
Virtual Private Network (VPN)

In document Document and Software Copyrights (Page 154-156)

Table 9-14 NTP Time Servers

| Server | IP address | Location |
|---|---|---|
| utcnist.colorado.edu | 128.138.140.44 | University of Colorado, Boulder |
| time.nist.gov | 192.43.244.18 | NCAR, Boulder, Colorado |
| time-nw.nist.gov | 131.107.1.10 | Microsoft, Redmond, Washington |
| nist1.symmetricom.com | 69.25.96.13 | Symmetricom, San Jose, California |
| nist1-dc.glassey.com | 216.200.93.8 | Abovenet, Virginia |
| nist1-ny.glassey.com | 208.184.49.9 | Abovenet, New York City |
| nist1-sj.glassey.com | 207.126.98.204 | Abovenet, San Jose, California |
| nist1.aol-ca.truetime.com | 207.200.81.113 | TrueTime, AOL facility, Sunnyvale, California |
| nist1.aol-va.truetime.com | 64.236.96.53 | TrueTime, AOL facility, Virginia |

With the increasing desire to leverage the public Internet, and the concern about security, IP VPNs (Internet Protocol Virtual Private Networks) are becoming the secure access of choice. IP VPNs establish secure communications between employees, branches, or partners by using strong IP-based encryption and authentication techniques for transport security over the public Internet.

IP VPNs are typically viewed as falling into three major categories: remote access VPNs, intranets (company site-to-site), and extranets (business-to-business). These services are being adopted by companies of all sizes as a result of the powerful combination of high-speed access links and public networks. An example is the use of high-speed, low-cost broadband DSL connectivity to enable teleworkers or branch offices to link securely with the company network via the Internet, as if they were accessing the LAN at the office, including all network applications. A sample VPN configuration is shown in Figure 9-1.

Figure 9-1 VPN Topology

IP VPNs can be provided via hardware or software solutions located at the remote facility (branch office or teleworker’s home) and the customer premises. These devices or solutions use technologies such as tunneling, encryption, and authentication to guarantee secure communications across a public infrastructure.

All the components of your ShoreTel 7.5 system must exist in the same enterprise private network. VPNs can be used to bridge your private networks across the Internet so that the networks for two buildings are both part of the same private network. For multiple locations that share a private network, bandwidth calculations should include the effective bandwidth inside the private network, rather than the raw bandwidth.

Tunneling

Tunneling encapsulates one type of data packet into the packet of another protocol. Multiple tunneling protocols are used today on the market:

- PPTP (Point-to-Point Tunneling Protocol): PPTP includes compression and encryption techniques. This protocol was introduced by Microsoft to support secure dial-up access for its desktop, which corresponds to a large share of the desktop market.

- L2F (Layer 2 Forwarding): Introduced by Cisco Systems, L2F was primarily used to tunnel traffic between two Cisco routers. It also allows IPX traffic to tunnel over an IP WAN.

- L2TP (Layer 2 Tunneling Protocol): L2TP is an extension of PPP (Point-to-Point Protocol) that merges the best features of L2F and PPTP. L2TP is an emerging IETF (Internet Engineering Task Force) standard.

- IPSEC: This is a collection of security protocols from the Security Working Group of the IETF. It provides ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Key Exchange Protocol) support. This protocol, mature but still technically in a draft format, is currently considered the standard for encryption and tunneling support in VPNs.

For PPTP, IP VPN tunneling adds another dimension to the tunneling. Before encapsulation takes place, the packets are encrypted so that the data is unreadable to outsiders. Once the encapsulated packets reach their destination, the encapsulation headers are separated, and packets are decrypted and returned to their original format. The L2TP tunneling protocol does not encrypt before encapsulation. It requires the IPSEC protocol to take the encapsulated packet and encrypt it before sending it over the Internet.
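The distinction above (PPTP encrypts the PPP payload before encapsulating it, L2TP does not and depends on IPsec ESP) can be checked on the wire. The following added example, not code from the guide or from ShoreTel, parses constructed IPv4 packets and reports which tunnels carry their PPP payload in the clear; it assumes the standard header layouts of L2TP (RFC 2661), PPTP's enhanced GRE (RFC 2637) and the PPP protocol id 0x00FD for MPPE-encrypted data, and ignores NAT-traversal (UDP 4500) ESP.

```python
"""Inspect raw IPv4 packets for VPN tunnel traffic and report whether the
tunnelled PPP payload is readable on the wire. All packets below are
constructed test data, not captures."""
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
L2TP_PORT = 1701
PPP_MPPE = 0x00FD  # PPP protocol id for MPPE-encrypted (or compressed) data
SRC, DST = bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])  # constructed

def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing routes it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, SRC, DST)
    return hdr + payload

def ppp_protocol(frame):
    """PPP protocol id, skipping the optional 0xFF03 address/control bytes."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    return struct.unpack("!H", frame[:2])[0]

def l2tp_payload(data):
    """Strip an L2TP v2 data-message header, honouring the L, S and O bits."""
    flags = struct.unpack("!H", data[:2])[0]
    pos = 2 + 4                               # flags + Tunnel ID + Session ID
    if flags & 0x4000:                        # L: Length field present
        pos += 2
    if flags & 0x0800:                        # S: Ns/Nr present
        pos += 4
    if flags & 0x0200:                        # O: Offset Size present, then padding
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    return data[pos:]

def gre_payload(data):
    """Strip a PPTP enhanced-GRE header: fixed 8 bytes plus optional seq/ack."""
    flags = struct.unpack("!H", data[:2])[0]
    pos = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)
    return data[pos:]

def classify(pkt):
    """Return (tunnel_type, payload_encrypted) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == PROTO_ESP:
        return "ipsec-esp", True              # only SPI/seq precede the ciphertext
    if proto == PROTO_GRE and l4[2:4] == b"\x88\x0b":   # GRE protocol type PPP
        return "pptp-gre", ppp_protocol(gre_payload(l4)) == PPP_MPPE
    if proto == PROTO_UDP and struct.unpack("!H", l4[2:4])[0] == L2TP_PORT:
        # L2TP seen outside ESP: cleartext unless the PPP layer itself encrypts.
        return "l2tp-udp", ppp_protocol(l2tp_payload(l4[8:])) == PPP_MPPE
    return "other", False

# Constructed samples: L2TP carrying a cleartext IPv4 PPP frame (0x0021), an ESP
# packet (SPI, sequence number, opaque bytes), and PPTP GRE carrying MPPE data.
CLEAR_L2TP = ipv4(PROTO_UDP, struct.pack("!HHHH", 1701, 1701, 20, 0)
                  + b"\x00\x02\x00\x07\x00\x09" + b"\xff\x03\x00\x21" + b"\x45\x00")
ESP_PKT = ipv4(PROTO_ESP, b"\x00\x00\x01\x2c" + b"\x00\x00\x00\x01" + bytes(16))
PPTP_PKT = ipv4(PROTO_GRE, b"\x30\x01\x88\x0b" + struct.pack("!HH", 4, 5)
                + b"\x00\x00\x00\x01" + b"\x00\xfd\x9a\x1b")

def audit(packets):
    """Names of the tunnels whose PPP payload travels unencrypted."""
    return [name for name, enc in map(classify, packets) if name != "other" and not enc]
```

Run `audit([CLEAR_L2TP, ESP_PKT, PPTP_PKT])` to see only the bare L2TP tunnel reported; the same logic applied to a capture from the Internet-facing interface shows whether an L2TP deployment is actually wrapped in IPsec.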

Encryption

See “Media Encryption” on page 9-29 for more information about ShoreTel’s proprietary media encryption methods.

Encryption is the marking, transforming, and reformatting of messages to protect them from disclosure and maintain confidentiality. The two main considerations with encryption are the algorithm, such as Triple Pass DES (112 bits), RCA (128 bits), and Triple DES (168 bits), and the management of the distribution of encryption keys (IKE and PKI). These longer keys, which exceed 100 bits, have been a major driver in the success of IP VPNs. They make it extremely difficult to hack into enterprise computer systems without an investment of millions of dollars in equipment.

Encryption starts with a key exchange that must be conducted securely. The IKE (ISAKMP/Oakley) protocol has been considered the most robust and secure key exchange protocol in the industry to date. It is also a de facto standard for service providers and product vendors requiring the highest level of security for their VPN solutions. PKI (Public Key Infrastructure), new to the key management scene, is currently thought to be the long-term solution to simplifying the management of VPNs. The industry is still evaluating and testing PKI, with some initial deployments beginning to occur.

Performance

From an IP VPN performance perspective, encryption can be a CPU-intensive operation. As a result, enterprises must evaluate VPN products in two primary areas as they relate to encryption. The first is whether the maximum throughput decreases substantially when encryption is used, and the second is whether a consistent throughput can be maintained when encryption is enabled. Typically, the trade-off between performance and price is debated from a software-based versus hardware-based encryption perspective.
