Designing and Implementing A Virtual Private Network (VPN)
The Technology Guide Series™
visit www.techguide.com
Table of Contents

Introduction (p. 2)
Choices for Remote Access (p. 2)
Today: Data over Voice (DoV) Remote Access (p. 2)
Tomorrow: Data over Data (DoD) Remote Access (p. 4)
Driving Forces for Change (p. 5)
Remote Access Choices (p. 7)
Steps to Implementing VPN (p. 10)
Determine the Number of Ports (p. 10)
Classify Users (p. 11)
Evaluate User Locations (p. 12)
Assess Data Security Requirements (p. 12)
Making Hybrid DoV/DoD Work (p. 14)
Integrating VPN with Dial-up (p. 14)
Summary (p. 17)
CASE STUDY: The Nature Conservancy (p. 18)
The Company (p. 18)
The Challenge (p. 18)
The Solution (p. 19)
The Benefits (p. 21)
About the Nature Conservancy (p. 22)
Glossary of Terms (p. 24)
The Guide format and main text of this Guide are the property of The Applied Technologies Group, Inc. and are made available upon these terms and conditions. The Applied Technologies Group reserves all rights herein. Reproduction in whole or in part of the main text is only permitted with the written consent of The Applied Technologies Group. The main text shall be treated at all times as a proprietary document for internal use only. The main text may not be duplicated in any way, except in the form of brief excerpts or quotations for the purpose of review. In addition, the information contained herein may not be duplicated in other books, databases or any other medium. Making copies of this Guide, or any portion for any purpose other than your own, is a violation of United States Copyright Laws. The information contained in this Guide is believed to be reliable but cannot be guaranteed to be complete or correct. Any case studies or glossaries contained in this Guide or any Guide are excluded from this copyright.

Copyright © 1999 by The Applied Technologies Group, Inc. One Apple Hill, Suite 216, Natick, MA 01760, Tel: (508) 651-1155, Fax: (508) 651-1171
E-mail: info@techguide.com Web Site: http://www.techguide.com
Figure 2: The Future Data Dial Tone Network (figure; only the label "Data Transport" survives in the text)

DoD remote access delivers more efficient use of available bandwidth. For example, in the US, a circuit-based or “channelized” T1 used for voice connections has a maximum capacity of 24 channels of 64Kbps each, or about 1.5Mbps. Since conventional DoV remote access requires a dedicated channel for each connection, a T1 can accommodate 24 simultaneous user sessions. Each user gets a 64Kbps slice of bandwidth whether they use it or not.

A packet-based or “clear-channel” T1 used to deliver data connections has almost no limit to the number of virtual circuits it can support. This allows the same 1.5Mbps pipe to carry a higher number of user sessions. The magnitude of this increment depends on the type and volume of traffic. If there are many idle or low volume users, then a T1 could support up to, and perhaps more than, 200 sessions.

Consider, for example, a classic pattern of remote e-mail usage:

1) log in,
2) check e-mail,
3) send urgent replies, then
4) log off.

This sequence of steps generates a low volume of traffic. For example, while a user is reading e-mail or composing new messages, no data crosses the link. Data only passes across the link while the user is actually sending or receiving mail. A DoD connection could, therefore, support a very high number of e-mail users.

In contrast, running streaming applications such as video or audio over the connection generates a high volume of data traffic. In this case, a clear channel T1 will handle a much smaller number of sessions, though more than the 24 sessions supported by a channelized T1.

Shared Resources

A DoD remote access network allows many users to share network resources including WAN devices, last mile connections and backbone infrastructure. This sharing reduces the cost of equipment (per port costs drop), last mile connections (one pipe can support many users and applications) and long distance transport (as the cost of the DoD service decreases relative to DoV, service providers can pass these savings on to their customers).

Higher Bandwidth

The DoD remote access network delivers higher bandwidth all the way to the network end-points. Performance of 56K modem technology over DoV networks is determined by the length and quality of the analog connection and the number of analog-to-digital conversions that take place along the circuit. While 56K modem technology works well over high quality, local connections (delivering anywhere from 48Kbps to 56Kbps of actual throughput), it degrades quickly over lower quality, long distance connections (delivering from 4.8Kbps to 28Kbps over international circuits).

With DoD networks, every WAN connection is a local connection supporting optimal performance of 56K modem technology. Furthermore, DoD networks are not limited to access through modems. New high-speed technologies such as DSL and Cable deliver from 384Kbps to more than 10Mbps connections to the Internet. A DoD network provides many last mile options for the networking professional.

Remote Access Choices

The basic architecture for all remote access networks is a connection from a remote or branch site through a network to a central or other branch site. This basic architecture may include two different remote access implementations: dial-up over the telephone network (DoV) and VPN over the Internet (DoD).
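The session arithmetic above can be made concrete with a small statistical-multiplexing model. The Python below is an added example and not part of the guide: the traffic profiles (an e-mail user active 5% of the time, a streaming user active 80% of the time, both peaking at 56Kbps) are assumptions, and the model treats the number of simultaneously active sessions as binomial, the usual first approximation for on/off traffic. The channelized figure of 24 is fixed by the DS0 structure and needs no model.

```python
"""Added example, not from the guide: a statistical-multiplexing estimate of
how many sessions a clear-channel T1 can carry, beside the fixed 24 of a
channelized T1. Each session is 'active' (sending or receiving) with
probability p_active and draws peak_bps while active, so the number of
simultaneously active sessions is Binomial(n, p_active)."""
from math import comb, exp, log

T1_PAYLOAD_BPS = 24 * 64_000      # 24 DS0 channels of 64 kbps = 1.536 Mbps
CHANNELIZED_SESSIONS = 24         # DoV: one dedicated DS0 per session

# Constructed traffic profiles (assumptions, not figures from the guide).
PROFILES = {
    "email":     {"p_active": 0.05, "peak_bps": 56_000},   # idle most of the time
    "streaming": {"p_active": 0.80, "peak_bps": 56_000},   # busy nearly always
}


def p_overload(n_sessions, p_active, peak_bps, link_bps=T1_PAYLOAD_BPS):
    """Probability that more sessions are active at once than the link can
    carry at their peak rate: the upper tail of Binomial(n_sessions, p_active).
    Terms are summed in log space so large session counts do not overflow."""
    fit = link_bps // peak_bps            # active peaks that fit side by side
    if n_sessions <= fit:
        return 0.0
    if p_active <= 0.0:
        return 0.0
    if p_active >= 1.0:
        return 1.0
    lp, lq = log(p_active), log(1.0 - p_active)
    return sum(exp(log(comb(n_sessions, k)) + k * lp + (n_sessions - k) * lq)
               for k in range(fit + 1, n_sessions + 1))


def max_sessions(p_active, peak_bps, target=0.01, link_bps=T1_PAYLOAD_BPS, cap=5_000):
    """Largest session count whose overload probability stays at or below target."""
    n = 0
    while n < cap and p_overload(n + 1, p_active, peak_bps, link_bps) <= target:
        n += 1
    return n


def capacity_table(target=0.01):
    """Sessions per clear-channel T1 for each profile at the given overload target."""
    return {name: max_sessions(prof["p_active"], prof["peak_bps"], target)
            for name, prof in PROFILES.items()}


if __name__ == "__main__":
    print("channelized T1:", CHANNELIZED_SESSIONS, "sessions (64 kbps each, used or not)")
    for name, n in capacity_table().items():
        print(f"clear-channel T1, {name} profile: about {n} sessions at 1% overload")
```

Run as a script it prints the channelized figure of 24 beside the clear-channel estimates: the e-mail profile lands in the hundreds of sessions at a 1% overload probability, the streaming profile only a little above 24, which is the shape of the comparison the text makes. The model ignores protocol overhead and correlated bursts (everyone checking mail at 9 a.m.), so the numbers are planning bounds, not guarantees.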
The difference between dial-up and VPN is the data transmission medium. Dial-up involves direct telephone network connections into the head office or central site. As such, the cost of a dial-up connection is dependent on the distance between the user and the corporate office.

On the other hand, VPN uses the Internet to establish a virtual circuit or tunnel that connects one location to another. Internet costs are distance insensitive.

[...] direct dial solutions, VPNs can reduce the long-distance phone charges associated with remote LAN access, and potentially eliminate them if remote users can access the public IP network with a toll-free call.

(Figure: the two remote access architectures. Direct Dial: Laptop, Modem, PSTN, Access Equipment, LAN. VPN: Laptop, Modem, PSTN, IP Network, WAN, LAN.)

[...] is a combination of both Dial-up and VPN to best serve the unique needs of each user, while minimizing [...]

The hybrid solution uses VPN for long distance and direct dial for local calls. This increases hardware costs but reduces the ISP bill. In addition to the cost benefit, this approach allows the use of direct dial for mission critical applications, or as a backup to Internet problems.

Extrapolating these patterns of usage gives a total remote access time per month of almost 8,000 hours. However, the critical measure is the split of local to long distance minutes:

TABLE 2: Company X Weekly Remote Access (table body not present in the extracted text)
Callback—Allows a device user to request a return call from a remote site. Bills are calculated on one line, which can mean discounted tariffs. Also used as a security feature. Also called dial-back.

Certificate—A package of information, digitally signed by a trusted authority (usually referred to as a CA or Notary), which binds a public key to an owner. The package usually consists of an identifier field, a public key field, the serial number (of the certificate), activation and expiry dates, as well as a signature field. ITU-T (formerly CCITT) X.509 defines a standard format for these certificates (in ASN.1).

Certificate Authority (CA)—A trusted entity that has the capability of creating and revoking public key certificates for users and network elements.

Challenge-Handshake Authentication Protocol (CHAP)—Part of the PPP suite, an authentication protocol that provides additional network security so that a remote access device can authenticate users. It is more secure than PAP because the password itself never crosses the link: the authenticator sends a random challenge, and the peer answers with an MD5 hash of the challenge identifier, the shared secret and the challenge, which the authenticator recomputes from its own copy of the secret and compares. Two limits follow from this design: the authenticator must keep the secret in recoverable form, and an eavesdropper who captures a challenge/response pair can test guesses at the secret offline.

Chosen Plaintext Attack—A situation where an attacker can select plaintext to be encrypted and observe the output. The encryption is broken when the attacker can derive the key from some number of input-output pairs.

Cipher-Block Chaining (CBC)—Refers to a mode built around DES (or any symmetric block cipher). Each plaintext block is exclusive-ORed with the previous ciphertext block (the Initialization Vector for the first block) before it is encrypted with the key, so identical plaintext blocks no longer produce identical ciphertext blocks. This chaining eliminates the problem of Electronic Codebook (ECB) mode, in which the algorithm is used in its purest form, each block being encrypted directly by the key, and repeated plaintext shows through as repeated ciphertext.

Cipher-Feedback (CFB)—Refers to a mode built around DES (or any symmetric block cipher). The previous ciphertext block (the Initialization Vector for the first block) is fed back through the cipher and the result exclusive-ORed with the plaintext, which assures different outputs for identical inputs. Because each block depends only on the ciphertext block before it, the mode also offers self-synchronization after data loss: one block following a lost block decrypts incorrectly, after which the stream recovers.

Circuit—A logical or physical connection between two points on a WAN, between one router and another, or between a router and a remote access server. There are many properties associated with circuits, which can vary with the type of connection required, but which would typically include phone numbers, authentication details, bandwidth-on-demand, compression, encryption, and the types of protocol that can be carried over the circuit.

Clear channel—A channel that places no restrictions on the type of data or data patterns that it can carry.

Client—A computer that requests services from a server.

Compressed Serial Link Internet Protocol (CSLIP)—A method for compressing the headers of TCP/IP datagrams, to improve performance over low speed serial links.

Compression—By eliminating redundancies, data compression increases the amount of data that can be carried across WAN connections in a given time. StacLZS compression can improve ISDN performance by as much as 400%.

Customer Premises Equipment (CPE)—A general term for communications equipment at the customer’s site.

Cyclic Redundancy Check (CRC)—A CRC error means that the contents of the packet do not match the checksum received. This shows that the packet is damaged. A CRC detects accidental corruption only; it is not a cryptographic check, because anyone who alters a packet can recompute the CRC to match.

Data Carrier Detect (DCD)—Hardware signal defined by the RS-232-C specification that indicates that a device (such as a modem) is on-line and ready for transmission.
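The CHAP entry above describes the handshake in words; the PAP entry later in this glossary gives the contrast. The Python below is an added example, not from the guide or from any vendor's implementation: it carries out both exchanges over constructed credentials (the user database, the secret and the challenge are assumptions) and then shows what an eavesdropper on the link gets from each, including the offline guessing that a captured CHAP pair permits. The CHAP response follows RFC 1994: MD5 over the identifier, the secret and the challenge.

```python
"""Added example, not from the guide: PAP and CHAP side by side, as seen by
the authenticator and by an eavesdropper on the link. Credentials are
constructed; the CHAP response is MD5(identifier || secret || challenge)
as in RFC 1994."""
import hashlib
import hmac
import os

# Constructed authenticator database (assumption): peer name -> shared secret.
SECRETS = {"alice": b"correct horse battery"}


# --- PAP: the peer sends its id and password in the clear -------------------
def pap_authenticate_request(peer_id, password):
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_verify(request):
    """Authenticator side: compare the received password with the stored one."""
    expected = SECRETS.get(request["peer_id"])
    return expected is not None and hmac.compare_digest(expected, request["password"])


# --- CHAP: the peer proves knowledge of the secret without sending it --------
def chap_challenge(identifier, challenge=None):
    """Authenticator side: a fresh random challenge for each authentication."""
    value = challenge if challenge is not None else os.urandom(16)
    return {"code": "Challenge", "id": identifier, "value": value}


def chap_response(challenge_msg, name, secret):
    """Peer side: hash the identifier, the secret and the challenge."""
    material = bytes([challenge_msg["id"]]) + secret + challenge_msg["value"]
    return {"code": "Response", "id": challenge_msg["id"],
            "value": hashlib.md5(material).digest(), "name": name}


def chap_verify(challenge_msg, response_msg):
    """Authenticator side: recompute the hash with the stored secret and compare."""
    secret = SECRETS.get(response_msg["name"])
    if secret is None or response_msg["id"] != challenge_msg["id"]:
        return False
    material = bytes([challenge_msg["id"]]) + secret + challenge_msg["value"]
    return hmac.compare_digest(hashlib.md5(material).digest(), response_msg["value"])


# --- What an eavesdropper on the link learns ---------------------------------
def password_visible_on_wire(message):
    """True if the captured message carries a stored secret verbatim."""
    return message.get("password") in SECRETS.values()


def replay_captured_response(captured_response):
    """Replay a captured CHAP response against the authenticator's next
    challenge (same identifier here for clarity; in practice it changes too).
    The new random challenge makes the old hash worthless."""
    next_challenge = chap_challenge(captured_response["id"])
    return chap_verify(next_challenge, captured_response)


def offline_guess(challenge_msg, response_msg, wordlist):
    """With one captured challenge/response pair the eavesdropper can test
    candidate secrets without touching the authenticator again."""
    for guess in wordlist:
        if chap_response(challenge_msg, response_msg["name"], guess)["value"] == response_msg["value"]:
            return guess
    return None
```

The replay check and the offline guess together are the two properties worth remembering: a random per-session challenge defeats replay, but it does not make a weak secret safe, because the hash can be brute-forced from a single captured exchange.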
Data Circuit-terminating Equipment (DCE)—The signal-conversion device which translates a digital signal from data terminal equipment (DTE) into a form acceptable to the particular communications medium. A modem is an example of DCE. Also called data communications equipment.

Data Encryption Standard (DES)—A method of encrypting and decrypting data by using a secret 56-bit key. A symmetric key cryptographic system that has been standardized by NIST (FIPS 46). A 56-bit key is within reach of exhaustive search: in 1998 a purpose-built machine recovered a DES key in under three days.

Data Link Connection Identifier (DLCI)—Value that specifies a Permanent Virtual Connection (PVC) or a Switched Virtual Connection (SVC) in a Frame Relay network.

Data Terminal Equipment (DTE)—Equipment at the user end of a user/network interface, which connects to a data network via DCE devices. DTE includes both terminal and computer ports which use the RS-232 interface standard to communicate with DCE.

Data Transfer Speed—The rate of data transmission across the network, measured in bits per second (bps).

De-militarized Zone (DMZ)—A network or section of network between an untrusted and trusted network that has some degree of security (usually provided by a packet screen) where application public information and application relays can be located. The DMZ is part of the untrusted network.

Decrypt—A process that changes encrypted data into a readable state. Using a decryption key you can take encrypted information and translate it into decrypted information.

DES (3DES)—An enhancement to DES which uses three DES keys (168 bits: encrypt, decrypt, then encrypt) in three successive rounds for added security. Meet-in-the-middle attacks limit its effective strength to roughly 112 bits rather than 168.

DES (Limited)—The same as 56-bit DES except that 16 key bits are fixed, reducing the effective key space to 40 bits. This is export-grade protection and can be searched exhaustively far faster than full DES.

DES (Triple)—An enhancement to DES which uses two DES keys (112 bits: encrypt with the first, decrypt with the second, then encrypt with the first again) in three successive rounds for added security.

Dial out—The process of initiating a call from a networked device, using dial-out client software and a modem to attach to a remote service.

Dial-in—The process of initiating a call from a device, using dial-in client software and a modem to attach to a remote network.

Digesting (or hashing)—Techniques of computing a strong cryptographic “checksum” of a block of data. The word “strong” implies that it is not feasible to create or modify data to result in a specific digest.

Digital Signature Standard/Algorithm (DSS/DSA)—This is the US standard for digital signatures (FIPS 186) and competes with RSA.

Dynamic IP Address Allocation—Allows a user to be assigned an IP address which is dynamically selected from a list of available addresses. See Dynamic Host Configuration Protocol (DHCP) and IP Network Control Protocol (IPCP).

Encapsulation Security Payload (ESP)—A security measure in IPSec, used to encrypt the payload to ensure privacy for sensitive data. ESP can also carry an integrity check value that authenticates the encrypted payload.

Encryption—Transformation of data into unreadable, meaningless data through a cryptographic transformation using a key. Decryption is the process of reversing the unintelligible data into meaningful data using a key.

Encryption Control Protocol (ECP)—Used to negotiate the use of encryption on PPP links.

Federal Information Processing Standards (FIPS)—Standards issued by NIST for use by US federal agencies. Examples are FIPS 46 (DES), FIPS 180 (the Secure Hash Standard) and FIPS 186 (the Digital Signature Standard).
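The CRC entry (under C) and the Digesting entry above make a distinction that is easy to blur: a CRC or a bare digest tells you a packet was damaged, not that it came from who you think. The Python below is an added example, not from the guide: it frames a constructed payload three ways (CRC-32, SHA-1, HMAC-SHA1 under a constructed key), passes each through line noise and through an active attacker who rewrites the payload and rebuilds the check field, and records which checks catch what.

```python
"""Added example, not from the guide: CRC and unkeyed digests detect accidental
damage but not deliberate modification; a keyed digest (HMAC) does both.
Payloads, the key and the attacker's edit are constructed."""
import hashlib
import hmac
import zlib

KEY = b"shared secret between the two VPN endpoints"   # constructed
ORIGINAL = b"transfer 100 to account 42"                 # constructed payload
FORGED = b"transfer 999 to account 66"                   # the attacker's version


def add_crc(payload):
    """Frame = payload || CRC-32, as a link layer would build it."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_ok(frame):
    payload, crc = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == crc


def add_digest(payload):
    """Frame = payload || SHA-1(payload): an unkeyed 'strong checksum'."""
    return payload + hashlib.sha1(payload).digest()


def digest_ok(frame):
    payload, tag = frame[:-20], frame[-20:]
    return hmac.compare_digest(hashlib.sha1(payload).digest(), tag)


def add_hmac(payload, key):
    """Frame = payload || HMAC-SHA1(key, payload): a keyed digest."""
    return payload + hmac.new(key, payload, hashlib.sha1).digest()


def hmac_ok(frame, key):
    payload, tag = frame[:-20], frame[-20:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha1).digest(), tag)


def flip_bit(frame, bit):
    """Line noise: invert one bit of the frame, leaving the check field as sent."""
    b = bytearray(frame)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def outcomes():
    """For each check type: was random damage detected, and was a forgery
    (payload replaced, check field rebuilt with the public algorithm) rejected?
    The attacker does not hold KEY, so for HMAC it can only guess one."""
    crc_frame, digest_frame, hmac_frame = add_crc(ORIGINAL), add_digest(ORIGINAL), add_hmac(ORIGINAL, KEY)
    return {
        "crc": {"noise_detected": not crc_ok(flip_bit(crc_frame, 13)),
                "forgery_rejected": not crc_ok(add_crc(FORGED))},
        "digest": {"noise_detected": not digest_ok(flip_bit(digest_frame, 13)),
                   "forgery_rejected": not digest_ok(add_digest(FORGED))},
        "hmac": {"noise_detected": not hmac_ok(flip_bit(hmac_frame, 13), KEY),
                 "forgery_rejected": not hmac_ok(add_hmac(FORGED, b"attacker's guess"), KEY)},
    }


if __name__ == "__main__":
    for check, result in outcomes().items():
        print(f"{check:6s} noise detected: {result['noise_detected']}  forgery rejected: {result['forgery_rejected']}")
```

All three catch the flipped bit; only the keyed check rejects the rewritten payload, which is why IPSec's ESP integrity option and similar protocols use a keyed digest rather than a CRC or a plain hash.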
Filtering—Allows the administrator to specify which types of packets will be allowed access and which will be rejected.

Firewall—A device or software function which protects an Intranet (for example, a corporate LAN) from unauthorized access over the Internet.

Gateway—A device used to interconnect networks, subnets, or other network devices. Gateways allow networks using different communications protocols to transfer information. Equivalent to a router, a gateway is an intelligent device used to connect two or more networks at the upper protocol layers of the Open Systems Interconnection (OSI) reference model. The networks can use different protocols and different physical media. A gateway has its own processor and memory.

Hashing—See “Digesting.”

Home Gateway (HG)—A device located on a corporate LAN that accepts authorized user tunnels over the Internet.

Hop—A measure of distance between networks within an internet. One hop typically consists of a passage to a router or a host.

Initialization Vector (IV)—This is used for input or chaining for all DES modes but Electronic Codebook (ECB). An IV must never be reused under the same key, and in CBC mode it should be unpredictable to an attacker.

Internet—A collection of networks and gateways that use the TCP/IP protocol suite and function as a single, co-operative network. When the term “Internet” is capitalized, it specifically refers to the world-wide, interconnected group of networks and gateways that use the TCP/IP suite of protocols to communicate.

internet—Any interconnected group of networks. An accepted substitute for the word internetwork. This should not be confused with Internet.

Internet Protocol (IP)—Part of the TCP/IP suite, a protocol which provides a connectionless internetwork service.

Internet Protocol Security (IPSec)—A collection of IP security measures that define data privacy, integrity, authentication, key management, and tunneling methods. This is used to provide a secure VPN over the Internet.

Internet Service Provider (ISP)—A communications company that provides access to the Internet.

Internetwork Packet Exchange (IPX)—The main communication protocol within the NetWare environment. IPX defines a particular method of addressing used by all NetWare nodes and networks, and it is used to communicate within and between (routing) NetWare LANs.

IP Address—A 32-bit address assigned to every host that wants to use TCP/IP to communicate across an internet. The address consists of a network and a host field. IP addresses are written in dotted decimal notation. For example, 123.45.67.89.

IP Network Control Protocol (IPCP)—Part of the PPP suite, IPCP controls the use of IP on PPP links, negotiating, for example, IP addresses and the use of header compression.

IP Network Mask—A number that describes which portion of the device’s IP address represents the network address and which portion of the IP address represents the host address.

LANs (red/black)—The LanRover VPN Gateway uses two LANs: one unsecure (red) and one secure (black). The Red LAN is the portion of the network that is not secured by encryption, but may be secured physically. The Black LAN is the portion of the network that is secured by encryption.
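The DMZ, Filtering, Firewall and IP Network Mask entries describe the parts of a packet screen without showing one. The Python below is an added example, not from the guide or any product: a stateless first-match filter that keeps an untrusted network, a DMZ and a trusted LAN apart, evaluated over constructed packets. The address ranges, rules and packets are assumptions; the network-mask comparison is the standard one, done here by the `ipaddress` module.

```python
"""Added example, not from the guide: a stateless packet screen between the
Internet, a DMZ and a trusted LAN. Address ranges, rules and packets are
constructed; first matching rule wins; unmatched traffic is dropped."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")       # trusted LAN (constructed)
DMZ = ip_network("192.0.2.0/24")           # public servers (constructed)
ANY = ip_network("0.0.0.0/0")

# (action, source net, destination net, protocol, destination port or None)
RULES = [
    ("allow", ANY,      DMZ,      "tcp", 80),     # public web server
    ("allow", ANY,      DMZ,      "tcp", 25),     # inbound mail relay
    ("allow", INTERNAL, ANY,      "tcp", None),   # LAN may initiate outbound
    ("allow", INTERNAL, ANY,      "udp", 53),
    ("deny",  DMZ,      INTERNAL, "any", None),   # a compromised DMZ host stays out
    ("allow", DMZ,      ANY,      "udp", 53),     # DMZ hosts may resolve names
]


def evaluate(packet, rules=RULES):
    """Return 'allow' or 'deny' for a packet given as a dict with
    src, dst (dotted decimal), proto ('tcp'/'udp') and dport."""
    src, dst = ip_address(packet["src"]), ip_address(packet["dst"])
    for action, src_net, dst_net, proto, port in rules:
        if src not in src_net or dst not in dst_net:      # mask comparison
            continue
        if proto != "any" and proto != packet["proto"]:
            continue
        if port is not None and port != packet.get("dport"):
            continue
        return action
    return "deny"                                        # default deny


# Constructed sample packets (assumptions).
SAMPLES = [
    {"name": "internet -> dmz web", "src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},
    {"name": "internet -> dmz ssh", "src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},
    {"name": "internet -> lan", "src": "203.0.113.7", "dst": "10.1.4.20", "proto": "tcp", "dport": 139},
    {"name": "dmz -> lan", "src": "192.0.2.10", "dst": "10.1.4.20", "proto": "tcp", "dport": 445},
    {"name": "dmz -> internet dns", "src": "192.0.2.10", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
    {"name": "lan -> internet web", "src": "10.1.4.20", "dst": "203.0.113.80", "proto": "tcp", "dport": 443},
]


def screen(samples=SAMPLES):
    """Decision for each sample packet, keyed by its name."""
    return {p["name"]: evaluate(p) for p in samples}


if __name__ == "__main__":
    for name, decision in screen().items():
        print(f"{decision:5s} {name}")
```

The rule that matters most for the DMZ idea is the explicit deny from DMZ to the internal network: a public server that gets compromised must not become a stepping stone inward. Being stateless, this screen knows nothing about return traffic; replies to LAN-initiated connections would need their own rules (or a stateful firewall), which is the usual argument for the latter.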
Layer 2 Forwarding Protocol (L2F)—A VPN protocol by which tunnels are established and terminated over the Internet. Alternative to L2TP and PPTP tunneling protocols.

Layer 2 Tunneling Protocol (L2TP)—A VPN protocol by which tunnels are established and terminated over the Internet. Alternative to L2F and PPTP tunneling protocols. L2TP is also designed to operate over a non-IP environment. L2TP itself only tunnels; confidentiality for the tunneled traffic has to come from a separate mechanism such as IPSec.

Link Quality Monitoring (LQM)—Part of the PPP suite, one of the methods used by the PPP Link Control Protocol to detect that a link is functioning properly.

Link-State Advertisement (LSA)—Broadcast packet used by link-state protocols (such as OSPF) that contains information about neighbors and path costs. LSAs are used by the receiving routers to maintain their routing tables. Sometimes called a Link-State Packet (LSP).

Local Loop—A twisted pair of wires that connects a telephone company network to a customer site. A copper wire local loop must not exceed 18,000 feet (approximately 5.5km) when used for an ISDN-BRI line.

Management Information Base (MIB)—A set of defined variables that are accessed through SNMP.

Message Digesting (MD2, MD4, MD5)—Algorithms used to compute a fixed-length digest of data for integrity checking (see “Digesting”). A digest on its own does not guarantee authenticity, since anyone can recompute it over altered data; authenticity requires a keyed digest (such as HMAC) or a digital signature.

Modem—An abbreviation of MOdulator-DEModulator. An electronic signal-conversion device used to convert digital signals from a computer to analog form for transmission over the telephone network. At the transmitting end, a modem working as a modulator converts the computer’s digital signals into analog signals that can be transmitted over a telephone line. At the receiving end, another modem working as a demodulator converts analog signals back into digital signals and sends them to the receiving computer.

Multihoming—Allows a device to use more than one address on the same physical network.

Name Resolution—When a device is named, the system determines the appropriate IP address. This is done using a name server and/or a host table file.

Name Server—A host on the IP network that runs a program to translate host names into IP addresses.

Net Mask—An IP address (such as 255.255.0.0) that specifies how much of the address to reserve for subdividing networks. The mask contains 1s for the bit positions in the 32-bit address used for the network and subnet parts, and 0s for the host part. The mask should contain at least the standard network portion. See IP Network Mask.

Network Access Server (NAS)—A RADIUS term that refers to the network point of access for remote dial-in users. The NAS is the hardware that answers remote user calls and routes traffic to the local network. In a VPN, the NAS tunnels traffic to the HG.

Network Address Translation (NAT)—A mechanism for reducing the need for globally unique IP addresses. NAT allows an organization with addresses that are not globally unique to connect to the Internet by translating those addresses into globally routable address space. DIAT and IPX DIAT are forms of NAT.

Network Interface Card (NIC)—Board that provides network communication capabilities to and from a computer system. Also called an adapter.

Network Number—Part of an address which identifies the network that the device belongs to.

Node—This can be a host computer, printer, terminal server, router or another device. On a LAN, nodes are able to communicate with other network devices.
Nodes (red/black)—Nodes can switch from red to black and vice versa depending on the type of node. A PC that contains both Shiva’s encrypting software and hardware can switch between a red and black node; however, a Sun Station cannot because it does not work with Shiva software. A Red Node is a physical terminal responsible for handling sensitive or unsecured information. A Black Node is a physical terminal responsible for handling secured information through encryption.

Open Database Connectivity (ODBC)—The standard for connecting to databases.

Open Datalink Interface (ODI)—Industry standard interface between Network and Media access layers, often associated with Novell stacks.

Open Shortest Path First (OSPF)—Part of the TCP/IP suite, a link-state routing protocol designed for use over IP networks. Each router maintains an identical database which describes the topology of the network. From this database, each router forms a routing table by constructing a shortest path tree. OSPF is better suited to large networks than RIP and offers additional features such as variable-length subnetting support and authentication of protocol exchanges.

Output Feedback (OFB)—Refers to a mode built around DES (or any symmetric block cipher) that turns the block cipher into a stream cipher. The output of the cipher is fed back into its input to produce a pseudo-random number stream, independent of the plaintext, which is exclusive-ORed with the plaintext to encrypt and with the ciphertext to decrypt. The same key and Initialization Vector must never be used for two messages: the XOR of the two ciphertexts would then equal the XOR of the two plaintexts.

Packet Header—The initial part of a packet, which contains information such as the address, the packet type and the packet size.

Password Authentication Protocol (PAP)—Part of the PPP suite, a protocol that provides additional network security on PPP links. It enables login IDs and passwords to be transmitted over the link so that a remote device can authenticate users. PAP is less secure than CHAP because it sends the password in plain text across the link, where anyone able to observe the link can read it and reuse it.

Peer-to-peer—Architecture in which connected workstations use and provide services such as file sharing.

Peripheral Component Interconnect (PCI)—An Intel-originated local bus standard for connecting peripherals to a computer. A host bridge with buffers de-couples the CPU from relatively slow peripherals and allows them to operate asynchronously.

Permissions—In a multi-user computer environment, the ability of a specific user to access specific resources. For example, the system administrator grants permissions, which are stored in a permissions log.

Point-of-Presence (POP)—A dial-access number for an Internet Service Provider (ISP) that allows a user to obtain a general Internet connection by dialing a local (POP) telephone number.

Point-to-Point Protocol (PPP)—A suite of protocols that supports multi-vendor interoperation over point-to-point interfaces of many types, supporting multiple network layer protocols.

Point-to-Point Tunneling Protocol (PPTP)—A VPN protocol by which tunnels are established and terminated over the Internet. Alternative to L2F and L2TP tunneling protocols.

PPP Multilink—Part of the PPP suite, a method used to sequence packets across multiple links, for example when using aggregation or augmentation.

Public Switched Telephone Network (PSTN)—General term referring to the variety of telephone networks and services in place worldwide.
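The cipher modes defined in this glossary (CBC and CFB under C, the IV entry under I, and OFB above) behave differently under repeated plaintext, lost blocks and IV reuse. The Python below is an added example, not from the guide or from any vendor: it builds ECB, CBC, CFB and OFB over a toy 8-byte Feistel cipher that stands in for DES (the toy is not secure; the key, IV and messages are constructed) so that the properties the definitions claim can be checked directly rather than taken on trust.

```python
"""Added example, not from the guide: ECB, CBC, CFB and OFB over a toy block
cipher. The toy (a 4-round Feistel network keyed through SHA-256) is NOT
secure and only stands in for DES; key, IV and messages are constructed."""
import hashlib

BLOCK = 8


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):           # undo the rounds in reverse order
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def blocks(data):
    assert len(data) % BLOCK == 0, "toy modes take whole blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):                     # each block directly under the key
    return [encrypt_block(key, b) for b in blocks(pt)]


def cbc_encrypt(key, iv, pt):                 # XOR with previous ciphertext, then encrypt
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev)); out.append(prev)
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in ct:
        out.append(xor(decrypt_block(key, c), prev)); prev = c
    return out


def cfb_encrypt(key, iv, pt):                 # encrypt previous ciphertext, XOR with plaintext
    out, prev = [], iv
    for b in blocks(pt):
        prev = xor(b, encrypt_block(key, prev)); out.append(prev)
    return out


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in ct:
        out.append(xor(c, encrypt_block(key, prev))); prev = c
    return out


def ofb_keystream(key, iv, n):                # cipher output fed back to its input
    s, ks = iv, []
    for _ in range(n):
        s = encrypt_block(key, s); ks.append(s)
    return ks


def ofb_crypt(key, iv, data):                 # same call encrypts and decrypts
    return [xor(b, k) for b, k in zip(blocks(data), ofb_keystream(key, iv, len(data) // BLOCK))]


KEY = b"toy key, not a real one"             # constructed
IV = bytes(range(BLOCK))                      # constructed


def ecb_vs_cbc_patterns(key=KEY, iv=IV):
    """Same block four times: number of distinct ciphertext blocks under ECB and CBC."""
    pt = b"SAMEBLOK" * 4
    return len(set(ecb_encrypt(key, pt))), len(set(cbc_encrypt(key, iv, pt)))


def recover_after_lost_block(mode, key=KEY, iv=IV):
    """Drop ciphertext block 1 in transit; for each block the receiver still
    gets, report whether it decrypts to the block the sender put there."""
    pt = b"".join(b"block-%02d" % i for i in range(5))
    if mode == "cfb":
        ct = cfb_encrypt(key, iv, pt)
        received = cfb_decrypt(key, iv, ct[:1] + ct[2:])
    else:
        ct = ofb_crypt(key, iv, pt)
        received = ofb_crypt(key, iv, b"".join(ct[:1] + ct[2:]))
    expected = blocks(pt)[:1] + blocks(pt)[2:]
    return [r == e for r, e in zip(received, expected)]


def ofb_iv_reuse_leaks(key=KEY, iv=IV):
    """Two messages under one key and IV: XOR of ciphertexts equals XOR of plaintexts."""
    p1, p2 = b"pay 0100 to bob ", b"pay 9999 to eve "
    c1, c2 = ofb_crypt(key, iv, p1), ofb_crypt(key, iv, p2)
    return b"".join(map(xor, c1, c2)) == xor(p1, p2)
```

`ecb_vs_cbc_patterns` returns one distinct block for ECB and four for CBC, which is the ECB pattern leak the CBC entry describes. `recover_after_lost_block("cfb")` loses the dropped block and the one after it and then recovers, while the OFB stream stays misaligned for good, which is the self-synchronization claim in the CFB entry. `ofb_iv_reuse_leaks` is the IV reuse hazard from the OFB entry, demonstrated on the toy but true of any stream mode.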
Remote Access Server—A network device that connects to analog or digital telephone lines. It allows users to dial into and out of a LAN from workstations with analog modems, external terminal adapters, and internal ISDN BRI cards, or from client routers.

Remote Authentication Dial-In User Service (RADIUS)—A protocol that allows centralized authentication and configuration of dial-in users, details of which are stored in a central RADIUS server. RADIUS also allows centralized logging of accounting information. The NAS and the RADIUS server share a secret that is used to obscure user passwords in transit and to authenticate the server’s replies, so that secret must be strong and the path between NAS and server trusted.

Reverse Address Resolution Protocol (RARP)—Part of the TCP/IP suite, a protocol that provides a method for finding IP addresses based on Ethernet addresses.

Remote Client—A client at a remote location, such as a computer at home, that uses remote access software to dial in to a network.

Remote Network—A network at a remote location that is accessed from a local network.

Rivest, Shamir, Adleman (RSA)—Public-key technology based on factoring large numbers. Patents held by RSA Data Security Inc.

Route—The path that network traffic takes to get from a source to a destination.

Router—An intelligent connecting device which sends packets to the correct LAN/WAN segment to take them to their destination. Routers link LAN/WAN segments at the network layer of the ISO/OSI model for communications. The networks connected by routers can use either similar or different protocols.

Routing Information Base (RIB)—Contains detailed routing information about local and adjacent routing areas.

Routing Information Protocol (RIP)—A protocol in the TCP/IP and IPX suites, RIP allows gateways and hosts to exchange information about routes to various networks. Devices use RIP over IP and IPX to exchange routing information with other routers and to update the information in the routing table.

Routing Table—A table of information maintained in each router that lists the next router to which data should be forwarded, in order to reach each possible destination network on an internetwork.

Secret—Some security services use a secret to encrypt and decrypt packets or to authenticate packets between security servers and remote access devices.

Secure Data Transfer (SDT) SecurID™—A network access security system developed by Security Dynamics, Inc. SecurID™ sits between the incoming modem and the remote access server that provides access to the network. When a dial-in client calls in to the network, the user must first enter the correct SecurID™ information before connecting to the remote access server. Security Dynamics, Inc. manufactures two security solutions that are compatible with remote access servers. The first is a multi-port, stand-alone remote access server that can be inserted between the remote access server and the modem. The second, Security Dynamics ACE/Server, is a system of server and client software and SecurID™ cards. Once enabled, SecurID™ authentication is used for the following protocols: IP, IPX, NetBEUI, LLC, and ARA.

Secure Hash Standard/Algorithm (SHS/SHA)—This is the US standard for digesting (or hashing), specified in FIPS 180 (the SHA-1 revision produces a 160-bit digest), and is an alternative to MD5.

Secure Net Key (SNK)—Client part of the Digital Pathways Defender security system which can be either hardware (a small box) or software (a program that runs on a PC). SNKs are used to generate a response to a Defender challenge.
Security Association ID (SAID)—An identifier for a security association for a given link; a security association defines security level and keying information.

Sequenced Packet Exchange (SPX)—Part of the IPX suite, SPX is a connection-oriented protocol (IPX is a connectionless protocol) and is used primarily for client and server communications. SPX is encapsulated in IPX packets.

Serial Interface—Hardware for sending and receiving data one bit at a time.

Serial Line IP (SLIP)—Part of the TCP/IP suite, a protocol that is used to connect PCs, X-terminals and other computers to an IP network. It has been made largely obsolete by PPP.

Server—Generally refers to a computer (node) on a network that permits other nodes on the LAN to access its resources. A dedicated server is one used solely for this function; a non-dedicated server means that the server can be used in other ways.

Server-based Application—An application that runs partially on the server, as opposed to running entirely on the remote station and using only data stored on the server.

Shiva Password Authentication Protocol (SPAP)—Part of the PPP suite, an authentication protocol that allows full use of Shiva features. This is Shiva’s proprietary network security for PPP links. SPAP is used only for communicating with a LanRover Access Switch or LanRover.

Simple Mail Transfer Protocol (SMTP)—Internet protocol for electronic mail.

Simple Network Management Protocol (SNMP)—Part of the TCP/IP suite, the standard management protocol for TCP/IP networks, which enables centralized network management.

Skipjack—An 80-bit secret key (symmetric) encryption algorithm designed by the US government for its key escrow (Clipper) programme. The algorithm was kept secret until it was declassified and published in 1998.

Socket—An endpoint for network communication, established by software, through which information can be sent to and received from other parties.

Socket Number—All sockets have an identifying socket number to distinguish them from all other sockets on a network host, so that information sent through a socket can be properly attributed, and information sent to a node can be sent to the correct socket, and hence to the correct application. Socket numbers are usually added to the network address of the host node; with TCP/IP protocols, for example, socket numbers become the TCP or UDP port number.

Source Address—The address of a network device sending a packet.

Spoofing—A technique that allows a network device to assume the “housekeeping” responsibilities of a remote terminal. This prevents unnecessary network traffic from being sent across a dial-in or LAN-to-LAN connection, and allows a virtual connection to remain suspended whenever actual network access is not required. Note that in security writing “spoofing” more often means forging a source address or identity in order to impersonate another device, which is unrelated to the keep-alive technique defined here.

StacLZS—A compression algorithm often used on PPP links.

Stream Cipher—Encryption system which produces a sequence of pseudo-random bytes which can be used to encrypt a stream of bytes by exclusive ORing each byte with each subsequent random byte. Decryption is done exactly the same way.

Symmetric Key (or secret key)—Refers to encryption systems that use a key to encrypt and the same key to decrypt.
Terminal Access Controller Access Control System (TACACS)—An industry-standard security protocol used by terminal servers. It allows a user to log in only if they are authenticated by a third party (a TACACS host). When a user attempts to gain access (such as a remote user logging on to a network), TACACS forwards the user name and password information to a centralized server. This server performs the necessary verification and sends a response back to the TACACS system as to whether to allow access to the network.

Third Party Validation—An access control system used by terminal servers that allows a user to log in only if authenticated by a third party host. Examples of Third Party Validation are TACACS and SecurID™.

User Datagram Protocol (UDP)—Part of the TCP/IP suite, an Internet protocol at the transport layer of the OSI model that defines a connectionless datagram service. A connectionless datagram service sends self-contained packets of data that include destination address information.

User List—A list that contains the profiles (names, passwords, and permissions) of all users who can access a remote access server.

Van Jacobson Compression (VJ Compression)—A method of compressing TCP/IP headers to improve performance over serial lines.

Virtual Connection—A connection which is not actually physical, although it appears to be to the user.