
Virtual Private Networks

Have you ever worked from home? Are you a telecommuter? Most companies that let employees work from home, or that have telecommuters in other states, use Virtual Private Networks (VPNs) to establish a secure connection from the home office to the corporate network. A VPN is any network that extends beyond the physical LAN yet maintains the privacy of that network, using dedicated lines or encrypted tunnels over a Wide Area Network such as the Internet.

About VPNs

A VPN, or Virtual Private Network, is any network that extends beyond the physical LAN while maintaining the privacy of that network through a Wide Area Network (such as the Internet). Setting up a VPN can be achieved through the use of dedicated lines or encrypted tunnels over the Internet.

Dedicated lines may be leased from phone companies. They are usually expensive to implement and maintain, but they offer the greatest degree of security as far as privacy is concerned. If you were to lease a T1 line to connect two offices directly to each other, any and all traffic over that line would be visible only to the two endpoints. Your data would never touch the Internet or any untrusted network, eliminating the possibility of intruders or eavesdroppers compromising your sensitive data.

Encrypted tunnels can be implemented easily in software and offer the best combination of privacy and security. There are currently many different ways to establish an encrypted tunnel from one network or PC to another. The most popular of these methods are IPSec (Internet Protocol Security), PPTP (Point-to-Point Tunneling Protocol), and L2TP (Layer 2 Tunneling Protocol).

About IPSec

The most secure VPN method is Internet Protocol Security (IPSec), which was originally developed to bridge two private networks in different locations across unprotected networks such as the Internet. The IPSec protocol is built on a few key concepts: user authentication, message integrity, and data encryption. Just recently, the US government recognized the Advanced Encryption Standard (AES) as the new premier standard for encrypting data, and AES must be used in any new implementations involving government facilities and/or installations. Though IPSec offers the greatest security and privacy over the Internet, setting up IPSec-based VPN tunnels can be fairly intricate and requires an experienced network administrator with a strong background in networking technologies. Most large and enterprise-level companies deploy IPSec VPN tunnels to link remote offices to each other and/or to allow remote users to connect securely to private resources from any available Internet connection.

The very nature of IPSec's message integrity check often causes problems when users must pass through a NAT device. Before each packet is sent through the IPSec tunnel, a checksum is added so that the receiving end can verify the source and destination information. If the packet passes through a NAT device, the source and destination IP information will most likely be altered, rendering the checksum invalid. The remote end immediately discards such a packet because it fails one of the fundamental checks of IPSec, message integrity. To get around this obstacle, IPSec vendors developed NAT-Traversal (NAT-T) for IPSec VPNs. NAT-Traversal simply and quite cleverly encapsulates the encrypted and checksummed IPSec packet in a UDP wrapper. The NAT device can modify this wrapper without destroying the integrity of the original message. Both the server and the client must support NAT-T for this to work.
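To make the NAT problem concrete, the following is an added Python model (not code from the original page) of the behaviour just described: an integrity check computed over the source and destination addresses plus the payload, a NAT that rewrites the source address, and NAT-T encapsulation in a UDP wrapper whose outer header the NAT is free to change. The key, addresses, ports and payload are constructed for the demonstration, and the 9-byte pseudo IP header and 4-byte pseudo UDP header are deliberate simplifications of the real AH/ESP and UDP formats.

```python
"""Simplified model of an IPsec integrity check under NAT, and of NAT-T.

Added illustration; the pseudo headers, the key and all addresses are
constructed for the demo and are not real AH/ESP formats or values.
"""
import hashlib
import hmac
import ipaddress
import struct

# Shared integrity key agreed by both tunnel endpoints (constructed value).
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"
ICV_LEN = 12          # truncated HMAC, in the spirit of the 96-bit HMAC-SHA1-96 ICV
HDR_LEN = 9           # src(4) + dst(4) + protocol(1) in this model
UDP_HDR_LEN = 4       # sport(2) + dport(2) in this model
PROTO_IPSEC = 51      # IP protocol number for AH
PROTO_UDP = 17


def build_header(src: str, dst: str, proto: int) -> bytes:
    """Minimal pseudo IP header: source address, destination address, protocol."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!B", proto))


def compute_icv(covered: bytes) -> bytes:
    """Integrity Check Value over the covered bytes: truncated HMAC-SHA256."""
    return hmac.new(INTEGRITY_KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def protect(src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: the ICV covers the address fields and the payload,
    which is exactly what makes the packet fragile under address rewriting."""
    header = build_header(src, dst, PROTO_IPSEC)
    return header + payload + compute_icv(header + payload)


def verify(packet: bytes) -> bool:
    """Receiver side: recompute the ICV over the packet as it arrived."""
    covered, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(compute_icv(covered), received_icv)


def nat_rewrite_source(packet: bytes, public_src: str) -> bytes:
    """A NAT device replaces the private source address with its public one."""
    return ipaddress.IPv4Address(public_src).packed + packet[4:]


def natt_encapsulate(protected: bytes, src: str, dst: str,
                     sport: int = 4500, dport: int = 4500) -> bytes:
    """NAT-T: wrap the already-protected packet in an outer IP/UDP header.
    UDP port 4500 is the real NAT-T port; the header layout is simplified."""
    outer = build_header(src, dst, PROTO_UDP) + struct.pack("!HH", sport, dport)
    return outer + protected


def nat_rewrite_udp(packet: bytes, public_src: str, public_sport: int) -> bytes:
    """NAT on a UDP datagram: rewrite only the outer source address and port."""
    return (ipaddress.IPv4Address(public_src).packed
            + packet[4:HDR_LEN]
            + struct.pack("!H", public_sport)
            + packet[HDR_LEN + 2:])


def natt_decapsulate(packet: bytes) -> bytes:
    """Receiver strips the outer wrapper; the inner packet is untouched."""
    return packet[HDR_LEN + UDP_HDR_LEN:]


def run_scenarios() -> dict:
    """Deliver the same protected packet three ways; report which ones verify."""
    payload = b"GET /intranet/ HTTP/1.0\r\n\r\n"      # constructed sample payload
    private_src, server, public_nat = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    protected = protect(private_src, server, payload)

    # 1. Direct path: nothing rewrites the addresses.
    direct_ok = verify(protected)

    # 2. Plain IPsec through NAT: the source address changes, the ICV no longer
    #    matches, and the receiver discards the packet.
    through_nat_ok = verify(nat_rewrite_source(protected, public_nat))

    # 3. NAT-T: the NAT rewrites only the UDP wrapper, so the inner packet and
    #    its ICV arrive exactly as sent.
    wrapped = natt_encapsulate(protected, private_src, server)
    wrapped = nat_rewrite_udp(wrapped, public_nat, 40001)
    natt_ok = verify(natt_decapsulate(wrapped))

    return {"direct": direct_ok, "through_nat": through_nat_ok,
            "natt_through_nat": natt_ok}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} {'accepted' if ok else 'discarded'}")
```

Running the script shows the middle scenario being discarded and the other two accepted, which is the whole point of NAT-T: the integrity-protected bytes are never the ones the NAT touches.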

About PPTP

The Point-to-Point Tunneling Protocol creates VPN tunnels using the Point-to-Point Protocol (PPP) over existing ISP connections. PPTP offers easier setup and maintenance, but at a lower level of security than IPSec, because the data encryption PPTP supports (Microsoft Point-to-Point Encryption) is not as complex or as secure as AES. PPTP is often deployed by IT departments since it is already built into all Windows operating systems from Windows® 2000 and up, which makes implementation easier and more cost-efficient. Most home offices and small companies (under 20 employees) deploy PPTP VPN tunnels for the same reasons.

About L2TP

Lastly, Layer 2 Tunneling Protocol (L2TP) is an extension of PPTP and is often used by service providers to offer VPN services because of its ability to separate the Layer 2 link from the PPP authenticator. The L2TP user establishes a Layer 2 link to an ISP L2TP Access Concentrator (LAC), for example from a DSL modem to a DSLAM, at which point the LAC tunnels the individual PPP frames to the Network Access Server (NAS). This gives the ISP flexibility in deploying LAC and NAS hardware, as the NAS may now be located in a remote location and serve multiple LACs, maximizing equipment usage. L2TP also has the added benefit of being able to further secure the tunnel with IPSec encryption methods. L2TP, like PPTP, is built into Windows operating systems from Windows 2000 and up and offers a straightforward setup based on username and password authentication. Its integrated IPSec encryption methods are automatically enabled when an L2TP VPN connection is set up.
