Virtual private network
A Virtual Private Network, or VPN, is a private communications network usually used within a company, or by several different companies or organizations, communicating over a public network. VPN message traffic is carried on public networking infrastructure (e.g. the Internet) using standard (often insecure) protocols.
Generally, a firewall is an access control device that sits between the user's workstation or client and the host network or server. The firewall may pass authentication data to an authentication service in the host network. A known, trusted person with privileged access may be allowed to access resources not available to general users. That is why the user perceives the network as private, even though it is not.
Secure VPNs use cryptographic tunneling protocols to provide the necessary confidentiality (preventing snooping), sender authentication (preventing identity spoofing), and message integrity (preventing message alteration) to achieve the privacy intended. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks.
Because such choice, implementation, and use are not trivial, there are many insecure VPN schemes on the market.
Secure VPN technologies may also be used to enhance security as a 'security overlay' within dedicated networking infrastructures.
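As an added illustration of the three properties named above (confidentiality, sender authentication, message integrity), and not code from the original article: a minimal one-direction tunnel in Go that seals each inner packet with AES-GCM from the standard library. The shared key is assumed to have been agreed out of band, and the key, the sample packet and the names Tunnel, Encapsulate and Decapsulate are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Tunnel is one direction of a minimal secure VPN: each inner packet is sealed with
// AES-256-GCM, so snoopers see only ciphertext and altered or forged packets are rejected.
type Tunnel struct {
	aead cipher.AEAD
	seq  uint64 // per-direction packet counter, used as the GCM nonce
}

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return &Tunnel{aead: aead}, err
}

// Encapsulate returns nonce || ciphertext || tag; the nonce is in clear but authenticated as associated data.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.seq++
	nonce := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], t.seq)
	return t.aead.Seal(nonce, nonce, inner, nonce)
}

func (t *Tunnel) Decapsulate(outer []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(outer) < ns+t.aead.Overhead() {
		return nil, fmt.Errorf("packet too short: %d bytes", len(outer))
	}
	// Open verifies the tag first; any altered bit or a foreign key yields an error, never plaintext.
	return t.aead.Open(nil, outer[:ns], outer[ns:], outer[:ns])
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	s, _ := NewTunnel(key)
	r, _ := NewTunnel(key)
	outer := s.Encapsulate([]byte("constructed inner packet"))
	outer[len(outer)-1] ^= 1          // simulate alteration in transit
	fmt.Println(r.Decapsulate(outer)) // authentication error, no plaintext released
}
```

A real VPN adds what this omits: a key exchange, replay protection using the sequence number, and rekeying before the counter could wrap.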
Secure VPN protocols include the following:
- IPsec (IP security), an obligatory part of IPv6.
- SSL, used either for tunneling the entire network stack, as in OpenVPN, or for securing what is essentially a web proxy. Although the latter is often called an "SSL VPN" by VPN vendors, it is not really a fully fledged VPN.
- PPTP (point-to-point tunneling protocol), developed by Microsoft.
Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. Multi-protocol label switching (MPLS) is commonly used to build trusted VPNs. Other protocols for trusted VPNs include:
- L2F (Layer 2 Forwarding), developed by Cisco.
- L2TP (Layer 2 Tunnelling Protocol), including work by both Microsoft and Cisco.
- L2TPv3 (Layer 2 Tunnelling Protocol version 3).
A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity.
- Improve security where data lines have not been encrypted.
- Reduce operational costs versus traditional WAN.
- Reduce transit time and transportation costs for remote users.
- Improve productivity.
- Simplify network topology in certain scenarios.
- Provide global networking opportunities.
- Provide telecommuter support.
- Provide broadband networking compatibility.
- Provide faster ROI (return on investment) than traditional carrier leased/owned WAN lines.
- Show good economies of scale.
- Scale well, when used with a PKI (Public Key Infrastructure).
However, since VPNs extend the "mother network" to such an extent (almost every employee) and with such ease (no dedicated lines to hire), there are certain security implications that have to receive special attention:
- Security on the client side has to be tightened and enforced. Keywords: Central Client Administration, Security Policy Enforcement.
- The scale of access to the target network may have to be limited.
- Logging must be evaluated and in most cases revised.
External links:
- RFC 2764 - A Framework for IP Based Virtual Private Networks
- Virtual Private Networks (http://www.windowsnetworking.com/articles_tutorials/vpn.html) - a basic article on how VPNs work
- VPN Client Security Issues (http://www.windowsecurity.com/articles/VPN_Client_Security_Issues.html)
- Virtual Private Network Consortium (http://www.vpnc.org/)
- Configure a VPN Connection Using Windows XP (http://www.windowsecurity.com/articles/Configure-VPN-Connection-Windows-XP.html)
- VPN resources (http://vpn.shmoo.com/)
- VPN software information (http://www.vpn-software.info/)
- VPN Labs (http://www.vpnlabs.org/)
- Virtual Private Networking (http://www.windowsecurity.com/articles/Virtual_Private_Networking.html) - What is VPN?
- Use your VPN with a dynamic i.p. address (http://www.TZO.com/)