White Paper September 2007
Virtual Private Network (VPN) Certification:
iBAHN® Keeps Mobile Workers Productive and Secure
“iBAHN’s VPN certification program has improved my hotel’s
ability to work with large corporate customers, like Lockheed-Martin.
Now when they schedule corporate events and travelers at my hotel,
I can be sure that the HSIA service will be secure,
and will work flawlessly for them.”
– Lon Breedlove
Residence Inn by Marriott,
Minneapolis-St. Paul Airport (Eagen)
Virtual Private Network (VPN) Certification
What Is a Virtual Private Network (VPN)?

With an ever-increasing mobile workforce, organizations have had to provide a method for secure connections to enterprise networks for traveling or mobile workers. That is the purpose of a VPN: giving mobile or traveling workers secure access to network resources over the Internet or other networks. While VPNs function over public networks, they “inherit” the characteristics of the private corporate network, hence the “Virtual” Private Network. At its most basic definition, a virtual private network is an extension of a private corporate or organizational network that aggregates links across shared or public networks like the Internet. With a VPN, you can send information between two computers across the Internet in a way that mimics the traditional point-to-point private link of a home network. VPNs use tunneling, encryption, authentication, and access control to establish and maintain a secure connection.

Why Should You Care?

In a recent survey of business travelers performed by FGI Research, nearly 50% of the respondents admitted to using public, open Wi-Fi networks in locations such as parks, coffee shops, and hotels. These locations typically use non-secure network services, exposing the business traveler to malicious attacks both on their data transmissions and on the data stored on their laptop hard drive. Interestingly, 86% of these same respondents ranked public Wi-Fi hotspots as extremely insecure to fairly insecure, indicating that they are aware of the lack of security yet will still use the service. How, then, can companies protect their mobile workers and help them stay productive while using open Wi-Fi networks? The answer: providing Virtual Private Networks.

Being productive is driven by several factors; among those factors are security and ease of use. If a mobile worker is unable to find a way to connect to his or her corporate or organizational network securely, work that could get done while traveling has to wait. And if it is simply too difficult to gain and maintain a secure connection, workers are unable to perform critical tasks and to stay in touch easily with the corporate enterprise.

While the ability to be productive is a critical issue to the vast majority of traveling or mobile workers, security is almost equally important. In the same survey, respondents revealed that 39% of them had been the victim of malicious attacks, including viruses, data theft and malware, while traveling on business, and 43% while on personal trips.

Why Does VPN Certification Matter?

Many hospitality broadband service providers have taken the time to check standard VPN configurations to ensure they will generally work on their networks. Leading providers, like iBAHN, have taken the additional step of setting up certification programs for specific corporate configurations, to ensure their seamless operation.

There are literally thousands of combinations of software, hardware, chipsets and configurations for all those business travelers’ devices — and there is no “one size fits all” VPN solution. There is simply no way for any network provider to consider all of the combinations and configurations that might occur. The iBAHN VPN certification program is unique in addressing the major challenge faced by business travelers — VPN configurations that will not easily connect through the hotel network.

Lack of sufficient IP addresses — another key issue — is also solved by the iBAHN patented private network. VPN access requires a discrete IP address for each user. Many connectivity providers to hotels can only allocate a few discrete IP addresses at each individual property; thus users can be “locked out” of their corporate VPNs, and unable to complete the work they need to do. Because
iBAHN owns its managed network, the company is able to provide a virtually unlimited pool of IP addresses to assign. The result: employees remain productive, and critical corporate data remains secure.

It is not good enough to be compliant with standard VPN configurations. A true VPN certification process for corporate networks includes a thorough understanding of the corporation’s specific and unique VPN configuration and how that setup relates to the iBAHN network. Once a company’s VPN is certified, its business travelers and mobile workers are assured the highest level of reliable connectivity, security, and ease of use at all iBAHN-enabled hotels.

What Kind of VPN Should You Consider?

The landscape of VPN products and services offered by a wide variety of vendors continues to evolve. Typically, VPN usage falls into two broad categories, remote access and site-to-site access. Each has its own features, benefits and issues.

• Remote Access - This is a user-to-LAN connection used by companies where employees must connect to the enterprise network from remote locations, such as an office at home over a broadband connection or a road warrior over a broadband connection. A good example of a company that needs a remote-access VPN would be a large firm with many sales people in the field. Remote access VPNs permit secure, encrypted connections between a company’s private network and remote users through a third-party

• Site-to-Site Access - Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased lines. Site-to-site VPNs can be further categorized into intranets or extranets. A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.

VPN Technologies: What Does it All Mean?

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.

Advantages:
• Very secure – good encryption and authentication
• Supports a wide variety of encryption algorithms

Disadvantages:
• More difficult to set up
• Requires some type of client
• Various vendors have different ways of implementing it
• Doesn’t work well with PAT

IPSec uses ISAKMP (UDP 500 or TCP 500) for key exchange. IP protocol 50 (ESP) is then used for data transport. For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user’s PC. IPSec supports various encryption algorithms such as 56-bit (single-DES) and 168-bit (triple-DES) encryption.
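The “one discrete IP address per user” point made under Why Does VPN Certification Matter?, the “Doesn’t work well with PAT” disadvantage above, and the GRE transport described for PPTP later on come down to the same thing: ESP and GRE carry no port field that a port-address-translating gateway can multiplex on. The following added example (not from the paper or from iBAHN; the gateway model, the address values and the simplifications noted in the comments are assumptions) simulates such a gateway with a small pool of public addresses:

```python
# Added example, not from the iBAHN paper: a toy port-address-translation (PAT)
# gateway showing why ESP (IP protocol 50) and GRE (IP protocol 47) need a
# discrete public IP per VPN user, while a port-based SSL VPN (tcp/443) does not.
# Protocol numbers are the ones the paper cites; the gateway model is assumed and
# deliberately ignores NAT traversal (ESP-in-UDP) and GRE call-ID tracking.
from dataclasses import dataclass, field

ESP, GRE, TCP, UDP = 50, 47, 6, 17


@dataclass
class PatGateway:
    public_ips: list                            # the provider's pool of public addresses
    table: dict = field(default_factory=dict)   # (pub_ip, proto, pub_port) -> private host
    next_port: int = 40000

    def translate(self, private_host, ip_proto):
        """Return the public (ip, proto, port) binding, or None if none is free."""
        if ip_proto in (TCP, UDP):
            # Port-carrying protocols can share one public IP: each flow gets
            # its own translated source port, so the pool size does not matter.
            self.next_port += 1
            key = (self.public_ips[0], ip_proto, self.next_port)
            self.table[key] = private_host
            return key
        # ESP and GRE carry no port number, so the gateway can map at most one
        # inside host per public IP per protocol; otherwise replies are ambiguous.
        for ip in self.public_ips:
            key = (ip, ip_proto, None)
            if key not in self.table:
                self.table[key] = private_host
                return key
        return None  # pool exhausted: this user is "locked out" of the VPN


def concurrent_vpn_users(pool_size, ip_proto, hosts):
    """Count how many of `hosts` obtain a usable binding for `ip_proto`."""
    gw = PatGateway([f"203.0.113.{i}" for i in range(1, pool_size + 1)])
    return sum(gw.translate(h, ip_proto) is not None for h in hosts)


if __name__ == "__main__":
    guests = [f"10.0.0.{i}" for i in range(1, 21)]   # constructed: 20 hotel guests
    for name, proto in (("IPSec ESP", ESP), ("PPTP GRE", GRE), ("SSL VPN tcp", TCP)):
        print(f"{name:12s} users served with 3 public IPs: "
              f"{concurrent_vpn_users(3, proto, guests)}")
```

With three public addresses the model serves only three ESP users and three GRE users but all twenty TCP users, which is the capacity limit the paper attributes to providers with a small address pool.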
Point-To-Point Tunneling Protocol (PPTP)

Advantages:
• Easy to set up – included with every Windows OS
• Provides “reasonable” security

Disadvantages:
• Authentication uses weak algorithms – some versions of PPTP can leak the user’s password
• Some encrypted data can be decrypted by a third party with reasonable effort
• Easier to pass through PAT, but still has problems in many cases

Security Problems:
• Password hashing – weak algorithms allow eavesdroppers to learn the user’s password
• Challenge/Reply Authentication Protocol – a design flaw allows an attacker to masquerade as the server
• Encryption – implementation mistakes allow encrypted data to be recovered
• Encryption key – common passwords yield breakable keys, even for 128-bit encryption
• Control channel – unauthenticated messages let attackers crash PPTP servers

PPTP uses TCP port 1723 for connection negotiation and IP protocol 47 (GRE) for data transport.

MPPE (Microsoft Point-to-Point Encryption) uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the ciphertext streams of the two directions together, which would cancel out a shared keystream and remove the effects of the encryption.

This protocol is still vulnerable to offline password-guessing attacks from hacker tools.

Secure Socket Layer (SSL)

One of the newest technologies in the VPN marketplace is called an SSL VPN. Some companies prefer Secure Sockets Layer (SSL) to the traditional IPSec enterprise VPN technology. One of the many benefits of an SSL VPN over traditional technologies is the flexibility inherent in initial user setup. SSL VPNs have also been cited as easier to connect over remote networks, and do not require client-side software to run.

There are several immediate advantages to Secure Socket Layer VPNs, including:
• It will be a clientless VPN, making set-up and use easier
• It will provide application layer security for its users
• Because it is a higher level of security for users, it will provide increased protection when using insecure public networks

There are, however, some immediate disadvantages, including:
• An SSL VPN will require a significant amount of time in administrative set-up
• Applications that can be used may be limited to those available on the VPN concentrator.

It is increasingly clear in our digital world that business travelers face a unique set of challenges in working productively and safely while on the road. The implementation of a VPN, and subsequent certification, will help to ensure that mobile workers can continue to do their work via secure, easy-to-use connections provided
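Returning to the MPPE point in the PPTP section above (unique keys in each direction): the property can be checked directly. This added example, not from the paper or from iBAHN, encrypts the two directions of a link with RC4 (the stream cipher MPPE uses) and shows that with one shared key the keystream cancels out when the two ciphertexts are XORed together, while with per-direction keys it does not. The keys, messages and the labelled per-direction derivation are constructed assumptions that only mirror MPPE’s idea, not its actual key schedule:

```python
# Added example, not from the iBAHN paper: why MPPE derives a separate RC4 key for
# each direction of a PPTP link. With one shared key both directions would be
# XORed with the same keystream, so XORing the two ciphertexts together cancels
# the keystream entirely. Keys and messages below are constructed; the per-
# direction derivation with a label is an assumption that mirrors MPPE's idea.
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (the stream cipher MPPE uses): return n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def direction_key(master: bytes, label: bytes) -> bytes:
    """Derive a distinct 128-bit key per direction from one master secret (assumed scheme)."""
    return hashlib.sha256(master + label).digest()[:16]


def keystream_cancels(send_key: bytes, recv_key: bytes, p_out: bytes, p_in: bytes) -> bool:
    """True when XORing the two directions' ciphertexts leaves p_out XOR p_in,
    i.e. the keystream dropped out because both directions shared a key."""
    n = min(len(p_out), len(p_in))
    c_out, c_in = encrypt(send_key, p_out[:n]), encrypt(recv_key, p_in[:n])
    return xor(c_out, c_in) == xor(p_out[:n], p_in[:n])


if __name__ == "__main__":
    master = b"constructed-master-secret"
    out_msg, in_msg = b"GET /payroll HTTP/1.1", b"HTTP/1.1 200 OK ok"
    print("shared key, keystream cancels:", keystream_cancels(master, master, out_msg, in_msg))
    print("per-direction keys, cancels:  ", keystream_cancels(
        direction_key(master, b"send"), direction_key(master, b"recv"), out_msg, in_msg))
```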