The rapid evolution of the Internet over the last decade has created the need for new types of communication. Organizations and individuals can now communicate and exchange information regardless of the distance between them. The Internet is widely regarded as the ideal medium for exchanging information because of the very low cost of the connections it provides.
The Internet, however, is a shared public network: the more people and machines connected to it, the larger the exposure and the less secure the environment as a whole. Reports of electronic crime are constant, and that has made organizations reluctant to carry out electronic transactions over the Internet.
The original Internet protocols offered little data security, and the rapid expansion of companies onto the network drove research into making it more trustworthy. One result of that research is the Virtual Private Network (VPN), which provides a virtual connection between companies and organizations with high reliability at very low cost. The idea is to connect geographically remote intranets, or private networks in general, over the existing "insecure" public networks that make up the Internet (fig. 1).
Before analysing the characteristics and architectures of VPNs it is useful to outline how a VPN works and what components it consists of (fig. 2). A host sends data to a VPN device placed at the point where the private network meets the public one (for example at the company's premises, on the link to the provider). The VPN device inspects the data and checks whether it matches the security policy specified by the network administrator. It then protects the data using cryptographic algorithms, or leaves it untouched if the policy says it needs no protection.
When the policy requires protection, the VPN device encrypts the packet. In tunnel mode the whole original packet is encrypted, so the IP addresses of the original sender and receiver are hidden as well. The device then adds a new header, together with an integrity check value (a keyed hash or digital signature), that tells the receiving VPN device on the other side of the network which protection mechanisms were applied and which keys to use. Finally it encapsulates the encrypted packet in a new IP packet addressed to the VPN device at the receiving end. The result is a private tunnel through which the protected data travels across the public network. When the packet reaches the far end, the receiving VPN device performs the reverse operation: it strips the outer header (de-encapsulation), verifies the integrity check and decrypts the packet before forwarding it to the destination host.
The Three VPN Models
As noted above, the type of VPN that seems to prevail in the market is the one built on the technology and architecture of the Internet. That architecture is at once "open" and "shared", and it is precisely this that allows secure communication across hundreds of thousands of devices that could not otherwise be connected.
Three basic VPN models are recognised. They differ mainly in where the two communicating ends (the service end points) are located, in how much network management each requires, in whether they support Quality of Service (QoS), and in the level of trust that has to be placed in the Network Service Provider (NSP).
In the first model, the Pure Provider model, most of the work is done by the provider of network services rather than by the company's own network infrastructure. Usually only one network is involved, the NSP's, and there is a strict separation between the company's network and the NSP's network. Remote access to the company's network is via T1 or T3 leased lines, or possibly ATM or Frame Relay circuits.
The customer company owns all the equipment and software the VPN requires. In the Pure Provider model the NSP sets up VPN tunnels end to end across its network, using the private circuits at both ends to carry the data securely. The NSP controls the whole operation of the VPN and is responsible for resolving any problem that arises in the communication between the ends.
The second model, the hybrid model, depends on both the NSP and the company: the NSP is responsible for the operation of the VPN, the company for its own network. A tunnel is set up inside the NSP's network and terminates inside the company's network. The NSP creates the VPN tunnels on behalf of remote users once their identity has been confirmed (user authentication). After successful authentication users can access the organization's data as if they were connected to its local area network (LAN).
In the third model, end to end, the NSP acts only as a transport for the network services carried through the VPN. Each tunnel end point can be a personal computer or a simple VPN device that acts as a proxy for several PCs, and both end points lie outside the boundaries the NSP can manage.
Internet-Based VPNs and their advantages
To remain competitive in a world where the speed of data transfer is critical, a modern enterprise has to support many types of network connection. Employees must be able to reach the data held inside the company's premises (the intranet) while they travel, that is, remotely from outside their office (fig. 3).
At the same time the company's business partners must communicate with the main office through private external networks (extranets).
Existing WAN architectures are insufficient for these kinds of communication, because leased lines and Frame Relay circuits lack flexibility in installation speed, security and real-time teleconferencing.
Internet-based VPNs, besides the very low connection cost they demand, offer other advantages that benefit the company directly. A traditional private network built on T1 (1.5 Mbps) or T3 (45 Mbps) connections immediately incurs fixed expenses: installation of the network, monthly line charges, charges that grow with the distance between the connected points, and charges for any bandwidth beyond the usual. Internet VPNs avoid these costs because they ride on the "open infrastructure" of the Internet.
In addition, a company using a VPN does not have to support or maintain point-to-point connections, including the cost of maintaining modems and other network devices. Total maintenance cost can therefore drop dramatically, because the modems and multiple circuits needed to connect two LANs are replaced by a single broadband connection that carries traffic from remote users and between LANs across the Internet.
Finally, Internet VPNs save valuable resources because the company does not have to provide the technical support for the installation itself; the service providers take over the greater part of the VPN's support.
Tunnelling and VPN protocols
As the definition of a Virtual Private Network implies, we are dealing with virtual, that is, logical connections that are set up independently of the characteristics of the underlying network, which in most cases is the Internet. Unlike leased lines, VPN connections are created when a connection is needed and torn down as soon as it is no longer required.
This is achieved by creating a tunnel every time a virtual connection is established. The transmitted packets are encapsulated and encrypted in such a way that the routing information of the original packet is hidden from the other systems on the network (fig. 4).
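The outbound path a VPN device applies to a packet (encrypt the original packet, add a header and integrity check, wrap it in an outer packet addressed to the far gateway) and the inbound reverse path, described in the overview earlier and in the tunnelling paragraph above, can be made concrete with the following added example. It is illustrative code written for this page, not code from the article or from any IPsec implementation. The framing loosely follows IPsec ESP in tunnel mode (SPI, sequence number, IV, encrypted inner packet, integrity check value, outer header carrying only the two gateway addresses) but is not wire-compatible with RFC 4303; the cipher is an HMAC-SHA256 keystream standing in for AES; the anti-replay check is a strict sequence-number comparison rather than ESP's sliding window; and the keys, the SPI and the addresses (203.0.113.10, 198.51.100.20 for the gateways, 10.1.0.0/16 and 10.2.0.0/16 behind them) are constructed rather than negotiated with IKE.

```python
"""Toy model of a VPN gateway's outbound (encrypt/authenticate/encapsulate)
and inbound (verify/decrypt/de-encapsulate) path.  Added example for this
page; NOT RFC 4303 ESP, and the HMAC keystream is a stand-in for AES.
Keys, SPI and addresses below are constructed, not negotiated with IKE."""
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_HDR = struct.Struct("!II")  # SPI, sequence number
IV_LEN = 8                      # per-packet nonce
ICV_LEN = 16                    # truncated HMAC-SHA256 tag


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream HMAC-SHA256(key, iv || counter); (key, iv) must never repeat."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_inner(src: str, dst: str, payload: bytes) -> bytes:
    """Stand-in for the original IP datagram: src, dst, payload.  These are
    the addresses the tunnel hides from the public network."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def parse_inner(pkt: bytes):
    return (str(ipaddress.IPv4Address(pkt[:4])), str(ipaddress.IPv4Address(pkt[4:8])), pkt[8:])


class TunnelEndpoint:
    """One security gateway.  Both ends share spi, enc_key and auth_key."""

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes, local: str, peer: str):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.local = ipaddress.IPv4Address(local).packed
        self.peer = ipaddress.IPv4Address(peer).packed
        self.send_seq = 0
        self.last_recv_seq = 0  # simplified anti-replay: seq must strictly increase

    def encapsulate(self, inner: bytes) -> bytes:
        """Outbound: encrypt the whole inner packet (addresses included), prepend
        SPI/seq/IV, append an ICV over all of that, then add an outer header
        that names only the two gateways."""
        self.send_seq += 1
        iv = os.urandom(IV_LEN)
        body = (ESP_HDR.pack(self.spi, self.send_seq) + iv
                + _xor(inner, _keystream(self.enc_key, iv, len(inner))))
        icv = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return self.local + self.peer + body + icv

    def decapsulate(self, outer: bytes) -> bytes:
        """Inbound: check addressing, verify the ICV in constant time BEFORE
        touching the ciphertext, reject replays, and only then decrypt."""
        if outer[:4] != self.peer or outer[4:8] != self.local:
            raise ValueError("outer header is not from our tunnel peer")
        body, icv = outer[8:-ICV_LEN], outer[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        spi, seq = ESP_HDR.unpack_from(body)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.last_recv_seq:
            raise ValueError("replayed or out-of-order packet")
        self.last_recv_seq = seq
        iv = body[ESP_HDR.size:ESP_HDR.size + IV_LEN]
        ciphertext = body[ESP_HDR.size + IV_LEN:]
        return _xor(ciphertext, _keystream(self.enc_key, iv, len(ciphertext)))


def make_pair():
    """Constructed example: HQ gateway 203.0.113.10 and branch gateway
    198.51.100.20 sharing one SPI and fresh random keys."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    hq = TunnelEndpoint(0x1001, enc_key, auth_key, "203.0.113.10", "198.51.100.20")
    branch = TunnelEndpoint(0x1001, enc_key, auth_key, "198.51.100.20", "203.0.113.10")
    return hq, branch


if __name__ == "__main__":
    hq, branch = make_pair()
    outer = hq.encapsulate(build_inner("10.1.0.5", "10.2.0.9", b"GET /payroll HTTP/1.1"))
    print("on the wire:", outer.hex())  # only the gateway addresses are readable
    print("at the branch:", parse_inner(branch.decapsulate(outer)))
```

Two points the example makes that the prose does not: the receiver verifies the integrity check (with a constant-time comparison) before it decrypts or even parses the inner packet, and the sequence number is covered by that check, so a packet captured on the public network cannot be replayed into the LAN. An observer between the gateways sees only the two gateway addresses, the SPI and ciphertext; the inner addresses and payload are hidden.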
At each end of a tunnel there can be a single computer or an entire LAN protected by a security gateway. One of the most common combinations of tunnel end points is single computer to LAN (client to LAN), created each time a remote user connects to the company network. In this case the user's client software communicates with the security gateway that protects the LAN at the other end of the tunnel.
As fig. 5 shows, the client application can reach the security gateway in two ways. In the first, the client talks first to a VPN server and through it to the LAN's security gateway. In the second, the client talks first to the security gateway and then to the VPN server.
The second combination of end points, and the most common one, is LAN to LAN; in that case there is a security gateway at each end of the tunnel.
The Protocols
Although a great variety of protocols is in use, we describe the five most popular; most others are variations of these five, reflecting the different VPN services that different organizations offer.
- Point-to-Point Tunnelling Protocol (PPTP).
- Layer 2 Forwarding Protocol (L2F).
- Layer 2 Tunneling Protocol (L2TP).
- IP Security Protocol (IPsec).
- Multiprotocol Label Switching (MPLS).
PPTP was one of the first protocols developed to support VPNs, especially dial-up VPNs. It is based on the well-known PPP protocol used for remote Internet access, and essentially creates PPP tunnels over the Internet. Its design, encapsulation and encryption are simple, and it can carry many protocols besides IP. Its authentication (MS-CHAP) and MPPE encryption have since been shown to be weak, so it should not be chosen for new deployments where L2TP/IPsec or IPsec alone is available.
In contrast to PPTP, L2F is not tied to the Internet architecture, so it can run over other kinds of connection such as Frame Relay or ATM. With L2F a single tunnel can carry more than one connection from remote users to their company network.
L2TP was developed to combine the advantages of PPTP and L2F. It supports dial-up connections over the Internet using the tunnelling mechanism, and at the same time it is compatible with non-Internet transports such as Frame Relay and ATM (fig. 6). L2TP itself provides no encryption; in practice it is combined with IPsec (L2TP/IPsec) for confidentiality.
IPsec is the most popular protocol in existing VPN deployments, with some variations. It is designed to serve the high-bandwidth transmissions that the next generation of the Internet will support. It lets the sending end of the tunnel authenticate the packets, encrypt them, or do both (authentication only with AH, encryption with optional authentication with ESP). Because IPsec is designed around IP, it is considered the best fit for IP environments, whereas PPTP and L2TP are better suited to carrying protocols other than IP across the Internet.
MPLS is designed with a different philosophy: it is not concerned with encryption and works over both ATM and IP connections. In contrast to IPsec, MPLS is designed primarily to provide Quality of Service (QoS); it offers no encryption of its own, so the separation of customers' traffic in an MPLS VPN rests entirely on the provider's network.
VPN Architectures
The Internet-based VPN architecture is the most current and powerful VPN model. Security gateways play a very important part in it: placed between the public and the private network, they protect the private network from unwanted or unauthorized connections.
Sometimes they also act as the tunnelling mechanism, and sometimes they encrypt sensitive data before it is transmitted over the public network. In current practice a security gateway can be a router, a firewall, a VPN-specific hardware appliance or VPN software.
The VPN that is supported by the NSP
Having the VPN supported by the network service provider is one of the most popular strategies followed by companies that want to benefit from VPN services over their existing Internet connection.
In this architecture the NSP usually installs, on behalf of the client company, a VPN device that creates the tunnels whenever a private connection is required. Packets destined for a host inside the company are encrypted and decrypted by this device. A firewall is usually placed in front of the VPN device to protect it and the data behind it.
On the inside of the firewall sits the internal router of the company's LAN; on the other side an external router connects the company to the NSP (fig. 7).
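The firewall in front of the VPN device (fig. 7) only protects it if its rule set admits nothing but the traffic the tunnel needs. The following is an added example written for this page, not the article's own material or any vendor's product: a small first-match packet filter, with constructed addresses (203.0.113.10 for the VPN device, 198.51.100.20 for the peer gateway, 10.1.0.0/16 for the LAN) and constructed sample packets, that permits IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) from the known peer only and denies everything else, including direct access to the LAN that bypasses the tunnel.

```python
"""First-match packet filter of the kind a firewall in front of a VPN
device applies.  Added example for this page; addresses, ports and
sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ESP, TCP, UDP = 50, 6, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; a bare address means /32
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


VPN_GW = "203.0.113.10"    # constructed: the company's VPN device
PEER_GW = "198.51.100.20"  # constructed: the remote site's gateway
INSIDE = "10.1.0.0/16"     # constructed: the company LAN behind the firewall

# Site-to-site policy.  For a remote-access (dial-up style) VPN the IKE and
# NAT-T rules would have to accept any source, since users arrive from
# unknown addresses; the explicit denies below stay the same.
RULES = [
    Rule("permit", src=PEER_GW, dst=VPN_GW, proto=UDP, dport=500),   # IKE
    Rule("permit", src=PEER_GW, dst=VPN_GW, proto=UDP, dport=4500),  # NAT-T
    Rule("permit", src=PEER_GW, dst=VPN_GW, proto=ESP),              # tunnel data
    Rule("deny", dst=VPN_GW),   # nothing else may reach the gateway
    Rule("deny", dst=INSIDE),   # no direct access to the LAN from outside
]

# Constructed sample traffic arriving on the external interface.
SAMPLE = [
    Packet(PEER_GW, VPN_GW, UDP, 500),           # IKE from the peer: permit
    Packet(PEER_GW, VPN_GW, ESP),                # ESP from the peer: permit
    Packet("192.0.2.77", VPN_GW, UDP, 500),      # IKE from a stranger: deny
    Packet(PEER_GW, VPN_GW, TCP, 22),            # SSH to the gateway: deny
    Packet("192.0.2.77", "10.1.0.5", TCP, 445),  # direct SMB into the LAN: deny
]


def filter_samples() -> List[str]:
    return [decide(RULES, pkt) for pkt in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_samples()):
        print(f"{verdict:6} {pkt}")
```

Running it prints the verdict for each sample packet. The same policy written as iptables rules or a vendor ACL has the same shape: explicit permits for the tunnel's control and data protocols from the known peer, an explicit deny for anything else aimed at the gateway, and a default deny at the end, so that a mistake in one rule fails closed rather than open.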
The NSP-supported VPN is a very good choice for organizations interested in teleconferencing applications or IP telephony over the Internet.
The one drawback of this architecture is limited flexibility when more services are wanted. NSPs are very large organizations, and because they control this type of VPN it can be difficult and time-consuming for them to adapt quickly or to add services that require an upgrade of their clients' VPNs.
Firewall based VPNs
This is the most common architecture, because the firewall has become so popular in recent years that it is the most widely applied protection technique in both small and large companies.
Since most companies already have some kind of firewall installed, all they need is support for the appropriate encryption software on the firewall itself. Firewall manufacturers often provide encryption software with their products at no charge; otherwise the company must buy one of the many encryption packages on the market and tailor it to its needs.
Firewalls have the advantage of being compatible with many platforms (UNIX, Microsoft, etc.). The catch is that the administrators must harden the operating system of the machine the firewall runs on: if the underlying operating system is compromised, the firewall, and the VPN with it, can no longer be trusted.
As already said, the firewall inspects all IP traffic and permits or rejects access to and from the network according to the filters the administrators have configured.
"Black Box" based VPNs
In this architecture the company buys a device, known as a "black box", that is responsible for creating the VPN tunnels using the encryption software it runs internally. Most of these boxes are administered from a desktop computer running the vendor's client software; others are managed through a web browser from a computer on the LAN.
Black boxes have the advantage of supporting most tunnelling protocols. The latest models include firewall software; with older devices additional firewall software or hardware has to be installed.
Most of these devices operate as bridges inside the LAN, take over the encryption, and are placed between the network's routers and the broadband connection.
Router Based VPNs
In this architecture every packet leaving the LAN passes through the router, which is the ultimate controller of each packet and also handles its encryption. Router vendors provide VPN support in two ways.
In the first, software already running on the router encrypts the transmitted packets. In the second, an expansion card is attached to (or built into) the router; the card has its own CPU dedicated to encrypting packets, leaving the router free to do nothing but routing. The second option is recommended when there are many VPN connections and the processing load is high.
Remote access based VPNs
Also called Virtual Private Dial-up Networks (VPDNs), these serve the remote users of the network, usually referred to as mobile users. In the past companies supported such users through ordinary dial-up connections over the telephone network, which meant the user paid heavily for the calls, especially international ones. Now the user makes a local call to an ISP, obtains Internet access, and uses it to connect to the company's private LAN.
These VPNs are the evolution of dial-up networks: special software installed on the user's computer makes the secure "call" to the company's private LAN and sets up the tunnel. As fig. 11 shows, the tunnel can also run over a connection other than the Internet, such as ISDN, DSL or even X.25.
Software based VPNs
These VPNs are implemented entirely in software that creates a tunnel to a computer at the other end of the connection and handles the encryption of the data. In other words, the tunnel is created by the client software and the server software communicating through a common protocol (e.g. PPTP).
As soon as a host starts transmitting data, a session to the server is created automatically. The data is then encrypted and encapsulated before being routed to its destination. When an external client wants to talk to the VPN server, the user is authenticated first and only then does the encryption start.
These VPNs offer the fewest services of all and are suited to small installations that do not have to support large amounts of traffic.