Viop phone - Voice Over IP

Although we’re presenting some typical numbers here, you should run the numbers using your own particular configuration. The most beneficial comparisons of a VPN occur when compared to a dedicated, line−based network or one that makes extensive use of long distance dial−up lines. If you are already using a shared network (Frame Relay or ATM), the cost savings are not so striking. Consider that a VPN box at each location might cost $5,000 including installation; multiplied by seven sites is equal to $35,000. Now, how long will it take to save this cost if you substitute your ISP charges for each location and subtract the cost of your existing T1 or Frame Relay network? If you had six T1s at $5,000/month, you might now have seven T1 access lines from your ISP at $3,000 or $4,000/month. The $7,000/month savings will pay off the $35,000 investment in 5 months. If your Frame Relay service is costing $1,000/month per location, the break−even point doesn’t happen in any reasonable period. Using remote access server and dial−up lines is cheaper to install, costing about $6,000 to $7,000 for about 20 users to install at the central location. Now comes the big bite, which is the long distance charge from all the remote locations. This could easily grow to $5,000/month if each of the users spent two hours online. Each working day at $0.10/minute is about $8,000/month. Plug in your own assumptions as to duration and cost of telephone calls here. (Even at 1 hr/day and
$0.06/minute, that is $2,000/month for 20 users). A VPN system might cost $14,000 to install, including licenses for PC software at each location. The ISP charges that are $20/user/month, plus an ISDN line at the home shop for $100/month, means that we are saving $1,500 in monthly charges. We can pay off the system in 10 months. Again, do not assume that it will pay off in all cases. But, in all cases, it is worth the effort to perform the calculations. viop Your VPN will definitely require more network management than a dial−up system, so the cost of perhaps an additional system administrator may have to be added.

Proprietary Protocols
Most VPN products are designed strictly around IP. They will often handle other protocols, such as AppleTalk and IPX, by tunneling them inside of IP packets. This introduces both overhead and delay. If the amount of “foreign” protocol traffic is small, then this is not significant. If the bulk of your network is IPX or Apple talk, we recommend you investigate VPN vendors who will support these protocols in native mode.

VoIP VPN
The justification for doing VoIP on a VPN is primarily security, along with the reduced cost of VoIP. Depending on usage, voice generates relatively large amounts of traffic. Be sure to include this additional traffic in your sizing estimates. Our discussion of VoIP applies to whether we have a VPN or not. With a VPN, the delays due to encryption are larger, and therefore we would expect that the performance of voice over the VPN would be worse than VoIP. If we have chosen a network provider who will offer a SLA with QoS, there is a better chance for success, but the delays due to encryption and basic packet switching will still be there. With the exception of international calling, one must have a very large calling volume to make it worthwhile to put voice over the Internet and suffer the attendant quality
reduction.

Summary

VPNs can provide a cost−effective solution to have secure communications across the Internet. Performance can be improved by utilizing a national/international ISP that will offer SLAs and QoS. Choosing hardware−based over software−based VPN equipment will generally provide better performance. Choosing VPN vendors who embrace standards and support multiple standards increases your flexibility to your vendor/equipment choices. Knowing your current and anticipated traffic volumes permits you to make improved cost performance studies.

read comments (0)

The layman’s version (don’t try this at home because it won’t work as described here) is that each of us thinks up a couple of prime numbers (the bigger the better). One number we keep for ourselves and the other number we publish on our web site along with the product of the two prime numbers as our public key. Anyone wanting to send us something will use the public key to encrypt it with the public key, and only we can decrypt the message with our private key. We can authenticate the source if the sender used his private key to encrypt his signature because only his public key will decrypt his signature.

This system is secure because of the tremendous amount of processing power it takes to factor large prime numbers. (For example, if we could factor the product, we could determine the private key.) Unfortunately, performing the encryption and decryption are also processor intensive (slow). But it sure solves the key distribution problem. Therefore, we could use public key cryptography to
encrypt and distribute the keys to all our VPN boxes.
Authentication
Authentication is the process of verifying that this is the party to whom I am speaking, and that they have authorized access. There are several ways of doing this; however, the most common way is to provide an authentication server that passes out authenticated certificates based on something the user has or knows. User Level Authentication The user has or knows his/her account code (name) and password. User names are public, and passwords can be compromised. A more secure system is to use a type of secure ID card. These credit card sized devices are based on an internal clock that generates a different pseudo random code every minute. The authentication server is time synchronized with the card and therefore generates the same number at the same time. When the user calls in, he/she must enter his/her account code and the code from the card as the password. The IP has embedded in it a set of layer 2 protocols called the Point−to−Point Protocol (PPP). In PPP, the basic security methods used are Password Authentication Procedure (PAP) and the
Challenge Handshake Authentication Protocol (CHAP). PAP and CHAP do little for security. In fact, PAP and CHAP are part of the basic PPP protocol suite and fall short in providing a true security procedure. These schemes do not address issues of ironclad authentication and integrity, oreavesdropping. The PAP and CHAP are rudimentary procedures used to log on to a network, but
hackers and crackers easily defeat both.

Tunnel Protocol (L2TP) is another variation of an IP encapsulation protocol as shown in Figure 4−6. An L2TP tunnel is created by encapsulating an L2TP frame inside a UDP packet, which in turn is encapsulated inside an IP packet, whose source and destination addresses define the tunnel’s ends. Because the outer encapsulating protocol is IP, clearly IPSec protocols can be applied to this composite IP packet, thus protecting the data that flows within the L2TP tunnel. Authentication Header (AH), Encapsulated Security Payload (ESP), and Internet Security Association and Key Management Protocol (ISAKMP) can all be applied in a straightforward way.

L2TPs are an excellent way of providing cost−effective remote access, multiprotocol transport, and remote LAN access. It does not provide cryptographic robust security. L2TP should, therefore, be used in conjunction with IPSec for providing secure remote access. L2TP supports both host−created and ISP−created tunnels. A remote host that implements L2TP should use IPSec to protect any protocol that can be carried within a PPP packet. Integrated at the VPN point of access, user authentication establishes the identity of the person using the VPN node, and this is because an encrypted session is established between the two locations. The user authentication mechanism enables the authorized user of the VPN system access to the system, while preventing the attacker from accessing the system. Some of the common user authentication schemes are

• Operating system username/password
• S/Key (one time) password
• Remote Authentication Dial−In User Service (RADIUS)
• Strong two−factor token−based scheme

The strongest user authentication schemes available on the market are two−factor authentication schemes. These require two elements to verify a user’s identity: a physical element in their possession (a hardware electronic token), and a code that is memorized (a PIN). Some cutting−edge solutions are beginning to use biometrics mechanisms such as fingerprints, voiceprints, and retinal scans. However, these are still relatively unproven. When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms. Currently, there are VPN viop solutions that provide only one form of authentication.
Because of this, VPN solution providers that only support one of the two authentication mechanisms will typically refer to authentication generically, without qualification of whether they support data authentication, user authentication, or both. A complete VPN solution will support both data authentication (also known as the digital signature process or data integrity) as well as user authentication (the process of verifying VPN user identity).

Packet Level Authentication The IPSec standard provides for packet level authentication to prevent man−in−the−middle attacks. (This is where someone intercepts your packets and substitutes his/her own.) IPSec is a layer 3 protocol that enhances the use of the layer 2 underlying checksum is calculated and encrypted with the data. If the checksum calculated by the recipient doesn’t match the one sent by the originator, someone has tampered with the data. The IPSec standard specifies two different algorithms for doing this MD−5 and SHA−1. If your vendor’s equipment supports both algorithms, it improves the chances for intervendor compatibility. The other alternative is to simply not use packet level authentication. In order to guarantee authenticity of the packets, a digital signature is required to authenticate the devices to one another. IPSec has included the X.509 digital certificate standard. Essentially, the X.509 certificate server keeps a list of certificates for each user. When you want to receive data from another device, you first ask for the certificate from the certificate server. The sender stamps all data with that certificate. Because this process is secure, you may be sure that these packets are
authentic. Your vendor then ideally supports both authentication algorithms and X.509. In any case, it is essential that someone in your organization understands in detail how each vendor supports the various levels of security that you intend to use. These authentication and encryption systems all have to work together flawlessly. If the vendors you choose stick to the standards, it improves the chances of, but does not guarantee, an integrated working environment.

IPSec offers a variety of advantages. Chief among those are

• IPSec is widely supported by the industry including Cisco, Microsoft, Nortel Networks, and so on.
• This universal presence ensures interoperability and availability of secure solutions for all types of end users. In addition, all IPSec−compliant products from different vendors are required to be compatible.
• IPSec provides for transparent security, irrespective of the applica−tions used.
• IPSec is not limited to operating system−specific solutions. It will be ubiquitous with IP. It will also be a mandatory part of the forthcoming Internet Protocol Version 6 (IPv6) standard.
• IPSec offers a variety of strong encryption standards. The key design decision to support an open architecture allows for easy adaptability of newer, stronger cryptographic algorithms.
• IPSec includes a secure key−management solution with digital certificate support. IPSec guarantees the ease of management and use. This reduces deployment costs in large−scale corporate networks

IPSec used in conjunction with L2TP provides secure remote−access client−to−server communication. L2TP alone cannot provide for a totally secure communication channel due to its failure to provide per packet integrity, inability to encrypt the user datagram, and the limited security coverage only at the ends of the established tunnel. The major drawback to packet−filtering techniques is that they require access to clear text, both in packet headers and in the packet payloads.
There are two major drafts in IPSec: AH and ESP. They are defined as follows:

• AH is used to provide connectionless integrity and data origin authentication for an entire IP datagram (hereafter referred to as authentication).
• ESP provides authentication and encryption for IP datagrams with the encryption algorithm determined by the user. In ESP authentication, the actual message digest is now inserted at the end of the packet (whereas in AH the digest is inside the authentication).

AH provides data integrity only and ESP, formerly encryption only, now provides both encryption and data integrity. The difference between AH data integrity and ESP data integrity is the scope of the data being authenticated. AH authenticates the entire packet, while ESP doesn’t authenticate the outer IP header. In ESP authentication, the actual message digest is now inserted at the end of the packet, whereas in AH the digest is inside the authentication header. The IPSec standard dictates that prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes (gateways or clients). The SA contains all the information required for execution of various network security services such as the IP layer services (header authentication and payload encapsulation), transport or application layer services, and self−protection of negotiation traffic. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm, and authentication mechanism. One of the major benefits of the IPSec efforts is that the standardized packet structure and security association within the IPSec standard will facilitate third−party VPN solutions that interoperate at the data transmission level. However, it does not provide an automatic mechanism to exchange the encryption and data authentication keys needed to establish the encrypted session, which introduces the second major benefit of the IPSec standard: key management infrastructure or Public Key Infrastructure (PKI).
The IPSec working group is in the development and adoption stages of a standardized key management mechanism that enables safe and secure negotiation, distribution, and storage of encryption and authentication keys. A standardized packet structure and key management mechanism will facilitate fully interoperable third−party VPN solutions. Other VPN technologies that are being proposed or implemented as alternatives to the IPSec standard are not true IP security standards at all. Instead, they are encapsulation protocols that tunnel higher level protocols into a link layer protocols. When encryption is applied, some or all of the information needed by the packet filters may no longer be available.

read comments (0)