95 Authentication tables Each tunnel group is assigned a specific username, password, and session key. The tunnel client is configured with this authentication information, and transmits it to the server for verification before tunnel traffic can commence. The Extranet server generates the authentication key, user group name, and password as exportable files described in the next section for installation into the Telecommuter Client clients that require access. These files should be treated as confidential information, and should be closely managed. The three parameters presented here are configured for each tunnel group. Configuration of the local firewall is also required for successfully routing tunnel traffic. See Section 6.4 below for details.

6.3.3.2 Security procedures

When you create a tunnel group, the AltaVista Tunnel Extranet server requires you to manually enter a unique username and password. Once the group is configured, the tunnel server creates a unique 1024-bit RSA authentication key for that particular group. Both of these authentication pieces may be extracted into separate ETA and key files. The ETA file contains the user group name and password, and is by default named groupname.eta. The key file is typically named groupname.key. These authorization files are needed by remote clients for connecting to and authorizing tunnel sessions to the tunnel server. Once extracted, these files should be distributed to all authorized remote clients. These security files should be handled as highly confidential information, as anyone with this file will be allowed access to the virtual private network. Distribution by floppy disk or private FTP site are semi-secure ways of distribution, but all transfers should be logged by the system administrator to maintain the integrity of the security system.

6.3.3.3 AltaVista Tunnel Telecommuter Client

The tunnel client software contains a single configuration for each tunnel group to which the client has access. Thus, the user could be a sales forecaster for a manufacturing company, and have access to the Sales group for historical sales data and the Manufacturing group for factory throughput. The following parameters are specific to each group: Username This is the unique tunnel group name as it appears in the tunnel servers authentication tables. This parameter is part of the extractable ETA file from the Extranet server, or it may be entered manually. Server key ID The server key also comes from the tunnel servers authentication tables. Each group has a specific key, which allows the client access to the tunnel group. A copy of this key is provided in the extractable key file from the Extranet server. 96 Tunnel server This is the domain name or IP address of the tunnel server on the Internet and the port for which tunnel traffic is handled default 3265. First firewall The first firewall is not typically used for single remote PCs, as the traffic is transparent until received by the remote firewall. This first firewall is typically the end users ISP, through which outbound tunnel traffic passes transparently. On the Extranet server acting as an outbound tunnel client, the first firewall parameter lists the address and port default 3265 of the local firewall between the LAN and the Internet. Second firewall This is the physical address and tunnel port for the private network being accessed. Ultimately, it is the first destination for tunnel traffic, and it is relayed from the tunnel port on the firewall to the tunnel port on the Extranet server for verification.

6.4 VPNs and AltaVista

AltaVistas flexibility allows an enterprise to accept several tunnel sessions to the virtual private LAN, either from a remote LAN or from remote single machine connections. The configurations here are each subtly different, because the Single Connection-to-LAN and LAN-to-LANLAN-to-WAN implementations of the AltaVista Tunnel are different. The LAN-to-LANLAN-to-WAN tunnel configurations are for an enterprise that requires two-way tunnel traffic between its two networks where an Extranet server is required on each end of the connection. This scenario is actually meant to replace traditional private leased line connections by using secure tunneling sessions over the Internet. The Single Connection-to- LAN scenario allows multiple end users to access the private network over the Internet, in a secure fashion, without being tied to a fixed IP address or a single access provider. In the following sections we show a sample configuration illustrating each scenario.

6.4.1 Implementing a LAN-to-LAN Tunnel

This configuration features a firewall on each side.

6.4.1.1 Sample configuration

In the LAN-to-LAN tunnel configuration shown in Figure 6-1 , LAN 1 is a corporate office connected to the Internet via a full T1 and protected with a firewall. There are four machines on the LAN: the AltaVista Extranet server, Finance, Human Resources, and Research Development. LAN 2 is a remote sales office running a second AltaVista Extranet server and three host machines. LAN 2 is connected to the Internet via 128Kbps ISDN and is protected by a firewall. This configuration is set up to illustrate the ability of the AltaVista Tunnel server to act as either an outbound or inbound tunnel router. In this example, LAN 1 is the inbound tunnel group and LAN 2 is the outbound tunnel group.