Tech Center -- Security features
ATT Global Network Services

The following security features are available:

Authentication

  • CHAP (Challenge Handshake Authentication Protocol) is used with a RADIUS authentication server at the point where users log into the network.
  • When user accounts are ordered, user names and passwords are loaded into our network directory. With CHAP, the dial-up user is assigned a password, but it is encrypted when the user logs in. Whenever a link is established, the server challenges the dial-up client, which responds with a value calculated from the code via a one-way hash function. The password itself is never transmitted.
  • AT&T offers a Proxy RADIUS Option which allows you to retain control of your own user lists. When your users log into AT&T's network, the directory in AT&T's network queries your directory using the standard Remote Access Dial-In User Service (RADIUS) protocol. If the user name and password match your directory, users are authenticated; otherwise they are denied access.
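The challenge-response exchange described above, as an added Python example (not AT&T's code). It uses the CHAP response calculation from RFC 1994, MD5 over the identifier, the shared secret and the challenge; the user name, password and class names are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side: holds the user directory, issues one challenge per link."""

    def __init__(self, directory):
        self.directory = directory   # user name -> shared secret (bytes)
        self.pending = {}            # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        self.pending[ident] = os.urandom(16)      # fresh and unpredictable
        return ident, self.pending[ident]

    def verify(self, user, ident, response):
        chal = self.pending.pop(ident, None)      # a challenge is answered once
        secret = self.directory.get(user)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)

def demo():
    password = b"sample-password"                 # constructed sample account
    server = Authenticator({"dialuser1": password})

    ident, chal = server.challenge()              # server -> client
    resp = chap_response(ident, password, chal)   # client -> server
    on_wire = bytes([ident]) + chal + b"dialuser1" + resp
    accepted = server.verify("dialuser1", ident, resp)

    # A response captured on one link is presented again on a new link.
    ident2, _ = server.challenge()
    replayed = server.verify("dialuser1", ident2, resp)
    stale = server.verify("dialuser1", ident, resp)   # old challenge is spent
    return {"accepted": accepted, "replayed": replayed, "stale": stale,
            "password_on_wire": password in on_wire}

if __name__ == "__main__":
    print(demo())
```

The server needs the same secret the client holds in order to recompute the response, which is why the directory (AT&T's, or yours with the Proxy RADIUS Option) is the asset to protect.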

IP Closed User Groups

  • With IP Closed User Groups you can limit dial-up users' access to your network, or to particular sites on it, while limiting access to your network to only those users you authorize.
  • Using our Closed User Group + Internet option, you can provide remote users Internet access while limiting access to only authorized users. For example, if you are offering an Extranet application for your business partners, you may wish to limit their access to specific servers dedicated to the service you are offering, while giving your employees access to all network resources. Similarly, you can offer your employees access to the public Internet and your private network with AT&T Virtual Private Network Service, while not providing Internet access for your business partners.
  • Based on your users' profiles, AT&T establishes IP Closed User Groups via packet filtering.
  • IP Closed User Groups are implemented by assigning source addresses for dial users from a specific AT&T provided private address pool in the AT&T Protected Address Space. Users are then restricted by destination filters to be routed only to those sites which their authentication profile allows, and in the case of Closed User Group + Internet, to all Internet sites.
  • When this service is combined with Intracorporate Restricted Access at dedicated sites, only restricted IP Closed User Group source addresses are allowed to access those sites. The result is that only Closed User Group users can access protected sites; all other users on the Internet and the AT&T network are blocked.
  • To use this feature, your networks connected to AT&T Virtual Private Network Service must use IP addresses from the AT&T Protected Address Space. If you use AT&T's Managed Router Option, we can enable Network Address Translation on the router to convert AT&T addresses to the addresses used on your network.

Packet Filtering, Spoof Proofing, and Source Address Assurance

  • These features use filters at your access point into the network and at the connection points between AT&T's private backbone and its interface to the public Internet. This prevents packets that are not truly from your list of registered addresses from entering the network.
  • Packets mimicking other addresses are dropped at the point of entry into the network.
  • At entry points to the AT&T IP backbone from the Internet and other service providers, filters deny access to packets coming into the network that bear a source address registered to AT&T. This helps prevent authenticated dial users from transmitting packets bearing AT&T VPNS addresses.
  • Used in conjunction with dial-up CHAP authentication and IP Closed User Groups, these features provide important protection against security breaches by other users and create a true virtual private network.
  • These features require that your dial users use AT&T-owned IP addresses.
  • AT&T VPNS cannot protect against the mimicking of IP addresses elsewhere on the Internet (not registered with AT&T). This is why it is important to use a firewall if you are using our Basic IP service for Internet connectivity.
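How the filtering in the IP Closed User Groups and Packet Filtering sections fits together, as an added Python model (not AT&T's configuration). The address ranges, user profiles and function names are constructed, since the page does not publish the Protected Address Space, and the rule that a dial user's source must equal the assigned address is an assumption about how source address assurance is enforced.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for the AT&T Protected Address Space.
PROTECTED_SPACE = ip_network("10.64.0.0/16")

# Constructed profiles: assigned source, permitted sites, Internet option.
PROFILES = {
    "employee": ("10.64.1.10", ["10.64.200.0/24", "10.64.201.0/24"], True),
    "partner": ("10.64.1.20", ["10.64.201.0/24"], False),
}

def dial_ingress(user, src, dst):
    """Filter at the dial access point, applied after authentication."""
    assigned, sites, internet = PROFILES[user]
    if ip_address(src) != ip_address(assigned):
        return "drop: source is not the address assigned to this user"
    dest = ip_address(dst)
    if any(dest in ip_network(site) for site in sites):
        return "forward: closed user group site"
    if internet and dest not in PROTECTED_SPACE:
        return "forward: Internet"
    return "drop: destination not in profile"

def border_ingress(src):
    """Filter where the backbone meets the Internet and other providers."""
    if ip_address(src) in PROTECTED_SPACE:
        return "drop: outside packet bears a protected source address"
    return "forward"

def run_cases():
    """Walk the scenarios from the text; 198.51.100.7 is a documentation IP."""
    return [
        dial_ingress("employee", "10.64.1.10", "10.64.200.5"),
        dial_ingress("employee", "10.64.1.10", "198.51.100.7"),
        dial_ingress("partner", "10.64.1.20", "10.64.201.5"),
        dial_ingress("partner", "10.64.1.20", "10.64.200.5"),
        dial_ingress("partner", "10.64.1.20", "198.51.100.7"),
        dial_ingress("partner", "10.64.1.10", "10.64.200.5"),  # mimics employee
        border_ingress("10.64.1.10"),
        border_ingress("198.51.100.7"),
    ]

if __name__ == "__main__":
    for decision in run_cases():
        print(decision)
```

The destination filter only means something because the source check runs first: a profile keyed on an address the sender can choose freely would restrict nothing.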

Network-based Tunneling for Dial Access (Optional)

  • Lets dial-up users connect directly to your network via AT&T VPNS; the traffic is encapsulated or "tunneled" across the AT&T network infrastructure securely to your premises LAN and host environment.
  • Traffic interworks with your authentication servers (e.g., RADIUS, TACACS) to securely authenticate your end users at your own network edge, retaining control over the authentication databases and address assignment.
  • Supports the use of protocols other than IP (IPX in particular) and allows for use of private registered or unregistered IP addresses for both dial users and dedicated resources.
  • Network-based tunneling requires that you choose the Managed Router Option with a Cisco 4700 series router. All restrictions associated with the Managed Router Option are applicable to the Network-Based Tunneling feature.
  • If you use this feature, it is strongly recommended that your company maintain a RADIUS or TACACS+ authentication server on its site for the corporate network. You would provide and maintain this server.
  • Not available with ISDN dial Network.

Security for Dedicated Sites

  • AT&T VPNS enables dedicated connectivity between networks via the AT&T backbone. You can connect multiple networks using AT&T VPNS, creating a "virtual intranet", such that your sites can communicate only with each other.
  • The Intracorporate Restricted Access feature uses packet filtering to route traffic between corporate sites, blocking access by external users and access to the Internet. We recommend using this feature in conjunction with the IP Closed User Group feature to provide a complete virtual private IP network for the enterprise.
  • To use the Intracorporate Restricted feature, your networks must use IP addresses from the AT&T Protected Address Space.
  • Basic IP dedicated access is also available. It is open to all unprotected AT&T users and the Internet.

Copyright © 2003 AT&T. All rights reserved.