Windows 7 includes support for advanced network features, which
include IPSec and VPN. These protocols have existed for some time, but
they are more readily available and usable in Windows 7 than they were in
earlier releases of Windows. I’ll also take a brief look at the Open
Systems Interconnection (OSI) model.

14.4.1. Introducing VPN
If you are a traveler and you work in a corporate
environment, you have probably used a VPN connection to connect to your
corporate network on the road, in order to check your email, or possibly
to update sales orders and the like. VPN makes connecting to remote
networks secure and easy.
VPN allows remote users to connect to a network confidentially
over a public network. VPN uses standard protocols (TCP/IP, SSL) to
traverse the public network, making it very easy to use. VPN consists of
two types: Secure VPN and Trusted VPN. Each type uses different
processes to gain connectivity to a remote network.
Secure VPN uses cryptographic tunneling protocols to gain private access to the remote
network. Secure VPN can use IPSec to encrypt the data traversing the VPN
connection. Secure VPN also supports SSL to encrypt the data,
essentially creating a web proxy, not really a VPN connection.
Point-to-Point Tunneling Protocol (PPTP), the original VPN
protocol, has aged and does not secure data as well as Layer 2 Tunneling Protocol (L2TP). In addition, Layer 2
Tunneling Protocol version 3 (L2TPv3) also works in Windows 7.
Trusted VPN does not use a cryptographic set to allow tunneling.
Instead, it uses the provider’s network to encrypt data. Usually,
Multi-Protocol Label Switching (MPLS) makes up the trusted
VPN tunnel, but this type of VPN also supports use of the Layer 2
Forwarding (L2F) protocol.
Most networks supporting VPN give you access to a VPN client,
which you install. If you use Routing and Remote Access Service (RRAS) on your network,
you can use the Connect to a Workplace option in the “Set up a new
connection or network” window. You have the choice of dialing directly
to your workplace or using your Internet connection. Dialing directly
requires a phone line and does not use the Internet. Of course, the
other choice requires you to have a connection to the Internet. Click
your desired option and enter the name of the server, or IP address.
Give the destination a meaningful name; select the security properties,
which consist of Smart Cards, Sharing, and Just Set Up; and then click
the Next button. Enter your username, password, and optional domain
information and then click the Create button. To connect, click the
Connect Now button and you should connect to the VPN server.
14.4.2. Introducing IPSec
IPSec offers the ability to encrypt network transmissions
at the adapter level. IPSec differs from Secure Sockets Layer (SSL) in
terms of the OSI layer it encrypts. SSL typically encrypts at the
application/protocol layer (OSI layer 7), and IPSec encrypts data at the
transport layer (OSI layers 4–7). Because SSL works only at the
application protocol layer, if you transmit data over any other port or
use any application other than the one bound to the SSL protocol, that
data is not encrypted (for example, when you use an HTTPS URL to connect
to your bank’s website, only that web session is protected by SSL).
IPSec, however, encrypts all of the data transmitted from the network
adapter at the transport layer.
IPSec includes two encryption modes: transport and tunnel. Most implementations use
tunnel mode, which encapsulates the entire packet. This leaves the
outer routing information readable by other hosts while the inner
header and the rest of the data stay encrypted. This
makes it possible to use Network Address Translation (NAT), which lets
you use a single device to allow traffic into and out of the network
using private IP addressing—something your broadband router does for you
automatically.
Transport mode usually serves one-to-one
communication among computers on the same network. Transport mode encrypts
the data, not the header, and creates a hash of the packet. Using
transport mode does not allow you to use NAT, which makes external
communications difficult. The reason lies in the method: transport mode
hashes the packet including its header; when NAT then rewrites
part of the header, the header value no longer matches the rest of the
packet, rendering the packet invalid.
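An added example (not from the original text) that models the NAT problem just described with a simplified header and a keyed hash standing in for the IPSec integrity check: in transport mode the hash covers the header that NAT rewrites, in tunnel mode it covers only the wrapped inner packet. Addresses, key and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real security association would negotiate this.
KEY = b"constructed-demo-integrity-key"
HDR_FMT = "!4s4sBH"  # src, dst, protocol, length: a simplified IPv4-style header

def ip_header(src, dst, proto, length):
    return struct.pack(HDR_FMT, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, proto, length)

def icv(data):
    # Integrity check value: keyed hash over the protected bytes.
    return hmac.new(KEY, data, hashlib.sha256).digest()

def transport_mode(src, dst, payload):
    # Transport: the original header stays outside and is covered by the hash.
    hdr = ip_header(src, dst, 6, len(payload))
    return hdr, icv(hdr + payload), payload

def tunnel_mode(inner_src, inner_dst, gw_src, gw_dst, payload):
    # Tunnel: the whole original packet is wrapped and hashed; a fresh outer
    # header with routable gateway addresses is added and left uncovered.
    inner = ip_header(inner_src, inner_dst, 6, len(payload)) + payload
    return ip_header(gw_src, gw_dst, 50, len(inner)), icv(inner), inner

def nat_rewrite(hdr, new_src):
    # NAT replaces the source address in the outermost header it sees.
    _, dst, proto, length = struct.unpack(HDR_FMT, hdr)
    return struct.pack(HDR_FMT, ipaddress.IPv4Address(new_src).packed, dst, proto, length)

def verify_transport(hdr, tag, payload):
    return hmac.compare_digest(icv(hdr + payload), tag)

def verify_tunnel(tag, inner):
    return hmac.compare_digest(icv(inner), tag)

def nat_survival():
    # Returns (transport_ok, tunnel_ok) after a NAT device rewrites the source address.
    payload = b"constructed payload"
    hdr, tag, body = transport_mode("192.168.1.10", "203.0.113.5", payload)
    transport_ok = verify_transport(nat_rewrite(hdr, "198.51.100.1"), tag, body)
    outer, tag, inner = tunnel_mode("192.168.1.10", "10.0.0.7",
                                    "192.168.1.1", "203.0.113.5", payload)
    outer = nat_rewrite(outer, "198.51.100.1")  # only the uncovered outer header changes
    return transport_ok, verify_tunnel(tag, inner)
```

`nat_survival()` returns `(False, True)`: the transport-mode packet fails its check after NAT, while the tunnelled inner packet still verifies.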
You may ask yourself, “How does it encrypt the data?” That is a
very good question. First, the adapters create a trusted relationship by
importing a digital certificate into each network adapter. When the
adapter connects to the network, possibly via a VPN tunneling server or
Active Directory domain controller, it verifies the digital certificate,
trades private and public keys that are associated with the certificate,
and verifies the MAC address of the network adapter. The adapter creates
a hash value for each packet transmitted to the adapter, including a
timestamp, alleviating replay attacks against the adapter.
14.4.3. Understanding the OSI Model
The Open Systems Interconnection (OSI) model defines the
ways protocols operate by breaking the different aspects of protocols
into layers. The OSI model uses seven layers with different purposes to
define how protocols function. Each layer may use the functionality of
the first layer below it and export functionality to the next layer
above it. See Table 14-10 for a detailed
listing of the OSI model’s layers.
Table 14-10. OSI layer reference

| Layer level | Layer name   |
|-------------|--------------|
| Layer 1     | Physical     |
| Layer 2     | Data Link    |
| Layer 3     | Network      |
| Layer 4     | Transport    |
| Layer 5     | Session      |
| Layer 6     | Presentation |
| Layer 7     | Application  |
OSI layer 1 covers all of the physical connectivity specifications
of devices. This includes any electrical voltage, pin-outs, connectors,
cables, and hubs. Layer 1 defines all network adapters, network devices
that do not work in layer 2, and host bus adapters used in storage area
networks (SANs). The main purpose of layer 1 includes establishing a
connection or disconnection from a network medium. Layer 1 also covers
modulation and flow control over the network medium.
OSI layer 2 controls the means of transferring data among
network entities, along with the control mechanisms for that
transfer. Bridges and switches both work
within layer 2. Although there are layer 3 switches, they work on layer
2 without the use of a router.
OSI layer 3 controls the functional means of transferring data
among network entities. Layer 3 handles variable-length data sequences to
and from destinations among networks. It also handles QoS for the
transport layer. Routing also occurs at layer 3 (in fact, routing is the
most common use of layer 3).
OSI layer 4 controls the transfer of data among users, and
provides reliable data transfer to the layers above itself. Layer 4
controls flow as well as errors. This layer controls the retransmission of
packets lost in transport among users. TCP uses this layer as the
control portion of the protocol. Layer 4 also converts data into the
User Datagram Protocol (UDP) and Stream Control Transmission Protocol (SCTP)
formats.
OSI layer 5 controls the networked communications between
computers. This includes managing and terminating connections among
machines. Layer 5 controls duplex modes on network traffic, which
includes full- and half-duplex operations. TCP uses layer 5 to control
the flow of data and to terminate connections.
OSI layer 6 provides a standard interface to transform data into
the correct format for the application layer. Standard uses of layer 6
include data encryption, compression, and specific types of encoding,
including MIME encoding. Layer 6 also allows for the transformation
into and out of the XML format.
OSI layer 7 controls the means a user needs to access network
resources through an application. Programs that use layer 7 include
SMTP, HTTP, FTP, Telnet, IPSec, IM, and other applications.
Each layer of the OSI model handles different portions of the
networking process and helps to define the process of finding errors, or
just understanding how the complex process of networking actually works.
Armed with the information from the OSI model, we can begin to truly
understand, create, and even fix networks as well as the protocols used
to transmit data across networks.