3.3.4 Tunneling (Page 2 of 2)

Examples of Tunneling

For example, layer 2 tunneling is often used to carry PPP traffic between VPN endpoints. When dialing in to a corporate VPN, there are two options: originating the tunnel at the dial-up user's host (voluntary mode), or intercepting the user's dial-in at the ISP and originating the tunnel to the corporate network from the ISP forward (compulsory mode). PPTP is an example of a layer 2 protocol that provides encrypted, authenticated tunneling. L2TP is a layer 2 protocol that provides authenticated tunnels, which can be encrypted using the layer 3 IPSec technology mentioned below.

Layer 3 tunneling provides virtual IP connections at the network layer. It is often implemented via the IPSec protocol extensions and IKE (Internet Key Exchange, an authenticated key exchange protocol). It supports a wide variety of cryptographic options, such as DES, 3DES, MD5 and SHA1, and is often used in security gateway products such as IPSec-enabled routers, which provide dial-up or Internet users access to the internal network behind the gateway. Note that IPSec itself doesn't provide for authentication, which is why it is often paired with other technologies like L2TP, or used in full site-to-site links where the organization considers individual authentication to be overkill.

Higher level tunneling, used when you wish to tunnel the traffic of particular applications rather than all traffic on the network, is most often accomplished via Secure Shell (SSH) or Secure Sockets Layer (SSL). SSH seems to be the protocol of choice when tunneling login connections (providing a more secure remote connection than the Berkeley UNIX r-commands it was developed to replace), and SSL is, of course, the protocol used to implement the secure version of HTTP used between web browsers and servers. Interestingly, the use of both of these originally special-purpose tunneling protocols has been expanded to other applications as well.

For instance, many companies now use SSH as an inexpensive way to provide general-purpose security tunnels between remote clients and all sorts of applications, including web servers and POP3 or SMTP email connections. And SSL has evolved into the IETF-standard Transport Layer Security (TLS), which uses digital certificates for authentication and confidentiality. [333]

__________________
333. Phifer, Lisa, "VPNs: Virtually Anything?", http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci540868,00.html, 2001.
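To make the SSH application-tunnel idea concrete, here is an added example (not from the CertiGuide text) that models the local leg of an ssh -L style forward for POP3 in Python: the mail client connects to a listener on the loopback interface and a relay carries its bytes to the mail server, so the client needs no changes beyond pointing at the local port. The encrypted SSH leg between relay and server is left out; the stand-in POP3 server and all port numbers are constructed for the example.

```python
import socket
import threading
from contextlib import suppress

def _pipe(src, dst):
    # Copy bytes one way until src reaches EOF, then pass the EOF on to dst.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def start_forwarder(target, listen_host="127.0.0.1"):
    # Loopback listener on an ephemeral port; each accepted connection is relayed to
    # target. Binding 127.0.0.1 rather than 0.0.0.0 keeps the cleartext local leg off the LAN.
    ls = socket.socket()
    ls.bind((listen_host, 0))
    ls.listen()
    def serve():
        with suppress(OSError):  # loop ends when the listener is closed
            while True:
                client, _ = ls.accept()
                remote = socket.create_connection(target)
                for a, b in ((client, remote), (remote, client)):
                    threading.Thread(target=_pipe, args=(a, b), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return ls

def start_fake_pop3():
    # Constructed stand-in for the mail server: greet, answer QUIT, hang up.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.sendall(b"+OK POP3 ready\r\n")
            if conn.recv(64).strip().upper() == b"QUIT":
                conn.sendall(b"+OK bye\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def pop3_session_via_tunnel():
    # The mail client only ever talks to the loopback listener, as with `ssh -L`.
    tunnel = start_forwarder(start_fake_pop3())
    loopback_only = tunnel.getsockname()[0] == "127.0.0.1"
    with socket.create_connection(tunnel.getsockname()) as client:
        client.settimeout(5)  # fail loudly instead of hanging if the relay breaks
        client.sendall(b"QUIT\r\n")
        replies = b"".join(iter(lambda: client.recv(4096), b""))
    tunnel.close()
    return replies.decode(), loopback_only
```

The returned replies are exactly what the server sent, showing that the relay is transparent to the application; the second value confirms the listener is reachable only from the local host.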
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.