The Internet has grown in the last few years larger than anyone ever imagined it could be. As it is now widely recognized that the Internet is the simplest way to communicate and share data, more and more companies rely on it for connecting their offices worldwide.
The first implementation for sharing information between global offices was the use of leased lines to maintain a Wide Area Network (WAN). Leased lines (ranging from ISDN to OC12) provided a company with a way to expand its private network beyond its geographic area.
The WAN answered the needs of each company – security, better performance, reliability etc. – but maintaining a WAN with an OC3 connection can become quite expensive. The cost is a function of distance: as the distance increases, the cost rises, and vice versa. Another solution was the famous intranet.
Basically, if a company wanted to use an intranet to share information between global or local offices, it set up a password-protected site (usually with basic HTTP authentication) for use by its employees. Once again, this method answered all the needs of the company except security.
Nowadays, more and more companies are creating their own virtual private network to accommodate their needs. A VPN, or virtual private network, is an Internet service network that establishes a private connection over shared public facilities. A VPN acts as a bridge between two or more Local Area Networks (LANs) across the Internet. VPN connections manage authentication between servers and clients and protect traffic with data encryption. VPNs were designed so that access is permitted to authorized users only. VPNs allow users to reach the same network resources, addresses, and so forth as if they were connected locally. VPNs provide a secure service because data is sent in encrypted form between the client and the VPN server – this makes it harder to capture sensitive information, but not impossible. Companies and other global services use one of the following VPN types:
Virtual Private Dial-up Network
VPDN, or Virtual Private Dial-up Network, is used to allow a user, or users, to connect to a remote LAN from any place in the world. A connection to a LAN via VPDN uses the Network Access Server (NAS) of the regional service provider (RSP). A login name and password are sent to the NAS in the format login@domain, e.g. firstname.lastname@example.org. Next, if VPDN is enabled, the NAS authorizes the domain portion. If domain authorization fails, the NAS authenticates the user as a non-VPDN user; if it succeeds, a tunnel is established (using a tunnel ID and the home gateway IP address). Only then is the user authenticated.
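The NAS decision sequence just described, as an added illustration that is not part of the original article: split the login at the domain, authorize the domain against the VPDN table (falling back to a non-VPDN login when it fails), and only then check the user's credentials. The domain table, the user database and the password check are constructed stand-ins; in a real VPDN the user would be authenticated at the home gateway, not locally.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration: domain -> (tunnel ID, home gateway IP).
VPDN_DOMAINS = {
    "example.org": ("tun-17", "203.0.113.10"),
}

def _pw_hash(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2 so the sample database never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user database: login -> (salt, password hash).
USERS = {
    "firstname.lastname@example.org": (b"salt-a", _pw_hash(b"salt-a", "correct horse")),
    "localuser": (b"salt-b", _pw_hash(b"salt-b", "battery staple")),
}

@dataclass
class Outcome:
    vpdn: bool                       # was a VPDN tunnel selected?
    authenticated: bool              # did the user's credentials check out?
    tunnel_id: Optional[str] = None
    home_gateway: Optional[str] = None

def nas_login(login: str, password: str, vpdn_enabled: bool = True) -> Outcome:
    """Model of the NAS flow: authorize the domain first, then authenticate the user.

    A login without a domain, or with a domain the NAS does not know, is treated
    as an ordinary non-VPDN user rather than rejected outright.
    """
    domain = login.rsplit("@", 1)[1] if "@" in login else None
    tunnel = VPDN_DOMAINS.get(domain) if (vpdn_enabled and domain) else None

    ok = False
    record = USERS.get(login)
    if record is not None:
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        ok = hmac.compare_digest(stored, _pw_hash(salt, password))

    if tunnel is None:
        return Outcome(vpdn=False, authenticated=ok)
    return Outcome(vpdn=True, authenticated=ok, tunnel_id=tunnel[0], home_gateway=tunnel[1])
```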
Site-to-site (STS) based VPN is a private network utilizing the Internet. This type of application provides levels of security, privacy and manageability that are similar to networks based upon private leased lines (see above). Site-to-Site VPN can be either:
Intranet-based Site-to-Site VPN
This type of application is used to connect two, or more, networks over the intranet using a Router-to-Router VPN connection. It is mainly used where networks are hidden or contain sensitive information (secure networks). It is also used to enable a remote connection over the intranet to a network that is hidden or secure and is physically disconnected from the intranet.
Extranet-based Site-to-Site VPN
This type of application is used when two LANs wish to join in a single private network and to work in a shared environment, for example, partners, customers etc.
At the beginning of the article I wrote that a VPN provides a secure environment for a company. In this section I'll discuss three major methods of securing the connection.
An AAA Server, or Authentication, Authorization and Accounting Server, is a server program that handles user requests for access. Networks interface with the AAA server via RADIUS – Remote Authentication Dial-In User Service.
The first process – authentication – provides a way to identify the user, typically by having the user enter a valid login name and password. Each user has a unique set of criteria, which is stored in a database. Following authentication, a user must gain authorization to perform certain tasks (what the user is allowed to do). Each user has his/her own policies, which determine what commands may be executed, what types of resources and services the user is permitted to use, etc. The last step, accounting, acts as a logger: it records data transferred, sessions, usage information etc.
A VPN requires two factors to create a secure connection – tunneling and encryption. Encryption plays the major role in creating a secure connection. Tunneling creates the network; encryption makes it secure by scrambling data so that only those who have the right key can decode it. Most computer systems use either symmetric-key encryption or public-key encryption (for more details see below).
IPSec, or Internet Protocol Security, provides IP network-layer encryption. IPSec offers two operation modes – transport and tunnel. In transport mode, only the IP payload is encrypted, and the IP headers are left intact. This mode doesn't provide a defense against spoofing attacks or network analysis: the IP header travels in the clear, so an attacker can read it and use it to mount an attack. In tunnel mode, the entire datagram is encrypted.
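To make the transport/tunnel distinction concrete, here is an added example (not code from the original article) that builds a minimal IPv4 datagram and shows which bytes a passive observer still sees in each mode. The cipher is a keyed counter-mode stand-in built from HMAC-SHA256, not IPSec's ESP, and the key, nonce and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP = 50                      # IP protocol number carried by the outer header
KEY = bytes(range(32))        # constructed demo key, not from any real IKE exchange
IPV4_FMT = "!BBHHHBBH4s4s"    # version/IHL, TOS, total length, id, flags, TTL, proto, csum, src, dst

def ip_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left as zero for brevity)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: counter mode with HMAC-SHA256 as the PRF. Symmetric, so it
    also decrypts. It only models 'encrypted bytes are opaque to an observer'."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack("!I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def transport_mode(src: str, dst: str, payload: bytes, nonce: bytes) -> bytes:
    """Transport mode: the end hosts' own addresses stay in the clear, only the payload is hidden."""
    body = nonce + keystream_xor(KEY, nonce, payload)
    return ip_header(src, dst, len(body), proto=ESP) + body

def tunnel_mode(src: str, dst: str, payload: bytes, nonce: bytes,
                gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner datagram (header included) is encrypted and
    wrapped in a new outer header that names only the two gateways."""
    inner = ip_header(src, dst, len(payload)) + payload
    body = nonce + keystream_xor(KEY, nonce, inner)
    return ip_header(gw_src, gw_dst, len(body), proto=ESP) + body

def observer_view(packet: bytes) -> dict:
    """Everything a passive observer learns from the unencrypted outer header."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "len": total_len}

def decrypt_body(packet: bytes, nonce_len: int = 8) -> bytes:
    """Peer side: strip the outer header and undo the stand-in cipher."""
    nonce, ct = packet[20:20 + nonce_len], packet[20 + nonce_len:]
    return keystream_xor(KEY, nonce, ct)
```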
A word about tunneling
Tunneling lets the two ends of the VPN communicate across the Internet. Since the Internet doesn't speak the same language as your network does, a tunnel packages the data you're sending so that the Internet can carry it.