-AltaVista Tunnel-

What it is, How it works

What is a Tunnel? How does it work?
What's the difference between the technology of AltaVista's Tunnel and other vendors' firewalls?
Does AltaVista Tunnel work with leading firewalls?
What encryption technology is used in AltaVista Tunnel?
What's the difference between using AltaVista Tunnel technology and Netscape's SSL protocol?
Isn't all this security stuff replaced by IPv6?
Will I need special network applications to use AltaVista Tunnel?
Can this tunnel technology be used to replace a private wide-area DECnet or Novell IPX network?
Is there logging of tunnel use?



Q: What is a Tunnel? How does it work?

A: A Tunnel gives you OnSite Access - remote access to your company's network without having to be physically present at work. With a tunnel, you can use the Internet for real business, and create a highly secure connection to the information, people, and resources you need that reside behind your corporate firewalls.

Wherever you're located, and even if you frequently change locations, you'll always have OnSite Access. Unlike a leased line that continuously links two sites, AltaVista Tunnel is dynamic - it can be instantly brought up or taken down from wherever you are, connecting you to any of your preferred business sites.

Q: What's the difference between the technology of AltaVista's Tunnel and other vendors' firewalls?

A: AltaVista offers a more flexible way to build a Virtual Private Network (VPN) than other vendors. Most VPNs only allow secure network-to-network connections. AltaVista Tunnel allows both network-to-network and PC-to-Network connections. This means that telecommuters and frequent travelers can gain secure OnSite access anytime, anywhere, from home or on the road.

Firewall vendors that support tunneling require the use of their firewalls at both ends of the encrypted link, which can be time- and cost-prohibitive. The AltaVista Tunnel's firewall-independent design allows it to work with virtually any firewall, thus enabling total flexibility and dynamic creation of VPNs among partners and remote offices.


Q: Does AltaVista Tunnel work with leading firewalls?

A: Yes. The AltaVista Tunnel products were tested for interoperability with all leading firewalls, including AltaVista Firewall, by an independent testing lab. In all cases, the firewalls were able to pass AltaVista Tunnel traffic. Most firewalls can be set up to allow encrypted tunnel traffic into a trusted network and onto the tunnel server. However, tunnels provide powerful access rights to trusted networks, so some care in selecting the method of bypass is warranted.

One good approach is to set up a generic relay on a firewall. This relays traffic addressed to a unique port on the firewall onto the appropriate port of the AltaVista Tunnel Workgroup Edition. This method hides the actual address of the Workgroup Tunnel server, and logs all attempts at connection at both the firewall and tunnel.
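One way to build the generic relay described above, as an added example that is not AltaVista's or any firewall vendor's code: it accepts connections on a firewall-side port, logs every attempt, and forwards the bytes to the tunnel server. The listening and upstream addresses are supplied by the caller and are assumptions, since the page names no ports.

```python
import logging
import socket
import threading

# Addresses are passed in by the caller; the page does not name any ports.
log = logging.getLogger("tunnel-relay")

def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, peer, upstream):
    # Log the attempt before contacting the tunnel server, so that failed
    # relays still leave a record on the firewall.
    log.info("connection attempt from %s:%d", peer[0], peer[1])
    try:
        server = socket.create_connection(upstream, timeout=5)
    except OSError as exc:
        log.warning("relay for %s failed: %s", peer[0], exc)
        client.close()
        return
    server.settimeout(None)
    back = threading.Thread(target=pump, args=(server, client), daemon=True)
    back.start()
    pump(client, server)
    back.join()
    client.close()
    server.close()

def start_relay(listen_addr, upstream):
    """Bind the firewall-side port and relay each connection to upstream."""
    lsock = socket.create_server(listen_addr)
    def accept_loop():
        while True:
            try:
                client, peer = lsock.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=handle, args=(client, peer, upstream),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock
```

Because clients only ever see the relay's address, the tunnel server's own address stays hidden, and the relay's log can be compared with the tunnel server's log of the same connections.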


Q: What encryption technology is used in AltaVista Tunnel?

A: AltaVista Tunnel uses RSA's powerful 512-bit public key exchange technology to achieve mutual authentication between tunnel participants. After authenticating, the tunnel automatically switches to RSA's high performance RC4 128-bit secret key encryption and seals all data into secured cryptographic packets. These are then sent across the Internet as unreadable and unrecognizable data. Upon arrival at their final destination, the sealed packets are decrypted into a readable form and sent on their way across the private network.

The international version of the tunnel supports a 40-bit RC4 key and transparently reconciles the difference between domestic and international keys, enabling secure communications worldwide. As an added security enhancement, AltaVista Tunnel automatically and transparently exchanges new encryption keys among Tunnel parties every 30 minutes.


Q: What's the difference between using AltaVista Tunnel technology and Netscape's SSL protocol?

A: SSL and AltaVista Tunnel's encryption technologies are similar, but the encryption is done at a different level of the IP stack. This means that SSL is application-dependent and the AltaVista Tunnel is application-independent. With SSL, applications that need to encrypt a specific session, such as Web browsers, Telnet, or FTP, must be modified to enable the request for an encrypted link. When using the AltaVista Tunnel, the applications are not modified, and all traffic between tunneled networks is encrypted.

Q: Isn't all this security stuff replaced by IPv6?

A: There are a lot of new security enhancements in the upcoming IPv6 (also known as IPng) protocol, which are collectively referred to as IPSec. However, it will be at least several years before networks have migrated all their systems to use IPv6. The AltaVista Tunnel products are an excellent way to use virtual private networking over the Internet today, and during the migration to IPv6.


Q: Will I need special network applications to use AltaVista Tunnel?

A: No, the AltaVista Tunnel does not require any modification of applications. It operates at the network level and simply passes encrypted data packets, allowing it to work with all IP applications without the need for costly customization. The AltaVista Tunnel Personal Edition uses a pseudo-network layer under the transport layer of the IP stack. Any TCP or UDP packet with a destination inside the trusted network will be encrypted, encapsulated, sent to the other end of the tunnel, and delivered unmodified to the destination.
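A model of the data path described above, added here as an illustration and not AltaVista's code: a packet whose destination lies in the trusted network is encrypted with RC4 under the current 30-minute key, wrapped in an outer header, and recovered unmodified at the far end. The 12-byte header, the per-packet key derivation, the key table and the 10.1.0.0/16 range are assumptions, since the page does not specify the wire format, and no integrity check is modelled because the page describes only encryption.

```python
import hashlib
import ipaddress
import os
import struct

TRUSTED_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed trusted network
REKEY_SECONDS = 30 * 60                            # page: new keys every 30 minutes

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                           # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                              # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def packet_key(session_key: bytes, nonce: bytes) -> bytes:
    # Hypothetical derivation: hash instead of concatenating, so the
    # 128-bit per-packet RC4 keys are unrelated and no keystream repeats.
    return hashlib.sha256(session_key + nonce).digest()[:16]

def seal(keys: dict, inner: bytes, dst: str, now: float):
    """Encrypt and encapsulate inner if dst is inside the trusted network."""
    if ipaddress.ip_address(dst) not in TRUSTED_NET:
        return None                                # not tunnelled
    epoch = int(now // REKEY_SECONDS)              # selects the current key
    nonce = os.urandom(8)
    body = rc4(packet_key(keys[epoch], nonce), inner)
    return struct.pack("!I8s", epoch, nonce) + body

def unseal(keys: dict, frame: bytes) -> bytes:
    """Far end: strip the outer header and recover the inner packet."""
    epoch, nonce = struct.unpack("!I8s", frame[:12])
    return rc4(packet_key(keys[epoch], nonce), frame[12:])
```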


Q: Can this tunnel technology be used to replace a private wide-area DECnet or Novell IPX network?

A: AltaVista Tunnel only supports the encryption and passing of IP traffic. If the private network traffic has already been converted to IP traffic, then it can be tunneled.

Q: Is there logging of tunnel use?

A: Yes. The AltaVista Tunnel generates a log for each tunnel that is constructed. The logs are sent to the syslog for analysis. A system utility on the tunnel server shows the status of live tunnels, and offers commands to disconnect tunnels and perform other management tasks.




Digital Equipment Corporation
Copyright © Legal
AltaVista Internet Software, 30 Porter Road,
Littleton, MA Fax: (978) 506-2017