VPN Glossary

AUTHENTICATION

Authentication is the process by which a device or user proves its identity before it is allowed to establish or use a virtual private network (VPN). It is distinct from encryption: encryption protects the data in transit, but on its own it does not establish who is on the other end of the tunnel.

ENCRYPTION

Encryption is the process of disguising information in such a way as to hide its substance. (The process of converting the encrypted information back to its original form is called decryption.)

FIPS 140

The Federal Information Processing Standard 140 (FIPS 140), published by the U.S. National Institute of Standards and Technology (NIST), specifies security requirements for cryptographic modules: the design of the module, its key management, self-tests, and physical protection, graded into four security levels. U.S. federal agencies are required to use validated modules to protect sensitive but unclassified information, and financial institutions and other regulated industries often require the same of their VPN vendors. FIPS 140 is not a key-recovery standard, and validation is not limited to hardware: software and firmware modules can be validated as well, although the higher levels demand tamper-resistant hardware. When evaluating a VPN product, check that its cryptographic module holds a current validation certificate rather than relying on a vendor's claim that the product is "FIPS compliant."

IPSEC

IP Security (IPSec) is the Internet Engineering Task Force (IETF) standard for securing IP traffic. It defines a suite of protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), that authenticate the origin of IP packets and add confidentiality and integrity protection to them. Because IPSec operates at the IP layer, it is transparent both to the application being used and to the underlying network infrastructure. The current version is detailed in Requests for Comments (RFCs) 1825 through 1829; the IETF is in the process of reviewing a revision of this standard. Many vendors support the current version and plan to support the revised version when it is finalized.

ISAKMP/OAKLEY

Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley) is one of two public-key based key-management schemes proposed for use with IPSec. It is a hybrid: ISAKMP provides the framework for negotiating and managing security associations (the algorithms, keys, and lifetimes two peers agree to use), works in multiprotocol environments, and has very low overhead, while Oakley supplies the Diffie-Hellman based key exchange that produces the session keys. (See also SKIP.)
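The exchange at the heart of Oakley is Diffie-Hellman: each side publishes g^x mod p for a private x and both compute the same g^xy without it ever crossing the wire. The following is an added example, not part of the glossary and not any vendor's implementation. It uses the 1024-bit MODP group that RFC 2409 defines for this protocol (Oakley group 2), verifies that the prime is in fact a safe prime before use, rejects the degenerate public values that would force a predictable secret, and derives a fixed-length key from the shared secret with an HMAC-based pseudo-random function in the shape of IKE's SKEYID computation. The nonce handling and the use of HMAC-SHA256 are choices made for this example; note also that a 1024-bit group is shown because it is the one defined alongside the protocol, and a 2048-bit or larger group, or an elliptic-curve group, is what you would deploy today.

```python
"""Diffie-Hellman key agreement of the kind Oakley contributes to ISAKMP,
over the 1024-bit MODP group from RFC 2409 (Oakley group 2).  Added
illustrative example; not from the glossary and not any vendor's code."""
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 2409 section 6.2: the 1024-bit MODP prime; the generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime: the only subgroups then have order 1, 2, q or 2q,
    so a peer cannot confine the shared secret to a small subgroup."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DHParty:
    """One side of the exchange: keeps x, publishes g^x mod p."""

    def __init__(self, private: Optional[int] = None):
        # A 256-bit private exponent is ample for the strength of this group.
        self.private = private if private is not None else secrets.randbits(256) | (1 << 255)
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public: int) -> int:
        # 0, 1, p-1 and p would make g^xy trivial for anyone watching; with a safe
        # prime, excluding these is the whole public-value check that is needed.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("degenerate peer public value")
        return pow(peer_public, self.private, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Fixed-length key from g^xy, shaped like IKE's SKEYID = prf(Ni | Nr, g^xy)
    but with HMAC-SHA256 (an assumption of this example) as the prf."""
    secret_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()


def run_exchange():
    """Both sides' messages: only public values and nonces cross the wire."""
    initiator, responder = DHParty(), DHParty()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # initiator -> responder: (initiator.public, ni)
    # responder -> initiator: (responder.public, nr)
    k_i = derive_key(initiator.shared_secret(responder.public), ni, nr)
    k_r = derive_key(responder.shared_secret(initiator.public), ni, nr)
    return k_i, k_r


if __name__ == "__main__":
    assert is_safe_prime(P)
    k_i, k_r = run_exchange()
    print("keys match:", k_i == k_r, k_i.hex())
```

Nothing in this exchange tells either party who the peer is; an attacker on the path could run one exchange with each side. That is the gap ISAKMP fills when it authenticates the exchange with pre-shared keys, signatures, or certificates before the session keys are trusted.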

L2F

Layer 2 Forwarding (L2F) is a tunneling protocol that Cisco Systems Inc. submitted to the IETF as a proposed standard. L2F transports link-layer frames such as Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP). L2F, as the name implies, operates at the data-link layer, which is layer 2 in the Open Systems Interconnection (OSI) model defined by the International Organization for Standardization (ISO). L2F is targeted at the ISP market.

L2TP

Layer 2 Tunneling Protocol (L2TP) combines L2F and Point-to-Point Tunneling Protocol (PPTP). It authenticates a dial-up user at the access concentrator and tunnels that user's PPP or SLIP session across the Internet to a network server at the destination, operating at the data-link layer of the OSI model. L2TP itself provides no encryption; in practice it is paired with IPSec when confidentiality is required. Like L2F, L2TP is targeted at the ISP market.

PPTP

Microsoft Corp. submitted Point-to-Point Tunneling Protocol (PPTP) to the IETF as a proposed standard, and several vendors, including 3Com Corp. and Ascend Communications Inc., have endorsed this proposed standard. PPTP, which encapsulates dial-up PPP traffic, is currently available for Windows NT servers and workstations and also for Windows 95 workstations through an upgrade. PPTP itself neither authenticates users nor encrypts traffic; it relies on the PPP layer for both, typically MS-CHAP for authentication and Microsoft Point-to-Point Encryption (MPPE) for confidentiality, so the security of a PPTP VPN is only as strong as those PPP mechanisms.

SKIP

Simple Key Management for Internet Protocol (SKIP) is the other of the two public-key based key-management schemes proposed for use with IPSec. SKIP is optimized for client connections to a remote network: rather than negotiating a session first, it carries the key information needed to process each packet in the packet itself, so a client can send protected traffic without a prior handshake. (See also ISAKMP/Oakley.)

STEP

Compatible Systems developed Secure Tunnel Establishment Protocol (STEP) as a proprietary rival to L2TP for secure LAN-to-LAN connectivity. Unlike L2TP, which operates at layer 2 of the OSI model, STEP operates at layer 3, the network layer. One advantage STEP has over L2TP is that a STEP tunnel does not let a tunneled PPP session monopolize the host's Internet connection: with a STEP tunnel in place, a second connection can be established concurrently.

TUNNELING

Tunneling is a method of carrying one protocol's packets inside another's: the original packet is encapsulated in an outer packet whose protocol is understood at the entry and exit points of the tunnel, and the intermediate network forwards only the outer packet. Tunneling by itself hides nothing; unless the encapsulated packets are also encrypted and authenticated, anyone on the path can read or alter them. L2F, L2TP, PPTP, and STEP are all tunneling protocols, and IPSec provides a tunnel mode as well.
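The IPSEC and TUNNELING entries above describe the two halves of a protected tunnel: encapsulation, and the confidentiality, integrity and origin checks that make the encapsulated traffic safe to send across a public network. The following added example, which is not part of the glossary or of any vendor's product, puts them together in the shape of IPSec's ESP in tunnel mode. An inner packet is wrapped in an outer packet carrying a Security Parameters Index (SPI), a sequence number, the ciphertext, and an integrity check value (ICV); the receiver verifies the ICV in constant time before doing anything else, applies the sliding anti-replay window that ESP specifies, and only then decrypts. The keys, the SPI, and the packet bytes are constructed for the example, and an HMAC-SHA256 keystream in counter mode stands in for the block-cipher mode a deployed ESP would use (AES-CTR or AES-GCM), so the code is for learning, not for production.

```python
"""ESP-style tunnel-mode encapsulation and decapsulation with integrity
checking and anti-replay.  Added illustrative example, not code from the
glossary or any product: keys, SPI and packet bytes are constructed, and an
HMAC-SHA256 keystream stands in for the cipher mode a real ESP uses."""
import hashlib
import hmac
import struct

ICV_LEN = 16        # truncated HMAC tag, as ESP does with e.g. HMAC-SHA1-96
REPLAY_WINDOW = 64  # width of the sliding anti-replay window


class SecurityAssociation:
    """Per-SA state shared by both ends: keys, send counter, replay window."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        # One negotiated key, two derived keys: never use one key for both jobs.
        self.k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.k_auth = hmac.new(key, b"auth", hashlib.sha256).digest()
        self.next_seq = 1      # ESP sequence numbers start at 1
        self.highest_seen = 0  # receiver side
        self.window = 0        # bit i set => sequence (highest_seen - i) was seen

    def _keystream(self, seq: int, length: int) -> bytes:
        # PRF in counter mode keyed by (SPI, seq, block): unique per packet as
        # long as seq never wraps, which is exactly why ESP forbids wrapping.
        out = bytearray()
        for block in range((length + 31) // 32):
            msg = struct.pack(">IIQ", self.spi, seq, block)
            out += hmac.new(self.k_enc, msg, hashlib.sha256).digest()
        return bytes(out[:length])

    def _icv(self, header: bytes, ciphertext: bytes) -> bytes:
        # Integrity covers SPI, sequence number and ciphertext (encrypt-then-MAC).
        tag = hmac.new(self.k_auth, header + ciphertext, hashlib.sha256).digest()
        return tag[:ICV_LEN]

    def encapsulate(self, inner_packet: bytes) -> bytes:
        """Outer packet = SPI | seq | ciphertext(inner packet) | ICV."""
        if self.next_seq > 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted; the SA must be rekeyed")
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        header = struct.pack(">II", self.spi, seq)
        ks = self._keystream(seq, len(inner_packet))
        ciphertext = bytes(p ^ k for p, k in zip(inner_packet, ks))
        return header + ciphertext + self._icv(header, ciphertext)

    def _accept_seq(self, seq: int) -> bool:
        """Sliding-window replay check; records seq only when it is accepted."""
        if seq == 0:
            return False
        if seq > self.highest_seen:  # new high-water mark: slide the window
            shifted = self.window << (seq - self.highest_seen)
            self.window = (shifted | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seen = seq
            return True
        offset = self.highest_seen - seq
        if offset >= REPLAY_WINDOW or (self.window >> offset) & 1:
            return False  # older than the window, or already received
        self.window |= 1 << offset
        return True

    def decapsulate(self, outer_packet: bytes) -> bytes:
        """Verify ICV, then replay-check, then decrypt; a rejected packet changes no state."""
        if len(outer_packet) < 8 + ICV_LEN:
            raise ValueError("truncated packet")
        header, body, icv = outer_packet[:8], outer_packet[8:-ICV_LEN], outer_packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # Constant-time comparison, before the replay window is consulted, so a
        # forged packet can neither leak timing nor advance the window.
        if not hmac.compare_digest(icv, self._icv(header, body)):
            raise ValueError("integrity check failed")
        if not self._accept_seq(seq):
            raise ValueError("replayed or out-of-window sequence number")
        ks = self._keystream(seq, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    """Round trip, then a replay and a tampered copy; returns the receiver's verdicts."""
    key = bytes(range(32))  # constructed; a deployment gets this from ISAKMP/Oakley
    tx, rx = SecurityAssociation(0x1000, key), SecurityAssociation(0x1000, key)
    inner = b"\x45\x00" + b"constructed stand-in for an inner IP packet"
    outer = tx.encapsulate(inner)
    result = {"roundtrip": rx.decapsulate(outer) == inner}
    tampered = outer[:12] + bytes([outer[12] ^ 1]) + outer[13:]
    for name, pkt in (("replay", outer), ("tampered", tampered)):
        try:
            rx.decapsulate(pkt)
            result[name] = "accepted"
        except ValueError as err:
            result[name] = str(err)
    return result


if __name__ == "__main__":
    print(demo())
```

Two points in the ordering matter in practice. The ICV is checked before the replay window is touched, so an attacker cannot use forged packets to push the window forward and cause legitimate late packets to be dropped; and the sequence counter is never allowed to wrap, because a repeated (SPI, sequence) pair would repeat the keystream and expose both packets.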

VPN

A VPN can be defined in several ways: The broad definition of a VPN is a private network that uses a public network's infrastructure. The definition used in this article, however, is a private network created by tunneling encrypted packets through an IP-based network, such as the Internet or an intranet. A VPN can also be defined as a carrier-based service that creates a private network by tunneling encrypted packets through a switched network, such as a frame-relay network or an asynchronous transfer mode (ATM) network. Although the switched network is privately owned by a telecommunications carrier or by an ISP, this network is considered public because it is used by all of the service's customers.