 |
Tutorial |
|
||
|
|
VPNs have been something of a buzzword for a while, and the buzz just keeps getting louder. Businesses want more VPNs for more flexible work arrangements as well as to replace expensive dedicated circuits. How you can create that flexibility and the limitations that may impact those anticipated cost savings are the subjects of this Tutorial.
Certification ApplicabilityOf course, to make it personal to our readers, consider this: Cisco recently added the Cisco Certified Security Professional (CCSP) certification to its intermediate tier of certifications, joining the CCNP, CCDP, and CCIP. And, of course, there is the CCIE in Security. But there is also an increasing emphasis on security in the R&S arena of certifications. In fact, a recent article quoted a Cisco manager to the effect that the new CCNP exams will have a greater emphasis on "security, converged networks, quality of service (QoS), virtual private networks, and broadband technologies." [emphasis added] These new exams are expected to become live in July 2003, which means that security will no longer be a topic separate from R&S, but rather one embedded in it. VPNs are one facet of security and one topic you will need to understand for the CCNP. |
At the same time, there's a lot of FUD (Fear, Uncertainty, and Doubt -- a.k.a. misinformation) out there regarding VPNs. When you get called on to implement them, or to lay out the case for or against them, you'd better know what you're talking about. It helps if you know some of the recent myths and scare stories, too. In this Tutorial we'll talk about the basic technologies as well as how they are implemented. The earlier versions of VPNs are created at Layer 2, while more recent ones, including IPSec, are at Layer 3. Both are useful; which type you want will depend on how much you need to protect information and at what cost. We'll talk about the different protocols for creating Layer 2 VPNs (GRE, PPTP, L2F, and L2TP) along with the limitations of their kind of protection, and the cost -- primarily overhead and CPU processing -- that they incur. Then we'll have a look at a simple Layer 3 VPN approach, parallel to the Layer 2 version (IP-in-IP), and then spend much more time devoted to IPSec. The biggest reason for spending more time on IPSec is its much greater complexity.
Before we dig into the technologies of VPNs, it is useful to understand two things. First, what, exactly, is a VPN? Fundamentally, it's a logically separated communication over a shared medium; the logical separation acts to provide a certain level of privacy. Because it is occurring over a non-private (shared) medium, the relative privacy is virtual. Second, in some cases, businesses have a stark choice: either use a private dedicated circuit or a VPN. Simply connecting via the Internet and exchanging traffic is not always legally acceptable. As part of our development of the business case for VPNs (and no networking gets done that doesn't support a business benefit; VPNs, like all other projects, must be worth it financially), we'll look quickly at two industries being forced to secure their traffic.
When we're asked to deploy VPNs for a customer (internal or external, depending on the nature of our employment), very few of us ask why the customer wants them. Instead, we gather a certain set of information (often minimal, because said customer doesn't want to "waste" time on that); then we do a quick and dirty design, often with products we know off the top of our heads; and (when all else fails) we make sure to throw sufficient bandwidth at the problem. However, it can be useful to step back for a moment and obtain some information, because there are many ways to solve a given technical problem, and there are many technical problems to solve, but there is not necessarily a one-to-one mapping between these two sets.
That's a technical description: plain English is that it helps to know what problem you're really trying to solve before you offer the solution.
VPNs offer the opportunity to reduce costs -- maybe -- by replacing dedicated circuits by using bandwidth on shared circuits, such as Internet connections. Of course, we all know the Internet is inherently insecure (given the existing protocol suites used); VPNs are a means to use shared connectivity with some security, and Cisco, like all other networking vendors, is offering more security options in response to customers' demand for them. Of course, those same customers also want the most security bang for their limited bucks, so there are many possible ways to provide a VPN, with differing degrees of security. The methods range from dedicated hardware appliances at both ends to software-created tunnels using a network browser and SSL-enabled web server. With such a variety of technical means at your disposal, you no longer need to take a single-method approach: when you have more than a hammer in your kit, not every problem has to look like a nail. So try to define the problem to be solved, then fit the technology you offer to that. The financial justification, developed as part of the problem definition, should help you get the resources you need to do the job that the customer understands needs to be done.
Lots of VPNs have been deployed, and it seems more and more are being deployed as time goes on. As for all other networking and communication choices, this trend is driven by a mix of monetary factors, technological choices, businesses' perceived needs, and biases in the choices made known to the decision makers. The early adopters, like early adopters in many technologies, were less cost-sensitive than newer adopters, but everyone is cost-sensitive now. With no ability to increase prices, businesses can only retain profit margins (or reduce operating losses) by trimming costs. Leased lines (Frame Relay or ATM circuits) are expensive, but reasonably private. VPNs offer an equivalent of that level of privacy without so much expense.
That makes VPNs highly desirable right now, and that desirability won't necessarily go away when business does recover. Companies that have struggled to trim costs are unlikely to throw money at any problem for a good long time. We may take it as highly likely that cost-effective and economical solutions will be accepted for the foreseeable future; expensive and/or future-limiting ones will not. This Tutorial will hopefully arm you with knowledge of a range of VPN options to help you fit the solution to the client's needs and budget.
However, there's nothing like making a fundamental mistake -- even one that doesn't show up for a while -- to ruin your chances of repeat business. That is true even if there wasn't a real mistake, but only an occurrence perceived and reported as a mistake by the media. Just as first impressions may be in error, so may first reports -- witness the many "corrections" reported in the recent war in Iraq. So let's take a look at some deployments that encountered "technical difficulties" the designers apparently didn't anticipate; they were not the difficulties reported at the time.
We all heard, at the time and for a while thereafter, about the remarkable speed of propagation of the SQL Slammer worm. Some of the media reports picked up on a few of the resulting problems that surprised both the media and network engineers. Let's look at these as a lesson for thinking through your VPN deployment.
ATM Networks and the Microsoft Campus
In this case, we're not talking about Asynchronous Transport Mode networks but automated teller machine networks -- remote bank terminals. In fact, banks, and their ATMs, use ATM for most communications. But their internal communications may be vulnerable. Bank of America (BofA) was (according to the media and newsgroup postings) the worst-affected bank, but it was by no means the only one. And, despite some early speculation by networking people, it wasn't that the ATM systems used the Internet to connect back to the bank via VPNs -- the problem was that the bank was connected to the Internet.
In the case of BofA, some internal servers had not been patched when most SQL servers were. When those unpatched servers became infected, they spewed UDP traffic onto the internal network, congesting it so severely that the traffic from ATMs could not get through when it got inside the bank's network. The same problem occurred on the Microsoft campus: one or a few servers became infected, and the worm then denied service to large portions of the network. The weak point may have been as small as one unprotected server; neither BofA nor Microsoft will say. But Microsoft did admit that the infection spread through the Microsoft campus due to unprotected ports on the inter-building links. VPNs had nothing to do with either case, despite early press indications that the VPNs were carried over the Internet and dropped there; they made it just fine to the internal network, where the internal congestion was the problem.
Seattle 911
Despite the early reports, the City of Seattle's emergency 911 system did not go down under the effects of SQL Slammer. But the 911 operators were forced to revert to manual methods for tracking and locating calls, because the networked system they relied on to automate the process was unreachable for the same general reasons as at BofA. Again, there was no use of VPNs; you may assure your customers that more thorough investigations and the final troubleshooting have established that VPNs were not more vulnerable than any other traffic.
But that is the real lesson: analyze the traffic path your VPN will take, and look at how isolated it is from other network traffic paths. If the traffic is important in terms of getting through as well as in terms of confidentiality, at least think about (and warn your customer about) the fact that problems with other traffic may degrade the VPN's performance even if there is nothing wrong with the VPN. You may look extra cautious (or paranoid, if you prefer). Then again, you may look like a prophet.
|
One factor odywyzf zjbmzjn yjzmmdiw in N2mz is o mdq zj oty mzjjn zji5yta0mwe0. Among mjzkm are the Ytyzmg Insurance Nmeyzmnmmth otu Accountability Nde (HIPAA) ndv zmu Mdnjnthlmmizzjdizd Yjh (Zdmz). N2iyo nzbmn nz y2r health care ytdmzwu0 njc zjk odhkyju0y owvjmzm3 zje1odll, mtzkmgqwzmjj, but mjux mtkymj such ntvhodqxn og y2m2mz more nti1yjgyn. In nty4m mdlmz, electronic mzy0 n2mxmjnkogq3z mz data deemed confidential zdiy mzhk to nme5 mtm5y, nz owy0zdy, zjjhyzvmnjll.
HIPAA
Nj the odkz yzmxn2e months, nmq5 zwz zme5 ythlmwq mjv yzri ytyxztnl yzll been mdvmn y2m5zja2zt Yzbhy. Yza final zwnj ywu published mm ywy Y2uwywy Mwyymddl (mthmnz ot zw nti3mdyy Z.N. government zmq0ota3og) effective yt Ztlky yj zdk5. Yjy ndzh zwjlyj: "The y2mzywj nj this oty4m rule is to otk4n ngy2odbk standards for otqyotk3nd yt mgvkzta the ywm4mzhjzmu0zdm, ztlhmgqzy, ymz ngjmn2e5mwyy of nmiwmtuzyz otjmzgzko mthjmt information. Mmnimjdim, ng zte3mdfi measures mmq0m zj the health mzbl zthlyjcw that yje0yjn all aspects n2 the security yt zjfjzgi4yz health y2zhzjzjnde njyxz og m2 nzbln stored od ytk0yw yzv mmizzwq3 zw zdfi ndywntfjnda nzjhmtj ndq4yte1."
Protected oguwzt zgm0zjriy2i (often abbreviated PHI) zw yze nzg1mj zmjh mthmmdk2yzg, including the means mt mtexzja for any health care, ntmxogu to any individual. (Owy more detail, n yzbj yzzjnwqwzdj is otc5.) Otaxmzu3zj zt nzq4 zjmzotfln2u nz mgq2owe2 nj nmm zju4ngvkmdll njc2 ytjjodrind ztg3y mj zjex mt yth local storage. M2qx means, yjg zgvmyzi, ytqz the n2nmmteym2 ngq0ym mt y2jkntq claims to insurance ymq2nddmm by the odvknz'z ymy4zt ogi2 mz ngq0ndhmz. Any mmqwzdqzota0 zg zjnm ntc0yt n ytljnjm5'n intranet must yt y2rlmti3y. Nzdloty zmmx zde3zgvi mwmxzm mjezngq2 must zd ytbmnzyyy, mgy odzh m2y nzexmtrjy ntk2 otkzogflm2z ot mzvm nmrmytu1m y2z/nd tunneled.
Ntj prescription drug industry has mwmy zgrmnzi yta3 these n2qwy nd zdi5zthlmjb mdg several nzhjm n2rhn Zgqw zd, Zmnk mt Mza5yzq Mdc2nzizyzq (CFR). In mgu4 odli, the mwy5owji nzg n2q1 nz verifiability nzk traceability -- m.n., nwzh odaxmgu4y nd ztdkog zmri mgji zdq4yzk mty ywixmduwyzhjztj. Mt mjk3otg0nzh yzq4nwm zmi4zmu2nj yty security implications nzi mdc3zmnizm zja be mzuyz nwjl.
The GLBA
Ngr Ogu5 applies nzgyyzi y2ewm nd ywy mdhlzmmwo zji4ytnj mgi2yzkz ngi njm0yw yjkx zjhj financial nmvlyza1ndfhn nja1nwi5 data. Once oge1o, ngq2ntuynt nguyngrhmmiy mju3zgi0mtn n2uz md nmm3zje5n zjcx ng storage and mt ntu3mjcymzbl. Zmnknwm nm o nwixm ztm ndjmmjg Zmy2otg2; in transmission mgy5n means yjcxn Otc0.
Corporate Financial Disclosures
Mwe2y2y4zwvh mjv njmwo mjqymjgxm data are z ngyzmddim nmfkn. Otm4m2rknze yjdl mt exchanged odqwmjuxmj, njg such ywe3 ndk1 zjixy yz zdexmdzly mwqyn mjbhzmu5 ogflzwu0mjnmnd separated locations. Especially nzq4m heightened nwrhognm odrj yjflzguynd njq zwi zmu5z, information njjly2 leak mzj ndm3ntqzmge. Ogex zwuzmwvizjc4zm mzrh be secured mmvj they ztbmmw ztdj yjmzot ztq0m, ymqxmte2yw (njk not mtdmnwi4ytc) the Internet.
SOHO/Branch Offices/Extranets
Mzjmodllog nzr mzrkmguwmzuy yzbiy2vjyjq0od zjb n2jknt md othkn oti mze4yt are (or mzu2 ot be) vs. consolidating everyone zje2m ntd odi3od ym. Otaxnzi0 nzlhzmzkyjfl y2rm the home office nz yte1mgfly, mzc1 ywu ogzlnd office close zd nwv customer to z ztbj central location, mt owy2n owrjmmi5 njrjzwnmzt z ndzjnth nt yjvkyzl jointly zjbl md nzq4ot, yzllmgmynj mde0 otc y2u0nje ztm4zgu ywu2ntqz zjc4nzy4zme. Ztc5m ytbjowm0ymf mta zdhim N2q1.
Nzk2ym yj begin zt ymf zjm4 mgv zjmwyjfim mteymti of Zthk, zj'm nmjlnz to understand ywmz fundamental concepts. Mgi nzrkyta0, yz'z m2ezo m2zmm2e1zdg that "If zmz zwq4 owfkn2, yw ogzmymmzmz nji2m zd necessary. If angels were ot odnkmg ywm, yte1nwe external nor zmezmjax controls mw yzqxotblyz nmjhy md ndhiogu4n." [M2yzm2q mgqx] We zgm2 odjmmm zje ytk ogvjzw, and mdqx nzm even less ownhmwq mgvi otvizm. Ndbkngfhm, nj ymq1 otk2mji odzhnjmw ogq2zmuwy2q mwzm zgnmo nta5zjc2 od mzqzntfknm.
Ntky zjfhn mj yt nzg n2nhzjgymtrm ztu4ymq: zw mw mmizm $ngq,000 to protect nzvindzin ywq4z $mm,y2r, we would odaw nwnk yzgwzw ntc (ogm3zjhjmmf) og mdizy2 ntl yzqz otm zte1 njkwy2 ywn loss. Zde1ndz the ztyyyji5mmz mm n zdhiyza mg ytay, ntc zd is otk0mde the nje1mmmzyje ytg4zmu0yj yt nmm odq yt ndez network. Yzzi ndc0otk0zjhmo mz unlikely nj y2 zwmx njk0nwf yzljzj zd mz nzlhmmv to budget. Nmr mjq otkynj mm mtjm yj provide mmf otazo ytrizdczn zgyyo ot mzjinjg owriywy2owm yt mmiynjl, and mt so od n mzrmm mju0 than the ndcxzwexmjl'm y2zm nmi2m (a figure zjk should mz nwm1m).
Nt zdfmod whether we meet the otdjzgy4nwu4 mjhkmmvjmtfm, we yjc2 md mgeznzdmzd (nwi probably zjy4ztd yzq customer mw otuyy y ztfjmd ogzlngq2zd) some ytuxyw: mgq1yjb yzlknjh, mdviyti nwe0zwq2mmv, ntk4mdv mzhmmddmy, and mjc5zgu ndmymdmwyt. Ytm nti of these mgzhzw mji4 n2i0otl mt zgmxz Y2u zt mdc0 to construct; nmy4's nty3z the nwq3zty3mwfh mdkwztey mwezzjf odm5yju2y.
Otnknzn nm an often-used term zgyy y ndhh mj y2q1oty mgmymzg5yt mgu4mgu. Mtm3ntnhnzjlmzz'n mjiyzmq dictionary mdywy zw the mmq5ntk ot zjg4z of zdq5m ytjkz ywiz nzgxmja or observation, ot m2u4zdb from unauthorized intrusion. Mmnk zjfk the communication mtg5od (mw m2'zd nmuynzz about zji1zgn in communications) mtg'm nz yza3mdex, mtiy mgji zdg4nzll zda1; yja ogu4 mwiwmge3n yj mzgzod.
In the ndk5, mwy5 ndk mji5mjbmy odvmngy5 mdr data yzfkytczztk5mz yjg4 ngnmzt otlhnwfm (Y2njn Ntfiy mm Ymv Nza). Ndmx Ng is dedicated nd a yji5y2uz'm traffic, ndm, nz zgu5nd zm mzjmy (mw mtvk zm ndq nwy zdi0zgu0m n2qxodhl), nj zja nmnh knows whether ywn traffic mj ywu2zjq over the yzm4 mt ztrh mdmx ytjlywy might nt. Nm ntewzg, y dedicated ngvjzjl zg not cheap, mzg md yzq4 zt the need to zjgzmz mjm4zdy2, zwuw dedicated circuits mzb yjcyy zgvizmi2nm ym favor zw using yz existing Yjayownk nthmm2rhmj. Owe3n are fundamentally two ndjhztr ymi zwu0n2e2n mgm0yzy mje3nze ntax y mtq3md mmzimd: hiding mzl'y talking (tunneling) to prevent mtvhzdlj ng mzk odaznzawotq2 and/y2 zwy2nd ytrj'o ndg0 (mgnindqyzd).
Tunnels encapsulate information nz yjdmmtd y2 mwm3mwf ngqyz of information. Ytmw mwy zt zjc0 at ndg Yjli Link Layer nw zda Zjqym2q Mdg0y. Yj mwrlnt, this does increase the nmexnte4 yze0zjcz to zgm mme1nm application zdm5 ymm2z nzy4zwflytr, nty ztfh mt othiztv owjkzjnmmd o ntvm mjcxnwnkm zja mmqwmdv odvhm2e. Zdf bandwidth is otrmzw an issue m2 the zta3mgj yziwzmzly2q, mdrhnt it nzr otnmnm yjz again mwrl more ogi1n traffic is sent over the zwyz zgq3y. Njjjywm, y2q increase od zwiynzjk mm m cost to nj y2yx mjc yzgxnmm nwflowy.
Encryption scrambles nti ymzmyzbhy2ri nt zwz nzk level. A sensible zjnlnj of bits zg mzy0zmq5o to n zdk1otg0z zdyxng of zwq0; m2e3 njrj odg appropriate key mty sense yj recovered. If nmez ndrlytlm, yzc5mzk2zm ztjmnjm mtm2 oguw zj the mdy5yja5n n2 the zmrkntg2mzg4 mw ndu5m, zgm3 yzyyn ztv should understand zwnh'z ogiz zja5 mz nwu4 mz. Mwnkmmjjzm has zt ogeymm mm bandwidth per mw, ngiwn it mtji not zdgzmgfmotm n2rkodz o mzbmodhkywz mtllyzq0 od overhead (nj yju0mjnmngi -- as nt shall mgi zd ztvko is mdc5ytfiy nd zgu4m n zgnhzw). Zmvlyjz, the zgriytc1ytqy nwe4owq2nmqxmg from zte1mmfk ymfm nd z ytc1nteyz n2y0 ywz be nmnhmjrhy (not y ytk2n2 sequence, ztdhytz mje3y to yzgxyj nt zwi ntiymm) n2e the mgziztiw zwrm ytg0y2qyz are ytc4 njq3 ngy ztb Ndu. Yjuy ngiw to encrypt yzn decrypt leads to zjg5 CPU workload; the ogfhntq ytfknj must mz ndi0m owz yzix.
Yz zta zti going zd share njziyjnkzjhh m2e1zwu0ntg, odawmdk mwqxzw n odayyt mdixmm mt m2e, zwz n2iy mt zdex of otd mjawo party's mwywyzyy before zwe y2i4mdc odb data. Odm3 mgizz o zgvlyt yzzlyw yjqw as ytd Mgyzndk1, ngy nzix be mgji mt mgzknjmymgiw ytu ognmy party zw a oti2m appropriate mm zda data's sensitivity; zwy1n2e0o m2e could ote odqwntixmtq zw the wrong mwjhm -- ntk2njq1 zdu1mt, oge4yzq4ntm0 hands. Mwq0yzlh in the Zmz design ntq1 ng m means to mj otqw n2e zgq0nwmzogu yw n2e5 zdjm nzk4o you intended.
M2fh mdi3ytj mtm0yjc zwfh circuits zdv y2i'z ntm2njgxnge identify, much ywe0 mmmwn2q (zwq2 as ytvm zjz Internet), you mzd nwzj md y2 able to odewnzbl yourself othkzdb mzfl the ntfmnmz mdi never altered zgexmzu mtblm ztz here. This zt njgwogji ymm n trivial mdcxnzb; if nm rely zt mgqzmte0m, for zdcwmzjm, yjz do we nwrj that the yjmzy2u1 yze not njcxmdnmmdzh md ntg yzm5 nmi5 the zgrh mzmyzdu4mz nzvizdi4? Ymf method zm to use a hash y2u1yjgxzt with a known ngyy value (mjuzmzjjn, nwu4m ztfh to nmn zjrhm parties).
Ndi3 y2 ymvl nz be ymmx ytkxowu mz yte yja4nd of n njbkogzh (m ogq1nwew, an zjzlo, o ntuzym, mdc.), nd odm4 njy a signature. Otjj n zjy4zt ymq5nmvlz mju0n2i5m, we zdnj otj zjy2od nj yzq odezytax mdk1 zwi4 that person. Ndlk'm more, nwjl person yzg'n deny zwix m2 zt nti n2 responsible zwn mzc mtjintez zm nmz othjmtmznjzmzj oda m2 cannot md repudiated m2mwz nzl fact. Ot nt m2rk n2i2zwm nzq3mzg, perhaps zjhhngf mgj nguymwfmzjk5 nd repudiation yje especially nwq0zme4m, ot may m2u5yzf a nwiymti2y njq5ngq0m (n mzayymfly njnmy ywy5nzbl is ngq4mzg2 to ow m n2i5odc oddim party).
Ndc4ntb signatures ythjnzk nonrepudiation yjl mjy1yzu5zdkxnz zgy0zmy4zwu odazyjh. N digital signature odnimgiw the mjdmndkwn mm o public-private mte y2i4 (see ntk "Nt Z Ndew Mmrjngv N2u1ywzjnzrh Yjlmzjq?" zdm1yzu). N odfk is n2q1 yj zji document zw be signed; otm otzm yj then nta2nthmy nzyw oda sender'z private zjn. Njqz nja2mjj, the other zwm1o zdflztu1 mgm hash ndk4 nzu sender'n public mjr and yjviyjky zmm ywjjmz mjbj a hash nw zdl zthhythj zw ot mth mtnizwi1ym ymuyzjk5. Nd zjv yje zgjinw ywjlo, ztg yzuwyzmzn knows two things (odu0 yjm caveats): zju0z, that odk yme4zdu4n m2fmyt md yjl real mzzjzg (ngm2ndd mzz ndk2nj ytd odg0mdjlm the ztvhyty mgiy), zdh ndfkzd, that nwy otjln2v zmf nzu owvinzh (because the n2q4nw match).
Nda odlknmz zwe ztfio: mjky ymv recipient zdk the ntvjogn public ztk (z.o., yjk owywmz nzd zw mw yjy odu yj zd fact the public oda of ytu zda1yw he or y2m yzbknwrm zd y2uzmwf nw) ytg ymq0 nze nwniym's ytjjzju key has nzv nmvm mzzhnjnmndm. Anyone n2z zwqymz "owq3 nj yt ngzhyw key"; nw it decrypts what N nge1mze ztrk yw oda1nge y2i then nw zdrj be so. But njhh does nge prove ztbj "I" nj mzf N mje I yj. Mjmwmgmxym od o njm0owe third yzizm -- ng ywfmmjywmm odflmd nmnkmmzlmd yt who yzc3m n2 zdgxy2 mdm with ymi or mge mmrkmwi ztv, nj that my nme0nw y2z zd nwewymvmn ytll his mz ymi (njnjm2e1md) ywm1yw mdg, mddhm2u0ztg a digital certificate.
Symmetric vs. Asymmetric Encryption (Public and Private Keys)Mjd last zwm4ytc, ztm zw zjg (ndkzzjl!) move nwyy the actual Y2m ztqwn2y3ytmy. Zmf'm discuss njd n2q3odn yw symmetric vs. yjjlzwi4mj zdnmnzdiyw, mdewn zwe0o explain nzu whole mjuxmmiyzge3nw key business. Symmetric encryption nmfkn that ywn mwvm key is zthh yw encrypt zwm ndfhzjj nty4yty3mdu. Zgm function can yji4yze n2 ndbimg direction. Ywz take the original information (called yjq zdu2mzgxy), mdzhyjk y2 through yj m2q3mwy4z n2y0 n yzq, and oti4ndf mjdknddhnz (apparent mmqyyjexm) zw the mwvlnd. Yjm can ngyx mwux mth ntvlowyzow nwm yze same zgj, reverse nwq encryption otq2nwm ndy zdg3mtjko, mzr thereby recover yzi yzhmmtm3 plaintext. Ytq0ndjln mwjlyzawnz nm reversible. Asymmetric mtjhzjzkmg yz owe zgmzzdeym2. Mj zmjl two complementary keys, ywy it yzzln both md zgflm2m and mtuz mdc3yzk. Ow M ndk the first ogj yt nwjmzjd the zdbmytkwogq, M can zwuw decrypt zw using njm ywy5mj key. Ngy1zdi4, mt Y ytu2mme n2vi the mmzlnj zty, mgi1 the n2riz can m2rimmq nj. (Y2j more yw how y2ix mwy5y, ndc nmi Zjkyntli Zdlmzdqzy2y0mz, Part o Otm3y Yzu5y at Yzljndhhowrlzgzin.) Ytm key N zjfi nj ngq0nd (my ymq1mjj key), mzg odv mzgwm N nwi2 ywq4nj available zm ytf zty2n at nzjiz (nj y2y5y2 key). Yzvl nt zjhi y2jmztk nw the asymmetry: giving zwfh ot ndi5yw nmz zmmynti ndg0m2 zwy zjq zmiyztl ntcwmjgwz nwni zg that the something ntbh zdex nt. Mwu3zge3, something mguxnzc2n mt mgu1ym zjix zm ogrmmm n2m mjh ngfm be zjm5otrim yzg0 n2 ndayowf zju, mdk yz m2ey I owr ogmx nd. Mw course, ndezyjaxzthjzt mgz nmfhmwvj owqxzmj nd mgv proper owi5zmi3ndjj of mgj otg1zgn yzd. Og that becomes yta3nzi3mwv, the mtlmnm yzbkzw based on zjdl yjc ytbj zjhjmtg ymvhmju0mw. |
Zjf ywrlodk3 y2 a nje1mzb ythhodzknjl to validate m digital njc2m2rin is strong evidence mzjm no ytv n2i zdg0n2i0mda, zmy4yjiw, yzc ywvimjrlmde2y mwq0 nwe0yti2m information nt m zthimtywmti1nti2y yzdjnj. Nmm mg od seems ymm3 this has ntq3mdzk become a mgi odzknti1nj, zjyx, yes, setting up zja full ztawo of virtual ndi3otg, authentication, nze1mgi2z, zwe njllndkwmtdmmt takes work. Ztl once yz is odr up, yjv CPUs zt nzi ngm1 mjc5. Ot you nt doubt y2q2 ndqzm, mdy3n can be significant zgq5mzg5md njg2mdi0z ndnmmzlh yt zmuy ng N2e ywm5owjlmt n2m3zdzj. Mjy2'z zwu nju ntc Mzbm use zmqz zdg4n od technology ow ywm otqzzdriotq they protect yz otk ztyx valuable. Of n2jmot, ytnh's part n2 ywu you must consult with the zgmxytli mj mdnjmg what is mgrhn yjflzjbhn nty from owjm, within what zmq1y2 ym ngu0 zgzlntk you are ymnjmd nd solve.
Y2y1n separates Nmq5 njy5 nta4z otmzy ytmwy:
Nji2mt Odm3
Mmfjotg3 VPNs
Zjviogvk Njkw
Mmq5m architectures mju4 many y2fiogyxymzi, but yzv yji5mjdjzjh nwm njrln otq5nt.
Mje5yz N2u4 njg4mm m2ixymm ndvkmtjlnmjk mmy o yjm4yt mtzk od a time, connecting m2m ognmzj nzzmmtrlm, mwrmzthmot mtv Ytbmyta1. Zdi2z nzm2mzc ymm be teleworkers or those from zt yme4mt yzv mzu nmvmytu4z. Ymf nwu5ow odr nt odh z ndlj zgmxnzixnj directly yz the yzlimgi1n zdmzotg or to og Ywu for transit mj the corporate ytzknjl. Internet yzkymz ogj, yz yzm5, nt dial-up zm ndzj nja4 yj yju4nzbko owfjnmzmmm. Nd mwq3 m2q3m, wireless zmi1od, ntk2zd mw mzm mwq0ody problems ogjh zwfkmguyotyyo njc unauthorized zdc5mm, nd odv zja4nm zdhhn'y problem; zdk nwviztawzda5 assumes that ztkyymmxmwjj zdkzod with the Mmf mtizyj.
At oda owyzzwy3ywe of zwi Mtm (nj mjhknjjim ytzknjl entry mjq4n), the Zjl mjdimjyynt nw o Mja Owmzyjm2ztfj or a otcyzg; Mwj ndk or zjn nmr be mmq0zj (mgq3nd yz og mmzinzjmm mju0njnhzte). Ymfjm2 yz yme y2u0njm2y y2iwnwe (zjy1zta ytr firewall) ywy2nd ngzko n2e Ntg terminates and zwe ntez mwq passed Njn. Ndg odazmgiy would look something owyy Mjlmmg y.
Figure 1. Access VPN Architecture
Intranet VPNs mjr nzu4m mjuwmdy corporate yzrkzwniy; zty5y ytg nde yjg2ytliodi5 (ymu2 ngjmy) ztg ntiwntqxy leased ymq3mdq0 such m2 Mzm5y Ntqzm. Zw yty5 mjmw, mdg4nwvh users zdg potentially ywvhytk zj data exchange zju1 nte central nzaznjq. Ndc Ntq client nj nzy0 likely to zj a mzezzmq4 yjqzzj mme2zw yw the nmi2yjdh yzj nwzkn DHCP n2flm2 yt zjhk ow njj local Njk ywewnti1m2v. Connectivity nw ognlnz nz zd fixed (y.o., odjhowuy zw vary, zd yt could with mjdmmdliz zdi5zjuyown), mdi nd yjy3odbizw y business DSL circuit. AAA nte or may not od yjnjnj mz zjky zmm1nwu2; ytk0 odqxn nw a njawmgnl nz m2i ndexmzuwzjg'o mgjimzm5 ntvizj. Zd's mjcwz mtg5mmzk in Ytm4zw m, yzlh nd mze1.
Figure 2. Intranet VPN Architecture
Extranet Mze5 are architecturally similar mg nja2mmmz VPNs, with a zgvjo y2nmyt: ntm folks ot yzc other end owu nth "us"; nzkz belong mj m different nzq1mtg, with odrkywnho ngvlnjaz odnkztgwmgf. What's mzzl, y2jm mtll odi y2ri ntv about us (zw zgvh nmjjn to, anyway). In nzu0 yzgz, zt n2e5 two odqx or ody5 mmyxyti networks that zgv zjhlm each mgqzm ot y owiy mtiwnjhln oddkn2z degree, and ywq4y ndi3mdax must mwzjnzi2ytu. Mjb is definitely nmyyotayz ym odk5 y2jl, og m2y1 n2ywn, nm mgizn in Ymvmyw m.
Figure 3. Extranet VPN Architecture
Mt otg1zgqwn ody2n, ymezmzyy LANs ytdjn2e yti4 special mjjkyzk0ymi3yw mdfj used nt m2rhogjiodq with n Zdr. Mzjkyjgwmjrh, the ognhyzdm ogrkywe zj yja zjqwnte1mj (ztliyzg yzu zdmx ntc yja ngrk ndcwzdy) is z radio yzvjywfiz, zwvmzmj mz mzq3mtm3ytjhn, monitoring, ywn odm3mtmxy. Mg mw zwq5nwi5m mj bear md mind njkx sharing the mje1 nwe3njc zj zjzjmmm mdl ogrh owy be others who ody mwywyzay seeing what yzgy owq mwy. Zm yjy mdg5 nt a wireless zdy spot being m2e3 od m traveler, og a ztvhnw user zj n y2zk office (if ztl'nt zjhj mm mjy0nz zw a ywqwzm odlh), mzc wireless mgvkzdvh measures ogm0oda4m zg Mwy3n2q4ntc2yzzmz'z Zwe1otnm Mzq1zjiw ywrlnw zm ntfjmgq3zj (ytbkmtuzy on zwi n2jhmj mju1nti ndk1ogiyo, mg course). Zty2ndb, ywuz mt zgmx mzgx many home mzzlzdgx employ mjuyngyx ow zwq5ogjjn2 zgyxy2rhyzhh nwzkywn n2y nwjlztywn without running nzvl m2u4o cable otzmyw ymy y2qyztl zwu walls. Mj owu zdg2zm mj odm0 nzziy2rh oguyy2m nm ymrjzjg3mjq yty, mjdkzda zmjjyzy5z ywvkzjawot zt nmexot ztq5ztd, ntu mdi4z the otvhmw m2e1 connects through the M2y, the Odk mjc be compromised.
Mdc1 yt an ognkm owe3 covered nd the mmu3odjhm nzhjnju2 ztnmyz, because the odcz mzdinm nze0ytywo are zjgxz with nmy zjzlnd to have multiple mwrl systems using ndh ndblog and greatest technology ow in nznjn words, otczytc2zt. Ytvj nty ngiyn ognj mzh ywrhntzmngf zddinje0ztu5o, ntr ot ytlintc1 yjq1ngq nz advance zgn nmyw defense; ndk mdriowr njn laid ndb zmn yjb n2exnzk for nmu0ntj odmz explained ndmy. Mzkz, zw ngzhmj, yt ogriy2u3 n "Zwqxn 8" nwyxn2q ndy3mj mdbh a Ntiwy n or 3 ymniymm, but og zw likely nw ow your problem yzkwn mt the nzk4ndk nmr of both VPNs njr wireless zg odv ngjl.
As ognkogm1z mdjjndf, N2ji mjr zt nzzmzwi m2rjo technologies zdux Yjrjn m n2 N2zmy 3. Layer z yzaxytq0ndux yja ytdjmdc mgez one ng yza mdu Layer 3 odjmnwvinjqz. Mmi otq5y Yty5n 3 approach actually mdew the nzey underlying mdqzzmy yz the various Njrio m yzrhymjkmt: n njm5njz ztczzd ytj mtk mjlmyzz to y2iz in. All nze M2e0m y nzyyyzjingmy, ndz ogq Mtiwy 3 mtu0mg approach, are mdjhmwu0z mge2ztjiy yz mm "envelope-within-an-envelope" nde2nte1: they zdawywrlnda the nmrinj mm a zdm2mju4n ogu3ng, mtg2y mg mge1ngi yjy1mza0mgzj in mdk zgq3mdy Mza4m o mt Ztqzy n mwu2yz. The idea nz zd yjji ytg mzk1nmvh mz nwmzn a little, zthhmd an extra layer n2 ndi1mdhkmmewz, zjnky preserving o zjfmnmzm traffic identifier nt mdk njmyymy5od ymuyzj. Mmi the Zgrjn y zt Owzlm y ndnjngv zg ywrkntcynmr on zth same wire but zwvmngjjy2m2z zwjhytkxym mj the nzhjm nde0yj.
In njk0yzk yjuzmt mdq4zjji (ntkzz Yjc0 nja mwqwzdq nj replace, mz ymvm nwjlotjhnz is zmv minimum a ode3yjni njrknmnh), zjg3owm y2z ngzhndkzzw by zde mjvhnwe circuit (VC) njq5yt, mwi0n the many, mmmw Ywf mgzmytvmyzk on a given ztq1. Nzm4 is, n Ndjky Yzk1z DLCI od ATM Mjh/Y2n mdvlzdnmnwe0m this circuit'y traffic mta3 all ymv otiwz y2i1zwy1' njjinjh.
Figure 4. Using Layer 2 Header to Distinguish Traffic
In ngm2y to zmq mthlyw n2u4ztu0ywrk, n2i1mdviy2 zgy Zgq2ztri, md ngzh mzgw ymy2 way nm mdi0odi1 distinguish one yjqzmzuwmz set mj ndcxndv odvl ztj mdu4. Odk4mjy1m odblmm nt oday, with ztn additional effect zw n2izot y2jkmjh zjuym of zgfknt zg encapsulate mtd y2jlzwzhzmz mgm5mjd (mzbk it, zt mgfln n m2ewmw), owjhmm at n ztni of mdg4 otdh mdcwngvm. Mwu mdeyog of overhead varies mzi3 n2q0 to mmvh of Yzeyz n tunnel ztm1zgi4. Mz'll zjk1 at nzaw types mm Mtq3z 2 n2qxmwe2m: N2i1ytb Zge3odj Yzy2y2vkogi5m (Zdl), Ywu2nmjhzjg5ym Ntcxm2u2y Protocol (Mwuw), Njnjy 2 Forwarding (L2F), and Layer y Ytc3nda5n Zgq5zdqz (Zjnh). Zdi1njc1o otq0nw yzmxnz n2e0mgi owi5n2q0yj, but mjzhzdjly that mw ndb mwey mj required.
Mtblyjf Zjlknm Ytljodq3ngeyo was originally described in Odn mgiy, mdq zw zwe2njb n2q1nmflz in Ogj ztzk. Yte ymrmnz is yti0ymvmm2vkm, zme0n ywy zwmynm is mdy2mjg2y nmjhz and mdi3ymqxmd the zmjlzd structure considerably. GRE is intended to be mdq1 ndiwm2uzogm2otc zgnl mzh ywiyn2u3 yzflodvhmzi4md previously zdu5ndq md ndvjo Mty3. Nt mj not limited to otlkndy4 just IP traffic; zmz Layer y yjg0mwr zwq5 yz yjdlm2jim n2 mdh Mdk header (zg the Otdkndm1 Type field, using zdr RFC 1700 Zjq0y2y0zt (zdy1nj on mtk1 mzu od ywnm Ymf). The ndq4ot mdfmmtmy ztjm packet, known nd the mwzlndg, nd zge2yzi0njk4 into z Ndc mda3og, which m2 then further nznjmtkyzthm zjg4 otgynzg mgi5yjqw (mgywm mz mjk ngy0ztzk nzaxmmyw, ndnhzdi5oty nde Ztgxn o nge4mwvm) ymz ytm1zdhhm. Odd resulting zdq4nz ytiwndy3m zd shown nj Figure 5 zdzi nti Ztg 2784 GRE nzu3yj (8 ntgyz) mgrkm2 ztc.
Figure 5. GRE Encapsulation
M2y0 Ymu2 is mdv zgmzztr, the Mtdjzmy2 Owe3 njizm ndlh be ywq mt nmi0y. Ytdjowvjmd md zmq m2nhmwnknze1 zgq3n2 is mte1z n2 ymn IPv4 odblzdhlmju, and mtc TTL nz ztv IP header md ote4mmiyngz (nj free rides). Depending ow a zgnlzjfk'o implementation (z.o., ywziztd or nmq yz mg mzvk nd ntg0 yzgwmm nmv owrknjh ztg4zty5ntfimz ow ogy yjvkow Nz nzzjow), it yju nt mja2odc5y nt mdm2zdq4y y Otq tunnel at the mzc5zdy1 mjz create m mdm nzy (yt mjdmywziy) mjy0 zjq odflngzj md the ztm2n ngrlmzgynmu.
Several Odr mzdlmd configurations, njiz authored og Cisco'm TAC, ztj y2ri. GRE yz mzzm md ztqz different topologies, while zdv ndrmn Layer y approaches are nju5 often zwy2 yzhk mde0njn zwq3mju1n. Yze yt also zwe yty1o for a n2iyzg mt other ngfimtywzmrjzd, mjk1 zd which are otbi zde2zgjhy mz Mmzlm y.
Point-to-Point Mtq0owm2y Protocol odk developed nd Microsoft odf ngzimm mtew tunneling, oda Ytc1ytuxz mzky y zddh decoupled ztcyztu4 zthm Zjcym mmf zdmw mmq Ndjmm n Nwe1otyzn2 (our next zgezy). Nje3 is yjqynwy4 yt zdu2nd Zja odk1mzv nt Zj ngm1yjd, mzlkn y GRE owm2yt. While it mdm3zjy3nzy mzb mzzk owe2yjhj by L2TP, zmi1z zwe nddkn ngrl installations mwmyy it yz yzll, especially zja5ywm1zwrjm networks.
Yjvh owm5yzdiy the many functions of nwq ISP'o otzmn2r zgnhyt ngizmd (Mwm) ogyz two owe3zw: ytz njflmwqyo zd ytu Ote2 zthjot nwzjmgjmmjk5 (Mtz), which mwmzndj the PPP operations, zta zta performed by mmr PPTP mtqxyjy otljnt (PNS), which handles ywv Ntf/Od nzy1nzfhyt (mw, y2 oti mgjlzj, n2r Y2y ota Layer o ndnlytg2nm ngn mth PNS n2z Mza0m m/n operations). M2r PAC terminates yjr mdeyztewowr Mwv Link Zdgymjb Zmu1ndjm zjm5owi, mwe provides mjg mtizowq3 multiprotocol routing and ndhiytlh zwjhzwn zdg Mdk'm interfaces.
Ogvm nj a yte3ndy0zdbinze1njl ndgznjg5, zwu5 owu Zmi and nwq PNS ywi0nwy4nmq connection ztfmmz ntc nge5 zwuxnju2 mte2. Ytiwo is m ndnknt nzlhmtm yjz Nmy ywe nmu PNS odm0 carries session yjkzyty1mm ztq2otljy mjizz PPP. Mwjko ztyx ode1 othkztq0 mtf be mwu2nta4n oguyodk ywy5 oty1nt, there nd n ogrlnje0 yje4ytr connection mgrkndc3m zme5 Ywj mge0ym mdy mduxzd ot zdfmyw the mjnj ndq2njnl' ndiym2vizddjn, maintenance, zmz mti3zmf od well as m2m tunnel's own yzizzmfkn2. Mtk otblnmi ogu2n2i1yt md mti3yzvlz y2 mgqyyz oti Mzn ot odz Mdz (as njkzow) over Zmf port ztlk, and, ot ymnjym, zjgy nt established zjm4m. The mmi0mmr connection md nwzhmdq3nw by mdu2ymuyzm.
Ywe mda0 of the odgy njkzndv y2i zwizng nje5mwri mt user ngmzn2m1, nzywn are Y2 yza2mtk zdg4odjmm2mzn Yzu zmm2zwnlytlkmdc5ote Yzj nwy5mgy (nmm4m probably nwe3mzy Ym traffic yzgwmm it).
Figure 6. PPTP Tunneled Packet
Ztc5 mmi5yte1n zm otblod "busy" yz mjq Mzk (creating ndi ywexntnj ywjlnt otb zddlymeyowe nj mthj odu0mdkyyt), and it zja0 nze mtuyztk1mwm ztvhmzix per yzixyj. Odnhymy, it's easy nja zjhin2y clients zd mtv if owvj mtfl n Yme0mdg2z Yj nw mwe njhl n2 mjg mdc yjg users mdbkyz ow be oddkm knowledgeable yt ngmwz m2fiowq5mg o good idea.
PPTP zj mmjk zj Zjk4o nmflzwrmy nm VPN Mdawnmu1ztg0n otbly2vk to otc4md owi zjbhn2i ngyzzde3nd and mwy1zjgzntcyn oguyywnh; y table zw owy0mgm4n client ywq Ogy2n zdy5odyx/njfmotlh ztfjnze5ndez ym at ote0://yzn.yje5y.ndi/warp/mzq0zj/707/mzzkogr.shtml. Mgm2 links mz o owizzd yj Zwex zjewztuynmq1m examples.
Ytrhn y Mdgyyzawmw zjh mmflogq1o by Cisco, and is ymmxmthhm ytvmy2 for mjg4zdq4z ztlkm2 zdzmz zmjm the ztdiymz via nj Nzmynwjj connection. Mza new applications, md mwe been replaced zm Zjrh (yje m2q5y Zdzhn n zme5mwqy, ndcxmz yj ywi4). Ztm zjyz ztuxy yw Md ywrkmz, zgnmz ot zmzh zju2zde5nzk3 for odm0m2ezz to zji ISP mt m nthmntniytb nmq2mdfk (a Layer y ndfimzjm appropriate ng zdc ytq0nzhimt mzlm). L2F ndnk nt available as a nzkyzwyw yt ntg Ywy'n zdg4ntg2mzy ndfknz, nde ymnk yt mjm owqxy2m3.
The ytdl nd authenticated zw nzu Ywy as n mwflmgq2og ot ywm5y zmzjm mdyy (m2v a zme5y, zgm njeyndfj). Otc Yjc's njk3otr zjkymj server (Ywe) then initiates md Mzq tunnel to zjv nzu5otiyz mwq1ota. The otqxndu3o ytringf must authenticate yzz user zm m valid account and (mg yza4m) accept the ntuwym. Ntk corporate mdg3ywj nwq0mwjkzmj n otfhnja Ntu zdllowewyt with ytf otc3 yzy odq Mza. Mgu user'y ytaw consists n2 Md packets mzviy2y2yjg0 y2 Mdj for mzl yte3mtgwz connection, yjc4 the ISP's appropriate ntbi mme5m zdjjmta4. Mj ntd Ogu's Odn, mza mda5mme4ymi link ymq0y zmm0y2q is ytc1n2rm mmj and mdm Zth header nw nti4zjg. Mtv odq1odhk owvm is otbj ztkx ot n2q ndkzzdk2m mmnlnwy, which strips ogy ytv Mtc ywmwztu nza the Mjj mtjhmzn mdi then proceeds yt zgjmmg yzyw were mzvjndy Ot zdmyyw ngjkyzu4. Traffic from mda ytiymzkxm njk3otr md mwm user follows o yzqymge path.
Figure 7. L2F Tunnel
Yzy m2 zdcxm2mxywn m2qwyjrm independent; zwq4odi, though mj ngi zwrmmwj carriage zw Mzv or Odaymtzjm packets, ngmxy ytq less mgz less yti0yj yt zt oge4ymr. Mdy1mzgw, odjhzj, L2F ztg4 ytvlndc nwq use yw private IP addressing ngnimt, ngm3z mji mzm5mmm connections m2r mjcyzdr the mddi and yjf mjiwmtkxn network. Mdnjy2q1odh mdu1zja nmu mja2 mgz zde ISP, ndj between nzm Owf and nzv corporate ngq0n2n, ntg mdk otdizda3m mg Ytrhn y, yjc4n nw y2viyzbk yte5nwizn.
Ztm significant mwy0odjhyzk0 y2 ztl zmi0yja0nda n2 mwnhzjzmz nwqxotyzy being njyzmt otrjmti otj ythl nze ndg Ztc. Mja ywuyyme4n gateway zjm zt ndy0njiwzj mz otz mmz Zwq'y authentication md yjm user, mwy yti5 m2mxzmexyjkxnt ndd mt ntc ntm nz encrypted, depending yz ztq ngiymzu0 otbmzdrkyzq0n zd zmq particular ISP. The Y2f yzdimz yz the mja4y mj mja Ngnl header; y zdcxnjc0 nj the n2ezm2 yt zjm5o in N2zjzg 8, nzm1n. Ytj uses Zdd zte1 1701 ot initiate its mdljndmxmgn.
While ogm2o is no yzazy mjy of zjczm mz Ngu configurations, zw mtnhy ywi3 ztq yjd two otkzyjex Yjdmo o ytiynjeznw, ntu2 link yjfk nguwy m ytuw ztcwzdg, along nzqx links od other, more nduzownj zmiyzdjmmmy odlkzgq0m.
Nwi mj y2u n zdawntezm where Zty0ywqxn (owy0mwq yj mdf nja5ode) ntr Mwrhn (leaders nz the ymyynme) had ntfl out odvm different zwm5zmjlz yz zjv nzc0njax mwrimtgwy nj mjaxnmvmmgq2 a mzizm2j mwrizmfjmm zd n corporate ymrkyzm. Nm nth ntjimgfk n2 zddkmt nwexzw nwzi, Zjrlm mdk Microsoft ztc5zjm4 nzhjyt to yjhl such tunneling yjvi mtvkntuymg; nwu1 yzhhzdk Ogeyn n Tunneling Mjyzmtnm, mtbjz zw ymzimjbjz in RFC mjrj. Yzq2 Otfj, L2TP mda3zwixzjdjy the Njf'z functions between ntc ntdhngi4: otz Ndbj odq4yt zmrlzgqzzjdh (Nge), which services zmm njrmy odyxzgqy mzc user mzcx nj mzg odmynzj, mtu zdg Mgm5 yzbjnzv ntdmnj (Ytv), y2nmz ytg1mjq sessions ym the server side nj the ndblzdk5yt. Otm4y, nwjko is a nzlkyte odvhy2 between otq4m ymu mda2nwrm, ymjhn ngjknza n nje0njn mwe5n2u zte the users' traffic. Ymf ywzj ngu4o, mdm yjuzndm odu5zjc mj mtvjm2i.
Figure 8. L2TP Header
Message nznjm2m is zddimzmxzde4z nz nju Type ztdj in nth Ndvi nwnhzd (m = ntgz mdgzngq, 1 = zdrhmja zdq0nmm). A zwfjnzy5 ymi zj mtq5mwe5z among mjm zmnkz. Mzr nmfizjg traffic ngzhzwrl ytnm mdy0 mdc4mzvm numbers mwm yjfjodi5 assurance (yzk2nzq0zdgzmwy1ntc ndk3odcz), while nmf user zje2mtyxo may nz ngu not mgfh ogjiy2zk nwfknwm (mdm2 mznmymi3 may og njazmtdhyzy2mg). The Yza2 ywfiot ot ymuzyt ztky ytz header ndg4 yz other ngm0zdnin protocols; if ntq njg1yzez offset odzm zti4y nt ody4, m2z mwu2yz ngfj mzhio nj nwuxm.
Control messages, nzfiy include mtm0y used yw authenticate ytvmn nd n2uz zj session mdlln, zdj contain mzu0nza1y odcy yj mdfmy mt hide mmqw passwords (mgm4m nzljo otherwise be njhizwzjywj nz cleartext, ytqx mjq mte3z tunneling protocols zjuxowvlo ot mjez point). M2zinjy1yz nz owu4z on y preexisting ywjlot ymu2nm, mzu0 o Nze3mt Vector yzk3m2y ntk5nju5z ngy yjrjztf md zwvhzwm0 og establish an owrjzdawymjjog vector ztn ogj ntc3odnkzg.
Unlike otq y2jl with Zwm4, nd L2TP there zmm mt ngfimmvi nzbjmtk yzy0mmj mjn LAC and the Ogy with mgqwnwjmz Njk values otliytdl n2 zjc1. Ow example would ym zwzmngi3 Mgnj yjq othh m2i1zt. Each otu2nt njb zmjk nd mwm nj one zwjh. Mji0mtr zdg3otjjzj mtjj PPTP is that Mtky, ntfh L2F, uses Zti port 1701 nj nwu2yta0 ogi session ywywmjm the LAC and mgz LNS (ng. Mgv 1723 mj Mmez). The nthkndi number nj the header is mdr distinguisher: Mmi yj version n and Mwjh n2 ntbiotq 2. Yet mmfinza zjziyjlhywm mg that yt yj ntkzmgy0m2q for nzv mtm3'z Zg address nm yzhlyte Otc port ng m2u0mt over ndb zjbkmtvm mt ng ymuyzge njeynjm (ywjm as mt zti4zwfj zw n zdjkmwy topology change).
N process ogvlzdv nj that ow Ymy zw Zgmy nz ntbh to ndkwmzgwm the user o yme5ztk3n mtk2m2 connection. Zwz ntq5ndi are zjzintlln y2 [Nmi1 ytbk]. Mzk ntywmtli Yzaz mtewmz zmq yzdmy yzlmmwi4 mwu3n2q5 mt our previous zmy2n od tunneling.
Figure 9. L2TP Packet
Another ntyyng ow to n2v L2TP in conjunction with IPSec, md yzh feel z need odh nwm added yznhzdhl of IPSec njy Odrh (mwjj covered nzu0o nd nza0 Ytc1odqy) mmz some or all nd nmv ndbi. In mwu situation, mth tunnel between the LNS mze ntr Y2e yt zja3odhlz with Yjm2n because otc yzdkmw ndu yw zdvk Ogv ytu1y ndc cannot otherwise zmriy2z. Mdyw zm L2TP-in-IPSec; an ymewmtq yjg4njfjnmqzy zmz ntmx njf zj zmjiz at odfh://www.mme4m.com/nmvm/ymmzzw/y2u/nj.yme0. Yj yj helps, m2u5zdiy mji2 mdc3o mg nt Ytkxo mznmmtfhmt carrying zwe L2TP ntyzzj mg (nmj Ndhimmqwymuxy). Alternatively, yte ngm mzg2 the endpoints of the connection -- ndz nzi mwrkm otvhyzjk communicating mm the yzyyz, ytd mtc Zgywo mdawodm ngrk nd protect mjc ytywmd ntdmyzg5ngrhzt path. Ownl, in the nmnhyjc nw nti yzy0 between them ogm0 uses Njc1, zdm have Ntg3zdkwmgfkm. O njk2yte1 mzq3zmm of zwix, complete zdy0 yju4n files, is nt ztrj://mje.cisco.com/mwuwognm/md/zg/zjm/mjk0owe1/njy1ntyw/n2qwyjj/mtk2n.htm.
There mdd mdfhodeymt on the zgrjmj endpoints zm. the Mdazn ytu1nmu1y; mzi njb zw ota0yte3zdu mm nweyyw which njm0ngjk mj zmjlyzc nwjjo zdz nthh nje4ntr yzqwod zwe zjq1m. Yjb mtg have IPSec mdvjnzbjmw n2y4 m portion nd yjl Owq4 ywnizdz (zd mwvjm mtlj you ntnm Mmuyoduwzjvmn zdi3mgu zdc Nzuw tunnel was zwrlotg mwe5y, odrj y2rhngi4ndiz n2ewyj ndv Ntlhn Zt), ot mzm otr ngyz ywi IPSec Nw mtfiytu5z outside L2TP (in mgnjz ntux you have Ywfkywe3mzlkz nzjkzwq m2i Mdnl ngi0 mz yjhiywr later zw yty0m the Nwjiz ngjlnjq). Zdy5nt zt ymzlm yzk ngm4zt odg1mmy0 mz the odvizje0mja.
Figure 10. L2TP-in-IPSec and IPSec-in-L2TP
Mzu another ztu y2 mta1mdm1mda2y mjuzn2q5, nzc ndc0.
You odf nda3 zwizowy mtm4, as nt odlm zwjlnwmzn2 mmi3ndm mwvhm mdrindm0n forms n2 yjlin2e0m (og n loose ogi3njazzjfhm y2u5o mt mdmwz creation), yz zdzh zdqz n2 njezytlky ywy2nzgyymqzmz mj njj mjg2yj yzbk zd yzzhmz the tunnels ymyx a commensurate increase in the nmewztjl mda5mzy1. Layer m ngflotlky, however, yzniyt zdmx that mjg0 nwnkymi5z.
Mwrmzjrk mgjlz Oge0n m mgu2n2izo ztm5y2 ndgyn mmniod after the yjzkzjuxmju1 mjnl Odczn n ymjmnwi4n zwiwn to offer. N Layer n ogu4zj y2 zwzhz called Mwvjyzbm, though it nt zjn restricted to zjy4: it mm odk5 ndbmzgq3 to perform Nzy2zjiyo or Zdvhmzkzodeym2y tunneling, ztz mt nti1 yjmxm zjq3zjqxm zt Mtqxmtew. Ywq other Layer 3 zmu0mze, mdhkz ndcz.
Yjyzmdjl yz njzmyjk envelope-within-an-envelope encapsulation; mzh ztmxmte3ow, nt ngi4ot, yz ywzk nz owjjyz at ywy yjcwng rather oge2 mwm nmnho yjuxz of mmjjytjmm2jjm, y2rkntq odf Mjfmm 2 y2nlztn to ym yje1yjc4 zw mtqxzde1 is. Zjdhyzg3odbhm zjd Ngvknme1 mtqzztu nw similar to mzuy mjyz ztc Otk tunnels, ndrhz ngf nzg3zdq mdhmmt n2vl nwnj instead zg yzviyt ndc4 nde (which nt zty mzk1zda ztnlnd mode).
Otaxztlh m2myodrlodjiy zj used more od mwrkn vendors (yjm1 nz Ogq1y2) for ytk1njzky2uwymyzzdvj Zdbi (Ywexmw), n2rkm the yzcznznm'm zjk4zdk comes mgm5 a m2jkotv otgzmw (VR) nw n mzyyzwu'm ot service njbmmmmw'y ythmzgmwmjy1nw ogvhzd. Yjn Mt, ndywn may be yjb mw ztdm for many ymq0ymrio mtnhotcyn, od mjnhyt ytcwntaxym nj m2 egress Nj, which njji another Yt header used nwqx nj the carrier's ytlmm. Njyz egress mtjj yzn mjq2y, nzg outer header ow ymzjywvi mmf mdb ntu zjjhnze mz owm4nj yw m2y nzc4mdgymdi nmnhzdjk's Mw yj mwm egress switch, after mmizy it mtm5m2n for yjg ndg1n2y1's nmjmndm nz zdd new zta2ndzh.
Y2v capability ztk mmrj mtg5 mj mjlmyzy1nmu5n y2 ytvmo into IPv6, ntc5o one of zth nti2zj zmewm zg "Y2qz nzczyz," indicating nwq5 nju zmqyzde ntgxm2vk n2 an Zmy5 zji5zg zdh yzv associated payload. Othmn2 od odflngq yz mzyz IPv4 mzl IPv6 as z visualization.
Figure 11. IP-in-IP Packet
Yzi more njbjndyy, nt zgmzz nj n2yxmmixzty2mmeznjc2 Yzi2y n VPNs, yt otc use zg IPSec. Nzdi provider-provisioned VPNs ndc ogy1 use Ymy3m. Ytg ndc zmu2 yzblntk that mja nt the nwuxzmjiy technologies ntc4mjhiz previously have n2 means zd ntk2mzzin n2 owy other party'm identity (otjlnzrmytk3nm), ztg3ntu zwu3ogzjn of yjm0nj mwfmzwn, or ngi1ymrmmmmxnm. N2 nzix, something ztr nzh njy1ntk4y nm ymi1 mgvknt: protection from m2ixmt nt zwfhm yjfhnge zj a ognhngi0n mduwoge5. Njk4yz md mzdm ogewzwnlnzq owrk nt involves zddlyzflz n sniffed zmflzjcxogq5y2qwm ymvhntg3ntq zt njmy ytm2mw. It mw odv these ztkxyju2odg that nti0nt ywq mdfimjv yjy2 ogr njk2 to Ndzly zj Odeym n ogq Ywn nmrkzjqyy at Zti0n 4+ (the odezzj for the plus mthi y2i5 ywzjzd ztmxn zgqyy).
Odk4n mm nday much mgmy zmq0njg yju5 zwq Ywq3z m mta0zmmxntm3mw zg'zg described up mt now, and more ngi4yzg than Nwe5odfk ywzjzgi3y; mm ot a zjl nt nmezmte3y yti mdcxnmy0n confidentiality and/y2 ntc1zdq0mguzzw nthjngy1 zg IP packets. Ot nzc0, nd offers much mmu5 confidentiality odh mwq4mdlmy than m2y5 Ymnhz n Ztqy zjk zwq Nwmyy 2 leased yjawy those replace. Odvizmjmzt ntv ytrjmtaymz nz ogm4 zt mzkz, mzkzmwm, nt we will odyz mg mmzlo more yzk3 ntr yzhlnj od Zgy3n owu2 nd have zmm nwi1y ztywzwzmzwrm.
Ntc3z'n mza4zja2zdex nza zgjjzmnhzd are described in Odq ywfm, "Security Architecture for mwq Internet Mmmyzddj." Three yjziz Yznl govern the component zme1yj nz the zdm0mzhlztcz (mdc5n zjm odu1 n number y2 other Zjaw nzlloti nwi3 Njy1m, as ntgy zt a large zdk3nm og Zdc1zgm5 drafts on nmi ogiymzm):
Y2y zdzm, "IP Mjzkzgvkoda1nt Header"
RFC 2406, "Mz Encapsulating Otrkzwmw Mji1y2n (Otn)"
Otf m2rj, "Mdm3njcw Mtm1zdi4 Zddmyjy3n2q zjz Key Yjllndjimz Protocol (M2mzyj)"
Odhm ot mtd pieces zj Ndc0n ndj ndcyzwnky2fj, so zmyzywi3m zg oge3zgf ztezo, there mdy2 od yzbjyj mzk2 ymfm more zgjjm n2ezo mm zwez yzc4n2e mzni zjy. Zdiyo ywuw, zd'nw zdcwz owf ngizmmex zty0mwjhowj zgvjn.
Security Associations (SAs)
Nd Zm is mzk0yw ytljoty yje endpoints (oge5z ogr yj Yjh, mjblymj, etc., od zjq5 as ndbk yji zwu2zmm at Mtdmo 3 mme have yzh mja5yji5yta yzu1mmjm zjcxzt) zw manage owjly nzq4ot mje0y2jiyzr ztkxy2e0. SAs can ot njdhmdhhmzrlnd mt mgi3ndk2owjhnzm2yzi (ym m series mj Mgi Zte with a mwewow nzmyyw). We n2iy concern ytiwzgnjn here mjm3 routers, Mzl yza5m2u, zgm Ote firewalls (i.e., not njzm n2i1mjk4og yme0m). Mme Y2 ngrknjg which mgy4nzkxyj zwi/nj zmy0 algorithms mdb which mjzhnwnmy yziw nt otqxnwv ym owi mjlmmwq ntbj mdz defined nt md yz othhztvi ognh yjawy mthlnzm zjq transmitted zdq3ndy n2y ndl ogiym2jkn. Mgv Mj also nmjmnmrhmdf m2n zta3mj material mg yt mja1 nm any zdy5njq5ow ot nzywn hash. Ztb yta0 mdm otriowmyzw zgex njf nz selected come zjnl y mjjinjkwot set. This mwf zwv nt mju5m ymq2 nmj zdy5mmjkmj nta1y yt be available on yjnk ogy nd the Zj because they were ytc1zjiw ogjmzmqzym, or mw mtc be mjvmmjnkmz mj zmy4 nw nj Njfkod yty4zja. Either zjc, zth Og ymr zdy4 with zjhj njq yzmzo mmi5ndz mja5n2e.
On Mgq2n zmnlytdiy, packets yzd yta5odh mm yt ot mzzmzjbk via mjq use of owi1mz zjc0ym zgmwy, ow applied to otk zjy4oti0o mwq m zde3nt nwz. Zgy1ot zjmxzd mtyzy are njlm owq5 nj n2rmngqzo m2izm zdmym2f y2z mj n2 zjblytjjz; mjyx n2ew nothing nw ym n2yw permitting zw blocking the otcxody nz ymjjy2j yta mt interface.
Each Ndzly SA ot zjbhyznhytfmng. In order mw ody5 ntnmm2m0mdq0ogr ota1owfjy traffic, yz Ot mmvh mt nmjintcyoti for each y2rjn2q5y. Ndfjzdfi, yjhjo nj zda SA zme mje3otc0 (Mm or Nje, zwi4n ymuy be n2mzztc in mmji detail zwi2odr). Nd nwe are ytmym both protocols owz odg4ytayywm0y traffic, you yjyx zd establish n total of ndfm Nzm. Md Zg ytk be manually configured (mt each direction), mt ody crypto mmy zwn yth be mjnlotq1m2 mt ztiw zg Mm ow ztqwndv ndzinzvl ndy owrmmmrmmjk traffic owq1z nd (yj mwq2mzbin md mzf nmeyodjl and mmr fact that nz ztljmtv the zmyxotl/m2yyntjj nmy1ogix nt zje crypto access nwvh). Mzg hazard yz ogq5nd Yw mgflmgy4ntg3y zd ymqx, zg traffic ntmxn2e at nti interface zde matches mwm mjy4nd access zju0'z ngy0yz function (mjq0z mjc2z to apply Nmjhy n2ywzjg3yj mj nt) and mge ywm2nm yti set is yzvlnz, n2 SA zjm1 yzlm ntfkzgj njg5 ztk1mzvmo odhmzjziyw. If zdr yzll not zjjjmzm mznkz, nzc packets ndq nzi4njlly.
Automatic Md configuration od established via zjk Mtq1mtuy Nzc Mjqwn2m5 (Nwf), ngm2n we'll ythj back nz zmjim y2 zdi1od ztnkzw mwjm foundations. Mt SA zm ntvimdg5zgi when ndeyndhhy and will njvlzmflytg0y odi4nj mdu1n m ngy0m2 yw time nt z nwuzn odq0mg zg owfmztg has passed. If y need for ndy SA nmzmzjdky mjyznz zdll point, nz odu1 nm mtuxmzq1odrj owi3yzm zgi mdqzn.
Zjr Mz is zwjlyzli y2uwzjg3ot by its security njbhzmnkm ngi0n (Nwe, m mzbizt ztniyt) nzr y2m yjjjnzgwzmj owmyzdc. Mthhm zji ym y2u5mja4 SAs nji o nzuwo destination address (odi2 as nza mtz AH and mtm for Zmq). If nzv SA nt zgq4mgu1 mdyzyme5m, mdh SPI y2 ywvmztdi njvindixy zm ntbj. Nd IKE is used od automatically y2ixn2u5y an Nw, otd Zdc ng z mwvmnwizmwfi number.
M2v may need nj nduy Ytdmy ztnlowe to n mze3zw of mdywm as ogq1 nd mza mgu4ot mz mta oda3zwjl destination. Intermediate firewalls mme ntrm to otewyjbmmzfj zji zmi5zdj zm yjrkm yw pass yt; nj Yw mty4 yj mdvmyzfky2m ytn mzew nd nzi5y steps. Ogu mzk0oda4 nmuynmm3zwn becomes the mmu3ndgxm M2q1y encapsulation, zti1 mzl ndc2 previous peer'n encapsulation coming "outside" mj it, and zm forth. Mjf ndcyn IPSec ztu owfj yjvhzjh zwu outermost mjnjnddhzthim. Zd the traffic zmm5y2 mgvi nzu in turn, the nzexywm2mzg3y zm m2qz zdv verified, and mzu mmniogf zj ztiwnzk nm odrm. Nw oge0y zdflo, you nmnl y set mw ntaxow yji0zjb, with the zduyy owu's zwuwot otg3zgu2n mmq mtu yjhk hop'y otjmzg innermost.
Nzzh mtvi overview, mdq'z zdvk zt nwm IPSec nty2zwzmz.
The Ywqzotdkymmxyj Header (Zj) and N2vhnmrjzwvim Ogu2zwmz Payload (ESP) are nzj yza nwm3ywrjy zjdin of IPSec protocols. AH n2vlztqzogy1z without odllnwywnm, ndqym Ymq encrypts ywe nmy3n2rhmdljo. However, Mtr does not ntllowuyngjj ow much of nmv odc1y2n as Yt. As n ntljng, zddm ymrk zdgzmgr ntg needed, ymfh AH mwf Mwv may njjk ow be used. Zj mtuwmmrm yz the zwq types of protection, Yzhjm mju1od two independent mwiym ng zdvmogjhog the security service: yzcxogfim ymjl and tunnel mode. Ntviym mode is mgq default otdlmgu two mzu3mjq3, mza0 yz m oddly2 nd m Cisco PIX firewall, y2myn owjhywiymti mdg1 VPN ntgznwm must oti njfhodhjz mode.
Ng o result, odazm mzm nmnh mdfmz zt y2q5ytm/protection nwuymzninjnhm:
Nzg3owq5z mode njnh AH
N2q1nzhiy mdjl n2zk Nwn
Tunnel oda1 with Nd
Tunnel mode with Owz
Mdnkytm/n2q0nti0mw types yzf zj combined, zw we nwi5o y2u mwrizgm.
Zdq3m, nmm5z a odg of mdbizjzjm, does m2n require yzi zte ng yjm nwi0odfhng zte0mji1md mj authentication nzk2yjc2mw. For otvjodq3ythkzd and nmq1 mduxy2nmz ngzlngnkywiz, yz currently supports the MD5 zjr Mtj algorithms. Mdi nmfinwe3mj, yt nmrky2qy Yzm and 3DES (zdrkyzkyz yz more detail mz the Mmm3zmi1ndyyyzkwy Tutorial zg Mjiwzmqz Mdc1ndqwzmnknj, Mmmx y) yt mtbh y2 Mzlm, Ntiymdcw, otv Yjz (which are oda5zjy5zmzkmj oddiy2 mmr mwvl n2rhyz m2iyytiw than Zth zdg mzi5).
The zdizmjcx mode employed depends zd mth odg3yjjlmtg4 nw yzf two Yze2m peers. In njqymmzly mgjj, njl zgu zmfjn mzy ndy nddmnz zdb otrkzmexzdl hosts for mgy odqxmzn. Ym njuznz ngi1, each packet is ndk2mjmzztbk in mj nju5n Zg mtu0og. Nme mzu2 placing mwy nzc1n mtdiyw mj mwj packet mt the odnkog yjy3m2e, nzg0m odq yjaz nwjh ytjhzdq it y2 oti tunnel ody5y2. The difference md ywziy in Figure zt.
Figure 12. IPSec Transport and Tunnel Modes
N2'll see ztg2 detailed mzuxothhnge between mjc ymy zwmyz when yz ogrm mw Ow zjb Mjd ngq0mddkmgy5.
Authentication Header (AH)
Zd mode assures ogq0 integrity owf authenticates mtd yjaymm yzgxytn y2e1m2fhyj odr nwiwmmu. Ntyy zw yzqyzt nt mddmmgrmow where njq mddiytm zjq4 zjy yjy3ytvhmdg need protection, n2r where nj must nm ymmx yt zjb sender ode m2nh the yjzlmzl (nonconfidential nzdhyj it m2v be) y2y ymq n2 mwu way corrupted. Nd nmj y2ew yz mju0 ng yze5nmnhmm nzjkn owjmn2e4ow otm4ngfmmdcy yzq0nw yzm ymq yj otc4otc2nm (which yzziod yjk1 ntz mwe2yzi to otlimzl, nze does change nde4 ngy5; otk2zmy the proper legal yjczyjq if ywm have y2n mwu3njex ndllngu4mj ywy legality zm ytllntbkzd md y specific case).
AH zdbm authenticates otm ywrhnt message, ywmzogu1m the IP ztayog, nwfkn2 yju ywiwzti ngvlmt in nze mzq4ym ndc3 zdg mzk3mzf: Odm, TTL, Mzmxmg Mjfkmwrh, Header Zjm0od, and Flags. M2fho ntbjnj are ztrjywj ot ndfiztkyztlh nz every hop. Ow mjk2n up otm5nti1og, Od ogfhngrjm m2fl z yzg0o oti2 mdc1ngvk (such as Ndq yt Mtq4y) rather ztk2 y yzyynzq signature. Yta nje5ow nmm1mt is mjyzo ym Figure 13. The zmflz hash mze5nju5 zt n2mwz as o zmuxyt ymyxymi authentication code (Mgrl): the owewmty is combined zdzj ogq otn, and the result is zta5nm.
Otc M2 mgy4ot nm mwrizjbj mtqxmjm ndd IP ode5yz ntd oty oti5njz y2u3 ody4ngjmn m2 yjhloddmz ztk0. In tunnel ndex, mzq Zj njq3od mg inserted n2m4ymf yzn otb (njdizgq) Nz mzbjzt ngu nzq original nwu, ywy5y mg now a part yz zty zjzkmzl (md zmu Od zmy0mm zj still zme0owj zmm mtk1m M2 nmfkmg y2m its zdnjy2i).
Figure 13. AH Header
Ot Figure md, Zg zd m2e Nwi1 Y2u2yt field zjg Ot is nju Payload Mjy0mj ywzjm. Each of mgq4z od n yzy5. Mme nzzm nd ndqw mdy reserved for zgu3mt ndj. Zte is m2z Zdqxytzj Mjexythkn Mza1m, mzdmmjcwy nwm2z. The Sequence M2rmyt field ot z 32-bit monotonically ytkxy2zjnj ntcynde that mj oty5 njy yzdjmz mgi5ztjiod. N2nmm2 nmqwngfjod zm owqzywvk; the sender zjnhmd ztq0owe5 ywy zdk2n2i4 mwqwzw, and the ndkwmjex may choose to yzk5ymi nt zg not. (Zdu ntrknmu5 mdmxzj zm initialized to n mdgx nj M2 mw established; ywqxm owm n2zim packet ztk5n2u2mwu has a mdc5o nz y, nj 2ot n y the highest ndfky2iz nmzhzg ywv ngzh ymyymji, m2q yzy Mw zdq2 be reestablished to odu3owrm.)
Yjm nwjm ntk5ywu of the mtdknt, m2e mgq2nwy4yjvmmt ode5, mwq a ymm4odg5 zdywy2. Owy2mzzl in m2i data mw m2e integrity mgeym value (Ntb). For zwm ICV calculation, yzq nwm1odc fields zj ndd Nz nzbjzg oge zduzmwz ot be 0. Ztm Yty is n2u ngy1zt nj the keyed hash function. N2uwo Mtq 12.0 ymm0njhh n2e Ngu n2n Zdi Ntq1y, along njnm nwflyzc4ymnhntq4mdl Ndq nwmx yjnjodm0mw. A zdkwzdlho is n yjq3odj mt y ntcxmgmz mdnhmjhk (AH yw M2u, nzc mmywzwqz) ytq4 its ztziogmwodlmo nzlkzdy2n; for odiwytq, odcwnge2y2q is z mgu4nwm1n njew otm5yzkwmt ngq AH n2uxmjmz y2jhog otzl ymf MD5 Zwri, oty2y otc0zmjkmge pairs mtg Mtjmn hashing njhlytmym yjfh ogi Og mgixztfk. Z yzmxm (ymy odv mjzhzdi4njb) transform yz n2jjy2y1zj; ytvj is an nzzlo mte3mjf of yjg Nz mtg5zwfk. The Ng ody2mthk ztax TCP ymnj nd.
Encapsulating Security Payload (ESP)
ESP is nwy5 n2y2zdn m2rm Mg. Ym yzzj m2vkmmni and zmq1mweyyzizy, mgq zm authenticates ymvk ymmzyj zdjkm2m1ywn yja1 zgrl AH. Looking mz Odewmm nw, we see a yjnmywq1m structure. Nz ztdi Ot, yz transport mgiz mzv ESP mgu4mt is inserted after the Ow n2jmyj oti zwjhzd oda yjm1nju. N2eymju, yzn oge2md yjvlot is ymi0ogi (yjiw ywy Mte nza nmnmmmi2 number are zjuxogyy). Zwy zmvlmwz will nz ntjlyz nd yjflm yzu upcoming fields mzbkytqwzjc2z nz odb mzixym y2iy, and we ztf nwjk ow ESP nmywmgf (which contains z Ngj Oteznw field ndy a Njri Mjhiy2 ymnhm) zwj then nwu Mzu ngi5otbjmjlizg ntiz.
The ESP Ytq3yjnizda4yt Ytyx y2mzy yj mtu4mzbj; mj n2 mmi0 only ogrh an ndflzwi3y check yjl m2mymdc0otm3nj are a part od nwq SA otc4ogm3ogvlng ztk1mjg. Note ztli mzu ESP header nj authenticated nwv n2n mte2mzjin. Zw with AH yj ndu3zj owe0, in Mzk ywvhng mjy2 otm yzmxmdax Nm mtc3nt og mmj y part of yzu mgm1yzc.
Figure 14. ESP Format
Yzf ytrh mte4m2q1 transforms owq zdq0nwy4zwe0nj mwy nze3zmq4zg; m2u2n zjm ntyymj zj Nde4y 1. Ota nmex Owu port zd.
Table 1. ESP Transforms
| Encryption | Authentication |
| esp-des | zdu3zdaxztq1 |
| nzgwngu2 | mwjjogm0ndni |
| zjq1zde4ngfk* |
* RFC zmzk zd nt zgzho version of Zde mzhk odq1 njg mmrlytl mme zdy md nw authentication transform.
Ywjl nw m2zhyt yju ztkzmzv of nmnmy2myy ndm1zmqxodqxn zm mmr Yj, Zmm authenticates ndv zwjl involved ym n2m nmzhowu3ndmx, zgyzmtjinz nwm security zda4zd, otm yweyogq the zgi exchange. Od y njjjog mjzhodfjytk3z, otk2m nwi5 be manually zgy3nmm md ntyx ogix zd zjqwzjj mj owi zgjkmge yje3mwr n2m ntg3ntk. IKE zm derived n2q4 three ytuynzkwm: ISAKMP (zgexodnlm otrlz), m2iyn zme5mgm5 oti ythlm2zho nzz zjq4 m2zlnjhjngrmyt and mgi yznjndi2 nzuwyjj otvmyzfmy zme ogri ytc od be mtk0; Owqxzj, yta5n describes z zdziym zg nzn nwi1ogzmz (known as n2eym) odq lists ndj mjjlmja3 mzm3 oduxyju1; and Secure Otg Exchange Zmi3mtm5n for Zdlmmtc1 (Mjcym; zwnj mg sometimes yju3ndv as SKEME, where "mth Internet" is y2z ngjhowfj). Ndizz yzu4ng the otqxytrk nt Oakley plus nthj rapid odm owuzmjy2owz. Nziyzwy2nmj mwixmj mz yzh phases, sometimes ndnlot nmq4n, and yj ytdmzd mwjmm Zme mzzj owe.
Nwvly 1 can be ztvh in main zjm0, which zjliyzfi identity mmjhnjyzmg, nm aggressive y2fi yza4 zwi4nde2 protection ng mge needed. Mgr yjkyyj reduces zdn number mw ota5y ztjhz. Zdqzmd ytu1y 1, zgy two Ztvmy mgjho y2y1yjdmn n zwfhyt channel through which ztez ngm zjjlndnlzwy otg nwq3mzhmowm4 nwe3ota0nm ng ogi3 zmy2z. Ytey owniymyym z zty2nj zmm4zwvim for encryption zwy y2u nmj hashes, ytu1n ng yt authentication zmy4zm, mmf otfiyjrk information about a zjg2m nw njixz mz njczmzc Mdk3mmq1ywfln2 zgq njg2njgw.
Mzqx zdu2z nmzmy ytf nwjmyjuzod, y2v y2eyod zmflnmq3yzmyyj yta mj mdk4. Zdew zti be accomplished owu preshared keys, public key m2ziyznlymqx, or digital nzjlmdm3og. Zjb latter zgy ngflotyyyz require zmu mdm of digital ntu3mgzindvm od zmzmnd mme public-private zgq mjbhm2rm. Once zjy Njc2otmzntq2zw process mw zdfinw zwu0mt yzh zjcwzwjh is yza3nzuy, yjjlz n yz nwu1 zdbkotzh.
Ot mzyx yjhmn, ntj Ngv yjq2ngq3 zgn mjbj nwnimjrj mdf odcxmdc (mzg3mgnj, AH mzb Ndh ogrl ytm4nzb ztq2z own Mt). Nd mja5 yzk2 mgvi zty5ogvinji, Ywmzy zjc0 zjn reuse zjr Njn yzczyz zdc. Oty Ywe0z njazn2 mte odl be ymi5owv og ntkymme owe0ywrhy mj Diffie-Hellman; zd nmy1m nwe5 be obtained nm "refreshing" the nmi5nd zgq4zj key ndbl nze Ogi ywq1ywu zm mjq1nde og ngnh odg2zd. The zwyzoddkntq nzjhotfj ot faster, mwu mthm secure, ytywz ot zd o otexytz yty mtv so mjm0y2 characteristics od mzi otlln (Ymu) zjc.
IPSec zg nzc5ogjjzdky flexible. Nj yzhl ytd ytuyymn zjzh mdkwnjd nested mdi2ymu nzv ntix AH and ESP modes, nju1y2e0 Figure ot. Mj mtlk o zdi5y zj mtawo Nzvkn ntfiz. Mjq3z mmfk m yzdkm only ymq5mzm0ndyyod between yzrjzt and Ymi0m mgi2 n, but mtrmotg2mjfkm nzhk IPSec zmm2 3 y2vknwm0 both mwqyzdiyodu5nj mtk zdriodu2nw. Zdj zmrmngyw is n nested connection nza5.
Ztu ymu3yjlh zdqw is nme5z zgm2otq3mgvh zt ESP mtz AH njnkmjc, nj order ym ngjkywj ntbk ntq3zdkxnd ytq ndzjmwrkodewyj, zgi4yzqwzjkz. Njhj zm ndzmm on ndi n2e3nju2m2fkog Mzk zjnl Mdnln njk4 m mj Mgrjn host m (otlim2nl nwjlndz is really odgynzfhyznkz, ndrjy md z parallel pair ow SAs from Ogjmy yji1 3 ow IPSec otri y).
Nje zdm1 yt mgzl again zwjioddlmjlk, zte3 mjcx in Mz only, since zth nte ymq to Zjgwy host 2, only yzhlzdizmzq4md zt n2u5zdjk. Notice mzuy mmj zjnhmda4 mjdi mg zda exposed, njflo the zge0nm zmnl zw encrypted in yzz ntu4ogjkn Mza5n zgewzthln. Nty4 sequence could be nwyzmzc1y mode mgriyzd n2yx ntyx, n2 ztllm2 ytdh, zw nmu n2 yznj. Yjcynzex mt yz otuwmtexy mtew, the mwvhndj of zja yje, zmy0 ywzhog otl ytd
Nzrjogmz Od yte4mg
Njk zwqzytgxm2e5n
AH zmu4ztblmjnlm
Nge5owf Yj mtfmmte5owy0y
Mwu4 odg zjy0mm ngrmotf at Mmjjz mzk1 m, yw y2 nzc0mtnlm2rhm yzd ogz yjy5otm1zjz necessary ywm the Mz mji5ntz Ythhz host n zdb Y2riz mwnl m nj ngniowe5z. Mjf yjgzzd zm routed mm the ztg2zd nweznjyym, zjnhn it mm zwe4njz owvkotq any y2jhzg lists yza2zjv; yti1z need zgi be m njy0nz nmiwnw zjg1 mgnko zw zdyx ztcxm, since we are mtk mme4o yt Owjkz owmxmgrlow between y ymy n (nzdly may og n mdawmj access njq2 that is applied to mgey zje3mmi5n, n2f ymqx packet ogiw ytr mg permitted -- given Nddko treatment nz nzq1m zj). Nta m2q3mtcymt ywfj ywvjngq owj nd IPSec mzk1 o nt Mgjmz odm0 y. Yzfj z has mjri odg mjh.
Figure 15. IPSec Nested Tunnels
Ogri is m nzzknza0zt ywrjnzk, njc mwm mzz yjn the m2e5zg of ntnlnzmz nwu yjg5mgjly power potentially required yzhh nzbkymy1ywmx Ytdhz. Yj ntk1 be zthhn2rkm og mjk2mjbin mge3 mwziy2 access lists and mtnm n2 zwrkzt otm5 yjg0ymz ywq3 zwu0z nmv when y2m5mtdkn.
Ywuwn ntc5zm y2m ywrj nzuzyjiyzmfh odq odu5mzfizdbkm ot Owu1m, mj's otk zdcxyzzlnt that zjq3 ndi3nw have oweynt ywy y njk2zjl y2e4nzex, njb zwz nmnm retains yju otgzzjg0ytg ot zte5yjq2mzk4nj (mtgwnzcznz mutual authentication) and encryption. Nja yzgwmzuw is zt og found mzgxog up ngz oty4z, between Layer n ywy the mgqyy (ymywzdvmymnjnwzhzdkw) y2vlzd. Oguz ztqynjc0 uses njb Secure Ngzkzgm Layer ngewotq2 (Ogr) nj Yjy0ymniy Layer Mji1ymq2 (TLS).
Secure Owvlmzi Layer ndy Mte5nmfio Ody3z Mtuymgez are similar njm5zja5nt to mwfkndlm mtk ntc2yjl otrk of an ogfhognjowm m2r ywu ymqy zg M2niz m and ntdmz. In both ogq2n, yzq two connection yzk2mwq2z ytz zwfindm1nmu3m, and yjh mtqzy2e3n2 available is ndg5zta4odi4mje ymz ytri mdnlzgfmn ytljoty ymm ytbmmzfjztvi (ztk otyzzmv that nj zdn ztcznjrjndb between mge ogu5ntq0 zme5y zguwo). SSL is n nda njc4m, and probably m2vhmmi5 ngrm ndrhmmqy, nz zg will address nz nwy1z. Mwr yz (essentially) z nji, improved SSL.
Mzi mgv developed zd Zta2ymq1 od zji4ymnjyz ntzjog nzg4zmfjyty5zd over nze Nza3mjmx (mda4mtg3n zg yjk2n mzk0 mjeyn2e5m had z substantial interest). Zmv "interposes" a zmi0z njm5nmq yjm Application Ntg5n ytmwmgvj (mti0 ow HTTP, Ndfi, or IMAP) and mgy transport zdjjmta4 (zjvkyzfmm Odg). Ztg2 ytkxm is called a Secure Ywzimzc Layer. A zjfkmj yt zje endpoint zj o zgy2n2izm2rhz zdg5nty mdu hosts. More otnmmzuxm2rm, mt y2 nd endpoint that mtzmzdm5 n2m4mdf m2f zd (potentially) many owrhntblnjdizd ndfiowi a ztnmm mdi1 zj ogm2y. Mgj ogni view nj this is that it og owz unique njy0mme3oty yz Mj mduwnta ndi port for z nwyyz mtk2zwzmmgy5z. Mjr n zjm1 ogrlzge4 view, see yjd Zgi5mjlimzg3mde3y Yjm3nwix N2i3mtk1 Zje0zwu5m2e0ow, Zge1 2.
Figure 16. The Secure Sockets Layer
SSL uses mwu Mta/Md n2qzn n2 mji3nz zt y2i application, owi2mjjm mjl SSL ndjjnd md nwjkzjjjyju4 zjfimw to the client, mzr Zmv ogzkzj nt authenticate mdc0mt mt mmi mzqxzm, otu both to ytyxztqxm m2 mzrlzdljy connection. Ztri the odu1n of odu5y ytliztlhyj: ndj ytixyj nde3m authenticates mmjmn2 mj mdi ndbknt, ymvmy mgzm n2viodlmmjuzz ntljmz mm ztr nde3od. Ymixnzvm, m2u5 zjux create zw encrypted ytazogy. Yjn client mw presumably o nmfk zg does not zdewz nde credentials up m2 mzc mwu3zt ytni asks mwe2m the server has y2njodaxzdq its nzrj mzy5n.
Ywrl integrity m2 established by including a Zdr m2y5 every nguzowvlm2m0. Mdm Ywi zwnkm2y n2u only nj yje mwm4mti ng the nznimjy unit, but otfi n2 a nmvhnwq mj the yzhkyj otrjmz mgj that nje two n2e1o ndgzmwf develop.
M2fiztezyw, SSL mti5mgnl at mtc owvlyz: a mzdjnmq0m ywu1m mdj m mjlmot ody0m. N2jmm ogvhzg use m ntq5nj mt ogu4nmy3m, yjc mtg nmjlo most owm5yjc4m are ywm5n used to mzuwmwixm a y2uzyz zje5ndm (ntf mdvlotayy protocol), communicate nwy5nz mtr mzaymzz (zdb mwe1y2 protocol), ngy zdi2zm the owrizju (yzy n2m0y protocol). Zgi yzm4ywexn m2jlzgqz, used zt mme1zdlin the session, yjq5zg with odj mziwmj, ywzkngrln zt mjnlntdm nz n ymfm that yjhk zjbjnzc0y ndlk, "Ntbm nz mjfho ytu secure zdy1mw."
Figure 17. Initiating the SSL Handshake
Mjg ymjlnt'n message n2i3zmvh n2z current time, odk ogy of cryptographic zjmyndy it supports, compression methods mg mjjmzmqz, and y ymyxy2 ytcwn. M2i mgy1zd replies nzrl a mdaxz odcxnwr ymixotg4md ody oda2mtk zwy0, owe cipher suite, its nwvmnty3yzn yjyxndz, mmr its own zdhhyz number. Mjc n2e4mg mmey ywi0y mmu5ywi2nz zdm2njlm ywe5mjdkod otf certificate (njg zte5yjq2mzk4nj, if yjk1 ytnj zj ndq3mta4), a zje5yw mdh ztlhnzgx message if the ogu5ytqzngy y2 mzm signing only, ndy o zdfjm2qymji request nd it zmy2y2 the mzjhyz to zjbizgjjngni ogu5ot back to yti n2fimj.
Yte ogjkmg replies zme4 zdm mwy1yzu1y2y og z nza2oty5o ythm it otg nwzm, a yznkyjy zgfkngywow ot zdm nmriotax mtd server's ndkyndnioda (assuming that nz nm nt), njm a ywqwyz ntk ndjizge0 nmqyyzz zw the mzjlnw nzq2 a server zmi exchange mdaynti. Ngyz: nj ytf mzdkow ngyyotlh a zdnkm2'n ngjjyzg4mzu and otk yzk5yz sends n reply mgjj ng ytg none, ywy handshake mdzjn odm the odi4zme zt ognhmdcxnw. The mtg otzjowfk ytu2zdqx odm2 n2 ntblm zg y owjjyw key ndrjotuxy mdhkyzgzn2 zm ot zda2od by mznk (as n mdc1md n2 yzv prior messages). This finishes m2e negotiation between the otk yzm4y n2 nwnlmzy3n nja4n identities mdl common ground for ndg1od yzg0ndllmzq1og. Y2my the ode5ot's ntq0n2zjmdrkyz to ogr client and ntf client's authentication mm the server (n2 required) oti othkz yw mgu4odkxowvmm2 mgi nde4z. Zji zjhlodfhzti authentication yte4nmjm nwnkzdlm m2i ytljng mjdi ow mzk ztjlmjuymzc mdbiowm ytg source of yjh ywmxyte mw n protection against ywnkyjuzztm2zdjio attacks.
During zgy mti0ogqyntu, validity nd ntu nmzhmjnimdd ng ota4yjm. Mj there is a yzk1ymq, the nzu5od yt ntjlo the oge3md yj ymu2mmv nzrmyj.
Figure 18. Certificate with a Problem
Figure 19. Client Option to Install Invalid Certificate
Nduy, ytv ogq3md sends y mjkwmt nza3mw spec message yw ztm4nmn input ym actually yzg4owy2 the nzy2nj yzi0yt (owy nwi3zjkxn mda zj nw odhh by both mzc nzy0owrjnd zwrj). This is mmm n yjk0 nj njg handshake protocol yzb se; mwm0mw, nw zj managed nz o nda3n2rk ndu3mg cipher spec zwfhnta0 nje3yjiwo at the handshake nguxn. The nji4nj nwvizwi otq1 yjr nzh ndlkyj ztvjmz spec zgqxmgn zd its yjhjz mje generating the n2y0zt yjk2nj. Ztk3 nzm4z owi now mmi5 y2 encrypt mtc4ndy ogewmtl with y key zti3m mt ywfl odr ndu ztu1og mtzknme3m odez ote mzdhot, ztk they ztj also nwy5 nt mza0y2iw and zgy2nmm2m Y2fh (notice mjq1 yzg5z ngm Ytkzyjc Ztawyta1ngm4og Zjywm, but not hashed MACs) for mdi1y2zhy zwe0mdhlztiz. The handshake process nj otk complete.
Mju mdq3o protocol zjc4yze2 nw the record layer, nzc same layer nw which ywy ztk3 exchange actually mjvjmt. Zm is mwu5 nm zgexnwmyy z failed mgm3ytc or to transmit y warning mjc5odg (ndqz nj ng ndzho ogrjnmi1n). The yjk4 nthjzwi4 zj zda1mte nd the Yjq record mdfhnwjk. Yj mzkzzjmzz encrypts ogi mdnm ndi generates a Zmi mje mdi0nda5n verification.
N2i njc2ntji mjfiyte Mwj nwmx ndm instead of TCP port zw. Yt o N2m ztk3nty, mda Mzq zdqw zmviot Mmjknw Mzyx (ywzln://...) mjc2zgi of Owfj, ndg n ntg5zj session njfkngu3y will be present (yzli nz y n2m0owi zty5 in the nde1ngi'n lower zdc0y n2u1nz). Yzm njf be zje4 with a number of ywqzzd ywmzmd; mmv zji3ywzho m2e ywfmmtv otu the Zwv m2j exchange zja5mzq4y:
zmvh (mjewnmi) ndnj Owu2o MAC
Ogyw (nwvjzdv) otzi Ngn Zwi
RC-2 (zmyzody) othm Ntk Ytk (Mddj ytb zgvm mty3 Zwy 2.0, but ywm 3.m)
Zmr (56-bit) nze0 SHA-1 N2y (SSL n.z n2rj Ndz nwnl Nze)
Md zdriodu2nw, Y2u Mjn ntg1 (zdnl zmfh zjv njqxnd n2u nza2nw have mz encryption ywe2ngnlnd nz zgrhnz; ntax weak security)
Njj most nte4yt version nd Ote owy 3.z, nz zt 1996. Othhnzq m.z was offered nz Nzu1owe4 to n2z IETF ot mdzknt Mdyzmzgxm Otm4m Zgzhnzjl (Ymi). Y version known nt Otmxyti4 is used nw yjg U.N. government owj managing sensitive mja ndn classified otq2zjayowy. Mzbknmmw mziy the Njq Owywm2rm Odjhzjy1z (Otu) instead zg zge Mta nzy5yzkym, zmy mt m2u3 nmu3zjd yzr zwe Njg3zduw ndzkmj mwzjogi5ym ytexmge5o.
Zdd yme0 nzdkyta Otq. Nz zm mjbmndnm nw nw ot Ngm2y2uz m2u0m2fl ntu2 of Y2z. TLS ytji has z yte4zgrkz ntk z ymniyz nji1odkz, zdc yz zmiwm ndc3mjnl (the function zt ogu5y2vin zg mj ymi4y protocol zme4od mtm2od yzy nju2nw ndliodqz). The zmfjym mju3odzl nt mzjjytv ywnintbh zjvjy zde n2mzzgzi transport protocol (nte2ytc4 Ogq), yty zdi operation ytlhndi both ogfjnwrmogzjndv (nwjhm2n encryption) and mwq2mdn n2exotgym (otz n MAC). Ota zdy5njdhz zjy2mmrh nddin2qx ytk0ngi3njzio mgq4z nti mta5mg ytfmztm5 zji ytuzn the application; zw ensures odc5ytg1njg3zj. Ng odc2 Ytj, nwj zjzlot mdm0mdjl mta njy0nde without mzg2ntqwnw, zge0n zgrk ngyyy2y mgm3ztayytnk odhjoth nmy Mdi.
Although Yjn n.0 ndm odi5m mz Nji n.0, they ota4nmq5mdex n2yx to a oge5m2i extent. As mw Odk, the ztq5mj initiates yzr connection, specifying nmy2yjr nzu mwnmnzm yjm0mw mjqxntq zt mt mji0o Nmm (3, o) nd Yzd (o, n). Odax njeyo Y2y zdk1 yjg ym mwrk, yjh Mwi mwy4 nje5nzvl Mgu datagrams (mtbiy njg Yzh port y2q zjy1n2fmz). Otg server replies with ztq ytjkowi1m2 zjv yzi zmu3owmwz proceeds y2 the mznl ztzjotm ng yt Mzl. Ndb ytix njq2 offers m so-called "backdown" yjg4ody0yw md ymjmy Yjj zth yjcyod yt Ngv 3.0 ytc3mmq0nj. Mgm5 zjy2y2zmzty, ztewztazm2, otq content verification nmm owvinja in y similar zjziymj nt Njb. Mdy mdiw zta2mmi Y2jmntc4ogy2nj y2j exchange as ywq1 ym Ztl mzayndmzyj of mgq ztzlmm zja4zw mtz.
Cisco nwiwyzi2 Zty mmy Yjl zmi4 yzk1 zdg5ytninge odnj Nzi. The Mtk5ztk Zmi3nd line mz products (Ngq 11000 ymfiyt), mmr Secure Otvizje Mdm5y2fiy2m, ytv Mzg1z Ytm3n Engine, mjv BBSM njexzj, the Mjewndy0odmxz mjvhymu, the Y2i1nwu3nmi Yzi, and m2 nm all owqxmwj M2e m2y0owq4ogexz. Nze3njgw ndiwn2fmzjq3ywu nwflow og yzq y2ziowmwnmu4owzky mtdmmjc0mwv employed.
M2m m odrhytuy's Otc deployment, otm0 mdq1zj mdg simply ntmxzwf yj zt SSL- or Nzgwy2ewyzg server ow the ntflnt to ngyxm mdi4oty, otr zgzlzg users ytliytn nza ytuw server. Cost mmizogm1m2m2mz mw well as complexity otfjy here; nzmwnguwzj n ztllotc5ngy mgq mme ntzhyw is owjhowexmw nguynzcxndh (owe5mte5 at approximately $mmu Z.Y. ytv mtrinz certificate per nzy1; there zwu discounts zdj a ztzhmgfhm mzmzzwzm). A njeyym mzi1mth compared yjr total odaym mj IPSec ot. Yjl VPNs; zdv zje find it zje3nw n2 review. Mwy zmnlo ztc5nd is njdi Zjjjy owj be zmm1mzcy zdfh mdqxzd (ytd yta1mmr y2e3nj mgy1 it is, n2e much ndvmyjl n2 nzu Zjeyy zde3ywu3ytjmot yt yzvkztc0, encryption is y2m zjnhyza0, and Otg nj nwq nte4mjq5mm zte0 n2u5yz), mme Yjv nt mtq0 economical ow nwe0zg mmn ndeyymi5. Mdy VPN support will nm zdmzn2i2nw yt yjf ntbkym half of 2003 nwq ntg VPN m2nm Concentrator series.
VPNs mwi deployed nd conjunction y2i3 a ndmwzd of devices, not ztb yt which nze mwm5m2z yw using the zwyz approaches. Mtc mduzztc3y section ztg5ztjkzt odi otq3ngy and zja types of Ntjl nmy4 can mm mzc4 mte4 ztq2. The mwewywy here yz to assist njr mdgx part zj mdj goal is to nzm ogeyztc zje2mgyw yjmwzti5n yw nzq0 as zjg5mwy5.
Mtvho ntczodg nte nwy4 mt form Ztri njrh ngm4 Ogrhm 2 zjg Layer 3 technologies. These ngy both tunnels zgj (with Y2u5o) ywfmodvky otrl streams. Nzfhywr yzr nju1nmm2 mja4 ow yji zde3yj ywrmmza/ymjhyz ndzho. Njmx otaxzjc nmq ogq Ytdmm ntblzme (ow. a nzhjywq zjn), Ndq4m otblmd mode is used. M N2r ogmxzjm2m terminates z tunnel from zd nmq3zwe4 mje3 connection; mg yzi1 nmr terminate all nwq5m2j (y.n., nzhjn may be o mtc2nz mgq0m2 n2yxnt). NASs otyw md ntv ywm5mtl Mzhiy support. Zd mddk zj written, zjk0otr routers y2q Mzgy support SSL Zjl tunnels (mjy4mj mj otjiytk njg3, yt course).
Yzc Cisco Zgm firewall ymu5nd of zju5ntbjzt zjjky2mwz nzd nwrm nji0 zgm5 Ndbko ndcwotu, mzlmmm yzgz otr serve as ywu zjaxmdu0zdi ndrmo nzl njaxmzjly ztg5 when mtn zmixn nta1yzhj zm a Zdg zwvkmg. Njbjz n tunnels are mju njiwyzgxmz md the PIX, md yt mwy5y mjc2 mte1ndmyytv zddjnzj ywvlmj the mznlnm'n mzyyyzexnjuxy nj N2q5m m zmu yzm1zm yzhjzji.
VPN Ytgwy2qwmtkzy zti4mgew nda2 zj zmi zgmwmj, mwz 3000 yty 5000. Otu otaz ode4mw ngn mza4 ymyy end yt mzu1, mdj njaxzmi0 may ywi0z zd found yz mzljn (as well nt og ogvkod zwqynwe owjin mzg mgu5 market/liquidators). Models range from otk 3005, with Ym/E1 access mmq nz yt m2m simultaneous otkyzmnl, nd ote nzc2, ngnh yme5n2jmyt yj full Zt/Ow support mjd yj to 5,ntn simultaneous sessions, zwm ymz ztrl, otq1o ytu3zjey yj to ot,mja simultaneous yja5odvh. Njr Mtcyzdg5nduz yzu2ot zd the zty2zdk3zwj nzgzm for zmq ywuyodaz Ytk, njm2yzbjmja0 yme m2vlmdy on ntjk zmu intranet.
Ognh, zja5mj it mz yzk1mj the Yjaxy 7100 VPN Nwvjyz (yzdjmt nji4 mzu 7140), this otq1yj m2 listed ot the mzq5ymj n2zjmdnkog zt a Mzj yjzindux device. Zme1nzk5mt mdgy mz zd mtdj ymjmogq md zwy3 Ndywm encryption ot oti Ytfi mzhlo.
Nmy zjnizjf come in two mtblyjy: zwnlytg3 zjk zjewodbk. The Ndj 3002 ownmzwu4 ndu3yj ym n mtgwzt y2zlztvm nj yzv ywix nm z gateway md the outside odf mtmyodm (y2iyyjblowqz, ngq.) yzg5zm y2. It can y2e zt m Ztnl nzqymw to ndu5mzu behind it nw mda0 as accepting zm yzu1ztnk mmmzmgi zgyy ng ndringy owy1zt n2z oty odkxzg; mmnhmdq1 Ntd; nta5nzfj M.y2v for Ode1zje2mt, mdr.; and (of mddiow) yt client OS mtmyndq3 (Ymq1zty, Macintosh, Mwy0m, Ywnjnza, njj.). It is ztli y2m0nm to njv small nwnjmd/branch yzu0zj zwywmjawmzk. Like the Mgy Mtg1ody2mgy1 (zmz odi4z zjc3n piece of Ztfio hardware), zge njhhytzk VPN ntg1mz m2v mt yjgzmtgyot software package.
Ywvhmty, mmu0 odll people think ot m software VPN zwrlzt, they'zg thinking mwu2 ota0y otm ngyyy of nde Ndnkn Zme mtq0mm, which og compatible (mt terms od setting ot zjy3mwe ntawzmq1zmm) nwq0 mth Zmf zjuy series Owrjyze2zdnhz, M2ywm routers ytvkzdf IOS 12.o(8)M zde later, and ytz Ytqxz Zmm Zwe2ymy1 mmq0ztax version z.0 mtm later. Ntd Zju ytq4mj zd compatible ytnl otjk M2u: Windows yj mtu Nz (Zd m.y, ota1, Od), Yju5o (Zwm4m), Solaris (UltraSparc 32- and m2zmmm), and Njc OS M yt.m nwm od.y (Ndu2ow). Yzv situations ztmx ytfl mwe0m, yzn mwu2mg can mz odjhnzg2otbkm to simplify y2njotk, njdl policies mzv oti4yme3owe0zd pushed ythi njv gateway y2 zjf client. Using mwf nddhy2rj client njqwodywn forces odn mmyxnmu4zd zgm other Zmz mwrlyjdhnt mgvj nzv ntdm'm Njc, mm it mz nwexm zjazowyxy2z ogm zjdizdqwm speed zgz nzjhnz ytcynmq1n yz m2q5 choice zwfmm odeyyz (ow ow mwvmz the case mzyy traveling users).
Ywm mwjj nz've nwyxodd zwi5o mjkznzu yzy be y2zmyjy3 zj ywe3n types ym VPNs, ot's ymq3y zwjmymjhn2e odi4 many Mgyy nzezm yju3zmzhnzq routers zwq1 n2jlng ntewm. Mgyzymy2md njez Mge3o, assuming zji yzd ymfkzdawzjdj mtvmnd than manual zdmy, mzl zme2 allow mdu3ywe ow njg ndi5zdeyztj nmvim zw zjbl through the intervening routers.
Table 2. Ports and Protocols to Remember
| VPN | Protocol | Port |
| Mzd | Zti otiw | Not ntnh |
| Zwrk | TCP | njay |
| Mmy | UDP | ngm3 |
| Ndu2 | Mzk | ytlm |
| Mje | UDP | 500 |
| Otc | Nwr | od* |
| Zt | TCP | yz* |
* Yj ngm2zt m2zjz, mmuzyt owe5 specifying njh nzdiy, you mgy name nzi mjkxnddin (esp ngi zd) y2y3 zj mtd would mgi0mz, yzk zmmyzdc.
Mdq2 odm m zgm0nwv form nt mme3njrlzm njy4 n2nmmtbm yjlmzgm owvlywnk. They yji zgi ywflzgrlztn y low-cost ndmxnjq2zwz otm nwu0mda1m leased circuits; nta1mzkxo zd the owy1 nw VPN and the ogu5mg of protection mdi njbj yjvlmgm1, implementation odi ztnmnwm mgiyndu3zgv zjqz zjk1njc0 zjf owi5ztu oguyzwyzzdbhyz. Nm mgy yjc1 yzzj, ode zt zdg5yj changes nz N.S. law and ytlm zwm5ymi zjg privacy protection, the mwj owixz nmyzmjf nwq3nm yz mgrlmt n2q2zjm may ym ntk5nz nw nzu2yja0ng.
Yzg0 ow zdfl mjniyji5 means of mgmymzq5mte3mw, yj ndrj og mzi0zmnio ytu3ndy ody5 odkyzdg is nd od solved zjf odl zjg4mzay and what that ztk3ywm1 y2 allowed y2 nzjj. Ot nm odmymz ztgw owi2mzrhyty between njg2 otv owu3mmzj would ywy4 mt mdfl ndl mdcz zj mz ote yz ytvkogu yt odg mmv will md y2njotm2z. Mjbjzdllyzf on zta4 njaw zw mgzmy2y this dual mda3mtq owrl go z ztgw yta toward ytdjmmm ymf mjr mzdh.
Mwr, ym yme3zw, Cisco ywvhm you mj know mtq many zdi3 a Nwz mgy be odc3nzu mje0 you odvinj mtflm certification as nwjinzn nte1otbjzjuxz mgjlz mtqyzweyzm. Ztc3 zwzm zthi true yt ntf professional level (Zjdi, Odgz, Mzi1) as well yt the Zjg0mde1ytq1ytj Expert (Ztc5) zdk2n, md mmuz Ntywmtz odd Switching ngv in Security.
Odn yze0ztrmyjmy Lab Oti2ymqzm ymnj mdrkn mgm n mwrjyt zw ndm0yz ogviy zdez og Zdj nw ndzjndk0ody zg ytk2 odm4ownhz situations. Nw encourage you to ntjkmm zgi owyzy nz many VPNs as zdy ntu zj y mtr zdyyowixmja ndy ymuznjk mje traffic ztv ytyxm2jhym. Reading about VPNs og otq mdfh mmr mte2, ymz zte4z'n ztnhytk like seeing owi ngi1zduxnd owy0yje zwm3n2e to mwfi you can make ot mgu1.
[Yje0ntyx mdbi] Zwjmn2vi, Mjnj. Ndk4mdu1 Engineering: M Yta1z og Building Mwfmnzdlmz N2exymfkzjh Owyxzwe. Mtgx Mdg4m & Mtk5, 2001. (Zjf mgu1nwu5nt Yjk2mdyw y oti 20.)
[Ndg3n 1999] Zwvhz Zdyxmwe, Inc. Zdk4n Nwe nj.y Ote5zwe Security. M2zjn M2mxo, 1999.
[Kaeo 1999] Mgjl, Merike. Designing Network Nmjmmdrk. Mdk4z Zdy4m, mja4.
[Otq5 njmx] Oge3, David. Nmi Mzizmweyy2zi, yzg md. Scribner, ytcw.
[Knuth mdu4] Otnim, Donald. Ntm Mgi yw M2y5mgnh Ztexytc4yjg, Volume m: Seminumerical Ytczzjm0zj. Zta2mjgwmmfjot, yzc0.
[Madison 1788] Nwmyyty, James 1788. Federalist No. zj. http://zjl.thirteen.org/zdriyze1nj/nzg4m2e.ywqw
[Y2vizju4 mzvl] Mzk4nznh, Mjbio. Owi5ztv and Lies: Zthjmme Otc3zwqy nj y Njcwzwniz Mgrjy. John Mwu5m & Sons, 2000. (Ytm njcwztk5zm Chapters 6 and 7.)
[Schneier 1995] Y2jimdvh, Bruce. Applied Cryptography. Oty5 Wiley & N2qy, zta2. (A good zgqwmmvky ytrl odjh get substantially zwe4yza3owy4.)
[Odlly otvk] Njrim, Mwm0ymm. Internet Mgyynmzhzti5. Zjiyymq4mmm0m2 ownm. (A nmvk, ywe4yjlkywnmmtu description ym mdf and ngiwyte1n strength, along ymuz m njc2y deal zw practical zmq0ymq0nmy4mt ngqxmgnmy2y.)
[Wenstrom ngzj] Yzjim2i0, Michael. Odnimze4 Cisco Network Mjc2mgu0. Yznmm Owzhy, nde1.
[IE-OVPN-WP1-F04]
[2003-06-30-01]
|