Imagine that you are on a business trip and you come across a tremendous opportunity to sell case loads of your product to a new customer. But there's a catch. You must have sufficient inventory to ship tomorrow without completely disrupting shipments to long-standing accounts. You could call the office and have someone chase down inventory levels and outstanding orders for you, but wouldn't it be nice if you could simply connect to the office network and find out for yourself?
This is easier to do than you might think. Many vendors supply sophisticated software applications to handle this problem. However, one issue that holds companies back is information security. How do you prevent unauthorized access to such a system and how do you know the data it contains is safe from eavesdropping?
All of us deal with sensitive information--credit card and bank account numbers, unique identifiers and passwords, personal and corporate financial data, personnel records, and any information that you wouldn't want a competitor to see. Yet this private information frequently travels across the internet reaching locations around the globe. Is it secure?
Consider the business traveler who carries a laptop computer or a personal digital assistant to stay connected to the office. Keeping up with inventory levels, price changes, shipment statuses and e-mail messages requires frequent interaction with the home office no matter where you are. Connectivity is essential.
So how does the internet protect your information? Can anyone simply intercept your communications and read all about it?
Let's explore how secure internet communication works.
To be secure, information must be encrypted, that is, converted into a code that cannot easily be deciphered. Understanding encryption requires a complex, mathematical discussion. Luckily, you don't need to know how encryption works in order to take advantage of it. The concept of a Virtual Private Network (VPN) takes care of the details for you. A VPN creates a virtual pathway or "information tunnel" connecting two computers. The data within the information tunnel is automatically encrypted so that users of the public internet cannot understand the content even if they are able to intercept it.
A properly installed VPN provides safe, secure communications anywhere around the globe. This applies not just to business travelers but also to partners, suppliers and customers. There is a slight performance penalty due to the overhead of encryption but it's a small price to pay.
So, what's behind VPNs?
There are two approaches to creating a VPN: Internet Protocol Security (IPSec) and Secure Sockets Layer (SSL). While both techniques encrypt data, their approaches to sending and receiving it are quite different. (Note: Microsoft also supports techniques known as PPTP and L2TP but these are either less secure or a variation on IPSec so I won't go into them in this article.)
IPSec operates at the network layer in a computer, which means that it encrypts all data traveling between two systems regardless of what software application is being used. Accomplishing this means installing special software on both endpoints. This provides the advantage that only PCs with the proper software will be able to connect.
IPSec carries the disadvantage of requiring you to license and install software on every PC that may connect to the private network. Also be aware that once connected, a user has access to all network resources including file servers and applications. For some employees this is required, but in many cases a more restrictive solution is better.
SSL operates at the application layer, meaning it only encrypts data sent by a conforming application or website. All the major web browsers including Internet Explorer, Firefox, Mozilla, Netscape and Safari have SSL built into them. Thus your PC, PDA and mobile phone are already equipped for secure communications. This makes SSL inexpensive and simple to manage.
SSL only works with specific applications that are designed to communicate through SSL, so your entire network is not exposed. Providing application access to employees, customers, suppliers and partners is a simple matter of assigning them user IDs and passwords. If you've ever used electronic banking or made an electronic purchase, you've used SSL.
The downside for SSL is that each application must be designed or modified to communicate via a web browser interface known as HTTPS (HyperText Transfer Protocol Secure). This also implies that users don't have access to network resources such as printers or centralized file storage and are unable to use the VPN for file sharing or backups unless specialized software is implemented.
Which approach to use, IPSec or SSL, depends on your needs. Both offer secure information transfer. There are many vendors offering VPN products as well as open-source solutions. A few commercial vendors that you might consider are Avaya, Cisco, Enterasys, Juniper, SonicWall, Symantec and WatchGuard. If you'd like to pursue an open-source solution, take a look at OpenVPN, Stunnel and Tinc.
If you're considering opening up a system to external access, don't let concerns over data transfer hold you back. Despite all we hear about security problems on the internet, secure information transfer works quite well and is highly reliable when properly implemented.
Forget the highway. Take the tunnel.
Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO. He is an expert in leveraging open software to drive growth. DAMICON provides Freelance Technical Writing, IT Disaster Response Planning, and Network Security Management services to firms throughout New England.
This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in April 2005.