

Unlocking Virtual Private Networks
VPNet's VSU-1010 takes a different approach to handling IP addressing. VSU-1010 acts like an IP bridge, forwarding packets from the private network to the public network; consequently, the subnet address range on the private LAN needs to be the same as on the public LAN. If you plan to have multiple subnets on the protected side of the network, you will need to place a router between the destination subnets and VSU-1010 on the private side, and add static routes in the VSU-1010 to forward traffic bound for the protected subnets to the router. VPNet's arrangement requires no change to the public portion of your network configuration, but you have to take extra steps and add equipment on the private side to tunnel a subnet that is not within VSU-1010's public subnet range. This is an odd arrangement and adds to the complexity of building a VPN.
· Transport-Mode IPSec By contrast, VPN products that feature transport-mode IPSec, such as Ravlin 10 from RedCreek, provide data encryption only. Packets destined for a VPN are encrypted and sent along to the next destination, leaving in place the existing IP header information. Consequently, Internet-bound IP traffic that is encrypted using transport mode requires InterNIC-registered addresses.
Although data encryption affords a measure of security, it still leaves you exposed to network analysis attacks. These attacks aim to gather information about who is talking to whom, how often the communication takes place and how much data is passed. This information, combined with other data about your users, is used to determine which sites, such as those of your trading partners, may be targets for attack or to determine who you are working with. Transport mode is best used internally because there is less likelihood that intruders will gain access to your traffic and network analysis attacks are more difficult to perform. It is also effective for encrypting point-to-point stations.
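As an added illustration that is not part of the original article, the following Python builds the on-the-wire IPv4/ESP packets that transport mode and tunnel mode would produce for the same flows, then runs a header-only traffic analysis over them to show what each mode leaks. The hosts, gateway addresses and packet sizes are constructed, and encryption is simulated with zero bytes.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50  # IP protocol number for ESP
# Constructed sample traffic between two protected LANs (RFC 5737 documentation
# ranges stand in for the public addresses). Tuples: (src_host, dst_host, payload).
FLOWS = [
    ("10.1.0.5", "10.2.0.9", b"A" * 1400),   # workstation -> partner file server
    ("10.1.0.5", "10.2.0.9", b"A" * 1400),
    ("10.1.0.7", "10.2.0.22", b"M" * 300),   # mail relay -> partner mail relay
    ("10.1.0.9", "10.2.0.9", b"Q" * 60),
]
GATEWAY_A, GATEWAY_B = "192.0.2.1", "198.51.100.1"  # hypothetical security gateways

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero, enough for header analysis."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def esp_wrap(plaintext, spi, seq):
    """ESP header (SPI, sequence number) plus an opaque stand-in for the ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * len(plaintext)

def transport_mode(src, dst, payload, seq):
    # Only the payload is encrypted; the original src/dst header stays on the wire.
    body = esp_wrap(payload, 0x1000, seq)
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body

def tunnel_mode(src, dst, payload, seq):
    # The whole inner packet, header included, is encrypted; the new outer header
    # names only the two gateways (inner protocol 6 = TCP).
    inner = ipv4_header(src, dst, 6, len(payload)) + payload
    body = esp_wrap(inner, 0x2000, seq)
    return ipv4_header(GATEWAY_A, GATEWAY_B, ESP_PROTO, len(body)) + body

def observe(packets):
    """Network analysis from outer headers alone: {(src, dst): (packets, bytes)}.
    The ciphertext is never examined, so this works the same against either mode."""
    seen = {}
    for pkt in packets:
        total_len, src, dst = struct.unpack("!2xH8x4s4s", pkt[:20])
        pair = (str(IPv4Address(src)), str(IPv4Address(dst)))
        pkts, nbytes = seen.get(pair, (0, 0))
        seen[pair] = (pkts + 1, nbytes + total_len)
    return seen

def on_the_wire(mode):
    """Apply one IPSec mode to every sample flow, numbering ESP sequence from 1."""
    return [mode(src, dst, payload, seq) for seq, (src, dst, payload) in enumerate(FLOWS, 1)]
```

Running `observe(on_the_wire(transport_mode))` exposes every host pair with its packet and byte counts, while `observe(on_the_wire(tunnel_mode))` collapses the same traffic to a single gateway-to-gateway entry.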
Non-IPSec-Compatible VPNs
When applied as part of an established security policy, these products can greatly enhance the security and versatility of your network. However, whether they actually create a VPN or merely use the term for marketing is up for debate. Non-IPSec-compatible devices typically run protocols such as PPTP or Socks-based proxy servers.
· PPTP PPTP is an IETF draft protocol jointly developed by Ascend Communications, ECI/Telematics, Microsoft, 3Com Corp. and U.S. Robotics; it is built into the Windows NT operating system (there is also a free Windows95 upgrade, Dial-Up Networking, that includes PPTP). While PPTP was on the IETF protocol track, it was championed by Microsoft as a way to extend the LAN to remote users.
With remote-access giants, including Ascend, 3Com and U.S. Robotics, behind it, and PPTP's integration into Windows NT Remote Access Server (RAS), PPTP finds itself serving in two areas: remote user dial-up tunneling and LAN-to-LAN tunneling. Encryption and user authentication rely on Microsoft's Point-to-Point Encryption, which uses the RSA RC4 encryption algorithm (128-bit keys for domestic use, and 40-bit keys for international use). If your network security policy requires specific encryption algorithms such as DES or BlowFish, you won't be able to employ PPTP. User authentication is PPP-based with Challenge Handshake Authentication Protocol (CHAP), MS-CHAP and Password Authentication Protocol (PAP) available, and it uses NT Domains for its user database to ease user and server authentication management.
PPTP dial-up tunnels are implemented in two ways, depending on client connectivity. In one model, remote-access users dial into an ISP and establish a PPP connection. The ISP then creates a PPTP tunnel on behalf of the remote user. In the second model, a PPTP-enabled client makes the PPP connection to an ISP and then launches a PPTP session from the desktop. In either case, the protocol negotiation is the same.
Two connections are established: a control session and a data session. The control session creates, maintains and subsequently tears down the tunnel. The control session stays active while the tunnel is up, passing control messages about connection status. Once the control session is established, data transmission begins.

Updated October 24, 1997