Building and Managing Virtual Private Networks
by Dave Kosiur
Wiley Computer Publishing, John Wiley & Sons, Inc.
ISBN: 0471295264   Pub Date: 09/01/98


INDEX

Page references in italic type indicate illustrations. Numbers are treated as if spelled out. Thus “T1 lines” would be found as if spelled “Tone lines,” and “L2F” and “L2TP” as if spelled LtwoF and LtwoTP respectively.

A
access concentrators, see network access servers
access control, 42, 286–288
design issues, 178–179
Ace Hardware, 326
address allocation, 292–295
address management, see IP address management
ADI, 250 table
aggressive mode, ISAKMP/Oakley, 106, 108–109
AltaVista Tunnel 98, 259, 265 table
analog phone lines, 18
ANS VPDN Services, 208, 367
AppleTalk, PPP handling, 148
application proxies, 219–220, 221
applications, 170–171
ARPANET, 7–8
Ascend Communications, Inc., 121–122, 361
ASICs, 253
Assured Digital, Inc., 361–362
asymmetric encryption, 74
asynchronous transfer mode (ATM), 20, 315
AT&T WorldNet VPN Services, 209–210, 367
authentication, 42
extranets, 330–331
and firewalls, 227
IPSec, 92–94, 96–98, 101, 113
ISPs, 199–200
L2TP, 146, 152–153, 281
PPTP, 133
types, 62
VPN hardware, 242, 246
authentication header (IPSec), 92–94, 96–98, 101, 113
authentication services, 63–72, 280–282
automatic rekeying, 180, 199, 229
Automotive Industry Action Group, 214, 328
Automotive Network Exchange (ANX), IPSec-compliance certification, 115–116, 328, 329
Aventail Corporation, 362
Axent Technologies, Inc., 362
B
bandwidth, 34, 194
design considerations, 169, 171
different applications, 170
performance issues, 304
scalability, 32
bandwidth conservation, 307
bandwidth-on-demand, 307
bandwidth over-provisioning, 307
Bay Networks, Inc., 362
BioAPI Consortium, 72
Biometric API, 71
biometric systems, 71–72
Blowfish, 81
Boardwatch Web site, 205
book resources, 345
border gateway protocol, 299
Borderguard, 259, 260, 265 table
bottlenecks, 35
brownouts, 10
business, changing environment, 4–6
C
CallID, L2TP, 149
CERT Coordination Center, 223
certificate authorities, 54, 82–83, 85–89
extranets, 331
in-house, 181–182, 282–286
ISPs as, 200
certificate revocation lists (CRLs), 88, 277, 283, 286, 340
certificates, see digital certificates
certificate servers, 284–286
challenge, token devices, 70
challenge handshake authentication protocol (CHAP), see CHAP
CHAP, 66–67
with L2TP, 146
with PPTP, 122, 124–125, 133
CheckPoint Software Technologies Ltd., 362
Chicago AADS NAP, 49
cipher, 72
cipher text, 72
ciPro-VPN, 250 table, 253
circuit proxies, 219, 220
Cisco Systems, Inc., 122, 362
CIX NAP, 49
classes, of network addresses, 53, 292, 300
classless inter-domain routing (CIDR), 291, 300
class of service (CoS), 308
IPv6 headers, 119
client-to-LAN tunneling, 41
closed user groups, 20
collision attacks, 97
.com domain names, 8
committed information rate, 22
common open policy service (COPS), 311
communication, 3
Compatible Systems, 362
compression control protocol (CCP), 133–134
compulsory tunnels
L2TP, 150–151, 154
PPTP, 128
CompuServe Authentication Service, 211
CompuServe IP Link, 210–211
CompuServe Network Services, 367
Concentric Network, 213, 367
Conclave, 259, 265 table
conditioned lines, 18
confidentiality, 42
Contivity Extranet Switch, 241, 252 table, 253, 300, 304
controlled-load service, 310
corporate networks, see private corporate networks; virtual private networks
CoS, see class of service (CoS)
cost comparisons, 26–31
cost savings, 25–26
Crypto API, 69
CryptoCard, 235
cryptographic chips/cards, 174, 240, 241
cryptography, 72. See also encryption; public-key cryptography
CSU/DSU devices, 50
costs, 26–30
ISP requirements, 198
location, 216
customer premises equipment, 33
CyberTrust, 87, 245
Cylink Corporation, 363
D
Data Fellows, Inc., 363
data integrity, 42
demilitarized zone (DMZ), 179
DEN (Directory Enabled Networks) Initiative, 317, 340–341
deployment
future directions, 335–336
IPSec, 116–118
L2TP, 162–164
planning, 184–185
PPTP, 139–142
DES (data encryption standard), 81
IPSec, 93
design
deployment planning, 184–185
ISP issues, 182–184
network issues, 174–178
requirements determination, 168–174
security issues, 178–182
Desktop Management Task Force, 341
dial-in VPNs
design considerations, 171, 175
firewalls, 225–227
future directions, 335–336
IPSec client software, 111, 114–115
management protocols, 47
PPTP deployment, 140
tunnels, 41
VPN hardware, 240–241
dial-up extranets, 330
Dial-Up Network Pack (Windows95), 124
dictionaries, 382
differentiated services, 307–312
Diffie-Hellman public-key cryptography, 77–79, 81
IPSec implementation, 93, 96–108
digital certificates, 54, 82–83, 282–283
classes, 87–88
deployment issues, 185
design issues, 180–182
distribution, 84–85
and firewalls, 227
future directions, 339–340
IPSec, 93
ISPs, 200
VPN hardware, 245–246, 247–248
VPN software, 262
digital data service (DDS), 19, 192
Digital Equipment Corporation, 363
Directory Enabled Networks (DEN) Initiative, 317, 340–341
domain name service (DNS), 36, 293–295
design issues, 177–178
internal vs. external, 295–297
domain of interpretation (DOI), IPSec, 94
DSA (digital signature algorithm), 81
DSO streams, 20
dynamic address allocation, 292–295
dynamic DNS, 290
dynamic host configuration protocol (DHCP), 290, 292–293
dynamic key management, 278
dynamic tunnels, 40, 128, 129
with RADIUS, 131–133
E
ECI Telematics, 122
electronic commerce, 4, 323
electronic data interchange (EDI), 327–328
electronic eavesdropping, 61–62
elliptic curve cryptography (ECC), 339
E-Lock, 265 table
e-mail security, 58
encapsulating security payload (ESP), 92–94, 98–101, 113
header, 99
modes, 101–103
encrypting routers, 234
encryption, 72–74. See also key management; public-key cryptography
future directions, 339–340
government restrictions, 119
Internet security, 11
IPSec, 92–94, 98–103, 113
L2TP, 153–156, 274
method selection, 79–82, 274–280
Network-layer vs. Link-layer, 59
PPTP, 124, 133–134
system comparison, 80 table
VPN hardware, 242, 243, 253
encryption algorithms
commonly used, 81
computational requirements, 35, 174, 175
and firewalls, 228–229
ISPs, 199
remote users, 176
VPN software, 262–263
Encryption Service Adapter (ESA), 236
end-to-end security, 43–44
Enterprise-Quality VPN, 213
Enterprise VPN, 213
Entrust Technologies, 181, 363
equipment requirement reduction, with VPNs, 33
Ethernet, 239
sniffing, 61
Ethernet VPN gateways, 243
ExpressRouter, 235, 236
extensible markup language (XML), 328
Extended Systems, Inc., 363
ExtendNet, 252 table
extensible authentication protocol (EAP), 125, 152
external DNS, 295–297
ExtraLink, 212–213
extranets, 12–13, 323–325
design considerations, 173–174
motivations, 325–328
VPN conversion, 328–333
F
face-to-face key exchanges, 104
failover features, 253
Firewall-1, 225, 231, 304
firewalls, 51–52, 216–217
access control and, 287–288
design issues, 174
gateways as, 242
location, 216
port numbers, 223
product overview, 230–231, 232–233 table
product requirements, 227–230
remote access, 225–227
security policies and, 217, 225
stateful multi-layer inspection, 222–223
types, 217–221
VPN application, 224–225
flattening, of business organizations, 5
flexibility, 4–5
design issues, 183
ISPs and, 200
VPN benefits, 31
Fort Knox Policy Router 5000, 250 table
Fortress Technologies, Inc., 363
frame relay networks, 20–23
costs, 25, 31
FreeGate Corporation, 363
Frontier Technologies, 363
F-Secure VPN, 265 table
FWZ, 212
G
gateways, see remote VPN gateways; security gateways; VPN gateways
Gauntlet, 231
generic routing encapsulation (GRE) protocol, 122, 126, 127
geographic scalability, 32
Gigabit Ethernet, 170, 194
global business, 5–6
GRIC Communications, 195, 367
GTE Internetworking, 211, 367
guaranteed service, 310–311
H
hardware, see VPN hardware
hardware-based encryption, 278
hash functions
IPSec, 93, 96–98
MS-CHAP, 133, 134
one-time password systems, 64
public-key cryptography, 76
header cut-and-paste attacks, 113
HMAC hash function, 93, 96–98
host-to-host VPNs, 260–261
hub-and-spoke network topology, 21
Human Authentication API, 71–72
I
IBM, 364
IBM routers, 236
IDEA (international data encryption algorithm), 81
IETF Documents
Internet Drafts, 350–357
RFCs, 345–350
IETF Working Groups, 342 table
IKE, 103–111, 158, 242. See also ISAKMP/Oakley
unproven nature of, 119
incident logging
VPN hardware, 249
VPN software, 263
Indus River Networks, Inc., 363
Infocrypt Enterprise, 250 table
InfoExpress, Inc., 364
information, 14
Information Resource Engineering, Inc., 364
information technology departments, 6
inner header, IPSec, 103
Integrated Services Architecture, 310–311
Integrated Services (INTSERV) Working Group, 309–310
integrated solutions, 37, 239–242
integrated VPN devices, 52–53, 341–342
Intel Corporation, 364
InterLock, 208
InterManage, 208
internal DNS, 295–297
internal VPNs, 336
International Computer Security Association (ICSA)
firewall certification, 223
IPSec-compliance certification, 116
Internet, 3–4
business opportunities, 11–14
capabilities-benefits mapping, 14
components, 48–51
connectivity options, 9
future directions, 336–338
governance, 6–7
growth, 7–8
infrastructure, 8, 9
map of U.S., 10
multimedia capability, 11
multiple links to, 182–183, 299–300
offerings, 9–11
reliability, 10
Web sites with information on, 358
Internet Architecture Board (IAB), 7
Internet Assigned Numbers Authority (IANA), 7
Internet control message protocol (ICMP), 318
Internet Devices, Inc., 364
Internet Drafts, 350–357
Internet Dynamics, 364
Internet Engineering Task Force (IETF), 6
documents, 345–357
working groups, 342 table
Internet key exchange (IKE), see IKE
InternetMCI VPN, 211–212
Internet network access points (NAPs), 8, 48–51, 191–192
Internet protocols, 7, 9–11. See also specific protocols
Internet Provider Performance Metrics (IPPM) working group, 204, 319
Internet Research Task Force (IRTF), 7
Internet security association and key management protocol (ISAKMP), see ISAKMP/Oakley
Internet service providers (ISPs), 8, 48, 189–190. See also Service Level Agreements
connectivity options, 198
cost, 25
design issues, 182–184
expectations of, 195–196
for extranet maintenance, 332
firewall management, 223
future trends, 213–214, 336–338
infrastructures, 196–197
network performance and management, 197–198
network service providers contrasted, 50
outsourcing to, 205–207
performance guarantees, 11, 34
performance monitoring, 203–205, 317–319
point-of-presence (POP), 23, 32, 50–51, 192–193
security, 198–201
types, 48, 190–195
Web sites with information on, 358
Internet Society (ISOC), 6
Internet VPNs, see virtual private networks
interoperability, 35–36
VPN hardware, 242
intranets, 12–13, 323–324. See also extranets
Intraport VPN Access Server, 252 table
IP addresses, 43, 53
IP address management, 36, 289–290
address allocation, 290–297
IPv6, 289, 300–302
network address translation, 177–178, 297–299
iPass Inc., 195, 367
IP authentication header (IPSec), 92–94, 96–98, 101, 113
IP Link, 210
IP multicasting, 307–308
IPv6 built-in support, 301
tunnels, 40
IP packets
IPSec handling, 92, 93
L2TP handling, 148
PPTP handling, 124
IPSec, 45, 47
access control, 54
advantages, 91–92
architecture, 92–94
authentication header, 92–94, 96–98, 101, 113
components, 95–103
deployment, 116–118
encapsulating security payload, 92–94, 98–103, 113
encryption, 274–275
extranet application, 331
features, 46 table
firewalls, 225, 226, 228–230
future directions, 337–339
hardware compliance, 242
interoperability, 35
IPv6 built-in support, 301
ISAKMP/Oakley, 106–111
key management, 103–106
with PPTP, 153–155, 160
PPTP architecture contrasted, 136
problems with, 118–119
products, 115 table
relative emphasis, 242
router support, 234–236
security associations, 94–96, 110–111, 113
SKIP key exchange, 104–106
using, 111–118
VPN hardware, 242, 249
IPSec client software, 111, 114–115
IPSec security gateways, 111–112
IP Security Working Group, 92, 115
IP switches, 50
IP telephony, 169, 171
IPv4
address space inadequacy, 43, 177, 289, 292, 300
authentication header, 98
IPSec, 114
packet headers, 92, 93
IPv6
authentication header, 98
IP address management, 289, 300–302
IPSec, 114
packet headers, 92, 93
IPX, 36
L2TP handling, 146, 148
PPTP handling, 122, 124
ISAKMP/Oakley, 45, 47. See also IKE
aggressive mode, 106, 108–109
IPSec application, 106–111
main mode, 106, 107–108
quick mode, 106, 109–110
ISAKMP SA, 106
ISDN lines, 32
J
jitter, 194, 304
K
key lengths, 275–276
key management, 273
design issues, 180–182
gateways, 276–279
IPSec, 103–106
L2TP, 157–159
PPTP, 134
session key handling, 278–279
users, 279–280
VPN hardware, 242, 245–246, 248–249, 253
key recovery system, 182
keys, 72–74
L
LDAP, 86, 228, 248, 285–286, 339–340
LanRover VPN, 250 table, 253
LAN-to-LAN tunneling, 41
L2TP, 156–157
PPTP, 134–135
LAN-to-LAN VPNs
design considerations, 169–171, 175
future directions, 338
IPSec security gateways, 111–112
management, 340
management protocols, 47
PPTP deployment, 141
VPN hardware, 240–241
laptop theft, 280
latency, 194, 304
different applications, 170
Layer2 forwarding protocol (L2F), see L2F
Layer2 protocols, 44–45. See also L2F; L2TP; PPTP
Layer3 protocols, 45. See also IPSec
Layer2 tunneling protocol (L2TP), see L2TP
leased Internet lines, 25
leased phone lines, 4, 17–23
star topology, 21
legacy integration, 33, 34
lightweight directory access protocol (LDAP), 86, 228, 248, 285–286, 339–340
link control protocols (LCPs), 124
The List (of ISPs), 205
local exchange carriers, 25
long distance charge elimination, 25–26
L2F, 44–45, 121–122, 145
features, 46 table
L2TP, 45, 47, 145
applicability, 164–165
architecture, 146–147
authentication, 146, 152–153, 281
deployment, 162–164
encryption, 153–156, 274
features, 46 table
firewalls, 230
future directions, 337–339
hardware focus, 242
key management, 157–159
LAN-to-LAN tunneling, 156–157
multiprotocol support, 36–37
non-IP networks, 155, 157, 164
PPP, 146–149
products, 163 table
relative emphasis, 242
tunnels, 150–152
using, 164–165
L2TP access concentrators, 149, 152, 161–162
L2TP network servers, 149, 160–161
M
Macintosh, PPTP clients, 138
MAE East NAP, 49
MAE West NAP, 49
main mode, ISAKMP/Oakley, 106, 107–108
manageability, 33–34
managed access, 207
management protocols, 47–48
man-in-the-middle attack, 62–63
manual keying, 103, 105
MCI Internet backbone, 8
MD5 hash function, IPSec, 93, 97
MD4 hash function, MS-CHAP, 133, 134
message digest, 76
Microsoft Corporation, 364
L2TP support, 147
PPTP support, 122–124
Microsoft Point-to-Point encryption (MPPE), 123, 133–134
Milkyway Networks Corporation, 364
mobile IP, 40
mobile users. See also dial-in VPNs; remote users
address allocation, 290
client-to-LAN tunnels, 41
design considerations, 169
security, 35
modem banks, 4, 50, 131
modems, 18, 32
modular construction, 34
MS-CHAP, 133–134, 135, 138
multimedia, 11, 194
design considerations, 169, 171
performance requirements, 305–307
multiplatform issues, 176
multiprotocol label switching (MPLS), 313, 337
multiprotocol support, 36–37
Multiservices Internet Gateway, 250 table
N
NetBEUI
L2TP handling, 146, 148
PPTP handling, 122, 124
Netcom, 213, 367
NETCOMplete for Business service, 213
NetFortress VPN, 250 table
NetScreen, 250 table, 365
NetWare, 119, 247
network access points (NAPs), 8, 48–51, 191–192
network access servers, 175–176
L2TP, 160–161
PPTP, 130, 136, 138–139
network address translation, 177–178, 297–299
network control protocols (NCPs), 124
network file system (NFS) protocol, 218
network interface card, 61
networkMCI, 367
network operating systems (NOS), VPN support, 216, 259–260
network operations center, 198
networks
design issues, 174–178
performance, 304–307
performance management (ISPs), 197–198
security threats, 59–63
network service providers (NSPs), 50
Network Solutions, Inc., 6–7
Network Wizards survey, 8
new group mode, ISAKMP/Oakley, 106
node-to-node security, 43–44
nonrepudiation, 74
Nortel, 87
Novell, Inc., 365
O
Oakley protocol, 105
modes, 106–110
Omniguard/Power VPN, 265 table
one-armed VPN gateway configuration, 245
one-time password systems, 63–65
one-way hash functions, 76
online catalogs, 327
online certificate status protocol (OCSP), 278, 284, 340
outer header, IPSec, 103
outsourcing, 26, 32, 205–207
over-provisioning, of bandwidth, 307
P
PAC Bell NAP, 49
packet filters, 217–218
PAP, 65
with L2TP, 146
with PPTP, 122, 124–125, 133
password authentication protocol (PAP), see PAP
passwords, 63–65
remote users, 178
PC cards, 69–70
peering points, 192
perfect forward secrecy, 79
performance, 33, 34, 36
design issues, 183–184
factors influencing, 312–314
firewall effects, 231
ISP monitoring, 203–205
performance guarantees, 11, 34. See also service level agreements
performance management, 303–304
differentiated services, 307–312
ISP performance monitoring, 314–317
networks, 305–307
policy-based management, 314–317
permanent tunnels, 40
permanent virtual connections, 22
PERMIT security gateway, 225, 251 table
PGP (Pretty Good Privacy), 58, 331
Pilot Network Services, 213
pipes, tunnels, 40
PIX, 224–225
PN7, 251 table
point-of-presence (POP), 23, 32, 50–51, 192–193
point-to-point protocol (PPP), see PPP
point-to-point tunneling protocol (PPTP), see PPTP
policy-based management, 228, 314–317
VPN hardware for, 248, 254–255
port numbers, 223
Postal Service, 88
PPP
with L2TP, 146–149
with PPTP, 122–127
PPPEXT Working Group, 164
PPTP, 45. See also RADIUS
access control, 54
applicability, 142–143
architecture, 122–124
authentication, 133, 281
deployment, 139–142
encryption, 124, 133–134, 274
features, 46 table
firewalls, 230
future directions, 337–339
hardware focus, 242
IPSec architecture contrasted, 136
LAN-to-LAN tunneling, 134–135
multiprotocol support, 36–37
network access servers, 130, 136, 138–139
popularity, 121–122
PPP, 122–127
products, 140 table
RADIUS with, 124, 130–133
relative emphasis, 242
tunnels, 127–130, 134–135
using, 135–142
Windows-friendly nature, 123
PPTP client software, 136, 137–138
PPTP filtering, 137
PPTP Forum, 122
PPTP servers, 136–137
Pretty Good Privacy (PGP), 58, 331
private addresses, 297
private corporate networks, 12–13, 17. See also extranets; intranets; virtual private networks
evolution, 18–23
Internet application, 23–24
private key, 74–76
PrivateWire, 265 table
promiscuous mode network operation, 61
proxy agents, 219
proxy servers, 131, 132, 219
PSInet network, 8
public-key certificates, see digital certificates
public-key cryptography, 74–76. See also key management
Diffie-Hellman technique, 77–79, 81, 93, 106–108
IPSec, 93, 106–108
method selection, 79–82
RSA technique, 79, 81
public key infrastructures (PKIs), 82–89
public keys, 74–76
distribution, 84–85
generation, 84
public switched telephone networks, 18
Q
quality of service (QoS), 184, 310
ATM networks, 315
IPv6 built-in support, 301
ISPs, 197, 213–214
market for, 342
multimedia, 194, 306
routers, 236
VPN integration, 255
quick mode, ISAKMP/Oakley, 106, 109–110
R
RADGUARD, 365
RADIUS, 47–48, 246
authentication, 281–283
compulsory tunnels, 130
defined, 68–69
extranet application, 331
RADIUS authentication servers, 50
with L2TP, 151–152
with PPTP, 124, 130–133
Raptor Systems, Inc., 365
Ravlin, 251 table
RC2, 81
RC4, 81
realm, 129
realm-based tunneling, 130
real-time applications, 36
design considerations, 169, 171
performance requirements, 305–307
RedCreek Communications, Inc., 365
reliability, 33, 34, 36
design issues, 183
multiple Internet links, 299–300
remote access servers, see network access servers
remote authentication dial-in user service (RADIUS), see RADIUS
remote users. See also dial-in VPNs; mobile users
design issues, 175–176
firewalls, 225–227
IPSec, 111, 113–116
multinational, 182–183
password policies, 178
remote VPN gateways, 241, 246
product overview, 249, 250–252 table, 253–255
replay attacks, 229
requirements determination, 168–174
resource reservation protocol (RSVP), 213–214, 311
RFCs, 345–350
Riverworks, 252 table
roaming service, 130, 183, 195
root certificate, 285
root public keys, 85
routers, 50, 51, 234
costs, 26–30
design issues, 174
IP addresses and, 53
ISP requirements, 198
location, 216
product overview, 235 table, 236–237
product requirements, 234–235
traffic prioritization, 308
Routing and Remote Access Server (RRAS), 133–135, 137, 139, 259
features, 265 table
packet filtering with, 230
RSA chips, 253–254
RSA public-key cryptography, 79, 81
S
SafeNet/LAN, 251 table
scalability, 31–32, 33–34
secret-key encryption, 73, 74
Secure Computing Corporation, 363
secure HTTP (SHTTP), 58
secure MIME (S/MIME), 58
Secure Road Warrior service, 213
secure sockets layer (SSL), 58, 181
SecureVision, 251 table
SecurID, 227, 235
security, 35, 57–58. See also authentication; certificate authorities; digital certificates; encryption; key management
authentication services, 63–72, 280–282
deployment, 184–188
design issues, 178–182
encryption method selection, 79–82, 274–280
future directions, 339–340
in-house certificate authorities, 181–182, 282–286
integrated solutions, 241–247
Internet, 11
ISPs, 198–201
secure system components, 272
Web sites, 358
security associations
L2TP, 157–159
negotiating, 110–111
PPTP, 94–96
wild card, 112–113
security audit, 184
Security Dynamics Technologies, Inc., 365
security gateways, 40–41, 51–54
centralized configuration, 185
IPSec, 111–112
key management, 276–279
VPN hardware, 240, 247
security parameters index (SPI), 96, 99, 155, 279
security policies, 272–273
consistency across sites, 246
extranets, 330–331
firewalls and, 217, 225
security protocols, 44–47, 46 table. See also IPSec
non-interoperability, 35
security services, 41–44
security threats, 59–63
seed, one-time passwords, 64
servers, 50
Service Level Agreements, 34, 183, 201–203
performance monitoring, 203–205, 314–318
session hijacking, 60–61
session key handling, 278–279
SHA-1 hash function, 93, 97–98
Shiva Corporation, 365
simple key management for IP (SKIP), 104–106
Site Patrol, 211
Site Security Handbook, 178
S/Key, 64–65
Skipjack, 81
SKIP key exchange, 104–106
smart cards, 69–70, 339–340
SmartGate, 265 table
sniffers, 61
sniffing, 61–62
SNMP agents, 318
SOCKS proxy, 221
SOCKS v5, 47
features, 46 table
software, see VPN software
Speaker Verification API, 72
spoofing, 59–60
Sprint, 8
Sprint NAP, 49
standards, 33
future directions, 338–339
star network topology, 21
stateful multi-layer inspection (SMLI), firewalls, 222–223
static address allocation, 292–295
static resource allocation, 308–309
static tunnels, 40, 128–130
Stentor Alliance, 130
Storage Technology Corporation, 366
strong authentication, 62, 63
supply chain management, 326, 327
SureRemote, 208
S/WAN Initiative, 105, 114
symmetric encryption, 73, 74
T
TACACS, 67–68
TACACS+, 68
authentication, 281
TCG CERFnet, 213, 367
TCP/IP, 7
extranets, 323, 325
intranets, 12–13
security and, 58
teams, 5
tech support reduction, 32
temporary tunnels, 40
terminal access controller access-control system (TACACS), 67–68, 281
theft, 280
3Com Corporation, 122, 361
Tier One Internet providers, 48–49, 190–192
Tier Two Internet providers, 49, 192
TimeStep Corporation, 366
token-based authentication, 70–71, 282
deployment issues, 185
T1 lines, 19–20, 31
bandwidth scalability and, 32
costs, 25, 26–30
traffic prioritization, 308
transmission control protocol/Internet protocol, see TCP/IP
transparent key distribution, 85
transport mode ESP, 101–103
triple DES, 81
Trusted Information Systems, 366
trusted third-parties, 181, 282
T3 lines, 31
bandwidth scalability and, 32
costs, 25
TunnelBuilder, 251 table
tunneling protocols, 44–47. See also L2F; L2TP; PPTP
feature comparison, 46 table
non-interoperability, 35
tunneling software, 258–259
tunnel mode ESP, 101–103
tunnels, 24, 40–41. See also IP address management
L2TP, 150–152
PPTP, 127–130, 134–135
remote users and, 176
VPN hardware, 242–245, 253, 254
tunnel switches, 137, 138
turnkey solutions, 240, 241
U
UAC, 366
unified name space, 177
universal mailbox, 336
US Robotics, 122
UUNET Extralink, 8, 212, 367
V
value added network (VAN), 327
VeriSign, 87, 181, 245
videoconferencing, 169, 171
virtual circuits, 18, 24
Virtual Private Data Network (VPDN) services, 208–209
virtual private networks (VPNs). See also authentication; dial-in VPNs; encryption; Internet; key management; LAN-to-LAN VPNs; tunnels
architecture, 39–44
benefits, 24–33
commercial providers, 24–33, 208–213
components, 48–51
concerns, 33–37
cost comparisons, 26–31
cost savings, 25–26
defined, 17–18, 19
design, see design
future directions, 335–342
Internet application, 23–24
outsourcing, 26, 32, 205–207
product trends, 341–342
resources, 345–359
vendors and products, 361–366
voluntary tunnels
L2TP, 150–151, 154
PPTP, 128
V-ONE Corporation, 366
VPNet Technologies, Inc., 118, 366
VPN gateways, 240–241
access control and, 287–288
configurations, 242–247
VPN hardware, 52–53, 215–216
configurations, 242–247
integrated solutions, 239–242
product overview, 249, 250–252 table, 253–255
product requirements, 247–249
types, 240–241
VPN software, 53–54, 215–216
product overview, 263–266, 265 table
product requirements, 261–263
types, 258–261
VSU-1000/1010, 251 table
VTPC/Secure, 265 table
W
WAN-capable VPN gateways, 242–243
WANs, 19
equipment reduction from VPNs, 33
VPN hardware, 240, 242–243
Watchguard Technologies, Inc., 366
weak authentication, 62
Web, see World Wide Web
weighted fair queueing (WFQ), 308
wide area networks (WANs), see WANs
wild card security associations, 112–113
Windows environments
L2TP for, 123–124
PPTP for, 147
Windows NT servers, cost effectiveness, 30
Worldcom, 8
WorldNet VPN Services, 209–210, 367
World Wide Web, 4. See also Internet
and extranets, 323, 326
offerings, 10
security, 58
site hosting, 49
VPN-related information sites, 358–359
Web-based EDI, 327–328
World Wide Web Consortium (W3C), 6, 328
X
X.500 directories, 228, 248, 285, 339
X.25 networks, 20
X.509 standard, 83, 331, 355
