116 Chapter 3 • Communication Security: Remote Access and Messaging
The first step in creating a site-to-site VPN is selecting the tunneling protocol
to be used. PPTP and L2TP are two common tunneling protocols in use. Once a
tunnel is established, encryption protocols are used to secure data passing through
the tunnel. Common protocol choices for securing data during transmission are
IPSec and SSL. As data is passed from one VPN to another, it is encapsulated at the
source and unwrapped at the target. The process of establishing the VPN and wrapping
and unwrapping the data is transparent to the end user.
IPSec is another VPN protocol that is widely used. Here, the underlying connection
is maintained through the use of IP, while two new network protocols,
Authentication Header (AH) and Encapsulated Security Protocol (ESP), are used to
protect the data. IPSec VPNs can be deployed in one of two modes: transport
mode or tunnel mode. In transport mode the IPSec-protected data is carried in IP
packets that use the original IP addresses of the two VPN peers. In tunnel mode
the entire IP packet is encapsulated and encrypted, and a new IP header carrying the
addresses of the two VPN peers is used to transmit the data from one end to the other.
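As an added example (not from the book), the following Python model builds the two ESP layouts just described: transport mode keeps the original IP header on the wire and protects only the transport payload, while tunnel mode protects the whole original packet behind a new outer header naming the VPN peers. The cipher is a constructed SHA-256 keystream stand-in, not a real ESP cipher suite, and the addresses and key are constructed sample values.

```python
import hashlib
import socket
import struct

ESP, IPIP, TCP = 50, 4, 6   # IP protocol numbers: ESP, IP-in-IP (tunnel-mode inner), TCP

def ip_header(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum left at zero since these bytes are never routed.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ip(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "payload": pkt[20:]}

def keystream_xor(key, spi, seq, data):
    # Constructed stand-in for the ESP cipher suite (symmetric XOR with a SHA-256
    # keystream). Not a real cipher; it only makes protected bytes unreadable on the wire.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def esp_wrap(spi, seq, key, payload, next_header):
    # ESP layout: SPI | sequence number | {payload | pad_len | next_header} protected
    body = payload + bytes([0, next_header])          # no padding in this model
    return struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, body)

def esp_unwrap(keys_by_spi, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    body = keystream_xor(keys_by_spi[spi], spi, seq, esp[8:])
    return body[-1], body[:-2]                         # (next_header, inner data)

def transport_mode(inner_pkt, spi, seq, key):
    # Original IP header stays on the wire; only the transport payload is protected.
    inner = parse_ip(inner_pkt)
    esp = esp_wrap(spi, seq, key, inner["payload"], inner["proto"])
    return ip_header(inner["src"], inner["dst"], ESP, len(esp)) + esp

def tunnel_mode(inner_pkt, spi, seq, key, gw_src, gw_dst):
    # Entire original packet is protected; a new outer header names the two VPN peers.
    esp = esp_wrap(spi, seq, key, inner_pkt, IPIP)
    return ip_header(gw_src, gw_dst, ESP, len(esp)) + esp

def wire_view(pkt):
    # What an on-path observer without the key can read: outer addresses and protocol.
    o = parse_ip(pkt)
    return o["src"], o["dst"], o["proto"]
```

Comparing `wire_view` of the two outputs shows the practical difference: in transport mode the end hosts' addresses remain visible, in tunnel mode only the gateways' addresses do.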
Most commercially available firewalls come with a VPN module that can be set
up to easily communicate with another VPN-capable device. Companies now use
VPN concentrators, which have the capability to support the VPN technologies we
just covered, but also the ability to increase performance and management of multiple
VPNs. Cisco's ASA line, for example, contains devices like the 5540 that provide
firewall, VPN, concentration, IDS/IPS, and Anti-X (malware, spyware, and so
forth) services.
Whichever product or service is chosen, it is important to ensure that each end
of the VPN is configured with the correct protocols and settings.
Tools & Traps…
Issues With Site-to-site VPNs
A common mistake that network security professionals make is setting up
a site-to-site VPN, then disregarding other types of security. The three A's
still need to be observed: authentication, authorization, and accounting.