Our remote-access VPN switch has different encryption standards configured compared to the U.S. switch. When I asked why there are differences, the answer was, "Probably due to encryption exporting laws." Can you provide any more details?
The short answer to your question is, "No. It is not true." Furthermore, it was never true.
The history of U.S. export regulations (not laws) dealing with encryption is endlessly fascinating to people like me, but a confusing bore to most of the world. However, even at their most draconian, the regulations did not apply to encrypted data. What this means for you is that you can set your VPN to whatever you want. Set it to something nice and strong.
Whoever told you this is almost certainly confused. In the "bad old days," it may have been difficult to get a VPN switch from the U.S. to the U.K.; but if they had one there, then nothing in the U.S. export regulations kept you from setting it up so they can talk to each other.
Having said that, I feel a slight need to weasel a bit. It is possible that there is some U.K. requirement that applies, but I would be very surprised to hear that. It is also possible that there are other details that neither you nor I know about. But again, I would be very surprised to hear this.
If whoever is telling you this is adamant about the need to have them different, collect as much information as you can and write me back. However, I suspect that if they're defending something with "probably due to" then this is simple garden-variety confusion. If you reply to them with something like, "Separate settings for the U.S. and U.K. are no longer needed," then you bypass any potential arguments about whether it was once a reasonable thing to do.
At the risk of getting into that confusing, boring stuff, it is possible that your VPN switches are old enough that they could have had triple-DES in the U.S., but only single-DES in the U.K. In this case setting the connection to use triple-DES wouldn't work, as the switch in the U.K. wouldn't have it. It is possible that was and is the case. If so, then the real issue is that you should upgrade the U.K. switch.
This was first published in March 2004