IPSec (Internet Protocol Security)
IPSec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate from the transport layer up (OSI layers 4 - 7). This makes IPSec more flexible, as it can be used for protecting layer 4 protocols, including both TCP and UDP, the most commonly used transport layer protocols. IPSec has an advantage over SSL and other methods that operate at higher layers: an application doesn't need to be designed to use IPSec, whereas the ability to use SSL or another higher-layer protocol must be incorporated into the design of an application.
IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
PPTP (Point-to-point tunneling protocol)
PPTP works by sending a regular PPP session to the peer with the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session. PPTP is difficult to forward past a network firewall because it requires two network sessions. As a result, some firewalls cannot pass this traffic cleanly, and the connection fails. This rarely happens in Windows or Mac OS, though.
SSL VPN through Citrix
The protocol was developed by a vendor consortium formed by Microsoft, Ascend Communications (today part of Lucent/Alcatel), 3COM, and others, as described by the RFC document.
L2TP (Layer 2 Tunneling Protocol)
L2TP acts like a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). L2TP is in fact a layer 5 (session layer) protocol, and uses the registered UDP port 1701. The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec.
The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel, while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP.
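The tunnel and session separation described above is carried in the L2TP header itself. As an added example (not from the original page), this Python parser reads the L2TPv2 header layout of RFC 2661 from a UDP payload and returns the tunnel ID, session ID and payload; the function, class and sample datagrams are constructed for illustration. The payload comes back readable as-is, which is why L2TP is paired with IPsec.

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701  # registered port named in the text

@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    payload: bytes

def parse_l2tp(datagram: bytes) -> L2TPMessage:
    """Parse one L2TPv2 message (RFC 2661 header layout) from a UDP payload."""
    pos = 0

    def u16() -> int:
        nonlocal pos
        if pos + 2 > len(datagram):
            raise ValueError("truncated L2TP header")
        (value,) = struct.unpack_from("!H", datagram, pos)
        pos += 2
        return value

    flags = u16()
    is_control = bool(flags & 0x8000)   # T bit: control vs. data message
    has_len = bool(flags & 0x4000)      # L bit: Length field present
    has_seq = bool(flags & 0x0800)      # S bit: Ns/Nr present
    has_off = bool(flags & 0x0200)      # O bit: Offset Size present
    if flags & 0x000F != 2:
        raise ValueError("not L2TP version 2")
    if is_control and (not has_len or not has_seq or has_off):
        raise ValueError("control message must set L and S and clear O")
    end = u16() if has_len else len(datagram)
    tunnel_id, session_id = u16(), u16()
    ns, nr = (u16(), u16()) if has_seq else (None, None)
    if has_off:
        pad = u16()
        pos += pad                      # skip the offset padding
    if not pos <= end <= len(datagram):
        raise ValueError("Length field inconsistent with datagram size")
    return L2TPMessage(is_control, tunnel_id, session_id, ns, nr, datagram[pos:end])

# Constructed sample datagrams: two PPP sessions in tunnel 7, then a control ZLB.
DATA_S1 = struct.pack("!HHHH", 0x4002, 20, 7, 1) + b"\xff\x03\x00\x21hello-s1"
DATA_S2 = struct.pack("!HHHH", 0x4002, 20, 7, 2) + b"\xff\x03\x00\x21hello-s2"
CONTROL_ZLB = struct.pack("!HHHHHH", 0xC802, 12, 7, 0, 0, 0)
```

Both data messages share tunnel ID 7 and differ only in session ID, which is the field a receiver uses to keep the sessions apart.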
Cisco PIX 501
The Cisco PIX 501 is a compact, ready-to-use security appliance that delivers enterprise-class security for small offices and enterprise teleworker environments.
The PIX 501 includes an integrated 4-port Fast Ethernet (10/100) switch and a Fast Ethernet (10/100) interface. Ideal for securing high-speed broadband environments, the Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput.
Cyberoam
Cyberoam, a division of Elitecore, is a leading innovator of identity-based Unified Threat Management appliances offering a comprehensive range of security features, including identity-based firewall, VPN, gateway antivirus, gateway anti-spam, intrusion prevention system, content filtering, as well as bandwidth management and multiple link management - all over a single platform. Cyberoam offers robust Internet security to corporations, educational institutions and government organizations worldwide.
Fortigate
The FortiGate includes a four-port switch, dual DMZ interfaces, and dual WAN ports for redundant Internet connectivity. It's loaded with options, including a DHCP server that can be configured on a per-interface basis, virtual domain support, granular routing, firewall scheduling, antivirus, antispam, and intrusion prevention.