In this chapter, we discussed the following:
Business customers want new approaches to wide area networking that preserve the benefits of low-cost, easy-to-deploy IP-based intranet applications and deliver them to mobile users and branch offices. IVPN solutions are emerging as a viable solution that provides the connectivity, transparency, security, and flexibility required by intranet and extranet applications over public wide area backbones such as the Internet.
The availability of advanced outsourced IP networking services will give small and medium-sized businesses the ability to deploy global networks at a manageable price, in order to stay competitive against large corporations.
The groundswell of demand for IVPN services is forcing service providers to plan and implement the deployment of highly scalable IVPNs, preserving the current economic benefits for subscribers while also adding new capabilities and services.
Layer 2 tunneling protocols such as L2TP and PPTP are a good way of providing cost-effective remote access in mixed-protocol environments; however, on their own they offer no privacy (PPTP does have extensions for encryption and authentication). Without the complementary use of strong, scalable security techniques such as those provided by IPSec, a Layer 2 tunnel alone does not provide adequate security for today's e-commerce applications.
An advantage of tunneling protocols such as L2TP and GRE is that providers can offer finer-grained QoS than with IPSec solutions alone, since routers retain visibility into the IP header information needed for application-level QoS. In an IPSec packet, the payload protocol and user data are encrypted, hiding all of the information required to prioritize applications. The disadvantage of a pure encapsulation solution is that, by definition, it is not secure.
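To make the visibility difference concrete, here is an added example (not from the book) that builds the same inner IPv4/TCP packet twice, once GRE-encapsulated and once in an ESP-style envelope, and runs a small classifier over each to show what an intermediate router could actually read. The packets are constructed inline; the "encryption" in `esp_encapsulate` is a SHA-256 keystream XOR used only to make the payload opaque for the demo and is not a real ESP cipher. The example also goes slightly beyond the text by reading the outer header's DSCP field, which RFC 2401 allows a tunnel-mode gateway to copy from the inner header, since that is the one QoS hint that survives ESP.

```python
import hashlib
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50


def build_ipv4(src, dst, proto, payload, tos=0):
    """Minimal IPv4 header (20 bytes, no options); checksum left zero for the demo."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(
        "!BBHHHBBH4s4s", ver_ihl, tos, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )
    return hdr + payload


def build_tcp(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options, no payload)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def gre_encapsulate(inner_ip):
    """Basic GRE header (RFC 2784): flags/version = 0, protocol type 0x0800 (IPv4).
    The inner IP header and TCP ports follow in the clear."""
    return struct.pack("!HH", 0, 0x0800) + inner_ip


def esp_encapsulate(spi, seq, inner_ip):
    """ESP tunnel-mode layout (RFC 2406): SPI and sequence number in the clear,
    everything after them ciphertext. Stand-in cipher for the demo only (XOR with a
    SHA-256 keystream) -- NOT secure, just opaque to the classifier below."""
    keystream = b""
    counter = 0
    while len(keystream) < len(inner_ip):
        keystream += hashlib.sha256(b"demo-key" + counter.to_bytes(4, "big")).digest()
        counter += 1
    ciphertext = bytes(a ^ b for a, b in zip(inner_ip, keystream))
    return struct.pack("!II", spi, seq) + ciphertext


def classify(packet):
    """What a QoS classifier on an intermediate router can read from a packet.
    Follows GRE into the inner packet; stops at ESP because nothing past the
    sequence number is readable without the key."""
    ihl = (packet[0] & 0x0F) * 4
    dscp = packet[1] >> 2
    proto = packet[9]
    if proto == IPPROTO_GRE:
        flags = struct.unpack("!H", packet[ihl:ihl + 2])[0]
        gre_len = 4
        if flags & 0x8000:  # checksum present (RFC 2784): checksum + reserved1
            gre_len += 4
        if flags & 0x2000:  # key present (RFC 2890)
            gre_len += 4
        if flags & 0x1000:  # sequence number present (RFC 2890)
            gre_len += 4
        return classify(packet[ihl + gre_len:])
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return {"proto": "tcp", "sport": sport, "dport": dport, "dscp": dscp}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
        # Only the SPI, sequence number and outer DSCP are visible.
        return {"proto": "esp", "spi": spi, "seq": seq, "dscp": dscp}
    return {"proto": proto, "dscp": dscp}


def demo_packets():
    """Constructed sample packets: one inner TCP/443 flow, marked EF (DSCP 46),
    carried first over GRE and then over ESP with DSCP copied to the outer header."""
    inner = build_ipv4("10.0.0.5", "10.0.1.9", IPPROTO_TCP, build_tcp(40000, 443), tos=46 << 2)
    gre = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, gre_encapsulate(inner))
    esp = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                     esp_encapsulate(0x1234, 1, inner), tos=46 << 2)
    return gre, esp


if __name__ == "__main__":
    gre_pkt, esp_pkt = demo_packets()
    print("GRE :", classify(gre_pkt))
    print("ESP :", classify(esp_pkt))
```

Running it shows the GRE path yielding the inner protocol and port pair (TCP, 40000 to 443), while the ESP path yields only the SPI, sequence number and whatever DSCP the gateway chose to copy outward; a router wanting per-application treatment of ESP traffic therefore depends entirely on that outer marking being set honestly at the tunnel endpoint.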
L2TP enables remote users to connect to a local ISP and tunnel through the Internet to a home network, avoiding long-distance charges. L2TP has emerged as the open standard protocol for multiprotocol Layer 2 tunneling. L2TP should be used over IPSec for true VPN provisioning.
IPSec is becoming the standard for IP-based VPN applications. IPSec is now a powerful and mature standard with excellent support for authentication, confidentiality, and key management (via IKE). Since IPSec works at the Network Layer, it is transparent to applications. While the IPSec protocols can in theory be combined in a large number of ways, in practice only a few combinations are commonly used.