Information about Virtual Private Networks (VPNs)

Information about Virtual Private Networks (VPNs)

A Virtual Private Network (VPN) is an Internet-based network that uses the open, distributed infrastructure of the Internet to transmit data between corporate sites.
A virtual private network (VPN) is the next version of a private network that includes links across public and private networks like the Internet. A VPN permits to send data between two computers over a shared or public internetwork in such a manner that imitates the properties of a point-to-point private link. Virtual Private Networking refers to the act of configuring and creating a virtual private network.

VPNs do not provide any network services that aren't already offered by alternative mechanisms. But a VPN provides a unique mixing of technologies that improve on the traditional approaches of technologies.

VPNs for Remote Access

A VPN not only offers intranet/extranet services like WAN, but also support for remote access service. Many organizations increase the mobility of their workers by permitting more employees to telecommute. This cannot be achieved through leased lines because the lines fail to extend to people's homes or their travel destinations. In this case companies that don't use VPNs must implement specialized 'secure dial-up' services. By using a local number to log into a dial-up intranet, a remote worker must call into a company's remote access server.

A client who wants to log into the company VPN must call a local server connected to the public network. The VPN client tries to establish a connection to the VPN server. Once the connection has been established, the remote client can communicate with the company network as it resides on the internal LAN itself.

VPNs for Internetworking
A VPN remote access architecture's extension provides an entire remote network to join the local network. A server-server VPN connection joins two networks to form an extended intranet or extranet rather than a client-server connection.

VPNs Inside the Firewall
To implement limited access to individual subnets on the private network, intranets use VPN technology. In this mode, VPN clients hook up to a VPN server which acts as a gateway to computers behind it on the subnet. However, it takes benefits of the security features and handiness of VPN technology.

VPN Technologies

When deploying VPNs over the Internet, the two primary considerations are security and performance. The transmission control protocol and the Internet were not premeditated with these concerns in mind, because users and applications originally did not require security measures or performance.
VPNs provide the following functions to ensure security for data:

1] Authentication: It ensures that the data originates at the source that it claims
2] Access control: It restricts unauthorized users from gaining admission to the network
3] Confidentiality: It prevents anyone from reading or copying data as it travels across the Internet
4] Data integrity: It ensures that no one tampers with data as it travels across the Internet

To validate users on a VPN and control access to network resources, various password-based systems and challenge-response systems, such as challenge handshake authentication protocol (CHAP) and remote authentication dial-in user service (RADIUS), as well as hardware-based tokens and digital certificates can be used. The security of corporate information as it travels through the VPN is guarded by encrypting the data.

Private networks are created by using leased hard-wired connections between sites. From a single corporate customer these connections are devoted to the traffic. In order to extend that concept to the Internet, where the traffic from users passes over the same connection, a tunnel is created by using a number of protocols. Tunneling offers senders to embed data in IP packets that hide the underlying switching and routing infrastructure of the Internet from both senders and receivers. At the same time, these encapsulated data can be protected by using encryption techniques from outsiders.

Tunnels include two types of end points. These are either an individual computer or a LAN with a security gateway. Only two combinations of these end points are used in designing VPNs. One of these is LAN-to-LAN tunneling, which is a security gateway present at each end point and serves as the interface between the tunnel and the private LAN, while the other is a client-to-LAN tunnel, a type usually set up for a mobile user who wants to connect to the corporate LAN. The mobile user creates the tunnel on his end in order to exchange traffic with the corporate network.

There are four different protocols are required to create VPNs over the Internet: point-to-point tunneling protocol (PPTP), layer-2 forwarding (L2F), layer-2 tunneling protocol (L2TP), and IP security protocol (IPSec).

Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point protocol (PPP) is the most commonly used protocol for remote access to the Internet. PPTP is based on the functionality of PPP to provide remote access that can be tunneled through the Internet to a destination site. By using a modified version of the generic routing encapsulation (GRE) protocol, PPTP encapsulates PPP packets, which offer flexibility to PPTP to handling protocols other than IP.

PPTP relies on the authentication mechanisms within PPP―namely password authentication protocol (PAP) and CHAP because of its dependence on PPP. To encrypt data PPTP uses PPP, but Microsoft also provides a stronger encryption method called Microsoft point-to-point encryption (MPPE) for use along with PPTP.

Layer-2 Forwarding (L2F)
Like PPTP, L2F was developed as a protocol for tunneling traffic from users to their corporate sites. L2F tunneling is independent upon IP; it is able to work with frame relay or asynchronous transfer mode (ATM). Like PPTP, L2F uses PPP for authentication of the remote user. L2F allows tunnels to support more than one connection.

For authentication of the dial-up user L2F uses PPP, but it also require support from TACACS+ and RADIUS authentication. L2F defines connections within a tunnel and allow a tunnel to support more than one connection at a time. There are two levels of user authentication, first by the ISP prior to setting up the tunnel, and then when the connection is set up at the corporate gateway. As L2TP is a layer-2 protocol of OSI, it provides users the same flexibility as PPTP for handling protocols such as IPX and NetBEUI.

Layer-2 Tunneling Protocol (L2TP)
To provide dial-up access L2TP uses PPP that can be tunneled through the Internet to a site. L2TP has its own tunneling protocol. L2TP transport is defined for a number of packet switching media including X.25, frame-relay and ATM. L2TP uses IPSec's encryption methods to strengthen the encryption of the data it handles.

It makes use of PPP for dial-up links. L2TP includes the PAP and CHAP authentication mechanisms within PPP. PPTP, L2F and L2TP all do not include encryption or processes for managing the cryptographic keys required for encryption in their specifications. For encryption and key management in IP environment L2TP standard recommends that IPSec be used.

IP Security Protocol (IPSec)
IPSec provides authentication or encryption of each IP packet or apply both operations on the packet for sender. Two different methods used by IPSec for packet authentication and encryption are called modes. In transport mode only the transport-layer segment of an IP packet is authenticated or encrypted. The tunnel node approach, entire IP packet is authenticated or encrypted.

For IP environment IPSec is best VPN solution because it consists of security measures like authentication, encryption and key management in its standards set. IPSec is designed to handle only IP packets.