Либертариум Либертариум
==========================================================

Здравствуйте, Максим!

Что сказать - ну влип я с предыдущим моим ответом, трудно ведь писать ответ на реплику, где меня обвиняют в запугивании народа (читай - враг народа) и используют словечки типа БЕЗУСЛОВНО, когда в нашем деле все очень даже условно:

1. "КОГДА ... РС1 отправляет Email ... ИСПОЛЬЗУЯ СРЕДСТВА ПРОВАЙДЕРОВ....". Я же вроде ясно конкретизирую событие, а Провайдеры, как правило, предлагают стандартизированные средства для своей МНОГОЧИСЛЕННОЙ клиентуры. Так что, батенька, у меня то преувеличения - НЕМА. И когда посылается сообщение (а речь идет у меня опять же о конкретном типе сообщения - Email) в некий хост smv14.iname.net (и стало быть - по адресу [email protected]), то некий хост - это уже не некий, а конкретно - почтовый сервер smv14 вполне зарегистрированного на Интернете и нормального 4-х уровнего Провайдера...

2. Избыточность - а в дешифрации вроде бы речь может идти только об одной "чего избыточности", а именно - избыточности текста, например, если только двоим известно что означает отправленное-полученное одно единственное слово "огурец", то его и не надо шифровать, шпарь врукопашную...

3. А насчет PPTP, RC4 и молодости спецслужб - так ведь у меня совсем про другое, а именно про то, что спецслужбам придется перекачивать из PPTP-трубы ВЕСЬ IP траффик,криптованный крепко и не, а это немного хлопотнее чем выявлять по Email-ящикам пользователей RC4 и посылать к ним участкового лейтенанта для выяснения личности. А насчет молодцов из спецслужб - то очень интересно про них написано в "Cyberspace: Pandora's Mailbox, RC4 a secret no longer" (www.lbbs.org/zmag/articles/chen.htm).

4. А вот приписывать мне то, что я не говорил - это просто нехорошо. Ну нет у меня такого - "как должно быть в Internet в ближайшие 5-10 лет". А что у меня есть- это просто что можно делать ЧЕРЕЗ ИНТЕРНЕТ как через shared media. Так что - не трогаю я Интернет, вот уж действительно -хватай мешки, вокзал уходит....

То, что сеть не будет слушать моих советов - это меня не огорчает, во-первых, их у меня нет и не было (я тут как спецслужбы - тоже молодой...), во-вторых, она, сеть, вообще давно, с ARPы, ничьих советов не слушает. А вот послушать что думают спецы Cisco Systems о технологиях VPN прежде чем делиться (хорошо - если только со мной...) своим мнением об ограничености VPN - это, безусловно (я - хороший ученик?), и вправду стоит сделать:

Reference Guide

A Primer for Implementing a Cisco Virtual Private
Network (VPN)

Executive Summary

The proliferation of the networked economy has spawned fundamental changes in how corporations conduct business.
Corporate staff is no longer defined by where they do their jobs as much as how well they perform their job functions.
Competitive pressures in many industries have spawned alliances and partnerships among enterprises, requiring separate
corporations to act and function as one when facing customers. While such developments have increased productivity and
profitability for many corporations, they have also created new demands on the corporate network. A network focused
solely on connecting fixed corporate sites is no longer feasible for many companies. Remote users, such as telecommuters or
road warriors, and external business partners now require access to enterprise computing resources. The classic wide-area
network must be extended to accommodate these users. Consequently, many enterprises are considering virtual private
networks (VPNs) to complement their existing classic WAN infrastructures.

According to the Gartner Group, a networking research and consulting firm, by 2003 nearly 100 percent of enterprises will
supplement their WAN infrastructures with VPNs. From a network architecture perspective, the motivation for this is
manifest---a VPN can better meet today's diverse connectivity needs. The advantages of a VPN, however, are also visible at
the bottom line. VPNs are less expensive to operate than private networks from a management, bandwidth, and capital
perspective. Consequently, the payback period for VPN equipment is generally measured in months instead of years. Perhaps
the most important benefit of all, however, is that VPNs enable enterprises to focus on their core business objectives instead
of running the corporate network.

Cisco VPN solutions encompass all segments of the networking infrastructure---platforms, security, network services,
network appliances, and management---thus providing the broadest set of VPN service offerings across many different
network architectures. Cisco's support of existing WAN infrastructures is essential in accommodating hybrid network
architectures, where users will require access to the VPN from leased line, frame relay, as well as IP and Internet VPN
connections. Leveraging existing network gear in these deployment scenarios is paramount. A VPN must extend the classic
WAN and provide a common networking, security, and management environment across the enterprise network. Cisco VPN
solutions enable corporations to deploy VPNs on their existing Cisco networking gear. Cisco's entire line of router platforms
is easily VPN-enabled through Cisco IOS" software enhancements, thus providing corporations a smooth migration path to a
VPN environment. Through Cisco IOS software enhancements, Cisco's installed base of VPN ready ports numbers nearly 10
million today. Cisco also offers integrated VPN platforms designed for specific needs of VPN-centric environments.

Network architecture flexibility and ubiquity make Cisco uniquely positioned as the guide to the new world of VPNs.
Industry-leading Cisco platforms, including routers, WAN switches, access servers, and firewalls---combined with robust
security and management services afforded by Cisco IOS software---are the foundation for deploying the most secure,
scalable, and manageable VPN solutions available. Cisco VPN solutions tightly integrate the many facets of VPNs with
existing Cisco products, ensuring the smooth integration of VPN technology into Cisco enterprise networks. The breadth of
Cisco solutions, such as voice over the enterprise WAN, are fully compatible with Cisco VPN platforms. Furthermore, the
ubiquity of Cisco equipment in service provider IP, Frame Relay, and ATM backbones provides the means for a high degree
of feature integration over the WAN, including common bandwidth management/quality of service (QoS) functions across
service provider and enterprise networks.

What is a VPN?

There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network
architecture. Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same
security, management, and throughput policies applied in a private network. VPNs are an alternative WAN infrastructure that
replace or augment existing private networks that utilize leased-line or enterprise-owned Frame Relay/ATM networks.
VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive
scalability, but instead meet these requirements more cost effectively. A VPN can utilize the most pervasive transport
technologies available today: the public Internet, service provider IP backbones, as well as service provider Frame Relay
and ATM networks. The functionality of a VPN, however, is defined primarily by the equipment deployed at the edge of the
enterprise network and feature integration across the WAN, not by the WAN transport protocol itself.

VPNs are segmented into three categories: remote access, intranets, and extranets. remote access VPNs connect
telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate
computing resources. An intranet VPN connects fixed locations, branch and home offices, within an enterprise WAN. An
extranet extends limited access to enterprise computing resources to business partners, such as suppliers or customers,
enabling access to shared information. Each type of VPN has different security and bandwidth management issues to
consider.

Why Enterprises Consider VPNs

VPNs offer many advantages over traditional, leased-line networks. Some of the primary benefits are:

Lower cost than private networks; total cost of ownership is reduced through lower cost transport bandwidth, backbone
equipment, and operations; according to Infonetics, a networking management consulting firm, LAN-to-LAN
connectivity costs are typically reduced by 20 to 40 percent over domestic leased-line networks; cost reduction for
remote access is in the 60 to 80 percent range

Enabling the Internet economy; VPNs are inherently more flexible and scalable network architectures than classic
WANs, thereby enabling enterprises to easily and cost effectively extend connectivity, facilitating connection or
disconnection of remote offices, international locations, telecommuters, roaming mobile users, and external business
partners as business requirements demand

Reduced management burdens compared to owning and operating a private network infrastructure, enterprises may
outsource some or all of their WAN functions to a service provider, enabling enterprises to focus on core business
objectives, instead of managing a WAN or dial-access network

Simplify network topologies, thus reducing management burdens; utilizing an IP backbone eliminates permanent virtual
circuits (PVCs) associated with connection oriented protocols such as Frame Relay and ATM, thereby creating a fully
meshed network topology while actually decreasing network complexity and cost

Components of the VPN

VPN solutions are defined by the breadth of features offered. A VPN platform must be secure from intrusion and tampering,
deliver mission-critical data in a reliable and timely manner, and be manageable across the enterprise. Unless each of these
requirements is addressed, the VPN solution is incomplete.

The essential elements of a VPN can be segmented into five broad categories:

Platform Scalability---Each of these elements must be scalable across VPN platforms ranging from a small office
configuration through the largest enterprise implementations; the ability to adapt the VPN to meet changing bandwidth
and connectivity needs is crucial in a VPN solution.

Security---Tunneling, encryption, packet authentication, user authentication, and access control

VPN Services---Bandwidth management and quality of service (QoS) functions like queuing, network congestion
avoidance, traffic shaping, and packet classification, as well as VPN routing services utilizing EIGRP, OSPF, and BGP

Appliances---Firewalls, intrusion detection, and active security auditing

Management---Enforcing security and bandwidth management policies across the VPN and monitoring the network

These five key components of VPN solutions are delivered by Cisco within the context of open standards, scalability, and
providing end-to-end networking capabilities.

Satisfying these VPN requirements does not necessarily require replacement of an existing wide-area networking
infrastructure. Cisco VPN solutions augment existing WAN infrastructures to meet the enhanced security, reliability, and
management requirements present in a VPN environment. Cisco's existing router portfolio is "VPN-capable," with VPN
features deployable through Cisco IOS software. In some VPN deployments, depending on encryption performance
requirements and WAN topology, the Cisco portfolio of "VPN-optimized" routers may be a better alternative.
VPN-optimized routers offer optional hardware extensibility for enhanced security performance. Implementing VPN
solutions on either portfolio of VPN routers enables robust VPN deployment using existing Cisco networking gear, thus
preserving enterprise investments in networking infrastructures.

Security and Appliances: Protecting the Network

Deploying WANs on a shared network makes security issues paramount. Enterprises need to be assured that their VPNs are
secure from perpetrators observing or tampering with confidential data passing over the network and from unauthorized
users gaining access to network resources and proprietary information. Encryption, authentication, and access control guard
against these security breaches. Key components of VPN security are as follows:

Tunnels and encryption

Packet authentication

Firewalls and intrusion detection

User authentication

These mechanisms complement each other, providing security at different points throughout the network. VPN solutions must
offer each of these security features to be considered a viable solution for utilizing a public network infrastructure.

Tunnels and Encryption

Cisco VPN solutions employ encrypted tunnels to protect data from being intercepted and viewed by unauthorized entities
and to perform multiprotocol encapsulation, if necessary. Tunnels provide logical, point-to-point connections across a
connectionless IP network, enabling application of advanced security features in a connectionless environment. Encryption
is applied to the tunneled connection to scramble data, thus making data legible only to authorized senders and receivers. In
applications where security is less of a concern, tunnels can be employed without encryption to provide multiprotocol
support without privacy.

Cisco VPNs employ IPSec, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), and Generic Routing
Encapsulation (GRE) for tunnel support, as well as the strongest standard encryption technologies available---DES and
3DES. Furthermore, Cisco VPN solutions support major certificate authority vendors, like Verisign, Entrust, and Netscape,
for managing security/encryption administration.

Packet Authentication

While interception and viewing of data on a shared network is the primary security concern for enterprises, data integrity is
also an issue. On an unsecured network, packets can be intercepted by a perpetrator, the contents changed, then forwarded on
to their destination with erroneous information. For example, an order placed to a supplier over an unsecured network could
be modified by a perpetrator, changing the order quantity from 1000 to 100. Packet authentication protects against such
tampering by applying headers to the IP packet to ensure its integrity. Components of IP Security, authentication header (AH)
and Encapsulation Security Protocol (ESP) are employed in conjunction with industry-standard hashing algorithms such as
MD-5 and Secure Hash Algorithm (SHA) to ensure data integrity of packets transmitted over a shared IP backbone.

Firewalls, Intrusion Detection, and Security Auditing

A critical part of an overall security solution is a network firewall, which monitors traffic crossing network perimeters and
imposes restrictions according to security policy. In a VPN application, firewalls protect enterprise networks from
unauthorized access to computing resources and network attacks, such as denial of service. Furthermore, for authorized
traffic, a VPN firewall verifies the source of the traffic and prescribes what access privileges users are permitted. Cisco
VPN solutions provide enterprises flexibility in firewall choices, offering Cisco IOS software-based firewalls resident on
VPN routers, as well as the separate PIX Firewall appliance.

An added element of insurance in perimeter security is intrusion detection. While firewalls permit or deny traffic based on
source, destination, port, and other criteria, they do not actually analyze traffic. Intrusion detection systems, such as Cisco
NetRanger, operate in conjunction with firewalls to extend perimeter security to the packet payload level by analyzing the
content and context of individual packets to determine if the traffic is authorized. If a network's data stream experiences
unauthorized activity, NetRanger automatically applies real-time security policy, such as disconnecting the offending
session, and notifies a network administrator of the incident. The NetRanger products provide automated monitoring and
response of more robust network security while simultaneously reducing personnel costs associated with perimeter
monitoring.

Monitoring traffic and intrusion detection provide strong defense mechanisms against network attacks, but strong security
begins inside the corporate network by ensuring that security vulnerabilities are minimized. Security auditing systems like,
Cisco's NetSonar, scan the corporate network identifying potential security risks. NetSonar maps all active systems on a
network, their operating systems and network services, and their associated potential vulnerabilities. NetSonar also
proactively and safely probes systems using its comprehensive network security database to confirm vulnerabilities, and
provides detailed information about security vulnerabilities enabling network managers to better secure the network from
attacks.

User Authentication

A key component of VPN security is making sure authorized users gain access to enterprise computing resources they need,
while unauthorized users are shut out of the network entirely. Cisco VPN solutions are built around authentication,
authorization, and accounting (AAA) capabilities that provide the foundation to authenticate users, determine access levels,
and archive all the necessary audit and accounting data. Such capabilities are paramount in the dial access and extranet
applications of VPNs. Cisco VPN solutions support Remote Access Dial-In User Service (RADIUS) and Terminal Access
Controller Access Control System (TACACS+) user authentication platforms.

VPN Services: Managing Routing and Throughput

An essential component of VPN solutions is ensuring efficient use of precious WAN bandwidth and reliable throughput of
important data while performing traditional routing services. The bursty nature of network traffic characteristically makes
poor use of network bandwidth by sending too many packets into the network at once or congesting network bottlenecks. The
result is twofold: WAN links are often under utilized, letting expensive bandwidth lie dormant; network congestion during
peak times constrains throughput of delay-sensitive and mission-critical traffic. It is a lose/lose situation.

QoS determines the network's ability to assign resources to mission-critical or delay-sensitive applications, while limiting
resources committed to low-priority traffic. QoS addresses two fundamental requirements for applications run on a VPN:
predictable performance and policy implementation. Policies are used to assign network resources to specific users,
applications, project groups, or servers in a prioritized way. Components of bandwidth management/QoS that apply to Layer
2 and Layer 3 VPNs are as follows:

Packet classification---assigns packet priority based on enterprise network policy

Committed access rate (CAR)---provides policing and manages bandwidth based on applications and/or users
according to enterprise network policy

Weighted Fair Queuing (WFQ)---allocates packet throughput based on packet priority

Weighted Random Early Detection (WRED)---complements TCP in predicting and managing network congestion on the
VPN backbone, ensuring predictable throughput rates

Generic traffic shaping (GTS)---smooths bursty traffic and "packet trains" to ensure optimal average utilization of VPN
WAN links

Border Gateway Protocol (BGP) propagation---enables the bandwidth management policies to extend to traffic in both
directions of the VPN connection

These QoS features complement each other, working together in different parts of the VPN to create a comprehensive
bandwidth management solution. Bandwidth management solutions must be applied at multiple points on the VPN to be
effective; single point solutions cannot ensure predictable performance. Network performance can be monitored using the
Cisco Response Time Reporter (RTR), a network monitoring feature embedded on the router in Cisco IOS. Cisco RTR
measures network uptime, latency, and other service characteristics, enabling corporations to ensure service-level
agreements with their service providers are being met.

In addition to the benefits of managing bandwidth, Cisco recognizes the importance of providing VPN routing services that
complement QoS mechanisms while seamlessly integrating into existing corporate network routing configurations. By
supporting standard routing protocols, like EIGRP and OSPF, Cisco VPN routing services ensure cost-effective migration to
VPN infrastructures that provide robust bandwidth management without impacting existing network configurations.

Network Management: Operating the VPN

VPNs integrate multiple security and bandwidth management services in addition to the network devices themselves.
Enterprises need to seamlessly manage these devices and features across the VPN infrastructure, including remote access
and extranet users. Given these issues, network management becomes a major consideration in a VPN environment. A VPN
WAN architecture, however, affords network managers the opportunity to outsource many aspects of network management.
Unlike in a private network architecture, a VPN enables enterprises to define what level of network control they need to
retain in-house, while outsourcing less sensitive functions to service providers.

Many companies choose to retain full control over deployment and daily operation of their VPN, and thus require a
comprehensive, policy-based management system. Such a system extends the existing management framework to encompass
WAN management functions unique to VPNs. Cisco enterprise network management provides a comprehensive suite of tools
for managing devices, security policies, and services across any size VPN.

As the WAN is extended with VPN technology, a strict set of business requirements must be met for the enterprise network
manager to be successful. These requirements include:

Minimize risk---moving from a dedicated infrastructure to a shared infrastructure that utilizes WAN transport mediums,
such as the public Internet, presents the network manager with new security and auditing challenges; network managers
must be able to extend VPN access to multiple corporate sites, business partners, and remote users, while assuring the
integrity of the corporate data resources

Scale---the rapid addition of mobile users and business partners to the VPN requires network managers to expand the
network, make hardware and software upgrades, manage bandwidth, and maintain security policies with unprecedented
speed and accuracy

Cost---to fully realize the cost benefits of a VPN, network managers must be able to implement new VPN technologies
and provision additional network users without growing the operations staff at a proportional rate

Cisco enterprise management tools empower network managers to effectively meet these business requirements via a
three-tiered management strategy: enabling scalable device management, supporting hybrid network architectures, and
leveraging Cisco Powered Networks.

Scalable Device Management

Integrated tools that manage one device at a time will not enable network managers to deploy the vast portfolio of VPN
solutions and technology required by enterprises. The network must be managed by policy, as a uniform and integrated
entity, not as discrete segments and devices. This approach enables the network manager to consistently implement security
policy across the collection of resources that create the VPN.

Supporting Hybrid Network Architectures

In a hybrid private/virtual private network environment, VPN management functions must integrate seamlessly into the
existing private enterprise network management architecture. Private network management tools must be augmented to
support new VPN management capabilities, providing network managers with end-to-end control and visibility.

Leveraging Cisco Powered Networks

Service providers that deploy Cisco technology and services to deliver the VPN infrastructure may utilize the Cisco Service
Management (CSM) System to achieve their operations and business objectives. As part of the CSM solution set,
provisioning and service monitoring solutions enable the service provider to deliver the VPN connectivity to the enterprise
customer. By creating a bridge between enterprise management solutions and CSM solutions, Cisco enables enterprise
network managers to receive configuration information from the service provider, validate that service levels provided by
the service provider match the expectations of the enterprise, and deliver bandwidth management policy to the service
provider to ensure end-to-end QoS for mission-critical applications. Management tools such as the Cisco Internetwork
Performance Monitor (IPM) and Service Level Agreement Manager (SLAM) operate in conjunction with the Cisco RTR
enabling network managers to ensure their service level agreements with service providers are being met.

The Cisco Enterprise Network Management Strategy

Cisco has developed a phased plan for delivering policy-based management tools for enterprise VPNs that also leverages
the features of Cisco Powered Networks deployed by service providers. In the initial phases, VPN management features are
integrated into the CiscoWorks2000 product family, enabling Web-based, end-to-end management of Cisco networks.
Through CiscoWorks2000 enhancements, network managers can manage security and bandwidth management parameters of
VPNs. In the final phases, policy-based management of VPN features and security parameters will be added and extended to
include directory-enabled network (DEN) management and tools for measuring and monitoring service provider
performance against service-level agreement (SLA) commitments.

Platform Scalability and Migration Paths: Looking to the Future

When considering a VPN solution, enterprises should consider how VPN technology will integrate into their existing
network infrastructure and how it will grow with the dynamic requirements of the enterprise network. VPNs are not an all or
nothing network decision. A VPN can be phased into existing private network architectures offering a flexible migration path
for the evolution of private networks. Many organizations will likely deploy VPNs as an augmentation of their existing
private WAN infrastructures. For such hybrid applications, VPNs can be implemented on existing Cisco VPN-capable
routers using Cisco IOS software with its extensive array of VPN features. Additionally, existing VPN-optimized routers can
utilize optional hardware components to increase security performance. Implementing VPNs through Cisco IOS software and
optional hardware components enables robust VPN functionality without impacting existing network infrastructures, thus
ensuring flexibility and growth necessary for the future.

Throughout its VPN portfolio, Cisco employs standards-based solutions. For Layer 3 security, Cisco VPNs use IPSec, a
standards track proposal in the Internet Engineering Task Force (IETF) for IP security. For Layer 2 tunneling, Cisco supports
Layer 2 Tunneling Protocol (L2TP), the de facto industry Layer 2 tunneling standard. Furthermore, Cisco VPNs support
Layer 2 Forwarding (L2F) and Generic Routing Encapsulation (GRE). For encryption, Cisco supports the strongest standard
algorithms available in the industry---DES and 3DES.

According to the Gartner Group, the nascence of the VPN equipment market "raises risks of choosing the wrong vendor."
Cisco equipment comprises more than 80 percent of the Internet backbone and is the cornerstone of enterprise networks.
These factors make Cisco uniquely positioned as the guide to the new world of VPNs. Industry-leading Cisco platforms,
including routers, WAN switches, access servers, and firewalls---combined with robust Cisco IOS software---are the
foundation for deploying the broadest set of VPN service offerings across many different network architectures, enabling
corporations to preserve their network investments by deploying VPNs on their existing Cisco gear. Furthermore, Cisco
VPN solutions tightly integrate the many facets of VPNs with existing Cisco products, ensuring the smooth integration of
VPN technology into Cisco enterprise networks. The breadth of Cisco solutions, such as voice over the enterprise WAN, are
fully compatible with Cisco VPN platforms. Additionally, the ubiquity of Cisco equipment in service provider IP, Frame
Relay, and ATM backbones provides the means for a high degree of feature integration over the WAN, including common
bandwidth management functions across service provider and enterprise networks.

Common Architectures for VPNs

Today's Corporate WAN: The Private Network

Today's corporate WAN is typically built using private lines or private Frame Relay/ATM. The remote access portion of the
network is also typically a private solution with corporations deploying and managing their own dial access infrastructure.
Extranet applications are often not supported, or done so as an expensive and burdensome extension of the WAN cloud.

A private network architecture limits network extendibility to remote users and partners

22.08.1999

Комментарии (2)

  • Использование виртуальных приватных сетей

    Maxim E. Smirnoff, 24.08.1999
    в ответ на: комментарий (Виктор Ангелов, 22.08.1999)
    Здравствуйте Виктор.
    1. Не могли бы Вы использовать вместо полного текста описаний продуктов ссылки на такие описания, а то размер реплик становиться очень большим.
    2. Я стараюсь убедить Вас ровно в следующем:
    существует достаточно развитый и структурированный набор технологий криптозащиты информации, включая шифрование сообщений, шифрования соединений, шифрование IP пакетов и т.д. Использование средств шифрования IP пакетов для обеспечения конфиденциальности сообщений электронной почты - не оправдано. Идеи которые сегодня реализованы Cisco чуть ранее раскручивались Sun и затем Microsoft. Какой то сектор рынка они(идеи) заняли и на этом все закончилось. Не следует думать что какая-либо одна технология способна решить все Ваши проблемы. Конечно, разработчики систем заинтересованы в максимально широком внедрении своих продуктов, вот и рассказывают про молочные реки с киселными берегами, но Вы же не бросаетесь немедленно покупать товар, рекламируемый по TV. Лично мне не известны содержательные примеры организации VPN даже на сотни хостов, и вряд следует ожидать повальное увлечение ими пользователей рунет, для противодействии СОРМ, просто потому что люди не хотят использовать и более простые средства. Повнедряет немного Cisco свое видение VPN, осчастливит определенное количество клиентов, скроее всего корпоративных, и успокоится, вот увидите.
  • Использование виртуальных приватных сетей

    Виктор Ангелов, 28.08.1999
    в ответ на: комментарий (Maxim E. Smirnoff, 24.08.1999)
    =========================================================

    Здравствуйте, Максим !

    1. Замечание "ссылки вместо текста" - справедливо, крыть нечем. Sorry за задержку с ответами, не получается со временем в рабочие дни недели.

    2. Согласен - набор технологий криптозащиты огромен, большая часть из них разработана за пределами России, равно как и контртехнологии. Криптозащиту можно купить легально, а контрзащиту - разве что украсть (ну еще, возможно, "подкупить"), и чем при таком раскладе руководствовались Заказчики СОРМа - очень было бы любопытно узнать...

    2.1. То,что шифрование IP пакетов для электронной почты не оправдано - полностью согласен, ибо зачем их (IP пакеты ЭЛЕКТРОННОЙ ПОЧТЫ) шифровать для прохождения через все маршрутизаторы сети, если в конечном пункте, у Service Provider'a (а не у Клиента), эти пакеты все равно будут собраны в цельное и шифрованное сообщение (если, конечно, Отправитель позаботился о шифровании). Но, кроме электронной почты, существуют другие Приложения. Например - медицинская компания (Spastic Society - спецы по судорогам), у компании есть NT/Novell LAN на 60 PC в центральном офисе и еще множество маленьких LANs в 75-ти филиалах, разбросанных по штату Victoria. Вполне разумно в этой ситуации использовать Интернет как своего рода кусок коаксиального кабеля, чтобы связать все 76 LANs в единую сеть, используя технологию VPN и все блага ее криптозащиты. К сожалению, затерял WWW-ссылку на обьявление, приглашающее спеца на эту работу:
    -----------------------------------------------
    The Age,
    Saturday May 8, 1999

    COMPUTERS
    PC/Network Support
    The Spastic Society of Victoria requires a confident, customer oriented person to take up a technical support role within the Information Technology Department. We are currently upgrading our enterprise systems and communications infrastructure. The successful applicant for this role will gain exposure to Virtual Private Network technology in an NT environment.
    The Spastic Society currently operates at 75 locations throughout regional and metropolitan Victoria. We have a 60 user NT/Novell based LAN at our main site and various small PC networks at other sites all running Windows 95 or 98 with Microsoft Office/Pro 7 or 97.
    This position involves responding to general enquiries from internal customers, resolving PC/LAN based problems and purchasing computer and telephony equipment. Liaison with suppliers, administration of support agreements and LAN administration are integral parts of this role.
    Experience in configuring, installing and maintaining PC hardware and software is essential as is a good working knowledge of Windows 95 or 98 with MS Office products. Good administrative skills will be highly regarded as will solid all round experience of LT.support issues.
    Salary is negotiable dependant upon skills and experience.
    Mail/Fax resumes (No more than four pages) and covering letter (please include salary expctation range) to Rebecca Conboy, Project Admin Assistant, Spastic Society of Victoria, P.O. Box 381, 135 Inkerman Street, St.Kilda, 3182.
    No later than 5pm Monday 24 May 1999. Telephone (03) 9536 4238 for further information or fax (03) 9525 3274.
    -------------------------------------------------------

    Думается, что судить - закончились ли "эксперименты" с VPN или это уже целая индустрия - можно по спросу на рабсилу соответсвующего профиля, и здесь, дабы не заканчивать реплику огромными списками "Wanted !!!", проще посетить сайт www.vpninsider.com/Jobs/Jobs.shtml, чтобы убедиться - VPN далеко не умерли в экспериментах Microsoft и Sun Microsystem, а у Cisco, равно как у MS и Sun, очень много сильных конкурентов в этом перспективном бизнесе. Там же можно найти и содержательные примеры реализации даже не то что на сотни - на тысячи хостов, с подробными толкованиями, документацией и рекомендациями...

    2.2. Спору нет - не решить ВСЕ проблемы применением одной технологии, однако, например, если в Конторе до сих пор на IBM/S370/S390/AS400 крутятся Cobol и Fortran-IV программы Х0-летней давности с выдачей на АЦПУ или IBM3270/5250 конфиденциальных данных, то вместо дорогостоящих курьеров или строительства своих коммуникаций для доставки данных по PC-based филиалам дешевле организовать VPN нежели перепрограммировать soft-"старье" в, скажем, Web-Приложения.

    В случае с СОРМ - не так уж и дорого стоит оборудование Cisco Systems, если, конечно, есть что защищать:

    Cisco 805 (110 Ethernet, 1 Async, with IP Plus Firewall and IPsec software) стоит $1449;

    Cisco 1720 (with 110/100 Ethernet, T1/E1 DSU/CSU, Firewall and VPN software) стоит $4600 (еще дешевле - с 2*Async/Sync вместо T1/E1).

    2.3. "Люди не хотят использовать и более простые средства" - к Вашим словам, Максим, могу только добавить - "... к тому же и практически бесплатные". Например - тот же Netscape Communicator, у которого список криптографических функций просто вызывает уважение - RSA, RC2, DES, SHA-1, MD2, DSA, MD5, RC5, ... И хотя Разработчики Netscape осторожничают (а скорее всего - знают о чем пишут...) - в NetHelp, "About Security" они дают вводную:

    "...Learn how to make it MORE DIFFICULT for unathorized persons to access your system and correspondences",

    все таки "повальное" использование в России криптованных Email писем было бы неплохим, для начала, ответом на Стратегическую Оборонную Расшиздяйскую Муму...

    With kind regards,
    Victor Angelov

    ===================

Московский Либертариум, 1994-2020