Table 12-11 VPN Protocols

VPN Name              VPN Description
Cisco GRE-based VPN   Enables routing and multicast traffic across an IPsec VPN;
                      non-IP protocol and QoS support
Cisco GET VPN         Encryption integration on IP and MPLS WANs; simplifies
                      encryption management using group keying; any-to-any
                      connectivity
IPsec comes in two forms: IP ESP and IP AH, which use protocol numbers 50 and 51, respectively. ESP is defined in RFC 2406, and AH is defined in RFC 2402. ESP provides confidentiality, data-origin authentication, integrity, and anti-replay service. AH allows for connectionless integrity, origin authentication, and anti-replay protection. These protocols can be used together or independently. Most IPsec-enabled clients or routers use IKE to exchange keys and ESP to encrypt the traffic.
Another type of VPN technology is SSL VPNs, which have become increasingly popular because of their clientless nature. The client only needs a standard web browser and a connection to the SSL VPN host, usually via the Internet.
Transmission Confidentiality
To ensure that data is kept private over unsecured networks such as the Internet, transmission confidentiality is used. Because the Internet is a public network, ordinary access control mechanisms are unavailable. Therefore, you need to encrypt the data before transporting it over any untrusted network such as the Internet.
To provide transmission confidentiality, IPsec VPNs that support encryption can create a secure tunnel between the source and destination. As packets leave one site, they are encrypted; when they reach the remote site, they are decrypted. Eavesdropping on the Internet can occur, but with IPsec-encrypted packets, it is much more difficult.
IPsec VPNs commonly use well-known algorithms to perform the confidentiality treatment for packets. The well-known cryptographic algorithms include Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and Rivest Cipher 4 (RC4). These algorithms are thoroughly tested and checked and are considered trusted. However, keep in mind that cryptography can pose some performance problems, depending on the network's state. That is why it is important to carefully analyze the network before deploying VPNs with IPsec.
Data Integrity
Cryptographic protocols protect data from tampering by employing secure fingerprints
and digital signatures that can detect changes in data integrity.
Secure fingerprints function by appending a checksum to data that is generated and verified with the secret key. Only those who are authorized also know the secret key. An example of secure fingerprints is Hash-based Message Authentication Code (HMAC), which maintains packet integrity and the authenticity of the data protected.
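The keyed-fingerprint mechanism described above, worked through as an added example (not code from the book): the sender appends a truncated HMAC tag to a payload, and the receiver recomputes it with its copy of the secret key, rejecting any packet whose payload or tag was altered or that was tagged under a different key. The key, the tag length and the sample payload are constructed for the demo; IPsec's actual HMAC-SHA-1-96 transform (RFC 2404) truncates to 96 bits in the same way.

```python
import hmac
import hashlib

# Constructed demo key (assumption): a real IPsec peer derives its integrity
# key from the IKE exchange; it is never hard-coded like this.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
# IPsec's HMAC-SHA-1-96 (RFC 2404) keeps only the first 96 bits of the MAC;
# the same truncation is applied here to HMAC-SHA-256 (12 bytes).
TAG_LEN = 12

def protect(payload: bytes, key: bytes, tag_len: int = TAG_LEN) -> bytes:
    """Append a keyed fingerprint (truncated HMAC-SHA-256) to the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:tag_len]
    return payload + tag

def verify(packet: bytes, key: bytes, tag_len: int = TAG_LEN):
    """Return the payload if its fingerprint checks out, otherwise None.

    The receiver recomputes the MAC with its own copy of the secret key and
    compares in constant time, so a modified payload, a modified tag, and a
    tag produced under a different key are all rejected.
    """
    if len(packet) < tag_len:
        return None  # too short to even carry a tag
    payload, tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:tag_len]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload

def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate one byte being corrupted or altered in transit."""
    mutated = bytearray(packet)
    mutated[index] ^= 0x01
    return bytes(mutated)

def demo() -> dict:
    payload = b"src=10.0.0.1 dst=10.0.0.2 amount=100"  # constructed sample data
    packet = protect(payload, KEY)
    return {
        "intact": verify(packet, KEY) == payload,
        "payload_modified": verify(flip_bit(packet, 30), KEY) is None,
        "tag_modified": verify(flip_bit(packet, len(packet) - 1), KEY) is None,
        "wrong_key": verify(packet, bytes(20)) is None,
    }

if __name__ == "__main__":
    print(demo())
```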