Virtual Private Networks

Author: Mihajlo Corovic
Last Revised: April 6th, 2007

A virtual private network (VPN) is a networking concept that allows a private network to be created and operated on top of an existing public or private network infrastructure.    The term "virtual" is used because the VPN does not have a real physical presence but rather consists of packets routed over various existing machines on an ad hoc basis through secure virtual connections.  The status of "private" is achieved through the use of encryption such that only authorized users can view the data that is being transferred through the VPN and is deemed confidential.

1 Why Build a VPN?
2 How It Works
3 Basic VPN Technologies
4 Configurations
5 Managing and Maintaining a VPN
6 See Also
7 External Links

Why Build a VPN?

The main reason to set up a VPN is to minimize the various risks associated with the Internet.  These include anything from coming across content that you do not wish to be seen by users to unauthorized users stealing or compromising confidential data from your machines.  The risk of stolen or compromised data is greater for corporations where the consequences could lead to the company being put out of business.  

How It Works

The following image illustrates the overall flow of a VPN in action [1].

As can be seen from the picture the internal network is protected with a VPN enabled firewall.  An authorized host is allowed to connect to the network (path 1b) while the connection is denied to the unauthorized host (line 1a).  Line 2 denotes that once the authorized host is connected to the network (usually through the use of a VPN software client that handles authentication and encryption) then the communication between the host and a machine within the network is secure.  

Basic VPN Technologies
In order for VPN to achieve the desired privacy and security, several important technologies need to be properly implemented.  
A firewall (such as a next generation firewall) is used to keep unwanted visitors out while allowing access to the users who are using the proper VPN client. Note that the firewall is usually not implemented by the VPN but nonetheless it is an integral part of a proper VPN setup.  In order to distinguish between authorized and unauthorized users a VPN has to have a strong authentication method (see cryptographic hashing).  Authentication is analogous to "logging in", however, a VPN needs to have a much more sophisticated and rigorous way of user validation.  Most VPN authentication algorithms are based on a shared key system.  A strong encryption method is also essential to a VPN setup as the data that is being sent needs to be protected against possible packet sniffing.  The two more common VPN techniques are private key and public key encryption. For more examples see  block ciphers or the more advanced AES and RSA algorithms.  Finally, in order to send the packets through public nodes without the nodes knowing that the data contained within the packets is comming from a private network, a method called tunelling is implemented.  Tunneling basically involves encapsulating the private network packet within a packet that has the properties of a public network packet.


The two main configurations of VPNs are the site-to-site and client-to-site configurations[2].  Site-to-site is used when two (or more) machines from different VPN's are logically connected over a public infrastructure.  This allows the machines to send and recieve data between each other.  Client-to-site is used when a remote machine is trying to connect to a VPN.  The remote machine needs to run a VPN client in order to "virtually" become a member of the private network.  This connection allows the remote machine to send and recieve data between the other members of the VPN as if the remote machine was physically connected to their LAN.

Managing and Maintaining a VPN

There are a few basic steps that need to be followed when it comes to VPN management and maintenance.
The first and maybe one of the most important steps is to choose the right internet service provider (ISP) for the VPN.  This choice should be based on geographical constraints as well as the quality of service (QoS) guarantee provided by the ISP.  When problems occur it is very difficult to pinpoint the exact problem as possible problems include connectivity problems, suthentication errors and numerous routing problems.  A QoS also has to be defined for the VPN itself as this allows for easier resource assignment which leads to an overall easier management of the VPN.  In order to increase the security of the VPN, acces should only be given to people who need it, restrictions should be put out on what the users are able to access while connected to the VPN and if possible a public DNS should not be assigned for the VPN.  During the life of the VPN the administrators should always aim to keep the VPN up to date in order to get the newest security updates or fix known existing problems.



See Also


External Links
VPN - Wikipedia