VPN is one of those acronyms that describes a revolutionary technology few people appear to be using. The confusion and misinformation that swirls around VPN (virtual private network) may be the reason for this perception. In this article, we’ll focus on VPN, including the basics about how it works and the definitions of some of the buzzwords that surround this new technology.
VPN is a new way to connect your users to your network. The technology has drawn a good deal of speculation and criticism about its security and reliability. On the flip side, VPN has also received its fair share of exaggeration about its merits, including claims that it is destined to replace all dedicated T1s, frame-relay circuits, and other proven connections.
How VPN works
So what can VPN really do for you? It can provide low-cost, reliable, and secure connections to your local area network (LAN) for commuters and remote office users. How does it work? VPN essentially takes two systems, or networks, connected to the Internet and creates a secure connection using encapsulation and encryption. VPN also uses authentication and routing to further increase security and functionality.
When using a client-to-server VPN (see box below), a remote client requests a resource from its corporate LAN. The computer then dials up an ISP to connect to the Internet and creates a logical connection to the corporate VPN server. This VPN server authenticates the client and manages encapsulation and encryption on the communications between the client and the resources on the corporate LAN.
The graphic above depicts a client-to-server VPN where a remote user connects to a corporate VPN server using Point-to-Point Tunneling Protocol (PPTP). PPTP lets an enterprise extend its corporate network through private “tunnels” over the public Internet. With this type of interconnection, a company no longer needs to lease its own lines for wide-area communication. Instead, it can use the public network because the tunneled PPP frames are encrypted (with MPPE, in the Windows implementation) before they are sent through the tunnel.

The graphic below depicts a basic server-to-server VPN. Both diagrams show very simplified solutions. In reality, VPN servers usually sit behind a firewall as part of the corporate network’s demilitarized zone (DMZ). Setting up a VPN usually involves some trial and error on both the client and the server side. Once VPN is up and running, however, it is typically reliable if you have a dependable Internet connection on both ends.

For more on VPN with Windows products, see Microsoft’s site on Virtual Private Networking or Nortel’s VPN Tutorial.
Sorting out VPN terminology
A VPN has its own subset of buzzwords, such as tunnels, PPTP, L2TP, GRE, CHAP, IPSec, and other concepts. How do they fit into the VPN picture? Let’s start with the most confusing concept—tunneling.
A VPN tunnel is a logical concept for illustrating the transfer of private data packets across the Internet, which is mostly full of packets that anyone on the path can read quite easily. A tunnel is not a private, dedicated path across the Internet from one spot to another; it is simply the route taken by the encapsulated packets between the two networks, and an attacker sitting on that route can still capture them. What protects the contents is the encryption applied inside the tunnel: without the key, the captured payload is unreadable ciphertext. Keep in mind that encapsulation alone provides no confidentiality. A bare GRE or L2TP tunnel with no MPPE or IPSec protection carries the inner frames in the clear. The tunneling protocols discussed here, PPTP and L2TP, encapsulate PPP frames, so they operate at the Data Link Layer (Layer 2) of the OSI reference model; IPSec tunnel mode, by contrast, encapsulates whole IP packets at Layer 3.
In a Windows environment, VPN tunneling is made possible by one of two protocols—PPTP or L2TP. In a UNIX or Linux environment SSH can be used for VPN. Cisco has a VPN protocol called L2F, and there are others. But we will focus on PPTP and L2TP for Windows networks, with an emphasis on Windows 2000, the most comprehensive Windows platform for VPN.
PPTP provides user authentication and data encryption following a protocol that has been used in Windows NT networks for several years. It uses TCP port 1723 for its control connection and carries the tunneled PPP frames in GRE (IP protocol 47), so any firewall in the path must permit both. For authentication, PPTP can use the same authentication protocols as PPP, such as CHAP, PAP, and SPAP. For encryption, however, the user must authenticate with MS-CHAP (preferably MS-CHAP v2), because MPPE link encryption derives its session keys from the MS-CHAP exchange. Those keys are in turn derived from the user’s password hash, so the encryption is no stronger than the password behind it. Published cryptanalysis of PPTP (Schneier and Mudge, 1998) found serious weaknesses in MS-CHAP v1 and in the way MPPE used its keys, so treat PPTP as the least secure of the options described here.
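To make the PPP authentication step concrete, here is an added example, not code from the article, from Microsoft or from any VPN product, of a CHAP exchange as specified in RFC 1994, the plain CHAP that PPTP and L2TP inherit from PPP. The server and peer names, the shared secret and the packet bytes are all constructed for the example, and the `Authenticator` class and helper functions are this example’s own. It shows why a fresh random challenge matters: the secret never crosses the wire, and a captured response cannot be replayed against a later challenge. MS-CHAP follows the same challenge/response shape but replaces the MD5 computation with one based on the Windows password hash.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Added example (not from the article, Microsoft or any VPN product): a CHAP
# challenge/response exchange as specified in RFC 1994, the PPP authentication
# that PPTP and L2TP inherit. All names, secrets and packet bytes are constructed.

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Challenge/Response packet: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    data = bytes([len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Decode a Challenge/Response packet into (code, identifier, value, name), checking lengths."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("CHAP Length field does not match packet size")
    size = packet[4]
    value, name = packet[5:5 + size], packet[5 + size:]
    if len(value) != size:
        raise ValueError("CHAP Value truncated")
    return code, identifier, value, name


def build_result(code: int, identifier: int, message: bytes) -> bytes:
    """Success/Failure packet: Code(1) Identifier(1) Length(2) Message."""
    return bytes([code, identifier]) + (4 + len(message)).to_bytes(2, "big") + message


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The VPN server side: issues one fresh challenge at a time and checks the peer's response."""

    def __init__(self, name: bytes, secrets: Dict[bytes, bytes]):
        self.name = name
        self.secrets = secrets            # peer name -> shared secret (constructed database)
        self.outstanding = None           # (identifier, challenge) awaiting a response

    def challenge(self) -> bytes:
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)        # unpredictable, so an old response cannot be replayed
        self.outstanding = (identifier, challenge)
        return build_packet(CHALLENGE, identifier, challenge, self.name)

    def verify(self, response_packet: bytes) -> bytes:
        code, identifier, value, name = parse_packet(response_packet)
        if code != RESPONSE or self.outstanding is None or identifier != self.outstanding[0]:
            return build_result(FAILURE, identifier, b"no matching challenge")
        _, challenge = self.outstanding
        self.outstanding = None           # each challenge accepts exactly one response
        secret = self.secrets.get(name)
        if secret is None:
            return build_result(FAILURE, identifier, b"unknown peer")
        expected = chap_response(identifier, secret, challenge)
        if hmac.compare_digest(expected, value):   # constant-time comparison
            return build_result(SUCCESS, identifier, b"welcome")
        return build_result(FAILURE, identifier, b"bad response")


def peer_respond(challenge_packet: bytes, peer_name: bytes, secret: bytes) -> bytes:
    """The client side: hash the challenge with the shared secret; the secret never leaves the client."""
    code, identifier, challenge, _server_name = parse_packet(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return build_packet(RESPONSE, identifier, chap_response(identifier, secret, challenge), peer_name)


def run_handshake(server: Authenticator, peer_name: bytes, peer_secret: bytes) -> bool:
    """Drive one complete exchange; True when the server answers Success."""
    result = server.verify(peer_respond(server.challenge(), peer_name, peer_secret))
    return result[0] == SUCCESS


def replay_is_rejected(server: Authenticator, peer_name: bytes, peer_secret: bytes) -> bool:
    """An eavesdropper who captured a valid Response cannot reuse it against a later challenge."""
    captured = peer_respond(server.challenge(), peer_name, peer_secret)
    if server.verify(captured)[0] != SUCCESS:       # the legitimate exchange succeeds
        raise RuntimeError("legitimate exchange should succeed")
    server.challenge()                              # the server later issues a new challenge
    return server.verify(captured)[0] == FAILURE    # replaying the old packet fails


if __name__ == "__main__":
    server = Authenticator(b"vpn-server", {b"alice": b"example shared secret"})
    print("correct secret accepted:", run_handshake(server, b"alice", b"example shared secret"))
    print("wrong secret rejected:  ", not run_handshake(server, b"alice", b"password"))
    print("replay rejected:        ", replay_is_rejected(server, b"alice", b"example shared secret"))
```

One caveat the example makes visible: the response is a deterministic function of the challenge and the secret, so an eavesdropper who records a challenge/response pair can test guesses for the secret offline at leisure. That is why the strength of the shared secret or password matters more than the hash algorithm, and why MS-CHAP’s dependence on the user’s password hash bounds the strength of the MPPE keys derived from it.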
Around the same time that Microsoft created PPTP, Cisco created its own L2F protocol for VPN. Microsoft and Cisco collaborated to produce a single VPN tunneling protocol, and the result was L2TP. Like PPTP, L2TP tunnels PPP frames and so inherits PPP’s user authentication; on its own, however, it does not encrypt. The Windows 2000 implementation pairs it with IPSec (L2TP/IPSec), which adds mutual computer authentication, data origin authentication, and data integrity, and which encrypts every tunneled packet between the two endpoints instead of relying on MPPE link encryption. In that combination the computer is authenticated by IPSec (typically with a machine certificate) and the user by the PPP authentication protocol running inside the tunnel. L2TP is still a young technology, and Microsoft has only just begun supporting it with the release of Windows 2000, but it is clear that the future of VPN is moving in this direction. For more detailed information on this standard, see RFC 2661.
Whether you use PPTP or L2TP, there are a few more core concepts you should understand about setting up a VPN. You can set up a VPN using two general configurations: client-to-server and server-to-server. A server-to-server VPN allows remote office networks to connect to corporate LAN resources. VPN servers on both ends of the Internet connection authenticate each other, create the tunnel between the two networks, and allow a secure exchange between the networks. Keep in mind, however, that encapsulation and encryption add protocol overhead: every tunneled packet gains an outer IP header, a GRE (or L2TP/IPSec) header, and a PPP header, a few dozen bytes that are the same whether the inner packet is 60 bytes or 1,500. For the small packets typical of interactive traffic, that can approach the 30 percent figure often quoted; for full-size packets it is only a few percent. Slow dial-up connections will therefore feel a little slower, but they will still function reliably for file transfer and other basic remote access functions.
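The encapsulation and the overhead arithmetic, as an added example that is not from the article and not Microsoft’s or any VPN product’s code. It builds and parses the enhanced GRE header PPTP uses (RFC 2637) around a PPP packet and computes the bytes added per tunneled packet. The call ID, sequence numbers and inner packet bytes are constructed, and the `tunnel_overhead` helper and header-size constants are this example’s own. It also shows the point made earlier about tunnels: without MPPE, the inner packet is carried verbatim and is visible to anyone capturing the GRE traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not from the article or any VPN product): PPTP's "enhanced GRE"
# header (RFC 2637 section 4.1) around a PPP packet, plus the per-packet overhead
# arithmetic. Call IDs, sequence numbers and packet contents are constructed.

GRE_FLAG_K = 0x2000       # Key present: the Payload Length / Call ID word
GRE_FLAG_S = 0x1000       # Sequence Number present (set whenever a payload is carried)
GRE_FLAG_A = 0x0080       # Acknowledgment Number present
GRE_VERSION_MASK = 0x0007
GRE_VERSION_ENHANCED = 1  # version 1 = enhanced GRE, as used by PPTP
PPTP_PROTOCOL_TYPE = 0x880B
PPP_PROTO_IPV4 = 0x0021   # PPP Protocol field value for an IPv4 datagram
OUTER_IPV4_HEADER = 20    # the IP header that carries GRE (IP protocol 47), no options


@dataclass
class GrePacket:
    call_id: int              # the peer's Call ID, assigned over the TCP/1723 control connection
    seq: Optional[int]        # sequence number, None for an ack-only packet
    ack: Optional[int]        # piggybacked acknowledgment, or None
    ppp_packet: bytes         # RFC 1661 packet: Protocol(2) + Information, no HDLC flags or CRC


def ppp_packet(protocol: int, information: bytes) -> bytes:
    """Build the PPP packet that PPTP carries: a 2-byte Protocol field, then the data."""
    return struct.pack("!H", protocol) + information


def encapsulate(pkt: GrePacket) -> bytes:
    """Prefix the PPP packet with an enhanced GRE header; the result is the outer IP datagram's payload."""
    flags = GRE_FLAG_K | GRE_VERSION_ENHANCED
    if pkt.seq is not None:
        flags |= GRE_FLAG_S
    if pkt.ack is not None:
        flags |= GRE_FLAG_A
    header = struct.pack("!HHHH", flags, PPTP_PROTOCOL_TYPE, len(pkt.ppp_packet), pkt.call_id)
    if pkt.seq is not None:
        header += struct.pack("!I", pkt.seq)
    if pkt.ack is not None:
        header += struct.pack("!I", pkt.ack)
    return header + pkt.ppp_packet


def _u32(data: bytes, offset: int) -> int:
    if len(data) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", data[offset:offset + 4])[0]


def decapsulate(data: bytes) -> GrePacket:
    """Parse a GRE payload, validating the fixed fields before trusting Payload Length."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", data[:8])
    if (flags & GRE_VERSION_MASK) != GRE_VERSION_ENHANCED or proto != PPTP_PROTOCOL_TYPE:
        raise ValueError("not a PPTP enhanced-GRE packet")
    if not flags & GRE_FLAG_K:
        raise ValueError("Key bit must be set in enhanced GRE")
    offset, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq, offset = _u32(data, offset), offset + 4
    if flags & GRE_FLAG_A:
        ack, offset = _u32(data, offset), offset + 4
    payload = data[offset:offset + length]
    if len(payload) != length:            # never trust a length field that exceeds the buffer
        raise ValueError("Payload Length exceeds received data")
    return GrePacket(call_id, seq, ack, payload)


def tunnel_overhead(inner_len: int, with_ack: bool = False) -> Tuple[int, float]:
    """Bytes added around an inner IP packet of inner_len bytes, and the ratio to inner_len."""
    gre_len = 8 + 4 + (4 if with_ack else 0)          # fixed header + sequence (+ ack)
    added = OUTER_IPV4_HEADER + gre_len + 2            # outer IPv4 + GRE + PPP Protocol field
    return added, added / inner_len


def inner_visible_on_wire(wire: bytes, inner: bytes) -> bool:
    """True when the inner packet appears verbatim in the GRE payload, i.e. no MPPE was applied."""
    return inner in wire


if __name__ == "__main__":
    # Constructed inner IPv4 datagram: a header-like prefix followed by filler bytes.
    inner = b"\x45\x00\x00\x3c" + b"A" * 56
    wire = encapsulate(GrePacket(call_id=7, seq=1, ack=None,
                                 ppp_packet=ppp_packet(PPP_PROTO_IPV4, inner)))
    print("GRE flags/version word:", hex(struct.unpack("!H", wire[:2])[0]))
    print("round trip ok:", decapsulate(wire).ppp_packet[2:] == inner)
    print("inner packet readable without MPPE:", inner_visible_on_wire(wire, inner))
    # The added bytes are constant, so the percentage falls as packets grow. A full
    # 1500-byte inner packet would not fit the outer link's MTU, which is why the
    # PPP interface MTU on a tunnel is lowered below the physical MTU.
    for size in (60, 576, 1400):
        added, ratio = tunnel_overhead(size)
        print(f"{size:5d}-byte packet: +{added} bytes ({ratio:.1%})")
```

MPPE, when negotiated, adds its own small header in front of the encrypted PPP payload and L2TP/IPSec adds an ESP header and trailer, so real figures are slightly higher than this bare-GRE calculation; the shape of the curve, heavy for tiny packets and light for large ones, is the same.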
PPTP—Point-to-Point Tunneling Protocol
L2TP—Layer Two Tunneling Protocol
TCP—Transmission Control Protocol
GRE—Generic Routing Encapsulation
L2F—Layer 2 Forwarding
CHAP—Challenge Handshake Authentication Protocol
PAP—Password Authentication Protocol
SPAP—Shiva Password Authentication Protocol
MPPE—Microsoft Point-to-Point Encryption
IPSec—Internet Protocol Security
VPN—Virtual Private Network
DSL—Digital Subscriber Line
XML—Extensible Markup Language
ASP—Application Service Provider
RAS—Remote Access Services
ISDN—Integrated Services Digital Network
Summing it all up
VPN can offer some great advantages over traditional remote access and dedicated lines. With the dynamic nature of organizations these days, remote access users and offices can change very rapidly. Rather than investing in expensive RAS ports and dedicated lines (e.g., ISDN and frame-relay circuits), a company can increase the bandwidth of its corporate Internet connection and support remote VPN servers and clients dynamically, on an as-needed basis. While this may not be the ideal solution in every case, it does allow companies to set up remote access faster and more flexibly when a new need arises. It also makes better use of resources, since different users and connections can connect at different times and share the same infrastructure rather than requiring separate ones. And, for those who are counting, all of this can add up to serious savings.
If you have familiarity with VPN, we want to know. Drop us a line on your experience with setting up a VPN, and if we use your response for a future article, we will send you a nifty TechRepublic T-shirt.