Virtual private networks (VPNs) have gained popularity as a secure and cheaper medium for accessing and transmitting sensitive information between two or more corporate networks over a public network such as the internet. Before VPNs, other network technologies were developed and used to connect business sites, both within a location and across sites that are miles apart.
In the sixties, sites were connected to enable data transfer through analog phone lines and 2,400-bps modems leased from AT&T; businesses had no faster modems to choose from because the telephone companies were controlled by the government. It was not until the early eighties that businesses were able to connect sites at higher speed using 9,600-bps modems, after other telephone companies emerged as a result of changes in government control and policy on telephony. During this period there were few mobile workers, and the modem links were static rather than dynamic as they are now. The analog phone lines were permanently wired to the sites and were specially selected lines (called conditioned lines) built for full-time use by companies; these lines differ from regular phone lines. This technology ensured full bandwidth and privacy, but at a great cost: payment was expected for the full bandwidth whether or not the line was used.
Another innovation used for connecting sites, which came out in the mid 1970s, was the Digital Data Service (DDS). This was the first digital service, offering a 56 Kbps connection, and it was used for private lines. This service later became a major and useful innovation for wide area networks and grew into other services that are popularly used today, such as the T1 service, which consists of 24 separate channels each able to carry up to 64 Kbps of either data or voice traffic. In the late 1970s the idea of the VPN was initiated with the introduction of X.25. It is a Virtual Connection (VC) form of WAN packet switching which logically separates data streams. With this function, the service provider can carry as many point-to-point VCs as needed across a switched network infrastructure, provided each endpoint has a device that facilitates communication at the site.
Sometime in the early 1980s, X.25 service providers offered VPN services to customers (i.e. businesses) who used network protocols at the time as well as early adopters of TCP/IP.
Over the years, in the 1990s, other networking technologies were deployed for connecting private networks, such as high-speed Frame Relay and Asynchronous Transfer Mode (ATM) switching. These networking technologies provided virtual connections to businesses at speeds of up to OC3 (155 Mbps). Setting up this kind of technology involved customer IP routers (customer premise equipment, or CPE) interconnected in a partial or full mesh of Frame Relay or ATM VCs to other CPE devices; in other words, less equipment is needed for its setup. Frame Relay and ATM are referred to as the standard for VPN technology. These technologies gained much popularity after the leased line for connecting sites, and they were also easy to set up. With the increasing speed at which businesses grow and expand globally, allowing staff to be mobile and work offsite, Frame Relay is not the best technology for remote access since it is just an overlay technology. Although the leased line is a better alternative for connecting business sites, it is excessively expensive to own. With the advent of the internet and its wide use in everyday transactions, businesses have adopted it for transmitting and accessing data across various sites by implementing a VPN connection between the sites, which is relatively cheap, flexible and scalable, in order to protect the data sent across the insecure internet from being tampered with by unauthorized persons.
Definitions of Virtual Private Network (VPN)
There are various definitions of a Virtual Private Network (VPN), given by various vendors, each describing its own products best.
- A Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network.
- A Virtual Private Network (VPN) is a group of two or more computer systems, typically connected to a private network (a network built and maintained by an organization solely for its own use) with limited public-network access that communicates “securely” over a public network.
- A Virtual Private Network (VPN) enables a private connection to a LAN through a public network such as the Internet. With a VPN, data is sent between two nodes across a public network in a manner that emulates a dial-link. There are two types of VPN systems, one is used for connecting LANs across the Internet, and the other is used to connect a remote node to a LAN across the Internet.
- A Virtual Private Network (VPN) is a virtual network connection that uses the internet to establish a connection that is secure.
- A Virtual Private Network (VPN) uses a public network, such as the internet, to facilitate communication; however, it adds a layer of security by encrypting the data travelling between companies and authenticating users to ensure that only authorized users can access the VPN connection.
- Virtual Private Networks (VPNs) enable companies to connect geographically dispersed offices and remote workers via secure links to the private company network, using the public Internet as a backbone.
Looking at all these definitions closely, they all stress security and connectivity. These are the essential features of VPNs: they create a connection between two private networks over a public network by using encapsulation and tunneling protocols to transmit data, and they provide security by encryption and authentication in order to control access to data and resources on the company's network. In other words, a Virtual Private Network (VPN) is a network technology that securely connects two or more private networks over an insecure public network such as the internet, so as to enable internal access to files and resources and data transfer.
Types of Virtual Private Network (VPN)
There are three different Virtual Private Network (VPN) connectivity models that can be implemented over a public network:
- Remote-access VPNs: These provide remote access to an enterprise customer's intranet or extranet over a shared infrastructure. Deploying a remote-access VPN enables corporations to reduce communications expenses by leveraging the local dial-up infrastructures of internet service providers. At the same time, the VPN allows mobile workers, telecommuters, and day extenders to take advantage of broadband connectivity. Access VPNs impose security over analog, dial, ISDN, digital subscriber line (DSL), Mobile IP, and cable technologies that connect mobile users, telecommuters, and branch offices.
- Intranet VPNs: These link enterprise customer headquarters, remote offices, and branch offices in an internal network over a shared infrastructure. Remote and branch offices can use VPNs over existing Internet connections, thus providing a secure connection for remote offices. This eliminates costly dedicated connections and reduces WAN costs. Intranet VPNs allow access only to an enterprise customer's employees.
- Extranet VPNs: These link outside customers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure. Extranet VPNs differ from intranet VPNs in that they allow access to users outside the enterprise.
Virtual Private Network (VPN) Configurations
There are two main types of Virtual Private Network (VPN) configurations for deploying the VPN connection over a public network. These are:
- Site-to-site VPNs: This is sometimes referred to as a secure gateway-to-gateway connection over the internet or over private or outsourced networks. This configuration secures information sent across multiple LANs and between two or more office networks, which is done effectively by routing packets across a secure VPN tunnel between two gateway devices or routers. The secure VPN tunnel enables two private networks (sites) to share data through an insecure network without fear that the data will be intercepted by unauthorized persons outside the sites. The site-to-site VPN establishes a one-to-one peer relationship between two networks via the VPN tunnel and can be described as a link between two or more networks. This is mostly used in intranet VPNs and sometimes in extranet VPNs.
- Client-to-Site VPNs: This configuration involves a client at an insecure remote location who wants to access internal data from outside the organization's LAN. A client-to-site VPN can be described as a network made accessible to remote users who need dial-in access. It is a collection of many tunnels that terminate on a common shared endpoint on the LAN side. In this configuration, the user needs to establish a connection to the VPN server in order to gain a secure route into the site's LAN, which is done by configuring a VPN client that could be either a computer operating system or a hardware VPN device such as a router. By so doing, the connection enables the client to access and use internal network resources. This kind of configuration is also referred to as a secure client-to-gateway connection. It is usually used in access VPNs and sometimes in extranet VPNs.
Virtual Private Network (VPN) Configurations Components
Creating a Virtual Private Network (VPN) connection between sites or networks involves several components. These components contain elements that need to be properly set up in order to aid the transmission of data from one network endpoint to another. These elements include:
- VPN server: This is either a computer system or a router configured to accept connections from the client (i.e. a remote computer), which gains access by dialling in or connecting directly through the internet. This serves as one endpoint of the VPN tunnel.
- VPN client: This can be either a hardware-based system, usually a router that serves as the endpoint of a gateway-to-gateway VPN connection, or a software-based system, either a built-in or downloaded program on the computer operating system that can be configured to function as an endpoint in a VPN, such as Windows XP, 2000 or Vista, or Checkpoint client software.
- Tunnel: This is the link between the VPN server and client endpoints through which the data is sent.
- VPN protocols: These are sets of standardized data transmission technologies that the software and hardware systems use to create security rules and policies for data sent along the VPN.
Types of Virtual Private Network (VPN) Systems
The Virtual Private Network (VPN) components form the endpoints of the VPN connection from one private network to another through the public network. The choice of components depends on various factors such as the size of the organization (is it a small, large or growing organization), the cost involved in implementing a VPN either with new components or with existing ones, and lastly, which of the components is best for the connection. There are three components that can be used to set up a VPN connection, and a combination of any of them can also be used.
One way to set up a VPN is to use a hardware device. The hardware device is a VPN component designed to connect gateways or multiple LANs together over the public network, using secure protocols to ensure network and data security. Two devices are commonly used to perform these functions. One typical hardware-based VPN device is a router, which encrypts and decrypts data going in and out of the network gateways. Another device is a VPN appliance, whose objective is to terminate VPN connections and join multiple LANs. This device creates a connection between multiple users or networks.
VPN hardware devices are more cost effective for fast-growing organizations since they are built to handle more network traffic. They are a better choice when considering network throughput and processing overhead. They are also a good choice when the routers used at each network end are the same and controlled by the same organization.
Another way to set up a VPN is to use a software-based component. The software component is a program, usually installed on the operating system of the host, which can be used to set up a VPN connection. It is easy to configure and more flexible and cost effective than the hardware VPN. It is suitable in networks that use different routers and firewalls, and is best used between different organizations and network administrators, such as partner companies. Software VPNs allow traffic to be tunnelled based on address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle. But software-based systems are generally harder to manage than hardware-based systems. They require familiarity with the host operating system, the application itself, and appropriate security mechanisms, and some software VPN packages require changes to routing tables and network addressing schemes.
The third component is the firewall-based VPN; it makes use of the firewall's mechanisms as well as restricting access to the internal network. This kind of component ensures that VPN traffic passes through the network gateway of the desired destination and that non-VPN traffic is filtered according to the organization's security policy. It achieves this by performing address translation, making sure that requirements for strong authentication are met, and serving up real-time alarms and extensive logging.
These three components can be combined to set up a VPN in order to add layers of security to the network. This can be a combination of hardware and software VPN or a combination of all three in the same device. Several hardware-based VPN packages offer software-only clients for remote installation and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.
An example of such a device is the Cisco 3000 Series VPN concentrator, which gives users the option of operating in two modes: client mode and network extension mode. In client mode the device acts as a software client enabling a client-to-host VPN connection, while in extension mode it acts as a hardware system enabling a site-to-site VPN connection. A combination of these components from different vendors can also be used to set up a VPN connection, but this comes with some challenges. The solution is to use a standard security protocol that is widely used and supported by all products.
Virtual Private Network (VPN) Security Features
The main purpose of a Virtual Private Network (VPN) is to ensure security and connectivity (a tunnel) over a public network, and this cannot be done without some key activities being performed and policies being set up. For VPNs to provide a cost-effective and better way of securing data over an insecure network, they apply some security principles and measures.
Data sent over the internet using the TCP/IP protocol suite is carried in packets. A packet consists of the data and an IP header. The first thing that happens to data being sent across a VPN is that it gets encrypted at the source endpoint and decrypted at the destination endpoint. Encryption is a method of protecting information from unauthorised persons by encoding the information so that it can only be read by the recipient. Encryption is done using an algorithm together with a key, so that the information is unreadable to all but the recipient. The larger the number of bits in the key, the stronger the encryption and the harder it is for intruders to break. Data encryption can be done in two ways: either in transport mode or in tunnel mode. These modes are processes for transmitting data securely between two private networks.
In transport mode, only the data part (otherwise known as the payload) of the IP packet is encrypted and decrypted, not the header, and this is done by the two endpoint hosts themselves. In tunnel mode, both the data part and the header of the IP packet are encrypted and decrypted, and this is done between the gateways in front of the source computer and the destination computer.
Another security measure implemented by a VPN on data is IP encapsulation. The VPN uses IP encapsulation to protect packets from being intercepted on the network by intruders: the actual IP packet is enclosed in another IP packet whose source and destination addresses are those of the VPN gateways, thereby hiding the data being sent and the private networks' IP addresses, which "do not conform to internet addressing standards".
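As an added example (not from the original article), the following Python models transport mode, tunnel mode and the IP encapsulation described in the two paragraphs above: it builds a minimal IPv4 header, protects a packet in each mode, and shows which addresses an on-path observer can still read in each case. The HMAC-based keystream cipher, the shared key, the private 10.x addresses and the gateway addresses 203.0.113.1 and 198.51.100.2 are constructed stand-ins, not real IPsec/ESP cryptography.

```python
import hashlib
import hmac
import socket
import struct

ESP = 50  # IP protocol number carried by an IPsec ESP packet

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (checksum left at zero; enough to model addressing).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_header(pkt):
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"len": fields[2], "proto": fields[6],
            "src": socket.inet_ntoa(fields[8]), "dst": socket.inet_ntoa(fields[9])}

def keystream_xor(key, data):
    # Constructed stand-in cipher: HMAC-SHA256 in counter mode XORed into the data.
    # Real ESP negotiates a cipher such as AES; this only models "hidden vs. visible".
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def transport_mode(inner_pkt, key):
    # Endpoint hosts protect only the payload; the original header, and so the
    # private source and destination addresses, remain readable on the public network.
    h = parse_header(inner_pkt)
    payload = inner_pkt[20:]
    return ipv4_header(h["src"], h["dst"], ESP, len(payload)) + keystream_xor(key, payload)

def tunnel_mode(inner_pkt, key, gw_src, gw_dst):
    # Gateways protect the whole inner packet (header and payload) and encapsulate it
    # in a new outer header that carries only the gateway addresses.
    body = keystream_xor(key, inner_pkt)
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def unwrap_tunnel(outer_pkt, key):
    # The receiving gateway strips the outer header and recovers the original inner packet.
    return keystream_xor(key, outer_pkt[20:])

def observer_view(pkt):
    # What an intermediary without the key can read from the outer header.
    h = parse_header(pkt)
    return (h["src"], h["dst"], h["proto"])

if __name__ == "__main__":
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, 5) + b"hello"  # constructed inner packet
    key = b"\x11" * 32                                              # constructed shared key
    print("transport:", observer_view(transport_mode(inner, key)))
    print("tunnel   :", observer_view(tunnel_mode(inner, key, "203.0.113.1", "198.51.100.2")))
```

Run stand-alone, the transport line still shows the two private addresses while the tunnel line shows only the gateway addresses, which is the practical difference between the two modes.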
The third security measure is authentication. This is a method of identifying a user by proving that the user is actually authorized to access and use internal files. Authenticating a host, user or computer that uses the VPN depends on the tunneling protocol established, and also on encryption for added security. The tunneling protocols widely used for authentication over a network are IPSec, PPTP, L2TP and SSL, but the most commonly used is IPSec. The hosts using the VPN establish a Security Association (SA) and authenticate one another by exchanging keys generated by an algorithm (a mathematical formula). These keys can be either symmetric, a private key that is identical on both hosts and known only to them, used to verify the identity of one another, or asymmetric, where each host has a private key from which a public key is generated. The sending host uses the other's public key to encrypt information that can only be decrypted by the receiving host's private key. The Point-to-Point Tunneling Protocol uses the Microsoft Challenge/Response Authentication Protocol (MS-CHAP) to authenticate computers using the VPN by exchanging authentication packets with one another. Users connecting to the VPN can also be authenticated by what the user knows (a password or shared secret), what the user has (a smart card) and what the user is (biometrics, e.g. fingerprints).