History Of The Virtual Private Network

History Of The Virtual Private Ne devilrkA VPN supplies realistic electronic net linkivity everywhere a possibly long physical distance. The key feature of a VPN, however, is its ability to use public engagements like the ne cardinalrk rather than imprecate on personal leased lines which consume valuable recourse and extra cost . VPN technologies implement restricted- regain net whole kit that utilize the same(p) cabling and r starters as a public profit, and they do so without sacrificing features or basic security , a simple cooperation office and opposed branched VPN shown in below diagram .Sonicw solely_VpnA VPN supports at to the lowest degree three different modes of use as shown aboveRemote access client friendships.LAN-to-LAN inter mesh topologying .Controlled access within an intranet .A several network protocols have go popular as a result of VPN developments state as following PPTPL2TPIPsecThese protocols emphasize authentication and encryption in VPNs. Aut hentication allows VPN clients and hordes to correctly establish the identicalness of people on the network. Encryption allows potentially sensitive data to be concealed from the general public. Many vendors have developed VPN ironware and/or software program products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each former(a) till now.Virtual semi reclusive networks have grown in popularity as businesses to dispense with m un bear uponabley on remote network access for employees. Many corporations have as well as adopted VPNs as a security solution for private Wi-Fi piano tuner networks. Expect a continued gradual expansion in use of VPN technology to continue in the coming years.Objectives-A virtual private network can resolve many of the issues associated with todays private networks.Cost The cost of such links is high especially when they involve international locations. Even when VPNs are use on a provider private ne twork, it would still be less expensive.Mobility of workforce Many companies are encouraging telecommunications to reduce their investment in tangible estate, reduce traffic, and reduce pollution from automobileE-commerce applications However, in traditional private networks, this kind of special access provision is difficult to incorporate because it is not unproblematic to install dedicated link to all suppliers and business partners, nor it is flexible because a change in the supplier would quest de- episode the link and installing another mavin to the new vendor.Advantages of VPNVPNs promise two main payoffs everyplace competing approaches cost savings, and scalability (that is really just a different form of cost savings).The Low Cost of a VPNOne track a VPN lowers costs is by eliminating the need for expensive trunk bawl leased lines. With VPNs, an transcription ask only a relatively goldbrick dedicated connection to the service provider. This connection could be a topical anesthetic anaesthetic leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service.Another way VPNs reduce costs is by lessening the need for long-distance telephone charges for remote access. Recall that to provide remote access service, VPN clients need only call into the nearest service providers access straits. In some cases this may require a long distance call, but in many cases a local call will suffice.A third, more subtle way that VPNs may lower costs is by means of offloading of the support burden. With VPNs, the service provider rather than the organization must(prenominal) support dial-up access for example. Service providers can in theory charge much less for their support than it costs a federation indwellingly because the public providers cost is shared amongst potentially thousands of guests.Scalability and VPNsThe cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A party with two branch offices, for example, can position just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two.However, as an organization grows and more companies must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. Mathematicans call this phenomenon a combinatorial explosion, and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by manifestly tapping into the geographically-distributed access already visible(prenominal).Disadvantages of VPNsWith the hype that has surrounded VPNs historically, the potential pitfalls or weak spots in the VPN model can be easy to forg et. These four concerns with VPN solutions are often raised.1. VPNs require an in-depth pinch of public network security issues and proper deployment of precautions.2. The availability and surgery of an organizations wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.3. VPN technologies from different vendors may not work well together due to immature standards.4. VPNs need to accomodate protocols other than IP and existing internal network technology.Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs cyberspace VPNS FOR REMOTE ACCESSIn recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute. Employees also continue to travel and face a ripening need to stay connected to their lodge netwo rks. A VPN can be organise up to support remote, protected access to the corporate home offices over the Internet. An Internet VPN solution uses a client/ waiter design works as follows1. A remote host (client) wanting to log into the company network first connects to any public Internet Service supplier (ISP).2. Next, the host initiates a VPN connection to the company VPN server. This connection is made via a VPN client installed on the remote host.3. Once the connection has been established, the remote client can communicate with the internal company systems over the Internet just as if it were a local host.Before VPNs, remote workers accessed company networks over private leased lines or through dialup remote access servers. While VPN clients and servers careful require installation of hardware and software, an Internet VPN is a superior solution in many situations.VPNS FOR INTERNETWORKINGBesides using virtual private networks for remote access, a VPN can also noseband two net works together. In this mode of operation, an full remote network (rather than just a single remote client) can join to a different company network to form an extended intranet. This solution uses a VPN server to VPN server connection.Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two oddballsIntranet-based If a company has one or more remote locations that they wish to join in a single private network, they can manufacture an intranet VPN to connect LAN to LAN.Extranet-based When a company has a close relationship with another company (for example, a partner, supplier or client), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.vpn-typeINTRANET / LOCAL NETWORK VPNSInternal networks may also utilize VPN technology to implement controlled access to individual subnets within a private network. In this mode of operation, VPN clients connect to a VPN server that acts as the network gateway. This type of VPN use does not involve an Internet Service Provider (ISP) or public network cabling. However, it allows the security benefits of VPN to be deployed inside an organization. This approach has become especially popular as a way for businesses to protect their WiFi local networks.TUNNELING SITE-TO-SITEIn a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of software system you are encapsulating and information about the connection betwixt the client and server. Instead of GRE, IPSec in dig mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be sup ported at both burrow interfaces to use.TUNNELINGMost VPNs rely on tunneling to create a private network that reaches across the Internet. Es displaceially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is lowstand by the network and both points, called tunnel interfaces, where the packet enters and exits the network.Tunneling requires three different protocolsCarrier protocol The protocol used by the network that the information is traveling overEncapsulating protocol The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original dataPassenger protocol The original data (IPX, NetBeui, IP) being carriedTunneling has amazing implications for VPNs. For example, you can posterior a packet that uses a protocol not supported on the Internet (such as NetBeui) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable ) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.COST SAVINGS WITH A VPNA VPN can save an organization money in several situationsEliminating the need for expensive long-distance leased linesReducing long-distance telephone chargesOffloading support costsVPNS VS LEASED LINESOrganizations historically needed to rent network capacity such as T1 lines to achieve full, secured connectivity between their office locations. With a VPN, you use public network infra organize including the Internet to make these connections and tap into that virtual network through much cheaper local leased lines or even just broadband connections to a nearby Internet Service Provider (ISP). dour DISTANCE PHONE CHARGESA VPN also can replace remote access servers and long-distance dialup network connections commonly used in the past by business travelers needing to access to their company intranet. For example, with an Internet VPN, clients need only connect to the nearest service providers access point that is usually local.SUPPORT COSTSWith VPNs, the cost of containing servers tends to be less than other approaches because organizations can outsource the needed support from professional third-party service providers. These provides enjoy a much lower cost structure through economy of scale by servicing many business clients.VPN NETWORK SCALABILITYThe cost to an organization of building a dedicated private network may be reasonable at first but increases exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations, but 4 branch offices require 6 lines to directly connect them to each other, 6 branch offices need 15 lines, and so on.Internet based VPNs avoid this scalability problem by simply tapping into the public lines and network capability readily available. peculiarly for remote and international locations, an Internet VPN of fers superior reach and quality of service.USING A VPNTo use a VPN, each client must possess the leave networking software or hardware support on their local network and computers. When set up properly, VPN solutions are easy to use and sometimes can be made to work automatically as part of network sign on. VPN technology also works well with WiFi local area networking. both(prenominal) organizations use VPNs to secure wireless connections to their local access points when working inside the office. These solutions provide strong protection without affecting performance excessively.VPN SECURITY IPSECInternet communications protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.vpn-diagram2Photo courtesy Cisco Systems, Inc.A remote-access VPN utilizing IPSecIPSec has two encryption modes tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encry pts the payload. Only systems that are IPSec compliant can expect advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such asRouter to routerFirewall to routerPC to routerPC to serverLIMITATIONS OF A VPNDespite their popularity, VPNs are not utter(a) and limitations exist as is true for any technology. Organizations should consider issues like the below when deploying and using virtual private networks in their operationsVPNs require detailed understanding of network security issues and careful installation / configuration to ensure sufficient protection on a public network like the Internet.The reliability and performance of an Internet-based VPN is not under an organizations direct control. Instead, the solution relies on an ISP and their quality of service.Historically, VPN products and solutions from different vendors have not alway s been compatible due to issues with VPN technology standards. Attempting to mix and match equipment may cause technical problems, and using equipment from one provider may not give as great a cost savings.TYPES OF VPN TUNNELINGVPN supports two types of tunneling wilful and compulsory. Both types of tunneling are commonly used. In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.Compulsory V PN tunneling authenticates clients and associates them with specific VPN servers using logical system built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access innkeeper (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.VPN TUNNELING protocolSSeveral computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.POINT-TO-POINT TUNNELING PROTOCOL (PPTP)Several corporations worked together to create the PPTP specification. People generally associat e PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.LAYER TWO TUNNELING PROTOCOL (L2TP)The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model thus the origin of its name.INTERNET PROTOCOL SECURITY (IPSEC)IPsec is really a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.Using PPTPPPTP packages data within palatoph aryngoplasty packets, then encapsulates the palatopharyngoplasty packets within IP packets (datagrams) for transmission through an Internet-based VPN tunnel. PPTP supports data encryption and compression of these packets. PPTP also uses a form of General Routing Encapsulation (GRE) to get data to and from its final destination.PPTP-based Internet remote access VPNs are by far the most common form of PPTP VPN. In this environment, VPN tunnels are created via the following two-step processThe PPTP client connects to their ISP using PPP dial-up networking (traditional modem or ISDN).Via the broker device (described earlier), PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.PPTP also supports VPN connectivity via a LAN. ISP connections are not required in this case, so tunnels can be created directly as in Step 2 above.Once the VPN tunnel is established, PPTP supports two types of informatio n flowControl messages for managing and eventually tearing down the VPN connection. Control messages pass directly between VPN client and server.Data packets that pass through the tunnel, to or from the VPN clientPPTP CONTROL CONNECTIONOnce the TCP connection is established in Step 2 above, PPTP utliizes a series of control messages to maintain VPN connections. These messages are listed below.No.NameDescription1StartControlConnectionRequestInitiates setup of the VPN session can be sent by either client or server.2StartControlConnectionReplySent in reply to the start connection take (1) contains result code indicating success or failure of the setup operation, and also the protocol magnetic variation number.3StopControlConnectionRequestRequest to close the control connection.4StopControlConnectionReplySent in reply to the stop connection request (3) contains result code indicating success or failure of the close operation.5EchoRequestSent periodically by either client or server to ping the connection (keep alive).6EchoReplySent in response to the echo request (5) to keep the connection active.7OutgoingCallRequestRequest to create a VPN tunnel sent by the client.8OutgoingCallReplyResponse to the call request (7) contains a unique identifier for that tunnel.9IncomingCallRequestRequest from a VPN client to receive an submission call from the server.10IncomingCallReplyResponse to the incoming call request (9), indicating whether the incoming call should be answered.11IncomingCallConnectedResponse to the incoming call reply (10) provides additional call parameters to the VPN server.12CallClearRequestRequest to disconnect either an incoming or outgoing call, sent from the server to a client.13CallDisconnectNotifyResponse to the disconnect request (12) sent back to the server.14WANErrorNotifyNotification periodically sent to the server of CRC, framing, hardware and buffer overruns, timeout and byte alignment errors.15SetLinkInfoNotification of changes in the underl ying PPP options.With control messages, PPTP utlizes a so-called magic biscuit. The PPTP magic cookie is hardwired to the hexadecimal number 0x1A2B3C4D. The purpose of this cookie is to ensure the receiver interprets the incoming data on the correct byte boundaries.PPTP SECURITYPPTP supports authentication, encryption, and packet filtering. PPTP authentication uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering on VPN servers. Intermediate routers and other firewalls can also be configured to selectively filter PPTP traffic.PPTP AND PPPIn general, PPTP relies on the functionality of PPP for these aspects of virtual private networking.authenticating users and maintaining the remote dial-up connectionencapsulating and encrypting IP, IPX, or NetBEUI packetsPPTP directly handles maintaining the VPN tunnel and transmitting data through the tunnel. PPTP also supports some additional security features for VPN data beyond what PPP provides.PPTP PROS AND CONSPPTP remains a popular choice for VPNs thanks to Microsoft. PPTP clients are freely available in all popular versions of Microsoft Windows. Windows servers also can function as PPTP-based VPN servers.One drawback of PPTP is its failure to choose a single standard for authentication and encryption. Two products that both fully comply with the PPTP specification may be in all incompatible with each other if they encrypt data differently, for example. Concerns also persist over the questionable level of security PPTP provides compared to alternatives.RoutingTunneling protocols can be used in a point-to-point topology that would generally not be considered a VPN, because a VPN is expected to support arbitrary and changing sets of network nodes. Since most router implementations support software-defined tunnel interface, customer-provisioned VPNs often comprise simply a set of tunnels over which conventional routing protocols run. PPVPNs, however, need to support the coexistence of multiple VPNs, hidden from one another, but operated by the same service provider.Building blocksDepending on whether the PPVPN runs in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combinations of the two. Multiprotocol give chase teddy (MPLS) functionality blurs the L2-L3 identity.While RFC 4026 generalized these terms to cover L2 and L3 VPNs, they were introduced in RFC 2547.Customer edge device. (CE) In general, a CE is a device, physically at the customer premises, that provides access to the PPVPN service. Some implementations treat it purely as a demarcation point between provider and customer responsibility, while others allow customers to configure it.Provider edge device (PE) A PE is a device or set of devices, at the edge of the provider network, which provides the providers view of the customer site. PEs are apprised of the VPNs that connect through them, and which maintain VPN state.Provider device (P) A P device operates inside the prov iders core network, and does not directly interface to any customer resultant. It might, for example, provide routing for many provider-operated tunnels that belong to different customers PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal office is allowing the service provider to scale its PPVPN offerings, as, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of provider.Categorizing VPN security modelsFrom the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the sure delivery network runs only among physically secure sites, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.Some Internet service providers as of 2009update offer managed VPN ser vice for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. Managed VPNs go beyond PPVPN scope, and are a contracted security solution that can reach into hosts. In addition to providing remote workers with secure access to their employers internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each clients computer.Authentication forrader VPN connectionA known trusted user, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users. Servers may also need to authenticate themselves to join the VPN.A wide variety of authentication mechanisms exist. VPNs may implement authentication in devices including firewalls, access gateways, and others. They may use passwords, biometrics, or cryptographic me thods. Strong authentication involves combining cryptography with another authentication mechanism. The authentication mechanism may require apparent user action, or may be embedded in the VPN client or the workstation.Trusted delivery networksTrusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single providers network to protect the traffic. In a sense, they elaborate on traditional network- and system-administration work.Multi-Protocol Label Switching (MPLS) is often used to overlay VPNs, often with quality-of-service control over a trusted delivery network.Layer 2 Tunneling Protocol (L2TP) which is a standards-based replacement, and a agree taking the good features from each, for two proprietary VPN protocols Ciscos Layer 2 Forwarding (L2F) (obsolete as of 2009update) and Microsofts Point-to-Point Tunneling Protocol (PPTP).Security mechanisms situate VPNs use cryptographic tunneling protocols to provide the intend confidentiality (blocking int ercept and thus packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy.Secure VPN protocols include the followingIPsec (Internet Protocol Security) A standards-based security protocol developed originally for IPv6, where support is mandatory, but also widely used with IPv4.Transport Layer Security (SSL/TLS) is used either for tunneling an entire networks traffic (SSL VPN), as in the OpenVPN project, or for securing individual connection. SSL has been the foundation by a number of vendors to provide remote access VPN capabilities. A practical advantage of an SSL VPN is that it can be accessed from locations that restrict external access to SSL-based e-commerce websites without IPsec implementations. SSL-based VPNs may be vulnerable to Denial of Service attacks mounted against their TCP connections because latter are inherently unauthenticated.DTLS, used by Cisco for a next generation VPN product ca lled Cisco AnyConnect VPN. DTLS solves the issues found when tunneling TCP over TCP as is the case with SSL/TLSSecure Socket Tunneling Protocol (SSTP) by Microsoft introduced in Windows Server 2008 and Windows Vista Service Pack 1. SSTP tunnels Point-to-Point Protocol (PPP) or L2TP traffic through an SSL 3.0 channel.L2TPv3 (Layer 2 Tunneling Protocol version 3), a newupdate release.MPVPN (Multi Path Virtual Private Network). Ragula Systems Development Company owns the registered trademark MPVPN.Cisco VPN, a proprietary VPN used by many Cisco hardware devices. branded clients exist for all platforms open-source clients also exist.SSH VPN OpenSSH offers VPN tunneling to secure remote connections to a network (or inter-network links). This feature (option -w) should not be confused with port forwarding (option -L). OpenSSH server provides limited number of concurrent tunnels and the VPN feature itself does not support personal authentication.VPNs in mobile environmentsMobile VPNs han dle the special circumstances when one endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points. Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and sorry databases, as they travel between different subnets of a mobile network. They are also used in field service management and by healthcare organizations, among other industries.Increasingly, Mobile VPNs are being adopted by mobile professionals and white-collar workers who need reliable connections. They allow users to roam seamlessly across networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot survive such events because the network tunnel is disrupted, causing applications to disconnect, tim e out, fail, or even the reason device itself to crash.Instead of logically tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a virtual IP address that stays with the device. The Mobile VPN software handles the necessary network logins and maintains the application sessions in a manner transparent to the user. The Host Identity Protocol (HIP), under study by the Internet Engineering Task Force, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.ConclusionSo what is a Virtual Private Network? As we have discussed, a VPN can take several forms. A VPN can be between two end-systems, or it can be between two or more networks. A VPN can be built using tunnels o r encryption (at essentially any layer of the protocol stack), or both, or alternatively constructed using MPLS or one of the virtual router methods. A VPN can consist of networks connected to a service providers network by leased lines, Frame Relay, or ATM, or a VPN can consist of dial-up subscribers connecting to central