
VPN August 10, 2005

Posted by Coolguy in Networks.
  • Many companies have facilities spread out across the country or around the world
  • Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN).
  • A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases.
  • Many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices
  • A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field
  • Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together
  • Instead of using a dedicated, real-world connection such as a leased line, a VPN uses “virtual” connections routed through the Internet from the company’s private network to the remote site or employee

Benefits of VPN

  • Extend geographic connectivity
  • Improve security
  • Reduce operational costs versus traditional WAN
  • Reduce transit time and transportation costs for remote users
  • Improve productivity
  • Simplify network topology
  • Provide global networking opportunities
  • Provide telecommuter support
  • Provide faster ROI (return on investment) than traditional WAN

Features needed in a well-designed VPN

  • Security
  • Reliability
  • Scalability
  • Network management
  • Policy management

Types of VPN

  • Remote-Access VPN
  • Site-to-Site VPN

Remote-Access VPN

  • A user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations
  • The telecommuters can then dial a toll-free number to reach the network access server (NAS) and use their VPN client software to access the corporate network

Site-to-Site VPN

  • Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet
  • Site-to-site VPNs can be one of two types:
  • Intranet-based – If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN
  • Extranet-based – When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment

VPN Security

  • A well-designed VPN uses several methods for keeping your connection and data secure:
    Firewalls
    Encryption
    IPSec
    AAA Server

VPN Security: Firewalls

  • A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through.

VPN Security: Encryption

  • Most computer encryption systems belong in one of two categories:
  • Symmetric-key encryption
  • Public-key encryption
  • In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one.
  • Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP)

VPN Security: IPSec

  • Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication
  • IPSec has two encryption modes: tunnel and transport
  • Tunnel encrypts the header and the payload of each packet
  • Transport only encrypts the payload
  • Only systems that are IPSec compliant can take advantage of this protocol
  • All devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:
    Router to router
    Firewall to router
    PC to router
    PC to server

VPN Security: AAA Servers

  • AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment
  • When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server.
  • AAA then checks the following:
    Who you are (authentication)
    What you are allowed to do (authorization)
    What you actually do (accounting)
  • The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.

VPN Technologies

Components to build VPN might include

  • Desktop software client for each remote user
  • Dedicated hardware such as a VPN concentrator or secure PIX firewall
  • Dedicated VPN server for dial-up services
  • NAS (network access server) used by service provider for remote-user VPN access
  • VPN network and policy-management center

Tunneling

  • Most VPNs rely on tunneling to create a private network that reaches across the Internet
  • Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network.
  • The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network.
  • Tunneling requires three different protocols:
    Carrier protocol – The protocol used by the network that the information is traveling over
    Encapsulating protocol – The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
    Passenger protocol – The original data (IPX, NetBEUI, IP) being carried
  • You can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet
  • Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet

Tunneling: Site-to-Site

  • In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based.
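The carrier/encapsulating/passenger layering described in the tunneling list above and the GRE packaging in this section, as an added example that is not part of the original post: a Python script that wraps a private-address IPv4 passenger packet in a GRE header and a public-address IPv4 carrier header, then unwraps it the way a tunnel endpoint would, rejecting frames whose carrier checksum or protocol is wrong. The addresses are constructed sample values and the GRE header is the basic 4-byte form without checksum, key or sequence fields.

```python
# Added example (not from the original post): GRE-in-IP tunnel framing.
# Carrier = IPv4 (protocol 47), encapsulating = GRE, passenger = IPv4 with a
# private address. All addresses are constructed sample values.
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src: str, outer_dst: str, passenger: bytes) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header + untouched passenger packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(passenger)) + gre + passenger

def gre_decapsulate(frame: bytes) -> dict:
    """Unwrap a GRE-in-IPv4 frame, validating the carrier header as an endpoint would."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[0] >> 4 != 4 or len(frame) < ihl + 4 or ip_checksum(frame[:ihl]) != 0:
        raise ValueError("bad carrier IPv4 header")
    if frame[9] != GRE_PROTO:
        raise ValueError("carrier protocol %d is not GRE" % frame[9])
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C/K/S flags not handled here
        raise ValueError("unsupported GRE header")
    inner = frame[ihl + 4:]
    inner_src = ipaddress.IPv4Address(inner[12:16])
    return {"outer_src": str(ipaddress.IPv4Address(frame[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(frame[16:20])),
            "inner_src": str(inner_src),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            # is_private covers RFC 1918 and other non-globally-routed ranges
            "inner_is_private": inner_src.is_private,
            "passenger": inner}
```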

Tunneling: Remote-Access

  • In a remote-access VPN, tunneling normally takes place using PPP