11-02-2010, 09:14 PM
[attachment=1938]
ABSTRACT
VPN is virtual private network. It is a private network for voice and data built with carrier services. There are three definitions for VPN Voice VPN, Carrier-based voice/data VPN, Internet VPN. VPN offers a cost-effective alternative for data communication between intra-company offices, inter-company communications and remote access for domestic and international remote user and business partners.
INTRODUCTION
Traditionally, a VPN has been defined as a private network for voice and deter built with carrier services. More recently however, VPN has been defined as a private encrypted tunnel through the Internet for transporting both voice and data between an organizations different site. The different definitions of a VPN are as follows:
Voice VPN : In this scheme a single carrier handles all the voice call switching. The "virtual" in VPN implies that the carrier creates a virtual voice switching network within its switching network.
Carrier based voice data VPN: packet- ftame-and cell-switching networks cam-information in discrete bundles (called packets) that routed through a mesh network of switches to a destination. Many users share the network. Carriers program virtual circuits into the network that simulate dedicated connections between a company's sites. A web of these circuits forms a virtual private network over the carrier's packet-switched network.
Internet VPN: Internet VPN is similar to the carrier based voice-'data VPN excet* that the IP-based Internet is the underlying network.
In today's world, to the industry VPN means only one thing and that is the Internet VPN.
Companies whose facilities are split between two or more locations can connect the locations into single logical network through the use of routers and wide area networking (WAN) technologies. When a circuit-switched network, like the telephone network is used, permanent or switched circuit services are employed to emulate the physical attachment of the two sites for router-to -router packet exchange. Despite the fact that the WAN technologies almost always use shared, "public" communication utilities, the network constructed by such an organization is usually considered "private"
And unlocking the secret to the savings is easy. Just lose the leased lines-and look at the public backbone. By setting up secure virtual private networks (VPN's) over the Internet or other public network, corporate networks can save their company's fistfuls of cash.
Many businesses today use high speed leased lines, Frame Relay Services or dial up digital services (ISDN) to satisfy their data connectivity needs. With the growth of the Internet, a new cost effective alternative has been born.
An Intemet-based VPN uses the public Internet to deliver secure data services for intra-and rater-company communication. VPNs are also a means for companies to take their first step towards Internet-based electronic commerce services (E-commerce).
VPNs offer a cost effective alternative for data communications between intra companies offices (both domestic and international), inter company communications (for Electronic Commerce in the form of file transfer, electronic mail, EDI, web and client server applications), and remote access for domestic and international remote users sand business partners, Industry research estimate that operational cost savings of up to sixty7 percent over equivalent private networks can be realized.
A Virtual Private Network or VPN, is a business-critical wide-area Networking solution enabling an organization to securely and reliably communicate with it offices, business partners, vendors, customers and employees (both local and remote), The flexibility and business critical nature of VPNs enable and organization to scale its business quickly, easily and cost effectively.
VPN REVOLUTION
Virtually: Webster's dictionary defines as "being such practically or in effect, although not in actual fact or name". So for something to be a virtual network, it should act like a network, yet not be one. It's a wonder then that any one could classify only some networks as virtual since all networks are virtual to some extent Perhaps we can make the separation based on physical wiring. If there are real wires among all of the nodes, then network is not virtual. Based on this determination, WANs have been virtual since the Telcos stopped provisioning TI circuit on conditioned copper and started using channelized T3 circuits instead.
Perhaps a better determinant is whether the network connections are on demand or dedicated. An on demand network is made of connections that can be controlled by network administrators, instead of their telecom partners. A network made of connections controlled by a third party like a Teico, ISP or telecom annalist is a dedicated network. At some point in this type of network, administrators lose control of the physical network, sometimes right past the building hubs. Thus, for all practical purposes, on demand networks are built above the network layer because this is the only place accessible to network administrators for their entire network.
Virtual Private Networking technologies provide the medium to use the Public Internet backbone as an appropriate channel for private data communication. With encryption and encapsulation technologies, a VPN essentially carves out of a private passage way through the Internet VPNs will allow remote offices, company road warriors, and even business partners or customers to use the Internet, rather that pricey private lines, to reach company networks.
By replacing expensive private network bandwidth with relatively low cost band width, your company can slash operating costs and simplify communications. You don't need to have 800 lines, run modem pools or pick up long distance charges; employees and business partners simply place local or toll free calls to Internet service providers (ISPs) to make the connection. Setting up VPNs also allows you to reduce in house network management responsibilities. You'll be able to turn much or remote communications burden over to ISPs.
You can also use VPNs to page link remote LANs together or giving traveling staffers, work at home employees and business partners a simple way to reach past company firewalls and tap into company resources. Virtual private networks are flexible. They are point to multipoint connections, rather than point to point links. They can be setup or closed down at the network administrators will, making them ideal for shout term projects.
There's realization that the public, packet-based network is far more cost effective than a leased network because you can share the fixed cost among many organization using the circuit The public network provides greater scalability and leverage at a lower cost
A typical TI leased line between a corporation and a local Internet service provider costs $ 400 to $ 5000 per month. But because TI charges amount as distance increases, a TI connection running across the country can cost thousands of dollars each month.
ADVANTAGES:
Much cheaper for connecting WANs than 800 NO: s of dedicated TI lines.
Provides a encryption and authentication services for a fairly good measure of privacy.
Maintenance of the WAN - to -WAN correction is left to Internet Service Providers.
Highly flexible; can be set up and taken down very easily.
The working definition that will be the basis for the all discussions in this white paper is that a VPN uses a cxmibination of tunneling, encryption, authentication, and access control technologies and services. VPNs use these technologies to ride traffic over the Internet, a managed IP net work or a provider's backbone. The traffic reaches this back bones using any combination of access technologies including TI, frame relay, ISDN, ATM or dial access.
A VPN utilizes a public telecommunications network as a secure channel for communicating data. A VPN connects remote clients, eg.: laptops used by sales persons out in the field, to companies LAN.
Historically, remote access servers, (RASs), or dial-up networking servers, have provided this type of access. In addition, a VPN can perform in the functions of a wide area network (WAN) by interconnecting two or more LANs through the Internet.
Internet providers (ISPs), equipment vendors, and software developers say they can give you best of both words the security, performance availability and multi protocol support of the private network over the inexpensive and pervasive Internet. It's called virtual private network (VPN), or "extranet" and the technology is currently being considered primarily as means of the extending the reach of private networks for dialing access. But connections with business partners and customers are another important application. And to a lesser extent, VPNs may address location ware traditional private network connections cannot be economically justified. Some vendors and services providers are talking up the idea of replacing existing private network links with VPN links.
TYPES OF VPN
DIAL VPNs
Much of the public discussion surrounding VPN thus far has centered around tunneling. Tunneling however is mealy one component of a complete and robust Dial VPN service architecture. In addition to tunneling techniques supported within the service, any disruption of a dial VPN service must contain a service must contain a description of how the service handles security, as well as network management and administration.
Tunneling:
Dial VPNS are built up on the notion of efficiently and securely tunneling data from one point to another. With tunneling the remote access server warps the user data (payload) inside IP packets, which are routed through the carrier's network or even across multiple networks in the case of the Internet, to the tunnel end point where the tunneled packet is unwrapped and forwarded in its original form. Tunneling is used by corporations shifting there remote access traffic from switched, long distance and regional carriers to ISPs and the Internet Tunneling uses point - to -point session protocol to replace switched connections, linking data address over a routed network. This replaces the linkage of telephone numbers over a switched telephone network. Tunneling allows authorized mobile workers and perhaps authorized customer, to reach your enterprise network any time and from any where. In tandem with authentication technique, tunneling also prevents unauthorized access to your corporate network.
ROUTER - BASED VPNs
Most router vendors have added VPN services to their products. Using VPN - enabled routers, IT managers can send traffic between branch offices over the Internet or a service provider's network. Dial - in users can access the corporate network by tunneling in over a provider's network. There are several advantages to a router - based approach that make it attractive to IT managers. First, adding VPN services to a router is usually a software upgrade. Frequently, the IT manager simply has to download some software from the vender's Website or get a disc from the vendor and install it on an existing router. That is usually the case get with older routers.
New routers often come with VPN services built in to the units software set or even in to the routers operating system. Pricing approaches for the VPN services vary greatly among router vendors. Some through it in for free with the operating system; others charee a fee to make use of the VPN features. Typically, the VPN software add -on for routers includes fire wall, encryption and tunneling capabilities. Some venders page link the user authentication to existing authentication servers such as the Remote Authentication Dial - In User Service.
Another advantage of the router - based approach is that there is no need to change the existing network. This can save operational cost, in a couple of ways and thus reduce the total cost of ownership for a VPN.
In some VPN implementations, a dedicated box is needed. This adds to the management task of the IT staff. Installing VPN software on an existing router means no additional Internet working devices are added to the network. Frequently, dedicated VPN devices are not from the same venders that supply routers, switches and hubs. The router based approach where software added means the existing management system can still be used with the VPN. So mere is no need to train IT staffs on new equipment or management system.
While these are all valuable reasons for using a router - based VPN, there are other considerations before selecting this approach.
First, firewall, encryption and tunneling are all done in software, which could cause a problem under heavy traffic loads. A dedicated VPN device or dedicated firewalls would likely delivered higher performance. Of course, it will depend on your specific loads. In many cases, adding software to a router might do the trick.
Software - based VPN services on a router are CPU - intensive - especially when using a high level of encryption such as Triple - DES at high data - transfer rates. If that is what will be doing, hardware add -on dedicated to handling encryption tasks Might be necessary.
The disadvantage to using one of these devices is that it adds to the cost of deploying the VPN, especially if you were looking at a simple software upgrade to start.
Some vendors do not offer add-on encryption hardware devices. In cases where many users or sites are being connection at high - access speeds while using IP Sec tunneling and industrial strength encryption, the VPN tasks may simply use a large portion of the router's processing power.
This can be a major problem. In the extreme, the VPN tasks would consumer so much of the routers processing cycle that there would be a noticeable performance drop. Most IT managers determine in the type of router they need to purchase by specify a certain packet per second performance. If running VPN software on the router cuts the significantly, network response times could suffer as packet quit in queues waiting to be directed to appropriate ports.
This would require the router hardware to be upgraded- So what started out as a relatively economical way to add VPN service to your network-adding software to an existing router-would require the out lay of cash for new equipment
Many IT managers interested in router-based VPNs start with there existing router to prove the concept And as they try pilot project they get a feel for the performance under their user's loads. This will help determine if the existing router is sufficient In some cases it will be. In the others, the IT manager may need to increase the performance of the router.
SOFTWARE - BASED VPNs
Another way to deploy a VPN install is to a straight software-based VPN. Operating system suppliers and several third party vendors offer VPNs applications that perform the encryption, tunneling and authentication services required to page link users over a VPN.
Although this is a similar approach to using a router - based VPN, one advantage to a software based VPN is that it allows an IT manager to use existing equipment. This software is installed on an existing server. This means the network configuration remains intact and the same management skills and tools can be used to administer the VPN. Thus there is usually no additional training or management software required to keep the VPN connections up and running.
Another advantage to a straight software-based VPN is that the programs frequently tap existing network operating system authentication services. This can greatly simplify VPN administration by, for e.g., linking VPN access right to already defined user - access privileges.
There are, of course, a few points to consider before using a straight software-based VPN approach. As in the case of a router base VPN, performance may be an issue. Performing VPN encryption and tunneling tasks takes processing power. One problem in evaluating such a VPN approach is that there are no standard matrix of determining exactly what the processing load would be on a server.
The factors that determine the load include the number of simultaneous VPN sessions that need to be supported, the level of encryption of each session, the typing of tunneling used that the rate at which data in being passed over the VPN.
Obviously, connecting hundreds of branch offices with TI lines to a central sight would require much more processing power in the central site than supporting a few dozen telecommuters dialing in to their service providers over analog phone lines.
The consequences of too heavy a load can vary greatly. An IT manager may have to limit the number of simultaneous sessions that are supported, thus living some users unable to connect.
If the VPN software is nmning on a server that supports other applications, the performance of these other applications may suffer as the VPN services take more and more CPU cycles.
In either case, an IT manager may find that a higher performance server would be required. So similar to what could happened with router-based VPNs, what may seem like an inexpensive way to establish a VPN might required the purchase of a new, high-end server.
IT managers who opt for the software-based VPN approach typically start :using an existing server to get some experience with the technology. Usually a pilot program is established and it is during the pilot that the IT manager examines the VPN performance under varies conditions. Such experience will help determine if the existing server is capable of supporting a more expensive deployment.
FIREWALL-BASED VPNs
Many corporation center their Internet securities activities on firewalls, which are used to keep hackers out Some companies even check for computer viruses and malicious codes at this point in their networks.
For some IT managers, adding the security services of a VPN only makes sense at their firewall. As a result many fire vendors now support VPN services within their fire walls. Most often the VPN services are supported in software.
This makes its easy for and it manager to get started using a VPN. The IT manager simply has to install some new add-on package for the particular firewall. In some cases, the manager can pay an additional fee to have the VPN services supported in the firewall's operating software turned on. Again, the advantage is that the existing network remains the same, so there is no additional equipment to manage. Training is kept to minimum because a VPN services are often managed by the same user interfaces that is used to manage the firewall.
On the other hand, VPN function such as encryption and tunneling are handled by software. Again performance may be an issue as in the router- and server based VPN approaches. Essentially these tasks may take more processing power than the firewall has to offer.
If performance becomes an issue, the IT manager may find that a higher performance firewall is required. Once more, what irntially looked in the low cost
software upgrade to support the cooperate VPN can tern in to a new equipment purchase.
Similar to the two approaches, IT managers will have to determined for themselves whether performance will be an issue for their particular situation. It may be that the existing can usually number of simultaneous session at ever of encryption is required by the IT manager, and at the data rates offered at the particular site.
WHICH IS BEST
For an IT manager, choice of which device to add VPN services to will probably be determined by a couple of basic factors.
The choice of platform might come down to performance. Once an IT manager tries implementing a VPN on one platform, it may be determined that the devise simply cannot handle the loads anticipated for a full VPN development. The IT manager then have to decide if it is more economical to stick with the specific platform type and by a higher-end version, or if it might be better to select a different platform all together.
Unfortunately there is little help in determining before hand what the performance actually be. Some IT manager say the choice of a platform will come down to their corporate network networking philosophy. If a company does not use firewalls, its not likely they will be one just for VPN services. Similarly, if a company has a bridged networking environment big services in most offices, buying a router just for its VPN capability would probably the out of the question.
Conversely, if a company has a huge investment in WAN routes or firewalls and a vendor offers a software upgrade that will add a VPN services, that mightily the deciding factor when selecting a platform.
Managers might also necessary also Desiree to leave their current networking geat unchanged and add on this service by installing a dedicated device that handles
VPNs. And as if those where in enough options for deploying VPNs. Some IT managers and companies may find they have no choice at all when it comes to a VPN platform.
It might be that a service provider simply offers a managed VPN service that includes all of the hardware and VPN software.
F SECURE ARCHTECTURE
Fsecure encrypts TCP/TP packets on the fly for transport over the Internet or an intranet. It works with an any installed base of routers an firewalls. It also furnishers the most powerful encryption available, including triple DES (Data Encryption standard) and Blow - fish...Further, Fsecure compresses data, authenticates other encryption servers, and performs distribute key management.
FSecure VPN is normally placed behind both the corporate firewall and the router (other configuration are also possible). The package includes UNIX and the encryption engine that easy to install in Pentium PC. After some initial key exchange sand authentication between FSecure servers at other sites, the net manager simply removes the keyboard and the machine becomes a security server. Routers must then be configured to forward all TCP/IP packets destined for encryption to the FSecure server while all packets traveling to unsecured sites and routed normally. Net managers must also configure one port on their firewall to let encrypted traffic reach the FSecure server without filtering it.
When it receives packets, FSecure VPN compress and encrypts both the TCP header and the payload. It then encapsulates it in a second packet for tunneling to an FSecure unit at another site. The software at the distention site decrypts the packets and to the retrieves the original header before forwarding it on to the LAN. By compressing and encrypting simultaneously FSecure makes the session even harder to crack and also helps save on valuable Internet band with.
FSecure VPN uses a protocol called Secure Shell (SSH) that has a emerged as a de facto standard for secure Internet communications. The protocol has been used, tested and proved reliable by such security - conscious organization as NASA (Washington, D.C.), as well as several U.S. banks. The standard being developed by IP Security Group (IPSec) of the IETF (Internet Engineer's Task Force) will also be implemented as they become approved.
SECURITY
Several firewall providers include virtual private network as a security feature, a firewall, which can be software for a host system or a router, or combination of software and hardware devices, checks, limits and logs network access. For additional security, firewall can encrypt data at a side before shipping it out over the Internet. The receiving site, which must have a matching encryption scheme, can decrypt the data.
Pilot network Inc is unveiling a virtual; private network service this week that improve security by continually accessing information it collects from potential attack on the network.
Every time someone tries to break in to a network that uses the service, the incident is added to a database, which can analyze the information. The more client and the more attempted break - ins on the network, the better the Pilot service is says Pilot CEO and founder Marketta Silvera.
CryptoCom VPNS is said to provide some of the strongest encryption algorithms available-dual-key, triple DES, 128-bit IDEA, and 56 bit DES integrated with two factor user authentication, packet authentication, automatic short-term key expiration and renewal, and renewal network compartmentalization.
CryptoCom helps insure that users are properly authenticated and packet integrity is maintained. CryptoCom VPN is designed to be easy to use and administer by providing transparent operation to all end users the CryptoCom VPN Gateway hardware and CryptoCom VPN Client software are compatible with existing firewalls routers, network architectures and protocol and do not require network device reconfiguration.
Centralized administration provide network managers with tool for configuration as well as ability to disable and account if an end user device has been compromised. CryptoCom's two-factor user authentication process eliminates the need for authentication product such as key = generating cards and public certificate authorities, which most VPN require to be secure.
According to the companies, CryptoCom VPN does not degrade network performance. As a dedicated VPN hardware server, the CryptoCom VPN Gateway assure high traffic flows while eliminating the need to burden the processing power and throughput of existing firewalls or routers. The client software supports Windows NT, and 95 with major protocols, including IP, IPX, Net BIOS, NetBEUi, or even SNA over major type of network connection (dial -up frame relay, ISDN, X.25 Ethernet, and token ring). The gateway hardware supports most LAN and WAN. Interface.
ENCRYPTION:
Ensuring the privacy of message encryption can be offered in two different forms, private keys and Public keys. Private or symmetric key encryption is based on a key (or algorithm) being shared between two parties. The same key both encrypts and decrypts messages. Kerbores and Data encryption standard (DES) are traditional private-key technologies. A private key mechanism is proven relatively simple method of encryption. The main problem is in sharing the keys: How can key that is used to security be transmitted over an unsecured network the difficulties involved with generating, storing and generating, storing keys (called key management) can limit private key systems, especially over the Internet.
In 1976, two computer scientists, Whitfield Diffie and Martin Hellman, developed a theory of public-key encryption which offered a solution to the problem of how to transfer the private key. Latter, RSA Data Security, Inc. created an algorithm to make public-key Cryptography commercially viable. As illustrated a public-key solution such as Entrust TM from Entrust Technologies, there are two keys - a private key and Public key which is made publicly available. In addition, a one-time symmetric key is generated for each transaction. To send a message, the sender, Alicia, first encrypts it by using the one-time symmetric key. This key is then encrypted, using the Public key of the recipient, Alex. Keep in mind that anything encrypted with a Public key can only be decrypted with the recipient's private key. This means that the symmetric key (and therefore the message that it has encrypted) is now secure for transmission over the Internet or an intranet. When the message arrives, Alex decrypts one time symmetric key using his own private key. Then, using the symmetric key, he decrypts the message.
The main advantage offered by public-key technology is increased security. Although slower than some private - key systems, public - key encryption generally is more suitable for intranets for three reasons: 1) it is more scalable to very large systems with tens of millions of users, 2) it has more flexible means authentication, and 3) it can support digital signatures. Public - key technology also enables non-repudiation enforcement to verify the transmission or receipt of a given transaction.
A VPN is a network tunnel created for encrypted data transmission between two or more authenticated parries. This ensures the data privacy, integrity, authenticity. At its foundation, a secure VPN solution is complete only if the design architecture integrates.
Confidentially authentication automated key management Firewalling tunneling routing remote access remote management and EP Sec Standards.
CONFIDENTIALITY:
Encryption is used to provide confidentiality and data integrity within a networked environment Confidentiality ensures that no one can view the data while it is being transmitted, and data integrity ensures that no one can modify the data undetected. Encryption plays an integral roll in a secure VPN solution, and as such, a solution should include multi encryption algorithms, This will allow the manager to apply the appropriate algorithm depending up on the length of key required (ie : the level of security required).
Over the past several years, a number of studies have been initiated to determine the minimum key length that is required to secure critical information. Resent studies performed by independent scientist conclude that minimum key lengths should be no less than 90-bits. When choosing a secure VPN solution, ensure that it uses a proven encryption method, and that the algorithm supports key lengths longer than the recommended minimum bit length. Processing power is rapidly increasing and the longevity of a secure VPN solution can be shortened if its encryption algorithms are week or the key lengths are too short
PUBLIC KEY AND SECRET KEY CRYPTOSYSTEMS;
There are two major types of Cryptosystems in use today: Public key and Secret key and Cryptosystems. Secret key Cryptosystems, such as DES or Triple Pass DES, use the same key to encrypt and decrypt data and tend to be fast and efficient However, because they use is same key to encrypt and decrypt data, they suffer from a key distribution problem; how to get the Secret key to the other side without any one else intercepting the key. Public key Cryptosystems, such as RSA, use two keys, one to encrypt data and a different key to decrepit data. As such, the problems surrounding key distribution are solved since the encryption (Public key) can be freely distributed knowing that the receiver of the message is the only person who will be able to decrypt message as long as the description keys (private key) is kept secret. However, public key Cryptosystems tend to be solver than Secret key Cryptosystems of comparable strength. Therefore, a good VBN solution will use Public key technology for key distribution and Secret key technology to allow fast and efficient encrypted transfers.
AUTHENTICATION:
The ability to authenticate encryption device and users is a vital aspect of a secure VPN solution, password protection is easily broken and inherently insecure. X. 509 Digital Certificates are the defecate standard for authentication, because they provide stronger authentication over password based solution. In addition, since X. 509 Certification is independent of a central database, then-schema is more reliable and provides enhanced performance. By verifying the digital signature of the Certification authority, any user or network device can easily authenticate the other end of a communication channel before initiating communication with that specific use or device. A secure VPN solution that fully integrates X, 509 Certificates is beneficial because it follows industry standards and will provide an enhanced security over password - only solution.
AUTOMATED KEY MANAGEMENT:
Automated Key Management is an important component of a secure VPN. Automated Key Management defines Crypto periods for session keys as well as digital certificate. Many VPN solutions require administrators to manually enter keys on each device situated on the WAN. This solution is an extremely shortsighted approach and will become unmanageable as the business grows and the number of network devises increase imaging trying to manually changed key on 100 or 1000 devices everyday! It is also relatively insecure because humans tend to generate more predictable keys than what is produced through automation. It is vital for a secure VPN solution to include server - based key generation management, the random number generated that does not reveal keys and a secure operating platform that cannot be modified. The ability to Cryptoperiods is also important to ensure that keys are automatically recycled at set time intervals. This
will greatly inhibit any adversary's ability to break keys, and gain access to proprietary information.
FIRE WALLING:
Fire walls are designed to product Internal network from outside attack and to provide access control to the Internet for all users within your internal architecture. It is critical for a VPN solution to include a firewall that is fully integrated and interoperable with the other components of the solution.
The main security features of a VPN are:
¢ DES and Triple PASS DES algorithm.
¢ Network layer encryption
¢ Tunneling support
¢ Firewall functionality and interoperability with installed firewall technology
¢ Multi-protocol support
¢ Automated Key Management's set Cryptoperiods - adds security against key breaking X. 509 Certificate superior security over passwords.
¢ Secure desktop - to -desktop communication.
ADVANTAGES
Where is a VPN useful
Vans offer a cost effective alternative for data communications between intra company offices (both domestic and international), inter company communications (for electronic commerce in the form of the file transfer, electronic mail, EDI, web and client server applications) and remote access for domestic and international remote users and business partners. Industry research estimate that operational cost savings of up to 60% over equivalent private networks can be realized.
Ease of use:
> Completely transparent to the end user.
> Automatic key management
> Centralized logging Firewalling, bridging and routing functionality.
> Full interoperability with existing network infrastructure and applications remote access.
> Full compatibility with Microsoft Dial-Up networking ensures Desktop Applications compatibility.
> No day-to-day management required.
Significant Cost Savings:
Studies have shown that migrating from private to virtual private networks can generate cost savings of between 20 to 45%, even for relatively small networks.
Strategic Power:
Even more important than the substantial cost savings are the strategic avenues that VPNS open for an organization, a flexible, ubiquitous communications infrastructure enables company to pursue powerful new strategic initiatives and relationships, improve communication with offices and customers, lock in vendors and partners while creating to competition, and develop and deploy new products with improved time- to time- market.
Reinvent the Business:
A flexible, ubiquitous commimications infrastructure provides the companies the opportunity to literally reinvent themselves and their relationship with customers and partners. VPNs provides the freedom and flexibility to scale a business -quickly, easily and cost-effectively.
General Capabilities:
Provide "industrial-strength" security
Accommodates dynamically changing communities of users.
Able to exchange information in various forms (web pages, files,....etc)
Accommodates different users with different browsers, applications, Operating system, etc.
Allows users to join groups or administrator to assign identities in a controlled but simple fashions.
Maintains integrity over time, regardless of administrative turn over, changes in technology or the increasing complexity of the corporate information system.
CONCLUSION
VPNs: The best of both worlds
True VPNS combines the best aspects of both private and public networks: the flexibility, scalability and cost structure of a public network with the security and performance characteristic of a private network. It is this powerful combinations that makes VPNs reliable infrastructure for even the most critical corporate data.
BIBLIOGRAPHY
1. http://ww.vpn.com
2. http://pcwebopedia.com
3. http://altavista.com
4. http://egurukul.com
ABSTRACT
VPN is virtual private network. It is a private network for voice and data built with carrier services. There are three definitions for VPN Voice VPN, Carrier-based voice/data VPN, Internet VPN. VPN offers a cost-effective alternative for data communication between intra-company offices, inter-company communications and remote access for domestic and international remote user and business partners.
INTRODUCTION
Traditionally, a VPN has been defined as a private network for voice and deter built with carrier services. More recently however, VPN has been defined as a private encrypted tunnel through the Internet for transporting both voice and data between an organizations different site. The different definitions of a VPN are as follows:
Voice VPN : In this scheme a single carrier handles all the voice call switching. The "virtual" in VPN implies that the carrier creates a virtual voice switching network within its switching network.
Carrier based voice data VPN: packet- ftame-and cell-switching networks cam-information in discrete bundles (called packets) that routed through a mesh network of switches to a destination. Many users share the network. Carriers program virtual circuits into the network that simulate dedicated connections between a company's sites. A web of these circuits forms a virtual private network over the carrier's packet-switched network.
Internet VPN: Internet VPN is similar to the carrier based voice-'data VPN excet* that the IP-based Internet is the underlying network.
In today's world, to the industry VPN means only one thing and that is the Internet VPN.
Companies whose facilities are split between two or more locations can connect the locations into single logical network through the use of routers and wide area networking (WAN) technologies. When a circuit-switched network, like the telephone network is used, permanent or switched circuit services are employed to emulate the physical attachment of the two sites for router-to -router packet exchange. Despite the fact that the WAN technologies almost always use shared, "public" communication utilities, the network constructed by such an organization is usually considered "private"
And unlocking the secret to the savings is easy. Just lose the leased lines-and look at the public backbone. By setting up secure virtual private networks (VPN's) over the Internet or other public network, corporate networks can save their company's fistfuls of cash.
Many businesses today use high speed leased lines, Frame Relay Services or dial up digital services (ISDN) to satisfy their data connectivity needs. With the growth of the Internet, a new cost effective alternative has been born.
An Intemet-based VPN uses the public Internet to deliver secure data services for intra-and rater-company communication. VPNs are also a means for companies to take their first step towards Internet-based electronic commerce services (E-commerce).
VPNs offer a cost effective alternative for data communications between intra companies offices (both domestic and international), inter company communications (for Electronic Commerce in the form of file transfer, electronic mail, EDI, web and client server applications), and remote access for domestic and international remote users sand business partners, Industry research estimate that operational cost savings of up to sixty7 percent over equivalent private networks can be realized.
A Virtual Private Network or VPN, is a business-critical wide-area Networking solution enabling an organization to securely and reliably communicate with it offices, business partners, vendors, customers and employees (both local and remote), The flexibility and business critical nature of VPNs enable and organization to scale its business quickly, easily and cost effectively.
VPN REVOLUTION
Virtually: Webster's dictionary defines as "being such practically or in effect, although not in actual fact or name". So for something to be a virtual network, it should act like a network, yet not be one. It's a wonder then that any one could classify only some networks as virtual since all networks are virtual to some extent Perhaps we can make the separation based on physical wiring. If there are real wires among all of the nodes, then network is not virtual. Based on this determination, WANs have been virtual since the Telcos stopped provisioning TI circuit on conditioned copper and started using channelized T3 circuits instead.
Perhaps a better determinant is whether the network connections are on demand or dedicated. An on demand network is made of connections that can be controlled by network administrators, instead of their telecom partners. A network made of connections controlled by a third party like a Teico, ISP or telecom annalist is a dedicated network. At some point in this type of network, administrators lose control of the physical network, sometimes right past the building hubs. Thus, for all practical purposes, on demand networks are built above the network layer because this is the only place accessible to network administrators for their entire network.
Virtual Private Networking technologies provide the medium to use the Public Internet backbone as an appropriate channel for private data communication. With encryption and encapsulation technologies, a VPN essentially carves out of a private passage way through the Internet VPNs will allow remote offices, company road warriors, and even business partners or customers to use the Internet, rather that pricey private lines, to reach company networks.
By replacing expensive private network bandwidth with relatively low cost band width, your company can slash operating costs and simplify communications. You don't need to have 800 lines, run modem pools or pick up long distance charges; employees and business partners simply place local or toll free calls to Internet service providers (ISPs) to make the connection. Setting up VPNs also allows you to reduce in house network management responsibilities. You'll be able to turn much or remote communications burden over to ISPs.
You can also use VPNs to page link remote LANs together or giving traveling staffers, work at home employees and business partners a simple way to reach past company firewalls and tap into company resources. Virtual private networks are flexible. They are point to multipoint connections, rather than point to point links. They can be setup or closed down at the network administrators will, making them ideal for shout term projects.
There's realization that the public, packet-based network is far more cost effective than a leased network because you can share the fixed cost among many organization using the circuit The public network provides greater scalability and leverage at a lower cost
A typical TI leased line between a corporation and a local Internet service provider costs $ 400 to $ 5000 per month. But because TI charges amount as distance increases, a TI connection running across the country can cost thousands of dollars each month.
ADVANTAGES:
Much cheaper for connecting WANs than 800 NO: s of dedicated TI lines.
Provides a encryption and authentication services for a fairly good measure of privacy.
Maintenance of the WAN - to -WAN correction is left to Internet Service Providers.
Highly flexible; can be set up and taken down very easily.
The working definition that will be the basis for the all discussions in this white paper is that a VPN uses a cxmibination of tunneling, encryption, authentication, and access control technologies and services. VPNs use these technologies to ride traffic over the Internet, a managed IP net work or a provider's backbone. The traffic reaches this back bones using any combination of access technologies including TI, frame relay, ISDN, ATM or dial access.
A VPN utilizes a public telecommunications network as a secure channel for communicating data. A VPN connects remote clients, eg.: laptops used by sales persons out in the field, to companies LAN.
Historically, remote access servers, (RASs), or dial-up networking servers, have provided this type of access. In addition, a VPN can perform in the functions of a wide area network (WAN) by interconnecting two or more LANs through the Internet.
Internet providers (ISPs), equipment vendors, and software developers say they can give you best of both words the security, performance availability and multi protocol support of the private network over the inexpensive and pervasive Internet. It's called virtual private network (VPN), or "extranet" and the technology is currently being considered primarily as means of the extending the reach of private networks for dialing access. But connections with business partners and customers are another important application. And to a lesser extent, VPNs may address location ware traditional private network connections cannot be economically justified. Some vendors and services providers are talking up the idea of replacing existing private network links with VPN links.
TYPES OF VPN
DIAL VPNs
Much of the public discussion surrounding VPN thus far has centered around tunneling. Tunneling however is mealy one component of a complete and robust Dial VPN service architecture. In addition to tunneling techniques supported within the service, any disruption of a dial VPN service must contain a service must contain a description of how the service handles security, as well as network management and administration.
Tunneling:
Dial VPNS are built up on the notion of efficiently and securely tunneling data from one point to another. With tunneling the remote access server warps the user data (payload) inside IP packets, which are routed through the carrier's network or even across multiple networks in the case of the Internet, to the tunnel end point where the tunneled packet is unwrapped and forwarded in its original form. Tunneling is used by corporations shifting there remote access traffic from switched, long distance and regional carriers to ISPs and the Internet Tunneling uses point - to -point session protocol to replace switched connections, linking data address over a routed network. This replaces the linkage of telephone numbers over a switched telephone network. Tunneling allows authorized mobile workers and perhaps authorized customer, to reach your enterprise network any time and from any where. In tandem with authentication technique, tunneling also prevents unauthorized access to your corporate network.
ROUTER - BASED VPNs
Most router vendors have added VPN services to their products. Using VPN - enabled routers, IT managers can send traffic between branch offices over the Internet or a service provider's network. Dial - in users can access the corporate network by tunneling in over a provider's network. There are several advantages to a router - based approach that make it attractive to IT managers. First, adding VPN services to a router is usually a software upgrade. Frequently, the IT manager simply has to download some software from the vender's Website or get a disc from the vendor and install it on an existing router. That is usually the case get with older routers.
New routers often come with VPN services built in to the units software set or even in to the routers operating system. Pricing approaches for the VPN services vary greatly among router vendors. Some through it in for free with the operating system; others charee a fee to make use of the VPN features. Typically, the VPN software add -on for routers includes fire wall, encryption and tunneling capabilities. Some venders page link the user authentication to existing authentication servers such as the Remote Authentication Dial - In User Service.
Another advantage of the router - based approach is that there is no need to change the existing network. This can save operational cost, in a couple of ways and thus reduce the total cost of ownership for a VPN.
In some VPN implementations, a dedicated box is needed. This adds to the management task of the IT staff. Installing VPN software on an existing router means no additional Internet working devices are added to the network. Frequently, dedicated VPN devices are not from the same venders that supply routers, switches and hubs. The router based approach where software added means the existing management system can still be used with the VPN. So mere is no need to train IT staffs on new equipment or management system.
While these are all valuable reasons for using a router - based VPN, there are other considerations before selecting this approach.
First, firewall, encryption and tunneling are all done in software, which could cause a problem under heavy traffic loads. A dedicated VPN device or dedicated firewalls would likely delivered higher performance. Of course, it will depend on your specific loads. In many cases, adding software to a router might do the trick.
Software - based VPN services on a router are CPU - intensive - especially when using a high level of encryption such as Triple - DES at high data - transfer rates. If that is what will be doing, hardware add -on dedicated to handling encryption tasks Might be necessary.
The disadvantage to using one of these devices is that it adds to the cost of deploying the VPN, especially if you were looking at a simple software upgrade to start.
Some vendors do not offer add-on encryption hardware devices. In cases where many users or sites are being connection at high - access speeds while using IP Sec tunneling and industrial strength encryption, the VPN tasks may simply use a large portion of the router's processing power.
This can be a major problem. In the extreme, the VPN tasks would consumer so much of the routers processing cycle that there would be a noticeable performance drop. Most IT managers determine in the type of router they need to purchase by specify a certain packet per second performance. If running VPN software on the router cuts the significantly, network response times could suffer as packet quit in queues waiting to be directed to appropriate ports.
This would require the router hardware to be upgraded- So what started out as a relatively economical way to add VPN service to your network-adding software to an existing router-would require the out lay of cash for new equipment
Many IT managers interested in router-based VPNs start with there existing router to prove the concept And as they try pilot project they get a feel for the performance under their user's loads. This will help determine if the existing router is sufficient In some cases it will be. In the others, the IT manager may need to increase the performance of the router.
SOFTWARE - BASED VPNs
Another way to deploy a VPN install is to a straight software-based VPN. Operating system suppliers and several third party vendors offer VPNs applications that perform the encryption, tunneling and authentication services required to page link users over a VPN.
Although this is a similar approach to using a router - based VPN, one advantage to a software based VPN is that it allows an IT manager to use existing equipment. This software is installed on an existing server. This means the network configuration remains intact and the same management skills and tools can be used to administer the VPN. Thus there is usually no additional training or management software required to keep the VPN connections up and running.
Another advantage to a straight software-based VPN is that the programs frequently tap existing network operating system authentication services. This can greatly simplify VPN administration by, for e.g., linking VPN access right to already defined user - access privileges.
There are, of course, a few points to consider before using a straight software-based VPN approach. As in the case of a router base VPN, performance may be an issue. Performing VPN encryption and tunneling tasks takes processing power. One problem in evaluating such a VPN approach is that there are no standard matrix of determining exactly what the processing load would be on a server.
The factors that determine the load include the number of simultaneous VPN sessions that need to be supported, the level of encryption of each session, the typing of tunneling used that the rate at which data in being passed over the VPN.
Obviously, connecting hundreds of branch offices with TI lines to a central sight would require much more processing power in the central site than supporting a few dozen telecommuters dialing in to their service providers over analog phone lines.
The consequences of too heavy a load can vary greatly. An IT manager may have to limit the number of simultaneous sessions that are supported, thus living some users unable to connect.
If the VPN software is nmning on a server that supports other applications, the performance of these other applications may suffer as the VPN services take more and more CPU cycles.
In either case, an IT manager may find that a higher performance server would be required. So similar to what could happened with router-based VPNs, what may seem like an inexpensive way to establish a VPN might required the purchase of a new, high-end server.
IT managers who opt for the software-based VPN approach typically start :using an existing server to get some experience with the technology. Usually a pilot program is established and it is during the pilot that the IT manager examines the VPN performance under varies conditions. Such experience will help determine if the existing server is capable of supporting a more expensive deployment.
FIREWALL-BASED VPNs
Many corporation center their Internet securities activities on firewalls, which are used to keep hackers out Some companies even check for computer viruses and malicious codes at this point in their networks.
For some IT managers, adding the security services of a VPN only makes sense at their firewall. As a result many fire vendors now support VPN services within their fire walls. Most often the VPN services are supported in software.
This makes its easy for and it manager to get started using a VPN. The IT manager simply has to install some new add-on package for the particular firewall. In some cases, the manager can pay an additional fee to have the VPN services supported in the firewall's operating software turned on. Again, the advantage is that the existing network remains the same, so there is no additional equipment to manage. Training is kept to minimum because a VPN services are often managed by the same user interfaces that is used to manage the firewall.
On the other hand, VPN function such as encryption and tunneling are handled by software. Again performance may be an issue as in the router- and server based VPN approaches. Essentially these tasks may take more processing power than the firewall has to offer.
If performance becomes an issue, the IT manager may find that a higher performance firewall is required. Once more, what irntially looked in the low cost
software upgrade to support the cooperate VPN can tern in to a new equipment purchase.
Similar to the two approaches, IT managers will have to determined for themselves whether performance will be an issue for their particular situation. It may be that the existing can usually number of simultaneous session at ever of encryption is required by the IT manager, and at the data rates offered at the particular site.
WHICH IS BEST
For an IT manager, choice of which device to add VPN services to will probably be determined by a couple of basic factors.
The choice of platform might come down to performance. Once an IT manager tries implementing a VPN on one platform, it may be determined that the devise simply cannot handle the loads anticipated for a full VPN development. The IT manager then have to decide if it is more economical to stick with the specific platform type and by a higher-end version, or if it might be better to select a different platform all together.
Unfortunately there is little help in determining before hand what the performance actually be. Some IT manager say the choice of a platform will come down to their corporate network networking philosophy. If a company does not use firewalls, its not likely they will be one just for VPN services. Similarly, if a company has a bridged networking environment big services in most offices, buying a router just for its VPN capability would probably the out of the question.
Conversely, if a company has a huge investment in WAN routes or firewalls and a vendor offers a software upgrade that will add a VPN services, that mightily the deciding factor when selecting a platform.
Managers might also necessary also Desiree to leave their current networking geat unchanged and add on this service by installing a dedicated device that handles
VPNs. And as if those where in enough options for deploying VPNs. Some IT managers and companies may find they have no choice at all when it comes to a VPN platform.
It might be that a service provider simply offers a managed VPN service that includes all of the hardware and VPN software.
F SECURE ARCHTECTURE
Fsecure encrypts TCP/TP packets on the fly for transport over the Internet or an intranet. It works with an any installed base of routers an firewalls. It also furnishers the most powerful encryption available, including triple DES (Data Encryption standard) and Blow - fish...Further, Fsecure compresses data, authenticates other encryption servers, and performs distribute key management.
FSecure VPN is normally placed behind both the corporate firewall and the router (other configuration are also possible). The package includes UNIX and the encryption engine that easy to install in Pentium PC. After some initial key exchange sand authentication between FSecure servers at other sites, the net manager simply removes the keyboard and the machine becomes a security server. Routers must then be configured to forward all TCP/IP packets destined for encryption to the FSecure server while all packets traveling to unsecured sites and routed normally. Net managers must also configure one port on their firewall to let encrypted traffic reach the FSecure server without filtering it.
When it receives packets, FSecure VPN compress and encrypts both the TCP header and the payload. It then encapsulates it in a second packet for tunneling to an FSecure unit at another site. The software at the distention site decrypts the packets and to the retrieves the original header before forwarding it on to the LAN. By compressing and encrypting simultaneously FSecure makes the session even harder to crack and also helps save on valuable Internet band with.
FSecure VPN uses a protocol called Secure Shell (SSH) that has a emerged as a de facto standard for secure Internet communications. The protocol has been used, tested and proved reliable by such security - conscious organization as NASA (Washington, D.C.), as well as several U.S. banks. The standard being developed by IP Security Group (IPSec) of the IETF (Internet Engineer's Task Force) will also be implemented as they become approved.
SECURITY
Several firewall providers include virtual private network as a security feature, a firewall, which can be software for a host system or a router, or combination of software and hardware devices, checks, limits and logs network access. For additional security, firewall can encrypt data at a side before shipping it out over the Internet. The receiving site, which must have a matching encryption scheme, can decrypt the data.
Pilot network Inc is unveiling a virtual; private network service this week that improve security by continually accessing information it collects from potential attack on the network.
Every time someone tries to break in to a network that uses the service, the incident is added to a database, which can analyze the information. The more client and the more attempted break - ins on the network, the better the Pilot service is says Pilot CEO and founder Marketta Silvera.
CryptoCom VPNS is said to provide some of the strongest encryption algorithms available-dual-key, triple DES, 128-bit IDEA, and 56 bit DES integrated with two factor user authentication, packet authentication, automatic short-term key expiration and renewal, and renewal network compartmentalization.
CryptoCom helps insure that users are properly authenticated and packet integrity is maintained. CryptoCom VPN is designed to be easy to use and administer by providing transparent operation to all end users the CryptoCom VPN Gateway hardware and CryptoCom VPN Client software are compatible with existing firewalls routers, network architectures and protocol and do not require network device reconfiguration.
Centralized administration provide network managers with tool for configuration as well as ability to disable and account if an end user device has been compromised. CryptoCom's two-factor user authentication process eliminates the need for authentication product such as key = generating cards and public certificate authorities, which most VPN require to be secure.
According to the companies, CryptoCom VPN does not degrade network performance. As a dedicated VPN hardware server, the CryptoCom VPN Gateway assure high traffic flows while eliminating the need to burden the processing power and throughput of existing firewalls or routers. The client software supports Windows NT, and 95 with major protocols, including IP, IPX, Net BIOS, NetBEUi, or even SNA over major type of network connection (dial -up frame relay, ISDN, X.25 Ethernet, and token ring). The gateway hardware supports most LAN and WAN. Interface.
ENCRYPTION:
Ensuring the privacy of message encryption can be offered in two different forms, private keys and Public keys. Private or symmetric key encryption is based on a key (or algorithm) being shared between two parties. The same key both encrypts and decrypts messages. Kerbores and Data encryption standard (DES) are traditional private-key technologies. A private key mechanism is proven relatively simple method of encryption. The main problem is in sharing the keys: How can key that is used to security be transmitted over an unsecured network the difficulties involved with generating, storing and generating, storing keys (called key management) can limit private key systems, especially over the Internet.
In 1976, two computer scientists, Whitfield Diffie and Martin Hellman, developed a theory of public-key encryption which offered a solution to the problem of how to transfer the private key. Latter, RSA Data Security, Inc. created an algorithm to make public-key Cryptography commercially viable. As illustrated a public-key solution such as Entrust TM from Entrust Technologies, there are two keys - a private key and Public key which is made publicly available. In addition, a one-time symmetric key is generated for each transaction. To send a message, the sender, Alicia, first encrypts it by using the one-time symmetric key. This key is then encrypted, using the Public key of the recipient, Alex. Keep in mind that anything encrypted with a Public key can only be decrypted with the recipient's private key. This means that the symmetric key (and therefore the message that it has encrypted) is now secure for transmission over the Internet or an intranet. When the message arrives, Alex decrypts one time symmetric key using his own private key. Then, using the symmetric key, he decrypts the message.
The main advantage offered by public-key technology is increased security. Although slower than some private - key systems, public - key encryption generally is more suitable for intranets for three reasons: 1) it is more scalable to very large systems with tens of millions of users, 2) it has more flexible means authentication, and 3) it can support digital signatures. Public - key technology also enables non-repudiation enforcement to verify the transmission or receipt of a given transaction.
A VPN is a network tunnel created for encrypted data transmission between two or more authenticated parries. This ensures the data privacy, integrity, authenticity. At its foundation, a secure VPN solution is complete only if the design architecture integrates.
Confidentially authentication automated key management Firewalling tunneling routing remote access remote management and EP Sec Standards.
CONFIDENTIALITY:
Encryption is used to provide confidentiality and data integrity within a networked environment Confidentiality ensures that no one can view the data while it is being transmitted, and data integrity ensures that no one can modify the data undetected. Encryption plays an integral roll in a secure VPN solution, and as such, a solution should include multi encryption algorithms, This will allow the manager to apply the appropriate algorithm depending up on the length of key required (ie : the level of security required).
Over the past several years, a number of studies have been initiated to determine the minimum key length that is required to secure critical information. Resent studies performed by independent scientist conclude that minimum key lengths should be no less than 90-bits. When choosing a secure VPN solution, ensure that it uses a proven encryption method, and that the algorithm supports key lengths longer than the recommended minimum bit length. Processing power is rapidly increasing and the longevity of a secure VPN solution can be shortened if its encryption algorithms are week or the key lengths are too short
PUBLIC KEY AND SECRET KEY CRYPTOSYSTEMS;
There are two major types of Cryptosystems in use today: Public key and Secret key and Cryptosystems. Secret key Cryptosystems, such as DES or Triple Pass DES, use the same key to encrypt and decrypt data and tend to be fast and efficient However, because they use is same key to encrypt and decrypt data, they suffer from a key distribution problem; how to get the Secret key to the other side without any one else intercepting the key. Public key Cryptosystems, such as RSA, use two keys, one to encrypt data and a different key to decrepit data. As such, the problems surrounding key distribution are solved since the encryption (Public key) can be freely distributed knowing that the receiver of the message is the only person who will be able to decrypt message as long as the description keys (private key) is kept secret. However, public key Cryptosystems tend to be solver than Secret key Cryptosystems of comparable strength. Therefore, a good VBN solution will use Public key technology for key distribution and Secret key technology to allow fast and efficient encrypted transfers.
AUTHENTICATION:
The ability to authenticate encryption device and users is a vital aspect of a secure VPN solution, password protection is easily broken and inherently insecure. X. 509 Digital Certificates are the defecate standard for authentication, because they provide stronger authentication over password based solution. In addition, since X. 509 Certification is independent of a central database, then-schema is more reliable and provides enhanced performance. By verifying the digital signature of the Certification authority, any user or network device can easily authenticate the other end of a communication channel before initiating communication with that specific use or device. A secure VPN solution that fully integrates X, 509 Certificates is beneficial because it follows industry standards and will provide an enhanced security over password - only solution.
AUTOMATED KEY MANAGEMENT:
Automated Key Management is an important component of a secure VPN. Automated Key Management defines Crypto periods for session keys as well as digital certificate. Many VPN solutions require administrators to manually enter keys on each device situated on the WAN. This solution is an extremely shortsighted approach and will become unmanageable as the business grows and the number of network devises increase imaging trying to manually changed key on 100 or 1000 devices everyday! It is also relatively insecure because humans tend to generate more predictable keys than what is produced through automation. It is vital for a secure VPN solution to include server - based key generation management, the random number generated that does not reveal keys and a secure operating platform that cannot be modified. The ability to Cryptoperiods is also important to ensure that keys are automatically recycled at set time intervals. This
will greatly inhibit any adversary's ability to break keys, and gain access to proprietary information.
FIRE WALLING:
Fire walls are designed to product Internal network from outside attack and to provide access control to the Internet for all users within your internal architecture. It is critical for a VPN solution to include a firewall that is fully integrated and interoperable with the other components of the solution.
The main security features of a VPN are:
¢ DES and Triple PASS DES algorithm.
¢ Network layer encryption
¢ Tunneling support
¢ Firewall functionality and interoperability with installed firewall technology
¢ Multi-protocol support
¢ Automated Key Management's set Cryptoperiods - adds security against key breaking X. 509 Certificate superior security over passwords.
¢ Secure desktop - to -desktop communication.
ADVANTAGES
Where is a VPN useful
Vans offer a cost effective alternative for data communications between intra company offices (both domestic and international), inter company communications (for electronic commerce in the form of the file transfer, electronic mail, EDI, web and client server applications) and remote access for domestic and international remote users and business partners. Industry research estimate that operational cost savings of up to 60% over equivalent private networks can be realized.
Ease of use:
> Completely transparent to the end user.
> Automatic key management
> Centralized logging Firewalling, bridging and routing functionality.
> Full interoperability with existing network infrastructure and applications remote access.
> Full compatibility with Microsoft Dial-Up networking ensures Desktop Applications compatibility.
> No day-to-day management required.
Significant Cost Savings:
Studies have shown that migrating from private to virtual private networks can generate cost savings of between 20 to 45%, even for relatively small networks.
Strategic Power:
Even more important than the substantial cost savings are the strategic avenues that VPNS open for an organization, a flexible, ubiquitous communications infrastructure enables company to pursue powerful new strategic initiatives and relationships, improve communication with offices and customers, lock in vendors and partners while creating to competition, and develop and deploy new products with improved time- to time- market.
Reinvent the Business:
A flexible, ubiquitous commimications infrastructure provides the companies the opportunity to literally reinvent themselves and their relationship with customers and partners. VPNs provides the freedom and flexibility to scale a business -quickly, easily and cost-effectively.
General Capabilities:
Provide "industrial-strength" security
Accommodates dynamically changing communities of users.
Able to exchange information in various forms (web pages, files,....etc)
Accommodates different users with different browsers, applications, Operating system, etc.
Allows users to join groups or administrator to assign identities in a controlled but simple fashions.
Maintains integrity over time, regardless of administrative turn over, changes in technology or the increasing complexity of the corporate information system.
CONCLUSION
VPNs: The best of both worlds
True VPNS combines the best aspects of both private and public networks: the flexibility, scalability and cost structure of a public network with the security and performance characteristic of a private network. It is this powerful combinations that makes VPNs reliable infrastructure for even the most critical corporate data.
BIBLIOGRAPHY
1. http://ww.vpn.com
2. http://pcwebopedia.com
3. http://altavista.com
4. http://egurukul.com
