IES Consultants
   
Networking - VPN, Firewalls and Gateways

VPN

What is a VPN?

"Tunnel your way to secure communication"

If you're a network or systems administrator, you've probably implemented some form of a VPN. As its name suggests, a VPN is a virtual private network connection over a public-access network, such as the Internet. VPNs were once exotic forms of dial-up connections that laptop users employed to connect to the corporate LAN. Today, VPNs take many forms—from a Windows NT RAS server's built-in PPTP connections to a full policy-based IP Security (IPSec) and Internet Key Exchange (IKE) scenario—and are attaining a significance that has Windows 2000 and NT server administrators and network managers devoting unprecedented amounts of time and money to VPN planning, implementation, and management.

A VPN has three primary goals. First, a VPN strives for privacy. Communicating parties want to make sure that no one else can read or see their communication. VPN products typically use encryption to address privacy. Second, a VPN offers integrity—a guarantee that the data arrives exactly as the sender intended (i.e., no one tampered with the message in transit). VPN products typically use an agreed-upon public-key private-key pair to address integrity. The third VPN goal is authenticity—a confirmation that the sender and receiver are who they say they are. VPN products typically employ digital certificates to address authenticity.

Because a VPN connection occurs over a nonsecure network medium, you must implement security measures. A VPN connection usually takes the form of a standard TCP/IP connection with an IP packet wrapped around the original packet. An encrypted payload inside this encapsulated packet is difficult to tamper with. This secure encapsulation is often called a tunnel. A server, called a gateway, on the corporate LAN acts as the tunnel coordinator and endpoint. Remote laptops or machines, called clients, typically run some form of VPN client software that monitors the tunneling with the gateway.

IES have many years' experience in designing and implementing VPNs using both PPTP and IPSec security systems.

Contact us now to discuss your VPN requirements!

 

Firewalls & Routers

Types of Firewalls, routers etc.


Firewalls fall into four broad categories:

  1. Packet filters
  2. Circuit level gateways
  3. Application level gateways
  4. Stateful multilayer inspection firewalls

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router.

A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and the protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer, however, and does not support sophisticated rule-based models.

Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.

Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
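The handshake monitoring described above, as an added example that is not part of the original page: a session table that admits a segment only if it belongs to a TCP three-way handshake the gateway has watched complete. The class, the endpoint strings and the trace are constructed; teardown is simplified and there are no timeouts.

```python
class HandshakeTracker:
    """Session table keyed by (client, server) endpoint pair."""

    def __init__(self):
        self.sessions = {}   # pair -> "SYN_SENT" | "SYN_RCVD" | "ESTABLISHED"

    def inspect(self, src, dst, flags):
        """Return 'allow' or 'block' for one segment; flags is a set of TCP flag names."""
        flags = frozenset(flags)
        fwd, rev = (src, dst), (dst, src)
        if flags == {"SYN"}:
            # New or retransmitted open; a bare SYN on an advanced session is blocked.
            if rev in self.sessions or self.sessions.get(fwd, "SYN_SENT") != "SYN_SENT":
                return "block"
            self.sessions[fwd] = "SYN_SENT"
            return "allow"
        if flags == {"SYN", "ACK"}:
            if self.sessions.get(rev) != "SYN_SENT":
                return "block"           # answer to a SYN the gateway never saw
            self.sessions[rev] = "SYN_RCVD"
            return "allow"
        if flags == {"ACK"} and self.sessions.get(fwd) == "SYN_RCVD":
            self.sessions[fwd] = "ESTABLISHED"
            return "allow"
        key = fwd if fwd in self.sessions else rev
        state = self.sessions.get(key)
        if "RST" in flags and state is not None:
            del self.sessions[key]       # reset ends a tracked session at any stage
            return "allow"
        if state != "ESTABLISHED":
            return "block"               # no completed handshake for this pair
        if "FIN" in flags:
            del self.sessions[key]       # simplified: forget the session at the first FIN
        return "allow"

def replay(trace):
    """Run a list of (src, dst, flags) segments through a fresh tracker."""
    tracker = HandshakeTracker()
    return [tracker.inspect(*segment) for segment in trace]

# Constructed trace: one legitimate session, then two unsolicited segments, then a reset.
C, S, X, D = "192.0.2.10:51000", "198.51.100.7:443", "203.0.113.5:80", "192.0.2.11:40000"
TRACE = [(C, S, {"SYN"}), (S, C, {"SYN", "ACK"}), (C, S, {"ACK"}), (S, C, {"PSH", "ACK"}),
         (X, D, {"SYN", "ACK"}), (X, D, {"ACK"}), (S, C, {"RST"}), (S, C, {"PSH", "ACK"})]
```

The verdicts depend on session state rather than on packet contents, which matches the point above that a circuit level gateway does not filter individual packets.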

Application level gateways, also called proxies, are similar to circuit level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, Gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET. This cannot be accomplished with either packet filtering firewalls or circuit level gateways, neither of which knows anything about application level information.

Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer.

Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer.

Whatever your firewall and router needs, IES have been supplying cost-effective network device solutions and consultancy for many years and will happily discuss your current and future requirements.