The concept of virtual private networks
Local area networks (LANs) are the internal networks of organizations: the connections between the machines that belong to a particular organization. These networks are increasingly connected to the Internet through interconnection equipment. Companies very often need to communicate over the Internet with subsidiaries, customers, or even staff who may be geographically distant.
However, data transmitted over the Internet is much more exposed than data travelling over an organization's internal network: the path it takes is not defined in advance, so the data crosses public network infrastructure belonging to various entities. Somewhere along that path, a curious third party could well eavesdrop on the traffic or even hijack it. Information that is sensitive for an organization or business should therefore not be sent under such conditions.
The first solution to fulfill this need for secure communications involves linking remote networks using dedicated lines. However, as most businesses aren't able to link two remote local area networks with a dedicated line, it is sometimes necessary to use the Internet as a transmission medium.
A good compromise is to use the Internet as the transmission medium together with a tunneling protocol, meaning that the data is encapsulated and encrypted before being sent. The term Virtual Private Network (VPN for short) refers to the network created artificially in this way.
This network is said to be virtual because it links two "physical" networks (local area networks) using an unreliable, untrusted connection (the Internet), and private because only computers that belong to a local area network at one end of the VPN or the other can "see" the data.
The VPN system, then, can provide a secure connection at a lower cost, as all that is needed is the equipment at either end. On the other hand, it cannot guarantee a quality of service comparable to a leased line, because the underlying physical network is public and its performance is not guaranteed.
Operation of a VPN
A virtual private network relies on a tunneling protocol: a protocol that encapsulates and encrypts the data as it travels from one end of the VPN to the other.
The word "tunnel" symbolises the fact that, between the moment the data enters the VPN and the moment it leaves, it is encrypted and therefore unintelligible to anyone not located at either end of the VPN, as if the data were travelling through a tunnel. In a two-machine VPN, the VPN client is the component that encrypts and decrypts the data on the user's end, and the VPN server (more often called a remote access server) is the component that encrypts and decrypts the data on the organization's end.
Thus, whenever a user needs to access the virtual private network, the request is passed in clear to the gateway system, which connects to the remote network across the public network's infrastructure and forwards the request in encrypted form. The remote computer supplies the data to the VPN server on its network, which sends the reply back encrypted. When the user's VPN client receives the data, it decrypts it and finally passes it on to the user.
The main tunneling protocols are:
- PPTP (Point-to-Point Tunneling Protocol) is a layer 2 protocol developed by Microsoft, 3Com, Ascend, US Robotics and ECI Telematics.
- L2F (Layer Two Forwarding) is a layer 2 protocol developed by Cisco, Northern Telecom and Shiva. It is now nearly obsolete.
- L2TP (Layer Two Tunneling Protocol), the outcome of work by the IETF (RFC 2661), brings together the features of PPTP and L2F. It is a layer 2 protocol based on PPP.
- IPSec is a layer 3 protocol created by the IETF that carries encrypted data over IP networks.
The PPTP protocol
The principle of PPTP (Point-to-Point Tunneling Protocol) is to create frames with the PPP protocol and encapsulate them in IP datagrams.
Thus, with this kind of connection, remote machines on two local area networks are linked by a point-to-point connection (including an authentication/encryption system), and each packet is sent within an IP datagram.
This way, the local area network's data (together with the addresses of the machines, found in the message's header) is encapsulated within a PPP message, which is itself encapsulated within an IP message.
The L2TP protocol
L2TP is a standard tunneling protocol (standardized in an RFC) that is very similar to PPTP. L2TP encapsulates PPP frames, which themselves encapsulate other protocols (such as IP, IPX or NetBIOS).
The IPSec protocol
IPSec is a protocol defined by the IETF to secure data transfers at the network layer. It is in fact a set of security extensions to the IP protocol that ensure the confidentiality, integrity and authentication of the data sent.
IPSec is based around three modules:
- IP Authentication Header (AH), which provides integrity, authentication and anti-replay protection for packets (but no encryption).
- Encapsulating Security Payload (ESP), which defines packet encryption. ESP provides confidentiality, integrity, authentication and anti-replay protection.
- Security Association (SA), which defines the key exchange and security settings. An SA holds all the information needed to process IP packets (AH and/or ESP, tunnel or transport mode, the security algorithms used by those protocols, the keys, etc.). Keys are exchanged either manually or, most of the time, with the IKE key-exchange protocol, which lets the two parties agree on these parameters.
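As an added example (not part of the original article, and a simplified model rather than the exact AH/ESP wire format), the following Python sketch shows the two checks the AH and ESP modules perform before a packet is accepted: verification of the integrity check value (ICV) keyed by the SA, followed by the sliding anti-replay window. The SecurityAssociation class, the SPI, the key and the 64-packet window are constructed assumptions; the ICV is a truncated HMAC-SHA256, standing in for whatever integrity algorithm the SA negotiates.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 16   # truncated MAC, as AH/ESP truncate their ICVs (assumed length)
WINDOW = 64    # anti-replay window size; RFC 4302/4303 require at least 32

@dataclass
class SecurityAssociation:
    """Constructed stand-in for an SA: SPI, integrity key, and replay state."""
    spi: int
    auth_key: bytes
    seq: int = 0                 # sender side: last sequence number used
    highest_seen: int = 0        # receiver side: right edge of the window
    seen: set = field(default_factory=set)  # verified seqs inside the window

def protect(sa, payload):
    """Sender: header = SPI || seq, ICV = MAC over header and payload (AH-style)."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + icv + payload

def unprotect(sa, packet):
    """Receiver: verify the ICV, then enforce the window. Returns payload or None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    header, icv, payload = packet[:8], packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    if spi != sa.spi:
        return None                      # no matching SA for this SPI
    expected = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                      # tampered or forged: drop before any state change
    # Anti-replay: the window covers (highest_seen - WINDOW, highest_seen].
    if seq <= sa.highest_seen - WINDOW or seq in sa.seen:
        return None                      # too old, or a duplicate inside the window
    if seq > sa.highest_seen:
        sa.highest_seen = seq            # slide the window right
        sa.seen = {s for s in sa.seen if s > seq - WINDOW}
    sa.seen.add(seq)
    return payload
```

The receiver checks the ICV before touching its replay state, so a forged packet with a high sequence number cannot be used to slide the window and knock out legitimate in-flight packets.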