9 grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, a security failure can cause your vendors email to bounce back to them, or prevent your users from making connections to other sites. The easiest thing would be to isolate, tabulate, and lock down your private data. Well over half the data you manage and distribute might call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign; this might hurt you far worse than a negative campaign aimed at a random slice of the population. Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, its not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code. VPNs help alleviate some of the worry of transmitting secure files outside of your network. In Chapter 2 , we will examine possible threats to your network and data, and explore the technologies that VPNs use to avoid them.

1.3 How VPNs Solve Internet Security Issues

There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2 .

1.3.1 Firewalls

An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network. Although most VPN packages themselves dont implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you dont have a firewall protecting your network, dont bother with a VPN until you get one—youre already exposing yourself to considerable risk. The most common firewall is a packet filtration firewall, which will block specified IP services run on specific port numbers from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange PIX and the 3ComU.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter. Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell Netware. 10

1.3.2 Authentication

Authentication techniques are essential to VPNs, as they ensure the communicating parties that they are exchanging data with the correct user or host. Authentication is analogous to logging in to a system with a username and password. VPNs, however, require more stringent authentication methods to validate identities. Most VPN authentication systems are based on a shared key system. The keys are run through a hashing algorithm, which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldnt be able to glean a password. The Challenge Handshake Authentication Protocol CHAP is a good example of an authentication method that uses this scheme. Another common authentication system is RSA. Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didnt slip into the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.

1.3.3 Encryption

All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret or private key encryption and public key encryption. In secret key encryption, there is a shared secret password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The data encryption standard DES, which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method. One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup of people, it can become unmanageable for a large network. What if one of the people leaves the company? Then youre going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed. Public key encryption involves a public key and a private key. You publish your public key to everyone, while only you know your private key. If you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, theyll decrypt it using your public key and their private key. Depending on the software, public and private keys can be large—too large for anyone to remember. Therefore, theyre often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption method, such as DES, and a password or passphrase you can remember, so that even if someone gets on your system, they wont be able to see what your private key looks like. Pretty Good Privacy PGP is a well- known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products. The main disadvantage of public