Chapter 14 - Encrypting network traffic (Virtual Private Networks) with IPSec

By Kurt Seifried, [email protected], Copyright Kurt Seifried

With sensitive data moving across public networks some form of encryption is needed to protect the data, provide authentication, and prevent spoofing/etc. The emerging standard for this problem is IPSec (IP Security), which has broad industry support and a recognized set of RFC's laying down the rules. Unfortunately one of the major areas of IPSec is key management, and this is one area where many vendors have trouble interoperating, so if you are considering a hetrogenous network do plenty of testing beforehand. The good news is most vendors support IPSec, many "out of the box", and there are numerous free to cheap clients for Windows 95/98/NT (2000 has built in support).

The first decision needed when implementing IPSec is to decide what traffic you want to encrypt. Will you simply be using IPSec to connect various LAN's across the Internet securely (gateway to gateway), will dial-up and other remote users be connecting into the corporate LAN (client to gateway), or will all traffic be encrypted (client to client)? For servers and gateways you should definately consider buying hardware accelerators, there are also several new ethernet cards on the market (like this one from Intel) that have built in hardware to handle the encryption, and driver support under several operating systems.

[ Back | TOC | Forwards]