Enterasys X-Pedition Security Router (XSR) User Manual: How a Virtual Private Network Works; Ensuring VPN Security with IPSec/IKE/GRE

Enterasys security router user's guide

Encryption and decryption provide confidentiality by allowing two communicating parties to
disguise the information they share. The sender encrypts, or scrambles, data before sending it;
the receiver decrypts, or unscrambles, it on arrival. While in transit, the encrypted information
is unintelligible to an intruder.
Tamper detection ensures data integrity by letting the recipient verify that data has not been
modified in transit. The sender calculates a hash value over the data every time it is sent, the
receiver recalculates it on receipt, and the two values are compared. Because the hash is keyed
with a secret the peers share (IPSec uses HMAC for this), an intruder who modifies the data or
substitutes a false message for a legitimate one cannot produce a matching value, so the change
is detected.
Authentication allows the recipient of data to determine its origin, that is, to confirm the
sender's identity, by means of a digital signature on the message or a challenge-response exchange.
Nonrepudiation prevents the sender of information from claiming at a later date that the
information was never sent. It requires a digital signature made with a key only the sender
holds; a tag computed with a shared key cannot provide it, since either peer could have produced it.
A later section of this chapter details the XSR's security implementation.
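The hash-and-compare step from the tamper detection paragraph, worked through as an added example in Python (this is illustration code, not code from the manual or the XSR). It shows why the value the sender computes must be keyed: a plain hash can be recomputed by whoever substitutes the message, while an HMAC over a shared secret cannot, which is also what lets the receiver treat a valid tag as proof of origin. The shared key and the messages are constructed test data; the unkeyed SHA-256 tag is carried alongside the HMAC only to contrast the two schemes.

```python
import hashlib
import hmac

# Constructed example: a secret shared only by the two VPN peers. IPSec derives
# keys of this kind per security association from the IKE exchange; the value
# below is arbitrary test data, not a real key.
SHARED_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233445566778899aabbccddeeff"
)


def unkeyed_tag(data: bytes) -> bytes:
    """Plain SHA-256: what a naive 'hash, send, recompute, compare' scheme uses."""
    return hashlib.sha256(data).digest()


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256: the keyed construction IPSec uses for its integrity check value."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sender(key: bytes, payload: bytes) -> dict:
    """Sender computes both tags over the data before transmission
    (the unkeyed one is included only to contrast the two schemes)."""
    return {"data": payload, "hash": unkeyed_tag(payload), "hmac": keyed_tag(key, payload)}


def receiver_checks(key: bytes, msg: dict) -> dict:
    """Receiver recomputes each tag over what actually arrived and compares
    in constant time (compare_digest avoids a timing side channel)."""
    return {
        "hash_ok": hmac.compare_digest(unkeyed_tag(msg["data"]), msg["hash"]),
        "hmac_ok": hmac.compare_digest(keyed_tag(key, msg["data"]), msg["hmac"]),
    }


def flip_bit(msg: dict) -> dict:
    """Intruder alters one bit of the data in transit without touching the tags."""
    data = bytearray(msg["data"])
    data[0] ^= 0x01
    return {**msg, "data": bytes(data)}


def substitute_message(msg: dict, forged: bytes) -> dict:
    """Intruder replaces the message and recomputes the unkeyed hash; lacking the
    key, the best it can do for the HMAC is to forward the original value."""
    return {"data": forged, "hash": unkeyed_tag(forged), "hmac": msg["hmac"]}


def run_scenarios(key: bytes = SHARED_KEY) -> dict:
    """Legitimate delivery, a bit flip in transit, and a full substitution attack."""
    original = sender(key, b"TRANSFER 100 TO ACCOUNT 4242")  # constructed message
    forged = b"TRANSFER 9000 TO ACCOUNT 6666"                  # constructed message
    return {
        "legitimate": receiver_checks(key, original),
        "bit_flipped": receiver_checks(key, flip_bit(original)),
        "substituted": receiver_checks(key, substitute_message(original, forged)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} plain hash accepted: {result['hash_ok']!s:5s} "
              f"HMAC accepted: {result['hmac_ok']}")
```

The bit flip is caught by both checks, but the substituted message sails through the unkeyed comparison: the attacker simply hashed the forged text. Only the HMAC rejects it, because computing a matching tag requires the shared key.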

How a Virtual Private Network Works

VPNs combine tunneling, encryption, authentication and access control technologies and
services to carry traffic over the Internet, a managed IP network or a provider's backbone.
Traffic reaches these backbones over any combination of access technologies, including Ethernet,
T1, Frame Relay, ISDN, or simple dial access. VPNs use familiar networking technology and
protocols: the client sends a stream of encrypted packets to a remote server or router, but
instead of crossing a dedicated line (as in a leased-line WAN) the packets traverse a tunnel
over a shared network.
The original motivation for this approach was to reduce the recurring telecommunications
charges a company incurs when connecting remote users and branch offices to resources at its
headquarters.
In this VPN model, packets headed toward the remote network reach a tunnel initiating device,
which can be anything from an extranet router to a laptop PC with VPN-enabled dial-up software.
The tunnel initiator negotiates with a VPN terminator, or tunnel switch, the algorithms and keys
that will protect the tunnel. It then encrypts each packet before transmitting it to the
terminator, which decrypts the packet and delivers it to the appropriate destination on the
network.
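The initiator/terminator exchange described above, simulated end to end as an added example (illustration code, not code from the XSR or this manual) using only the Python standard library. A simplified security policy database decides which packets from the branch are tunneled, sent in the clear, or dropped; the initiator wraps protected packets ESP-style in tunnel mode (new outer header, SPI, sequence number, integrity check value); the terminator authenticates each packet, rejects replays and unknown SAs, and hands the inner packet to the private network. Assumptions: the addresses, shared key, SPI and policy are constructed; encryption is omitted (equivalent to ESP with NULL encryption, so the tunnel is authenticated but not confidential); the replay check is a strict monotonic sequence test rather than ESP's sliding window; and the "IP packet" is a minimal src/dst/payload encoding rather than a real IP header.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed topology (documentation address ranges, not a real deployment):
#   branch router, tunnel initiator, public 203.0.113.10, protects 10.1.0.0/16
#   HQ router,     tunnel terminator, public 198.51.100.1, protects 10.2.0.0/16
BRANCH_PUBLIC = "203.0.113.10"
HQ_PUBLIC = "198.51.100.1"
# Stand-in for the per-SA authentication key IKE would negotiate (arbitrary test data).
SA_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
SPI = 0x1000ABCD   # identifies the security association at the terminator (constructed)
ICV_LEN = 16       # HMAC-SHA-256-128: tag truncated to 128 bits, as in RFC 4868

# Simplified security policy database (RFC 4301): ordered, first match wins.
SPD = [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), "protect"),
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("0.0.0.0/0"), "bypass"),
]


def spd_lookup(src: str, dst: str) -> str:
    """Decide whether a packet is tunneled ('protect'), sent in the clear, or dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in SPD:
        if s in src_net and d in dst_net:
            return action
    return "discard"


def encode_inner(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal stand-in for an IP packet: 4-byte src, 4-byte dst, payload."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def decode_inner(pkt: bytes) -> tuple[str, str, bytes]:
    return str(ipaddress.ip_address(pkt[:4])), str(ipaddress.ip_address(pkt[4:8])), pkt[8:]


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value over the ESP header and payload (outer header excluded)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


class TunnelInitiator:
    """Branch-side router: applies policy and wraps protected traffic in an
    ESP-like tunnel-mode packet (NULL encryption, RFC 2410) with an ICV."""

    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, src: str, dst: str, payload: bytes):
        inner = encode_inner(src, dst, payload)
        action = spd_lookup(src, dst)
        if action == "bypass":
            return "clear", inner
        if action == "discard":
            return "dropped", None
        self.seq += 1                                  # never reused within this SA
        esp = struct.pack("!II", SPI, self.seq) + inner
        outer = encode_inner(BRANCH_PUBLIC, HQ_PUBLIC, esp + icv(self.key, esp))
        return "tunnel", outer


class TunnelTerminator:
    """HQ-side router: authenticates, rejects replays, and returns the inner
    packet to be forwarded into the private network (None if rejected)."""

    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, outer: bytes):
        _, outer_dst, esp_icv = decode_inner(outer)
        if outer_dst != HQ_PUBLIC or len(esp_icv) < 8 + ICV_LEN:
            return None
        esp, tag = esp_icv[:-ICV_LEN], esp_icv[-ICV_LEN:]
        if not hmac.compare_digest(icv(self.key, esp), tag):
            return None                                # modified or forged in transit
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != SPI or seq <= self.last_seq:         # real ESP uses a sliding window
            return None                                # unknown SA or replayed packet
        self.last_seq = seq
        return decode_inner(esp[8:])


if __name__ == "__main__":
    initiator, terminator = TunnelInitiator(SA_KEY), TunnelTerminator(SA_KEY)
    kind, pkt = initiator.send("10.1.5.20", "10.2.0.7", b"GET /payroll")
    print(kind, terminator.receive(pkt))               # delivered to 10.2.0.7
    print("replay ->", terminator.receive(pkt))        # rejected: same sequence number
    print(initiator.send("10.1.5.20", "93.184.216.34", b"hello")[0])  # clear (bypass)
```

Policy selection is what makes the tunnel transparent to the hosts: only traffic for the protected remote prefix is wrapped, Internet-bound traffic leaves in the clear, and anything outside the policy is dropped at the edge. Note that the ICV covers the SPI and sequence number, so an attacker can neither splice a captured payload onto a new sequence number nor replay an old packet.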
The XSR provides Remote Access support for the connection of remote clients and gateways in a
topology where the PPTP or L2TP protocols are employed. The XSR also provides Site-to-Site tunnel
support in a topology where routers occupy each end of a connection. Site-to-site tunnels, also
known as peer-to-peer tunnels, employ IPSec as the main security provider.
The XSR's site-to-site connectivity allows a branch office to retire multiple private links and
move their traffic over a single Internet connection. Since many sites use multiple lines, this
can be a very useful application, and it can be deployed without adding equipment or software.
Ensuring VPN Security with IPSec/IKE/GRE
The key word in Virtual Private Networks is private. To ensure the security of sensitive corporate
data, the XSR relies chiefly on IPSec, the standard framework of security protocols. IPSec is not a
single protocol but a suite of protocols providing data integrity, authentication and privacy: ESP
and AH protect the packets themselves, and IKE negotiates the security associations (algorithms
and keys) they use. GRE encapsulation carries traffic that IPSec alone cannot, such as
routing-protocol multicast, and the GRE packets are in turn protected by IPSec.
14-2 Configuring the Virtual Private Network