Beyond Firewalls: Public Utility Computing for Private Networks
With demand for telecommuting, IT outsourcing, and B2B rising sharply, "remote access" often spells headaches for private networks. Firewalls, Virtual Private Networks, web portals -- sentries and staples of the networked environment -- have emerged as part of the problem. Surmounting these barriers is a new approach being tested at Sun Microsystems Laboratories. The Virtual Enterprise Network may help open the door to public utility computing for private networks.

Sun Microsystems Laboratories is building a better way to access networks from anywhere over any media - a secure multi-point IP tunnel that serves the wired workplace and anticipates public utility computing.

Consider the much-maligned firewall. Protector of enterprise data, or bane of system administrators? Screener of unwanted email, or bottleneck for telecommuters and outsourced service providers? Firewalls and web portals are the sentries and parapets of private networks that guard corporations and agencies against outside attack and unwanted surveillance. Part screening router, part host server, and part web cache, the firewall has long been tolerated as a necessary evil. Necessary because it hides client addresses, encrypts proprietary data, and generally filters incoming packets that might be from intruders. Evil? Well, certainly frustrating.

Chokepoint Charlie
Firewall and web portal architectures reflect dated assumptions about the world of work. That's because they were designed for an era when going to work meant physically commuting to a geographically fixed site. This picture is changing. According to the Gartner Group, "the 1990s witnessed the 'mainstreaming' ... of telework and alternative workplace models, including remote access." The workplace is now rapidly evolving "from a 'place-centric' to a 'network-centric' orientation," concluded the Gartner study, "Workplace Transformation: A Business Imperative," published this June. The upshot: As mobile workplace computing has grown, "anywhere, anytime" connectivity to work has replaced the old model.

Two trends are also driving demand for remote workplace access: Business-to-Business (B2B) transactions and IT outsourcing. The Forrester Group predicts that by 2004, there will be $1.4 trillion in goods and services transacted online between domestic businesses. Between now and 2002, businesses may spend as much as $500 billion buying software to wire virtually every aspect of their operations to the Internet, according to Beth Gold-Bernstein of eBiz.com. At the same time, global revenues from outsourcing IT services are projected to grow to $120 billion by 2002. By then, according to MetaGroup research, "leading CIOs will outsource between 35-40% of most large organizations' IT budgets." Outsourcing of computer resources ranges from third-party data storage and IT integration to application service providers.

As these trends conspire to boost the volume of wired traffic into and out of enterprise networks, many find themselves regularly working from outside a corporate firewall. More than a few find that the firewall relegates them to the status of "second class citizen," says Glenn Scott, senior engineer at Sun Microsystems Laboratories. "Firewalls typically have been a chokepoint on server access for remote, authorized users," according to Scott.
When workers dial up from home or a hotel room, remote access feels like, and often functions as, a barrier rather than a bridge to their work environments and computing resources. In fact, to accommodate firewall processing - packet filtering, IP address translation and web buffering - performance, reliability, and availability may plummet for workers on both sides of the firewall. Observes Scott, "firewalls represent single points of failure as well as traffic congestion problems for everyone."

If Scott, Christoph Schuba, and their colleagues have their way, "remote access" architectures may soon join the parapet as artifact.

Addressing Breakthrough

This summer Scott's team achieved a breakthrough: an addressing and data encapsulation scheme that allows users inside and outside a private network to bypass the firewall without compromising security. To get there, Scott's team has re-imagined and re-engineered private networks to make them more amenable to services offered over a publicly available infrastructure.

Traditional transport layers have two endpoints through which remote communications "tunnel." For example, a worker at home (or anywhere outside of her office) wants to check email at her workplace. She logs onto her computer at home (point 1) and dials up her local ISP. She communicates via the firewall (point 2), rather than directly, with perhaps two, three, or more internal servers to get at email and shared files. Now multiply her demand for remote access by hundreds of other users - mobile employees, B2B vendors, and outsourced consultants. The point-to-point model begins to resemble a funnel. It has enormous potential to slow access and limit work performance.
And the "single point of failure" - the firewall - is not only vulnerable to catastrophic events, but also is difficult to scale as demand for access grows.

Scott uses a different sort of "tunnel," one in which "the firewall function is pushed all the way to the remote client." Once the remote client - the telecommuter's computer - is authenticated, it becomes merely another node in the workplace network. The effect is to closely integrate remote users into the workplace network for a more responsive experience. Remote access is no longer "remote" from the point of view of performance.

Scott's multi-point IP tunnel is scalable, too. "Our tunnels have as many endpoints as there are machines participating in the virtual enterprise network," says Scott. The virtual enterprise network (VEN) is a big idea - the backdrop to the remote access solution - and a prototype in Scott's lab.

The New New Thing: Virtual Enterprise Networks
A VEN is a unique addressing and security layer located on top of the private network. A working prototype at Sun Microsystems Laboratories suggests how VENs may soon bring secure, reliable, high performance remote access to private networks.

A VEN security service protects all private data transmitted by the network. It accomplishes this by deploying a variety of encryption techniques to hide data, creating unique "channels" between nodes. For example, group encryption keys define workgroup channels such that each member enjoys multi-point access to secure servers and storage no matter where members log in and with no performance compromise save that of the speed of their connection. The security service supports encryption key management that can be revised on the fly, too.

Perhaps the most impressive feat the VEN performs is its addressing service. The trick is to give remote authorized users full multi-point access to all the computing resources in the private network. The VEN layer accomplishes this by using virtual network addresses for nodes and an address resolution engine. As Schuba explains it, "the engine translates the IP addresses of all networked machines in a single channel -- client machines inside the enterprise as well as those linking up from the outside." The result is a unifying scheme for access through the Internet that makes it possible for a home computer on the outside to appear and function as the equal of machines on the inside of the private network. "It's a way to build a network," explains Scott, "in which an address does not indicate a physical, but rather a logical point of attachment in the network infrastructure."

"On a virtual enterprise network level, every node is directly connected, one hop away from every other node on the same channel," says Scott. So far, Scott and his staff have tested the VEN address and security features over ethernet, Aironet, wireless RF, DSL, twisted pair, and even using ATM (asynchronous transfer mode). His group has already filed 13 VEN-related patents. The next step: persuading Sun Microsystems Laboratories to be an early adopter.

Scott's VEN technology is persuasive. In a lab at Building 15 on the Menlo Park campus, Scott and Schuba demonstrate their addressing scheme as well as an intriguing security feature. From machine to machine, communications are secured by encrypting packets and tunneling them to destination addresses. One "outside" node represents a file storage vendor where encrypted data is stored. Scott's team launches a network sniffer to show that the storage service provider never sees plaintext data. Yet any authorized user accesses plaintext files easily. The moral of this outsourcing prototype? The storage provider focuses on keeping its services to the enterprise up and available. That helps it do what it does best, and that frees workers in the prototype enterprise from computer maintenance and support. The demo successfully models a public infrastructure resource - storage space - serving a private network. And that, Scott believes, is the future.
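The three VEN ideas described above (virtual addresses resolved to a node's current physical attachment point, workgroup channels defined by a shared group key that can be rotated on the fly, and an outsourced storage node that holds only ciphertext) can be modelled in a few dozen lines. The example below is added for this page; it is not Sun Labs' VEN code and does not claim to match their wire format. The node names and addresses, the sample file contents, and the HMAC-SHA256 keystream with an encrypt-then-MAC tag are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    virtual_addr: str   # logical point of attachment in the VEN (constructed value)
    physical_addr: str  # where the node sits right now: office LAN, home DSL, hotel

class ResolutionEngine:
    # Maps a virtual address to wherever that node is physically attached right now.
    def __init__(self):
        self._table = {}

    def bind(self, node):
        self._table[node.virtual_addr] = node.physical_addr

    def resolve(self, virtual_addr):
        return self._table[virtual_addr]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: an illustrative keystream, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(group_key):
    # Distinct encryption and MAC keys derived from the channel's group key.
    return [hmac.new(group_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def seal(group_key, plaintext, header):
    # Encrypt-then-MAC; `header` (the virtual addresses) is authenticated but not hidden.
    enc_key, mac_key = _subkeys(group_key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, header + nonce + body, hashlib.sha256).digest()

def unseal(group_key, blob, header):
    enc_key, mac_key = _subkeys(group_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong channel key or tampered packet")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def opens(key, blob, header):
    # True if `key` authenticates and decrypts `blob`; this check makes a rekey a hard boundary.
    try:
        unseal(key, blob, header)
        return True
    except ValueError:
        return False

class Channel:
    # A workgroup channel: a member set sharing one group key that can be rotated on the fly.
    def __init__(self, members):
        self.rekey(members)
    def rekey(self, members):
        # Rotating the key is how a member is dropped: its old key cannot open new traffic.
        self.members = set(members)
        self.key = os.urandom(32)

def run_scenario():
    engine = ResolutionEngine()
    office = Node("office-desktop", "ven:10.7.0.2", "192.0.2.10")
    laptop = Node("telecommuter-laptop", "ven:10.7.0.3", "198.51.100.77")
    storage = Node("storage-provider", "ven:10.7.0.9", "203.0.113.5")
    for node in (office, laptop, storage):
        engine.bind(node)
    # Engineering channel: the storage provider has an address but is NOT a member.
    eng = Channel({office.virtual_addr, laptop.virtual_addr})
    header = f"{laptop.virtual_addr}->{office.virtual_addr}".encode()
    secret = b"Q3 roadmap: ship VEN pilot"  # constructed sample file contents
    # Telecommuter writes: seal under the group key, hand the blob to the outsourced store.
    store = {"roadmap.txt": seal(eng.key, secret, header)}
    provider_sees_plaintext = secret in store["roadmap.txt"]  # what a sniffer on its link sees
    # Insider reads back: resolve the store's current location, fetch, open with the key.
    store_addr = engine.resolve(storage.virtual_addr)
    insider_reads = unseal(eng.key, store["roadmap.txt"], header)
    # Flip one bit of stored ciphertext (byte 20): rejected before any plaintext is released.
    tampered = bytes(b ^ (i == 20) for i, b in enumerate(store["roadmap.txt"]))
    tamper_detected = not opens(eng.key, tampered, header)
    # Telecommuter moves from home DSL to a hotel: only the physical binding changes.
    laptop.physical_addr = "198.51.100.200"
    engine.bind(laptop)
    # Rekey after dropping the laptop from the channel; its old key must fail on new data.
    old_key = eng.key
    eng.rekey({office.virtual_addr})
    revoked_can_read = opens(old_key, seal(eng.key, b"post-rotation memo", header), header)
    return {
        "insider_reads": insider_reads,
        "provider_sees_plaintext": provider_sees_plaintext,
        "store_addr": store_addr,
        "laptop_after_move": engine.resolve(laptop.virtual_addr),
        "tamper_detected": tamper_detected,
        "revoked_can_read": revoked_can_read,
    }
```

Two points the scenario makes that the prose only states: the storage provider is excluded by key, not by address (it has a perfectly good VEN address and is reachable one hop away, it simply is not a channel member), and the authentication tag is what turns "key management revised on the fly" into an enforceable boundary, since a revoked node holding the old key gets a tag failure rather than garbage it could try to make sense of. Calling `run_scenario()` returns the observed results as a dictionary.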
What It Means To You