Virtual Private Networks [1 ed.]
ISBN 1565923197, 9781565923195

Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller

English, 206 pages, 1998

Table of contents (catalog record):
Preface -- 1. Why Build a Virtual Private Network? -- 2. Basic VPN Technologies -- 3. Wide Area, Remote Access, and the VPN -- 4. Implementing Layer 2 Connections -- 5. Configuring and Testing Layer 2 Connections -- 6. Implementing the AltaVista Tunnel 98 -- 7. Configuring and Testing the AltaVista Tunnel -- 8. Creating a VPN with the Unix Secure Shell -- 9. The Cisco PIX Firewall -- 10. Managing and Maintaining Your VPN -- 11. A VPN Scenario -- A. Emerging Internet Technologies -- B. Resources, Online and Otherwise -- Index.
Charlie Scott, Paul Wolfe, and Mike Erwin. "Turning the Internet into your private network"--Cover. Includes bibliographical references and index.

Turning the Internet Into Your Private Network

Virtual Private Networks

O'REILLY

Charlie Scott, Paul Wolfe & Mike Erwin

Digitized by the Internet Archive in 2012: http://archive.org/details/virtualprivateneOOscot

Virtual Private Networks

Charlie Scott, Paul Wolfe, and Mike Erwin

O'REILLY
Cambridge, Köln, Paris, Sebastopol, Tokyo

Virtual Private Networks
by Charlie Scott, Paul Wolfe, and Mike Erwin

Copyright © 1998 O'Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.

Editor: Andy Oram
Production Editor: John Files

Printing History:
March 1998: First Edition.

Nutshell Handbook and the Nutshell Handbook logo are registered trademarks and The Java™ Series is a trademark of O'Reilly & Associates, Inc. The association between the image of puffins and the topic of virtual private networks is a trademark of O'Reilly & Associates, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste. O'Reilly & Associates is committed to using paper with the highest recycled content available consistent with high quality.

ISBN: 1-56592-319-7

Table of Contents

Preface

1. Why Build a Virtual Private Network?
   What Does a VPN Do?
   Security Risks of the Internet

2. Basic VPN Technologies
   Aspects of Your Organization at Risk
   Firewall Deployment
   Encryption and Authentication

3. Wide Area, Remote Access, and the VPN
   Common WAN Configurations and Their VPN Counterparts
   Remote Access and VPN Counterparts
   The Hybrid System
   Cost Comparison Chart

4. A VPN Scenario
   The Topology
   Central Office
   Large Branch Office
   Small Branch Offices
   Remote Access Users
   A Network Diagram

5. Implementing the Point-to-Point Tunneling Protocol
   How PPTP Works
   Advantages of PPTP
   Limitations of PPTP
   Using PPTP with Other Security Measures

6. Configuring and Testing PPTP Connections
   Installing and Configuring PPTP on a Windows NT RAS Server
   Configuring PPTP for Dial-up Networking on a Windows NT Client
   Configuring PPTP for Dial-up Networking on a Windows 95 Client
   Enabling PPTP on Remote Access Switches
   Making the Calls

7. Implementing the AltaVista Tunnel
   Advantages of the AltaVista Tunnel System
   AltaVista Tunnel Limitations
   How the AltaVista Tunnel Works
   VPNs and AltaVista Tunnel

8. Configuring and Testing the AltaVista Tunnel
   Getting Busy
   Installing the AltaVista Tunnel
   Configuring the AltaVista Tunnel Workgroup Server
   Configuring the AT Personal Edition for Windows NT/95
   Troubleshooting Problems

9. The Cisco PIX Firewall
   The PIX in Action
   Operation of the PIX
   Limitations of the PIX Firewall

10. Managing and Maintaining Your VPN
   Solving VPN Problems
   Security Suggestions
   Keeping Yourself Up-to-Date

A. Emerging Internet Technologies

B. Resources, Online and Otherwise

Index

Preface

This book is about a very new area of computer technology: providing secure access between members of an organization who are cast far around the world. Both the technology providers and the users are feeling their way.

We approached the idea of the virtual private network (VPN) with some skepticism, being that we own an Internet service provider. Security compromises are fairly common, as end users fail to understand the importance of password integrity and such. Though known cracks are not common, attempted cracks are; unfortunately, the successful cracks are those you never hear about.

Customers began approaching us with requests for solutions. How can we use the global reach of the Internet to access our various networks around the country and the world? Can we do it securely? Can we do it now? Charlie probably looked them square in the eye and said, "Oh, yeah, we can do that," then gave a cackle to Mike's and Paul's dismay. So, in the course of trying to find solutions for these needy customers, and for our own nationally expanding networks, we turned to the virtual private network, and eventually wrote this book.

Although it doesn't fully represent the drama and tribulations of learning about and erecting a VPN, this book covers everything you need to know to get one up and running. The technology of the virtual private network is widely available; however, specific solutions are fairly slim. We cover the three that are currently available (PPTP, the Cisco PIX firewall, and the AltaVista Tunnel) and other basics on how VPNs work, how much they cost, and why you should use one. (And when you shouldn't.)

Audience

We assume that you are a network administrator who has already set up local area networks and knows something about the Internet and remote access (dial-in use). VPN solutions are usually employed along with firewalls, which are discussed only briefly in this book. For help with firewall concepts and technologies, you can find a variety of useful books, including Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky, published by O'Reilly & Associates, Inc.

Contents of This Book

Chapter 1, Why Build a Virtual Private Network?
Do you need a virtual private network? Good question. Read this chapter and find out. After we scare you with some common security breaches, you will find some comforting reasons why a virtual private network may be your solution.

Chapter 2, Basic VPN Technologies
Still here? This chapter details the various pieces that make a VPN function and make it more secure. Firewalls, encryption/authentication, and some basic VPN protocols and standards are covered. Rounding out this chapter are some of the varied and fun encryption technologies, such as Data Encryption Standard (DES), Kerberos, Pretty Good Privacy (PGP), and Secure Socket Layer (SSL).

Chapter 3, Wide Area, Remote Access, and the VPN
How much is this going to cost me? Justifying the cost of all these technologies is possible once you delve into the exciting world of VPN bean counting. In this chapter, the VPN's costs and benefits are weighed against the more traditional solutions: private leased-line Wide Area Network (WAN) and remote access. The three solutions are compared through a comprehensive breakdown of equipment, lines, personnel and, most importantly, time. Prices may vary. Check your local listings for a showing near you.

Chapter 4, A VPN Scenario
Okay, you say, show me one VPN that actually works. Well, here's a real live working VPN from a real live company, though the names are changed to protect everyone involved. This chapter shows a VPN scenario in all its glory, detailing the needs of a company, and how the VPN saved the day. A description of the network topology and various required items is also included, as well as a handy network diagram.

Chapter 5, Implementing the Point-to-Point Tunneling Protocol
So what's a specific solution for my VPN? Well, there are several. We start with the cheapest version (free!): Point-to-Point Tunneling Protocol, or as we call it in the "industry," PPTP. First, we offer a lengthy discussion of how PPTP works, then we detail PPTP solutions from various equipment and software manufacturers.

Chapter 6, Configuring and Testing PPTP Connections
Okay, I've decided to use your PPTP, but how? Here is everything you ever wanted to know about getting PPTP running. We cover PPTP on Windows NT and Windows 95, as well as on Ascend remote access devices. Then we teach you how to test and troubleshoot the connections.

Chapter 7, Implementing the AltaVista Tunnel
PPTP isn't enough for me; do you have anything else? Actually, yes. The AltaVista Tunnel is the newest entrant into the VPN world; it has proven to be a stable solution. Here we cover how the AltaVista Tunnel works, its advantages and limitations, and how it may fit into your VPN scenario.

Chapter 8, Configuring and Testing the AltaVista Tunnel
Okay, how do I make it work? We cover configuring server and client pieces on Windows NT and Windows 95, as well as mentioning a few Unix versions out there. We also cover testing and troubleshooting.

Chapter 9, The Cisco PIX Firewall
What's the top of the line? For now, we've found Cisco PIX to offer the most features and bandwidth: an expensive choice, but perhaps the only one that large sites will find satisfactory. In this chapter we cover what PIX can do, as well as configuration of the firewall and the private network.

Chapter 10, Managing and Maintaining Your VPN
Someone can't dial in, or a connection that worked fine yesterday is down. Now what's wrong? This chapter takes you through the various points on the network (or your Internet provider's network) where access has failed. It also offers suggestions for policies that increase security on the VPN.

Appendix A, Emerging Internet Technologies
This appendix covers IPv6 (the newest version of the IP protocol), IPsec, and the Secure Wide Area Network (S/WAN).

Appendix B, Resources, Online and Otherwise
Technology and products for VPNs are evolving quickly. Here's a list of places we've found useful for the latest information.

Conventions Used in This Book

The following conventions are used in this book:

Italic is used for filenames, directory names, and URLs.

Constant width is used for code examples.

Constant width bold highlights, in some code examples, the statements being discussed.

Constant width italic indicates an element (e.g., a filename or variable) that you supply.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O'Reilly & Associates
101 Morris Street
Sebastopol, CA 95472
1-800-998-9938 (in the U.S. or Canada)
1-707-829-0515 (international or local)
1-707-829-0104 (FAX)

You can also send us messages electronically. To be put on our mailing list or to request a catalog, send email to:

[email protected] (via the Internet)

To ask technical questions or comment on the book, send email to:

[email protected] (via the Internet)

Acknowledgments

The authors collectively wish to thank our insightful and understanding editor, Andy Oram. Without his direction, gentle reminders, and gracious deadline extensions, this book wouldn't be here.

Charlie would like to dedicate his portion of this book to his wife Mary, who has weathered the past two years of authoring exceptionally well. "You are my life." He'd also like to thank Mike and Paul.

Paul thanks his family (Brenda, Nikolaus, Lukas, and Rayna) for putting up with his long nights away from home. Thanks to Outernet for their bulletproof network, without which this book would not be possible. And thanks to Jennifer Alexander for reviewing and offering comments.

Mike would like to extend a hearty "thanks for everything you've done" to Kris Thompson, for lending him a Cisco PIX unit as well as his expert assistance in helping to get it configured and working. He'd also like to extend a most grateful thank you to Jennifer Alexander, who read, reviewed, and commented on the flow of his work in its primordial form. He'd like to further thank his friends and family, who put up with him as he tried to fit writing into his crazy schedule.

The authors would like to thank Jennifer Alexander, Gregg Lebovitz, Gordon C. Galligher, and Matt Eackle for their technical reviews, which mixed useful fixes and insightful general suggestions. The authors also wish to thank William Hurley for acting as their agent on this book. The authors would also like to thank the production staff at O'Reilly & Associates. John Files was the production editor and copyeditor. Claire Cloutier LeBlanc was the proofreader. Mary Anne Mayo and Sheryl Avruch performed quality control checks. Seth Maislin wrote the index. Edie Freedman designed the book's cover. Mike Sierra implemented the format in FrameMaker. Robert Romano created the illustrations. Elissa Haney and William W. Plummer, Jr., provided production support.

Chapter 1
Why Build a Virtual Private Network?

In this chapter:
• What Does a VPN Do?
• Security Risks of the Internet

Until now there has always been a clear division between public and private networks. A public network, like the public telephone system and the Internet, is a large collection of unrelated peers who exchange information more or less freely with each other. The people with access to the public network may or may not have anything in common, and any given person on that network may only communicate with a small fraction of its potential users.

A private network is composed of computers owned by a single organization that share information specifically with each other. They're assured that they are going to be the only ones using the network, and that information sent between them will (at worst) only be seen by others in the group. The typical corporate Local Area Network (LAN) or Wide Area Network (WAN) is an example of a private network. The line between a private and public network has always been drawn at the gateway router, where a company will erect a firewall to keep intruders from the public network out of their private network, or keep their own internal users from perusing the public network.

There also was a time, not too long ago, when companies could allow their LANs to operate as separate, isolated islands. Each branch office might have its own LAN, with its own naming scheme, email system, and even its own favorite network protocol, none of which might be compatible with other offices' setups. As more company resources moved to computers, however, there came a need for these offices to interconnect. This was traditionally done using leased phone lines of varying speeds. By using leased lines, a company can be assured that the connection is always available, as well as private. Leased phone lines, however, can be expensive. They're typically billed based upon a flat monthly fee, plus mileage expenses. If a company has offices across the country, this cost can be prohibitive.

Private networks also have trouble handling roving users, such as traveling salespeople. If the salesperson doesn't happen to be near one of the corporate computers, he or she has to dial into a corporate modem long-distance, which is an extremely expensive proposition.

This book is about the virtual private network (VPN), a concept that blurs the line between a public and private network. VPNs allow you to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination of the two that creates a secure link between peers over a public network. This is done through encryption, packet tunneling, and firewalls. We'll go over exactly what is meant by each of these, and what roles they play in a VPN, later in this chapter, and touch upon them again and again throughout the book. Because they skirt leased line costs by using the Internet as a WAN, VPNs are more cost-effective for large companies, and well within the reach of smaller ones.

In this chapter, we'll also talk about Intranets as the latest trend in corporate information systems, and how they were the impetus for VPNs.

What Does a VPN Do?

A virtual private network is a way to simulate a private network over a public network, such as the Internet. It is called "virtual" because it depends on the use of virtual connections, that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis. Secure virtual connections are created between two machines, a machine and a network, or two networks.

Using the Internet for remote access saves a lot of money. You'll be able to dial in wherever your Internet service provider (ISP) has a point-of-presence (POP). If you choose an ISP with nationwide POPs, there's a good chance your LAN will be a local phone call away. Some ISPs have expanded internationally as well, or have alliances with ISPs overseas. Even many of the smaller ISPs have toll-free numbers for their roaming users. At the time of this writing, unlimited access dial-up PPP accounts, suitable for business use, are around $25 per month. We won't even speculate what they'll be next year! At any rate, well-chosen ISP accounts should be cheaper than setting up a modem pool for remote users, and paying the long-distance bill for roaming users. Even toll-free access from an ISP is typically cheaper than having your own toll-free number, because they purchase hours in bulk from the long-distance companies.

In many cases, long-haul connections between networks are done with a leased line, a frame relay network, or ISDN. We've already mentioned the costs of leasing a "high cap" leased line such as a T1. Frame relay lines can also give you high speeds without the mileage charges. You purchase a connection to a frame cloud, which connects you through switches to your destination. Unlike a leased line, the amount you pay is based more on the bandwidth that's committed to your circuit than distance. Frame connections are still somewhat expensive, however. ISDN, like the plain old telephone system, incurs long-distance charges. In many locations, the local telephone company charges per minute even for local calls, which again runs expenses up. For situations where corporate office networks are in separate cities, having each office get a T1, frame relay, or ISDN line to an ISP's local POP would be much cheaper than connecting the two offices using these technologies. A VPN could then be instituted between the routers at the two offices, over the Internet.

The Rise of Intranets

By now you've probably heard of Intranets and the stir they've caused at many businesses. Companies are running TCP/IP networks, posting information to their internal web sites, and using web browsers as a common collaborative tool. An example of an Intranet application is a customer database accessible via the Web. Salespeople could use this database to contact current customers about new product offerings and send them quotes. The database could have a HyperText Markup Language (HTML) front-end, so that it's accessible from any web browser.

The rise of Intranets was spurred on by the growth of the Internet and its popular information services, commonly known as the World Wide Web. It was as if the corporate sector had finally caught on to what the Internet community had been doing for years: using simple, platform-independent protocols to communicate more effectively. No matter how much marketing hype you hear, an Intranet is simply Internet technology put to use on a private network.

How VPNs relate to Intranets

Virtual private networks can be used to expand the reach of an Intranet. Since Intranets are typically used to communicate proprietary information, you don't want them accessible from the Internet. There may be cases, however, where you'll want far-flung offices to share data or remote users to connect to your Intranet, and these users may be using the Internet as their means of connection. A VPN will allow them to connect to the Intranet securely, so there are no fears of sensitive information leaving the network unprotected.

Using our previous example of the customer database, it's easy to see how a VPN could expand the Intranet application's functionality. Suppose most of your salespeople are on the road, or work from home. There's no reason that they shouldn't be able to use the Internet to access the web server that houses the customer database application. You don't want just anyone to be able to access the information, however, and you're also worried about the information itself flowing unencrypted over the Internet. A VPN can provide a secure link between the salesperson's laptop and the Intranet web server running the database, and encrypt the data going between them. VPNs give you flexibility, and allow practically any corporate network service to be used securely across the Internet.

Security Risks of the Internet

The risks associated with the Internet are advertised every day by the trade and mainstream media. Whether it's someone accessing your credit card numbers, prying into your legal troubles, or erasing your files, there's a new scare every month about the (supposedly) private information someone can find out about you on the Internet. (Not to mention the perceived risk that you might happen upon some information that you find offensive, or that you might not want your children to see.) For corporations, the risks are even more real and apparent. Stolen or deleted corporate data can adversely affect people's livelihoods, and cost the company money. If a small company is robbed of its project files or customer database, it could put them out of business.

Since the Internet is a public network, you always risk having someone possibly access any system you connect to it. It used to be that a system intruder would have to have access, and dial into your network to crack a system. This meant that they would have to find a phone number connected to a modem bank that would give them access, and risk the possibility of the line being traced. But if your corporate network is connected over the Internet and your security is lax, the system cracker might be able to access your network using any standard dial-up account from any ISP in the world.

Even unsophisticated users can obtain and use automated "security check" tools to seek out holes in a company's network. What's worse is that chances are, you'll never know that it's happening.

What Are We Protecting with Our VPN?

Probably the first things that come to mind when you think of protection are the files on your networked computers: Microsoft Word files that contain your company's future plans, spreadsheets that detail the financial analysis of a new product introduction, databases of your payroll and tax records, or even a security assessment of your network pointing out holes and problematic machinery. These are a good starting point, but don't forget about the other, less tangible assets you connect to the Internet when you go online. These include the services that you grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, you would consider it a security failure if all your vendors' email bounced back to them one day, or if your users complained that they couldn't make connections to other sites.

Well over half the data you manage and distribute could call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign aimed at a random slice of the population. A negative campaign is the easiest thing to identify; something far worse than this might hurt you. Your goal is to isolate, tabulate, and categorize all of the private data that flows into, around, and out of the company. To assist you, we have developed a small list of common categories into which to group the private data:

Human resources
    Employee private data, tax information, bonus and award information

Security information
    User passwords, user accounts, access levels, firewall structure, network maps and diagrams

Business organization
    Organization charts and planning

Databases
    Customer records, account records, accounting, finance, administration, and support

Product development
    White papers, CAD drawings, source code, test results, and research and development information

Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, it's not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code. VPNs help alleviate some of the worry of transmitting secure files outside of your network.

Possible Threats to Your Data

We've come up with some basic security problems to watch out for when mixing the Internet and your LAN: ways that users might be able to get at your data. Some are more likely than others, and there are many more we could add to this list. Chapter 2, Basic VPN Technologies, goes into a few other threats and more details (as will any good book on network security).

Network intrusion
Network intrusion is every network administrator's nightmare. With an intrusion attack, someone from the outside is able to access machines on your network as if they are the owner or administrator of that machine. They do this by guessing a password, obtaining someone's password through trickery or a knowledge of personal interests (social engineering), or exploiting security holes in an operating system. Once on, they can download or delete important data, read email, keep you from getting into your own system, or launch an attack on another network from your systems. When your network is connected to the Internet, intrusion is a very real possibility; it is probably one of the most common (or at least commonly attempted) security attacks on the Internet.

IP address spoofing
IP address spoofing involves someone on the Internet pretending to have an IP address on the inside of your network. This is typically done to get around a packet filtration firewall, which can block traffic based on a source or destination address. Once past your firewall, the intruder can attempt to break into your systems. Spoofing is also used to launch denial of service attacks, which either completely overwhelm a machine or cause it to start something it can't finish. An example of the latter is the TCP SYN flood attack, which came to public attention when it brought down a major ISP: the attacker sends a stream of connection requests with forged source addresses, so the victim fills up with half-open connections that can never be completed. (The notorious "killer ping," or Ping of Death, is a different attack, an oversized ICMP echo request that crashes a vulnerable IP stack; it belongs to the first kind, overwhelming the machine outright.)

Packet sniffing
In the world of electronic commerce, packet sniffing is by far the most feared security risk on the Internet. Packet sniffing occurs when a person uses a machine connected to a network to watch network traffic as it streams by. The sniffer can dissect individual packets to locate and see the data inside. Sniffing tools are typically used to troubleshoot problems with network devices or protocol stacks, but they can also be used by evildoers to capture passwords or other sensitive data. Secure web servers, PGP emailers, Kerberos services, and other tools have been designed to combat this threat. Truthfully, however, successful packet sniffing is very much a matter of being in the right place at the right time. The ultimate vantage point for a packet sniffer would be your local network, so that they're only seeing your traffic. Of course, this means that they'd need to have direct access to your Ethernet, so it's most likely to be done by an employee. Or, someone could social-engineer their way into your building posing as a technician. ("I'm Bob with IBM, and I'm here to fix the network." Everyone knows the network always needs fixing!) A network intruder could also crack into a system on your network and compile a utility that will allow them to view TCP/IP traffic.

Packet sniffing on the Internet is much more complex. Because many ISPs are multihomed (they have more than one connection to the backbone providers), data can take a number of paths, making it hard for a cracker to know where to put the sniffer. The best place for someone to sniff your traffic would be at one of the ISPs to which you're connecting. The second best place would be at one of the major network access points (NAPs) where the backbone providers connect with each other.
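What "dissecting individual packets" looks like in code, as an added example that is not from the book: a small Python parser for IPv4/TCP packets, run over a constructed capture of a POP3 login. Every address, port and credential below is made up for the demonstration, the packets are built by the script itself (zero checksums, no IP options, no fragmentation handling), and all the scanner does is pull USER/PASS lines out of the payload, which is exactly what a sniffer on your Ethernet gets from an unencrypted login and exactly what a VPN's encryption denies it.

```python
import struct
from ipaddress import IPv4Address


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed sample packet: 20-byte IPv4 header, 20-byte TCP header
    (PSH+ACK), then payload. Checksums stay zero; nothing goes on a wire."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                          5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


def dissect(packet):
    """Split a raw IPv4/TCP packet into (src, dst, sport, dport, payload)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                           # protocol field: 6 is TCP
        raise ValueError("not TCP")
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    tcp = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]


# Services whose login dialog travels in the clear (assumed watch list).
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}


def find_credentials(packets):
    """Return (service, src, dst, line) for every USER/PASS line seen."""
    hits = []
    for pkt in packets:
        src, dst, sport, dport, payload = dissect(pkt)
        if dport not in CLEARTEXT_LOGIN_PORTS:
            continue
        for line in payload.split(b"\r\n"):
            if line[:5].upper() in (b"USER ", b"PASS "):
                hits.append((CLEARTEXT_LOGIN_PORTS[dport], src, dst,
                             line.decode("ascii", "replace")))
    return hits


# Constructed capture: a POP3 login from a desktop to a mail server, plus an
# unrelated HTTP request that the scanner must ignore.
SAMPLE_CAPTURE = [
    build_ipv4_tcp("192.168.10.25", "192.0.2.10", 40001, 110, b"USER alice\r\n"),
    build_ipv4_tcp("192.168.10.25", "192.0.2.10", 40001, 110, b"PASS s3cret!\r\n"),
    build_ipv4_tcp("192.168.10.25", "192.0.2.20", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_CAPTURE):
        print(hit)
```

Run as a script it prints the two credential lines and nothing for the HTTP packet. A real sniffer reads the same bytes from a promiscuous-mode interface instead of a list; the parsing is the same, which is why the defence has to be encryption of the payload rather than hoping nobody is listening.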

How VPNs Solve Internet Security Issues A VPN hand.

is

a conglomerate of useful technologies that originally

Now

were assembled by VPN and are

the networking companies have realized the value of a

offering products that

do

the hard

work

for you.

Firewalls

An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network.

Although most VPN packages themselves don't implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. The most common firewall is a packet filtration firewall, which will block specified IP services (run on specific port numbers) from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PIX) and the 3Com/U.S. Robotics Total Control, also support packet filtration.

Packet filtration firewalls can also be used to help prevent IP address spoofing. You can do this by allowing only packets that bear a source address from one of your networks to leave the gateway. Similarly, you can allow only packets with a source address from outside of your network to enter the gateway.
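The two packet-filtration rules just described (blocking services by port number, and the egress/ingress anti-spoofing checks), written out as an added example; this is not code from the book or from the PIX or Total Control products it names, and the internal networks, blocked ports and sample packets are constructed.

```python
"""Packet-filtration rules at a gateway router: block specified IP services
by port, and stop address spoofing by checking which side of the gateway a
packet's source address belongs on. Added example; all values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: address blocks that live behind this gateway (an assumption).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Constructed: services we refuse to let in from the Internet, by port number.
BLOCKED_INBOUND_PORTS = {23: "telnet", 111: "portmap", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination port
    direction: str  # "in" = Internet -> LAN, "out" = LAN -> Internet


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[bool, str]:
    """Decide whether one packet may cross the gateway; returns (allowed, reason)."""
    if pkt.direction == "out":
        # Egress anti-spoofing: only our own addresses may leave as a source.
        if not is_internal(pkt.src):
            return False, "egress spoof: source is not one of our networks"
        return True, "egress ok"
    if pkt.direction == "in":
        # Ingress anti-spoofing: an outside packet must not claim an inside source.
        if is_internal(pkt.src):
            return False, "ingress spoof: outside packet claims an internal source"
        if pkt.dport in BLOCKED_INBOUND_PORTS:
            name = BLOCKED_INBOUND_PORTS[pkt.dport]
            return False, f"{name} (port {pkt.dport}) blocked at gateway"
        return True, "ingress ok"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def audit(packets: List[Packet]) -> List[str]:
    """Run the filter over a batch and return one line per dropped packet,
    the kind of record a gateway would log for later review."""
    dropped = []
    for pkt in packets:
        allowed, reason = filter_packet(pkt)
        if not allowed:
            dropped.append(f"DROP {pkt.direction} {pkt.src} -> {pkt.dst}:{pkt.dport}: {reason}")
    return dropped


# Constructed sample traffic: two spoofed packets and one blocked service.
SAMPLE = [
    Packet("203.0.113.9", "192.0.2.25", 25, "in"),    # inbound mail: allowed
    Packet("192.0.2.7", "192.0.2.25", 25, "in"),      # outside packet with our source: spoof
    Packet("203.0.113.9", "192.0.2.25", 23, "in"),    # telnet from outside: blocked service
    Packet("192.0.2.7", "203.0.113.9", 80, "out"),    # our host browsing out: allowed
    Packet("203.0.113.9", "203.0.113.1", 80, "out"),  # foreign source leaving our LAN: spoof
]
```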

Authentication

Authentication techniques are essential to VPNs. Most authentication systems are based upon a shared key system. The keys are run through a hashing algorithm which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldn't be able to glean a password. The Challenge Handshake Authentication Protocol (CHAP) is a good example of an authentication method that uses this scheme.

Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didn't "slip in" to the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.
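The shared-key exchange and the integrity checksum described above, as an added example that is not code from the book: it is modelled on CHAP (RFC 1994), which hashes the identifier, the shared secret and a random challenge with MD5, and it uses a keyed hash for the message checksum; the secret and the message are constructed.

```python
"""Shared-key authentication and integrity checking, modelled on CHAP.
Added example, not the book's code; secret and messages are constructed."""
import hashlib
import hmac
import os

SHARED_SECRET = b"constructed-shared-secret"   # held by both peers, never sent


def make_challenge() -> bytes:
    """Authenticator side: a fresh random challenge for every round."""
    return os.urandom(16)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(identifier || secret || challenge) is all that crosses
    the wire (this is the CHAP construction); the secret itself never does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: compute its own hash and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def message_checksum(secret: bytes, data: bytes) -> bytes:
    """Keyed checksum carried with each message. Keying it with the shared
    secret means an impostor who modifies the data cannot recompute it."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def message_ok(secret: bytes, data: bytes, checksum: bytes) -> bool:
    return hmac.compare_digest(message_checksum(secret, data), checksum)


def run_session(peer_secret: bytes, server_secret: bytes = SHARED_SECRET) -> dict:
    """Simulate one session: authenticate at the start, re-challenge mid-session,
    then exchange a message with an integrity checksum. Returns each verdict."""
    results = {}

    # 1. Session start: challenge/response with the peer's copy of the secret.
    ident = 1
    challenge = make_challenge()
    wire_response = chap_response(ident, peer_secret, challenge)
    results["initial_auth"] = chap_verify(ident, server_secret, challenge, wire_response)

    # 2. Mid-session re-challenge. A sniffer who captured wire_response and
    #    replays it fails, because the new random challenge changes the hash.
    ident = 2
    new_challenge = make_challenge()
    results["replay_rejected"] = not chap_verify(ident, server_secret, new_challenge, wire_response)
    results["rechallenge_auth"] = chap_verify(
        ident, server_secret, new_challenge, chap_response(ident, peer_secret, new_challenge))

    # 3. A message with its checksum; a copy modified in transit must fail.
    data = b"constructed payload: transfer 100 units"
    checksum = message_checksum(peer_secret, data)
    results["intact_ok"] = message_ok(server_secret, data, checksum)
    tampered = data.replace(b"100", b"900")
    results["tampered_detected"] = not message_ok(server_secret, tampered, checksum)
    return results
```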

Encryption

All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret (or private) key encryption and public key encryption.

In secret key encryption there is a shared secret key, a password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The tried-and-true data encryption standard (DES), which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method. One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup of people, it can become unmanageable for a large network. What if one of the people leaves the company? Then you're going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed.

Public key encryption, a newer and increasingly common system, involves a public key and a private key. You publish your public key to everyone, while only you know your private key. If you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, they'll decrypt it using your public key and their private key. Depending on the software, public and private keys can be large, too large for anyone to remember. Therefore, they're often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption, such as DES, and a password or passphrase you can remember, so that just because someone gets on your system, they won't be able to see what your private key looks like. Pretty Good Privacy (PGP) is a well-known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products.

The main disadvantage of public key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption. Because of this, data transfers that need a good amount of speed, such as encrypted streams over a network, are encrypted using secret key encryption with a key that's good only for that streaming session. The session secret itself (typically smaller than the data) is encrypted using public key encryption and is sent over the link. We'll go into detail about the power, politics, and use of various encryption techniques in Chapter 2.

Tunneling

Most of the current VPN packages use tunneling to create a private network, including the three we'll review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), and the Layer 2 Forwarding Protocol. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that most corporate LANs don't exclusively use IP. Networks with Windows NT servers, for instance, will use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could either be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to a Novell server remotely.
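The "packet within a packet" idea from the Tunneling passage, as an added example that is not code from the book or from any of the tunneling products it names: an IPX-style packet (and, to show the same-protocol case, an IP packet) is carried whole inside an IP-addressed envelope and unwrapped at the far end. The envelope layout and the simplified IPX header are constructed for illustration, not real wire formats; the tunnel endpoint addresses are documentation-range values.

```python
"""Tunneling: carry a packet of one protocol as the payload of another.
Added example; the envelope and IPX-style header layouts are constructed."""
import socket
import struct

# Inner-protocol tags for the envelope (constructed values, not real numbers).
PROTO_IP = 1
PROTO_IPX = 2

# Outer envelope: src IPv4, dst IPv4, inner protocol tag, inner length.
OUTER_FMT = "!4s4sHH"
OUTER_LEN = struct.calcsize(OUTER_FMT)

# Simplified IPX-style inner header: network (4), node (6), socket (2).
IPX_FMT = "!4s6sH"
IPX_LEN = struct.calcsize(IPX_FMT)


def build_ipx(network: bytes, node: bytes, sock: int, payload: bytes) -> bytes:
    """Constructed IPX-like packet: header followed by its payload."""
    return struct.pack(IPX_FMT, network, node, sock) + payload


def encapsulate(outer_src: str, outer_dst: str, proto: int, inner: bytes) -> bytes:
    """Tunnel entry: wrap any inner packet in an IP-addressed envelope that
    Internet routers can forward without ever looking inside."""
    if len(inner) > 0xFFFF:
        raise ValueError("inner packet too large for the length field")
    return struct.pack(OUTER_FMT, socket.inet_aton(outer_src),
                       socket.inet_aton(outer_dst), proto, len(inner)) + inner


def decapsulate(frame: bytes):
    """Tunnel exit: strip the envelope and return (src, dst, proto, inner).
    Frames whose length field disagrees with what arrived are rejected."""
    if len(frame) < OUTER_LEN:
        raise ValueError("truncated envelope")
    src, dst, proto, length = struct.unpack(OUTER_FMT, frame[:OUTER_LEN])
    inner = frame[OUTER_LEN:]
    if len(inner) != length:
        raise ValueError("length field does not match inner packet")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, inner


def parse_ipx(packet: bytes):
    """Read back the constructed IPX-style header and payload."""
    network, node, sock = struct.unpack(IPX_FMT, packet[:IPX_LEN])
    return network, node, sock, packet[IPX_LEN:]


def ipx_over_ip_roundtrip() -> tuple:
    """End to end: a remote user's IPX request crosses the Internet inside IP
    and is handed to the Novell server unchanged. Socket 0x0451 is the NCP
    socket; the other values are constructed."""
    ipx = build_ipx(b"\x00\x00\x00\x01", b"\x00\x00\x1b\x2a\x3c\x4d", 0x0451,
                    b"constructed NCP request")
    frame = encapsulate("203.0.113.5", "198.51.100.1", PROTO_IPX, ipx)
    src, dst, proto, inner = decapsulate(frame)
    network, node, sock, payload = parse_ipx(inner)
    return src, dst, proto, sock, payload
```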

IPsec

The next step for VPNs is secure IP, or IPsec. IPsec is a series of proposals from the IETF (RFCs 1825 through 1829) outlining a secure IP protocol. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide. Why create a secure version of IP rather than just stick with the current VPN packages? The principal reason is that it creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Although IPsec has yet to make it into widespread commercial status, it's still an integral part of future generations of the IP protocol. For that reason, we're going to limit our coverage of it to Appendix A, Emerging Internet Technologies.

Running a virtual private network over the Internet raises an easily forgotten issue: reliability. Let's face it: the Internet isn't always the most reliable network by nature. Tracing a packet from one point to another, you may pass through a half-dozen different networks of varying speeds, reliability, and utilization—each run by a different company. Any one of these networks could cause potential problems for a VPN.

Finding Out Who's to Blame

The lack of reliability of the Internet, and the fact that no one entity controls it, makes troubleshooting VPN problems difficult for a network administrator. If a user can't dial into a remote access server at the corporate headquarters, or there's a problem with a leased line connection, the network administrator knows there are a limited number of possibilities for where the problem may occur: the router on the far end, the telecommunications company providing the machine or link, or the machine or router at the corporate headquarters. For a VPN over the Internet, the problem could be with the machine on the far end, with the ISP on the far end, with one of the networks in between, with the corporate headquarters' ISP, or with the machine or router at the corporate headquarters itself.

Although a few large ISPs are offering quality of service guarantees with their VPN service (if all parties involved are connected to their network), smaller ISPs can't make such a guarantee—and there will always be times when the network administrator is left to her own resources. This book will help you isolate and identify the problem when something goes wrong on your VPN.

In this chapter:
• Aspects of Your Organization at Risk
• Firewall Deployment
• Encryption and Authentication

2
Basic VPN Technologies

A box without hinges, key, or lid,
Yet golden treasure inside is hid.
J. R. R. Tolkien, The Hobbit

This chapter focuses on the background technologies that are used to support the building of a virtual private network. As we discussed in Chapter 1, Why Build a Virtual Private Network?, there are two competing camps at work when we talk about interconnecting data networks together. The first camp places the highest worth on the accessibility of data anywhere the user might be, and anywhere the data might be. The second focuses on the fact that the data itself, the content, is most important and must be protected to prevent unauthorized persons from using it. As you can see, these two concepts are not at all mutually exclusive, but more of a yin-yang tai chi. As you focus on wanting to share more and more information so that everyone can get what they need, you must also remain focused on the security of that publicity so that others will not take advantage of you.

Because the Internet is a vast collection of resources, it is clear that sharing your information with the other participants will help you succeed and be prosperous. It is not clear, however, at what risk you place yourself when you actually connect. It is our opinion that some companies see the Net as a huge untapped marketplace, full of consumers and advertising opportunities, but don't see that the Internet has its own version of an "underworld" as well. It is this, above all else, that compels us to protect our data, and where the emergence of the virtual private network presents itself as a stepping stone into the 21st century. The protection of private data is the core of the virtual private network, and the two most relevant technologies (encryption and firewalls) are what make it all possible.

In this chapter we will present an overview and background of the strategies that you must use to build a VPN. We will start with a discussion of intruders and how they will perform attacks upon your systems. Then we will delve into how firewalling techniques are used to protect an entire site at its gateway routers. And last, we will present you with a general background on encryption, how it is used in a traditional sense, and how it will be deployed using a VPN.

Aspects of Your Organization at Risk

What do you have to worry about when you attach remote users and networks to your organizational center? That's what we enumerate in this section.

Your Computing Resources

A very valuable resource that a hacker can pirate from you, even beyond that of simple data files, is the actual processing power of your Internet-connected computers. The security conscious are typically more aware and more worried about the theft of data files than the use of computing equipment by outside people for unknown reasons. Generally, it is less common for an intruder to use your computing equipment than to just steal files, but the former problem is much harder to track and much harder to eradicate. Intruders who are making use of your computers for their ends are likely to have entrenched themselves very deep, and have probably installed numerous backdoors into your equipment for re-entry. In the event that you are certain that an intruder is using some of your equipment, either by noting strange processes running at strange hours, or by witnessing first-hand connections from strange locations, you must take immediate action. Simply knocking the intruders off or terminating their process will not address the root of the problem. You will need to disconnect the system from the Net and freeze its files. You will then need to wipe the drive, re-install the operating system from scratch, and scrutinize all of your data and local application-ware before re-installing it on the unit. Last, you should regenerate new passwords for all users who had access to the system.

The virtual private network, which typically is erected through a gateway host/router of some type, can prevent many of these types of breakins, but you still need to keep a close watch over the equipment that you allow customers to access. Things like web servers, FTP servers, and mail servers are always prime targets for compromise. Keep these systems as secure as you can, using a firewall to prevent access to specific services, and as always, keep good backups. Since customer access equipment usually is filled with data that is of only slight consequence if it gets stolen or trashed, the best policy for recovery is just to keep a mirror around for quick restoration. Backup tapes could serve the same purpose, but they will leave several hours of lead time during which the system will be down.

Your Good Name

Probably something you rely on every day, something that has a great impact upon your business and customers, is your reputation. By having ongoing attacks against your equipment, you lose face in the eyes of your customers and vendors, make new customers hesitant or unwilling to approach you, and give your competitors something with which to denounce you publicly. Having repeated breakins, information leaks, and data loss gives others the idea that you are unstable and untrustworthy with their private data as well as your own, and may compel them to look elsewhere for products and services.

Your Services

Services that you will likely offer to the Internet include mail (such as the POP, SMTP, and IMAP protocols), Web or World Wide Web (HTTP and HTTPS protocols), and a host of other things including DNS, FTP, video or audio streaming, and network time. Our discussion of services plays directly into the next section, where we begin to explore one of the introductory yet powerful ways for protecting data (firewalls).

Although they are not tangible like actual data files that contain customer credit card numbers or the like, the services that you choose to offer your customers on the Internet play a huge role in defining the form the firewall takes, and what types of data you think will assist the customer. Before even embarking on the creation of the firewall, you need to develop an overall data strategy. What do customers have access to? What do normal employees have access to? What can advanced security folks see and do? Once you have spent some time in detailing the blueprint for your network, then you can begin to architect the doors and windows that will permit shoppers. In simple terms, you should identify the public services and the machines that will be providing them. Since this will be the most logical starting point for an assailant's attacks, this is the best place to limit their choices. The fewer the holes that you will need to punch in the firewall, the better. According to some security experts, it is best to separate each individual service on a separate machine, to minimize the threat of an attack taking down more than one service at a time. Hence, don't run out and grab a Sun, and pile everything on it, like sendmail, FTP, a web server, an Oracle database, an IRC chat server, and a video redirector. Separate services logically, and the firewall will take shape on its own based on your decisions.

Some popular services are sometimes very dangerous to run, and traditionally come with security dilemmas that we can never seem to shake. The protocol and service that is most bad-mouthed by security professionals is the sendmail server. The reasons for this are simple: the source code for the most popular implementation of sendmail (the Berkeley Version 8 software) is readily available, and it's almost guaranteed that at least one machine on everyone's network will be running it and will allow port 25 (SMTP) traffic to it; once in, it becomes a good place to apply a lever for would-be attackers. In other words, they always have a starting point somewhere. Since this is so common, our goal is to make it too difficult to locate, too time consuming to complete, and too difficult to make it worth their time and efforts. We hate to say it, but if you look like a terrible target, too difficult to come in and too little data, then they will go elsewhere and leave you alone. Most computer crimes are much like everyday "real" crimes. Shoplifting is a good comparison, because both are crimes of convenience and both could be avoided by erecting a minimal deterrent.

How Will the Intruders Attack and Why?

Attackers will attack you for many reasons. Attackers could have personal vendettas against your company, perhaps due to an unforgotten wrong that they actually experienced, or even one only perceived; they might also be information miners. Although rare, more and more corporate network companies are becoming targets of information gathering groups, who are employed by either direct competitors or companies that will auction off the data to the highest bidder. Attackers may also see a valuable set of resources they can use to perform computational services. For instance, mail systems on the Internet are usually set up to allow exchange services with other emailers for the purpose of storing and forwarding email in transit to networks that may be offline at the time. Attackers may use the inherent way that the email system works for sending practically anonymous solicitous emails to giant groups of people. It is estimated that over 75% of all attacks have a very specific focus in mind when generated. It is usually too much trouble to break into a system just to do it, although the culprits (likely young, bored teens) seem to have plenty of time to do just that. Those breakins are more damaging to the ego than to the pocketbook, but could be deadly to your reputation. The widespread use and distribution of automated programs that "test" the security of a machine or service makes it easy for attackers to target many sites at once, or to focus special effort at getting into a single unit. Remember that the tools that help you detect security flaws also help the attackers.

In this section, we will discuss a few general types of attackers and several attack classifications. Although we are not experts, the generalizations that we are drawing are mostly complete and can serve you in your creation of a detection and prevention plan.

Attacker types

Information miners (corporate espionage). Theft of information can take many forms, from network sniffers that snoop on connections, to password crackers that login as legitimate users, sifting and sorting through files for private data. Typically, the attacker will use password guessing programs or will engage in "social engineering" to conduct attacks upon your systems. Since they are most interested in files, detecting them usually takes place in FTP transfer logs or other transfer protocols. Some instances of data piracy delivered over the WWW have been noted in the past year. (Because popular servers can run up huge logs due to massive traffic, system administrators sometimes don't consult web server logs as often as they should, and thereby don't catch potential threats quick enough.)

Intruders and masqueraders. Intruders are people, who, for a variety of reasons, attempt to use your computers for their own ends. An intruder will generally pass himself off as a valid user of your system, preferably a user who has a very low usage rate. In that manner, the intruder can safely masquerade without the real user discovering the attack until it is too late. Intruders can run password guessing programs to crack a system, in order to process large data files, or to look for specific target information. Although similar in attack form to the information miner, intruders often are just passing through systems. An assailant often will try to cover his tracks by making several, disconnected "hops" between broken systems, thus making it harder and more time-consuming for a system administrator to track him. It is very common for intruders to set up a whole host of broken intermediary hop systems, only for the purpose of putting more distance between them and the target. The target system is usually where the intruder intends to do information mining (generally for a specific purpose). Sometimes an administrator will see an unauthorized access to a local system that merely provides a jump out point to another computer.

Unfortunately this makes the tracking and apprehension of the criminal responsible for the breakin difficult, if not impossible. Imagine if you found a user (joe), whom you know is on vacation in Geneva, logging in from a web server seemingly housed on another ISP's network. You see that joe is telnetting to a strange port on some machine at yet another ISP in Illinois. From this, you conclude that something illicit is underway and you would like to assist in the apprehension of the perpetrator. What do you do? This is where the trouble begins. Logically, you would begin by contacting the service provider where joe has been detected. You also notice that the login occurred at 2:30 a.m. PST. Darn! They seem to be closed and all you get is voice mail. You then send email to every system administrator you can find at the inbound ISP, hoping to catch someone, but of course, you realize this to be a fantasy. As you can probably extrapolate, the more hops the attacker has under his belt, the more complex it becomes to catch him. Last, you will almost never see outright attacks or hops through a system occurring in the middle of the day, unless the assailant is quite brave or desperate.

Cyberpunks and snoops (cyberpunk kids and those belonging to the "hacker" community). The previous two categories of attackers have a surgical approach to information gathering and information warfare. Both have well defined targets with which to keep busy, and attack routes they need to cover. The particular class of attacker that we'll discuss now is more juvenile in strategy, less careful, and sometimes less target driven. They are interested in breaking into your computer simply because it is there. It may seem like a waste, but there is a certain thrill these attackers feel when doing something they know is wrong, and getting away with it. Because of their innate machismo, these quick and dirty hackers are easier to spot and monitor, and easier to detain. They tend to take fewer precautions in covering trails and tend to brag loudly after accomplishing a sting. Although they generally do no harm when they gain access, they should be dealt with like any other attacker.

Compromise methodologies

Password guessing programs. This is hacker 101 territory. If you are not familiar with Crack, the most common of the tools available to the would-be break-in artist, read this through and establish a way to check your own passwords by using it. Although we will cover the DES encryption algorithm in detail later in this chapter, we will prep you with it for this short discussion on password cracking. Most computers use the DES algorithm to protect the passwords on the authentication system. Unix systems, which account for the bulk of the Internet based systems, are the largest install base of DES authentication units. Simply put, DES takes a user's clear text password, like the example password "MucH007", and converts it into a 13-character pile of seeming gibberish, such as 'HnX2a4gLaMv3k.' It is mathematically difficult to divine the original password from the encrypted one using brute force. So password-guessing programs don't try every possible string; they reduce the number of tries to a more feasible level by guessing what sorts of passwords people are likely to use. The Crypt password guessing program uses a dictionary of common words (in several languages), including a ton of proper nouns such as people's names and places, and tries them as the password. This is why you hear your system administrator trying to persuade you to use something uncommon or something unnatural as a password. Simple passwords are almost equivalent to having no password at all.

Social engineering. Don't consider all threats to come from the online front. One of the most traditional cracks is to simply call up a person and ask them questions. Or, send them a survey, ripe with personal queries, and a $20 bill, "for their trouble." You would be amazed at what people will tell you. This is how attackers might get potential material for assisting them in piecing together password attempts. As we discussed earlier, a brute force hack of a fairly significant password may take months (on a machine), yet by reducing the total combinations to just "real" words found in a dictionary, in turn reducing the time spent on cracking that user down to about 10 to 15 minutes, you can see where using personal information can drive even complex passwords down to a trivial amount of time. Semi-public data such as birthdays, license plates, girlfriends, phone numbers, and favorites (movies, music, stores, etc.), can provide valuable resources to a password cracker.

Denial of service attacks. These types of attacks are usually hate or vendetta driven, because they have only one aim, and that is to prevent you (or anyone else for that matter) from using your own equipment. A couple strategies of this nature are: flooding a network interface with traffic, making use of the whole network impossible, or sending specific "invalid" packets to a computer that causes it to crash several times an hour. A good analogy for this type of attack would be someone wasting your whole afternoon by repeatedly calling you and hanging up. Although there is little you can do in this instance, once an attack is isolated, a system administrator can use a firewall to block inbound requests that would normally cripple the machine or the network. Unfortunately there is only experimental work being done right now that would allow a router to dynamically block such attacks when it notices them (a "scanning" process or the like) and verifies that they are valid threats.

Stupid mistakes and accidents. A large percentage of security failures can be traced to simple oversights and accidental blunders on the part of the system administrators. Make no mistake, these are as deadly if not deadlier than the strategic attacks conducted by information miners or unhappy destruction seekers. Like all things, the closer the accident to the gateway router or the core Internet service network, the more impact it will have and the better the chance of a breach. In other words, it's better to misspell a person's username than to forget to put the packet filter back up on the perimeter router.

Computer break-in incidents are difficult to conduct, difficult to prosecute, and definitely difficult to detect in the first place. Detection can be more difficult. According to the Computer Emergency Response Team (CERT), a full 35% of all high-degree breakins go completely undetected by the system administrators responsible for the equipment compromised; even higher still, 85% of all incidents go unreported.

Sometimes it is only by accident that an administrator notices the tell-tale symptoms of an alleged breakin. Strange things found in the temporary directory, strange processes running, applications found that were not distributed with the Operating System, and users reporting that they are having trouble logging in or their passwords somehow are dramatically simpler. If attackers are careless or just joyriders who have "forgotten" to clean up after themselves, you can be assured that someone will notice clues, and the overall cleanup is much easier when the attacker seems to have not changed anything. If they are careful, the odds of detection decrease. The biggest gut-wrenching feeling occurs when only a minimal clue as to their penetration is left, and you need to sanitize—and quickly.

For a whole host of security related documents, including current advisories, check with CERT directly at http://www.cert.org.

A Quick Security Questionnaire

• Are you connected to the Internet now?
• Do you have staff allocated to network administration?
• Do you have staff allocated to Internet connectivity?
• Have you assessed what training, software, and documentation your network staff needs?
• How many hosts are connected to the Internet (directly or indirectly)?
• Classify each host as: definitely contains sensitive data, possibly contains some sensitive data, does not contain sensitive data at all.
• Do you have a robust backup plan deployed?
• How many people have some type of access to private data?
• Does your data fall into multiple categories, requiring tiered access?
• What services MUST you connect to the Internet?
• Do you have a disaster recovery plan?

In closing, always try to be quick to respond to any threat or apparent breakin as soon as you are notified or as soon as you discover possible foul-play. The faster you are at taking care of things, the less the impact overall. Even though you are sure to have a restricted budget and inadequate resources for your security efforts, try to follow through with all measures that you can take to pursue the attackers. If they think you are too busy or uncaring, they will come back, with better tricks and harsher consequences. Be attentive to what they were trying to do as well as what they did. If you can connect the dots, you may put yourself in front of them, and even possibly catch them. Don't just assume they will disappear or that they "really didn't do anything" anyway. Just to reiterate: Keep good backups, change user accounts and passwords regularly, and develop a registry for access and authentication levels that can be deployed organization-wide.

Firewall Deployment

Now, on to the discussion regarding the technologies of the two techniques that we cover in this book. The first is the firewall. Firewalls have been employed on large public networks for many years and are a great starting place in the development of a security strategy. A reason to start with a firewall is that they are generally easy to configure; it only requires the modification of one gateway router. Although not an all-embracing fix-it-all strategy, a firewall is placed at the point at which your network interconnects with a public network, like the Internet, and is used to protect data. Of course, if you have a large, multiply connected WAN, with many paths to the Internet, then it should be noted that you will need to create a firewall for each interconnect point. The complexity of this process increases dramatically from the single point gateway to the multiple point gateway.

What Is a Firewall?

The U.S. Department of Defense, probably the world's loudest authority on data sensitivity and security controls, used a system of confidences defined as security levels to restrict access to top secret documents. The criteria for determining how a governmental computer should be protected were detailed in the fabled "Orange Book." It stated that to secure highly sensitive data, one must never connect the computer to an exterior network. This is of course the best firewall strategy that exists, but it is too restrictive to be practical. We know the value of interconnection like the rest of you; we just want you to realize that the best firewall for extremely sensitive materials is to isolate them on a computer without a network connection to anything.

Chapter 2: Basic VPN Technologies

WARNING: Watch out for possible circumvention techniques. The best firewall in the world won't do you a bit of good if there is some backdoor or circumnavigational route which the attacker can take. Take care to protect the remote access systems (such as PPP, SLIP, and ARA servers) that allow users to dial directly into your private network. Remember that hackers will try to take these avenues into your site if you allow them. By avoiding the gateway firewalls, and all of your cleverly erected traps and pitfalls, a system cracker has only to dial in with a compromised account to gain access to services against which your exterior gateway firewall can't protect.

For computer equipment that is connected to your network, we will describe in general what a firewall is and what it does. To borrow from a word, an Internet firewall serves the same purpose that firewalls in buildings and cars serve: to protect a certain area from the spread of a fire and exposure. The origin of the fire, which is a potentially catastrophic explosion, is controlled by putting up retaining walls, which in turn help to contain the damage and minimize the overall loss from one part of a building. An Internet firewall is no different.

Firewalls usually serve two main functions for a network administrator. The first is that they control which machines an outsider can see, and the services to those machines with which he can converse. The second controls what machines on the Internet an internal user can see, as well as what services he can use. A firewall is much like a traffic cop, organizing which paths network traffic can take, and stopping some altogether.

Internet firewalls usually do this by inspecting every packet that traverses the gateway router, which is why it is usually referred to as a "packet filtration" system.

For this chapter, we will use our large branch network as an example. We will further assume that we have a Cisco 2501 router and 40 workstations. Of the 40 computers, three are servers: one FTP server, one mail server, and one web server. We have a full class C address (207.48.29.0/24) allocated to us from the NIC (Network Information Center); we will be presenting examples throughout this section on how to set up different firewall topologies using our 40 machines and the network provided earlier. Figure 2-1 illustrates what the firewall will be doing in a raw sense for both our large branch as well as our main corporate network (at the top).

[Figure 2-1. A typical firewall. Two networks, each behind a Cisco 2501 packet filtering router: 204.96.12.0 (router 204.96.12.1; web server .2, FTP server .3, mail server .4, workstations .20 and .21) and 207.48.29.0 (web server .2, FTP server .3, mail server .4, workstations .20 and .21). Callout: These gateway routers block packets from or to their internal networks based on some preprogrammed rules.]

What Types of Firewalls Are There?

Since almost all firewalling techniques are designed around a similar model, a choke-point control, there are only a few variations at the top level that need to be explored. You are probably already familiar with the packet filtration firewall; most people are these days, given the recent attention paid to it by the news media. In this section we will discuss the operation and configuration of four basic architectures of firewall design. There are many variations of the four that you may have seen implemented, and certainly we are omitting several of the most complex and advanced basic architectures. But, we hope to give you a good familiarity with what a firewall is, how it works, how to set one up, and most relevant to this book, how they fit into the world of the virtual private network.

Packet restriction or packet filtering routers

Routers and computers that conduct packet filtration choose to send traffic to a network based on a predefined table of rules. The router in no way makes "decisions" based on what is in the packet, or why the packet is being sent to a particular interface. It only considers whether the packet matches a set of parameters, and if it should take appropriate action to either allow or deny the transit. The allow and deny tables are set up by the network administrator and will conform to the overall network security policies put in place by the security coordinator.

A peek into the operation of how a packet filter works shows us that the router never even looks at any of the packet's payload, but only at the TCP/IP header information to make all its screening decisions. Thus, as shown in Figure 2-2, if a router were asked to allow all traffic from network 202.34.21.0/24, it would check packets for a matching source address, and pass them across. Should a packet be received from another network, the filter would disallow the transit, and the packet would be thrown away. So, in essence, this is how the entire operation of this firewall affords security to the site.

[Figure 2-2. A packet filtration router. An outside host 202.34.21.44 reaches, through the Internet (38.46.182.1), a Cisco 2501 packet filtering router at 207.48.29.1 in front of the web server 207.48.29.2, FTP server 207.48.29.3, mail server 207.48.29.4 and workstations 207.48.29.20 and 207.48.29.21. Callout: This gateway allows only certain traffic to enter the network based on source and destination addresses along with port number.]

As you can guess, a packet filter suffers from several inadequacies. First off, there's no way to do user authentication; either a peer pair is allowed, or it's not.

For example, machine 202.34.21.44 can pass mail traffic (ports 25 and 110) to the mail server on our large network (207.48.29.4) or it can't. There's no provision for who is trying to send the mail. Wouldn't it be possible for one of our employees to be visiting the ZZZ Cyber Coffee Shop (owners of network 202.34.21.44) and need to send or check mail? Further, be glad for performance reasons that the router doesn't actually open all the packets it gets. Routers these days are asked to perform miracles, especially with the race for more and more bandwidth. The router's job is to decide where to send the traffic, not really to catch and throw away packets that are security risks. What we're suggesting, of course, is that there will be a marked change in what gateway networks will look like in the future. We believe that there will be a decoupling of routing equipment and security equipment (or even packet filtration for that matter) in the very near term. Actually, this may already be the case.

A last impediment is that frequent changes to the network may require wholesale reconfiguration of the gateway router and the packet filtration firewall that lives on it. This can be time consuming and disaster prone if either an uncaught mistake leaves most of the network wide open, or a subtle change leaves the router crippled and unable to perform its first duty as a network traffic director.
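As an added illustration, not code from the book, here is the rule-table lookup the text describes written in Python over the chapter's own example addresses; only header fields are consulted, and the rule layout and the shadowed-rule audit (which flags the "uncaught mistake" of a rule that can never be reached) are this example's assumptions about how such a table is built and checked.

```python
# Added example (not from the book): a first-match packet filter of the
# kind the text describes. Only header fields are examined; the rule
# layout and the shadowed-rule audit are this example's own assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source network (default: any)
    dst: str = "0.0.0.0/0"         # destination network (default: any)
    proto: Optional[str] = None    # None matches any protocol
    dports: tuple = ()             # empty tuple matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


# The chapter's example addresses: the ZZZ Cyber Coffee Shop network
# 202.34.21.0/24 may deliver SMTP and POP (ports 25 and 110) to the
# large branch's mail server 207.48.29.4; everything else is dropped.
RULES = [
    Rule("allow", src="202.34.21.0/24", dst="207.48.29.4/32",
         proto="tcp", dports=(25, 110)),
    Rule("deny"),   # generic "deny everything" after the specific allows
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Decide by the first rule whose header criteria match. Nothing in the
    payload and nothing about the user is consulted: a peer pair is
    either allowed or it is not."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # no rule matched: drop by default


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` could match is already matched by
    `outer`, so `inner` can never be reached if it comes later."""
    return (ip_network(outer.src).supernet_of(ip_network(inner.src))
            and ip_network(outer.dst).supernet_of(ip_network(inner.dst))
            and (outer.proto is None or outer.proto == inner.proto)
            and (not outer.dports
                 or (bool(inner.dports)
                     and set(inner.dports) <= set(outer.dports))))


def find_unreachable_rules(rules) -> list:
    """Indexes of rules shadowed by an earlier one. A shadowed deny is the
    uncaught mistake that leaves most of the network wide open."""
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


if __name__ == "__main__":
    print(filter_packet(Packet("202.34.21.44", "207.48.29.4", "tcp", 25)))
    print(filter_packet(Packet("202.34.21.44", "207.48.29.4", "tcp", 21)))
    print(find_unreachable_rules([Rule("allow"), Rule("deny")]))
```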

Bastion host

A bastion host or screening host, as it is sometimes referred to, is a machine that is connected to the Internet in the same method as other machines. Yet, the security is provided by a packet filtering mechanism, provided by the gateway router, plus a secured host. The primary gateway allows traffic to pass to the secured host in a less restricted fashion. The bastion host is a security checked machine that uses both a packet filtering router and the secured host; it is used to stage information flow in either direction.

Bastion hosts are typically used in combination with filtering routers because simple packet filtration systems can't filter on the protocol or the application layer. (See Figure 2-3 for a sample configuration.) A bastion host is much easier than distributed servers to configure and tons easier to maintain, because the bulk of the traffic is being sent to one system. Since the bastion host is situated on the internal wire, it needs no special exemptions from other locally connected equipment. The site's security policy will dictate what needs to be configured on the packet filtering router, which will be as restrictive as necessary.

The majority of the bastion hosts deployed are running on the Windows NT operating system. However, you could set one up using a Unix variant that has been extensively tested for all potential security leaks. It's not uncommon at all for an administrator to use a combination of strategies, using both the packet filtering router as well as a bastion host.

[Figure 2-3. A bastion host firewall. An outside host 202.34.21.44 reaches a packet filtering router in front of the web server 207.48.29.2, FTP server 207.48.29.3, mail server 207.48.29.4, workstation 207.48.29.20 and a host at 207.48.29.254. Callout: A combination of packet filtering router and secured host act as a gateway to exterior network clients.]

One of the great things about the configuration of a bastion host for security measures is that configuration of the packet filter becomes a generic "deny everything," preceded by some very specific allow statements that pertain only to the bastion host. For large and quickly changing networks, you can see that this reduces the load of the security personnel to an acceptable amount. Adding new machines or having users install poorly secured equipment does not affect the firewall or the protection afforded by the bastion host.

Of course, having a centralized point of control does have its disadvantages. For one, a large, busy network would need several machines that act as bastion hosts (making the administration of them more time consuming), or even better, a perimeter network of bastion hosts might be required (see the next section). Each machine needs its own section in the packet filtration firewall, piling on complexity, and with each machine comes the headache of having to test and double test it for purity. Along with the need for multiple hosts to prevent network congestion, the centralization of information at the bastion will tend to draw attack attention there, making it ever more important to lock it down with big bolts, and monitor it around the clock. It should go without saying that a major drawback to this type of firewall configuration is that it can lead to a tragic security hazard should an assailant get system operator privileges on the bastion host. Thus, a single point of control equals a single point of failure.

DMZ or perimeter zone network

A popular ploy to separate large corporate internal networks from the hostile environment of the Net is to erect a "routing network" on which all inbound and outbound traffic must transit. Huge installations normally have such networks already set up so that they can effectively separate the local traffic from the metropolitan traffic from the wide-area or worldwide traffic. As you might have guessed, a routing network consists of only routers, including those both internally and externally connected, and usually goes by the term "backbone." A sample configuration is shown in Figure 2-4.

You might be wondering why the term DMZ is sometimes used interchangeably for a perimeter zone network. DMZ stands for "demilitarized zone" and serves the same purpose as it does in areas of geographical conflict; it's a buffer zone between two hostile parties that must co-exist in close proximity. In creating a perimeter zone network, the added security you get is multifold. First, there are at least two routers involved with protecting your internal network. One router sits at the gateway to the Internet, and one sits as the gateway to your internal network. The network that the two routers share should not have any other host equipment on it other than routing equipment and trusted host equipment (used as a bastion host, detailed earlier).

The second security feature that comes inherent in the DMZ architecture covers a security breach at the outside perimeter router level or at any host on the perimeter network; the intruders can only sniff on packets transiting through, and nothing else. To gain access to the internal network, they would then have to crack the internal perimeter router, which should dishearten them enough to disappear. In a standard perimeter zone construction, the most complex and careful controls are placed on the choke-point router, which is the one that separates the internal network from both the perimeter network and the external network. It is a very common practice to erect the DMZ network in this fashion, because this configuration can be likened to tiers of concentric circles: each one further out provides less security.

[Figure 2-4. A perimeter zone firewall example. An outside host 202.34.21.44 reaches, through the Internet, an exterior packet filtering router (Cisco 4500, 202.18.1.1); the perimeter network carries a bastion host (202.18.1.4) and an interior packet filtering router (Cisco 4500, 202.18.1.2) in front of the web server 207.48.29.2, FTP server 207.48.29.3, mail server 207.48.29.4 and workstation 207.48.29.20. Callout: A DMZ or Perimeter Network provides security at both the routers as well as at a Bastion Host.]

The tightest security that you can make with a DMZ would be to disallow all traffic outbound from the internal network from the exterior router, and to disallow all inbound traffic to the internal network from the Internet. In essence, this makes all traffic a two-step process. Clients on the Internet can only peer with machines on your perimeter network, and clients that are located deep inside the internal network can't see the Internet directly; they too need to use a middle-man through a bastion host on the DMZ. You can see why this can really ruin an attacker's day. As we stated earlier, most acts of compromise are done by convenience only. The harder you make it for the snoop to snoop, the harder you make it for them to even assess the steps required in their warfare, and the lousier you make their ultimate goal, the faster they are going to evaporate.

Proxy servers

Proxies act much like bastion hosts, and in some firewall texts, the two overlap almost completely. We are using the term "bastion host" to refer to a computer that acts as a staging area for information that is in transit either to or from the Internet. A good illustration of this is email. A bastion host is traditionally set up to act as the "delivery point" for email. Hence a DNS mail exchanger record (MX) may point traffic to the bastion for delivery. From there, the bastion could hold on to the mail awaiting the client to read it (which it can see due to its position with the firewall) or redeliver the mail to an interior mail host with a POP mail client. A whole selection of different firewalls can be constructed in this manner. Our purpose here is to differentiate the bastion host that we just detailed from that of a proxy service, which is more of an "in-transit" check-point than an information staging area.

The service that presents the most impacting trouble to a security manager's life is the standard file transfer protocol (FTP). It's insecure because it uses random, large-numbered ports to establish a peer to peer session with the client. Having a service that operates on more than one port, much less one that operates on most any port greater than 1023, provides a real nightmare to the security administrator. To address this, a "passive" FTP session can be established (using the control and data ports [20 and 21] for actual data transit rather than one greater than 1023), but not all clients support it as well as they might.

Using a proxy, as shown in Figure 2-5, is another option for establishing FTPs across a firewall. By setting up a host machine on a perimeter network that acts for the client, which is located on the internal network, a full transit can be made with little security to give up. The FTP proxy lives on the perimeter network and is granted access through the exterior firewall to conduct FTP sessions. Special software must be installed on the proxy so that it can accept incoming requests from an FTP client beyond the interior gateway, and masquerade as the client in talking to the outside world.

The same security model using proxy servers can be tooled using a dynamic firewall filtration router such as the Cisco PIX or the Firewall-1 system. A more complete description of the PIX's abilities can be found in Chapter 9, The Cisco PIX Firewall.

[Figure 2-5. A proxy server used as a firewall. An outside FTP server at 198.164.128.7 talks to an FTP proxy at 202.18.1.4 on the perimeter network; behind the interior packet filtering router (Cisco 4500, 202.18.1.2) sit the web server 207.48.29.2, FTP server 207.48.29.3, mail server 207.48.29.4 and the FTP client 207.48.29.20. Callout: A proxy server can protect your internal network and still allow security sensitive sessions to happen.]

The reason why proxy services are becoming more and more popular is that they are more or less transparent. The client need never know that there is a proxy involved, and the server is equally uncaring; that is, as long as everything works. Because a proxy service is more like a host computer than any sort of firewall, special care must be given to ensure that the proxy server is well protected by the site's security policy. Plus, it is important to note that a proxy service is an additional measure of protection and certainly should not be considered a total solution. Without the shield of a packet filtration firewall keeping things segregated, nothing prevents Internet hosts and machines on your private network from exchanging traffic.

Use of Firewalling in a VPN

The importance of firewalling to a virtual private network is straightforward and to the point. Since a VPN is an interconnection of two or more disconnected networks utilizing public resources (such as the Internet) for transit, it follows that these networks individually must be protected in and of themselves. Imagine each network that needs to be placed in a VPN as a separate bubble, with its own connections and users. Viewed in this way, each separate bubble needs a protective wall around it to make it safe from invasion. The concept of using firewalls with a VPN is to secure the networks as if they were isolated; then the system administrator opens specific ports in the packet filtering router to allow the encrypted data to stream from one bubble to the next. Thus, a private and secure communication channel (based on the type and implementation of the cryptographic routines used) is set up between two sites. The VPN software provides the security and the application layer routing, so that when it is presented to users the networks in question will "appear" to be as one at either end.

Firewall techniques are the first line of protection in the fabric of a VPN that must be developed and tested into the equation before the benefits of the VPN can be fully harvested. Even if the VPN software or hardware that you might deploy has built-in firewalling that seems to be everything you would ever need, chances are that you will need to follow some security guidelines on your network anyway, just to stay on the safe side.

Encryption and Authentication

The configuration and deployment of a virtual private network obviously involves more than just a packet filtration router. Otherwise, all you would have is a smoked glass window hiding your riches from the rest of the world. The real concept of this book, and that of the VPN, is the secure communication between two distinct networks over a public medium, done in such a way that they seem to be the same from either end. However, our discussion of firewalling techniques only covers half of the equation. Firewalls either allow or deny traffic based on the source and destination, but once the traffic makes it into your network, the disciplines of authentication and encryption add further protection by scrambling the conversation.

Encryption can be regarded as a method for altering data into a form that is unusable by anyone other than the intended recipient, who has the means necessary to decrypt it. The input to an encryption algorithm is typically called clear text while the output is referred to as cipher text or crypt text. We know this is a mouthful to digest. The important point is that the encryption process protects the data by preventing an attack upon it, by making the assailant work too hard or too long to get at what's being hidden. As we will discover, cryptographic routines use mathematics to alter the data in such a way that the process is difficult and expensive to reverse. As with all things, there are sometimes several ways to skin a banana.

Another important topic that we will discuss in this section is the art and science of authentication, a topic that is closely linked with cryptography. Where encryption and cryptography deal with the conversion of data into an obfuscated form for transmission to a trusted party in a hostile environment, authentication is the checking and confirmation of that entity, which guarantees their claim to identity with a great degree of certainty. The notion of authentication is very important to the concepts employed by a VPN. Without knowing with certainty the identity of a participant, how could you entrust a data communication channel to them? It would be like inviting them over and giving them the keys to your office, creating access to the filing cabinet and to a photocopier.

Brief History of Cryptography

A major tenet of the art and science of cryptography is that the transformation process must be a fairly quick one for the owner of the data (the encryptor) to conduct (otherwise it would be too slow to be useful), yet computationally difficult (if intercepted) for a hostile third party to reverse. Hence, most algorithms that morph data for security purposes do so in a way that is programmatically complex. In this section, we will explore the world of ciphers from about five thousand feet up. We will cover some of the nastier mathematics that make encryption work, but we aim to do so in a fashion that won't leave you wanting a degree in higher math.

The algorithms discussed here fall into three basic categories. The first category of algorithms contains routines that alter the inputted clear text in such a way that it is practically impossible to go from the outputted cipher text back to the inputs even if you know the formula that altered it. These transformation programs are typically referred to as hash algorithms. Hashes don't normally have keys associated with them, as do the next two types of encryption programs. The second and third types of encryption programs are the private key and public key cryptosystems. There are many common names used in manuals and texts for these encryption programs, including asymmetric and symmetric algorithms, or one-key and two-key systems; all these terms refer to the same processes. The hash algorithms discussed briefly in the previous paragraph are sometimes referred to as no-key or zero-key encryption operations because, as the name would suggest, hash algorithms do not use a key.

This brings us to the topic of randomness and why pure random numbers are extremely important to the application of these cryptographic concepts. The transmission of encrypted data over a network typically requires a key exchange. This means that for each separate transaction between a client and a server, a new set of keys would be produced. Although this may seem unnecessary, it would be disastrous if the same fixed keys were always used and a third party were to gain access to them, without the knowledge of either party. In essence, the key snoop would be able to decrypt all conversations until the flat key files were changed, which wouldn't happen unless the parties were on to the attack. To produce a "cryptographically strong key" on the fly, a computer must have access to a good pool of random numbers. As demonstrated on several occasions, using something seemingly random like a time or Julian second count turns out to be a horrid solution. If the attacker knows that the key generator uses a time of day for the key, it is highly likely that a simple brute force approach can be used to crack the encrypted packages in only a few hours' work.

Now let's discuss network security and the use of encryption with networking protocols to secure a data transit stream. We know that firewalls aren't 100% airtight solutions: attackers can still use social engineering like password guessing to gain access, circumvent your routers altogether by dialing in directly, or just bullheadedly probe all avenues for entry in an exhaustive fashion. So it's wise to add an additional layer of protection: encrypt the data transfer so that even if a snoop were tapping the line, all they would see is "garbage."

Advocates of a pure information society argue that no encryption can ever be secure. Their reasoning is that computer processing technologies expand at a geometric progression. The often cited "Moore's Law" says that every year computing power doubles in ability and halves in price. It doesn't take a math teacher to see that this really translates into a four-fold increase per new advance. (Remember the old trick of asking a kid whether he would rather have $100 or a penny doubled every day for a month?)

The one serious flaw (or design element) in using cryptography to seal up data is that it is only a temporary fix. The real comparison should be to use a suitable key length or encryption algorithm that outpaces the ever increasing advance in technological capabilities. Also, the lifetime of that data itself should be compared in a similar fashion. Using small keys and weak (but fast) encryption techniques is fine for data that will be worthless in 24 hours, especially since it will take a would-be cipher hack more time than that to crack it.

Cryptographic Beginnings

Caesar's cipher

A good starting point for illustration is the code system generally attributed to Julius Caesar. Caesar swapped each letter in the alphabet for another letter several letters away. Hence, all 26 letters of the standard western alphabet would have a complementary cipher letter which would be used for coded transmission. For example, the letter "I" could represent "A," the letter "J" could stand for "B," and the letter "K" for "C." The entire alphabet would have such a transposition wrapping around from "Z" back to "A" again where necessary. As you can see, each letter is replaced by another 8 letters later. Hence, by knowing any letter transposition, you know them all.

Several modifications make the code more complex, but no harder to break. By randomly assigning letters to stand for other letters, and not repeating them, one would need the entire translation table to decrypt a message, rather than just knowing the replacement distance (as in our previous example). There is a very common way to decrypt this type of ciphered message. You merely capture as much of the transmission as possible and plot the occurrences of each letter by frequency. If you are able to determine what language the resulting clear text is in, then it becomes a matter of merely producing a similar frequency chart against which to compare it. For those of you who are fond of the Wheel of Fortune game show, you probably already know that in English, the most common letters are "E," "T," "S," "R," and "N." Using a computer, it is easy to take about 100 pages of English text and create a letter ranking chart. From there, all one needs to do is line up the cipher's chart next to it.
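The shift cipher and the frequency-chart recovery just described, as an added Python example that is not part of the book: the English letter table is a constructed stand-in for the "100 pages of English text" chart, and the sample message is assembled from this chapter's own prose. Besides lining up the top letter of each chart (which short messages can fool), it compares whole charts for all 26 possible shifts.

```python
# Added example (not from the book): Caesar's shift cipher and the
# letter-frequency recovery described above. ENGLISH_FREQ is a constructed
# stand-in for the "100 pages of English text" ranking chart.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate share (percent) of each letter in ordinary English text.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}


def caesar(text, shift):
    """Replace each letter by the one `shift` places later, wrapping Z
    back to A (shift 8 turns A into I, as in the book's example). Case is
    kept and non-letters pass through untouched; a negative shift decrypts."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_ranking(text):
    """The letters of `text`, most frequent first: the cipher's chart."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    return "".join(letter for letter, _ in counts.most_common())


def guess_shift_from_top_letter(ciphertext):
    """Line the cipher's chart up with the English one at a single point:
    whatever letter occurs most is assumed to stand for E. Quick, but
    easily fooled by short or unusual messages."""
    top = letter_ranking(ciphertext)[0]
    return (ord(top) - ord("E")) % 26


def english_distance(text):
    """Chi-squared distance between the letter counts of `text` and the
    counts English would predict for a text of that length (lower is
    more English-like)."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * total
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext):
    """Compare the whole chart, not just its top entry: try every one of
    the 26 possible shifts and keep the decryption closest to English."""
    return min(range(26),
               key=lambda s: english_distance(caesar(ciphertext, -s)))


# Constructed sample message: three sentences of this chapter's own prose.
SAMPLE = ("Firewalls usually serve two main functions for a network "
          "administrator. The first is that they control which machines an "
          "outsider can see, and the services to those machines with which "
          "he can converse. The second controls what machines on the "
          "Internet an internal user can see, as well as what services he "
          "can use.")

if __name__ == "__main__":
    secret = caesar(SAMPLE, 8)
    print(secret)
    print("cipher chart:", letter_ranking(secret)[:5])
    print("top-letter guess:", guess_shift_from_top_letter(secret))
    print("best of 26 shifts:", recover_shift(secret))
    print(caesar(secret, -recover_shift(secret)))
```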

Encryption and Authentication 33

The modulo and the importance of nonreversible math

As we briefly covered in the introduction of this chapter, one protection factor that strengthens the algorithm is not being able to reverse the process. Using variations on the mathematical modulo operation is essential for this. The mod operation on two numbers produces the remainder if the first number is divided by the second. For example, 17 mod 3 would be 2. This would be because 17 divided by 3 is 5, with a remainder of 2. It is possible to have a mod value of zero; this would be the case if the problem were restated as 15 mod 5.

An interesting thing to note about using the mod operation is that ridiculously large numbers can be reduced dramatically by simply moding them by a smaller number. Simply put, there is a frightening regularity to a series of results produced by successive mods. A possibly non-obvious truth to mod math is that the result can never be larger than the second operand in the mod equation less one. Thus, in our first example (17 mod 3), without even knowing the answer, we can guarantee that the answer will NEVER be larger than 2. If you derived a number larger than 3, say 5, for an answer, then it too would have been divisible by 3, while still leaving 2 for the answer. In this manner, you can see that even 923897958729349872356 mod 3 still leaves only the choices of 0, 1, or 2 for possible answers.

Another thing about using the modulo operation is that given one of the operands and the answer, it is impossible to know what the other operand was. For example, if we told you that some number mod 3 produced the answer of 2, could you guess what number we were referring to? Remember that 5 mod 3 = 2, and 8 mod 3 = 2, and 11 mod 3 = 2. You can see the pattern developing easily from here. This (even if simply put) is one reason why it is impossible to reverse a mod equation with exact certainty, and why a decent amount of protection is provided to cipher equations.
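The three properties just described (a huge number collapses under successive mods, the remainder is always bounded by the second operand less one, and an answer alone does not identify the operand), worked in Python. This is an added example, not code from the book; the numbers fed to it are the book's own 17 mod 3, 15 mod 5 and the 21-digit value above, plus constructed ranges.

```python
# Added example (not from the book): the modulo properties the text describes.


def reduce_digits_mod(number_text: str, m: int) -> int:
    """Reduce a decimal number of any length modulo m, one digit at a time.

    The running value is reduced after every digit, so it never exceeds m - 1
    however long the input is. This is the "successive mods" regularity the
    text mentions, and it is how big-number code keeps its intermediates small.
    """
    acc = 0
    for ch in number_text:
        acc = (acc * 10 + int(ch)) % m
    return acc


def result_is_bounded(m: int, samples) -> bool:
    """The remainder can never exceed m - 1, and it can be 0 (as 15 mod 5 shows)."""
    return all(0 <= x % m <= m - 1 for x in samples)


def preimages(remainder: int, m: int, upper: int) -> list:
    """Every x below `upper` with x mod m == remainder.

    The answer alone does not identify the operand: 2 mod 3, 5 mod 3, 8 mod 3
    and so on all give 2, which is what makes the operation hard to reverse.
    """
    return [x for x in range(upper) if x % m == remainder]
```

`reduce_digits_mod` never builds the full integer, so it works the same on a 21-digit value and on a 21,000-digit one; `preimages` grows without bound as `upper` grows, which is the point of the "some number mod 3 produced 2" question.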

Brute force attacks

A standard attack plan for a cipher cracker is to use what we call the "brute force" attack upon the algorithm. This is assuming that the cracker has both intercepted a crypted message, and knows the algorithm used to produce it, but doesn't know the key. Depending on the amount of time that they are willing to invest in using a crowbar and cycling through all possible keys, if they started with a key of all zero bits set, they should eventually find the key just by trying to decrypt the data with each successive key (adding the next larger bit), and looking at the output. Some assumptions in cracking things this way are that they must be able to identify the output as being successful when it actually is. If the clear text were English text, then it shouldn't be too hard, but what if the input data was another crypted message? This would ensure that the brute force outputs would look like garbage, even in the event of a successful crack. Another assumption is that there is time enough to spend cycling through all possible keys. If the encryption algorithm is slow, it may take a second or so to calculate the cipher; if there are several billion combinations for the key, the amount of time needed to crack the code would be between 50 to 100 years. We are not that patient, and figure that no one else is either.
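The two assumptions the text names (the attacker must be able to recognize the right output, and must have time for every key) as an added Python example that is not from the book. The "cipher" is constructed for the demonstration: each byte is XORed with a one-byte key, so there are exactly 256 keys, the too-short-key case the book returns to under "Secret key systems". The messages and timing figures are made up; the search starts at the all-zero key and walks upward as the text describes.

```python
# Added example, not from the book: brute force over a deliberately tiny key space.

ALPHA_SPACE = set(b"abcdefghijklmnopqrstuvwxyz ")


def toy_encrypt(data: bytes, key: int) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_english(candidate: bytes) -> bool:
    """The recognizer the text says an attacker needs: here, every byte must be
    a lowercase letter or a space. Real recognizers use letter-frequency
    statistics; either way a recognizer is useless when the clear text was
    itself cipher text or other binary data, because every key then yields
    something that looks like garbage."""
    return len(candidate) > 0 and all(b in ALPHA_SPACE for b in candidate)


def brute_force(ciphertext: bytes):
    """Start at the all-zero key and try each successive key. Return
    (key, clear_text) for the first candidate the recognizer accepts, or
    None if no key produced recognizable output."""
    for key in range(256):
        candidate = toy_encrypt(ciphertext, key)
        if looks_like_english(candidate):
            return key, candidate
    return None


def worst_case_seconds(key_bits: int, seconds_per_trial: float) -> float:
    """Time to exhaust a key space of 2**key_bits keys at a fixed cost per trial."""
    return (2 ** key_bits) * seconds_per_trial


def worst_case_years(key_bits: int, seconds_per_trial: float) -> float:
    return worst_case_seconds(key_bits, seconds_per_trial) / (365.25 * 24 * 3600)
```

With English clear text the search finishes in at most 256 trials; with binary clear text it finishes just as fast but reports nothing, which is the second scenario in the text. The timing helpers make the book's arithmetic explicit: a 32-bit key at one second per trial is already over a century, and the 56-bit DES key space discussed later is billions of years at that rate.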

Protection Extends to Network Operations

Many network oriented operations require cryptographic concepts for security. The thought of protecting a network conversation is almost as fundamental as having one. The protection part comes from the need to protect data that will be sent over an unknown public network. This is commonly referred to as the "transmission over an insecure channel" problem, and is almost always solved by one of two methods.

34 Chapter 2: Basic VPN Technologies

The easiest solution is, of course, to make the channel secure by privatizing the medium. By making sure that no third party has access to the physical line, no snooping can ever take place, so the connection can be deemed secure. As always, this is not always the best approach, for several reasons. It is expensive to secure an entire media delivery system, which may be unfeasible in large scale as well as impractical to alter in a timely fashion. Not to mention that sometimes it is impossible to secure a delivery system to the point where it is solid at all. This is exactly the reason why the use of the virtual private network will be deployed as it develops in the coming years. Since the solution is not to privatize an existing delivery system, it must be to secure the data itself in a way that lets it take its form on the insecure channel. In other words, make it accessible for everyone, but transform it (using cryptography) so that only an affiliate can undo it.

Cryptosystems

Hash algorithms

Hash algorithms, which are usually known as message digests or one-way hashes, take an arbitrarily large string and mathematically convert it into a fixed-length, one-way number. Hashes are typically used to check the validity of a particular message or password. A good scenario is one where a system needs to be able to check the authentication of a particular user, but does not want to store an unencrypted password on the disk. Doing so would compromise security for every user on the whole system all at once. If an attacker were to get at the file containing all the users and passwords in clear, it would be a boon. By hashing the passwords and then storing the hash, the attacker who gains access to the password file still has nothing with which to help him. He can, at this point, engage in brute force attacks against all the users at once, which provides adequate reason for the system administrator to keep the hashed password file as safe as possible.
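The password scenario above, as an added Python example that is not from the book: the record written to disk holds a hash, never the password, and authentication re-hashes what the user offers. The fixed-length property is checked with SHA-256 (the book's SHA is its ancestor). Two things here go beyond the book's text and are assumptions of this example, not its description: each record gets a random salt, and the hash is iterated (PBKDF2). Both exist precisely to blunt the "brute force attacks against all the users at once" the paragraph warns about, since every user must then be attacked separately and slowly. Account names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the book: hashed password storage and verification.

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def digest_length_is_fixed(inputs) -> bool:
    """One-way hash: any input size, always the same output size (32 bytes here)."""
    return all(len(hashlib.sha256(x).digest()) == 32 for x in inputs)


def make_record(password: str, salt: bytes = None) -> dict:
    """What gets written to the password file: a salt and a hash, not the password."""
    salt = salt if salt is not None else os.urandom(16)
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": h}


def verify(password: str, record: dict) -> bool:
    """Authenticate by re-hashing the offered password with the stored salt.
    compare_digest runs in constant time so a timing leak does not help guess."""
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(h, record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Because each user gets a fresh salt, two users with the same password do
    not share a hash: one cracked hash says nothing about the other, and no
    single precomputed table covers the whole file."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"]
```

Even with salting and iteration, the paragraph's closing advice stands: the hashed file is still the attacker's starting point for guessing, so it must be kept as inaccessible as the clear-text file would have been.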

The process of hashing must be fast, reliable, and produce a result that is fundamentally difficult to reverse. Since there is a loss of data in the production of the hash (e.g., the transform of a potentially large value into a fixed small-length), this leaves only a brute force approach to try to reverse it. It may not be obvious, but it is possible for there to be many input values that hash to the same value. An important note is that it is computationally unfeasible to find two such values easily. An example of a simple hash would be to take an input password, multiply it by π (3.1415), divide by e (2.71828), mod the result by 7654321, and take the middle 8 bytes. Certainly it would be nasty to reverse this process without knowing anything about it.

The NIST's (National Institute of Standards and Technology) proposed message digest function (hash) is called SHA, which stands for "Secure Hash Algorithm." Ron Rivest (yes, he's the "R" in RSA) created the set of "MD2" through "MD5" hash algorithms, which stand for "Message Digest," oddly enough.

Secret key systems

The secret key cryptosystem takes as input a message of a variable length and a secret key by which the message is transformed into the cipher text. In fact, the secret key cryptosystem is very similar, from a distance, to the hash algorithms. An important distinction is that a separate, user controlled variable is supplied to help crypt the data. Further, where the hash algorithm creates a fixed length result from a variable length input, the secret key system operates on successive fixed blocks of input using the fixed length key to produce a variable length result. The point here is that hash systems are for one way checks, and secret key systems preserve the entire clear text so that it can be reversed to produce the original text when needed.

Because the secret key used in the equation is of a fixed length, using a key that is too short reduces the overall security of the system. Imagine using a key that is one byte long (8 bits); it shouldn't take a would-be cracker too long to run through the 256 possible keys that could be used to decrypt the data. Since the operation of crypting the message uses fixed blocks of input, using a message block size of one byte would also be insecure because the cracker would only have to create a table of clear text to cipher text pairs, once it had been proven that they could send their own data through the encryption algorithm.

As with hashing systems, the secret key system was designed to take a variable length clear text input and produce a random looking same size output. Further, changing the input by only one bit should change the output so that there is no way to trace a transform from bit to bit. Basically, the thought is that a ciphered message should look random, and conform to the theory that at any given time, about half of the bits in the resulting sequence are on and the other half are off. Secret key cryptography uses algorithms that effectively disperse the bits completely across the resulting output, and then mix them up by looping multiple times so that it becomes impossible to trace a given bit through the process and have any idea of what happened to it along the way. Typically, during the encryption process, there are several operations that can be found in use, including the substitution of input bits for other input bits, and the swapping of bit positions with other bit positions.

DES, which stands for the "Data Encryption Standard," was developed in 1977 by the National Bureau of Standards for low-grade U.S. government work and commercial applications. The standard was based on work done earlier by IBM that was coded the "Lucifer Cipher." DES uses a 64-bit key, but trims the last bit off of each of the eight bytes (8 bits each) as an odd parity check, making the actual key size only 56 bits. Originally, DES was designed to be used in a hardware only implementation, but since there has been phenomenal growth in semiconductor speed in just the last few years, it is now just as practical to conduct as a software application. This was obviously beyond the intentions of its designers, who had their own agendas in mind.

IDEA, the "International Data Encryption Standard," was originally developed by Xuejia Lai and James Massey of ETH Zurich. Contrary to DES, IDEA was designed to be much more efficient when implemented as a software application. Instead of operating on a 64-bit message block size, with a corresponding 64-bit key size, the IDEA code uses a 128-bit key to transform a 64-bit message block into a 64-bit result. Although the algorithm is very new compared with DES and even other secret key systems, it has proven to be quite secure, and may even be better than DES in the long run. Both DES and IDEA are similar in that they operate on data one chunk at a time, performing mathematical transforms based on substitutions and permutations.
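The structure this section describes, as an added Python example that is not from the book and is not DES or IDEA: a toy substitution-permutation block cipher with fixed 16-bit blocks and a fixed 16-bit key, a key XOR, substitution of bits through an S-box, swapping of bit positions through a permutation, all looped over several rounds, plus a measurement of how many output bits change when one input bit changes. The S-box and permutation are those of Heys' well-known tutorial cipher; the key schedule, block size and sample messages are constructed here for illustration, and the whole thing must never be used to protect anything.

```python
import random

# Added example, not from the book: a toy SPN block cipher and its avalanche.

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit i of the state moves to bit PERM[i] (a nibble-wise transpose).
PERM = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
INV_PERM = [PERM.index(v) for v in range(16)]
ROUNDS = 4


def round_keys(key16):
    """Derive ROUNDS + 1 round keys by rotating the master key and adding a
    round constant (a constructed schedule, for illustration only)."""
    keys = []
    for r in range(ROUNDS + 1):
        rot = 3 * r
        k = ((key16 << rot) | (key16 >> (16 - rot))) & 0xFFFF if rot else key16
        keys.append(k ^ ((0x9E37 * (r + 1)) & 0xFFFF))
    return keys


def substitute(state, box):
    """Replace each 4-bit nibble through the S-box (substitution of bits)."""
    out = 0
    for i in range(4):
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def permute(state, table):
    """Move every bit to a new position (swapping of bit positions)."""
    out = 0
    for i in range(16):
        if (state >> i) & 1:
            out |= 1 << table[i]
    return out


def encrypt_block(block, key16):
    ks = round_keys(key16)
    s = block
    for r in range(ROUNDS):
        s ^= ks[r]
        s = substitute(s, SBOX)
        if r != ROUNDS - 1:          # a final, fixed permutation adds nothing
            s = permute(s, PERM)
    return s ^ ks[ROUNDS]


def decrypt_block(block, key16):
    """The same steps backwards with the inverse tables: unlike a hash, the
    entire clear text is preserved and can be recovered."""
    ks = round_keys(key16)
    s = block ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r != ROUNDS - 1:
            s = permute(s, INV_PERM)
        s = substitute(s, INV_SBOX)
        s ^= ks[r]
    return s


def avalanche(key16, trials=500, seed=1):
    """Average number of the 16 output bits that change when one input bit is
    flipped; a good cipher lands near half, i.e. about 8."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        p = rng.getrandbits(16)
        flipped = p ^ (1 << rng.randrange(16))
        total += bin(encrypt_block(p, key16) ^ encrypt_block(flipped, key16)).count("1")
    return total / trials


def encrypt_message(data: bytes, key16) -> bytes:
    """Variable-length input, processed block by block, same-size output (after
    padding to a whole block). This is plain ECB: identical clear blocks give
    identical cipher blocks, which is the clear/cipher-pair table weakness the
    text warns about for small blocks."""
    padded = data + b"\x00" * (len(data) % 2)
    out = bytearray()
    for i in range(0, len(padded), 2):
        c = encrypt_block(int.from_bytes(padded[i:i + 2], "big"), key16)
        out += c.to_bytes(2, "big")
    return bytes(out)
```

Running `avalanche` on a few keys shows the half-the-bits behaviour the text describes; running `encrypt_message` on input with a repeated block shows the repeated cipher block that a codebook attacker would catalogue, the reason real protocols chain or randomize blocks rather than encrypting each one independently.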

Public key cryptosystems

Public key systems, on the other hand, are a collection of ciphers that do many different things. Some do digital signatures, some do key exchange, some do authentication only but no encryption, and some do everything all in one. However, they all do have one general concept in common with one another: there are always two components that are used for operation on the input data. One of the components is the private piece and one is dubbed the public piece. An interesting nugget of trivia is that it is irrelevant which actual piece is which mathematically, since the two are inverse operations of each other. The thing that separates the two is that the "private" piece is the part that is secreted away, while the other is distributed. Distributing both pieces would be like giving away your secret key with each bit of encrypted data you send.

Diffie-Hellman

The Diffie-Hellman algorithm, also known as the oldest public key system, was based on the problem of how two entities could agree on a secret by using only public channels. It was the genesis of RSA, which we will discuss next, but it provides only a bare skeleton of secret exchange. Diffie-Hellman supports neither encryption nor digital signatures. You might be wondering, without those features, what worth could it have? The Diffie-Hellman algorithm is typically used for quick key exchange. When software is programmed to change its key values every once in a while, or even with every transaction, having a quick way of producing a secret key that both parties know, even by using only a public channel, is required. This is where Diffie-Hellman excels. Imagine two famous people, on either end of a restaurant, passing notes to each other that anyone can read along the way. These notes contain the information necessary for the two parties to agree upon a secret key, but it's done so that no one looking at the slips of paper could know what that secret was. Nifty trick, eh? The Diffie-Hellman algorithm is based on a principle involving the concept of a strong prime number.

Diffie-Hellman's weakness is that even though two parties can establish a secret key between the two parties in a public arena, there could be a masquerader who effectively middle-mans completely unobserved. By placing himself in the path, and by catching the right messages, the middleman doesn't need to actually know the secrets, but he can masquerade as the other, by misdirection. Suppose an interloping party (let's call him "M") could listen to party A's initial request to B, and respond with code pretending to be B. Further, M could copy the message, replace his code for A's, and forward the message on to B to establish a faked conversation that way as well. In this manner, M would have successfully exchanged two secrets (one with both A and B) but without the knowledge of either. A and B think they are talking to each other, but they are really talking indirectly through M.
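The exchange and the middleman scenario just described, as an added Python example that is not part of the book: both parties compute and swap public values and arrive at the same secret; then the same steps are run with an interloper M substituting his own value, so that A and B each share a secret with M and not with each other; and finally a check showing that authenticating each public value (here with an HMAC under a pre-shared key) lets the receiver reject the substitution. The parameters (p = 23, g = 5), the private exponents and the HMAC step are all constructed for illustration; the book's bare Diffie-Hellman has no such authentication, which is exactly its stated weakness, and real deployments use primes thousands of bits long.

```python
import hashlib
import hmac

# Added example, not from the book: Diffie-Hellman, the middleman, and a fix.
# Toy parameters; real deployments use a large strong prime.
P = 23
G = 5


def dh_public(private):
    """The value written on the note everyone can read: g^private mod p."""
    return pow(G, private, P)


def dh_shared(their_public, my_private):
    """Both sides compute g^(a*b) mod p from what they hold."""
    return pow(their_public, my_private, P)


def honest_exchange(a_priv, b_priv):
    """A and B swap public values over the open channel and derive the same
    secret; an observer sees only the two public values."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return dh_shared(b_pub, a_priv), dh_shared(a_pub, b_priv), (a_pub, b_pub)


def middleman_exchange(a_priv, b_priv, m_priv):
    """M intercepts both public values and substitutes his own, so A really
    shares a secret with M and B shares a different secret with M.
    Returns (A's secret, B's secret, M's secret with A, M's secret with B)."""
    m_pub = dh_public(m_priv)
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    a_secret = dh_shared(m_pub, a_priv)          # A believes m_pub came from B
    b_secret = dh_shared(m_pub, b_priv)          # B believes m_pub came from A
    return a_secret, b_secret, dh_shared(a_pub, m_priv), dh_shared(b_pub, m_priv)


def tag(psk: bytes, public_value: int, sender: str) -> bytes:
    """Assumed hardening, not from the book: bind the public value to its
    sender with an HMAC under a key M does not have."""
    msg = f"{sender}:{public_value}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def receive_authenticated(psk: bytes, public_value: int, sender: str, received_tag: bytes):
    """Accept the public value only if its tag verifies; a substituted value
    arrives with a tag computed over the original and fails the check."""
    if hmac.compare_digest(tag(psk, public_value, sender), received_tag):
        return public_value
    return None
```

The middleman result is the text's point in numbers: A's secret equals M's secret-with-A, B's secret equals M's secret-with-B, and A's and B's secrets differ. The authenticated receive shows why later protocols sign or MAC the exchanged values rather than trusting the channel.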

RSA

RSA gets its name from its inventors: Rivest, Shamir, and Adleman. It is a public key system supporting both encryption and decryption with a variable length key. Using a long key size increases security, but at the cost of performance; likewise, a short key is quick to compute, but is less secure. The RSA algorithm, as implemented, typically uses a 512-bit key, with an upper range of about 4K bits. Larger keys than that become unwieldy to use given today's computing power. It's nice to know that as long as the underlying principles of the algorithm are safe, meaning that no one has been able to break the fundamental math problem of factoring quickly, then as computing power increases, it gives both the cracker and the encryptor more firepower.

Unlike private key encryption, the message block length (i.e., the size of the chunk of message to be operated on) is also variable. Unlike DES and IDEA, RSA's message block length can be almost anything. However, it must be equal to or smaller than the size of the key to prevent an easy security breach via a brute force search of the possible ciphered alphabet. Regardless of message block size, the cipher text block size will always equal the size of the key.

Because RSA uses the principles of gigantic prime numbers to base its equations on, as well as modulo exponentiation arithmetic, the RSA algorithm is much slower than almost any of the popular secret key systems (including the ones discussed previously [DES and IDEA]).

To use the RSA algorithm, one generates what is commonly referred to as a key pair. The first step in doing this is to choose two large prime numbers. Numbers in the 50 to 100 digit range are typical. Call these p and q. Multiply them together to get the result n. From there, using mathematical magic, you would choose a number e that is relatively prime with respect to the totient function of n.* We won't bore you with the mechanical intricacies of how exactly this is done. Suffice to say that a pair of numbers is produced, e and d, with the odd property that one is the multiplicative inverse of the other with respect to an equation mod n. From here the set (e,n) is referred to as the public key, and the combination (d,n) is the private key. In actuality, since one is the exact inverse of the other (given the equation de = 1 mod totient(n)), it doesn't matter at all which one is the public one and which is the private one. The one that you keep hidden is the private one. It's simple.

The RSA algorithm used for encryption and decryption is essentially the same. Given that e and d are inverses, encryption is the process of running the message with the public key forward through the code, while the act of decryption is simply not running the cipher text through the algorithm backwards. In actuality, it is the process of sending the cipher text message and the private key again forward through the system. Specifically, the encryption routine consists of taking the clear text chunk and raising it to the power of e mod n, and decryption is essentially taking the cipher text and raising it to the power of d mod n.

* Euler's totient function is defined to be the number of positive integers not greater than n and relatively prime to n, where n is a positive integer.

How Secure Is It Really?

Given the explosive increase in computing resource power every year, the security of data stored in encrypted form gets less and less secure. As we discussed, the life of a particular piece of encrypted data or even the encryption algorithm itself is governed by the raw processing power that can be leveled against the data, and the faster the machine (the greater the MIPS rating), the greater the threat of a simple brute force attack. DES, in particular, has been the focus of some discussion concerning its life into the 21st century. One of the reasons for waning protection is that its security only uses 56 of the 64 bits of its key. Although a software brute force of DES cannot be considered more than theoretical for another few years yet, the possibility of creating a simple and widely distributed one is looking quite real on the horizon. One way to combat this threat is to multiply encrypt the inputs. The "triple-DES" standard is just such an implementation, and given that it effectively increases the number of possible keys to the stratosphere, it removes any threat for the foreseeable future.

RSA's weak point would be someone's ability to factor a huge number quickly. That's much easier said than done. As we discussed in the explanation of the RSA algorithm earlier, the sheer size of the numbers that are used is enormous, large enough even that it surpasses the number of bits that even large computers use to store numbers internally. Think about it in terms of how many digits you could put into a calculator. The bigger problem is that even if you could represent the numbers in a way that a computer can handle, the act of factoring is a long and tedious process without short cuts and without easy, simplifiable steps. Because of this, you could spend a great deal of time just looking through billions of numbers, and never finding a factor of n. Remember that if you wanted to crack RSA, the surefire way of doing it would be to recreate the original inputs used to calculate d and e. That means factoring n. We tried various attacks ourselves, the results of which were pathetic. If you wish to try your hand at it, the best of luck!
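The key-pair procedure from the RSA section (p, q, n, the totient, e, and d as inverses), the forward-only encrypt and decrypt by exponentiation mod n, and the factoring attack that this section names, as one added Python example that is not from the book. The primes are toy-sized and constructed (61 and 53); real keys use primes of hundreds of digits and a padding scheme the book does not cover. The modular exponentiation reduces after every multiplication, the same successive-mod idea from the modulo section, which is what keeps the arithmetic inside a computer's word size even though the mathematical power is astronomically large.

```python
import math

# Added example, not from the book: toy RSA key generation, encryption,
# decryption and the trial-division factoring that breaks small n.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a mod m (exists only if gcd(a, m) == 1)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: operands are not relatively prime")
    return x % m


def modpow(base, exp, mod):
    """Square-and-multiply. Every intermediate is reduced mod n, so working
    values never exceed n*n even though base**exp would be enormous."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def keygen(p, q, e=17):
    """Key pair from primes p and q: public (e, n), private (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n when n = p*q
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to totient(n)")
    d = modinv(e, phi)                   # so that d*e == 1 (mod totient(n))
    return (e, n), (d, n)


def encrypt(m, public):
    """Clear text chunk raised to the power e mod n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return modpow(m, e, n)


def decrypt(c, private):
    """Cipher text raised to the power d mod n: again forward, never backwards."""
    d, n = private
    return modpow(c, d, n)


def factor_by_trial(n):
    """The attack the text names: recover a prime factor of n by trial
    division. Returns (factor, divisions tried); the count grows with the
    square root of n, which is why a huge n is out of reach this way."""
    tries = 0
    for cand in range(2, math.isqrt(n) + 1):
        tries += 1
        if n % cand == 0:
            return cand, tries
    return None, tries
```

With p = 61 and q = 53 the whole secret falls in 52 divisions; doubling the number of digits in p and q squares the divisions needed, which is the "long and tedious process without short cuts" that the text relies on for large keys.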

Use of Cryptosystems and Authentication

Much of this chapter dealt with security in one form or another. Knowing that everyone is not as nice as we are is the main reason why we need to protect ourselves. Just like in the real world, security is one of life's little things that needs to be addressed, and re-addressed, and tested, and probed, and redone; the need for security is constantly underfoot. We covered putting up fences around your data (firewalling) as well as using encryption to place a big padlock around it. How is this all relevant to the virtual private network? The virtual private network is just that: virtual and private. Private, being the optimal word. The keys to erecting a private data exchange or a secured data store rely on being able to fence out unwanted people and place locking boxes around what you wish to protect. Without firewalls, a VPN could exist, albeit with some paranoia. But without encryption it most certainly could not. Cipher routines solve the fundamental problem of secure communication over an insecure channel in a hostile environment.

WARNING: The U.S. government classifies all encryption routines as munitions, which is to say that they consider the mathematical formulas that make the magic happen a dangerous technology. Cryptography to the Feds is in the same boat as treason, gun-running, smuggling, racketeering, and drug sales to small children. And they do not take such matters lightly, either. You may ask yourself, how could a little code hurt the giant U.S. government or its citizens? To learn exactly why the government treats these technologies with such kid gloves, we have to look back at some historical elements. Remember the "enigma" box? It was a German code box that scrambled military orders sent from the high command to the field. Along a similar line, the Japanese had developed a similar code system involving a code box called "Purple." In times of war, code cracking and encryption takes on a whole new meaning, best described by the saying: "loose lips, sink ships." The protection of even simple communication is of paramount importance to the government. If all the routines developed on U.S. soil were exported abroad with no restrictions and a war were to break out, it would be unclear to our military leaders if their communications were safe.

Patents and Legal Ramifications

Cryptographic routines are complex mathematical systems, and the people that have created them are experts who have spent a great deal of resources to create and protect their systems. As any good lawyer will tell you, intellectual property is just as tangible as real property, and in some cases easier to support in a court of law. Even using some technologies could constitute a legally binding agreement with the software's creators, thus illustrating that you need to take care when dealing with any and all such systems.

One typical legal protection that a cryptographic creator has is the patent. DES, contrary to popular belief, is patented, but it is distributed royalty free, which is one of the reasons why it pops up almost everywhere. All public key (two-key) systems are patented as well, by either RSA Data Security Inc., or by the Public Key Partners (PKP) group (see Table 2-1). Obviously they make it their business to collect license fees and monitor for stray usages of their software.

Table 2-1. Cryptographic Patents

Encryption Routine | Patent Information
Hellman-Merkle     | Patent #4,218,582, expired August 19, 1997. Supposedly covers all public key systems.
RSA                | Patent #4,405,829, expires September 02, 2000. Covers the algorithm.
Hellman-Pohlig     | Patent #4,424,414, expires January 3, 2001. Related to Diffie-Hellman (expired 1997).
Schnorr            | Patent #4,995,082, expires February 19, 2008. The DSS Algorithm is based on this.
Kravitz            | Patent #5,231,668, expires July 27, 2008. The actual DSS Algorithm.

In this chapter:
• Common WAN Configurations and Their VPN Counterparts
• Remote Access and VPN Counterparts
• The Hybrid System
• Cost Comparison Chart

Chapter 3: Wide Area, Remote Access, and the VPN

Even though this book is about virtual private networks, we're prepared to admit that a VPN is not always the best networking solution. This chapter compares costs and benefits, in very general terms, to its two older alternatives: a wide area network (in which you lease dedicated lines between sites) and remote access (in which users dial up banks of modems at a central site). Trade-offs to consider include configuration time, staffing, coordination of resources, and actual monetary costs for all the pieces.

In this chapter, we will explore some examples of traditional WAN and remote access configurations, comparing them to their VPN counterparts. For the most part, you will not find hard costs here, as they change so much that we'd have to revise this chapter every few weeks. What you will find is where the VPN diverges from the traditional WAN or remote access implementation, where resources may be diverted for other projects, and where your company will need to concentrate resources to implement the VPN.

Common WAN Configurations and Their VPN Counterparts

Figure 3-1 depicts a typical WAN using a dedicated lease line from a telephone company. The two sites are connected via a 56K-bps leased line through a Telco provider. Each site has a router, some number of servers and workstations (running Windows NT/95 for this example), networked with the NetBEUI protocol encapsulated in TCP/IP. At either site there is a network administrator whose duties would include monitoring and maintaining this connection (in addition to various and sundry other duties of an NA).

Common WAN Configurations and Their VPN Counterparts 43

[Figure 3-1. A typical leased line connection between two enterprise networks. Left panel: Remote Office Network and Central Office Network joined by a leased line; right panel: the same two networks joined by a VPN.]

This scenario would incur a hefty setup fee from the telco for the leased line. Each network administrator would require no more than 20 hours to set up the connection, including actually ordering the lines and equipment, proposing and clearing this implementation through management, coordinating installs of lines, and physically configuring the connection. Recurring costs would include charges for the leased line connection and maintenance of the connection by the network administrators. As time goes by, of course, other costs would surface, such as upgrade costs (e.g., equipment, lines, and time) and equipment replacement costs in the case of a failure.

The right panel shows the same setup using a virtual private network. Though it looks a lot like the WAN, the VPN differs greatly in operation. Data is carried back and forth over the Internet between the networks via an encrypted tunneling network protocol (in this case, PPTP). The VPN costs about the same amount as the standard WAN in its initial implementation and general private solution to get up and running, but the operating costs are much less. The costs for the most part are finding the right solution, getting the right software, and training your network staff in its deployment and operation.

In the following sections, we break down the costs of a leased-line based WAN and a similar virtual private networking solution. As always, you should evaluate the specific needs of your organization and compare them with available resources before undertaking any major network installation. So keep in mind that these are examples. Your mileage may vary.

44 Chapter 3: Wide Area, Remote Access, and the VPN

Corporate Office to a Small Office/Home Office Connection

The Small Office/Home Office (SOHO) is a "compact to mid-sized" scenario. It would fit a small to medium organization with a regional office in another county or neighboring state, or a small company with an employee working from a home office. The main focus here is low bandwidth and low maintenance. Both VPNs and WANs are about equal at this level in the costs and resources needed to implement them. In the following sub-sections, the WAN scenario is discussed first, followed by the virtual private network scenario.

Telco needs

The WAN connection could use an ISDN line if the SOHO is within the local calling area of the main office. If the SOHO is out of this area, a leased 56K-bps frame relay line would be the best bet. The big difference is that an ISDN line usually does not incur per minute charges if the call is local, but would rack up such charges if you're connecting long distance. Some ISDN calling areas do incur per minute charges for local ISDN calls. A 56K-bps frame relay line typically has a flat rate per month charge. ISDN offers more bandwidth (up to 128K-bps with a single basic rate ISDN line). Two 56K-bps leased lines would be needed to even get close to this level of bandwidth (112K-bps). The choice between the lines comes down to estimated usage and relevant charges associated with usage, as well as bandwidth needs to the remote site. Note that an ISDN or frame relay line is required on both ends of the connection.

A VPN could use either frame relay or ISDN, but the line would connect to a local Internet service provider. If both offices are in the same calling area, the same ISP should be used, reducing the odd nature of Internet routing (that is, ISPs across town routing traffic to each other across the country). If the remote office is outside the calling area of the central office, the ISP chosen from both sides should be connected to the same upstream Internet provider, if possible. This will significantly reduce Internet routing issues and increase the speed and reliability of the virtual private network.

Equipment required

VPNs and WANs require the same types of equipment at this level. ISDN terminal adapters and routers or frame relay routers are available through such manufacturers as Cisco Systems, Farallon, Motorola, and Ascend Communications.

Network administrator issues

Expertise for a traditional WAN setup should be in a typical network administrator's skill set. Total time for both sides of the connection should not exceed 10 hours, which includes tracking down the best equipment, ordering lines, and configuring the connection. These types of connections do not usually require much recurring maintenance, as they tend to stay solid once properly configured. As much as 10 hours a month in maintenance time is standard, even if there are major connection or configuration problems.

The main failure point in this kind of connection is the telco provider, because they don't tend to communicate with their customers when lines are undergoing maintenance or fail completely. Other related issues involve training end users in the use and general maintenance of the connection, as this scenario would not need a dedicated network administrator on both ends.

When implementing a virtual private network, the initial consideration for a network engineer is research and training to get a general understanding of how a virtual private network works and how it fits with the organization's networking needs. Initial setup of a VPN will consume a significant amount of time, possibly as much as 20 to 40 hours including research, training, pitching the solution upstairs, and actually implementing the network. Recurring maintenance shouldn't be significantly different from the WAN solution (presented earlier) with two exceptions: the ISP used and security of the VPN. Both issues are discussed at length later in this section. However, suffice to say that the network administrator can add about 5 to 10 hours a month to the WAN maintenance estimate (a maximum of 20 hours total per month), dealing with security and Internet service provider issues.

Upgrade path

The WAN scenario supports a central office connection for one remote office of around 50 to 100 nodes on the network. (More than 12 nodes on the ISDN example would require a Class C ISDN router.) For more nodes than this, a very busy WAN, or for multiple remote site connections, see the next section, "Central Office to Multiple Remote Office Connections," for details.

To upgrade either the WAN or the VPN, you'd have to practically re-engineer the whole connection. ISDN and leased 56K-bps frame relay require additional lines to increase the amount of bandwidth, so multiple ISDN Basic Rate Interfaces (BRIs), or more 56K leased lines would be required. In addition, the equipment listed above is not able to handle more than a single line. Thus, for an upgrade the central office would need a router that could accept more than a single connection. Likewise, remote offices that want more than 128K-bps over ISDN or 112K-bps over frame relay would require new or additional hardware. The equipment listed in the sections "Central Office to Multiple Remote Office Connections" and "Remote Access and VPN Counterparts" would all be appropriate when upgrading. In addition, the network administrator would need more time to evaluate the need to upgrade and move to new services. No network software changes would be required for either connection method, though with some virtual private network packages (such as AltaVista Tunnel), the server software must be upgraded to accept more tunnel connections.

Chapter 3: Wide Area, Remote Access, and the VPN

Central Office to Multiple Remote Office Connections

Now we'll move to a larger organization with a variety of connectivity needs. If you use a WAN, the resources needed are similar to the "compact" example, only more expensive. With a virtual private network, the resources stay the same. Aside from some software purchases, such as the AltaVista Tunnel, there are no upgrades or size-related costs other than capacity to handle multiple connections in general. In Figure 3-2, the left panel depicts a typical WAN in which satellite offices are connected to a central office via direct leased lines. The right panel shows a similar setup using an Internet service provider to connect remote offices. The unbroken line represents a local digital connection to the ISP, while the broken line shows the virtual private network as it travels over the Internet.

Figure 3-2. Leased lines versus VPN for a WAN. (Figure: the left panel shows satellite office networks tied to the central office network by leased lines; the right panel shows satellite office networks with local digital connections to an ISP, the VPN drawn as a broken line over the Internet.)

Telco needs

A large WAN needs substantial bandwidth. To connect multiple medium-to-large networks to a large corporate network, nothing less than a fractional T1 at each site suffices. At the central network, we suggest multiple incoming T1s, a single T3, or an ATM connection, depending on incoming bandwidth requirements. Telco costs related to these connections include initial setup fees, local loop charges (for the line from the local telco central offices to the various sites), and recurring transit fees for the lines. Costs can be significantly reduced by choosing frame relay connections, but if guaranteed bandwidth is required, frame relay is not the best choice. Frame relay networks compete in the "cloud" for bandwidth, and most connections are not guaranteed to achieve their full speed end to end. For more reliable bandwidth, the more expensive option is a leased point-to-point connection. The hardware, described here, supports either frame relay or point-to-point connections.

Common WAN Configurations and Their VPN Counterparts

A VPN has similar bandwidth needs. Both the central network and the various satellite networks need high speed connections to the Internet simply to support their outgoing traffic. However, these connections are typically to a local Internet service provider, thus reducing the local loop costs and possibly the recurring transit fees. Try to keep options for easy upgrades available. A scalable fractional T1, T3, or ATM connection is the best line. Bandwidth will be allocated dynamically, as needed, to the various sites and charged accordingly. If the organization runs Internet services (such as web, mail, or other servers) on the various networks, and is attempting to support a large virtual private network, the bandwidth needed may be more than the traditional WAN scenario due to extra overhead such as encryption and additional users. However, if only common Internet services are offered to network users, such as web browsing and email, a VPN could use a lot less bandwidth than a WAN. You have to monitor network connection requirements constantly, as any network administrator knows. With a VPN, this evaluation should take into account the heavier traffic on the lines the VPN requires.

Equipment required

With high-speed network connections comes high-end access equipment, and with that comes high cost in both initial investment and ongoing support. Though routers, hubs, and the like are not often prone to failure, they do have a short life cycle as far as technology goes. About two years is the most an IP router can exist before the next generation makes it almost obsolete. Multiple remote network connections over leased high-speed data lines require high-end IP routers. For example, Cisco's 2500 series routers and Bay Networks Access Router series could support fractional or full T1 connectivity over frame relay or point-to-point. For higher bandwidth connections, such as fractional or full T3 or ATM, Cisco's 7500 series routers or various carrier class switches from Cascade, Ascend, or Cisco are standards. The central network's equipment costs could run in the tens to hundreds of thousands of dollars. For the satellite offices, the cost would be at most a few thousand dollars. Of course, bandwidth needs of the various networks, hardware vendors, and other issues affect these estimates.


For a VPN, connection equipment is again dictated by connection method and speed. The model could look very much the same as the previous WAN solution, depending on the Internet connections at the various sites and the central network. The VPN diverges in two areas: servers and ISP connection equipment. Depending on the software chosen, the organization is limited to three platforms. If PPTP is implemented on the ISP side of the connection, the organization is limited to Windows NT and Macintosh for software clients. Windows 95 has been rumored to have a PPTP client in development, but it has not appeared as of this writing. If PPTP is implemented on the organization side, both client and server software must be acquired. The server software is supported only by Windows NT 4.0, either the Server or the Workstation version. Clients are limited to Windows NT and Macintosh, as above. If the AltaVista Tunnel is used, the server software is available for various flavors of BSD Unix or Windows NT. Clients are available only for Windows NT or Windows 95. If the organization currently runs its operations on platforms other than these, then a switchover may involve more cost and hassle than the benefits of the VPN are worth.

Network administrator issues

The main issues here are related to scale of the operation. Every satellite network will need one or two full-time network administrators to support the initial WAN implementation, the ongoing operations, and the users. Ordering and coordinating lines and equipment, configuring the network, troubleshooting, stabilizing it, and documenting changes could take as much as 40 to 80 hours per site, including the central network. Ongoing administration, support, reporting, and other duties should require 160 to 200 hours per month during normal operation. In the event of a problem, such as failed connections or equipment, this hourly estimate is much higher.

For a virtual private network connection, the biggest benefit could also be the biggest hindrance: the ISP. Most ISPs that service connections of this scale are competent and knowledgeable about engineering the connection. These ISPs will assist, support, and in most cases, actually include the setup of the connection as part of their services. This will reduce the hourly cost of the setup for the network administrators, and may not increase the monetary costs significantly. For this reason, selection of an ISP should be a number one priority when considering using a virtual private network.

Additionally, as we noted in the preceding section, you should choose the same ISP for the central network and all its satellites, if possible, or ISPs connected to the same backbone (e.g., Sprint, BBN Planet, etc.). This will reduce the network routing problems that affect the speed of the virtual network between the sites and may take the network completely down on occasion.

Also, if you use PPTP, the organization should consider selecting an ISP that supports this protocol on their equipment. This could significantly reduce the workload of the network administrator, as there will be no PPTP servers to support; user support is essentially outsourced to the ISP's support staff.

An estimated time commitment for a connection on this scale is about half that of the WAN connection (about 20 to 40 hours). The majority of the network administrators' time initially will be evaluating and selecting an Internet service provider for the multiple sites. Ongoing administration and support of the virtual private network should not exceed 100 to 150 hours a month, taking into account that the ISP is doing much of the user-end support. If the ISP proves to be incompetent or their connections faulty, administrators can expect double the normal hours a month to support your site and maintain the VPN.

Upgrade path

The upgrade path for either the WAN or the VPN is currently limited. A network with multiple T3s at the central office and a full or fractional T3 or ATM connection to every satellite are the extent of upgrade potential. With other high-speed, lower cost options on the horizon, such as ADSL, the costs may change somewhat. Until the technology settles, however, this is still an unknown. VPN software solutions, likewise, are still settling. There are currently only two proven VPN methods that support the organization from client to server: PPTP and the AltaVista Tunnel.

Remote Access and VPN Counterparts

Figure 3-3 shows private remote access running over normal phone lines. Traffic to the central network is handled by a remote access server. All that is required is a dial-up access server and the physical lines, as well as remote access devices on the user end such as modems or ISDN routers. This connection method is well tested and versatile. The remote access server can support dedicated nailed up connections or on-demand scenarios, whereby a remote office or roving user dials up to the network as needed. But if there is some distance between the satellite sites and the central point, long distance dial-up phone charges could be massive. Likewise, if the organization requires a high-speed digital connection for remote access, like ISDN, few carriers guarantee a straight digital connection end-to-end across the country. With dial-up frame relay, the connection is digital end-to-end, but the bandwidth allocated to the connection is not guaranteed end-to-end.

Large or small, remote access to the corporate network is typically low bandwidth and on-demand, in comparison to the WAN scenarios earlier in this chapter. Very few remote users should need a more industrial connection than ISDN or frame relay. If they do, the solution is more a WAN scenario.

Figure 3-3. A typical remote access setup. (Figure: a central office network with a remote access server, reached by home offices and a roving individual user over local analog or digital dial-up, by a large remote network over a dedicated digital connection, and by a small remote or local network.)

Remote access configurations could be as simple as a terminal server connected to the corporate network with a few dial-up modems, or as complex as a Cascade remote access server with several hundred dial-up users connecting simultaneously. As any ISP knows, either situation has its own share of headaches.

With a comparable virtual private network solution, the remote users and offices dial in to an ISP's dial-up access equipment and run PPTP or the AltaVista Tunnel locally. The central office runs a VPN server. If an ISP supports PPTP on its dial-up access server, the central office doesn't even need a VPN server. Any limitations on this type of setup lie with the Internet service provider, and its understanding of virtual private networking.

Why does an organization need remote access to their network? Answering this question will lead the planning network administrator to the best solution. Traditional remote access is clearly enough for a "backdoor" dial-up connection used only by network personnel in emergency situations, like a network outage after hours. A VPN may or may not be better when staff telecommute on an infrequent or recurring basis and need access to the network. The VPN is most cost-effective in the frequent case where Joe Guy in Sales is out of town closing a deal and needs to access the corporate network for contracts, pricing changes, or communication.

Remote access is usually far more costly than implementing a virtual private network. In the next two sections we present examples in the small to medium site range and the large site range. Within each section, we also outline how to effectively use a virtual private network to provide the same solution and reduce costs.

Small to Medium Site Breakdown

Figure 3-4 shows a typical small site offering remote access. The left panel shows the equipment for a private remote access system, and the right panel shows a virtual private network using an ISP and the Internet for remote access. On the left, a small remote access setup uses an NT or Unix server and four modems or ISDN terminal adapters with appropriate lines. On the right, a similar setup uses a virtual private network, which includes a VPN server and ISDN router connection to an ISP. The remote users would connect to their ISP via analog or ISDN and access the central network through the VPN over the Internet. Both are viable systems, and require a certain amount of expertise on the part of the network administration. Overall, the virtual private network solution has the advantage of lower cost and less resources, in administration time and equipment. The private remote access is more fail safe, as there are fewer "middlemen" with whom to deal. However, remote access also involves more headaches to keep operational. The following sections touch on the major parts of the small remote access system.

For remote access, this organization requires only four dial-up modem lines for their roving users, telecommuters, and emergency back-door connections for the network administrator. The system described here should support 8 to 10 dial-up users with comfort, and as many as 16 to 20 during peak dial-in times. In the VPN solution, the number of users is not an issue, except with the ISP. Ask the ISP about the ratio of users to modems, peak time usage statistics, and network down percentages, to ensure that the organization's users can reach the VPN when they need it.

Telco needs

All that is required for the remote access scenario are the four analog or four ISDN lines, depending on the speed desired. Costs associated with these lines are initial installation, recurring monthly charges, and any long distance charges incurred either on the actual phone bill, or on a long distance credit card used by the remote users that the company reimburses. Since few carriers guarantee a digital connection end-to-end for ISDN data calls outside of a local calling area, the organization that needs high-speed digital connections will have more interest in the VPN solution.

Figure 3-4. Alternatives for a small to medium office. (Figure: left, a central network with a Windows NT or Unix server running remote access services and modems or ISDN terminal adapters on telco lines, reached by remote users with analog or ISDN modems and lines; right, a central network with a VPN server and an ISDN router on an ISDN telco line to an Internet service provider, reached by remote users with either an ISDN router/terminal adapter or an analog modem and line.)

Telco issues with a virtual private network hinge mostly on the ISP chosen for each of the connecting users. Each site or person that wishes to connect will need some sort of dial-up access line (analog or digital) to connect to the ISP. The central corporate network will need a dedicated digital connection such as ISDN to an ISP. Alternatively, the firm could maintain a dynamic (on-demand) connection to the ISP, where the ISP initiates the call to the corporate site when traffic destined for the corporate network is detected.

The VPN, like any Internet service, is only as fast as the slowest connection between the user and the server. The main consideration when choosing an ISP for the virtual private network is its capacity and ability to support the number of users to which your organization expects to need connections. Again, it is important to evaluate the ISP based on your company's needs, and not some abstract set of criteria. If it is critical that users access the corporate network, then an ISP with a low user to dial-up line ratio must be chosen. Currently, the industry standard is 12 users to 1 modem, but peak times and network down percentages are as variable as the number of ISPs out there. An ISP whose primary business focus is corporate Internet access would have its peak times from 8 a.m. to 5 p.m. on the weekdays, whereas one specializing in regular home users would see peaks on the weekends and from 6 a.m. to midnight weekdays. Also, with roving VPN users, look for an ISP with a strong national presence or 800 dial-up access.
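The questions the passage tells you to put to an ISP (ratio of users to lines, busy-hour usage, network down percentage) can be turned into numbers. The following Python model is an added example, not the book's material or any ISP's figures: it applies the Erlang B formula to a dial-in pool (my choice of model; the book only quotes the 12:1 and 1:5 ratios) and treats the ISP's downtime as an independent availability factor. The busy-hour call rate and mean call length are constructed inputs you would replace with the ISP's own peak statistics.

```python
# Added example (not from the book): sizing a dial-in pool with the Erlang B model.
# Assumptions, not figures from the book: the busy-hour call rate per user, the
# mean call length, and that ISP downtime is independent of line contention.


def erlang_b(lines, load):
    """Probability a busy-hour call finds all `lines` busy when the pool carries
    `load` erlangs.  Standard recurrence: B(0, A) = 1 and
    B(m, A) = A * B(m-1, A) / (m + A * B(m-1, A))."""
    if lines < 0 or load < 0:
        raise ValueError("lines and load must be non-negative")
    b = 1.0  # with no lines at all, every call is blocked
    for m in range(1, lines + 1):
        b = load * b / (m + load * b)
    return b


def offered_load(users, calls_per_user_per_hour, mean_call_minutes):
    """Busy-hour offered load in erlangs: calls per hour times hold time in hours."""
    return users * calls_per_user_per_hour * mean_call_minutes / 60.0


def lines_needed(load, target_blocking):
    """Smallest pool whose blocking probability is at or below the target."""
    n = 0
    while erlang_b(n, load) > target_blocking:
        n += 1
    return n


def reachability(users, lines, calls_per_user_per_hour, mean_call_minutes, isp_uptime):
    """Probability that a busy-hour call both gets a line and finds the ISP up.
    `isp_uptime` is 1 minus the ISP's quoted network down percentage."""
    load = offered_load(users, calls_per_user_per_hour, mean_call_minutes)
    return (1.0 - erlang_b(lines, load)) * isp_uptime


if __name__ == "__main__":
    # 75 users on 25 lines is the book's large-site example (a 1:5 ratio);
    # half a call per user per busy hour, 30 minutes each, is a constructed guess.
    load = offered_load(75, 0.5, 30)
    print(f"offered load: {load:.2f} erlangs")
    print(f"blocking on 25 lines: {erlang_b(25, load):.3f}")
    print(f"lines for 1% blocking: {lines_needed(load, 0.01)}")
    print(f"reachability with 99% ISP uptime: {reachability(75, 25, 0.5, 30, 0.99):.3f}")
```

A 12:1 user-to-modem ratio is only tolerable because an ISP pools many customers whose busy hours rarely coincide; plug your own organization's peak concurrency into `offered_load` rather than the ISP's average, since it is your users who must reach the VPN during your busy hour.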

Equipment required

For a private remote access system, the organization needs only a Windows NT or Unix server with remote access server software and four analog modems. If the system is set up with digital incoming lines, four ISDN terminal adapters would be required. The difference in price for ISDN is about twice that of the modem solution, including terminal adapters on both ends; however, the speed is much greater (up to 128K-bps).

With a virtual private network, the organization needs access equipment for the remote connections and the central office. The central office would most likely dial in over ISDN to an ISP, thus needing an ISDN terminal adapter or router such as the Digiboard Datafire, Motorola Bitsurfr, or Cisco 1000 ISDN router. The remote connections could have either ISDN terminal adapters or analog modems to connect to their ISPs. The central office would still require a Windows NT server to run PPTP or the AltaVista Tunnel Workgroup server. However, if PPTP is run on the ISP's dial-up access equipment, the Windows NT server would not be needed. Unless being used for multiple services or a heavy VPN load, the Windows NT server can be as bare bones as the operating system will allow. A Pentium 100 with 32 MB of RAM could serve the needs of 20 remote VPN clients.

Network administrator issues

With remote access, a network administrator faces several challenges to keep the system running and to provide support to its users. Modem connections are buggy at best, experiencing regular problems with modem compatibility (i.e., getting two modems to talk to one another), the quality of phone lines, and general end-user problems. The small setup described in this scenario should not have many problems, but some will occur. The network administrator should expect to spend 10 to 20 hours a month on end-user support, general maintenance of the remote access system, and general administration of the remote access server.

A virtual private network also has its host of administrative nightmares. The two primary concerns of the administrator are security and dealing with the ISP. We've covered most of the ISP issues in the previous "Telco needs" section. Security is a bigger problem. In order to maintain the integrity of the private network, the network administrator will have to monitor the VPN systems logs, error reports, and other documentation very closely. Users must be trained extensively in security issues, such as password and digital key integrity, confidential information procedures, and other common security issues. The main anxiety for the systems administrator is that the entire Internet's host of criminals looking for a challenge will have a shot at your private network. There is nothing to say except that these people will try to break in to your system, but common sense and precautions will save your private network from being an easy target.

Upgrade path

Remote access sites are a lot of work to upgrade. More modems or ISDN terminal adapters, more phone lines, and a larger and faster server are required as the number of end users reaches 10 to 20. Eventually, the remote access site might require an ISDN PRI, which is a T1 line provisioned for 23 incoming ISDN or analog channels. With a PRI, the remote access site would require some sort of remote access server, such as an Ascend 4004 or a US Robotics Total Control server. Both of these, as well as other products, can handle multiple incoming PRIs and take both digital and analog connections simultaneously. With this sort of server, you can re-assign your Windows NT remote access server to other duties, as it is no longer needed.

A VPN's upgrade is much simpler, but requires more thought about usage and bandwidth. With a VPN, the remote access site need only increase its bandwidth to its ISP and upgrade its VPN server. The AltaVista Tunnel Workgroup server software runs on a graduated scale, whereby the site gets a certain number of simultaneous connections with a certain server package. As the number of users crosses this threshold, the system administrator must upgrade the software to a version that accepts more connections. PPTP is not so picky, and as stated before, doesn't even need to run on the site's server. Network administrators should begin considering remote access upgrades when the number of VPN users on a 128K-bps ISDN connection exceeds 20 simultaneous connections. Virtual private networks are by their nature slower than other Internet services, as the software does a lot of encryption and decryption on the fly. Users will begin to complain more loudly when they are unable to transfer data at about one half their capacity (thus 14.4K-bps for a 28.8K-bps user). The next step up from ISDN is a fractional T1 connection to the ISP. See the section "Central Office to Multiple Remote Office Connections," for cost considerations associated with this type of connection.

Large Site Breakdown

Figure 3-5 shows a slightly larger organization configured for remote access on the left and a virtual private network on the right. The remote access site in the left panel can support up to 23 dedicated or 40 to 50 on-demand analog or digital users. All connections to the central network are managed by the remote access hub. The VPN in the right panel can handle about the same amount of users with lower costs, especially in equipment, management, and line charges. The main changes from the small and medium cases are the additions of lines, equipment, and personnel to manage both. With a VPN, a high-speed connection to the ISP for the central office is essential. Equally essential is to settle on a single ISP for the whole organization. You want to take extra care to reduce the points of contact (and points of failure) on the ISP connection. If several different ISPs provided service to a widely spread organization, the problems would multiply and merge together, giving the network administrators fits when troubleshooting.

Figure 3-5. Alternatives for a large site. (Figure: left, a central network with a remote access hub on an ISDN PRI channelized for up to 23 digital or analog connections, serving remote users and networks on dedicated or on-demand digital or analog dial-up via modem or ISDN/frame relay router; right, a central network with a VPN server and a router with T1 connections to a local ISP. Remote users have the same options and require the same equipment as the remote access users; however, they would connect to a local ISP.)

Telco needs

A remote access site of this size requires at least a one to five ratio of lines to users. In Figure 3-5, several remote networks are connected via a dedicated line. These lines, obviously, would have to be sanctioned only for use by that network, and in most cases stay connected 24 hours a day.

The example network has about 75 users of the system and 25 incoming lines. Two of these lines are dedicated ISDN connections for nearby branch offices, and are connected 24 hours a day. The remaining lines are carried on a digital primary rate ISDN line, which allows for 23 analog and/or digital connections simultaneously. The only other addition to the telecommunications puzzle piece is an 800 access line for roving users. Though this is an expensive route, an 800 number is still cheaper than a long distance call for traveling users of the system.

With the VPN, the minimum connection to an ISP is a T1 line. The T1 is connected to a large national Internet service provider, such as BBN Planet or Sprint. Connecting through such a large ISP may be more costly, but it will save the system administrator headache time when there is a problem. National ISPs tend to have better support and some sort of notification system when problems are anticipated or emergencies arise. Another benefit of staying with a national ISP is the availability of service for all users and remote sites. Most national ISPs also offer other Internet services such as modem or ISDN dial-up. This allows the organization to standardize on an Internet carrier, and thus have a single point of contact. For the remote offices, an ISDN connection to the ISP is required, though it need not be a dedicated connection unless the site's network is large or has an around-the-clock need for a constant connection to the main office or the Internet. The individual users have a choice of either modem or ISDN dial-ups, as the individual need requires.

Equipment required

With an incoming T1 PRI line, the central office needs a remote access hub. Such hubs, like the Total Control Access Hub by U.S. Robotics or the 4004 by Ascend Communications, are designed to handle incoming lines like these. This type of equipment also offers the network administrator the convenience of administration tools such as SNMP monitoring of network usage, as well as capacity and user account management options lacking in a home-grown or smaller solution. Modems and ISDN adapters are built in and upgradable, removing the hassle of maintaining racks of modems, or ISDN TAs, or routers. In addition, access hubs can handle multiple incoming T1s, making upgrading incoming capacity easier and more affordable.

Other equipment you'll want for such a setup includes an SNMP workstation or server and an accounts management server (which could be on the same computer). Accounting for users via logs, databases, and other data will assist the administrator greatly in tracking usage, troubleshooting problems, and generally keeping all the users, sites, and networks in order.

The central office in the VPN scenario looks very similar to the previous section "Central Office to Multiple Remote Office Connections" among our earlier WAN solutions. The central office needs a T1 CSU/DSU and a Cisco 2501, with appropriate software. Each connecting site needs appropriate hardware to connect to their ISP, such as a general class Internet Protocol (IP) router.

Network administrator issues

A medium-sized remote access network is a nightmare for a system administrator; just ask any Internet service provider. With multiple and varied connection types, user profiles, and unplanned incidents, you'll need a full-time staff dedicated just to administering the remote access network. The remote access staff should be responsible for supporting users, managing accounts and the capacity of the network, and coordinating communications, upgrades, and maintenance. Remote networks certainly require a network administrator who maintains the dial-up or dedicated connection to the central office and acts as a liaison between the end users on that network and the support staff at the central office.

With the VPN, most of the network administrator's support functions are reduced because the ISP maintains this role. A small administration staff should be able to support a VPN of up to 200 users. The network administrator's main job is to monitor the central office's connection to its ISP. The ISP should maintain the rest. Of course, account management and security are still the big issues for the administrator, and approximately 30 hours a month should be earmarked for this task.
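Both the small-site "Network administrator issues" passage (monitor the VPN system logs closely, watch password and key integrity) and the large-site "Equipment required" passage (account for users via logs and databases to track usage and troubleshoot) come down to reading the VPN server's logs methodically. The Python below is an added example of mine, not code from the book, the AltaVista Tunnel, or any PPTP server: it parses a constructed log format (the real products' formats differ), builds per-user session accounting, and raises an alert when one user/source pair fails authentication repeatedly inside a short window. The threshold, window, and sample lines are all assumptions.

```python
# Added example (not from the book): session accounting and failed-login
# detection over VPN server log lines.  The line format below is constructed
# for this example; substitute the real server's format in LINE_RE.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, event, user, client address, bytes on end.
SAMPLE_LOG = """\
1998-03-02T08:01:10 AUTH_OK user=jguy ip=10.1.1.5
1998-03-02T08:01:12 SESSION_START user=jguy ip=10.1.1.5
1998-03-02T08:40:02 SESSION_END user=jguy ip=10.1.1.5 bytes=5242880
1998-03-02T09:10:00 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T09:10:03 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T09:10:05 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T09:10:08 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T09:10:11 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T09:10:30 AUTH_FAIL user=admin ip=192.0.2.44
1998-03-02T11:00:00 AUTH_OK user=mbrown ip=10.1.2.9
1998-03-02T11:00:01 SESSION_START user=mbrown ip=10.1.2.9
1998-03-02T11:30:01 SESSION_END user=mbrown ip=10.1.2.9 bytes=1048576
1998-03-02T13:00:00 AUTH_FAIL user=jguy ip=10.1.1.5
1998-03-02T13:00:20 AUTH_OK user=jguy ip=10.1.1.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


def parse_log(text):
    """Parse log lines into dicts.  Unparseable lines are skipped but counted,
    because a log that suddenly stops parsing is itself worth noticing."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
        records.append(rec)
    return records, skipped


def usage_accounting(records):
    """Per-user session count, minutes connected, and bytes transferred,
    pairing each SESSION_END with the open SESSION_START for the same user/ip."""
    open_sessions = {}
    totals = defaultdict(lambda: {"sessions": 0, "minutes": 0.0, "bytes": 0})
    for rec in records:
        key = (rec["user"], rec["ip"])
        if rec["event"] == "SESSION_START":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "SESSION_END" and key in open_sessions:
            started = open_sessions.pop(key)
            t = totals[rec["user"]]
            t["sessions"] += 1
            t["minutes"] += (rec["ts"] - started).total_seconds() / 60.0
            t["bytes"] += rec["bytes"]
    return dict(totals)


def failed_auth_bursts(records, threshold=5, window_seconds=300):
    """Flag user/ip pairs with at least `threshold` AUTH_FAIL events inside any
    `window_seconds` span (threshold and window are assumed values)."""
    fails = defaultdict(list)
    for rec in records:
        if rec["event"] == "AUTH_FAIL":
            fails[(rec["user"], rec["ip"])].append(rec["ts"])
    alerts = []
    for (user, ip), times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"user": user, "ip": ip, "count": j - i + 1,
                               "first": times[i], "last": times[j]})
                break  # one alert per pair is enough for the report
    return alerts


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {skipped} skipped")
    for user, t in usage_accounting(recs).items():
        print(f"{user:8s} sessions={t['sessions']} minutes={t['minutes']:.1f} bytes={t['bytes']}")
    for a in failed_auth_bursts(recs):
        print(f"ALERT {a['user']}@{a['ip']}: {a['count']} failures {a['first']} .. {a['last']}")
```

The single failure followed by a success for jguy is left alone, which is the behaviour you want for a mistyped password; the burst against the admin account from an outside address is what the monitoring routine described in the text is meant to surface, and the accounting totals are the raw material for the usage tracking the large-site equipment passage calls for.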

Upgrade path

With either the remote access solution or the VPN, upgrading the system to support more than 200 users should warrant careful consideration. A remote access site for 200 users is very complex, and requires a dedicated section of a given business to ensure that all users, equipment, and lines are properly supported. At this point, the organization should consider outsourcing the entire operation to a company that specializes in such solutions. If the organization is non-technical, management should consider outsourcing even before the site grows to 200 users. The benefit and convenience of having remote network access are overshadowed by the ever growing costs. These are greatly reduced by outsourcing.

A VPN has the initial benefit of a reduced cost to start up. But as it grows, other "soft" costs come into play, such as higher bandwidth needs to the ISP, equipment, and VPN software upgrades. In addition, the size of the staff needed to support and maintain the various systems and train and support the end users grows exponentially. The system administrator should consider a hybrid system, as described in the next section, when the time to upgrade approaches.


The Hybrid System

The hybrid system is a combination of a WAN or remote access system and a virtual private network. In most cases, the VPN replaces the WAN or remote access option. For instance, an organization may have an outdated remote access system but maintain a significant investment in a stable wide-area network. As the VPN is implemented, the remote access system is phased out, leaving several sites still connected via the WAN and others via a VPN. This scenario could occur at any scale, as the VPN is such a new phenomenon. But for the large organization, the hybrid is the best bet to preserve both versatility and stability.

Needs

A hybrid system requires an extensive full-time staff dedicated to the support of remote networks and users and the maintenance of the various connections. Again, as stressed in the previous section, "Upgrade path," resources might be used more effectively by selecting an outsource vendor, particularly if the organization is not technology based. However, if the organization chooses to keep control of the WAN/Remote Access system, the hybrid system will work most effectively. How the administrator equips, staffs, and maintains a hybrid system is identical to the WAN, remote access, or VPN solution, depending on a small, medium, or large number of users on each. In this way, staff, equipment, and lines can be used for multiple purposes, reducing overhead and creating a redundant system. Likewise, there is a built-in fail-safe plan that backs up one system with another. Should the WAN or remote access system experience recurring or long-term problems, sites that use the WAN could switch to the VPN in the interim. And, as stated above, the VPN could be an upgrade solution that is gradually introduced into an organization's system without disrupting normal operation of the network.

Cost Comparison Chart

Okay, we said we wouldn't show any hard costs in this chapter, and we fully intended not to. However, the editor vetoed that proposition. So, Table 3-1 displays a cost comparison chart that gives a very round figure for each category of each of the solutions detailed in this chapter. The telecommunications lines are in monthly recurring figures. Staffing represents a percentage of a network administrator's, or a network staff's, time spent on that aspect of their job. Hardware prices are a one-time charge.


Table 3-1. Cost Comparison Chart for WAN, Remote Access, and VPN Sites

Small to Medium Site    WAN          Remote Access    VPN
  Telco lines           $200/mo      $500/mo          $200/mo
  Equipment             $1200        $5000            $1200
  Sys admin             $1250/mo     $1250/mo         [illegible]/mo

Large Site              WAN          Remote Access    VPN
  Telco lines           $7-10K/mo    $10K/mo          $5K/mo
  Equipment             $100K        $80K             $10K
  Sys admin             $25K/mo      $25K/mo          $12.5K/mo

Chapter 4: A VPN Scenario

In this chapter:
• The Topology
• Central Office
• Large Branch Office
• Small Branch Offices
• Remote Access Users
• A Network Diagram

If you haven't gotten enough of the virtual private network yet, this chapter will cover a real, live, up and running VPN. We've covered the theory and some general cost-to-benefit analysis, and now we move on to some actual products, working in a production environment. Though we have used specific products here like Ascend and Cisco, you will find in later chapters of this book that other solutions just may better fit your enterprise. In other words, this VPN chapter isn't law, it's an example.

The Topology

We'll call the company in this case study Immediate PC. It manufactures and sells computer parts and peripherals. About a year ago, Immediate PC made the commitment to standardize its network communications between its various sites over the Internet. Naturally, their main concerns were security, cost, and reliability.

Communication needs at Immediate PC are like those at most companies. Sales agents in the field must communicate with manufacturing managers at the factories to order and ensure production of needed stock. The retail store arm of the company also communicates with shipping, manufacturing, and several other departments on a daily basis. Various factories and other divisions across the country must send and obtain data to keep their operations flowing.

Several different platforms and networking protocols are used at various levels of the organization. The main corporate network is comprised of Windows NT servers and Windows NT or Windows 95 workstations. Additionally, there are several Unix servers of various flavors. Remote access users use a variety of operating systems, and a few departments within the main corporate networks use Macintosh systems.

Without the Internet, the flow of data and the cost associated with private lines and dial-up access were crippling operations and losing profits. Having decided to use advanced technology to remedy the situation, Immediate PC migrated gradually from private lines and remote access to a controlled use of the Internet. Research, training, and various levels of approval preceded the move to virtual private networks. After this move, the company reduced the cost of network communication and resolved several communications problems.

What emerged was the virtual private network detailed in the network diagram at the end of this chapter. The chosen architecture links a central corporate office with various remote offices, large and small, in addition to a gaggle of remote access users. The following sections detail what was needed in connections to the Internet (the natural source of information about products and operations), equipment, software, and virtual private network solutions.

Central Office

Security at this center is critical. Besides the VPN, several other Internet services are centralized here, including the corporate web, email, and FTP servers. The company web-based Intranet is also centralized at the main office.

Network Connections

The central office maintains two T1 connections through two separate national Internet providers. This provides redundancy and gives other connecting sites a variety of network paths over which they can reach the central office. The T1 connections allow enough bandwidth for all sites to connect to the central network with adequate response time over the VPN, in addition to supporting these other services.

Hardware and Operating System

Routing traffic from the T1, the company has a Cisco 4500 Internet router. This is a robust and expandable router that can handle up to four T1s for a large network. Likewise, it can encapsulate and route a variety of protocols, from IP to AppleTalk. For broad coverage of VPN solutions, the main office is running Windows NT PPTP and AltaVista Tunnel servers, separately. Secondarily, there is a Unix server and an Ascend MAX remote access hub, both running PPTP.

VPN Package

The central office must run three VPN servers to give their connecting networks a variety of solutions. The large branch offices require a stable and fast high-bandwidth network-to-network VPN. For this task, the Cisco PIX firewall was chosen. In addition to being a robust firewall solution, the PIX enables the various large networks to encrypt data traffic from one network to the other. This, combined with the routing power of the Cisco routers, allows each network a variety of protocols, while maintaining a secure connection. The AltaVista Tunnel would not have the bandwidth for the central office's needs, though it can support smaller branch offices. Other remote users dialing in either to the Internet or one of the branch offices are using PPTP.

Large Branch Office

Other Internet services are maintained at some of these offices, such as web and FTP servers.

Connection

Large branch offices around the country are connected to the Internet via fractional T1 or full T1, depending on the size of their networks and the level of network activity. Their network connections are through one of the two national providers that connect the central office to the Internet. This allows for a faster connection to the central office. This strategy will lessen the amount of "hops" necessary to reach corporate office Internet connections.

Hardware and Operating System

A Cisco 2500 router is needed to support fractional to full T1 connections for these networks. Sites that use either PPTP or the AltaVista Tunnel maintain a Windows NT or Unix server for users who dial in and for smaller networks.

VPN Package

The Cisco PIX Firewall is implemented at these locations for connections to the central office and to provide network security against Internet-based attacks. These branch offices also use either the AltaVista Tunnel or PPTP for their remote access users, and for incoming connections from the small branch offices. Users run the AltaVista Tunnel client or PPTP client on their Windows NT or Windows 95 workstations.

Small Branch Offices

These sites host very few resources to share—certainly not major web pages that are expected to get lots of hits—but they need continuous and reliable access to the larger offices.

Connection

The smaller branch offices maintain either dedicated or dynamic ISDN connections to their Internet service providers. Some offices use the same national service provider as the corporate office, while others use providers who maintain upstream connections through the same networks as the corporate office. Though this does not affect the basic functionality of the VPN, it does increase the speed and reliability of the connection between sites.

Hardware and Operating System

Small branch offices use the Ascend Pipeline 50 ISDN router for their Internet connection. The Ascend supports PPTP, and routes Internet traffic for up to 255 IP addresses. A Windows NT or Unix server is utilized at each site to validate incoming PPTP or AltaVista Tunnel users and to connect to the VPN.

VPN Package

Either PPTP or the AltaVista Tunnel server and client are used at each site for accessing the VPN. The preference for either solution is left up to the IT department at each site, as needed. Since the AltaVista Tunnel has some platform limitations, some sites that run MacOS or some unsupported version of Unix use PPTP. Those sites running AltaVista use either BSD/OS Unix servers or Windows NT servers to establish tunnel connections.

Remote Access Users

Remote access users include those on the road or those working off-site.

Connection

A variety of connection methods are used, from ISDN to analog phone lines and modems. Again, the best scenario is to have all remote access users connect through the same national provider as the rest of the corporate network or through a provider who is on the same network.

Hardware and Operating System

Individual users can have a variety of platforms, from Windows NT or Windows 95 workstations to Unix to MacOS. ISDN routers, terminal adapters, or analog modems could all be in use.

VPN Package

Either the PPTP client or the AltaVista Tunnel client could be used by end users to access the VPN. Since the central office supports both solutions, the remote access user would choose one of the two based on supported platform and/or personal preference.

A Network Diagram

Figure 4-1 shows connections from the Internet to the central office, to a large office, a small office, and a remote user. It is important to note the flow of traffic throughout the VPN. PPTP and the AltaVista Tunnel both validate incoming traffic. This encrypted traffic passes through interposing firewalls and is relayed directly to the PPTP or AltaVista Tunnel server. The traffic is then routed to the desired internal network node. The Cisco PIX firewall, on the other hand, immediately directs authorized traffic to the network and thus provides a faster backbone for the VPN.

Regardless of the need or resources available, if your enterprise requires secure network connections over the Internet, there is a solution available. The remainder of this book details the three solutions alluded to in this chapter: Cisco PIX, the AltaVista Tunnel, and PPTP.

[Figure 4-1 is a network diagram; only its labels survive the scan. Key: AltaVista, Cisco, PPTP. Small Branch Network: Ascend Pipeline 50, AltaVista Tunnel or PPTP Server, 128Kbps link to Internet Provider B. Remote Access User: running AltaVista or PPTP client, via Internet Provider B. Large Branch Office: Fractional T1, Cisco 2500, Cisco PIX Firewall, AltaVista Tunnel Server, PPTP Server. Central office: two Full T1 links to Internet Provider A and Internet Provider B, Cisco 4500, Cisco PIX Firewall, PPTP Server, AltaVista Tunnel Server. The Internet sits between all of the sites.]

Figure 4-1. VPN hardware, software, and protocols

Chapter 5: Implementing the Point-to-Point Tunneling Protocol

In this chapter:
• How PPTP Works
• Advantages of PPTP
• Limitations of PPTP

The Point-to-Point Tunneling Protocol (PPTP) was developed jointly by engineers from Ascend Communications, U.S. Robotics, 3Com Corporation, Microsoft Corporation, and ECI Telematics to provide a virtual private network between remote access users and network servers. In this chapter, we will discuss the functionality of PPTP and how it might fit into certain virtual private network scenarios. In Chapter 6, Configuring and Testing PPTP Connections, we'll take the knowledge we gain here and apply it to setting up a VPN using PPTP.

The companies that created PPTP banded together to form the PPTP Forum. At the same time that the PPTP Forum was formalizing their specification, Cisco was independently developing the Layer 2 Forwarding protocol (L2F). Working with the Internet Engineering Task Force, the PPTP Forum and Cisco set aside their differences to create the Internet draft specification for the Level 2 Tunneling Protocol (L2TP), a new core protocol that combines the best features of PPTP and L2F, and allows them to interoperate; this allows network administrators to deploy either or both without worrying about integration. As this new standard emerges, it should be easy to upgrade PPTP to L2TP, and the configuration should be very similar.

PPTP is available on currently shipping versions of Windows NT Server 4.0 and Windows NT Workstation 4.0 as part of Remote Access Services (RAS), NT's dial-up networking software. Microsoft's PPTP support for Windows 95 is included in their Dial-Up Networking Upgrade Version 1.2. Microsoft has also released LAN-to-LAN PPTP in their "Routing and Remote Access" software (code named "Stronghold"). The first MacOS PPTP client was announced in April 1997 by Network TeleSystems (http://www.nts.com). Called TunnelBuilder, it offers full PPTP support, including NT domain login, data encryption, and connections for Windows NT, and costs $99 per copy. Network TeleSystems (NTS) will also be releasing TunnelBuilder for Windows 95, Windows for Workgroups, and Windows 3.1 systems in May of 1997. Since Microsoft doesn't plan on supporting PPTP on down-level versions of Windows, this allows users with legacy systems to run PPTP.

There are also a number of hardware devices that support PPTP out of the box. These devices are known alternatively as remote access servers, remote hubs, terminal servers, and remote access switches. In this chapter, we'll refer to them simply as remote access switches, because that term is prevalent in the industry and best describes what they do. There are a number of remote access switches that support PPTP, among them Ascend's MAX line, the 3Com/U.S. Robotics Total Control line, and ECI Telematics' Nevada. These are typical brands used in ISP points-of-presence and corporate networks to terminate modem and ISDN calls. PPTP is included as part of all of these products free of charge—no additional activation fees are required.

How PPTP Works

Tunneling protocols essentially make square pegs fit into round holes. Imagine you have a round pipe and you want to send a cube through it. If you try, the cube is just going to get stuck, or isn't going to fit at all. The way to get around this is to encapsulate the cube within a sphere, then send it through the pipe. In other words, you take something that your transport medium can't work with, and package it within something it can. All computer networking works this way, in one fashion or another.

As a tunneling protocol, PPTP encapsulates network protocol datagrams within an IP envelope. After the packet is encapsulated, any router or machine that encounters it from that point on will treat it as an IP packet. The benefit of IP encapsulation is that it allows many different protocols to be routed across an IP-only medium, such as the Internet.

The first thing to understand about PPTP is that it revolves around Microsoft RAS for Windows NT. RAS allows a network administrator to set up a Windows NT server with a modem bank as a dial-in point for remote users. Authentication for the RAS users takes place on the NT server, and a network session is set up using the PPP protocol. Through the PPP connection, all of the protocols allowed by RAS can be transported: TCP/IP, NetBEUI, and IPX/SPX. To the RAS users it appears as though they're directly connected to the corporate LAN; they notice no difference between RAS through direct dial-in and RAS over the Internet.

PPTP was designed to allow users to connect to a RAS server from any point on the Internet, and still have the same authentication, encryption, and corporate LAN access they'd have from dialing directly into it. Instead of dialing into a modem connected to the RAS server, the end users dial into their ISPs and use PPTP to set up a "call" to the server over the Internet. PPTP and RAS use authentication and encryption methods to create a virtual private network. There are two common scenarios for this type of VPN: in the first, a remote user is dialing into an ISP with a PPTP-enabled remote access switch that connects to the RAS server; in the second, the user is connecting to an ISP that doesn't offer PPTP, and must initiate the PPTP connection on their client machine.

Dialing into an ISP that Supports PPTP

Dialing into an ISP that supports PPTP requires three things:

• The network with which you want to establish a VPN must have a PPTP-enabled Windows NT 4.0 RAS server. By "PPTP-enabled" we mean that the PPTP protocol is installed, and there are VPN dial-up ports set up in RAS. The server must also be accessible from the Internet.

• Your ISP must use a remote access switch that supports PPTP, such as an Ascend MAX 4004 or U.S. Robotics Total Control Enterprise Network Hub. (Together, these two products make up a significant portion of the ISP dial-up hardware market.)

• Your ISP has to have decided to actually offer the service to users, and must enable PPTP for it.

In the first example, the central corporate office in Denver has set up a Windows NT 4.0 server running PPTP and RAS. A sales manager named Sara N. is at a conference in Atlanta, and wants to dial into the corporate network to check her email and copy a presentation from her desktop machine. Her remote system is a Windows 95 laptop computer with a 28.8Kbps modem. She's obviously out of the local dialing area of her office, but has an account through a national ISP that supports PPTP through their U.S. Robotics remote access switches. The ISP was told the IP address of the RAS server at Sara N.'s corporate office, 204.96.12.60, and has added it to her user profile. When the sales manager dials into her PPTP-enabled ISP, the following events occur:

1. Sara N. initiates a call into her ISP's POP using Microsoft's Dial-Up Networking. She logs in with her username, "saran." Doing so starts a PPTP session between the ISP's remote access switch and the corporate office's NT RAS server, whose IP address is specified in Sara N.'s user profile as 204.96.12.60.

2. Sara N.'s PPP session is tunneled through the PPTP stream, and the NT server authenticates her username and password and starts her PPP session. Essentially, this all takes place just as if she were dialing into the RAS server via a directly connected modem.

3. The PPTP session can then tunnel the protocols that dial-up users are allowed to use. In Sara N.'s case, TCP/IP is one of those protocols, and the NT RAS server assigns her machine the internal corporate IP address of 204.96.12.129.

Looking at Figure 5-1, you can also follow these events and see where the client's original Point-to-Point Protocol (PPP) session is encapsulated by the PPTP tunnel. This figure is a simplified version of what the actual topology looks like—routers at the ISP and corporate LAN, for instance, have been removed.

[Figure 5-1 labels: Remote User "saran" -> PPP Call -> ISP Remote Access Switch (w/PPTP) -> PPTP Call -> RAS Server (PPTP-Enabled) -> Corporate LAN]

Figure 5-1. Dialing into an ISP that supports PPTP

Once the PPTP call is completed and the sales manager is authenticated, she has access to the corporate network as if she were on the LAN. She can then check her email and access files on her desktop machine using file sharing.


Dialing into an ISP that Doesn't Support PPTP

In order for an ISP to support PPTP, they must be using one of the remote access switches we mentioned at the beginning of this chapter. Not every ISP uses those brands of remote access switches, and some don't use these devices at all. Instead they might use some other terminal server device, or modems connected to a multiport serial card in a Unix system. Others might have the appropriate hardware, but choose not to implement PPTP because they don't want to be forced to do technical support for tunneled connections. Whatever the reason, there's a chance that your ISP may not offer PPTP; however, that doesn't mean that you can't use it.

This scenario requires two things: first, you again need to have a Windows NT 4.0 RAS server with PPTP installed on your network, and it must be accessible from the Internet; second, your Windows NT or 95 client machine must have the PPTP protocol and Dial-Up Networking installed. We'll use Sara N. for this example as well. This time, however, she's dialing into an ISP that doesn't support PPTP. In addition, she's running Windows NT 4.0 on her laptop computer for Sara's trip—PPTP for Windows 95 isn't yet available (as of this writing). The sequence of events for a tunneling session with a non-PPTP-enabled provider is as follows:

1. Sara dials into her ISP using a dial-up networking profile for her account and establishes a standard PPP connection.

2. After the PPP connection has been made, Sara uses Dial-Up Networking again to "dial" into the PPTP RAS server at the corporate office. In this dial-up profile, however, she puts the IP address of the RAS server, 204.96.12.60, in the phone number field, and selects the dial device to be a VPN port set up through Dial-Up Networking (we'll explain how to set this up in Chapter 6).

3. A PPTP connection to the RAS server is made through Sara's PPP connection, over the Internet. The RAS server then logs her into the corporate network using the username and password she supplied. The RAS server assigns her the internal IP address of 204.96.12.129, and she is then granted access to the corporate network.

Figure 5-2 shows you how the second PPTP call is encapsulated through the initial PPP connection to the ISP. Again, once the PPTP connection is made, Sara N. will have access to the corporate LAN just as if she were connected to it via a network card or dial-up RAS connection.

[Figure 5-2 labels: Remote User "saran" -> PPP Call -> ISP Remote Access Switch (without PPTP) -> Internet -> PPTP Call -> RAS Server (PPTP-Enabled) -> Corporate LAN]

Figure 5-2. An ISP that doesn't support PPTP and connection to a corporate RAS server

Where PPTP Fits into Our Scenario

In Figure 5-3 we have a representation of a corporate office network with a T1 connection to the Internet. The router that connects to the Internet is also a packet-filtration firewall. User Sara N. wants to check her corporate email, and is dialing into her ISP, which is using a PPTP-enabled remote access switch. After she connects to the switch, it starts a PPTP call to the RAS server specified in her user profile. A lighter line extends the PPTP session back to the client, rather than just to the remote access switch. Sara uses this line when she has to dial into an ISP that doesn't support PPTP, and initiate the PPTP session on her workstation with a second RAS call.


[Figure 5-3 labels: Remote User "saran" (PPTP continues to client if ISP doesn't support it) -> PPP Dial-up -> ISP Remote Access Switch (w/PPTP) -> Internet -> T1 Line -> Router & Firewall -> Corporate LAN, with the Windows NT 4.0 RAS Server with PPTP and the email Server on the LAN; the remote user's assigned address 204.96.12.129 (assigned by RAS) and the LAN addresses 204.96.12.1 and 204.96.12.25 appear in the figure. The whole path is marked "Virtual Private Network".]

Figure 5-3. A full diagram of a PPTP connection over the Internet

On the corporate router and firewall, the TCP/IP port on which PPTP creates a socket (1723) must be open to both inbound and outbound traffic. If the rest of the network is protected by a firewall that disallows inbound and outbound Internet traffic, then a single point of entry to the LAN is established, which is protected by the user-based authentication.


Dissecting a PPTP Packet

The PPTP encapsulation technique is based on another Internet standard called the Generic Routing Encapsulation (GRE) protocol, which can be used to tunnel protocols over the Internet (if you're interested, see RFCs 1701 and 1702). The PPTP version, known as GREv2, adds extensions for specific features such as Call ID and connection speed.

A PPTP packet is made up of a delivery header, an IP header, a GREv2 header, and the payload packet. The delivery header is the framing protocol for whatever medium the packet is traveling over, whether it's Ethernet, frame relay, or PPP. The IP header contains information essential to the IP datagram, such as the packet length and the source and destination addresses. The GREv2 header contains information on the type of packet encapsulated, as well as PPTP-specific data that pertains to the connection between the client and server. Finally, the payload packet is the encapsulated datagram itself. In the case of PPP, this datagram is the original PPP session data that is sent between the client and server, and within it can be IP, IPX, or NetBEUI packets. Figure 5-4 illustrates the layers of PPTP encapsulation.

[Delivery Header] [IP Header] [GREv2 Header] [Payload Datagram]

Figure 5-4. The four layers of a PPTP packet being transported across the Internet

The encapsulation process

The encapsulation process for a user dialing into an ISP that supports PPTP is as follows:

1. The user dials into the ISP's remote access switch using PPP. Between the client and the remote access switch flow PPP packets that are surrounded by PPP protocol-specific frames being delivered.

2. At the switch, the media-specific frames are stripped away, and the call triggers the remote access switch to open up a PPTP tunneling session over the Internet between itself and the PPTP-enabled NT RAS server specified in the user's profile. The remote access switch encapsulates the PPP payload packet within a GREv2 header, then an IP header. Finally, it receives a delivery header before going out of the switch. Throughout the packet's journey, the delivery header may change depending on the type of media the packet is being sent over. For instance, it may go from Ethernet, to frame relay, to Ethernet again, to PPP over ISDN, and to Ethernet yet again before finally reaching its destination at the RAS server.

3. The RAS server treats the incoming PPTP connection as an incoming PPP client modem call. It strips off the delivery header, the IP header, and the GREv2 header from the payload packet. It then handles the PPP connection as if the user were coming in over the modem through which it normally would. The RAS server validates the client using whatever authentication method is required on the RAS server: Microsoft encrypted authentication, encrypted authentication, or any authentication type (including clear text).

4. Before packets from the client reach the LAN, PPP framing is removed from the enclosed IP, NetBEUI, or IPX datagrams.

Figure 5-5 is a diagram of those protocol layers that are active during each portion of the connection for dialing into ISPs that support PPTP.
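The four layers of Figure 5-4 and the strip-off in step 3 above, as an added example that is not code from the book: Python that builds a PPTP data frame layer by layer and then dissects it, validating each header before peeling it. The GREv2 layout used here (flag bits, protocol type 0x880B for PPP, the key field split into payload length and Call ID, optional sequence and acknowledgment numbers, version 1) is the enhanced GRE header of the PPTP specification. The MAC addresses, the ISP-side address 192.0.2.10 and the PPP payload bytes are constructed; 204.96.12.60 is the RAS server address from the chapter.

```python
"""Build and dissect the four layers of a PPTP data packet (Figure 5-4):
delivery header (Ethernet II here), IP header, GREv2 header, PPP payload.
Added example; every byte below is constructed, none is captured traffic."""
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_GRE = 47          # GRE is IP protocol 47
GRE_PROTO_PPP = 0x880B    # GRE protocol-type value for a PPP payload
GRE_K = 0x20              # flag byte 0: key present (payload length + Call ID)
GRE_S = 0x10              # flag byte 0: sequence number present
GRE_A = 0x80              # flag byte 1: acknowledgment number present
GRE_VERSION = 1           # enhanced GRE version used by PPTP


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum of a 20-byte IP header.
    Over a header that already carries a correct checksum it returns 0."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_header(src: str, dst: str, total_len: int) -> bytes:
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, IPPROTO_GRE, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_grev2_header(call_id: int, payload_len: int,
                       seq: int = None, ack: int = None) -> bytes:
    flags0 = GRE_K | (GRE_S if seq is not None else 0)
    flags1 = (GRE_A if ack is not None else 0) | GRE_VERSION
    hdr = struct.pack("!BBHHH", flags0, flags1, GRE_PROTO_PPP, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr


def build_pptp_frame(src_mac, dst_mac, src_ip, dst_ip, call_id, ppp, seq=None, ack=None):
    gre = build_grev2_header(call_id, len(ppp), seq, ack)
    ip = build_ip_header(src_ip, dst_ip, 20 + len(gre) + len(ppp))
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP)   # delivery header
    return eth + ip + gre + ppp


def dissect_pptp_frame(frame: bytes) -> dict:
    """Peel the four layers off, validating each; ValueError on anything malformed."""
    # Layer 1: delivery header (14-byte Ethernet II)
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        raise ValueError("not an IP frame")
    ip = frame[14:]
    # Layer 2: IP header
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if vihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if proto != IPPROTO_GRE:
        raise ValueError("not a GRE datagram")
    if ip_checksum(ip[:20]) != 0:
        raise ValueError("bad IP header checksum")
    if total_len > len(ip) or total_len < 28:
        raise ValueError("truncated IP datagram")
    gre = ip[20:total_len]
    # Layer 3: GREv2 header
    flags0, flags1, ptype, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    if (flags1 & 0x07) != GRE_VERSION or ptype != GRE_PROTO_PPP or not flags0 & GRE_K:
        raise ValueError("not a PPTP GREv2 header")
    hdr_len = 8 + (4 if flags0 & GRE_S else 0) + (4 if flags1 & GRE_A else 0)
    if len(gre) < hdr_len:
        raise ValueError("truncated GREv2 header")
    off, seq, ack = 8, None, None
    if flags0 & GRE_S:
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags1 & GRE_A:
        ack = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    # Layer 4: payload datagram (the PPP frame)
    payload = gre[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload length field exceeds datagram")
    if payload[:2] == b"\xff\x03":          # HDLC address/control, if present
        payload = payload[2:]
    if len(payload) < 2:
        raise ValueError("PPP frame too short")
    ppp_proto = struct.unpack("!H", payload[:2])[0]
    return {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
            "ttl": ttl, "call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_proto, "ppp_data": payload[2:]}


# Constructed sample: 192.0.2.10 stands in for the ISP's remote access switch;
# 204.96.12.60 is the RAS server address used in the chapter.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"constructed IP datagram"   # PPP protocol 0x0021 = IPv4
SAMPLE_FRAME = build_pptp_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                                "192.0.2.10", "204.96.12.60", 7, SAMPLE_PPP, seq=42, ack=41)


def dissect_sample() -> dict:
    return dissect_pptp_frame(SAMPLE_FRAME)


if __name__ == "__main__":
    for key, value in dissect_sample().items():
        print(f"{key:13s} {value!r}")
```

Each check in dissect_pptp_frame corresponds to something the RAS server must decide before it trusts the inner PPP frame: the datagram really is GRE, the header checksum holds, the length fields do not reach past the bytes actually received, and the GRE header is the PPTP variant with a Call ID. A receiver that skipped the length checks would read past the end of a short packet, which is the kind of defect a defender wants a parser to refuse rather than tolerate.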

[Figure 5-5 is a diagram of the protocol layers active at the client, the ISP's remote access switch, and the RAS server during a PPTP connection; only the labels "Virtual Private Network" and "Client" survive the scan.]

Figure 5-5. Protocol layers active during each portion of a PPTP connection
It

standard versions available on most sys-

dis-

cusses how to select routing protocols and

tems.

how

hensive book ever written on sendmail.

to configure protcols to

common

1

mail Version 8.8 from Berkelev and the

a practical guide lo selling up and

maintaining a production network.

Networks

IP

This new edition of sendmail covers send-

situations.

esoteric but equally important issues Like

work equipment and vendors and how

handle most

also discusses less

It

how

the

sendmail

Although the book focuses on Cisco routers, and gives examples using Cisco's IOS. the principles discussed are

common

is

program

and away the most compre-

leam

to all IP

This



in

—and most

it's

one of the

a complete sendmail tutorial, plus extensive

One



Configuring



Connecting to external networks, and configuring exterior

common

on understanding sendmail; Part Two covers the

installation,

Evaluating equipment and vendors Selecting routing protocols

is

a

building,

and m-i configuration of sendmail; Part Three covers

practical issues in sendmail administration; Part

interior protocols (RIP, OSPF.

last

UNIX system administration.

book provides

tutorial

Designing an IP network



in

difficult utilities to

reference material on even aspect of the program. Part

Topics covered include:



networks, regardless of the vendor you choose.
EIGRP)
protocols (BGP)
to evaluate net-
to set up a help desk
Ongoing network management: troubleshooting and maintenance
Security and privacy issues

that acts like a traffic cop in routing and delivering mail on UNIX-based networks. Although used on almost every UNIX system, it is one of the great uncharted territories. Part Four is a comprehensive reference section; and Part Five consists of appendices and a bibliography. In this second edition an expanded tutorial demonstrates hub's cf and nullclient mc. Other new topics include the #error delivery agent, sendmail's exit values, MIME headers, and how to set up and use the user database, mailertable, and smrsh. Solution-oriented examples throughout the book help you solve your sendmail problems. This new edition is cross-referenced with section numbers.

sendmail Desktop Reference
By Bryan Costales & Eric Allman
1st Edition March 1997
74 pages, ISBN 1-56592-278-6
This quick-reference guide provides a complete overview of the latest version of sendmail (V8.8), from command-line switches to configuration commands, from options declarations to macro definitions, and from m4 features to debugging switches, all packed into a convenient, carry-around booklet co-authored by the creator of sendmail. Includes extensive cross-references to sendmail, second edition.

Virtual Private Networks
By Charlie Scott, Paul Wolfe & Mike Erwin
1st Edition February 1998
ISBN 1-56592-319-7
Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller folks had to make do with the relatively untrusted Internet. Nowadays, even large companies have to go outside their private nets, because so many people telecommute or log in while they're on the road. How do you provide a low-cost, secure electronic network for your organization? The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines, connections that can be easily used by anybody logging in from anywhere. This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and Unix, such as PPTP and L2TP, the AltaVista Tunnel, and the Cisco PIX Firewall.

O'REILLY
to order: 800-998-9938 • [email protected] • http://www.oreilly.com/
Our products are available at a bookstore or software store near you.
for information: 800-998-9938 • 707-829-0515 • [email protected]

Network Administration (continued)

DNS and BIND, 2nd Edition
By Paul Albitz & Cricket Liu
2nd Edition December 1996
438 pages, ISBN 1-56592-236-0
This book is a complete guide to the Internet's Domain Name System (DNS) and the Berkeley Internet Name Domain (BIND) software, the UNIX implementation of DNS. In this second edition, the authors continue to describe BIND version 4.8.3, which is included in most vendor implementations today. In addition, you'll find complete coverage of BIND 4.9.4, which will probably be adopted as the new standard in the near future. In addition to covering the basic motivation behind DNS and how to set up the BIND software, this book covers many more advanced topics, including using DNS and BIND on Windows NT systems; how to become a "parent" (i.e., how to "delegate" the ability to assign names to someone else); how to use DNS to set up mail forwarding correctly; debugging and troubleshooting; and programming. Assumes a basic knowledge of system administration and network management.

Networking Personal Computers with TCP/IP
By Craig Hunt
1st Edition July 1995
408 pages, ISBN 1-56592-123-2
This book offers practical information as well as detailed instructions for attaching PCs to a TCP/IP network and its UNIX servers. It discusses the challenges you'll face and offers general advice on how to deal with them, provides basic TCP/IP configuration information for some of the popular PC operating systems, covers advanced configuration topics and configuration of specific applications such as email, and includes a chapter on integrating Netware with TCP/IP.

TCP/IP Network Administration, 2nd Edition
By Craig Hunt
2nd Edition December 1997
630 pages, ISBN 1-56592-322-7
TCP/IP Network Administration, 2nd Edition, is a complete guide to setting up and running a TCP/IP network for administrators of networks of systems or lone home systems that access the Internet. It starts with the fundamentals: what the protocols do and how they work, how addresses and routing are used to move data through the network, and how to set up your network connection. Beyond basic setup, this new second edition discusses advanced routing protocols (RIPv2, OSPF, and BGP) and the gated software package that implements them. It contains a tutorial on configuring important network services, including PPP, SLIP, sendmail, Domain Name Service (DNS), BOOTP and DHCP configuration servers, some simple setups for NIS and NFS, and chapters on troubleshooting and security. In addition, this book is a command and syntax reference for several important packages including pppd, dip, gated, named, dhcpd, and sendmail. Covers Linux, BSD, and System V TCP/IP implementations.

Getting Connected: The Internet at 56K and Up
By Kevin Dowd
1st Edition June 1996
424 pages, ISBN 1-56592-154-2
A complete guide for businesses, schools, and other organizations who want to connect their computers to the Internet. This book covers everything you need to know to make informed decisions, from helping you figure out which services you really need to providing down-to-earth explanations and configuration instructions for telecommunication options at higher than modem speeds, such as frame relay, ISDN, and leased lines. Once you're online, it shows you how to set up basic Internet services, such as a World Wide Web server. Tackles issues for PC, Macintosh, and UNIX platforms.

Using & Managing PPP
By Andrew Sun
1st Edition March 1998 (est.)
400 pages (est.), ISBN 1-56592-321-9
Covers all aspects of PPP, including setting up dial-in servers, debugging, and PPP options. Also contains overviews of related areas, like serial communications, DNS setup, and routing.

Windows NT Administration

Windows NT in a Nutshell
By Eric Pearce
1st Edition June 1997
364 pages, ISBN 1-56592-251-4
Anyone who installs Windows NT, creates a user, or adds a printer is an NT system administrator (whether they realize it or not). This book features a new tagged callout approach to documenting the 4.0 GUI as well as real-life examples of command usage and strategies for problem solving, with an emphasis on networking. Windows NT in a Nutshell will be as useful to the single-system home user as it will be to the administrator of a 1,000-node corporate network.

Essential Windows NT System Administration
By Æleen Frisch
1st Edition February 1998
486 pages, ISBN 1-56592-274-3
By the author of O'Reilly's bestselling book, Essential System Administration, this book combines practical experience with technical expertise to help you manage Windows NT systems as productively as possible. It covers the standard utilities offered with the Windows NT operating system and from the Resource Kit, as well as the commercial and free third-party tools.

Windows NT Backup & Restore
By Jody Leber
1st Edition April 1998 (est.)
250 pages (est.), ISBN 1-56592-272-7
Beginning with the need for a workable recovery policy and ways to translate that policy into requirements, Windows NT Backup & Restore presents the reader with practical guidelines for setting up an effective backup system in both small and large environments. It covers the native NT utilities as well as major third-party hardware and software.

Windows NT User Administration
By Ashley J. Meggitt & Timothy D. Ritchey
1st Edition November 1997
218 pages, ISBN 1-56592-301-4
Many Windows NT books introduce you to a range of topics, but seldom do they give you enough information to master any one thing. This book (like other O'Reilly animal books) is different. Windows NT User Administration makes you an expert at creating users efficiently, controlling what they can do, limiting damage they can cause, and monitoring their activities on your system. Don't simply react to problems; use the techniques in this book to anticipate and prevent them.

Windows NT Server 4.0 for NetWare Administrators
By Robert Bruce Thompson
1st Edition November 1997
756 pages, ISBN 1-56592-280-8
This book provides a fast-track means for experienced NetWare administrators to build their knowledge and master the fundamentals of using the Microsoft Windows NT Server. The broad coverage of many aspects of Windows NT Server is balanced by a tightly focused approach of comparison, contrast, and differentiation between NetWare and NT features and methodologies.

Windows NT SNMP
By James D. Murray
1st Edition January 1998
464 pages, Includes CD-ROM, ISBN 1-56592-338-3
This book describes the implementation of SNMP (the Simple Network Management Protocol) on Windows NT 3.51 and 4.0 (with a look ahead to NT 5.0) and Windows 95 systems. It covers SNMP and network basics and detailed information on developing Windows NT SNMP management applications and extension agents. The book comes with a CD-ROM containing a wealth of additional information: standards documents, sample code from the book, and third-party SNMP-related software tools, libraries, and demos.

Windows NT Desktop Reference
By Æleen Frisch
1st Edition January 1998
64 pages, ISBN 1-56592-437-1
A hip-pocket quick reference to Windows NT commands, as well as the most useful commands from the Resource Kits. Commands are arranged in groups related to their purpose and function. Covers Windows NT 4.0.

System Administration

Essential System Administration, 2nd Edition
By Æleen Frisch
2nd Edition September 1995
788 pages, ISBN 1-56592-127-5
Thoroughly revised and updated for all major versions of UNIX, this second edition of Essential System Administration provides a compact, manageable introduction to the tasks faced by everyone responsible for a UNIX system. Whether you use a stand-alone UNIX system, routinely provide administrative support for a larger shared system, or just want an understanding of basic administrative functions, this book is for you. Offers expanded sections on networking, electronic mail, security, and kernel configuration.

termcap & terminfo
By John Strang, Linda Mui & Tim O'Reilly
3rd Edition April 1988
270 pages, ISBN 0-937175-22-6
For UNIX system administrators and programmers. This handbook provides information on writing and debugging terminal descriptions, as well as terminal initialization, for the two UNIX terminal databases.

Managing NFS and NIS
By Hal Stern
1st Edition June 1991
436 pages, ISBN 0-937175-75-7
Managing NFS and NIS is for system administrators who need to set up or manage a network filesystem installation. NFS (Network Filesystem) is probably running at any site that has two or more UNIX systems. NIS (Network Information System) is a distributed database used to manage a network of computers. The only practical book devoted entirely to these subjects, this guide is a "must-have" for anyone interested in UNIX networking.

System Performance Tuning
By Mike Loukides
1st Edition November 1990
336 pages, ISBN 0-937175-60-9
System Performance Tuning answers the fundamental question: How can I get my UNIX-based computer to do more work without buying more hardware? Some performance problems do require you to buy a bigger or faster computer, but many can be solved simply by making better use of the resources you already have.

Volume 8: X Window System Administrator's Guide
By Linda Mui & Eric Pearce
1st Edition October 1992
372 pages, ISBN 0-937175-83-8
This book focuses on issues of system administration for X and X-based networks, not just for UNIX system administrators, but for anyone faced with the job of administering X (including those running X on stand-alone workstations).

Using & Managing UUCP
By Ed Ravin, Tim O'Reilly, Dale Dougherty & Grace Todino
1st Edition September 1996
424 pages, ISBN 1-56592-153-4
Using & Managing UUCP describes, in one volume, this popular communications and file transfer program. UUCP is very attractive to computer users with limited resources, a small machine, and a dial-up connection. This book covers Taylor UUCP, the latest versions of HoneyDanBer UUCP, and the specific implementation details of UUCP versions shipped by major UNIX vendors.

How to stay in touch with O'Reilly

1. Visit Our Award-Winning Web Site
http://www.oreilly.com/
"Top 100 sites on the Web" — PC Magazine
"Top 5% Web sites" — Point Communications
"3-Star site" — The McKinley Group
Our web site contains a library of comprehensive product information (including book excerpts and tables of contents), downloadable software, background articles, interviews with technology leaders, links to relevant sites, book cover art, and more. File us in your Bookmarks or Hotlist!

2. Join Our Email Mailing Lists
New Product Releases
To receive automatic email with brief descriptions of all new O'Reilly products as they are released, send email to: [email protected]
Put the following information in the first line of your message (not in the Subject field): subscribe oreilly-news
O'Reilly Events
If you'd also like us to send information about trade show events, special promotions, and other O'Reilly events, send email to: [email protected]
Put the following information in the first line of your message (not in the Subject field): subscribe oreilly-events

3. Get Examples from Our Books via FTP
There are two ways to access an archive of example files from our books:
Regular FTP • ftp to: ftp.oreilly.com (login: anonymous; password: your email address) • Point your web browser to: ftp://ftp.oreilly.com/
FTPMAIL • Send an email message to: [email protected] (Write "help" in the message body)

4. Contact Us via Email
order@oreilly.com — To place a book or software order online. Good for North American and international customers.
subscriptions@oreilly.com — To place an order for any of our newsletters or periodicals.
[email protected] — For answers to problems regarding your order or our products.
[email protected] — General questions about any of our books.
[email protected] — For general questions and product information about our software. Check out O'Reilly Software Online at http://software.oreilly.com/ for software and technical support information. Registered O'Reilly software users send your questions to: [email protected]
[email protected] — For book content technical questions or corrections.
[email protected] — To submit new book or software proposals to our editors and product managers.
[email protected] — For information about our international distributors or translation queries. For a list of our distributors outside of North America check out: http://www.oreilly.com/www/order/country.html

O'Reilly & Associates, Inc.
101 Morris Street, Sebastopol, CA 95472 USA
TEL 707-829-0515 or 800-998-9938 (6am to 5pm PST)
FAX 707-829-0104

Titles from O'Reilly
Please note that upcoming titles are displayed in italic.

WebProgramming
Apache: The Definitive Guide
Building Your Own Web Conferences
Building Your Own Website
CGI Programming for the World Wide Web
Designing for the Web
HTML: The Definitive Guide, 2nd Ed.
JavaScript: The Definitive Guide, 2nd Ed.
Learning Perl
Learning VBScript
Mastering Regular Expressions
Programming Perl, 2nd Ed.
Web Client Programming with Perl
WebMaster in a Nutshell
Web Security & Commerce
World Wide Web Journal

Web Review Studio Series
Gif Animation Studio
Shockwave Studio

Software
WebSite™ 1.1
WebSite Professional™
WebBoard™
PolyForm™
Statisphere™

Songline Guides
NetActivism
NetLaw
NetLearning
NetLessons
NetResearch
NetSuccess
NetTravel

Using the Internet
Bandits on the Information Superhighway
Smileys
The Future Does Not Compute
The Whole Internet for Win 95
The Whole Internet User's Guide & Catalog
Using Email Effectively

Java Series
Exploring Java
Java AWT Reference
Java Fundamental Classes Reference
Java in a Nutshell
Java Language Reference, 2nd Ed.
Java Network Programming
Java Threads
Java Virtual Machine

System Administration
Building Internet Firewalls
Computer Crime: A Crimefighter's Handbook
Computer Security Basics
DNS and BIND, 2nd Ed.
Essential System Administration, 2nd Ed.
Getting Connected: The Internet at 56K and Up
Linux Network Administrator's Guide
Managing Internet Information Services
Managing NFS and NIS
Networking Personal Computers with TCP/IP
PGP: Pretty Good Privacy
Practical UNIX & Internet Security, 2nd Ed.
sendmail, 2nd Ed.
sendmail Desktop Reference
System Performance Tuning
TCP/IP Network Administration
termcap & terminfo
Using & Managing UUCP
Volume 8: X Window System Administrator's Guide

UNIX
Exploring Expect
Learning GNU Emacs, 2nd Ed.
Learning the bash Shell
Learning the Korn Shell
Learning the UNIX Operating System
Learning the vi Editor
Linux Multimedia Guide
Making TeX Work
Running Linux, 2nd Ed.
SCO UNIX in a Nutshell
sed & awk, 2nd Edition
Tcl/Tk Tools
UNIX in a Nutshell: System V Edition
UNIX Power Tools
Using csh & tcsh
When You Can't Find Your UNIX System Administrator
Writing GNU Emacs Extensions

Windows
Inside the Windows 95 File System
Inside the Windows 95 Registry
Windows Annoyances
Windows NT in a Nutshell

Programming
Advanced Oracle PL/SQL Programming
Applying RCS and SCCS
C++: The Core Language
Checking C Programs with lint
DCE Security Programming
Dictionary of PC Hardware and Data Communications Terms
Distributing Applications Across DCE & Windows NT
Electronic Publishing on CD-ROM
Encyclopedia of Graphics File Formats, 2nd Ed.
Guide to Writing DCE Applications
lex & yacc
Managing Projects with make
Mastering Oracle Power Objects
Oracle Design: The Definitive Guide
Oracle Performance Tuning, 2nd Ed.
Oracle PL/SQL Programming
Porting UNIX Software
POSIX Programmer's Guide
POSIX.4: Programming for the Real World
Power Programming with RPC
Practical C Programming
Practical C++ Programming
Programming Python
Programming with curses
Programming with GNU Software
Pthreads Programming
Software Portability with imake, 2nd Ed.
Understanding DCE
Understanding Japanese Information Processing
UNIX Systems Programming for SVR4

Berkeley 4.4 Software Distribution
4.4BSD System Manager's Manual
4.4BSD User's Reference Manual
4.4BSD User's Supplementary Documents
4.4BSD Programmer's Reference Manual
4.4BSD Programmer's Supplementary Documents

X Programming
Vol. 0: X Protocol Reference Manual
Vol. 1: Xlib Programming Manual
Vol. 2: Xlib Reference Manual
Vol. 3M: X Window System User's Guide, Motif Edition
Vol. 4M: X Toolkit Intrinsics Programming Manual, Motif Edition
Vol. 5: X Toolkit Intrinsics Reference Manual
Vol. 6A: Motif Programming Manual
Vol. 6B: Motif Reference Manual
Vol. 6C: Motif Tools
Vol. 8: X Window System Administrator's Guide
Programmer's Supplement for Release 6
The X Window System in a Nutshell
X User Tools

Business/Career
Building a Successful Software Business
The Computer User's Survival Guide
Love Your Job!

Travel
Travelers' Tales: Brazil
Travelers' Tales: Food
Travelers' Tales: France
Travelers' Tales: Gutsy Women
Travelers' Tales: India
Travelers' Tales: Mexico
Travelers' Tales: Paris
Travelers' Tales: San Francisco
Travelers' Tales: Spain
Travelers' Tales: Thailand
Travelers' Tales: A Woman's World

International Distributors

UK, Europe, Middle East and Northern Africa (except France, Germany, Switzerland, & Austria)
INQUIRIES: International Thomson Publishing Europe, Berkshire House, 168-173 High Holborn, London WC1V 7AA, United Kingdom
Telephone: 44-171-497-1422 to 44-171-497-1426
Email: [email protected]
ORDERS: International Thomson Publishing Services, Ltd., Cheriton House, North Way, Andover, Hampshire SP10 5BE, United Kingdom
Telephone: 44-264-342-832 (UK), 44-264-342-806 (outside UK)
Fax: 44-264-364418 (UK), 44-264-342761 (outside UK)
UK & Eire orders: [email protected]
International orders: [email protected]

France
Editions Eyrolles, 61 bd Saint-Germain, 75240 Paris Cedex 05, France
French language books (all countries except Canada): Telephone: 33-01-44-41-46-16; Fax: 33-01-44-41-11-44; Email: [email protected]
English language books: Telephone: 33-01-44-41-11-87; Email: distribution@eyrolles.com

Germany, Switzerland, and Austria
INQUIRIES: O'Reilly Verlag, Balthasarstr. 81, D-50670 Köln, Germany
Telephone: 49-221-97-31-60-0
Fax: 49-221-97-31-60-8
Email: [email protected]
ORDERS: International Thomson Publishing, Königswinterer Straße 418, 53227 Bonn, Germany
Telephone: 49-228-97024-0
Fax: 49-228-441342
Email: [email protected]

Japan
O'Reilly Japan, Inc., Kiyoshige Building 2F, 12-Banchi, Sanei-cho, Shinjuku-ku, Tokyo 160-0008 Japan
Telephone: 81-3-3356-5227
Fax: 81-3-3356-5261
Email: [email protected]

India
Computer Bookshop (India) PVT. Ltd., 190 Dr. D.N. Road, Fort, Bombay 400 001 India
Telephone: 91-22-207-0989
Fax: 91-22-262-3551
Email: [email protected]

China
Ron's DataCom Co., Ltd., 79 Dongwu Avenue, Dongxihu District, Wuhan 430040 China
Telephone: 86-27-3892568
Fax: 86-27-3222108
Email: hongfeng@public.wh.hb.cn

Hong Kong
City Discount Subscription Service Ltd., Unit D, 3rd Floor, Yan's Tower, 27 Wong Chuk Hang Road, Aberdeen, Hong Kong
Telephone: 852-2580-3539
Fax: 852-2580-6463
Email: [email protected]

Korea
Hanbit Media, Inc., Sonyoung Bldg. 202, Yeksam-dong 736-36, Kangnam-ku, Seoul, Korea
Telephone: 822-554-9610
Fax: 822-556-0363
Email: [email protected]

Singapore, Malaysia, and Thailand
Addison Wesley Longman Singapore PTE Ltd., 25 First Lok Yang Road, Singapore 629734
Telephone: 65-268-2666
Fax: 65-268-7023
Email: [email protected]

Philippines
Mutual Books, Inc., 429-D Shaw Boulevard, Mandaluyong City, Metro Manila, Philippines
Telephone: 632-725-7538
Fax: 632-721-3056
Email: [email protected]

All Other Asian Countries
O'Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472 USA
Telephone: 707-829-0515
Fax: 707-829-0104
Email: [email protected]

Australia
WoodsLane Pty. Ltd., 7/5 Vuko Place, Warriewood NSW 2102, P.O. Box 935, Mona Vale NSW 2103 Australia
Telephone: 61-2-9970-5111
Fax: 61-2-9970-5002
Email: [email protected]

New Zealand
Woodslane New Zealand Ltd., 21 Cooks Street (P.O. Box 575), Waganui, New Zealand
Telephone: 64-6-347-6543
Fax: 64-6-345-4840
Email: [email protected]

The Americas
McGraw-Hill Interamericana Editores, S.A. de C.V., Cedro No. 512, Col. Atlampa 06450, Mexico, D.F.
Telephone: 52-5-541-3155
Fax: 52-5-541-4913
Email: [email protected]

South Africa
International Thomson Publishing South Africa, Building 18, Constantia Park, 138 Sixteenth Road, P.O. Box 2459, Halfway House, 1685 South Africa
Telephone: 27-11-805-4819
Fax: 27-11-805-3648
Email: [email protected]


Networking

O'REILLY
Virtual Private Networks

Historically, only large companies could afford secure networks, which they created from expensive leased lines. Smaller folks had to make do with the relatively untrusted Internet. Nowadays, even large companies have to go outside their private nets, because so many people telecommute or log in while they're on the road. How do you provide a low-cost, secure electronic network for your organization?

The solution is a virtual private network: a collection of technologies that creates secure connections or "tunnels" over regular Internet lines—connections that can be easily used by anybody logging in from anywhere. A number of products now exist to help you develop that solution.

This book tells you how to plan and build a VPN. It starts with general concerns like costs, configuration, and how a VPN fits in with other networking technologies like firewalls. It continues with detailed descriptions of how to install and use VPN technologies that are available for Windows NT and Unix, such as PPTP and L2TP, the AltaVista Tunnel, and the Cisco PIX.

Topics include:
• How the VPN compares to other available networking technologies
• Introduction to encryption, firewalls, and other technologies that let VPNs work
• Point-to-Point Tunneling Protocol (PPTP)
• The AltaVista Tunnel
• The Cisco PIX Firewall
• Maintenance and troubleshooting
• A sample VPN configuration

Visit O'Reilly on the Web at www.oreilly.com
ISBN 1-56592-319-7
Printed on Recycled Paper