Patents and Legal Ramifications

As any good lawyer will tell you, intellectual property is just as tangible as real property, and in some cases easier to defend in a court of law. Even using some technologies can constitute a legally binding agreement with the software's creators, so you need to take care when dealing with any and all such systems. The U.S. government classifies encryption routines as munitions, which is to say that it considers the mathematical formulas that protect data a dangerous technology: exporting strong cryptography without a license is regulated under the same arms-export laws that cover conventional weapons. The boys on the Hill do not take such matters lightly, either. You may ask yourself, how could a little code hurt the giant U.S. government or its citizens? To learn exactly why the government treats these technologies so seriously, we have to look back at some history. Remember the Enigma machine? It was a WWII German cipher device that scrambled military orders sent from the high command to the field. Along similar lines, the Japanese used a cipher machine that Allied cryptanalysts code-named Purple. In times of war, code breaking and encryption take on a very important role, best described by the saying: loose lips sink ships. The protection of even simple communication is of paramount importance to the government. If all the routines developed on U.S. soil were exported abroad with no restrictions and a war were to break out, it would be unclear to our military leaders whether their communications were safe. Products and services described in this book may be prohibited from being exported outside of the United States, or crippled in such a way as to make them freely exportable. Generally, a reduction in the size of the key used to encrypt the data is enough to obtain a license to ship overseas (historically, 40-bit keys were the usual ceiling for freely exportable products).
International organizations are already working on strong worldwide encryption technologies, and we are sure that the next 10 years will paint a new landscape of the data protection universe. One typical legal protection that a cryptographic creator has is the patent. DES, contrary to popular belief, is patented, but it is licensed royalty-free, which is one of the reasons why it pops up almost everywhere. All public key (two-key) systems are patented as well, by either RSA Data Security Inc. or the Public Key Partners (PKP) group (see Table 2-1). Obviously they make it their business to collect license fees and monitor for unlicensed use of their algorithms.

Table 2-1. Cryptographic Patents

Encryption Routine        Patent Information
Hellman-Merkle            Patent 4,218,582, expired August 19, 1997. Supposedly covers all public key systems.
Rivest-Shamir-Adleman     Patent 4,405,829, expires September 20, 2000. Covers the RSA algorithm.
Hellman-Pohlig            Patent 4,424,414, expires January 3, 2001. Related to Diffie-Hellman (whose own patent expired in 1997).
Schnorr                   Patent 4,995,082, expires February 19, 2008. The DSS algorithm is based on this.
Kravitz                   Patent 5,231,668, expires July 27, 2008. The actual DSS algorithm.

Chapter 3. Wide Area, Remote Access, and the VPN

Even though this book is about virtual private networks, we're prepared to admit that a VPN is not always the best networking solution. This chapter compares its costs and benefits, in very general terms, to two industry standard alternatives: a wide area network, in which you lease dedicated lines between sites, and remote access, in which users dial up banks of modems at a central site. Each solution has its merits and flaws, and likewise, each has its comparative cost points. We do not offer an exhaustive price list, as this chapter would reach the size of an entire book and the prices change weekly anyway. What we do cover, however, is each solution's pros and cons and some price breakpoints for general comparison. This will at least allow for an informed decision on where to begin researching your own WAN/RAS/VPN solution.

3.1 General WAN, RAS, and VPN Concepts

All three of these networking solutions provide the same result: connection of remote users to private network resources. Likewise, each has its own set of parameters that maintain three important networking concepts: security, scalability, and stability. Finally, all three have similar pieces that can be assigned a breakdown cost: telecommunication lines, networking hardware/software, and system administration. All six of these generic concepts will be used to compare the three networking solutions in the following sections.

A wide area network, or WAN, consists of two or more networks connected via dedicated and private telco lines. This could cover anything from two computers connected via a dedicated frame relay line (similar in concept to retail credit card clearing devices), to several large regional office networks connected to a central office over private ATM lines. Figure 3-1 depicts a simplified WAN, with its basic component parts: networks, gateway routers, and telco lines.

Figure 3-1. A typical leased line connection between two enterprise networks

Remote access service, or RAS, consists of banks of incoming, on-demand telco lines for connecting remote users or networks. This could range from a terminal server with several modems to a RAS server with incoming PRI lines (a PRI is a digital T1 line channelized for 23 ISDN or modem connections, plus one signaling channel). Figure 3-2 shows a simplified RAS solution, with its RAS server and incoming networks and users.

Figure 3-2. Dial-up connections

The virtual private network, our VPN, is somewhat more complex, as you may have gleaned from previous chapters. The VPN concept, of course, is to allow users or networks to access central private network resources securely via the Internet. There are three basic solutions that mirror both WAN and RAS implementations: the point-to-network, the network-to-network, and the integrated solution.
The point-to-network solution is meant to replace RAS as a primary connection method for the typical end user. Instead of dialing in to a central RAS point, the user dials in to a regional Internet service provider and connects to the private network via some secure protocol (e.g., SSH, PPTP, or L2TP; note that L2TP by itself only tunnels traffic and relies on a companion protocol such as IPSec for encryption). The network-to-network solution is similar, except that the remote network connects to an ISP and sends its private communication to a central firewall or VPN server equipped with a secure protocol. The Cisco PIX firewall and the IPSec protocol fall into this scenario, though IPSec is also available for point-to-network connections. The integrated solution is generally a combination of VPN servers, firewall software, and/or dedicated hardware that allows both networks and end users to access the private network. IPSec products such as Checkpoint Firewall-1 are considered integrated solutions. Figure 3-3 shows a generic integrated solution using an IPSec firewall for connecting networks and a PPTP server for incoming end user connections.