Ensuring VPN Security with IPSec/IKE/GRE

Encryption and decryption promote confidentiality by allowing two communicating parties to disguise information they share. The sender encrypts, or scrambles, data before sending it. The receiver decrypts, or unscrambles, the data after receiving it. While in transit, the encrypted information is unintelligible to an intruder.

Tamper detection ensures data integrity by permitting the recipient of data to verify that it has not been modified in transit. Any attempt to modify data or substitute a false message for a legitimate one will be detected. The sender calculates a hash value every time data is sent; the receiver recalculates it when the data arrives, and the two values are compared.

Authentication allows the recipient of data to determine its origin - that is, to confirm the sender's identity - by means of a digital signature on the message or a challenge-response exchange.

Nonrepudiation prevents the sender of information from claiming at a later date that the information was never sent.
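The tamper-detection and origin-authentication checks described above, as an added example that is not part of the manual: a sender appends a keyed hash (HMAC-SHA256) over a sequence number and payload, and the receiver recomputes and compares it, rejecting anything modified in transit or produced without the shared key. The packet layout, key and `modify_in_transit` helper are constructed for the illustration only and are not the XSR's IPSec format.

```python
import hashlib
import hmac
import struct

# Constructed pre-shared key for the demo; a real tunnel derives per-connection
# keys during IKE negotiation rather than using a fixed constant.
KEY = b"example-tunnel-key-do-not-reuse"
ICV_LEN = hashlib.sha256().digest_size  # 32-byte integrity check value


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend a 32-bit sequence number and append a keyed hash
    computed over everything that precedes it. A keyed hash is used because an
    intruder who can alter the data could also recompute an unkeyed one."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


def verify(key: bytes, packet: bytes):
    """Receiver side: recompute the keyed hash over the received bytes and
    compare it with the transmitted value. Returns (ok, seq, payload)."""
    if len(packet) < 4 + ICV_LEN:
        return False, None, None
    body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected_icv = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids revealing, via timing, how many bytes matched
    if not hmac.compare_digest(received_icv, expected_icv):
        return False, None, None
    seq = struct.unpack("!I", body[:4])[0]
    return True, seq, body[4:]


def modify_in_transit(packet: bytes, offset: int) -> bytes:
    """Constructed in-transit corruption for the demo: flip one bit."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    pkt = protect(KEY, 1, b"GET /payroll HTTP/1.1")
    print(verify(KEY, pkt))                          # (True, 1, b'GET /payroll HTTP/1.1')
    print(verify(KEY, modify_in_transit(pkt, 6)))    # (False, None, None): payload changed
    print(verify(KEY, modify_in_transit(pkt, 0)))    # (False, None, None): header changed
    print(verify(b"other-key", pkt))                 # (False, None, None): wrong key
```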

A later section of this chapter details the XSR’s security implementation.

How a Virtual Private Network Works

VPNs provide an advanced combination of tunneling, encryption, authentication and access control technologies and services to carry traffic over the Internet, a managed IP network or a provider's backbone.

Traffic reaches these backbones using any combination of access technologies, including Ethernet, T1, Frame Relay, ISDN, or simple dial access. VPNs use familiar networking technology and protocols. The client sends a stream of encrypted packets to a remote server or router, but instead of going across a dedicated line (as in the case of WANs), the packets traverse a tunnel over a shared network.

The initial idea behind using this method was for a company to reduce the recurring telecommunications charges incurred when connecting remote users and branch offices to resources at the firm's headquarters.

Using this VPN model, packets headed toward the remote network first reach a tunnel initiating device, which can be anything from an extranet router to a laptop PC with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then encrypts the packet before transmitting it to the terminator, which decrypts the packet and delivers it to the appropriate destination on the network.

The XSR provides Remote Access support for the connection of remote clients and gateways in a topology where PPTP or L2TP protocols are employed. The XSR also provides Site-to-Site tunnel support in a topology where routers occupy each end of a connection. Site-to-site tunnels, also known as peer-to-peer tunnels, employ IPSec as the main security provider.

The XSR's site-to-site connectivity allows a branch office to divest multiple private links and move traffic over a single Internet connection. Since many sites use multiple lines, this can be a very useful application, and it can be deployed without adding equipment or software.

Ensuring VPN Security with IPSec/IKE/GRE

The key word in Virtual Private Networks is private. To ensure the security of sensitive corporate data, the XSR relies chiefly on IPSec, the standard framework of security protocols. IPSec is not a single protocol but a suite of protocols providing data integrity, authentication and privacy.

14-2 Configuring the Virtual Private Network

Enterasys Networks X-Pedition™ manual: Ensuring VPN Security with IPSec/IKE/GRE; How a Virtual Private Network Works