Virtual Private Networks: Technologies and Solutions


  • Sorry, this book is no longer in print.
Not for Sale




  • Copyright 2001
  • Dimensions: 7-5/8" x 9-1/2"
  • Pages: 336
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-70209-6
  • ISBN-13: 978-0-201-70209-5

VPNs enable any enterprise to utilize the Internet as its own secure private network. In this book, two leading VPN implementers offer a start-to-finish, hands-on guide to constructing and operating secure VPNs. Going far beyond the theory found in most books, Ruixi Yuan and Tim Strayer present best practices for every aspect of VPN deployment, including tunneling, IPsec, authentication, public key infrastructure, and network/service management. Strayer and Yuan begin with a detailed overview of the fundamental concepts and architectures associated with enterprise VPNs, including site-to-site VPNs, remote access VPNs, and extranets. They compare all options for establishing VPN tunnels across the Internet, including PPTP, L2F, and L2TP. Next, they present in-depth coverage of implementing IPsec; establishing two-party or trusted third-party authentication; building a robust public key infrastructure; and managing access control. The book includes expert coverage of VPN gateway configuration, provisioning, and management; Windows and other VPN clients; and network/service management, including SLAs and network operations centers. Finally, the authors preview the future of VPNs, showing how they may be enhanced to provide greater quality of service and network intelligence. For all networking and IT professionals, security specialists, consultants, vendors, and service providers responsible for building or operating VPNs.

Table of Contents



1. Introduction.

Business Communication.

VPN Motivation.

The VPN Market.

VPN Technologies.

VPN Solutions.

2. Basic Concepts.

A Brief History of the Internet.

Network Architecture.

ISO OSI Reference Model.


Network Topology.

The Need for Security.


Shared Key Cryptography.

Public Key Cryptography.

Digital Signatures.

Message Authentication Codes.

3. VPN Architectures.

Site-to-Site Intranet VPNs.

Remote Access VPNs.

Extranet VPNs.

A Security Services Taxonomy.


4. Tunnels.


Data Integrity and Confidentiality.

VPN Tunneling Protocols.

5. IPsec.

Basic IPsec Concepts.

Security Protocols.

Security Associations.

Security Databases.

IPsec and VPNs.

Authentication Header.

Encapsulating Security Payload.

Internet Key Exchange.

Phase 1 Negotiation.

Phase 2 Negotiation.

Key Generation in IKE.

IPsec Implementation.

Inbound Packet Processing.

Outbound Packet Processing.

6. Authentication.

Two-Party Authentication.

PPP Authentication.


S/KEY and OTP.

Trusted Third-Party Authentication.


X.509 Public Key Infrastructure.

Pretty Good Privacy Trust Model.

Authentication in VPNs.

Gateway-Gateway Authentication.

Client-Gateway Authentication.

7. Public Key Infrastructure.

PKI Architecture.



Certificate Revocation.

Trust Models.

Digital Certificate Formats.

X.509 Digital Certificate.

PGP Certificate.

PKCS #6, Extended-Certificate Syntax Standard.

X.509 Attribute Certificate.

Certificate Management System.

Certification Authority.

Registration Authority.

Certificate and CRL Repository.

Certificate Protocols.

Certificate Use in VPNs.


Key Management.

Access Control.

8. Access Control.

Access Control Policy.

Attributes and Conditions.

Access Control Rules.

Access Control Mechanisms.

Access Control Lists.

Capabilities Lists.

Access Control Policy Management.

Distributed Policy Management.

Centralized Policy Management.

Policy Repository.

Access Control in VPNs.


9. VPN Gateways.

VPN Gateway Functions.

Site-to-Site Intranet VPN Functions.

Remote Access VPN Functions.

Extranet VPN Functions.

Forwarding, Routing, and Filtering Functions.

Advanced Functions.

Gateway Configuration and Provisioning.

Gateway Identity Information.

External Device Information.

Security Policy Information.

Gateway Management.

Configuration Management.

Network Monitoring.

Accounting Information.

Gateway Certification.

Interaction with Firewalls.

VPN Gateway and Firewall in Parallel.

VPN Gateway and Firewall in Series.

Hybrid Configurations.

VPN Design Issues.

A VPN Solution Scenario.

10. VPN Clients.

VPN Client Functions.

Operating System Issues.

Microsoft Windows.

Other Operating Systems.

Operational Issues.

Working with the Corporate Firewall.

Working with Network Address Translation.

Fragmentation and MTU Issues.

Private and Public Domain Name Servers.

WINS Server Issues.

VPN Clients for Windows.

Layer 2 Clients.

IPsec Clients.

L2TP/IPsec Combination Clients.

VPN Client Software Installation.

VPN Clients for Other Platforms.

Layer 2 Implementations.

IPsec Implementations.

Alternative VPN Clients.

SSH as VPN Client.

SOCKS and SSL as VPN Client.

User-Level Daemon.

A Remote Access VPN Scenario.

11. VPN Network and Service Management.

Network Management Standards.

Network Management Architecture.

Network Management Station.

Managed Nodes.

Network Management Protocol.

Management Information.

Other Means of Management.

VPN Management.

Managing Tunnels.

VPN Management in a Service Provider Environment.

Secure Management Tunnel in VPN.

Out-of-Band Access for Management.

Service Management.

Service Level Agreement.

Network Operations Center.

Customer Portal.

International Issues.

12. VPN Directions: Beyond Connectivity.

Evolutions in Network Infrastructure.

Evolutions in VPNs.

Internetworking Beyond Connectivity.

Network Security.

Quality of Service.

Intelligence in the Network.

Index.


The Internet has been around in one form or another for more than three decades now, but it really has been since the middle of the 1990s that the use of the Internet became a daily part of people's lives. Connectivity to the Internet is now imperative for almost all companies, regardless of what their business really is. Individuals can find Internet access at school, work, and home, in cafés and kiosks, and in cell phones and PDAs. Staying connected has become an obsession.

The focus has shifted from being connected to being securely connected. It is one thing to have Internet access, but without security, the usefulness of the connectivity is rather limited. People want to have the reach of the Internet, but they should not have to compromise their privacy or expose proprietary resources.

Fortunately, all of the ingredients are present for constructing a private network on top of a public one. The challenge comes in putting the technologies together so that the result is a viable and secure virtual private network.

This book provides a comprehensive guide to the technologies used to enable VPNs, the VPN products built from these technologies, and the combinations of various components to provide practical VPN solutions.

VPN technologies and solutions are still rapidly evolving. This book describes the current state of the art in this field. But things change quickly, so when appropriate, we have attempted to point out the continued effort in the industry to develop new technologies and solutions.


This book is intended for a broad range of readers interested in virtual private networks.

For network engineers and managers, this book serves as a practical guide to the technologies and solutions. It discusses issues to be considered in designing and implementing a VPN.

For VPN software and hardware developers, it provides the necessary background material to understand the functions to be developed and the rationale behind them.

For IT managers and executives, this book sets the overall context of VPNs and provides the means for assessing various implementations from equipment vendors and service offerings from service providers.

For students and educators, this book can be used as a reference text for a course in network security or electronic commerce.

Book Organization

This book is organized in three parts. Part I--VPN Fundamentals--consists of three chapters: Introduction, Basic Concepts, and VPN Architectures. Chapter 1 introduces the concept of VPN and how it permits flexibility in facilitating private communication in a public network. We also classify the relevant technologies into four distinct categories. Chapter 2 sets VPNs in context by briefly reviewing the development of the Internet and how security has been thrust to the forefront. It also reviews the basic IP networking and cryptography concepts that pertain to VPNs. Chapter 3 presents VPN architectures in two ways. The first approach is based on designing VPN around practical networking solutions: site-to-site intranet, extranet, and remote access. The second approach focuses on the different traffic aggregation points where security services are applied.

Part II--VPN Technologies--consists of five chapters: Tunnels, IPsec, Authentication, Public Key Infrastructure, and Access Control. Chapter 4 is concerned with the most important technology category--tunneling. We investigate the many different tunneling technologies that are important in VPN solutions. Chapter 5 concentrates on IPsec, the security protocol for IP standardized by the IETF and, in our opinion, the VPN tunneling technology that will be most prevalent going forward. Chapter 6 describes authentication in a broad context first and then describes the various two-party and three-party schemes that are widely applied in networking. The most important three-party scheme--PKI--is then presented in Chapter 7. In Chapter 8, we look at access control technologies, an often overlooked but vital aspect of VPNs. We describe how access policies can be presented, managed, and enforced in a networked environment.

Part III--VPN Solutions--consists of four chapters: VPN Gateways, VPN Clients, VPN Network and Service Management, and VPN Directions: Beyond Connectivity. This part describes how the various technology components can be assembled to create practical VPN solutions. Chapter 9 starts with the roles played by a VPN gateway, then derives the requirements imposed on the gateway, and finally describes the various functions that should be implemented. It also presents a concrete design example. Chapter 10 details the many issues of VPN clients, some similar to VPN gateways and some different. Chapter 11 presents the needs and approaches for performing continued management of VPNs from the viewpoints of both a network and a service. Finally, we discuss the future directions of VPNs in Chapter 12 and how important it is to realize that networking is the means, not the goal, and to look beyond simple connectivity in the networking arena.

How to Read the Book

There are two ways to read this book. For novices, we recommend completing Part I before proceeding to either Part II or Part III. For readers already knowledgeable in networking and security, each chapter is self-contained and can be read separately.

Readers are encouraged to read Chapters 4 and 5 together to obtain a fuller grasp on the concept of tunneling and IPsec as a layer-three tunneling technology. Similarly, Chapters 6 and 7 deal with authentication, with Chapter 7 exploring public key infrastructures in detail. It is also a good idea to review how a certain technology is introduced in Part II before seeing how it is applied to a VPN solution in Part III.

Ruixi Yuan
Tim Strayer

Boston, Massachusetts
March 2001



3COM, 66
3DES (triple DES), 38, 81, 141, 143, 176, 178, 181, 183, 191, 230, 237, 266
See also DES

Access control, 9, 12, 15, 45, 51, 153-171, 182, 247, 269, 279
access control list (ACL), 160
attributes, 155, 157-159
capabilities list (C-list), 160
centralized policy management, 165
discretionary policy, 157
distributed policy management, 164
environmental conditions, 158
filters, 191-192
in IPsec, 75
mandatory policy, 157
mechanisms, 156, 160-163, 167
policy, 156-160, 167
policy management, 156, 163-167
resource attributes, 158
rules, 159-160
stakeholders, 159
user attributes, 157
as a VPN client function, 18, 216, 218
as a VPN gateway function, 17, 176
in VPNs, 167-171
Access control list, See ACL
Accounting, 193, 198
ACL (access control list), 160-162, 260
Adapter, network, 222, 229, 233
Adapter, shim, 222, 233
Adapter, virtual, 233-234
Adleman, Leonard, 40
Advanced Encryption Standard, See AES
Advanced Research Projects Agency, See ARPA
AES (Advanced Encryption Standard), 37, 230
AH (Authentication Header), 58, 63, 70, 76-77, 79, 83-88, 100, 203
fields, 84
protocol number, 77
transport mode, 86-87
tunnel mode, 87-88
Alcatel, 187, 195-196, 231, 234
Altiga, 226, 231
Amazon.com, 7
Anti-replay protection, 75, 85
AH (Authentication Header), 84
ESP (Encapsulating Security Payload), 88
Apple, 220, 224, 234
Application layer, 30
Application programming interface (API), 195
ARPA (Advanced Research Projects Agency), 23-24
ARPANET, 23-24, 26, 33
Ascend Communications, 66
ASN.1 (Abstract Syntax Notation One), 137, 253
Asymmetric key cryptography, 36
See also Public key cryptography
Asynchronous Transfer Mode, See ATM
AT&T, 220
ATM (Asynchronous Transfer Mode), 47, 68, 185
Attack, 18, 33, 88
against CA, 147
denial of service, 34, 93, 279
dictionary, 106
distributed denial of service, 279
Internet worm, 34
on keys, 16
network-based, 34
replay, 15, 94, 122
Trojan Horse, 122
Attributes, 157
environmental conditions, 158
identity, 157
resource attributes, 158
use conditions, 158
user attributes, 157
for VPN access control, 170
X.509 attribute certificate, 145
Authentication, 9, 12, 14, 45, 47, 51, 59-60, 103-128, 153, 155, 182, 189, 217, 269, 279
AH (Authentication Header), 84-86
CHAP (Challenge Handshake Authentication Protocol), 66, 112
client-gateway, 127
cryptography used for, 36-37
EAP (Extensible Authentication Protocol), 66, 113
ESP (Encapsulating Security Payload), 88
gateway-gateway, 126
in IPsec, 63, 75
Kerberos, 119
MAC (message authentication code), 43
lack of in MPLS, 73
one-time passwords, 117
options for VPN clients, 230
PAP (Password Authentication Protocol), 66, 107, 111
password, 43, 106, 157
PGP (Pretty Good Privacy)
RADIUS (Remote Access Dial In User Service), 114
S/KEY, 109, 117
Security Association Database (SAD), 80
Security Policy Database (SPD), 81
SSH (Secure Shell), 237
trusted third-party, 14, 104
two-party, 14, 104
as a VPN client function, 18, 216-217, 231
as a VPN gateway function, 17, 176
in VPNs, 126-128
X.509 public key infrastructure, 122
Authentication Header, See AH
Autonomous system (AS), 278

BBN, 33, 146
Bellcore, 252
Bellovin, Steven M., 35, 201
Berners-Lee, Tim, 26
BGP (Border Gateway Protocol), 278
Secure-BGP, 184
Blowfish, 38, 237, 241
Border gateway, 33
BSD Unix, See Unix
BSDI, 235
Business communication, 4, 8

CA (certification authority), 122, 129-130, 132-135, 145-147, 190, 210
cross-certification, 135
Microsoft, 139
root, 135
Cable modem, 19, 46, 49-50
Capabilities list (C-list), 160, 163
Capstone, 38
CAST, 141, 143, 176
CCITT, See ITU, 122
Centralized policy management, 165
Cerberus, 236
CERN (Center for European Nuclear Research), 26
Certificate, 122, 129, 132-133
CRL (certificate revocation list), 124
cross certificate, 135
enrollment, 152
management system, 145
PGP (Pretty Good Privacy), 141-144
protocols, 149
root, 123, 135
self-signed, 143
use-condition certificate, 158
use in VPNs, 152-154
See also Digital certificate
Certificate and CRL repository, 130, 145, 148
Certificate management system, 145-149
Certificate protocols, 149-152
PKCS #10, Certification Request Syntax Standard, 151
PKCS #7, Cryptographic Message Syntax Standard, 151
PKIX (Public Key Infrastructure for the Internet), 150
SCEP (Simple Certificate Enrollment Protocol), 152
Certificate revocation list, See CRL
Certification authority, See CA
Certification Practice Statement (CPS), 147
Challenge Handshake Authentication Protocol, See CHAP
CHAP (Challenge Handshake Authentication Protocol), 66, 108, 112-113, 230
Check Point, 187, 231
Checksum, IP, 32, 59-60, 85
Checksum, TCP, 59
Cheswick, William R., 35, 201
CIDR (Classless Inter-Domain Routing), 179
Ciphertext, 35-36
CIR (committed information rate), 46
Cisco, 66-67, 152, 187, 194, 231
Altiga VPN client, 226
Compatible Systems VPN client, 234
Clipper, 38
CMIP (Common Management Information Protocol), 247, 252
CMIS (Common Management Information Service), 247
Command line interface (CLI), 193, 196, 252
Committed information rate, See CIR
Common Management Information Protocol, See CMIP, 246
Common Management Information Service, See CMIS, 246
Compatible Systems, 234
Compression, 231
Confidentiality, 9, 38, 59-61, 70
cryptography used for, 36-37
in IPsec, 63, 75
lack of in MPLS, 73
See also Data confidentiality
Configuration file, 194
Configuration management, 193
Coordinated universal time, See UTC
CRL (certificate revocation list), 124, 129-130, 133-134, 146, 180, 210
X.509v2, 148
Cross-certification, 147
Cryptanalysis, 37
Cryptographic keys, 35
Cryptography, 35
asymmetric, 36
block cipher, 37
key management, 39
public key, 36, 38-39
shared key, 36
symmetric, 36
Customer premises equipment (CPE), 54, 272
Customer relationship management (CRM), 263

Data confidentiality, 9, 60, 75, 269, 279
ESP (Encapsulating Security Payload), 88
as a VPN client function, 176, 216, 219
Data Encryption Standard, See DES
Data integrity, 9, 15, 36, 59, 61, 269, 279
AH (Authentication Header), 83
in IPsec, 75
as a VPN client function, 176, 216, 219
Data link layer, 28
Data origin authentication, 75
AH (Authentication Header), 83
Data security, 13, 15, 45
as a VPN gateway function, 17
as a VPN client function, 18
See also Data confidentiality and Data integrity
Decryption, 35
public key, 38
shared key, 37
Demilitarized zone, See DMZ
Denial-of-service attack, 34, 93, 279
Department of Defense (DoD), 23
DES (Data Encryption Standard), 37-38, 81, 176, 230
cracked, 37
DHCP (Dynamic Host Configuration Protocol), 181, 190, 219, 222, 230, 248
Dial-up networking, See DUN
Dictionary attack, 106
Differentiated service code point (DSCP), 207
Diffie, Whitfield, 36, 129
Diffie-Hellman algorithm, 96, 141, 153
DiffServ, 207
Digital certificate, 81, 130, 132-136, 171, 179-180, 182-184, 189, 191, 217-218
use in access control, 154
use in authentication, 153
creation, 146
formats, 136-145
use in key management, 153
revocation, 146
X.509, 136
See also Certificate
Digital certificates, 230, 241
Digital signature, 40-43, 133, 136
DSA, 43
RSA, 43
Digital Signature Algorithm, See DSA
Digital subscriber line, See DSL
Directory Access Protocol (DAP), 166
Directory System Agent (DSA), 166
Directory User Agent (DUA), 166
Distinguished name (DN), 81-82, 123, 139, 171
relative distinguished name (RDN), 139
Distributed denial-of-service attack, 279
Distributed policy management, 164
DMZ (demilitarized zone), 204
DNS (Domain Name System), 135, 162, 181, 189, 222, 225, 227-229, 278
DNSSEC (Secure Domain Name System), 135
Domain Name System, See DNS
DSA (Digital Signature Algorithm), 43, 141-142
DSL (digital subscriber line), 19, 46, 49-50, 234, 277
DUN (dial-up networking), 229
Dynamic Host Configuration Protocol, See DHCP

EAP (Extensible Authentication Protocol), 66, 113-114
ECI Telematics, 66
E-commerce, 9, 27
B2B, 9
B2C, 9
Electronic Frontier Foundation, 37
Electronic mail, See Email
ElGamal algorithm, 40, 144
Ellison, Carl, 134
Email, 24
Encapsulating Security Payload, See ESP
Encapsulation, 13, 30, 58, 63, 215, 219, 226
ESP (Encapsulating Security Payload), 90
GRE (Generic Routing Encapsulation), 64
modes for VPN clients, 230-231
modes for VPN gateways, 179
algorithm, 35
asymmetric, 60
ESP (Encapsulating Security Payload), 88
hardware acceleration, 187
NULL algorithm, 89
options for VPN clients, 230
public key, 38, 40
shared key, 37
symmetric, 60
Entrust, 203
ESP (Encapsulating Security Payload), 58, 63, 70, 76-77, 79, 88-91, 100, 183
fields, 89
protocol number, 77
transport mode, 90, 180
tunnel mode, 91, 179, 182
Ethernet, 257, 263
EUnet, 26
Extensible Authentication Protocol, See EAP
Extranet, 6
Extranet VPN, 46, 50-52
functions, 182-184

Federal Information Processing Standard (FIPS), 146
Feghhi, Jalal, 136
Feghhi, Jalil, 136
Finland, 140
FIPS 140-1, 146, 201
FIPS 140-1 certification, 200
Firewall, 21, 35, 48, 184, 218, 225, 230, 248, 276
DMZ (demilitarized zone), 204
interaction with VPN gateways, 201
Fischetti, Mark, 26
Fragmentation, 31, 60, 226-227
don't fragment IP flag, 31
more fragments IP flag, 31
Frame relay, 4, 9, 46-48, 67-68
CIR, 46
provisioning, 46
PVC, 46, 48
FreeBSD, 224, 234-235
FreeS/WAN, 235
FTP (File Transfer Protocol), 252, 259, 262

Gateway, 24, 29
border, 33
See also Router and VPN gateway
Generic Routing Encapsulation, See GRE
Germany, 140
GnuPG, 40, 141
See also PGP
Good, Gordon S., 167
Graphical user interface, See GUI
GRE (Generic Routing Encapsulation), 64, 67-68
GUI (graphical user interface), 194
Gutmann, Peter, 140

Hash function, 41
collision resistant, 41
one-way, 41-43
Hashed message authentication code, See HMAC
Hellman, Martin, 36, 129
HMAC (hashed message authentication code), 43, 85
Hot Standby Router Protocol, See HSRP
Howes, Timothy A., 167
HSRP (Hot Standby Router Protocol), 187
HTTP (Hypertext Transfer Protocol), 252
Hub-and-spoke, 46

IBM, 37
ICANN (Internet Corporation for Assigned Names and Numbers), 278
ICMP (Internet Control Message Protocol), 196
ping, 197
traceroute, 198
ICSA (International Computer Security Association), 200
IDEA, 38, 141, 143, 176
IETF (Internet Engineering Task Force)
firewall bypass effort, 226
IPsec standard, 12, 75, 98
L2TP Extensions working group, 69
MIB-II defined objects, 253
MPLS-based VPN effort, 276
NAT/IPsec compatibility effort, 226
PKIX Working Group, 123
RMON, 257
security policy effort, 159
SNMP, 247
VPN state synchronization effort, 187
VPN tunneling efforts, 260
IGRP (Interior Gateway Routing Protocol), 278
IKE (Internet Key Exchange), 76-77, 82, 91-99, 101, 260
use with firewalls, 203
ICSA certification, 200
key generation, 96, 179, 182-184
key management, 153
phase 1 negotiation, 94
phase 2 negotiation, 95
security policy effort, 159
Indus River, 231
Integrated Services Digital Network, See ISDN
Integrity check value (ICV), 85-86
Intel, 66, 231
Intercept driver, 222
Interface Message Processor (IMP), 24
International Computer Security Association, See ICSA
International Organization for Standardization, See ISO
International Telecommunication Union, See ITU
Internet, 3-4, 6, 8, 12, 48, 63
attacks, 34
connectivity, 47
evolution, 269
growth, 26
history, 23
IP (Internet Protocol), 30
management, 245
security, 278
tunneling, 62-63
worm, 34
Internet Activities Board, 247
Internet Control Message Protocol, See ICMP
Internet Engineering Task Force, See IETF
Internet Explorer, 135
Internet Key Exchange, See IKE
Internet Protocol, See IP
Internet Security Association and Key Management Protocol, See ISAKMP
Internet service provider, See ISP
Internet worm, 34
Internet-Draft, 289
Internetwork, 24, 57
Internetworking, 29, 277
Intranet, 6, 63, 175
Intrusion detection system (IDS), 35, 279
IP (Internet Protocol), 6, 24-25, 30-32, 47, 59, 221
address, 24, 32
destination address field, 32
don't fragment flag, 31
flags field, 31
fragment offset field, 32, 85
fragmentation, 31, 85
fragmentation field, 60
header checksum field, 32, 85
header format, 30
header length field, 31
identification field, 31
Internet, 25
internetwork, 24
IPsec, 75
IPv4, 75
IPv6, 75
more fragments flag, 31
mutable fields, 85
options field, 32
padding field, 32
protocol field, 32
SLIP (serial line IP), 67
source address field, 32
time to live field (TTL), 32, 60, 85, 198
total length field, 31
type of service field (TOS), 31, 85
version field, 31
IP header, 59, 64, 70-71
IP service platform, 272-273
ipnsec, 236
IPsec, 12, 58, 70, 75-101
Authentication Header (AH), 83
certification from ICSA, 200
concepts, 75
Encapsulating Security Payload (ESP), 88
firewall issues, 219
fragmentation issues, 227
implementations, 98, 235
Internet Key Exchange (IKE), 91
iterated tunneling, 79
use with L2TP, 69
mode, 78, 80
NAT issues, 226, 276
nested SAs, 79, 273
packet filtering, 185
protocol, 80
SA (security association), 77, 79, 93-94
Security Association Database (SAD), 79
security databases, 79
Security Parameter Index (SPI), 77
Security Policy Database (SPD), 80
security policy effort, 159
security protocols, 76
transport adjacency, 79
transport mode, 86, 90
tunnel management, 260
tunnel mode, 70, 87, 91
as a VPN tunneling protocol, 63, 83, 176, 179, 191, 216-217, 230
IPv4, 75, 86, 235
IPv6, 75, 81, 86, 235
IPX (Internetwork Packet Exchange), 47, 59, 232
ISAKMP (Internet Security Association and Key Management Protocol), 76, 92, 99, 199
cookie, 93
master key, 97
SA (security association), 93-96
ISDN (Integrated Services Digital Network), 50, 61, 66
Isenberg, David, 281
ISO (International Organization for Standardization), 27, 110, 215, 246
ISP (Internet service provider), 11-12, 49-50, 53-54, 61-68, 245, 272
Iterated tunneling, 79
ITU (International Telecommunication Union), 122, 136
network management, 247

Kaliski, Barton, 144
KAME, 235
Kent, Steve, 134, 147
Kerberos, 116, 119-122
authentication server (AS), 119
ticket, 119
Ticket-Granting Server (TGS), 121
Ticket-Granting Ticket (TGT), 121
Key escrow, 132, 146-147
Key management, 36, 39, 153
Key ring, 125
Keyed MD5, 43

L2F (Layer Two Forwarding), 58, 61, 66-69, 111
as a VPN tunneling protocol, 176, 215, 230
L2TP (Layer Two Tunneling Protocol), 58, 61, 68-70, 111, 199, 238
compression methods for, 70
L2TP Access Concentrator (LAC), 68
L2TP Extensions Working Group, 69
L2TP Network Server (LNS), 68
tunnel management, 260
as a VPN tunneling protocol, 176, 191, 215, 230
Label Distribution Protocol (LDP), 280
Label switch router, See LSR
Label switched path, See LSP
Label switching, 63
Layer Two Forwarding, See L2F
Layer Two Tunneling Protocol, See L2TP
LDAP (Lightweight Directory Access Protocol), 167, 261
Leased line, 24, 241
Lightweight Directory Access Protocol, See LDAP
Link Control Protocol (LCP), 113
Link layer, 28, 30, 58, 274
Linux, 220, 224, 234-236
Local area network (LAN), 52
LSP (label switched path), 71, 275
LSR (label switch router), 71
Lucent, 66, 115

MAC (message authentication code), 43, 60
HMAC, 43
one-way hash function, 43
Unix passwords, 43
MacOS, 220, 224, 234
standard autopush driver, 224
VPN clients for, 234
Management information base, See MIB
Management information tree, See MIT
Maximum transmission unit, See MTU
MD4, 117
MD5, 43, 85, 113, 117, 143
keyed, 43
Message authentication code, See MAC
MIB (management information base), 20, 196, 247, 251, 253, 259-260
IKE Monitoring MIB, 197, 260
IP Tunnel MIB, 197
IPsec DOI Textual Conventions MIB, 260
IPsec Monitoring MIB, 197, 260
ISAKMP DOI-Independent Monitoring MIB, 260
L2TP MIB, 260
MPLS Traffic Engineered LSPs MIB, 260
MPLS Traffic Engineering MIB Using SMIv2, 260
RMON (Remote Monitoring), 257
TCP/IP (MIB-II), 197, 247
MIB view, 257
MIB-II, 197, 247, 253
Microsoft, 12, 66, 136, 139, 190, 218, 220-221, 229, 234
approach to VPN clients, 229
extensions to CHAP, 66
extensions to PAP, 66
Internet Explorer, 135
WINS (Windows Internet Service), 181, 229
Microsoft NetBIOS, 229
Microsoft Windows, See Windows
MIT (management information tree), 251, 253, 256
MIT (Massachusetts Institute of Technology), 119
availability, 264
bank, 61, 63, 66-67
cable, 49
cost, 49
dial-back protected, 263
digital modulation standards, 49
with encryption capability, 263
NAS (network access server), 115
speed, 49-50
MPLS (Multiprotocol Label Switching), 63, 71-73
enabling QoS, 280
label stacking, 71, 273
shim header, 71
tunnel management, 260
as a VPN tunneling protocol, 274-276
MS-CHAP, 66, 230
MTU (maximum transmission unit), 80, 86, 90, 226-227
Multiprotocol Label Switching, See MPLS

NAS (network access server), 64-67, 69, 115-117, 199, 248
NAT (network address translation), 185, 207, 219, 226, 276
National Center for Supercomputer Applications, See NCSA
National Institute of Standards and Technology, See NIST
National Science Foundation, See NSF
National Security Agency, See NSA
Navy, U.S., 33
NCP (Network Control Program), 24
NCSA (National Center for Supercomputer Applications), 26
NDIS (Network Driver Interface Specification), 221
NetBEUI, 222
NetBIOS, 229
NetBSD, 224, 234-235
Netscape, 26, 136, 140
Communicator, 135
NetScreen, 187
Netware, Novell, 5
Network access server, See NAS
Network adapter, 233
Network Control Program, See NCP
Network Driver Interface Specification, See NDIS
Network layer, 24, 29-30, 58, 70, 75
Network management
architecture, 248
FCAPS, 246, 265
international issues, 266
Internet model, 247, 251
OSI model, 246, 250-251, 253
out-of-band access, 263
probe, 248, 251
tunnels, 260
Network management protocols, 248, 250
Network management standards, 246
Blue Book Recommendation M.30, 247
CMIP (Common Management Information Protocol), 246
CMIS (Common Management Information Service), 246
OSI Basic Reference Model, Part 4, 246
RMON (Remote Monitoring), 247
SNMP (Simple Network Management Protocol), 247
TL1 (Transaction Language One), 252
TMN (Telecommunications Management Network), 247
Network management station, See NMS
Network management system, 245
Network monitoring, 193, 196
Network operations center, See NOC
Network security, 33-35, 277-279
devices, 35
Network service management, 263-266
customer portal, 265-266
NOC (network operations center), 265
SLA (service level agreement), 264
Network Time Protocol, See NTP
Network topology, 32
NIST (National Institute of Standards and Technology), 37, 43, 106, 201
NMS (network management station), 248
NOC (network operations center), 213, 261-263, 265
Nonce, 94
Nonrepudiation, 40
Nortel Networks, 66, 187, 194-195, 231
Northern Telecom, See Nortel Networks
Novell, 5, 47
NSA (National Security Agency), 33, 37, 43
NSF (National Science Foundation), 26
NSFNET, 26, 277
NTP (Network Time Protocol), 121
NULL encryption algorithm, 70, 89

Oakley key determination protocol, 92, 98
Object identifier (OID), 253-254
One-time passwords (OTP), 108, 113, 117-118
S/KEY, 109, 117
One-way hash function, 41-43, 60, 113, 117
Open Systems Interconnection, See OSI
OpenBSD, 224, 234-236
OpenPGP, 141
OpenSSH, 236
OSI (Open Systems Interconnection), 27
network management, 247
protocol stack, 215
OSI Reference Model, 27, 29, 166, 246
OSPF (Open Shortest Path First), 187, 278
with digital signatures, 184
Over the air rekeying (OTAR), 16

Packet-switched network, 24, 29, 32, 48, 59
PAP (Password Authentication Protocol), 66, 107, 111
Password Authentication Protocol, See PAP
Passwords, 43, 66, 106, 117
challenge/response, 107
CHAP (Challenge Handshake Authentication Protocol), 108
dictionary attack, 106
entropy, 106
NIST guidelines for choosing, 106
one-time, 108
out-of-band access, 263
PAP (Password Authentication Protocol), 107, 111
RADIUS, 115, 128
salt, 106
PDU (protocol data unit), 58, 252, 254
PEM (Privacy Enhanced Mail), 135
Perlman, Radia, 134
Permanent virtual circuit, See PVC
PGP (Pretty Good Privacy), 40, 119, 124, 135, 141, 216
certificate, 141-144
GnuPG, 141
OpenPGP, 141
public key ring, 125
web of trust, 124, 144
Physical layer, 28
Ping, 197
PKCS (Public-Key Cryptography Standards), 144, 150
PKCS #10, Certification Request Syntax Standard, 151-152
PKCS #6, Extended-Certificate Syntax Standard, 144, 151
PKCS #7, Cryptographic Message Syntax Standard, 151-152
PKCS #9, Selected Object Classes and Attribute Types, 145, 151
PKI (public key infrastructure), 14, 122, 129-154, 180, 184, 200, 203, 218
architecture, 130-136
CA (certification authority), 129
certificate and CRL repository, 130
certificate revocation process, 130, 133
certification process, 129, 132
key escrow, 132
name subordination, 135
RA (registration authority), 130
trust models, 131, 134
validation process, 129, 133
X.509, 122, 136
PKIX (Public Key Infrastructure for the Internet), 12, 123, 150
PMI (Privilege Management Infrastructure), 157
Point-to-Point Protocol, See PPP
Point-to-Point Tunneling Protocol, See PPTP
Policy management, 163
POP (point of presence), 46, 50, 52-54, 272
Port address translation, See PAT
PPP (Point-to-Point Protocol), 61-67, 69, 108, 185, 230, 232
authentication, 107, 111-114
Link Control Protocol (LCP), 111
PPPoE (PPP over Ethernet), 234
use in SSH, 237
PPPoE (Point-to-Point Protocol over Ethernet), 234
PPTP (Point-to-Point Tunneling Protocol), 58, 61, 63-69, 111, 229
authentication, 66
Microsoft, 66
PPTP Access Concentrator (PAC), 63, 68
PPTP Network Server (PNS), 63, 68
as a VPN tunneling protocol, 176, 215, 217, 230
PPTP Forum, 63, 66
Presentation layer, 30
Pretty Good Privacy, See PGP
Privacy Enhanced Mail, See PEM
Private addressing, 63
Private Line Interface (PLI), 33
Private network, 4, 6, 8-9, 63, 175, 279
Privilege Management Infrastructure, See PMI, 157
Project Athena, 119
Protocol data unit, See PDU
Protocol number, 32
Provisioning, 188
PSTN (public switched telephone network), 6, 61, 66, 263, 281
Public key certificate
X.509, 136
X.509v3, 140, 145
See also digital certificate, 136
Public key cryptography, 36, 38-39, 41, 129, 134
digital signature, 40
ElGamal algorithm, 40
encryption, 40
PGP (Pretty Good Privacy), 125
Rabin algorithm, 40
RSA algorithm, 40
use in SSH, 237
Public key infrastructure, See PKI
Public network, 6, 47, 175, 278
Public switched telephone network, See PSTN
Public-Key Cryptography Standards, See PKCS
PVC (permanent virtual circuit), 46, 48

QoS (quality of service)
denoted by IP TOS field, 31
for on-net traffic, 49
in the Internet, 49, 277
in IP service platform, 272
lack of standards, 12
enabled with MPLS, 63, 274-275
service beyond connectivity, 279-280
in VPN gateways, 21, 178, 186, 207
Quality of service, See QoS

RA (registration authority), 130, 132, 134, 145, 148
Rabin algorithm, 40
RADIUS (Remote Authentication Dial In User Service), 67, 114-117, 128
accounting for VPN gateways, 190, 199
authentication for VPN clients, 217, 230, 234
authentication for VPN gateways, 182, 190, 209-210
for storing policy information, 261
RAS (remote access server), 49, 61-62, 229
RC4, 176, 230
RC5, 230
Redcreek, 231
Registration authority, See RA
Remote access server, See RAS
Remote access VPN, 20, 45, 49-50, 54, 208
functions, 180-182
Remote Authentication Dial In User Service, See RADIUS
Replay attack, 15, 94, 122
Request for Comments, See RFC
RFC (Request for Comments), 33, 289
RFC Editor, 289
Rijndael algorithm, 37
RIP (Routing Info

