Chapter 14: Virtual Private Networks—VPN LANCOM Reference Manual LCOS 3.50
All of these layer-2 protocols only support end-to-end connections; they are
therefore not suitable for coupling entire networks.
On the other hand, these mechanisms do not require any changes to the
network devices or access software. And unlike protocols at lower network
layers, they remain effective once the data has already arrived inside the
computer, where protection at the lower layers has ended.
Combinations are possible
All of the alternatives listed above are compatible with IPSec and can therefore
be used in parallel with it, which allows the security level to be raised
further. It would be possible, for example, to dial into the Internet over an
L2TP connection, set up an IPSec tunnel to a Web server and exchange the HTTP
data between the Web server and the browser over SSL.
Each additional layer of encryption reduces the data throughput, however. Users
can decide case by case whether the security offered by IPSec alone is
sufficient; a higher level of security is only rarely necessary, particularly
since the degree of security can be adjusted within IPSec itself.
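The throughput cost of stacking L2TP, IPSec and SSL as in the example above has a fixed part that can be worked out per packet: every layer adds headers, and the two CBC-mode layers add padding, so the usable payload per 1500-byte dial-up packet shrinks. The following is an added illustration, not code from the LANCOM manual. The fixed header sizes come from the protocol formats (IPv4 20, UDP 8, ESP SPI plus sequence number 8, ESP trailer 2, TLS record header 5); the cipher and MAC sizes (AES-CBC, HMAC-SHA1-96 in ESP, HMAC-SHA1 in a TLS 1.0-style record) and the L2TP/PPP header sizes are assumed typical values and are marked as such in the code.

```python
"""Added illustration: per-packet overhead of stacking L2TP, IPsec ESP and SSL/TLS.

Not code from the LANCOM manual. Fixed header sizes follow the protocol formats;
the values marked as assumptions are typical choices, not taken from the manual.
"""

IPV4 = 20
TCP = 20            # TCP header without options
UDP = 8
ESP_HDR = 8         # SPI (4) + sequence number (4), RFC 2406
ESP_TRAILER = 2     # pad length (1) + next header (1)
TLS_RECORD_HDR = 5  # content type (1) + version (2) + length (2), RFC 2246

# Assumptions (typical values, not stated by the manual):
L2TP_HDR = 6        # flags/version, tunnel ID, session ID; no optional fields
PPP_HDR = 4         # address/control (2) + protocol (2), no field compression
BLOCK = 16          # AES-CBC block size, also the ESP IV length
ESP_ICV = 12        # HMAC-SHA1-96 truncated integrity check value
TLS_MAC = 20        # HMAC-SHA1 record MAC


def _cbc_pad(length: int, block: int = BLOCK) -> int:
    """Bytes of padding that bring `length` up to a multiple of `block`."""
    return (-length) % block


def tls_record_size(app_bytes: int) -> int:
    """Wire size of one TLS 1.0 CBC record carrying app_bytes of HTTP data.
    Padding covers plaintext + MAC + the pad-length byte (RFC 2246 6.2.3.2)."""
    body = app_bytes + TLS_MAC + 1
    return TLS_RECORD_HDR + body + _cbc_pad(body)


def esp_tunnel_size(inner_ip_bytes: int) -> int:
    """Wire size of one ESP tunnel-mode packet wrapping a complete inner IP
    packet. Padding aligns payload + trailer to the cipher block; the IV is a
    whole block of its own and needs no padding."""
    body = inner_ip_bytes + ESP_TRAILER
    return IPV4 + ESP_HDR + BLOCK + body + _cbc_pad(body) + ESP_ICV


def l2tp_size(ip_bytes: int) -> int:
    """Wire size of an IP packet carried as a PPP frame inside L2TP over UDP/IP."""
    return IPV4 + UDP + L2TP_HDR + PPP_HDR + ip_bytes


def stacked_size(app_bytes: int) -> dict:
    """Sizes at each stage of the manual's L2TP -> IPSec -> SSL example and the
    resulting goodput (HTTP bytes per byte on the dial-up link)."""
    tls = tls_record_size(app_bytes)
    inner_ip = IPV4 + TCP + tls          # the browser's TCP/IP packet
    esp = esp_tunnel_size(inner_ip)      # IPSec tunnel to the Web server
    outer = l2tp_size(esp)               # L2TP dial-in carrying the ESP packet
    return {"tls_record": tls, "inner_ip": inner_ip, "esp": esp,
            "l2tp": outer, "goodput": app_bytes / outer}


def max_app_bytes(mtu: int = 1500) -> int:
    """Largest HTTP payload per record that still fits the link MTU without
    fragmenting the outer L2TP packet; the basis for MSS clamping."""
    n = mtu
    while stacked_size(n)["l2tp"] > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for n in (100, 1000, max_app_bytes()):
        s = stacked_size(n)
        print(f"{n:5d} HTTP bytes -> {s['l2tp']:5d} bytes on the wire, "
              f"goodput {s['goodput']:.2f}")
```

The fixed overhead is modest for full-size packets but dominates for small ones, and the MTU result is what you would clamp the TCP MSS to on the dial-in side. The CPU cost of encrypting three times, which is the other part of the throughput loss the manual refers to, is not captured by this per-packet arithmetic.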
14.8 The standards behind IPSec
IPSec is based on a variety of protocols for the individual functions. These
protocols build on and complement one another. The modularity achieved with
this concept is an important advantage of IPSec over other standards: IPSec is
not restricted to specific protocols but can be supplemented at any time by
future developments. The protocols integrated to date already offer such a high
degree of flexibility that IPSec can be adapted to virtually any requirement.
14.8.1 IPSec modules and their tasks
IPSec has to perform a number of tasks. One or more protocols have been
defined for each of these tasks:
Authentication of packets (Authentication Header, AH)
Encryption of packets (Encapsulating Security Payload, ESP)
Transfer and management of keys (Internet Key Exchange, IKE)
14.8.2 Security Associations – numbered tunnels
A logical connection (tunnel) between two IPSec devices is known as an SA
(Security Association). SAs are managed independently by the IPSec device.
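What a device actually stores per SA, and why a tunnel is really a pair of them, is easier to see in code. The following is an added example written for this section, not code from the LANCOM manual or LCOS. It assumes, following RFC 2401, that an SA is unidirectional, that an inbound packet selects its SA by the triple (SPI, destination address, security protocol), and that each SA carries a 32-bit sequence counter with an anti-replay window (the window logic follows RFC 2401 Appendix C). The 64-packet window, the key bytes, the addresses and the packet sequence are constructed for the demonstration.

```python
"""Added illustration of IPsec Security Associations (not LANCOM/LCOS code).

Assumptions, following RFC 2401: an SA is one-directional, so a two-way tunnel
is a pair of SAs; an inbound SA is selected by (SPI, destination, protocol);
the SA keeps the keys, a 32-bit sequence counter and an anti-replay window.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP, AH = 50, 51           # IP protocol numbers of the two IPsec protocols
SEQ_MODULUS = 1 << 32      # ESP/AH sequence numbers are 32-bit


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int                  # ESP or AH
    key: bytes
    window_size: int = 64       # assumption: a typical anti-replay window
    highest_seq: int = 0        # right edge of the window
    bitmap: int = 0             # bit i set => packet highest_seq - i was seen
    seq_out: int = 0            # counter used when this SA is the outbound one

    def next_outbound_seq(self) -> int:
        """Sequence number for the next packet sent on an outbound SA. The
        counter must never wrap (old packets would replay), so the SA has to be
        replaced by a new one before 2^32 packets."""
        self.seq_out += 1
        if self.seq_out >= SEQ_MODULUS:
            raise OverflowError("sequence number exhausted; rekey the SA")
        return self.seq_out

    def accept_inbound_seq(self, seq: int) -> bool:
        """Anti-replay check (RFC 2401 Appendix C). Call only after the packet's
        integrity check has passed, because a True result records the packet.
        Returns True if `seq` is new and inside the window."""
        if seq == 0:
            return False                          # zero is never transmitted
        if seq > self.highest_seq:
            shift = seq - self.highest_seq        # slide the window to the right
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                          # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                          # already seen: replay
        self.bitmap |= 1 << offset
        return True


class SADatabase:
    """The device's table of SAs, keyed the way inbound packets select them."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup_inbound(self, spi: int, dst: str, proto: int) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, dst, proto))


def process_inbound(sad: SADatabase, dst: str, proto: int, spi: int, seq: int) -> str:
    """Outcome for one inbound ESP/AH packet: 'accept', 'no-sa' or 'reject'."""
    sa = sad.lookup_inbound(spi, dst, proto)
    if sa is None:
        return "no-sa"                            # unknown SPI/dst/proto: drop
    return "accept" if sa.accept_inbound_seq(seq) else "reject"


def demo() -> list:
    """Constructed sample: one tunnel as two SAs, then a burst with a replay."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1000, dst="192.0.2.1", proto=ESP, key=b"k" * 16))
    sad.add(SecurityAssociation(spi=0x2000, dst="198.51.100.1", proto=ESP, key=b"j" * 16))
    # Packets 1, 2, 5, 3 arrive (reordering is allowed), then 2 is replayed,
    # then 70 moves the window so far that 6 falls off its left edge.
    return [process_inbound(sad, "192.0.2.1", ESP, 0x1000, s)
            for s in (1, 2, 5, 3, 2, 70, 6)]


if __name__ == "__main__":
    print(demo())
```

Two consequences follow from this layout: the SPI alone is not enough to find an SA, so a packet carrying a valid SPI but the wrong destination or protocol is dropped without touching any key material, and the sequence window is state that cannot be shared between the two directions, which is why a tunnel is negotiated as two SAs.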
An SA consists of three values: