Virtual Private Networks

Author: Mihajlo Corovic
Last Revised: April 6th, 2007

A virtual private network (VPN) is a networking concept that allows a private network to be created and operated on top of an existing public or private network infrastructure.
The term "virtual" is used because the VPN has no physical presence of its own: it consists of packets carried across existing machines and links, over whatever path the underlying network provides, through secure virtual connections. The network is "private" because encryption, together with authentication of the endpoints, ensures that only authorized users can read the data transferred through the VPN, which is treated as confidential.
Why Build a VPN?

The main reason to set up a VPN is to reduce the risks that come with sending traffic across the Internet. These range from exposing content that was never meant to be seen by outside users to unauthorized users intercepting, stealing or tampering with confidential data from your machines. The risk of stolen or compromised data is greatest for corporations, where the consequences of a serious breach could put the company out of business.
How It Works

The following image illustrates the overall flow of a VPN in action [1]. As can be seen from the picture, the internal network is protected by a VPN-enabled firewall. An authorized host is allowed to connect to the network (path 1b), while the connection attempt of an unauthorized host is denied (path 1a). Path 2 shows that once the authorized host is connected to the network (usually through a VPN software client that handles authentication and encryption), the communication between the host and a machine inside the network is secure.
Basic VPN Technologies

For a VPN to achieve the desired privacy and security, several important technologies need to be properly implemented.

A firewall is used to keep unwanted visitors out while allowing access to users who connect through the proper VPN client. The firewall is usually not provided by the VPN software itself, but it is nonetheless an integral part of a proper VPN setup.

To distinguish between authorized and unauthorized users, a VPN has to have a strong authentication method. Authentication is analogous to "logging in"; however, a VPN needs a more rigorous way of validating users than a plain password prompt. Most VPN authentication is based on a shared key system, in which a pre-shared secret known to both ends is used to derive session keys and hash-based message authentication codes, or on certificates and public-key signatures.

A strong encryption method is also essential to a VPN setup, as the data being sent needs to be protected against packet sniffing. The two techniques in common use are symmetric (secret-key) encryption, such as the AES block cipher, for the bulk of the traffic, and public-key encryption, such as RSA, for exchanging keys and authenticating the endpoints.

Finally, so that packets can be sent through public nodes without those nodes needing to know, or being able to see, that the data inside comes from a private network, a method called tunneling is implemented. Tunneling encapsulates the private network packet, including its private source and destination addresses, within a packet that has the properties of a public network packet; intermediate routers forward it using only the outer header.
Configurations

The two main configurations of VPNs are the site-to-site and client-to-site configurations [2]. Site-to-site is used when two (or more) private networks at different locations are logically connected over a public infrastructure through their VPN gateways. This allows machines on either site to send and receive data between each other as if they were on one network. Client-to-site is used when a single remote machine connects to a VPN. The remote machine needs to run a VPN client in order to "virtually" become a member of the private network. This connection allows the remote machine to send and receive data between the other members of the VPN as if the remote machine were physically connected to their LAN.
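The tunneling described under Basic VPN Technologies and the site-to-site configuration above, as an added example in Go (this is not code from the original article). Two gateways with the documentation addresses 203.0.113.1 and 198.51.100.1 protect the private networks 192.168.1.0/24 and 192.168.2.0/24. Gateway A encapsulates an inner packet addressed between two private hosts inside an outer packet that carries only the public gateway addresses, encrypting and authenticating it with AES-GCM under a pre-shared key; gateway B checks the peer addresses, the authentication tag and a sequence number before handing the inner packet to its LAN, so replays, tampering and packets from an unexpected peer are dropped. The packet layout, the 32-byte demo key and the addresses are assumptions made for this example; the format is only loosely modelled on IPsec ESP and is not compatible with it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Tunnel is one end of a site-to-site tunnel between two VPN gateways. Outer packet layout
// (loosely modelled on IPsec ESP, not wire-compatible): 20-byte outer IPv4 header |
// 8-byte sequence number | 12-byte nonce | AES-GCM ciphertext of the inner packet | 16-byte tag
type Tunnel struct {
	aead     cipher.AEAD
	outerSrc net.IP // this gateway's public address
	outerDst net.IP // the peer gateway's public address
	sendSeq  uint64
	recvSeq  uint64 // highest sequence number accepted so far (anti-replay)
}

// NewTunnel sets up AES-GCM under a pre-shared key of 16, 24 or 32 bytes.
func NewTunnel(psk []byte, src, dst net.IP) (*Tunnel, error) {
	block, err := aes.NewCipher(psk)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, outerSrc: src.To4(), outerDst: dst.To4()}, nil
}

// ipv4Header builds a minimal 20-byte IPv4 header (checksum left zero for brevity).
func ipv4Header(src, dst net.IP, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8] = 64 // TTL
	h[9] = 50 // protocol 50 (ESP) as a placeholder; the payload is this demo's own format
	copy(h[12:], src.To4())
	copy(h[16:], dst.To4())
	return h
}

// Encapsulate hides the whole inner packet, private addresses included, inside an
// outer packet that public routers forward using the gateway addresses alone.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	t.sendSeq++
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, t.sendSeq)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The sequence number travels in clear but is bound to the tag as additional data,
	// so a forged counter fails authentication before the replay check is reached.
	ct := t.aead.Seal(nil, nonce, inner, seq)
	payload := append(append(seq, nonce...), ct...)
	return append(ipv4Header(t.outerSrc, t.outerDst, len(payload)), payload...), nil
}

// Decapsulate checks the peer addresses, the AES-GCM tag and the sequence number,
// then returns the inner packet for delivery onto the private LAN.
func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(outer) < 20+8+ns+t.aead.Overhead() {
		return nil, errors.New("outer packet too short")
	}
	if !bytes.Equal(outer[12:16], t.outerDst) || !bytes.Equal(outer[16:20], t.outerSrc) {
		return nil, errors.New("outer addresses do not match the tunnel peer")
	}
	seqBytes, nonce, ct := outer[20:28], outer[28:28+ns], outer[28+ns:]
	inner, err := t.aead.Open(nil, nonce, ct, seqBytes)
	if err != nil {
		return nil, errors.New("authentication failed, packet dropped")
	}
	seq := binary.BigEndian.Uint64(seqBytes)
	if seq <= t.recvSeq { // strictly increasing counter; real ESP uses a sliding window
		return nil, errors.New("replayed packet dropped")
	}
	t.recvSeq = seq
	return inner, nil
}

func main() {
	psk := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; use a random key in practice
	gwA, _ := NewTunnel(psk, net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.1"))
	gwB, _ := NewTunnel(psk, net.ParseIP("198.51.100.1"), net.ParseIP("203.0.113.1"))
	inner := append(ipv4Header(net.ParseIP("192.168.1.10"), net.ParseIP("192.168.2.20"), 5), "hello"...)
	outer, _ := gwA.Encapsulate(inner)
	fmt.Printf("on the Internet: %s -> %s\n", net.IP(outer[12:16]), net.IP(outer[16:20]))
	got, err := gwB.Decapsulate(outer)
	fmt.Printf("at site B: %s -> %s %q (err=%v)\n", net.IP(got[12:16]), net.IP(got[16:20]), got[20:], err)
	_, err = gwB.Decapsulate(outer) // the same packet replayed by an attacker
	fmt.Println("replay:", err)
}
```

Run with `go run`: the outer packet seen on the Internet carries only the two gateway addresses, the first decapsulation at site B recovers the private addresses and payload from the inner header, and the identical packet presented a second time is dropped as a replay. Using one key for both directions and a strictly increasing counter are simplifications made here; real protocols derive separate keys per direction and accept a sliding window of sequence numbers so that reordered packets are not lost.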
Managing and Maintaining a VPN

There are a few basic steps that need to be followed when it comes to VPN management and maintenance. The first, and perhaps one of the most important, is to choose the right Internet service provider (ISP) for the VPN. This choice should be based on geographical constraints as well as the quality of service (QoS) guarantee provided by the ISP. When problems occur it is very difficult to pinpoint the exact cause, since the candidates include connectivity failures, authentication errors and numerous routing problems. A QoS policy also has to be defined for the VPN itself, as this allows for easier resource assignment, which leads to easier overall management of the VPN. To increase the security of the VPN, access should only be given to people who need it, restrictions should be placed on what users are able to reach while connected to the VPN, and if possible the VPN's internal hosts should not be published in public DNS. Throughout the life of the VPN, the administrators should keep its software up to date in order to receive the newest security updates and fixes for known problems.