Virtual Private Networks
The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or even around the world. But there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are.
Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
What Makes A VPN?
There are two common VPN types:
- Remote-Access: Also called a Virtual Private Dial-up Network (VPDN), this is a User-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large Remote-Access VPN will outsource to an Enterprise Service Provider (ESP). The ESP sets up a Network Access Server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a 1-800 number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a Remote-Access VPN would be a large firm with hundreds of sales people in the field. Remote-Access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
- Site-to-Site: Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-Site VPNs can be either:
A well-designed VPN can greatly benefit a company. For example, it can:
What features are needed in a well-designed VPN? It should incorporate:
Analogy: Each LAN is an Island
Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Of course, traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else.
Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That's essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike a leased line, whose cost increases in proportion to the distance involved, a VPN costs about the same no matter where each office is located.
A well-designed VPN uses several methods for keeping your connection and data secure:
In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
IPSec - Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts both the header and the payload of each packet, while transport mode encrypts only the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:
AAA Server - AAA Servers (Authentication, Authorization and Accounting) are used for more secure access in a Remote-Access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:
The Accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
Depending on the type of VPN (Remote-Access or Site-to-Site), you will need to put in place certain components to build your VPN. These might include:
Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own. For example, Cisco offers several VPN solutions including:
Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network.
Tunneling requires three different protocols:
- Carrier protocol: the protocol used by the network that the information is traveling over (on the Internet, this is IP).
- Encapsulating protocol: the protocol that wraps the original data, such as GRE, IPSec, L2F, PPTP or L2TP.
- Passenger protocol: the original data being carried, such as IPX, NetBeui or IP.
Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBeui) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.
In a Site-to-Site VPN, GRE (Generic Routing Encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in Tunnel Mode is sometimes used as the encapsulating protocol. IPSec works well on both Remote-Access and Site-to-Site VPNs, but it must be supported at both tunnel interfaces to be used.
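To make the packet-within-a-packet idea concrete, here is an added example (not code from the original article) that builds the layering the tunneling paragraphs describe: a passenger IPv4 packet with private, non-routable addresses is wrapped in a GRE header that records the passenger type, and that in turn is carried inside an outer IPv4 header with globally routable addresses (the 203.0.113.x / 198.51.100.x outer addresses and the 10.x.x.x inner addresses are constructed sample values). The decapsulation side verifies the outer checksum and GRE protocol type before handing the passenger packet on, which is the check a tunnel endpoint should make before trusting what arrived.

```python
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE (carrier header's protocol field)
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value meaning the passenger is IPv4
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: version 4, IHL 5, TTL 64, checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header (no optional fields) + passenger packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type
    payload = gre_hdr + passenger
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the carrier and GRE headers, then return the passenger and both address pairs."""
    ver_ihl, _, _, _, _, _, proto, _, o_src, o_dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if proto != GRE_PROTO:
        raise ValueError(f"carrier protocol {proto} is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB007:  # C/K/S bits (RFC 2784/2890 options) or a non-zero version
        raise ValueError("unsupported GRE flags or version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported passenger protocol type 0x{ptype:04x}")
    inner = packet[ihl + 4:]
    i_src, i_dst = struct.unpack("!4s4s", inner[12:20])
    return {"outer": (socket.inet_ntoa(o_src), socket.inet_ntoa(o_dst)),
            "inner": (socket.inet_ntoa(i_src), socket.inet_ntoa(i_dst)),
            "passenger": inner}


def build_sample() -> tuple:
    """Constructed sample: private 10.0.1.5 -> 10.0.2.9 packet tunneled between public gateways."""
    passenger = ipv4_header("10.0.1.5", "10.0.2.9", 17, 5) + b"hello"  # stand-in payload
    return passenger, gre_encapsulate(passenger, "203.0.113.10", "198.51.100.20")
```

On the wire only the outer (public) addresses are visible to routers; the private addresses and payload travel untouched inside the GRE payload, which is why GRE on its own provides no confidentiality and is paired with IPSec when the data must stay secret.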
In a Remote-Access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Remote-Access VPN tunneling relies on PPP.
Each of the protocols listed below was built on the basic structure of PPP and is used by Remote-Access VPNs.
L2TP can be used as a tunneling protocol for Site-to-Site VPNs as well as Remote-Access VPNs. In fact, L2TP can create a tunnel between:
Think of tunneling like having a computer delivered to you by UPS. The vendor packs the computer (passenger protocol) into a box (encapsulating protocol) which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your home (exit tunnel interface) and delivers the computer. You open the box (encapsulating protocol) and remove the computer (passenger protocol). Tunneling is just that simple!
As you can see, VPNs are a great way for a company to keep its employees and partners connected no matter where they are.