A Practical Guide to the Right VPN Solution

Upload: sagalog

Post on 14-Apr-2018


7/30/2019 A Practical Guide to the Right VPN Solution 1/27

This Guide has been sponsored by

A Practical Guide to the Right VPN Solution

THE TECHNOLOGY GUIDE SERIES

www.techguide.com


The Guide format and main text of this Guide are the property of The Applied Technologies Group, Inc. and are made available upon these terms and conditions. The Applied Technologies Group reserves all rights herein. Reproduction in whole or in part of the main text is only permitted with the written consent of The Applied Technologies Group. The main text shall be treated at all times as a proprietary document for internal use only. The main text may not be duplicated in any way, except in the form of brief excerpts or quotations for the purpose of review. In addition, the information contained herein may not be duplicated in other books, databases or any other medium. Making copies of this Guide, or any portion for any purpose other than your own, is a violation of United States Copyright Laws. The information contained in this Guide is believed to be reliable but cannot be guaranteed to be complete or correct. Any case studies or glossaries contained in this Guide or any Guide are excluded from this copyright.

Copyright 2001 by The Applied Technologies Group, Inc., 209 West Central Street, Suite 301, Natick, MA 01760. Tel: (508) 651-1155, Fax: (508) 651-1171, E-mail: [email protected], Web Site: http://www.techguide.com

Table of Contents

Summary ... 4
Introduction ... 5
VPN Overview and Benefits ... 8
VPN Implementation Alternatives ... 25
Key Features and Cost Elements for a VPN Solution ... 30
Selecting the Right VPN Solution ... 35
Conclusion ... 37
Case Study ... 38
Glossary of Terms ... 42

About the Editor

Jerry Ryan is a principal at ATG and the Editor-in-Chief of techguide.com. He is the author of numerous technology papers on various aspects of networking. Mr. Ryan has developed and taught many courses in network analysis and design for carriers, government agencies and private industry. He has provided consulting support in the area of WAN and LAN network design, negotiation with carriers for contract pricing and services, technology acquisition, customized software development for network administration, billing and auditing of telecommunication expenses, project management, and RFP generation. Mr. Ryan has been a member of the Networld+Interop Program Committee and the ComNet Steering Committee. He holds a B.S. degree in electrical engineering.

Visit ATG's Web Site to read, download, and print all the Technology Guides in this series.

www.techguide.com

"The significant problems we face cannot be solved by the same level of thinking that created them."

Albert Einstein


Summary

This Technology Guide is written for Business and for IT Managers at small to medium-sized businesses who plan and implement the network infrastructure for their businesses. The Guide is primarily for IT and networking managers who are selecting VPN solutions. It is written to help the reader navigate the VPN swamp. This Guide assumes the reader is familiar with the Internet and with the distinction between intranets and extranets. It should help readers understand VPN applications, benefits, and implementation alternatives.

After reading this Guide, the reader should be able to evaluate features of a VPN solution relative to his/her requirements. Based on least cost of ownership, the reader will be able to select a VPN solution from a set of alternatives that is most suitable for their near- and long-term needs.

Introduction

E-business, e-commerce, e-marketplace, business-to-business (B2B), and business-to-consumer (B2C) are now common business parlance. Every organization is defining and implementing its e-strategy. The question is no longer whether to migrate to an e-environment, but what is the best way to migrate to a Web and Internet-based business model.

The Internet allows businesses to reach their customers, and vice versa, anytime and anywhere in the world. A US company need not deploy any resources or infrastructure in China, for example, to engage in business in China. A mom-and-pop e-business in a non-English speaking country has as good a probability of reaching a customer in the US as an American multi-billion dollar company. A common challenge to both companies is the use of the Internet to leverage their business.

One of the key technologies for using the Internet in a secure and private manner is the virtual private network (VPN). This Technology Guide explains VPN applications, benefits, and implementation alternatives. More importantly, it provides guidelines for selecting the right VPN solution.

The Guide focuses on the needs of small and medium-sized businesses that do not have the technical and management resources to deploy, to maintain, or to operate their own VPNs. Many large enterprises will find the VPN deployment model discussed here to be the most cost-effective answer to their e-business and remote office requirements.


The Business Problem

Before the popularity of the Internet, large enterprises were building multi-million dollar private data networks (now called intranets), using telecommunications services such as leased lines, Frame Relay, and Asynchronous Transfer Mode (ATM) to communicate among geographically dispersed sites. These services were often supplemented with services, such as switched analog or ISDN, to connect smaller sites and mobile users. Small and medium-sized enterprises, who could not afford the cost of long-distance leased facilities, were limited to low-speed switched services.

These intranets were expensive and required hordes of support personnel. Intranets also had long planning, design, and implementation cycles, resulting in tremendous lost-opportunity costs. As the Internet became ubiquitous and as ISPs offered high-speed Internet access, enterprises reduced the cost and the time to deploy their intranets by off-loading them to the Internet.

As enterprises dabbled in e-commerce, whether as B2B or as B2C, it became clear that the Internet was the practical and cost-effective way to connect with customers and partners. The concept of connecting with external users or organizations came to be known as extranets.

As cost-effective as the Internet is, it introduces one major challenge: security. Though the Internet has emerged as the network foundation for e-endeavors, it is paradoxically a public, shared network of networks and is not suitable, in its natural state, for secure transactions or private communications.

Enterprises have recognized that e-business is more than just Internet connectivity or the exchange of e-mails and files. E-business needs real time exchange of data. This involves all of the enterprise: procurement, supply-chain management, sales and customer relationship management, online business transactions, online dealings with financial institutions, etc. These requirements make security over the Internet paramount.

Virtual Private Network: The New Solution for E-Business

VPNs have emerged as the key technology for achieving security over the Internet. While a VPN is an inherently simple concept, early VPN solutions were geared towards large organizations and their implementation required extensive technical expertise. As a consequence, small and medium-sized businesses were left out of the e-revolution. Recently, VPN solutions have become available that focus specifically on the needs of small and medium-sized businesses.

Historically, the term VPN has also been used in contexts other than the Internet, such as in the public telephone network and in the Frame Relay network. In the early days of the Internet-based VPNs, they were sometimes described as Internet-VPNs or IP-VPNs. However, that usage is archaic and VPNs are now synonymous with Internet-VPNs.

Figure 1a: Data flow through the Internet (labels: Data Packets, Internet, ISP-1 through ISP-5, Firewall)


VPN Overview and Benefits

Protection Beyond the Firewall

A firewall is an important security feature for Internet users. A firewall prevents data from leaving and entering an enterprise by unauthorized users. However, when packets pass through the firewall to the Internet, sensitive data such as user names, passwords, account numbers, financial and personal medical information, server addresses, etc. is visible to hackers and to potential e-criminals. Firewalls do not protect from threats within the Internet. This is where a VPN comes into play.

A VPN, at its core, is a fairly simple concept: the ability to use the shared, public Internet in a secure manner as if it were a private network. Figure 1a shows the flow of data between two users over the Internet when not using a VPN. As shown by the dotted lines, packets between a pair of users may go over networks run by many ISPs and may take different paths. The structure of the Internet and the different paths taken by packets are transparent to the two users. With a VPN, users encrypt their data and their identities to prevent unauthorized people or computers from looking at the data or from tampering with the data.

Figure 1b: VPN over the Internet (labels: VPN Tunnel, Internet, ISP-1 through ISP-5, Firewall)

Figure 1b shows the encrypted flow of packets, referred to as a tunnel in a VPN. The VPN tunnel is shown graphically as a line connecting the starting point and endpoint of the encryption. While the tunnel is shown in Figure 1b and in other literature as if the tunnel is a fixed path, packets associated with the tunnel may take different paths, like the ones in Figure 1a. In this example, the endpoints of the VPN tunnel are a client at the user station and a server or gateway at a central site. We need software or some other device at each end of the tunnel to initiate, authenticate, and terminate a VPN tunnel. In addition to encryption, VPN also allows for user- and data-authentication.

VPN Applications

A VPN can be used for just about any intranet and e-business (extranet) application. Examples on the following pages illustrate the use and benefits of VPN for mobile users and for remote access to enterprise resources, for communications between remote offices and headquarters, and for extranet/e-business.

Remote Access

In this application, when not using a VPN, mobile and remote users often use analog (dial-up modems) or ISDN switched services to connect to a headquarters data center. This is shown in Figure 2a. These connections are used to access e-mail, to download files and to execute other transactions. This type of connection would also be used by small offices that do not have a permanent connection to the enterprise intranet.


Figure 2a: Remote access using switched services (labels: Remote Users, Remote Offices, Dial-up, RAS, Firewall, Data Center)

The cost elements for such an application include:

• Dial-up connection charges, especially for users making long-distance connections.

• A remote access server (RAS) at the central site to handle incoming calls.

• Technical personnel to support remote users and to configure, maintain, and support a RAS.

With a VPN, as shown in Figure 2b, remote users and branch offices set up dial-up connections to local ISPs and connect via the Internet to a VPN server at headquarters.

VPN benefits include:

• Elimination of the RAS, of associated modems, and of technical support costs to install, configure, and maintain the RAS.

• Replacement of long-distance or 800-number services with local ISP connections at remote sites.

• Access to all enterprise data and applications (not just e-mail or file transfers) over the Internet.

Figure 2b: Remote access using VPN (labels: Remote Users (VPN Clients), Remote Offices with VPN Gateways, Internet, VPN Tunnel, VPN Server, Firewall, Data Center)

New costs for VPN include:

• Installation, support, and maintenance of a VPN server at the central site and of VPN clients for remote users.

Studies show that the cost savings in long-distance charges alone pay for the VPN setup costs within a few months, and substantial recurring savings follow.

Branch-to-Branch or Branch-to-Headquarters

In Figure 3a, a business has an intranet connecting remote locations with headquarters. Each campus has a router connecting the campus to a backbone router over a LAN or WAN link (smaller networks may not need backbone routers). A single router may be connected to both the campus LAN and to the other campuses with a WAN link. WAN routers are typically mesh-connected using leased lines or a Frame Relay service.

Primary cost elements for a branch-to-branch intranet include:

• Routers, both campus and backbone.

• Telecommunications services, in particular long distance. The cost of the intranet backbone,


depending on the traffic volume and geographical reach, can run from tens of thousands of dollars a month to hundreds of thousands of dollars a month. These costs are especially onerous for multi-national organizations.

Figure 3a: Enterprise intranet without VPN (labels: Campus-1 through Campus-4, Backbone WAN)

With a VPN, the intranet backbone WAN is replaced by the Internet. This is shown in Figure 3b. The new costs for this configuration include the deployment and maintenance of VPN gateways at remote campuses and the deployment and maintenance of a VPN server at the headquarters site. In addition, each location pays for an Internet connection.

VPN benefits include:

• Elimination of backbone routers.

• Elimination of system administration, configuration, and technical support for routers and elimination of the need to design and maintain routing tables.

• Elimination of long-distance services; as with the remote access case, this results in substantial savings. The amount of savings depends on the size of the intranet.

• Reduction in lost-opportunity cost due to the elimination of long provisioning cycles for long-distance service and for international telecommunications services.

• Most likely, better performance than an intranet due to higher speed facilities inside the Internet.

The migration to VPN could pay for itself in a few months. There would also be substantial recurring savings.

Figure 3b: Branch-to-branch and branch-to-headquarters over VPN (labels: Campus-1 through Campus-4, each with a VPN Gateway, Internet)

B2B, B2C, and Extranet

Before the availability of the Internet and VPNs, electronic transactions and communications between enterprises were particularly difficult since there was no standard or common way to enable these communications.

As shown in Figure 4a, there were numerous networks and architectures to enable inter-corporate commerce. For example, the banking industry has a long history of electronic transactions among banks and with central banks. The brokerage industry, similarly, has special systems for communicating with stock exchanges, with settlement bodies, and with depository companies. In addition, there were several custom-made networks with proprietary transaction formats for electronic data interchange (EDI). In some cases,


corporations or government agencies set up their own standards to execute transactions with their business partners and suppliers. Many organizations had to connect with multiple EDI networks because of the diverse nature of their business.

These historic approaches had numerous drawbacks:

• Very expensive to develop since everything is tailor-made for one industry.

• Long design and deployment time.

• Inability to adapt to new requirements.

• Lack of qualified personnel for narrowly used proprietary systems.

• Could not be easily extended to new locations and customers.

• High entry cost for new customers/members and lost opportunity cost for not being able to participate in e-commerce with non-members.

Figure 4a: E-Commerce before the Internet and VPN (labels: HQ, Suppliers, Enterprise Specific EDI Network, Banking Network(s), Brokerage/Financial Networks, Other EDI Networks)

The Internet, of course, has changed all that. Now, any organization or individual can engage in business transactions or other communications in a secure and private manner by using a VPN over the Internet. Figure 4b shows an example of the new environment.

VPN benefits include:

• Open interfaces; anyone can use it without a major initial investment.

• Fractional cost compared to proprietary networks.

• Worldwide ubiquity built in; reach any customer anywhere without adding infrastructure at those sites.

• Low entry cost, narrowing the opportunity gap between large and small enterprises.

• Rapid deployment, flexibility, ease of modification.

• Choice of vendors in selecting a solution.

• Extensive availability of technical personnel and expertise.

Figure 4b: E-Business and extranets with VPN (labels: Enterprise-1 through Enterprise-6, Internet, VPN Tunnels)

The three examples discussed in this section explain the benefits and versatility of VPNs for e-business. VPN has become a prerequisite for secure commerce or for secure communications over the Internet. In the following section, the Guide explains technologies underlying VPN and the applicable security standards for VPNs.


VPN Technical Concepts and Enabling Technologies

A VPN is essentially a software technique to securely route private, un-routable traffic on the public Internet. Three functions form the basis of a VPN:

1. Packet encapsulation (tunneling)

2. Encryption

3. Authentication

(This section provides an overview of encapsulation, encryption, and authentication techniques used in a VPN. Knowing some basic VPN concepts will help the reader later understand trade-offs in selecting the right solution.)

People sometimes consider network Quality of Service (QoS) as another VPN requirement. This function refers to network performance, response time, availability, packet loss, etc. However, the implementation of the network QoS is a responsibility of the ISPs, and the user will have to monitor and manage QoS for any VPN that spans multiple service providers. Attaining end-to-end QoS is a complex task for the ISPs and, besides technology, also requires agreements among ISPs on QoS parameters. While there are some VPN products that claim QoS implementation through the customer-premise equipment, these devices have no impact on the network QoS. They essentially manage traffic priorities through queuing mechanisms that control the release of packets to the network. While this may be an important consideration for some customers (with under-capacity routers and low-speed links), this QoS has nothing to do with end-to-end network level QoS. Instead, if QoS is an important criterion for VPN selection, it's often best to actually separate the QoS requirement from the VPN requirements, thus obtaining the maximum flexibility while still guaranteeing the service levels needed. For example, if QoS is important, select a single ISP that can provide an adequate SLA for network performance, and then select the most cost-effective, manageable, and flexible VPN solution separately.

The Scope of Encapsulation and Encryption

Figure 5 shows the general layout of an IP packet. Each part of the IP packet has security exposures if sent in the clear over the Internet.

Figure 5: IP packet and security threats. Layout: IP Header | Other Header | User Data. The IP Header carries the source and destination addresses and other information; the User Data carries passwords, user IDs, credit card information, confidential information, and all other data. All of it is information useful to hackers.

1. IP Header: Among other information, it includes addresses of the source and destination of the packet. By capturing these addresses, a hacker can learn the addresses of target servers and try to set up unauthorized communications with them. A hacker can also learn the addresses of authorized users and use these addresses to act as an authorized user.

We can encrypt the addresses but that creates a problem on the Internet because routers look at these addresses to route packets to their correct destinations. We will see how encapsulation solves this problem.

Tunnel Mode: When the IP header above is encrypted and is encapsulated in another IP header, the mode of transmission is referred to as the tunnel mode in the IP Security (IPSec) standard.


2. Other Headers and User Data: Other headers contain information used by hackers to attack an enterprise's Web sites and, therefore, must be encrypted before traveling over the Internet.

The User Data part of the packet, of course, contains not only all of an organization's business data but also its user IDs and passwords.

Thus, we need to encrypt the entire packet when transmitting packets over the Internet.

Encryption Concepts

Virtual private networks ensure the privacy of information by using encryption. Encryption is a technique for scrambling and unscrambling information. The scrambled information is called cipher-text and the unscrambled information is called clear-text.

In a VPN, when information is sent from one location to another, the VPN Gateway at the sending location pulls information off the LAN and encrypts the information into cipher-text before sending the encrypted information on the Internet. The VPN Gateway at the receiving location decrypts the information into clear-text and puts the decrypted information on the LAN.

It used to be that encryption was made secure by keeping the encryption algorithm a secret. The problem with this approach is that once someone cracks the algorithm, that person has access to all the information that has ever been encrypted with that algorithm. Furthermore, since the encryption algorithm is a secret, it's hard to tell how good the algorithm is because only a few people test it.

Today, encryption algorithms are published so that everyone knows how they work. Popular published encryption algorithms include the Data Encryption Standard (DES) and Blowfish. If the algorithm isn't secret, how are secrets kept? The answer is keys.

Keys

A key is a secret code that is used by the encryption algorithm to create a unique version of the cipher-text. One way to think about it is that the encryption method is like a combination lock that is purchased at the hardware store and the key is the combination that comes with that lock. Even though many buyers each purchase the same lock, it doesn't mean that they have access to each other's tool shed. So security is no longer dependent upon keeping the encryption algorithm a secret; it now depends on keeping the key a secret.

Key Lengths

When working with well-known encryption algorithms the security strength depends on the length of the keys used. An 8-bit key provides 256 combinations (two to the eighth power). A 16-bit key provides 65,536 combinations (two to the sixteenth power). And so on.

With a 16-bit key, someone could make 65,536 attempts before finding the combination that would unlock his/her cipher-text. With people, this would be impractical, but with computers, it wouldn't take long to run through the possible combinations. Many VPN products use 168-bit keys to encrypt data. A 168-bit key creates 374,144,419,156,711,000,000,000,000,000,000,000,000,000,000,000,000 possible combinations. Even fast computers would take years to try all these.

Still, it's not enough to use long keys. As with the encryption algorithm, once someone has the key, he/she has access to all the information that has ever been encrypted with it. Fortunately, with keys, one can routinely change the key so that even if someone has the key, it would only be useful for cipher-text encrypted with that key. The length of time a key is used is called a crypto-period.


    Authent ica t ion Concepts

    Authentication answers the question

    Are you really who you say you are?There are two types of authentication:

    User/ System authentication and data authentication.User/ System Authentication: This is the way of

    verifying that the person or system is indeed who theperson or system claims to be. A common techniquefor authentication is for each side to challenge theother side by sending a random number. The chal-lenged side returns a value to the challenger byencrypting the random number using a key that shouldonly be known to the challenged side. The challengerdecrypts the returned value and if the decrypted valuematches the original random number, the challengedparty is treated as authentic.

    Data Authentication: This verifies that a packethas not been altered during its trip over the Internet. Atypical technique is for the sender to calculate a num-ber, called a hash, based on the data content and toappend the hash to the data packet. This is done priorto encryption. The receiver decrypts the packet. Thereceiver then calculates the hash independently andcompares this receiver-calculated hash with the hashappended to the data. If the two hashes do not matchexactly, the data was altered and the receiver rejects it.The hash is calculated using a mathematical functioncalled a hash function. Hash functions have the proper-ty that they spit out a unique number (hash) for eachunique bit string that is fed into them.

    En cr y p t i o n Al go r i t h m s

    The Data Encryption Standard (DES) is a com-monly used and thoroughly tested encryption algo-rithm.The DES system uses 56-bit symmetric keys toencrypt data in 64-bit blocks. The 56-bit key provides72,057,594,037,927,900 possible combinations.A per-

    Technology Guide 2 1

    Symmetrical or Private Keys

    When the same key is used both to encrypt and todecrypt information, the key is called a symmetricalkey. Symmetrical keys require users of a VPN to pos-sess (share) the same key at each end of the connec-tion. Because the key is shared, symmetrical keys arefrequently referred to as shared secrets. As the namesuggests, these keys work as long as it is only the

    authorized parties who know the key. These partiestake the appropriate steps to keep the key secret. Oneof the problems with secret keys is distributing them toauthorized users. Obviously, these keys cannot be sentover the Internet because of the public nature of theInternet.

    Asymmetrical or Public Keys

    Another class of keys allows information to beencrypted with one key and decrypted with a differentkey. Information encrypted with the first key cannot be

    decrypted with the same key and vice versa. These key-pairs are called asymmetrical keys.

    With asymmetrical keys, one key is called the pub-lic key and the other is called the private key. The pub-lic key is made available to anyoneit is not secret.The private key is secret and it is only known by itsowner. If someone wants to send information that onlyan intended person can see, the information is encrypt-ed using the targets public key. That private key hasthe property that only it can decrypt the cipher-textcreated using the public key!

    On the flip side, if a user wants to be certain thata message was from a known person, the messagewould have been encrypted using a private key. Themessage is then decrypted using the public key. If themessage decrypts correctly, it must have come fromthe originator.

    Asymmetrical keys get us around having to distrib-ute and manage secret keys.

    2 0 A Practical Guide to the Right VPN Solution

  • 7/30/2019 A Practical Guide to the Right VPN Solution

    13/27

    VPN Pro toco ls

    This Guide has referenced the IPSec protocol asthe Internet standard protocol for tunneling, encryp-tion and authentication. IPSec is widely supported asthe protocol for VPN implementations. There are twoother protocols,available as alternatives to IPSec.These two protocols were developed as tactical solu-tions while the IPSec protocol was being developed.IPSec is widely available now but the other protocolsare still used. Each of the three protocols is discussedbelow:

    1. IP Security (IPSec)IPSec is the security standard for the Internet. It

    allows for encryption and authentication. The generallayout of IPSec-encoded packets is shown in Figure 8.

    Figure 8 : Encryp t ion mod es for IPSec

    As shown in Figure 8, IPSec defines two modes ofencryption: transport mode and tunnel mode. In trans-port mode, the original source and destination address-es of the header are used and are not encrypted.Thismakes transport mode appropriate for use over a LAN.Tunnel mode is more appropriate for use over theInternet. In particular, tunnel mode permits the rout-ing of normally un-routable private addresses over thepublic Internet. In both cases, the IPSec header con-tains authentication information and other informationneeded to decrypt the packet.

    Encrypted Payload1. Transport Mode:

    IP Header IPSec Header TCP/UDP...

    Encrypted Payload2. Tunnel Mode:

    Outer IP Header Inner HeaderIPSec Header TCP/UDP...

    Technology Guide 2 3

    sonal computer would take about 20 years to runthrough this many combinations. However,an organi-zation with millions of dollars worth of computerscould run through this many combinations in about 12seconds.So DES makes information safe from casualattacks by hackers, but not from a focused attack by awell-funded organization.

Figure 6: DES with 56-bit key

Triple-Pass DES is a DES system that encrypts information multiple times. With triple-pass DES, the data is encrypted once using a 56-bit key. The resulting cipher-text is then decrypted using a second 56-bit key. This results in clear-text that doesn't look anything like what was originally encrypted. Finally, the data is re-encrypted using the first key. This technique of encrypting, decrypting and encrypting is referred to as EDE. It effectively increases the key length from 56-bits to 112-bits.

3DES is an encryption algorithm that provides better security than triple-pass DES. With 3DES, the data is encrypted, decrypted and encrypted again (EDE), but with three different keys. This results in an effective key-length of 168-bits.

Figure 7: 3DES with 56-bit key yielding effective key length of 168-bits

[Figure 7 layout] Clear-text -> Encrypt (56-bit key #1) -> Decrypt (56-bit key #2) -> Encrypt (56-bit key #3) -> Cipher-text

[Figure 6 layout] Clear-text -> DES (56-bit key) -> Cipher-text
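The EDE layering of Figures 6 and 7, as an added example that is not the Guide's code: a small Feistel network stands in for the 56-bit-key DES block function (it is not DES and has no security value; the des_* names only mirror the boxes in the figures), so that the two-key triple-pass and three-key 3DES variants, their decryption, and the effective key lengths as the Guide counts them can be shown running. Keys and plaintext are constructed values.

```python
"""EDE (encrypt-decrypt-encrypt) as in Figures 6 and 7, on a stand-in block cipher.

The 64-bit Feistel cipher here is a constructed toy, NOT DES: it is only a keyed,
invertible block function with 56-bit keys, which is all the EDE construction needs.
"""
MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1
ROUNDS = 8


def _round_keys(key56):
    if not 0 <= key56 <= MASK56:
        raise ValueError("keys are 56-bit integers, as for DES")
    # toy schedule: one 32-bit subkey per round derived from the 56-bit key
    return [((key56 >> (7 * i)) ^ (0x9E3779B9 * (i + 1))) & MASK32 for i in range(ROUNDS)]


def _f(half, subkey):
    # round function; need not be invertible in a Feistel network
    x = ((half ^ subkey) * 0x5BD1E995) & MASK32
    return x ^ (x >> 13)


def _feistel(block64, key56, decrypt=False):
    """Feistel walk; decryption is the same walk with the subkeys in reverse order."""
    left, right = (block64 >> 32) & MASK32, block64 & MASK32
    subkeys = _round_keys(key56)
    if decrypt:
        subkeys.reverse()
    for k in subkeys:
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left     # final swap; this is what makes the reversed walk invert


def des_encrypt(block, key):
    """Stands in for the "Encrypt" box with a 56-bit key (Figure 6)."""
    return _feistel(block, key)


def des_decrypt(block, key):
    """Stands in for the "Decrypt" box."""
    return _feistel(block, key, decrypt=True)


def ede_encrypt(block, k1, k2, k3):
    """Figure 7: Encrypt(k1) -> Decrypt(k2) -> Encrypt(k3)."""
    return des_encrypt(des_decrypt(des_encrypt(block, k1), k2), k3)


def ede_decrypt(block, k1, k2, k3):
    """Undo EDE: the same boxes in reverse order, each run the other way."""
    return des_decrypt(des_encrypt(des_decrypt(block, k3), k2), k1)


def triple_pass_des(block, k1, k2):
    """Two-key variant from the Guide: the first key is reused for the final pass."""
    return ede_encrypt(block, k1, k2, k1)


def triple_pass_des_decrypt(block, k1, k2):
    return ede_decrypt(block, k1, k2, k1)


def tdes(block, k1, k2, k3):
    """Three-key 3DES as the Guide describes it."""
    return ede_encrypt(block, k1, k2, k3)


def effective_key_bits(*keys):
    """Key material in play, counted the way the Guide counts it: 56 bits per distinct key."""
    return 56 * len(set(keys))


if __name__ == "__main__":
    K1, K2, K3 = 0x0123456789ABCD, 0x1F1F1F1F0E0E0E, 0x76A8E2B4C8D1F3   # constructed 56-bit keys
    P = 0x0123456789ABCDEF                                                # constructed 64-bit block
    print("triple-pass:", hex(triple_pass_des(P, K1, K2)), effective_key_bits(K1, K2, K1), "bits")
    print("3DES:       ", hex(tdes(P, K1, K2, K3)), effective_key_bits(K1, K2, K3), "bits")
    # EDE with the same key in all three passes collapses to single encryption, because the
    # middle decrypt undoes the first encrypt; this is why EDE (rather than EEE) keeps
    # compatibility with plain DES.
    assert ede_encrypt(P, K1, K1, K1) == des_encrypt(P, K1)
```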


VPN security setting. These businesses often prefer a solution that shields them from the internal operation of encryption algorithms and key structures.

With expanding business relationships, even smaller companies want to have e-business links with the broadest set of partners. And they want an easy way to do this. The solution these businesses pick should not require them to have certain types of network equipment (like firewalls and routers) and should not specify the type of Internet connections they use or require them to use a particular ISP.

VPN Implementation Alternatives

There are many VPN solutions available. They cover a range of price-performance, of capacity, and of installation and configuration complexity. Since VPNs are relatively new, the way of comparing products and solutions is not mature either. To provide a framework for evaluating VPNs, this Guide divides VPNs into the following categories:

1. Traditional or legacy VPN products

2. Outsourced VPNs

3. Low-end VPN/firewall products

4. Point-and-Click VPN services

Traditional or Legacy VPN Products

Most first generation VPN products fall in this category. The VPN function is typically an add-on to a router, to a LAN switch, or to a firewall. These include products from vendors such as Lucent, Cisco, Nortel, and Checkpoint. These products are optimized for


    2. Layer 2 Tunneling Protocol (L2TP)

L2TP was developed to merge two earlier protocols, the Layer 2 Forwarding (L2F) protocol and the Point-to-Point Tunneling Protocol (PPTP). L2TP is a protocol for putting a wrapping on non-Internet protocols such as IPX, SNA and AppleTalk, in an IP envelope, for encryption purposes. By itself, L2TP does not provide an encryption function, and L2TP depends on IPSec (or some other scheme) for encryption.

    3. Point to Point Tunneling Protocol (PPTP)

PPTP is a Microsoft proprietary encryption and authentication protocol. PPTP was supposed to have been replaced by L2TP, but Microsoft retains PPTP as its way of supporting VPNs in Microsoft Windows products. PPTP uses RSA instead of DES or 3DES for encryption. RSA is a weaker security algorithm than IPSec's 3DES.

Of the three protocols, IPSec, besides being the Internet standard for tunneling, encryption and authentication, has the most industry momentum and is implemented by the greatest number of vendors. There are numerous IPSec implementations available for all Windows environments. This Guide recommends IPSec as the preferred protocol for implementing VPNs.

What it all Means

While selecting and implementing a VPN solution, a user may get involved in selecting keys and encryption algorithms. At a minimum, they know the key types and encryption algorithms supported by a product. Some products require great involvement and great expertise in security details. Large businesses have complex security requirements and they benefit from the ability to customize and set every detail. Most small and medium-sized businesses do not have the need, the money, the skills, or the time to tweak every possible


An important issue here is the availability of the managed VPN service in all the geographic areas where a customer wants to deploy their VPN. For example, regional Bell companies typically limit coverage to their operational and high-speed access providers. This may impose technological limitations. A DSL-based provider would exclude cable-users and vice versa. For example, AT&T's broadband access services are based on cable-TV and most regional telephone companies and other providers are based on DSL. These restrictions could force one to use multiple service providers, each with its own systems administration, configuration, ordering, provisioning, and technical support. The customer would be responsible for identifying and resolving interoperability. For example, if one goes with a DSL-based ISP, how do employees with cable modems access the VPN? And with multiple ISPs one has to manage interoperability among the service providers.

Given the internal cost structure of these service providers, their services tend to be on the high end of the VPN price range and their services tend to focus on large customers. ISPs and NSPs are not known for rapidly adopting new technologies or for rapidly responding to changing customer needs.

    Managed VPN Service from a Reseller/Solution Provider

These solution providers package services from multiple service providers to provide a solution covering all geographical areas. While these providers offer more flexibility than a single ISP/NSP solution, the fact remains that no single solution provider covers all possible geographic locations, covers the broad range of access technologies and maintains reasonable cost. Cost, availability in all desired locations, and technical support are the criteria for evaluating these total service solution providers.


large businesses. When such a customer adds VPN functionality it often means an upgrade to a new router/switch/firewall model that supports VPN as an add-on feature. Once the customer buys the right model, the customer then physically installs and logically configures the router/switch/firewall. The customer then sets up the VPN configurations at central and at remote sites and for mobile and remote users.

The legacy VPN products category includes PC-based (Windows and Linux) software solutions targeted at smaller users. For these, a user installs the operating system and the networking support and then installs and configures the VPN support. Configuring the VPN support means defining security policies and key structures for VPN gateways and clients for mobile and remote users.

These VPN solutions need significant expertise to design, install, operate, support, and maintain.

Outsourced VPNs

    There are three subcategories:

1. VPN service from an ISP or NSP

2. Managed VPN service from a reseller/solution provider

3. Consultant/Systems Integrators' VPN implementation services

    VPN Services from an ISP or NSP

More and more ISPs and network services providers (NSPs) are providing VPNs as a service. With a managed service offering, the service components include installation of servers, installation of clients and ongoing technical support. The customer is involved with defining security policies and with the overall VPN design.


and require less technical support. The recurring-costs model for appliances is similar to the cost model for traditional VPN products. Many appliance designs are based on proprietary chips and could run into future scalability problems due to the high cost and long development cycles for new chips.

Point-and-Click VPN Services

This is a relatively new category among VPN solutions. This solution is independent of the ISP and allows customers to use existing equipment or generic PCs as the hardware. One example of a service provider who delivers such solutions is OpenReach.

The key characteristic of this solution is that the customer does not have to get involved in designing, configuring, and supporting the VPN.

To deploy a VPN with this approach, for example, the customer simply logs onto the service provider's Web site and registers basic information about each site that is to be part of the VPN (such as site name and IP address). The Network Operations Center then automatically creates appropriate VPN configurations based on the user-provided information and downloads this information to a floppy disk that can be installed on a PC at each location. The user simply plugs the diskette at each site into a standard PC, reboots, and now has a VPN gateway that automatically registers itself with the Network Operations Center. The VPN administrator or user can then simply use a Web browser to point and click the connections among the registered VPN gateways, thereby creating secure, transparent IPSec tunnels among each remote location. In addition, the solution provider uses a Web-based control center that monitors the health of VPN gateways and provides technical support for the customer. The customer data does not flow through the vendor's network control center, but directly between the remote locations as needed. The customer billing is based on


Consultant/Systems Integrators' VPN Implementation Services

An enterprise may build their own VPN by buying professional services from systems integrators and consultants. There are three phases in VPN deployment:

    1. Needs-analysis, product evaluation and selection

    2. Initial VPN design, configuration and rollout

3. Ongoing technical support

A business may outsource one or more of these phases. The cost of doing this and the number of new employees needed depends on the number of tasks outsourced. Small and medium-sized enterprises should contract all three phases. This could lead to high recurring charges for VPN deployment. There is also the challenge of finding the right consultant/systems integrator for the technology to be implemented.

Low-end VPN/Firewall Appliances

Low-end VPN firewall appliances are designed for small and medium-sized businesses and are purpose-built (dedicated to VPN gateway function). These appliances may use PC processors or specialized processors. Operating systems may be Microsoft Windows, Unix/Linux or a proprietary operating system. These appliances may incorporate co-processors for off-loading the encryption function to a separate chip.

These devices are called appliances due to their standalone nature. However, these appliances still have to be configured and maintained with the same level of resources as traditional VPN devices. These appliances may include additional functions such as a firewall, increasing their complexity. Appliance VPN boxes are simpler than router or firewall-based VPNs and, therefore, may be less prone to problems, easier to diagnose


the bandwidth required for the VPN connection (i.e., cable modem, DSL, T1, etc.). Since this type of solution uses standard PCs and free software, there is essentially no up-front investment required, and thus the potential risk is significantly less than many other types of VPN solutions. In addition, unlike most outsourced VPNs, point-and-click VPNs are not tied to a single service provider, allowing customers to mix and match Internet access types and ISPs (cable modems and DSL, for example).

Key Features and Cost Elements for a VPN Solution

There are two sets of criteria for evaluating VPN solutions: basic VPN functions and total cost of ownership (TCO). The basic VPN functions are for comparing products based on current technical requirements. However, the TCO criteria show long-term cost differences of one solution over the other.

Functional Evaluation

    Table 1 lists criteria for functions of a VPN solution.

    Security

IPSec Support: Is IPSec the primary security protocol supported? If IPSec is not supported, there may be future difficulties interoperating with locations and businesses using Internet standard protocols. Attention should be given to future locations and e-business partners.

Ease of Key Management: Are the types of keys, authentication techniques used and their management compatible with the customer's security objectives? If a user has to deal with design and management of key distribution, the solution may require technical personnel to support it. 3DES should be considered the minimum acceptable encryption level.

    Performance

Packet Throughput Capacity: This is the capacity and performance data for the device. Another number often included in product specifications is the number of tunnels handled by the device. The theoretical number of tunnels handled by a device is typically very large but is not very useful in assessing the performance of the device. Packet throughput capacity, rather than the number of tunnels, is the true measure of a device's performance.

Availability and Reliability: The device or service should be reliable enough to provide 99.9% or higher availability.

Hardware vs. Software Encryption: Encryption can be performed either through software or through hardware. While this is often considered important, it does not provide a direct measure of a product's performance. Look instead at the product's packet throughput capacity.

(Table 1, first part; continued below)

Criterion                              Solution 1   Solution 2   Solution 3
Security
  IPSec Support
  Ease of Key Management
Performance
  Packet Throughput Capacity
  Availability/Reliability
Interoperability
  Access/Connectivity
  Service Coverage


    Platform Type

Hardware/Appliance: Is the internal hardware architecture transparent to the user? PC-based network appliances are not the same as an ordinary PC. Do not assume, for example, that one could employ a generic PC as a backup device for a PC-based network appliance. Also, the economies of scale of a generic PC are vastly different from that of a PC-based VPN appliance.

Add-on Feature to Router/Switch/Firewall: If VPN is an add-on feature to an existing platform, the reliability and the performance record of the platform should be known to the customer. This option allows the use of an existing device for the VPN. However, as discussed under TCO considerations, this may not be the optimal choice for a customer.

Operation and Management

The operation and management of the VPN is certainly the customer's responsibility for build-it-yourself VPNs. Even for an outsourced solution, customers would certainly want to monitor the health and performance of their VPN. Certain outsourced solutions may require significant customer involvement with configuration details. This would add to the TCO of the solution.

A Web-based management and monitoring system is preferable over non-Web-based systems since it can be accessed from anywhere on the Internet. However, not all Web-based interfaces have equal ease of use. A customer certainly should go through a demonstration of the management system.

The quality of the reports from the management system is important. The reports should be easy to create, customize, and understand.

Total Cost of Ownership (TCO)

As pointed out, the functions discussed in the previous section provide a short-term view. Use TCO to


(Table 1, second part)

Criterion                                        Solution 1   Solution 2   Solution 3
Platform Type
  Hardware/Appliance
  Add-on Feature to Firewall or Router/Switch
Operation and Management
  Web-based Management System
  Management Reports

Table 1: Functional criteria for selecting a VPN solution

    Interoperability

Does the solution interoperate with any existing firewall that a customer might have? This will provide a secure mechanism for interoperating with current and future business partners.

Access/Connectivity: Does the solution handle a variety of connectivity choices, including dial-up, leased line, T1/E1, DSL, and cable to meet a customer's current and future needs? For many customers, wireless access is already important as well. The solution chosen must be flexible enough to support the types of Internet connectivity technology a customer needs at each location, and whatever type of connectivity technology the customer envisions deploying in the future.

Service Coverage

This issue applies to VPN as a service from ISPs/NSPs, and total service solution providers. Is the VPN service available in every location where the customer is conducting business or plans to conduct business, and in every location where the customer has partners or potential partners? The service levels and the time that it takes to make additions and changes to the service should be consistent with the customer's business objectives.


(Table 2, second part)

Cost element                                                              Solution 1   Solution 2   Solution 3
  Annual personnel/professional services cost for ongoing
  management and maintenance of VPN
  Interoperability and Flexibility: opportunity cost for not being
  able to connect with customers and business partners in a timely manner
  Reliability and Availability: opportunity cost for downtime
  (planned and unplanned)

Table 2: Total Cost of Ownership for a VPN

Interoperability and Flexibility: These costs include the cost of lost business if one cannot connect or interoperate with customers, business partners, and their systems in a timely manner.

Reliability and Availability: These are costs of unproductive employees and of lost transactions due to system unavailability.

Selecting the Right VPN Solution

The range of VPN solutions frustrates customers trying to compare the solutions. This is especially true for customers in small and medium-sized businesses. These businesses have neither the resources nor the time for a drawn-out evaluation. By focusing on the long-term IT and networking strategy and by using a TCO framework, customers can simplify and rationalize the evaluation and can eliminate the theoretical possibilities.


select a solution from a set of products with similar basic VPN capabilities. Table 2 lists the important elements for calculating TCO.

Basic Costs: These are calculated based on vendor fee and on equipment price. One item that warrants discussion is the additional cost of a hardware and software upgrade if the VPN is an add-on feature to an existing in-house router/switch/firewall. When an administrator adds another function to an existing platform, the complexity of maintaining that platform increases and the performance degrades. Multi-function platforms also are prone to more crashes and glitches. Make sure you account for these costs under additional costs for personnel, flexibility, and reliability.

    Additional Costs: These include indirect costs butform the major part of the TCO.

Personnel costs should include loaded salaries and infrastructure (office space, furniture, telephone, desktop, and networking) and recruitment costs for technical people and management.

(Table 2, first part; continued below)

Cost element                                                              Solution 1   Solution 2   Solution 3
Basic Costs
  Annual fee
    License fee, if hardware/appliance or software solution
    Service fee, if outsourced
  Annual software license/rental fee
  Cost of additional hardware and hardware upgrade
  (if add-on to firewall/router/switch)
Additional Costs
  Personnel/professional services cost for initial design
  and deployment


For a more specific and detailed cost/benefits analysis of implementation alternatives, a user should use Tables 1 and 2.

    Conclusion

The ability to use the Internet in a secure manner is the foundation of e-commerce. A VPN is the key to attaining that objective. Not only do VPNs provide security across the Internet, they can eliminate expensive intranets and EDI networks.

There are numerous solutions available for implementing a VPN. Small and medium-sized businesses will find that, more often than not, building their own solutions, even as add-on features to existing in-house solutions, will be more expensive and less compatible with their business objectives in the long run.

For the outsourced solutions, managed VPN services from network services providers are no longer the only option for customers. Customers should compare emerging services such as point-and-click VPN services and network service provider VPN solutions. A point-and-click solution may not only cost less than the alternatives, but also provide greater flexibility and more scalability to reach customers and business partners worldwide.


    Build vs. Outsource

Before developing a detailed list of technical, functional, and other requirements, a customer must decide whether they want to build their own VPN solution or they want to outsource it. This needs to be answered even when customers have in-house installed firewalls and routers for which a VPN is available as an optional feature.

A build-your-own solution has the following characteristics:

    More control and customization

    Capital investment

In-house IT and networking personnel and resources

    Long development cycles and greater lost-opportunity cost

An outsourced solution has the following characteristics:

    No capital investment

No in-house personnel and other resources needed to manage the technology

    Ease of expansion and changes

    Ease of migration to new technologies

For small and medium-sized businesses and, increasingly, for large businesses too, the IT trend is towards outsourced services. Businesses want to focus on the business-of-the-business, and providing internal IT services is becoming a distraction.

For VPNs, if a customer can find an outsourced solution that meets his/her functional requirements and is flexible enough to support their future needs, outsourcing is a better solution than a build-your-own solution.


Case Study: Integrating Remote Offices: How NETSCAN Used OpenReach to Become an E-Business

Overview

NETSCAN iPublishing Inc. provides legislative and regulatory news feeds to its customers and has built its business by delivering timely news via the web. With increased demand on their resources and a more complex IT infrastructure, the company was facing a number of challenges fulfilling its promise to deliver secure, timely information to its customers. As a small company with limited IT resources and offices in three states, NETSCAN was forced to use a less-than-ideal system for communicating important documents and information between offices.

    NETSCAN Needs To Connect

To meet its customers' needs, NETSCAN delivers the latest news on legislative happenings within 12 hours of the activity, using a combination of people and software. This tight schedule makes it imperative for NETSCAN's data collection, creation, and delivery processes to be efficient and infallible. However, with 35 employees located in three different states (Florida, Pennsylvania, and outside Washington, DC), the company was struggling to maintain its short production time. Since providing timely information for breaking news stories is critical to the success and reputation of NETSCAN, the company realized it could no longer bet its business on email and unsecured FTP, the current methods for transferring files between separate locations.


NETSCAN was also facing a number of challenges integrating its offices. Each office uses a different service to connect to the Internet and has its own separate local area network (LAN) environment. This environment highlights a number of inherent problems that were putting NETSCAN's business at risk:

Searching for the Right Solution

Many small companies face the same dilemma that NETSCAN did. They need to adopt a more mature and robust IT infrastructure but lack the internal resources (both money and staff) needed to implement one of the solutions on the market. The standard solution for connecting multiple locations of a company, a virtual private network (VPN), is traditionally tar-


    The Prob lem

Separate Offices: NETSCAN has 3 separate physical locations, each with different types of connections to the Internet, that need to communicate and collaborate.

Unreliable Existing Connections: The existing method of sharing files and information via email and FTP is unreliable.

Limited IT Resources: There is no dedicated IT staff at any location, so any solution has to be straightforward, easy to implement, and self-managing.

Limited IT Budget: NETSCAN cannot afford a costly standard VPN or WAN solution.

Need for Growth: NETSCAN needs to find an alternative to its current methods to prevent potential loss of business and to position itself as an e-business for future growth.


    Conclusion

Without making a substantial investment or having dedicated IT staff at each location, NETSCAN has been able to create what it never thought possible: an affordable and robust VPN for its entire business. Employees at the various NETSCAN offices, especially those who travel between offices, are delighted at the connectivity and privacy that OpenReach provides. NETSCAN has been satisfied with the initial performance of OpenReach VPN services. The ease of installation, affordability, and immediate deployment have enabled NETSCAN to become a connected e-business.

For a complete copy of this case study, visit the OpenReach website: www.openreach.com

OpenReach, Inc., 660 Main Street, Woburn, MA 01801, 1.888.783.0383


NETSCAN's Virginia office was able to proactively resolve the issue before it caused problems for workers in Pennsylvania.

geted at larger companies that can afford the investment required for such a solution. NETSCAN knew that it needed to solve its current file transfer issues, but it also knew that a traditional VPN was not a feasible solution. With the three different Internet connections and no internal IT staff to handle the complex technology that is part of a VPN, as well as the reality that outsourcing to a large managed service provider was far too expensive for the company, NETSCAN was left looking for some other way to meet its needs.

Once NETSCAN found OpenReach, it realized it could securely connect its multiple offices without hiring additional IT staff or purchasing expensive and proprietary equipment. With a point-and-click VPN solution designed for small-to-medium businesses, OpenReach provided secure and scalable LAN-to-LAN connectivity over the Internet while addressing all the problems that NETSCAN faced when considering a traditional VPN solution.


The Solution

Fast, hassle-free installation: NETSCAN went live with OpenReach VPN services the same day that the services were downloaded onto the company's dedicated PCs.

Immediate secure, seamless communication: Within a matter of hours, NETSCAN was transmitting files and information securely via the Internet with OpenReach's services between its Virginia and Florida offices.

Proactive monitoring and alerting: NETSCAN has already benefited from OpenReach's monitoring services. Shortly after installation, OpenReach actually alerted NETSCAN's Virginia office to a problem with its Internet connection at the Pennsylvania office, which was unrelated to the OpenReach solution.


    EDI standards pre-date the Internet and are not basedon the Internet standards.

Encryption: The use of a mathematical algorithm and keys to scramble and unscramble information so that it is not translatable by the naked eye.

Extranet: The extension of a private corporate network to allow connectivity with partners and customers.

Firewall: A device or piece of software which employs rules to specify that communication from a specific location or individual, or of a specific protocol, can or cannot enter the network.

Intranet: An organization's private network typically based on TCP/IP protocol.

Internet Protocol (IP): The routing and addressing part of the TCP/IP protocol suite.

IP Security (IPSec): The name of the standard for secure communications over the Internet. Defines a framework for authentication, encryption and managing encryption keys.

ISP: Internet Service Provider

LAN: Local Area Network

Layer 2 Forwarding (L2F): An earlier, proprietary Cisco protocol for secure communications over the Internet, replaced by L2TP.

Layer 2 Tunneling Protocol (L2TP): An amalgamation of two proprietary protocols, L2F and PPTP, for secure communications over the Internet. Proposed as an alternative to IPSec, but IPSec remains the dominant protocol for secure communications over the Internet.

Mesh-connected (fully meshed network): A network where every entity in that network can access any other entity within that network.


    Glossary of Terms

Asymmetrical Keys: The use of a key pair. One key is used to encrypt the information, the other is used to decrypt it.

Authentication: Verification of the identity of specific users or systems.

B2B: Business-to-Business transactions over the Internet.

B2C: Business-to-Consumer transactions over the Internet.

Certificates: A unique private key which identifies a user or system to another user or system which also holds its own unique certificate.

Crypto Period (encryption period): Length of time for which the encryption keys are held valid.

Data Encryption Standard (DES): A commonly used standard for encrypting data over the Internet. DES, or Standard DES, has a 56-bit key length.

3DES: A variation of the DES algorithm which uses 3 keys. One to encrypt, a second to decrypt, and a third to encrypt again. The result is effectively a 168-bit key length.

Digital Subscriber Loop (DSL): A digital telephone link to the user premises, which allows very high speed connections, 10 to 20 times greater than the 56 Kbps modem, to the Internet.

EDE: Encrypt, Decrypt, Encrypt. Method used in the Triple-Pass DES and 3DES encryption algorithms.

Electronic Data Interchange (EDI): A technique for exchanging transaction-related and other data between businesses based on formats and standards defined by an industry group or a corporation. Most


Triple-Pass DES (Triple DES): A variation of the DES algorithm which uses 2 keys. The first key encrypts the data, the second decrypts the data, and the first is used again to re-encrypt the data. The result is effectively a 112-bit key length.

    Tunnel ModeMode of IPSec which enables thesecure transfer of data across the wide area networkinside a tunnel.

    User Datagram Protocol (UDP)An unreliableprotocol for application-to-application communicationsover the Internet.

    Virtual Private Network (VPN)The use of theInternet as if it were a private network through the useof encryption and authentication techniques such asIPSec.

    WANWide Area Network

    Glossary 4 5

    Network Address Translation (NAT)Used toconvert, or translate, an address on one network to anaddress which will be usable on another network.

    Network Services Provider (NSP)Differs froman ISP in that it also provides services other thanInternet access.

    Packet EncapsulationThe placement of one

    packet into another packet, thereby hiding the originaladdressing information and data.

    Point-to-Point Tunneling Protocol (PPTP)Aproprietary protocol used by Microsoft as an alternativeto IPSec for secure communications over the Internet.

    Public/ Private Key PairThe public key in a keypair is not kept secret.The private key, held by oneindividual, is kept secret.

    Quality of Service (QoS)Defines or measures thequality of expected Internet connectivity or services.

    QoS specifications typically include parameters such asnetwork availability, restoration time, number ofdropped packets, end-to-end delay.

    Remote Access Server (RAS)A device to supportdial-in connections from remote users.

    Symmetrical keysThe use of the same key toencrypt information and decrypt that same informa-tion.

    Total Cost of Ownership (TCO)Includes, inaddition to initial purchase price of hardware and soft-ware,additional one-time and recurring costs such asinstallation, support, loss of productivity and opportu-nity costs. Reflects the true cost of product or serviceover a period of time.

    Transmission Control Protocol (TCP)A reli-able protocol for application-to-application communica-tions over the Internet.



    This Technology Guide is one in a series of topic-focused Guides that provides a comprehensive examination of important and emerging technologies. This series of Guides offers objective information and practical guidance on technologies related to Communications & Networking, the Internet, Computer Telephony, Document Management, Data Warehousing, Enterprise Solutions, Software Applications, and Security.

    Built upon the extensive experience and ongoing research of our writers and editorial team, these Technology Guides assist IT professionals in making informed decisions about all aspects of technology development and strategic deployment.

    techguide.com is supported by a consortium of leading technology providers. OpenReach has lent its support to produce this Guide.

    Visit our Web site at www.techguide.com to view and print this Guide, as well as all of our other Technology Guides. This is a free service.

    produced and published by