
Internet Secure Tunneling

Implementation Guide


Dear Customer: Congratulations on your purchase of the Intel Express Router, now with Virtual Private Networking for secure networking over the Internet. Intel Express Routers can secure your private business communications for safe and affordable transmission over the Internet. At the same time, Intel Express Routers continue to offer a simple, cost-effective solution for your traditional WAN routing needs. This guide shows how to configure a secure tunnel for VPN using two Intel Express Routers. The guide covers different configurations and set-ups to meet most network needs. We also provide an introduction to secure tunneling and security issues. A list of responses to frequently asked questions is included. We've attempted to provide complete information in this guide. If you should want further assistance, Intel offers a number of support and service options. For more information, go to http://support.intel.com/sites/support/. Thank you for your purchase!

Sincerely,

The Intel Express Routers Marketing Team


Table of Contents

Introduction to Tunneling
  Securing Data Over a VPN
  Advanced filters and firewalls
  PAP and CHAP

Example Scenarios for Configuration of a Tunnel
  Configuration issues
    Static IP host route to the remote router
    Numbered IP WAN link
    Encryption
    Filtering
  Configuration Scenarios
    1. Internet Tunneling only
    2. Tunneling with browser (HTTP) access to the Internet
    3. Tunneling with browser access and mail exchange on Internet
    4. Tunneling with browser access on the Internet through a proxy server
    5. Internet tunneling through a firewall

How to Configure Tunnels and Filters
  Tunneling over a WAN connection
  Tunneling over a LAN connection
  How to configure IP filters

Frequently Asked Questions


Introduction to Tunneling

Tunneling is a technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. It is almost like having your own private network.

With two or more Intel Express Routers, you can use tunneling and encryption to create a Virtual Private Network (VPN). This virtual network allows safe use of the Internet to send and receive secure business data between LANs. You get the security of a private network at the vastly lowered expense of simple Internet connections.

In addition to security and low cost, another benefit of tunneling is its global networking capability. Any international site can be connected to a VPN over the Internet. Because the tunnel link is independent of the Wide Area Networking (WAN) link, you can connect to the Internet via any WAN link, including T1/E1, ISDN, Frame Relay or X.25, for example.

Tunneling employs the Internet Protocol (IP), which specifies the format of packets and the addressing scheme. All data transmitted over the tunnel is encapsulated in IP packets. As a result, you can route and bridge protocols, enable filters and deploy cost-control features the same way as when using a WAN link. You can transmit IP, IPX and bridged data over the tunnel.

Typically, because of current limitations in the Internet infrastructure, VPNs are most suitable for non-real-time or lower-bandwidth traffic. For this reason, proprietary or leased-line solutions still make sense for businesses that regularly traffic in time-sensitive data or large files.

Securing Data Over a VPN

In a world where some people make a living by breaking into private property, whether it's real property or intellectual property in the form of data, securing private transmissions over the Internet is imperative. Current security tools at your disposal include encryption, filtering and firewalls. With the increasing use of the Internet for private transactions, security and protection schemes constitute a major area of current high-technology research and development.

Intel Express Routers offer a simple and inexpensive solution for securing private communications over the Internet, public Frame Relay and X.25 networks. There's no need to alter your existing network architecture. Security is provided by using an Intel router for each point at which you connect to the Internet. Intel supplies its Express Routers with powerful encryption. Intel uses the Blowfish algorithm, with a 144-bit encryption key. This compares with competing solutions providing key lengths of only 40 to 128 bits. For even greater security, you can use a different key for each tunnel.

Before any data enters the public domain, each packet is encrypted and placed in a separate envelope for transmission. For greatest effectiveness, the encryption is performed across the entire data stream rather than on individual packets only. Even the original source and destination address of the data stream are hidden from potential hackers.

Advanced filters and firewalls

Encrypting data makes it virtually impossible to decipher. To keep intruders from gaining access to your tunnel in the first place, advanced filters provide additional security. You can establish these security screens to allow only predefined users to access the tunnel. Filtering on the WAN port is the first step to building a firewall to shield your network. If you are using your WAN connection for creating a VPN only, you can use filters to block all transmissions except those in the secure tunnel. In this case, you don't need a firewall. However, if you use the WAN connection both for Internet access (e.g., e-mail and the World Wide Web) and for a VPN, you should install a firewall. At the very least, you should install an Internet proxy to prevent some of the common attacks used by hackers.


PAP and CHAP

To authenticate remote users, the Internet uses a digital version of the old cowboy code: look them in the eye as you shake their hand. The handshake takes the form of Internet protocols known as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP, the most basic form of authentication, transmits a user's name and password over a network and compares it to a table of name-password pairs. The passwords stored in the table usually are encrypted. PAP's weakness, however, is that both the username and password are transmitted in the clear, that is, in an unencrypted form. CHAP features stronger security measures. In CHAP, one router sends a key to the other router to be used to encrypt the username and password. This enables the username and password to be transmitted in an encrypted form to protect them against eavesdroppers.

Other security features

Other security features include Network Address Translation (NAT) and PPP Call Back. NAT enhances security by hiding internal IP addresses when data is sent over the Internet or WAN. NAT also provides considerable savings in time and money by eliminating the need to redesign your business's internal TCP/IP addressing scheme when connecting to the Internet or remote sites with conflicting IP addressing schemes.

Using NAT, an Intel Express Router automatically maps an IP address to each internal LAN address, enabling transparent communication with those outside your corporate network. Alternatively, the router can maintain a pool of unique IP addresses, assigning a temporary address to a workstation whenever it connects over the Internet or WAN. This method requires fewer official Internet IP addresses. Over ISDN (EuroISDN only) and analog modems, PPP Call Back can be used for authentication. If a user dials in for access to the LAN, the router cuts the connection, then calls back to ensure that it's an authorized link. PPP Call Back is compatible with the Microsoft Call Back standard.

Example Scenarios for Configuration of a Tunnel

Now that we have covered some of the basics of tunneling, let's look at some specific examples of configuring the router for different applications that include a tunnel. There are five examples that cover these specific configurations:

1. Internet tunnel without allowing Internet access
2. Internet tunnel with Internet access
3. Internet tunnel with web access and SMTP e-mail exchange
4. Internet tunnel with a proxy server installed
5. Internet tunnel with a firewall installed

Note: These tunneling configuration scenarios exclude many common services such as FTP, Telnet and common Internet plug-ins such as streaming audio or video. This strict configuration provides the most security. The more services you allow, the greater the susceptibility of the system to hackers. Add additional filters with caution. If you need to add filters for common services (also known as well-known ports), visit the following Web sites:

Mark Daugherty's TCP/IP page: http://members.iquest.net/~mdd/tcpip.html
RFC 1700 assigned numbers: http://www.internic.net/rfc/rfc1700.txt

For services not listed here, contact the product vendor for the protocol and port information needed to create a filter.

Configuration issues

Before we go to the specific examples, let's discuss some issues that apply to all configurations. With Intel Express Routers, configuring a tunnel is simple. You don't have to modify applications or add any specialized software to your LAN. Just enter the IP address of the router at the remote site and enter the same encryption key on both ends of the WAN. The connection will work with virtually any ISP and travel as easily as open traffic through the Internet.

Disabling Telnet

While Telnet allows remote configuration and management of the router, it also opens a high security risk. As a result, we recommend that you disable Telnet, and enable it only when you need it. When you enable Telnet, use a password containing at least six characters, with a mix of letters, numbers and punctuation marks.

Static IP host route to the remote router

To establish the tunnel you need to configure a static host route to the IP address of the remote router at the end of the tunnel. The IP address may be the address of either the WAN or the LAN interface.

Numbered IP WAN link

By using the IP address (if one is assigned) of the WAN interface instead of the LAN interface, you can hide your internal IP network from the Internet. However, hiding your internal IP network does not allow users to reach the Internet, unless you also use Network Address Translation (NAT).

Encryption

The use of data encryption over a public data network is highly recommended. Private data being transferred over the public Internet should always be encrypted for security.

Filtering

Filters act like security guards who require all traffic to show a badge before passing a gate. In the case of a tunnel, filters allow only predefined traffic through the router. Filters are defined on a link basis, and separate filters are implemented for transmitting and receiving. Since you only need to protect the local LAN from intruders and do not want to restrict access to the Internet from the local LAN, it is enough to filter on incoming packets. Therefore, the transmit filter must be set to pass all packets.

Whenever an IP station wants to establish a session (over TCP), the ACK flag (in the TCP header) is always set to 0 in a connection-request packet. By filtering on the ACK flag, we can tell the router whether to allow incoming connection requests to the LAN from the Internet. The tunnel connection is a TCP connection to port 1990. When a router establishes a tunnel, it connects to destination port 1990 and uses a source port higher than 2000. Setting up IP filters is described more fully in Chapter 6 of the User Guide. A quick description on how to configure a tunnel and how to configure a filter is given at the end of this document.

Configuration Scenarios
1. Internet Tunneling Only

In this example, the two sites (LAN1 and LAN2) want to exchange data over the Internet. There is no need for Internet e-mail or Web access.

Filter configuration

The router must accept only tunnel traffic from the WAN link to the ISP; it must only receive packets from the remote router over the tunnel (receive filter). All other packets must be discarded.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

[Figure: 1. Internet Tunneling Only. LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2; the tunnel runs between Router 1 and Router 2.]


Receive filter on the WAN link toward the Internet

Tunnel client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of the remote router; Source Port = 1990 (Tunnel); Destination IP: IP address of the local router; Destination Port > 2000.

Tunnel server: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of the remote router; Source Port > 2000; Destination IP: IP address of the local router; Destination Port = 1990 (Tunnel).

The Tunnel client filter allows the local router to establish the tunnel connection. The Tunnel server filter allows the remote router to establish the tunnel connection. The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned). The IP address of the remote router is the address to which the tunnel should be established.

2. Tunneling with browser (HTTP) access to the Internet

Example 2 shows a configuration that opens a tunnel to the remote router as well as allowing users on the local LAN to browse the World Wide Web on the Internet.

Internet access setup

To establish Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet. The static route must be added under >Protocols>IP routing >Static Route> where:

The network address is 0.0.0.0
Network mask is 0.0.0.0
Link is the WAN link toward the Internet.

[Figure: 2. Tunneling with browser (HTTP) access to the Internet. LAN 1 - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2; the tunnel runs between Router 1 and Router 2.]

Filter configuration

Filtering requirements:

The router must allow tunnel traffic between the LAN and the remote router.
Users on the local LAN must have access to Web (HTTP) services on the Internet.
Users must be able to access external Domain Name Servers.

Tunnel filter

The router must accept Tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connect requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect with a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server (DNS), which will give you the IP address of the name you want to connect to.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.

Receive filters on the WAN link toward the Internet

Tunnel client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of the remote router; Source Port = 1990 (Tunnel); Destination IP: IP address of the local router; Destination Port > 2000.

Tunnel server: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of the remote router; Source Port > 2000; Destination IP: IP address of the local router; Destination Port = 1990 (Tunnel).

WWW client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: All; Source Port = 80 (HTTP); Destination IP: IP address of the local net; Destination Port > 1023.

DNS client: Action Pass; Protocol UDP; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the local net; Destination Port > 1023.

DNS client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the local net; Destination Port > 1023.

The Tunnel client filter allows the local router to establish the tunnel connection. The Tunnel server filter allows the remote router to establish the tunnel connection. The WWW client filter allows local users to establish a Web connection to the Internet, but the default filter discards connection requests from the Internet to the LAN. The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter. The IP address of external DNS server is the address of the external DNS server on the Internet, given by your Internet provider. The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For better security, the IP address of the WAN interface should be used (if one is assigned). The IP address of the remote router is the address of the router over the tunnel.



3. Tunneling with browser access and mail exchange on the Internet

In this example, users on the LAN have Web browser access to the Internet and access to the remote LAN via an Internet tunnel. They also need to be able to receive and send e-mail over the Internet via an internal mail server, using an external mail transfer agent.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0 with subnet mask 0.0.0.0. The static route must be assigned to the WAN interface toward the Internet. The static route must be added under >Protocols>IP Routing >Static Route> where:

The network address is 0.0.0.0
Network mask is 0.0.0.0
Link is the WAN link toward the Internet.

[Figure: 3. Tunneling with browser access and mail exchange on the Internet. LAN 1 (with Mail Server) - Router 1 - WAN 1 - ISP - Internet - ISP - WAN 2 - Router 2 - LAN 2; the tunnel runs between Router 1 and Router 2.]

Filter configuration

These are the requirements for filtering:

The router must allow tunnel traffic to and from the LAN and the remote router.
Users on the LAN must have access to Web (HTTP) services on the Internet.
Users must have access to an external Domain Name Server.
Users must be able to receive and send e-mails to and from the Internet.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connection requests from the Internet (receive filter). At the same time, it must allow all users on the LAN to get Web and e-mail access on the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the URL to which you want to connect.

Allowing access to and from an internal mail server and to and from an Internet mail server

The internal mail server only needs to communicate with one external mail server on the Internet: a mail transfer agent. The Internet provider must supply the IP address of the external mail server.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.


Receive filter on the WAN link toward the Internet

Tunnel client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of the remote router; Source Port = 1990 (Tunnel); Destination IP: IP address of the local router; Destination Port > 2000.

Tunnel server: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of the remote router; Source Port > 2000; Destination IP: IP address of the local router; Destination Port = 1990 (Tunnel).

Receive e-mails: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of external mail server; Source Port > 1023; Destination IP: IP address of internal mail server; Destination Port = 25 (SMTP).

Transmit e-mails: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of external mail server; Source Port = 25 (SMTP); Destination IP: IP address of internal mail server; Destination Port > 1023.

WWW client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: All; Source Port = 80 (HTTP); Destination IP: IP address of the local net; Destination Port > 1023.

DNS client: Action Pass; Protocol UDP; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the local net; Destination Port > 1023.

DNS client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the local net; Destination Port > 1023.

The Tunnel client filter allows the local router to establish the tunnel connection. The Tunnel server filter allows the remote router to establish the tunnel. The Mail filters allow an internal SMTP mail server to send and receive mail with an external mail server (mail transfer agent). The WWW client filter allows local users to establish a connection to the Internet, but the default filter discards connection requests from the Internet to the LAN. The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be allowed to pass the filter. The IP address of external DNS server is the address of the external DNS server on the Internet. The address must be supplied by the Internet Service Provider. The IP address of the local router should be the IP address of either the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned). The IP address of the remote router is the address of the router over the tunnel. The IP address of external mail server is the address of the external mail server. The internal mail server communicates with the external mail server when sending and receiving e-mail. The external mail server address must be given by the Internet Service Provider.


4. Tunneling with browser access on the Internet through a proxy server

In this scenario, users on the LAN have browser access to the Internet. When users browse the Internet, they will connect through a proxy server.

Internet access setup

To get Internet access, a static route to the Internet must be configured. A static route representing the Internet is 0.0.0.0, with a subnet mask set at 0.0.0.0. The static route must be assigned to the WAN interface, toward the Internet. The static route must be added under >Protocols>IP Routing >Static Route> where:

The network address is 0.0.0.0
Network mask is 0.0.0.0
Link is the WAN link toward the Internet.

[Figure: 4. Tunneling with browser access on the Internet through a proxy server. Local net (with Proxy Server) - Express Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Remote net; the tunnel runs between the two Express Routers.]

Filter configuration

These are the requirements for filtering:

The router must allow tunnel traffic to and from the LAN of the remote router.
Users on the LAN must be able to browse on the Internet through the proxy server. The filter must, therefore, only allow Web (HTTP) traffic to the proxy server.
Users must have Domain Name Server access to the Internet through the proxy server.

Tunnel filter

The router must accept tunnel traffic from the remote router via the link to the ISP.

Internet access filter

The router must not allow external users to get access to the local LAN from the Internet, i.e., it must discard all connect requests from the Internet (receive filter). The router should only accept packets to the proxy server from the Internet.

Domain Name Server filter

When connecting to a Web server on the Internet, you normally connect using a URL. To translate between IP addresses and URLs, you will need to connect to a Domain Name Server. The DNS will give you the IP address of the name to which you want to connect.

Transmit filter: the default action must be set to Pass.
Receive filter: the default action must be set to Discard.


Receive filter on the WAN link toward the Internet

Tunnel client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of the remote router; Source Port = 1990 (Tunnel); Destination IP: IP address of the local router; Destination Port > 2000.

Tunnel server: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of the remote router; Source Port > 2000; Destination IP: IP address of the local router; Destination Port = 1990 (Tunnel).

WWW client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: All; Source Port = 80 (HTTP); Destination IP: IP address of the proxy server; Destination Port > 1023.

DNS client: Action Pass; Protocol UDP; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the proxy server; Destination Port > 1023.

DNS client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of external DNS server; Source Port = 53 (DNS); Destination IP: IP address of the proxy server; Destination Port > 1023.

The Tunnel client filter allows the local router to establish the tunnel connection. The Tunnel server filter allows the remote router to establish the tunnel connection. The WWW client filter allows local users to establish a connection to the Internet, but the default filter discards connection attempts from the Internet to the LAN. The DNS filters allow the local users to access DNS servers on the Internet. DNS requests might use either UDP or TCP as a transport protocol; therefore, both protocols must be able to pass the filter. The IP address of external DNS server is the address of the external DNS server on the Internet. The address must be provided by the Internet Service Provider. The IP address of the local router should be either the IP address of the WAN interface or the LAN interface. For maximum security, the IP address of the WAN interface should be used (if one is assigned). The IP address of the remote router is the address of the router over the tunnel.


5. Internet tunneling through a firewall

While not required for every application, a dedicated firewall for filtering is the most secure solution for tunneling. The firewall must be set up to allow tunnel traffic to pass between the remote router and the local router. The router on the LAN is used as a tunnel end-point to the remote network; it has no WAN connection. The router that connects the firewall to the Internet does not need tunnel links, nor does it have to be an Intel Express Router to pass tunnel traffic.

Filter configuration

You do not need to add filters in the local router. The firewall has the responsibility to filter out unwanted packets. However, the firewall must allow tunnel traffic to pass both ways between the local router and the remote router.

[Figure: 5. Internet tunneling through a firewall. Desktop System - Express Router - Firewall - Router - WAN 1 - ISP - Internet - ISP - WAN 2 - Express Router - Desktop System; the tunnel runs between the two Express Routers.]

Firewall Configuration

The firewall must be configured to pass tunnel traffic in the same way the Express Router filters are configured to pass tunnel traffic (see table below).

Transmit filter: the default action must be set to Pass. Receive filter: the default action must be set to Discard.

Receive filter in the firewall to allow tunnel traffic

Tunnel client: Action Pass; Protocol TCP; TCP Flag ACK; Source IP: IP address of the remote router; Source Port = 1990 (Tunnel); Destination IP: IP address of the local router; Destination Port > 2000.

Tunnel server: Action Pass; Protocol TCP; TCP Flag All; Source IP: IP address of the remote router; Source Port > 2000; Destination IP: IP address of the local router; Destination Port = 1990 (Tunnel).

The Tunnel client filter allows the local router to establish the tunnel connection. The Tunnel server filter allows the remote router to establish the tunnel connection. The IP address of the local router should be the IP address of the LAN interface. The IP address of the remote router is the address of the router over the tunnel.

How to Configure Tunnels and Filters


The following procedure is an abbreviated guide to configuring a tunnel, for routing data to a remote site via the Internet. See the User Guide for detailed instructions. It is assumed that the link to the Internet is already configured; if not, see the Quick Setup Guide or Chapter 5 of the User Guide for instructions.

Tunneling over a WAN connection

1. Enter the Links option of Advanced Setup.
2. Add a new link. Choose Internet Tunnel as the WAN protocol.
3. For Local IP Address, choose either the address of the LAN interface or the address of the WAN interface, if one is assigned. Note: The address must be an official address given by the Internet Service Provider.
4. For Remote IP Address, use the address of the remote router to which the tunnel should be established. Again, either the WAN or the LAN IP address of the remote router should be chosen.
5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise.
6. Select IP routing under the Protocols option of Advanced Setup.
7. Add a static host route to the remote router. The host route must be set up with the same IP address as that for the Remote IP Address. The static host route must be assigned to the WAN interface toward the Internet. Remember that the subnet mask to a host route is always 255.255.255.255.
8. Configure the protocols (IP, IPX and/or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 in the User Guide manual for information on configuring the protocols.

Tunneling over a LAN connection

1. Enter the Links option of Advanced Setup.
2. Add a new link. Choose Internet Tunnel as the WAN protocol.
3. For Local IP Address, choose the IP address of either the LAN interface or the WAN interface, if one is assigned. Note: The address must be an official address given by the Internet Service Provider.
4. For Remote IP Address, use the IP address of the remote router to which the tunnel should be established. Again, choose either the WAN or the LAN address of the remote router.
5. Enable encryption for the tunnel. Data communication via the tunnel is not secure otherwise.
6. Select IP routing under the Protocols option of Advanced Setup.
7. Add a static host route to the remote router. The host route must be set up with the same IP address as that for the Remote IP Address. The static host route must be assigned to the LAN interface. Remember that the subnet mask to a host route is 255.255.255.255.
8. Forwarding Address must be the IP address of the local router connected to the Internet. If a firewall is used, the Forwarding Address must be the IP address of the firewall.
9. Configure the protocols (IP, IPX or Bridging) to be used over the tunnel. See Chapters 6, 7 and 8 in the User Guide manual for configuring the protocols.

How to configure IP filters

Use the following procedure to configure IP filtering on the LAN or the WAN interface.

1. Enter the Advanced screen under the IP link to which you would like to add a filter.
2. Set the Filtering parameter to Enabled on the Advanced screen for the IP link.
3. Select the Tx Filters on the Advanced screen for the IP link. Set the Default Action to Pass. Filter only on receiving traffic.
4. Go back to the Rx Filters to define receive filters.
5. Set the Default Action to Discard.
6. Use Add to add a new filter.
7. Set Action to Pass.
8. Set the filter parameter as described in the examples given earlier in this document.

The filtering of IP packets is based on the following criteria:

IP protocol: A filter can process packets based on UDP, TCP or ICMP. Other protocols can be defined by the IP number. TCP filtering also can be based on TCP Flags, for all Flags or just with the acknowledge (ACK) flag set.


Source address: Use the Source Address to filter packets entering the router via the link from a specific host or network.

Source port: The Source Port filters packets originating from a single port (e.g., SMTP or HTTP), from a range of ports, or from all ports.

Destination address: A filter can process packets addressed to a host address or a network address.

Destination port: A filter can process packets addressed to a single port, a range of ports or all ports.

Port values and port operator: For the port value, it is possible to define whether the port value should be equal (=), different (!=), greater than (>) or less than (<) the specified value.
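As an added illustration (not code from the guide or from Intel), the Python below models a receive filter built from the criteria listed above and loaded with the scenario 2 rule table (tunnel, browser access and DNS), then runs constructed packets through it. The router addresses, the local net and the sample packets are invented for the example, and treating the list as "pass if any rule matches" is an assumption about how the router evaluates its filters.

```python
"""Model of the stateless IP receive filter described in this guide, loaded
with the scenario 2 rule table (tunnel + browser access + DNS)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple

PortTest = Optional[Tuple[str, int]]   # (operator, value); None means all ports

# Constructed addresses for the example (not from the guide). The local
# router is filtered on its WAN address, as the guide recommends.
LOCAL_ROUTER = "203.0.113.10"     # WAN interface of the local router
LOCAL_NET = "192.0.2.0/24"        # the local LAN
REMOTE_ROUTER = "198.51.100.20"   # router at the far end of the tunnel
EXT_DNS = "198.51.100.53"         # external DNS server supplied by the ISP


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # TCP ACK flag; 0 in a connection request (SYN)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    tcp_flag: str       # "ACK" (ACK bit must be set) or "All" (any flags)
    src_ip: str         # host address, network in CIDR form, or "All"
    src_port: PortTest
    dst_ip: str
    dst_port: PortTest
    action: str = "Pass"


def port_matches(test: PortTest, port: int) -> bool:
    """Apply one of the router's port operators: =, !=, > or <."""
    if test is None:
        return True
    op, value = test
    return {"=": port == value, "!=": port != value,
            ">": port > value, "<": port < value}[op]


def ip_matches(spec: str, addr: str) -> bool:
    """Match a host, a network or the wildcard 'All'."""
    if spec == "All":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    # The ACK test is stateless: it looks only at the flag bit, not at
    # whether a session exists, which is why the guide wants a firewall or
    # proxy when the WAN link also carries ordinary Internet traffic.
    if pkt.proto == "TCP" and rule.tcp_flag == "ACK" and not pkt.ack:
        return False
    return (ip_matches(rule.src_ip, pkt.src_ip)
            and port_matches(rule.src_port, pkt.src_port)
            and ip_matches(rule.dst_ip, pkt.dst_ip)
            and port_matches(rule.dst_port, pkt.dst_port))


def receive_filter(rules: Iterable[Rule], pkt: Packet) -> str:
    """Pass if any rule matches (assumed); the receive default is Discard."""
    return "Pass" if any(rule_matches(r, pkt) for r in rules) else "Discard"


# Scenario 2 receive filter on the WAN link toward the Internet.
SCENARIO_2 = [
    Rule("Tunnel client", "TCP", "ACK", REMOTE_ROUTER, ("=", 1990), LOCAL_ROUTER, (">", 2000)),
    Rule("Tunnel server", "TCP", "All", REMOTE_ROUTER, (">", 2000), LOCAL_ROUTER, ("=", 1990)),
    Rule("WWW client", "TCP", "ACK", "All", ("=", 80), LOCAL_NET, (">", 1023)),
    Rule("DNS client (UDP)", "UDP", "All", EXT_DNS, ("=", 53), LOCAL_NET, (">", 1023)),
    Rule("DNS client (TCP)", "TCP", "ACK", EXT_DNS, ("=", 53), LOCAL_NET, (">", 1023)),
]

# Constructed sample packets arriving from the Internet on the WAN link.
SAMPLES = {
    "remote router opens tunnel":   Packet("TCP", REMOTE_ROUTER, 3001, LOCAL_ROUTER, 1990),
    "reply to our tunnel connect":  Packet("TCP", REMOTE_ROUTER, 1990, LOCAL_ROUTER, 2050, ack=True),
    "unknown host opens tunnel":    Packet("TCP", "198.51.100.99", 3001, LOCAL_ROUTER, 1990),
    "web reply to LAN browser":     Packet("TCP", "198.51.100.80", 80, "192.0.2.25", 1500, ack=True),
    "connect request to LAN host":  Packet("TCP", "198.51.100.80", 4000, "192.0.2.25", 80),
    "DNS answer from ISP server":   Packet("UDP", EXT_DNS, 53, "192.0.2.25", 1200),
    "DNS answer from other server": Packet("UDP", "198.51.100.99", 53, "192.0.2.25", 1200),
}


def evaluate_samples() -> Dict[str, str]:
    """Return the filter verdict (Pass/Discard) for every sample packet."""
    return {name: receive_filter(SCENARIO_2, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:8s} {name}")
```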

Frequently Asked Questions

Q. How secure is my data going over the Internet in a secure tunnel?
A. Tunneling and encryption make it possible to create secure Virtual Private Networks over public networks. The 144-bit-key Blowfish encryption algorithm used in the Intel Express Routers is one of the strongest available.

Q. What kind of WAN connection do I need to create a secure tunnel?
A. Tunneling is independent of WAN technology. You can even create a tunnel over the LAN connection without using a WAN port on the router. A tunnel can be created over any WAN media but is most useful over public data networks such as the Internet, Frame Relay and X.25.

Q. Does the Internet connection used for the tunnel have to be dedicated for tunnel traffic?
A. No, you can have both an Internet tunnel and Internet access at the same time.

Q. Does my Internet Service Provider need to support any special protocols for tunneling or VPN?
A. The only requirement is an Intel Express Router on both ends of the tunnel. Tunneling is independent of ISP support.

Q. Are there any special requirements for my end-user workstation configuration?
A. The tunnel is transparent to end-users and intermediate systems (routers). You just need to have TCP/IP installed for the workstation to access the appropriate gateway address.

Q. What prevents others from creating a tunnel connection to my router from the Internet?
A. PAP and CHAP authentication is required for dial-up and tunnel connections. Only qualified usernames and passwords can pass the router gate.

Q. Why should I transmit IP over an Internet tunnel instead of directly over the Internet?
A. You run the risk of exposing private information on the open Internet. Data going over the Internet can be intercepted and read by just about anyone. Having powerful encryption is the key to creating secure tunnels on the Internet.

Q. Can't I get encryption with any router?
A. Not all routers support encryption. Few routers with encryption support the strength of encryption included with the Intel Express routers. Because no standard for encryption exists, encryption algorithms for routers are not compatible. Therefore, to enable encryption or a secure tunnel you must have two devices from the same vendor.

Q. Does tunneling and encryption affect performance?
A. Yes, a certain amount of bandwidth is required for encrypting, encapsulating and compressing data in the secure tunnel. The performance impact depends on what features you have enabled and the data being transferred. For instance, if you create a secure tunnel with encryption and compression, the router could sustain about 100Kbps throughput in the tunnel. Enabling compression on a WAN tunnel connection at greater than 128Kbps is not recommended.

1997 Intel Corporation. All rights reserved. *Other brands and product names are the property of their respective owners.
