VPN

VPN Motivation

Why is it useful to employ virtual private networks for business communication? After all, separate private networks have been set up to serve the specific communication needs of many businesses. What advantages do you gain by converting the existing separate private networks to an Internet-based VPN?
Ubiquitous Coverage

The Internet offers far wider coverage compared with the private data network infrastructures offered by telecommunication providers. Adding new destinations to a private network means adding new circuits.

Unlike the Internet, which has public and private peering points all over the world, few interconnection agreements exist between the service providers. Thus, the coverage of a private network is limited.

The Internet, on the other hand, is a vast interconnection of heterogeneous networks. Any host connected to a network that is connected to the Internet is in turn connected to any other host connected to a network connected to the Internet.
Cost Reduction

Another advantage gained by using an Internet-based VPN is cost reduction based on the system's economy of scale. Simply put, it eliminates the need to purchase and maintain several special-purpose infrastructures to serve the different types of communication needs within a corporation.
Security

VPNs use cryptographic technology to provide data confidentiality and integrity for the data in transit. Authentication and access control restrict access to corporate network resources and services.

In traditional private networks, the security of the data during transit relies on the telecommunication service provider's physical security practices for data confidentiality. For example, frame relay networks have no built-in provision for encrypting data frames. Consequently, data frames, if intercepted, can be easily decoded. In VPNs, you need not trust the perceived physical security of the telecommunication service provider. Instead, data is protected by cryptography.
E-Commerce

More and more business is being conducted using the Internet. Electronic commerce is not only a major new method of retailing merchandise (called "B2C" for business-to-consumer e-commerce), but it is also a way for businesses to trade goods and services among themselves (called "B2B" for business-to-business e-commerce). Interconnectivity of businesses is essential, and the Internet is the logical choice for the interconnection technology.

E-commerce must be secure. Private networks use physical separation for security, but it is impractical to have a separate infrastructure for each customer or B2B partner. Therefore, a closed, inflexible private network is not well suited for supporting e-commerce. A public infrastructure is more flexible but lacks security. VPNs provide both interconnectivity and security.
1.1 Business Communication

There are many types of business communication. Broadly speaking, business communication can be classified into three categories:

· Internal communication. The message is limited to selected internal audiences. For example, a corporation may periodically distribute an updated company employee directory to all its employees. Confidentiality is essential.

· Selected external communication. The message is intended for selected external audiences. For example, a retail store may want to order a product from its supplier. Although not all communications of this type are considered proprietary, one company's business with another is generally confidential.

· Communication with public and other external audiences. The message is intended for general public consumption. Sometimes, the wider the audience the message reaches, the better. For example, a company may place a 30-second commercial during a sporting event to reach a large audience. At other times, a targeted message is designed to cater to a specific audience to maximize its impact. This type of communication is generally not confidential.

Businesses have traditionally used specialized technologies for these different types of communication and have managed them separately.
The Convergence of Business Communication

Although businesses have a variety of communication types, and hence the need for different modes of communication, the digitization of information, and the creation of computer networks to deliver it, has been a unifying factor. Internal memos are now emails, and employee directories are kept in databases. Orders can be placed online. The World Wide Web provides a means for publishing sophisticated product brochures. Although there will always be the need for traditional forms of information dissemination, much business communication is converging on a digital network.

The computer networking technologies are also converging. There used to be many types and formats of computer networks, each developed by a different vendor. IBM offered Systems Network Architecture (SNA) for its mainframe and minicomputers. Digital had DECnet, used in the once-popular VAX computing environment. In the PC environment, Novell's NetWare was dominant and is still fairly widely used for PC interconnections. Nonetheless, with the development of the Internet, most computer networks have migrated to an IP-based infrastructure. IP, the Internet Protocol, serves as the common format for all connected network devices on the Internet.
Private Networks

To meet their information infrastructure needs, corporations have invested heavily in internal networks called intranets. Intranets serve the employees at the corporate site, but not employees on the road or telecommuting from home. To accommodate the remote access needs of "road warriors" and telecommuters, companies have set up remote access servers to extend intranets into the field. Usually, a bank of modems allows these users to dial in through public switched telephone networks (PSTNs). Furthermore, employees at branch offices require access to the same information and the same resources, so private lines are used to interconnect the various sites to make one corporate-wide intranet.

Special arrangements are sometimes made to allow business partners to have limited access to some part of the corporate intranet. These networks, usually called extranets, provide the means to improve the efficiency of business information flow.

Each form of access to the intranet is a separate private networking solution. This is true even when some aspects of each solution, such as the underlying networking protocols used, are the same. Each form of access also has its own requirements for privacy, requirements that are met by keeping data transmission on separate dedicated channels.
Public Networks

It is also imperative for a corporation to exchange information outside the established private networks. This requires access to a public networking infrastructure such as the Internet.

In addition, the public network opens a new avenue of commerce. It is now unthinkable for a corporation not to have a presence on the World Wide Web. For many companies, such as Amazon.com, there is no "brick and mortar" storefront. The only place where they face customers is in cyberspace.
Virtual Private Networks

Protection of private corporate information is of utmost importance when designing an information infrastructure. However, the separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements.

The Internet, on the other hand, is inexpensive but does not by itself ensure privacy. Virtual private networking is the collection of technologies applied to a public network, the Internet, to provide solutions for private networking needs. VPNs use secure, encrypted tunnels, rather than physical separation, to keep communications private.

This introduction to VPNs covers the evolution of the VPN market, and the latest technologies and solutions.
Advantages of VPNs

VPNs promise two main advantages over competing approaches: cost savings, and scalability (which is really just a different form of cost savings).
The Low Cost of a VPN

One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines.

With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service. Another way VPNs reduce costs is by lessening the need for long-distance telephone charges for remote access.

Recall that to provide remote access service, VPN clients need only call into the nearest service provider's access point. In some cases this may require a long-distance call, but in many cases a local call will suffice.

A third, more subtle way that VPNs may lower costs is through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access, for example. Service providers can in theory charge much less for their support than it costs a company internally, because the public provider's cost is shared amongst potentially thousands of customers.
Scalability and VPNs

The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two.

However, as an organization grows and more sites must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. Mathematicians call this phenomenon a "combinatorial explosion," and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically distributed access already available.

Compared to leased lines, Internet-based VPNs offer greater global reach, given that Internet access points are accessible in many places where dedicated lines are not available.
Disadvantages of VPNs

With the hype that has surrounded VPNs historically, the potential pitfalls or "weak spots" in the VPN model can be easy to forget. These four concerns with VPN solutions are often raised.

1. VPNs require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment.

2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.

3. VPN technologies from different vendors may not work well together due to immature standards.

4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.
What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In this respect, a VPN is a form of WAN. The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security.

A VPN supports at least three different modes of use:

Remote access client connections
LAN-to-LAN internetworking
Controlled access within an intranet
VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and marketing "hype" surrounds VPN. In reality, VPNs provide just a few clear potential advantages over more traditional forms of wide-area networking. These advantages can be quite significant, but they do not come for free.

The potential problems with the VPN outnumber the advantages and are generally more difficult to understand. The disadvantages do not necessarily outweigh the advantages, however. From security and performance concerns, to coping with a wide range of sometimes incompatible vendor products, the decision of whether or not to use a VPN cannot be made without significant planning and preparation.
Technology Behind VPNs

Several network protocols have become popular as a result of VPN developments:

PPTP
L2TP
IPsec
SOCKS

These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other.
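The authentication role described above can be illustrated with a nonce-based challenge/response exchange between a VPN client and server. The following is an added example written for this page, not code from the original article or from any VPN product; the client identifier, shared secret and message layout are constructed assumptions, not a real VPN protocol. It shows both sides' messages, why the server must issue a fresh random challenge per attempt, and how a wrong secret, a replayed response and an unknown client are all rejected.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: the shared secret each client must prove it
# holds. Demo values only; a deployment would use a directory service or
# certificates, and would authenticate the server to the client as well.
CLIENT_SECRETS = {"alice-laptop": b"constructed-secret-alice"}


class VpnServer:
    """Server side of a nonce-based challenge/response exchange."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db
        self.pending = {}  # client_id -> challenge that has not been answered yet

    def challenge(self, client_id):
        """Step 1 (server -> client): a fresh 128-bit random challenge per attempt."""
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = nonce
        return nonce

    def verify(self, client_id, response):
        """Step 3: check the client's response. Each challenge is single-use,
        so a captured response cannot be replayed against a later challenge."""
        nonce = self.pending.pop(client_id, None)
        secret = self.secrets_db.get(client_id)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # constant-time comparison so timing does not leak the tag
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """Step 2 (client -> server): prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(server, client_id, secret):
    """Drive one complete three-step exchange and return the server's verdict."""
    nonce = server.challenge(client_id)
    return server.verify(client_id, client_respond(secret, nonce))


def demo():
    """Exercise the success path and three failure modes."""
    server = VpnServer(CLIENT_SECRETS)
    good = run_exchange(server, "alice-laptop", CLIENT_SECRETS["alice-laptop"])
    wrong = run_exchange(server, "alice-laptop", b"guessed-secret")

    # Replay: a response captured during a legitimate session is presented
    # again for a later challenge; the nonce differs, so it fails.
    nonce1 = server.challenge("alice-laptop")
    captured = client_respond(CLIENT_SECRETS["alice-laptop"], nonce1)
    server.verify("alice-laptop", captured)  # the legitimate use
    server.challenge("alice-laptop")         # new session, new nonce
    replay = server.verify("alice-laptop", captured)

    unknown = run_exchange(server, "mallory", b"whatever")
    return {"good": good, "wrong_secret": wrong,
            "replay": replay, "unknown_client": unknown}


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {'accepted' if accepted else 'rejected'}")
```

Only the client proves its identity here; a VPN also needs the server to prove who it is (for example with a certificate), otherwise a client could be lured into tunnelling to a server that merely claims the right address.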
The Future of VPN

The success of VPNs in the future depends mainly on industry dynamics. Most of the value in VPNs lies in the potential for businesses to save money. Should the cost of long-distance telephone calls and leased lines continue to drop, fewer companies may feel the need to switch to VPNs for remote access. Conversely, if VPN standards solidify and vendor products interoperate fully with each other, the appeal of VPNs should increase.

The success of VPNs also depends on the ability of intranets and extranets to deliver on their promises. Companies have had difficulty measuring the cost savings of their private networks, but if it can be demonstrated that these provide significant value, the use of VPN technology internally may also increase.
VPN technology is based on the idea of tunneling. Network tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within IP packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
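The encapsulation just described can be made concrete with a small tunnel model. The following is an added example written for this page, not code from the original article or from any VPN product: an inner IPv4 packet between two private addresses is wrapped in a toy tunnel header, protected with an HMAC-SHA256 tag, and carried as the payload of an outer IP packet between the two tunnel endpoints. The tunnel header layout, key and all addresses are constructed assumptions (the 203.0.113.x and 198.51.100.x values are documentation ranges standing in for the endpoints' public addresses). It demonstrates the integrity and anti-replay side of "keeping the tunnel secure"; confidentiality would add a cipher on top, which the standard library does not provide, so it is left out here.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real tunnel negotiates keys per session.
TUNNEL_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32                       # HMAC-SHA256 output length
TUN_HDR = struct.Struct("!IH")     # toy tunnel header: sequence number, inner length
OUTER_HDR_LEN = 20                 # minimal IPv4 header without options


def build_ipv4(src, dst, payload, proto=17):
    """Build a minimal IPv4 header (no options, checksum left zero) + payload."""
    def to_bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, OUTER_HDR_LEN + len(payload), 0, 0, 64, proto, 0,
                         to_bytes(src), to_bytes(dst))
    return header + payload


def ipv4_addrs(pkt):
    """Return (src, dst) dotted-quad strings of an IPv4 packet."""
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))


def encapsulate(inner, key, seq):
    """Wrap an inner packet: tunnel header + inner packet + tag over both."""
    header = TUN_HDR.pack(seq, len(inner))
    tag = hmac.new(key, header + inner, hashlib.sha256).digest()
    return header + inner + tag


def decapsulate(tunnel_pkt, key, last_seq):
    """Verify tag and sequence number, then return (inner, seq).
    Raises ValueError if the packet was altered, replayed or truncated."""
    if len(tunnel_pkt) < TUN_HDR.size + TAG_LEN:
        raise ValueError("truncated tunnel packet")
    header = tunnel_pkt[:TUN_HDR.size]
    inner = tunnel_pkt[TUN_HDR.size:-TAG_LEN]
    tag = tunnel_pkt[-TAG_LEN:]
    expected = hmac.new(key, header + inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: modified packet or wrong key")
    seq, inner_len = TUN_HDR.unpack(header)
    if inner_len != len(inner):
        raise ValueError("inner length mismatch")
    if seq <= last_seq:
        raise ValueError(f"replayed or reordered packet (seq {seq} <= {last_seq})")
    return inner, seq


def send_through_tunnel(inner, seq):
    """Client side: encapsulate, then place the result in a carrier IP packet."""
    return build_ipv4("203.0.113.10", "198.51.100.20",
                      encapsulate(inner, TUNNEL_KEY, seq))


def receive_from_tunnel(outer, last_seq):
    """Server side: strip the carrier header, verify and unwrap."""
    return decapsulate(outer[OUTER_HDR_LEN:], TUNNEL_KEY, last_seq)


def demo():
    """Run a valid packet, a tampered copy and a replay through the tunnel."""
    inner = build_ipv4("10.0.1.5", "10.0.2.7", b"hello from branch office")
    outer = send_through_tunnel(inner, seq=1)
    recovered, seq = receive_from_tunnel(outer, last_seq=0)
    results = {"outer_addrs": ipv4_addrs(outer),
               "inner_addrs": ipv4_addrs(recovered),
               "payload_intact": recovered == inner,
               "seq": seq}

    # An on-path modification of the inner destination address (first octet at
    # inner offset 16, i.e. 20 outer + 6 tunnel header bytes further in).
    tampered = bytearray(outer)
    tampered[OUTER_HDR_LEN + TUN_HDR.size + 16] ^= 0x01
    try:
        receive_from_tunnel(bytes(tampered), last_seq=0)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # The same valid packet delivered a second time trips the sequence check.
    try:
        receive_from_tunnel(outer, last_seq=seq)
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The outer header is what the Internet routes on; the inner header, with its private addresses, only becomes meaningful again after the receiving endpoint has verified the tag. Without the tag a frame-relay-style link would accept the rewritten address silently, which is the weakness the Security section above describes.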
Two Types of VPN Tunneling

VPN supports both voluntary and compulsory tunneling. Both types of tunneling can be found in practical use.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP) (also Network Access Server (NAS) or Point of Presence (POP) server). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively moves control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEPs.
VPN Tunneling Protocols

Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model, thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) in OSI.
Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption. This page describes IP-based VPN technology over the Internet, though an organization might deploy VPNs on its internal nets (intranets) to encrypt sensitive information. We also have some performance numbers. The basic idea is to provide an encrypted IP tunnel through the Internet that permits distributed sites to communicate securely. The encrypted tunnel provides a secure path for network applications and requires no changes to the application.
http://www.justvb.net/it/