Welcome to SSUET PROJECTS
Final year project 2003-project # 71

INTRODUCTION TO VPN

The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: A way to maintain fast, secure and reliable communications wherever their offices are.

There is much hype in the industry currently concerning VPNs, their functionality, and how they fit in the enterprise network architecture. Simply defined, a VPN is an enterprise network deployed on a shared infrastructure employing the same security, management, and throughput policies applied in a private network. VPNs are an alternative WAN infrastructure that replace or augment existing private networks that utilize leased-line or enterprise-owned Frame Relay/ATM networks. VPNs do not inherently change WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. A VPN can utilize the most pervasive transport technologies available today: the public Internet, service provider IP backbones, as well as service provider Frame Relay and ATM networks. The functionality of a VPN, however, is defined primarily by the equipment deployed at the edge of the enterprise network and feature integration across the WAN, not by the WAN transport protocol itself.

Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases.

As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices.


A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
What Makes A VPN?
There are two common VPN types:

  • Remote-access - Also called a virtual private dial-up network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

  • Site-to-site - Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be either:
    • Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.
    • Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.


Examples of the three types of VPN

A well-designed VPN can greatly benefit a company. For example, it can:

  • Extend geographic connectivity
  • Improve security
  • Reduce operational costs versus traditional WAN
  • Reduce transit time and transportation costs for remote users
  • Improve productivity
  • Simplify network topology
  • Provide global networking opportunities
  • Provide telecommuter support
  • Provide broadband networking compatibility
  • Provide faster ROI (return on investment) than traditional WAN

What features are needed in a well-designed VPN? It should incorporate:

  • Security
  • Reliability
  • Scalability
  • Network management
  • Policy management

What Is a VPN?

Figure 1: VPN Defined

VPNs are segmented into three categories: remote access, intranets, and extranets. Remote access VPNs connect telecommuters, mobile users, or even smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources. An intranet VPN connects fixed locations, branch, and home offices, within an enterprise WAN. An extranet extends limited access of enterprise computing resources to business partners, such as suppliers or customers, enabling access to shared information. Each type of VPN has different security and bandwidth management issues to consider.

In order to authenticate the VPN's users, a firewall will be necessary. While in the past firewalls have been a major source of headaches for network administrators, the new generation of firewalls is far simpler to set up and maintain. Nowadays, there is a wide variety of hassle-free, prepackaged appliances to keep unwanted packets out of the network. Many "black box" security systems also include some sort of encryption system, although some VPNs do not.

Firewall products for VPNs, such as NetScreen, Watchguard, or NetFortress are often relatively simple, plug-and-play solutions for network security. The system can be connected to as many LANs as needed, keys are exchanged between the two units, and the VPN is complete. However, these solutions can come at a substantial cost, and the right choice will depend on the unique networking and security needs of the company or companies using the network. Generally, if you already own the appropriate equipment and Internet connection, an out-of-the-box solution is not necessary.


All VPNs require configuration of an access device, either software- or hardware-based, to set up a secure channel. A random user cannot simply log in to a VPN, as some information is needed to allow a remote user access to the network, or to even begin a VPN handshake. When used in conjunction with strong authentication, VPNs can prevent intruders from successfully authenticating to the network, even if they were able to somehow capture a VPN session.


Most VPNs use IPSec technologies, the evolving framework of protocols that has become the standard for most vendors. IPSec is useful because it is compatible with most VPN hardware and software, and is the most popular choice for networks with remote access clients. IPSec requires very little knowledge on the part of clients, because the authentication is not user-based, which means a token (such as SecurID or CRYPTOCard) is not used. Instead, the security comes from the workstation's IP address or its certificate, establishing the user's identity and ensuring the integrity of the network. An IPSec tunnel basically acts at the network layer, protecting all the data packets that pass through, regardless of the application.

Depending on the solution used, it is possible to control the type of traffic sent over a VPN. Many devices allow the administrator to define group-based filters that control which IP addresses and protocol/port services are allowed through the tunnel. IPSec-based VPNs also allow the administrator to define a list of specific networks and applications to which traffic can be passed.
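As an added illustration of the group-based tunnel filter just described (example code written for this page, not from the project or any vendor product), the following Python models a small per-group policy and evaluates packets against it: first matching rule wins, and anything that matches no rule, or comes from a group with no policy, is denied. The group names, networks and rule format are constructed assumptions, as is the sample flow list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One filter entry: destination network, protocol, inclusive port range, action."""
    dst_net: ipaddress.IPv4Network
    proto: str          # "tcp", "udp", "icmp" or "any"
    ports: tuple        # (low, high) inclusive; only consulted for tcp/udp
    action: str         # "allow" or "deny"


# Constructed policy (assumption for this example): the sales group may reach
# the CRM subnet over HTTPS and one mail host over IMAPS, nothing else; admins
# may reach the whole corporate range. Each group ends with an explicit deny-all
# so the intent is visible even though the evaluator also denies by default.
POLICY = {
    "sales": [
        Rule(ipaddress.ip_network("10.10.1.0/24"), "tcp", (443, 443), "allow"),
        Rule(ipaddress.ip_network("10.10.2.5/32"), "tcp", (993, 993), "allow"),
        Rule(ipaddress.ip_network("0.0.0.0/0"), "any", (0, 65535), "deny"),
    ],
    "admins": [
        Rule(ipaddress.ip_network("10.10.0.0/16"), "any", (0, 65535), "allow"),
        Rule(ipaddress.ip_network("0.0.0.0/0"), "any", (0, 65535), "deny"),
    ],
}


def tunnel_allows(group, dst_ip, proto, dst_port=0):
    """Return True if the first rule matching this packet permits it through the tunnel.
    Unknown groups and packets matching no rule are denied (default deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in POLICY.get(group, []):
        if ip not in rule.dst_net:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.proto in ("tcp", "udp") and not (rule.ports[0] <= dst_port <= rule.ports[1]):
            continue
        return rule.action == "allow"
    return False


# Constructed flow records (group, destination IP, protocol, destination port).
SAMPLE_FLOWS = [
    ("sales", "10.10.1.20", "tcp", 443),     # CRM over HTTPS: allowed
    ("sales", "10.10.1.20", "tcp", 22),      # SSH to CRM host: denied
    ("sales", "10.10.2.5", "tcp", 993),      # mail over IMAPS: allowed
    ("sales", "192.168.50.9", "udp", 53),    # off-policy network: denied
    ("admins", "10.10.1.20", "tcp", 22),     # admins may use SSH: allowed
    ("guest", "10.10.1.20", "tcp", 443),     # no policy for this group: denied
]


def denied_flows(flows=SAMPLE_FLOWS):
    """Flows a gateway would drop under POLICY; these are the ones worth logging."""
    return [flow for flow in flows if not tunnel_allows(*flow)]


if __name__ == "__main__":
    for flow in denied_flows():
        print("DENY", flow)
```

The explicit deny-all at the end of each group is redundant with the evaluator's default, but it mirrors how administrators usually write such filters so the policy reads the same way on the device and in a review.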

VPN products fall into three broad categories: hardware-based systems, firewall-based systems, and standalone application packages. Most hardware-based VPNs are encrypting routers, which are considered secure and simple to use, as they are the nearest thing to "plug-and-play" equipment available. However, they may not be as flexible as software-based systems, which are ideal in situations where both endpoints of a VPN are not controlled by the same organization, which is typical for business partnerships or when client support is required. Firewall-based VPNs are considered among the most secure, as they take advantage of the firewall's existing security mechanisms. However, if the firewall is already loaded, performance issues may pop up.

However, as the VPN market continues to evolve rapidly, the lines between different VPN architectures are increasingly blurred; many hardware vendors have added software clients to their product offerings, and extended their server capabilities to include the security features found in software- or firewall-based VPNs. Similarly, some standalone products have added support for hardware-based encryptors to boost their performance.

Companies providing managed VPN services will usually bundle other value-added services to their secure global connectivity such as consulting, design and support for emerging applications, such as voice over IP, e-commerce, and network-hosted applications.


As it is most commonly defined, a virtual private network (VPN) allows two or more private networks to be connected over a publicly accessed network. In a sense, VPNs are similar to wide area networks (WANs) or a securely encrypted tunnel, but the key feature of VPNs is that they are able to use public networks like the Internet rather than rely on expensive, private leased lines. At the same time, VPNs have the same security and encryption features as a private network, while taking advantage of the economies of scale and remote accessibility of large public networks.

A VPN is an especially effective means of exchanging critical information for employees working remotely in branch offices, at home, or on the road. It can securely deliver information between vendors, suppliers, and business partners, who may have a huge physical distance between them. Since companies no longer have to invest in the actual infrastructure themselves, they can reduce their operational costs by outsourcing network services to service providers. VPNs can also reduce costs by eliminating the need for long-distance telephone charges to obtain remote access, as clients need only call into the service provider's nearest access point.

VPNs today are set up a variety of ways, and can be built over ATM, frame relay, and X.25 technologies. However, the most popular current method is to deploy IP-based VPNs, which offer more flexibility and ease of connectivity. Since most corporate intranets use IP or Web technologies, IP-VPNs can more transparently extend these capabilities over a wide network. An IP-VPN link can be set up anywhere in the world between two endpoints, and the IP network automatically handles the traffic routing.


Privacy and protection of data is of utmost importance when deploying services over the Internet, where it can be vulnerable to attacks or illegal entry. Secure IP-VPNs are networks that are secured by encryption and authentication, and layered on an existing IP network. In response to security issues, the Internet Engineering Task Force (ietf.org) has developed the IP Security (IPSec) protocol suite, a set of IP extensions that offer strong data authentication and privacy guarantees.


Although security features differ from product to product, most IP-VPN providers generally offer private network tunnelling through the IP backbone, data encryption, authentication proxying, firewalling, and spam filtering.

What is a virtual private network?

A virtual private network is essentially a system that allows two or more private networks to be connected over a publicly accessible network, such as the Internet. It usually consists of an encrypted tunnel of some kind, although a VPN can take several forms, using different combinations of hardware and software technologies. They can exist between an individual machine and a private network, or a remote LAN and a private network.

What are the basic features of VPNs?

Aside from supporting basic LAN interfaces, a good VPN should have high-availability features such as redundant power supplies. Also, all VPNs require some kind of authorization protocol and encryption, although some companies may choose to opt out of the latter. Other advanced functions can be useful, such as data compression, routing ability, network address translation, bandwidth management capabilities and fail-over redundancy. When purchasing a ready-made VPN package from a solutions provider, it is often possible to get other bundled services to complement the network, such as voice over IP and other hosted applications.

Why would a company use a VPN?

A VPN service is an economical alternative to setting up a private network with expensive leased lines, as it can use existing IP infrastructure and equipment to connect remote users and offices. For offices with great distances between them, VPNs are ideal because they can provide connectivity for almost any location in the world, and without incurring long-distance charges. Also, the flexibility and relative simplicity of VPNs allows small- to medium-sized businesses the option to switch to a different provider, increase bandwidth, or add more offices to the network more freely than with other schemes. 

How do companies use VPNs?

Once a company connects to a VPN server, it can either use the same applications that it normally uses to connect to the Internet, or it can purchase or rent the appropriate devices, depending on the scope of the network. It can then be used to connect LANs in different sites, or give customers, clients and consultants access to corporate resources, provided they have compatible software and can be authenticated. Often VPNs are useful for mobile workers such as salespeople, for home workers or day extenders. 

Are extranets and VPNs the same thing?

Not really. An extranet is basically a glorified Web site, which allows clients or partners access to the corporate intranet for highly specific, often administrative functions. For example, an online newspaper's extranet might allow advertisers to change banner ads on its site. A VPN uses a protocol that allows a remote PC full access to a company's network neighbourhood, as if it were actually in the home office. Although extranets take a variety of forms, some of which can resemble a VPN, they do not have the same function. However, using a more sophisticated authentication and segmentation method, a company can build a separate extranet application on its VPN, possibly saving money in the process. 

How do VPNs save money?

By using a relatively cheap local dial-up or broadband connection, companies using VPNs save on telecommunications costs, and also reduce long-distance phone charges. They also cut down on operational costs by outsourcing the management of equipment used for remote access, as well as reducing the number of access lines running into a corporate site. In some cases, the company can "borrow" the necessary hardware from a VPN service provider, at no extra charge. Finally, a VPN can theoretically alleviate the support burden, as the public service provider is generally responsible for supporting its dial-up customers.

What about VPN performance?

There are a number of factors that can contribute to the VPN's performance. While some of the issues may be related to the hardware or software applications being used, much of it depends on the Internet itself. The availability and speed of IP services may differ from one area to the next, as well as the actual provider. Because of this, most VPN providers will not offer a guarantee on the latency of packets moving across the network. Performance also depends somewhat on the encryption scheme being used, as well as the client's ability to process it. Highly encrypted data takes considerably longer to transmit, especially on larger packets being sent through a dial-up line. 

What about network availability?

Since VPNs rely on a public network to connect PCs, they are often at the mercy of Internet service providers. Equipment problems can plague ISPs, or even the root servers that make up the core of the Internet, which means outages are always a possibility. Lately, ISPs are trying to improve the reliability of their networks by making them more redundant and upgrading their infrastructure, but few will offer 100 percent availability. Some providers will offer refunds or credits to compensate for any downtime that might be experienced. Companies must be realistic, and take into account the possibility of downtime when setting out on any endeavour.

What are the drawbacks of SLAs?

Service Level Agreements have evolved over the last few years to offer more guarantees on uptime, network delay, packet loss, interoperability and security, but they are still far from perfect. Many SLAs are written in confusing doubletalk, often with multiple disclaimers and limitations that you should be aware of. In some cases, they are dependent on special purchases and other agreements by the customer. Many service providers have unsatisfactory quality of service guarantees on latency or mean time to repair. Furthermore, VPN SLAs usually only apply to the specific ISP, and not traffic crossing over to another network. Some companies have worked out "extended SLAs" between multiple cooperating ISPs, although they rarely work. Customer-defined SLAs may become more common as the industry evolves. 

What are some common tunneling protocols?

The most popular tunneling protocols for VPNs are the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSec), and Layer 2 Tunneling Protocol (L2TP), which combines PPTP and Cisco Systems' Layer-2 Forwarding (L2F). SOCKS 5 is yet another approach, which follows a proxy server model and is considered among the most secure. Companies with very low security requirements may consider other alternatives, such as Secure Shell (SSH).

What type of encryption can be used?

Modern VPNs can use just about any common encryption technology available, and equipment vendors usually give their customers the choice. Triple DES (3DES) seems to be the standard in North America, although in some countries encryption strength is regulated by legislation, and a less robust technology must be used. Whether hardware- or software-based, all VPN providers offer some sort of encryption scheme, which can often be customized to suit the buyer.

How are VPN users authenticated?

VPNs usually require some sort of firewall, often a surprisingly simple "plug-and-play" solution provided by a vendor. The system is installed on as many LANs as needed, and keys are exchanged between the users in order to provide authentication. All VPNs require that an access device be configured to recognize and authenticate remote users. A wide range of techniques and products, both hardware- and software-based, are available from vendors. Stronger and more advanced authentication techniques, such as tokens or regulated access levels, can also be implemented.
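As an added illustration (example code written for this page, not the project's own) of two points the text makes, here and in the earlier paragraph on access devices: that the access device must already hold something for a user before a handshake can even begin, and that a captured VPN session should not let an intruder authenticate. The Python below sketches a pre-shared-key challenge-response between an access device and a remote client. Each run uses fresh nonces on both sides and the device consumes its challenge on first use, so a recorded exchange submitted again no longer matches anything the device is waiting for. The message layout, names and demo secret are assumptions for the example, not any real VPN protocol.

```python
import hmac
import hashlib
import secrets


def _proof(key, role, server_nonce, client_nonce):
    """HMAC over both fresh nonces; 'role' keeps client and server proofs distinct."""
    return hmac.new(key, role + server_nonce + client_nonce, hashlib.sha256).digest()


class AccessDevice:
    """The configured access device. It knows each user's pre-shared key (a constructed
    stand-in for this example; real devices use certificates or a token backend)."""

    def __init__(self, users):
        self._keys = dict(users)   # username -> pre-shared key (bytes)
        self._pending = {}         # username -> server nonce of the outstanding challenge

    def challenge(self, user):
        """Step 1: a user the device does not know gets no challenge at all."""
        if user not in self._keys:
            return None
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, server_nonce, client_nonce, client_proof):
        """Step 3: check the client's proof against the challenge actually issued.
        The challenge is consumed whether or not the proof is right, so a captured
        exchange replayed later fails. Returns the device's own proof on success
        (so the client can authenticate the device too), otherwise None."""
        key = self._keys.get(user)
        issued = self._pending.pop(user, None)
        if key is None or issued is None or not hmac.compare_digest(issued, server_nonce):
            return None
        expected = _proof(key, b"client", server_nonce, client_nonce)
        if not hmac.compare_digest(expected, client_proof):
            return None
        return _proof(key, b"server", server_nonce, client_nonce)


def client_respond(key, server_nonce):
    """Step 2: the client adds its own nonce and proves knowledge of the shared key."""
    client_nonce = secrets.token_bytes(16)
    return client_nonce, _proof(key, b"client", server_nonce, client_nonce)


def client_check(key, server_nonce, client_nonce, server_proof):
    """Step 4: the client authenticates the device before sending any traffic."""
    if server_proof is None:
        return False
    return hmac.compare_digest(_proof(key, b"server", server_nonce, client_nonce), server_proof)


def run_handshake(device, user, key):
    """Whole exchange in one call; True only when both sides are authenticated."""
    server_nonce = device.challenge(user)
    if server_nonce is None:
        return False
    client_nonce, client_proof = client_respond(key, server_nonce)
    server_proof = device.verify(user, server_nonce, client_nonce, client_proof)
    return client_check(key, server_nonce, client_nonce, server_proof)


# Constructed demo credential for the example, not a real secret.
DEMO_USERS = {"alice": b"constructed-psk-for-alice"}

if __name__ == "__main__":
    dev = AccessDevice(DEMO_USERS)
    print("alice, correct key:", run_handshake(dev, "alice", DEMO_USERS["alice"]))
    print("alice, wrong key:  ", run_handshake(dev, "alice", b"wrong-key"))
    print("unknown user:      ", run_handshake(dev, "mallory", b"anything"))
```

Two design choices are worth noting for a reviewer: the pending challenge is popped before the proof is compared, so a wrong answer cannot be retried against the same nonce, and `hmac.compare_digest` is used for every comparison so the check does not leak timing information about how many bytes matched.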





Copyright ©2002, 2003 ssuet projects.itgo.com All rights reserved.