
INTEL BOOK 1/19/0 9:11 AM Page 1

THE TECHNOLOGY GUIDE SERIES™
visit www.techguide.com™

Designing and Implementing a Virtual Private Network (VPN)

This Guide has been sponsored by



Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Choices for Remote Access . . . . . . . . . . . . . . . . . . . . . . . 2
Today: Data over Voice (DoV) Remote Access . . . . . . . . . 2
Tomorrow: Data over Data (DoD) Remote Access . . . . . . 4
Driving Forces for Change . . . . . . . . . . . . . . . . . . . . . . . . 5
Remote Access Choices . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Steps to Implementing VPN . . . . . . . . . . . . . . . . . . . . . 10
Determine the Number of Ports . . . . . . . . . . . . . . . . . . . 10
Classify Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Evaluate User Locations . . . . . . . . . . . . . . . . . . . . . . . . . 12
Assess Data Security Requirements . . . . . . . . . . . . . . . . . 12
Making Hybrid DoV/DoD Work. . . . . . . . . . . . . . . . . . 14
Integrating VPN with Dial-up . . . . . . . . . . . . . . . . . . . . 14
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
CASE STUDY: The Nature Conservancy. . . . . . . . . . . 18
The Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
The Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
The Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
About the Nature Conservancy. . . . . . . . . . . . . . . . . . . . 22
Glossary of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

About the Editor…


Jerry Ryan is a principal at ATG and the Editor-in-Chief of techguide.com. He is the author of numerous technology papers on various aspects of networking. Mr. Ryan has developed and taught many courses in network analysis and design for carriers, government agencies and private industry. He has provided consulting support in the area of WAN and LAN network design, negotiation with carriers for contract pricing and services, technology acquisition, customized software development for network administration, billing and auditing of telecommunication expenses, project management, and RFP generation. Mr. Ryan has been a member of the Networld+Interop Program Committee and the ComNet Steering Committee. He holds a B.S. degree in electrical engineering.

The Guide format and main text of this Guide are the property of The Applied Technologies Group, Inc. and are made available upon these terms and conditions. The Applied Technologies Group reserves all rights herein. Reproduction in whole or in part of the main text is only permitted with the written consent of The Applied Technologies Group. The main text shall be treated at all times as a proprietary document for internal use only. The main text may not be duplicated in any way, except in the form of brief excerpts or quotations for the purpose of review. In addition, the information contained herein may not be duplicated in other books, databases or any other medium. Making copies of this Guide, or any portion for any purpose other than your own, is a violation of United States Copyright Laws. The information contained in this Guide is believed to be reliable but cannot be guaranteed to be complete or correct. Any case studies or glossaries contained in this Guide or any Guide are excluded from this copyright.

Copyright © 1999 by The Applied Technologies Group, Inc. One Apple Hill, Suite 216, Natick, MA 01760, Tel: (508) 651-1155, Fax: (508) 651-1171. E-mail: info@techguide.com Web Site: http://www.techguide.com

Introduction

Today, remote access to information is a strategic corporate necessity. Remote access:

• arms employees with up-to-date information, enabling them to make timely, informed decisions;
• extends the workplace beyond the office walls, allowing employees to be fully productive at home and on the road;
• provides an edge in recruiting employees looking for flexible work styles such as telecommuting and job sharing; and,
• establishes a competitive advantage by creating closer links with customers, suppliers, and employees.

Two complementary technologies can help IS managers maximize their remote access capabilities while minimizing the underlying costs: Dial-up remote access via the telephone network and Virtual Private Network-based remote access via the Internet. The combination of these two technologies provides optimal cost, performance, and reliability.

Choices for Remote Access

Today: Data over Voice (DoV) Remote Access

Today's remote access systems use the existing voice infrastructure, as illustrated in Figure 1. Here, a remote computer user dials into a corporate location through the telephone network (Data over Voice). A dedicated voice circuit then carries the data transmission from the computer's modem to a modem in the company's remote access server. The speed of the data connection varies anywhere from 4.8Kbps to 56Kbps depending on the modems used and the quality of the voice circuit.

[Figure 1: Data Over Voice. Diagram of the path from a Remote Site (Laptop with Modem) through the Local Exchange Carrier (LEC) Local Switch, the Inter Exchange Carrier (IXC) Voice Switch and a second LEC Voice Switch (the Telephone Voice Network) to the Corporation's PBX, Access equipment and LAN; T1 = 24 calls, E1 = 31 calls.]

Cost Structure

Regulations or "tariffs" set forth by agencies such as the Federal Communications Commission (FCC) drive the economics of this approach. Charges are typically based on connection time and distance between call termination points, not volume of data transmitted. These charges vary widely throughout the world and represent the bulk of remote access costs.

It is worth noting that connection time charges vary depending on the distance between the remote user and the corporate network. In the US, for instance, local calls may be included in a toll-free zone, but the cost of a long distance call depends upon the service provider's rate. The geographic spread of remote access users is a key factor in determining the cost of the service and the economics of VPN. This is discussed in more detail in the section entitled Steps to Implementing VPN, Evaluate User Locations.

2 • Designing and Implementing a Virtual Private Network Technology Guide • 3



"Last Mile"

The "last mile" refers to the connection between a location and the Wide Area Network (WAN), either the telephone network or the Internet. The remote user's last mile connection through an analog phone line—usually the weakest link in the end-to-end circuit—limits the available data bandwidth. At the corporate site, the call terminates via high performance digital connections (e.g., T1, E1, and ISDN). These last mile connections can carry from 24 to 36 high quality, 64Kbps circuits. However, they are quite expensive and each remote access session requires a dedicated circuit for the duration of the connection.

Tomorrow: Data over Data (DoD) Remote Access

Tomorrow's remote access systems will use the Internet, as illustrated in Figure 2. Here, a remote user connects to the Internet (a data network) through an Internet Service Provider (ISP). Software on the remote computer creates a secure, virtual circuit or tunnel to the company's Virtual Private Network gateway.

[Figure 2: The Future Data Dial Tone Network. Diagram labels: Laptop, Local Loop, LEC, Voice Network (Telephone, IXC, PBX), DSL, LEC Access Concentrator, IP Data Network, Gateway, Enterprise.]

Cost Structure

The cost structure for DoD services will be different than that for DoV services. Instead of voice tariffs based on distance and time, charges will depend on the performance and reliability of the connection or on the amount of information transferred. Thus, while in today's environment applications are optimized to limit connection times, future remote access applications will be optimized to limit the amount of information transferred between the remote user and the central site.

"Last Mile"

DoV remote access is limited to the use of the telephone network; DoD remote access takes advantage of any last mile technology that provides connectivity to the Internet. Technologies such as Integrated Services Digital Network (ISDN), Cable Modem, Digital Subscriber Line (DSL) and even high speed wireless services already offer anywhere from 128Kbps to more than 10Mbps access at low, fixed-rate prices. VPN lets companies harness the power of these high speed Internet access technologies for DoD remote access applications.

Driving Forces for Change

There are three main forces behind the trend toward DoD networks:

• The economics of shared data transport,
• The flexibility and scale of public networks, and
• The need for ubiquitous, broadband access.

Data Transport

DoD remote access delivers more efficient use of available bandwidth. For example, in the US, a circuit-based or "channelized" T1 used for voice connections has a maximum capacity of (24) 64Kbps channels or


1.5Mbps. Since conventional DoV remote access requires a dedicated channel for each connection, a T1 can accommodate 24 simultaneous user sessions. Each user gets a 64Kbps slice of bandwidth whether they use it or not.

A packet-based or "clear-channel" T1 used to deliver data connections has almost no limit to the number of virtual circuits it can support. This allows the same 1.5Mbps pipe to carry a higher number of user sessions. The magnitude of this increment depends on the type and volume of traffic. If there are many idle or low volume users, then a T1 could support up to and perhaps more than 200 sessions.

Consider, for example, a classic pattern of remote e-mail usage:

1) log in,
2) check e-mail,
3) send urgent replies, then
4) log off.

This sequence of steps generates a low volume of traffic. For example, while a user is reading e-mail or composing new messages, no data crosses the link. Data only passes across the link while the user is actually sending or receiving mail. A DoD connection could, therefore, support a very high number of e-mail users.

In contrast, running streaming applications such as video or audio over the connection generates a high volume of data traffic. In this case, a clear channel T1 will handle a much smaller number of sessions, though more than the 24 sessions supported by a channelized T1.

Shared Resources

A DoD remote access network allows many users to share network resources including WAN devices, last mile connections and backbone infrastructure. This sharing reduces the cost of equipment (per port costs drop), last mile connections (one pipe can support many users and applications) and long distance transport (as the cost of the DoD service decreases relative to DoV, service providers can pass these savings on to their customers).

Higher Bandwidth

The DoD remote access network delivers higher bandwidth all the way to the network end-points. Performance of 56K modem technology over DoV networks is determined by the length and quality of the analog connection and the number of analog-to-digital conversions that take place along the circuit. While 56K modem technology works well over high quality, local connections (delivering anywhere from 48Kbps to 56Kbps of actual throughput), it degrades quickly over lower quality, long distance connections (delivering from 4.8Kbps-28Kbps over international circuits).

With DoD networks, every WAN connection is a local connection supporting optimal performance of 56K modem technology. Furthermore, DoD networks are not limited to access through modems. New high-speed technologies such as DSL and Cable deliver from 384Kbps to more than 10Mbps connections to the Internet. A DoD network provides many last mile options for the networking professional.

Remote Access Choices

The basic architecture for all remote access networks is a connection from a remote or branch site through a network to a central or other branch site. This basic architecture may include two different remote access implementations: dial-up over the telephone network (DoV) and VPN over the Internet (DoD).


The difference between dial-up and VPN is the data transmission medium. Dial-up involves direct telephone network connections into the head office or central site. As such, the cost of a dial-up connection is dependent on the distance between the user and the corporate office.

On the other hand, VPN uses the Internet to establish a virtual circuit or tunnel that connects one location to another. Internet costs are distance insensitive and usually based on some type of flat-rate tariff.

In most cases, the optimal choice for remote access is a combination of both Dial-up and VPN to best serve the unique needs of each user, while minimizing the cost to the corporation.

Direct Dial

In a direct dial scenario, a remote user dials from a modem in their laptop through the PSTN, and the call terminates in a corporate LAN-based modem in an access server. Direct dial allows the IS Manager to optimize the connections to the PSTN according to users' needs. With this solution, the connection depends entirely on the voice network.

Virtual Private Networking

A VPN-based remote access connection begins with a data connection to an Internet Service Provider Point of Presence. This is typically a data-over-voice call, but may also be achieved using cable modem, DSL or wireless technology. From there, the data flows through a VPN session over the Internet (or other IP network) and ends at the corporate network gateway. All of the data that traverses the Internet is encrypted and authenticated, providing the necessary security. The differences between direct dial and VPN are illustrated in Figure 3.

In essence, with a VPN connection, the Internet becomes an extended private network. Compared to direct dial solutions, VPNs can reduce the long-distance phone charges associated with remote LAN access, and potentially eliminate them if remote users can access the public IP network with a toll-free call.

[Figure 3: VPN Versus Direct Dial Differences. Upper path: USER (Laptop, Modem), Direct Dial over the PSTN, Access Equipment, LAN. Lower path: USER (Laptop, Modem), PSTN, VPN over the IP Network, WAN, LAN.]

Since Internet network access charges are typically flat rates and are distance insensitive, the optimal solution (based on networking costs) will depend on the geographical location of users.

Optimized Remote Access Solutions

VPNs and direct dial are not mutually exclusive. In fact, a combination of the two technologies usually provides the most cost-effective solution.

Leveraging the advantages of dial-up with the lower costs of VPNs can create the best solution. While a VPN is most effective for long-distance applications, dial-up is an effective means for local access or backup. To facilitate the implementation of an optimal solution, Intel provides integrated management platforms and authentication tools that let managers reduce the total cost of ownership of the combined solution.

To achieve an optimal return on remote access investment, an IS manager must review data and usage patterns, and match this information to the appropriate remote access solution. This section examines the evaluation process.


Steps to Implementing VPN

Determine the Number of Ports

A reasonable starting point for corporations implementing dial-up remote access is to provide one port for every ten users. The connection speed for direct dial users will be determined by the modem technology used at either end of the communication connection (typically 28.8 Kbps, 33.6 Kbps or 56 Kbps).

For VPN solutions, it is also important to determine the number of simultaneous sessions or virtual ports required. Again, a 10:1 user-to-port ratio is a good starting point. Once the number of virtual ports has been determined, the bandwidth per simultaneous session can be determined by dividing the total throughput of the VPN server and WAN connection by the number of ports. This will be the average available bandwidth per VPN tunnel. In practice, users get more bandwidth since even though a user may have a session established, they may not be sending data through the virtual connection (as described above). This "idle" bandwidth will be available for other users. Therefore, in practice, the actual bandwidth per connection is likely to be two to five times greater than the average bandwidth calculated, depending on the type of traffic.

Average Throughput = Total Throughput of VPN / Number of Ports
24Kbps = 12Mbps / 500

Classify Users

Remote users can be segmented into the following classifications:

• Mobile workers/business travelers are the classic road warriors who need access to the corporate network and the Internet while traveling.
• Telecommuters work one or more full days a week from home. These workers are also more likely to have a higher bandwidth connection such as ISDN or Cable Modem.
• Day Extenders work from home for short periods of time, such as evenings or weekends, in addition to their main activity at the work site.
• Branch Offices are small remote offices that require access to a central site or to each other.

A remote user may fall into different classifications at different times:

• A home worker who picks up e-mail in the evenings or weekends,
• A mobile worker who travels, or
• An employee who telecommutes for a number of days, perhaps while on sick leave.

Figure 4 illustrates a typical distribution of user types based on a 1996 survey by Merrill Lynch of 100 US-based LAN Managers and MIS directors.
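The capacity rules above (one 64Kbps channel per DoV session on a channelized T1 versus shared capacity on a clear-channel T1, and the 10:1 port ratio with average bandwidth per tunnel = total throughput / number of ports, 12Mbps / 500 = 24Kbps) as an added Python example; this is not code from the guide or from Intel. The traffic profiles (an e-mail user bursting at 33.6Kbps for 20% of the session, a streaming user at 56Kbps continuously) are constructed samples, and the T1 is taken as 24 x 64Kbps = 1,536Kbps, which the guide rounds to 1.5Mbps.

```python
"""Remote access capacity planning from the guide's rules of thumb.

Added example, not from the guide or from Intel. T1 = 24 x 64 Kbps
(the guide rounds this to 1.5 Mbps); the traffic profiles used in
the demo at the bottom are constructed samples.
"""
import math

CHANNEL_BPS = 64_000
T1_BPS = 24 * CHANNEL_BPS   # 1,536,000 bps


def channelized_sessions(pipe_bps=T1_BPS, channel_bps=CHANNEL_BPS):
    """DoV: every session holds a full channel for its whole duration,
    whether or not data is flowing, so a T1 carries exactly 24 sessions."""
    return pipe_bps // channel_bps


def clear_channel_sessions(peak_bps, duty_cycle, pipe_bps=T1_BPS):
    """DoD: sessions share the pipe and only consume bandwidth while data
    is actually moving. peak_bps is the rate during a transfer and
    duty_cycle the fraction of the session spent transferring, in (0, 1]."""
    if not 0 < duty_cycle <= 1:
        raise ValueError("duty_cycle must be in (0, 1]")
    # Divide the pipe by the average load per session; a partial session
    # does not count, hence the floor.
    return int(pipe_bps / (peak_bps * duty_cycle))


def ports_for_users(users, ratio=10):
    """The guide's 10:1 user-to-port starting point, rounded up."""
    return math.ceil(users / ratio)


def average_bandwidth_per_tunnel(total_throughput_bps, ports):
    """Total throughput of the VPN server and WAN link divided by ports."""
    return total_throughput_bps / ports


def effective_bandwidth_range(avg_bps):
    """Idle tunnels leave their share to active users: the guide estimates
    two to five times the computed average, depending on traffic type."""
    return 2 * avg_bps, 5 * avg_bps


def plan(users, total_throughput_bps, ratio=10):
    """Port count and per-tunnel bandwidth figures for a VPN deployment."""
    ports = ports_for_users(users, ratio)
    avg = average_bandwidth_per_tunnel(total_throughput_bps, ports)
    low, high = effective_bandwidth_range(avg)
    return {"ports": ports, "average_bps": avg, "effective_bps": (low, high)}


if __name__ == "__main__":
    print("channelized T1 sessions:", channelized_sessions())
    # Constructed profiles: e-mail user (33.6 Kbps, 20% duty), streaming user (56 Kbps, always on)
    print("clear-channel T1, e-mail users:", clear_channel_sessions(33_600, 0.20))
    print("clear-channel T1, streaming users:", clear_channel_sessions(56_000, 1.0))
    # The guide's own figure: 5,000 users at 10:1 on a 12 Mbps VPN server
    print(plan(5_000, 12_000_000))
```

With the sample profiles the clear-channel T1 carries 228 e-mail sessions (the guide's "perhaps more than 200") but only 27 streaming sessions, still above the 24 of a channelized T1; the `plan` call reproduces the 24Kbps average and the 48Kbps to 120Kbps effective range for the 500-port example.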


[Figure 4: Typical Users of Remote Access. Pie chart: Telecommuters 42%, Business Travelers 16%, Mobile Workers 16%, Home Workers 13%, Branch Offices 13%.]

Evaluate User Locations

When planning a DoV and DoD remote access network, it is important to understand how the geographical spread of users affects costs. In either case, users must dial to a point of presence (POP): a corporate site for dial-up or an ISP POP for a VPN. Depending on the country and the relevant regulations, the distance to the POP determines the per-minute cost which, when multiplied by the length of access time, determines the total cost. Even when a POP is within a free local calling plan, some proportion of users may be outside the free zone.

The U.S. rate for dialed long distance calls is quite competitive and can be anywhere from $0.05 to $0.25 per minute depending on the carrier, but relatively distance insensitive. The U.S. rate for local calls is in many instances free. Remote users and locations that are outside the "free" zone can use VPN to eliminate the long distance charges by dialing a local service provider POP within their free zone.

Assess Data Security Requirements

A key deployment decision is the degree of security required. There are a number of security parameters that should be considered:

Authentication. Is the data really from the stated source? Is the source a valid user for this corporate network? This is an important issue with all remote access. With VPN, traffic arrives from the Internet; it is therefore especially important to authenticate the user when establishing the connection. Administrators can choose from a variety of authentication techniques including user names and passwords, secure tokens, and digital certificates. User names and passwords have the advantage that they are relatively simple and widely deployed today. Both VPN solutions and dial-up solutions can easily be integrated with RADIUS, NT Domains, and Novell Directory Service user name and password schemes. Secure tokens provide enhanced security over traditional user name and password schemes since they rely on a random password and hence are not susceptible to password guessing attacks. Digital Certificates are becoming the de facto standard for authentication and provide stronger authentication than either user-name/passwords or secure tokens and greater reliability. Administrators should balance the need for enhanced security with the ease of integration provided by previously deployed authentication technologies. However, it is recommended that the same user list and authentication technique be used for both dial-up and VPN services to avoid security problems associated with administrative errors due to overly complex authentication schemes.

Integrity. Has anyone tampered with or changed the data? The data session could have been altered as it passed through the network. VPN solutions use cryptographic techniques to verify that the data has not been altered in transit.

Privacy. Does the data need to be kept confidential? Some data must be concealed from the view of others. This is a more important issue with VPN than direct dial as the data passes through a public and (from the corporation's point of view) uncontrolled network. Privacy is provided by encryption.
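The integrity and data-origin checks the Integrity paragraph refers to, as an added Python example using only the standard library (not code from the guide or from Intel's products). Each tunnel message carries a sequence number and a keyed MAC (HMAC-SHA256) over header and payload; the receiver rejects a message whose tag does not verify (altered in transit or sent with the wrong key) and one whose sequence number has already been seen (a replayed copy). The key and messages are constructed samples; a real tunnel derives the key from its key exchange and also encrypts the payload for privacy, which this example leaves out.

```python
"""Tunnel message integrity and replay checks (HMAC-SHA256 plus a sequence number).

Added example, not the guide's or Intel's code. TUNNEL_KEY and the
messages are constructed samples. Only integrity and origin are
checked here; payload encryption (privacy) is not shown.
"""
import hashlib
import hmac
import struct

TUNNEL_KEY = b"constructed-sample-key-not-for-real-use"   # constructed sample
HEADER_LEN = 4      # big-endian 32-bit sequence number
TAG_LEN = 32        # SHA-256 digest size


def seal(key, seq, payload):
    """Sender side: header || payload || HMAC(key, header || payload)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag before trusting anything in the packet,
    then enforces strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.rejected = 0

    def open(self, packet):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < HEADER_LEN + TAG_LEN:
            self.rejected += 1
            return None
        header = packet[:HEADER_LEN]
        payload = packet[HEADER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison so tag checking leaks nothing via timing.
        if not hmac.compare_digest(tag, expected):
            self.rejected += 1           # altered in transit or wrong key
            return None
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            self.rejected += 1           # replayed or out-of-order copy
            return None
        self.last_seq = seq
        return payload


if __name__ == "__main__":
    rx = Receiver(TUNNEL_KEY)
    good = seal(TUNNEL_KEY, 1, b"GET /intranet/report")
    print("genuine:", rx.open(good))
    tampered = good[:HEADER_LEN] + b"GET /intranet/secret" + good[-TAG_LEN:]
    print("tampered:", rx.open(tampered))
    print("replayed:", rx.open(good))
    print("rejected so far:", rx.rejected)
```

The tag is checked before the sequence number is read, so a forged header cannot advance the receiver's window; the tampered payload in the demo has the same length as the original, which is exactly the case a length check alone would miss.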


Making Hybrid DoV/DoD Work

Integrating VPN with Dial-up

Optimizing Your Remote Access Solution

To optimize a remote access solution, the IS manager usually must consider integrating VPN connectivity with dial-up access. VPN and dial-up each have their own strengths and weaknesses.

Cost. As the example in the following section shows, the major cost in a dial-up solution is the time and distance-based charge to use the telephone system. VPN can greatly reduce long distance charges. However, if most of your users are local to the corporate POP, long distance cost savings will not apply. Therefore, when designing a remote access network, the geographic location of your users will determine the optimum solution. In most cases, this will be a combination of dial-up and VPN.

Performance. The components limiting performance in a dial-up connection are the last mile infrastructure and the technology used at the remote site, e.g., 33.6Kbps modem over an analog voice circuit.

The components limiting performance in a VPN solution include the last mile technology used at the remote site (e.g., 28.8Kbps, 33.6Kbps, or 56Kbps modems, 64K ISDN, or cable modem), Internet performance, and encryption overhead. VPN allows companies to take advantage of faster access technologies such as cable modems, increasing the speed available to users. Internet performance is optimized by selecting a single service provider that offers the minimum number of router hops between POPs and a high-capacity fiber backbone. By using a single service provider, traffic does not pass through the major Internet exchange points and takes the shortest possible path to your network. The overhead associated with encryption is usually not an issue. A typical laptop can process the most secure encryption algorithms at more than 2Mbps, meaning that encrypted throughput is not the gating factor.

Implementation. Setting up a VPN at a central location generally involves less hardware than a direct-dial solution. A VPN server can, for example, be added behind the firewall on the corporation's existing Internet connection. Intel provides an integrated dial-up and VPN management platform allowing administrators to deploy a solution using a single user list with a single security policy across both the dial-up and VPN. In addition, accounting information detailing connection times for direct dial and VPN tunnels is also fully integrated, allowing seamless integration with existing accounting and chargeback mechanisms.

Comparing Costs: An Example

How does the IS manager determine the right remote access solution? Only a detailed assessment of current needs and viable options can result in the most flexible and cost-effective solution. The example below illustrates a hypothetical company and an optimized remote access solution.

Company X has 900 employees. The nature of the company demands that a large number of staff (70%) be enabled for remote access. The following table suggests a typical split of work patterns and geographical spread:

Table 1. User and Usage Patterns

User Type        Number of Users   Average hours/week   Local Use   Long Distance
Home Workers           315                 2                5%           15%
Travelers               95                 2                2%           98%
Telecommuters          113                 8               82%           18%
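Working Table 1 through to the local/long-distance split of Table 2 and the long-distance rate band given under Evaluate User Locations, as an added Python example; this is not code from the guide or from Intel. Table 1 as extracted shows 5% local use for Home Workers, while the other rows have Local Use and Long Distance summing to 100%; 85% is the value that reproduces Table 2's 74% / 26% split, so the example assumes 85% and marks it as an assumption. The month is taken as 52/12 weeks.

```python
"""Company X usage split (Tables 1 and 2) and the dial-up long-distance bill.

Added example, not from the guide or from Intel. Rows are Table 1's figures;
the Home Workers local share is assumed to be 0.85 (the extracted table reads
"5%"), which is the value consistent with Table 2's 74% / 26% split.
"""

WEEKS_PER_MONTH = 52 / 12

# (user type, number of users, average hours/week, local share, long-distance share)
TABLE_1 = [
    ("Home Workers", 315, 2, 0.85, 0.15),   # 0.85 assumed; extraction shows "5%"
    ("Travelers", 95, 2, 0.02, 0.98),
    ("Telecommuters", 113, 8, 0.82, 0.18),
]


def usage_split(rows=TABLE_1):
    """Weekly and monthly remote access hours and the local / long-distance split."""
    local = sum(n * h * loc for _, n, h, loc, _ in rows)
    long_dist = sum(n * h * ld for _, n, h, _, ld in rows)
    total = local + long_dist
    return {
        "weekly_hours": total,
        "monthly_hours": total * WEEKS_PER_MONTH,
        "local_share": local / total,
        "long_distance_share": long_dist / total,
        "long_distance_hours_per_week": long_dist,
    }


def monthly_long_distance_cost(long_distance_hours_per_week, rate_per_minute):
    """All-dial-up long-distance bill if every long-distance minute is tolled
    at rate_per_minute (the guide quotes $0.05 to $0.25 in the U.S.)."""
    minutes = long_distance_hours_per_week * 60 * WEEKS_PER_MONTH
    return minutes * rate_per_minute


def hybrid_assignment(rows=TABLE_1):
    """The guide's hybrid rule: VPN for predominantly long-distance user types,
    direct dial for predominantly local ones."""
    return {name: ("VPN" if ld > loc else "dial-up") for name, _, _, loc, ld in rows}


if __name__ == "__main__":
    s = usage_split()
    print(f"weekly hours {s['weekly_hours']:.0f}, monthly hours {s['monthly_hours']:.0f}")
    print(f"local {s['local_share']:.0%}, long distance {s['long_distance_share']:.0%}")
    for rate in (0.05, 0.25):
        bill = monthly_long_distance_cost(s["long_distance_hours_per_week"], rate)
        print(f"long distance at ${rate:.2f}/min: ${bill:,.0f} per month")
    print(hybrid_assignment())
```

The split comes out at 74% local and 26% long distance, matching Table 2, and the tolled long-distance bill lands between about $5,800 and $28,800 per month across the quoted rate band; Table 3's $10,765 800-number line sits inside that band.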


Extrapolating these patterns of usage gives a total remote access time per month of almost 8,000 hours. However, the critical measure is the split of local to long distance minutes:

TABLE 2: Company X Weekly Remote Access

                         Percentage of remote access
Local users                         74%
Long distance users                 26%

Company X has a user port ratio of 10:1. It feeds T1 lines into an access concentrator and uses an 800 service to reduce long distance call charges. Amortizing the capital costs over 36 months and allowing for maintenance and help desk costs, the remote access costs are:

TABLE 3: Company X Access Costs with/without VPN

COST/MONTH ($)

Item                                                             All Dial-up (DoV)   All VPN (DoD)   Hybrid DoV/DoD
Monthly hardware costs (capital amortized over 36 mos.)                 875               438             615
Monthly maintenance (technology protection and
  support plan costs for hardware)                                      263               131             184
Monthly central telco costs (T1 lines)                                2,231               669           1,511
Monthly long distance costs (800 number)                             10,765                 0               0
Monthly personnel costs (help desk etc.)                             16,667            16,667          16,667
Monthly ISP costs (staff accounts with local ISPs, $30/account)           0            15,750           4,007
Total remote access cost                                            $30,801           $33,655         $22,984

The hybrid solution uses VPN for long distance and direct dial for local calls. This increases hardware costs but reduces the ISP bill. In addition to the cost benefit, this approach allows the use of direct dial for mission critical applications, or as a backup to Internet problems.

Summary

Remote access to corporate data resources has become a staple of modern business. Telecommuters, road warriors and remote offices count on timely access to mission critical information in order to maintain competitive advantage in the marketplace.

This increased use of remote access has driven demand for higher capacity connections from end-users and increased IS costs, primarily in the form of long distance telephone charges.

A combination of dial-up networking and Virtual Private Networking allows IS managers to satisfy the increased demand for remote access services while reducing costs. Dial-up networking provides the optimal local access solution; VPN provides the best solution for long distance. VPN also allows network administrators to take advantage of new access technologies such as Cable and DSL. Furthermore, the combined VPN and dial-up solution is more robust than either is alone, each serving as a back-up for the other in the case of over-flow traffic or network failure.

Intel has a remote access solution that provides the best of both worlds: dial-up remote access for local connections and VPN for long distance connections. Both use the same management and security infrastructure to reduce the overall cost of ownership and mitigate security issues attributed to administrative errors.


CASE STUDY: The Nature Conservancy

"VPN enables us to get complete, cost-effective, secure connectivity for all of our staff." Doug Barker, Vice President and Chief Information Officer of The Nature Conservancy

The Company

A virtual private network is helping The Nature Conservancy save the world's Last Great Places.

The Nature Conservancy, the world's largest conservation organization, protects plant and animal species by conserving the lands and waters they need to survive. The organization owns and manages more than 1,400 preserves — the largest network of private nature sanctuaries in the world. Since 1951, the Conservancy has protected more than 11 million acres of ecologically significant land in the U.S. and helped protect another 60 million internationally.

The Challenge

The very nature of the Conservancy's on-the-ground conservation mission takes it to some far-flung, remote places. As a result, its staff of 2,700 works out of more than 300 offices in all 50 states as well as throughout Latin America, the Caribbean, Canada, Asia and the Pacific.

"One of our biggest challenges was to get these remote staff members connected into the network," said Doug Barker, Vice President and Chief Information Officer for The Conservancy.

"About half of our staff work in very remote places that do not have local area networks or have prohibitively high costs of connectivity to our Wide Area Network," Barker said. "Where they're at is necessitated by the work we do. We're working to save the world's Last Great Places. If you look at where the last great places on the planet are, they're not concentrated in big metropolitan areas."

The Conservancy's ambitious conservation agenda into the next millennium calls for a dramatic increase in its work with local communities. Working with community partners, the organization will conduct hundreds of large-scale conservation projects to stem the tide of species extinction and preserve a high quality of life for future generations. To succeed, the group knows that it must overcome the barriers to communication and information-sharing among a widely dispersed network of conservation professionals, as well as partners across the land.

Because the organization devotes 88 percent of its resources to on-the-ground conservation, the non-profit group had limited start-up funds to invest in full-time connections via a Frame Relay network. Fifty-eight of its worldwide offices were provided connections, leaving 250 offices and about 1,000 staffers relying on expensive dial-up connectivity to access corporate resources such as e-mail, the intranet, and mission critical systems.

For leadership in this area, the Conservancy turned to Intel's WAN Systems Operation, formerly known as Shiva Corporation. "We'd done our homework on VPN technology. Their VPN solution could meet the Conservancy's challenge of providing remote, traveling, international, and telecommuting staff with affordable, secure, and reliable connectivity to our internal network resources — all while reducing our existing and future WAN costs," says Barker.

The Solution

Thanks to a gift from Intel, The Nature Conservancy received three of Intel's LanRover™ VPN Gateway Pluses, Shiva® VPN Client software for


1,000 users, Shiva® Access Manager management software, Shiva® Accountant software, and service and training on these new products. In other words, the organization received a complete VPN solution.

"VPN enables us to get complete, cost effective, secure connectivity for all of our staff," Barker said.

The organization still maintains its Frame Relay network with major Frame hubs connecting the regional offices in Massachusetts, New York, Colorado, Florida, North Carolina, Minnesota, California and Hawaii. This network connects 58 offices full-time at a throughput of 256k between hub locations and 64k between the others.

In the first phase of the project, The Nature Conservancy is connecting its remote staff to the network via VPN. In the past, remote staff were never connected to the network or they were connected to the network part-time via a direct dial, remote access solution which usually required a long distance phone call.

In the second phase of the project, the organization plans to implement a LAN-to-LAN VPN connection for smaller offices with Peer-to-Peer LANs where a full-time Frame connection would be cost prohibitive. In the third phase, the Conservancy will upgrade Frame Relay lines with VPN connections where appropriate, according to Barker. They plan to look at the entire Frame network and address the high-cost connections as well as the low-bandwidth connections first. The VPN solution opens up new options for connecting staff, including DSL, cable modems and ISDN.

"The savings are in orders of magnitude," Barker

The Benefits

Full connectivity

Today, 450 of The Nature Conservancy's remote employees are connected to the network via dial-up VPN. When the project is complete, more than 1,000 employees will use VPN to access the network.

"The VPN solution enables us to achieve complete connectivity, both very cost effectively and securely," Barker said.

Cost savings of up to $480 per month, per employee

Before the VPN, remote workers and traveling staffers gained access to the computer network by dialing into a remote access server or a remote access concentrator.

"In some cases we had individuals with phone bills as high as $500 a month or more," Barker said.

Today, workers dial into a local Internet Service Provider and gain access to the corporate network via VPN. This costs $20 to $30 per month per employee, a savings of between $470 and $480 per employee per month, Barker said.

Outstanding security

One of the Conservancy's major concerns is keeping confidential information confidential. Its systems store highly sensitive corporate assets on the amount and exact location of rare and endangered species, as well as information on more than one million Conservancy members, and other sensitive financial information.
said. “The wonderful thing about VPNs is we’re not “The encryption features of the Shiva solution
talking about 10, 20 or 30 percent savings. We’re talk- give us a strong level of confidence in our security,”
ing about hundreds of thousands of dollars in savings.” Barker said.


Quick, easy access to information

“In a highly distributed organization, it’s important for people to feel that they’re part of the whole,” Barker said.

One way to make them feel like part of the organization is to give them quick and easy access to each other, common resources and tools via corporate network services such as e-mail, the organization’s intranet, and other key applications.

Ease of use and management

Through Intel’s Shiva® Access Manager network management software, the information systems staff can manage the VPN products and users from a central location. In addition, the VPN client software is very easy to install and to use.

“End users are able to install this and get going on their own,” Barker said. “Importantly, this is not something that requires the expense and effort of IT professionals going out and visiting our distributed staff.”

About the Nature Conservancy

The Nature Conservancy is the world’s largest conservation organization working to protect plants, animals, and natural communities by conserving the lands and waters they need to survive. The Conservancy maintains an on-the-ground presence unparalleled by any other conservation organization. It has programmatic chapters in all 50 states, and works internationally with like-minded conservation partners. Increasingly, its presence is growing in communities near high-priority conservation sites. These smaller offices of one and two staff members — who interact daily with community leaders and are concerned about the ecological, economic and cultural health of a place — represent a trend for the future.

The Conservancy is engaged in a major initiative to dramatically advance local conservation in the context of global information. Technology is the key to this effort, empowering multi-local work by providing a common ground for collaboration, information exchange and the sharing of best practices and knowledge.

For more information call 1-800-628-6860, or visit the Conservancy’s web site at www.tnc.org.


Glossary of Terms

10BaseT—A type of cable used for LAN connections. Also known as Unshielded Twisted Pair.

Accounting Record—A record that contains call accounting information. Network administrators can use accounting records to track calls and to bill clients. Generally used with the RADIUS protocol.

ACK—Positive acknowledgement signal confirming receipt of data packet.

Application-Programmer Interface (API)—This term is used in a general sense to mean a detailed software interface. Included in an API would be routine declarations, data structures, tasking structure, etc., and detailed documentation describing each item.

Asymmetric Key (or “Public Key”)—Refers to cryptographic systems that use a key to encrypt (private key) and a second but related key to decrypt (public key). Similarly these systems are used to sign (private) and verify (public) a message.

Authentication Header (AH)—A security measure in IPSec, used to authenticate packets, ensuring data integrity and authenticity.

Authentication Header/Encapsulating Security Payload (AH/ESP)—Two standards for IP security from the IP Security Working Group of the IETF.

Auto-disconnect—A feature which automatically releases the connection between a client and a remote access server when a set period of time has elapsed and the unit has not been used. Auto-disconnect can be controlled through the client or management software, depending on the products involved.

Backbone Network—A high-capacity central network that connects a number of networks, usually of lower capacity.

Bindery—A database that stores a server configuration that includes users, passwords, and groups on a NetWare server.

Black—In the context of information security, any information which has been cryptographically secured, or any region of hardware or software which is responsible for handling secured data. Black has the opposite meaning (trusted network) in the context of firewall security.

Black Network—The network portion that is not secured by encryption. (The untrusted network.)

Block Cipher Encryption—System which works on blocks of data. DES is a block cipher which works on 8-byte blocks at a time.

Bridge—A device that connects two network segments which use the same communications protocol: Bridges operate at the datalink layer (layer 2) of the OSI model. When two LANs are successfully bridged together, they can filter transmitted data to contain local traffic so that the rest of the network is not involved. This boosts network performance and is useful for security purposes.

Broadcast Address—The address used to send packets to all devices on the network (to broadcast).

Brute-Force Attack—Typically an attack that uses no insight into the cryptosystem. Usually accomplished by searching the entire keyspace in order to discover a cryptographic key.

Call Interface—The interface where a remote access device can make or receive calls. It consists of the UART ports and the WAN interface.


Callback—Allows a device user to request a return call from a remote site. Bills are calculated on one line, which can mean discounted tariffs. Also used as a security feature. Also called dial-back.

Certificate—A package of information, digitally signed by a trusted authority (usually referred to as a CA or Notary) which binds a public key to an owner. The package usually consists of an identifier field, a public key field, serial number (of the certificate), activation and expiry date as well as a signature field. CCITT X.509 defines a standard format for these certificates (in ASN.1).

Certificate Authority (CA)—A trusted entity that has the capability of creating and revoking public key certificates for users and network elements.

Challenge-Handshake Authentication Protocol (CHAP)—Part of the PPP suite, an authentication protocol that provides additional network security so that a remote access device can authenticate users. It is more secure than PAP because it uses a cryptographic handshake to transmit and receive password information.

Chosen Plaintext Attack Situation—Where an attacker can select plain-text to be encrypted and observe the output. The encryption is broken when the attacker can derive the key from some number of input-output pairs.

Cipher-Block Chaining (CBC)—Refers to a mode built around DES (or any symmetric algorithm). This mode uses the algorithm in its purest form with plaintext being encrypted directly by the key. This adds a chained Initialization Vector to eliminate the problems of Electronic Codebook (ECB).

Cipher-Feedback (CFB)—Refers to a mode built around DES (or any symmetric algorithm). This feeds the cipher data back into an initialization vector to assure different outputs for identical inputs. This mode also offers a mechanism of self-synchronization for data loss.

Circuit—A logical or physical connection between two points on a WAN, between one router and another, or between a router and a remote access server. There are many properties associated with circuits, which can vary with the type of connection required, but which would typically include phone numbers, authentication details, bandwidth-on-demand, compression, encryption, and the types of protocol that can be carried over the circuit.

Clear channel—A channel that places no restrictions on the type of data or data patterns that it can carry.

Client—A computer that requests services from a server.

Compressed Serial Link Internet Protocol (CSLIP)—A method for compressing the headers of TCP/IP datagrams, to improve performance over low speed serial links.

Compression—By eliminating redundancies, data compression increases the amount of data that can be carried across WAN connections in a given time. StacLZS compression can improve ISDN performance by as much as 400%.

Customer Premises Equipment (CPE)—A general term for communications equipment at the customers’ site.

Cyclic Redundancy Check (CRC)—A CRC error means that the contents of the packet do not match the checksum received. This shows that the packet is damaged.

Data Carrier Detect (DCD)—Hardware signal defined by the RS-232-C specification that indicates that a device (such as a modem) is on-line and ready for transmission.


Data Circuit-terminating Equipment (DCE)—The signal-conversion device which translates a digital signal from data terminal equipment (DTE) into a form acceptable to the particular communications medium. A modem is an example of DCE. Also called data communications equipment.

Data Encryption Standard (DES)—A method of encrypting and decrypting data by using a secret 56-bit key. A symmetric key cryptographic system that has been standardized by NIST.

Data Link Connection Identifier (DLCI)—Value that specifies a Permanent Virtual Connection (PVC) or a Switched Virtual Connection (SVC) in a Frame Relay network.

Data Terminal Equipment (DTE)—Equipment at the user end of a user/network interface, which connects to a data network via DCE devices. DTE includes both terminal and computer ports which use the RS-232 interface standard to communicate with DCE.

Data Transfer Speed—The rate of data transmission across the network, measured in bits per second (bps).

De-militarized Zone (DMZ)—A network or section of network between an untrusted and trusted network that has some degree of security (usually provided by a packet screen) where application public information and application relays can be located. The DMZ is part of the untrusted network.

Decrypt—A process that changes encrypted data into a readable state. Using a decryption key you can take in encrypted information and translate it into decrypted information.

DES (3DES)—An enhancement to DES which uses three DES keys (168 bits to encrypt, decrypt, then encrypt) in three successive rounds for added security.

DES (Limited)—The same as 56-bit DES except that 16 key bits are fixed, reducing the effective key space to 40 bits.

DES (Triple)—An enhancement to DES which uses two DES keys (112 bits to encrypt, decrypt, then encrypt) in three successive rounds for added security.

Dial out—The process of initiating a call from a networked device, using dial-out client software and a modem to attach to a remote service.

Dial-in—The process of initiating a call from a device, using dial-in client software and a modem to attach to a remote network.

Digesting (or hashing)—Techniques of computing a strong cryptographic “checksum” of a block of data. The word “strong” implies that it is not feasible to create or modify data to result in a specific digest.

Digital Signature Standard/Algorithm (DSS/DSA)—This is a US standard for digital signatures and competes with RSA.

Dynamic IP Address Allocation—Allows a user to be assigned an IP address which is dynamically selected from a list of available addresses. See Dynamic Host Configuration Protocol (DHCP) and IP Network Control Protocol (IPCP).

Encapsulation Security Payload (ESP)—A security measure in IPSec, used to encrypt the payload to ensure privacy for sensitive data.

Encryption—Transformation of data into unreadable, meaningless data through a cryptographic transformation using a key. Decryption is the process of reversing the unintelligible data into meaningful data using a key.

Encryption Control Protocol (ECP)—Used to negotiate the use of encryption on PPP links.

Federal Information Processing Standards (FIPS)—US federal standards body.


Filtering—Allows the administrator to specify which types of packets will be allowed access and which will be rejected.

Firewall—A firmware function which protects an Intranet (for example, a corporate LAN) from unauthorized access over the Internet.

Gateway—A device used to interconnect networks, subnets, or other network devices. Gateways allow networks using different communications protocols to transfer information: Equivalent to a router, a gateway is an intelligent device used to connect two or more networks at the upper protocol layers of the Open Systems Interconnection (OSI) reference model. The networks can use different protocols and different physical media. A gateway has its own processor and memory.

Hashing—See “Digesting.”

Home Gateway (HG)—A device located on a corporate LAN that accepts authorized user tunnels over the Internet.

Hop—A measure of distance between networks within an internet. One hop typically consists of a passage to a router or a host.

Initialization Vector (IV)—This is used for input or chaining for all DES modes but Electronic Codebook (ECB).

Internet—A collection of networks and gateways that use the TCP/IP protocol suite and function as a single, co-operative network. When the term “Internet” is capitalized, it specifically refers to the world-wide, interconnected group of networks and gateways that use the TCP/IP suite of protocols to communicate.

internet—Any interconnected group of networks. An accepted substitute for the word internetwork. This should not be confused with Internet.

Internet Protocol (IP)—Part of the TCP/IP suite, a protocol which provides a connectionless internetwork service.

Internet Protocol Security (IPSec)—A collection of IP security measures that define data privacy, integrity, authentication, key management, and tunneling methods. This is used to provide a secure VPN over the Internet.

Internet Service Provider (ISP)—A communications company that provides access to the Internet.

Internetwork Packet Exchange (IPX)—The main communication protocol within the NetWare environment. IPX defines a particular method of addressing used by all NetWare nodes and networks, and it is used to communicate within and between (routing) NetWare LANs.

IP Address—A 32-bit address assigned to every host that wants to use TCP/IP to communicate across an internet: The address consists of a network and a host field. IP addresses are written in dotted decimal notation. For example, 123.45.67.89.

IP Network Control Protocol (IPCP)—Part of the PPP suite, IPCP controls the use of IP on PPP links, negotiating, for example, IP addresses and the use of header compression.

IP Network Mask—A number that describes which portion of the device’s IP address represents the network address and which portion of the IP address represents the host address.

LANs (red/black)—The LanRover VPN Gateway uses two LANs: one unsecure (red) and one secure (black). The Red LAN is the portion of the network that is not secured by encryption, but may be secured physically. The Black LAN is the portion of the network that is secured by encryption.


Layer 2 Forwarding Protocol (L2F)—A VPN protocol by which tunnels are established and terminated over the Internet. Alternative to L2TP and PPTP tunneling protocols.

Layer 2 Tunneling Protocol (L2TP)—A VPN protocol by which tunnels are established and terminated over the Internet. Alternative to L2F and PPTP tunneling protocols. L2TP is also designed to operate over a non-IP environment.

Link Quality Monitoring (LQM)—Part of the PPP suite, one of the methods used by the PPP Link Control Protocol to detect that a link is functioning properly.

Link-State Advertisement (LSA)—Broadcast packet used by link-state protocols (such as OSPF) that contains information about neighbors and path costs. LSAs are used by the receiving routers to maintain their routing tables. Sometimes called a Link-State Packet (LSP).

Local Loop—A twisted pair of wires that connects a telephone company network to a customer site. A copper wire local loop must not exceed 18,000 feet (approximately 5.5km) when used for an ISDN-BRI line.

Management Information Base (MIB)—A set of defined variables that are accessed through SNMP.

Message Digesting (MD 2,4,5)—Algorithms used to guarantee the authenticity of data (see “Digesting”).

Modem—An abbreviation of MOdulator-DEModulator. An electronic signal-conversion device used to convert digital signals from a computer to analog form for transmission over the telephone network: At the transmitting end, a modem working as a modulator converts the computer’s digital signals into analog signals that can be transmitted over a telephone line. At the receiving end, another modem working as a demodulator converts analog signals back into digital signals and sends them to the receiving computer.

Multihoming—Allows a device to use more than one address on the same physical network.

Name Resolution—When a device is named, the system determines the appropriate IP address. This is done using a name server and/or a host table file.

Name Server—A host on the IP network that runs a program to translate host names into IP addresses.

Net Mask—An IP address (such as 255.255.0.0) that specifies how much of the address to reserve for subdividing networks. The mask contains 1s for the bit positions in the 32-bit address used for the network and subnet parts, and 0s for the host part. The mask should contain at least the standard network portion. See IP Network Mask.

Network Access Server (NAS)—A RADIUS term that refers to the network point of access for remote dial-in users. NAS is the hardware that answers remote user calls and routes traffic to the local network. In VPN, NAS tunnels traffic to the HG.

Network Address Translation (NAT)—A mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. DIAT and IPX DIAT are forms of NAT.

Network Interface Card (NIC)—Board that provides network communication capabilities to and from a computer system. Also called an adapter.

Network Number—Part of an address which identifies the network that the device belongs to.

Node—This can be a host computer, printer, terminal server, router or another device. On a LAN, nodes are able to communicate with other network devices.
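The Net Mask, IP Network Mask, Network Number and Broadcast Address entries all describe one bitwise split of a 32-bit address: 1s in the mask select the network and subnet part, 0s select the host part. As an added example, not from the guide and not Intel/Shiva code, the Python below applies a mask to the glossary’s own sample address 123.45.67.89, rejects masks that are not a contiguous run of 1s followed by 0s, reports whether the mask keeps at least the classful default network portion (the “standard network portion” the Net Mask entry refers to), and cross-checks its own arithmetic against Python’s standard ipaddress module. The 192.168.1.10 address used in the self-test is a constructed sample value.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    """Parse dotted-decimal notation (for example 123.45.67.89) into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal value: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def to_dotted(value):
    """Render a 32-bit integer back in dotted-decimal notation."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def classful_prefix(addr_int):
    """Default network portion by first octet: class A /8, class B /16, class C /24."""
    first = addr_int >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None  # class D/E: no network/host split applies


def split_address(addr, mask):
    """Split an address into network, host and broadcast parts under a mask."""
    a, m = to_int(addr), to_int(mask)
    host_bits = ~m & MASK32
    # A valid mask is 1s for the network/subnet part followed by 0s for the
    # host part, so the host bits must form one contiguous low run of 1s,
    # which holds exactly when (x + 1) & x == 0.
    if (host_bits + 1) & host_bits:
        raise ValueError(f"mask {mask} is not a contiguous run of 1s then 0s")
    prefix = bin(m).count("1")
    default = classful_prefix(a)
    return {
        "network": to_dotted(a & m),             # the Network Number
        "host": to_dotted(a & host_bits),        # the host field
        "broadcast": to_dotted((a & m) | host_bits),  # all host bits set
        "prefix_length": prefix,
        # "The mask should contain at least the standard network portion"
        "covers_classful_network": default is not None and prefix >= default,
    }


def cross_check(addr, mask):
    """Confirm the hand-rolled arithmetic agrees with the ipaddress module."""
    mine = split_address(addr, mask)
    ref = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return (mine["network"] == str(ref.network_address)
            and mine["broadcast"] == str(ref.broadcast_address)
            and mine["prefix_length"] == ref.prefixlen)


if __name__ == "__main__":
    # Constructed sample inputs: the glossary's example address plus one RFC 1918 address.
    for addr, mask in [("123.45.67.89", "255.255.0.0"), ("192.168.1.10", "255.255.0.0")]:
        print(addr, mask, split_address(addr, mask), "matches ipaddress:", cross_check(addr, mask))
```

The second sample deliberately masks a class C address with a /16; the function still computes the split but flags that the mask is shorter than the classful default, which is the configuration mistake the glossary warns against.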


Nodes (red/black)—Nodes can switch from red to black and vice versa depending on the type of node. A PC that contains both Shiva’s encrypting software and hardware can switch between a red and black node; however, a Sun Station cannot because it does not work with Shiva software. A Red Node is a physical terminal responsible for handling sensitive or unsecured information. A black node is a physical terminal responsible for handling secured information through encryption.

Open Database Connectivity (ODBC)—The standard for connecting to databases.

Open Datalink Interface (ODI)—Industry standard interface between Network and Media access layers, often associated with Novell stacks.

Open Shortest Path First (OSPF)—Part of the TCP/IP suite, a link-state routing protocol designed for use over IP networks: Each router maintains an identical database which describes the topology of the network. From this database, each router forms a routing table by constructing a shortest path tree. OSPF is better suited to large networks than RIP and offers additional features such as variable-length subnetting support and authentication of protocol exchanges.

Output Feedback (OFB)—Refers to a mode built around DES (or any symmetric algorithm). This mode uses the algorithm in its purest form with plaintext being encrypted directly by the key. This feeds the output of the DES back into the input to produce a pseudo-random number stream.

Packet Header—The initial part of a packet, which contains information such as the address, the packet type and the packet size.

Password Authentication Protocol (PAP)—Part of the PPP suite, a protocol that provides additional network security on PPP links. It enables login IDs and passwords to be transmitted over the link so that a remote device can authenticate users. PAP is less secure than CHAP because it sends the password in plain text across the link.

Peer-to-peer—Architecture in which connected workstations use and provide services such as file sharing.

Peripheral Component Interconnect (PCI)—An Intel standard for connecting peripherals to a computer. Technically, PCI is not a bus but a bridge, with buffers to de-couple the CPU from relatively slow peripherals and allow them to operate asynchronously.

Permissions—In a multi-user computer environment, the ability of a specific user to access specific resources. For example, the system administrator grants permissions, which are stored in a permissions log.

Point-of-Presence (POP)—A dial-access number for an Internet Service Provider (ISP) that allows a user to obtain a general Internet connection by dialing a local (POP) telephone number.

Point-to-Point Protocol (PPP)—A suite of protocols that supports multi-vendor interoperation over point-to-point interfaces of many types, supporting multiple network layer protocols.

Point-to-Point Tunneling Protocol (PPTP)—Part of the VPN suite, a protocol by which tunnels are established and terminated over the Internet. Alternative to L2F and L2TP tunneling protocols.

PPP Multilink—Part of the PPP suite, a method used to sequence packets across multiple links—for example, when using aggregation or augmentation.

Public Switched Telephone Network (PSTN)—General term referring to the variety of telephone networks and services in place worldwide.
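The PAP entry above and the CHAP entry earlier in this glossary make one contrast: PAP puts the password itself on the link, CHAP puts only a challenge and a digest on it. As an added illustration, not part of the guide and not Shiva’s implementation, the Python below builds a simplified PAP Authenticate-Request and a CHAP exchange using the MD5 construction of RFC 1994 (response = MD5(identifier || secret || challenge)), then checks what a passive observer of the link would recover from each, and why a CHAP response captured in one session is useless against the fresh challenge of the next. The user name and secret are constructed sample values; the PAP framing is simplified to the two length-prefixed fields that matter here.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not values from the guide).
USERNAME = "remote-user"
SECRET = b"constructed-sample-secret"


def pap_authenticate_request(username, password):
    """Simplified PAP Authenticate-Request: the user name and password travel
    across the PPP link as-is, so anyone observing the link obtains both."""
    name = username.encode()
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def chap_challenge(nbytes=16):
    """CHAP step 1: the authenticator sends a fresh, unpredictable challenge."""
    return os.urandom(nbytes)


def chap_response(identifier, secret, challenge):
    """CHAP step 2 (RFC 1994, MD5): MD5(identifier || secret || challenge).
    Only the identifier, the challenge and this 16-byte digest cross the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, secret, challenge, response):
    """CHAP step 3: the authenticator recomputes the digest from its own copy of
    the secret. Constant-time comparison avoids leaking how many bytes matched."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def secret_visible_on_link(on_wire, secret):
    """The glossary's 'plain text across the link': can the secret itself be
    read straight out of the captured bytes?"""
    return secret in on_wire


def chap_replay_rejected():
    """A response captured for one challenge verifies only for that challenge;
    the next session's fresh challenge rejects it. This is what makes the
    handshake stronger than PAP's static password."""
    ident = 7
    first = chap_challenge()
    captured = chap_response(ident, SECRET, first)
    fresh = chap_challenge()
    return (chap_verify(ident, SECRET, first, captured)
            and not chap_verify(ident, SECRET, fresh, captured))


if __name__ == "__main__":
    pap_wire = pap_authenticate_request(USERNAME, SECRET)
    chal = chap_challenge()
    chap_wire = bytes([7]) + chal + chap_response(7, SECRET, chal)
    print("PAP exposes the secret on the link:", secret_visible_on_link(pap_wire, SECRET))
    print("CHAP exposes the secret on the link:", secret_visible_on_link(chap_wire, SECRET))
    print("Captured CHAP response rejected by a fresh challenge:", chap_replay_rejected())
```

The digest still depends on the shared secret, so CHAP protects the password in transit but does not remove the need to keep the secret itself (and the User List holding it) well guarded on the remote access server.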


Remote Access Server—A network device that connects to analog or digital telephone lines. It allows users to dial into and out of a LAN from workstations with analog modems, external terminal adapters, and internal ISDN BRI cards or from client routers.

Remote Authentication Dial-In User Service (RADIUS)—A protocol that allows centralized authentication and configuration of dial-in users, details of which are stored in a central RADIUS server. RADIUS also allows centralized logging of accounting information.

Reverse Address Resolution Protocol (RARP)—Part of the TCP/IP suite, a protocol that provides a method for finding IP addresses based on Ethernet addresses.

Remote Client—A client at a remote location, such as a computer at home, that uses remote access software to dial in to a network.

Remote Network—A network at a remote location that is accessed from a local network.

Rivest, Shamir, Adleman (RSA)—Public-Key technology based on factoring large numbers. Patents held by RSA Data Security Inc.

Route—The path that network traffic takes to get from a source to a destination.

Router—An intelligent connecting device which sends packets to the correct LAN/WAN segment to take them to their destination: Routers link LAN/WAN segments at the network layer of the ISO/OSI model for communications. The networks connected by routers can use either similar or different protocols.

Routing Information Base (RIB)—Contains detailed routing information about local and adjacent routing areas.

Routing Information Protocol (RIP)—A protocol in the TCP/IP and IPX suites, RIP allows gateways and hosts to exchange information about routes to various networks. Devices use RIP over IP and IPX to exchange routing information with other routers and to update the information in the routing table.

Routing Table—A table of information maintained in each router that lists the next router to which data should be forwarded, in order to reach each possible destination network on an internetwork.

Secret—Some security services use a secret to encrypt and decrypt packets or to authenticate packets between security servers and remote access devices.

Secure Data Transfer (SDT) SecurID™—A network access security system developed by Security Dynamics, Inc. SecurID™ sits between the incoming modem and the remote access server that provides access to the network. When a dial-in client calls in to the network, the user must first enter the correct SecurID™ information before connecting to the remote access server. Security Dynamics, Inc. manufactures two security solutions that are compatible with remote access servers: The first is a multi-port, stand-alone remote access server that can be inserted between the remote access server and the modem. The second, Security Dynamics ACE/Server, is a system of server and client software and SecurID™ cards. Once enabled, SecurID™ authentication is used for the following protocols: IP, IPX, NetBEUI, LLC, and ARA.

Secure Hash Standard/Algorithm (SHS/SHA)—This is a US standard for digesting (or hashing) and is an alternative to MD5.

Secure Net Key (SNK)—Client part of the Digital Pathways Defender security system which can be either hardware (a small box) or software (a program that runs on a PC). SNKs are used to generate a response to a Defender challenge.


Security Association ID (SAID)—An identifier for a security association for a given link; a security association defines security level and keying information.

Sequenced Packet Exchange (SPX)—Part of the IPX suite, SPX is a connection-oriented protocol (IPX is a connectionless protocol) and is used primarily for client and server communications. SPX is encapsulated in IPX packets.

Serial Interface—Hardware for sending and receiving data one bit at a time.

Serial Line IP (SLIP)—Part of the TCP/IP suite, a protocol that is used to connect PCs, X-terminals and other computers to an IP network. It has been made largely obsolete by PPP.

Server—Generally refers to a computer (node) on a network that permits other nodes on the LAN to access its resources. A dedicated server is one used solely for this function; a non-dedicated server means that the server can be used in other ways.

Server-based Application—An application that runs partially on the server, as opposed to running entirely on the remote station and using only data stored on the server.

Shiva Password Authentication Protocol (SPAP)—Part of the PPP suite, an authentication protocol that allows full use of Shiva features. This is Shiva’s proprietary network security for PPP links. SPAP is used only for communicating with a LanRover Access Switch or LanRover.

Simple Mail Transfer Protocol (SMTP)—Internet protocol for electronic mail.

Simple Network Management Protocol (SNMP)—Part of the TCP/IP suite, the standard management protocol for TCP/IP networks, which enables centralized network management.

Skipjack—80-bit secret key (symmetric) encryption algorithm. It is a proposed standard by the US government and is intended for key escrow. The actual algorithm is not publicly known.

Socket—An endpoint for network communication, established by software, through which information can be sent to and received from other parties.

Socket Number—All sockets have an identifying socket number to distinguish them from all other sockets on a network host, so that information sent through a socket can be properly attributed, and information sent to a node can be sent to the correct socket, and hence to the correct application. Socket numbers are usually added to the network address of the host node: with TCP/IP protocols, for example, socket numbers become the IP port number.

Source Address—The address of a network device sending a packet.

Spoofing—A technique that allows a network device to assume the “housekeeping” responsibilities of a remote terminal. This prevents unnecessary network traffic from being sent across a dial-in or LAN-to-LAN connection, and allows a virtual connection to remain suspended whenever actual network access is not required.

StacLZS—A compression algorithm often used on PPP links.

Stream Cipher—Encryption system which produces a sequence of pseudo-random bytes which can be used to encrypt a stream of bytes by exclusive ORing each byte with each subsequent random byte. Decryption is done exactly the same way.

Symmetric Key (or secret key)—Refers to encryption systems that use a key to encrypt and the same key to decrypt.
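The Cipher-Block Chaining, Cipher-Feedback, Initialization Vector, Output Feedback and Stream Cipher entries in this glossary describe how one 8-byte block cipher such as DES is chained, and why the chaining matters. As an added example, not from the guide and not Intel/Shiva code, the Python below stands in a small four-round Feistel toy cipher for DES (hypothetical, for illustration only, never for real use) so the modes run offline, and then shows each point the entries make: ECB leaves repeated plaintext blocks visible as repeated ciphertext blocks, CBC’s chained IV hides them, CFB recovers by itself after a ciphertext block is lost in transit, and OFB feeds the cipher output back into its input to produce the pseudo-random keystream of a stream cipher, where encryption and decryption are the same exclusive OR. KEY, IV and PT are constructed sample values; the block size matches the 8-byte DES block mentioned under Block Cipher Encryption.

```python
import hashlib
import hmac

BLOCK = 8  # 8-byte blocks, the DES block size named in the glossary (toy cipher, not DES)
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: a keyed hash of the right half, truncated to 4 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_encrypt_block(key, block):
    """Hypothetical 4-round Feistel block cipher used here in place of DES."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left  # final swap makes decryption the same structure in reverse


def toy_decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def _blocks(data):
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """Electronic Codebook: each block encrypted on its own, no IV."""
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pt))


def cbc_encrypt(key, iv, pt):
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    """CFB: the previous ciphertext block is fed back through the cipher as the IV."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _xor(b, toy_encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    # Note: CFB decryption uses the block cipher's ENCRYPT function as well.
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, toy_encrypt_block(key, prev)))
        prev = c
    return b"".join(out)


def ofb_keystream(key, iv, nbytes):
    """OFB: cipher output fed back into its input gives a plaintext-independent stream."""
    out, state = b"", iv
    while len(out) < nbytes:
        state = toy_encrypt_block(key, state)
        out += state
    return out[:nbytes]


def ofb_crypt(key, iv, data):
    """Stream-cipher use of OFB: XOR with the keystream; decryption is the same call."""
    return _xor(data, ofb_keystream(key, iv, len(data)))


def repeated_block_visible(ct):
    """True if any two ciphertext blocks are identical (what ECB leaks)."""
    blocks = _blocks(ct)
    return len(set(blocks)) < len(blocks)


def cfb_after_lost_block(key, iv, ct, lost_index):
    """Receiver decrypts a CFB stream from which one block was lost in transit."""
    damaged = b"".join(c for i, c in enumerate(_blocks(ct)) if i != lost_index)
    return cfb_decrypt(key, iv, damaged)


# Constructed sample values: PT deliberately starts with two identical blocks.
KEY = b"constructed-sample-key"
IV = bytes(BLOCK)
PT = b"SAMEBLK!" * 2 + b"block 3." + b"block 4."

if __name__ == "__main__":
    print("ECB shows the repeated block:", repeated_block_visible(ecb_encrypt(KEY, PT)))
    print("CBC shows the repeated block:", repeated_block_visible(cbc_encrypt(KEY, IV, PT)))
    rec = cfb_after_lost_block(KEY, IV, cfb_encrypt(KEY, IV, PT), 1)
    print("CFB after losing block 1: block 0 ok", rec[:8] == PT[:8], "; last block resynced", rec[16:] == PT[24:])
    print("OFB round trip:", ofb_crypt(KEY, IV, ofb_crypt(KEY, IV, PT)) == PT)
```

Only the block immediately after the lost one decrypts to garbage in CFB; from the next block on, the feedback register again holds a ciphertext block the sender also used, which is the self-synchronization the CFB entry refers to. Whichever mode is used, the IV must differ per message, since a repeated IV with the same key reproduces the same chaining or the same OFB keystream.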


Synchronous—A transmission method where there is a constant interval between the transmitted bits. This method is faster than asynchronous transmission. The two computers involved in the interchange must be synchronized for synchronous transmission. This is achieved by the use of a clocking signal in both devices and control information sent within the transmission.

TACACS+—The TACACS security protocol with enhancements: TACACS+ includes a challenge and response system, and data encryption. When a Shiva device is accessed, the login request is sent to a TACACS+ server on the network. The TACACS+ server performs user authentication, and the TACACS+ user profile defines the user's permissions.

Terminal Access Controller Access Control System (TACACS)—An industry-standard security protocol used by terminal servers: It allows a user to log in only if they are authenticated by a third party (a TACACS host). When a user attempts to gain access (such as a remote user logging on to a network), TACACS forwards the user name and password information to a centralized server. This server performs the necessary verification and sends a response back to the TACACS system as to whether to allow access to the network.

Third Party Validation—An access control system used by terminal servers that allows a user to log in only if authenticated by a third party host. Examples of Third Party Validation are TACACS and SecurID™.

Transmission Control Protocol (TCP)—Part of the PPP suite, a protocol that organizes packets, manages their transmission, and ensures their reliable delivery to the receiving station.

Transmission Control Protocol/Internet Protocol (TCP/IP)—A suite of protocols used to provide a transport service in networks. The Internet uses TCP/IP.

Transparent—Describes computer operations that take place automatically, performed either by the operating system or the application, without user intervention or awareness: In ISDN, a 64 Kbps data transmission that does not experience any encoding or decoding within the channel is transparent.

Tunnel—A virtual communication channel established over the Internet or other shared medium, by which encapsulated data packets are exchanged.

Tunneling—Technique of encapsulating one protocol within another, such as IPX within IP. In the context of security it refers to encrypting IP within IP so that the traffic may be routed securely.

User Datagram Protocol (UDP)—Part of the TCP/IP suite, an Internet protocol at the transport layer of the OSI model that defines a connectionless datagram service. A connectionless datagram service sends self-contained packets of data that include destination address information.

User List—A list that contains the profiles (names, passwords, and permissions) of all users who can access a remote access server.

Van Jacobson Compression (VJ Compression)—A method of compressing TCP/IP headers to improve performance over serial lines.

Virtual Connection—A connection which is not actually physical, although it appears to be to the user.

Virtual Network Access Server (VNAS)—Software that runs on an end-user device to initiate a tunnel to a home gateway device. The function of the software is sometimes referred to as client-tunneling.

Virtual Private Data Network (VPDN)—See Virtual Private Network (VPN).
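The Tunnel and Tunneling entries describe encapsulation of one packet inside another without showing what the bytes look like. The following added example (written for this glossary, not code from the Guide or from any vendor it names) builds a plain IP-in-IP tunnel packet, the unencrypted form the Tunneling entry contrasts with encrypted IP-in-IP, using protocol number 4 as assigned by RFC 2003. It constructs an outer IPv4 header with a valid checksum around an inner packet, then decapsulates it, validating version, header length, checksum, protocol and total length before trusting the inner packet. Addresses are the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and are constructed sample values; nothing is transmitted.

```python
"""IP-in-IP encapsulation and validated decapsulation (added example).

Builds packets as bytes offline; no sockets are opened.
"""
import struct

IPPROTO_IPIP = 4  # IP-in-IP protocol number (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words over the IPv4 header.

    Over a header whose checksum field is already filled in, the result is 0
    when the checksum is valid.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,        # version 4, IHL 5 (20 bytes)
                      0,           # type of service
                      total_len,
                      0,           # identification
                      0,           # flags / fragment offset
                      ttl,
                      proto,
                      0,           # checksum placeholder
                      _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Wrap an inner IP packet in an outer IPv4 header: the tunnel's wire form."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(packet: bytes) -> bytes:
    """Strip the outer header after validating it; raise ValueError otherwise.

    A tunnel endpoint must not forward an inner packet it has not checked the
    outer framing of, so every field the code relies on is verified first.
    """
    if len(packet) < 20:
        raise ValueError("truncated outer header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if packet[9] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not IP-in-IP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("total length field is inconsistent with packet size")
    return packet[ihl:total_len]


def is_well_formed_tunnel(packet: bytes) -> bool:
    """Boolean wrapper around decapsulate() for filtering logic."""
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: an inner UDP-carrying IP packet (proto 17) with a
    # 4-byte placeholder payload, tunnelled between two gateway addresses.
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 17, 4) + b"\xde\xad\xbe\xef"
    outer = encapsulate("192.0.2.1", "198.51.100.1", inner)
    print(outer.hex())
    print(decapsulate(outer) == inner)
```

The same framing is what an encrypting tunnel protects: with IPsec tunnel mode the outer header stays in the clear for routing while the inner packet is encrypted and authenticated, so the checks in decapsulate() become the first of several layers rather than the only one.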


Virtual Private Network (VPN)—A combination of software and hardware components that use public networks to create what appears to be a private network.

X.509—Defined structure for a certificate. Main fields are ID, Subject field, Validity dates, public key and CA signature.

Zone Access Privileges—In an AppleTalk network, a feature of a remote access server that lets a network administrator restrict access to zones.


This Technology Guide is one in a series of topic-focused Guides that provides a comprehensive examination of important and emerging technologies.

This series of Guides offers objective information and practical guidance on technologies related to Communications & Networking, the Internet, Computer Telephony, Document Management, Data Warehousing, Enterprise Solutions, Software Applications, and Security.

Built upon the extensive experience and ongoing research of our writers and editorial team, these Technology Guides assist IT professionals in making informed decisions about all aspects of technology development and strategic deployment.

techguide.com is supported by a consortium of leading technology providers. Intel Network Systems, Inc. has lent its support to produce this Guide.

Visit our Web site at www.techguide.com to view and print this Guide, as well as all of our other Technology Guides. This is a free service.

Part# WSO135 Rev. 1/00

produced and published by
visit www.techguide.com™