Blenheim IT Specialists

Virtual Private Networks

 

The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are.

 

[Figure: VPN topology diagram. Image courtesy Cisco Systems, Inc.]

A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.

 

Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fibre, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. However, maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases.

As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices.

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

What Makes a VPN?

A well-designed VPN can greatly benefit a company. For example, it can:

  • Extend geographic connectivity
  • Improve security
  • Reduce operational costs versus traditional WAN
  • Reduce transit time and transportation costs for remote users
  • Improve productivity
  • Simplify network topology
  • Provide global networking opportunities
  • Provide telecommuter support
  • Provide broadband networking compatibility
  • Provide faster ROI (return on investment) than traditional WAN

What features are needed in a well-designed VPN?

It should incorporate:

  • Security
  • Reliability
  • Scalability
  • Network management
  • Policy management

Three types of VPN are described below: remote-access, intranet-based site-to-site and extranet-based site-to-site.

 

Remote-Access VPN

Remote-access and site-to-site are the two common VPN architectures. Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

 


Site-to-Site VPN

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

  • Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.
  • Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

  

[Figure: site-to-site VPN diagram. Image courtesy Cisco Systems, Inc.]

 


VPN Security: Firewalls

A well-designed VPN uses several methods for keeping your connection and data secure:

  • Firewalls
  • Encryption
  • IPSec
  • AAA Server

A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them, whereas the Draytek 2800 series routers have an embedded firewall. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.
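To make the "restrict ports, packet types and protocols" idea concrete, here is an added example (not code from the page or from any Cisco or Draytek product): a minimal first-match packet filter whose policy opens only what an IPsec VPN gateway needs, namely IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol 50), with a default deny for everything else. The rule and packet structures, the gateway address and the sample packets are all constructed for the demo.

```python
"""
Added example (not from the page): a minimal first-match packet-filter policy
for a VPN gateway. Rule syntax, packet fields and sample packets are all
constructed for illustration; they are not a real firewall's API.
"""
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

# IP protocol numbers (real values): 6 = TCP, 17 = UDP, 50 = ESP.
TCP, UDP, ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # ESP carries no port numbers


@dataclass(frozen=True)
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port
    dst: Optional[str] = None     # None = any destination address

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst is None or self.dst == p.dst))


GATEWAY = "203.0.113.1"   # constructed address from the TEST-NET-3 documentation range

# Only what the VPN needs is opened; everything else hits the final DROP.
VPN_GATEWAY_POLICY: List[Rule] = [
    Rule("ACCEPT", proto=UDP, dport=500,  dst=GATEWAY),   # IKE negotiation
    Rule("ACCEPT", proto=UDP, dport=4500, dst=GATEWAY),   # IKE/ESP NAT traversal
    Rule("ACCEPT", proto=ESP,             dst=GATEWAY),   # ESP tunnel traffic
    Rule("DROP"),                                          # default deny
]


def evaluate(packet: Packet, policy: List[Rule] = VPN_GATEWAY_POLICY) -> str:
    """First matching rule wins; a policy with no match at all is treated as DROP."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action
    return "DROP"


def audit(policy: List[Rule]) -> Set[Tuple[Optional[int], Optional[int]]]:
    """The (proto, port) pairs a policy accepts: the exposed surface at a glance."""
    return {(r.proto, r.dport) for r in policy if r.action == "ACCEPT"}


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", GATEWAY, UDP, 500),        # IKE -> ACCEPT
        Packet("198.51.100.7", GATEWAY, ESP),             # ESP -> ACCEPT
        Packet("198.51.100.7", GATEWAY, TCP, 23),         # telnet -> DROP
        Packet("198.51.100.7", "203.0.113.2", UDP, 500),  # wrong host -> DROP
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

The `audit` helper is the part a reviewer actually uses: before a VPN goes live, the set of accepted (protocol, port) pairs should be exactly the three the VPN requires and nothing else.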

VPN Security: Encryption

Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

  • Symmetric-key encryption
  • Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C", and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

 

The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.
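The hybrid scheme described above (document under a fresh symmetric key, symmetric key under the receiver's public key, receiver recovers the symmetric key with its private key) is written out end to end in this added example. It is not code from the page or from PGP; both primitives are deliberately small teaching versions: "textbook" RSA with a 512-bit modulus and no padding, and a keystream derived from SHAKE-256 standing in for a real cipher such as AES. Key sizes, the sample document and the function names are all assumptions made for the demo.

```python
"""
Added example (not from the page): the hybrid encryption flow, end to end.
Toy primitives only: textbook RSA (no padding, small modulus) and a SHAKE-256
keystream XOR in place of a real cipher. Use a vetted library for real work.
"""
import hashlib
import secrets
from math import gcd


# ---- toy public-key part: textbook RSA -------------------------------------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512, e: int = 65537):
    """Return ((n, e), (n, d)). A 512-bit modulus is a toy size, not a secure one."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


# ---- toy symmetric part: XOR with a SHAKE-256 keystream ----------------------
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Same key and nonce both encrypt and decrypt (toy stand-in for AES)."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# ---- hybrid wrap/unwrap, following the page's description -------------------
def hybrid_encrypt(receiver_public, document: bytes):
    """Sender: a fresh symmetric key encrypts the document; the receiver's
    public key encrypts that symmetric key."""
    n, e = receiver_public
    session_key = secrets.token_bytes(32)        # 256-bit key, always < n
    nonce = secrets.token_bytes(16)
    body = keystream_xor(session_key, nonce, document)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, nonce, body


def hybrid_decrypt(receiver_private, wrapped_key: int, nonce: bytes, body: bytes) -> bytes:
    """Receiver: its private key recovers the symmetric key, which decrypts the body."""
    n, d = receiver_private
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return keystream_xor(session_key, nonce, body)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    wk, nonce, body = hybrid_encrypt(pub, b"quarterly figures (constructed sample text)")
    print(hybrid_decrypt(priv, wk, nonce, body))
```

Only the receiver's private key is needed to unwrap the session key; the public key is used by the sender alone. A second keypair cannot recover the document, which is the property the VPN relies on when it distributes session keys over a public network.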

VPN Security: IPSec

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

[Figure: A remote-access VPN utilizing IPSec. Photo courtesy Cisco Systems, Inc.]
IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet, while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

  • Router to router
  • Firewall to router
  • PC to router
  • PC to server
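The tunnel-versus-transport distinction is easiest to see from the point of view of someone watching the wire. This added example (not code from the page, and not real IPsec framing) builds the same packet both ways with a simplified text "IP header" and an ESP-like wrapper, then shows what a passive observer can read: in transport mode the original endpoint addresses, in tunnel mode only the two gateway addresses. The toy cipher, the header layout and the documentation-range addresses are all constructed for the demo.

```python
"""
Added example (not from the page): transport vs tunnel mode, as seen on the wire.
Simplified sketch only: a fixed-width text header and a SHAKE-256 keystream XOR
stand in for real IP/ESP framing and ESP's cipher.
"""
import hashlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher standing in for ESP's real one; same key and nonce decrypt."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def ip_header(src: str, dst: str) -> bytes:
    """Simplified IP header: just the address pair, padded to a fixed width."""
    return f"{src:>15}>{dst:>15}".encode()


HDR_LEN = 31            # 15 + '>' + 15
ESP_TAG = b"ESP"        # marks where the encrypted part begins


def esp_transport(key, nonce, src, dst, payload):
    """Transport mode: original header stays in clear, only the payload is encrypted."""
    return ip_header(src, dst) + ESP_TAG + keystream_xor(key, nonce, payload)


def esp_tunnel(key, nonce, gw_a, gw_b, src, dst, payload):
    """Tunnel mode: the whole original packet (header + payload) is encrypted
    and carried inside a new outer header between the two gateways."""
    inner = ip_header(src, dst) + payload
    return ip_header(gw_a, gw_b) + ESP_TAG + keystream_xor(key, nonce, inner)


def observer_view(packet: bytes) -> dict:
    """What a passive observer learns: the cleartext header addresses and
    how many bytes are opaque to it."""
    src, dst = packet[:HDR_LEN].decode().split(">")
    return {"src": src.strip(), "dst": dst.strip(),
            "encrypted_bytes": len(packet) - HDR_LEN - len(ESP_TAG)}


def decapsulate(mode: str, key: bytes, nonce: bytes, packet: bytes):
    """Receiving end: returns (inner header, payload) for either mode."""
    body = keystream_xor(key, nonce, packet[HDR_LEN + len(ESP_TAG):])
    if mode == "transport":
        return packet[:HDR_LEN], body
    return body[:HDR_LEN], body[HDR_LEN:]   # tunnel: inner header, then payload


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 16           # constructed demo values
    host_a, host_b = "10.1.1.5", "10.2.2.9"     # internal endpoints
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"  # site gateways
    t = esp_transport(key, nonce, host_a, host_b, b"payroll update")
    u = esp_tunnel(key, nonce, gw_a, gw_b, host_a, host_b, b"payroll update")
    print("transport:", observer_view(t))       # internal addresses visible
    print("tunnel:   ", observer_view(u))       # only gateways visible
```

Transport mode suits host-to-host use (PC to server in the list above) where the endpoints themselves speak IPsec; tunnel mode is what site-to-site gateways use, because it hides the internal addressing as well as the payload.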

VPN Security: AAA Servers

AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

  • Who you are (authentication)
  • What you are allowed to do (authorization)
  • What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
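The three checks, and the NAS-side flow that proxies a connection request through them, are shown in this added example (not code from the page, and not a RADIUS or TACACS+ implementation): authentication with a salted password hash and a constant-time compare, authorization against a per-user permission set, and accounting as start/stop records that feed a per-user usage report. User names, passwords, permissions, addresses and the session format are all constructed for the demo.

```python
"""
Added example (not from the page): a small in-process AAA handler showing
authentication, authorization and accounting. Everything here (users,
permissions, record format) is constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, FrozenSet


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    permissions: FrozenSet[str]       # e.g. {"vpn:connect", "net:finance"}


@dataclass
class AAAServer:
    users: Dict[str, User] = field(default_factory=dict)
    accounting: List[dict] = field(default_factory=list)
    sessions: Dict[str, str] = field(default_factory=dict)   # session id -> user

    def add_user(self, name: str, password: str, permissions) -> None:
        salt, digest = hash_password(password)
        self.users[name] = User(name, salt, digest, frozenset(permissions))

    # Authentication: who you are
    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        # Hash even for unknown users so response time does not reveal valid names.
        salt = user.salt if user else b"\0" * 16
        _, digest = hash_password(password, salt)
        return user is not None and hmac.compare_digest(digest, user.pw_hash)

    # Authorization: what you are allowed to do
    def authorize(self, name: str, action: str) -> bool:
        user = self.users.get(name)
        return user is not None and action in user.permissions

    # Accounting: what you actually do
    def session_start(self, name: str, client_ip: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = name
        self.accounting.append({"event": "start", "session": sid, "user": name,
                                "client": client_ip, "ts": time.time()})
        return sid

    def session_stop(self, sid: str, bytes_in: int, bytes_out: int) -> None:
        name = self.sessions.pop(sid)
        self.accounting.append({"event": "stop", "session": sid, "user": name,
                                "bytes_in": bytes_in, "bytes_out": bytes_out,
                                "ts": time.time()})

    def usage_report(self) -> Dict[str, int]:
        """Total bytes per user from stop records: the billing and audit view."""
        totals: Dict[str, int] = {}
        for rec in self.accounting:
            if rec["event"] == "stop":
                totals[rec["user"]] = (totals.get(rec["user"], 0)
                                       + rec["bytes_in"] + rec["bytes_out"])
        return totals


def handle_connect(server: AAAServer, name: str, password: str, client_ip: str) -> Optional[str]:
    """NAS-side flow: the request is proxied to AAA, and only a user who both
    authenticates and holds vpn:connect gets a session (and a start record)."""
    if not server.authenticate(name, password):
        return None
    if not server.authorize(name, "vpn:connect"):
        return None
    return server.session_start(name, client_ip)


if __name__ == "__main__":
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse", ["vpn:connect", "net:finance"])
    aaa.add_user("bob", "hunter2", ["net:finance"])      # no VPN entitlement
    sid = handle_connect(aaa, "alice", "correct horse", "198.51.100.7")
    print("alice session:", sid)
    print("bob session:", handle_connect(aaa, "bob", "hunter2", "198.51.100.8"))
    aaa.session_stop(sid, 1000, 2500)
    print(aaa.usage_report())
```

Note that a user who authenticates but lacks the `vpn:connect` permission is refused before any session exists, so the accounting log only ever contains sessions that passed both earlier checks; that is what makes it trustworthy for auditing and billing.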