The Hi-Tech Gateway VPN Client provides your remote users with a transparent, secure way to leverage the Internet for cost-effective access to your networks and data centers. The VPN Client software works with the Intel® NetStructure™ 3100 Gateway Family to give Windows 9x/2000 clients confidential, authenticated communications with other users, servers and networks.
- Gives Windows 9x/2000 clients confidential, authenticated, encrypted access to corporate networks through Hi-Tech’s VPN Gateways
- Supports transparent communications across the Internet, intranets, and extranets
- Integrates easily with existing security policies
- Delivers proven technology
- Support for triple-DES encryption
- Advanced IPSec support
- Remotely deployable by the Hi-Tech Gateway VPN Client Deployment Tool

To better understand the concept of VPNs, we've included a FAQ section below.

A Virtual Private Network (VPN) is a network tunnel created for encrypted data transmission between two or more authenticated parties. It provides data privacy, data integrity and data authenticity. Virtual private networks use a public, shared network infrastructure such as the Internet as the means of transport; VPN data is encapsulated inside tunnels for its journey across the public network.

The main components of a VPN are VPN client software and a tunnel server, network and data protection (encryption), a scalable architecture, a wide choice of user authentication methods, and centralized management.
- VPN client software and the tunnel server establish a private, encrypted tunnel over a shared network.
- Network protection is provided by a firewall, which keeps unwanted visitors off the corporate network.
- Data protection has three components: integrity, privacy and authenticity.
- Data integrity ensures that the data you received is the same data that was sent, i.e. nothing was altered in transit.
- Data privacy (confidentiality) ensures that an eavesdropper on the public network cannot read the packets.
- Data authenticity ensures that the data came from the party it claims to come from, so an attacker cannot inject forged traffic as if it were a legitimate sender.
- A scalable architecture allows the customer to grow the network as needed.
- A VPN should be able to authenticate users with a wide variety of methods, allowing customers to keep their existing user authentication policies when deploying a VPN.

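The distinction between integrity and authenticity in the list above is easiest to see in code. The following is an added example written for this page, not code from the original page or from the vendor's products; the shared key and the "transfer" payloads are constructed sample data. A plain hash appended to a packet gives integrity only against accidental corruption, because an active attacker can rewrite the payload and recompute the hash; a keyed MAC (here HMAC-SHA256 from the Python standard library) gives integrity and authenticity, because only a holder of the shared key can produce a valid tag. Confidentiality (data privacy) is the separate encryption step and is not shown here.

```python
import hashlib
import hmac

# Constructed sample data (not from the original page): a shared key that both
# tunnel endpoints agreed on out of band. Never hard-code a real key like this.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def append_checksum(payload: bytes) -> bytes:
    """Integrity only: a plain hash detects accidental corruption, but anyone
    who alters the payload can simply recompute the hash."""
    return payload + hashlib.sha256(payload).digest()


def check_checksum(frame: bytes) -> tuple:
    """Return (ok, payload) for a hash-only frame."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(payload).digest(), tag), payload


def protect(payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Integrity and authenticity: an HMAC tag can only be produced by a holder
    of the shared key, so a valid tag shows both who sent the data and that it
    arrived unchanged."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(frame: bytes, key: bytes = SHARED_KEY) -> tuple:
    """Return (ok, payload). ok is False if the payload or tag was altered, or
    if the tag was produced without the key."""
    if len(frame) < TAG_LEN:
        return False, b""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    return hmac.compare_digest(expected, tag), payload


def attacker_rewrite(frame: bytes, new_payload: bytes) -> bytes:
    """An active attacker on the public network replaces the payload and
    recomputes a plain hash. This works against the checksum and fails
    against the HMAC, because the attacker does not hold the key."""
    return new_payload + hashlib.sha256(new_payload).digest()


def demo() -> dict:
    """Run the four cases and return which frames each check accepts."""
    original = b"TRANSFER 100 TO ACCT 42"   # constructed payload
    forged = b"TRANSFER 900 TO ACCT 99"     # attacker's replacement
    results = {}
    # Hash-only frame: the forgery passes, since the hash needs no secret.
    results["checksum_accepts_forgery"] = check_checksum(
        attacker_rewrite(append_checksum(original), forged))[0]
    # HMAC frame: the genuine frame passes; forgery and a flipped bit fail.
    frame = protect(original)
    results["hmac_accepts_genuine"] = verify(frame)[0]
    results["hmac_accepts_forgery"] = verify(attacker_rewrite(frame, forged))[0]
    flipped = bytes([frame[0] ^ 0x01]) + frame[1:]
    results["hmac_accepts_bitflip"] = verify(flipped)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

In a real tunnel protocol the key is derived per session by key management rather than shared by hand, and the MAC also covers a sequence number so that a captured packet cannot be replayed; both are omitted here to keep the point visible.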
A VPN can be used in remote access, intranet and extranet applications:
- Remote access allows mobile users or telecommuters to use the Internet to reach the corporate network.
- An intranet (intra-company offices connected by a protected network) allows companies to reduce leased-line expenses by using the Internet.
- An extranet connects a company's partners over the Internet.

L2F (Layer Two Forwarding), originally pioneered by Cisco and Nortel, is an excellent tunneling protocol for managed networks where flow control is not an issue. At the time of writing L2F was detailed in an Internet draft and was considered unlikely to become a Request for Comments (RFC) or progress further towards becoming an international standard. (It was in fact later published as an informational RFC, RFC 2341, which documents the protocol without making it a standard.)

PPTP (Point to Point Tunneling Protocol) was proposed by Microsoft, Ascend, and other vendors. PPTP offers advantages when working in Microsoft server environments. Like L2F, PPTP was at the time detailed in an Internet draft and considered unlikely to become an RFC or standard (it was likewise later documented as informational RFC 2637). Microsoft has committed to L2TP as the way forward.

The emerging standard that will eventually be adopted is a combination of the two protocols known as L2TP (Layer 2 Tunneling Protocol), which offers the best performance over non-managed data networks such as the Internet. L2TP is currently an Internet draft, is being proposed as an RFC before the Internet Engineering Task Force (IETF), and is expected to become the accepted tunneling standard. The target for L2TP as an RFC was the end of 1997; at the time of writing it is likely that this will be delayed until mid 1998. (L2TP was ultimately published as RFC 2661 in August 1999.)

None of these tunneling protocols defines its own encryption or cryptographic authentication of the tunnel; what they carry is PPP, whose password-based user authentication is separate from protecting the packets in transit. The L2TP draft standard therefore recommends that IPSec be used for encryption and key management in IP environments, a combination commonly written L2TP/IPsec.

A VPN replaces variable, time-based, direct-dial costs with fixed ISP Internet access costs. For example, a VPN proved to be the answer for a Boston-based software vendor with a remote programmer in Atlanta who typically spends 50-60 hours per month downloading large files. By moving this application from the public switched network to a VPN, the company went from spending $360 per month on long distance charges at 10 cents per minute to $35 per month for a flat-rate Internet connection.

Performance. If a user connects through the PSTN, a VPN-based connection will never be faster than a direct-dial connection and, because of the latency of the Internet, will in many cases be slower. Performance-sensitive connections will do better through direct dial.

There are different ways to implement encryption in order to create and manage Virtual Private Networks. One important distinction is whether the encryption is performed in hardware or software. Hardware encryption solutions provide two distinct advantages: performance and protection.

By comparison, most software-only encryption solutions at the time of writing, such as those employed in some firewall products, could provide encryption speeds of only about 400 kbps under optimum conditions. In most cases, software-only solutions provided significantly less throughput.

A key component of the protection offered by any encryption solution is the degree of randomness in the keys generated by key management: a predictable key defeats the cipher no matter how strong the algorithm. The Hi-Tech VPN Gateway and Hi-Tech VPN Express use a specially designed and proven algorithm to produce truly random keys for each and every packet transmitted. The test applied to ciphers later in this FAQ, that a design should not depend on staying secret, applies to a key generator too: the quality of its entropy source is what a practitioner should ask about.

Tunnel servers and firewalls serve two different functions. Firewalls are analogous to border crossing guards: they ensure that unauthorized traffic from outside your network cannot come in. Thus firewalls protect the entry points to your network from outside attack.

Tunnel servers, on the other hand, ensure that others cannot read or tamper with your data while it is outside your network and hence outside your control. Tunnel servers also authenticate the sender of a given message. This level of protection is necessary to reduce the chance that anyone can intercept, monitor or tamper with your data. Finally, they can restrict traffic to tunneled data, dropping anything that does not arrive through an authenticated tunnel.

In practice, a good network security policy will involve the use of both firewalls and tunnel servers: the right tool for the right job.

A LAN-to-LAN application consists of two Hi-Tech VPN Gateways, two Hi-Tech VPN Expresses, or a combination of the two, communicating with one another. A remote user connecting from a desktop needs the Hi-Tech VPN Client in order to communicate with the Hi-Tech VPN Gateway or Hi-Tech VPN Express on the LAN. The Hi-Tech VPN Client consists of three basic features: PPP (or the ability to use existing dialers or network adapters), tunneling, and encryption. Deployment of the client generally involves some add-on to a standard dialer. Typically this software comes from the same vendor that supplied the central-site VPN equipment, although Microsoft has plans to add an L2TP client with IPsec support to a future release of Windows.

Data encryption

Authentication means that the receiving party is certain of the identity of the sending party, and vice versa. With a shared secret key, authentication is implicit: only the party the key was exchanged with in secrecy could have used it. In a public key scheme authentication is not implicit. Because public keys are, by definition, public knowledge, other evidence is required to prove that a given public key really belongs to the party claiming it.

Digital signatures are a way to send digital proof of the sender's identity. The sender computes a digest (hash) of the message and transforms it with the private key; the receiver recomputes the digest and checks it against the signature using the sender's public key. Described in RSA terms, the digest is "encrypted" with the private key and "decrypted" with the public key. Because only the holder of the private key can produce a value that verifies under the matching public key, only the issuer of the key pair can create such a signature.

A digital signature only proves that whoever signed holds the private key matching a given public key; it offers no further assurance of who that party actually is. A certificate authority (or trusted third party) can be used as a witness to the identity of the sender.

A certificate authority (CA) has a key pair of its own. By signing someone's public key, together with that party's name, with its own private key, the CA is essentially testifying to the identity of the key-pair holder. The signed name-and-public-key record is referred to as a digital certificate. Anyone wishing to verify the identity of a certificate holder can check the CA's signature with the CA's public key and then trust the public key contained in the certificate. Note that this only works if the verifier already holds an authentic copy of the CA's public key, obtained some other way.

With public key cryptography, keys are generated in pairs, known as the public key and the private key. Each party knows its own private key and must never reveal it. Each party publishes its public key. A party can prove its identity by signing a challenge with its private key; only the corresponding public key will verify it. Similarly, data can be made private ("for your eyes only") by encrypting it under a public key; it can then be decrypted only with the corresponding private key.

If a valid user's private key can be learned by another party, then the valid user can be impersonated. Because of this, and because keys must be controlled and distributed, a significant management infrastructure is required to operate the technology:
- Certification Authorities (CAs) vouch for the validity of keys
- X.509 certificates provide a standardized way of representing names and their associated public keys
- Certificate Revocation Lists (CRLs) list certificates that have been revoked before their expiry date, for example because the private key was compromised; a verifier must consult the CRL, since a signature made with a revoked key still verifies mathematically
- An X.500 directory server provides a publicly accessible database for storing certificates and CRLs

Symmetric key encryption is a cryptosystem in which the key that encrypts is the same key that decrypts. Symmetric encryption systems are typically used for bulk data encryption because they are very efficient.

Symmetric key algorithms are used to encrypt bulk data because they are orders of magnitude faster than public key algorithms. However, symmetric key algorithms depend on the secret key remaining secret, which creates a key management problem: how do both parties agree on a key without anyone else learning it? Public keys solve this problem. A public key system can be used to agree on or exchange a secret key without an eavesdropper finding it out. Suppose person A wants to send a secret symmetric key to person B. A obtains B's public key, uses it to encrypt the symmetric key, and sends the result to B. B decrypts the message with B's private key and obtains the symmetric key. Two caveats matter in practice: A must be sure the public key really is B's (this is what certificates are for), and encrypting under B's public key says nothing about who A is, so A should also sign the exchange.

One of the important tests of the strength of a cryptosystem is how well it is known and understood. A cryptosystem whose security depends on nobody knowing how it is implemented is considered suspect. Conversely, a cryptosystem that is well known, has been well studied and has passed through many tests is considered trustworthy. The DES algorithm has been around for over 20 years. During that time it has been carefully scrutinized and its strength is well known and measurable. DES is also fast and efficient for bulk data transfers and thus a natural building block for network encryption devices. Note, however, that single DES has only a 56-bit key, which by the key-length analysis cited below falls short of adequate protection against brute force; its well-understood strength is precisely what allows the triple-DES variant to be chosen with confidence instead.

In general, the relative strength of an encryption solution is determined by the algorithms used, the length of the keys used to encrypt and decrypt data, and the frequency with which the keys are changed. The Hi-Tech VPN Gateway and Hi-Tech VPN Express use triple DES (three passes of DES) with 168-bit keys, i.e. three independent 56-bit DES keys. A practitioner should know that because of the meet-in-the-middle attack the effective strength of three-key triple DES is about 112 bits rather than 168; this is still comfortably above the 90-bit minimum cited below.

DES, and its variant triple DES, is mature technology and well understood. As a result, the effort required to break a DES key is well known, and an encryption solution can be designed with a key length that provides the appropriate level of protection.

A 1996 report by a group of scientists from AT&T Research, Sun Microsystems, the MIT Laboratory for Computer Science, the San Diego Supercomputer Center, Bell Northern Research and others, entitled "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" (Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson and Wiener), found that "cryptosystems with 40-bit keys offer virtually no protection at this point against brute force attacks". They go on to suggest that "to protect information adequately for the next 20 years in the face of expected advances in computing power, keys in newly deployed systems should be at least 90 bits long."

There are several competing encryption technologies, and they can be compared in several ways. The first is the strength of the encryption algorithms used.

Generally speaking, to resist attack an encryption algorithm should be well known and in the public domain for a long period of time. Algorithms with this property, such as triple DES, are studied extensively, so their relative strengths are well known and can be compared.

Encryption solutions can also be compared by where they apply encryption. In terms of the OSI communication model, products can work at the physical (link) layer, the network layer or the application layer. The Hi-Tech VPN Gateway and Hi-Tech VPN Express operate at the network layer.

Technologies that operate at the application layer have significant limitations. Encryption needs to be embedded in every application, with associated effort and cost, and there is very little standardization between applications, so end users must be retrained for each one. An application-layer session can also be hijacked if its session identifier can be obtained; with network-layer encryption every packet is authenticated under the tunnel's keys, so an attacker cannot inject or take over traffic without them. Network-layer encryption provided by the Hi-Tech VPN Suite operates transparently with any existing IP network infrastructure and provides data encryption that is transparent to the end user.

An alternative competing technology is link encryption. Link encryption encrypts everything on a point-to-point link, headers included, so routing and switching information is unavailable in transit and each hop must decrypt and re-encrypt. Because of this, link encryption cannot take advantage of meshed networks. Two encryptors are required for each point-to-point link, dramatically increasing the cost in a complex network, and there is no key management protocol for such an environment, adding further to the expense.

Cost Savings

A VPN saves money by eliminating long distance toll calls and simplifying management. Often the most cost-effective solution is a combination of VPN and direct dial. Intel has developed a VPN calculator to demonstrate the benefits of VPN for your particular environment; it can be found at http://www.shiva.com/remote/vpnroi. According to a 1997 research report by Infonetics Research, Inc., virtual private networks (VPNs) can deliver savings of 20% to 47% of wide area network costs by replacing leased lines to remote sites. Savings on corporate remote access dial-up costs can be even more dramatic with remote access VPNs: up to 60%-80%. Additionally, Internet access is available worldwide where other connectivity alternatives may not be. These are the types of ROI information you will need to consider when evaluating VPNs against your current access infrastructure.

Direct dial should be used for mission-critical and performance-sensitive applications and in cases where a local call is being made (note that studies have shown that over 50% of remote access is local). VPNs should be deployed to reduce expensive private-line costs, such as long distance telephone and leased-line charges. To optimize a business access solution, in most cases the IS manager will want to integrate VPN connectivity with direct-dial access. An optimized remote access solution should be based on a detailed assessment of an organization's remote access needs.

Product Features

All three Hi-Tech VPN products use the same hardened real-time operating system firmware. Some of the key features are: Shiva Smart Tunneling for automated fail-over, redundancy, and load-balancing; support for X.509 digital certificates, RADIUS, integrated hard tokens, and challenge-response authentication; 168-bit (triple DES) encryption; automated key management; and an optional ICSA-certified firewall. All three hardware products work with the Shiva VPN Client for remote access applications. V.35 serial connectivity is now available on all Hi-Tech VPN products.

The differences among the three Hi-Tech VPN products are primarily capacity and performance. The Hi-Tech VPN Express supports up to 50 simultaneous tunnels with an aggregate throughput of 2 Mbps; the Hi-Tech VPN Gateway supports up to 300 tunnels with an aggregate throughput of 6-10 Mbps; and the Hi-Tech VPN Gateway Plus, with its dedicated ASIC encryption card, supports up to 1024 tunnels (600 simultaneous for optimal performance) with an aggregate throughput of 10-12 Mbps.

The Hi-Tech VPN Gateway, VPN Gateway Plus, and Express all integrate into the existing network topology, including intranet, extranet, and remote access applications. All three Hi-Tech VPN products support LAN-to-LAN as well as client-to-LAN applications, allowing corporations to purchase one VPN solution for all of their VPN needs.

Yes. All Hi-Tech VPN products incorporate the same firmware and therefore support the same ICSA-certified features, such as the firewall and IPSec.

Absolutely. The Hi-Tech VPN Express allows per-tunnel selection of the IPSec or SST (Shiva Smart Tunneling) tunneling protocol. IPSec provides standards compliance and interoperability with other vendors' IPSec equipment, while SST, which is specific to these products, provides capabilities including scalability, redundancy, load-balancing and fail-over protection.

The Hi-Tech VPN Gateway provides standards-based VPN according to the IPSec data encryption specification proposed by the Internet Engineering Task Force (IETF). Both the VPN Gateway firewall and the VPN Gateway IPSec implementation are ICSA certified. The Hi-Tech VPN Gateway, Hi-Tech VPN Express, and the Shiva VPN Client support DES encryption for data; note that single DES uses a 56-bit key, below the 90-bit minimum cited earlier in this FAQ, so the 168-bit triple DES option should be selected where confidentiality matters. X.509 digital certificates can be used to provide strong authentication.