This chapter will start with networking solutions used in the past for connecting several branches of a company. Technological advances like broadband Internet access brought about new possibilities and new concepts for this issue, one of them being the Virtual Private Network (VPN). In this chapter, you will learn what the term VPN means, how it evolved during the last decade, why it is necessary to modern enterprises, and how typical VPNs work. Basic networking concepts are necessary to understand the variety of VPN solutions discussed in this chapter.
In former times, information exchange between branches of a company was mainly done by mail, telephone, and later by fax. But today there are four main challenges for modern companies:
The general acceleration of business processes and the rising need for fast, flexible information exchange between all branches of a company has made "old-fashioned" mail and even fax services appear too slow for modern requirements.
Technologies like Groupware, Customer Relationship Management (CRM), and Enterprise Resource Planning (ERP) are used to ensure productive teamwork and every employee is expected to cooperate.
Almost every enterprise has several branches in different locations and often field and home workers. All of these must be enabled to participate in the internal information exchange without delays.
All computer networks have to fulfill security standards to high levels to ensure data integrity, authenticity, and stability.
These four factors have led to the need of sophisticated networking solutions between a company's offices all over the world. With computer networks connecting all desktops within a single location, the need for connections between the sites has become more and more urgent.
In the very beginning, you could only buy dedicated lines between your sites and these lines were expensive, and thus only large companies could afford to connect their branches to enable world-wide teamwork. To reach this goal, fast and expensive connections had to be installed in every site, costing much more than normal enterprise Internet access.
The concept behind this network design was based on a real network between the branches of the company. A provider was needed to connect every location, and a real cable connection between all branches was established. Like the telephone network, a single line connecting two partners was used for communication.
Security for this line was achieved by providing a dedicated network—every connection between branches had to be installed with a leased line. For a company with four branches (A, B, C, and D), six dedicated lines would then become necessary:
Furthermore, Remote Access Servers (RAS) were used for field or home workers who would only connect temporarily to the company's network. These people had to use special dial-in connections (with a modem or an ISDN line), and the company acted like an Internet provider. For every remote worker a dial-in account had to be configured and field workers could only connect over this line. The telephone company provided one dedicated line for every dial-up, and the central branch had to make sure that enough telephone lines were always available.
By protecting the cables and the dial-in server, a real private network was installed at very high costs. Privacy within the company's network spanning multiple branches was achieved by securing the lines and providing services only to hard-wired connection points. Almost all security and availability tasks were handed over to the service provider at very high costs. But by connecting sites directly, a higher data transfer speed could be achieved than with "normal" Internet connections at that time.
Until the middle of the 1990s, expensive dedicated lines and dial-in access servers were used to ensure team work between different branches and field workers of large companies.
In mid 1990s, the rise of the Internet and the increase of speed for cheap Internet connections paved the way for new technologies. Many developers, administrators, and, last but not the least, managers had discovered that there might be better solutions than spending several hundreds of dollars, if not thousands of dollars, on dedicated and dial-up access lines.
The idea was to use the Internet for communication between branches and at the same time ensure safety and secrecy of the data transferred. In short: providing secure connections between enterprise branches via low-cost lines using the Internet. This is a very basic description of what VPNs are all about.
Virtual, because there is no real direct network connection between the two (or more) communication partners, but only a virtual connection provided by VPN Software, realized normally over public Internet connections.
Private, because only the members of the company connected by the VPN Software are allowed to read the data transferred.
With a VPN, your staff in Sydney can work with the London office as if both were in the same location. The VPN Software provides a virtual network between those sites by using a low-cost Internet connection. This network is only virtual because no real, dedicated network connection to the partner is established.
A VPN can also be described as a set of logical connections secured by special software that establishes privacy by safeguarding the connection endpoints. Today the Internet is the network medium used, and privacy is achieved by modern cryptographic methods.
Let's use an example to explain how VPNs work. The Virtual Entity Networks Inc. (VEN Inc.) has two branches, London and Sydney. If the Australian branch in Sydney decides to contract a supplier, then the London office might need to know that immediately. The main part of the IT infrastructure is set up in London. In Sydney there are twenty people whose work depends on the availability of the data hosted on London servers.
Both sites are equipped with a permanent Internet line. An Internet gateway router is set up to provide Internet access for the staff. This router is configured to protect the local network of the site from unauthorized access from the other side, which is the "evil" Internet. Such a router set up to block special traffic can be called a firewall and must be found in every branch that is supposed to take part in the VPN.
The VPN Software must be installed on this firewall (or a device or server protected by it). Many modern firewall appliances from manufacturers like Cisco or BinTec include this feature, and there is VPN Software for all hardware and software platforms.
In the next step, the VPN Software has to be configured to establish the connection to the other side: e.g. the London VPN server has to accept connections from the Sydney server, and the Sydney server must connect to London (or vice versa).
If this step is successfully completed, the company has a working Virtual Network. The two branches are connected via the Internet and can work together like in a real network. Here, we have a VPN without privacy, because any Internet router between London and Sydney can read the data exchanged. A competitor gaining control over an Internet router could read all relevant business data going through the virtual network.
So how do we make this Virtual Network private? The solution is encryption. The VPN traffic between two branches is locked with special keys, and only computers or persons owning this key can open this lock and look at the data sent.
All data sent from Sydney to London or from London to Sydney must be encrypted before and decrypted after transmission. The encryption safeguards the data in the connection like the walls of a tunnel protect the train from the mountain around it. This explains why Virtual Private Networks are often simply known as tunnels or VPN tunnels, and the technology is often called tunneling—even if there is no quantum mechanics or other magic involved.
The exact method of encryption and providing the keys to all parties involved makes one of the main distinguishing factors between different VPN solutions.
A VPN connection normally is built between two Internet access routers equipped with a firewall and VPN software. The software must be set up to connect to the VPN partner, the firewall must be set up to allow access, and the data exchanged between VPN partners must be secured (by encryption). The encryption key must be provided to all VPN partners, so that the data exchanged can only be read by authorized VPN partners.
In the earlier examples, we have discussed several possible scenarios for the use of VPN technology. But one typical VPN solution must be added here: More and more enterprises offer their customers or business partners a protected access to relevant data for their business relations, like ordering formulas or stocking data. Thus, we have three typical scenarios for VPN solutions in modern enterprises:
An intranet spanning over several locations of a company
A dial-up access for home or field workers with changing IPs
An extranet for customers or business partners
Each of these typical scenarios requires special security considerations and setups. The external home workers will need different access to servers in the company than the customers and business partners. In fact, access for business partners and customers must be restricted severely.
Now that we have seen how a VPN can securely connect a company in different ways, we will have a closer look at the way VPNs work. To understand the functionality, some basic network concepts need to be understood.
All data exchange in computer networks is based on protocols. Protocols are like languages or rituals that must be used between communication partners in networks. Without the correct use of the correct protocol, communication fails.
There is a huge number of protocols involved in any action you take when you access the Internet or a PC in your local network. Your Network Interface Card (NIC) will communicate with a hub, a switch, or a router; your application will communicate with its pendant or a server on the other PC, and many more protocol-based communication procedures are necessary to exchange data.
The OSI specification defines seven numbered layers of data exchange, which start at Layer 1 (the physical layer) of the underlying network media (electrical, optical, or radio signals) and span up to Layer 7 (the application layer), where applications on PCs communicate with each other.
1. Physical Layer: Sending and receiving through the hardware.
2. Data Link Layer: Direct communication between network devices within the same medium.
3. Network Layer: Routing, addressing, error handling, etc.
4. Transport Layer: End-to-end error recovery and flow control.
5. Session Layer: Establishing connections and sessions between applications.
6. Presentation Layer: Translating between application data formats and network formats.
7. Application Layer: Application-specific protocols.
This set of layers is hierarchical and every layer is serving the layer above and the layer below. If the protocols of the physical layer could communicate successfully, then the control is handed to the next layer, the Data Link Layer. Only if all layers, 1 through 6, can communicate successfully, can data exchange between applications (on Layer 7) be achieved.
In the Internet, however, a slightly different approach is used.
1. Link Layer: A concatenation of OSI Layers 1 and 2 (Physical and Data Link Layers).
2. Network Layer: Comprises the Network Layer of the OSI model.
4. Application Layer: Concatenation of OSI Layers 5 through 7 (Session, Presentation, and Application Layers). The protocols in the Transport Layer are the basis for protocols of the Application Layer (Layer 5 through Layer 7) like HTTP, FTP, or others.
A network packet consists of two parts: header and data. The header is a sort of label containing metadata on sender, recipient, and administrative information for the transfer. On the networking level of an Ethernet network, these packets are called frames. In the context of the Internet Protocol these packets are called datagrams, Internet datagrams, IP datagrams, or simply packets.
So what do VPNs do? VPN Software takes IP packets or Ethernet frames and wraps them into another packet. This may sound complicated, but it is a very simple trick, as the following examples will show:
Example 1: Sending a (not really) anonymous parcel
You want to send a parcel to a friend who lives in a community with strange people, whom you don't trust. Your parcel has the address label with sender and recipient data (like an Internet packet). If you do not want the commune to know that you sent your friend a parcel, but at the same time you want your friend to realize this before he opens it, what would you do? Just wrap the whole parcel in another packet with a different address label (e.g. without your sender information) and no one in the commune will know that this parcel is from you. But your friend will unpack the first layer and see a parcel still unpacked, and with an address label from you.
Example 2: Sending a locked parcel
OK, now let's distrust the commune still more. Somebody might want to open the parcel in order to find out what's inside. To prevent this, you will use a locked case. There are only two keys to the lock, one for you and one for your friend. Only you and your friend can unlock the case and look inside the packet.
VPN Software uses a combination of the earlier two examples:
Whole Network packets (frames, datagrams) consisting of header and data are wrapped into new packets.
All data including metadata like recipient and sender are encrypted.
The new packets are labeled with new headers containing meta-information about the VPN and are addressed to the VPN partner.
All VPN Software systems differ only in the special way of wrapping and locking the data.
We have learned already that VPN technology often is called tunneling, because the data in a VPN connection is protected from the Internet as the walls of the a road or rail tunnel protect the traffic in the tunnel from the masses of stone of the mountain above. Let's now have a closer look at how VPN Software does this:
The VPN software in the locations A and B encrypts (lock) and decrypts (unlock) the data and sends it through the tunnel. Like cars or trains in a tunnel, the data cannot go anywhere else but the other tunnel endpoint.
The following are put together and wrapped into one new package:
Tunnel information (like the address of the other endpoint)
Encryption data and methods
The original IP packet (or network frame)
The new package is then sent to the other tunnel endpoint. The payload of this package now holds the complete IP packet (or network frame), but in encrypted form and thus not readable for anyone not possessing the right key. The new header of the packet simply contains the addresses of sender and recipient and other metadata necessary for and provided by the VPN software used.
Perhaps you have noticed that the amount of data sent grows during the process of "wrapping". Depending on the VPN software used, this so called overhead can become a very important factor. The overhead is the difference between net data sent to the tunnel software and gross data sent through the tunnel by the VPN software. If a file of 1 MB is sent from user A to user B, and this file causes 1.5 MB traffic in the tunnel, then the overhead would be 50%, a very high level. (Please note that every protocol used causes overhead, so not all of that 50% might be the fault of the VPN solution.) The overhead caused by the VPN Software depends on the amount of organizational data and the encryption used. Whereas the first depends only on the VPN Software used, the latter is simply a matter of choice between security and speed. In other words, the better the encryption you use, the more overhead you will produce. Speed versus security is your choice.
During the last ten years, many different VPN concepts have evolved. You may have noticed that I always added "network frames" in brackets when I spoke of tunneling IP packets. This became necessary, because in principle, tunneling can be done on almost all layers of the OSI model.
The General Routing Encapsulation (GRE) provides a standard for tunneling data, which was defined in 1994 in Request for Comments (RFCs) 1701 and 1702. Perhaps, because this definition is not a protocol definition, but more or less a standard proposal on how to tunnel data, this implementation has found its way into many devices and become the basis for other protocols.
The concept of GRE is pretty simple. A protocol header and a delivery header are added to the original packet and its payload is encapsulated in the new packet. No encryption is done. The advantage of this model are almost obvious—the simplicity offers many possibilities, the transparency enables administrators and routers to look inside the packets and pass decisions based on the type of payload sent. By doing so, special applications can be privileged.
There are many implementations for GRE tunneling software under Linux; only kernel support is necessary, which is fulfilled by most modern distributions.
Encapsulating packages on the OSI Layer 2 has a significant advantage: the tunnel is able to transfer non-IP protocols. IP is a standard used widely in the Internet and in Ethernet networks. However, there are different standards too. Netware Systems, for example, uses the Internetwork Packet Exchange (IPX) protocol to communicate. VPN technologies residing in Layer 2 can theoretically tunnel any kind of packet. In most cases, a virtual Point-to-Point Protocol (PPP) device is established which is used to connect to the other tunnel endpoint. (A PPP device is normally used for modem or DSL connections.)
The Point to Point Tunneling Protocol (PPTP), which was developed with the help of Microsoft, is an expansion of the PPP and is integrated in all newer Microsoft Operating Systems. PPTP uses GRE for encapsulation and can tunnel IP, IPX, and other packages over the Internet. The main disadvantage is the restriction that there can only be one tunnel at a time between communication partners.
The Layer 2 Forwarding (L2F) was developed almost at the same time by companies like Cisco and others and offers more possibilities than PPTP, especially regarding tunneling of network frames and multiple simultaneous tunnels.
The Layer 2 Tunneling Protocol (L2TP) is accepted as an industry standard and is being used widely by Cisco and other manufacturers. Its success is based on the fact that it combines the advantages of L2F and PPTP without suffering from their disadvantages. Even though it provides no own security mechanisms, it can be combined with technologies offering such mechanisms like IPsec (see the section Protocols Implemented on OSI Layer 3).
Other distinguishing factors between the mentioned systems and protocols are:
These features will be discussed in later chapters.
IPsec is probably the most wide-spread tunneling technology. In fact, it is rather a set of protocols, standards, and mechanisms than a single technology. The wide range of definitions, specifications, and protocols are already the main disadvantages about IPsec. It is a complex technology with many different implementations and many security loopholes. IPsec was a compromise accepted by a commission and therefore is something like a least common denominator agreed upon. This means that IPsec can be used in many different setups and environments, ensuring compatibility, but almost no aspect of it offers the best possible solution.
IPsec was developed as an Internet Security Standard on Layer 3, and has been standardized by the Internet Engineering Task Force (IETF) since 1995. IPsec can be used to encapsulate any traffic of application layers, but no traffic of lower network layers. Neither network frames, IPX packets, nor broadcast messages can be transferred, and network address translation is only possible with restrictions.
Nevertheless, IPsec can use a variety of encryption mechanisms, authentication protocols, and other security associations. IPsec software exists for almost every platform, and compatibility with the implementation of other manufacturers is secured in most cases even though there are significant problems resulting from proprietary extensions.
The main advantage of IPsec is the fact that it is being used everywhere. An administrator can choose from an abundant number of hardware devices and software implementations to provide his or her networks with a secure tunnel.
Basically there are two relevant methods that IPsec uses:
Tunnel Mode: The tunnel mode works like the examples listed above; the whole IP packets are encapsulated in a new packet and sent to the other tunnel endpoint, where the VPN software unpacks them and forwards them to the recipient. In this way the IP addresses of sender and recipient, and all other metadata are protected as well.
Transport Mode: In transport mode, only the payload of the data section is encrypted and encapsulated. By doing so, the overhead is significantly smaller than in tunnel mode, but an attacker can easily read the metadata and find out who is communicating with whom. However, the data is encrypted and therefore protected, which makes IPsec a real "private" VPN solution.
IPsec's security model is probably the most complex of all existing VPN solutions and will be discussed in brief in the next chapter.
It is also possible to establish VPN tunnels only on the application layer. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) solutions follow this approach. The user can access the VPN network of a company through a browser connection between his or her client and the VPN server in the enterprise. A connection is simply started by logging into an HTTPS-secured website with a browser. Meanwhile, there are several promising products available, like SSL-Explorer from http://3sp.com/showSslExplorer.do, and products like these offer great flexibility combined with strong security and easy setup. Using the secure connection the browser offers, users can connect network drives and access services in the remote network. Security is achieved by encrypting traffic using SSL/TLS mechanisms, which have proven to be very reliable and are permanently improved and tested.
OpenVPN is a newer and an outstanding VPN solution. It implements Layer 2 or Layer 3 connections, uses the industry standard SSL/TLS for encryption, and combines almost all features of the mentioned VPN solutions. Its main disadvantage is the fact that there are still few hardware manufacturers integrating it in their solutions.
In this chapter, you have learned about techniques that have been and are used in companies that have computer networks spanning over several branches. You have learned network basics like protocols, networking layers, the OSI reference model, and which VPN solutions work on which layer. You have read what tunneling is, how it works, and how different VPN solutions implement it.