13

1.5 A Note on IP Address and Domain Name Conventions Used in This Book

The notation 1.0.0.024 is commonly used in describing IP address ranges. It means start with the address 1.0.0.0 and allow the right-most 8 bits to vary. The 8 is calculated by using 32 bits the maximum for an IP address minus 24 the size specified after the . So 1.0.0.024 means all addresses from 1.0.0.0 to 1.0.0.255. Weve elected to use the same IP address ranges and domain name throughout this book. For Internet-routable IP address ranges, were using the blocks 1.0.0.0-1.255.255.255 or 1.0.0.08 and 2.0.0.0-2.255.255.255 2.0.0.08, which we subnet to suit our needs. These ranges were chosen because they are designated as Internet routable, but are reserved by the IANA and arent currently being used. We hope that using these ranges, rather than randomly picking some or choosing them from active registered networks, will makes examples and figures easier to understand while protecting the innocent. We found that this helped us maintain our own sanity while writing the book. For internal networks, we use the IP ranges set aside in RFC 1918 for use on private networks. These ranges are 10.0.0.0-10.255.255.255 or 10.0.0.08, 172.16.0.0- 172.31.255.255 or 172.16.0.012, and 192.168.0.0-192.168.255.255 or 192.168.0.016. We also subnet these as we deem necessary for an example. The domain name we use for our examples is ora-vpn.com. Within this domain, however, we dont have a hostname convention, because we typically create a hostname to match whatever solution we are writing about in a given chapter. 14

Chapter 2. Basic VPN Technologies

This chapter focuses on the background technologies used to build a virtual private network. As we discussed in Chapter 1 , there are two competing camps at work when we talk about connecting networks. The first camp places the highest worth on the accessibility of data anywhere the user might be, and anywhere the data might be. The second emphasizes that the protection of the data itself, the content, is most important and must be protected to prevent unauthorized persons from using it. As you can see, these two concepts are not at all mutually exclusive, but more of a yin-yang. As you focus on sharing more and more information so that everyone can get what they need, you must also remain focused on the security of that information so that others will not take advantage of you. Because the Internet is a vast collection of resources, it is clear that sharing your information with other participants can help you prosper. It is not clear, however, at what risk you place yourself when you actually connect. It is our opinion that some companies see the Net as a huge untapped marketplace, full of consumers and advertising opportunities, but dont realize that the Internet has its own version of an underworld as well. It is this, above all else, that compels us to protect our data, and where the emergence of the virtual private network presents itself is a stepping stone into the 21st century. The protection of private data is the core of the virtual private network, and the two most relevant technologies encryption and firewalls are what make it all possible. In this chapter we will present an overview and background of the technologies used to build a VPN, and how they are incorporated into the products and services covered in this book. We will start with a discussion of how firewall techniques are used to protect an entire network at its gateway routers. Next, we will present you with a general background on encryption: how it is used in a traditional sense, plus how it will be deployed using a VPN. Following this, we will discuss authentication techniques and how they are used in conjunction with the encryption algorithms with VPNs. Also, we will delve into the protocols that have arisen from the growth of the VPN industry. Lastly, we will briefly cover various compromise methodologies that a potential assailant may use to try to gain access to your private network or data.

2.1 Firewall Deployment

The first of the security-related technologies that we cover in this book is the firewall. A firewall is a system that stands between your internal network and the world outside. Firewalls have been employed on large public networks for many years and are a great starting place in the development of a security strategy. The reason to start with firewalls is that they are generally placed at the point at which your network interconnects with a public network, like the Internet. Although not a perfect strategy, a firewall is easy to configure; it requires only the modification of one gateway router. Of course, if you have a large, multiply- connected WAN, with many paths to the Internet, then it should be noted that you will need to create a firewall for each interconnection point. The complexity of this process increases dramatically from the single point gateway to the multiple point gateway. 2.1.1 What Is a Firewall? The U.S. Department of Defense, probably the worlds authority on data sensitivity and security controls, used a system of confidences defined as security levels to restrict access to