A Virtual Private Network Breakdown
Author: Enigma (enigma@fatelabs.com)
www.fatelabs.com


Table of Contents
  1. Introduction
  2. Understanding What A VPN Is
  3. Reasons For Implementing A VPN Solution
  4. Types Of VPNs
  5. Basic VPN Components
  6. The Concept Of Tunneling
  7. Options In VPN Setup
  8. Conclusion

Introduction
This paper was written to educate the average reader on the basics of the Virtual Private Network (VPN). It is the first in a series of papers that will cover a spectrum of VPN issues. In this paper the reader is introduced to some of the basic ideas and technologies that make up the world of Virtual Private Networking.

Understanding What a VPN Is
A working definition of a VPN is the following: a combination of tunneling, encryption, authentication and access control technologies and services used to carry private traffic over the Internet, a managed IP network, or a provider's backbone. The traffic that flows into the VPN can arrive over many of the current access technologies, including T1, T3, frame relay, ISDN, ATM, fiber optic links, or simple dial-up access. Of course this is a very basic definition, but for the purposes of this paper it gives you a basic understanding of what you are dealing with. In the following papers these topics will be broken down in explicit detail.

Reasons For Implementing A VPN Solution
The basic reason for a VPN is to save money on communications. A VPN allows users to reach the company network safely over the Internet from locations all over the world. When a network needs to expand into a WAN, there has to be a way to transfer data safely between the sites without a dedicated point-to-point link. A VPN lets the networks do this in a secure manner over the public Internet. This technology gives companies an edge over their competitors. VPNs have been known to increase sales, productivity and partner relationships, and to save time.

Types Of VPNs
There are many types of VPN implementations, each with its specific set of technology requirements. However, VPN deployments can be grouped into three categories:
  1. Intranet VPNs
  2. Remote Access VPNs
  3. Extranet VPNs
The Intranet VPN is most often used to carry communications within a company's own infrastructure and between its departments, interlinking offices in different cities or different buildings. The most important technology requirement is strong data encryption to protect the information being transferred across the network. Another important factor of the Intranet VPN is the ability to prioritize the crucial applications on the network, such as sales and customer database management and document exchange. Scalable management of the VPN is also very important, to ensure that growth in the number of users, applications and offices is easily accommodated.

Remote Access VPNs are usually used to link mobile users to the company network. Users can connect to the VPN through any ISP, provided they have the proper credentials and client software. The most important consideration in a remote access VPN is strong authentication, to verify the identities of remote and mobile users in the most accurate and efficient manner possible: the connection arrives from an arbitrary address on the public Internet, so the user's proof of identity is the only thing the gateway has to go on. These VPNs benefit companies with employees who travel on a regular basis.

The Extranet VPN combines multiple technologies to create a larger scale VPN with more flexibility and options for its users. It uses the Internet as its backbone. For example, you could have an extranet VPN that gives several branch offices, suppliers and customers access to the VPN. Because an extranet admits organizations you do not control, access control (covered below) matters at least as much as encryption in this category. The most widely used and accepted standard for Internet based VPNs is IP Security (IPsec).

Basic VPN Components
There are three basic components to any good VPN. These are as follows:

  1. Security
    Including access control, authentication and encryption technologies to guarantee the security of network connections, authenticity of users, and privacy and integrity of data communications

  2. Traffic Control
    Including bandwidth management, Quality of Service and hardware-based VPN acceleration to guarantee the reliability and performance of the VPN

  3. Enterprise Management
    Including policy-based management to guarantee the integration of VPNs within the enterprise security policy, local or remote centralized management of that policy, and scalability of the solution.

Security
Most VPN vendors provide some security within the structure of the VPN. Authentication and encryption are usually provided, but those two technologies only protect the data while it is on the network; they say nothing about what an authenticated user may do once connected. The following three technologies together ensure the privacy and security of the VPN. If all three are in place the VPN will be more secure than most, but there is no such thing as full security. The three technologies are:

Access control
Access control on a VPN governs the privileges that a user on the VPN has. Everything from rights to files, folders and programs to which internal hosts and networks a user may reach can be protected. Without access control you are only protecting your data in transit, not your network from an intruder who has obtained a valid login or from a legitimate remote user whose machine has been compromised. Many VPN vendors largely ignore access control. Access control should be set to allow users access to the folders, files, programs and hosts they need and nothing more (the principle of least privilege), and it should be deny-by-default, so that anything not explicitly granted is refused.

Authentication
Authentication verifies that a sender or receiver is who he claims to be. Proper authentication protects both gateway-to-gateway and client-to-gateway communications. Many methods are available, including traditional username/password authentication, RADIUS or TACACS/TACACS+ servers, LDAP-compliant directory servers, X.509 digital certificates, and two-factor schemes such as hardware tokens and smart cards. Usually only one or two of these are viable for a given type of VPN. For example, a VPN that accepts outside connections has to take into account that the client's IP address may be dynamic, so the address cannot form part of the identity; the user or device must prove who it is with a secret or credential. A password alone is a weak proof for a remote access VPN that is reachable from the whole Internet, which is why two-factor schemes are the sensible choice for mobile users.
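The two points above, strong user authentication that does not depend on the client's address and deny-by-default access control, as an added example that is not code from the original paper: a Python remote-access gateway check that stores only a salted password hash, verifies a hardware-token code computed per RFC 4226/6238 (the token seed is the RFC test-vector seed), and then consults a least-privilege rule table before admitting a connection. The users, passwords, network ranges and the rule table are all constructed for illustration.

```python
"""Remote-access VPN gateway login: password + token code, then deny-by-default
access policy.  Added example, not from the original paper.  All users,
secrets and network ranges below are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct
import time

# --- Two-factor authentication ------------------------------------------

def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256).  The gateway keeps
    only salt + hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).  A hardware token performs the
    same computation with the secret sealed inside it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second slot."""
    return hotp(secret, now // step)

_SALT = b"constructed-salt"            # constructed; use a random per-user salt in practice
USERS = {                               # constructed user database
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "token_seed": b"12345678901234567890",   # RFC 4226 test-vector seed
        "groups": {"sales"},
    },
}

def authenticate(user: str, password: str, token_code: str, now: int) -> bool:
    """Both factors must pass.  Nothing about the client's (possibly dynamic)
    IP address is consulted: identity comes from what the user knows and has."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), rec["pw_hash"])
    # Accept the current slot and the previous one to tolerate clock drift.
    tok_ok = any(hmac.compare_digest(totp(rec["token_seed"], now - d), token_code)
                 for d in (0, 30))
    return pw_ok and tok_ok

# --- Access control: least privilege, deny by default ----------------------

POLICY = [   # constructed rule table: (group, destination network, allowed ports)
    ("sales", ipaddress.ip_network("10.1.0.0/24"), {443}),   # customer DB front end
    ("sales", ipaddress.ip_network("10.2.0.0/24"), {445}),   # document share
    ("admins", ipaddress.ip_network("10.0.0.0/8"), None),    # None = any port
]

def is_allowed(user: str, dst_ip: str, dst_port: int) -> bool:
    """True only if some rule explicitly grants the flow; otherwise denied."""
    groups = USERS.get(user, {}).get("groups", set())
    dst = ipaddress.ip_address(dst_ip)
    for group, net, ports in POLICY:
        if group in groups and dst in net and (ports is None or dst_port in ports):
            return True
    return False

def handle_connection(user, password, code, now, dst_ip, dst_port) -> str:
    """Gateway decision for one connection attempt: authenticate, then authorise."""
    if not authenticate(user, password, code, now):
        return "reject: authentication failed"
    if not is_allowed(user, dst_ip, dst_port):
        return "reject: not authorised for %s:%d" % (dst_ip, dst_port)
    return "accept"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["token_seed"], now)   # what alice's token displays now
    pw = "correct horse battery staple"
    print(handle_connection("alice", pw, code, now, "10.1.0.5", 443))   # accept
    print(handle_connection("alice", pw, code, now, "10.3.0.5", 22))    # authorised? no
    print(handle_connection("alice", "wrong password", code, now, "10.1.0.5", 443))
```

The order matters: authentication runs first so an unauthenticated caller learns nothing about the rule table, and the policy lookup returns False whenever no rule matches, which is what deny-by-default means in code.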

Encryption
Encryption scrambles the data so that only those who have the key are able to decode the message. Encryption algorithms are designed so that it is computationally infeasible to recover the data without possession of the proper key; how infeasible depends on the algorithm and the key length, so both must be chosen with care. Note that encryption on its own provides only privacy: to detect tampering with data in transit it must be paired with an integrity check such as a message authentication code, which is why VPN protocols authenticate each packet as well as encrypting it. Once the algorithm and key length are selected, the next step is to ensure that the keys are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. Public Key Infrastructures (PKIs) are essential to VPNs that use digital certificates for authentication and key exchange.

Traffic Control
Traffic control is needed to ensure that one application does not starve the rest of the network. Traffic control divides the available bandwidth between applications so that users get the share they need for the programs they use most. This division ensures that users are not lagged out and starved of the speed that a VPN can provide. By queuing traffic into classes the network can control how much bandwidth, and what latency, each class of user receives.
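As an added illustration of the point above, and not code from the original paper, the following Python simulation compares a plain first-in-first-out link with deficit round robin, one of the standard fair-queuing disciplines: the bulk transfer that arrives first monopolises the FIFO link, while with per-class queues the interactive session still gets through. The packet sizes, arrival order, link budget and class weights are constructed.

```python
"""Bandwidth sharing between VPN flows: FIFO lets a bulk transfer starve an
interactive application; deficit round robin gives each class its weighted
share.  Added example, not from the original paper; all inputs constructed."""
from collections import deque

def fifo(packets, budget):
    """Serve packets in arrival order until the link budget (bytes) runs out.
    Returns bytes delivered per flow."""
    sent = {}
    for flow, size in packets:
        if size > budget:
            break
        budget -= size
        sent[flow] = sent.get(flow, 0) + size
    return sent

def deficit_round_robin(packets, weights, budget, quantum=500):
    """One queue per flow.  Each round a flow earns quantum * weight bytes of
    credit and may send whole packets while it has enough; unused credit
    carries over, so large packets are delayed, not penalised."""
    assert all(w > 0 for w in weights.values()), "every class needs a positive weight"
    queues = {f: deque(s for fl, s in packets if fl == f) for f in weights}
    credit = dict.fromkeys(weights, 0)
    sent = dict.fromkeys(weights, 0)
    while any(queues.values()):
        for flow in weights:
            q = queues[flow]
            if not q:
                credit[flow] = 0          # idle flows do not bank credit
                continue
            credit[flow] += quantum * weights[flow]
            while q and q[0] <= credit[flow]:
                if q[0] > budget:
                    return sent           # link time for this interval is used up
                size = q.popleft()
                credit[flow] -= size
                sent[flow] += size
                budget -= size
    return sent

# Constructed arrival pattern: a bulk transfer floods the link with 1500-byte
# packets just before an interactive session sends 20 small packets.
PACKETS = [("bulk", 1500)] * 20 + [("interactive", 100)] * 20
WEIGHTS = {"bulk": 1, "interactive": 1}

if __name__ == "__main__":
    print("fifo:", fifo(PACKETS, budget=6000))                        # bulk only
    print("drr :", deficit_round_robin(PACKETS, WEIGHTS, budget=6000))  # both served
```

With a 6000-byte link budget FIFO delivers four bulk packets and nothing else, whereas deficit round robin delivers all 2000 bytes of the interactive session alongside 3000 bytes of bulk; raising a class's weight raises its quantum and therefore its share.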

Encrypting and decrypting the data on the VPN is one of the most CPU intensive operations the network performs. It is possible to have a separate processor (a hardware accelerator card) or a separate server that handles only the encryption and decryption of data. This reduces the load on the main CPU and the latency it adds.

Enterprise Management
Enterprise management is one of the most overlooked factors in the world of VPNs. Although setting up the VPN and its tunnels is important, it is still necessary to make sure the underlying network is secure. The larger the VPN, the more security problems there can be. If a local network is not secure then there is a vulnerability in the VPN infrastructure: the tunnel faithfully carries whatever a compromised node sends. Ensuring that the separate nodes on the networks are secure is the first step. There should also be an easy and secure way to administer the VPN: adding and removing users, and issuing, distributing and revoking keys and certificates. (Private keys should never be sent over the network; only the public key or certificate is distributed.) Managing the VPN properly will ensure that its security stays tight.

The Concept of Tunneling
The best way to describe tunneling is with an analogy. Picture that you are in an open market full of people rushing to buy the latest VPN technologies. You see someone you know across the market and you speak to him or her in a normal everyday voice. Although you and your friend are hundreds of feet apart, he or she hears you and replies. Nobody around you in the market hears or understands a word you said to your friend, but the two of you understand each other completely.

The market is the Internet, full of people and data. The person you are speaking to is a node on your VPN. You exchange messages in the form of speech, or data over the VPN. The reason the people around you cannot understand you is that you connected through the market to your friend with a tunnel: a link that carries encrypted data that only you and your friend can read. "Tunneling" is the act of connecting through the Internet to the other networks or users on the VPN and creating a secure link that only you and your "friend" can understand. In practice the tunnel wraps each original packet, private addresses and all, inside a new packet addressed between the two VPN endpoints, so an onlooker sees only which two endpoints are talking, not who is behind them or what they say.
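The tunneling described above, together with the encryption and key management points from the Security section (a tag that detects tampering, key rotation at intervals, revocation when necessary), as one added example that is not code from the original paper. It is written in Python against the standard library only: the cipher is HMAC-SHA256 run in counter mode with encrypt-then-MAC, standing in for the AES-based modes a real IPsec tunnel would use; key distribution (IKE or a PKI) is assumed to have happened out of band and is not modelled; the gateway and private addresses, the key ring and the tunnel protocol number are all constructed.

```python
"""Encrypted tunnel between two VPN gateways, with key rotation and revocation.
Added example, not code from the original paper.  Cipher: HMAC-SHA256 in
counter mode, encrypt-then-MAC (standard library only; a real VPN would use
IPsec ESP with an AES mode).  All addresses, keys and numbers are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct

def _keystream(key, nonce, length):
    """Pseudorandom keystream: HMAC(key, nonce || block counter), 32 bytes per block."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:length]

def encrypt(enc_key, mac_key, plaintext):
    """Return nonce || ciphertext || tag.  The tag covers nonce and ciphertext,
    so any modification in transit is caught before anything is decrypted."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(enc_key, mac_key, blob):
    """Verify the tag first (privacy alone would not catch tampering), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyRing:
    """Both gateways hold the same ring (distributed out of band, e.g. by IKE or
    a PKI, not modelled here).  Each key has a numeric id, sent in the clear so
    the receiver knows which key to try, and a state."""
    def __init__(self):
        self.keys = {}          # kid -> {"enc", "mac", "state"}
        self.current = None

    def rotate(self):
        """Issue a fresh key for sending.  The previous key stays usable for
        decryption only, so packets already in flight are not lost."""
        if self.current is not None:
            self.keys[self.current]["state"] = "decrypt-only"
        kid = len(self.keys) + 1
        self.keys[kid] = {"enc": os.urandom(32), "mac": os.urandom(32), "state": "active"}
        self.current = kid
        return kid

    def revoke(self, kid):
        self.keys[kid]["state"] = "revoked"

    def lookup(self, kid):
        k = self.keys.get(kid)
        if k is None or k["state"] == "revoked":
            raise ValueError("key %d unknown or revoked" % kid)
        return k

TUNNEL_PROTO = 99   # constructed protocol number for the outer header

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero; not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a packet built with ipv4_header()."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)), proto, pkt[20:total]

def encapsulate(ring, inner_pkt, gw_src, gw_dst):
    """Outer header (public gateway addresses) || key id || sealed inner packet."""
    k = ring.lookup(ring.current)
    body = struct.pack("!I", ring.current) + encrypt(k["enc"], k["mac"], inner_pkt)
    return ipv4_header(gw_src, gw_dst, TUNNEL_PROTO, len(body)) + body

def decapsulate(ring, outer_pkt):
    """Reverse of encapsulate(): pick the key by id, verify, decrypt, return the inner packet."""
    _, _, proto, body = parse_ipv4(outer_pkt)
    if proto != TUNNEL_PROTO:
        raise ValueError("not a tunnel packet")
    k = ring.lookup(struct.unpack("!I", body[:4])[0])
    return decrypt(k["enc"], k["mac"], body[4:])

def inner_header_hidden(outer_pkt, inner_pkt):
    """True when the inner header (private addresses) appears nowhere in the
    outer packet: an onlooker learns only the two gateway addresses."""
    return inner_pkt[:20] not in outer_pkt

if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate()
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, 5) + b"hello"      # private side
    frame = encapsulate(ring, inner, "203.0.113.1", "198.51.100.7")    # public side
    print("onlooker sees:", parse_ipv4(frame)[:2], "inner hidden:", inner_header_hidden(frame, inner))
    print("far gateway recovers:", parse_ipv4(decapsulate(ring, frame)))
```

Two details carry the security point: the tag is checked before any decryption, so a flipped bit anywhere in the frame is rejected rather than turned into garbage the application must cope with, and a rotated key is kept for decryption only until it is revoked, at which point frames sealed under it are refused even though they are otherwise valid.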

Options In VPN Setup
There are four different kinds of VPN you can set up within the three types. The three types are Intranet, Remote Access and Extranet. Within each of those types you can set up the following kinds of VPN:

  1. Hardware Based
    These use dedicated processors or encryption routers to run the VPN, together with a software client to create the VPN connection between specific nodes on the network. They offer high security and flexibility to the users and managers of the VPN. They produce high-speed results, but are usually more rigid than comparable software systems.

  2. Software Based
    These VPNs run on existing server platforms. Since the owner of the VPN is reusing hardware it already owns, the price of a software VPN is considerably lower. The software VPN is well suited to the situation where the two ends of the VPN are controlled by different organizations. Standalone software VPNs also offer more flexibility in controlling network traffic. The catch is that most software based VPNs place additional demands on the server's processor, degrading performance.

  3. Firewall Based
    The firewall based VPN has been called the "pioneer" of virtual private networks. The firewall VPN is one of the most secure of these implementations, because the firewall already provides address translation, restriction of access to the network, and strong authentication, so the VPN policy and the perimeter policy are enforced in one place. These systems are complex, and VPN tasks have to share a processor with the firewall itself.

Conclusion
VPNs have come a long way over the last five years, but there are still leaps and bounds to be made. VPN technology is expanding and being used by more and more corporations to increase productivity. There is a lack of people in the IT world with the skills and knowledge to implement and troubleshoot these devices. The material presented here was designed to give the reader a basic swimming lesson before they jump off the pier. Check out the rest of the papers in this series at: http://www.fatelabs.com/