Virtual Private Networks
Ryan Joyce
Computer Science / Software Engineering
University of Wisconsin – Platteville
[email protected]

Abstract

The rapid advances in communication technology have allowed companies to conduct business on a global scale. Virtual private networks (VPNs) give companies a means to extend their secure networks over the regular Internet. Companies can now directly link their employees, strategic business partners, and customers into one integrated system. VPNs are far less expensive than traditional wide area networks and provide increased accessibility, allowing remote access for many users in multiple locations. VPNs are an evolving concept; optimization, security, scalability and tunneling practices are constantly being upgraded and changed for maximum efficiency. Investigated here are the development of VPNs, the rationale for VPNs, common issues associated with VPNs, and the overall benefits VPNs can provide. The world is becoming a more connected place every day; VPNs are just another step forward for fast, effective business solutions.

Joyce 1 CS 4110

Introduction

What is a Virtual Private Network?

A Virtual Private Network is an interconnected group of networks. These networks can be both private and public networks, but they behave like a single secure private network. For example, by using a Virtual Private Network a company can extend its secure private LAN across the public internet.

History of VPNs

Before the use of Virtual Private Networks there were just traditional local area networks (LANs) and wide area networks (WANs). In these cases a company or institution had two choices. A company could implement a single private LAN for each of the company's facilities. This would provide a secure, reliable network, but it was only viable over short distances. With a WAN a company would rent or lease private lines from an external source for a monthly fee. With this choice a company had a secure private network that ranged over great distances. The disadvantage of a WAN, however, was that it became too costly for most companies.

The growing popularity of the internet in the late 90s gave rise to a new idea: the Virtual Private Network. The first instance of a VPN was indirectly shown by academic institutions linking remote buildings or sites through the public internet. These early VPNs had limited security and reliability but were a suitable alternative to WANs. Eventually the corporate world decided to investigate the idea as well. In the early 2000s VPN software and hardware started to develop. In addition to hardware and software, several protocols were developed and the early process of standardization began. Virtual Private Networks still remain a relatively new concept; they were not mainstream until 2004–2005.

Advantages of VPNs

Virtual Private Networks have many advantages. As the world grows into a more interconnected society, use of VPNs is a necessary step. A VPN can extend communications on a global scale, allowing overseas business. These new foreign markets can help a company grow, expand, and increase overall profit. Another advantage of VPNs is increased communication with business partners. This translates to connecting your network with a supplier's network or a retailer's network. This advantage enables increased efficiency on multiple levels. Inventories can be updated and replenished by use of real-time information. Sales data can be collected and analyzed for future market projections. Lastly, VPNs are huge cost savers. Instead of using highly expensive WANs, companies can use Internet connection services, which are far cheaper and more affordable.

Types of VPNs

VPNs are currently divided into three types: hardware, software, and a hardware/software mix. Each of these types has advantages and disadvantages over the others, and the choice depends entirely on an institution's needs and requirements.

Hardware based

A hardware based VPN consists of VPN firewalls, edge routers, and VPN adapters. These hardware devices are capable of sending and translating a tunneling protocol. The hardware solutions are generally more reliable but take longer to implement. With the hardware solution a company may be forced to replace all non-compatible VPN equipment and add additional routers or firewalls. Overall the hardware solution often becomes significantly more expensive. Hardware VPNs work best for areas of business that have heavy communications and constant data transmissions.

Software based

Some VPNs do not require new equipment to be installed. VPN clients such as Openswan, LogMeIn Hamachi, and OpenVPN reconfigure existing hardware to send and translate a tunneling protocol. Software based VPNs are far less expensive than their hardware counterparts, but since the converting and translating of the tunneling protocol is done at the software level they are slower and less reliable. Another advantage of software based VPNs is that, like most software installations, installation is relatively quick and simple, therefore decreasing setup times. Software VPNs work best in areas of business that have small to moderate data transmissions and systems that require mobility.

Hardware/Software Mix

Since there are both advantages and disadvantages to hardware based and software based VPNs, some users implement a combination of the two. When a company is communicating from its corporate headquarters to its branch facilities it may tend to use the VPN hardware approach for the most reliable communication. In addition, if that same company had mobile users it would most likely use some form of VPN software to supplement their needs as well. When both software and hardware are used in combination a company can prioritize its information transfer and select the most appropriate choice.

VPN Setups

Remote Users

This type of VPN setup refers to communication access to a company's network for remote or mobile employees (home users). Some examples of remote users would be sales representatives who move from place to place. These representatives may have a laptop or other device. These employees need access to a company's intranet via a standard internet connection. With this type of setup a company must require monitoring and strong authentication practices. In addition, remote user setups must be scalable: a company must be able to handle a larger number of users simultaneously. An example of the remote user setup is shown in figure 1.

[Figure 1: VPN setup, remote users only (home user to LAN A)]

Intranet Setup

In this case a company may not have remote users to worry about, but rather constant branch facilities that need to be linked. Linking internal branches or subsidiaries together can help the efficiency of the company as a whole. These VPN setups require high security. Since this type of VPN transmits and receives a significant amount of sensitive information, strong authentication practices must be used. Also, this VPN setup needs a high degree of reliability so that applications that affect day to day operations run smoothly. Figure 2 shows the connections made in an intranet setup.

[Figure 2: VPN setup, intranet only (LAN A to LAN B)]

Extranet Setup

Extranet setups incorporate remote setups, intranet setups and network connections to suppliers. Strong authentication practices and security measures are needed for this setup as well. In addition, this type of setup requires some form of protocol standardization. One of the more common protocols used in extranet configurations is the IPsec protocol. Extranet setups are often very large and expansive. Traffic control as well as congestion control need to be implemented to ensure proper network function. Information may also have to be prioritized in these types of setups. This network setup can be seen in larger companies that rely on various suppliers and other horizontal business partners. Figure 3 is an example of an extranet configuration.

[Figure 3: VPN setup, extranet configuration (suppliers' LAN to LAN A)]

How VPNs Work

Tunneling

Tunneling is the process of creating a secure point to point connection over a public network. Tunneling works on the concept of data encapsulation. Tunneling starts out by taking a regular data packet and placing it inside another. Once this is achieved the container packet is encrypted and sent over the network. This adds an additional protocol to the data being sent, leaving it with three defining protocols for transport. The first is the carrier protocol, which would be one of the standard internet protocols. The next would be the VPN protocol, and lastly it would have the passenger protocol, which is what is being carried. Tunneling has many powerful applications: not only does it add security, but it can also be used to format packets that cannot normally be sent over the internet. NetBEUI is a protocol not supported on the internet; however, if you encapsulate it into an IP packet it can be transported. Overall, tunneling is the foundation for VPN communications.

Security Requirements and Approaches

Confidentiality

Confidentiality refers to the privacy of information being exchanged between communicating parties. If data packets are read by or exchanged with unauthorized parties, a company's secrets and method of business are at risk. This requirement is usually approached by some form of encryption.

Encryption

Encryption is the process of encoding data. There are two types of encryption: public key encryption and private key encryption. Private key encryption consists of one secret decryption key that is shared between various computers. Public key encryption consists of both a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. In order to communicate successfully, the computer that you are sending information to must use the public key to decrypt the information. One popular form of public key encryption is SSL encryption. SSL, or secure sockets layer, encryption is used in web browsers for access to secure websites [2]. In addition to standard encryption, VPNs use hashing algorithms as another form of encryption. Hashing works on the concept of a mathematical formula that is used to encrypt data.

Data Integrity

Data integrity ensures that information being transmitted over the public Internet is not altered in any way during transit. If data is altered by unknown parties it can cause failure in company operations. Some ways to ensure data integrity are message authentication codes and digital signatures. These are added elements of data that are attached to the original message and act as proof of authenticity. If they are missing from the message one can assume that the message was a fake [2].

Authentication

Authentication is the process of ensuring that the identities of all communicating parties are legitimate. In this security requirement parties must be identified before information can be transmitted. Standard authentication practices include password authentication and digital certificates. Another method of authentication is the use of token cards, which generate a code from a time stamp; a user must input this one time code to create a valid connection [2].

VPN Protocols

IPSec (Internet Protocol Security)

One of the first VPN protocols to be created was the IPSec protocol. It was developed by the Internet Engineering Task Force and was originally designed to address IP based networks. This protocol was one of the first protocols to use the tunneling concept.
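The tunneling and security requirements described above (a passenger packet wrapped in an encrypted, integrity-protected VPN layer, itself inside a carrier header) as an added Python example that is not part of the original paper. The keys, the toy HMAC-based cipher, the carrier header layout and the gateway names are all constructed assumptions, not any real VPN protocol's wire format.

```python
import hashlib
import hmac
import os
import struct
# Constructed demo keys; a real VPN derives these from a key exchange.
ENC_KEY = b"demo-encryption-key-not-for-real-use"
MAC_KEY = b"demo-mac-key-not-for-real-use"
NONCE_LEN, TAG_LEN = 12, 32

def keystream_xor(key, nonce, data):
    # Toy counter-mode cipher: XOR data with HMAC-SHA256(key, nonce||counter)
    # blocks. Illustrates the idea only; use a vetted AEAD cipher in practice.
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", n), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)

def encapsulate(passenger, carrier_src, carrier_dst):
    # VPN layer = nonce || ciphertext || MAC tag (encrypt-then-MAC), wrapped in
    # a carrier header of length-prefixed endpoint addresses.
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(ENC_KEY, nonce, passenger)
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    src, dst = carrier_src.encode(), carrier_dst.encode()
    carrier = struct.pack(">BB", len(src), len(dst)) + src + dst
    return carrier + nonce + ciphertext + tag

def decapsulate(packet):
    # Strip the carrier header, verify the MAC before decrypting, recover passenger.
    src_len, dst_len = struct.unpack(">BB", packet[:2])
    vpn = packet[2 + src_len + dst_len:]
    nonce, body, tag = vpn[:NONCE_LEN], vpn[NONCE_LEN:-TAG_LEN], vpn[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet altered in transit")
    return keystream_xor(ENC_KEY, nonce, body)

def tamper_detected(packet):
    # Flip one ciphertext byte, as an in-transit alteration would, and report
    # whether the receiving gateway rejects the packet.
    src_len, dst_len = struct.unpack(">BB", packet[:2])
    idx = 2 + src_len + dst_len + NONCE_LEN  # first ciphertext byte
    altered = packet[:idx] + bytes([packet[idx] ^ 0x01]) + packet[idx + 1:]
    try:
        decapsulate(altered)
        return False
    except ValueError:
        return True
```

The carrier header is what the public internet routes on, the MAC tag supplies the data integrity requirement, and the inner packet (here a constructed NetBEUI-style payload) is never visible in the clear between the two gateways.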
PPTP (Point to Point Tunneling Protocol)

Another VPN protocol is the PPTP protocol; like IPSec, it was one of the first protocols to be used. The original implementation was designed for remote users that needed to access company networks from home. The PPTP protocol is beginning to phase out in today's VPNs but created a blueprint for more effective protocols.

L2TP (Layer 2 Tunneling Protocol)

The L2TP protocol is one of the descendant protocols of PPTP. The L2TP protocol has two tunneling options: client-aware tunneling and client-transparent tunneling. In client-aware tunneling the other communicating party is conscious of the VPN encryption. In transparent tunneling the other party is unaware of the encryption taking place, and the connection acts like normal network communication.

Socks5

Socks5 differs from most VPN protocols; unlike the other protocols, Socks5 is a circuit level protocol. This protocol was originally designed to authenticate web protocols. The Socks5 protocol occurs most frequently in extranet configurations. Its greatest strong point is user level application control.

Conclusion

Selecting a VPN

When selecting a VPN there are a variety of aspects to consider. The first aspect in selecting a VPN is integration. This refers to the compatibility issues when bringing in the new network. A VPN must work with existing intranets in order to function properly. There is also the choice of using software versus hardware. Another aspect that needs to be considered is scalability. VPNs can be as expansive or as limited as the user wants them to be.

Real World Applications of VPNs

VPNs are spreading to all different types of industries and users. Some of the industries to take on VPNs are manufacturing, medical, retail, and finance. Manufacturing has used VPNs by linking factory operations to corporate headquarters and to all of its facilities. In retailing, local stores are connected directly to regional offices, delivering relevant sales data. On the medical front, transferring patient data across hospital networks is another example of VPN usage. Online transactions and remote user access to banks have revolutionized how people access money. Lastly, more people can work at home via VPNs.

Problems with VPNs

Like all new technologies, VPNs have certain setbacks. Currently VPN setup times can be extensive depending on the size of an institution's network. In addition, users have some difficulty integrating VPNs into very old networks. This can lead to complex troubleshooting issues. Another concern companies have with VPNs is interoperability with other networks. Since there is no VPN standardization at this point, companies have to agree and compromise when connecting to external networks. The last concern companies have with VPNs is reliability with their internet service providers. Poor internet connections and constant outages can lead to bandwidth constraints on a company.

Optimizing VPNs

Though there are many concerns with implementing a VPN, there are a variety of ways to optimize a VPN to eliminate some of the common problems. One of the first ways to optimize a VPN is to have multiple ISPs. By having multiple internet providers a company decreases its chance of constraining bandwidth. Another way to optimize your VPN is to update in accordance with the most popular VPN protocol and work toward standardization. To create an even more optimized VPN, a company can also create VPNs that work independently at each branch or subsidiary rather than having one main VPN.

The Future of VPNs

VPNs will become a more integral part of society. In the future VPNs will eventually have a set protocol that will be used in all companies. New hardware and software is being developed every day with new features that effectively moderate VPNs. The future is bright for VPNs: they will become more customizable, cheaper, and more secure for better, more effective business.

References

[1] Dunigan, Tom. Virtual Private Networks. Posted October 13, 2004. Retrieved October 15, 2007, from http://www.csm.ornl.gov/~dunigan/vpn.html
[2] McDonald, Christopher. Virtual Private Networks: An Overview. Retrieved October 16, 2007, from IntranetJournal.com: http://www.intranetjournal.com/foundation/vpn-1.shtml
[3] Virtual Private Networks. Posted October 12, 2006. Retrieved October 16, 2007, from Cisco: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/vpn.htm
[4] Virtual Private Networking. Retrieved October 15, 2007, from http://www.microsoft.com/technet/isa/2004/help/fw_VPNIntro.mspx?mfr=true