VPNs are connections that allow private data to be sent securely over a shared or public network. A virtual private network is a way to maintain fast, secure, and reliable communications wherever offices and workers are located. Virtual private networks (VPNs) allow companies to extend their network service to branch offices and remote users such as traveling employees, telecommuters, and strategic partners.
In today's New Economy, small businesses that might have dealt with just local or regional concerns now have to consider global markets and logistics. Many companies even have facilities spread across the country or throughout the world. At the same time, security concerns about their networks, from hackers, Denial-of-Service (DoS) attacks and sending data over the Internet, have become more widespread. Whether companies have a local, national, or global presence, they all need one thing: a way to maintain fast, secure, and reliable communications wherever their offices and workers are located.

Until recently, such communications were only available by using leased telephone lines to maintain a Wide Area Network (WAN). Leased lines enabled companies to expand their private network beyond their immediate geographic area. Moreover, a WAN provided advantages over a public network like the Internet when it came to reliability, performance, and security. Unfortunately, leased lines are expensive to maintain, with costs rising as the distance between the offices increases.

As the popularity of the Internet grew, businesses turned to it as a cost-effective way to extend their networks. The continuing popularity of the Internet has led to the evolution of Virtual Private Networks (VPNs). A VPN is a connection that allows private data to be sent securely over a shared or public network, such as the Internet. In fact, one of the driving forces behind VPNs is the Internet and its global presence. With VPNs, communication links between users and sites can be achieved quickly, inexpensively, and safely across the world. In this way, VPNs empower organizations to extend their network service to branch offices and remote users such as traveling employees, telecommuters, and strategic partners by creating a private WAN via the Internet. With all these benefits, small businesses are also eager to reap the advantages afforded by VPNs. However, they're also eager to learn more first.
This paper explains what a VPN is and how VPNs provide secure, private connections to network applications. By reading this paper, you will gain a fundamental understanding of VPNs, including their security mechanisms, benefits, and cost-saving advantages.

What is a VPN?

Internet technologies have changed the way that companies disseminate information to their employees, customers, partners, and suppliers.

Everybody's connecting.

Initially, companies were conservative with the information they published on the Internet: product information, product availability, and other less business-critical items. More recently, using VPNs across the Internet has gained wider acceptance as a way to provide more cost-effective access to business-critical information. A VPN is a combination of software and hardware that allows mobile employees, telecommuters, business partners, and remote sites to use a public or "unsecured" medium such as the Internet to establish a secure, private connection with a host network. With a VPN deployed across the Internet, virtual private connections can be established from almost anywhere in the world.

From the user's perspective, a VPN connection is a point-to-point connection between the user's computer and the company's server. The nature of the intermediate internetwork is irrelevant to the user because it appears as if the data is being sent over a dedicated private link. In this way, the secure connection across the internetwork appears to the user as a private network communication, despite the fact that this communication is occurring over a public internetwork, hence the name Virtual Private Network.

VPN Security

Because the Internet facilitates the creation of VPNs from anywhere, networks need strong security features to prevent unwelcome access to private networks and to protect private data as it traverses the public network. After all, companies that have expectations of privacy over their own networks have the same expectation when the Internet is involved. Unfortunately, as data travels between users and their remote offices, it can pass through 25 or more different servers around the world before reaching its final destination. With so many potentially prying eyes, the data should be secured through some form of encryption. Figure 1 shows an example of a VPN.

Figure 1. Example of a VPN
Encryption

A key component of a VPN solution is providing data privacy. Without an explicit way to provide data privacy, information traveling over an unsecured channel like the Internet is transmitted in clear text. Data transmitted in clear text can be viewed or even stolen through common "sniffing" programs and/or devices that monitor data traveling over a network. Tools such as a protocol analyzer or the network diagnostic tools built into today's operating systems can easily "see" the clear-text information as it is transmitted. Companies are also concerned that some private data may not be encrypted by the VPN before it is transmitted on the public wire. IP headers, for example, will contain the IP addresses of both the client and the server. Hackers may capture these addresses and choose to target these devices for future attacks.

To ensure data privacy and protect valuable transmitted data against "man-in-the-middle" attacks, encryption techniques are required to scramble clear text into cipher text. Encryption scrambles a message into cipher text. The cipher text is then sent to the recipient, who decrypts the message back into clear text again. This encryption/decryption process on the parts of the sender and receiver of the message combines to form a cryptosystem. There are two types of cryptosystems: private key and public key, each described in the sections that follow.

Private Key (Symmetric) Cryptosystems

A private key cryptosystem uses the same secret, fixed-length bit string as a key for both encryption and decryption. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the private key. Figure 2 shows an example of how data flows in a private key cryptosystem. In this example, the originator encrypts the message "abc" using the secret key, transforming it into the cipher text ">?@". Anyone that has the same secret key can then decrypt the message ">?@" back into the original message of "abc".
Figure 2. Example of a Private Key (Symmetric) Cryptosystem

Some common symmetric encryption algorithms include:

- Data Encryption Standard (DES): DES takes a 64-bit block of data and a 56-bit key and produces a 64-bit block of encrypted data.
- RC4: an alternative to DES that uses the same key to scramble and descramble packets. RC4 uses either 40- or 128-bit encryption and is approximately 10 times faster than DES.
- Triple-DES (3-DES): an even more highly sophisticated encryption mechanism that uses three keys instead of one, thereby providing a much higher level of security than DES.

Each of these algorithms differs in bit length (or "strength"). The strength of the algorithm establishes the amount of effort required to break the system. The longer the bit length, the "stronger" the encryption algorithm and the greater the effort required to break the system.

A private key cryptosystem suffers from the following drawbacks:

- Since the "secret key" is used for both encryption and decryption, anyone who steals the key can steal all the data that is currently or has already been encrypted, jeopardizing all present and past communications using the shared key. Because of this danger, the keys must be delivered in a protected manner such as a direct face-to-face negotiation or a telephone call exchange.
- Since the privacy of all data communications is based on the integrity of the secret key, it is important to replace keys periodically. Replacing keys on a frequent basis presents hackers with a very small window of access to the system, thereby providing a greater level of privacy.

Public Key (Asymmetric) Cryptosystems

A public key cryptosystem uses a pair of mathematically related keys:

- a private key that is kept secret within the system, and
- a public key that can be made known to the public.

Because one of the two elements, the public key, is made available to the general public, the initial creation and exchange of a "shared secret key" that is used for secure communications can be accomplished more easily than with a private key cryptosystem. Two public key cryptosystems that are commonly used within VPN solutions today are Diffie-Hellman (DH) and Rivest Shamir Adleman (RSA). Figure 3 shows an example of a private key (symmetric) cryptosystem.

Figure 3. Example of a Private Key (Symmetric) Cryptosystem

User Authentication and Access Control

Up to this point, this paper has discussed the encryption aspects of VPNs. Equally as important is the process of ensuring that users are who they say they are. The following sections describe the steps taken to address and resolve these security concerns.

Internet Protocol Security

Internet Protocol Security (IPSec) is a framework of open standards developed by the Internet Engineering Task Force (IETF) to ensure data privacy, data authentication, and user authentication on public networks. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs.
One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.

Data and User Authentication

Data authentication methods can be used to verify that communications have not been modified in transit. With user authentication, the identity of the remote user must be verified before that user is granted access to the corporate network. With this method, unauthorized individuals are denied access to the network. This process is arguably the most important element of any VPN solution. There are a number of user-authentication methods. These include:

Pre-shared secrets

Pre-shared secrets are passwords that are distributed to users "out of band," or independent of the VPN technology infrastructure. They offer an easy way to deploy VPNs quickly to a limited number of remote users. However, shared secrets do not provide robust scalability for large remote user environments.

Digital certificates

Digital certificates are electronic credentials for proving user identity. These electronic credentials can be stored on the remote computer or on tokens carried by the user. Management of digital certificates, including distribution and revocation, is automated by a Public Key Infrastructure (PKI). PKIs offer a stronger and more scalable authentication infrastructure than shared secrets, but are more expensive and complex to deploy.

Hybrid Mode Authentication

Hybrid Mode Authentication allows organizations to integrate legacy authentication schemes such as SecureID, TACACS+, and RADIUS with VPNs. Without Hybrid Mode Authentication, these schemes must be replaced by shared secrets or digital certificates to deploy a VPN, which can be a complex and costly process.

Goals and Types of VPNs

VPNs address the following three goals:

- They provide remote, traveling, and telecommuting workers with access to central network resources.
- They securely interconnect satellite offices to enable corporate intranets.
- They supply partners, suppliers, and customers with controlled access to selected network resources.

Historically, remote access has been the strongest of the three goals for VPN adoption, but this situation is changing. While remote access remains at the top of the list, the goals of establishing intranets and extranets have emerged. Today, an equal percentage of network managers are building VPN-based extranets and VPN-based remote-access solutions, with the goal of interconnecting internal offices close behind. To achieve these objectives, VPNs have evolved into the following three classifications:

VPN Type / Description

- Remote-access VPNs: Allow remote workers and telecommuters to connect to the company's corporate information resources inexpensively using the Internet or an Internet Service Provider's (ISP's) backbone.
- Intranet-based VPN: An internal, TCP/IP-based, password-protected network that businesses use to share information with employees and others with authorization.
- Extranet-based VPN: A network that allows controlled network access from external networks, such as from customers, trading partners, suppliers, partners, and business associates. When a company has a close relationship with other companies, it may want to build an extranet-based VPN that connects its LAN to the LAN of the other companies.
A key ingredient of VPN solutions is that the same network infrastructure can be used to support all three types of VPNs. A single VPN can support remote-access users, intranets, and extranets. The following sections describe these VPN types, and Figure 4 illustrates them.

Figure 4. Examples of Three VPN Types

Summary of VPN Benefits

A well-designed VPN can provide companies with significant advantages, including:

- Extended geographic connectivity
- Improved security
- Reduced operational costs versus traditional WAN
- Reduced transit time and transportation costs for remote users
- Improved productivity
- Simplified network topology
- Global networking opportunities
- Telecommuter support
- Broadband networking compatibility
- Faster return on investment than traditional WAN technology
- Scalability that provides a comprehensive solution for cost-effective remote access, intranet, and extranet connectivity using public data services
Cost-Saving Advantages

In addition to the benefits mentioned above, VPNs enable small businesses to save from 30% to 70% over competing remote-access solutions. For connectivity outside the US, the savings can reach 90%. The following sections provide additional information about the cost savings that can be achieved with VPNs.

Eliminating Pricey Leased Lines

One way a VPN lowers costs is by eliminating the need for companies to procure expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to an ISP. This connection can be a local broadband connection such as Digital Subscriber Line (DSL) service, cable service, or a local leased line (which is considerably less expensive than a long-distance leased line). This factor alone convinces many organizations to eliminate other remote-access methods in favor of VPN solutions.

Reducing Long-Distance Dependence

Another way VPNs reduce costs is by allowing remote employees to access the corporate LAN via the Internet by placing a local call into the nearest ISP's POP. This provides a three-fold cost savings. Firstly, local Internet calls are significantly less expensive than pricey long-distance calls. Secondly, companies do not have to support expensive toll-free 800 telephone numbers to accommodate their remote employees. Thirdly, remote employees located at international venues can be supported inexpensively (see "Reduced International Calling Expenses," next).

Reduced International Calling Expenses

VPNs can also slash communications costs significantly for companies that have many international sites. Typically, the cost to link a European site to a North American headquarters office can be high when using leased lines or data services such as frame relay. A VPN built around an ISP with POPs in countries where there are branch offices allows the international sites to pay only for dedicated Internet access to that POP. This method is much less expensive than paying for a long-distance link back to the United States. In fact, some studies show that international remote access VPNs can yield cost savings of between 60 and 90% over other remote-access solutions.

Obviating Multiple Access Lines

Some organizations have multiple access lines: one to carry data back to headquarters and a second for Internet access. In fact, some industry studies have found that as many as 72% of sites have multiple access lines. Using a VPN, a branch office with multiple links can eliminate its data lines and move traffic over the existing Internet access connection, resulting in dramatic cost savings.

Reduced Equipment Costs

VPN equipment is much less expensive to deploy and maintain than equipment required for other remote-access solutions. According to a recent survey by Giga Information Group, domestic remote access VPNs can yield cost savings of 20 to 70% over other remote-access equipment.

Offloading Support Burden

Another, more subtle way that VPNs lower costs is by offloading the support burden. With VPNs, the ISP handles remote access rather than the organization. ISPs can, in theory, charge much less for their support than it costs a company internally, because the public provider's cost is shared among potentially thousands of customers. In addition, ISPs possess the knowledge and capabilities for maintaining remote access, which may exceed a company's own core expertise.

Scalability and VPNs

The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two. However, as an organization grows and more offices must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. In a traditional WAN, this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically distributed access already available.

Additional Advantages

The real benefits of VPNs lie not in cost savings, but in coverage and openness. VPNs, particularly Internet-based VPNs, are unmatched in their potential for global coverage. No other network service offers the global footprint available by using the Internet. The same can be said about the openness of the standards-based IP protocol. If there's an intranet or extranet in your company's future, no other network infrastructure will get you there more directly than a VPN.

VPN Tunneling

VPN technology is based on a tunneling strategy. Tunneling creates a private network that spans the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by the source and destination points (called tunnel interfaces) where the packet enters and exits the network. Tunneling utilizes three different protocols:

- Carrier protocol: The protocol used by the network that is carrying the information.
- Encapsulating protocol: The protocol that is wrapped around the original data.
- Passenger protocol: The original data being carried.

To better understand how these components work, think of tunneling as a package delivered to you by an overnight-delivery service. The sender places the package (passenger protocol) in an envelope (encapsulating protocol), which is then put on a delivery truck (carrier protocol) at the sender's office (entry tunnel interface). The truck (carrier protocol) travels over the roads (Internet) to your home (exit tunnel interface) and delivers the package. You open the package (encapsulating protocol) and remove the contents (passenger protocol). Tunneling is just that simple.

Tunneling has significant implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Furthermore, you can insert a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.

NETGEAR Solutions

NETGEAR's FVS318 Cable/DSL ProSafe VPN Firewalls provide the ability to establish multiple VPN tunnels using IPSec DES or 3-DES encryption technology. These routers can be used together to establish and terminate a VPN tunnel, without the need for VPN client software. Conversely, they can be used in conjunction with standard VPN client software (SafeNet) when using multiple routers is not practical. The latter example could apply to a mobile workforce, such as a salesperson.
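The tunneling passage above (a private, non-routable passenger packet carried between two public tunnel interfaces) and the earlier point that data authentication detects modification in transit can be seen together in the following Python. It is an added illustration, not code from this paper or from NETGEAR, and not the IPsec wire format: the carrier is a plain IPv4 header with the real IP-in-IP protocol number 4, the integrity trailer is a constructed HMAC-SHA256 tag, and the key and addresses are constructed sample values (the public endpoints use documentation address ranges).

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number: an IPv4 packet carried inside IPv4
TAG_LEN = 12      # truncated HMAC-SHA256 trailer appended to the passenger packet (our construction)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement header checksum; yields 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject truncated, non-IPv4 or checksum-damaged headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)), proto, packet[ihl:total_len])


def tunnel_send(inner: bytes, entry_if: str, exit_if: str, key: bytes) -> bytes:
    """Entry tunnel interface: tag the passenger packet (so modification in transit is
    detectable), then wrap it in a carrier header addressed between the public tunnel endpoints."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()[:TAG_LEN]
    return build_ipv4(entry_if, exit_if, IPPROTO_IPIP, inner + tag)


def tunnel_receive(carrier: bytes, key: bytes) -> bytes:
    """Exit tunnel interface: unwrap the carrier, check the trailer in constant time and
    hand back the untouched passenger packet, private addresses and all."""
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != IPPROTO_IPIP or len(payload) < 20 + TAG_LEN:
        raise ValueError("carrier is not a tagged IP-in-IP packet")
    inner, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("passenger packet modified in transit (data authentication failed)")
    return inner


def delivers_intact(carrier: bytes, key: bytes) -> bool:
    """True when the exit interface accepts the carrier, False when it rejects it."""
    try:
        tunnel_receive(carrier, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key shared by both tunnel interfaces
    # Constructed sample: a passenger packet between private, non-routable addresses ...
    passenger = build_ipv4("10.1.2.3", "10.9.8.7", 17, b"hello")
    # ... carried between two public tunnel endpoints (documentation addresses).
    carrier = tunnel_send(passenger, "203.0.113.5", "198.51.100.9", KEY)
    print(parse_ipv4(carrier)[:3])                   # ('203.0.113.5', '198.51.100.9', 4)
    print(tunnel_receive(carrier, KEY) == passenger)  # True
    damaged = carrier[:40] + b"j" + carrier[41:]      # one byte of the passenger flipped in transit
    print(delivers_intact(damaged, KEY))              # False
```

Note that the carrier header is only checksummed, not authenticated: the tag protects the passenger packet, while the outer addresses remain visible on the public wire, which is the exposure the Encryption section describes.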
Other routers that support IPSec pass-through, such as NETGEAR's RP614 Cable/DSL Web Safe Router, can be used at a remote site to terminate a VPN tunnel, provided the PCs at the remote site are using a VPN client. Clearly, the most practical and easy-to-deploy method would be to have VPN-enabled FVS318s at both sites, which would eliminate the need for VPN client software on each computer.

Conclusion

This paper has shown that VPNs deliver tangible business benefits, with secure communications and significant cost savings versus other remote-access solutions. Moreover, end users do not need to know anything about VPN client software or hardware to establish a VPN tunnel and access the company LAN. When a user wants to check e-mail remotely, for example, the user simply opens his or her e-mail client and requests a download as if connected to the company LAN.

One of the most exciting aspects of VPNs is that everyone can benefit from these solutions. In the beginning days of the technology, early adopters were the largest and the smallest of companies. Large enterprises viewed VPNs as a way to contain escalating WAN costs, connect remote users, and integrate partners, suppliers, and customers into their networks. Very small companies adopted VPNs because they were the first real WAN or remote-access solutions they could afford. Today, VPNs are equally appealing to companies of all sizes. Even small businesses are finding compelling reasons to implement VPNs. Many view VPNs as a competitive advantage, specifically because of their global coverage and the relative ease with which they can be extended to create extranets.

VPNs also have universal appeal across industry types. The earliest adopters included high-technology firms, computer services, and communications companies. Businesses in other industries, including insurance, real estate, manufacturing, and finance, have since found VPNs beneficial. As the technology continues to grow, success stories are coming from other industries as well, including education, health services, transportation, and government. Even the US military takes advantage of VPN benefits. With the decrease in the cost of VPN technology, it is not surprising to see small businesses taking advantage of the savings realized by embracing and deploying these networks.

With all of the interest in VPNs, analysts predict tremendous growth. By late 2001, nearly 70% of businesses with networking needs are expected to be testing VPNs or using them in a production environment. Given the growing interest in and increasing deployment of VPNs, it is vital to scale that interest in terms of security. Possessing a better understanding of VPNs and their security mechanisms empowers companies to expand the borders of their business without increasing the vulnerability of their information assets. It also enables you to make a well-informed decision when evaluating VPN solutions.

Information Links