
Virtual Private Network, or VPN, is a term that you may not have heard of, but it has become very common over the years. Instead of simply dealing with a local or regional branch, many companies today have facilities or businesses spread out across the country or around the world. In order to maintain fast, secure and reliable communications, these companies are creating their own virtual private networks to accommodate the needs of remote employees and distant offices.

VPN Introduction

VPN is an acronym for Virtual Private Network: a private data network (usually used within a company, or by several different companies or organizations) in which a secure connection is created over a public network by using tunneling-mode encryption and other security procedures. The tunneling-mode encryption and security procedures ensure that only authorized users can access the network and that data cannot be intercepted.

VPN message traffic is carried on public networking infrastructure, e.g. the Internet using standard (often insecure) protocols, or over a service provider's network providing VPN service guarded by a well-defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

The main purpose of a VPN is to give the company the same protected data sharing that private leased lines provide, but at a much lower cost, by using the shared public infrastructure.

How it Works: To make use of the VPN, the remote user's workstation must have the VPN client software installed. A firewall sits between the remote user's workstation or client and the host network or server. When a connection to the corporate network is attempted, the VPN client software first connects to the VPN server by means of a tunneling protocol. After the remote computer has been successfully authenticated, a secure connection (a secret tunnel) is formed between it and the VPN server; all subsequent data exchanged through this tunnel is encrypted at the sending end and correspondingly decrypted at the receiving end. As such, the network tunnel between them, even though established through the untrusted Internet, is considered secure enough that the remote computer can be trusted by local computers on the corporate LAN.

In short: You connect to the Internet through your ISP. The VPN client software on your computer initiates a connection with the VPN server. The VPN server encrypts the data on the connection so it cannot be read by others while it is in transit. The VPN server decrypts the data and passes it on to other servers and resources.

For better security, many VPN client programs can be configured to require that all IP traffic pass through the tunnel while the VPN is active. From the user's standpoint, this means that while the VPN client is active, all access outside the employer's secure network must pass through the same firewall as would be the case while physically connected to the office Ethernet. This reduces the risk that an attacker might gain access to the secured network.

Such security is important because other computers local to the network on which the client computer is operating may not be fully trusted. Even with a home network that is protected from the outside Internet by a firewall, people who share a home may be simultaneously working for different employers over their respective VPN connections from the shared home network. Each employer would therefore want to ensure that its proprietary data is kept secure, even if another computer in the local network gets infected with malware. And if a travelling employee uses a VPN client from a Wi-Fi access point in a public place, such security is even more important. However, the use of IPX/SPX is one way users might still be able to access local resources.

Different Types of VPN

A VPN supports at least three different modes of use:

- Remote Access (RAS) VPN - In this application only a single VPN gateway is involved. The other party negotiating the secure communication channel with the VPN gateway is a PC or laptop that is connected to the Internet and running VPN client software. The VPN client allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.

Benefit: Significant cost savings by reducing the burden of long-distance charges associated with dial-up access. Also helps increase productivity and peace of mind by ensuring secure network access regardless of where an employee physically is.

- Site-to-Site Intranet VPN - With an intranet VPN, gateways at various physical locations within the same business negotiate a secure communication channel across the Internet known as a VPN tunnel. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. Users from the networks on either side of the tunnel can communicate with one another as if it were a single network. These may need strong encryption and have strict performance and bandwidth requirements.

Benefit: Substantial cost savings over traditional leased-line or frame relay technologies through the use of the Internet to bridge potentially long distances between sites.

- Site-to-Site Extranet VPN - Almost identical to intranet VPNs, except they are meant for external business partners. As such, firewall access restrictions are used in conjunction with VPN tunnels, so that business partners are only able to gain secure access to specific data / resources, while not gaining access to private corporate information.

Benefit: Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.

Advantages of VPN

Cost Saving
A VPN eliminates the need for expensive long-distance leased lines. All a corporation requires is a relatively short dedicated connection to the service provider. The connection can be either a local broadband connection such as DSL service or a local leased line. Both of these connections are much cheaper than long-distance leased lines. Service providers can in theory charge much less for their support than it costs a company internally, because the public provider's cost is shared amongst potentially thousands of customers.

Elements of cost reduction also include transport media, bandwidth, backbone equipment, and operations. According to industry research, site-to-site connectivity costs are typically reduced by an average of 30% over domestic leased line networks. Cost reduction for client-to-site dial access is even greater, in the 60%-80% range.

Instead of owning and operating a private network infrastructure, a company may outsource some or all of its wide area networking functions to a service provider. By doing so, the cost of management and upkeep of the network setup can be reduced substantially. It also enables the company to focus on core business objectives, instead of managing a WAN or dial access network.

Scalability
The cost of using traditional leased lines may be reasonable at the beginning stage, but as the organization grows the number of leased lines required increases exponentially as more branches must be added to the network. With a VPN, a company can just tap into the geographically distributed access already available, which is limited in the case of traditional leased lines.

Disadvantages of VPN
Listed below are some of the potential pitfalls in VPN:

Lack of Security

VPN message traffic is carried on public networking infrastructure, e.g. the Internet, or over a service provider's network, which means circulating corporate data, one of your most valuable assets, on the line (literally). Even though there are many methods and technologies available to ensure data protection (such as encryption), the level of concern about Internet security is quite high and data in transmission is vulnerable to hackers. The use of VPNs at this moment still requires an in-depth understanding of public network security issues.

Less Bandwidth than Dedicated Line

The other major downside of VPNs relates to guaranteeing adequate bandwidth for the work being done. Every use of the Internet consumes bandwidth; the more users there are, the less bandwidth there is for any single user. Some VPN service providers offer guaranteed bandwidth, and private networks can be built with guaranteed bandwidth allocations; however, these options increase the cost of the system.

The need to accommodate protocols other than IP and existing ("legacy") internal network technology

IP applications were designed for low-latency, high-reliability networks. An increasing number of real-time, interactive applications are being used on the network. Although some applications can be tuned to allow for increased latency, many of the applications tested cannot be easily adjusted or cannot be adjusted at all, making the use of the application problematic.

Other pitfalls to consider:

- VPN technologies from different vendors may not work well together due to different standards compliance or immature standards.

- VPN is more prone to Internet connectivity problems.

- The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of its control.

SSL VPN
SSL VPN, or Secure Sockets Layer VPN, is a protocol which is already embedded in most IP stacks and sits at the base of the application layer. This application can deliver remote network access via HTTPS from a web browser. It requires only minimal client configuration, so virtually any client with a network connection can use SSL VPN without the need for additional VPN client software or a complex configuration and setup.
The main drivers for SSL VPN are:

- Cost saving - Because SSL VPNs can be clientless, the cost of deploying clients is saved.

- Platform independent & mobile - Access can be granted from many types of machine (Linux, Windows, PDAs) and from many locations.

- IP mobility - Not bound to the source IP address, thus connections can be maintained as clients move.

- Greater granular access control - Ability to offer greater granularity, even as far as the URL. SSL VPNs also lend themselves to more granular access control because each resource accessed must be explicitly defined.

- No NAT issues - Do not suffer Hide Network Address Translation (Hide NAT) issues as it is not tied to the IP layer.

SSL VPN Category

There are 3 different techniques in use, and most commercial SSL VPN products will use a combination of these:

- Application layer proxies

- Protocol redirectors

- Remote control enhancers

Application layer proxies

This is the simplest form of SSL VPN because they rely on the SSL functionality used by existing applications. This technique only supports e-mail and web-based traffic. There are additional functions such as file transfer; however, these functions tend to be limited.

Advantages of Application layer proxies: Clientless - operate with nearly all operating systems and web browsers.

Protocol redirectors
More flexible than application layer proxies, but not truly clientless in their operation. They work by downloading a mini client from the gateway, which installs locally and redirects traffic.

Advantages of Protocol redirectors: They can support any application that works on fixed TCP or UDP ports, and in some implementations applications with dynamic ports can be supported (such as MS Outlook).

Remote control enhancers

This is the most flexible form of SSL-based VPN, but they also have the highest overhead. They work by enhancing a remote control protocol like Windows Terminal Services or Citrix MetaFrame and adding SSL VPN functionality and web browser support. This means any application can be added to the SSL VPN by adding the application to the remote control desktop.

Remote control enhancers are usually combined with other SSL VPN technologies because applications that reside on the local desktop cannot be used directly.

Advantages of Remote control enhancers: Offer features like the ability to read and update documents held centrally without ever having to download the entire document.

VPN Firewalls

A computer firewall acts as a barrier between computers on a network. It protects inside networks from unauthorized access by users on an outside network and protects inside networks from each other.

Why we need a VPN Firewall?
Without a firewall, intruders/hackers on the network would likely be able to destroy, tamper with or gain access to the files on your computer. With a firewall, you block all traffic to your box except for the traffic you initiate.

How it Works?
Firewalls function with a set of filters that continuously monitor traffic on the network. Whenever a packet of information triggers one of the filters, the firewall prevents it from passing through, to prevent any unwanted damage. Of course, firewalls sometimes block wanted traffic, and through a continual process of refinement the filters can be customized to improve their efficacy.

Controlling network resources to an outside user

If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place a demilitarized zone (DMZ) on a separate network behind the firewall. The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects those servers and does not affect the other inside networks.

Controlling inside users accessing outside networks

You may also control inside users' access to outside networks:

- by allowing only certain addresses out,

- by requiring authentication or authorization, or

- by coordinating with an external URL filtering server.

VPN Tunnel
A VPN tunnel establishes a secure connection between two sites over the Internet.

VPN Tunnel Policy

This policy consists of a set of rules that define:

- what traffic will be securely transmitted into the tunnel, and

- how the traffic is secured in the tunnel - which authentication and encryption algorithms will be applied to the data to ensure its authenticity, integrity, and confidentiality.

This information is defined in a crypto map entry. Crypto map entries with the same crypto map name but different map sequence numbers are grouped into a crypto map set, which is applied to the VPN interfaces on the relevant devices. All IP traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the remote peer according to the parameters included in the crypto map entry.

When two peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. The minimum criteria for two crypto map entries to be compatible are:

- The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists). If the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be "permitted" by the peer's crypto access list.

- The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).

- The crypto map entries must have at least one transform set in common.

Tunnel policies define the VPN connection between two peers. They specify which traffic
will be secured and the authentication and encryption algorithms that will be used to
secure the traffic.

A tunnel policy's priority is indicated by its position in the list of policies (higher indicates
higher priority). If a traffic flow matches the filter conditions in more than one tunnel
policy, the policy with the highest priority is applied. You can change the order of the
policies in the list according to the priority you want them to have.
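The compatibility criteria and the per-flow evaluation described above, modelled as an added example that is not part of the original text: two constructed crypto map entries for a headquarters and a branch device are checked against the three minimum criteria, and an outbound flow is matched against a crypto map set, lowest sequence number first, as IOS-style devices evaluate them. All addresses, transform set names and the dynamic-map handling are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

@dataclass(frozen=True)
class AclLine:
    """One 'permit' line of a crypto access list: protect traffic src -> dst."""
    src: IPv4Network
    dst: IPv4Network
    def mirror(self) -> AclLine:          # the same flow as the peer must see it
        return AclLine(src=self.dst, dst=self.src)

@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                        # sequence number inside the crypto map set
    local_peer: str                 # address of this device's VPN interface
    remote_peer: str | None         # None models a dynamic crypto map (assumed)
    acl: frozenset[AclLine]         # crypto access list
    transform_sets: frozenset[str]  # transform sets offered

def compatible(a: CryptoMapEntry, b: CryptoMapEntry) -> list[str]:
    """Initiator a vs responder b: names of the minimum criteria that fail."""
    failed = []
    mirrored = frozenset(line.mirror() for line in a.acl)
    if b.remote_peer is None:           # dynamic responder must 'permit' a's flows
        if not mirrored <= b.acl:
            failed.append("acl-not-permitted-by-dynamic-peer")
    elif mirrored != b.acl:             # static peers need mirror-image ACLs
        failed.append("acl-not-mirror-image")
    if a.remote_peer != b.local_peer:
        failed.append("initiator-does-not-identify-responder")
    if b.remote_peer is not None and b.remote_peer != a.local_peer:
        failed.append("responder-does-not-identify-initiator")
    if not a.transform_sets & b.transform_sets:
        failed.append("no-common-transform-set")
    return failed

def match_entry(crypto_map_set: list[CryptoMapEntry], src: str, dst: str):
    """Lowest-sequence entry whose ACL covers the outbound flow; None = in clear."""
    s, d = ip_address(src), ip_address(dst)
    for entry in sorted(crypto_map_set, key=lambda e: e.seq):
        if any(s in line.src and d in line.dst for line in entry.acl):
            return entry
    return None
# Constructed sample: headquarters (HQ) and branch entries of one crypto map set.
NET_HQ, NET_BR = IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24")
HQ = CryptoMapEntry(10, "203.0.113.1", "198.51.100.1",
                    frozenset({AclLine(NET_HQ, NET_BR)}), frozenset({"ESP-AES-SHA"}))
BRANCH = CryptoMapEntry(10, "198.51.100.1", "203.0.113.1",
                        frozenset({AclLine(NET_BR, NET_HQ)}), frozenset({"ESP-AES-SHA", "ESP-3DES-MD5"}))
```

`compatible(HQ, BRANCH)` returns an empty list for the mirrored pair; a branch entry whose access list is not the mirror image, or that shares no transform set, gets the failing criteria back by name.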
