I intend for this to be the first of a number of articles explaining VPN technologies. The articles that follow will discuss Virtual Private Networks in more depth. VPNs have become increasingly popular because of the flexibility they offer and the cost of dedicated site-to-site circuits. The demand for unified communications and mobility means that companies must ensure their networks support inter-site communication while keeping costs reasonable. VPN technology lets us transmit data over a public network (the internet) while protecting it from being read or modified along the way.
Many different vendors produce appliances that terminate VPN tunnels, and it is because of this that VPNs must conform to open standards for interoperability. The IPsec protocol suite was developed to secure data transfer between two points and can provide encryption, integrity, data origin authentication and anti-replay protection.
IPsec works at layer 3 (the network layer) of the OSI stack, so it protects traffic independently of any encryption the application itself performs; applications need not be aware of it. As this article is intended as a guide, please remember that it is a brief overview of IPsec.
Among other components covered in later articles, IPsec uses two protocols to provide these services, each offering different security properties. They are:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
AH is used when the data being sent and received is not deemed confidential and therefore does not need to be encrypted. AH offers connectionless integrity and data origin authentication, and optionally provides an anti-replay service based on sequence numbers: the sender always increments the sequence number in every packet, but whether the receiver actually performs anti-replay checking on it is the receiver's choice. AH provides authentication by inserting a header carrying an Integrity Check Value (ICV), a keyed hash (typically an HMAC) computed over the packet, including the fields of the IP header that do not change in transit. Because the outer IP addresses are covered by the ICV, AH does not survive NAT, which is one reason it is rarely deployed today.
ESP provides data origin authentication, integrity and confidentiality, the last of which is the reason ESP is far more popular than AH. ESP uses an encryption algorithm to scramble the payload so that only the receiver holding the key can unscramble it at the other end. This means that as well as ensuring you are talking to the right peer and that the data has not been modified, you can be confident that anyone sniffing traffic along the path cannot read what was sent. Two caveats are worth knowing. First, ESP's integrity check covers the ESP header and payload but not the outer IP header, which is why ESP, unlike AH, can be carried through NAT. Second, although the specification makes ESP's integrity service optional, encryption without integrity protection is insecure and should not be used, so a real deployment always pairs the cipher with a MAC or uses a combined mode such as AES-GCM. ESP can use different encryption algorithms to provide confidentiality – more on this in later articles.
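As an added illustration of the integrity and anti-replay services described for AH and ESP above (this is example code written for this page, not code from the original article or from any IPsec implementation), here is a small Python model of a receiver that verifies a keyed-hash ICV and enforces a sliding anti-replay window in the style of the algorithm in the AH and ESP specifications. The packet layout (4-byte sequence number, payload, 12-byte truncated HMAC-SHA-256) and the shared key are constructed for the example and are not the real AH or ESP wire format; in IPsec the key would come from the key-exchange protocol.

```python
"""Receiver-side model of IPsec-style integrity checking and anti-replay.

Added example, not from the original article. The packet format below
(seq || payload || ICV) is a simplified stand-in for AH/ESP, chosen so the
example runs with the standard library only.
"""
import hashlib
import hmac
import struct

KEY = bytes(range(32))   # constructed demo key; real keys come from IKE
ICV_LEN = 12             # HMAC-SHA-256-96: MAC truncated to 96 bits
WINDOW_SIZE = 64         # number of sequence numbers tracked by the receiver


def build_packet(seq, payload, key=KEY):
    """Sender side: 4-byte big-endian sequence number, payload, then the ICV
    computed over everything that precedes it."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class ReplayWindow:
    """Sliding window: `top` is the highest sequence number accepted so far,
    bit i of `bitmap` records whether top - i has already been seen."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        """True if seq is new and inside the window; does not update state."""
        if seq == 0:                     # the first packet on an SA is seq 1
            return False
        if seq > self.top:               # to the right of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:            # left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Mark seq as seen, sliding the window right if needed."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    def __init__(self, key=KEY, anti_replay=True):
        self.key = key
        self.anti_replay = anti_replay   # receiver may opt out, as the article notes
        self.window = ReplayWindow()

    def receive(self, packet):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(packet) < 4 + ICV_LEN:
            return "malformed", None
        header, payload, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", header)[0]
        # Cheap replay check first, so replays are dropped before doing the MAC...
        if self.anti_replay and not self.window.check(seq):
            return "replay", None
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time compare
            return "bad_icv", None
        # ...but the window only moves after the ICV verifies, so a forged packet
        # with a huge sequence number cannot push genuine traffic out of the window.
        if self.anti_replay:
            self.window.update(seq)
        return "ok", payload


def demo():
    """Run a short constructed packet sequence and return the status of each."""
    rx = Receiver()
    p1, p2, p3 = (build_packet(n, b"hello") for n in (1, 2, 3))
    tampered = bytearray(p3)
    tampered[4] ^= 0x01                                   # flip one payload bit
    forged = build_packet(1000, b"x", key=b"wrong-key")   # attacker without the key
    return [
        rx.receive(p1)[0],               # ok
        rx.receive(p2)[0],               # ok
        rx.receive(p1)[0],               # replay: seq 1 already seen
        rx.receive(bytes(tampered))[0],  # bad_icv: payload modified
        rx.receive(forged)[0],           # bad_icv: window must not advance
        rx.receive(p3)[0],               # ok: genuine seq 3 still accepted
    ]


if __name__ == "__main__":
    print(demo())
```

The ordering in `receive` is the one the specifications recommend: the sequence-number check is cheap and weeds out replays before the MAC is computed, but the window is only advanced once the ICV has verified, so an attacker who cannot forge the ICV also cannot use a large bogus sequence number to make the receiver discard legitimate packets.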
Well, that is a very brief overview of IPsec VPNs. My next article will discuss the process of a VPN being established, used and then torn down, and the articles from there on will discuss individual areas of an IPsec VPN. Once I have bored you all to tears with IPsec I'll do a few articles about GRE tunnels.
Stay tuned, and please remember before commenting that this is a brief overview and I'll focus on the other areas as the series progresses.
Ian
