92

6.2.2 Security Drawbacks of User Authentication

Though the security features are one of the most powerful aspects of the AltaVista Tunnel, user-based authentication still poses some security concerns. In order to provide the flexibility to log in from anywhere, the product removes one of the most common types of authentication normally used by VPNs: checking the incoming IP address. Network administrators, already burdened with users losing or compromising passwords to the system, must stress extra care in protecting generated keys, tunnel user group names, and passwords; these are the only factors by which AltaVista Tunnel verifies its connections. As stated, the AltaVista Tunnel Extranet server should be closely managed as a highly trusted system, because compromising a tunnel key negates the purpose of the virtual private network in the first place.

6.3 How the AltaVista Tunnel Works

Each AltaVista Tunnel network consists of two sides, the inbound and outbound, both connected to the Internet in some fashion. The inbound side is the private network, which consists of some number of hosts and an AltaVista Extranet server. The outbound side can be either a single computer or another LAN. In the first case, the user would run the AltaVista Telecommuter client, and in the second, the remote LAN would have an Extranet server of its own to manage inbound or outbound tunnel traffic by hosts on its network. The Extranet server on the inbound side always manages authentication, dynamic IP assignment, and the routing of tunnel traffic for incoming connections. A simple VPN might consist of three individual users connected to the Internet via three separate ISPs. Each user is running a Telecommuter client, and has access to the tunnel group through the remote LANs Extranet server. Users have unique physical IP addresses on their respective ISPs networks. The tunnel server and hosts on the remote LAN are likewise assigned physical IP addresses. On the tunnel server, a range of virtual IP addresses is available for assignment to incoming tunnel connections. Each tunnel receives two virtual IP addresses: one for the client end and one for the server end. Tunnel traffic destined for the virtual private network is first routed, via the tunnel client software, from the clients physical IP address to its virtual IP address. This virtual IP address points to the tunnel servers virtual IP address for that connection, which, in turn, is routed to an internal host on the local networks physical IP range. In this way, the remote clients act as if they were nodes on the local network. When a remote user initiates a tunnel session with the tunnel server, an encrypted connection request is sent, which, once relayed through the firewall, is authenticated against the tunnel servers list of authorized clients. Once the request is granted, the tunnel server issues a response encrypted with the clients public key. The client decrypts this message using its own private key, and then the two exchange parts of a session key. These parts are combined to form a secret session key, which is regenerated every 30 to 1,440 minutes of the connection. The AltaVista Tunnel 98 software on both ends is installed as a separate network protocol, and is routed to a piece of software called a pseudo-adapter. The virtual IP address assigned for the tunnel connection is attached to this pseudo-adapter through which all tunnel traffic is