VPN Glossary

Advanced Encryption Standard (AES)
AES is the standard name for the Rijndael (Rain-doll) algorithm. It is a symmetric block cipher that can be used with 128, 192, and 256-bit keys. NIST (the National Institute of Standards and Technology) has selected AES as the successor to DES and 3DES.

ARCFour
Newer and faster encryption mechanism than DES.

Asymmetric Cryptography
Refers to the keys used to authenticate, or encrypt and decrypt data. Asymmetric cryptography or public key cryptography uses two keys for verification. Organizations such as RSA Data Security and VeriSign support asymmetric cryptography.

Authentication
A critical step in establishing secure network communications, it involves verification of an entity at the initiating end of the communication channel. The entity may be a user, host, application, or another network node, such as a router or security appliance. Authentication methods are classified into two categories: weak and strong. Weak authentication involves the use of an identification mechanism and password, typically transmitted in cleartext. Strong authentication usually entails transmitting user IDs and passwords as encrypted text.

Broadband
A term used to describe any high-speed network that can carry multiple services on the same line, such as data, voice, and video. DSL and cable are broadband.

Cipher
Any encryption algorithm. Ciphers can be classified according to whether they are symmetric or asymmetric algorithms.

Content Filtering
The concept of denying a user access to certain web sites based on predetermined criteria. The FR/FV products provide URL or URL keyword-based (static) content filtering and optional list-based (dynamic) content filtering. Dynamic content filtering employs a subscription service that allows for filtering based upon subject matter rather than just words in the URL. NETGEAR offers optional subscriptions to the CyberNOT™ blocking list.

Data Encryption Standard (DES)
Encryption used for data communications where both the sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. NETGEAR DES encryption uses a 56-bit key.

Denial of Service (DoS) Attack
Packets or requests for service sent from one or multiple PCs that cause disruption of functionality in the target PC or server. One way to employ a DoS would be to relentlessly "ping" the target server (known as "Ping of Death"), which requires the target server to respond to the ping. If enough pings were requested, the unfortunate server would not be able to respond quickly enough to the pings and at the same time perform other functions. The result is a denial of service.

Diffie-Hellman Exchange
The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976. The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. "Authenticated" Diffie-Hellman is more secure since it uses digital signatures and public key certificates.
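A worked key agreement to illustrate this entry, as an added example that is not part of the original glossary; the toy prime, generator and hash-based key derivation are assumptions chosen for demonstration, not IKE's actual groups:

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only: a real deployment
# uses a standardized multi-thousand-bit prime (e.g. an IKE MODP group).
P = 2**127 - 1          # Mersenne prime, used here as the demonstration modulus
G = 5                   # assumed generator; adequate for showing the arithmetic

def generate_private(p=P):
    """Pick a random private exponent in [2, p-2]; it is never transmitted."""
    return secrets.randbelow(p - 3) + 2

def public_value(priv, p=P, g=G):
    """The value sent over the insecure medium: g^priv mod p."""
    return pow(g, priv, p)

def shared_secret(their_public, my_priv, p=P):
    """Each side raises the peer's public value to its own private exponent."""
    # Reject 0, 1 and p-1: a peer sending these forces a trivial shared secret.
    if not 1 < their_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(their_public, my_priv, p)

def derive_key(secret, nbytes=16):
    """Hash the agreed integer down to a fixed-length symmetric key (AES-128 size)."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:nbytes]

def run_exchange():
    """Two users, A and B, agree on a key with no prior shared secret."""
    a_priv, b_priv = generate_private(), generate_private()
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    # Only a_pub and b_pub cross the wire; an observer sees them but neither exponent.
    key_a = derive_key(shared_secret(b_pub, a_priv))
    key_b = derive_key(shared_secret(a_pub, b_priv))
    # Nothing above proves who sent a_pub or b_pub: that is why IKE authenticates
    # the exchange (signatures, certificates or a shared secret) before trusting it.
    return key_a, key_b
```

Both sides end with the same 16-byte key although each used a different private exponent; the agreement is unauthenticated, which is the gap the entry's "authenticated Diffie-Hellman" closes.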

Digital Certificate
The best method for establishing user identities for virtual private networking and e-commerce. The information within a certificate includes the issuer (the Certificate Authority that issued the certificate), the organization that owns the certificate, the public key, the validity period (usually one year) of the certificate, and the hostname that the certificate was issued to. It is digitally signed by the certification authority so that none of the details can be changed without invalidating the signature.

DSL
Digital Subscriber Line. The generic term that refers to the underlying technology inherent in all flavors of DSL, such as ADSL, SDSL, or IDSL.

Encryption
A mathematical operation that transforms data from "clear text" to "cipher text," which cannot be interpreted. Usually the mathematical operation requires that an alphanumeric key be supplied along with the clear text. The key and clear text are processed by the encryption operation, which leads to data scrambling that makes it secure. Decryption is the opposite of encryption; it is the mathematical operation that transforms cipher text to clear text.

Firewall
A security device that controls access from the Internet to a local network by using information associated with TCP/IP packets to make decisions about whether to allow or deny access.

Internet Key Exchange (IKE)
A negotiation and key exchange protocol specified by the Internet Engineering Task Force (IETF). An IKE SA automatically negotiates encryption and authentication keys. With IKE, an initial exchange authenticates the VPN session and automatically negotiates the keys that will be used to pass IP traffic.

IPSec
Internet Protocol Security. A robust VPN standard that covers authentication and encryption of data traffic over the Internet. VPN technology employing IPSec encrypts all outgoing data and decrypts all incoming data so that a public network, such as the Internet, can be used as the transport medium. IPSec supports two encryption modes: transport and tunnel. Transport mode encrypts the data portion of each packet but leaves the header unencrypted. The more secure tunnel mode encrypts both the header and the data. At the receiving end, an IPSec-compliant device decrypts each packet. For IPSec to work, the sending and receiving devices must share a key. The IKE protocol is a key management standard commonly used in conjunction with IPSec.

Key
An alphanumeric string used by the encryption operation to transform clear text into cipher text. A key is composed of hexadecimal characters; a valid key would be 1234567890abcdef. Keys used in VPN communications can range in length. The longer the key, the more difficult it is to break the encryption.

L2F
Layer 2 Forwarding. L2F was developed by Cisco and is similar to PPTP in that L2F is a layer 2 tunneling protocol.

L2TP
Layer 2 Tunneling Protocol. L2TP is a combination of Microsoft's PPTP and Cisco's L2F. L2TP is a network protocol that can send encapsulated PPP packets over IP, X.25, frame relay or ATM networks.

LAN
Local Area Network. A data network that connects computers in an area usually within the confines of an office or building. A LAN enables users to share information and network resources, such as a printer or a broadband connection.

Layer 2 tunnels
Carry point-to-point data link (PPP) connections between tunnel endpoints in remote access VPNs. In compulsory mode, an ISP's network access server intercepts a corporate user's PPP connections and tunnels them to the corporate network. In voluntary mode, VPN tunnels extend all the way across the public network, from dial-up client to corporate network. Two layer 2 tunneling protocols are commonly used today. The Point-to-Point Tunneling Protocol (PPTP) provides authenticated, encrypted access from Windows desktops to Microsoft or third-party remote access servers. The IETF standard Layer 2 Tunneling Protocol (L2TP) also provides authenticated tunneling, in compulsory and voluntary modes. However, L2TP by itself does not provide message integrity or confidentiality. To do so, it must be combined with IPsec.

Layer 3 tunnels
Tunneled packets are wrapped inside IETF-defined headers that provide message integrity and confidentiality. These IP Security (IPsec) protocol extensions, together with the Internet Key Exchange (IKE), can be used with many authentication and encryption algorithms (e.g., MD5, SHA1, DES, 3DES). In site-to-site VPNs, a security gateway - an IPsec-enabled router, firewall, or appliance - tunnels IP from one LAN to another. In remote access VPNs, dial-up clients tunnel IP to security gateways, gaining access to the private network behind the gateway.

Manual Keying
Allows you to specify encryption and authentication keys.

Network Address Translation (NAT)
NAT is used in the router to prevent hacking into the local area network (LAN). NAT substitutes the "private" IP address of devices located on the LAN side of the router with a new "public" IP address that is visible on the "Internet side" of the router. By virtue of this simple implementation, any device, up to 45, located on the LAN will be hidden, or "masqueraded," from Internet hackers trying to get to a specific PC. Only the router's IP address is visible on the Internet. This technology provides crude protection against hackers and is used widely in broadband routers.

Point-to-Point Tunneling Protocol (PPTP)
PPTP builds on the functionality of the Point-to-Point Protocol (PPP) to provide remote access that can be tunneled through the Internet to a destination site or computer. PPTP encapsulates PPP packets using the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP.

Secure Socket Layer (SSL)
Used for sending encrypted data over the web. Generally used as part of a secured transaction, such as remote access authentication or sending credit card information to on-line merchants. SSL is in use when you see "https:" as part of the URL, as opposed to the standard "http:".

Security Association (SA)
A group of security settings related to a specific VPN tunnel. A Security Association groups together all the necessary settings needed to create a VPN tunnel. Different SAs may be created to connect branch offices, allow secure remote management, and pass unsupported traffic. All SAs require a specified encryption method, IPSec gateway address and destination network address. IKE includes a shared secret. Manual Keying includes two SPIs and an encryption and authentication key.

Security Parameter Index (SPI)
Used to establish a VPN tunnel. The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and keys associated with the SPI to establish the tunnel.

Shared Secret
A predefined field that the two endpoints of a VPN tunnel use to set up an IKE SA. This field can be any combination of alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to assure that a third party cannot compromise the security of a VPN tunnel.

Stateful Packet Inspection
SPI is a technology used in firewalls that allows for more robust screening than that offered by packet filtering devices (NAT routers), in that both packet content and packet history (its previous state) are used to make filtering decisions.

Symmetric Cryptography
Refers to keys used to authenticate, or encrypt and decrypt, the data. With symmetric cryptography, the same key is used to authenticate on both ends of the VPN. Symmetric cryptography, or secret key cryptography, is usually faster than asymmetric cryptography. Therefore symmetric algorithms are often used when large quantities of data need to be exchanged.

Telecommuting
Employees who work at home during the day for part or all of the workweek instead of going to the office. This is still the dominant form of remote work today but it is a more restrictive definition than telework.

Telework
A more encompassing term than telecommuting because it defines the remote access user as anyone (employee, contractor, partner, road warrior, etc.) using telecommunications to work from a remote location that can be anywhere. The term "telework" is a more generic term.

TripleDES
A variation on DES that uses a 168-bit key to provide more secure data transmission than DES. TripleDES is considered to be virtually unbreakable by security experts. It also requires a great deal more processing power, resulting in increased latency and decreased throughput.

VPN
Virtual Private Network. A way that private data can safely pass over a public network, such as the Internet. The data traveling between two hosts is encrypted for privacy along with other security features.

VPN Tunnel
A term that describes a connection between two or more private nodes or LANs over a public network, typically the Internet. Encryption is used to maintain the confidentiality of private data when traveling over the Internet.