Virtual Private Networks



Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller folks had to make do with the relatively untrusted Internet. Nowadays, even large companies have to go outside their private nets, because so many people telecommute or log in while they're on the road. How do you provide a low-cost, secure electronic network for your organization?

The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines -- connections that can be easily used by anybody logging in from anywhere. A number of products now exist to help you develop that solution.

This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and UNIX, such as PPTP and L2TP, Altavista Tunnel, Cisco PIX, and the secure shell SSH.

New features in the second edition include SSH, which is a popular VPN solution for UNIX systems, and an expanded description of the IPSec standard, for which several vendors have announced support.

Topics include:

  • How the VPN compares to other available networking technologies
  • Introduction to encryption, firewalls, the IPSec standard, and other technologies that let VPNs work
  • Point-to-Point Tunneling Protocol (PPTP) and L2TP
  • The Altavista Tunnel
  • The Cisco PIX Firewall
  • Secure Shell (SSH)
  • Maintenance and troubleshooting

Provide a low-cost, secure electronic network for your organization. With 228 pages of instruction, this concise text teaches you how to build and plan a virtual private network. It examines PPTP, Cisco PIX Firewalls, SSH and the IPSec standard. It also explores practical issues, such as cost and configuration.


Editorial Reviews

A guide to setting up systems that can utilize the Internet to access and send information from one network to another, yet remain secure from unauthorized viewers. Four specific solutions are treated, including Layer 2 tunneling through PPTP or L2TP, the Cisco PIX firewall, the AltaVista Tunnel, and Secure Shell. The authors also discuss basics on how VPNs work, how much they cost, and when to use them. Annotation c. by Book News, Inc., Portland, Or.

Product Details

  • ISBN-13: 9781565925298
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 1/1/1999
  • Edition description: Second Edition
  • Edition number: 2
  • Pages: 230
  • Sales rank: 1,436,729
  • Product dimensions: 7.03 (w) x 9.17 (h) x 0.62 (d)

Meet the Author

Mike Erwin is the president and chief executive officer of OuterNet Connection Strategies, Inc. Mike has served in these posts for the last four years, during which he also worked for Apple Computer, Inc., architecting and implementing connectivity, application, scripting, and development support for Apple's Worldwide Support Center. Mike is the coauthor of several other works, including the CGI Bible, Building Web Commerce Sites, and the 60 Minute Guide to VRML. Mike's technology-related interests include encryption algorithms, supercomputing, distributed operating systems, universe game simulations, and building secondary securities markets on the Net. Before becoming completely immersed in work, Mike's hobbies included playing hearts, drinking cheap vodka, staying up until dawn, and doodling with oil paints with his left hand. Mike's current favorite things include dabbling with theoretical and particle physics, martial arts training, gambling, securities prospecting, and, of course, sleeping.

Charlie Scott is the senior vice president of OuterNet Connection Strategies, Inc., an Internet Service Provider and outsourcing company based in Austin, Texas, specializing in innovative and emergent technologies. At OuterNet, he helps create and implement new products for their network operations center and co-location facilities. While an undergraduate at the University of Texas at Austin, Charlie was a research assistant in a cognitive science lab, and planned on going to graduate school in that field. He was eventually able to get his B.A. in psychology. But he always enjoyed working with computers, and his exposure to the Internet at UT diverted him enough to abandon all plans for graduate school and start working with computer networks. The next few years saw him at Texas Instruments, IBM, and Wayne-Dresser before he helped found OuterNet. Charlie has also coauthored a half-dozen Internet-related books (many with Mike and Paul), on topics ranging from electronic commerce to CGI programming. When he finds spare time, Charlie likes to write (as yet unpublished) fiction, read, and go to the gym. He also enjoys spending time with his wife, Mary, and their four beautiful felines.

Paul Wolfe has done everything from driving M1A1 tanks in Desert Storm to slinging computer chips for Motorola. He now divides his time between his family, OuterNet, and writing. He has written four books in the last two years covering such topics as Windows NT Web servers, Internet commerce, VRML, and virtual private networks. He dreams of restoring his 1986 Toyota Tercel to its former glory and racing it on the stock car circuit.


Read an Excerpt

Chapter 10: Managing And Maintaining Your VPN

In This Chapter:
  • Choosing an ISP
  • Solving VPN Problems
  • Delivering Quality of Service
  • Security Suggestions
  • Keeping Yourself Up-to-Date
Now your VPN is up, and remote users and sites are connecting to it over the Internet. This doesn't mean that you're in the clear and can tuck this book onto your shelf and never think about VPNs again. Now begins the battle to keep your VPN upgraded and monitor its security, not to mention dealing with problems when users call to complain that they can't connect. Some of these problems can be taken off your hands by using an ISP that will manage your VPN for you. Even if you go this route, a good working knowledge of what can go wrong is essential. That's what this chapter is about.

Unlike a firewall or proxy server, which you may set up once and not touch for months, your VPN is a more dynamic security mechanism. The main reason for this is that users rarely realize that they're interacting with a firewall or a proxy, while logging into a VPN server may take some interaction on their part. Users with various types of equipment may access your VPN from any point on the Internet at any hour of any day. Anyone who has ever run a remote access server knows the various problems dial-up users can have. Many of the same problems that apply to remote users also apply to remote access VPN users. Remote sites that are connecting to a corporate LAN might require less maintenance, however, because with a LAN you often need to set them up once, have them dial in, and that's it. In this chapter, we'll go over the problems that can occur and look for possible debugging information and solutions, as well as list what you should be armed with when working with an ISP on VPN issues.

While this chapter can't address the specifics of your network, we can give you some general security suggestions. It's important to remember that no level of authentication or encryption can protect you if you don't have a sound security policy in place. We briefly touched on this in Chapter 1, Why Build a Virtual Private Network?, and Chapter 2, Basic VPN Technologies.

Finally, you'll want to keep up with the latest trends, standards, and security holes in VPN technologies, so that you can ensure that your VPN is up-to-date. We'll go over a list of resources you can use at the end of this chapter and in Appendix B, Resources, Online and Otherwise.

Choosing An ISP

Choosing the right ISP for your VPN connection may be one of the most important things you do. To provide the most reliable connection you possibly can, you should use the same ISP for each end of the VPN connection. The first thing to take into consideration is geography. You will want to choose an ISP that has points of presence in all of the places you need. Although local and regional ISPs might be perfect for connections within the same city or even the same state, if you need connectivity across the country you should choose a larger, national provider.

Another consideration for a reliable VPN is a quality of service (QoS) guarantee. This is an agreement between a customer and an ISP that guarantees a certain amount of availability and bandwidth on the ISP's network. QoS guarantees typically also bound the latency of your traffic on the ISP's network, measured in tens of milliseconds. Most national ISPs guarantee 99.5% availability on their network. QoS guarantees will appear in your ISP's service level agreement (SLA) with you.

ISPs, including GTE, UUNET, and others, are also selling VPN services. With these services, they operate and manage your VPN for you. Prices vary, and are typically based on the number of sites and the total amount of bandwidth used.

Solving VPN Problems

There are numerous points of failure with VPNs. This makes tracking down the cause of a problem more difficult than it might be for a normal WAN or remote access connection. Among the possible problems are connectivity problems, authentication errors, and routing problems.

Connectivity Problems

Anyone familiar with maintaining or dialing into remote access servers (or into an ISP, for that matter) is also familiar with the frustration of trying to pinpoint the cause of a bad connection. The main difficulty with connectivity problems is that they have so many causes. Here are a few possibilities:
  • Telco problems
      • Bad lines
      • Busy switch
  • ISP problems
      • Busy signals (probably from a user-to-modem ratio that's too high)
      • Bad modem or router
  • End-user problems
      • Bad modem or router
      • A modem or router that's incompatible with the ISP's
      • Configuration problem
Besides these general communication problems, you may discover problems with port usage on firewalls. As you've seen, several VPN packages use specific TCP or UDP ports in order to communicate (for example, PPTP uses TCP port 1723). If these ports aren't open, you may not be able to make a VPN connection or transport data across the VPN. It's possible that these ports may be blocked at your ISP or on your own routers.

Authentication Errors

Authentication problems are common in the realm of dial-up connections, even when VPNs aren't involved. Here are the two most common authentication problems:
  • A mismatched username or password, which occurs when either the connecting machine or the far end thinks that the username or password is something other than what it is. This is sometimes caused by a simple typographical error. Likewise, there could be mismatched keys in a public key system.
  • The connecting system and the destination are using different authentication methods. For instance, the connecting machine might be attempting PAP authentication, while the destination system is expecting CHAP.
There is a third level of authentication problems involving public key infrastructures. It's important to use the same key exchange protocol. For example, some IPSec products allow for a number of key exchange options: Manual, SKIP, or IPSec. In a public key infrastructure there could also be problems with certificate authorities and certificates.

Routing Problems

Routing problems occur when you're able to connect successfully to your ISP, but have trouble getting to certain hosts over the Internet, or getting out to the Internet at all. These problems are commonly due to configuration errors. Either the IP address, netmask, or gateway on your system is set incorrectly, or your ISP doesn't have a route for you.

Chances are that any one of the problems discussed in this chapter (authentication, connectivity, or routing) is caused by a configuration mismatch on your equipment, the ISP's equipment, or the equipment on the far end of the connection. The routing problem, however, could also be due to any one of the numerous connection points on the Internet backbone between you and the destination. You and your ISP will have little control over these problems, but it's nice to know where the problem is so that you can report it to the proper people.

In Chapter 5, Configuring and Testing Layer 2 Connections, in the section "Troubleshooting Problems," we mentioned two useful utilities for testing routes: ping and traceroute. Both of these tools can be used to troubleshoot problems on other VPNs as well. ping is a utility found on Unix, Windows 95/98, and Windows NT systems. It sends packets to a given destination and awaits a return. It doesn't tell you what route the packets take, but it does tell you if they get there at all and if there's any packet loss. Traceroute is a program on Unix systems. The Windows 95/98/NT equivalent is TRACERT. Traceroute will actually show you the path packets take to their destination. This information can be useful to pinpoint exactly where a problem is occurring.

Traceroute information can sometimes be confusing. Be sure to read up on what the various latencies mean, as well as asterisks, exclamation marks, and other symbols. A good TCP/IP networking book will explain how to read traceroute's output, as will its manual page on a Unix system. Also keep in mind that an ISP or company may be blocking traceroute's UDP packets at their firewall for security reasons, so you may want to contact them and find out if this is the case. If the problem appears to be with a backbone provider, the best thing to do is still to contact your ISP. They can then contact the backbone provider and see what the problem is.
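The asterisks and exclamation-mark codes in traceroute output are easy to misread, so here is an added example (not code from the book) of a small Python parser that reads Unix traceroute output, records timed-out probes (`*`) and ICMP annotations (`!H`, `!N`, `!X`, ...), and summarises where the path stops answering, which is the information you would hand to your ISP. The sample output, hostnames and addresses are constructed (RFC 5737 documentation ranges), and the code assumes the classic one-line-per-hop traceroute layout.

```python
"""Parse Unix traceroute output and summarise where a path breaks.

Added example; assumes the classic traceroute layout of one line per hop:
  <hop>  <host> (<ip>)  <rtt> ms [!code]  <rtt> ms [!code] ...
with '*' printed for probes that got no reply.
"""
import re
from dataclasses import dataclass, field

# Meaning of the annotations traceroute(8) prints after an RTT.
ANNOTATIONS = {
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "!X": "communication administratively prohibited (a firewall or ACL)",
    "!S": "source route failed",
    "!F": "fragmentation needed",
}

HEADER_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"(\S+)\s+\(([\d.]+)\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms(?:\s+(![A-Z\d]+))?")
STAR_RE = re.compile(r"(?<!\S)\*(?!\S)")


@dataclass
class Hop:
    number: int
    ips: list = field(default_factory=list)       # addresses that replied
    rtts: list = field(default_factory=list)      # one RTT (ms) per reply
    timeouts: int = 0                             # probes printed as '*'
    annotations: list = field(default_factory=list)


def parse_traceroute(text):
    """Return (destination_ip, [Hop, ...]) for raw traceroute output."""
    dest_ip, hops = None, []
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            dest_ip = head.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = Hop(number=int(m.group(1))), m.group(2)
        hop.ips = [ip for _name, ip in HOST_RE.findall(rest)]
        for rtt, code in RTT_RE.findall(rest):
            hop.rtts.append(float(rtt))
            if code:
                hop.annotations.append(code)
        hop.timeouts = len(STAR_RE.findall(rest))
        hops.append(hop)
    return dest_ip, hops


def diagnose(dest_ip, hops):
    """Summarise the trace in the terms you would report to an ISP."""
    answered = [h.number for h in hops if h.rtts]
    last_ok = answered[-1] if answered else 0
    reached = any(dest_ip in h.ips for h in hops)
    silent_tail = [h.number for h in hops if h.number > last_ok and h.timeouts]
    flagged = [(h.number, c, ANNOTATIONS.get(c, "ICMP unreachable " + c))
               for h in hops for c in h.annotations]
    if flagged:
        n, code, meaning = flagged[0]
        verdict = f"hop {n} answered {code}: {meaning}"
    elif reached:
        verdict = "destination reached"
    elif silent_tail:
        verdict = (f"no replies after hop {last_ok}: a problem beyond that hop, "
                   f"or traceroute probes filtered from hop {silent_tail[0]} on")
    else:
        verdict = "trace incomplete"
    return {"reached": reached, "last_responding_hop": last_ok,
            "silent_hops_after": silent_tail, "annotations": flagged,
            "verdict": verdict}


# Constructed sample output; addresses are from the RFC 5737 documentation ranges.
SAMPLE_SILENT = """\
traceroute to vpn.example.com (192.0.2.10), 30 hops max, 40 byte packets
 1  gw.example.net (198.51.100.1)  1.234 ms  1.102 ms  1.087 ms
 2  core.example.net (198.51.100.254)  12.512 ms  11.987 ms  12.103 ms
 3  * * *
 4  * * *
 5  * * *
"""

SAMPLE_PROHIBITED = """\
traceroute to vpn.example.com (192.0.2.10), 30 hops max, 40 byte packets
 1  gw.example.net (198.51.100.1)  1.234 ms  1.102 ms  1.087 ms
 2  core.example.net (198.51.100.254)  12.512 ms  11.987 ms  12.103 ms
 3  border.example.com (192.0.2.1)  40.7 ms !X  41.0 ms !X  40.9 ms !X
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SILENT, SAMPLE_PROHIBITED):
        print(diagnose(*parse_traceroute(sample))["verdict"])
```

A run of `* * *` from some hop onward does not by itself prove the link is down: the summary names the last hop that answered so the ISP can tell a filtered probe from a real outage.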

Dealing With An ISP

Working with an ISP to solve a VPN problem may prove difficult, especially if the ISP doesn't support VPNs. As a network administrator, therefore, you'll want to know your VPN product inside and out. The most important thing to remember when troubleshooting a problem with an ISP is to give them as much information as possible. At a minimum, give them this information:
  • What VPN product you're using.
  • What the IP address of your system should be.
  • What the address of the destination VPN server or router should be (e.g., the address of your PPTP server).
  • The TCP or UDP ports that your VPN product uses, in case your ISP has those ports blocked at a firewall.
  • Any ping or traceroute output you may have that demonstrates the problem.

Make sure your ISP is someone you trust. During the course of the troubleshooting session you may have to give them security information about your network, or set up a test account for them to attempt to dial into. Here are some suggestions for finding a trustworthy ISP, or building trust with your current one:

  • Use a well-established ISP: either a well-known national provider, or a local one that has a good reputation and operating history. Your local Better Business Bureau is a good place to start.
  • If possible, always deal with the same support person. This will not only assure you better service (as they'll be familiar with your past problems) but will also keep the number of people you might give sensitive network information to at a minimum.

Compatibility With Other Products

Other products on your network may interfere with the performance of your VPN. Before investing the time and money to set up a VPN, you should do some research to ensure that your system and network configuration will work with it, especially if you have an elaborate security setup. Here are some caveats when setting up a VPN or adding a new product to your network:
  • Some routers may block certain TCP ports out-of-the-box as a security measure. Find out which ports it blocks and make sure that they're not ports your VPN uses. You can usually turn this filtering off.
  • As we've already said, some VPN products won't work through a proxy server. The Microsoft Proxy Server, for instance, doesn't work with PPTP. If you already have a proxy server and want to implement a VPN, you may want to multi-home the VPN server between the Internet and your LAN, just as you have the proxy server set up. (See Figure 10-1.) VPN-only traffic routes through the VPN server, while all other traffic routes through the proxy server.

Network Address Translation (NAT) is a protocol many routers support that allows machines to access the Internet even though they have internal IP addresses (set aside in RFC 1918) that are not usable on the wider Internet. Essentially, each machine is given a nonroutable address, while the router has a routable IP address. When each of the machines behind the router wants to access the Internet, it pretends to have the IP address of the router.

If you want to use NAT, we suggest a double-router setup, as shown in Figure 10-2. It shows a gateway router to the Internet and a perimeter network with Internet-routable IP addresses. On the perimeter network is a NAT-capable router multi-homed to have interfaces to both the perimeter network and the internal network. The machines on the internal network have only non-Internet-routable IP addresses. The VPN server is also multi-homed between the perimeter and internal networks, and will route only VPN traffic to and from those networks. . . .


Table of Contents

Contents of This Book
Conventions Used in This Book
Comments and Questions
Chapter 1: Why Build a Virtual Private Network?
1.1 What Does a VPN Do?
1.2 Security Risks of the Internet
1.3 How VPNs Solve Internet Security Issues
1.4 VPN Solutions
1.5 A Note on IP Address and Domain Name Conventions Used in This Book
Chapter 2: Basic VPN Technologies
2.1 Firewall Deployment
2.2 Encryption and Authentication
2.3 VPN Protocols
2.4 Methodologies for Compromising VPNs
2.5 Patents and Legal Ramifications
Chapter 3: Wide Area, Remote Access, and the VPN
3.1 General WAN, RAS, and VPN Concepts
3.2 VPN Versus WAN
3.3 VPN Versus RAS
Chapter 4: Implementing Layer 2 Connections
4.1 Differences Between PPTP, L2F, and L2TP
4.2 How PPTP Works
4.3 Features of PPTP
Chapter 5: Configuring and Testing Layer 2 Connections
5.1 Installing and Configuring PPTP on a Windows NT RAS Server
5.2 Configuring PPTP for Dial-up Networking on a Windows NT Client
5.3 Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
5.4 Enabling PPTP on Remote Access Switches
5.5 Making the Calls
5.6 Troubleshooting Problems
5.7 Using PPTP with Other Security Measures
Chapter 6: Implementing the AltaVista Tunnel 98
6.1 Advantages of the AltaVista Tunnel System
6.2 AltaVista Tunnel Limitations
6.3 How the AltaVista Tunnel Works
6.4 VPNs and AltaVista
Chapter 7: Configuring and Testing the AltaVista Tunnel
7.1 Getting Busy
7.2 Installing the AltaVista Tunnel
7.3 Configuring the AltaVista Tunnel Extranet and Telecommuter Server
7.4 Configuring the AltaVista Telecommuter Client
7.5 Troubleshooting Problems
Chapter 8: Creating a VPN with the Unix Secure Shell
8.1 The SSH Software
8.2 Building and Installing SSH
8.3 SSH Components
8.4 Creating a VPN with PPP and SSH
8.5 Troubleshooting Problems
8.6 A Performance Evaluation
Chapter 9: The Cisco PIX Firewall
9.1 The Cisco PIX Firewall
9.2 The PIX in Action
9.3 Configuring the PIX as a Gateway
9.4 Configuring the Other VPN Capabilities
Chapter 10: Managing and Maintaining Your VPN
10.1 Choosing an ISP
10.2 Solving VPN Problems
10.3 Delivering Quality of Service
10.4 Security Suggestions
10.5 Keeping Yourself Up-to-Date
Chapter 11: A VPN Scenario
11.1 The Topology
11.2 Central Office
11.3 Large Branch Office
11.4 Small Branch Offices
11.5 Remote Access Users
11.6 A Network Diagram
Emerging Internet Technologies
Resources, Online and Otherwise
Software Updates
CERT Advisories
The Trade Press
Networking and Intranet-Related Web Sites
Usenet Newsgroups
Mailing Lists


First Chapter

Chapter 1: Why Build a Virtual Private Network?

In this chapter:

  • What Does a VPN do?
  • Security Risks of the Internet
  • How VPNs Solve Internet Security Issues
  • VPN Solutions
  • A Note on IP Address and Domain Name Conventions used in This Book

Until now there has always been a clear division between public and private networks. A public network, like the public telephone system and the Internet, is a large collection of unrelated peers that exchange information more or less freely with each other. The people with access to the public network may or may not have anything in common, and any given person on that network may only communicate with a small fraction of his potential users.

A private network is composed of computers owned by a single organization that share information specifically with each other. They're assured that they are going to be the only ones using the network, and that information sent between them will (at worst) only be seen by others in the group. The typical corporate Local Area Network (LAN) or Wide Area Network (WAN) is an example of a private network. The line between a private and public network has always been drawn at the gateway router, where a company will erect a firewall to keep intruders from the public network out of their private network, or to keep their own internal users from perusing the public network.

There also was a time, not too long ago, when companies could allow their LANs to operate as separate, isolated islands. Each branch office might have its own LAN, with its own naming scheme, email system, and even its own favorite network protocol - none of which might be compatible with other offices' setups. As more company resources moved to computers, however, there came a need for these offices to interconnect. This was traditionally done using leased phone lines of varying speeds. By using leased lines, a company can be assured that the connection is always available, and private. Leased phone lines, however, can be expensive. They're typically billed based upon a flat monthly fee, plus mileage expenses. If a company has offices across the country, this cost can be prohibitive. Private networks also have trouble handling roving users, such as traveling salespeople. If the salesperson doesn't happen to be near one of the corporate computers, he or she has to dial into a corporation's modem long-distance, which is an extremely expensive proposition.

This book is about the virtual private network (VPN), a concept that blurs the line between a public and private network. VPNs allow you to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination of the two that creates a secure link between peers over a public network. This is done through encryption, authentication, packet tunneling, and firewalls. In this chapter we'll go over exactly what is meant by each of these and what roles they play in a VPN; we'll touch upon them again and again throughout the book. Because they skirt leased line costs by using the Internet as a WAN, VPNs are more cost-effective for large companies, and well within the reach of smaller ones.

In this chapter, we'll also talk about intranets as the latest trend in corporate information systems, and how they were the impetus for VPNs.

What Does a VPN Do?

A virtual private network is a way to simulate a private network over a public network, such as the Internet. It is called "virtual" because it depends on the use of virtual connections - that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis. Secure virtual connections are created between two machines, a machine and a network, or two networks.

Using the Internet for remote access saves a lot of money. You'll be able to dial in wherever your Internet service provider (ISP) has a point-of-presence (POP). If you choose an ISP with nationwide POPs, there's a good chance your LAN will be a local phone call away. Some ISPs have expanded internationally as well, or have alliances with ISPs overseas. Even many of the smaller ISPs have toll-free numbers for their roaming users. At the time of this writing, unlimited access dial-up PPP accounts, suitable for business use, are around $25 per month per user. At any rate, well-chosen ISP accounts should be cheaper than setting up a modem pool for remote users and paying the long-distance bill for roaming users. Even toll-free access from an ISP is typically cheaper than having your own toll-free number, because ISPs purchase hours in bulk from the long-distance companies.

In many cases, long-haul connections of networks are done with a leased line, a connection to a frame relay network, or ISDN. We've already mentioned the costs of leasing a "high cap" leased line such as a T1. Frame relay lines can also give you high speeds without the mileage charges. You purchase a connection to a frame cloud, which connects you through switches to your destination. Unlike a leased line, the amount you pay is based more on the bandwidth that's committed to your circuit than on distance. Frame connections are still somewhat expensive, however. ISDN, like the plain old telephone system, incurs long-distance charges. In many locations, the local telephone company charges per minute even for local calls, which again runs expenses up. For situations where corporate office networks are in separate cities, having each office get a T1, frame relay, or ISDN line to an ISP's local POP would be much cheaper than connecting the two offices using these technologies. A VPN could then be instituted between the routers at the two offices, over the Internet. In addition, a VPN will allow you to consolidate your Internet and WAN connections into a single router and single line, saving you money on equipment and telecommunications infrastructure.

The Rise of Intranets

By now you've probably heard of Intranets and the stir they've caused at many businesses. Companies are running TCP/IP networks, posting information to their internal web sites, and using web browsers as a common collaborative tool. An example of an Intranet application is a customer database accessible via the Web. Salespeople could use this database to contact current customers about new product offerings and send them quotes. The database could have a Hypertext Markup Language (HTML) front end, so that it would be accessible from any web browser.

The rise of Intranets was spurred on by the growth of the Internet and its popular information services, commonly known as the World Wide Web. It was as if the corporate sector had finally caught on to what the Internet community had been doing for years: using simple, platform-independent protocols to communicate more effectively. No matter how much marketing hype you hear, an Intranet is simply Internet technology put to use on a private network.

How VPNs relate to Intranets

Virtual private networks can be used to expand the reach of an Intranet. Since Intranets are typically used to communicate proprietary information, you don't want them accessible from the Internet. There may be cases, however, where you'll want far-flung offices to share data or remote users to connect to your Intranet, and these users may be using the Internet as their means of connection. A VPN will allow them to connect to the Intranet securely, so there are no fears of sensitive information leaving the network unprotected. You might see this type of connection also referred to as an "Extranet."

Using our previous example of the customer database, it's easy to see how a VPN could expand the Intranet application's functionality. Suppose most of your salespeople are on the road, or work from home. There's no reason why they shouldn't be able to use the Internet to access the web server that houses the customer database application. You don't want just anyone to be able to access the information, however, and you're also worried about the information itself flowing unencrypted over the Internet. A VPN can provide a secure link between the salesperson's laptop and the Intranet web server running the database, and encrypt the data going between them. VPNs give you flexibility, and allow practically any corporate network service to be used securely across the Internet.

Security Risks of the Internet

The risks associated with the Internet are advertised every day by the trade and mainstream media. Whether it's someone accessing your credit card numbers, prying into your legal troubles, or erasing your files, there's a new scare every month about the (supposedly) private information someone can find out about you on the Internet. (Not to mention the perceived risk that you might happen upon some information that you find offensive, or that you might not want your children to see.)

For corporations, the risks are even more real and apparent. Stolen or deleted corporate data can adversely affect people's livelihoods, and cost the company money. If a small company is robbed of its project files or customer database, it could put them out of business.

Since the Internet is a public network, you always risk having someone access any system you connect to it. It used to be that a system intruder would have to dial into your network to crack a system. This meant that they would have to find a phone number connected to a modem bank that would give them access, and risk the possibility of the line being traced. But if your corporate network is connected over the Internet and your security is lax, the system cracker might be able to access your network using any standard dial-up account from any ISP in the world. Even unsophisticated users can obtain and use automated "security check" tools to seek out holes in a company's network. What's worse is that, chances are, you'll never know that it's happening.

Before we put our private data out on the Internet, we'd better make sure a VPN is robust enough to protect it.

What Are We Protecting with Our VPN?

The first things that come to mind when you think of protection are the files on your networked computers: documents that contain your company's future plans, spreadsheets that detail the financial analysis of a new product introduction, databases of your payroll and tax records, or even a security assessment of your network pointing out holes and problematic machinery. These files are a good starting point, but don't forget about the other, less tangible assets that you connect to the Internet when you go online. These include the services that you grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, a security failure can cause your vendors' email to bounce back to them, or prevent your users from making connections to other sites.

The easiest thing would be to isolate, tabulate, and lock down your private data. Well over half the data you manage and distribute might call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign; this might hurt you far worse than a negative campaign aimed at a random slice of the population.

Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, it's not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code. VPNs help alleviate some of the worry of transmitting secure files outside of your network. In Chapter 2, Basic VPN Technologies, we will examine possible threats to your network and data, and explore the technologies that VPNs use to avoid them.

How VPNs Solve Internet Security Issues

There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2.

Firewalls
An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network.

Although most VPN packages themselves don't implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you don't have a firewall protecting your network, don't bother with a VPN until you get one - you're already exposing yourself to considerable risk.

The most common firewall is a packet filtration firewall, which will block specified IP services (run on specific port numbers) from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PIX) and the 3Com/U.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter. Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell NetWare.
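To make the packet filtration idea concrete, here is a small first-match filter written for this discussion. It is an added example, not code from the book or from any of the products named above. The rule layout, the packet fields, and the gateway address 203.0.113.10 (a documentation address) are assumptions chosen for illustration; the port numbers it lets through (TCP 1723 for the PPTP control channel, UDP 500 for IPSec key negotiation) and the GRE and ESP protocols are real, and the anti-spoofing rules use the RFC 1918 private ranges.

```python
"""First-match packet filter of the kind the text describes, as a sketch.

Added example, not code from the book. The rule table, the packet
fields and all addresses are assumptions chosen for illustration; the
port numbers (TCP 1723 for PPTP control, UDP 500 for IPSec IKE) and the
GRE/ESP protocol names are real, and the gateway address 203.0.113.10
is a constructed documentation address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source address as dotted quad (constructed values in the demo)
    dst: str          # destination address
    proto: str        # "tcp", "udp", "gre", "esp", ...
    dport: int = 0    # destination port; 0 for protocols that have none


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: str = "any"                  # protocol this rule applies to
    dport: Optional[int] = None         # destination port, None = any
    src: Optional[IPv4Network] = None   # source network, None = any
    dst: Optional[IPv4Network] = None   # destination network, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        return True


# Constructed: the VPN gateway's Internet-routable address (a documentation address).
VPN_GATEWAY = ip_network("203.0.113.10/32")

# RFC 1918 space; packets arriving from the Internet must never claim these sources.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INBOUND_RULES: List[Rule] = (
    # Anti-spoofing first: an outside packet with an inside source address is bogus.
    [Rule("deny", src=n) for n in PRIVATE_NETS]
    + [
        # Only the VPN protocols, and only when addressed to the VPN gateway itself.
        Rule("allow", proto="tcp", dport=1723, dst=VPN_GATEWAY),  # PPTP control channel
        Rule("allow", proto="gre", dst=VPN_GATEWAY),              # PPTP tunnel data
        Rule("allow", proto="udp", dport=500, dst=VPN_GATEWAY),   # IPSec IKE
        Rule("allow", proto="esp", dst=VPN_GATEWAY),              # IPSec ESP
    ]
)


def filter_packet(pkt: Packet, rules: List[Rule] = INBOUND_RULES) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default-deny: anything not explicitly allowed stays outside


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 1723),  # VPN client connecting
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),    # telnet to the gateway
        Packet("10.1.1.1", "203.0.113.10", "udp", 500),       # spoofed inside source
    ]
    for s in samples:
        print(s, "->", filter_packet(s))
```

The ordering matters: the anti-spoofing denies sit above the allows, so a packet that arrives from the Internet with a private source address is dropped even if it is aimed at a permitted VPN port, and everything not listed falls through to the default deny.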

Authentication
Authentication techniques are essential to VPNs, as they ensure the communicating parties that they are exchanging data with the correct user or host. Authentication is analogous to "logging in" to a system with a username and password. VPNs, however, require more stringent authentication methods to validate identities. Most VPN authentication systems are based on a shared key system. The keys are run through a hashing algorithm, which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldn't be able to glean a password. The Challenge Handshake Authentication Protocol (CHAP) is a good example of an authentication method that uses this scheme. Another common authentication system is RSA.

Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didn't "slip into" the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.
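The challenge/response scheme and the integrity checksum described in the two paragraphs above, worked through in Python. This is an added example, not code from the book. The response computation follows RFC 1994 (CHAP), which hashes the identifier, the shared secret and the challenge with MD5; the server class, its user table, and the keyed integrity tag are assumptions added here to show how the pieces fit together, and the user names and secrets are constructed sample values.

```python
"""Challenge/response authentication in the CHAP style, plus a keyed
integrity check on data, as an added example (not code from the book).

The response computation follows RFC 1994 (MD5 over identifier, secret
and challenge); the server class, its user table and the HMAC-based
integrity tag are assumptions added here to show how the pieces fit.
Secrets and user names below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge).

    Only this digest and the challenge cross the wire; the secret does not.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues single-use challenges and checks responses."""

    def __init__(self, secrets_by_user: Dict[str, bytes]) -> None:
        self._secrets = secrets_by_user
        self._pending: Dict[Tuple[str, int], bytes] = {}
        self._next_id = 0

    def challenge(self, user: str) -> Tuple[int, bytes]:
        """Return (identifier, random challenge) for a new authentication attempt."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        challenge = os.urandom(16)   # fresh per attempt, so a captured response is useless later
        self._pending[(user, identifier)] = challenge
        return identifier, challenge

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """True only for a correct response to a challenge still outstanding for this user."""
        challenge = self._pending.pop((user, identifier), None)   # single use: a replay fails
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


# Integrity check: a keyed hash over the data, sent alongside it. The text
# speaks of a plain hash; a key is needed so that someone altering the data
# in transit cannot simply recompute the checksum to match.
def integrity_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def integrity_ok(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, data), tag)


def demo() -> bool:
    """Walk one authentication and one integrity check; True when all behave as expected."""
    server = ChapAuthenticator({"alice": b"constructed-shared-secret"})
    ident, chal = server.challenge("alice")
    resp = chap_response(ident, b"constructed-shared-secret", chal)
    first = server.verify("alice", ident, resp)
    replay = server.verify("alice", ident, resp)   # same response again: rejected
    key = b"constructed-session-key"
    msg = b"transfer 100"
    tag = integrity_tag(key, msg)
    return first and not replay and integrity_ok(key, msg, tag) \
        and not integrity_ok(key, b"transfer 900", tag)


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

Two details carry the security: the challenge is random and used once, so a digest captured off the wire cannot be replayed, and the comparison is constant-time so a response cannot be guessed byte by byte from timing. For the checksum, a plain hash only detects accidental corruption; the keyed form also catches deliberate modification.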

Encryption
All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret (or private) key encryption and public key encryption.

In secret key encryption, there is a shared secret password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The data encryption standard (DES), which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method.

One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup of people, it can become unmanageable for a large network. What if one of the people leaves the company? Then you're going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed.

Public key encryption involves a public key and a private key. You publish your public key to everyone, while only you know your private key. If you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, they'll decrypt it using your public key and their private key. Depending on the software, public and private keys can be large - too large for anyone to remember. Therefore, they're often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption method, such as DES, and a password or passphrase you can remember, so that even if someone gets on your system, they won't be able to see what your private key looks like. Pretty Good Privacy (PGP) is a well-known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products. The main disadvantage of public key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption.

VPNs, however, need to encrypt data in real time, rather than storing the data as a file like you would with PGP. Because of this, encrypted streams over a network, such as VPNs, are encrypted using secret key encryption with a key that's good only for that streaming session. The session secret itself (typically smaller than the data) is encrypted using public key encryption and is sent over the link. The secret keys are often negotiated using a key management protocol.
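The arrangement just described, a per-session secret key for the bulk data with the session key itself wrapped by public key encryption, as an added example that is not from the book. To keep it runnable with the standard library alone it uses two stand-ins that are assumptions of this example: textbook RSA on two toy-sized Mersenne primes in place of a real RSA implementation, and an XOR keystream derived with HMAC-SHA256 in place of DES or another real secret key cipher. Neither stand-in is something to deploy; the structure of the exchange is the point.

```python
"""Hybrid encryption as the text describes: bulk data under a per-session
secret key, the session key itself wrapped with the peer's public key.

Added example, not from the book. The RSA is textbook RSA on two
Mersenne primes of toy size and the "secret key cipher" is an XOR
keystream derived with HMAC-SHA256, both assumptions chosen so the
example runs with the standard library alone; neither is a cipher to
deploy, the structure is the point.
"""
import hashlib
import hmac
import os
from typing import Tuple

PubKey = Tuple[int, int]    # (n, e)
PrivKey = Tuple[int, int]   # (n, d)


def _modinv(a: int, m: int) -> int:
    """Modular inverse via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse")
    return old_s % m


def toy_rsa_keypair() -> Tuple[PubKey, PrivKey]:
    """Textbook RSA with fixed toy primes (2^31-1 and 2^61-1); n is about 92 bits."""
    p, q = (1 << 31) - 1, (1 << 61) - 1
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, _modinv(e, phi))


def rsa_wrap(pub: PubKey, session_key: bytes) -> int:
    """Encrypt the (short) session key with the recipient's public key."""
    n, e = pub
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key too large for this toy modulus")
    return pow(m, e, n)


def rsa_unwrap(priv: PrivKey, wrapped: int, key_len: int) -> bytes:
    """Recover the session key with the private key."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def _keystream(session_key: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(session_key, counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(session_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_xor(session_key: bytes, data: bytes) -> bytes:
    """Secret key step: the same function encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(session_key, len(data))))


SESSION_KEY_LEN = 8   # bytes; must stay below the toy modulus (2^64 < n)


def seal(pub: PubKey, plaintext: bytes) -> Tuple[int, bytes]:
    """Sender: a fresh session key per session, wrapped with the peer's public key."""
    session_key = os.urandom(SESSION_KEY_LEN)
    return rsa_wrap(pub, session_key), stream_xor(session_key, plaintext)


def open_sealed(priv: PrivKey, wrapped: int, ciphertext: bytes) -> bytes:
    """Receiver: unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = rsa_unwrap(priv, wrapped, SESSION_KEY_LEN)
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    wrapped, ct = seal(pub, b"payroll export for Q3")
    print(open_sealed(priv, wrapped, ct))
```

Only the short session key goes through the slow public key operation; the stream of data, however long, is handled by the fast secret key step, and a new session key is drawn for every session so that a compromised key exposes at most that one exchange.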

The next step for VPNs is secure IP, or IPSec. IPSec is a series of proposals from the IETF outlining a secure IP protocol for IPv4 and IPv6. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide.

IPSec creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Rather than seeing IPSec as a threat to their current products, most vendors see it as a way to augment their own security, essentially adding another interoperable level to their current tunneling and encryption methods. We'll go into detail about the power, politics, and use of various encryption techniques in Chapter 2.

Tunneling
Many VPN packages use tunneling to create a private network, including several that we review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Forwarding Protocol, and IPSec's tunnel mode. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs don't exclusively use IP (although the trend is moving in that direction). Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely.

With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved (not Internet-routable) IP address space set aside by the Internet Assigned Numbers Authority (IANA) for private networks on your LAN, and still access your hosts across the Internet. We will look at how and why you would do this in later chapters.
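The IP-within-IP case from the last paragraph, built byte by byte so you can see where the private addresses go. This is an added example and not code from the book or from any of the tunneling products it names. It constructs an inner IPv4 packet carrying RFC 1918 addresses, wraps it in an outer IPv4 header that carries routable addresses and IANA protocol number 4 (IP-in-IP), then unwraps and checks it as the far end of the tunnel would. The addresses and payload are constructed sample values, and nothing is put on a real network.

```python
"""IP-in-IP encapsulation, the "packet within a packet" of the text.

Added example, not from the book. It builds a complete IPv4 packet with
private (RFC 1918) addresses, wraps it in an outer IPv4 header that
carries Internet-routable addresses and protocol number 4 (IP-in-IP),
then unwraps and verifies it at the far end. Addresses and payload are
constructed sample values; nothing is sent on a real network.
"""
import socket
import struct
from typing import Any, Dict

IPPROTO_IPIP = 4            # IANA protocol number for IP-in-IP encapsulation
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, plus payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> Dict[str, Any]:
    """Parse a header, verify its checksum and lengths, return the fields and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:   # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of a routable outer packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> Dict[str, Any]:
    """Tunnel exit: strip the outer header and hand back the parsed inner packet."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet (protocol %d)" % o["proto"])
    return parse_ipv4(o["payload"])


if __name__ == "__main__":
    inner = build_ipv4("10.1.1.5", "10.2.2.7", 6, b"constructed TCP segment")  # private, not routable
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")               # routable gateway addresses
    print(parse_ipv4(outer)["proto"], decapsulate(outer)["src"], decapsulate(outer)["dst"])
```

Routers between the two gateways only ever look at the outer header, which is why the inner 10.x.x.x addresses can cross the Internet; note also that this bare encapsulation gives no confidentiality or integrity, which is what the encryption and authentication above add on top of it.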

Other standards that many VPN devices use are X.509 certificates, the Lightweight Directory Access Protocol (LDAP), and RADIUS for authentication.

VPN Solutions

A VPN is a conglomerate of useful technologies that originally were assembled by hand. Now the networking companies and ISPs have realized the value of a VPN and are offering products that do the hard work for you. In addition, there is an assortment of free software available on the Internet (usually for Unix systems) that can be used to create a VPN. In this book, we're going to look at some of the commercial and free solutions in detail. Which one you choose for your network will depend on the resources available to you, the platforms you run, your network topology, the time you wish to spend installing and configuring the software, and whether or not you want commercial-level support. We can't cover every vendor and product in this book; they change too quickly. Instead, we offer guidelines you can use on all networks and details on a few stable products that were available when we were writing this edition; we don't mean to imply that there's anything less valuable about competing products.

VPN packages range from software solutions that run on or integrate with a network operating system (such as the AltaVista Tunnel or CheckPoint Firewall-1 on Windows NT or Unix), to hardware routers/firewalls (such as those from Cisco and Ascend), to integrated hardware solutions designed specifically for VPN functions (such as VPNet and the Bay Networks Extranet Switch). Some VPN protocols, like SSH or SSL, gained popularity for performing other functions, but have since become used for VPNs as well.

In addition to products, ISPs are also offering VPN services to their customers. The tunneling usually takes place on the ISP's equipment. If both ends of the connection are through the same ISP, that ISP might offer a Service Level Agreement (SLA) guaranteeing a certain maximum amount of latency and uptime.

Quality of Service Issues

Running a virtual private network over the Internet raises an easily forgotten issue of reliability. Let's face it: the Internet isn't always the most reliable network, by nature. Tracing a packet from one point to another, you may pass through a half-dozen different networks of varying speeds, reliability, and utilization, each run by a different company. Any one of these networks could cause problems for a VPN.

The lack of reliability of the Internet, and the fact that no one entity controls it, makes troubleshooting VPN problems difficult for a network administrator. If a user can't dial into a remote access server at the corporate headquarters, or there's a problem with a leased line connection, the network administrator knows there are a limited number of possibilities for where the problem may occur: the machine or router on the far end, the telecommunications company providing the link, or the machine or router at the corporate headquarters. For a VPN over the Internet, the problem could be with the machine on the far end, with the ISP on the far end, with one of the networks in between, with the corporate headquarters' ISP, or with the machine or router at the corporate headquarters itself. Although a few large ISPs are offering quality of service guarantees with their VPN service (if all parties involved are connected to their network), smaller ISPs can't make such a guarantee - and there will always be times when the network administrator is left to her own resources. This book will help you isolate and identify the problem when something goes wrong on your VPN.

A Note on IP Address and Domain Name Conventions Used in This Book

The notation is commonly used in describing IP address ranges. It means "start with the address and allow the right-most 8 bits to vary." The 8 is calculated by using 32 bits (the maximum for an IP address) minus 24 (the size specified after the "/"). So means all addresses from to

We've elected to use the same IP address ranges and domain name throughout this book. For Internet-routable IP address ranges, we're using the blocks (or and (, which we subnet to suit our needs. These ranges were chosen because they are designated as Internet routable, but are reserved by the IANA and aren't currently being used. We hope that using these ranges, rather than randomly picking some or choosing them from active registered networks, will make examples and figures easier to understand while protecting the innocent. We found that this helped us maintain our own sanity while writing the book.

For internal networks, we use the IP ranges set aside in RFC 1918 for use on private networks. These ranges are (or, 31.255.255 (or 172.16.0.0/12), and (or We also subnet these as we deem necessary for an example.
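The prefix arithmetic from this note (host bits = 32 minus the number after the "/"), the RFC 1918 membership test, and the subnetting the authors mention, done with Python's standard ipaddress module. This is an added example, not from the book; the functions are assumptions of this example, and the blocks it is run on are constructed (192.168.1.0/24 and the 172.x addresses are RFC 1918 space, 198.51.100.0/24 is a documentation block).

```python
"""Working with CIDR prefixes and the RFC 1918 private ranges the text describes.

Added example, not from the book; the functions and the sample blocks
are assumptions chosen for illustration, and the sample addresses are
constructed (192.168.1.0/24 is RFC 1918 space; 198.51.100.0/24 is a
documentation block).
"""
import ipaddress
from typing import Any, Dict, List

# The three private ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_block(cidr: str) -> Dict[str, Any]:
    """Expand a prefix: how many host bits vary, first/last address, and whether it is RFC 1918."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False tolerates host bits set in the input
    host_bits = net.max_prefixlen - net.prefixlen      # 32 minus the prefix length for IPv4
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "host_bits": host_bits,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,                 # 2 ** host_bits
        "private": any(net.subnet_of(r) for r in RFC1918 if r.version == net.version),
    }


def subnet(cidr: str, new_prefix: int) -> List[str]:
    """Carve a block into equal subnets, the way the text subnets its ranges to suit an example."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def is_rfc1918(address: str) -> bool:
    """True when a single address falls inside one of the three private ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in r for r in RFC1918 if r.version == addr.version)


if __name__ == "__main__":
    print(describe_block("192.168.1.0/24"))
    print(subnet("192.168.1.0/24", 26))
    print(is_rfc1918("172.31.0.9"), is_rfc1918("172.32.0.9"))
```

The 172.16.0.0/12 block is the one people most often get wrong by hand: it covers 172.16.0.0 through 172.31.255.255, so 172.32.0.9 is a public address even though it looks similar. A check like is_rfc1918 is the same test a border filter applies to catch private addresses that should never appear on the Internet side.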

The domain name we use for our examples is Within this domain, however, we don't have a hostname convention, because we typically create hostnames to match whatever solution we are writing about in a given chapter....
