Virtual private network
In a very real sense, a virtual private network (VPN) is a public network (i.e., the service provider owns the network nodes) that looks like a private network (i.e., the user organization owns the network nodes). But of course the privacy of a VPN is really just an illusion, albeit a very good one.
To illustrate, consider two distinct organizations (Corporation A and Corporation B) who still own and operate their access routers but share capacity on the VPN service provider’s router backbone. All of the “A” routers can only see and access other “A” routers; the same is true of the “B” routers. There are two VPNs on one public infrastructure, but users on either VPN are completely unaware of the presence of the other users. They are mutually “invisible.”
The service provider backbone routers inside the cloud can be linked by a series of leased private lines or otherwise dedicated facilities, or (more and more often) by the Internet. In fact, there are some real attractions, but some real drawbacks, associated with supporting VPNs over the Internet. For instance, one attraction is that any customer-supported Web sites can be reached without “extra” Internet access. On the other hand, the Internet is notoriously free of any guarantees of privacy or delay between sites.
The visual also includes A and B remote users (e.g., workers in their home offices, traveling employees, and third parties like consultants with approved access).
The use of the Internet as a WAN has always carried an inherent security risk. The Internet is the “Wild West” of technologies. All information is free for inquisitive eyes. Equipment vendors have devised protocols and scenarios in which the Internet can be used in such a manner that it appears to its users as a private network. This is the concept behind VPNs. In a VPN, a corporation creates a tunnel through the Internet. This tunnel allows the corporation to pass sensitive information between locations. A VPN allows corporations to use the Internet as a WAN technology without fear of security risk.
When creating a VPN, a number of issues must be addressed. The first of the issues is the tunneling protocol to be implemented. Tunneling protocols are becoming more sophisticated and the field is being culled. The second issue is the use and type of encryption being employed. Hardware, software, payload and full frame encryption options are all available. A third issue is the compression scheme being employed. The amount of transported data can be drastically reduced by using a compression algorithm.
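To make the payload versus full frame encryption choice concrete, here is an added Python illustration that is not part of the original text: it builds a toy inner frame (4-byte source IP, 4-byte destination IP, payload), seals it either payload-only or as a whole frame wrapped in a new outer header, and shows what someone sniffing the public network can read in each case. The cipher is a constructed SHA-256 counter keystream with an HMAC tag, used only to keep the demo self-contained; real VPNs use IPsec or TLS ciphers such as AES-GCM.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed demo (not from the text): toy keystream, illustration only.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: bytes, nonce: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 32-byte tag."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; altered packets are rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: packet altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def frame(src: str, dst: str, payload: bytes) -> bytes:
    """Inner frame: 4-byte source IP, 4-byte destination IP, then payload."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

def payload_encrypt(key: bytes, inner: bytes) -> bytes:
    # Payload encryption: the inner header stays in the clear, only data is sealed.
    return inner[:8] + seal(key, inner[8:])

def full_frame_encrypt(key: bytes, outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    # Full-frame (tunnel) encryption: the whole inner frame is sealed and a new
    # outer header carrying only the tunnel endpoints is prepended.
    return frame(outer_src, outer_dst, seal(key, inner))

def full_frame_decrypt(key: bytes, packet: bytes) -> bytes:
    return unseal(key, packet[8:])

def observer_view(packet: bytes):
    """The addresses an eavesdropper on the public network reads from the header."""
    return str(ipaddress.IPv4Address(packet[:4])), str(ipaddress.IPv4Address(packet[4:8]))
```

With payload encryption the observer still learns which internal hosts are talking; with full-frame encryption only the tunnel endpoints are exposed, and any modification in transit is detected before decryption.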
VPN Benefits and Concerns
VPNs are relatively new network phenomena. Like all relatively new phenomena, VPNs have a lot of potential, which extends to both benefits and concerns. The visual lists a few of the potential benefits and concerns involved in an evaluation of VPNs.
Among the benefits is the attraction of saving money by linking a large number of sites with a VPN instead of private leased lines. This benefit is simply the familiar attraction of linking sites over a public data network like the Internet or frame relay, applied to VPNs. One does not pay for public data network connectivity by the mile as with leased lines. The other benefit listed is the opportunity to better integrate the corporate network and the Internet. Many corporate routers employ TCP/IP almost exclusively, even for Systems Network Architecture (SNA) transport, and corporate and other Web sites must be made reachable to both employees and the general Internet-using public. Instead of needing separate links for this Internet connectivity, the VPN can employ the same Internet links for corporate purposes.
However, using the Internet as a basis for VPNs introduces a whole host of concerns. The easy Internet access, a real benefit, offers increased opportunities for hackers to gain entry to the “inside” corporate network. There will also be an increased threat posed from various well-known denial of service (DoS) attacks, which seek not so much to corrupt the data on the corporate portion of the network as to make the network unusable by authorized users.
There is also the perceived vulnerability to outsiders intercepting confidential information, encrypted or not, on the public portion of the network. While probably overestimated in frequency, the risk is great enough to justify the resources devoted to protect confidentiality on the public network.
Finally, the added network complexity of a full-blown VPN used for almost everything, coupled with the well-documented lack of quality of service (QoS) guarantees, especially on the “best effort” Internet, makes the successful implementation of a large-scale VPN a challenging and formidable task for even the most well equipped and prepared organization.
Applications of VPNs
While network security should be forefront in the minds of anyone involved in computer technology and networking, the virtual private network is not the answer to all security concerns. A VPN should be thought of as a tool for a particular type of network security problem: the secure transmission of data.
Hacking a public Web page or stealing thousands of credit card numbers from a database server qualify as security issues for most network professionals. In both cases, however, implementing a VPN would not have prevented these crimes. The victims need to worry more about securing their servers by investing in robust firewall technology rather than by rushing to purchase a VPN solution.
Several essential applications of VPN technology make it a popular product. In general, VPN technology is the answer whenever protecting data in transit is necessary. Although a VPN is not a total security solution, this definition allows room for diverse implementations and the products that support them.
One of the most common applications of VPN technology is connecting remote users to a corporate network. This “virtual” (remote) office application has many benefits for both a company and its employees. However, the IT staff must ensure that competitors cannot sniff packets containing proprietary information exchanged between remote employees and headquarters.
Another common application is connecting two networks over a public infrastructure. Two business partners might share portions of their internal networks, or two branches of a company might connect their networks for the benefit of employees. Although these connections could be implemented using a private line, the comparative cost of using the public network is too attractive. The VPN enables the privacy of a private line with the cost of the public network.
VPNs do not need to be limited to the WAN. Using the same technologies that protect data over the WAN, a company can ensure the security of data on its internal network. Generally this raises the specter of getting encryption to run at high speeds, but the potential exists to secure intra-LAN communications.
The VPN Environment
Networks today often employ a number of strategies to allow a wide range of remote access arrangements to access a target site. Not all organizations will support all of the possibilities, of course, and the visual is meant more as a concept than as a blueprint. There are two main categories of access to a target site. First, a private router with attached leased lines forming a private WAN can be employed. Second, a remote access server can be used to allow essentially public access to the target site, but only for authorized users. The topology of the private leased line network affords its own measure of privacy that is absent in the public remote access on the right.
The community of remote users served by these two methods varies as well. A large remote site with tens to hundreds of potential users is served most efficiently and effectively by a leased private line. There is a good chance that someone always needs access to the target site. The remote access server handles different needs. A small remote site with a handful of users is a good candidate for ISDN or switched digital service (SDS) access such as Switched 56. Roaming users such as traveling sales representatives can use ISDN or even a dial-in 800 number to achieve the same result. Finally, authorized users in a SOHO can use ISDN, analog modems, or even newer xDSL techniques to access the target site. The key factor here is the need for more geographically dispersed and/or more intermittent access.
The point is that a VPN can substitute for one or more of these access methods. But only the most “bleeding edge” organizations would consider replacing the leased line WAN with a VPN today, especially using the public Internet as the connectivity vehicle. More likely, the VPN will initially replace or enhance one or more of the remote access server options. As VPNs become more mature, the organization can explore leased line WAN replacement or enhancement.
Using a VPN for target site access requires the organization to consider changes to the remote access server and private router. The simple login and password usually used for access to the remote access server might not be adequate for the Internet. Additionally, private routers on leased line WANs typically have no additional security features enabled at all.
Three Approaches to VPNs
The products and services introduced for building and using VPNs fall into three main categories. The three categories all have similarities (e.g., transfer of secure information over a public network) but have significant differences as well. Some more or less require some form of firewall, while another merely tolerates the firewall if present. The visual shows the three major types of VPN implementation, but note that VPN hardware and software have many variations and options within each of these categories.
The first establishes secure tunnels between firewalls. The firewalls separate a private “inside” from the public “outside” of the network. The Internet often connects the firewalls, but other public networks (e.g., frame relay) can form the foundation of the VPN as well. In some cases, the firewalls might only provide basic filtering functions, and the firewalls’ main purpose might be the multiprotocol, non-IP tunneling features. Note that any additional security required on the private portions of the network is not provided in this scenario.
A second VPN type uses only one firewall to achieve the same effect. However, the VPN hardware and/or software must be built into at least one, if not many, end systems (anything running TCP/IP is a “host”).
A third type can tolerate the presence of one or more firewalls, but does not really rely on their presence at all. Secure tunnels are established end-to-end, such as when a Web browser client accesses a secure Internet Web site server to purchase something.
Premises-Based (Client-Initiated) VPNs
ISP customers can completely implement and control the VPN; all VPN features reside on customer premises-based hardware and software. The role of the ISP is simply connectivity. Mobile client PCs still use the ISP for remote access, but the ISP only furnishes a dial-in port for the user with a simple password and ID. Dedicated access relies on the private line for security and authorization.
The key point is the VPN is transparent to the ISP. The price for security can be high because it is necessary to deploy compatible equipment and methods across the entire network. Performance issues must be addressed as well since the initial LAN and router configurations could not have considered the added burden of VPN overhead processing.
Service-Based (ISP-Initiated) VPNs
Here, an ISP implements and controls the VPN; the ISP initiates and manages the entire VPN process. Mobile client PCs use the ISP for remote access, but the ISP can furnish additional authentication features above and beyond a simple password and ID. Dedicated access can rely on the nature of the private line for security and authorization, or the ISP can provide premises-based (but ISP controlled) hardware and software for the VPN features.
The VPN is totally a function and service of the ISP. The cost of the VPN benefits to an individual customer should be lower than with client-initiated VPNs due to the economies of scale possible on the part of the ISP. The ISP is responsible for compatible equipment and methods across the entire ISP network. The ISP addresses performance issues and makes sure the VPN overhead processing does not overwhelm the LAN and router configurations. The ISP is free to add value-added features related to the VPN, such as audit trails, real-time monitoring, and so on.