Chapter 9: Network Requirements and Preparation Firewalls
ShoreTel 8 Planning and Installation Guide 119
The L2TP tunneling protocol does not encrypt before encapsulation. It requires the IPSEC
protocol to take the encapsulated packet and encrypt it before sending it over the Internet.
See Section 9.12 on page 121 for more information about ShoreTel’s proprietary media
Encryption is the marking, transforming, and reformatting of messages to protect them
from disclosure and maintain confidentiality. The two main considerations with encryption
are the algorithm, such as Triple Pass DES (112 bits), RCA (128 bits), and Triple DES (168
bits), and the management of the distribution of encryption keys (IKE and PKI). These
newer, longer keys (more than 100 bits) have been a major driver in the success of IP
VPNs: they make breaking into enterprise computer systems extremely difficult without
an investment of millions of dollars in equipment.
Encryption starts with a key exchange that must be conducted securely. The IKE (ISAKMP/
Oakley) protocol has been considered the most robust and secure key exchange protocol in
the industry to date. It is also a de facto standard for service providers and product vendors
requiring the highest level of security for their VPN solutions. PKI (Public Key
Infrastructure), new to the key management scene, is currently thought to be the long-term
solution to simplifying the management of VPNs. The industry is still evaluating and
testing PKI, with some initial deployments beginning to occur.
From an IP VPN [1] performance perspective, encryption can be a CPU-intensive operation.
As a result, enterprises must evaluate VPN products in two primary areas as they relate to
encryption. The first is whether the maximum throughput decreases substantially when
encryption is used, and the second is whether a consistent throughput can be maintained
when encryption is enabled. Typically, the trade-off between performance and price is
debated from a software-based versus hardware-based encryption perspective.
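The two evaluation criteria above (does encryption cut peak throughput, and does throughput stay consistent once encryption is on) can be turned into a repeatable measurement. The harness below is an added example, not code from the ShoreTel guide or from any VPN product; the "encryption" it times is a hypothetical toy keystream XOR that stands in for whatever cipher path is under evaluation, and the key, payload size and pass/fail thresholds are constructed values, not figures from the guide.

```python
import hashlib
import statistics
import time
from typing import Callable, Dict, List

# Toy keystream cipher: XOR with SHA-256(key || counter) blocks. It exists only
# to give the harness a CPU-bound "encryption" path to time; it is NOT IPsec,
# Triple DES or any real VPN cipher and must not be used to protect data.
def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray(len(data))
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out[offset:offset + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def passthrough(data: bytes) -> bytes:
    """Baseline path with encryption disabled: a plain copy of the payload."""
    return bytes(data)


def measure_mbps(transform: Callable[[bytes], bytes], data: bytes, trials: int) -> List[float]:
    """Time `transform` over `data` `trials` times; return per-trial throughput in Mbit/s."""
    rates = []
    for _ in range(trials):
        start = time.perf_counter()
        transform(data)
        elapsed = max(time.perf_counter() - start, 1e-9)  # guard against a zero reading
        rates.append(len(data) * 8 / elapsed / 1e6)
    return rates


def evaluate_encryption_overhead(encrypt: Callable[[bytes], bytes], data: bytes,
                                 trials: int = 5) -> Dict[str, float]:
    """Report the two figures the guide asks for: throughput loss and consistency."""
    plain = measure_mbps(passthrough, data, trials)
    enc = measure_mbps(encrypt, data, trials)
    plain_mean = statistics.fmean(plain)
    enc_mean = statistics.fmean(enc)
    return {
        "plaintext_mbps": plain_mean,
        "encrypted_mbps": enc_mean,
        # criterion 1: share of unencrypted throughput that survives (1.0 = no loss)
        "throughput_ratio": enc_mean / plain_mean,
        # criterion 2: coefficient of variation across trials; lower = more consistent
        "encrypted_cv": statistics.pstdev(enc) / enc_mean,
    }


def meets_criteria(result: Dict[str, float], min_ratio: float, max_cv: float) -> bool:
    """Pass/fail against thresholds the evaluator chooses (hypothetical values below)."""
    return result["throughput_ratio"] >= min_ratio and result["encrypted_cv"] <= max_cv


# Constructed sample inputs (not from the guide): a fixed key and 256 KiB of payload.
SAMPLE_KEY = b"\x42" * 32
SAMPLE_DATA = bytes(range(256)) * 1024

if __name__ == "__main__":
    report = evaluate_encryption_overhead(lambda d: toy_keystream_xor(SAMPLE_KEY, d), SAMPLE_DATA)
    for name, value in report.items():
        print(f"{name:>18}: {value:,.3f}")
    print("acceptable:", meets_criteria(report, min_ratio=0.5, max_cv=0.2))
```

When comparing products, run the same payload through each product's real encryption path in place of the toy function and keep the thresholds fixed; the ratio answers the first question (peak throughput loss) and the coefficient of variation the second (consistency under encryption).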
9.10.4 Integrated Security Appliances
A number of major vendors provide integrated broadband security appliances to eliminate
security concerns. These devices use custom ASICs to deliver wire-speed firewall, Triple
DES IPSec VPN, and traffic shaping in an easy-to-deploy, cost-effective solution. Installing
a security appliance, such as a NetScreen-5, eliminates the need to deal with complex PC
software installations and allows IT to centrally manage the security policies of these
remote offices and teleworkers. The firewall protection secures sensitive data at the remote
site and can prevent both U-turn attacks and the launching of denial-of-service attacks
from these computers. By combining broadband access technologies with an integrated
security appliance, enterprises and service providers can safely and securely capitalize on
all of the benefits of the broadband Internet.
A firewall is the first major purchase and the foundation of network security
(Figure 9-2). It prevents unauthorized access to the network or web site by examining both
incoming and outgoing traffic. Based on the predefined security policies, each individual
[1] Note that Internet VPNs, though useful for data, may not offer sufficient protection against latency and
packet loss for VoIP.
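The firewall paragraph above describes the core mechanism: every incoming and outgoing packet is checked against predefined security policies and allowed or denied. The evaluator below is an added example, not code from the ShoreTel guide or from any firewall product. It implements first-match rules with a default deny, and its sample policy for a remote office (documentation IP ranges, a DMZ web server, and the UDP 500 / ESP entries an IPsec VPN needs to pass through the firewall) and its sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = arriving from the Internet, "out" = leaving the site
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp", "icmp", "esp" (IPsec), ...
    dport: Optional[int] = None  # destination port for tcp/udp, None otherwise


@dataclass(frozen=True)
class Rule:
    direction: str               # "in", "out" or "any"
    src: str                     # CIDR network or "any"
    dst: str                     # CIDR network or "any"
    proto: str                   # protocol name or "any"
    dport: Optional[int]         # None matches any port
    action: str                  # "allow" or "deny"
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet no rule covers is denied (default deny).

    Returns the action and the index of the deciding rule (None for default deny),
    which is what a log entry needs to explain the decision later."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed sample policy for a remote office (documentation address ranges, not real hosts).
LAN = "192.168.10.0/24"
DMZ_WEB = "203.0.113.10/32"
POLICY = [
    Rule("in", "any", DMZ_WEB, "tcp", 443, "allow", "public HTTPS to the DMZ web server"),
    Rule("in", "any", "any", "udp", 500, "allow", "IKE key exchange for the IPsec VPN"),
    Rule("in", "any", "any", "esp", None, "allow", "IPsec ESP tunnel traffic"),
    Rule("in", "any", LAN, "any", None, "deny", "nothing else from the Internet reaches the LAN"),
    Rule("out", LAN, "any", "tcp", 443, "allow", "LAN hosts may browse HTTPS sites"),
    Rule("out", LAN, "any", "udp", 53, "allow", "LAN hosts may resolve DNS"),
]

# Constructed sample traffic, one packet per case the policy should decide.
SAMPLE_PACKETS = [
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 443),    # allow: rule 0
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 22),     # deny: no rule, default deny
    Packet("in", "198.51.100.7", "192.168.10.25", "tcp", 445),   # deny: rule 3
    Packet("in", "198.51.100.7", "203.0.113.1", "udp", 500),     # allow: rule 1
    Packet("out", "192.168.10.25", "198.51.100.7", "tcp", 443),  # allow: rule 4
    Packet("out", "192.168.10.25", "198.51.100.7", "tcp", 25),   # deny: outbound SMTP not opened
]


def decide_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, idx = evaluate(POLICY, pkt)
        why = POLICY[idx].comment if idx is not None else "default deny"
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport}: {action} ({why})")
```

Two design points carry over to a real appliance policy: rule order matters because the first match decides, so specific allows must precede broad denies, and the default for anything the policy does not name is deny in both directions, which is what stops a compromised remote PC from being used to launch traffic the policy never intended.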