What Is a Virtual Private Network?


In recent years, as more companies have come to require network connections to central offices, the need has grown for inexpensive, secure communications with remote users and offices. Although they're reliable and secure, dedicated circuits and leased lines are not financially feasible for most companies. A Virtual Private Network (VPN) simulates a private network by utilizing the existing public network infrastructure, usually the Internet. The network is termed "virtual" because it uses a logical connection that is built on the physical connections. Client applications are unaware of the actual physical connection and route traffic securely across the Internet in much the same way traffic on a private network is securely routed. When the VPN is configured and initiated, applications will not be able to tell the difference between the virtual adapter and a physical adapter.

After the VPN infrastructure is defined and configured, it provides seamless integration that enables the network to be viewed the same as a private network. Yet this connection is maintained over a separate physical network, which is handled at a lower level and not seen by applications. This separation allows for great flexibility with no additional modifications.

History of VPNs

In the early 1990s, VPNs were basically nonexistent. VPNs have experienced a lot of development in a relatively short period of time as corporate demand for flexible network designs increased.

A few vendors, such as IBM, Microsoft, and Cisco Systems, Inc., started developing tunneling technologies in the mid-1990s. Although products such as IPX and SNA over IP tunneling were available several years ago, they were very specific to their environments and of limited use to the industry as a whole. The industry needed a tunnel solution that could be standardized for all types of traffic. Much of this push toward standardization was based on the acceptance and standardization of TCP/IP in the operating system (OS) instead of vendors providing the whole stack as part of their products.

In 1996, several vendors realized the importance of VPNs, and many of these companies worked together to define tunneling protocols. These tunneling protocols facilitated two major VPN solutions: Point-to-Point Tunneling Protocol (PPTP), created by Microsoft, Ascend, 3Com, and US Robotics; and Layer 2 Forwarding (L2F), created by Cisco. Because both of these solutions are vendor-specific, proprietary protocols, interoperability is limited to products from the supporting vendors.

PPTP and L2F are Open Systems Interconnection (OSI) Layer 2 tunneling protocols that were designed to transport Layer 3 protocols, such as AppleTalk, IP, and IPX, across the Internet. To do this, PPTP and L2F leveraged the existing Layer 2 Point-to-Point Protocol (PPP) standard, which already transported different Layer 3 protocols across serial links. The Layer 3 packets were encapsulated into PPP frames and then encased in IP packets for transport across the IP-based network. Because neither protocol provides the data encryption, authentication, or integrity functions that are critical to VPN privacy, these functions must be added as separate processes.

Driven by the shortcomings of the existing tunneling protocols, standardization and planning began to take place in 1997. This began with the introduction of Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec) by the Internet Engineering Task Force (IETF). Because L2TP and IPSec are a multivendor effort, interoperability is not as much of a problem as it was for their predecessors. Being a Layer 2 protocol, L2TP allowed for multiprotocol support over an IP-based network. This means that it was not restricted to a specific protocol, but could be used to transport several different protocols. The L2TP specification has no built-in data security functions and requires IPSec in transport mode for data security.
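The layering described above (Layer 3 packet inside a PPP frame, inside an L2TP data message, inside UDP/IP on the public network) can be made concrete with a small encoder and decoder. This is an added example, not code from the book; it uses only the Python standard library, the L2TP data header layout from RFC 2661, and constructed addresses and payload. The final check illustrates the point made in the text: without IPSec, the inner packet rides across the public network in the clear.

```python
# Toy L2TP-over-UDP/IP encapsulation of a PPP-framed IPv4 datagram (RFC 2661 data header).
# Added example with constructed data; not the book's code and not a usable VPN stack.
import struct
import ipaddress

L2TP_UDP_PORT = 1701      # IANA-registered L2TP port
L2TP_VERSION = 2
PPP_PROTO_IPV4 = 0x0021   # PPP protocol field value for an IPv4 payload
IPPROTO_UDP = 17
# Bits of the L2TP Flags/Version field: T (message type), L (length present),
# S (sequence numbers present), O (offset present)
F_TYPE, F_LEN, F_SEQ, F_OFFSET = 0x8000, 0x4000, 0x0800, 0x0200


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at zero because nothing here is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def encapsulate(inner_ip: bytes, tunnel_id: int, session_id: int,
                outer_src: str, outer_dst: str) -> bytes:
    """Wrap a Layer 3 packet as the chapter describes: PPP frame -> L2TP -> UDP -> IP."""
    # 1. The Layer 3 packet becomes a PPP frame (address/control fields compressed away,
    #    two-byte protocol field kept).
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner_ip
    # 2. L2TP data header: T=0 (data message), L=1 (length present), Ver=2, then the
    #    tunnel and session identifiers that select the PPP session at the far end.
    l2tp = struct.pack("!HHHH", F_LEN | L2TP_VERSION, 8 + len(ppp), tunnel_id, session_id) + ppp
    # 3. UDP header (checksum zero) and an outer IP header carrying the public addresses
    #    that the Internet actually routes on.
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp
    return build_ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def decapsulate(outer: bytes) -> dict:
    """Peel the layers back off, validating each header on the way in."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or outer[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    udp = outer[ihl:]
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != L2TP_UDP_PORT:
        raise ValueError("not addressed to the L2TP port")
    l2tp = udp[8:udp_len]
    (flags,) = struct.unpack("!H", l2tp[:2])
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version")
    if flags & F_TYPE:
        raise ValueError("control message, not a data message")
    off = 2
    if flags & F_LEN:                      # optional Length field covers the whole message
        (length,) = struct.unpack("!H", l2tp[off:off + 2])
        l2tp, off = l2tp[:length], off + 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
    off += 4
    if flags & F_SEQ:                      # optional Ns/Nr sequence numbers
        off += 4
    if flags & F_OFFSET:                   # optional Offset Size plus padding
        (pad,) = struct.unpack("!H", l2tp[off:off + 2])
        off += 2 + pad
    ppp = l2tp[off:]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    if ppp_proto != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not IPv4")
    inner = ppp[2:]
    return {"tunnel_id": tunnel_id, "session_id": session_id, "inner": inner,
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20]))}


def payload_visible_on_wire(outer: bytes, payload: bytes) -> bool:
    """True if an observer of the public network can read the application data verbatim,
    which is the case for L2TP or PPTP without a separate encryption layer such as IPSec."""
    return payload in outer


if __name__ == "__main__":
    data = b"constructed sample: report for the branch office"   # constructed, not real traffic
    inner = build_ipv4_header("10.1.1.5", "10.2.2.9", 6, len(data)) + data  # transport header omitted
    outer = encapsulate(inner, 7, 42, "203.0.113.10", "198.51.100.1")
    print(decapsulate(outer)["inner_src"], payload_visible_on_wire(outer, data))
```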

The year 1999 saw the introduction of pervasive VPNs with new features, such as a standards-based authentication model, an easier interface for server configuration, and additional client configuration tools. With the new authentication model, smart cards could be deployed for client access, which increased security, and VPN support was integrated into consumer devices. As a result, VPN use by telecommuters became widespread, and corporate use of VPNs for branch office links increased.

Windows 2000 and 2003 have mature VPN options, including IPSec, L2TP, and PPTP, which provide the necessary features for a secure and manageable tunneling solution that is dramatically less expensive than a hardware solution and/or leased lines. Microsoft has fully committed to implementing VPN technologies in Windows 2000/2003 because it believes VPNs are a critical element in corporate networks. Windows Server 2003 not only comes with built-in support for IPSec (including Network Address Translator Traversal [NAT-T]), L2TP, and PPTP, but also delivers a full suite of security-related services ranging from full Remote Authentication Dial-In User Service (RADIUS) support to the Extensible Authentication Protocol (EAP).

As stated previously, a VPN is essentially a "private tunnel" over a public infrastructure. To emulate a private network link, the VPN encapsulates data with a header that provides routing information, which enables the data to travel the public network (normally the Internet) from the source to the destination. To emulate a private link, the VPN encrypts the encapsulated data being sent for confidentiality, authenticity, and guaranteed integrity. Packets that are intercepted on the public network are unreadable without the encryption keys. A link in which the data is encapsulated and encrypted is known as a VPN, or tunnel, connection.

VPNs can be implemented and maintained by a variety of devices. It is now possible to have a Windows Server 2003 server connect to a router with an encrypted tunnel endpoint, or another Windows client, a firewall, or most anything that uses the standard.

It is critical to consider the design of the tunnel-based network. The goal of any VPN is to provide security throughout the network path so the data will be protected, regardless of the network media it might be traversing. This will be the basis of providing a solution for secure remote access technology.

Before planning a VPN, you must define the goals of the project. Remote access technology can be applied in a great number of ways that benefit most network designs. It takes planning to design a solution that will work efficiently and offer stability. Your company might be like many others and have employees who travel and work at remote sites, or work in their homes. The availability of high-speed Internet and the convenience and flexibility it affords employees make providing VPN capability almost a necessity in today's business environment. These employees must have a way to access the corporate network that is both location-independent and secure. In the past, connectivity solutions were deployed with dial-up phone links, which was a very expensive solution. Currently, the trend is for many employees working from home to utilize cable and DSL modems that enable a much faster link. Private, dedicated high-speed connectivity for most corporations is prohibitively expensive. A VPN connection, on the other hand, gives remote users a less-expensive high-speed connection to the network through the public Internet while still guaranteeing confidentiality.

A tunnel connection enables the user, either while traveling or at their home office, to connect to the Internet and then tunnel over this connection to the corporate network. This uses the Internet as a transport mechanism that eliminates the cost of a direct (and many times a long-distance) connection. Additionally, the tunnel connection does not care how it accesses the Internet, so traveling users can hop from any location and connect to the corporate network with no configuration changes. This mobility is a huge financial advantage when considering support and connectivity costs. Many companies have toll-free numbers that enable dial-in access from any location, but the phone bills the company pays to maintain these numbers often add up to a tremendous cost. I have worked with several companies that were regularly billed one million dollars per month just to support these dial-up users. Reducing this cost is the first very tangible result of deploying the tunnel environment.

Note

Providing employees a VPN solution to connect to the company network can provide a substantial savings over maintaining a dial-up solution that requires the company to provide toll-free numbers and maintain dial-up connections. For instance, one company was billed $1 million per month for the toll-free numbers that 33,000 remote users were accessing. If you use a VPN solution and just pay a nominal $20/month access fee for dial-up, that cuts the cost nearly in half. This can easily be considered a "hard" cost savings in calculating Return on Investment (ROI) as described in Chapter 3, "Migration Planning: Business and Technical."


When considering the complete cost of a network access strategy, you must factor in all parts of the solution. If you select a modem-based solution, it inherently has many problems. Modem banks are expensive, they must be updated often, it is virtually impossible for them to support some of the new communication technologies, and supporting their widely varying connection environments takes a great deal of administrative overhead. Additionally, it's difficult to scale the private dial solutions because it requires the purchase of new hardware (modems/servers). Installing a tunnel solution allows the corporation to basically outsource the modem cost and maintenance to Internet Service Providers (ISPs). If a client has a problem accessing the Internet, he or she contacts the ISP's help desk, not your IT staff. In addition, the ISP can provide your clients with high-speed solutions that would be impractical for most companies because it would require an expensive private infrastructure.

What Is a Tunnel?

To help you understand how the VPN works, let's first describe a tunnel. We use the term tunnel because the tunnel connection establishes a link between two systems that is independent of the actual physical route. If you have a link between two computers, say one in Boston and the other in Seattle, it can take 12 hops across the Internet for the two computers to talk to one another. However, when you establish a tunnel over the Internet between the two computers, one can talk directly to the other. This is possible because the tunnel follows a direct logical route instead of an indirect physical route. With a logical route, the application is unaware of the actual number of hops it takes between the client and the server. Instead, it views the tunnel as a single hop.

Historically, the public switched telephone network used these point-to-point capabilities, but it was designed for voice communication and is increasingly unsuitable for today's data communication and networking needs. The success and growth of the Internet is driving the migration from leased lines and dedicated corporate modems to VPNs. Conventional private networks and next-generation public networks typically exist in parallel today. However, with the maturity of VPN solutions, these separate infrastructures are converging. It was just a matter of time before someone asked if it would be possible to use the flexibility of the Internet to solve connection needs and reduce operational costs. Some of the contributing factors that led to the development of VPN solutions for the Internet include the following:

  • The high cost of implementing and maintaining private networks

  • The increased number of remote and mobile users

  • The increased number of applications that are dependent on networks, such as e-mail and other communication applications

  • The requirement to create flexible and dynamic network connections

  • The merging of network technologies such as telephony and/or multimedia applications such as video teleconferencing

It is likely that with all the continued development of network technologies, the demand for high-speed VPNs will continue to increase. Therefore, you should design your network to include capabilities that will support the demands of the near future.

Alternative Services

Services other than the tunneling environment provide capabilities similar to VPNs. Each service described in this section has its own advantages and disadvantages. Corporations that are considering a tunnel environment need to analyze these options to decide which is best for their environment.

Transparent LAN Services (TLS)

Transparent LAN Services (TLS) are high-speed LAN interconnection services that conceal the complexity associated with WAN technology. You can use TLS to permit a service provider to connect your corporation's LANs in such a way that they appear to the network to be interconnected by a standard LAN segment.

Advantages of TLS include the following:

  • The service provider configures and maintains the network links.

  • The service provider handles the support of the link.

  • The learning curve of the support staff is minimal if the corporation is already using Frame Relay (because this service is closely related to Frame Relay).

Disadvantages of TLS include the following:

  • This service is not offered everywhere. It is typically available only in metropolitan areas, but this is changing.

  • The cost can be quite high. The service providers make their income by offering this service, and they charge customers accordingly.

  • The flexibility is dependent on the service provider. If the service provider offers only certain technologies, your options are limited unless you change providers.

Secure Remote Procedure Call (RPC) Authentication (SRA)

Secure RPC Authentication (SRA) combines the RPC mechanism with user authentication and usually with Data Encryption Standard (DES). The goal of Secure RPC is to allow you to build a secure system that all users can share. With SRA, your users can log in to any remote computer (just as they can on a local system), and their login passwords are their passports through network security.

Advantages of SRA include the following:

  • SRA enables a flexible and secure way to access remote systems.

  • SRA is well supported on some UNIX platforms.

Disadvantages include the following:

  • Every RPC-based program that authenticates users can use Secure RPC, but some programs have to be modified to support it.

  • This technology is not widely deployed, and interoperability is limited. It is typically a UNIX-only solution.

  • SRA is not a network LAN-to-LAN solution; it is an application-based solution.

Secure Sockets Layer (SSL)

Many Web sites use Secure Sockets Layer (SSL) technology for Web-based security. It makes it possible for you to deploy an application in a manner that encrypts data destined for a public network. This technology can be viewed as an alternative to VPN technology for particular applications that are to be used at remote sites. SSL encrypts data in such a way that only its intended recipient can decrypt it, ensuring that the data is transmitted privately.

Advantages of SSL include the following:

  • It ensures that data is transmitted privately. The application will transfer the data over a public network and protect it between the server and the client.

  • It is based on Internet Web standards, so most of today's Web browsers can use SSL.

  • Hardware acceleration is available.

Disadvantages include the following:

  • Applications must be modified or written to use SSL.

  • SSL is not a network LAN-to-LAN solution; it is an application-based solution.

Some vendors are taking the SSL approach to the next level with products that encapsulate IPSec traffic within SSL packets. This has the obvious advantage of full VPN capabilities that will seamlessly traverse most firewalls with no administrative overhead. This approach is still being developed and is not currently based on standards, so cross-vendor connectivity is difficult. Additionally, many corporations are nervous about this technology because they must have Intrusion Detection Systems (IDS) in place to detect this type of SSL traffic. Firewall administrators are concerned that this encapsulated traffic, potentially containing company secrets, could escape detection as it left the corporate network. Network architects must evaluate the risks as part of the design of the remote solution.

Common Uses of VPNs

There are several ways to implement VPNs. You can make any network design work with tunneling network technology, but as the network architect, your plan must analyze what the goals are and how best to achieve them:

  • Remote dial-in users

  • Branch office network links

  • Internal networks

Remote Dial-In Users

Currently, support for remote users is the largest application for VPNs. It is the easiest for you to implement, it has the most tangible results, and it has the quickest turnaround for you in cost savings. This application of VPNs will enable your remote users at home or on the road to connect to a tunnel server instead of a corporate modem pool.

This is typically accomplished through a connection between the user and a public network, such as the Internet, over which a PPP session is then tunneled between the client and a corporate tunnel server. The infrastructure of the public network is irrelevant because after the VPN connection is made, the client's routing environment is adjusted to reflect the logical link. From the client's perspective, the VPN is a point-to-point connection between the client and the tunnel server. The VPN enables the connected user to have the same access to resources that he or she would normally have on the corporate network.

Branch Office Network Links

In the past, if a corporation had multiple remote sites, it would have leased dedicated circuits from the local telecommunications company for remote network traffic. Each site would have the necessary hardware on both sides of the leased lines, and the corporation would have a very predictable and reliable connection to every site.

The downside of this configuration is cost. For example, if a corporation leases a T1 link from Boston to California with guarantees regarding the uptime, it would cost several thousand dollars each month. This doesn't even include the cost of setting up the network. Additionally, the harsh truth about bandwidth is that it's very difficult to purchase the precise amount needed. Either the network Administrator will have to tweak the usage constantly, or the corporation will have to pay for a link that is never fully used.

The primary concern of a WAN that's based on VPN technology is the connection speed between the Internet and each endpoint of the tunnel. By design, the Internet has enough fault tolerance to cope with fairly substantial link failures by using routing technologies. Because of this, it is very important to have a fast and reliable link to the Internet on either side of the tunnel. The slowest connection to the Internet determines the overall connection rate for the tunnel. If one side of the tunnel has only a 56K link, both sides will be slowed to this rate regardless of the connection speed at the opposite end of the tunnel. Some ISPs offer guaranteed links to the Internet, which is certainly an option for companies that require an extra level of reliability, but this service is significantly more expensive. VPNs enable corporations to replace expensive leased lines with tunnel connections that link separate sites and branch offices. After the routing environment is configured, no service differences between the logical links and leased lines exist.

Because an existing public network can be used by the tunneling protocols, the typical overhead of leased lines and the administration cost of the lines are removed. Additionally, a typical leased line is reserved at all times of the day, so during off-peak hours, the organization experiences bandwidth waste. (Bandwidth waste occurs when a company is paying for bandwidth that is not being used.) With a VPN, if the link is not needed, it can simply be dropped. When it is needed again, the VPN automatically re-establishes the connection and enables traffic to pass through the connection.

The obvious concerns any corporation would have about trading leased lines for a VPN-based network infrastructure are security and reliability. The leased-line strategy has been used for many years; it is private and uses industry-standard, proven technology. VPNs, on the other hand, use public, unsecured network links. Fortunately, with the maturity of VPN technologies, you can address security concerns and increasingly rely on public infrastructure such as the Internet. At this point, for instance, if a route or link that affects the Internet's performance or reliability fails, a great number of people work as quickly as possible to fix the problem. And until the problem is resolved, redundant links are often available. The real advantage of using VPN-based network links is the scalability and flexibility of the environment. The cost savings are substantial.

Internal Networks

As I stated earlier in this chapter, the ultimate goal of a protected network is to encrypt network traffic throughout the path of the communication between the source and destination. In most VPN implementations, the client communication to a tunnel server is encrypted, but the network traffic on the corporate network is still unencrypted. This is a good start for most environments, but highly sensitive data requires a completely encrypted path.

Windows Server 2003 can encrypt data over all connections, both WAN and LAN. More and more corporations find that having open communications over the network poses a serious security risk. If this traffic were encrypted, it would be much more difficult for someone to capture traffic and retrieve valuable data. Using Windows Server 2003, a network designer can define security zones within a corporation to protect certain confidential resources and leave other noncritical resources in the open.

The most important feature of adding network encryption is the capability to roll out tunneling functionality without modifying the current applications or retraining users. The beauty of this capability in Windows Server 2003 is that security features are relatively simple to implement. One problem with this use of VPNs involves the predictable load on the environment when the system has to encrypt and decrypt all the data coming from or going to network servers. Fortunately, this is addressed by adding CPU off-loading hardware that is responsible for the cryptographic tasks. Key management, a feature built into Windows Server 2003, causes the biggest increase in network traffic. The network architect will have to design the frequency of the key exchange based on your network and security needs.

Additional Uses and Benefits of VPNs

VPNs have many other uses, and many more are being designed as the popularity of VPNs increases. Telecommunications companies use VPN links to carry voice traffic, multicast traffic, and more. As we move toward a totally protected network environment, it is likely that the current approach toward networks will dramatically change. With the VPN capabilities of Windows Server 2003, you can achieve the following goals:

  • Lower networking costs by as much as 30 percent to 80 percent, according to industry analysts' projections

  • Higher reliability through carrier-class redundancy of the public network

  • Extended reach, allowing remote users convenient access to enterprise sites

  • Secure connection relationships with allied companies

  • Greater end-to-end control and better management features

Your network design can enable a single system to provide access to the Internet and corporate resources without the need for separate routers, modem banks, or remote access servers (RAS). This also simplifies the way in which you perform network expansions, configuration changes, and upgrades. A single network link enables the use of optimal data rates that eliminate the over-subscription associated with leased lines and idle dial-up links. Additionally, this consolidation reduces the complexity of network design, operation, and management responsibilities.

Recommendations

It is time for your production environment to rely on VPNs. As more vendors build software and hardware to work with VPNs, more customers are rolling out and relying on VPNs as part of their production networks. The balance of this chapter details how to use HP ProLiant hardware with Windows Server 2003 as a complete VPN solution that provides excellent stability, cost, and ease of configuration and administration.



Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators
ISBN: B004C77T6A
EAN: N/A
Year: 2004
Pages: 214
