UNCLASSIFIED
Future Issues in Router Security
Version 1.0g
7.4. Tunneling Protocols and Virtual Network Applications
As VPNs become more popular and widespread, expect a corresponding increase in
mobile users expecting to join home base networks, VPNs, and protected networks
from remote sites. Standard protocols exist for tunneling layer 2 protocols, such as
Ethernet or PPP, over IP networks. Use of such tunneling protocols allows remote
users to join a LAN, and actually use their home base LAN address, from a remote
part of the network. There are several approaches to doing this, each of which has
different security issues.
7.4.1. Virtual Private Dialup Networking
Cisco routers support tunneling dial-up protocols, like PPP, over IP from a remote
router or network access server to a central router. This kind of tunneling
architecture is called Virtual Private Dial-up Networking (VPDN), and it is illustrated
in the figure below.
Figure 7-2: Overview of Virtual Private Dial-up Networking
In general, the security for a VPDN service depends on use of IPSec between the two
ends of the tunnel: the remote network access server and the central router. This is an
area that needs further study, but it seems possible that small deployments could use
static IPSec tunnels as described in Section 5.2.
[Figure 7-2 diagram: a remote user connects by modem (dial-up) to an access server at 126.19.4.29; a virtual connection across the Internet carries the session to the home base router, whose inside LAN is 14.2.9.0/24 and holds a file server at 14.2.9.10. The remote user appears on the inside LAN with address 14.2.9.185. Virtual Private Dial-up Networking is configured between the access server and the home base router.]
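The configuration fragments below are an added example, not text from the guide or a Cisco document, showing one way to build the VPDN of Figure 7-2 with L2TP and to protect the tunnel with a static IPSec tunnel between the access server and the home base router, as the paragraph above suggests. The addresses 126.19.4.29, 14.2.9.0/24 and 14.2.9.185 come from the figure; the home base router's outside address 14.1.15.250, the host names AccessServer and HomeBase, the domain homebase.example, and every key or password are assumed values chosen for the example.

```text
! ===== Home base router (L2TP Network Server) =====
! Example configuration added to illustrate Section 7.4.1; not from the guide.
! 14.1.15.250 (outside address), host names, domain and secrets are assumed.
hostname HomeBase
!
! Accept L2TP tunnels only from the named access server, and require the
! tunnel password, so that an arbitrary host cannot open a tunnel to the LAN.
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname AccessServer
 l2tp tunnel password 0 TUNNEL-SECRET-PLACEHOLDER
!
! Each tunneled PPP session is cloned from this template; the remote user
! receives an inside LAN address (14.2.9.185 in the figure) from the pool.
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool VPDN-POOL
 ppp authentication chap
!
ip local pool VPDN-POOL 14.2.9.180 14.2.9.190
!
! Static IPSec tunnel to the access server with a pre-shared key. The crypto
! access list covers all traffic between the two tunnel endpoints, so both
! L2TP control messages (UDP 1701) and the tunneled user data are encrypted.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 126.19.4.29
!
crypto ipsec transform-set VPDN-TS esp-3des esp-sha-hmac
!
access-list 110 permit ip host 14.1.15.250 host 126.19.4.29
!
crypto map VPDN-MAP 10 ipsec-isakmp
 set peer 126.19.4.29
 set transform-set VPDN-TS
 match address 110
!
interface Serial0
 ip address 14.1.15.250 255.255.255.252
 crypto map VPDN-MAP
!
interface Ethernet0
 ip address 14.2.9.1 255.255.255.0

! ===== Access server (L2TP Access Concentrator), 126.19.4.29 =====
hostname AccessServer
!
! Dial-in users whose name ends in @homebase.example are forwarded over an
! L2TP tunnel to the home base router instead of terminating locally.
vpdn enable
vpdn-group 1
 request-dialin
  protocol l2tp
  domain homebase.example
 initiate-to ip 14.1.15.250
 local name AccessServer
 l2tp tunnel password 0 TUNNEL-SECRET-PLACEHOLDER
!
! Mirror image of the home base router's IPSec configuration.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 14.1.15.250
!
crypto ipsec transform-set VPDN-TS esp-3des esp-sha-hmac
!
access-list 110 permit ip host 126.19.4.29 host 14.1.15.250
!
crypto map VPDN-MAP 10 ipsec-isakmp
 set peer 14.1.15.250
 set transform-set VPDN-TS
 match address 110
!
interface Serial0
 ip address 126.19.4.29 255.255.255.252
 crypto map VPDN-MAP
```

Two points of the design matter for security. First, the L2TP tunnel password and the `terminate-from hostname` check authenticate the tunnel endpoints to each other, but they do not encrypt anything; without the IPSec tunnel, the remote user's PPP session, and therefore the inside LAN traffic, crosses the Internet in the clear. Second, the crypto access list matches every packet between the two endpoint addresses rather than only UDP 1701, so no L2TP traffic can bypass encryption because of an unexpected port; the outside interface filters should additionally reject plaintext L2TP from any other source, so that the home base router only ever terminates tunnels that arrived inside the IPSec tunnel.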