Table of Contents
Advertisement
Network and Security Manager Administration Guide
Protecting Data in the VPN
532
To protect traffic as it passes over the Internet, you can create a secure tunnel between
devices using a tunneling protocol. Each device in the VPN uses the tunneling protocol
to establish a secure data path, enabling traffic between the devices to flow securely
from source to destination. NSM provides two tunneling protocols, IPSec and L2TP, as
detailed in the following sections.
Using IPSec
IPSec is a suite of related protocols that tunnel data between devices and
cryptographically secure communications at the network layer. Each device in the VPN
has the same IPSec configuration, enabling traffic between the devices to flow securely
from source to destination.
Because IPSec functions at the network layer, it protects all data generated by any
application or protocol that uses IP. Network layer encryption protects data generated
by all protocols at the upper layers of the protocol stack. It also protects all data
throughout the entire journey of the packet. Data is encrypted at the source and remains
encrypted until reaching its destination. Intermediate systems that transmit the packet
(like routers and switches on the Internet) do not need to decrypt the packet to route it,
and do not need to support IPSec.
When you create your VPN in NSM, you can use one or more IPSec services to establish
the tunnel and protect your data. Typically, VPNs use encryption and authentication
services to enable basic security between devices; however, for critical data paths, using
certificates can greatly enhance the security of the VPN. NSM supports the following
IPSec data protection services for VPNs.
Using Authentication
To authenticate the data in the VPN tunnel, you can use the AH protocol, pre-shared
secrets, or certificates:
Authentication Header (AH)—AH authenticates the integrity and authenticity of data
in the VPN. You can authenticate packets using Message Digest version 5 (MD5),
Secure Hash Algorithm-1 (SHA-1), or Hash-based Message Authentication Code
(HMAC).
Preshared Secret—NSM generates an ephemeral secret, distributes the secret to each
VPN node, then authenticates the VPN data using MD5 or SHA hash algorithms against
the secret.
Certificates—IKE uses a trusted authority on the client as the certificate server. For
details on using certificates, see the Network and Security Manager Configuring ScreenOS
and IDP Devices Guide.
Authentication only authenticates the data; it does not encrypt the data in the VPN. To
ensure privacy, you must encrypt the data using ESP.
Using Encapsulating Security Payload (ESP)
ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption.
When the encrypted data arrives at the destination, the receiving device uses a key to
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
