Avaya Application Solutions Deployment Manual page 308
Network design
Communication security
The public nature of the Internet, its reach, and its shared infrastructure provide cost savings
when compared to leased lines and private network solutions. However, those factors also
contribute to make Internet access a security risk. To reduce these risks, network administrators
must use the appropriate security measures.
It is important to note that a managed service can be implemented either as a premises-based
solution or a network-based VPN service. A premises-based solution includes customer
premises equipment (CPE) that allows end-to-end security and Service Level Agreements
(SLAs) that include the local loop. These end-to-end guarantees of quality are key
differentiators. A network-based VPN, on the other hand, is provisioned mainly by equipment at
the service provider's point-of-presence (PoP), so it does not provide equivalent guarantees
over the last mile. For a secure VPN that delivers robust, end-to-end SLAs, an enterprise must
demand a premises-based solution that is built on an integrated family of secure VPN platforms.
The "private" in virtual private networking is also a matter of separating and insulating the traffic
of each customer so that other parties cannot compromise the confidentiality or the
integrity of data. IPSec tunneling and data encryption achieve this insulation by essentially
carving private end-to-end pipes or "tunnels" out of the public bandwidth of the Internet, and
then encrypting the information within those tunnels to protect against someone else accessing
the information. In addition to IPSec, there are two standards for establishing tunnels at Layer 2.
These are the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP),
neither of which includes the encryption capabilities of IPSec. The value of IPSec beyond these
solutions is that IPSec operates at IP Layer 3. It allows for native, end-to-end secure tunneling
and, as an IP-layer service, it also promises to be more scalable than the connection-oriented
Layer 2 mechanisms.
Also, note that IPSec can be used with either L2TP or PPTP, since IPSec encrypts the payload
that contains the L2TP/PPTP data. Indeed, IPSec provides a highly robust architecture for
secure wide-area VPN and remote dial-in services. It is fully complementary to any underlying
Layer 2 network architecture, and with its addition of security services that can protect the VPN
of a company, IPSec marks the clear transition from early tunneling to full-fledged Internet VPN
services.
An issue, however, is the fact that different implementations of IPSec confer varying degrees of
security services. Products must be compliant with the latest IPSec drafts, must support
high-performance encryption, and must scale to VPNs of industrial size.
Finally, a VPN platform should support a robust system for authentication of the identity of end
users, based on industry standard approaches and protocols.
Firewall technologies
To reduce security risks, appropriate network access policies should be defined as part of
business strategy. Firewalls can be used to enforce such policies. A firewall is a network
interconnection element that polices the traffic that flows between internal (protected) networks and
external (public) networks such as the Internet. Firewalls can also be used to "segment" internal
networks.
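As an added example that is not part of the Avaya manual, the following Linux nftables ruleset shows how a gateway firewall can enforce the policies described above: it admits the IPsec tunnel (IKE and ESP) from the public side, accepts L2TP only after it has arrived inside IPsec (so unencrypted L2TP from the Internet is refused), and segments two internal networks. The interface names eth0/eth1/eth2, the management ports and the voice port range are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the manual). Assumed interfaces:
#   eth0 = public (Internet) side, eth1 = internal LAN, eth2 = voice segment.
flush ruleset

table inet vpn_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IKE (UDP 500) and NAT-T (UDP 4500) to the VPN gateway from the public side
        iifname "eth0" udp dport { 500, 4500 } accept
        # ESP carries the encrypted tunnel payload (the L2TP/PPP data lives inside it)
        iifname "eth0" meta l4proto esp accept

        # L2TP (UDP 1701) is accepted only after IPsec decapsulation, i.e. when the
        # kernel marks the packet as having been processed by IPsec; raw, unencrypted
        # L2TP arriving from the Internet is dropped
        iifname "eth0" udp dport 1701 meta ipsec exists accept
        iifname "eth0" udp dport 1701 drop

        # Management of the gateway only from the internal LAN (assumed ports)
        iifname "eth1" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Remote users whose traffic was decrypted from the IPsec tunnel may reach the LAN
        iifname "eth0" oifname "eth1" meta ipsec exists accept

        # Internal segmentation: the LAN may open only SIP and the assumed RTP range
        # toward the voice segment; nothing else crosses between segments
        iifname "eth1" oifname "eth2" udp dport { 5060, 10000-20000 } accept

        # The voice segment may never initiate connections toward the Internet
        iifname "eth2" oifname "eth0" drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `meta ipsec exists` match requires a kernel and nft version that support the ipsec meta key.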