[1225] in WWW Security List Archive
Virtual Private Networks
daemon@ATHENA.MIT.EDU (Bomsu Yeh)
Mon Dec 11 00:43:40 1995
Date: Mon, 11 Dec 1995 11:24:18 +0900
To: www-security@ns2.rutgers.edu
From: Bomsu Yeh <bsyeh@soback.kornet.nm.kr>
Errors-To: owner-www-security@ns2.rutgers.edu
This is information I obtained from www-security@ns2.rutgers.edu. Anyone who needs it, please use it for reference. I will omit the sources.
>On Tue, 5 Dec 1995, Prince, Cheryl wrote:
>
> Digital recently released a new (?) way of using the public Internet to
> create --or replace-- private local or wide area networks. All sensitive
> data is encrypted with RSA tech, private key/public key cryptography on either end of
> communication as well as authentication so the parties can accurately identify
> each other. It's called the Digital Internet Tunnel.
>
> Has anyone heard about this kind of system (surely not the first of its kind)
> and is this safe??
Digital Internet Tunnel Overview
Using IP encryption, the Digital Internet Tunnel allows you to use
the public Internet as a secure, cost-effective extension or alternative
to your private network.
This product differs from many other IP encryption products in
its enhanced flexibility:
1) It is firewall independent and is compatible with
many popular firewalls.
2) The authentication of tunnel end-points is
user-based (not IP address-based) for greater
mobility.
There are two types of tunnel products offered: group tunnels and
personal tunnels. The Digital Internet Personal Tunnel enables you
to securely connect a client personal computer to a server in a
private network via the Internet. The Digital Internet Group Tunnel
lets you connect two servers (or two private networks) to support
confidential organization-to-organization communications.
The Digital Internet Tunnel employs RSA public key encryption for
authentication and session key exchange, and RC4-based secret keys
for bulk data encryption. Cryptographic identity and keys are tied to
the user, leaving the IP address free to be dynamically assigned. Once
the authenticated tunnel session is created, the tunnel server and
tunnel client automatically switch from RSA public key encryption to
RC4-based secret key encryption to perform bulk data encryption and
transmission. At 30-minute intervals, the tunnel client and server
pass new session keys back and forth to decode transmitted data.
During data packet transmission, each packet is integrity protected
and authenticated by MD5.
Please visit our home page:
http://www.digital.com/info/internet
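The bulk-data phase described in the overview (RC4 for confidentiality, a per-packet MD5 check for integrity and authentication), as an added Python sketch that is not Digital's code. It assumes a session key already agreed during the RSA exchange, a constructed wire format seq || ciphertext || tag, a per-packet RC4 key derived from the session key and the sequence number (so a stream-cipher keystream is never reused across packets), and a keyed MD5 (HMAC-MD5) tag, since the overview does not say how its MD5 check is keyed; the RSA handshake and the 30-minute rekey are outside the block.

```python
import hashlib
import hmac

TAG_LEN = 16  # length of an MD5 digest


def rc4_keystream(key: bytes):
    # RC4 key scheduling (KSA) followed by the PRGA; yields one keystream byte at a time.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    # Stream cipher: encryption and decryption are the same XOR with the keystream.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def _packet_keys(session_key: bytes, seq_hdr: bytes):
    # Assumption, not from the overview: a per-packet RC4 key bound to the sequence
    # number (so keystream is never reused) and a separate MD5-derived MAC key.
    enc_key = hashlib.md5(session_key + b"enc" + seq_hdr).digest()
    auth_key = hashlib.md5(session_key + b"auth").digest()
    return enc_key, auth_key


def protect_packet(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed wire format: seq(4 bytes) || RC4(payload) || HMAC-MD5 tag(16 bytes)."""
    hdr = seq.to_bytes(4, "big")
    enc_key, auth_key = _packet_keys(session_key, hdr)
    body = rc4(enc_key, payload)
    tag = hmac.new(auth_key, hdr + body, hashlib.md5).digest()
    return hdr + body + tag


def unprotect_packet(session_key: bytes, packet: bytes, last_seq: int):
    """Return (seq, payload), or None when the tag fails or seq is not strictly
    increasing (replayed or out-of-order packet). The tag is checked before decrypting."""
    hdr, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, auth_key = _packet_keys(session_key, hdr)
    expected = hmac.new(auth_key, hdr + body, hashlib.md5).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    seq = int.from_bytes(hdr, "big")
    if seq <= last_seq:
        return None
    return seq, rc4(enc_key, body)
```

The receiver rejects a packet whose tag does not verify, whose session key differs, or whose sequence number does not advance, which is what makes the MD5 check an authentication step rather than a plain checksum.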
---------------------------
As for this sort of firewall, you might want to look into RFC 1825-1829,
which specify the Internet Security Architecture (which includes
encrypted tunnels). The mechanisms specified shall be an integral part of
IPv6 and can also be used with IPv4. Several independent, but
interoperable, implementations are being developed or already finished.
The key management problems are currently being worked on by the
IETF IPsec working group; several Internet-Drafts have already
been published (Photuris, SKIP and others).
---------------------------
The following products are able to encrypt network traffic based on
source and destination address of IP packets. Some are also able to encrypt
based on the type of network service (TCP port number). As a result, sites
can create a Virtual Private Network (VPN) on the Internet. Note that one
would need two boxes in order to provide for site-to-site encryption over the
Internet.
Note: Public key encryption costs (in computing) about 100 times more than
shared key encryption (like DES). In a WAN environment, a shared key
is very feasible.
Survey Date: 14 AUGUST 1995
Firewall VPN Products are (in alphabetical order):
ANS InterLock Service
- Supports optional DES software.
Web URL: http://www.raptor.com http://www.ans.net
---------------------------
Brimstone Firewall Product
Web URL: http://www.soscorp.com/
---------------------------
Milkyway Black Hole
- Supports modified (proprietary) DES algorithm (DES++).
Web URL: http://www.milkyway.com
---------------------------
Checkpoint Firewall-1
- Encryption support planned for future release.
Web URL: http://www.checkpoint.com
---------------------------
Cisco Systems/Cylink
- Software solution (part of Cisco operating system) later this
calendar year, hardware board to follow.
Web URL: http://www.cisco.com/
---------------------------
Harris Computer Systems' CyberGuard Firewall
- Supports software DES and user replaceable encryption modules.
Web URL: http://www.hcsc.com
---------------------------
Hughes NetLOCK
- Supports DES and cXOR.
E-Mail: netlock@mls.hac.com
---------------------------
IBM
---------------------------
IRE
- Available later this calendar year.
Phone: (410) 931-7514
---------------------------
KarlBrouter
- Supports software DES.
Web URL: http://www.gbnet.net/kbridge/
---------------------------
LSLI's Portus Firewall
Web URL: http://www.sccsi.com/lsli/lsli.homepage.html
---------------------------
Morningstar EXPRESS Router
- Supports DES.
Web URL: http://morningstar.com
---------------------------
Motorola Network Encryption System (NES)
E-Mail: nes@email.mot.com
---------------------------
Network Systems Corp. (NSC)
- Security Router offers encryption using IDEA, DES, Triple DES,
and high speed proprietary algorithms.
Web URL: http://www.network.com
---------------------------
Network Translation Inc. Private Internet eXchange (PIX)
- PIX supports DES.
Web URL: http://www.translation.com
---------------------------
Raptor Systems
- Will be offering DES encryption package.
Web URL: http://www.raptor.com/
---------------------------
RSA
- Standards effort of this sort initiated by RSA.
Web URL: http://www.rsa.com/pub/S-WAN
---------------------------
SecureWare HannaH
- Supports authentication and encryption, in a non-invasive manner
Web URL: http://www.secureware.com
---------------------------
Semaphore Communications
- Network Encryption Unit (NEU), supports DES.
Phone: (408) 986-6292
---------------------------
SOCKS
- Does authentication and encryption of SOCKS->SOCKS links,
using at least Kerberos for now. Still beta.
Web URL: http://www.socks.nec.com/Socks5.html
---------------------------
swIPe
- Publicly available. PGP based. Can be easily added to BSD kernels.
Web URL: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/swIPe/
---------------------------
Sun Sunscreen SPF-100
- Will support multiple encryption algorithms.
Web URL: http://www.sun.com/
---------------------------
TIS Gauntlet 3.0
- Supports software DES option and hardware DES board.
Includes resellers of Gauntlet.
Web URL: http://www.tis.com
---------------------------
UUNET LanGuardian
- Combination of hardware and software DES.
Web URL: http://www.uu.net
---------------------------