INTEL BOOK 1/19/0 9:11 AM Page 1

T H E T E C H N O L O G Y G U I D E S E R I E S™
visit www.techguide.com ™

Designing and Implementing a

Virtual Private Network (VPN)

This Guide has been sponsored by

INTEL BOOK 1/19/0 8:56 AM Page 2

Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Choices for Remote Access . . . . . . . . . . . . . . . . . . . . . . . 2
Today: Data over Voice (DoV) Remote Access . . . . . . . . . 2
Tomorrow: Data over Data (DoD) Remote Access . . . . . . 4
Driving Forces for Change . . . . . . . . . . . . . . . . . . . . . . . . 5
Remote Access Choices . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Steps to Implementing VPN . . . . . . . . . . . . . . . . . . . . . 10
Determine the Number of Ports . . . . . . . . . . . . . . . . . . . 10
Classify Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Evaluate User Locations . . . . . . . . . . . . . . . . . . . . . . . . . 12
Assess Data Security Requirements . . . . . . . . . . . . . . . . . 12
Making Hybrid DoV/DoD Work. . . . . . . . . . . . . . . . . . 14
Integrating VPN with Dial-up . . . . . . . . . . . . . . . . . . . . 14
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
CASE STUDY: The Nature Conservancy. . . . . . . . . . . 18
The Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
The Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
The Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
About the Nature Conservancy. . . . . . . . . . . . . . . . . . . . 22
Glossary of Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

About the Editor…

Jerry Ryan is a principal at ATG and the Editor-in-Chief of techguide.com. He is the
author of numerous technology papers on various aspects of networking. Mr. Ryan has
developed and taught many courses in network analysis and design for carriers, govern-
ment agencies and private industry. He has provided consulting support in the area of
WAN and LAN network design, negotiation with carriers for contract pricing and services,
technology acquisition, customized software development for network administration,
billing and auditing of telecommunication expenses, project management, and RFP gen-
eration. Mr. Ryan has been a member of the Networld+Interop Program Committee
and the ComNet steering Committee. He holds a B.S. degree in electrical engineering.

The Guide format and main text of this Guide are the property of The Applied
Technologies Group, Inc. and is made available upon these terms and conditions. The
Applied Technologies Group reserves all rights herein. Reproduction in whole or in part
of the main text is only permitted with the written consent of The Applied Technologies
Group. The main text shall be treated at all times as a proprietary document for internal
use only. The main text may not be duplicated in any way, except in the form of brief
excerpts or quotations for the purpose of review. In addition, the information contained
herein may not be duplicated in other books, databases or any other medium. Making
copies of this Guide, or any portion for any purpose other than your own, is a violation
of United States Copyright Laws. The information contained in this Guide is believed to
be reliable but cannot be guaranteed to be complete or correct. Any case studies or
glossaries contained in this Guide or any Guide are excluded from this copyright.
Copyright © 1999 by The Applied Technologies Group, Inc. One Apple Hill,
Suite 216, Natick, MA 01760, Tel: (508) 651-1155, Fax: (508) 651-1171
E-mail: info@ techguide.com Web Site: http://www.techguide.com
INTEL BOOK 1/19/0 8:56 AM Page 2

Introduction company’s remote access server. The speed of the data

connection varies anywhere from 4.8Kbps to 56Kbps
depending on the modems used and the quality of the
Today, remote access to information is a strategic voice circuit.
corporate necessity. Remote access:
• arms employees with up-to-date information,
Local Inter Local
enabling them to make timely, informed decisions; Remote Exchange Exchange Exchange
Site Carrier Carrier Carrier Corporation
• extends the workplace beyond the office walls (LEC) (IXC) (LEC) T1= 24 calls
E1= 31 calls
allowing employees to be fully productive at home Telephone Voice
Network
and on the road;
Access
Local Local PBX
Switch
• provides an edge in recruiting employees looking Laptop
Voice Voice
Switch Switch
with
for flexible work styles such as telecommuting and Modem
LAN
job sharing; and,
• establishes a competitive advantage by creating Figure 1: Data Over Voice
closer links with customers, suppliers, and employees.

Two complementary technologies can help IS Cost Structure

managers maximize their remote access capabilities
while minimizing the underlying costs: Dial-up remote
access via the telephone network and Virtual Private
Network-based remote access via the Internet. The
combination of these two technologies provides optimal
cost, performance, and reliability.
Choices for Remote Access
Today: Data over Voice (DoV) Remote
Access
Today’s remote access systems use the existing
voice infrastructure, as illustrated in Figure 1. Here, a
remote computer user dials into a corporate location
through the telephone network (Data over Voice). A
dedicated voice circuit then carries the data transmis-
sion from the computer’s modem to a modem in the
Regulations or “tariffs” set forth by agencies such
as the Federal Communications Commission (FCC)
drive the economics of this approach. Charges are typ-
ically based on connection time and distance between
call termination points, not volume of data transmit-
ted. These charges vary widely throughout the world
and represent the bulk of remote access costs.
It is worth noting that connection time charges
vary depending on the distance between the remote
user and the corporate network. In the US, for instance,
local calls may be included in a toll-free zone, but the
cost of a long distance call depends upon the service
provider’s rate. The geographic spread of remote
access users is a key factor in determining the cost
of the service and the economics of VPN. This is
discussed in more detail in the section entitled Steps
to Implementing VPN, Evaluate User Locations.

2 • Designing and Implementing a Virtual Private Network Technology Guide • 3

INTEL BOOK 1/19/0 8:56 AM Page 4

“Last Mile” Cost Structure

The “last mile” refers to the connection between a The cost structure for DoD services will be different
location and the Wide Area Network (WAN), either the than that for DoV services. Instead of voice tariffs
telephone network or the Internet. The remote user’s based on distance and time, charges will depend on the
last mile connection through an analog phone line— performance and reliability of the connection or on
usually the weakest link in the end-to-end circuit— the amount of information transferred. Thus, while in
limits the available data bandwidth. At the corporate today’s environment, applications are optimized to
site, the call terminates via high performance digital limit connection times, future remote access applications
connections (e.g., T1, E1, and ISDN). These last mile will be optimized to limit amount of information trans-
connections can carry from 24 to 36 high quality, ferred between the remote user and the central site.
64Kbps circuits. However, they are quite expensive and
each remote access session requires a dedicated circuit “Last Mile”
for the duration of the connection. DoV remote access is limited to the use of the tele-
phone network; DoD remote access takes advantage of
any last mile technology that provides connectivity to
Tomorrow: Data over Data (DoD) the Internet. Technologies such as Integrated Service
Remote Access Digital Network (ISDN), Cable Modem, Digital
Tomorrow’s remote access systems will use the Subscriber Line (DSL) and even high speed wireless
Internet, as illustrated in Figure 2. Here, a remote services already offer anywhere from 128Kbps to more
user connects to the Internet (a data network) through than 10Mbps access at low, fixed-rate prices. VPN lets
an Internet Service Provider (ISP). Software on the companies harness the power of these high speed
remote computer creates a secure, virtual circuit or Internet access technologies for DoD remote access
tunnel to the company’s Virtual Private Network applications.
gateway.
Driving Forces for Change
Local
LEC Enterprise
Loop There are three main forces behind the trend
Voice IXC toward DoD networks:
Network
Telephone
Telephone
PBX • The economics of shared, data transport,
DSL
IP • The flexibility and scale of public networks, and
Laptop Data Network
Network
LEC Access
Gateway
• The need for ubiquitous, broadband access.
Concentrator

Data Transport
Figure 2: The Future Data Dial Tone Network DoD remote access delivers more efficient use of
available bandwidth. For example, in the US, a circuit-
based or “channelized” T1 used for voice connections
has a maximum capacity of (24) 64Kbps channels or

4 • Designing and Implementing a Virtual Private Network Technology Guide • 5

INTEL BOOK 1/19/0 8:56 AM Page 6
1.5Mbps. Since conventional DoV remote access
requires a dedicated channel for each connection, a T1
can accommodate 24 simultaneous user sessions. Each
user gets a 64Kbps slice of bandwidth whether they
use it or not.
A packet-based or “clear-channel” T1 used to
deliver data connections has almost no limit to the
number of virtual circuits it can support. This allows
the same 1.5Mbps pipe to carry a higher number of
user sessions. The magnitude of this increment depends
on the type and volume of traffic. If there are many
idle or low volume users, then a T1 could support up
to and perhaps more than 200 sessions.
Consider, for example, a classic pattern of remote
e-mail usage:
1) log in,
2) check e-mail,
3) send urgent replies, then
4) log off.
This sequence of steps generates a low volume
of traffic. For example, while a user is reading e-mail
or composing new messages, no data crosses the link.
Data only passes across the link while the user is
actually sending or receiving mail. A DoD connection
could, therefore, support a very high number of e-mail
users.
In contrast, running streaming applications such
as video or audio over the connection generates a high
volume of data traffic. In this case, a clear channel T1
will handle a much smaller number of sessions, though
more than the 24 sessions supported by a channelized
T1.
Shared Resources
A DoD remote access network allows many users
to share network resources including WAN devices, last
6 • Designing and Implementing a Virtual Private Network
mile connections and backbone infrastructure. This
sharing reduces the cost of equipment (per port costs
drop), last mile connections (one pipe can support many
users and applications) and long distance transport
(as the cost of the DoD service decreases relative to
DoV, service providers can pass these savings on to
their customers).
Higher Bandwidth
The DoD remote access network delivers higher
bandwidth all the way to the network end-points.
Performance of 56K modem technology over DoV
networks is determined by the length and quality of
the analog connection and the number of analog-to-
digital conversions that take place along the circuit.
While 56K modem technology works well over high
quality, local connections (delivering anywhere from
48Kbps to 56Kbps of actual throughput), it degrades
quickly over lower quality, long distance connections
(delivering from 4.8Kbps-28Kbps over international
circuits).
With DoD networks, every WAN connection is a
local connection supporting optimal performance of
56K modem technology. Furthermore, DoD networks
are not limited to access through modems. New high-
speed technologies such as DSL and Cable deliver
from 384Kbps to more than 10Mbps connections to
the Internet. A DoD network provides many last mile
options for the networking professional.
Remote Access Choices
The basic architecture for all remote access networks
is a connection from a remote or branch site through
a network to a central or other branch site. This basic
architecture may include two different remote access
implementations: dial-up over the telephone network
(DoV) and VPN over the Internet (DoD).
Technology Guide • 7
INTEL BOOK 1/19/0 8:56 AM Page 8
The difference between dial-up and VPN is the
data transmission medium. Dial-up involves direct
telephone network connections into the head office or
central site. As such, the cost of a dial-up connection is
dependent on the distance between the user and the
corporate office.
On the other hand, VPN uses the Internet to
establish a virtual circuit or tunnel that connects one
location to another. Internet costs are distance insensi-
tive and usually based on some type of flat-rate tariff.
In most cases, the optimal choice for remote access
is a combination of both Dial-up and VPN to best
serve the unique needs of each user, while minimizing
the cost to the corporation.
Direct Dial
In a direct dial scenario, a remote user dials from
a modem in their laptop through the PSTN, and the
call terminates in a corporate LAN-based modem in
an access server. Direct dial allows the IS Manager to
optimize the connections to the PSTN according to
users’ needs. With this solution, the connection depends
entirely on the voice network.
Virtual Private Networking
A VPN-based remote access connection begins
with a data connection to an Internet Service Provider
Point of Presence. This is typically a data-over-voice
call, but may also be achieved using cable modem,
DSL or wireless technology. From there, the data flows
through a VPN session over the Internet (or other IP
network) and ends at the corporate network gateway.
All of the data that traverses the Internet is encrypted
and authenticated providing the necessary security.
The differences between direct dial and VPN are
illustrated in Figure 3.
In essence, with a VPN connection, the Internet
becomes an extended private network. Compared to
8 • Designing and Implementing a Virtual Private Network
direct dial solutions, VPNs can reduce the long-distance
phone charges associated with remote LAN access, and
potentially eliminate them if remote users can access
the public IP network with a toll-free call.
Access
Equipment
Modem
Direct
LAN
Dial PSTN
Laptop
USER
Modem
WAN
WAN
LAN
VPN IP
PSTN Network
Laptop
Figure 3: VPN Versus Direct Dial Differences
Since Internet network access charges are typically
flat rates and are distance insensitive, the optimal solu-
tion (based on networking costs) will depend on the
geographical location of users.
Optimized Remote Access Solutions
VPNs and direct dial are not mutually exclusive.
In fact, a combination of the two technologies usually
provides the most cost-effective solution.
Leveraging the advantages of dial-up with the
lower costs of VPNs can create the best solution. While
a VPN is most effective for long-distance applications,
dial-up is an effective means for local access or backup.
To facilitate the implementation of an optimal solution,
Intel provides integrated management platforms and
authentication tools that let managers reduce the total
cost of ownership of the combined solution.
To achieve an optimal return on remote access
investment, an IS manager must review data and usage
patterns, and match this information to the appropriate
remote access solution. This section examines the
evaluation process.
Technology Guide • 9
INTEL BOOK 1/19/0 8:56 AM Page 10

Steps to Implementing VPN Classify Users

Remote users can be segmented into the following
classifications:
Determine the Number of Ports
• Mobile workers/business travelers are the classic
A reasonable starting point for corporations imple- road warriors who need access to the corporate
menting dial-up remote access is to provide one port for network and the Internet while traveling.
every ten users. The connection speed for direct dial
users will be determined by the modem technology • Telecommuters work one or more full days a week
used at either end of the communication connection from home. These workers are also more likely to
(typically 28.8 Kbps, 33.6 Kbps or 56 Kbps). have a higher bandwidth connection such as
For VPN solutions, it is also important to deter- ISDN or Cable Modem.
mine the number of simultaneous sessions or virtual • Day Extenders work from home for short periods
ports required. Again, a 10:1 user-to-port ratio is a of time, such as evenings or weekends, in addition
good starting point. Once the number of virtual ports to their main activity at the work site.
has been determined, the bandwidth per simultaneous
• Branch Offices are small remote offices that
session can be determined by dividing the total through-
require access to a central site or to each other.
put of the VPN server and WAN connection by the
number of ports. This will be the average available
A remote user may fall into different classifications
bandwidth per VPN tunnel. In practice, users get more
at different times:
bandwidth since even though a user may have a session
established, they may not be sending data through the • A home worker who picks up e-mail in the
virtual connection (as described above). This “idle” evenings or weekends,
bandwidth will be available for other users. Therefore, • A mobile worker who travels, or
in practice, the actual bandwidth per connection is like-
• An employee who telecommutes for a number of
ly to be two to five times greater than the average
days, perhaps while on sick leave.
bandwidth calculated depending on the type of traffic.
Figure 4 illustrates a typical distribution of user
types based on a 1996 survey by Merrill Lynch of 100
Average Throughput
US-based LAN Managers and MIS directors.
12Mbps Total Throughput of VPN
24Kbps =
500 Number of Ports

10 • Designing and Implementing a Virtual Private Network Technology Guide • 11

INTEL BOOK 1/19/0 8:56 AM Page 12
Branch
Offices
13%
Home Workers Telecommuters
13%
42%
Mobile
Workers
Business 16%
Travelers
16%
Figure 4: Typical Users of Remote Access
Evaluate User Locations
When planning a DoV and DoD remote access
network, it is important to understand how the geo-
graphical spread of users affects costs. In either case,
users must dial to a point of presence (POP): a corpo-
rate site for dial-up or an ISP POP for a VPN.
Depending on the country and the relevant regulations,
the distance to the POP determines the per-minute
cost which, when multiplied by the length of access
time, determines the total cost. Even when a POP is
within a free local calling plan, some proportion of
users may be outside the free zone.
The U.S. rate for dialed long distance calls is quite
competitive and can be anywhere from $0.05 to $0.25
per minute depending on the carrier, but relatively
distance insensitive. The U.S. rate for local calls is in
many instances free. Remote users and locations that
are outside the “free” zone, can use VPN to eliminate
the long distance charges by dialing a local service
provider POP within their free zone.
Assess Data Security Requirements
A key deployment decision is the degree of security
required. There are a number of security parameters
that should be considered:
12 • Designing and Implementing a Virtual Private Network
Authentication. Is the data really from the stated
source? Is the source a valid user for this corporate net-
work? This is an important issue with all remote access.
With VPN, traffic arrives from the Internet; it is there-
fore especially important to authenticate the user when
establishing the connection. Administrators can choose
from a variety of authentication techniques including
user names and passwords, secure tokens, and digital
certificates. User names and passwords have the advan-
tage that they are relatively simple and widely deployed
today. Both VPN solutions and dial-up solutions can
easily be integrated with RADIUS, NT Domains, and
Novell Directory Service user name and password
schemes. Secure tokens provide enhanced security over
traditional user name and password schemes since they
rely on a random password and hence are not suscepti-
ble to password guessing attacks. Digital Certificates
are becoming the de facto standard for authentication
and provide stronger authentication than either user-
name/passwords or secure tokens and greater reliability.
Administrators should balance the need for enhanced
security with the ease of integration provided by previ-
ously deployed authentication technologies. However,
it is recommended that the same user list and authen-
tication technique be used for both dial-up and VPN
services to avoid security problems associated with
administrative errors due to overly complex authentica-
tion schemes.
Integrity. Has anyone tampered with or changed the
data? The data session could have been altered as it
passed through the network. VPN solutions use crypto-
graphic techniques to verify that the data has not been
altered in transit.
Privacy. Does the data need to be kept confidential?
Some data must be concealed from the view of others.
This is a more important issue with VPN than direct
dial as the data passes through a public and (from the
corporation’s point of view) uncontrolled network.
Privacy is provided by encryption.
Technology Guide • 13
INTEL BOOK 1/19/0 8:56 AM Page 14

with encryption is usually not an issue. A typical laptop

Making Hybrid DoV/DoD Work
Integrating VPN with Dial-up
Optimizing Your Remote Access Solution
To optimize a remote access solution, the IS
manager usually must consider integrating VPN
connectivity with dial-up access. VPN and dial-up
each have their own strengths and weaknesses.
Cost. As the example in the following section shows,
the major cost in a dial-up solution is the time and dis-
tance-based charge to use the telephone system. VPN
can greatly reduce long distance charges. However, if
most of your users are local to the corporate POP, long
distance cost savings will not apply. Therefore, when
designing a remote access network, the geographic
location of your users will determine the optimum
solution. In most cases, this will be a combination of
dial-up and VPN.
Performance. The components limiting performance
in a dial-up connection are the last mile infrastructure
and the technology used at the remote site, e.g.,
33.6Kbps modem over an analog voice circuit.
The components limiting performance in a VPN
solution include the last mile technology used at the
remote site (e.g., 28.8Kbps, 33.6Kbps, or 56Kbps
modems, 64K ISDN, or cable modem), Internet
performance, and encryption overhead. VPN allows
companies to take advantage of faster access technolo-
gies such as cable modems increasing the speed avail-
able to users. Internet performance is optimized by
selecting a single service provider that offers the
minimum number of router hops between POPs and
can process the most secure encryption algorithms at
more than 2Mbps meaning that encrypted throughput
is not the gating factor.
Implementation. Setting up a VPN at a central location
generally involves less hardware than a direct-dial solu-
tion. A VPN server can, for example, be added behind
the firewall on the corporation’s existing Internet con-
nection. Intel provides an integrated dial-up and VPN
management platform allowing administrators to
deploy a solution using a single-user list with a single-
security policy across both the dial-up and VPN. In
addition, accounting information detailing connection
times for direct dial and VPN tunnels are also fully inte-
grated allowing seamless integration with existing
accounting and charge back mechanisms.
Comparing Costs: An Example
How does the IS manager determine the right
remote access solution? Only a detailed assessment of
current needs and viable options can result in the most
flexible and cost-effective solution. The example below
illustrates a hypothetical company and an optimized
remote access solution.
Company X has 900 employees. The nature of the
company demands that a large number of staff (70%)
be enabled for remote access. The following table sug-
gests a typical split of work patterns and geographical
spread:
Table 1. User and Usage Patterns
Number of Average Local Long
User Type Users hours/week Use Distance
Home Workers 315 2 5% 15%

high-capacity fiber backbone. By using a single service Travelers 95 2 2% 98%

provider, traffic does not pass through the major Telecommuters 113 8 82% 18%
Internet exchange points and traffic takes the shortest
possible path to your network. The overhead associated

14 • Designing and Implementing a Virtual Private Network Technology Guide • 15

INTEL BOOK 1/19/0 8:56 AM Page 16

Extrapolating these patterns of usage gives a total
remote access time per month of almost 8,000 hours.
However, the critical measure is the split of local to
long distance minutes:
TABLE 2: Company X Weekly Remote Access
The hybrid solution uses VPN for long distance and
direct dial for local calls. This increases hardware costs
but reduces the ISP bill. In addition to the cost benefit,
this approach allows the use of direct dial for mission
critical applications, or as a backup to Internet problems.

Percentage of remote access

Local users 74% Summary
Long distance users 26%

Remote access to corporate data resources has

Company X has a user port ratio of 10:1. It feeds T1 become a staple of modern business. Telecommuters,
lines into an access concentrator and uses an 800 service road warriors and remote offices count on timely access
to reduce long distance call charges. Amortizing the to mission critical information in order maintain com-
capital costs over 36 months and allowing for mainte- petitive advantage in the marketplace.
nance and help desk costs, the remote access costs are: This increased use of remote access has driven
demand for higher capacity connections from end-users
and increased IS costs, primarily in the form of long
TABLE 3: Company X Access Costs with/without VPN distance telephone charges.
A combination of dial-up networking and Virtual
COST/MONTH ($)
Private Networking allows IS managers to satisfy the
All Dial-up All VPN Hybrid increased demand for remote access services while
Item (DoV) (DoD) DoV/DoD
reducing costs. Dial-up networking provides the optimal
Monthly hardware costs 875 438 615 local access solution; VPN provides the best solution
(Capital amortized over 36 mos.)
for long distance. VPN also allows network administra-
Monthly maintenance 263 131 184
(Technology protection and
tors to take advantage of new access technologies such
support plan costs for hardware) as Cable and DSL. Furthermore, the combined VPN
Monthly central telco costs 2,231 669 1,511
and dial-up solution is more robust than either is alone,
(T1 lines) each serving as a back-up for the other in the case of
Monthly long distance costs 10,765 0 0 over-flow traffic or network failure.
(800 number) Intel has a remote access solution that provides the
Monthly personnel costs 16,667 16,667 16,667 best of both worlds: dial-up remote access for local
(Help desk etc) connections and VPN for long distance connections.
Monthly ISP costs (Staff accounts 0 15,750 4,007 Both using the same management and security infra-
with local ISPs, $30/account) structure to reduce the overall cost of ownership and
Total direct dial remote $30,801 $33,655 $22,984 mitigate security issues attributed to administrative
access cost errors.

16 • Designing and Implementing a Virtual Private Network Technology Guide • 17

INTEL BOOK 1/19/0 8:56 AM Page 18
CASE STUDY:
The Nature Conservancy
“VPN enables us to get complete, cost-effective,
secure connectivity for all of our staff.” Doug Barker,
Vice President and Chief Information Officer of The
Nature Conservancy
The Company
A virtual private network is helping The Nature
Conservancy save the world’s Last Great Places.
The Nature Conservancy, the world’s largest
conservation organization, protects plant and animal
species by conserving the lands and waters they need
to survive. The organization owns and manages more
than 1,400 preserves — the largest network of private
nature sanctuaries in the world. Since 1951, the Conser-
vancy has protected more than 11 million acres of
ecologically significant land in the U.S. and helped
protect another 60 million internationally.
The Challenge
The very nature of the Conservancy’s on-the-
ground conservation mission takes it to some far-flung,
remote places. As a result, its staff of 2,700 works out
of more than 300 offices in all 50 states as well as
throughout Latin America, the Caribbean, Canada,
Asia and the Pacific.
“One of our biggest challenges was to get these
remote staff members connected into the network,”
said Doug Barker, Vice President and Chief Information
Officer for The Conservancy.
“About half of our staff work in very remote
places that do not have local area networks or have
prohibitively high costs of connectivity to our Wide
18 • Designing and Implementing a Virtual Private Network
Area Network,” Barker said. “Where they’re at is
necessitated by the work we do. We’re working to save
the world’s Last Great Places. If you look at where the
last great places on the planet are, they’re not concen-
trated in big metropolitan areas.”
The Conservancy’s ambitious conservation agenda
into the next millennium calls for a dramatic increase
in its work with local communities. Working with
community partners, the organization will conduct
hundreds of large-scale conservation projects to stem
the tide of species extinction and preserve a high quali-
ty of life for future generations. To succeed, the group
knows that it must overcome the barriers to communi-
cation and information-sharing among a widely
dispersed network of conservation professionals, as
well as partners across the land.
Because the organization devotes 88 percent of its
resources to on-the-ground conservation, the non-profit
group had limited start-up funds to invest in full-time
connections via a Frame Relay network. Fifty-eight of
its worldwide offices were provided connections, leaving
250 offices and about 1,000 staffers relying on expensive
dial-up connectivity to access corporate resources such
as e-mail, the intranet, and mission critical systems.
For leadership in this area, the Conservancy
turned to Intel’s WAN Systems Operation, formerly
known as Shiva Corporation. “We’d done our home-
work on VPN technology. Their VPN solution could
meet the Conservancy’s challenge of providing remote,
traveling, international, and telecommuting staff with
affordable, secure, and reliable connectivity to our
internal network resources — all while reducing our
existing and future WAN costs,” says Barker.
The Solution
Thanks to a gift from Intel, The Nature Conser-
vancy received three of Intel’s LanRover™ VPN
Gateway Pluses, Shiva® VPN Client software for
Case Study • 19
INTEL BOOK 1/19/0 8:56 AM Page 20
1,000 users, Shiva® Access Manager management soft-
ware, Shiva® Accountant software, and service and
training on these new products. In other words, the
organization received a complete VPN solution.
“VPN enables us to get complete, cost effective,
secure connectivity for all of our staff,” Barker said.
The organization still maintains its Frame Relay
network with major Frame hubs connecting the regional
offices in Massachusetts, New York, Colorado, Florida,
North Carolina, Minnesota, California and Hawaii.
This network connects 58 offices fulltime at a through-
put of 256k between hub locations and 64k between
the others.
In the first phase of the project, The Nature Conser-
vancy is connecting its remote staff to the network via
VPN. In the past, remote staff were never connected to
the network or they were connected to the network
part-time via a direct dial, remote access solution
which usually required a long distance phone call.
In the second phase of the project, the organization
plans to implement a LAN-to LAN VPN connection
for smaller offices with Peer-to-Peer LANs where full-
time Frame connection would be cost prohibitive. In
the third phase, the Conservancy will upgrade Frame
Relay lines with VPN connections where appropriate,
according to Barker. They plan to look at the entire
Frame network and address the high-cost connections
as well as the low-bandwidth connections first. The
VPN solution opens up new options for connecting
staff, including DSL, cable modems and ISDN.
“The savings are in orders of magnitude,” Barker
said. “The wonderful thing about VPNs is we’re not
talking about 10, 20 or 30 percent savings. We’re talk-
ing about hundreds of thousands of dollars in savings.”
20 • Designing and Implementing a Virtual Private Network
The Benefits
Full connectivity
Today, 450 of The Nature Conservancy’s remote
employees are connected to the network via dial-up
VPN. When the project is complete, more than 1,000
employees will use VPN to access the network.
“The VPN solution enables us to achieve
complete connectivity, both very cost effectively and
securely,’’ Barker said.
Cost savings of up to $480 per month, per
employee
Before the VPN, remote workers and traveling
staffers gained access to the computer network by
dialing into a remote access server or a remote access
concentrator.
“In some cases we had individuals with phone bills
as high as $500 a month or more,” Barker said.
Today, workers dial into a local Internet Service
Provider and gain access to the corporate network via
VPN. This costs $20 to $30 per month per employee, a
savings of between $470 and $480 per employee per
month, Barker said.
Outstanding security
One of the Conservancy’s major concerns is keep-
ing confidential information confidential. Its systems
store highly sensitive corporate assets on the amount
and exact location of rare and endangered species, as
well as information on more than one million Conser-
vancy members, and other sensitive financial information.
“The encryption features of the Shiva solution
give us a strong level of confidence in our security,”
Barker said.
Case Study • 21
INTEL BOOK 1/19/0 8:56 AM Page 22

Quick, easy access to information The Conservancy is engaged in a major initiative

“In a highly distributed organization, it’s important
for people to feel that they’re part of the whole,”
Barker said.
One way to make them feel like part of the
organization is to give them quick and easy access to
each other, common resources and tools via corporate
network services such as e-mail, the organization’s
intranet, and other key applications.
to dramatically advance local conservation in the
context of global information. Technology is the key to
this effort, empowering multi-local work by providing a
common ground for collaboration, information exchange
and the sharing of best practices and knowledge.
For more information call 1-800-628-6860, or visit
the Conservancy’s web site at www.tnc.org.

Ease of use and management

Through Intel’s Shiva® Access Manager, network
management software, the information systems staff
can manage the VPN products and users from a
central location. In addition, the VPN client software
is very easy to install and to use.
“End users are able to install this and get going
on their own,” Barker said. “Importantly, this is not
something that requires the expense and effort of IT
professionals going out and visiting our distributed
staff.”

About the Nature Conservancy

The Nature Conservancy is the world’s largest
conservation organization working to protect plants,
animals, and natural communities by conserving the
lands and waters they need to survive. The Conservancy
maintains an on-the-ground presence unparalleled by
any other conservation organization. It has program-
matic chapters in all 50 states, and works internationally
with like-minded conservation partners. Increasingly, its
presence is growing in communities near high-priority
conservation sites. These smaller offices of one and two
staff members — who interact daily with community
leaders and are concerned about the ecological,
economic and cultural health of a place — represent
a trend for the future.

22 • Designing and Implementing a Virtual Private Network Case Study • 23

INTEL BOOK 1/19/0 8:56 AM Page 24
Glossary of Terms
10BaseT—A type of cable used for LAN connections.
Also known as Unshielded Twisted Pair.
Accounting Record—A record that contains call
accounting information. Network administrators can
use accounting records to track calls and to bill clients.
Generally used with the RADIUS protocol.
ACK—Positive acknowledgement signal confirming
receipt of data packet.
Application-Programmer Interface (API)—
This term is used in a general sense to mean a detailed
software interface. Included in an API would be routine
declarations, data structures, tasking structure, etc., and
detailed documentation describing each item.
Asymmetric Key (or “Public Key”)—Refers to
cryptographic systems that use a key to encrypt (private
key) and a second but related key to decrypt (public
key). Similarly these systems are used to sign (private)
and verify (public) a message.
Authentication Header (AH)—A security measure
in IPSec, used to authenticate packets, ensuring data
integrity and authenticity.
Authentication Header/Encapsulating Security
Payload (AH/ESP)—Two standards for IP security
from the IP Security Working Group of the IETF.
Auto-disconnect—A feature which automatically
releases the connection between a client and a remote
access server when a set period of time has elapsed and
the unit has not been used. Auto-disconnect can be
controlled through the client or management software,
depending on the products involved.
24 • Designing and Implementing a Virtual Private Network
Backbone Network—A high-capacity central net-
work that connects a number of networks, usually of
lower capacity.
Bindery—A database that stores a server configuration
that includes users, passwords, and groups on a
NetWare server.
Black—In the context of information security, any
information which has been cryptographically secured,
or any region of hardware or software which is respon-
sible for handling secured data. Black has the opposite
meaning (trusted network) in the context of firewall
security.
Black Network—The network portion that is not
secured by encryption. (The untrusted network.)
Block Cipher Encryption—System which works on
blocks of data. DES is a block cipher which works on
8-byte blocks at a time.
Bridge—A device that connects two network segments
which use the same communications protocol: Bridges
operate at the datalink layer (layer 2) of the OSI model.
When two LANs are successfully bridged together, they
can filter transmitted data to contain local traffic so that
the rest of the network is not involved. This boosts net-
work performance and is useful for security purposes.
Broadcast Address—The address used to send pack-
ets to all devices on the network (to broadcast).
Brute-Force Attack—Typically an attack that uses no
insight into the cryptosystem. Usually accomplished by
searching entire keyspace in order to discover a crypto-
graphic key.
Call Interface—The interface where a remote access
device can make or receive calls. It consists of the
UART ports and the WAN interface.
Glossary • 25
INTEL BOOK 1/19/0 8:56 AM Page 26
Callback—Allows a device user to request a return
call from a remote site. Bills are calculated on one line,
which can mean discounted tariffs. Also used as a secu-
rity feature. Also called dial-back.
Certificate—A package of information, digitally
signed by a trusted authority (usually referred to as a
CA or Notary) which binds a public key to an owner.
The package usually consists of an identifier field, a
public key field, serial number (of the certificate) activa-
tion and expiry date as well as a signature field. CCITT
X.509 defines a standard format for these certificates
(in ASN.1).
Certificate Authority (CA)—A trusted entity that
has the capability of creating and revoking public key
certificates for users and network elements.
Challenge-Handshake Authentication Protocol
(CHAP)—Part of the PPP suite, an authentication pro-
tocol that provides additional network security so that a
remote access device can authenticate users. It is more
secure than PAP because it uses a cryptographic hand-
shake to transmit and receive password information.
Chosen Plaintext Attack Situation—Where an
attacker can select plain-text to be encrypted and
observe the output. The encryption is broken when the
attacker can derive the key from some number of
input-output pairs.
Cipher-Block Chaining (CBC)—Refers to a mode
built around DES (or any symmetric algorithm). This
mode uses the algorithm in its purest form with plain-
text being encrypted directly by the key. This adds a
chained Initialization Vector to eliminate the problems
Electronic Codebook (ECB)
Cipher-Feedback (CFB)—Refers to a mode built
around DES (or any symmetric algorithm). This feeds
the cipher data back into an initialization vector to
26 • Designing and Implementing a Virtual Private Network
assure different outputs for identical inputs. This mode
also offers a mechanism of self-synchronization for data
loss.
Circuit—A logical or physical connection between two
points on a WAN, between one router and another, or
between a router and a remote access server. There are
many properties associated with circuits, which can vary
with the type of connection required, but which would
typically include phone numbers, authentication details,
bandwidth-on-demand, compression, encryption, and
the types of protocol that can be carried over the cir-
cuit.
Clear channel—A channel that places no restrictions
on the type of data or data patterns that it can carry.
Client—A computer that requests services from a server.
Compressed Serial Link Internet Protocol
(CSLIP)—A method for compressing the headers of
TCP/IP datagrams, to improve performance over low
speed serial links.
Compression—By eliminating redundancies, data
compression increases the amount of data that can be
carried across WAN connections in a given time.
StacLZS compression can improve ISDN performance
by as much as 400%.
Customer Premises Equipment (CPE )—A
general term for communications equipment at the
customers’ site.
Cyclic Redundancy Check (CRC)—A CRC error
means that the contents of the packet do not match
the checksum received. This shows that the packet is
damaged.
Data Carrier Detect (DCD)—Hardware signal
defined by the RS-232-C specification that indicates
that a device (such as a modem) is on-line and ready for
transmission.
Glossary • 27
INTEL BOOK 1/19/0 8:56 AM Page 28
Data Circuit-terminating Equipment (DCE)—
The signal-conversion device which translates a digital
signal from data terminal equipment (DTE) into a form
acceptable to the particular communications medium.
A modem is an example of DCE. Also called data
communications equipment.
Data Encryption Standard (DES)—A method of
encrypting and decrypting data by using a secret 56-bit
key. A symmetric key cryptographic system that has
been standardized by NIST.
Data Link Connection Identifier (DLCI)—Value
that specifies a Permanent Virtual Connection (PVC) or
a Switched Virtual Connection (SVC) in a Frame Relay
network.
Data Terminal Equipment (DTE)—Equipment
at the user end of a user/network interface, which con-
nects to a data network via DCE devices. DTE includes
both terminal and computer ports which use the RS-
232 interface standard to communicate with DCE.
Data Transfer Speed—The rate of data transmission
across the network, measured in bits per second (bps).
De-militarized Zone (DMZ)—A network or section
of network between an untrusted and trusted network
that has some degree of security (usually provided by a
packet screen) where application public information
and application relays can be located. The DMZ is part
of the untrusted network.
Decrypt—A process that changes encrypted data into
a readable state. Using a decryption key you can take in
encrypted information and translate it into decrypted
information.
DES (3DES)—An enhancement to DES which uses
three DES keys (168 bits to encrypt, decrypt, then
encrypt) in three successive rounds for added security.
28 • Designing and Implementing a Virtual Private Network
DES (Limited)—The same as 56-bit DES except that
16 key bits are fixed, reducing the effective key space to
40 bits.
DES (Triple)—An enhancement to DES which uses
two DES keys (112 bits to encrypt, decrypt, then
encrypt) in three successive rounds for added security.
Dial out—The process of initiating a call from a net-
worked device, using dial-out client software and a
modem to attach to a remote service.
Dial-in—The process of initiating a call from a device,
using dial-in client software and a modem to attach to a
remote network.
Digesting (or hashing)—Techniques of computing
a strong cryptographic “checksum” of a block of data.
The word “strong” implies that it is not feasible to
create or modify data to result in a specific digest.
Digital Signature Standard/Algorithm
(DSS/DSA)—This is US standard for digital signatures
and competes with RSA.
Dynamic IP Address Allocation—Allows a user to
be assigned an IP address which is dynamically selected
from a list of available addresses. See Dynamic Host
Configuration Protocol (DHCP) and IP Network
Control Protocol (IPCP).
Encapsulation Security Payload (ESP)—A security
measure in IPSec, used to encrypt the payload to
ensure privacy for sensitive data.
Encryption—Transformation of data into unreadable,
meaningless data through a cryptographic transforma-
tion using a key. Decryption is the process of reversing
the unintelligible data into meaningful data using a key.
Encryption Control Protocol (ECP)—Used to
negotiate the use of encryption on PPP links.
Federal Information Processing Standards
(FIPS)—US federal standards body.
Glossary • 29
INTEL BOOK 1/19/0 8:56 AM Page 30
Filtering—Allows the administrator to specify which
types of packets will be allowed access and which will
be rejected.
Firewall—A firmware function which protects an
Intranet (for example, a corporate LAN) from unautho-
rized access over the Internet.
Gateway—A device used to interconnect networks,
subnets, or other network devices. Gateways allow
networks using different communications protocols to
transfer information: Equivalent to a router, a gateway
is an intelligent device used to connect two or more net-
works at the upper protocol layers of the Open Systems
Interconnection (OSI) reference model. The networks
can use different protocols and different physical media.
A gateway has its own processor and memory.
Hashing—See “Digesting.”
Home Gateway (HG)—A device located on a corpo-
rate LAN that accepts authorized user tunnels over the
Internet.
Hop—A measure of distance between networks within
an internet. One hop typically consists of a passage to a
router or a host.
Initialization Vector (IV)—This is used for input or
chaining for all DES modes but Electronic Codebook
(ECB).
Internet—A collection of networks and gateways that
use the TCP/IP protocol suite and function as a single,
co-operative network. When the term “Internet” is cap-
italized, it specifically refers to the world-wide, intercon-
nected group of networks and gateways that use the
TCP/IP suite of protocols to communicate.
Internet—Any interconnected group of networks. An
accepted substitute for the word internetwork. This
should not be confused with Internet.
30 • Designing and Implementing a Virtual Private Network
Internet Protocol (IP)—Part of the TCP/IP suite, a
protocol which provides a connectionless internetwork
service.
Internet Protocol Security (IPSec)—A collection
of IPsecurity measures that define data privacy, integrity,
authentication, key management, and tunneling methods.
This is used to provide a secure VPN over the Internet.
Internet Service Provider (ISP)—A communica-
tions company that provides access to the Internet.
Internetwork Packet Exchange (IPX)—The main
communication protocol within the NetWare environ-
ment. IPX defines a particular method of addressing
used by all NetWare nodes and networks, and it is used
to communicate within and between (routing) NetWare
LANs.
IP Address—A 32-bit address assigned to every host
that wants to use TCP/IP to communicate across an
internet: The address consists of a network and a host
field. IP addresses are written in dotted decimal nota-
tion. For example, 123.45.67.89.
IP Network Control Protocol (IPCP)—Part of the
PPP suite, IPCP controls the use of IP on PPP links,
negotiating, for example, IP addresses and the use of
header compression.
IP Network Mask—A number that describes which
portion of the device’s IP address represents the network
address and which portion of the IP address represents
the host address.
LANs (red/black)—The LanRover VPN Gateway
uses two LANs: one unsecure (red) and one secure
(black). The Red LAN is the portion of the network
that is not secured by encryption, but may be secured
physically. The Black LAN is the portion of the network
that is secured by encryption.
Glossary • 31
INTEL BOOK 1/19/0 8:56 AM Page 32

Layer 2 Forwarding Protocol (L2F)—A VPN Multihoming—Allows a device to use more than one
protocol by which tunnels are established and terminated address on the same physical network.
over the Internet. Alternative to L2TP and PPTP
Name Resolution—When a device is named, the s
tunneling protocols.
ystem determines the appropriate IP address. This is
Layer 2 Tunneling Protocol (L2TP)—A VPN done using a name server and/or a host table file.
protocol by which tunnels are established and terminated
Name Server—A host on the IP network that runs a
over the Internet. Alternative to L2F and PPTP tunnel-
program to translate host names into IP addresses.
ing protocols. L2TP is also designed to operate over a
non-IP environment. Net Mask—An IP address (such as 255.255.0.0) that
specifies how much of the address to reserve for sub-
Link Quality Monitoring (LQM)—Part of the PPP
dividing networks. The mask contains 1s for the bit
suite, one of the methods used by PPP Link Control
positions in the 32-bit address used for the network and
protocol to detect that a link is functioning properly.
subnet parts, and 0s for the host part. The mask should
Link-State Advertisement (LSA)—Broadcast packet contain at least the standard network portion. See IP
used by link-state protocols (such as OSPF) that contains network mask.
information about neighbors and path costs. LSAs are
Network Access Server (NAS)—A RADIUS term
used by the receiving routers to maintain their routing
that refers to the network point of access for remote
tables. Sometimes called a Link-State Packet (LSP).
dial-in users. NAS is the hardware that answers remote
Local Loop—A twisted pair of wires that connects a user calls and routes traffic to the local network. In
telephone company network to a customer site. A copper VPN, NAS tunnels traffic to the HG.
wire local loop must not exceed 18,000 feet (approxi-
Network Address Translation (NAT)—A mecha-
mately 5.5km) when used for an ISDN-BRI line.
nism for reducing the need for globally unique IP
Management Information Base (MIB)—A set of addresses. NAT allows an organization with addresses
defined variables that are accessed through SNMP. that are not globally unique to connect to the Internet
by translating those addresses into globally routable
Message Digesting (MD 2,4,5)—Algorithms used
address space. DIAT and IPX DIAT are forms of NAT.
to guarantee the authenticity of data. (see “Digesting”).
Network Interface Card (NIC)—Board that provides
Modem—An abbreviation of MOdulator-DEModula-
network communication capabilities to and from a
tor. An electronic signal-conversion device used to con-
computer system. Also called an adapter.
vert digital signals from a computer to analog form for
transmission over the telephone network: At the trans- Network Number—Part of an address which identi-
mitting end, a modem working as a modulator converts fies the network that the device belongs to.
the computer’s digital signals into analog signals that can
Node—This can be a host computer, printer, terminal
be transmitted over a telephone line. At the receiving
server, router or another device. On a LAN, nodes are
end, another modem working as a demodulator converts
able to communicate with other network devices.
analog signals back into digital signals and sends them
to the receiving computer.

32 • Designing and Implementing a Virtual Private Network Glossary • 33

INTEL BOOK 1/19/0 8:56 AM Page 34
Nodes (red/black)—Nodes can switch from red to
black and vice versa depending on the type of node. A
PC that contains both Shiva’s encrypting software and
hardware can switch between a red and black node;
however, a Sun Station cannot because it does not work
with Shiva software. A Red Node is a physical terminal
responsible for handling sensitive or unsecured informa-
tion. A black node is a physical terminal responsible for
handling secured information through encryption.
Open Database Connectivity (ODBC)—The
standard for connecting to databases.
Open Datalink Interface (ODI)— Industry standard
interface between Network and Media access layers,
often associated with Novell stacks.
Open Shortest Path First (OSPF)—Part of the
TCP/IP suite, a link-state routing protocol designed for
use over IP networks: Each router maintains an identical
database which describes the topology of the network.
From this database, each router forms a routing table by
constructing a shortest path tree. OSPF is better suited
to large networks than RIP and offers additional features
such as variable-length subnetting support and authen-
tication of protocol exchanges.
Output Feedback (OFB)—Refers to a mode built
around DES (or any symmetric algorithm). This mode
uses the algorithm in its purest form with plaintext
being encrypted directly by the key. This feeds the
output of the DES back into the input to produce a
pseudo-random number stream.
Packet Header—The initial part of a packet, which
contains information such as the address, the packet
type and the packet size.
Password Authentication Protocol (PAP)—Part
of the PPP suite, a protocol that provides additional
network security on PPP links. It enables login IDs and
passwords to be transmitted over the link so that a
34 • Designing and Implementing a Virtual Private Network
remote device can authenticate users. PAP is less secure
than CHAP because it sends the password in plain text
across the link.
Peer-to-peer—Architecture in which connected work-
stations use and provide services such as file sharing.
Peripheral Component Interconnect (PCI)—An
Intel standard for connecting peripherals to a computer.
Technically, PCI is not a bus but a bridge, with buffers
to de-couple the CPU from relatively slow peripherals
and allow them to operate asynchronously.
Permissions—In a multi-user computer environment,
the ability of a specific user to access specific resources.
For example, the system administrator grants permissions,
which are stored in a permissions log.
Point-of-Presence (POP)—A dial-access number for
an Internet Service Provider (ISP) that allows a user to
obtain a general Internet connection by dialing a local
(POP) telephone number.
Point-to-Point Protocol (PPP)—A suite of protocols
that supports multi-vendor interoperation over point-to-
point interfaces of many types, supporting multiple
network layer protocols.
Point-to-Point Tunneling Protocol (PPTP)—
Part of the VPN suite, a protocol by which tunnels are
established and terminated over the Internet. Alternative
to L2F and L2TP tunneling protocols.
PPP Multilink—Part of the PPP suite, a method used
to sequence packets across multiple links—for example,
when using aggregation or augmentation.
Public Switched Telephone Network (PSTN)—
General term referring to the variety of telephone net-
works and services in place worldwide.
Glossary • 35
INTEL BOOK 1/19/0 8:56 AM Page 36
Remote Access Server—A network device that con-
nects to analog or digital telephone lines. It allows users
to dial into and out of a LAN from workstations with
analog modems, external terminal adapters, and inter-
nal ISDN BRI cards or from client routers.
Remote Authentication Dial-In User Service
(RADIUS)—A protocol that allows centralized authen-
tication and configuration of dial-in users, details of
which are stored in a central RADIUS server. RADIUS
also allows centralized logging of accounting information.
Reverse Address Resolution Protocol (RARP)—
Part of the TCP/IP suite, a protocol that provides a
method for finding IP addresses based on Ethernet
addresses.
Remote Client—A client at a remote location, such
as a computer at home, that uses remote access soft-
ware to dial in to a network.
Remote Network—A network at a remote location
that is accessed from a local network.
Rivest, Shamir, Adleman (RSA)—Public-Key tech-
nology based on factoring large numbers. Patents held
by RSA Data Security Inc.
Route—The path that network traffic takes to get from
a source to a destination.
Router—An intelligent connecting device which sends
packets to the correct LAN/WAN segment to take
them to their destination: Routers link LAN/WAN
segments at the network layer of the ISO/OSI model
for communications. The networks connected by
routers can use either similar or different protocols.
Routing Information Base (RIB)—Containing
detailed routing information about local and adjacent
routing areas.
36 • Designing and Implementing a Virtual Private Network
Routing Information Protocol (RIP)—A protocol
in the TCP/IP and IPX suites, RIP allows gateways
and hosts to exchange information about routes to
various networks. Devices use RIP over IP and IPX to
exchange routing information with other routers and to
update the information in the routing table.
Routing Table—A table of information maintained
in each router that lists the next router to which data
should be forwarded, in order to reach each possible
destination network on an internetwork.
Secret—Some security services use a secret to encrypt
and decrypt packets or to authenticate packets between
security servers and remote access devices.
Secure Data Transfer (SDT) SecurID™ —A
network access security system developed by Security
Dynamics, Inc. SecurID™ sits between the incoming
modem and the remote access server that provides
access to the network. When a dial-in client calls in
to the network, the user must first enter the correct
SecurID™ information before connecting to the remote
access server. Security Dynamics, Inc. manufactures
two security solutions that are compatible with remote
access servers: The first is a multi-port, stand-alone
remote access server that can be inserted between the
remote access server and the modem. The second,
Security Dynamics ACE/Server, is a system of server
and client software and SecurID™ cards. Once
enabled, SecurID™ authentication is used for the
following protocols: IP, IPX, NetBEUI, LLC, and ARA.
Secure Hash Standard/Algorithm (SHS/SHA)—
This is a US standard for digesting (or hashing) and is
an alternative to MD5.
Secure Net Key (SNK)—Client part of the Digital
Pathways Defender security system which can be either
hardware (a small box) or software (a program than
runs on a PC). SNKs are used to generate a response to
a Defender challenge.
Glossary • 37
INTEL BOOK 1/19/0 8:56 AM Page 38
Security Association ID (SAID)— An identifier for
a security association for a given link, a security associa-
tion defines security level and keying information.
Sequenced Packet Exchange (SPX)—Part of the
IPX suite, SPX is a connection-oriented protocol (IPX
is a connectionless protocol) and is used primarily for
client and server communications. SPX is encapsulated
in IPX packets.
Serial Interface—Hardware for sending and receiving
data one bit at a time.
Serial Line IP (SLIP)—Part of the TCP/IP suite, a
protocol that is used to connect PCs, X-terminals and
other computers to an IP network. It has been made
largely obsolete by PPP.
Server—Generally refers to a computer (node) on a
network that permits other nodes on the LAN to access
its resources. A dedicated server is one used solely for
this function; a non-dedicated server means that the
server can be used in other ways.
Server-based Application—An application that
runs partially on the server, as opposed to running
entirely on the remote station and using only data
stored on the server.
Shiva Password Authentication Protocol
(SPAP)—Part of the PPP suite, an authentication
protocol that allows full use of Shiva features. This is
Shiva’s proprietary network security for PPP links.
SPAP is used only for communicating with a LanRover
Access Switch or LanRover.
Simple Mail Transfer Protocol (SMTP)—
Internet protocol for electronic mail.
Simple Network Management Protocol
(SNMP)—Part of the TCP/IP suite, the standard
management protocol for TCP/IP networks, which
enables centralized network management.
38 • Designing and Implementing a Virtual Private Network
Skipjack—80-bit secret key (symmetric) encryption
algorithm. It is a proposed standard by the US govern-
ment and is intended for key escrow. The actual algo-
rithm is not publicly known.
Socket—An endpoint for network communication,
established by software, through which information can
be sent to and received from other parties.
Socket Number—All sockets have an identifying
socket number to distinguish them from all other sockets
on a network host, so that information sent through a
socket can be properly attributed, and information sent
to a node can be sent to the correct socket, and hence
to the correct application. Socket numbers are usually
added to the network address of the host node: with
TCP/IP protocols, for example, socket numbers
become the IP port number.
Source Address—The address of a network device
sending a packet.
Spoofing—A technique that allows a network device
to assume the “housekeeping” responsibilities of a
remote terminal. This prevents unnecessary network
traffic from being sent across a dial-in or LAN-to-LAN
connection, and allows a virtual connection to remain
suspended whenever actual network access is not
required.
StacLZS—A compression algorithm often used on
PPP links.
Stream Cipher—Encryption system which produces
a sequence of pseudo-random bytes which can be used
to encrypt a stream of bytes by exclusive ORing each
byte with each subsequent random byte. Decryption is
done exactly the same way.
Symmetric Key (or secret key)—Refers to encryp-
tion systems that use a key to encrypt and the same key
to decrypt.
Glossary • 39
INTEL BOOK 1/19/0 8:56 AM Page 40
Synchronous—A transmission method where there
is a constant interval between the transmitted bits.
This method is faster than asynchronous transmission.
The two computers involved in the interchange must
be synchronized for synchronous transmission. This is
achieved by the use of a clocking signal in both devices
and control information sent within the transmission.
TACACS+—The TACACS security protocol with
enhancements: TACACS+ includes a challenge and
response system, and data encryption. When a
Shiva device is accessed, the login request is sent to
a TACACS+ server on the network. The TACACS+
server performs user authentication, and the TACACS+
user profile defines the user’s permissions.
Terminal Access Controller Access Control
System (TACACS)—An industry-standard security
protocol used by terminal servers: It allows a user to
log in only if they are authenticated by a third party
(a TACACS host). When a user attempts to gain access
(such as a remote user logging on to a network),
TACACS forwards the user name and password infor-
mation to a centralized server. This server performs the
necessary verification and sends a response back to the
TACACS system as to whether to allow access to the
network.
Third Party Validation—An access control system
used by terminal servers that allows a user to log in only
if authenticated by a third party host. Examples of
Third Party Validation are TACACS and SecurIDTM.
Transmission Control Protocol (TCP)—Part of
the PPP suite, a protocol that organizes packets, manages
their transmission, and ensures their reliable delivery to
the receiving station.
Transmission Control Protocol/Internet
Protocol (TCP/IP)—A suite of protocols used to
provide a transport service in networks. The Internet
uses TCP/IP.
40 • Designing and Implementing a Virtual Private Network
Transparent—Describes computer operations that
take place automatically, performed either by the oper-
ating system or the application, without user intervention
or awareness: In ISDN, a 64 Kbps data transmission
that does not experience any encoding or decoding
within the channel is transparent.
Tunnel—A virtual communication channel established
over the Internet or other shared medium, by which
encapsulated data packets are exchanged.
Tunneling—Technique of encapsulating one protocol
within another, such as IPX within IP. In the context of
security it refers to encrypting IP within IP so that the
traffic may be routed securely.
User Datagram Protocol (UDP)—Part of the
TCP/IP suite, an Internet protocol at the transport
layer of the OSI model that defines a connectionless
datagram service. A connectionless datagram service
sends self-contained packets of data that include desti-
nation address information.
User List—A list that contains the profiles (names,
passwords, and permissions) of all users who can access
a remote access server.
Van Jacobson Compression (VJ Compression)—
A method of compressing TCP/IP headers to improve
performance over serial lines.
Virtual Connection—A connection which is not
actually physical, although it appears to be to the user.
Virtual Network Access Server (VNAS)—
Software that runs on an end-user device to initiate a
tunnel to a home gateway device. The function of the
software is sometimes referred to as client-tunneling.
Virtual Private Data Network (VPDN)—See
Virtual Private Network (VPN).
Glossary • 41
INTEL BOOK 1/19/0 8:56 AM Page 42

Virtual Private Network (VPN)—A combination of NOTES

software and hardware components that use public net-
works to create what appears to be a private network.
X.509—Defined structure for a certificate. Main fields
are ID, Subject field, Validity dates, public key and CA
signature.
Zone Access Privileges—In an AppleTalk network,
a feature of a remote access server that lets a network
administrator restrict access to zones.

42 • Designing and Implementing a Virtual Private Network Notes • 43

INTEL BOOK 1/19/0 8:56 AM Page 44

NOTES NOTES

44 • Designing and Implementing a Virtual Private Network Notes • 45

INTEL BOOK 1/19/0 8:56 AM Page 46

NOTES NOTES

46 • Designing and Implementing a Virtual Private Network Notes • 47

INTEL BOOK 1/19/0 8:56 AM Page 48

NOTES

48 • Designing and Implementing a Virtual Private Network

INTEL BOOK 1/19/0 8:56 AM Page 50

This Technology Guide is one in a series of topic-

focused Guides that provides a comprehensive
examination of important and emerging technologies.

This series of Guides offers objective information

and practical guidance on technologies related
to Communications & Networking, the Internet,
Computer Telephony, Document Management,
Data Warehousing, Enterprise Solutions, Software
Applications, and Security.

Built upon the extensive experience and ongoing

research of our writers and editorial team, these
Technology Guides assist IT professionals in making
informed decisions about all aspects of technology
development and strategic deployment.

techguide.com is supported by a consortium of lead-

ing technology providers. Intel Network Systems, Inc.
has lent its support to produce this Guide.

Visit our Web site at www.techguide.com

to view and print this Guide, as well as
all of our other Technology Guides.
Part# WSO135 Rev. 1/00

This is a free service.

produced and published by

visit www.techguide.com™