Designed for business professionals, IT managers and network managers, this informed, objective and technically oriented text discusses the construction and maintenance of VPNs for business enterprises. Author Dave Kosiur points out that one of the most confusing aspects of VPNs is that every vendor has its own definition and idea of what constitutes a VPN, and none of them agree. This publication admirably sorts out VPN technologies, procedures and concepts.
It's true that some of the products covered previously, particularly certain firewall products, are also software-based, in which the buyer gets to select the computing platform. But, these products easily fit into the category of firewalls; whereas the products we'll discuss in this chapter cannot be easily categorized. In many ways, this chapter covers a grab-bag of different software products but ones that may be important enough to play a role in the construction of your VPN.
Different Products for Different VPNs
Two classes of software are worth mentioning here. One is composed of the products that provide VPN services for a LAN, much like the hardware that was discussed in Chapter 11. The second class consists of products that can be used for host-to-host tunneling without the need for a security gateway.
The products that provide VPN services for a LAN cover the full gamut of tunneling and VPN approaches, some offering support for the protocols we've covered in this book, and others using proprietary approaches to tunneling and key management.
The evolution of VPN standards, their requisite infrastructures (for digital certificates, for instance), and the current networking marketplace have made LAN-centric solutions a higher priority than host-to-host solutions, which has kept the choice of host-to-host software rather small so far. Although a few shrink-wrapped products can be used for secure host-to-host connections, some commercially available software development kits (SDKs) let developers create their own IPSec-compatible programs.
Earlier in this book, when we described tunneling, we pointed out that tunneling was nothing more than encapsulating one packet inside another. In some cases, like with the MBone, the experimental multicasting backbone on the Internet, no effort is made to protect the encapsulated packets. And, with PPTP for example, the amount of protection offered by encryption is rather weak because of the methods employed. IPSec, on the other hand, creates tunnels by applying strong encryption methods to the encapsulated packets.
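As an added illustration of the point above (this is not code from the book), the following constructed Python sketch carries the same inner IPv4 packet two ways: verbatim inside an unprotected IP-in-IP tunnel, as on the MBone, and inside an ESP-style tunnel-mode packet whose inner packet is encrypted and integrity-checked before the outer header is added. The addresses, key and payload are made up, and the HMAC-based keystream is a stand-in for a real cipher, not what IPSec uses.

```python
import hashlib
import hmac
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = (csum & 0xFFFF) + (csum >> 16)      # fold a possible second carry
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def ip_in_ip(inner, outer_src, outer_dst):
    return ipv4_header(outer_src, outer_dst, 4, len(inner)) + inner  # protocol 4: no protection at all

def subkey(key, label):                        # separate encryption and integrity keys, as ESP does
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key, spi, seq, n):
    """Toy counter-mode keystream from HMAC-SHA256: a stand-in for a real cipher, not IPSec's."""
    blocks = (hmac.new(subkey(key, b"enc"), struct.pack("!III", spi, seq, c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_tunnel(inner, outer_src, outer_dst, key, spi, seq):
    """ESP-style tunnel mode (IP protocol 50): SPI, sequence number, encrypted inner packet, ICV."""
    pad_len = (-(len(inner) + 2)) % 4                                   # trailer ends on a 4-byte boundary
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4 inside
    ct = bytes(a ^ b for a, b in zip(plain, keystream(key, spi, seq, len(plain))))
    body = struct.pack("!II", spi, seq) + ct
    icv = hmac.new(subkey(key, b"auth"), body, hashlib.sha256).digest()[:16]
    return ipv4_header(outer_src, outer_dst, 50, len(body) + 16) + body + icv

def esp_open(packet, key):
    """Check the ICV before decrypting; return the inner packet, or None if tampered or wrong key."""
    body, icv = packet[20:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(subkey(key, b"auth"), body, hashlib.sha256).digest()[:16], icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    plain = bytes(a ^ b for a, b in zip(body[8:], keystream(key, spi, seq, len(body) - 8)))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:-(pad_len + 2)] if next_header == 4 else None

DATA = b"payroll-record-42"                    # constructed stand-in for a UDP datagram crossing the Internet
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, len(DATA)) + DATA
KEY = b"constructed-demo-key-not-for-real-use"
PLAIN_TUNNEL = ip_in_ip(INNER, "203.0.113.10", "198.51.100.20")          # inner addresses and data on the wire
ESP_TUNNEL = esp_tunnel(INNER, "203.0.113.10", "198.51.100.20", KEY, spi=0x1001, seq=1)
```

Only the outer header of ESP_TUNNEL is readable in transit; the private addresses and payload of INNER appear in PLAIN_TUNNEL unchanged.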
Now, with VPN software, we see that encrypting encapsulated packets to form tunnels can be done in other ways as well. Of the products covered in this chapter, four use their own proprietary methods for tunneling. And, of course, not one of the methods is compatible with any of the others.
There's much to be said for standards and interoperable products, such as we're seeing with IPSec. Being able to pick and choose among vendors enables you to purchase the best products for your needs without feeling tied to a single vendor; these days, it's highly unlikely that any one vendor has a lock on the best networking technology. (Of course, you still have to worry about configuring and managing these different devices if you buy from more than one vendor. Businesses often will go with a single vendor to avoid management and maintenance hassles.)
With the strong move to standardize VPNs using IPSec and L2TP (and PPTP, to a lesser extent), is it wise to use proprietary solutions like the ones mentioned in this chapter? In general, little advantage is gained by using proprietary solutions. A few of these products were some of the first ones created for Internet-based VPNs and thus precede many of the standards efforts. Although we'd much rather use standards-based solutions, we're including the proprietary products for the sake of completeness.
Also keep in mind that vendors change their products over time in response to market pressures. At least two of the products covered here, AltaVista Tunnel and Borderguard, are supposed to include IPSec support before long. Starting out with a proprietary product doesn't keep you from being interoperable with other standards later.
It's also possible to use standard protocols other than IPSec and L2TP to create VPNs. Aventail's use of SOCKS v5 is one such example (see Chapter 10). Another example is DataFellows' use of Secure SHell (SSH) in their F-Secure product. SSH is familiar to Unix system administrators for securing communications and has been used on a variety of networks (by NASA and some banks, for instance) for securely transmitting data. Unlike the protocols we've discussed in this book, however, SSH works at the transport layer.
VPNs and NOS-Based Products
Although there will come a time when the authentication and encryption functions of VPNs will be included in each computer as part of the operating system, we're currently forced to rely on using security gateways or remote client software to create VPNs. As a first step to provide VPN support in some of the Network Operating Systems, companies like Microsoft and Novell have started to provide security gateway functions in their NOS software.
We've already mentioned that Microsoft was the first to provide a tunnel server for PPTP in their Routing and Remote Access Server (RRAS) product for Windows NT 4.0. Although RRAS is designed to serve as a tunneling server for PPTP (and eventually L2TP) tunnels, either for LAN-to-LAN or host-to-LAN VPNs, it's not a bundling of security services like some other products. For example, RRAS has a very limited packet filtering system: you either pass PPTP packets or nothing at all. To add the security of a firewall to control access with a finer granularity, you need to add Microsoft's Proxy Server to your server machine....
Business on the Internet.
Virtual Private Networks.
A Closer Look at Internet VPNs.
SECURING AN INTERNET VPN.
Security: Threats and Solutions.
Using IPSec to Build a VPN.
Using PPTP to Build a VPN.
Using L2TP to Build a VPN.
Designing Your VPN.
BUILDING BLOCKS OF A VPN.
The ISP Connection.
Firewalls and Routers.
MANAGING A VPN.
IP Address Management.
Extending VPNs to Extranets.