What Is a VPN?


Corporate networks are protected from prying public eyes through various methods, many of which you have already seen in this book. Arguably the most common arrangement is for a company's network to sit behind a firewall device that performs Network Address Translation (NAT), rewriting the addresses of machines inside the company to a single "masked" address visible from the outside. The idea behind this configuration is that machines within the network can reach resources out on the Internet, but machines on the Internet cannot initiate contact with the "masked" corporate machines directly.

Tip

Network Address Translation is an Internet connection technique that lets multiple hosts share a single public IP address. NAT is fully described in Chapter 28, "Configuring an Internet Gateway," in the "What Is NAT?" section. It is possible to run NAT and VPN services on the same FreeBSD machine, as you will see in this chapter.


Protected in this way, servers within the corporate network are free to run with lax security policies (letting employees share resources among corporate servers without encryption or even authentication) and LAN-level network services (such as Windows file sharing and videoconferencing). The employees don't need to worry about security for these services because nobody outside the corporate LAN is supposed to be able to reach anything inside it. Bear in mind that address translation by itself is not a security control; it is the firewall's policy of refusing inbound connections that keeps outsiders out. This is an ideal configuration...as long as all the company's employees are within the corporate network at all times.

But what happens when employees want to work from home? What if members of the sales team want to check their intranet-based email and calendar sites and access marketing documents from internal corporate servers while they're in a hotel halfway around the world? Because of the firewall and NAT, they have no way of contacting the internal servers directly; if they try to look up the servers' hostnames, their external DNS servers will be unable to map the names to meaningful IP addresses.

If they try to connect directly to the servers' internal IP addresses, the Internet's routers have no route to the translated network, which almost always uses the private address ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); ISPs routinely drop packets addressed to those ranges. The employees have no way to get into the network; they're locked out by virtue of being topologically outside the company's private LAN.

This is where a Virtual Private Network comes in. Conceptually, a VPN lets a client machine outside the private network join the private address pool used inside it. The packets that carry data from the machine to the corporate servers travel over public Internet routers, but they are encrypted to protect them from the watchful eyes that drove the company behind a NAT firewall in the first place. Wrapping each original packet, headers and all, inside a new packet addressed to the VPN server creates a tunnel: the extra layer of encapsulation and packet headers that allows normal IP packets to be routed between machines whose configurations would not otherwise allow them to communicate, while the encryption keeps the inner packet's addresses and contents out of sight. In a VPN tunnel, the public Internet's routers get your packets to the VPN server, and the server does the rest: it strips the outer header, decrypts the inner packet, and forwards it onto the corporate LAN. The conceptual layout of a VPN is shown in Figures 31.1 and 31.2.

Figure 31.1. Without a VPN, a packet either has no route to the translated corporate IP network or is rejected by the firewall as coming from an illegal source.


Figure 31.2. When a VPN is added to the client's packet path, each packet is encrypted and given a new IP destination, which sends it through the tunnel to a VPN server at the corporate network that decrypts it and forwards the original packet onto the LAN.


A VPN session begins with an authentication sequence in which the client machine exchanges keys with the VPN server and proves that it is a legitimate member of the corporate network. (Typically a VPN is used by an employee, whose username and password for the corporate network are suitable for gaining VPN access. This is acceptable because the credentials travel only inside the already-encrypted key exchange rather than in the clear; the session is, however, only as strong as that password.)

Subsequently, the client machine is given a new virtual interface with an IP address compatible with those of machines within the private network. With a VPN in place, DNS lookups of corporate servers work, because the client can now reach the company's internal DNS servers; LAN-level services such as Windows file sharing also function normally (even though the packets are encrypted and actually travel across the Internet instead of just the LAN). Best of all, everything that crosses the tunnel is encrypted, so sensitive corporate data is not exposed to anybody who might sniff the public network for such treasures.
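The tunnel the preceding paragraphs describe, as an added example that is not from the book and not FreeBSD's IPsec code: a toy Python model in which the client wraps a packet carrying private 10.x addresses inside an outer packet addressed to the VPN server's public address, encrypts and authenticates the inner packet, and the server verifies, decrypts and forwards it onto the LAN. The addresses (TEST-NET public addresses, a 10.0.0.0/8 corporate LAN, a 10.0.0.50 virtual address handed to the client), the session secret, the HMAC-based toy cipher and the packet layout are all assumptions made for the example, and the `Packet`, `encapsulate`, `decapsulate`, `server_forward` and `demo` names are mine. It goes slightly beyond the text in showing two checks a real VPN server performs: dropping packets whose integrity tag fails, and refusing inner packets whose source address is not the one assigned to that client.

```python
# Added example (not from the book, not FreeBSD's IPsec and not the ESP format):
# a toy VPN tunnel modelling the encapsulation the text describes. Addresses,
# keys and payloads below are constructed for illustration only.
import hashlib, hmac, ipaddress, os, struct
from dataclasses import dataclass
from typing import Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NONCE_LEN, TAG_LEN = 16, 32

def is_rfc1918(addr: str) -> bool:
    """Private address: public Internet routers have no route to it."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    src: str          # dotted-quad addresses
    dst: str
    payload: bytes

def packed(addr: str) -> bytes:
    return ipaddress.ip_address(addr).packed

def serialize(pkt: Packet) -> bytes:
    # Stand-in for an IP header: 4-byte src, 4-byte dst, 2-byte length, then data.
    return packed(pkt.src) + packed(pkt.dst) + struct.pack("!H", len(pkt.payload)) + pkt.payload

def parse(raw: bytes) -> Packet:
    src, dst = str(ipaddress.ip_address(raw[:4])), str(ipaddress.ip_address(raw[4:8]))
    return Packet(src, dst, raw[10:10 + struct.unpack("!H", raw[8:10])[0]])

def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    # Split the secret agreed during VPN setup into encryption and integrity keys
    # (HKDF-style labelled expansion, assumed for this example).
    return (hmac.new(shared_secret, b"toy-vpn enc", hashlib.sha256).digest(),
            hmac.new(shared_secret, b"toy-vpn mac", hashlib.sha256).digest())

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a toy stand-in for a real cipher.
    blocks = (hmac.new(enc_key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

def encapsulate(inner: Packet, keys, client_public: str, server_public: str,
                nonce: Optional[bytes] = None) -> Packet:
    """Client side: wrap a private-network packet in an encrypted outer packet."""
    enc_key, mac_key = keys
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    plaintext = serialize(inner)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC, with the outer addresses bound into the tag.
    tag = hmac.new(mac_key, packed(client_public) + packed(server_public) + nonce + ciphertext,
                   hashlib.sha256).digest()
    return Packet(client_public, server_public, nonce + ciphertext + tag)

def decapsulate(outer: Packet, keys) -> Optional[Packet]:
    """VPN server side: verify the tag, decrypt, recover the inner packet, or drop it."""
    enc_key, mac_key = keys
    body = outer.payload
    if len(body) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, packed(outer.src) + packed(outer.dst) + nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged, corrupted or re-sourced packet: drop silently
    return parse(xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))))

def server_forward(outer: Packet, keys, assigned_virtual_ip: str,
                   corporate_net=ipaddress.ip_network("10.0.0.0/8")) -> Optional[Packet]:
    """Forward onto the LAN only if the inner source is the address this client was given."""
    inner = decapsulate(outer, keys)
    if inner is None or inner.src != assigned_virtual_ip:
        return None  # a VPN client must not impersonate other LAN hosts
    return inner if ipaddress.ip_address(inner.dst) in corporate_net else None

def demo() -> dict:
    keys = derive_keys(b"constructed session secret from the VPN key exchange")
    client_public, server_public = "203.0.113.7", "198.51.100.2"  # TEST-NET, constructed
    virtual_ip, file_server = "10.0.0.50", "10.0.0.10"            # assigned by the VPN server
    inner = Packet(virtual_ip, file_server, b"GET /marketing/plan.doc")
    outer = encapsulate(inner, keys, client_public, server_public, nonce=bytes(range(16)))
    wire = serialize(outer)  # what the hotel's router and the Internet actually see
    flipped = outer.payload[:20] + bytes([outer.payload[20] ^ 1]) + outer.payload[21:]
    tampered = Packet(outer.src, outer.dst, flipped)
    spoofed = encapsulate(Packet("10.0.0.99", file_server, b"x"), keys, client_public, server_public)
    return {
        "direct_route_exists": not is_rfc1918(file_server),
        "outer_addresses": (outer.src, outer.dst),
        "payload_visible_on_wire": b"marketing" in wire,
        "recovered": server_forward(outer, keys, virtual_ip),
        "tampered_dropped": server_forward(tampered, keys, virtual_ip) is None,
        "spoofed_dropped": server_forward(spoofed, keys, virtual_ip) is None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the results of `demo()`: the only addresses on the wire are the two public ones, the request string cannot be found in the wire bytes, the server recovers the original 10.0.0.50 to 10.0.0.10 packet, and both a corrupted packet and one claiming a different inner source are dropped. A real implementation (IPsec, covered later in the chapter) uses a proper cipher and negotiated keys rather than this HMAC toy, but the outer/inner header split and the tag-then-source checks are the same in spirit.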

Note

Security-conscious administrators will recognize that remote users who leave Windows file sharing and similar services enabled while attached to unfamiliar networks have already exposed their laptops to attack from other machines on the hotel or airport LAN, whether or not the actual sharing takes place over the VPN. Those laptops, when brought back into the company's network, can proceed to infect their peers with whatever viruses or Trojans they picked up outside. For this reason, roaming employees should always be counseled that a VPN alone will not protect them or the company's security; they should keep a host firewall enabled and avoid using Windows file sharing unless absolutely necessary.


Each operating system handles VPN functionality in its own way. FreeBSD's implementation involves more manual work than you might be accustomed to in a fully developed desktop operating system, but it has a number of features that help. Much of that help comes from the optional support for IPSec (IP Security) in the kernel, rather than from a reliance on third-party tools (you learn more about IPSec in "VPN Services in FreeBSD: IPSec," later in this chapter).




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann

flylib.com © 2008-2017.