Technology has always influenced and shaped the way we work. From the ever
changing form factors of computing devices to wireless communication, these
advances have, in one way or another, made our lives easier. Where organizations
once dealt only with regional concerns, everyone is now thinking of global
markets and logistics. Many organizations have branch offices scattered across
the country or even the whole planet, and there is one thing they all need: a
way to maintain fast, secure and reliable communication.
Until quite recently, getting branch offices connected meant using leased lines
to maintain a wide area network (WAN). Leased lines, ranging from ISDN
(Integrated Services Digital Network) to OC3 (Optical Carrier 3), provided
organizations with a way to extend their private networks beyond their immediate
geographical reach. A WAN has obvious advantages over public networks like the
Internet in terms of security and reliability, but as the distances involved
grow, leased lines become very expensive to run and maintain.
With the growing popularity of the Internet, organizations turned to it as a
means of extending their own networks. At first they designed password protected
sites to be used only by their employees. Now businesses are creating their own
Virtual Private Networks, as they are known, to accommodate the needs of their
remote employees and branch offices.
What is a VPN?
Let's take a simple example to understand virtual private networks. Imagine
yourself living on an island in a huge ocean. There are numerous other islands,
some close by and others far away. The conventional way to travel is to take a
boat, which of course leaves you with no privacy, as the boat and its activities
are visible to others.
Now compare each island with a private LAN, and the ocean with the Internet.
Traveling by boat in this case is like connecting to a Web server or a similar
device through the Internet. You have no control over the wires and routers that
make up the Internet, so if you try to reach a private network with the help of
a public resource, you are left susceptible to attacks and other security
issues.
However, there is a dire need for a reliable and secure path. One way to resolve
this is to build bridges to every island you want to connect to. This is secure,
but it is an expensive option and difficult to maintain. Leased lines can be
compared to such bridges. A Virtual Private Network, on the other hand, is like
a submarine: it uses the ocean to connect the islands but remains invisible and
completely hidden.
A VPN can grow to accommodate more users and different locations much more
easily than a leased line. In fact, scalability is a major advantage that VPNs
have over typical leased lines. Unlike leased lines, where the cost increases in
proportion to the distances involved, the geographic location of each office
matters little in the creation of a VPN. Another advantage of a VPN is that
remote employees and branches can use it whenever they want, with privacy and
security. That is essentially how a VPN works: each remote member of your
network communicates in a secure and reliable manner using the Internet as the
medium to connect to the private LAN.
Tunneling
To understand how VPNs work, it is important to understand tunneling.
Essentially, tunneling is the process of placing an entire packet within another
packet and sending it over a network. The protocol of the outer packet is
understood by the network at both points where the packet enters and exits the
network, called the tunnel interfaces. Tunneling involves three different
protocols. The first is the protocol used by the network that the information is
traveling over, also known as the carrier protocol. Wrapping the data in another
packet is the job of the encapsulating protocol, which includes protocols like
GRE, IPSec, PPTP and L2TP. The third is the passenger protocol, which comprises
the original data (IPX, NetBEUI, IP).
The main advantage of tunneling is that you can place a packet that is not
supported by the Internet inside an IP packet and still send it over the
Internet. For example, a packet that uses a private, non-routable IP address can
be sent safely across the Internet by wrapping it in a packet that uses a
globally unique IP address.
What can a VPN do for You?
Remote Service Access (RAS)
A single PC or laptop running VPN client software is the party trying to
negotiate a secure connection with the VPN gateway. The VPN client allows
telecommuters and traveling users to communicate on the central network and
access its servers from many different locations. The main benefit is increased
productivity of telecommuters over a secure channel.
Site to Site Intranet
Different physical locations, such as remote branch offices, can connect
securely across the Internet through a VPN tunnel, letting users from different
networks communicate as if they were on a single network. A strong encryption
technique for security and high bandwidth are required. The major advantage
comes in the form of substantial cost savings compared to traditional leased
lines.
Site to Site Extranet
Similar to the intranet model, an extranet model can be used to bring business
partners together. In conjunction with VPN tunnels, firewall access restrictions
are used so that business partners can gain secure access only to specific data
or resources, without gaining access to private corporate information. The
benefit is that business partners can enjoy the same policies as a private
network, including security, QoS, manageability and reliability.
VPN Protocols
A number of protocols are used in VPNs, and more are being developed. Here are a
few of the most important ones that you would come across while looking for a
VPN solution.
Host Identity Protocol, HIP
This protocol separates the end point identifier and locator roles of IP
addresses by introducing a new host identity based on public keys.
Point to Point Tunneling Protocol, PPTP
The point to point tunneling protocol is another method for implementing virtual
private networks. Like L2TP, PPTP does not provide any confidentiality or
privacy on its own; it relies on the protocol being tunneled to provide privacy,
and it has now been made obsolete by L2TP. Since its inception, PPTP has had
security issues and was considered inherently insecure because it is easily
spoofed. A typical upgrade path for PPTP is L2TP/IPSec.
Layer 2 tunneling protocol, L2TP
This is a tunneling protocol meant to support Virtual Private Networks. By
itself it does not provide any encryption or confidentiality, but relies on the
encryption protocol that it carries within the tunnel to provide privacy.
Compared with the OSI model, L2TP acts like the Data Link layer, but it is in
fact a Session Layer (Layer 5) protocol. As discussed, L2TP does not provide
confidentiality or strong authentication by itself, so IPSec is often used to
secure L2TP packets by providing confidentiality, authentication and integrity.
The combination of the two protocols is generally known as L2TP/IPSec.
Layer 2 tunneling protocol version 3, L2TPv3
A draft version of L2TP, proposed as an alternative to MPLS for encapsulating
multiprotocol Layer 2 traffic over IP networks. Like L2TP, L2TPv3 provides a
pseudo-wire service, but it is scaled to fit carrier requirements.
VPN options
Through a service provider
If you need a high performance VPN solution, then an MPLS based solution is the
best and most widely accepted option. Various service providers offer VPNs built
over their private networks, with advantages like QoS and better performance,
but at the same time they are expensive. Multi protocol label switching (MPLS)
belongs to the family of packet switched networks and is a data carrying
mechanism. MPLS operates at an OSI model layer that is considered to lie between
layer 2 (Data Link layer) and layer 3 (Network layer), and is thus often
referred to as a layer 2.5 protocol. The mechanism was designed to provide a
unified data carrying service for both circuit based clients and packet
switching clients using a datagram service model. It can be used to carry
different kinds of traffic, including IP packets as well as native ATM, SONET
and Ethernet frames.
MPLS VPNs are acknowledged by many to be the most secure and fast VPN
technology. One of the features of MPLS that contributes to its speed and
security is the unique label (which, unlike an IP header, cannot be spoofed) on
every packet transmitted. This label is checked only at the service provider's
edge routers, unlike IP header analysis, which happens at every hop and makes an
IP VPN relatively less secure and also slower. MPLS is well suited to the task
as it provides traffic isolation and differentiation without substantial
overhead. IPsec over MPLS would therefore offer layered security and is
acknowledged by many service providers worldwide to be the most secure VPN
option for data transmission today.
Using the Internet, Open VPN
You can set up a VPN solution of your own over the Internet. This solution is
cost effective but lacks options like high performance and Quality of Service.
We deployed an open VPN solution in this issue, and you can see how we did it.
What makes a VPN secure?
An organization's IT infrastructure needs to be protected from threats and
attacks, and mission critical data needs to be protected from theft. A typical
secure VPN uses cryptographic tunneling protocols to achieve confidentiality,
blocking unwanted activities like snooping and packet sniffing. Identity
spoofing and message alteration are prevented by sender authentication and
message integrity checks. To provide secure communication over an unsecured
network, the right mixture of such techniques has to be chosen and implemented.
IPSec
IPSec is a suite of protocols for securing connections over the Internet
Protocol (IP), and it provides enhanced features such as better encryption
algorithms and more comprehensive authentication. It achieves this primarily by
authenticating each IP packet of a data stream. Protocols for establishing
mutual authentication between agents at the beginning of a session and for
negotiating cryptographic keys are also included in IPSec. IPSec has two modes
of operation, tunnel and transport. Tunnel mode encrypts the header and the
payload of each packet, while transport mode encrypts only the payload.
In the OSI model, IPSec works at layer 3: it is an end to end security scheme
operating at the Internet layer of the Internet Protocol suite. Compared with
other Internet security systems in widespread use, such as SSL, TLS and SSH,
which operate at higher layers of the model, IPSec has its own advantages. It is
more flexible because it operates at a lower level of the stack, and hence can
protect more traffic. Another advantage is that applications do not have to be
designed specifically to use IPSec, whereas the use of higher layer protocols
has to be incorporated into the design of applications at that level.
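The encapsulation described under Tunneling and the two IPSec modes above, as an added example that is not from the original article or any VPN product: a constructed inner packet with an RFC 1918 source and destination is wrapped GRE-style inside a carrier IPv4 packet whose endpoints are globally unique, and the on-the-wire view of ESP in transport versus tunnel mode is compared. All addresses are constructed sample values from the RFC 5737 documentation ranges, and the minimal IPv4 header leaves the checksum at zero for brevity.

```python
import ipaddress
import struct

GRE_PROTO, ESP_PROTO, ETHERTYPE_IPV4 = 47, 50, 0x0800   # IP proto numbers; GRE type for IPv4
# RFC 1918 "private, non-routable" ranges that must never appear on the carrier packet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.IPv4Address(addr) in net for net in RFC1918)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (identification, flags and checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet with a 20-byte header."""
    proto = pkt[9]
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, proto, pkt[20:]

def gre_encapsulate(passenger: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header (RFC 2784, no options) + passenger packet.
    The tunnel endpoints are the only addresses the Internet ever routes on."""
    for addr in (tun_src, tun_dst):
        if is_rfc1918(addr):
            raise ValueError(f"tunnel endpoint {addr} is not routable on the Internet")
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + passenger
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre)) + gre

def gre_decapsulate(carrier: bytes) -> bytes:
    """Tunnel exit: check that the carrier is GRE carrying IPv4, return the passenger."""
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != GRE_PROTO:
        raise ValueError("carrier packet is not GRE")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if flags & 0x8000 or ptype != ETHERTYPE_IPV4:     # checksum-present bit means an 8-byte header
        raise ValueError("unsupported GRE header or passenger protocol")
    return payload[4:]

def esp_view(mode: str, original: bytes, gw_src: str, gw_dst: str):
    """Observer's view of ESP as (cleartext header, protected bytes). Transport mode keeps the
    original IP header in the clear; tunnel mode hides the whole packet behind a gateway header."""
    src, dst, _, payload = parse_ipv4(original)
    if mode == "transport":
        return ipv4_header(src, dst, ESP_PROTO, len(payload)), payload
    if mode == "tunnel":
        return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(original)), original
    raise ValueError("mode must be 'transport' or 'tunnel'")
```

Note that in transport mode an observer still learns which two internal hosts are talking, while in tunnel mode only the two gateways are visible.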
AAA Servers
AAA stands for authentication, authorization and accounting. In a remote access
VPN environment, these servers are used for added security. The three functions
can be explained in the form of questions. When a request to establish a secure
session comes in from a dial up client, the request is forwarded to the AAA
servers, which ask: who are you (authentication)? What are you allowed to do
(authorization)? And what do you actually do (accounting)? The last function is
useful for tracking client use for security auditing, billing or reporting
purposes.
VPN Quarantine
A source of attack or a threat could be the client machine at the end of a VPN.
This has to be left to system administration efforts, as it has no connection
with the VPN design. Solutions that provide VPN quarantine services are
available and should be deployed for this task. Applications like QSS
(Quarantine Security Suite) and a few others typically work by running end
point checks on the remote client while the client is kept in a quarantine zone
until it is found to be healthy.