As a business grows, it might expand to multiple shops or offices across the country and around the world. To keep things running efficiently, the people working in those locations need a fast, secure and reliable way to share information across computer networks. In addition, traveling employees like salespeople need an equally secure and reliable way to connect to their business's computer network from remote locations.
One popular technology to accomplish these goals is a VPN (virtual private network). A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. The VPN uses "virtual" connections routed through the Internet from the business's private network to the remote site or employee. By using a VPN, businesses ensure security -- anyone intercepting the encrypted data can't read it.
VPN was not the first technology to make remote connections. Several years ago, the most common way to connect computers between multiple offices was by using a leased line. Leased lines, such as ISDN (integrated services digital network, 128 Kbps), are private network connections that a telecommunications company could lease to its customers. Leased lines provided a company with a way to expand its private network beyond its immediate geographic area. These connections form a single wide-area network (WAN) for the business. Though leased lines are reliable and secure, the leases are expensive, with costs rising as the distance between offices increases.
Today, the Internet is more accessible than ever before, and Internet service providers (ISPs) continue to develop faster and more reliable services at lower costs than leased lines. To take advantage of this, most businesses have replaced leased lines with new technologies that use Internet connections without sacrificing performance and security. Businesses started by establishing intranets, which are private internal networks designed for use only by company employees. Intranets enabled distant colleagues to work together through technologies such as desktop sharing. By adding a VPN, a business can extend all its intranet's resources to employees working from remote offices or their homes.
This article describes VPN components, technologies, tunneling and security. First, let's explore an analogy that describes how a VPN compares to other networking options.
Analogy: Each LAN is an Island
Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The common means of travel between islands is via ferry. Traveling on the ferry means that you have almost no privacy: Other people can see everything you do.
Let's say that each island represents a private local area network (LAN) and the ocean is the Internet. Traveling by ferry is like connecting to a Web server or other device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you're trying to connect two private networks using a public resource.
Continuing with our analogy, your island decides to build a bridge to another island so that people have an easier, more secure and direct way to travel between the two islands. It is expensive to build and maintain the bridge, even if the islands are close together. However, the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to yet another island that is much farther away, but decides that the costs are simply too much to bear.
This scenario represents having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet are able to connect the islands (LANs). Companies who choose this option do so because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high -- just like trying to build a bridge that spans a great distance.
So how does a VPN fit in? Using our analogy, suppose each inhabitant on your island has a small submarine. Let's assume that each submarine has these amazing properties:
- It's fast.
- It's easy to take with you wherever you go.
- It's able to completely hide you from any other boats or submarines.
- It's dependable.
- It costs little to add additional submarines to your fleet once you've purchased the first one.
Although they're traveling in the ocean along with other traffic, the people could travel between islands whenever they wanted to with privacy and security. That's essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over leased lines. Moreover, the distance doesn't matter, because VPNs can easily connect multiple geographic locations worldwide.
Next, we'll look at what constitutes a good VPN, including its benefits and features.
What Makes a VPN?
A VPN's purpose is providing a secure and reliable private connection between computer networks over an existing public network, typically the Internet. Before looking at the technology that makes a VPN possible, let's consider all the benefits and features a business should expect in a VPN.
A well-designed VPN provides a business with the following benefits:
- Extended connections across multiple geographic locations without using a leased line
- Improved security for exchanging data
- Flexibility for remote offices and employees to use the business intranet over an existing Internet connection as if they're directly connected to the network
- Savings in time and expense for employees to commute if they work from virtual workplaces
- Improved productivity for remote employees
A business might not require all these benefits from its VPN, but it should demand the following essential VPN features:
- Security -- The VPN should protect data while it's traveling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
- Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
- Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.
One interesting thing to note about VPNs is that there are no standards about how to set them up. This article covers network, authentication and security protocols that provide the features and benefits listed above. It also describes how a VPN's components work together. If you're establishing your own VPN, though, it's up to you to decide which protocols and components to use and to understand how they work together.
The next two pages describe two common types of VPN. We'll start with the type that's most synonymous with the term VPN.
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.
There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure. You can read more about tunneling and encryption later in this article.
Large corporations or businesses with knowledgeable IT staff typically purchase, deploy and maintain their own remote-access VPNs. Businesses can also choose to outsource their remote-access VPN services through an enterprise service provider (ESP). The ESP sets up a NAS for the business and keeps that NAS running smoothly.
A remote-access VPN is great for individual employees, but what about entire branch offices with dozens or even hundreds of employees? Next, we'll look at another type of VPN used to keep businesses connected LAN-to-LAN.
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
- Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
- Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN client equipment, described later in this article, can accomplish this goal in a site-to-site VPN.
Now that you know the two types of VPNs, let's look at how your data is kept secure as it travels across a VPN.
Keeping VPN Traffic in the Tunnel
Most VPNs rely on tunneling to create a private network that reaches across the Internet. In our article "How does the Internet work?" we describe how each data file is broken into a series of packets to be sent and received by computers connected to the Internet. Tunneling is the process of placing an entire packet within another packet before it's transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.
This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, can encapsulate outgoing packets and reopen incoming packets. Users (at one end of the tunnel) and IT personnel (at one or both ends of the tunnel) configure the tunnel interfaces they're responsible for to use a tunneling protocol. Also called an encapsulation protocol, a tunneling protocol is a standardized way to encapsulate packets [source: Microsoft]. Later in this article, you can read about the different tunneling protocols used by VPNs.
The purpose of the tunneling protocol is to add a layer of security that protects each packet on its journey over the Internet. The packet is traveling with the same transport protocol it would have used without the tunnel; this protocol defines how each computer sends and receives data over its ISP. Each inner packet still maintains the passenger protocol, such as Internet protocol (IP) or AppleTalk, which defines how it travels on the LANs at each end of the tunnel. (See the sidebar for more about how computers use common network protocols to communicate.) The tunneling protocol used for encapsulation adds a layer of security to protect the packet on its journey over the Internet.
To better understand the relationships between protocols, think of tunneling as having a computer delivered to you by a shipping company. The vendor who is sending you the computer packs the computer (passenger protocol) in a box (tunneling protocol). Shippers then place that box on a shipping truck (transport protocol) at the vendor's warehouse (one tunnel interface). The truck (transport protocol) travels over the highways (Internet) to your home (the other tunnel interface) and delivers the computer. You open the box (tunneling protocol) and remove the computer (passenger protocol).
Now that we've examined data in the tunnel, let's look at the equipment behind each interface.
Equipment Used in a VPN
While a VPN can be configured on generic computer equipment such as standard servers, most businesses opt for dedicated equipment optimized for the VPN and general network security. A small company might have all of its VPN equipment on site or, as mentioned earlier, might outsource its VPN services to an enterprise service provider. A larger company with branch offices might choose to co-locate some of its VPN equipment, meaning that it will set up that equipment in a co-location facility (or colo). A colo is a large data center that rents space to businesses that need to set up servers and other network equipment on a very fast, highly reliable Internet connection.
As mentioned earlier, there is no standard that all VPNs follow in terms of their setup. When planning or extending a VPN, though, you should consider the following equipment:
- Network access server -- As previously described, a NAS is responsible for setting up and maintaining each tunnel in a remote-access VPN.
- Firewall -- A firewall provides a strong barrier between your private network and the Internet. IT staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to help protect against malicious Internet traffic.
- AAA Server -- The acronym stands for the server's three responsibilities: authentication, authorization and accounting. For each VPN connection, the AAA server confirms who you are (authentication), identifies what you're allowed to access over the connection (authorization) and tracks what you do while you're logged in (accounting).
One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS). Despite its name, RADIUS isn't just for dial-up users. When a RADIUS server is part of a VPN, it handles authentication for all connections coming through through the VPN's NAS.
VPN components can run alongside other software on a shared server, but this is not typical, and it could put the security and reliability of the VPN at risk. A small business that isn't outsourcing its VPN services might deploy firewall and RADIUS software on generic servers. However, as a business's VPN needs increase, so does its need for equipment that's optimized for the VPN. The following are dedicated VPN devices a business can add to its network. You can purchase these devices from companies that produce network equipment, such as Cisco:
- VPN Concentrator -- This device replaces an AAA server installed on a generic server. The hardware and software work together to establish VPN tunnels and handle large numbers of simultaneous connections.
- VPN-enabled/VPN-optimized Router -- This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.
- VPN-enabled Firewall -- This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.
- VPN Client -- This is software running on a dedicated device that acts as the tunnel interface for multiple connections. This setup spares each computer from having to run its own VPN client software.
So far, we've looked at the types of VPNs and the equipment they can use. Next, let's take a closer look at the encryption and protocols that VPN components use.
Encryption and Security Protocols in a VPN
Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. You could use encryption to protect files on your computer or e-mails you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it. The most common forms of encryption are symmetric-key encryption or public-key encryption:
- In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.
- In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.
In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. However, a VPN needs more than just a pair of keys to apply encryption. That's where protocols come in. A site-to-site VPN could use either Internet protocol security protocol (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). This framework includes information on what type of packet you're encapsulating and the connection between sender and receiver.
IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server. IPSec consists of two sub-protocols which provide the instructions a VPN needs to secure its packets:
- Encapsulated Security Payload (ESP) encrypts the packet's payload (the data it's transporting) with a symmetric key.
- Authentication Header (AH) uses a hashing operation on the packet header to help hide certain packet information (like the sender's identity) until it gets to its destination.
Networked devices can use IPSec in one of two encryption modes. In transport mode, devices encrypt the data traveling between them. In tunnel mode, the devices build a virtual tunnel between two networks. As you might guess, VPNs use IPSec in tunnel mode with IPSec ESP and IPSec AH working together [source: Friedl].
In a remote- access VPN, tunneling typically relies on Point-to-point Protocol (PPP) which is part of the native protocols used by the Internet. More accurately, though, remote-access VPNs use one of three protocols based on PPP:
- L2F (Layer 2 Forwarding) -- Developed by Cisco; uses any authentication scheme supported by PPP
- PPTP (Point-to-point Tunneling Protocol) -- Supports 40-bit and 128-bit encryption and any authentication scheme supported by PPP
- L2TP (Layer 2 Tunneling Protocol) -- Combines features of PPTP and L2F and fully supports IPSec; also applicable in site-to-site VPNs
Throughout this article, we've looked at the types of VPNs and the components and protocols that they use. Over time, people have developed new and better technologies to use in networks, which improves the features of existing VPNs. VPN-specific technologies, though, such as tunneling protocols, haven't changed much in that time, perhaps because current VPNs do such a good job at to keep businesses connected around the world. Tunnel on to the next page for lots more information about virtual private networks.
More Great Links
- Cisco. "How Virtual Private Networks Work." Oct. 13, 2008. (April 4, 2011)http://www.cisco.com/application/pdf/paws/14106/how_vpn_works.pdf
- Friedl, Stephen J. "Steve Friedl's Unixwiz.net Tech Tips: An Illustrated Guide to IPSec." Aug. 24, 2005. (April 4, 2011)http://www.unixwiz.net/techtips/iguide-ipsec.html
- Microsoft. "TechNect: VPN Tunneling Protocols." 2011. (April 3, 2011)http://technet.microsoft.com/en-us/library/cc771298(WS.10).aspx
- Pandya, Hiten M. "FreeBSD Handbook: Understanding IPSec." The FreeBSD Documentation Project. (April 4, 2011)http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html