Introduction and Planning Guide


Secure Virtual Private Networks (VPNs)

The IBM 2212 facilitates e-commerce by supporting virtual private networks (VPNs) for extending secure extranets to business partners, customers, and suppliers and allowing employees secure dial-in network access. Designed to protect confidential transactions over the public Internet backbone, VPNs can also provide significant cost savings.

Figure 1-3. Use the 2212 Access Utility to Build Virtual Private Networks

The IBM 2212 provides cryptographic data protection with an emerging, comprehensive Internet security framework, using the IPSec protocol developed by the Internet Engineering Task Force (IETF). IPSec provides complete end-to-end network layer security to protect your data all the way to the target server. IPSec provides three layers of protection:

Authentication
To verify the identity of the host or end point.

Integrity checking
To ensure that data packets are not modified en route across the network.

Encryption
To conceal data as it travels across the network.
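The integrity and encryption protections listed above can be seen in a small ESP-style tunnel. The following Go program is an added illustration, not IBM code and not the 2212's implementation: it encapsulates a constructed inner packet under an 8-byte SPI and sequence-number header, protects header and payload with AES-GCM (the tag covers the header as additional data), and on receipt rejects packets whose tag fails (tampering or wrong key) and packets whose sequence number was already accepted (replay). The key, SPI and inner packet are constructed sample values; the header layout and anti-replay set are simplifications of RFC 4303.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// hdrLen is the size of the simplified ESP-style header: 4-byte SPI followed
// by a 4-byte sequence number. Both travel in the clear but are authenticated.
const hdrLen = 8

// tunnelSA is a simplified security association: the SPI that names it, the
// AEAD keyed from the shared key, and per-direction sequence state.
type tunnelSA struct {
	spi     uint32
	aead    cipher.AEAD
	nextSeq uint32          // sender side: next sequence number to emit
	seen    map[uint32]bool // receiver side: sequence numbers already accepted
}

func newTunnelSA(spi uint32, key []byte) (*tunnelSA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &tunnelSA{spi: spi, aead: aead, nextSeq: 1, seen: map[uint32]bool{}}, nil
}

// protect encapsulates an inner packet. Encryption supplies confidentiality;
// the GCM tag supplies integrity over header and payload. The nonce is the
// header (SPI || seq) zero-padded to 12 bytes, so it never repeats within an SA.
func (sa *tunnelSA) protect(inner []byte) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:8], sa.nextSeq)
	sa.nextSeq++
	nonce := make([]byte, sa.aead.NonceSize())
	copy(nonce, hdr)
	out := append([]byte(nil), hdr...)
	return sa.aead.Seal(out, nonce, inner, hdr)
}

// unprotect verifies the tag before releasing any plaintext and refuses a
// sequence number it has already accepted. The number is recorded only after
// the tag verifies, so forged packets cannot poison the replay state.
func (sa *tunnelSA) unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+sa.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[0:4]) != sa.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:8])
	if sa.seen[seq] {
		return nil, errors.New("replayed sequence number")
	}
	nonce := make([]byte, sa.aead.NonceSize())
	copy(nonce, hdr)
	inner, err := sa.aead.Open(nil, nonce, pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("integrity check failed") // modified in transit or wrong key
	}
	sa.seen[seq] = true
	return inner, nil
}

// tunnelDemo runs the three cases a defender cares about: a clean packet is
// accepted, a packet modified in transit is rejected, a replayed packet is rejected.
func tunnelDemo() (clean, tamperRejected, replayRejected bool) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte sample key
	sender, err := newTunnelSA(0x1001, key)
	if err != nil {
		return
	}
	receiver, err := newTunnelSA(0x1001, key)
	if err != nil {
		return
	}
	inner := []byte("constructed inner packet: inventory query") // constructed payload

	pkt1 := sender.protect(inner)
	got, err := receiver.unprotect(pkt1)
	clean = err == nil && string(got) == string(inner)

	pkt2 := sender.protect(inner)
	pkt2[hdrLen] ^= 0x01 // flip one ciphertext bit, as a corrupting or tampering path would
	_, err = receiver.unprotect(pkt2)
	tamperRejected = err != nil

	_, err = receiver.unprotect(pkt1) // the same valid packet delivered a second time
	replayRejected = err != nil
	return
}

func main() {
	clean, tamper, replay := tunnelDemo()
	fmt.Printf("clean accepted=%v tamper rejected=%v replay rejected=%v\n", clean, tamper, replay)
}
```

The point the example makes beyond the list is that encryption alone would not have caught the flipped bit; it is the authenticated tag over header and payload, checked before decryption releases any data, that delivers the integrity protection.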

Virtual private networks build "tunnels" that enable secure communication links across TCP/IP networks. With IBM VPN technologies, you can securely integrate the public Internet backbone into your enterprise data communications network to allow suppliers, associates, and clients access to the information they need. Business partners may access VPNs for inventory or product information. Branch offices may access them for corporate data. And remote users may dial in for sales information. Rather than rely on costly leased lines to support these scenarios, VPN technologies enable enterprises to rely on the Internet.

VPNs are part of IBM's overall strategy for ensuring data security. While many VPN solutions today consist only of firewalls, IBM's solutions encompass multi-platform VPN-enabled clients and servers, routers, management functions, ISP services, and consulting services (for more information, see Planning for Virtual Private Networks).

Internet Key Exchange Function

The Internet Key Exchange (IKE) function ensures that your VPN policy can be conveniently and accurately implemented throughout the extended network with little manual configuration. An IPSec protocol, IKE allows you to automatically set up security associations and manage cryptographic keys. IKE defines a standardized framework to support automated negotiation of security associations, initial generation of all cryptographic keys, and subsequent refresh of these keys. Two methods of identity authentication are supported: digital certificates, which bind a public key to an identity, and pre-shared keys, which are manually configured. A public key infrastructure (PKI) based digital certificate provides a scalable solution for VPN security deployment. Only manual certificate registration with a Certificate Authority (CA) is supported.
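The pre-shared-key method of authentication and the automatic key generation and refresh described above can be illustrated with a reduced key exchange. The Go program below is an added example, not IBM's IKE implementation and not the IKE wire format: two in-memory peers each send an identity, an ephemeral X25519 public value and a nonce; each derives keying material from the Diffie-Hellman secret, the pre-shared key and both nonces; and each proves possession of the pre-shared key with an HMAC over its own hello. A peer holding the wrong pre-shared key fails authentication, and a second negotiation yields a different key because the ephemeral values are fresh. Identities, the pre-shared key and the bytewise nonce ordering are constructed simplifications.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// peer holds one side's identity, its copy of the pre-shared key, and the
// ephemeral X25519 key and nonce it generates for one negotiation.
type peer struct {
	id    string
	psk   []byte
	priv  *ecdh.PrivateKey
	nonce []byte
}

// hello is the analogue of the first IKE exchange: identity, ephemeral public
// value and nonce, all sent in the clear.
type hello struct {
	id    string
	pub   []byte
	nonce []byte
}

func newPeer(id string, psk []byte) (*peer, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &peer{id: id, psk: psk, priv: priv, nonce: nonce}, nil
}

func (p *peer) hello() hello {
	return hello{id: p.id, pub: p.priv.PublicKey().Bytes(), nonce: p.nonce}
}

// prf is HMAC-SHA256 over the concatenated parts, standing in for the negotiated IKE PRF.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, part := range parts {
		m.Write(part)
	}
	return m.Sum(nil)
}

// deriveKeys mixes the Diffie-Hellman secret with the PSK and both nonces.
// Nonces are ordered bytewise so both sides compute identical values; real IKE
// orders them by initiator and responder role instead.
func (p *peer) deriveKeys(remote hello) (sessionKey, authKey []byte, err error) {
	remotePub, err := ecdh.X25519().NewPublicKey(remote.pub)
	if err != nil {
		return nil, nil, err
	}
	shared, err := p.priv.ECDH(remotePub)
	if err != nil {
		return nil, nil, err
	}
	n1, n2 := p.nonce, remote.nonce
	if bytes.Compare(n1, n2) > 0 {
		n1, n2 = n2, n1
	}
	skeyseed := prf(p.psk, n1, n2)            // differs unless both hold the same PSK
	material := prf(skeyseed, shared, n1, n2) // fresh every negotiation through the DH secret
	return prf(material, []byte("ipsec")), prf(material, []byte("auth")), nil
}

// authTag binds proof of the PSK to the sender's own hello, so a hello cannot
// be relayed by a party that does not know the PSK.
func authTag(authKey []byte, h hello) []byte {
	return prf(authKey, []byte(h.id), h.pub, h.nonce)
}

type result struct {
	authenticated bool
	keyA, keyB    []byte
}

// exchange runs one negotiation between two in-memory peers: both hellos cross,
// both tags cross, each side verifies the other's tag with its own derived key.
func exchange(a, b *peer) (result, error) {
	ha, hb := a.hello(), b.hello()
	keyA, authA, err := a.deriveKeys(hb)
	if err != nil {
		return result{}, err
	}
	keyB, authB, err := b.deriveKeys(ha)
	if err != nil {
		return result{}, err
	}
	tagFromA, tagFromB := authTag(authA, ha), authTag(authB, hb)
	ok := hmac.Equal(authTag(authB, ha), tagFromA) && hmac.Equal(authTag(authA, hb), tagFromB)
	return result{authenticated: ok, keyA: keyA, keyB: keyB}, nil
}

// exchangeDemo covers the cases raised in the text: matching PSKs authenticate
// and agree on a key, a wrong PSK is rejected, and a refresh yields a new key.
func exchangeDemo() (goodAuth, keysAgree, wrongPSKRejected, refreshFresh bool) {
	psk := []byte("constructed-pre-shared-key") // constructed sample PSK
	a, _ := newPeer("branch-office", psk)
	b, _ := newPeer("hq-gateway", psk)
	r1, _ := exchange(a, b)
	goodAuth, keysAgree = r1.authenticated, bytes.Equal(r1.keyA, r1.keyB)

	c, _ := newPeer("misconfigured-peer", []byte("some-other-key"))
	r2, _ := exchange(c, b)
	wrongPSKRejected = !r2.authenticated

	a2, _ := newPeer("branch-office", psk)
	b2, _ := newPeer("hq-gateway", psk)
	r3, _ := exchange(a2, b2)
	refreshFresh = !bytes.Equal(r1.keyA, r3.keyA)
	return
}

func main() {
	good, agree, wrong, fresh := exchangeDemo()
	fmt.Printf("authenticated=%v keysAgree=%v wrongPSKRejected=%v refreshFresh=%v\n", good, agree, wrong, fresh)
}
```

Note that the pre-shared key never crosses the wire: it only keys the PRF, so a wrong key shows up as a failed tag check rather than as leaked material, and the session key still depends on the ephemeral Diffie-Hellman secret, which is what makes the refresh produce fresh keys.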

Accessing Virtual Private Networks

The 2212 Access Utility supports remote access virtual private dial-up networks (VPDNs) via Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), or Point-to-Point Tunneling Protocol (PPTP).

L2TP, an IETF standards-track protocol, is often used for dial-up, Point-to-Point Protocol (PPP) remote-access traffic. When used with the IPSec protocol, L2TP provides cryptographically strong remote access control in multiprotocol networks. L2F, similar to L2TP and PPTP, carries privately addressed IP, IPX, and AppleTalk dial-up traffic via PPP across the Internet. The IBM 2212 supports both the Network Access Server and L2F Gateway roles, and both network models: voluntary and compulsory tunneling. Because DIALs clients are supported, L2F does not need to be installed on the client. PPTP uses TCP for exchanging tunnel setup messages and enhanced GRE (Generic Routing Encapsulation) for PPP tunnel transport. The IBM 2212 supports both network models: voluntary tunneling, which is client initiated, and compulsory tunneling, which is Network Access Server initiated. Incoming calls, but not outgoing calls, are supported. DIALs clients cannot use PPTP. Supported PPTP clients include Microsoft Windows 95 (DUN 1.2 and higher), Windows 98, and Windows NT.

The IBM 2212 supports virtual private networks not only from IP desktops to SNA hosts, but also across all-SNA networks. Data Link Switching transports SNA host and desktop traffic over IP networks. IBM's exclusive Enterprise Extender technology capitalizes on desirable SNA services such as traffic priority and reliable delivery, but over an IP network. By combining IPSec with these technologies, you can safeguard all of your e-business transactions.

The IBM 2212 supports VPN technology over IP version 4 (IPv4) and IP version 6 (IPv6).

Hardware Features

Hardware features increase connectivity and improve performance to deliver VPN solutions:


[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]