UBM Network Computing
TechWeb
Unlocking Virtual Private Networks

IPSec-Compatible VPN Devices

Everyone is trying to solve the same problem: providing secure, authenticated access to remote users and remote LANs in a robust and extensible manner. The best bet seems to center on the IPSec initiative, for a number of reasons. IPSec is part of IP version 6 (IPv6), the next generation of IP. That alone positions IPSec to become ubiquitous. IPSec is also designed to be cryptographically agnostic, meaning vendors should be able to add authentication and encryption algorithms as they are developed without changing the underlying protocol. At least behind closed doors, vendors are working on interoperable implementations through initiatives like RSA's S/WAN. And IPSec is being pushed by powerful user groups, such as the Automotive Network Exchange, as a way to interconnect trading partners, customers and suppliers securely and authoritatively. A lot of work remains to be done in this area before that goal is achieved, but we are likely to see products rolling out in the next four to eight months.

VPN devices that use the IPSec protocol sit on the outer edges of a security domain, encrypting traffic bound for another security domain. This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured network. However, IPSec tunnels work only with IP; they offer no multiprotocol capability. Additionally, the majority of IPSec-based products are designed to secure networks, not individual workstations (FTP Software's Secure Client is a notable exception, sporting a TCP/IP protocol stack for Windows 95 with IPSec built in).

With IPSec, securing the data stream falls into one of two operational modes: tunnel mode, where the entire original IP packet (header and data) is encrypted and wrapped in a new outer IP packet addressed between the two IPSec devices; or transport mode, where only the payload above the IP header is encrypted, leaving the original IP header, and therefore the original source and destination addresses, visible on the wire. Among the products we evaluated, TimeStep's PERMIT 1060 and VPNet's VSU-1010 offer both transport and tunnel modes, while RedCreek's Ravlin 10 and Ravlin 4 offer transport-mode IPSec only.
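To make the difference between the two modes concrete, here is an added example (not code from the article or from any of the vendors reviewed) that builds the same inner IP packet both ways and reports what a sniffer on the public network can read. The addresses, SPIs and key are constructed for the example, and the "cipher" is an HMAC-SHA256 keystream standing in for the real ESP transform; the ESP framing (SPI, sequence number, encrypted payload with padding trailer, 96-bit HMAC-SHA1 integrity check value) follows the ESP packet layout.

```python
# Added example, not from the article or any vendor: toy ESP encapsulation
# showing what an observer sees in transport mode versus tunnel mode.
# Addresses, SPIs and key are constructed; the keystream is a stand-in
# for a real cipher, the ESP framing follows the real packet layout.
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50    # IP protocol number for ESP
TCP_PROTO = 6
IPV4_PROTO = 4    # ESP next-header value for an encapsulated IPv4 packet


def _checksum(data):
    """Standard ones-complement IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def _keystream(key, spi, seq, n):
    """Toy deterministic keystream: HMAC(key, spi || seq || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encap(plaintext, next_header, spi, seq, key):
    """SPI | seq | E(plaintext | pad | pad_len | next_header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # align the trailer to 4 bytes
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    enc = bytes(a ^ b for a, b in zip(body, _keystream(key, spi, seq, len(body))))
    esp = struct.pack("!II", spi, seq) + enc
    return esp + hmac.new(key, esp, hashlib.sha1).digest()[:12]


def esp_decap(esp, key):
    """Verify the ICV, decrypt, strip the trailer; returns (plaintext, next_header)."""
    esp, icv = esp[:-12], esp[-12:]
    if not hmac.compare_digest(hmac.new(key, esp, hashlib.sha1).digest()[:12], icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", esp[:8])
    body = bytes(a ^ b for a, b in zip(esp[8:], _keystream(key, spi, seq, len(esp) - 8)))
    pad_len, next_header = body[-2], body[-1]
    return body[:-(pad_len + 2)], next_header


def transport_mode(pkt, spi, seq, key):
    """Keep the original IP header; protect only the payload above it."""
    hdr, payload = pkt[:20], pkt[20:]
    esp = esp_encap(payload, hdr[9], spi, seq, key)        # hdr[9] = original protocol
    return build_ipv4(socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
                      ESP_PROTO, esp)


def tunnel_mode(pkt, gw_src, gw_dst, spi, seq, key):
    """Protect the whole original packet and wrap it in a new outer IP header."""
    return build_ipv4(gw_src, gw_dst, ESP_PROTO, esp_encap(pkt, IPV4_PROTO, spi, seq, key))


def tunnel_decap(pkt, key):
    """Peer gateway side: strip the outer header and recover the inner packet."""
    inner, nh = esp_decap(pkt[20:], key)
    if nh != IPV4_PROTO:
        raise ValueError("not a tunnel-mode packet")
    return inner


def observer_view(pkt):
    """What a sniffer on the public network can read in either mode."""
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "spi": struct.unpack("!I", pkt[20:24])[0]}
```

Running `observer_view` over the two encapsulations of one inner packet shows the point of the paragraph: in transport mode the observer still learns which hosts are talking (the inner addresses) and only the payload is hidden, while in tunnel mode the observer sees only the two gateway addresses and an opaque ESP payload that also hides the inner header.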

IPSec-compatible VPN devices provide encrypted tunneling at OSI Layer 3 between sites. They are largely transparent to the user (see "Extending the Network," right). The devices set up secure tunnels between sites, and provide their own certificate authority functionality and management. Currently, most IPSec devices will not interoperate, though that should change within three to eight months. Key hurdles include distribution of keys and certificates, policy management, and the development of a Public Key Infrastructure (PKI); for a detailed analysis of PKI, see "Bridging the Business-to-Business Authentication Gap," July 15, page 62. IPSec is still winging its way through the Internet Engineering Task Force (IETF) standardization process and, though it is far from complete, the protocol is becoming stable enough for devices to begin embracing the current IPSec definitions.

· Tunnel-Mode IPSec

Configuring tunnel-mode IPSec VPNs involves a combination of implementing a routed network topology and implementing a security policy. Because tunnel mode encrypts and wraps IP packets destined for another LAN, you may need to change IP parameters of existing workstations, routers and servers to accommodate the new topology while also ensuring that servers, workstations and networks that carry sensitive data are properly protected.

TimeStep's PERMIT 1060, for example, acts as an IP router between the protected and unprotected LANs (see "Making a Secure Connection," page 74). Suppose you have a security policy that dictates that all traffic bound for payroll from human resources (and back) should be sent over a secure tunnel with IPSec devices at either end. If you install PERMIT 1060, it becomes the default gateway for the workstations it protects. This requires a one-time configuration change either on the workstations or via DHCP or BOOTP.

PERMIT 1060 routes all of the IP traffic sent to it. You can even hide IP address subnets behind it and use any numbering scheme that suits your needs, without having to register them with the InterNIC. IP hiding is useful if you have nonregistered IP networks that need to be connected across the Internet.

PERMIT 1060 doesn't perform Network Address Translation (NAT); instead, it blocks all traffic that is not destined for a VPN. This means that if you want some traffic to go over the VPN and some traffic to go to the public network, you will need to use your InterNIC-assigned address ranges on the public networks. This scheme worked extremely well in our testing; we were able to hide our private networks behind PERMIT 1060 and tunnel the traffic over the Internet without worrying about using precious address space.
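The configuration steps above (become the default gateway, tunnel HR-to-payroll traffic in both directions, block everything else, and forward clear traffic only from registered addresses because there is no NAT) amount to a per-packet policy lookup. The following is an added model of that decision, not the vendor's code; the networks, gateway addresses and rules are constructed for the example. Rules are matched first-match on (source network, destination network) with the actions PROTECT (tunnel to a peer gateway), BYPASS (forward in the clear) and DISCARD; a packet matching no rule is discarded, and a BYPASS rule still cannot carry a packet from an unregistered private source since nothing translates its address.

```python
# Added example, not the vendor's code: forwarding decision of a tunnel-mode
# IPSec gateway acting as the LAN's default gateway. Networks, peer addresses
# and rules are constructed. First-match policy; no match means DISCARD, and
# BYPASS from an RFC 1918 source is refused because the model does no NAT.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR on the protected (inside) side
    dst: str                      # CIDR of the remote side
    action: str                   # "PROTECT", "BYPASS" or "DISCARD"
    peer: Optional[str] = None    # public address of the peer gateway for PROTECT

    def matches(self, s, d):
        return s in ipaddress.ip_network(self.src) and d in ipaddress.ip_network(self.dst)


class Gateway:
    def __init__(self, public_addr, rules):
        self.public_addr = public_addr
        self.rules = list(rules)

    def decide(self, src, dst):
        """Return (action, detail) for a packet from src to dst."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if not r.matches(s, d):
                continue
            if r.action == "PROTECT":
                return ("PROTECT", r.peer)     # outer header: self.public_addr -> peer
            if r.action == "BYPASS" and any(s in n for n in PRIVATE_NETS):
                return ("DISCARD", "unregistered source, no NAT")
            return (r.action, None)
        return ("DISCARD", "no matching policy")


def mirror_rules(rules, own_public_addr):
    """Rules the peer gateway needs so the return path is protected too."""
    return [Rule(r.dst, r.src, r.action,
                 own_public_addr if r.action == "PROTECT" else None)
            for r in rules]


# Constructed topology: HR LAN 10.1.0.0/16 behind gateway A (192.0.2.1),
# payroll LAN 10.2.0.0/16 behind gateway B (198.51.100.1); 203.0.113.0/24 is
# A's registered range, allowed to reach the public network in the clear.
HR_RULES = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "PROTECT", peer="198.51.100.1"),
    Rule("203.0.113.0/24", "0.0.0.0/0", "BYPASS"),
    Rule("10.1.0.0/16", "0.0.0.0/0", "BYPASS"),   # mistake: hidden net to the Internet
]
GATEWAY_A = Gateway("192.0.2.1", HR_RULES)
GATEWAY_B = Gateway("198.51.100.1", mirror_rules(HR_RULES, "192.0.2.1"))
```

The third rule is deliberately wrong: an administrator who tries to let the hidden 10.1.0.0/16 network reach the public Internet in the clear gets a discard rather than leaked private-address packets, which is the behaviour the text describes for a device that hides subnets but does not translate them. `mirror_rules` makes the "and back" part of the policy explicit; the peer gateway must carry the reverse rule or return traffic is dropped at its end.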


Sidebars: Deciphering the Goal of Virtual Private Networks; Choosing a Service Provider; Driving the VPN Market; Picking a VPN Solution

Updated October 24, 1997
Copyright © 2008 United Business Media LLC