How VPNs relate to Intranets

the Internet. There may be cases, however, where you'll want far-flung offices to share data or remote users to connect to your Intranet, and these users may be using the Internet as their means of connection. A VPN will allow them to connect to the Intranet securely, so there are no fears of sensitive information leaving the network unprotected. You might see this type of connection also referred to as an Extranet. Using our previous example of the customer database, it's easy to see how a VPN could expand the Intranet application's functionality. Suppose most of your salespeople are on the road, or work from home. There's no reason why they shouldn't be able to use the Internet to access the web server that houses the customer database application. You don't want just anyone to be able to access the information, however, and you're also worried about the information itself flowing unencrypted over the Internet. A VPN can provide a secure link between the salesperson's laptop and the Intranet web server running the database, and encrypt the data going between them. VPNs give you flexibility, and allow practically any corporate network service to be used securely across the Internet.

1.2 Security Risks of the Internet

The risks associated with the Internet are advertised every day by the trade and mainstream media. Whether it's someone accessing your credit card numbers, prying into your legal troubles, or erasing your files, there's a new scare every month about the supposedly private information someone can find out about you on the Internet. Not to mention the perceived risk that you might happen upon some information that you find offensive, or that you might not want your children to see. For corporations, the risks are even more real and apparent. Stolen or deleted corporate data can adversely affect people's livelihoods, and cost the company money. If a small company is robbed of its project files or customer database, it could put them out of business. Since the Internet is a public network, you always risk having someone access any system you connect to it. It used to be that a system intruder would have to dial into your network to crack a system. This meant that they would have to find a phone number connected to a modem bank that would give them access, and risk the possibility of the line being traced. But if your corporate network is connected over the Internet and your security is lax, the system cracker might be able to access your network using any standard dial-up account from any ISP in the world. Even unsophisticated users can obtain and use automated security check tools to seek out holes in a company's network. What's worse is that, chances are, you'll never know that it's happening. Before we put our private data out on the Internet, we'd better make sure a VPN is robust enough to protect it.

1.2.1 What Are We Protecting with Our VPN?

The first things that come to mind when you think of protection are the files on your networked computers: documents that contain your company's future plans, spreadsheets that detail the financial analysis of a new product introduction, databases of your payroll and tax records, or even a security assessment of your network pointing out holes and problematic machinery. These files are a good starting point, but don't forget about the other, less tangible assets that you connect to the Internet when you go online. These include the services that you grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, a security failure can cause your vendor's email to bounce back to them, or prevent your users from making connections to other sites. The easiest thing would be to isolate, tabulate, and lock down your private data. Well over half the data you manage and distribute might call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign; this might hurt you far worse than a negative campaign aimed at a random slice of the population. Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, it's not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code. VPNs help alleviate some of the worry of transmitting secure files outside of your network. In Chapter 2, we will examine possible threats to your network and data, and explore the technologies that VPNs use to avoid them.

1.3 How VPNs Solve Internet Security Issues

There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2.

1.3.1 Firewalls

An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network. Although most VPN packages themselves don't implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you don't have a firewall protecting your network, don't bother with a VPN until you get one—you're already exposing yourself to considerable risk. The most common firewall is a packet filtration firewall, which will block specified IP services run on specific port numbers from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PIX) and the 3Com/U.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter. Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell NetWare.
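To make the packet-filtration idea concrete, here is a small added example (not from the book, and not any vendor's product) of how a gateway filter decides what crosses it by looking only at addresses, protocol, and destination port. The addresses (192.0.2.0/24 for the corporate perimeter, 192.0.2.1 for the VPN gateway, 192.0.2.10 for the intranet web server, 198.51.100.0/24 for remote users) and the gateway's listening port (UDP 500) are constructed for illustration. Two rule sets are shown side by side: an exposed one that lets the Internet reach the web server directly, and a hardened one that admits only traffic bound for the VPN gateway, so the customer database is reachable solely through the tunnel.

```python
"""Toy packet-filtration firewall: first-match rules with a default deny.

Added example, not code from the book. All addresses, ports and packets
below are constructed values chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src_net: str           # CIDR the source address must fall within
    dst_net: str           # CIDR the destination address must fall within
    dport: Optional[int]   # destination port, or None to match any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return (
            self.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src_net)
            and ip_address(pkt.dst) in ip_network(self.dst_net)
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny': the first matching rule wins; with no match,
    the packet is dropped (default deny is what keeps unlisted services out)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ANY = "0.0.0.0/0"
VPN_GATEWAY = "192.0.2.1/32"     # constructed: the VPN endpoint on the perimeter
WEB_SERVER = "192.0.2.10/32"     # constructed: intranet web server with the database app
VPN_PORT = 500                   # constructed: the UDP port the gateway accepts tunnels on

# Exposed rule set: the database web server is reachable directly from the
# Internet, so the data flows unencrypted and anyone can try to log in.
EXPOSED = [
    Rule("allow", "udp", ANY, VPN_GATEWAY, VPN_PORT),
    Rule("allow", "tcp", ANY, WEB_SERVER, 80),
]

# Hardened rule set: only tunnel set-up traffic to the VPN gateway crosses the
# router. Traffic that arrives inside the tunnel is decrypted by the gateway
# and reaches the web server on the inside, which this filter does not model.
HARDENED = [
    Rule("allow", "udp", ANY, VPN_GATEWAY, VPN_PORT),
]


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Decide a batch of packets against one rule set."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic arriving at the gateway router from the Internet.
    samples = [
        Packet("udp", "198.51.100.7", "192.0.2.1", 500),   # salesperson's laptop opening a tunnel
        Packet("tcp", "198.51.100.7", "192.0.2.10", 80),   # same laptop hitting the web server directly
        Packet("tcp", "198.51.100.99", "192.0.2.1", 23),   # unknown host probing telnet on the gateway
    ]
    for name, rules in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, evaluate(rules, samples))
```

Rule order matters because evaluation stops at the first match, so a broad allow placed above a specific deny silently wins; keeping the list short and ending in an implicit deny is what makes the hardened set safe to reason about. A real packet filter also tracks connection state and filters the decrypted traffic leaving the tunnel, which a stateless address-and-port check like this one cannot do.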