VPN Introduction
VPN is an acronym for Virtual Private Network: a private data network (usually used
within a company, or by several different companies or organizations) whose secure
connection is created over a public network by using tunneling-mode encryption and
other security procedures. The tunneling-mode encryption and security procedures
ensure that only authorized users can access the network and that data cannot be
intercepted.
VPN message traffic is carried either on public networking infrastructure, e.g. the
Internet, using standard (often insecure) protocols, or over a service provider's network
that provides VPN service guarded by a well-defined Service Level Agreement (SLA)
between the VPN customer and the VPN service provider.
The main purpose of a VPN is to give the company the same protected sharing of data
that private leased lines provide, but over public resources and at a much lower cost,
by using the shared public infrastructure.
How it Works: To make use of the VPN, the remote user's workstation must have
the VPN client software installed. A firewall sits between the remote user's workstation or
client and the host network or server. When a connection to the corporate network is
attempted, the VPN client software first connects to the VPN server by means of a
tunneling protocol. After the remote computer has been successfully authenticated,
a secure connection (a secret tunnel) is formed between it and the VPN server, and all
subsequent data exchanged through this tunnel is encrypted at the sending end and
correspondingly decrypted at the receiving end of the tunnel. As such, the network
tunnel between them, even though established through the untrusted Internet, is still
considered secure enough that the remote computer can be trusted by local computers
on the corporate LAN.
In short:
You connect to the Internet through your ISP. The VPN client software on your computer
initiates a connection with the VPN server. The VPN server encrypts the data on the
connection so it cannot be read by others while it is in transit. The VPN server decrypts
the data and passes it on to other servers and resources.
For better security, many VPN client programs can be configured to require that all IP
traffic pass through the tunnel while the VPN is active. From the user's standpoint,
this means that while the VPN client is active, all access outside their employer's secure
network must pass through the same firewall as would be the case while physically
connected to the office Ethernet. This reduces the risk that an attacker might gain access
to the secured network.
Such security is important because other computers local to the network on which the
client computer is operating may not be fully trusted. Even with a home network that is
protected from the outside internet by a firewall, people who share a home may be
simultaneously working for different employers over their respective VPN connections
from the shared home network. Each employer would therefore want to ensure their
proprietary data is kept secure, even if another computer in the local network gets
infected with malware. And if a travelling employee uses a VPN client from a Wi-Fi
access point in a public place, such security is even more important. However, the use of
IPX/SPX is one way users might still be able to access local resources.
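As an added illustration that is not part of the original text, the following Python models the "all IP traffic must pass through the tunnel" requirement described above: it compares a split-tunnel route table with a full-tunnel one and lists the destinations that would leave the host outside the tunnel. The interface names, addresses and route tables are constructed for this example.

```python
from ipaddress import ip_address, ip_network

VPN_SERVER = "203.0.113.5"  # constructed: the tunnel endpoint, reached directly by design

# Constructed route tables as (prefix, interface); "tun0" is the VPN tunnel and
# "wlan0" the local, untrusted Wi-Fi interface. Longest prefix match wins.
SPLIT_TUNNEL = [("0.0.0.0/0", "wlan0"), ("10.0.0.0/8", "tun0")]
FULL_TUNNEL = [("0.0.0.0/0", "tun0"), (VPN_SERVER + "/32", "wlan0")]

def egress(routes, dst):
    """Return the interface a packet to dst leaves through (longest prefix match).
    A default route is assumed to be present, so there is always a match."""
    addr = ip_address(dst)
    matches = [(ip_network(p), iface) for p, iface in routes if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def leaking(routes, destinations):
    """Destinations (other than the tunnel endpoint itself) that bypass the tunnel.
    An empty result means every flow is forced through the corporate firewall."""
    return sorted(d for d in destinations
                  if d != VPN_SERVER and egress(routes, d) != "tun0")

# Constructed sample destinations: an internal server, two Internet hosts, the VPN server.
SAMPLE_DESTINATIONS = ["10.1.2.3", "198.51.100.7", "192.0.2.44", VPN_SERVER]
```

With the split-tunnel table both Internet hosts leave via wlan0; with the full-tunnel table only the VPN server itself does.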
Different Types of VPN
Remote Access (RAS) VPN - Under this application only a single VPN gateway is
involved. The other party involved in negotiating the secure communication channel
with the VPN gateway is a PC or laptop that is connected to the Internet and running
VPN client software. The VPN client allows telecommuters and traveling users to
communicate on the central network and access servers from many different locations.
Benefit: Significant cost savings by reducing the burden of long-distance charges
associated with dial-up access. Also helps increase productivity and peace of mind by
ensuring secure network access regardless of where an employee physically is.
Benefit: Substantial cost savings over traditional leased-line or frame relay technologies
through the use of the Internet to bridge potentially long distances between sites.
Benefit: Businesses enjoy the same policies as a private network, including security,
QoS, manageability, and reliability.
Advantages of VPN
Cost Saving
VPNs eliminate the need for expensive long-distance leased lines. A company requires
only a relatively short dedicated connection to the service provider. The connection can
be either a local broadband connection such as DSL service or a local leased line. Both
of these connections are much cheaper than long-distance leased lines. Service providers
can in theory charge much less for their support than it would cost a company internally,
because the public provider's cost is shared amongst potentially thousands of customers.
Scalability
The cost of using traditional leased lines may be reasonable at the beginning, but as
the organization grows the number of leased lines required increases exponentially as
more branches must be added to the network. With a VPN, a company can simply tap
into the geographically distributed access already available, which is limited in the
case of traditional leased lines.
Disadvantages of VPN
Listed below are some of the potential pitfalls of VPNs:
Lack of Security
The other major downside of VPNs relates to guaranteeing adequate bandwidth for the
work being done. Every use of the Internet consumes bandwidth; the more users there
are, the less bandwidth there is for any single user. Some VPN service providers offer
guaranteed bandwidth, and private networks can be built with guaranteed bandwidth
allocations; however, these options increase the cost of the system.
The need to accommodate protocols other than IP and existing ("legacy") internal
network technology.
VPN technologies from different vendors may not work well together because of
differing standards compliance or immature standards.
Cost saving - Because SSL VPNs can be clientless, the cost of deploying clients
is saved.
Platform independent & mobile - Access can be granted from many types of
machine (Linux, Windows, PDAs) and from many locations.
No NAT issues - SSL VPNs do not suffer from Hide Network Address Translation
(Hide NAT) issues because they are not tied to the IP layer.
Protocol redirectors
More flexible than application layer proxies, but not truly clientless in their
operation. They work by downloading a mini-client from the gateway, which installs
locally and redirects traffic.
Remote control enhancers are usually used alongside other SSL VPN technologies
because applications that reside on the local desktop cannot be used directly.
Advantages of remote control enhancers: They offer features like the ability to read and
update a document held centrally without ever having to download the entire
document.
VPN Firewalls
How it Works
Firewalls function with a set of filters that continuously monitor traffic on the
network. Whenever a packet of information triggers one of the filters, the firewall
prevents it from passing through, to prevent any unwanted damage. Of course, firewalls
sometimes block wanted traffic, and through a continual process of refinement the filters
can be customized to improve their efficacy.
VPN Tunnel
A VPN tunnel establishes a secure connection between two sites over the Internet.
The tunnel's parameters are defined in a crypto map entry. Crypto map entries with the
same crypto map name but different map sequence numbers are grouped into a crypto
map set, which is applied to the VPN interfaces on the relevant devices. All IP traffic
passing through the interface is evaluated against the applied crypto map set. If a crypto
map entry sees outbound IP traffic that should be protected and the crypto map specifies
the use of IKE, a security association is negotiated with the remote peer according to the
parameters included in the crypto map entry.
When two peers try to establish a security association, they must each have at least one
crypto map entry that is compatible with one of the other peer's crypto map entries. The
minimum criteria for two crypto map entries to be compatible are:
The crypto map entries must contain compatible crypto access lists (for
example, mirror-image access lists). If the responding peer is using dynamic
crypto maps, the entries in the local crypto access list must be "permitted" by the
peer's crypto access list.
The crypto map entries must each identify the other peer (unless the responding
peer is using dynamic crypto maps).
The crypto map entries must have at least one transform set in common.
Tunnel policies define the VPN connection between two peers. They specify which traffic
will be secured and the authentication and encryption algorithms that will be used to
secure the traffic.
A tunnel policy's priority is indicated by its position in the list of policies (a higher
position indicates higher priority). If a traffic flow matches the filter conditions in more
than one tunnel policy, the policy with the highest priority is applied. You can change
the order of the policies in the list according to the priority you want them to have.
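The following Python is an added example, not code from the original text or from any vendor's implementation: it encodes the three compatibility criteria for crypto map entries listed above (mirror-image or "permitted" crypto access lists, mutual peer identification, a shared transform set) and the position-based priority of tunnel policies. The data structures, transform set names and addresses are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_network

Ace = namedtuple("Ace", "action src dst")  # crypto ACL entry: "permit"/"deny", src, dst CIDR
@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                  # map sequence number
    peer: str                 # remote peer this entry identifies ("" for dynamic maps)
    acl: tuple                # crypto access list (Ace entries, in order)
    transform_sets: frozenset # transform set names this entry offers
    dynamic: bool = False
def covered(flow, permits):
    """True if some permit ACE contains both the source and destination of flow."""
    s, d = ip_network(flow[0]), ip_network(flow[1])
    return any(s.subnet_of(ip_network(p.src)) and d.subnet_of(ip_network(p.dst))
               for p in permits)

def compatible(local, local_addr, remote, remote_addr):
    """Apply the three minimum criteria from the text to one pair of entries."""
    local_permits = [a for a in local.acl if a.action == "permit"]
    remote_permits = [a for a in remote.acl if a.action == "permit"]
    if remote.dynamic:  # responder uses dynamic maps: it need not name us, but each
        # local protected flow, seen from its side, must be permitted by its ACL
        acl_ok = all(covered((a.dst, a.src), remote_permits) for a in local_permits)
        peer_ok = local.peer == remote_addr
    else:  # static maps: mirror-image crypto ACLs, and each entry names the other
        acl_ok = ({(a.src, a.dst) for a in local_permits}
                  == {(a.dst, a.src) for a in remote_permits})
        peer_ok = local.peer == remote_addr and remote.peer == local_addr
    ts_ok = bool(local.transform_sets & remote.transform_sets)
    return acl_ok and peer_ok and ts_ok

def select_policy(policies, src, dst):
    """Policies are ordered by priority: the first whose filter matches is applied."""
    for pol in policies:
        if covered((src, dst), [a for a in pol.acl if a.action == "permit"]):
            return pol.seq
    return None

# Constructed sample (documentation addresses): head office, branch, and a hub entry
# accepting dynamic peers; BRANCH_BAD_TS shares no transform set with HQ.
HQ_ADDR, BRANCH_ADDR = "203.0.113.1", "198.51.100.1"
HQ = CryptoMapEntry(10, BRANCH_ADDR, (Ace("permit", "10.1.0.0/16", "10.2.0.0/16"),),
                    frozenset({"esp-aes-256-sha256", "esp-3des-sha"}))
BRANCH = CryptoMapEntry(10, HQ_ADDR, (Ace("permit", "10.2.0.0/16", "10.1.0.0/16"),),
                        frozenset({"esp-aes-256-sha256"}))
BRANCH_BAD_TS = CryptoMapEntry(20, HQ_ADDR, BRANCH.acl, frozenset({"esp-3des-md5"}))
DYN_HUB = CryptoMapEntry(65535, "", (Ace("permit", "10.0.0.0/8", "10.0.0.0/8"),),
                         frozenset({"esp-aes-256-sha256"}), dynamic=True)
```

Reordering the policy list changes which entry a flow matches, which is the priority behaviour the text describes.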