Now that you understand both IPSec and IKE, let’s look at what really happens from the client’s perspective.
An IPSec client is a software component that allows a desktop user to create an IPSec tunnel to a remote site. IPSec provides privacy, integrity, and authenticity for VPN client operations. With IPSec, no one can see what data you are sending and no one can change it.
What’s input by a remote user dialing in via the public Internet is encrypted all the way to corporate headquarters with an IPSec client to a router at the home gateway.
Here’s how it works.
First, the remote user dials into the corporate network. The client uses either an X.509 or one-time password with a AAA server to negotiate an Internet Key Exchange. Only after it’s authenticated is a secure tunnel created.
Then all data is encrypted.
IPSec is transparent tot he network infrastructure and is scalable from very small applications to very large networks. As you can see, this is an ideal way to connect remote users or telecommuters to corporate networks in a safe and secure environment.
L2TP and IPSec Are Complementary
Another thing that people often get confused about is the relationship between L2TP and IPSec. Remember that L2TP is Layer 2 Tunneling Protocol. Some people think that the two technologies are exclusive of each other. In fact, they are complementary.
So you can use both of these together. IPSec can create remote tunnels. L2TP can provide tunnel and end-to-end authentication.
So IPSec is going to maintain the encryption, but often times you want to tunnel non-IP traffic in addition to IP traffic.
L2TP can be useful for that.
Encryption: DES and 3DES
DES stands for Data Encryption Standard. It is a widely adopted standard created to protect unclassified computer data and communications. DES has been incorporated into numerous industry and international standards since its approval in the late 1970s.
DES and 3DES are strong forms of encryption that allow sensitive information to be transmitted over untrusted networks. They enable customers to utilize network layer encryption.
The encryption algorithm specified by DES is a symmetric, secret-key algorithm. Thus it uses one key to encrypt and decrypt messages, on which both the sending and receiving parties must agree before communicating. It uses a 56-bit key, which means that a user must correctly employ 56 binary numbers, or bits, to produce the key to decode information encrypted with DES.
DES is extremely secure, however, it has been cracked on several occasions by chaining hundreds of computers together at the same time; but even then, it took a very long time to break. This led to the development of Triple DES which uses a 168-bit algorithm.
Firewalls
A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted.
User Authentication
A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need, while unauthorized users are shut out of the network entirely. AAA services (that stands for authentication, authorization, and accounting) provide the foundation to authenticate users, determine access levels, and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet applications of VPNs.
VPNs and Quality of Service
So how does QoS play a role in VPNs? Well, the goal of QoS is to control the utilization of bandwidth so that you can support mission critical applications. Here’s how it works. The customer premises equipment or CPE assigns packet priority based on the network policy. Packets are marked and bandwidth is managed so that the VNP WAN links don’t choke out the important traffic.
One example of this could be an employee watching television off the Internet to his PC where the video traffic clogs a small 56K WAN line making it impossible for mission critical financial application data to pass.
With QoS, you can take advantage of the service providers differentiated services to maximize network resources and minimize congestion at peak times.
For example, e-mail traffic doesn’t care about latency, but video and mission-critical applications do. Some components of bandwidth management/QoS that apply to VPNs are as follows:
– Packet classification—assigns packet priority based on enterprise network policy
– Committed access rate (CAR)—provides policing and manages bandwidth based on applications and/or users according to enterprise network policy
– Weighted Random Early Detection (WRED)—complements TCP in predicting and managing network congestion on the VPN backbone, ensuring predictable throughput rates
These QoS features complement each other, working together in different parts of the VPN to create a comprehensive bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be effective; single point solutions cannot ensure predictable performance.