Virtual Private Network
Dlink DRO-210i User Guide 49
8 Virtual Private Network
A VPN, or virtual private network, allows multiple sites of an organization (and its clients,
suppliers, etc.) to communicate securely over the insecure Internet by encrypting all
communication between the sites.
IPSec is the Internet standard protocol for tunneling, encryption and
authentication. IPSec can be used to protect the path between a pair of security gateways
(Peer-To-Peer Mode) or between a security gateway and a host (IPSec Server Mode).
IPSec is designed to protect network traffic by addressing the following basic issues:
Access control: This controls the access of local hosts to the remote host machines.
It also involves local host access control, where the system administrators can
control which local hosts may communicate with the remote hosts through the local
IPSec gateways.
Data integrity: This makes sure that data transferred from one IPSec gateway to
another IPSec gateway is not tampered with (changed) in transit.
Authentication of IPSec peers: This ensures that an IPSec peer is communicating
with the proper remote IPSec peer, so it involves authenticating the remote IPSec
peer.
Protection against replays: An intermediate party between two communicating IPSec
peers can capture a packet, tamper with it and then send it repeatedly to either
IPSec gateway, causing a Denial-of-Service attack. IPSec has the capability to
prevent this attack.
Traffic confidentiality: This involves encrypting the data so that a third party
cannot read it.
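The replay protection described above is implemented in AH and ESP receivers with a sliding window over the packet sequence number. The following Python is an added illustration of that window, not code from this guide or from D-Link; the window size of 64 and the sequence numbers in the demo are constructed values.

```python
"""Sliding-window anti-replay check of the kind IPsec AH/ESP receivers use.

Added illustration; not code from the DRO-210i or any IPsec stack.
The window size (64) and the sample sequence numbers are constructed.
"""

WINDOW = 64  # RFC 4302/4303 require at least 32; 64 is a common choice


class AntiReplayWindow:
    """Tracks the highest authenticated sequence number seen and a bitmap
    of the WINDOW numbers just below it, so a repeated number is rejected."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (last_seq - i) was already received

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.
        Run this only after the packet's integrity check (ICV) has passed,
        otherwise a forger could move the window and drop genuine packets."""
        if seq == 0:                   # senders start at 1; 0 is never valid
            return False
        if seq > self.last_seq:        # newer than anything seen: slide window
            shift = seq - self.last_seq
            if shift >= self.window:
                self.bitmap = 1        # every older number drops out of the window
            else:
                mask = (1 << self.window) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window:        # older than the window: cannot judge, drop
            return False
        if self.bitmap & (1 << diff):  # already received: this is a replay
            return False
        self.bitmap |= 1 << diff       # late but new: accept and remember
        return True


def replay_demo(stream: list[int]) -> list[bool]:
    """Run a stream of sequence numbers through one window; return verdicts."""
    win = AntiReplayWindow()
    return [win.check(s) for s in stream]


if __name__ == "__main__":
    # Constructed capture: in order, a replayed 5, a late 3, a second copy of 3,
    # a jump to 100, then a packet far below the window.
    stream = [1, 2, 4, 5, 5, 3, 3, 100, 30]
    for seq, ok in zip(stream, replay_demo(stream)):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```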
IPSec provides its security services at the IP layer, offering protection for IP and upper
layer protocols. The security services are provided through the use of the following
protocols:
Cryptographic key management procedures and protocols, including the Internet
Security Association and Key Management Protocol (ISAKMP) and the
Internet Key Exchange protocol (IKE). In order to use IPSec, both
communicating peers need to agree on the same protocol, encryption algorithms and
keys. IKE provides the mechanism for a pair of IPSec entities to negotiate
security services and their associated session authentication and encryption keys.
Security protocols such as the Authentication Header (AH) and the
Encapsulating Security Payload (ESP). The Authentication Header (AH)
provides data origin authentication, data integrity, and replay protection. The
Encapsulating Security Payload (ESP) header has the same capabilities as AH in
addition to data confidentiality through encryption. IPSec uses AH by default. If
data confidentiality is desired, ESP can be used, which adds the
encryption feature.