11 key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption. VPNs, however, need to encrypt data in real time, rather than storing the data as a file like you would with PGP. Because of this, encrypted streams over a network, such as VPNs, are encrypted using secret key encryption with a key thats good only for that streaming session. The session secret itself typically smaller than the data is encrypted using public key encryption and is sent over the link. The secret keys are often negotiated using a key management protocol. The next step for VPNs is secure IP, or IPSec. IPSec is a series of proposals from the IETF outlining a secure IP protocol for IPv4 and IPv6. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide. IPSec creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Rather than seeing IPSec as a threat to their current products, most vendors see it as a way to augment their own security, essentially adding another interoperable level to their current tunneling and encryption methods. Well go into detail about the power, politics, and use of various encryption techniques in Chapter 2 .

1.3.4 Tunneling

Many VPN packages use tunneling to create a private network, including several that we review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol PPTP, the Layer 2 Forwarding Protocol, and IPSecs tunnel mode. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs dont exclusively use IP although the trend is moving in that direction. Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely. With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved not Internet-routable IP address space set aside by the Internet Assigned Numbers Authority IANA for private networks on your LAN, and still access your hosts across the Internet. We will look at how and why you would do this in later chapters. Other standards that many VPN devices use are X.509 certificates, the Lightweight Directory Access Protocol LDAP, and RADIUS for authentication. 12

1.4 VPN Solutions

A VPN is a conglomerate of useful technologies that originally were assembled by hand. Now the networking companies and ISPs have realized the value of a VPN and are offering products that do the hard work for you. In addition, there is an assortment of free software available on the Internet usually for Unix systems that can be used to create a VPN. In this book, were going to look at some of the commercial and free solutions in detail. Which one you choose for your network will depend on the resources available to you, the platforms you run, your network topology, the time you wish to spend installing and configuring the software, and whether or not you want commercial-level support. We cant cover every vendor and product in this book; they change too quickly. Instead, we offer guidelines you can use on all networks and details on a few stable products that were available when we were writing this edition—we dont mean to imply that theres anything less valuable about competing products. VPN packages range from software solutions that run on or integrate with a network operating system such as the AltaVista Tunnel or CheckPoint Firewall-1 on Windows NT or Unix, to hardware routersfirewalls such as those from Cisco and Ascend, to integrated hardware solutions designed specifically for VPN functions such as VPNet and the Bay Networks Extranet Switch. Some VPN protocols, like SSH or SSL, gained popularity for performing other functions, but have since become used for VPNs as well. In addition to products, ISPs are also offering VPN services to their customers. The tunneling usually takes place on the ISPs equipment. If both ends of the connection are through the same ISP, that ISP might offer a Service Level Agreement SLA guaranteeing a certain maximum amount of latency and uptime.

1.4.1 Quality of Service Issues

Running a virtual private network over the Internet raises an easily forgotten issue of reliability. Lets face it: the Internet isnt always the most reliable network, by nature. Tracing a packet from one point to another, you may pass through a half-dozen different networks of varying speeds, reliability, and utilization—each run by a different company. Any one of these networks could cause problems for a VPN. The lack of reliability of the Internet, and the fact that no one entity controls it, makes troubleshooting VPN problems difficult for a network administrator. If a user cant dial into a remote access server at the corporate headquarters, or theres a problem with a leased line connection, the network administrator knows there are a limited number of possibilities for where the problem may occur: the machine or router on the far end, the telecommunications company providing the link, or the machine or router at the corporate headquarters. For a VPN over the Internet, the problem could be with the machine on the far end, with the ISP on the far end, with one of the networks in between, with the corporate headquarters ISP, or with the machine or router at the corporate headquarters itself. Although a few large ISPs are offering quality of service guarantees with their VPN service if all parties involved are connected to their network, smaller ISPs cant make such a guarantee—and there will always be times when the network administrator is left to her own resources. This book will help you isolate and identify the problem when something goes wrong on your VPN.