FVL328 Cable/DSL ProSafe High-Speed VPN Firewall

Page 3

In addition, AH does not protect the data's confidentiality: if a packet is intercepted and only AH is used, the message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH and ESP can be used together. In the following table, IP HDR represents the IP header and includes both source and destination IP addresses.

14. What is Encapsulating Security Payload (ESP)?

ESP provides authentication, integrity, and confidentiality, which protect against data tampering and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry-standard algorithms, such as SHA and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet, the data equivalent of a fingerprint. This fingerprint allows the device to determine whether a packet has been tampered with. Packets that fail authentication are discarded and never delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable message into an unreadable format to hide the message content; the reverse process, decryption, translates it back into a readable message. Together, encryption and decryption allow only the sender and the authorized receiver to read the data. In addition, ESP can optionally perform authentication, called ESP authentication. With ESP authentication, ESP provides authentication and integrity for the payload but not for the IP header.

The ESP header is inserted into the packet between the IP header and the rest of the packet contents. Because ESP encrypts the data, the payload itself is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication data that follows the payload.
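The following is an added illustration, not code from the FVL328 documentation or from NETGEAR: it frames an already-encrypted payload in the ESP layout described above (SPI and sequence number in the clear, trailer, then the authentication data) and shows why ESP authentication catches a modified payload but says nothing about the outer IP header. The key, SPI, payload bytes and 20-byte IP header are constructed sample values, and HMAC-SHA-256 truncated to 12 bytes is an assumed integrity algorithm; the cipher step itself is left out, so the padding and trailer appear unencrypted here, whereas in real ESP they lie inside the encrypted region.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample values (hypothetical, not from the FVL328 documentation).
AUTH_KEY = b"example-integrity-key-32-bytes!!"
ICV_LEN = 12  # truncated HMAC output, in the style of HMAC-SHA1-96

def build_esp(spi: int, seq: int, ciphertext: bytes, next_header: int) -> bytes:
    """Frame an already-encrypted payload as an ESP packet.

    Layout: SPI(4) | Seq(4) | ciphertext | padding | pad len(1) | next hdr(1) | ICV.
    The ICV covers everything from the SPI through the next-header byte, so a
    receiver can detect changes to the ESP header or payload, but the outer IP
    header is outside the authenticated region.
    """
    pad_len = (-(len(ciphertext) + 2)) % 4           # align the trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))           # monotonic padding bytes
    body = struct.pack("!II", spi, seq) + ciphertext + padding + bytes([pad_len, next_header])
    icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def verify_esp(packet: bytes) -> Optional[dict]:
    """Check the ICV, then parse the ESP fields; return None if integrity fails."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # tampered packet: discard it
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    ciphertext = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "ciphertext": ciphertext}

def esp_detects_change(ip_header: bytes, esp: bytes, offset: int) -> bool:
    """Flip one bit at `offset` in the full datagram (IP header + ESP) and report
    whether the ESP ICV check rejects it. A flip inside the IP header is not
    detected, because ESP authentication does not cover the outer IP header."""
    datagram = bytearray(ip_header + esp)
    datagram[offset] ^= 0x01
    return verify_esp(bytes(datagram[len(ip_header):])) is None

if __name__ == "__main__":
    ip_hdr = bytes(20)                               # constructed stand-in IP header
    pkt = build_esp(0x1234, 1, b"\xde\xad\xbe\xef" * 3, 4)
    print("IP header change detected:", esp_detects_change(ip_hdr, pkt, 5))   # False
    print("ESP payload change detected:", esp_detects_change(ip_hdr, pkt, 29))  # True
```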

15. What is a Security Association?

A group of security settings related to a specific VPN tunnel. A Security Association (SA) groups together all the settings needed to create a VPN tunnel. Different SAs may be created to connect branch offices, allow secure remote management, and pass otherwise unsupported traffic. Every SA requires a specified encryption method, an IPSec gateway address, and a destination network address.

16. What is PKI?

Public Key Infrastructure (PKI) is a method by which valid VPN users are authenticated through the use of certificate authorities.

17. What is a Certificate Authority (CA)?

A Certificate Authority is an organization that issues certificates and provides a mechanism for verifying their authenticity. Certificate authentication is a method whereby the computer holds a pre-assigned certificate (any X.509-based certificate, such as one from Entrust®, VeriSign®, Baltimore, etc.) that the IPSec authentication algorithm uses when generating the keys exchanged between the two VPN devices. It is generally recognized as a more secure method of authentication.

18. What is PPTP?

Point-to-Point Tunneling Protocol (PPTP) builds on the functionality of the Point-to-Point Protocol (PPP) to provide remote access that can be tunneled through the Internet to a destination site or computer. PPTP encapsulates PPP packets using the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility to carry protocols other than IP. The FVL328 supports pass-through mode for PPTP, but does not support end-point mode.