Layer 3 VPNs
The dominant emerging form of VPN is the network constructed across a
shared IP backbone, called an IP VPN.
Because the Internet is the largest and most widely accessible of the public
networks, this is where the greatest research and development is aimed. The
early Layer 3 VPN implementations were provided by private companies that
developed security implementations on top of the published TCP/IP and Internet
standards. Cisco encryption technology (CET) was an early Cisco proprietary
Layer 3 VPN technology.
The biggest drawback to these early efforts was the lack of
interoperability between different manufacturers. While a strong case can be
made for a single vendor end-to-end solution, the reality is this:
all-too-common business mergers and acquisitions often mean companies are forced
to merge different vendor VPN strategies and technologies.
A second issue is that not all vendors make products for all
implementations within the network. For example, a vendor might have a strong
VPN line for connecting branch locations and could even have client software for
individual remote users, but it might lack a solution for small multiuser
connections using cable modems or DSL service.
IPSec as an Emerging Leader
IP Security (IPSec) is a standards-based suite of protocols
developed by the Internet Engineering Task Force (IETF) to provide secure
exchange of packets at the IP layer (Layer 3). IPSec is rapidly becoming the
most widely deployed VPN implementation. Cisco has adopted IPSec for its VPN
products.
The single biggest problem with using the Internet—or any TCP/IP
network—for private communication is the lack of security. The underlying
protocols simply weren’t designed with security as a high priority. While it’s
easy to place blame using hindsight, a fair analysis would recognize that not
only was the technology brand new, but also that no one involved could have
visualized the masses from every corner of the Earth individually accessing the
resulting network.
The evolution of the World Wide Web as a more or less unregulated
playground for every interest and activity has led to a growing number of
miscreants bent on causing problems. Add to this the technologically incompetent
and those who see the Internet as a tool for political and religious warfare,
and you can understand why the neighborhood has become an unfriendly place.
The security concerns in using the Internet for conducting private
communications can fall into the following categories:
- Loss of privacy
- Loss of data integrity
- Identity spoofing
- Denial-of-service
The ultimate goal in developing an IPSec standard is to
address these threats without the need for expensive host hardware or
application modifications and changes.
IPSec and the Future
Remember, IPSec is a new and still-evolving pool of
standards and protocols. The IETF working group for IPSec has dozens of draft
proposals they’re working on to extend the capabilities and interoperability of
IPSec with other common network technologies, such as NAT/Firewall traversal and
MIB standards.
The mandate is for IPSec to be in IP Version 6 when it’s finally
implemented. Once this occurs, we’ll all be using IPSec in its latest form. For
more information on the IPSec working group and its current activities go to the
following site: http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html.
Note: While this book is current at press time, probably no other
features warrant constant monitoring of Cisco documentation and releases
covering IOS and device upgrades more than IPSec and VPNs. Each new release
seems to bring expanded support for technologies like wireless, firewalls, and
even basic IPSec protocols supported.