4.3 Virtual private networks

4.3 Virtual private networks

Here is the scenario: You are the network manager of a large company. You know that you must have secure access to five sites around the world. Each site will need to have 20 to 30 computers with a bandwidth of an equivalent of T1 (1.544 Mbps) to each site. One answer to this problem would be to set up direct connect circuits to each site in essence, set up a private network. This actually can be the "right" answer. But for our discussion, this is not a good answer. Why? Cost and availability are just two issues. In some countries, this could be very expensive and may not even be available. So what can you do? You can use the Internet. Now you may have the same problem with availability, but more and more countries are providing T1 access speeds to local businesses. Using the Internet, you can see that your data is not secure, and options like SSL and e-mail encryption are not viable options. A solution in this case is a "virtual private network" (VPN). A VPN is a collection of technologies that creates secure connections via the Internet. In simplest terms, a VPN is a secure connection between two or more locations over some type of a public network. Let's look at four different protocols for creating VPNs over the Internet:

  1. PPTP point-to-point tunneling protocol

  2. L2F layer 2 forwarding

  3. L2TP layer 2 tunneling protocol

  4. IPSec IP security protocol

PPTP, L2F, and L2TP are largely targeted at remote access, like dial-up. LAN-to-LAN solutions would use IPSec.

4.3.1 Point-to-point tunneling protocol (PPTP)

PPTP has been deployed for remote users since Microsoft included support for it in RAS (remote access server) for Windows NT Server 4. PPTP builds on the functionality of PPP to provide remote access that can be tunneled through the Internet to a destination site or computer. PPTP encapsulates PPP packets using generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP. PPTP is designed to run at open systems interconnection (OSI) Layer 2 and IPSec operates at layer 3.

4.3.2 Layer 2 forwarding (L2F)

L2F is another protocol, developed by Cisco Systems. It is similar to PPTP in that L2F is a layer 2 tunneling protocol. [3]

4.3.3 Layer 2 tunneling protocol (L2TP)

L2TP is a combination of Microsoft's PPTP and the Cisco L2F. L2TP is a network protocol and it can send encapsulated PPP packets over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks. [4]

For example, say each city has its own network but all of the networks are connected via a VPN as in Figure 4.3. The VPN is secured by using a technology known as IPSec. IPSec is a simple version of an emerging Internet IP security protocol. (Review the series of IETF standards for IPSec, which have been published as Request for Comments 1825 to 1829.) A virtual private network is a network that is not in actuality private but is as safe as a private network. If a company has its main office in Dallas and a branch office in London, the traditional solution for connecting the networks would be to lease a line for each site.

click to expand
Figure 4.3

4.3.4 IP security protocol (IPSec)

The VPN technology using IPSec will encrypt all outgoing data and decrypt all incoming data so that you can use a public network, like the Internet, as transportation media. IPSec can support two encryption modes: transport and tunnel. Transport mode encrypts the data portion of each packet but leaves the header unencrypted. The more secure tunnel mode encrypts both the header and the data. At the receiving side, an IPSec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a key. Remember the public-private key system? This system uses a public key to encrypt the data. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates. Key-based cryptography requires a method of exchanging a key, or one key of a pair, between the sender and the recipient. This mutually agreed-upon information forms a security association. In the IPSec architecture, this security information is exchanged as part of the key management session, which precedes any exchange of sensitive data. ISAKMP/Oakley supports more negotiation and has been selected as the basis for the IPSec's mandatory key management protocol for IPv6. ISAKMP/Oakley uses the Diffie-Hellman combination algorithm. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and UNIX, such as PPTP and L2TP, Altavista Tunnel, Cisco PIX, and the secure shell (SSH).

Following are some VPN product examples you can check out.

[3]For more information regarding L2F, check out http://www.ietf.org/rfc/rfc2341.txt.

[4]See http://msdn.microsoft.com/library/backgrnd/html/msdn_vpn.htm for more information.

Internet Security(c) A Jumpstart for Systems Administrators and IT Managers
Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net