Virtual Private Network (VPN)



Description:


A virtual private network (VPN) is a system commonly used by corporations that need communication between remote users, headquarters and distant branch offices. One of the primary reasons for using a VPN is cost: a VPN needs nothing more than an active Internet connection at each end, so it is far cheaper than the alternatives. Before VPNs, companies built wide-area networks (WANs) out of leased lines, dedicated circuits rented from a telephone carrier. The price of a leased line grows with distance, so the further the network had to reach, the more it cost. With VPNs, companies no longer have to lease dedicated circuits to build a WAN; they use the public Internet as the carrier and let their mobile users connect to the corporate network through the VPN. Since an Internet connection is available almost anywhere an employee is likely to go, the company's network can be reached without any dedicated lines or private WAN.

Once correctly set up by an administrator, a VPN provides a secure means of communication with relatively little day-to-day maintenance. Administrators are still needed to maintain and secure the gateway, keeping it patched and its keys and certificates current, and to keep connectivity reliable. On the client side, however, some VPN clients are simple enough that end users need no training or IT support to use them.

ssl-vpn-diagram.gif


The illustration above is an example of how one could set up a system for communication and transmission of information using a VPN.

Benefits:


  • Greatly extends remote connectivity without dedicated lines or a private WAN.
  • Cheaper than leased-line WANs or other options.
  • Protects traffic crossing the public Internet, provided the tunnel is cryptographically secured with both encryption and authentication (see Security below).
  • Increase in mobile productivity.

Three types of VPNs:


When discussing VPNs, three types are commonly distinguished: the remote-access VPN, and two site-to-site variants called the intranet VPN and the extranet VPN. The remote-access VPN is a client-to-LAN setup: a remote user connects to a network access server (NAS) operated by the company or its service provider and, once connected, reaches the corporate network and its resources through VPN client software installed on their laptop, PDA or other device. In the original dial-up model the user dialed a toll-free number to reach the NAS; today the client usually reaches the VPN gateway over whatever Internet connection is available.

The two site-to-site types connect whole networks rather than individual users: a VPN gateway at each site builds a tunnel across the Internet, and hosts on either LAN reach the other side transparently, without running any client software. The intranet VPN is the one most corporations use. It is a LAN-to-LAN setup that joins a company's own locations, connecting as many sites as needed to one network, so a user at one office can reach not only the main office but any other connected office. The extranet VPN is similar, except that it admits another organization's network: when a company has a business relationship with a partner, an extranet VPN connects the relevant parts of the two networks so that users at either company can reach the other's resources, and vice versa. Because an extranet exposes internal systems to an outside party, access is normally limited to the specific hosts and services the partnership needs.


vpn-type.jpg
A visual description of the three types of VPNs.


Security:


As with any network, especially in the corporate sector, security is of the utmost importance, and VPNs are no different. VPNs use a variety of methods to keep the network, its files and its resources secure: firewalls, encryption, AAA servers and IPsec. Firewalls are the most common security measure in networks, and VPNs are no exception. The firewall on the VPN gateway restricts the number of open ports and the protocols allowed through, and blocks anyone who is not supposed to reach the gateway at all. Encryption is likewise common. The traffic crossing the public network is encoded so that it can only be decoded by a party holding the session key, in practice the VPN gateway and the authenticated client or peer gateway; an observer on the path sees only ciphertext. An AAA server is seen more often with remote-access VPNs: before a dial-in or Internet user is admitted, the NAS or gateway consults the AAA server, which handles authentication (who the user is), authorization (what the user may reach) and accounting (recording the session); hence AAA. Only after those checks pass is the user granted access. Finally, IPsec is a suite of protocols that provides authentication, integrity protection and encryption for IP packets at the network layer, so every application's traffic through the tunnel is protected without the applications themselves being changed.
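A concrete version of the firewall policy described above, added here as an example (it is not from the page or from any vendor's documentation): an nftables ruleset for an IPsec VPN gateway that drops everything by default and opens only what the tunnel needs. The interface names eth0 (Internet side) and eth1 (internal side) and the management subnet 10.0.100.0/24 are assumptions made for the example.

```nft
# Assumed layout (example values): eth0 faces the Internet, eth1 the internal LAN.
table inet vpn_gateway {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPsec from any peer on the outside: IKE (UDP 500) and IKE/ESP NAT traversal (UDP 4500)
        iifname "eth0" udp dport { 500, 4500 } accept
        # ESP and AH carried directly in IP (protocol numbers 50 and 51)
        iifname "eth0" ip protocol esp accept
        iifname "eth0" ip protocol ah accept

        # Administration only from the internal management subnet (assumed address)
        iifname "eth1" ip saddr 10.0.100.0/24 tcp dport 22 accept

        # Everything else, including SSH from the Internet, falls through to the drop policy
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. IPv6 peers would need matching `ip6 nexthdr esp` rules, and what the decrypted traffic may reach on the inside is a separate decision made in the forward chain, not here.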

Secure VPNs normally run over cryptographic tunneling protocols, which provide the network with confidentiality, authentication and message integrity. With a proper implementation these tunnels can cross generally unsecured networks such as the Internet while still giving the VPN solid security. A VPN is not required to use such a protocol, and many VPNs function without one. There are also trusted VPNs, which use no cryptographic tunneling at all and instead rely on the carrier's network being secured and kept separate by other means. With a trusted VPN the organization therefore depends on the provider to keep its traffic isolated, and anyone with access to the provider's infrastructure can read that traffic. The question to ask of any VPN is whether the traffic is actually encrypted and authenticated between the endpoints, or merely carried over a network that is assumed to be private.
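To make the confidentiality, authentication and message integrity of the previous two paragraphs concrete, here is an added example, written for this page rather than taken from it or from any IPsec implementation, of what IPsec ESP does to each packet: a sequence-numbered header, encrypt-then-MAC with a constant-time tag check, and a sliding anti-replay window, so that a replayed, tampered or stale packet is rejected. The SPI value, keys and packet contents are constructed for the demo, and the keystream generator stands in for a real cipher such as AES-GCM purely so that the example runs without third-party libraries.

```python
"""ESP-style packet protection (shape of IPsec ESP, RFC 4303): encrypt-then-MAC
over a sequence-numbered header plus an anti-replay window.  Added example; the
keystream generator is a dependency-free stand-in for a real cipher and must
not be used for real traffic."""
import hashlib
import hmac
import struct

ICV_LEN = 16   # truncated HMAC-SHA256 tag (cf. HMAC-SHA256-128 in IPsec)
WINDOW = 64    # anti-replay window; RFC 4303 requires >= 32 and recommends 64


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode, bound to (SPI, seq) so
    no two packets on one Security Association share keystream."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


class Sender:
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0   # ESP sequence numbers start at 1 and never repeat on an SA

    def protect(self, plaintext: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">II", self.spi, self.seq)
        ks = _keystream(self.enc_key, self.spi, self.seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        # The ICV covers header + ciphertext, so the sequence number is authenticated too.
        icv = hmac.new(self.auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        return header + ciphertext + icv


class Receiver:
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) already accepted

    def unprotect(self, packet: bytes) -> bytes:
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated packet")
        spi, seq = struct.unpack(">II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # 1. Cheap anti-replay pre-check before any cryptography is done.
        if seq == 0 or seq <= self.highest - WINDOW:
            raise ValueError("sequence number outside window")
        if seq <= self.highest and (self.bitmap >> (self.highest - seq)) & 1:
            raise ValueError("replayed packet")
        # 2. Integrity: constant-time comparison of the ICV over header + ciphertext.
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("integrity check failed")
        # 3. Only now advance the window, so a forged sequence number cannot poison it.
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        ks = _keystream(self.enc_key, spi, seq, len(body))
        return bytes(c ^ k for c, k in zip(body, ks))


def reject_reason(rx: Receiver, packet: bytes):
    """Return the rejection message, or None if the receiver accepted the packet."""
    try:
        rx.unprotect(packet)
        return None
    except ValueError as e:
        return str(e)


def demo() -> dict:
    """Push normal, reordered, replayed, tampered and stale packets through one tunnel."""
    spi = 0x1000
    enc_key, auth_key = b"\x11" * 32, b"\x22" * 32          # constructed demo keys
    tx, rx = Sender(spi, enc_key, auth_key), Receiver(spi, enc_key, auth_key)
    pkts = [tx.protect(b"packet %d" % i) for i in range(1, 71)]   # seq 1..70
    out = {}
    out["roundtrip"] = rx.unprotect(pkts[0]) == b"packet 1"
    out["reordered_ok"] = rx.unprotect(pkts[2]) == b"packet 3"     # seq 3 arrives before 2
    out["late_in_window_ok"] = rx.unprotect(pkts[1]) == b"packet 2"
    out["replay"] = reject_reason(rx, pkts[0])                    # seq 1 again
    tampered = bytearray(pkts[3])
    tampered[10] ^= 0x01                                         # flip one ciphertext bit of seq 4
    out["tampered"] = reject_reason(rx, bytes(tampered))
    out["genuine_after_tamper_ok"] = rx.unprotect(pkts[3]) == b"packet 4"
    out["jump_ok"] = rx.unprotect(pkts[69]) == b"packet 70"       # window now covers 7..70
    out["stale"] = reject_reason(rx, pkts[4])                     # seq 5 has fallen out of the window
    out["still_in_window_ok"] = rx.unprotect(pkts[6]) == b"packet 7"
    return out
```

Two details matter in practice: the window is updated only after the ICV verifies, so an attacker cannot use forged sequence numbers to push genuine packets out of the window, and the tag is compared with hmac.compare_digest rather than == to avoid a timing leak. Real deployments negotiate AES-GCM, or AES-CBC with HMAC-SHA256, through IKE; a trusted VPN, as described above, performs none of these steps.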

Software Solutions:
The software solutions might be better termed "software approximations." The classic approach is to provide privacy application by application using crypto APIs. Secure remote access is provided by encrypted telnet replacements such as SRP-based telnet or SSH; SSH also permits tunneling other services (such as X) over its encrypted connection. For dial-in connections, Blaze's Encrypting Session Manager (ESM) provides encryption after the session has been established. Encrypted voice communication over the Internet is provided by Nautilus or PGPfone. Transport-layer encryption for TCP is provided by SSL and its IETF successor, Transport Layer Security (TLS). More integrated solutions can be built on Kerberos or OSF's DCE, or on the Point-to-Point Tunneling Protocol (PPTP), including Microsoft's implementation, which has known vulnerabilities. L2TP combines PPTP with Cisco's L2F protocol.

Applications:


VPNs are commonly used by corporations because of the ease of access they provide. A VPN allows remote users, travelling associates and any device with an Internet connection to reach the company's servers, files and other network resources easily and efficiently, which lets associates be more productive. For example, an associate is on the way to a meeting in Los Angeles, California, and fifteen minutes before it starts downloads the company's most recent sales figures from the main server in Dallas, Texas. The associate then walks into the meeting with figures that are minutes old and shows the potential client the latest sales information. This helps the corporation, since it presents the client with up-to-date information and shows that the company is well run, efficient and focused on using technology to better its business.



This is a video tutorial of how to set up a VPN.

Terminology:


Virtual Private Network (VPN) - A private network that is configured within a public network (a carrier's network or the Internet) in order to take advantage of the economies of scale and management facilities of large networks.

Wide-Area Network (WAN) - A communications network that uses such devices as telephone lines, satellite dishes, or radio waves to span a larger geographic area than can be covered by a LAN.

Leased lines - A private communications channel leased from a common carrier. Most digital lines require four wires (two pairs) for full-duplex transmission.

Intranet - A privately maintained computer network that can be accessed only by authorized persons, especially members or employees of the organization that owns it.

Extranet - An extension of an institution's intranet, especially over the World Wide Web, enabling communication between the institution and people it deals with, often by providing limited access to its intranet.

Firewall - An information technology (IT) security device configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware and/or software based.

Encryption - The reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys.

AAA Server - (Authentication Authorization Accounting server) A network server used for access control. Authentication identifies the user. Authorization implements policies that determine which resources and services a valid user may access. Accounting keeps track of time and data resources used for billing and analysis.

IPsec - (IP SECurity) A security protocol suite from the IETF that provides authentication and encryption over the Internet. Unlike SSL, which provides services at layer 4 and secures the connection between two applications, IPsec works at layer 3 and secures all traffic between the two endpoints.

Tunneling protocol - A network protocol that encapsulates packets at a peer level or below. It is used to transport multiple protocols over a common network as well as to provide the vehicle for encrypted virtual private networks (VPNs).

Links:

http://en.wikipedia.org/wiki/VPN
http://computer.howstuffworks.com/vpn.htm
http://www.cisco.com/en/US/products/hw/vpndevc/ps333/index.html
http://www.csm.ornl.gov/~dunigan/vpn.html