Creating the VPN


There are five ways to create a VPN:

  • Between desktops
  • Between routers
  • Between firewalls
  • Between VPN-specific boxes
  • With integrated boxes

Although such a setup is not normally considered a VPN, one can certainly use desktop PCs to encrypt data and send it across the Internet securely. Additionally, software is available that runs on a desktop and can create a VPN to a firewall or to a stand-alone VPN device. Most VPN equipment vendors offer corresponding software that runs on a laptop or desktop in order to provide a secure path to the home office over the Internet. Most of the discussion that follows therefore concerns creating a VPN between business locations, branch offices, and road warriors.

Encryption
The first basic rule is that the more secure a system is, the less convenient it is to use and the greater its negative impact on overall system performance. The strength of an encryption mechanism depends on the complexity of the calculation and the length of the key. The most popular mechanism for which hardware is readily available is the Data Encryption Standard (DES), developed by IBM and now standardized. The basic key is 54 bits long. Triple DES involves simply running the algorithm with a 112-bit key. The question here is, as always, how secure do you need to be? The more security required, the larger the key used (or the more times the algorithm is run with different keys), and all of this takes time to encode and to decode.
Much has been made lately of the fact that, by using thousands of computers, a DES-encoded message could be broken in 39 days. Keep in mind that this is for one key: if we change keys, it would take the crackers and hackers another 39 days. Are they (hackers and competitors) motivated to do this? The method mentioned used a brute-force attack, guessing keys one after another, so changing keys often means that the attackers must start all over again. The other encryption standard (not widely supported) is the International Data Encryption Algorithm (IDEA), which uses 128-bit keys.
The second basic rule is that encryption performed in hardware is much faster than in software.

Key Handling
A very important part (some say the most important) of an encryption system is the mechanism used to distribute keys. Here again, security is the inverse of convenience. True, keys can be sent in a multiply-encrypted file. They can also be sent by snail mail or given over the telephone (not very secure). The problem with this private-key system is that both communicating parties must have the same key. If all locations are talking to the home office, either they all must have the same key, or the central office must keep a separate key for each location. This key management nightmare can be handled in two ways. We could use the X.509 digital certificate system for key management. The other alternative is to use a public key system to encrypt the private key so that it can easily be exchanged.
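As an added example (not code from the original article), the following Python script shows the second alternative above in working form, with Diffie-Hellman key agreement standing in for the unspecified public key system: the home office hub and each branch site exchange public values over the untrusted network and each derives the same fresh symmetric key, so no key is ever mailed, read over the telephone, or stored long-term at the hub for every location. It also illustrates the rekeying point from the Encryption section, since every new exchange produces an unrelated key. Assumptions: the 2048-bit MODP group parameters are transcribed from RFC 3526 (group 14) and should be checked against the RFC before any real use; the key derivation follows HKDF-SHA256 (RFC 5869) built from the standard library; the names Party, establish_session, derive_session_key and hkdf_sha256 belong to this example only.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14 (assumption: transcribed here rather
# than loaded from a library; check the hex against the RFC before real use).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8   # 256 bytes for a 2048-bit modulus


class Party:
    """One end of the tunnel: the home office hub or a branch site."""

    def __init__(self, name):
        self.name = name
        self.private = None

    def new_public_value(self):
        # Fresh ephemeral exponent for every exchange; 256 bits is ample for
        # this group and far cheaper than a full-size exponent.
        self.private = secrets.randbits(256) | (1 << 255)
        return pow(G, self.private, P)

    def shared_secret(self, peer_public):
        # Refuse degenerate values (0, 1, p-1, or out of range) that would let
        # a peer force a predictable secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, P)


def hkdf_sha256(ikm, salt, info, length):
    """HKDF extract-and-expand (RFC 5869) using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(shared_secret, pub_a, pub_b, info, length=32):
    """Turn the raw DH secret into a symmetric tunnel key.

    The salt hashes both public values (sorted, so either side computes the
    same salt); the info string keeps keys for different peers and purposes apart.
    """
    ikm = shared_secret.to_bytes(P_BYTES, "big")
    lo, hi = sorted((pub_a, pub_b))
    salt = hashlib.sha256(lo.to_bytes(P_BYTES, "big") + hi.to_bytes(P_BYTES, "big")).digest()
    return hkdf_sha256(ikm, salt, info, length)


def establish_session(hub, site, context=b"vpn-tunnel-key"):
    """One exchange between the hub and a site; returns both sides' keys.

    Only the two public values cross the network. Each call draws new
    exponents, so rekeying is simply calling this again.
    """
    hub_pub = hub.new_public_value()
    site_pub = site.new_public_value()
    info = context + b"|" + hub.name.encode() + b"|" + site.name.encode()
    k_hub = derive_session_key(hub.shared_secret(site_pub), hub_pub, site_pub, info)
    k_site = derive_session_key(site.shared_secret(hub_pub), hub_pub, site_pub, info)
    return k_hub, k_site


if __name__ == "__main__":
    hub = Party("home-office")
    for site_name in ("branch-a", "branch-b", "road-warrior"):
        k_hub, k_site = establish_session(hub, Party(site_name))
        assert k_hub == k_site
        print(f"{site_name:13s} session key {k_hub.hex()[:16]}...")
```

The exchange as written is unauthenticated: both sides must know that the public value they received really came from the other end, which in a VPN is what the X.509 certificates mentioned above (or a pre-shared secret) are used for; without that, a party sitting in the path can run a separate exchange with each side. The range check in shared_secret rejects the trivial public values that would otherwise force a predictable key, and deriving the key through HKDF rather than using the raw DH output directly gives a uniformly random key of exactly the length the cipher needs.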


