Design: Basic questions to ask before embarking on a VPN
- How many users are at each site?
- What are the bandwidth requirements for each needed connection?
- Does the connection need to be permanent or on-demand (dial-up)?
- How much traffic will the site generate? Are there times when traffic is higher than others?
- What are the service-level requirements?
- Are there any problems existing in your company that will be solved by the implementation of a VPN?
- Why is a VPN better than the next competing alternative?
- Should the VPN be outsourced or built in-house?
Design (continued): Besides the internet there are three other important pieces for a VPN:
- Security gateways: provide security against unauthorized access to the information on the inside. They include routers, firewalls, and VPN hardware and/or software.
- Security policy servers: contain the access-information list that dictates what and who is allowed or disallowed access to the resources.
- Certificate authorities: for key verification. This could be a database, for example. An outsourced one is the best option.
Implementation Options:
- VPN appliances:
  - Integrated appliances: come embedded in routers or firewalls. Reduced costs.
  - Standalone: concentrators, which have to be bought on their own.
- VPN servers: come as software running on an operating system (OS). Consider the hassle of managing the operating system and the network itself.
- Managed service: outsourcing, e.g. AT&T, WorldCom, etc.
Security requirements to transfer data via VPN:
- Integrity
- Tamper-resistance
- Protection from duplication by unauthorized parties
- Confidentiality: from source to destination.
Security: Protocols. These requirements are met through tunnelling protocols, as described here:
- PPTP: uses the Point-to-Point Protocol (PPP). PPP packets are encapsulated using a modified version of the GRE (Generic Routing Encapsulation) protocol, which allows other protocols, e.g. IPX and NetBEUI, to be carried by PPTP.
- L2F: works by encapsulating PPP packets within IP packets.
- L2TP: combines the best of both PPTP and L2F.
Security: Protocols. IPsec: originally developed to plug the security inadequacies of IPv4 in the next generation of the IP protocol, IPv6, since IPv4 was developed without consideration of security. IPsec can be used in two modes, tunnel mode and transport mode; this is possible because authentication and encryption can be applied to each packet separately. In transport mode, the transport-layer segment is the only part that is authenticated or encrypted. Tunnel mode authenticates or encrypts the entire original packet, providing even more protection against unauthorized access, interception, or attack.
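As an added illustration of the two modes (modelling code written for this page, not code from the slides), the Python below builds ESP packets in transport mode and in tunnel mode and shows what an observer on the path can read in each case. The ESP layout (SPI and sequence number in the header, pad length and next header in the trailer, an ICV covering header, encrypted payload and trailer) follows RFC 4303; the cipher is a placeholder HMAC-SHA256 keystream standing in for a real ESP transform such as AES-GCM, and all keys, addresses and the sample segment are constructed values. It goes one step beyond the slide in showing that ESP's integrity check never covers the new outer header that tunnel mode adds.

```python
"""Model of what IPsec ESP protects in transport mode versus tunnel mode.

Added illustration, not code from the original slides. The ESP layout follows
RFC 4303; the cipher is an HMAC-SHA256 counter keystream used only as a
placeholder for a real transform. Keys, addresses and the segment are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_IPV4, PROTO_TCP, PROTO_ESP = 4, 6, 50
ICV_LEN = 16  # truncated HMAC, as ESP integrity algorithms commonly do

# Constructed sample keys; a real security association gets these from IKE.
ENC_KEY = bytes(range(32))
AUTH_KEY = bytes(range(32, 64))
SAMPLE_SEGMENT = b"GET /payroll HTTP/1.0\r\nHost: intranet\r\n\r\n"  # constructed


def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def keystream_xor(key, nonce, data):
    """Placeholder stream cipher: XOR with an HMAC-SHA256 counter keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(spi, seq, plaintext, next_header, enc_key, auth_key):
    """Wrap plaintext in ESP: header | encrypted(plaintext + trailer) | ICV."""
    esp_hdr = struct.pack("!II", spi, seq)            # SPI, sequence number
    trailer = struct.pack("!BB", 0, next_header)      # pad length, next header
    encrypted = keystream_xor(enc_key, esp_hdr, plaintext + trailer)
    icv = hmac.new(auth_key, esp_hdr + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + encrypted + icv


def esp_unprotect(esp, enc_key, auth_key):
    """Check the ICV first, then decrypt; returns (next_header, plaintext)."""
    esp_hdr, encrypted, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: protected bytes were modified")
    plain = keystream_xor(enc_key, esp_hdr, encrypted)
    return plain[-1], plain[:-2]


def transport_mode(src, dst, segment, keys, spi, seq):
    """Only the transport segment is protected; the hosts' own IP header stays in the clear."""
    esp = esp_protect(spi, seq, segment, PROTO_TCP, *keys)
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, keys, spi, seq):
    """The whole original packet, header included, goes behind a new gateway-to-gateway header."""
    esp = esp_protect(spi, seq, inner_packet, PROTO_IPV4, *keys)
    return ip_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def unprotect(packet, keys):
    """Strip the outer header and ESP; returns (outer_header, next_header, plaintext)."""
    return (packet[:20],) + esp_unprotect(packet[20:], *keys)


def cleartext_addresses(packet):
    """Source and destination an on-path observer reads from the unencrypted outer header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def is_intact(packet, keys):
    """True if the ESP ICV still verifies for this packet."""
    try:
        unprotect(packet, keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    keys = (ENC_KEY, AUTH_KEY)
    inner = ip_header("10.1.1.5", "10.2.2.7", PROTO_TCP, len(SAMPLE_SEGMENT)) + SAMPLE_SEGMENT
    t = transport_mode("10.1.1.5", "10.2.2.7", SAMPLE_SEGMENT, keys, 0x1001, 1)
    u = tunnel_mode("203.0.113.1", "198.51.100.1", inner, keys, 0x1002, 1)
    print("transport mode, visible addresses:", cleartext_addresses(t))
    print("tunnel mode, visible addresses:   ", cleartext_addresses(u))
```

Run as a script, the transport-mode packet still exposes the two hosts' addresses while the tunnel-mode packet exposes only the gateways. Flipping a byte inside the encrypted region makes `is_intact` return False in either mode, but changing the outer header's TTL does not, because ESP leaves that header unauthenticated; that is the gap AH (or a protected outer path) is meant to close.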