<HTML><HEAD><TITLE>Chapter 22 -- How Virtual Secure Private Networks Work</TITLE><META></HEAD><BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#CE2910">
<H1><FONT SIZE=6 COLOR=#FF0000>Chapter 22</FONT></H1>
<H1><FONT SIZE=6 COLOR=#FF0000>How Virtual Secure Private Networks Work</FONT></H1>
<HR>
<P><CENTER><B><FONT SIZE=5><A NAME="CONTENTS">CONTENTS</A></FONT></B></CENTER>
<UL><LI><A HREF="#HowVirtualSecurePrivateNetworksWork">How Virtual Secure Private Networks Work</A></UL>
<HR>
<P>An intranet by itself may help a company make better use of its computing resources, allow for better intra-company communications, and allow the company to present a better face to the world. But for many corporations, that isn't enough. Many companies also need to do business directly with other business partners, such as subcontractors, or companies from whom they're buying goods and services.
<P>Intranets can help there as well. They can allow companies to do business directly with each other over the Internet - and to do so securely. The technology that allows this to be done is called Virtual Secure Private Networks (VSPNs) or Virtual Private Networks (VPNs). In essence, the technology allows two companies with intranets to create a "virtual" link between them across the Internet that is as secure as if they were connected via a private connection. VSPN technology can also be used to create a "virtual" intranet for a company that can link branch offices together over the Internet, while at the same time ensuring that the data that passes between them can't be seen by anyone except people in the "virtual" intranet.
<P>These VSPNs can save corporations a substantial amount of money, both for communicating with business partners and for hooking together branch offices. Today, businesses commonly spend significant amounts of money every month leasing private lines that no one else can use.
The data sent along these private lines cannot be seen by anyone else; the lines are used by the company only. Because of that, they are secure from prying eyes. If, however, there were a way to link companies' intranets over the Internet, there would be no need to pay for leased lines - all the traffic could be handled over the Internet. In addition to saving money on lines, the creation of secure links from intranet to intranet would also allow companies to communicate more effectively electronically, leading to more efficiency and even more savings.
<P>VSPNs use a combination of routing technology, encryption technology, and a technique called tunneling. When someone from one intranet wants to send information to another intranet via a VSPN, VSPN server software recognizes that the destination is a VSPN, and so knows to handle the data differently than if it were being sent to an unsecured site on the Internet. Using powerful encryption technology, the software encrypts the IP packets so that no one will be able to read them. It then places those IP packets inside an IP "envelope" or "wrapper." That envelope is essentially a normal IP packet, so it gets delivered as does any other data, via routers. No one can read what is inside the wrapper, though, because it has been encrypted. When packets are sent this way over the Internet, it is called tunneling.
<P>On the receiving intranet, the VSPN software throws away the wrapper, and then decrypts the data inside of it. The data is then delivered over the intranet via intranet routers.
<H2><A NAME="HowVirtualSecurePrivateNetworksWork"><FONT SIZE=5 COLOR=#FF0000>How Virtual Secure Private Networks Work</FONT></A></H2>
<P>A Virtual Secure Private Network (VSPN) or Virtual Private Network (VPN) allows business partners, each of whom has an intranet, to send secure communications to each other over the Internet, and know that no one else will be able to read the data.
In essence, it creates a private, secure channel between intranets, even though the data sent between them travels over the public Internet. This means that companies will not have to lease expensive lines between them to send data over a secure link. The technology can also be used to allow a company to link branch offices with each other, without having to lease expensive lines, and know that the data can only be read by people on the VSPN.
<OL>
<LI>When someone on an intranet wants to send private data to another company via a VSPN, they don't do anything different than when they send public data - they merely send the data as they would to any location on the Internet. As with any data sent through an intranet, it is broken up into TCP/IP packets.
<LI>All packets sent out from the intranet go through a special VSPN server. The server examines each IP packet to see whether the packet is bound for another VSPN intranet, or instead for the Internet. It determines whether it's bound for another VSPN by examining the IP addresses in the packet headers. It checks the destination address against a database of VSPN addresses. If the packet doesn't match a VSPN address in the database, it means that the packet is bound for the general Internet, not a VSPN, and so the VSPN software takes no further action. The packet is sent to its destination as a normal packet, via routers.
<LI>If the packet matches a VSPN address, the software knows to take further action. It takes the entire TCP/IP packet - the header as well as the data - and encrypts it with powerful encryption technology. This means that no one who looks at the packet would be able to read any part of it.
<LI>A new IP "envelope" or "wrapper" is put around the encrypted packet. This envelope contains IP information such as destination and source address, so that the encrypted packet can be delivered over the Internet.
To the Internet, it looks like a normal TCP/IP packet, but the encrypted information in the packet cannot be read by anyone.
<LI>The packet is sent to a router, and then sent over the Internet to its VSPN destination. When an encrypted packet inside a normal IP envelope or wrapper is sent over the Internet like this, it is often referred to as "tunneling."
<LI>The packet is delivered to the destination VSPN, where the VSPN server examines the packet. It checks the IP address of the sender. If the address is not in the database of other VSPN intranets, it simply sends the packet along to an intranet router to deliver it. If the address is in the database, it strips off the IP wrapper, and decrypts the original TCP/IP packet. The packet is now in its original form.
<LI>The packet is sent to an intranet router, which delivers it to its final destination. It can be used as any normal TCP/IP packet.
</OL>
<HR>
<CENTER><P><A HREF="ch21.htm"><IMG SRC="PC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="#CONTENTS"><IMG SRC="CC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="contents.htm"><IMG SRC="HB.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><A HREF="ch23.htm"><IMG SRC="NC.GIF" BORDER=0 HEIGHT=88 WIDTH=140></A><HR WIDTH="100%"></P></CENTER></BODY></HTML>
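
The numbered steps of the chapter, as an added Python sketch (not code from the book): the sending gateway checks the destination against its VSPN database, encrypts the whole inner packet and wraps it in a new IP header, and the receiving gateway unwraps it. The `Gateway` class, the addresses, protocol number 253 and the SHAKE-256/HMAC stand-in cipher are assumptions made for illustration; a real gateway would use a vetted AEAD cipher.

```python
import hashlib, hmac, ipaddress, os, struct

TUNNEL_PROTO = 253  # IP protocol number reserved for experiments (RFC 3692); assumed here

def ipv4_header(src, dst, payload_len, proto):  # minimal 20-byte header, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def _xor(key, nonce, data):
    # Stand-in cipher (SHAKE-256 keystream), not a vetted construction.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, body):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), body, hashlib.sha256).digest()

class Gateway:
    def __init__(self, addr, peers):
        self.addr = addr    # public address of this VSPN server
        self.peers = peers  # VSPN database: {remote prefix: (remote gateway, shared key)}

    def send(self, packet):
        """Steps 2-5: pass Internet traffic through, tunnel traffic for a VSPN prefix."""
        dst = ipaddress.ip_address(packet[16:20])
        for prefix, (gw, key) in self.peers.items():
            if dst in ipaddress.ip_network(prefix):
                nonce = os.urandom(12)
                body = nonce + _xor(key, nonce, packet)  # inner header and data both hidden
                body += _tag(key, body)
                return ipv4_header(self.addr, gw, len(body), TUNNEL_PROTO) + body
        return packet  # no match: ordinary Internet packet, left untouched

    def receive(self, packet):
        """Steps 6-7: unwrap packets from a known peer gateway, pass others through."""
        src = str(ipaddress.ip_address(packet[12:16]))
        key = next((k for gw, k in self.peers.values() if gw == src), None)
        if key is None:
            return packet
        body, tag = packet[20:-32], packet[-32:]
        # The source address alone can be forged, so the tag must verify before decrypting.
        if not hmac.compare_digest(tag, _tag(key, body)):
            raise ValueError("tunnel packet failed authentication")
        return _xor(key, body[:12], body[12:])

if __name__ == "__main__":
    key = os.urandom(32)  # constructed shared key; all addresses below are constructed
    a = Gateway("198.51.100.10", {"10.2.0.0/16": ("203.0.113.20", key)})
    b = Gateway("203.0.113.20", {"10.1.0.0/16": ("198.51.100.10", key)})
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 5, 6) + b"hello"
    print(b.receive(a.send(inner)) == inner)
```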