14 Configuring the Virtual Private Network

VPN Overview

As it is most commonly defined, a Virtual Private Network (VPN) allows two or more private networks to be connected over a publicly accessed network. VPNs share some similarities with Wide Area Networks (WAN), but the key feature of VPNs is their use of the Internet rather than reliance on expensive, private leased lines. VPNs boast tighter security and encryption features as a private network, while taking advantage of the economies of scale and remote accessibility of large public networks.

Internet Security Issues

All communication over the Internet uses the Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol (UDP). They convey packets from one computer to another through a variety of intermediate computers and separate networks before they reach their destination.

TCP/IP’s great flexibility has led to its worldwide acceptance as the basic Internet and intranet communications protocol. But, the fact that TCP/IP allows traffic to pass through intermediate computers allows third parties to interfere with communications in the following ways:

Eavesdropping - Information remains intact, but its privacy is compromised. For example, someone could learn your credit card number, record a sensitive conversation, or intercept classified data.

Tampering - Information in transit is changed or replaced and then sent on to the recipient. For example, someone could alter an order for goods or change a person's resume.

Impersonation - Information passes to a person who poses as the intended recipient. Impersonation can take two forms:

Spoofing - A person can pretend to be someone else. For example, a person can pretend to have the email address jdoe@acme.com, or a computer can identify itself as a site called www.acme.com when it is not. This type of impersonation is known as spoofing.

Misrepresentation - A person or organization can misrepresent itself. For example, suppose the site www.acme.com pretends to be a furniture store when it is really just a site that takes credit-card payments but never sends any goods.

Normally, users of the many cooperating computers that comprise the Internet or other networks do not monitor or interfere with network traffic that continuously passes through their machines. But, sensitive personal and business communications over the Internet require precautions that address potential threats. Fortunately, a set of well-established techniques and standards aggregated under Internet Protocol Security (IPSec)/Internet Key Exchange (IKE) and the Public-Key Infrastructure protocol (PKI) make it relatively easy to take such precautions.

The combined features of the above protocols facilitate the following tasks:

XSR User’s Guide 14-1

Enterasys Networks X-Pedition™ manual: VPN Overview, Internet Security Issues