VPN Motivation
Why is it useful to employ virtual private networks for business
communication? After all, separate private networks have been set up to
serve the specific communication needs of many businesses. What
advantages do you gain by converting the existing separate private
networks to an Internet-based VPN?
Ubiquitous Coverage
The Internet offers far wider coverage compared with the private data
network infrastructures offered by telecommunication providers. Adding
new destinations to a private network means adding new circuits.
Unlike the Internet, which has public and private peering points all
over the world, few interconnection agreements exist between the
service providers. Thus, the coverage of a private network is limited.
The Internet, on the other hand, is a vast interconnection of
heterogeneous networks. Any host connected to a network that is
connected to the Internet is in turn connected to any other host
connected to a network connected to the Internet.
Cost Reduction
Another advantage gained by using an Internet-based VPN is cost
reduction based on the system's economy of scale. Simply put, it
eliminates the need to purchase and maintain several special-purpose
infrastructures to serve the different types of communication needs
within a corporation.
Security
VPNs use cryptographic technology to provide data confidentiality and
integrity for the data in transit. Authentication and access control
restrict access to corporate network resources and services.
In traditional private networks, the security of the data during
transit relies on the telecommunication service provider's physical
security practices for data confidentiality. For example, frame relay
networks have no built-in provision for encrypting data frames.
Consequently, data frames, if intercepted, can be easily decoded. In
VPNs, you need not trust the perceived physical security of the
telecommunication service provider. Instead, data is protected by
cryptography.
E-Commerce
More and more business is being conducted using the Internet.
Electronic commerce is not only a major new method of retailing
merchandise (called "B2C" for business-to-consumer e-commerce), but it
is also a way for businesses to trade goods and services among
themselves (called "B2B" for business-to-business e-commerce).
Interconnectivity of businesses is essential, and the Internet is the
logical choice for the interconnection technology.
E-commerce must be secure. Private networks use physical separation for
security, but it is impractical to have a separate infrastructure for
each customer or B2B partner. Therefore, a closed, inflexible private
network is not well suited for supporting e-commerce. A public
infrastructure is more flexible but lacks security. VPNs provide both
interconnectivity and security.
1.1 Business Communication
There are many types of business communication. Broadly speaking,
business communication can be classified into three categories:
· Internal communication: The message is limited to selected internal
audiences. For example, a corporation may periodically distribute an
updated company employee directory to all its employees.
Confidentiality is essential.
· Selected external communication: The message is intended for selected
external audiences. For example, a retail store may want to order a
product from its supplier. Although not all communications of this type
are considered proprietary, one company's business with another is
generally confidential.
· Communication with public and other external audiences: The message
is intended for general public consumption. Sometimes, the wider
audience the message reaches, the better. For example, a company may
place a 30-second commercial during a sporting event to reach a large
audience. At other times, a targeted message is designed to cater to a
specific audience to maximize its impact. This type of communication is
generally not confidential.
Businesses have traditionally used specialized technologies for these
different types of communication and have managed them separately.
The Convergence of Business Communication
Although businesses have a variety of communication types, and hence
the need for different modes of communication, the digitization of
information, and the creation of computer networks to deliver it, have
been a unifying factor. Internal memos are now emails, and employee
directories are kept in databases. Orders can be placed online. The
World Wide Web provides a means for publishing sophisticated product
brochures. Although there will always be the need for traditional forms
of information dissemination, much business communication is converging
on a digital network.
The computer networking technologies are also converging. There used to
be many types and formats of computer networks, each developed by a
different vendor. IBM offered Systems Networking Architecture (SNA) for
its mainframe and minicomputers. Digital had DECNET, used in the
once-popular VAX computing environment. In the PC environment, Novell's
Netware was dominant and still is fairly widely used for PC
interconnections. Nonetheless, with the development of the Internet,
most computer networks have migrated to an IP-based infrastructure.
IP, the Internet Protocol, serves as the common format for all
connected network devices on the Internet.
Private Networks
To meet their information infrastructure needs, corporations have
invested heavily in internal networks called intranets. Intranets serve
the employees at the corporate site, but not employees on the road or
telecommuting from home. To accommodate the remote access needs of
"road warriors" and telecommuters, companies have set up remote access
servers to extend intranets into the field. Usually, a bank of modems
allows these users to dial in through public switched telephone
networks (PSTNs). Furthermore, employees at branch offices require
access to the same information and the same resources, so private lines
are used to interconnect the various sites to make one corporatewide
intranet.
Special arrangements are sometimes made to allow business partners to
have limited access to some part of the corporate intranet. These
networks, usually called extranets, provide the means to improve the
efficiency of business information flow.
Each form of access to the intranet is a separate private networking
solution. This is true even when some aspects of each solution, such as
the underlying networking protocols used, are the same. Each form of
access also has its own requirements for privacy, requirements that
are met by keeping data transmission on separate dedicated channels.
Public Networks
It is also imperative for a corporation to exchange information outside
the established private networks. This requires access to a public
networking infrastructure such as the Internet.
In addition, the public network opens a new avenue of commerce. It is
now unthinkable for a corporation not to have a presence in the World
Wide Web. For many companies, such as Amazon.com, there is no "brick
and mortar" storefront. The only place where they face customers is in
cyberspace.
Virtual Private Networks
Protection of private corporate information is of utmost importance
when designing an information infrastructure. However, the separate
private networking solutions are expensive and cannot be updated
quickly to adapt to changes in business requirements.
The Internet, on the other hand, is inexpensive but does not by itself
ensure privacy. Virtual private networking is the collection of
technologies applied to a public network, the Internet, to provide
solutions for private networking needs. VPNs rely on secure tunnels,
rather than physical separation, to keep communications private.
This introduction to VPNs covers the evolution of the VPN market, and
the latest technologies and solutions.
Advantages of VPNs
VPNs promise two main advantages over competing approaches: cost
savings and scalability (which is really just a different form of cost
savings).
The Low Cost of a VPN
One way a VPN lowers costs is by eliminating the need for expensive
long-distance leased lines.
With VPNs, an organization needs only a relatively short dedicated
connection to the service provider. This connection could be a local
leased line (much less expensive than a long-distance one), or it could
be a local broadband connection such as DSL service. Another way VPNs
reduce costs is by lessening the need for long-distance telephone
charges for remote access.
Recall that to provide remote access service, VPN clients need only
call into the nearest service provider's access point. In some cases
this may require a long-distance call, but in many cases a local call
will suffice.
A third, more subtle way that VPNs may lower costs is through
offloading of the support burden. With VPNs, the service provider
rather than the organization must support dial-up access, for example.
Service providers can in theory charge much less for their support than
it costs a company internally because the public provider's cost is
shared amongst potentially thousands of customers.
Scalability and VPNs
The cost to an organization of traditional leased lines may be
reasonable at first but can increase exponentially as the organization
grows. A company with two branch offices, for example, can deploy just
one dedicated line to connect the two locations. If a third branch
office needs to come online, just two additional lines will be required
to directly connect that location to the other two.
However, as an organization grows and more offices must be added to
the network, the number of leased lines required increases
dramatically. Four branch offices require six lines for full
connectivity, five offices require ten lines, and so on. Mathematicians
call this phenomenon a "combinatorial explosion," and in a traditional
WAN this explosion limits the flexibility for growth. VPNs that utilize
the Internet avoid this problem by simply tapping into the
geographically-distributed access already available.
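The growth described above, as an added worked equation that is not part of the original text: a full mesh of n offices needs one leased line per pair of offices, so the line count grows quadratically, while an Internet VPN needs only one access connection per office.

$$
\text{leased lines (full mesh)} = \binom{n}{2} = \frac{n(n-1)}{2}, \qquad
\text{VPN access connections} = n
$$

$$
\begin{array}{c|ccccc}
n & 2 & 3 & 4 & 5 & 20 \\ \hline
\binom{n}{2} & 1 & 3 & 6 & 10 & 190 \\
n & 2 & 3 & 4 & 5 & 20
\end{array}
$$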
Compared to leased lines, Internet-based VPNs offer greater global
reach, given that Internet access points are accessible in many places
where dedicated lines are not available.
Disadvantages of VPNs
With the hype that has surrounded VPNs historically, the potential
pitfalls or "weak spots" in the VPN model can be easy to forget. These
four concerns with VPN solutions are often raised.
1. VPNs require an in-depth understanding of public network security
issues and taking proper precautions in VPN deployment.
2. The availability and performance of an organization's wide-area VPN
(over the Internet in particular) depends on factors largely outside of
their control.
3. VPN technologies from different vendors may not work well together
due to immature standards.
4. VPNs need to accommodate protocols other than IP and existing
("legacy") internal network technology.
Generally speaking, these four factors comprise the hidden costs of a
VPN solution. Whereas VPN advocates tout cost savings as the primary
advantage of this technology, detractors cite hidden costs as the
primary disadvantage of VPNs.
What Exactly Is A VPN?
A VPN supplies network connectivity over a possibly long physical
distance. In this respect, a VPN is a form of WAN.
The key feature of a VPN, however, is its ability to use public
networks like the Internet rather than rely on private leased lines.
VPN technologies implement restricted-access networks that utilize the
same cabling and routers as a public network, and they do so without
sacrificing features or basic security.
A VPN supports at least three different modes of use:
Remote access client connections
LAN-to-LAN internetworking
Controlled access within an intranet
VPN Pros and Cons
Like many commercialized network technologies, a significant amount of
sales and marketing "hype" surrounds VPN. In reality, VPNs provide just
a few clear potential advantages over more traditional forms of
wide-area networking. These advantages can be quite significant, but
they do not come for free.
The potential problems with VPNs outnumber the advantages and are
generally more difficult to understand. The disadvantages do not
necessarily outweigh the advantages, however. From security and
performance concerns, to coping with a wide range of sometimes
incompatible vendor products, the decision of whether or not to use a
VPN cannot be made without significant planning and preparation.
Technology Behind VPNs
Several network protocols have become popular as a result of VPN
developments:
PPTP
L2TP
IPsec
SOCKS
These protocols emphasize authentication and encryption in VPNs.
Authentication allows VPN clients and servers to correctly establish
the identity of people on the network. Encryption allows potentially
sensitive data to be hidden from the general public.
Many vendors have developed VPN hardware and/or software products.
Unfortunately, immature VPN standards mean that some of these products
remain incompatible with each other.
The Future of VPN
The success of VPNs in the future depends mainly on industry dynamics.
Most of the value in VPNs lies in the potential for businesses to save
money. Should the cost of long-distance telephone calls and leased
lines continue to drop, fewer companies may feel the need to switch to
VPNs for remote access. Conversely, if VPN standards solidify and
vendor products interoperate fully with each other, the appeal of VPNs
should increase.
The success of VPNs also depends on the ability of intranets and
extranets to deliver on their promises. Companies have had difficulty
measuring the cost savings of their private networks, but if it can be
demonstrated that these provide significant value, the use of VPN
technology internally may also increase.
VPN technology is based on the idea of tunneling. Network tunneling
involves establishing and maintaining a logical network connection
(that may contain intermediate hops). On this connection, packets
constructed in a specific VPN protocol format are encapsulated within
some other base or carrier protocol, then transmitted between VPN
client and server, and finally de-encapsulated on the
For Internet-based VPNs, packets in one of several VPN protocols are
encapsulated within IP packets. VPN protocols also support
authentication and encryption to keep the tunnels secure.
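The encapsulation and de-encapsulation steps described above, written out as an added Python example (not code from the original page): a packet addressed between two private sites is wrapped in a carrier IPv4 packet addressed between the public tunnel endpoints, with an HMAC tag standing in for a VPN protocol's integrity protection. The shared key and all addresses are constructed values, and no encryption is applied, so the inner packet remains readable in the carrier, which is exactly why real VPN protocols add encryption on top of the tunnel.

```python
import hashlib
import hmac
import struct

PROTO_IPIP = 4          # IANA protocol number for IP-in-IP encapsulation
TAG_LEN = 32            # HMAC-SHA256 tag carried in front of the inner packet
TUNNEL_KEY = b"demo-shared-secret"   # constructed value; real tunnels negotiate keys

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    def ip2bytes(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ip2bytes(src), ip2bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]

def encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel entry: tag the inner packet, wrap it in a carrier packet between the endpoints."""
    tag = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()
    return build_ipv4(outer_src, outer_dst, PROTO_IPIP, tag + inner)

def decapsulate(carrier: bytes) -> bytes:
    """Tunnel exit: strip the carrier header, verify the tag, release the inner packet."""
    _, _, proto, body = parse_ipv4(carrier)
    if proto != PROTO_IPIP:
        raise ValueError("not a tunnel packet")
    tag, inner = body[:TAG_LEN], body[TAG_LEN:]
    expected = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed integrity check")
    return inner

if __name__ == "__main__":
    # Constructed sample: a packet between two private sites crosses the Internet
    # inside a carrier packet between two documentation-range public addresses.
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"branch office payload")
    carrier = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    print(b"branch office" in carrier)      # True: no encryption, inner data is visible
    print(decapsulate(carrier) == inner)    # True: tag verified, inner packet restored
```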
Two Types of VPN Tunneling
VPN supports both voluntary and compulsory tunneling. Both types of
tunneling can be found in practical use.
In voluntary tunneling, the VPN client manages connection setup. The
client first makes a connection to the carrier network provider (an ISP
in the case of Internet VPNs). Then, the VPN client application creates
the tunnel to a VPN server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN
connection setup. When the client first makes an ordinary connection to
the carrier, the carrier in turn immediately brokers a VPN connection
between that client and a VPN server. From the client point of view,
VPN connections are set up in just one step compared to the two-step
procedure required for voluntary tunnels.
Compulsory VPN tunneling authenticates clients and associates them with
specific VPN servers using logic built into the broker device. This
network device is sometimes called the VPN Front End Processor (FEP),
Network Access Server (NAS), or Point of Presence (POP) server.
Compulsory tunneling hides the details of VPN server connectivity from
the VPN clients and effectively moves control over the tunnels from
clients to the ISP. In return, service providers must take on the
additional burden of installing and maintaining FEPs.
VPN Tunneling Protocols
Several interesting network protocols have been implemented
specifically for use with VPN tunnels. The three most popular VPN
tunneling protocols listed below continue to compete with each other
for acceptance in the industry. These protocols are generally
incompatible with each other.
Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification.
People generally associate PPTP with Microsoft because nearly all
flavors of Windows include built-in client support for this protocol.
The initial releases of PPTP for Windows by Microsoft contained
security features that some experts claimed were too weak for serious
use. Microsoft continues to improve its PPTP support, though.
Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol
implemented primarily in Cisco products. In an attempt to improve on
L2F, the best features of it and PPTP were combined to create new
standard called L2TP. Like PPTP, L2TP exists at the data link layer
(Layer Two) in the OSI model, hence the origin of its name.
Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be
used as a complete VPN protocol solution, or it can be used simply as the
encryption scheme within L2TP or PPTP. IPsec exists at the network
layer (Layer Three) in OSI.
Virtual private networks (VPNs) provide an encrypted connection between
a user's distributed sites over a public network (e.g., the Internet).
By contrast, a private network uses dedicated circuits and possibly
encryption. This page describes IP-based VPN technology over the
Internet, though an organization might also deploy VPNs on its internal
networks (intranets) to encrypt sensitive information. The basic idea is
to provide an encrypted IP tunnel through the Internet that permits
distributed sites to communicate securely. The encrypted tunnel provides
a secure path for network applications and requires no changes to the
application.