Virtual Private Networks
Virtual private networks (VPNs) are systems that use public networks to carry private information and maintain privacy through the use of a tunneling protocol and security procedures. By using the shared public infrastructure, these virtual private networks are far more cost effective than were early real private networks which companies built using costly private lines and systems. In a VPN some of the parts of the network are connected using the Internet (the public infrastructure). Data that travel over the Internet are encrypted, so the entire network is "virtually" private. This allows users to share private information over a public infrastructure. A typical VPN application would be one created by a company with offices in different cities. By setting up a VPN the company uses the Internet as the connector between the networks in its two offices effectively merging their networks into one. Encryption is used on all transmissions within the network that use the Internet link, making it a private network.
The public infrastructure that provides the backbone for most VPN systems is the Internet. VPNs can connect remote users and other off-site users (such as vendors or customers) to a larger centralized network. Before the Internet, and the easy availability of high-speed or broadband connections to the Internet, a private network required that a company install proprietary and very expensive communication lines. The expense of such an investment put private networks out of the reach of most mid- to small-size firms. This is no longer the case. This fact, along with the universal appeal of the Internet, has enabled the rapid spread of VPN technology. The result is remote access that is quicker, more secure, and wider in scope.
STRUCTURAL OVERVIEW OF VPN SYSTEMS
In the most basic terms, a computer network is a group of computers that are connected with cable. Usually, one or more computers act as a server within the group. A network may also be formed with computers that communicate through wireless connections, but the wireless signal must be caught and transmitted by hardware that is located reasonably near both the sending and receiving machines.
Companies have long networked computers. Until the advent of the Internet, however, the entire infrastructure of these networks had to be built by the companies themselves. They had to purchase and lay cables to connect their computers. They had to purchase and install boosters or repeaters to augment the signals transmitted through cables when large distances were involved. They had to lease high-capacity, dedicated phone lines in order to connect computers or networks in remote locations. They had to build or lease transmission towers in order to send wireless signals long distances, and they had to purchase and install the systems used to send and receive these signals. Not surprisingly, most companies did not go far beyond networking computers in a single building, since the cost of the infrastructure required for anything larger was prohibitive.
With the advent of the Internet and the growth in availability of high speed, broadband communication lines, new technologies were developed to use the Internet as the conduit through which to connect remote computers or networks. A company no longer had to absorb the full cost of building the infrastructure needed for wide area networks (WANs).
The communications protocols that regulate and make the Internet possible are also the basis for the protocols necessary to operate virtual private networks. The underlying collection of protocols is called transmission control protocol/Internet protocol, or TCP/IP for short. The security protocols used by traditional VPNs are collectively called IPSec (IP Security).
A virtual private network is, basically, a network in which some of its components are connected to one another through the Internet. Software written to use IPSec is used to establish these Internet connections. The connections created in this way are called tunnels, through which all transactions between the two authenticated computers on either end of the tunnel may transmit privately across the public Internet.
A VPN can be set up to connect single-client PCs with a company's local-area network (LAN). This sort of VPN is usually called a client-to-LAN VPN. It enables companies whose employees travel extensively or work remotely to equip those employees with a computer that uses the VPN to access the company network and work on it like any other employee from just about anywhere, as long as they have access to the Internet. Small companies may set up a client-to-LAN VPN through which all the employees access a central server from their home offices.
A LAN-to-LAN VPN is one that connects two networks together instead of connecting individual client computers to a single LAN. The mechanisms behind these two types of VPN are the same. A LAN-to-LAN system is useful for connecting a branch office network to a corporate headquarters network, or a warehouse network to a supplier's network. The options are many.
THE COST OF VIRTUAL PRIVATE NETWORKS
The costs of implementing a virtual private network are reasonable for any company that already has a network and high-speed access to the Internet. For those with networks in place, the two biggest cost components of a VPN are the software and its set-up, and the need in many cases to upgrade the Internet connection service. Because a VPN uses the Internet address of the network server as the access point for those logging on to the system through the Internet, a company must have a static IP address. Internet Service Providers usually charge slightly more for a service that holds the IP address static.
The software needed to manage a VPN is commonly sold as a part of many network operating systems. Setting up this software takes networking knowledge but can be done by any competent network administrator or network outsourcing supplier.
When a business decides to use an outside provider, it is immediately eliminating any costs for purchasing and maintaining the necessary equipment. The most the business will have to do is maintain security measures (usually a firewall) as well as provide the servers that will help authenticate users. Of course, this too can be done by an outside provider for an additional price. Outsourcing also cuts down on the number of employees that would be required to manage and maintain the virtual private network.
For a firm that does not already have a computer network with Internet access, the task of setting up a VPN is a much larger undertaking.
VIRTUAL PRIVATE NETWORKS AND SECURITY
Virtual private network systems are constantly evolving and becoming more secure through four main features: tunneling, authentication, encryption, and access control. These features work separately, but combine to deliver a higher level of security while at the same time allowing all users (including those from remote locations) to access the VPN more easily.
Tunneling creates the connection between a user (either from a remote location or a separate office) and the main LAN. This connection is called a tunnel and is essentially the circuit-like path that transfers encrypted private information through the Internet. It requires an IP address, an Internet address to which the client PC can direct itself, that serves as a pointer to the company network. Unlike other IP addresses, this one is not open to the public but is rather a gateway through which VPN users may enter and, after authentication and logging on, have access to the network.
To avoid crowded connections, a tunneling feature called "switching" was developed. This feature helps differentiate between direct and remote users to determine which connections should receive the highest priority. The switching can either be programmed directly into the virtual private network or upgraded so that the hardware recognizes each connection on an individual basis.
Incoming callers to the virtual private network are identified and approved for access through features called authentication and access control. These features are usually set up by the IT manager who enters a user's individual identification code or password into the main server, which cuts down on the chances that the network can be manipulated from outside the company. Authentication also offers the chance to regulate access to the material on the LAN so that users can be provided access to specific information only.
Encryption is the security measure that allows information on virtual private networks to be scrambled so that it becomes meaningless to unauthorized users. Encrypted data is eventually unscrambled at the end of the tunnel by a user with the proper authorization. This process is usually done via a private IP address that encrypts the information before it leaves the LAN or a remote location.
Despite these precautions, some companies are still hesitant to transfer highly sensitive and private information over the Internet via a virtual private network and still resort to tried-and-true methods of communication for such data.
THE PERFORMANCE OF VIRTUAL PRIVATE NETWORKS
The latest wave of virtual private networks features self-contained hardware solutions (whereas previously they were little more than software solutions and upgrades to existing LAN equipment). Since they are now self-contained, this VPN hardware does not require an additional connection to a network and therefore cuts down on the use of a file server and LAN, which makes everything run a bit more smoothly. These new VPNs are small and easy to set up and use, but still contain all of the necessary security and performance features.
In order for a virtual private network to perform properly, the server must have enough bandwidth to accommodate the number of users active at any one time. The number of remote users can also affect a VPN's performance. In addition, new technology that requires more bandwidth is bound to come out from time to time, and this should be planned for in advance to avoid a potential disruption in performance.
High volumes of traffic are also known to adversely affect the performance of a virtual private network, as is encrypted data. Since encryption technology is often added on via software, this may cause the network to slow down, hindering performance. A more desirable solution is to incorporate encryption technology that uses hardware solutions to keep the network running at the proper speed. New technologies are also constantly emerging that help to decide just how sensitive certain material is (and therefore how intensive the encryption needs to be).
THE FUTURE OF VIRTUAL PRIVATE NETWORKS
As virtual private networks continue to evolve, so does the number of outlets that can host them. Several providers have experimented with running VPNs over cable television networks. This solution offers high bandwidth and low costs, but less security. Other experts see wireless technology as the future of virtual private networks.
A new protocol for VPN systems has emerged in recent years and shows promise for enhancing the flexibility of VPNs. The traditional VPN system was based on Internet protocol security. The new protocol is based on Secure Sockets Layer or SSL. According to an article in Network World, "The biggest difference between SSL VPNs and traditional IP Security VPNs is that the IP Security standard requires installation of client code on the end user's system, while SSL VPNs focus on making applications available through any Web browser."
The popularity of VPNs continues to grow and evolve, providing companies of all sizes a means with which to leverage the Internet to reduce the costs of communication.
see also Communication Systems; Local Area Networks; Mobile Office; Wide Area Networks
Administrator's Guide to TCP/IP. Second Edition. Tech Republic, June 2003.
Binsacca, Rich. "Virtual Private Networks." Builder. June 2000.
Goldberger, Henry. "The Migration from Frame Relay to IP VPN and VPLS Services." In-Stat Alerts. 2 February 2006.
Hayes, Jim. "Managed Data Services." Communicate. July 2000.
Schnider, Joel. "SSL VPN Gateways." Network World. 12 January 2004.
Winther, Mark. "Avoiding the Challenges of Do-it-Yourself Broadband VPNs." Business Communications Review. February 2006.
Hillstrom, Northern Lights; updated by Magee, ECDI
Virtual Private Network
Corporations have traditionally leased transmission capacity or contracted bandwidth services from common carriers to create their own private wide area network (WAN). However, a WAN is expensive to create and maintain. The economics and technology justifying a WAN drastically changed in the 1990s due to the following factors:
- Decreasing costs for Internet connectivity;
- Increasingly higher bandwidth connections to the Internet; and
- Mature encryption technology for secure Internet communications.
These changes made feasible a new type of network called a Virtual Private Network (VPN) which provides all the features of a private WAN for a fraction of the cost.
A Virtual Private Network is simply a secure system of connectivity over a public network—a private network on a public network infrastructure (the Internet). A VPN is "virtual" in the sense that it has no corresponding physical network but rather shares physical circuits with other traffic. A VPN is "private" in the sense that it isolates and secures Internet traffic using routing and encryption respectively.
How Does It Work?
There are different types of VPNs corresponding to the different layers within the TCP/IP protocol suite: Data Link, Network, Transport, and Application Layers. The most common VPN in use provides secure dial-up (data link) access. Here, a remote user connects to the Internet through an Internet Service Provider (ISP). Software on the user's computer creates a secure, virtual circuit or tunnel to the company's VPN gateway. The benefits include lower costs through the elimination of long distance telephone charges, improved security through the integration of the latest security technology, and unparalleled flexibility, since any Internet connection from dial-up can be used as a VPN connection.
The key to a VPN is tunneling. VPN traffic is logically routed separately from other traffic by tunneling mechanisms, which repackage data from one network to another. Tunneling at the network layer between a source and a destination wraps (encapsulates) each packet with a new header and forwards it into a tunnel with a destination address of the tunnel endpoint. When the packet reaches the tunnel endpoint, the header is unwrapped (decapsulated) and the packet is forwarded to its original destination. A VPN can thus be created by a collection of tunnels.
Tunneling does not ensure privacy, since even encapsulated IP packets are typically transported in plain text. This is clearly a problem if a corporation wants to use the Internet to transmit important business information. Privacy is ensured by cryptography. "End-to-end" encryption to individual end systems provides the highest level of security. "Tunnel mode" encryption is performed between intermediate routers, leaving traffic between the end system and the first-hop router in plain text. Any corruption of operation or interception of traffic at tunnel endpoints will compromise the entire VPN. Hackers foiled in attempts to crack network traffic may instead target client machines. To help maintain security and privacy, a Certificate Authority (CA) is needed to issue and manage digital certificates for VPN devices and users.
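The following is an added worked example, not code from either article, showing the network-layer tunneling described above (and the tunnel of the first article's "Structural Overview" and "Security" sections): an inner IPv4 packet is encapsulated with an outer header addressed to the tunnel endpoint, the endpoint verifies and strips that header, and the original packet is recovered for forwarding. It uses IP-in-IP encapsulation (IANA protocol number 4) built from the Python standard library only; the addresses, the payload and the absence of a real TCP header are all constructed sample data. The final function makes the article's privacy point concrete: the inner payload is byte-for-byte visible in the encapsulated packet, which is why encryption, not tunneling alone, is what protects it.

```python
"""IP-in-IP tunnel encapsulation and decapsulation on constructed packets.
No packets are sent on a network; everything is built and inspected in memory."""
import socket
import struct

IP_PROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
IP_PROTO_TCP = 6    # used only as the inner packet's protocol field
IPV4_HDR_LEN = 20   # minimal IPv4 header, no options
IPV4_HDR_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet with correct total length and header checksum."""
    total_len = IPV4_HDR_LEN + len(payload)
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header, refusing malformed input before trusting fields."""
    if len(packet) < IPV4_HDR_LEN:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_HDR_FMT, packet[:IPV4_HDR_LEN])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if ipv4_checksum(packet[:IPV4_HDR_LEN]) != 0:
        raise ValueError("bad header checksum")
    if total_len != len(packet):
        raise ValueError("length field does not match packet size")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[IPV4_HDR_LEN:]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap the whole inner packet in an outer header for the endpoint."""
    return build_ipv4(tunnel_src, tunnel_dst, IP_PROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, my_address: str) -> bytes:
    """Tunnel endpoint: accept only packets addressed to us that carry IP-in-IP,
    strip the outer header and return the original packet for forwarding."""
    outer = parse_ipv4(outer_packet)
    if outer["dst"] != my_address:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if outer["proto"] != IP_PROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    inner = outer["payload"]
    parse_ipv4(inner)  # validate the inner header before handing it to the router
    return inner


def tunnel_roundtrip() -> dict:
    """Constructed scenario: a branch host sends to an HQ host through a tunnel
    between two gateways (documentation-range addresses, constructed payload)."""
    payload = b"QUARTERLY FIGURES (constructed sample payload)"
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IP_PROTO_TCP, payload)
    on_the_wire = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(on_the_wire, "203.0.113.1")
    return {
        "delivered_to": parse_ipv4(recovered)["dst"],
        "intact": recovered == inner,
        # Tunneling alone hides nothing: anyone on the path sees the payload.
        "plaintext_visible_in_transit": payload in on_the_wire,
    }


if __name__ == "__main__":
    print(tunnel_roundtrip())
```

`decapsulate` refuses packets that are not addressed to the endpoint or that do not carry the tunnel protocol, the minimal checks a gateway performs before it trusts an encapsulated packet; in a real IPSec tunnel the inner packet would additionally be encrypted and authenticated (ESP), so `plaintext_visible_in_transit` would be false.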
VPNs have been implemented for both data and voice. The idea of using a public network to create the illusion of a private network devoted exclusively to VPN subscribers is not new. The first packet network VPN was created in 1975 when BBN delivered the first Private Line Interface (PLI) packet encryption devices to protect classified data for transmission over the U.S. Department of Defense's ARPANET. Another example is CENTREX service, which has been offered for many years by local telephone companies as a central office switch service providing private data and voice networks. In 1985 AT&T began offering software-defined networks (SDNs) for private voice networks based on dedicated and later switched connections; users were billed differently for on-net and off-net calls.
There are several strong motivations for building VPNs: (1) to make a standard corporate computing environment "transparent" to users; (2) to secure communications; and (3) to take advantage of the cost efficiencies of a common public infrastructure versus building and operating a private WAN. A VPN also increases flexibility since global Internet connections can be established and released on-demand. Internet connectivity is also a VPN's major disadvantage: it is difficult to guarantee quality-of-service (QoS) over the Internet since aggregate traffic flows can be unpredictable. Service Level Agreements (SLAs) between Internet Service Providers (ISPs) and corporations are an evolving contractual solution designed to guarantee QoS based upon throughput, availability, and response time thresholds. One example of a large VPN is the U.S. State Department, which is implementing a VPN to connect all its embassies around the world.
see also E-commerce; Network Design; Networks; Telecommunications; Security; World Wide Web.
William J. Yurcik
In 2002 the U.S. State Department was developing a Virtual Private Network (VPN) to coordinate the government's thirty agencies with overseas offices. This network will allow Internet access to e-mail and other communications between agencies, as well as the distribution of information—unclassified, of course.