When to Use a VPN


A VPN allows you to extend your local network to remote locations. Of course, if your local network is connected to the Internet, remote users may have access to the local network even without a VPN. A VPN offers two main advantages over direct non-VPN access:

  • The illusion of local access: Many local networks include protections against unwanted outside access. These may include firewall computers or iptables-based firewall rules on individual computers (both covered in Chapter 25, Configuring iptables), restrictions implemented in TCP Wrappers or xinetd (described in Chapter 4, Starting Servers), or restrictions set in individual server programs. A VPN allows a remote computer to look to local computers as if it were local, thus simplifying the configuration of potentially dozens of servers. The tricky task of determining what remote systems should have access as if they were local is isolated to the VPN server.

  • Encrypting nonencrypted protocols: The P in VPN stands for Private, so a VPN that doesn't include some sort of encryption to provide privacy isn't much of a VPN. By encrypting normally nonencrypted protocols like NFS and Telnet, a VPN allows you to transfer data over the Internet in a fairly straightforward way, at least from the point of view of the client and server. These clients and servers need no special security configuration, but benefit from the encryption provided by the VPN. Of course, there are encrypted protocols you might use instead of a VPN, and if you're only looking for encryption on one or two protocols, these may be easier to set up than a VPN.

One common use for a VPN is in linking multiple offices at distant locations. If your company has offices in Boston and San Francisco, you can use a VPN to tie them together, giving employees secure access to servers at one location from the other. Figure 26.1 illustrates this arrangement. The VPN routers in this figure are routers, much like ordinary routers, NAT routers, or firewall computers. Instead of or in addition to performing ordinary routing, though, the VPN routers set up an encrypted link over which they can transfer data destined for each other.

Figure 26.1. A VPN is usually implemented by routers that are capable of encrypting data destined for particular targets.

NOTE

Although Figure 26.1 shows a VPN that links just two networks, that's not the limit of VPN technology. You can link three, four, or more networks via a VPN.


Another use of a VPN is to grant individual users access to a larger network. This application commonly serves telecommuters and traveling employees. An individual can link a home computer or notebook to a larger network via a broadband or even a dial-up connection to get the benefit of the main office's servers. The VPN router in this scenario communicates directly with the individual remote systems; essentially, they are VPN routers as well, but they route only their own traffic for the remote system. This situation is illustrated in Figure 26.2.

Figure 26.2. VPN systems can link individual clients to a host network.

When implementing a VPN, you should carefully consider your bandwidth needs. Particularly when linking multiple remote networks to a central one, the large central network may need a great deal of external bandwidth to handle the demands from the remote sites. Many protocols that are common on local networks, such as file-sharing protocols and X, transfer vast quantities of data. These transfers may be reasonable on a 100Mbps local Ethernet connection, but over a slower Internet link, such as a 1.5Mbps T1 line, the local protocols may be unacceptably slow. If any of your connections use low-end broadband connections, such as Asymmetric Digital Subscriber Line (ADSL) accounts for telecommuters, you should remember that some such accounts are asymmetric in nature. Typically, upstream bandwidth is much lower than downstream bandwidth. ADSL, for instance, frequently uses 600–1,500Kbps downstream speeds tied to 100–300Kbps upstream speeds. This may be acceptable for some VPN uses, but not for others. Worse, travelers will probably be limited to analog modem speeds of no more than 56Kbps, and often less.
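The bandwidth reasoning above can be worked through with a small planning script. This is an added example, not code from the book; the link names, the 10MB file size, the even split among simultaneous users, and the choice of the upper end of the ADSL range are assumptions, and VPN encryption and protocol overhead are ignored.

```python
# Added example: link speeds are the figures quoted in the text, in Kbps.
# The "adsl" entry assumes the upper end of the quoted ranges.
LINKS = {
    "lan":   {"down": 100_000, "up": 100_000},  # 100Mbps local Ethernet
    "t1":    {"down": 1_500,   "up": 1_500},    # 1.5Mbps T1 line
    "adsl":  {"down": 1_500,   "up": 300},      # asymmetric broadband
    "modem": {"down": 56,      "up": 56},       # analog modem, best case
}


def path_kbps(sender, receiver, sharers=1):
    """Bottleneck rate for data flowing from sender to receiver.

    The sender's upstream and the receiver's downstream both cap the rate.
    `sharers` is the number of remote sites pulling from the same sender at
    once; they split its upstream evenly (a simplifying assumption).
    """
    if sharers < 1:
        raise ValueError("sharers must be at least 1")
    return min(LINKS[sender]["up"] / sharers, LINKS[receiver]["down"])


def transfer_seconds(megabytes, sender, receiver, sharers=1):
    """Seconds to move a file, ignoring VPN and protocol overhead."""
    kilobits = megabytes * 8 * 1000  # decimal units: 1MB = 8,000 kilobits
    return kilobits / path_kbps(sender, receiver, sharers)


def report(megabytes=10):
    """Return (description, seconds) rows for the scenarios in the text."""
    cases = [
        ("local Ethernet copy", "lan", "lan", 1),
        ("T1 office -> ADSL telecommuter", "t1", "adsl", 1),
        ("ADSL telecommuter -> T1 office", "adsl", "t1", 1),
        ("T1 office -> 5 telecommuters at once", "t1", "adsl", 5),
        ("traveler on modem -> T1 office", "modem", "t1", 1),
    ]
    return [(name, transfer_seconds(megabytes, s, r, n))
            for name, s, r, n in cases]


if __name__ == "__main__":
    for name, secs in report():
        print(f"{name:40s} {secs:8.1f} s")
```

The upload from the ADSL site takes five times as long as the download, and five simultaneous telecommuters reduce the central T1 to the same per-user rate as an ADSL upstream.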

VPNs are not without their drawbacks, even over fast external connections. For one thing, although they're designed as a secure way to link networks, if they're implemented improperly they can actually degrade your security. Consider a telecommuter who connects to a larger network via a VPN. If the larger network is protected by firewalls and similar measures, it should be fairly safe. The home computer, though, may not be very well protected against intrusion. If a cracker breaks into this system, it serves as a gaping hole through the larger network's firewall. These security risks are covered in more detail in the upcoming section, "Potential Security Risks with a VPN."

Another problem with VPNs is that they can be tedious to configure, particularly in conjunction with firewalls. If your need for linking telecommuters, traveling individuals, or remote offices is limited, you might find it simpler to use one or two secure protocols, such as SSH.



Advanced Linux Networking
ISBN: 0201774232
EAN: 2147483647
Year: 2002
Pages: 203
