History Of The Virtual Private Network

A VPN supplies virtual network connectivity over a possibly long physical distance. The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines which consume valuable recourse and extra cost . VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security , a simple cooperation office and remote branched VPN shown in below diagram .

Sonicwall_Vpn

A VPN supports at least three different modes of use as shown above:

Remote access client connections.

LAN-to-LAN internetworking .

Controlled access within an intranet .

A several network protocols have become popular as a result of VPN developments state as following :

PPTP

L2TP

IPsec

These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public. Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other till now.

Virtual private networks have grown in popularity as businesses to save money on remote network access for employees. Many corporations have also adopted VPNs as a security solution for private Wi-Fi wireless networks. Expect a continued gradual expansion in use of VPN technology to continue in the coming years.

Objectives:-

A virtual private network can resolve many of the issues associated with today’s private networks.

Cost: The cost of such links is high especially when they involve international locations. Even when VPNs are implemented on a provider private network, it would still be less expensive.

Mobility of workforce: Many companies are encouraging telecommunications to reduce their investment in real estate, reduce traffic, and reduce pollution from automobile

E-commerce applications: However, in traditional private networks, this kind of special access provision is difficult to incorporate because it is not easy to install dedicated link to all suppliers and business partners, nor it is flexible because a change in the supplier would require de-installing the link and installing another one to the new vendor.

Advantages of VPN

VPNs promise two main advantages over competing approaches — cost savings, and scalability (that is really just a different form of cost savings).

The Low Cost of a VPN

One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service.

Another way VPNs reduce costs is by lessening the need for long-distance telephone charges for remote access. Recall that to provide remote access service, VPN clients need only call into the nearest service provider’s access point. In some cases this may require a long distance call, but in many cases a local call will suffice.

A third, more subtle way that VPNs may lower costs is through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access for example. Service providers can in theory charge much less for their support than it costs a company internally because the public provider’s cost is shared amongst potentially thousands of customers.

Scalability and VPNs

The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two.

However, as an organization grows and more companies must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. Mathematicans call this phenomenon a combinatorial explosion, and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically-distributed access already available.

Disadvantages of VPNs

With the hype that has surrounded VPNs historically, the potential pitfalls or “weak spots” in the VPN model can be easy to forget. These four concerns with VPN solutions are often raised.

1. VPNs require an in-depth understanding of public network security issues and proper deployment of precautions.

2. The availability and performance of an organization’s wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.

3. VPN technologies from different vendors may not work well together due to immature standards.

4. VPNs need to accomodate protocols other than IP and existing internal network technology.

Generally speaking, these four factors comprise the “hidden costs” of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs

INTERNET VPNS FOR REMOTE ACCESS

In recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute. Employees also continue to travel and face a growing need to stay connected to their company networks. A VPN can be set up to support remote, protected access to the corporate home offices over the Internet. An Internet VPN solution uses a client/server design works as follows:

1. A remote host (client) wanting to log into the company network first connects to any public Internet Service Provider (ISP).

2. Next, the host initiates a VPN connection to the company VPN server. This connection is made via a VPN client installed on the remote host.

3. Once the connection has been established, the remote client can communicate with the internal company systems over the Internet just as if it were a local host.

Before VPNs, remote workers accessed company networks over private leased lines or through dialup remote access servers. While VPN clients and servers careful require installation of hardware and software, an Internet VPN is a superior solution in many situations.

VPNS FOR INTERNETWORKING

Besides using virtual private networks for remote access, a VPN can also bridge two networks together. In this mode of operation, an entire remote network (rather than just a single remote client) can join to a different company network to form an extended intranet. This solution uses a VPN server to VPN server connection.

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

Intranet-based – If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based – When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

vpn-type

INTRANET / LOCAL NETWORK VPNS

Internal networks may also utilize VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway. This type of VPN use does not involve an Internet Service Provider (ISP) or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their WiFi local networks.

TUNNELING: SITE-TO-SITE

In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces to use.

TUNNELING

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network.

Tunneling requires three different protocols:

Carrier protocol – The protocol used by the network that the information is traveling over

Encapsulating protocol – The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data

Passenger protocol – The original data (IPX, NetBeui, IP) being carried

Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBeui) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.

COST SAVINGS WITH A VPN

A VPN can save an organization money in several situations:

Eliminating the need for expensive long-distance leased lines

Reducing long-distance telephone charges

Offloading support costs

VPNS VS LEASED LINES

Organizations historically needed to rent network capacity such as T1 lines to achieve full, secured connectivity between their office locations. With a VPN, you use public network infrastructure including the Internet to make these connections and tap into that virtual network through much cheaper local leased lines or even just broadband connections to a nearby Internet Service Provider (ISP).

LONG DISTANCE PHONE CHARGES

A VPN also can replace remote access servers and long-distance dialup network connections commonly used in the past by business travelers needing to access to their company intranet. For example, with an Internet VPN, clients need only connect to the nearest service provider’s access point that is usually local.

SUPPORT COSTS

With VPNs, the cost of maintaining servers tends to be less than other approaches because organizations can outsource the needed support from professional third-party service providers. These provides enjoy a much lower cost structure through economy of scale by servicing many business clients.

VPN NETWORK SCALABILITY

The cost to an organization of building a dedicated private network may be reasonable at first but increases exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations, but 4 branch offices require 6 lines to directly connect them to each other, 6 branch offices need 15 lines, and so on.

Internet based VPNs avoid this scalability problem by simply tapping into the public lines and network capability readily available. Particularly for remote and international locations, an Internet VPN offers superior reach and quality of service.

USING A VPN

To use a VPN, each client must possess the appropriate networking software or hardware support on their local network and computers. When set up properly, VPN solutions are easy to use and sometimes can be made to work automatically as part of network sign on. VPN technology also works well with WiFi local area networking. Some organizations use VPNs to secure wireless connections to their local access points when working inside the office. These solutions provide strong protection without affecting performance excessively.

VPN SECURITY: IPSEC

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

vpn-diagram2

Photo courtesy Cisco Systems, Inc.

A remote-access VPN utilizing IPSec

IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

Router to router

Firewall to router

PC to router

PC to server

LIMITATIONS OF A VPN

Despite their popularity, VPNs are not perfect and limitations exist as is true for any technology. Organizations should consider issues like the below when deploying and using virtual private networks in their operations:

VPNs require detailed understanding of network security issues and careful installation / configuration to ensure sufficient protection on a public network like the Internet.

The reliability and performance of an Internet-based VPN is not under an organization’s direct control. Instead, the solution relies on an ISP and their quality of service.

Historically, VPN products and solutions from different vendors have not always been compatible due to issues with VPN technology standards. Attempting to mix and match equipment may cause technical problems, and using equipment from one provider may not give as great a cost savings.

TYPES OF VPN TUNNELING

VPN supports two types of tunneling – voluntary and compulsory. Both types of tunneling are commonly used. In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN TUNNELING PROTOCOLS

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

POINT-TO-POINT TUNNELING PROTOCOL (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

LAYER TWO TUNNELING PROTOCOL (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model — thus the origin of its name.

INTERNET PROTOCOL SECURITY (IPSEC)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.

Using PPTP

PPTP packages data within PPP packets, then encapsulates the PPP packets within IP packets (datagrams) for transmission through an Internet-based VPN tunnel. PPTP supports data encryption and compression of these packets. PPTP also uses a form of General Routing Encapsulation (GRE) to get data to and from its final destination.

PPTP-based Internet remote access VPNs are by far the most common form of PPTP VPN. In this environment, VPN tunnels are created via the following two-step process:

The PPTP client connects to their ISP using PPP dial-up networking (traditional modem or ISDN).

Via the broker device (described earlier), PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.

PPTP also supports VPN connectivity via a LAN. ISP connections are not required in this case, so tunnels can be created directly as in Step 2 above.

Once the VPN tunnel is established, PPTP supports two types of information flow:

Control messages for managing and eventually tearing down the VPN connection. Control messages pass directly between VPN client and server.

Data packets that pass through the tunnel, to or from the VPN client

PPTP CONTROL CONNECTION

Once the TCP connection is established in Step 2 above, PPTP utliizes a series of control messages to maintain VPN connections. These messages are listed below.

No.

Name

Description

1

StartControlConnectionRequest

Initiates setup of the VPN session; can be sent by either client or server.

2

StartControlConnectionReply

Sent in reply to the start connection request (1); contains result code indicating success or failure of the setup operation, and also the protocol version number.

3

StopControlConnectionRequest

Request to close the control connection.

4

StopControlConnectionReply

Sent in reply to the stop connection request (3); contains result code indicating success or failure of the close operation.

5

EchoRequest

Sent periodically by either client or server to “ping” the connection (keep alive).

6

EchoReply

Sent in response to the echo request (5) to keep the connection active.

7

OutgoingCallRequest

Request to create a VPN tunnel sent by the client.

8

OutgoingCallReply

Response to the call request (7); contains a unique identifier for that tunnel.

9

IncomingCallRequest

Request from a VPN client to receive an incoming call from the server.

10

IncomingCallReply

Response to the incoming call request (9), indicating whether the incoming call should be answered.

11

IncomingCallConnected

Response to the incoming call reply (10); provides additional call parameters to the VPN server.

12

CallClearRequest

Request to disconnect either an incoming or outgoing call, sent from the server to a client.

13

CallDisconnectNotify

Response to the disconnect request (12); sent back to the server.

14

WANErrorNotify

Notification periodically sent to the server of CRC, framing, hardware and buffer overruns, timeout and byte alignment errors.

15

SetLinkInfo

Notification of changes in the underlying PPP options.

With control messages, PPTP utlizes a so-called magic cookie. The PPTP magic cookie is hardwired to the hexadecimal number 0x1A2B3C4D. The purpose of this cookie is to ensure the receiver interprets the incoming data on the correct byte boundaries.

PPTP SECURITY

PPTP supports authentication, encryption, and packet filtering. PPTP authentication uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering on VPN servers. Intermediate routers and other firewalls can also be configured to selectively filter PPTP traffic.

PPTP AND PPP

In general, PPTP relies on the functionality of PPP for these aspects of virtual private networking.

authenticating users and maintaining the remote dial-up connection

encapsulating and encrypting IP, IPX, or NetBEUI packets

PPTP directly handles maintaining the VPN tunnel and transmitting data through the tunnel. PPTP also supports some additional security features for VPN data beyond what PPP provides.

PPTP PROS AND CONS

PPTP remains a popular choice for VPNs thanks to Microsoft. PPTP clients are freely available in all popular versions of Microsoft Windows. Windows servers also can function as PPTP-based VPN servers.

One drawback of PPTP is its failure to choose a single standard for authentication and encryption. Two products that both fully comply with the PPTP specification may be totally incompatible with each other if they encrypt data differently, for example. Concerns also persist over the questionable level of security PPTP provides compared to alternatives.

Routing

Tunneling protocols can be used in a point-to-point topology that would generally not be considered a VPN, because a VPN is expected to support arbitrary and changing sets of network nodes. Since most router implementations support software-defined tunnel interface, customer-provisioned VPNs often comprise simply a set of tunnels over which conventional routing protocols run. PPVPNs, however, need to support the coexistence of multiple VPNs, hidden from one another, but operated by the same service provider.

Building blocks

Depending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. Multiprotocol Label Switching (MPLS) functionality blurs the L2-L3 identity.

While RFC 4026 generalized these terms to cover L2 and L3 VPNs, they were introduced in RFC 2547.

Customer edge device. (CE)

In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.

Provider edge device (PE)

A PE is a device or set of devices, at the edge of the provider network, which provides the provider’s view of the customer site. PEs are aware of the VPNs that connect through them, and which maintain VPN state.

Provider device (P)

A P device operates inside the provider’s core network, and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers’ PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provider.

Categorizing VPN security models

From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.

Some Internet service providers as of 2009[update] offer managed VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted security solution that can reach into hosts. In addition to providing remote workers with secure access to their employer’s internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each client’s computer.

Authentication before VPN connection

A known trusted user, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users. Servers may also need to authenticate themselves to join the VPN.

A wide variety of authentication mechanisms exist. VPNs may implement authentication in devices including firewalls, access gateways, and others. They may use passwords, biometrics, or cryptographic methods. Strong authentication involves combining cryptography with another authentication mechanism. The authentication mechanism may require explicit user action, or may be embedded in the VPN client or the workstation.

Trusted delivery networks

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider’s network to protect the traffic. In a sense, they elaborate on traditional network- and system-administration work.

Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.

Layer 2 Tunneling Protocol (L2TP) which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco’s Layer 2 Forwarding (L2F) (obsolete as of 2009[update]) and Microsoft’s Point-to-Point Tunneling Protocol (PPTP).

Security mechanisms

Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking intercept and thus packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy.

Secure VPN protocols include the following:

IPsec (Internet Protocol Security) – A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.

Transport Layer Security (SSL/TLS) is used either for tunneling an entire network’s traffic (SSL VPN), as in the OpenVPN project, or for securing individual connection. SSL has been the foundation by a number of vendors to provide remote access VPN capabilities. A practical advantage of an SSL VPN is that it can be accessed from locations that restrict external access to SSL-based e-commerce websites without IPsec implementations. SSL-based VPNs may be vulnerable to Denial of Service attacks mounted against their TCP connections because latter are inherently unauthenticated.

DTLS, used by Cisco for a next generation VPN product called Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLS

Secure Socket Tunneling Protocol (SSTP) by Microsoft introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels Point-to-Point Protocol (PPP) or L2TP traffic through an SSL 3.0 channel.

L2TPv3 (Layer 2 Tunneling Protocol version 3), a new[update] release.

MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark “MPVPN”.

Cisco VPN, a proprietary VPN used by many Cisco hardware devices. Proprietary clients exist for all platforms; open-source clients also exist.

SSH VPN — OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L). OpenSSH server provides limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.

VPNs in mobile environments

Mobile VPNs handle the special circumstances when one endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points. Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and criminal databases, as they travel between different subnets of a mobile network. They are also used in field service management and by healthcare organizations, among other industries.

Increasingly, Mobile VPNs are being adopted by mobile professionals and white-collar workers who need reliable connections. They allow users to roam seamlessly across networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot survive such events because the network tunnel is disrupted, causing applications to disconnect, time out, fail, or even the computing device itself to crash.

Instead of logically tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a virtual IP address that stays with the device. The Mobile VPN software handles the necessary network logins and maintains the application sessions in a manner transparent to the user. The Host Identity Protocol (HIP), under study by the Internet Engineering Task Force, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.

Conclusion:

So what is a Virtual Private Network? As we have discussed, a VPN can take several forms. A VPN can be between two end-systems, or it can be between two or more networks. A VPN can be built using tunnels or encryption (at essentially any layer of the protocol stack), or both, or alternatively constructed using MPLS or one of the “virtual router” methods. A VPN can consist of networks connected to a service provider’s network by leased lines, Frame Relay, or ATM, or a VPN can consist of dial-up subscribers connecting to centralized services, or other dial-up subscribers.

The pertinent conclusion here is that while a VPN can take many forms, there are some basic common problems that a VPN is built to solve, which can be listed as virtualization of services and segregation of communications to a closed community of interest, while simultaneously exploiting the financial opportunity of economies of scale of the underlying common host communications system.