Section 16.1. Virtual Private Networks (VPNs)



A virtual private network (VPN) is a data network whose connections make use of public networking facilities. The VPN part of the public network is set up "virtually" by a private-sector entity to provide public networking services to small entities. With the globalization of businesses, many companies have facilities across the world and use VPNs to maintain fast, secure, and reliable communications among their branches.

VPNs are deployed with privacy through the use of a tunneling protocol and security procedures. Figure 16.1 shows two organizations, 1 and 3, connected through their corresponding routers, forming a tunnel in the public network, such as the Internet. Such a structure gives both private organizations the same capabilities they have on their own networks, but at much lower cost, because they use the shared public infrastructure. Creating a VPN benefits an organization by providing

  • Extended geographical communication

  • Reduced operational cost

  • Enhanced organizational management

  • Enhanced network management with simplified local area networks

  • Improved productivity and globalization

Figure 16.1. Two organizations connected through a tunnel using public facilities


Since no individual user has control over the wires and routers, one remaining issue with the Internet is its lack of security, especially when a tunnel is exposed to the public. Thus, VPNs remain susceptible to security issues when they connect two private networks over a public resource. The challenge in making a practical VPN, therefore, is finding the best security for it. Before discussing VPN security, we focus on types of VPNs. There are two types of VPNs, each determined by its method of tunneling: remote-access and site-to-site. We explain these two approaches in the next two sections.

16.1.1. Remote-Access VPN

A remote-access VPN is a user-to-LAN connection that an organization uses to connect its users to a private network from various remote locations. Large remote-access VPNs are normally outsourced to an Internet service provider, which sets up a network-access server. Users working off campus can then reach the network-access server and use the VPN software to access the corporate network. Remote-access VPNs allow encrypted connections between an organization's private network and remote users through a third-party service provider.

Tunneling in a remote-access VPN uses mainly the Point-to-Point Protocol (PPP). PPP is the carrier for other Internet protocols when communicating over the network between a host computer and a remote point. Besides IPsec, other types of protocols associated with PPP are L2F, PPTP, and L2TP. The Layer 2 Forwarding (L2F) protocol uses the authentication scheme supported by PPP. The Point-to-Point Tunneling Protocol (PPTP) supports 40-bit and 128-bit encryption and uses the authentication scheme supported by PPP. The Layer 2 Tunneling Protocol (L2TP) combines features of both PPTP and L2F.

16.1.2. Site-to-Site VPN

By using effective security techniques, an organization can connect multiple fixed sites over a public network. Site-to-site VPNs can be classified as either intranets or extranets.

  • Intranet VPNs connect an organization's remote-site LANs into a single private network.

  • Extranet VPNs allow two organizations to work in a shared environment through a tunnel built to connect their LANs.

Figure 16.2 shows the three types of VPNs discussed so far. Organization 1's main campus and branch campus are connected through an intranet VPN tunnel. The main campus can also be connected to organization 2 through an extranet VPN tunnel. The employees of organization 1 can also access their corporation through a remote-access VPN. Each remote-access member must communicate over a secure medium. The main benefit of using a VPN is scalability at a reasonable cost. However, the physical and virtual distances between two communicating organizations have a great impact on the overall cost of building a VPN.

Figure 16.2. Three types of VPNs to and from a headquarters organization


In a site-to-site VPN, generic routing encapsulation (GRE) is normally the encapsulating protocol. GRE provides the framework for the encapsulation over an IP-based protocol. IPsec in tunnel mode is sometimes used as the encapsulating protocol. IPsec works well on both remote-access and site-to-site VPNs but must be supported at both tunnel interfaces. The Layer 2 Tunneling Protocol (L2TP) can be used in site-to-site VPNs. L2TP fully supports IPsec regulations and can be used as a tunneling protocol for remote-access VPNs.

16.1.3. Tunneling and Point-to-Point Protocol (PPP)

A tunnel is a connection that forms a virtual network on top of a physical network. In computer networking, a tunnel resembles a telephone line in a public switched telephone network. VPNs typically rely on tunneling to create a private network that reaches across a public network. Tunneling is a process of encapsulating packets and sending them over the public network. Employees who are located outside an organization's main building can use point-to-point connections to create tunnels through the Internet. Since tunneling connections normally run over the Internet, they need to be secure. A tunnel is a relatively inexpensive connection, since it uses the Internet as its primary form of communication. Besides Internet protocols, tunneling requires two other types of protocols:

  1. Carrier protocols, through which information travels over the public network

  2. Encapsulating protocols, through which data is wrapped, encapsulated, and secured

One of the remarkable implications of VPNs is that packets that use a protocol not supported on the Internet, such as NetBEUI, can be placed inside an IP packet and sent safely over the Internet. Likewise, VPNs can put a packet that uses a nonroutable IP address inside an IP packet to extend a private network over the Internet.

Consider the two LANs of the two organizations shown in Figure 16.3. We want to connect these two LANs through the Internet by using tunnels. Assume that the two LANs, as organization 1 and organization 2, want to use their own customized networking protocol, denoted by x, over connectionless datagram IP services. The IP resources can be at the scale of the Internet, and x-type packets cannot run over the Internet directly. The IP gateway R1 listens for x-type packets on organization 1, encapsulates each x-type packet in a transport-layer UDP datagram, and transmits it over the Internet to R2. When R2 receives the encapsulated x packets, it decapsulates them and feeds them into organization 2. This connection, in fact a tunnel made through the Internet, resembles a direct physical link between the two LANs.

Figure 16.3. A customized protocol packet tunneling through the Internet

Point-to-Point Protocol (PPP)

The basic notion in tunneling is packet encapsulation from one protocol into the same or a higher-layer protocol. Thus, a tunnel can also be defined as an encapsulating protocol for protocols at the lower layers. Tunneling protocols, such as the Point-to-Point Protocol (PPP) or the Point-to-Point Tunneling Protocol (PPTP), are encapsulating protocols that allow an organization to establish secure connections from one point to another while using public resources. A PPP connection is a serial connection between a user and an Internet service provider.

Example.

In Figure 16.4, a Point-to-Point Protocol (PPP) UDP tunnel connection is established while another virtual PPP connection exists. In this scenario, a user at 134.43.0.1 is communicating with a server at 134.43.0.10. These two end points are connected through their own PPP connection on 134.43.0.0/21, but the transmitted data flows through the tunnel on the 121.82.0.0/21 segment. This tunnel is established at the interface layer inside a UDP transport-layer protocol, as the frame format in the figure shows. Tunnels can also be formed between network-layer or transport-layer protocols, where equal layers are involved, as in IP-in-IP tunnels.

Figure 16.4. A point-to-point protocol (PPP) UDP tunnel connection
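The encapsulation of the last two sections carried through in Python, as an added example that is not the book's code: gateway R1 wraps an x-type packet, whose inner addresses lie in the 134.43.0.0/21 PPP segment, into a UDP payload that crosses the 121.82.0.0/21 tunnel segment, and R2 validates the datagram before decapsulating it onto its LAN. The x-type header layout, the HMAC-SHA256 tag, and the shared key are assumptions standing in for the "secured" part of the encapsulating protocol; the text itself does not specify them.

```python
import hashlib, hmac, ipaddress, struct

# Constructed example (not the book's code): R1 wraps an "x-type" packet in a UDP
# payload for R2. The HMAC tag is an added assumption standing in for the
# "secured" part of the encapsulating protocol; the x-type header format is assumed.
TAG_LEN = 32
INNER_PREFIX = ipaddress.ip_network("134.43.0.0/21")  # PPP segment from the text
OUTER_PREFIX = ipaddress.ip_network("121.82.0.0/21")  # tunnel segment from the text
X_HDR = struct.Struct("!B4s4sH")                       # type, src, dst, payload length
X_TYPE = 0x58                                          # assumed marker for protocol x

def build_x_packet(src, dst, payload):
    """x-type packet = assumed 11-byte header + payload (inner addresses in the PPP segment)."""
    return X_HDR.pack(X_TYPE, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, len(payload)) + payload

def parse_x_packet(pkt):
    """Return (src, dst, payload); raise ValueError if the inner packet is malformed."""
    if len(pkt) < X_HDR.size:
        raise ValueError("truncated x-type header")
    typ, src, dst, plen = X_HDR.unpack_from(pkt)
    if typ != X_TYPE or len(pkt) != X_HDR.size + plen:
        raise ValueError("not a well-formed x-type packet")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), pkt[X_HDR.size:]

def r1_encapsulate(x_pkt, key):
    """R1: UDP payload = HMAC-SHA256(x_pkt) || x_pkt, handed to the carrier (UDP over IP)."""
    return hmac.new(key, x_pkt, hashlib.sha256).digest() + x_pkt

def r2_decapsulate(udp_payload, key, outer_src):
    """R2: check outer source, tag and inner destination before feeding the LAN.
    Returns (src, dst, payload), or None when the datagram must be dropped."""
    if ipaddress.ip_address(outer_src) not in OUTER_PREFIX:
        return None                       # did not arrive from the tunnel segment
    tag, inner = udp_payload[:TAG_LEN], udp_payload[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha256).digest()):
        return None                       # forged or corrupted in transit
    try:
        src, dst, payload = parse_x_packet(inner)
    except ValueError:
        return None
    if ipaddress.ip_address(dst) not in INNER_PREFIX:
        return None                       # inner destination does not belong on this LAN
    return src, dst, payload

if __name__ == "__main__":
    KEY = b"constructed-shared-key"
    udp = r1_encapsulate(build_x_packet("134.43.0.1", "134.43.0.10", b"hello"), KEY)
    print(r2_decapsulate(udp, KEY, "121.82.0.1"))             # ('134.43.0.1', '134.43.0.10', b'hello')
    print(r2_decapsulate(udp[:-1] + b"?", KEY, "121.82.0.1"))   # None: tag mismatch
```

Without the tag check, any host on the public network that can reach R2's UDP port could inject x-type packets onto organization 2's LAN, which is the exposure the next section's security measures address.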

16.1.4. Security in VPNs

Without using dedicated hardware, a VPN uses virtual connections routed through the Internet from the company's private network to the remote site. Companies can create their own VPNs to accommodate the needs of remote employees and distant offices. This section looks at methods for keeping VPN connections secure. A well-protected VPN uses firewalls, encryption systems, IPsec features, and an authentication server.

A firewall provides an effective barrier between a private network and the Internet. Firewalls can be set up to restrict the number of open ports, to monitor what types of packets are passed through, and to control which protocols are allowed through. The authentication server performs authentication, authorization, and accounting for more secure access in a remote-access environment. When a request to establish a session comes in, the request is loaded onto this server. The server then checks who the sender is (authentication), what it is allowed to do (authorization), and what it actually does (accounting and billing).



Computer and Communication Networks
ISBN: 0131389106
Year: 2007
Pages: 211
Authors: Nader F. Mir
