The last few chapters showed how data move over internetworks. The journey starts with the twisted-pair cable running from the desktop. Then we see messages traveling through hubs, switches, and routers. Quickly, the data make it to destinations across buildings or on the other side of the world. All this technology has made it possible to do some amazing things. It's now routine for businesses to sell and support entire product lines from Web sites, something unthinkable a decade ago. Just as impressive, whole companies are being managed within internetwork management platforms. It's even possible to operate private networks over the public Internet. But there's a catch to all this technology: networks are two-way streets. If good things can happen over internetworks, it follows that bad things can, too.
Hooking a computer up to any kind of network necessarily incurs risk. Hooking up an entire enterprise, as you might imagine, brings a boatload of security issues. Network security is a broad subject that encompasses policies, safeguards, techniques, standards, protocols, algorithms, and specialized hardware and software products. Security has been paramount in computing since the early years of central mainframes and greenscreen terminals. Experts now regard security as the single biggest hurdle to the Internet becoming the all-encompassing business environment that so many envision. Indeed, network security is such an important subject that it's an entire industry unto itself.
Good security is tougher to attain now because systems are so interconnected. In the old days, you either had a terminal hooked up to the mainframe or you were out. But in this era of connectivity, anybody with sufficient resources and time conceivably can break into any system that is connected to the Internet. Vulnerability is a fact of life in internetworking, and the industry's response is a phalanx of security technologies.
All security starts with access. Even back in the misty days of cavemen, having good security meant not letting bad things in or valuable things out. Internetworking is no different. Running an internetwork is like running a storefront business: It's in your interest to let strangers freely enter and exit the store, but doing so inevitably means giving thieves and vandals a shot at your goods. You have to keep access open; all you can do is try to weed out the bad guys. Three network access technologies try to balance the conflicting needs for access and security:
Firewalls Special routers that intercept and control traffic between a private network and public networks (especially the Internet).
Virtual private networks (VPNs) Private networks operating over a public network (usually the Internet).
Access devices Dedicated devices used to connect remote users to internetworks over the Internet and normal telephone lines. These products include access servers and access routers.
Of the three technologies, only the firewall is solely concerned with security, and it doesn't provide access so much as permit it. The other two, VPNs and access servers, exist primarily to deliver cost-effective connectivity. Access servers give remote users a way to enter internetworks. The mission of a VPN is to run a wide area network (WAN) over the Internet. Even so, both access servers and VPNs restrict unauthorized access and attempt to ensure data integrity.
We won't specifically talk about access servers in this chapter. What's important to know is that these devices are used to accommodate dial-in access. Dial-in users call into the network and connect through the access server's modem bank. Once authenticated, they are able to access internetwork resources. This chapter covers Cisco access technology from both functional and security perspectives.