Virtual Private Networks

From Computing and Software Wiki


Virtual Private Networks (VPNs)

A virtual private network (VPN) is a private data network that uses public telecommunication infrastructure. More precisely, it is a communications network tunneled through another network (usually the Internet) to provide certain functions that are meaningful to its users on the dedicated network.[R1]

VPN technology has caused a huge stir in both the computer science field and the business world.[R2]



Since there are many competing definitions for VPN, one possible broad definition could be:

'A network (or service) that emulates the properties of an actual private network using a shared public networking infrastructure.'[R3]


During the 1980s ATM technology and a suite of protocols known as X.25 were created for intended use in both local area and wide area networks. It can be argued that X.25, the oldest packet-switched service, was the forerunner of VPNs because of its prominent role in the telecommunication and financial industries during that period. Phone companies originally intended it to carry digitized voice calls, but its importance in data networks was soon realized. An X.25 network consists of complex packet switches that route packets; a host attaches to a packet switch over a serial communication line instead of attaching directly to a communication wire of the network. The connection between the host and the X.25 packet switch is therefore itself a miniature network consisting of one serial link. Before the Internet exploded onto the scene, a virtual private network consisted of at least one circuit leased from a communications provider. Each leased circuit was like a single wire in a network controlled by the customer. As companies grew beyond geographical limitations, it became expensive to maintain VPNs using leased circuits, and with the rapid advancement of the Internet it was inevitable that VPN technology would try to exploit it.

VPN Today

Why VPN?

Why would an organization choose to have a VPN? These are the main reasons.[R3]

1. No geographical limitations: Employees can work and access resources offsite, which directly increases their productivity and potentially increases revenue as a result.

2. Improved security: Higher security due to separation of traffic.

3. Reduced costs: It is cheaper to maintain than WANs and reduces transportation/communication costs.

Features of a VPN

In the past, VPNs were secure by virtue of the leased lines being reserved by the provider for the customer's use only. With the Internet and improved networking technology, leased lines became expensive and cumbersome; hence the requirements for a well-designed VPN changed. The following list of requirements is the unofficial standard today for a well-designed VPN.[R3]

Security: This is the focus of most VPN solutions today. Security is achieved by concentrating on confidentiality, integrity, and authentication. Confidentiality is achieved primarily using secret-key and public-key cryptography, such as DES combined with the Diffie-Hellman algorithm. One-way hash functions and digital signatures are among the features included to protect the integrity of the information; to authenticate a user on the network, password authentication and digital certificates are used.
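The following is an added example (not code from the wiki page or from any VPN product) showing the three properties above working together on one tunnel frame: two peers agree a session key with Diffie-Hellman, the sender attaches an HMAC-SHA256 tag for integrity and origin authentication, and the receiver rejects a frame whose payload has been altered in transit. The 127-bit prime, the generator 5, the bare SHA-256 key derivation and the frame layout are assumptions chosen for readability; a real IKE exchange uses a standardised group and a PRF with nonces.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption, for readability only): real VPN key
# exchange uses a standardised group such as RFC 3526 group 14 or an elliptic curve.
TOY_P = 2**127 - 1      # Mersenne prime M127
TOY_G = 5
TAG_LEN = 32            # full HMAC-SHA256 output


def dh_keypair(p=TOY_P, g=TOY_G):
    """One party's private exponent and the public value it sends to the peer."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_session_key(my_priv, their_pub, p=TOY_P):
    """Shared secret hashed down to a 256-bit key. Assumption: IKE/TLS feed the
    secret and both nonces through a PRF/HKDF rather than a bare hash."""
    if not 1 < their_pub < p - 1:          # reject 0, 1 and p-1 (small-order values)
        raise ValueError("invalid peer public value")
    shared = pow(their_pub, my_priv, p)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def protect(key, seq, payload):
    """Tunnel frame = 4-byte sequence number || payload || HMAC-SHA256 tag."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key, frame):
    """Return (seq, payload) if the tag checks out, otherwise None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


def demo():
    """Two peers agree a key; a genuine frame is accepted, a bit-flipped copy is not."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_session_key(a_priv, b_pub)
    key_b = dh_session_key(b_priv, a_pub)
    frame = protect(key_a, 1, b"constructed payload: GET /intranet/ HTTP/1.1")
    tampered = bytearray(frame)
    tampered[5] ^= 0x01                       # flip one bit inside the payload
    return key_a == key_b, verify(key_b, frame), verify(key_b, bytes(tampered))


if __name__ == "__main__":
    same_key, accepted, rejected = demo()
    print("keys match:", same_key, "accepted:", accepted is not None, "rejected:", rejected is None)
```

The tag covers the sequence number as well as the payload, so a receiver that also tracks the highest sequence number seen can detect replayed frames; the confidentiality step (encrypting the payload under a second key derived from the same secret) is omitted here because the standard library has no block cipher.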

Predictability: Owning the communication links of a network guarantees the bandwidth between the user sites and makes network performance more predictable. In addition, ownership allows a company to control the information flow through the network, thus increasing performance, reliability, and security.

Independent Addressing: Within the last decade there has been much discussion that the address space provided by IPv4 was running out, and VPNs with their own independent address space were an excellent solution to that problem. With IPv6 expected to eliminate IPv4's problems, this is no longer a concern. However, possessing an independent address space also means increased security for a company: for example, access to a company's sites can be limited to those addresses alone, preventing unauthorized access.

VPN Technologies

To emulate a physical private network and provide the features mentioned above, various networking protocols and technologies are combined; the main ones are described below.

Internet Protocol Security (IPSec): IPSec is a suite of open standards developed by the Internet Engineering Task Force (IETF) for protecting communications over IP networks using cryptographic security services. It was designed to address the lack of security in IP-based networks. It is useful in VPNs because IPSec encapsulates a packet inside another packet and then encrypts the result. Streams of such encrypted packets form a secure tunnel over an unsecured network such as the Internet. Today, many VPN vendors implement IPSec in their solutions, but there are interoperability issues between vendors' implementations because IPSec is a bi-directional protocol.[R1]
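As an added illustration of the "packet inside a packet" idea (example code written for this page, not part of IPSec or any vendor's stack), the block below builds an ESP tunnel-mode packet by hand: an inner IPv4 packet with private addresses is wrapped in an ESP header (SPI and sequence number), an ESP trailer and an integrity check value, and then placed behind an outer IPv4 header with protocol 50. The receiver validates the outer header, filters replayed sequence numbers, checks the ICV and only then unwraps the inner packet. Assumptions: the NULL cipher of RFC 2410 is used, so the inner packet is carried unencrypted (the standard library has no AES); the anti-replay check is simplified to "strictly increasing per SPI" instead of ESP's sliding window; the key is a constructed constant rather than one negotiated by IKE.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50            # IP protocol number for ESP
IPIP_NEXT_HDR = 4         # ESP "next header" value meaning an inner IPv4 packet
ICV_LEN = 16              # HMAC-SHA256 truncated to 128 bits (AUTH_HMAC_SHA2_256_128)
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(data):
    """Standard ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid checksum (no options)."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def esp_encapsulate(key, spi, seq, inner_packet, outer_src, outer_dst):
    """Tunnel mode: outer IP | SPI, seq | inner packet | pad, pad-len, next-hdr | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # 4-byte alignment for the NULL cipher
    trailer = b"\x00" * pad_len + bytes([pad_len, IPIP_NEXT_HDR])
    body = struct.pack("!II", spi, seq) + inner_packet + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(key, packet, replay_state):
    """Return (spi, seq, inner_packet) or None. replay_state maps SPI -> highest seq seen.
    Assumption: real ESP keeps a sliding window so modest reordering is tolerated."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != ESP_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet) or ip_checksum(packet[:ihl]) != 0:
        return None
    esp = packet[ihl:total_len]
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    if seq <= replay_state.get(spi, 0):                # cheap replay filter before the MAC
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    replay_state[spi] = seq                            # only advance after the ICV passes
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != IPIP_NEXT_HDR or 8 + pad_len + 2 > len(body):
        return None
    return spi, seq, body[8:len(body) - 2 - pad_len]


def demo():
    """Genuine packet accepted once, its replay refused, a bit-flipped copy refused."""
    key = bytes(range(32))                             # constructed key; IKE would negotiate it
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 4) + b"data"   # private-range inner packet
    packet = esp_encapsulate(key, 0x1000, 1, inner, "203.0.113.1", "198.51.100.1")
    state = {}
    first = esp_decapsulate(key, packet, state)
    replay = esp_decapsulate(key, packet, state)
    forged = bytearray(packet)
    forged[30] ^= 0x01                                 # flip a bit inside the tunnelled packet
    return first, replay, esp_decapsulate(key, bytes(forged), {})


if __name__ == "__main__":
    first, replay, forged = demo()
    print("accepted:", first is not None, "replay dropped:", replay is None, "forgery dropped:", forged is None)
```

The order of checks on the receive side matters: the sequence number is screened first because it is cheap, but the replay window is only advanced after the ICV has been verified, so a spoofed packet with a high sequence number cannot lock out legitimate traffic.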

Layer 2 Tunneling Protocol (L2TP): L2TP is a tunneling protocol standard that combines the best features of two existing tunneling protocols, Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP), and it was created to support VPNs. By itself, it provides neither strong authentication mechanisms nor confidentiality; these are provided by running it alongside IPSec. L2TP acts as a data-link layer protocol, tunneling traffic between two peers over an existing network inside UDP datagrams. Since the traffic of each session is isolated by L2TP, it is possible to set up multiple VPNs across a single tunnel.[R1]
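To make the "multiple sessions across a single tunnel" point concrete, here is an added example (written for this page, not taken from any L2TP implementation) that builds and parses L2TPv2 headers as laid out in RFC 2661: the Tunnel ID and Session ID fields identify which VPN a datagram belongs to, and a demultiplexer sorts the payloads of one UDP stream by that pair while setting aside control messages and rejecting malformed headers. The sample datagrams in the test are constructed; no real L2TP traffic is involved.

```python
import struct

L2TP_VERSION = 2
F_TYPE, F_LENGTH, F_SEQ, F_OFFSET = 0x8000, 0x4000, 0x0800, 0x0200   # T, L, S, O bits


def build_l2tp_data(tunnel_id, session_id, payload, with_length=True):
    """Data message (T=0) carrying one PPP frame for a given tunnel/session pair."""
    flags = L2TP_VERSION | (F_LENGTH if with_length else 0)
    header = struct.pack("!H", flags)
    if with_length:
        header += struct.pack("!H", 2 + 2 + 4 + len(payload))
    return header + struct.pack("!HH", tunnel_id, session_id) + payload


def build_l2tp_control(tunnel_id, session_id, ns, nr, avps=b""):
    """Control message (T=1): Length and Ns/Nr are mandatory, Offset is forbidden."""
    flags = F_TYPE | F_LENGTH | F_SEQ | L2TP_VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps


def parse_l2tp(datagram):
    """Parse an L2TPv2 header (RFC 2661 section 3.1); ValueError on malformed input."""
    if len(datagram) < 6:
        raise ValueError("truncated header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported version")
    control = bool(flags & F_TYPE)
    has_len, has_seq, has_off = (bool(flags & f) for f in (F_LENGTH, F_SEQ, F_OFFSET))
    if control and not (has_len and has_seq and not has_off):
        raise ValueError("control message must carry Length and Ns/Nr and no Offset")
    pos, length = 2, len(datagram)
    if has_len:
        length, pos = struct.unpack("!H", datagram[2:4])[0], 4
        if length > len(datagram) or length < 8:
            raise ValueError("bad length field")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    ns = nr = None
    if has_seq:
        if pos + 4 > length:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if has_off:
        if pos + 2 > length:
            raise ValueError("truncated offset field")
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
        if pos > length:
            raise ValueError("offset runs past message")
    return {"control": control, "tunnel": tunnel_id, "session": session_id,
            "ns": ns, "nr": nr, "payload": datagram[pos:length]}


def demux(datagrams):
    """Group data payloads by (tunnel, session); count control and malformed messages."""
    sessions, control, bad = {}, 0, 0
    for dgram in datagrams:
        try:
            msg = parse_l2tp(dgram)
        except ValueError:
            bad += 1
            continue
        if msg["control"]:
            control += 1
            continue
        sessions.setdefault((msg["tunnel"], msg["session"]), []).append(msg["payload"])
    return sessions, control, bad


if __name__ == "__main__":
    stream = [build_l2tp_data(7, 1, b"ppp-frame-A"), build_l2tp_data(7, 2, b"ppp-frame-B"),
              build_l2tp_control(7, 0, 0, 0)]
    print(demux(stream))
```

Because every parse error is raised as ValueError and counted rather than propagated, a single malformed datagram cannot take down the demultiplexer; in a real concentrator those counters are what feed monitoring.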

Sockets v5 (SOCKS v5) Protocol: SOCKS v5 is a circuit-level proxy protocol; the original SOCKS protocol was designed to make traversing firewalls easier. SOCKS is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to another network, such as the Internet, while preventing unauthorized access from other networks to its own internal hosts. SOCKS v5 supports a variety of authentication mechanisms, UDP proxies and other features not possible with IPSec or L2TP. Its architecture also allows developers to build plug-ins such as content filtering and logging.[R1]

Firewalls: A firewall provides a barrier between a private network and other networks. It denies or permits traffic based on a set of rules defined by the network administrator. Firewalls often have NAT capabilities, allowing the hosts behind a firewall to have their own private address range, which increases their security.[R4]
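An added example (written for this page, not from any firewall product) of the two mechanisms just described: a rule table evaluated first-match-wins with an implicit deny, and a source-NAT table that lets hosts on a private range share one public address while dropping inbound packets that do not answer an earlier outbound one. The addresses, ports and rules are constructed; the `Packet`, `Rule` and `Nat` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str         # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: range = range(0, 65536)

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and pkt.dport in self.dports)


def evaluate(rules, pkt):
    """First matching rule wins; no match means deny, so only listed traffic gets through."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class Nat:
    """Source NAT: private hosts share one public address; inbound packets are accepted
    only when they answer a mapping created by an earlier outbound packet."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}          # (proto, private_ip, private_port) -> public_port
        self.reverse = {}        # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        hit = self.reverse.get((pkt.proto, pkt.dport))
        if hit is None or pkt.dst != self.public_ip:
            return None          # unsolicited: no inside host ever asked for it
        return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])


def demo():
    """One permitted web session through NAT, its reply translated back, a stray packet dropped."""
    rules = [Rule("deny", src="192.168.10.0/24", dst="10.0.0.0/8"),               # lab may not reach prod
             Rule("permit", "tcp", src="192.168.0.0/16", dports=range(443, 444)),
             Rule("permit", "udp", src="192.168.0.0/16", dst="192.168.0.53/32", dports=range(53, 54))]
    nat = Nat("203.0.113.10")
    web = Packet("tcp", "192.168.1.20", 51000, "198.51.100.5", 443)
    verdict = evaluate(rules, web)
    translated = nat.outbound(web)
    reply = Packet("tcp", "198.51.100.5", 443, "203.0.113.10", translated.sport)
    unsolicited = Packet("tcp", "198.51.100.99", 12345, "203.0.113.10", 40123)
    return verdict, translated, nat.inbound(reply), nat.inbound(unsolicited)


if __name__ == "__main__":
    print(demo())
```

Putting the specific deny rule before the broad permit is what makes first-match semantics safe; swapping the two would silently let the lab subnet reach production on port 443.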

AAA server: Sometimes a proxy device (either software or dedicated hardware) may act as a firewall by forwarding or rejecting packets, but most of the time such devices are AAA (authentication, authorization and accounting) servers that provide more secure access in a remote-access VPN environment. The purposes of the authentication and authorization mechanisms of AAA servers are obvious, but the accounting mechanism is not: it keeps track of clients for security auditing, billing or reporting purposes.[R5]

It is also important to note that there is no single technology that can provide a VPN service with all the desired features of a private network; a VPN service usually combines several of the above technologies to provide the functions of a private network.[R3]

Types of VPN Services

Currently, there are two broad classes:

1. Encrypted VPNs

2. Tunnel-based VPNs

Encrypted VPNs: On encrypted VPNs, user data is encrypted so that potential eavesdroppers cannot understand the content even if they intercept it. The secure data exchange through a public network provided by an encrypted VPN works alongside a company's firewall service, which protects the data inside the network. Today, almost all companies with home-working employees use encrypted VPNs to give them secure remote access. Encryption can always be added to other types of VPN; however, encryption is usually provided by a third party, so a company must decide whether involving a third party is a security risk, and there are also legal ramifications if the third party happens to stumble upon decrypted information.[R3]

Tunnel-based VPNs: Several types of tunnel-based VPN result, depending on the networking technologies used, but they all have one thing in common: traffic between VPN sites is transmitted through tunnels. Such a VPN provides improved data security and improved site security because each user's data is isolated from other users' data and the provider has control over the connectivity between each of their user sites. Another, albeit indirect, result of a tunnel-based VPN is improved network performance and reliability. VPNs within a public network can simplify QoS implementations, as they provide increased knowledge of individual traffic flows and hence greater control of network traffic.[R3]

Currently, there is no widely accepted standard for implementing a VPN; hence many companies have developed turn-key solutions on their own, while others rely on ISPs that offer VPN solutions that are insufficient by themselves.[R6]

VPN Technology Hurdles in the Future

As it stands, there are many challenges to clients and providers alike. There are currently no standards for some VPN protocols, such as L2TP, and no standard for building VPNs. To add to the dilemma, VPN technology is an expanding and lucrative field for providers, which makes it difficult to standardize anything, a fact made evident by the interoperability issues between vendor implementations. Also, almost all research advances and proposed standards come from competing vendors in the industry, such as Cisco, Nortel and large ISPs, which makes such problems difficult to solve. However, because of such fierce competition, many advances can be expected, and that is usually to the clients' benefit.[R6]

Another major hurdle for VPNs is the leased-line market. Currently there are only a finite number of leased lines, and large telecommunication companies control many of them. The difficulty lies in deploying new lines to serve more VPNs, and deployment usually takes six weeks. This problem will continue to be a major hurdle unless new, cheaper methods of deployment emerge.[R6]

A third obstacle for VPN providers and clients is the number of technologies required to create a VPN. As more and more people jump onto the VPN bandwagon, more people expect one seamless, integrated product, a concept extremely far from what we currently have. The complete simulation of a physical private network with low complexity, low cost, and full functionality is still a dream.[R6]

As it stands today, security is the focus of VPN implementations, and as a result they do not address performance and availability issues. QoS is not guaranteed because it has not been considered necessary: most solutions today only provide certain functions for the users in the network and do not affect the performance of the network. However, if the Internet is used as the medium, any cost savings that a VPN provides are quickly negated if users are forced to sacrifice QoS beyond certain limits. Hence, end-to-end performance guarantees will be difficult to implement.[R6]

See Also

[1] Virtual Private Network

[2] Conventional Encryption Algorithms

[3] Network-based Software Architectures

[4] Communications and Computer Network Protocol Design Models

[5] Designing a Small Business Intranet

[6] Honeypots


[R1] VPN Technologies: Definitions and Requirements

[R2] Virtual Private Networks, An Overview

[R3] Different Flavours of VPN

[R4] Howstuffworks “How Virtual Private Networks work”

[R5] Howstuffworks “How Virtual Private Networks work”

[R6] VPNs Are Hot, but What Are They?

[Ra] A Core MPLS IP VPN Architecture

[Rb] Virtual Private Network

--Dangm 01:02, 14 April 2008 (EDT)
