FVL328 Cable/DSL ProSafe High-Speed VPN Firewall – NETGEAR FVL328 User Manual

FVL328 Cable/DSL ProSafe High-Speed VPN Firewall


addition, AH does not protect the data’s confidentiality. If data is intercepted and only AH is used, the
message contents can be read. ESP protects data confidentiality. For added protection in certain cases, AH
and ESP can be used together. In the following table, IP HDR represents the IP header and includes both
source and destination IP addresses.

14. What is Encapsulating Security Payload (ESP)?

ESP provides confidentiality and, optionally, authentication and integrity. The integrity check protects
against data tampering; the encryption, which is the main purpose of ESP, protects the message content.

IPSec provides an open framework for implementing industry standard algorithms. For authentication these
are keyed hash functions (HMAC) built on SHA-1 or MD5. A keyed hash produces an integrity check value (ICV)
for each packet, a data equivalent of a fingerprint, that cannot be recomputed without the shared
authentication key. This fingerprint allows the receiving device to determine whether a packet has been
tampered with in transit. Packets that fail the check are discarded and never delivered to the intended
receiver.

ESP also provides all encryption services in IPSec (AH provides none). Encryption translates a readable
message into an unreadable format to hide the message content. The opposite process, called decryption,
translates the content back into a readable message. Only the sender and the authorized receiver hold the
key, so only they can read the data. In addition, ESP has an option to perform authentication, called ESP
authentication. Using ESP authentication, ESP provides authentication and integrity for the ESP header and
the encrypted payload, but not for the outer IP header.

The ESP header (the SPI and sequence number) is inserted into the packet between the IP header and any
subsequent packet contents, and an ESP trailer (padding, pad length and next-header fields) is appended
after them. Because ESP encrypts the original payload together with the trailer, the payload is changed.
ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication data (the ICV), which is
appended after the encrypted portion.
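The layout just described, worked through in Python as an added example (this is not NETGEAR code and not
how the FVL328 implements ESP internally). To keep it standard-library only, an HMAC-SHA256 keystream stands
in for the 3DES/AES-CBC cipher a real SA would use; the authentication is HMAC-SHA1 truncated to 96 bits,
which is how ESP carries it. Keys, SPI and payload are constructed values.

```python
"""ESP packet layout (RFC 2406 style): SPI, sequence number, IV, encrypted
payload + trailer, then the unencrypted ICV.  Added example, not NETGEAR code."""
import hashlib
import hmac
import os
import struct

ICV_LEN = 12   # HMAC-SHA1-96: ESP authentication data is 12 bytes
IV_LEN = 16
ALIGN = 4      # ESP requires payload + padding + trailer to end on a 4-byte boundary


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC(key, iv || counter) blocks, XORed with data.
    A real ESP SA would use 3DES-CBC or AES-CBC here instead."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header,
                    iv=None, authenticate=True):
    """Return the ESP packet that would follow the outer IP header."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # Trailer = padding, pad length, next header; pad so the encrypted region
    # is 4-byte aligned (a block cipher would need its block size instead).
    pad_len = (-(len(payload) + 2)) % ALIGN
    padding = bytes(range(1, pad_len + 1))          # RFC default padding: 1, 2, 3, ...
    trailer = bytes([pad_len, next_header])
    ciphertext = xor(payload + padding + trailer,
                     keystream(enc_key, iv, len(payload) + pad_len + 2))
    header = struct.pack(">II", spi, seq)           # ESP header: sent in the clear
    packet = header + iv + ciphertext
    if authenticate:
        # ESP authentication covers header, IV and ciphertext, but not the outer
        # IP header (covering that is what AH adds).  The ICV is not encrypted.
        packet += hmac.new(auth_key, packet, hashlib.sha1).digest()[:ICV_LEN]
    return packet


def esp_decapsulate(enc_key, auth_key, packet, authenticated=True):
    """Verify the ICV (if the SA uses ESP authentication), decrypt, strip the
    trailer.  Returns (spi, seq, next_header, payload); ValueError on a bad ICV."""
    body = packet
    if authenticated:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP authentication failed: packet discarded")
    spi, seq = struct.unpack(">II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


def tamper_detected(enc_key, auth_key, packet, index, authenticated=True):
    """Flip one bit of the packet at `index` and report whether the receiver
    rejects it.  Without ESP authentication the flip is not noticed and the
    decrypted payload silently changes instead."""
    damaged = bytearray(packet)
    damaged[index] ^= 0x20
    try:
        esp_decapsulate(enc_key, auth_key, bytes(damaged), authenticated)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    ek, ak = os.urandom(32), os.urandom(20)                 # per-SA keys (constructed)
    pkt = esp_encapsulate(ek, ak, 0x1001, 1, b"hello", 6)   # next header 6 = TCP
    print("SPI and sequence readable on the wire:", struct.unpack(">II", pkt[:8]))
    print("payload recovered:", esp_decapsulate(ek, ak, pkt)[3])
    print("bit flip in ciphertext rejected:", tamper_detected(ek, ak, pkt, 30))
```

Running it shows the two points the text makes: the SPI and sequence number are readable by anyone on the
path, and with ESP authentication enabled any change to the header, the ciphertext or the ICV itself is
rejected. With `authenticate=False` the same bit flip goes through and simply corrupts the decrypted
payload, which is why the authentication option should be enabled on every ESP SA.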

15. What is a Security Association?

A group of security settings related to a specific VPN tunnel. A Security Association (SA) groups together
all the settings needed to protect traffic in one direction of a VPN tunnel, so a two-way tunnel uses a pair
of SAs, each identified by its SPI. Different SAs may be created to connect branch offices, allow secure
remote management, and tunnel traffic the firewall would otherwise not pass. All SAs require a specified
encryption method, an IPSec gateway address and a destination network address.

16. What is PKI?

Public Key Infrastructure (PKI) is a method by which VPN peers are authenticated using digital certificates
issued and vouched for by certificate authorities.

17. What is a Certificate Authority (CA)?

A Certificate Authority is an organization that issues certificates and provides a mechanism for verifying
their authenticity. Certificate authentication is a method whereby the device holds a pre-assigned
certificate (any X.509-based certificate, such as one from Entrust®, VeriSign®, Baltimore, etc.) that the
IPSec key exchange (IKE) uses to prove the identity of each VPN device to the other before the session keys
are agreed. It is generally recognized as a more secure method of authentication than a pre-shared key.

18. What is PPTP?

Point-to-Point Tunneling Protocol (PPTP) builds on the functionality of the Point-to-Point Protocol (PPP) to
provide remote access that can be tunneled through the Internet to a destination site or computer. PPTP
encapsulates PPP packets using the Generic Routing Encapsulation (GRE) protocol, which gives PPTP the
flexibility of handling protocols other than IP. The FVL328 supports pass-through mode for PPTP, but does
not support end-point mode: it forwards the PPTP control connection (TCP port 1723) and the GRE data
packets (IP protocol 47) between a client and a PPTP server on the other side, but does not terminate the
tunnel itself.
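What a PPTP data packet looks like once PPP is wrapped in GRE, as an added example (not NETGEAR code, and
not an implementation from the FVL328). It builds and parses the enhanced GRE header of RFC 2637, which is
what a firewall in pass-through mode must let through as IP protocol 47. The PPP frame and call ID are
constructed values.

```python
"""PPTP data channel: RFC 2637 enhanced GRE header around a PPP frame.
Added example, not NETGEAR code."""
import struct

GRE_PROTO_PPP = 0x880B     # protocol type that marks a PPTP-carried PPP frame
FLAG_K = 0x2000            # key (call ID) present: always set for PPTP
FLAG_S = 0x1000            # sequence number present
FLAG_A = 0x0080            # acknowledgment number present
VERSION_MASK = 0x0007      # enhanced GRE is version 1
IP_PROTO_GRE = 47          # what pass-through must forward, with TCP port 1723
PPTP_CONTROL_PORT = 1723


def build_pptp_gre(call_id: int, ppp: bytes, seq=None, ack=None) -> bytes:
    """Wrap a PPP frame in a PPTP enhanced-GRE header (outer IP header omitted)."""
    flags = FLAG_K | 1                      # K bit plus version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    header = struct.pack(">HHHH", flags, GRE_PROTO_PPP, len(ppp), call_id)
    if seq is not None:
        header += struct.pack(">I", seq)
    if ack is not None:
        header += struct.pack(">I", ack)
    return header + ppp


def _u32(data: bytes, offset: int) -> int:
    if len(data) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack(">I", data[offset:offset + 4])[0]


def parse_pptp_gre(data: bytes) -> dict:
    """Parse a PPTP enhanced-GRE packet; ValueError for plain GRE or junk."""
    if len(data) < 8:
        raise ValueError("too short for a GRE header")
    flags, proto, length, call_id = struct.unpack(">HHHH", data[:8])
    if (flags & VERSION_MASK) != 1 or proto != GRE_PROTO_PPP or not (flags & FLAG_K):
        raise ValueError("not a PPTP enhanced GRE packet")
    offset = 8
    seq = ack = None
    if flags & FLAG_S:
        seq = _u32(data, offset)
        offset += 4
    if flags & FLAG_A:
        ack = _u32(data, offset)
        offset += 4
    ppp = data[offset:offset + length]
    if len(ppp) != length:
        raise ValueError("truncated PPP payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": ppp}


if __name__ == "__main__":
    # Constructed PPP frame: PPP protocol 0x0021 (IP) followed by a few dummy bytes.
    frame = b"\x00\x21" + b"\x45\x00\x00\x14"
    packet = build_pptp_gre(call_id=0x1234, ppp=frame, seq=7)
    print(packet.hex())
    print(parse_pptp_gre(packet))
```

The PPP frame sits in the GRE payload unchanged, so a firewall forwarding in pass-through mode only needs to
recognise the GRE header and the control connection; it never has to understand PPP itself.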
