small guys? We get an unhappy customer, it is a HIGH priority item. We
DEPEND on keeping ALL of our clients happy. Otherwise we're toast. By
comparison your contribution to M$'s coffers amounts to an insignificant
drop in the ocean. Sure, it might be bad PR for a while but they don't
care... They have no incentive to do so.

> How about key management?  Do you use a PKI?  How expensive is the PKI?

OpenSource? Again software costs are extremely low. Want a commercial
product? Be my guest. Again you can pay a 3rd party to worry about that
for you. All you really need from an IT perspective is a machine that's
up, and an easy and speedy way to create certs and distribute them. And
no, doing CERT based VPN's is not my first recommendation. It's nice, I'll
admit but the PKI hurdle is not something to sniff at. If you're not going
to PKI the rest of your IT infrastructure in some fashion or another,
using pre-shared secrets is simply good enough. But this also depends on
your industry and any entangling regulations you may have to deal with.

> And most experts recommend that you have a box dedicated to VPN (for large
> implementations) to handle the encryption, because if your firewall (or
> router) is busy handling encryption, it is not handling its primary tasks.
> This issue directly relates to the opportunity costs.

Heh, may I introduce crypto accelerators? The chips we use handle full T3
speeds at 3DES. The next generation goes to OC3. Firewalling takes very
little CPU. I had a 486/33 with EISA bus handling a T1 with aplomb. Like
3% CPU utilization. The limiting factor when you stuff multiple NICs in a
PeeCee is the PCI bus. When you introduce Gigabit Ethernet, the limit is
interrupt handling. The reason the 'experts' recommend a separate box
just for VPN is that it keeps each component (VPN, Firewall) simple. And
one of the bedrock principles of computer security is KISS (keep it simple
stupid). I'm sure Todd and others would heartily agree. That's why you
don't put ftp/mail/news servers on firewalls. Each layer of functionality
adds security issues and makes the box that much more critical to
operations. That is not smart. But as it relates to VPN's and firewalls,
these two can live on the same box in adequate harmony. But, separating
them does make the firewall rules writer's job a little easier.

I'm sure some folks have very limited rack space, that's why our unit is
only 2U and we design our own NIC card layouts (ie low profile) so that we
can still pull it off. In the future I envision us putting together some
combination of 1U or 4U (with multiple computers inside) to handle things
like mail, news, and ftp services for those, again, who don't want to
retain a UNIX guru to enjoy these services. If you want to run NT or
Netware, then you'll have to hire and retain your own flavor of guru,
contract or otherwise.

> What about integration?  What if the other site uses different VPN
> technology?  How expensive is it to find a common solution?

Meaning IPSEC vs PPTP? Well, I could go on a rant about PPTP but that's
not constructive. The only other option is IPSEC. Are there incompatible
implementations out there? Unfortunately yes. Therefore any 'integrator'
would have to first determine what the conditions were on each end. But
each IPSEC vendor has an incentive (not as big as one might like
perhaps) to get their act together so it's really a function of time. But
for the most part, it is possible to get many products working
together. And when you consider how cheap a VPN box can be, it really
doesn't matter a whole lot if you have an incompetent provider, you simply
dump their excuse of a product. You probably paid 10 times the amount for
their "gateway software" anyway. (granted now you have to explain to your
boss why you paid tens of thousands for something when you could have paid
just a couple thousand...)

But security via VPN's really isn't the end, in a lot of cases. What are
you going to do about mail attachment checking, virus scanning, desktop
policies and all that? Is there a way to do software management as
well? There are a couple of solutions out there right now but again, they
are expensive, incomplete and inconsistent in coverage. Pushing security
to the desktop is a hard nut to crack, indeed. But if you're serious about
it, then PKI is likely to become important. I await the day when having
issued a person a cert, I can have them log onto any unix, nt, or netware
network and do whatever they are supposed to do. One of these days NDS
will use CERTS, and so will Unix. Maybe the actual glue will be
Kerberos. But M$ so nicely shot that option to bits.

> A quote from the Wall Street Journal, March 28, 2000, page B8, article
> "Internet Encryption's Password is 'SLOW'" - "Although the tools for
> hacker-proof communications have been available since 1977, they are not
> widely used because they are often slow, tricky to install, and difficult to
> link with other systems".  The WSJ may not be the best source for technical
> knowledge, but they do know something about costs.

Well, anyone buying Cisco's, Checkpoint's or TimeStep's VPN solution has
IMO been roundly snookered.

--
Network Security Technologies Inc. - Commercial support for OpenBSD
www.netsec.net       (703) 561-0420       matthew.patton at netsec.net

"Government is not reason; it is not eloquence; it is force!
 Like fire, it is a dangerous servant and a fearful master."
  - George Washington
