VIRTUAL PRIVATE NETWORK
A Virtual Private Network (VPN) is a group of two or more computer systems, connected to a private network with limited public-network access, that communicate securely over a public network such as the Internet. VPNs may exist between an individual machine and a private network (client-to-server) or between a remote LAN and a private network (server-to-server). Most VPNs include encryption, strong authentication of remote users or hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network.
There are two basic ways to create a VPN connection:
Gateway to gateway
Host to gateway
A gateway is a device that features VPN server capabilities. An example of a gateway is the Cable/DSL VPN Router. The Router functions as a VPN server, creating a “tunnel” or channel between itself and a remote location, so that data transmissions between them are secure. A host is a device, such as a computer, with VPN host software installed. Microsoft Windows 2000 and XP have built-in VPN host software; other versions of Microsoft operating systems require additional, third-party software applications to be installed.
Gateway to Gateway
An example of a gateway-to-gateway VPN would be a Cable/DSL VPN Router (gateway) linked to the central office’s VPN server (gateway). At home, a telecommuter uses his Cable/DSL VPN Router for his always-on Internet connection. His Router has a built-in VPN server configured with his office’s VPN settings. He starts up the Router’s utility and connects to the VPN server at the central office 40 miles* away. Using the VPN, the telecommuter now has a secure connection to the central office’s network, as if he were physically connected.
Host to Gateway
An example of a host-to-gateway VPN would be a notebook computer (host) linked to the central office’s VPN server (gateway). In her hotel room, a traveling business person dials up her ISP. Her notebook computer has VPN host software configured with her office’s VPN settings. She starts up the VPN host software and connects to the VPN server at the central office 4000 miles* away. Using the VPN, the business person now has a secure connection to the central office’s network, as if she were physically connected.
There are three broad categories of VPN products:
• hardware-based systems.
• firewall-based VPNs.
• standalone VPN application packages.
*Distances are examples only; VPNs have no distance limitations.
The majority of hardware-based VPN systems are encrypting routers. They are secure and easy to use, since they provide the nearest thing to “plug and play” encryption equipment available. Since they don’t waste processor overhead in running an operating system or applications, they provide the highest network throughput of all VPN systems. However, they may not be as flexible as software-based systems.
The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.
Firewall-based VPNs take advantage of the firewall’s security mechanisms, including restricting access to the internal network. They also perform address translation; satisfy requirements for strong authentication; and serve up real-time alarms and extensive logging. Most commercial firewalls also “harden” the host operating system kernel by stripping out dangerous or unnecessary services, providing additional security for the VPN server. OS protection is a major plus, since very few VPN application vendors supply guidance on OS security. Performance may be a concern, especially if the firewall is already loaded – however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system.
Software-based VPNs are ideal in situations where both endpoints of the VPN are not controlled by the same organization (typical for client support requirements or business partnerships), or when different firewalls and routers are implemented within the same organization. Currently, standalone VPNs offer the most flexibility in network traffic management. Many software-based products allow traffic to be tunneled based on address or protocol, unlike hardware-based products, which generally tunnel all the traffic they handle, regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic – some that may need transport over a VPN (such as entries to a database at headquarters) and some that do not (such as Web surfing). In situations where performance requirements are modest (such as users connecting over dial-up links), software-based VPNs may be the best choice.
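As an added illustration (not code from the original article) of the address- and protocol-based tunneling just described, the following Python evaluates a constructed split-tunnel policy and contrasts it with a gateway that tunnels everything it handles; the prefixes, rule list and function names are assumptions made up for this example.

```python
import ipaddress

# Constructed split-tunnel policy (assumption, not from any real product):
# (destination prefix, protocol or None for any, send through tunnel?)
# The most specific matching prefix decides; unmatched traffic goes direct.
TUNNEL_RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), None, True),        # headquarters LAN
    (ipaddress.ip_network("10.200.0.0/16"), None, False),    # site-local subnet, keep direct
    (ipaddress.ip_network("192.168.50.0/24"), "tcp", True),  # database subnet, TCP only
]


def classify(dst_ip, proto, rules=TUNNEL_RULES, tunnel_all=False):
    """Return 'tunnel' or 'direct' for a flow to dst_ip using proto.

    tunnel_all=True mimics a hardware gateway that tunnels every flow
    regardless of address or protocol; tunnel_all=False applies the
    software-style per-address / per-protocol policy.
    """
    if tunnel_all:
        return "tunnel"
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, tunnel?) of the most specific match so far
    for net, rule_proto, tunnel in rules:
        if addr in net and (rule_proto is None or rule_proto == proto):
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, tunnel)
    if best is None:
        return "direct"          # e.g. ordinary Web surfing bypasses the VPN
    return "tunnel" if best[1] else "direct"


def classify_flows(flows, **kw):
    """Classify a list of (dst_ip, proto) pairs; returns (dst_ip, proto, verdict)."""
    return [(dst, proto, classify(dst, proto, **kw)) for dst, proto in flows]


# Constructed sample flows (TEST-NET address used for the public destination).
SAMPLE_FLOWS = [
    ("10.1.2.3", "tcp"),        # headquarters database
    ("10.200.4.4", "tcp"),      # local subnet carved out of the 10/8 rule
    ("192.168.50.10", "tcp"),   # database subnet over TCP
    ("192.168.50.10", "udp"),   # same subnet, protocol not covered by the rule
    ("203.0.113.5", "tcp"),     # public Web server
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

Anything classified "direct" leaves the host unprotected by the VPN, which is why tunnel_all is the safer default when remote endpoints cannot be trusted to carry a correct policy.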
In summary, a VPN is a private connection between two machines or networks over a shared or public network. In practical terms, VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. In other words, VPNs turn the Internet into a simulated private WAN.
The Internet’s appeal is its global presence, and its use is now standard practice for most users and organizations. As the need for communication links continues to grow, VPNs become increasingly relevant because they provide security, are cost-efficient, and are quick to implement.