Virtual Private Networks

From Computing and Software Wiki


Revision as of 03:57, 14 April 2008

Virtual Private Networks (VPNs)

A virtual private network (VPN) is a private data network that uses public telecommunication infrastructure. More precisely, it is a communications network tunneled through another network (usually the Internet) to provide certain functions that are meaningful to its users on the dedicated network.[R1]

VPN technology has caused a huge stir in both the computer science field and the business world.[R2]


VPNs

Since there are many competing definitions for VPN, one possible broad definition could be:

'A network (or service) that emulates the properties of an actual private network using a shared public networking infrastructure.'


History

During the 1980s ATM technology and a suite of protocols known as X.25 were created for intended use in both local area and wide area networks. It can be argued that X.25, the oldest packet-switched service, was the forerunner of VPNs because of its prominent role in the telecommunication and financial industries during that period. Phone companies originally intended it to carry digitized voice calls, but its importance in data networks was soon realized. An X.25 network consists of complex packet switches that route packets; hosts attach to a packet switch using a serial communication line instead of attaching directly to a communication wire of a network. The result is a connection between the host and the X.25 packet switch, which is in effect a miniature network consisting of one serial link. Before the Internet exploded onto the scene, a virtual private network consisted of at least one circuit leased from a communications provider. Each leased circuit was like a single wire in a network controlled by the customer. As companies grew beyond geographical limitations, it became expensive to maintain VPNs using leased circuits, and with the rapid advancement of the Internet it was inevitable that VPN technology would try to exploit it.


VPN Today

Why VPN?

Why would an organization choose to have a VPN? These are the main reasons.

1. No geographical limitations: This results directly in increased productivity of its employees, who are now capable of working and accessing resources offsite, and a potential increase in revenue due to that increased productivity.

2. Improved security: Higher security due to separation of traffic.

3. Reduced costs: It is cheaper to maintain than WANs and reduces transportation/communication costs.


Features of a VPN

In the past, VPNs were secure by virtue of the circuits being leased from a provider for only the customer's use. With the Internet and improved networking technology, this became expensive and cumbersome; hence, the requirements for a well-designed VPN changed. The following list of requirements is the unofficial standard today of a well-designed VPN.

Security: This is the focus of most VPN solutions today. Security is achieved by concentrating on confidentiality, integrity, and authentication. Confidentiality is achieved primarily using secret key cryptography and public key cryptography, such as DES with the Diffie-Hellman algorithm. One-way hash functions and digital signatures are included to protect the integrity of the information; to authenticate a user on the network, password authentication and digital certificates are used.

Predictability: Having ownership of the communication links of a network guarantees the bandwidth between the user sites and can make network performance more predictable. In addition, having ownership allows a company to control the information flow through the network, thus increasing performance, reliability, and security.

Independent Addressing: Within the last decade, there has been much news that the address space provided by IPv4 was running out, and VPNs with their own independent address space were an excellent solution to that problem. With IPv6 expected to eliminate IPv4's problems, this is no longer a concern. However, for a company to possess its own independent address space also means increased security; one example is allowing only those addresses to access a company's sites, preventing unauthorized access.


VPN Technologies

To emulate a physical private network and provide the features mentioned above, various networking protocols and technologies are combined; the main ones are described below.

Internet Protocol Security (IPSec): IPSec is a suite of open standards developed by the Internet Engineering Task Force (IETF) for protecting communications over IP networks using cryptographic security services. It was designed to address the lack of security in IP-based networks. It is useful in VPNs because IPSec encapsulates a packet in another packet and then encrypts the result. Hence, streams of encrypted packets form a secure tunnel over an unsecured network such as the Internet. Today, many VPN vendors implement IPSec in their solutions, but there are interoperability issues between vendors' implementations because IPSec is a bi-directional protocol.
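The tunnel that the Security and IPSec paragraphs describe (the inner packet encapsulated, encrypted and integrity-protected, then checked on receipt) as an added example in Go, not code from this wiki or from any IPSec implementation: it builds and unwraps a tunnel-mode ESP packet with AES-GCM. The key, salt, SPI and inner packet are constructed values, and the replay check is a simplification of the RFC 4303 sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SA is one direction of an ESP security association (AES-GCM, RFC 4106); key, salt and SPI are constructed here, a real gateway negotiates them with IKE.
type SA struct {
	aead         cipher.AEAD
	salt         []byte // first 4 bytes of every GCM nonce; secret and never sent on the wire
	spi, lastSeq uint32 // lastSeq: highest sequence number accepted, used to reject replays
}

func NewSA(key [16]byte, salt []byte, spi uint32) *SA {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the array type fixes an AES-128 key length
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return &SA{aead: aead, salt: salt, spi: spi}
}

// Encapsulate builds a tunnel-mode ESP packet: SPI|seq in the clear but bound to the ciphertext as AAD,
// an 8-byte IV, then AES-GCM over the whole inner IP packet plus the trailer (pad length 0, next header 4 = IPv4).
func (sa *SA) Encapsulate(seq uint32, iv [8]byte, inner []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], sa.spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	plain := append(append([]byte{}, inner...), 0, 4)
	nonce := append(append([]byte{}, sa.salt...), iv[:]...)
	return sa.aead.Seal(append(hdr, iv[:]...), nonce, plain, hdr)
}

// Decapsulate rejects short packets, unknown SPIs and non-increasing sequence numbers (a simplification
// of the RFC 4303 anti-replay window), then verifies the GCM tag, so only authentic, fresh packets get in.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 16 || binary.BigEndian.Uint32(pkt[0:]) != sa.spi ||
		binary.BigEndian.Uint32(pkt[4:]) <= sa.lastSeq {
		return nil, errors.New("esp: short packet, unknown SPI or replayed sequence number")
	}
	nonce := append(append([]byte{}, sa.salt...), pkt[8:16]...)
	plain, err := sa.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return nil, err // tag mismatch: tampered header or payload, or wrong key
	}
	sa.lastSeq = binary.BigEndian.Uint32(pkt[4:])
	return plain[:len(plain)-2], nil // strip the 2-byte ESP trailer
}

var InnerPacket = []byte{0x45, 0, 0, 0x1a, 0, 1, 0, 0, 0x40, 0x11, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2, 'h', 'e', 'l', 'l', 'o', '!'} // constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 carrying "hello!"
```

A real gateway prepends an outer IP header addressed to the peer gateway before sending, which is why the private inner addresses never appear on the public network.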

Layer 2 Tunneling Protocol (L2TP): L2TP is a tunneling protocol standard that combines the best features of two existing tunneling protocols, Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP), and it was created to support VPNs. By itself, it provides neither strong authentication nor confidentiality; these are provided when it is used alongside IPSec. The L2TP protocol acts as a data-link layer protocol for tunneling traffic between two peers over an existing network, carried in UDP datagrams. Since traffic for each session is isolated by L2TP, it is possible to set up multiple VPNs across a single tunnel.

Sockets v5 (SOCKS v5) Protocol: SOCKS v5 is a circuit-level proxy protocol; the original SOCKS protocol was designed to make passing through firewalls easier. SOCKS is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to another network, such as the Internet, while preventing unauthorized access from other networks to its own internal hosts. SOCKS v5 supports a variety of authentication mechanisms, UDP proxying and other features not possible with IPSec or L2TP. Its architecture also allows developers to build plug-ins such as content filtering and logging.
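An added example of the SOCKS v5 server-side checks the paragraph above refers to (username/password authentication, then a CONNECT policy that keeps proxied clients off internal hosts), written in Go for this page and not taken from any SOCKS implementation. The credential and the internal network range are constructed; the method-negotiation step and the domain-name and IPv6 address types are left out.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"net"
)

const (
	socksVer, cmdConnect, atypIPv4        = 0x05, 0x01, 0x01
	repOK, repFail, repRuleset, repBadCmd = 0x00, 0x01, 0x02, 0x07 // RFC 1928 reply codes
)

// Server is a constructed policy: one static credential (a real server would ask an AAA backend) and the internal networks proxied clients must not reach through it.
type Server struct {
	User, Pass string
	Internal   []*net.IPNet
}

// Authenticate parses the RFC 1929 sub-negotiation [0x01, ULEN, UNAME, PLEN, PASSWD]; both fields are compared in constant time and the results combined without short-circuiting.
func (s *Server) Authenticate(msg []byte) bool {
	if len(msg) < 3 || msg[0] != 0x01 {
		return false
	}
	ulen := int(msg[1])
	if len(msg) < 3+ulen || len(msg) != 3+ulen+int(msg[2+ulen]) {
		return false
	}
	u := subtle.ConstantTimeCompare(msg[2:2+ulen], []byte(s.User))
	p := subtle.ConstantTimeCompare(msg[3+ulen:], []byte(s.Pass))
	return u&p == 1
}

// Authorize parses an IPv4 CONNECT request [VER, CMD, RSV, ATYP, DST.ADDR(4), DST.PORT(2)] and
// returns the reply code the server would send (domain-name and IPv6 address types are omitted).
func (s *Server) Authorize(req []byte) (rep byte, dst net.IP, port uint16) {
	if len(req) != 10 || req[0] != socksVer || req[2] != 0 || req[3] != atypIPv4 {
		return repFail, nil, 0
	}
	dst, port = net.IP(req[4:8]), binary.BigEndian.Uint16(req[8:10])
	if req[1] != cmdConnect {
		return repBadCmd, dst, port // BIND and UDP ASSOCIATE are not offered
	}
	for _, n := range s.Internal {
		if n.Contains(dst) {
			return repRuleset, dst, port // destination is an internal host: refuse
		}
	}
	return repOK, dst, port
}
```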

Firewalls: A firewall provides a barrier between your private network and other networks. It denies or permits traffic based on a set of rules defined by the network administrator. Firewalls often have NAT capabilities, allowing the hosts behind a firewall to have their own private address range, increasing their security.

AAA server: Sometimes a proxy device (either software or dedicated hardware) may act as a firewall by forwarding or rejecting packets, but most of the time it would be an AAA (authentication, authorization and accounting) server providing more secure access in a remote-access VPN environment. The purposes of the authentication and authorization mechanisms of AAA servers are obvious, but the accounting mechanism is not: it keeps track of clients for security auditing, billing or reporting purposes.

It is also important to note that there is no single technology that can provide a VPN service with all the desired features of a private network; a VPN usually combines several of the above technologies to provide the functions of a private network.
