You're Wearing Your Credit Card Number on Your T-Shirt

There was a TV commercial in the recent past that showed people wearing T-shirts that had things like "My social security number is 123-45-6789" and "My credit card number is 1234-4321-5544-110" written on them. These days, you have to be careful with your credit card information and other vital personal information to prevent people from stealing your identity, taking your money, and driving up the cost of doing business.

When you connect to the Internet, connect to a server in the corporate network, and then view sensitive data, it really is just like wearing your credit card number on your T-shirt. The packets do pass through your ISP, and possibly several others.

The WAN cables do go outside where anyone can physically touch them, assuming they're willing to break the law. You are exposed, but thankfully, you can do something about it.

There are lots of movies with spies or bank robbers in which the bad guys have ended up stealing what they were after, only to find out it was worthless. In networking, you can send packets, knowing that other people can steal a copy, but you can make them worthless through encryption.

Encryption allows a computer to apply a mathematical formula to some data, sending the results of the mathematical function over the network. The computer receiving the data can then re-create the original data by decrypting the data. Anyone who looks at the data when it's encrypted can't read it. The data just looks like a bunch of random bits and bytes. The only way to tell what the data looks like is to decrypt the data, and to decrypt the data, you need a secret password called an encryption key. Of course, you don't let anyone know the encryption key, so the data stays private.

These days, it is somewhat common for users to encrypt data before sending it over the Internet. However, most people don't just call it encryption; instead, they call it a virtual private network (VPN).

The enterprise network at Barney's company is a private network, with all the components inside privately controlled office space. The Internet is public. VPNs make the Internet act like a private network, in that there's no danger of others seeing the contents of the packets. Because the packets do go across the Internet, it's still a physical public network. VPNs create a private network, but they do so logically, or virtually, if you will. Figure 17-6 shows an example of a VPN.

Figure 17-6. Encrypting IP Packets for a VPN


For Barney to use the VPN, he must encrypt the packet as he creates it. To do this, Barney needs to have VPN software installed on his computer. The VPN client software performs encryption before sending packets, and it performs decryption when receiving packets. Barney also needs to know what encryption key to use. Barney sends this packet to a VPN device inside the corporate network, called a VPN concentrator, which decrypts packets received from Barney and others, as well as encrypting packets that need to be sent back to Barney.

The steps from Figure 17-6 are as follows:

1. Barney creates a new packet and then encrypts the packet. The original packet has a destination IP address of the web server, but the new IP header put around the encrypted packet has a destination IP address of the VPN concentrator.

2. Barney forwards the packet, with the destination IP address of the VPN concentrator, into the Internet.

3. The packet passes through the public Internet. However, the only thing in the packet that makes any sense is the IP header. The rest of the packet's contents have been encrypted. If anyone were to capture the packet, he would see just a bunch of jumbled bits inside the IP packet.

4. The VPN concentrator receives the packet, extracts the encrypted original packet, and decrypts the packet. Decryption refers to the reverse of encryption, taking the encrypted data and converting it back to the original data, in this case the same IP packet that Barney created in the first place.

5. The VPN concentrator forwards the packet to the original destination, which is the web server in this case.

The steps list the actions, as well as some of the implications, of using VPNs. In fact, this example shows just one type of VPN (called an IPSec VPN); there are many other types. However, in general, all VPNs make a public network, such as the Internet, work more like a private network, and often, VPNs include encryption to protect your data.
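The five steps can be traced in a short sketch. This is an added example, not code from the book: the addresses, key, and payload are constructed sample values, the keystream is a toy stand-in for the real ciphers an IPSec VPN uses, and the integrity tag is an addition beyond what the steps describe.

```python
import hashlib, hmac, os, socket, struct

# Constructed sample addresses (documentation ranges) and a constructed key.
BARNEY, CONCENTRATOR, WEB_SERVER = "198.51.100.7", "203.0.113.1", "192.0.2.80"
KEY = b"constructed-demo-key-not-for-use"

def ip_header(src, dst, payload_len, proto):
    """Minimal 20-byte IPv4 header; checksum left at 0 to keep the sketch short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def dst_of(packet):
    """Destination address from an IPv4 header: all an observer can read."""
    return socket.inet_ntoa(packet[16:20])

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode), a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + struct.pack("!I", i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate(inner, key):
    """Steps 1-2: encrypt the whole original packet, then add a new IP header."""
    nonce = os.urandom(16)
    ct = _xor(inner, _keystream(key + b"enc", nonce, len(inner)))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    body = nonce + ct + tag
    # Protocol 50 is ESP; the body layout here is simplified, not real ESP.
    return ip_header(BARNEY, CONCENTRATOR, len(body), 50) + body

def decapsulate(outer, key):
    """Step 4: the concentrator checks integrity, then decrypts the original packet."""
    nonce, ct, tag = outer[20:36], outer[36:-32], outer[-32:]
    expected = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified packet")
    return _xor(ct, _keystream(key + b"enc", nonce, len(ct)))

def make_inner(data=b"GET /payroll HTTP/1.1\r\n\r\n"):
    """Barney's original packet, addressed to the web server (payload is constructed)."""
    return ip_header(BARNEY, WEB_SERVER, len(data), 6) + data

if __name__ == "__main__":
    outer = encapsulate(make_inner(), KEY)
    print("observer sees destination:", dst_of(outer))
    print("concentrator forwards to: ", dst_of(decapsulate(outer, KEY)))
```

Anyone capturing the outer packet in step 3 learns only that Barney is talking to the concentrator; the web server's address and the request itself are inside the encrypted body.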




Computer Networking first-step
ISBN: 1587201011
EAN: 2147483647
Year: 2004
Pages: 173
Authors: Wendell Odom
