A virtual private network (VPN) is a secure connection within a public (non-secure) network. This security is typically implemented by some form of user and/or device authentication and encryption of the data stream creating a secure, private tunnel between a remote endpoint and a gateway. The sensitive nature of some communications requires the help of VPNs to provide the following three services:
Ensures that only the intended recipient can read the transmitted data while, at the same time, thwarting efforts by other parties that might intercept it. Confidentiality is provided by encryption algorithms, such as DES or 3DES.
Verification of the identity of a person or process that sent the data. Authentication is provided by mechanisms, such as exchanging digital certificates.
Ensures the data received is exactly what was transmitted from the source without alterations or additions. Integrity is provided by hashing algorithms, such as MD5 or SHA.
While many VPN strategies and technologies exist, let’s start by defining some basic terminology that can help describe VPNs. VPNs come in two basic types:
Each of these two VPN types can be further broken down into either of the following categories:
Remote access involves connecting individual users to a LAN to provide secure, encrypted network access for telecommuters, traveling employees, and one-person offices of consultants, contractors, brokers, vendors, and so forth.
Early remote-access VPN often involved contracting (outsourcing) with enterprise service providers (ESPs), such as CompuServe. The ESP provided the network infrastructure and client software for the user computers. Many of these systems used dial-up (modem) services called virtual private dial-up networks (VPDN). ESPs were often too expensive for small to medium-sized organizations or they weren’t interested in supporting that size client.
Today, many companies provide their own VPN connections through the Internet, allowing access to remote users running VPN client software through their Internet service providers (ISPs). The rapid expansion of cable modems and DSL has made it possible for telecommuters and other fixed location users to replace slower modem and ISDN services with fast connections, at a fraction of the cost of dedicated lines. Fast Internet connections offered in many hotels and the new wireless access facilities in many public places, such as airports and convention centers, means traveling employees can also use fast secure remote VPN connections. Examples in Figure 9-2 show two common types of remote-access VPN.
The three basic types of VPN connections include
Access VPNs allow the organization’s remote users to access company intranet or extranet over a shared infrastructure. Access VPNs provide secure connectivity for mobile users, telecommuters, and small branch offices using analog modems, ISDN, DSL, cable modems, and wireless IP.
Intranet and extranet VPNs are covered in the next paragraphs.
Site-to-site, or LAN-to-LAN, VPNs involve a secure connection between two end devices such as routers, firewalls, or VPN hardware devices. The hosts on each LAN connected to those end devices can access the other LAN via the secure connection based on the organization security policy and the placement of shared resources. Common examples of site-to-site VPN implementation could include connecting branch offices, vendor sites, dealer sites, or customer offices to the corporate network. Figure 9-3 shows the types of connections that might be VPN candidates.
Intranet VPN would involve allowing the remote user or connected site to have access to the company internal network and resources. A typical example might be a branch office connecting to the corporate network allowing all branch employees access to e-mail and other corporate resources. Individual telecommuters and traveling employees would be candidates to use a VPN to connect to the company intranet.
Extranet VPN might be one or more special networks established to share resources with vendors, suppliers, customers, consultants, business partners, and other nonemployee groups. The extranet creates a shared environment for collaborative efforts. An example might be a company web server network that allows dealers to check inventory, place orders, and track deliveries. This limits access and exposure to only those resources needed by the shared, while protecting the others.
Extranet access could be either site-to-site or a remote-access connection to a nonemployee, such as a consultant or a broker.
The extranet could be a DMZ on the network that requires some level of authentication to access and is, therefore, unavailable to the general public. If anyone could access it, this would be an Internet. Figure 9-4 shows VPN connection types supported by Cisco technologies.
In an effort to provide secure connections through the public networks, service providers developed their own proprietary technologies or combinations of technologies. Some of these early VPN implementations were Layer 2 technologies, while others were Layer 3.
Using the broad definition of a VPN as “a private network built upon or within a public network,” public X.25, Frame Relay, and ATM networks’ use of virtual circuits within their public networks can be considered VPNs. The shared nature of these technologies allowed them to be less expensive than comparable dedicated circuits. These types of VPNs are generically referred to as Layer 2 VPNs. Unfortunately, these services don’t address universal access because they are unavailable in many parts of the country and world.
The dominant emerging form of VPNs are those networks constructed across shared IP backbones, called IP VPNs. Because the Internet is the largest and most widely accessible of the public networks, this is where the greatest research and development is aimed. The early Layer 3 VPN implementations were provided by private companies that developed security implementations on top of the published TCP/IP and Internet standards. Cisco encryption technology (CET) was an early Cisco proprietary Layer 3 VPN technology.
The biggest drawback to these early efforts was the lack of interoperability between different manufacturers. While a strong case can be made for a single vendor end-to-end solution, the reality is this: all-too-common business mergers and acquisitions often mean companies are forced to merge different vendor VPN strategies and technologies.
A second issue is that not all vendors make products for all implementations within the network. For example, a vendor might have a strong VPN line for connecting branch locations and could even have client software for individual remote users, but they might lack a solution for small multiuser connections using cable modems or DSL service.
IP Security (IPSec) is a standards-based suite of protocols developed by the Internet Engineering Task Force (IETF) to provide secure exchange of packets at the IP layer (Layer 3). IPSec is rapidly becoming the most widely deployed VPN implementation. Cisco has adopted IPSec for its VPN products.
The single biggest problem with using the Internet—or any TCP/IP network—for private communication is the lack of security. The underlying protocols simply weren’t designed with security as a high priority. While it’s easy to place blame using hindsight, a fair analysis would recognize that not only was the technology brand new, but also that no one involved could have visualized the masses from every corner of the Earth individually accessing the resulting network.
The evolution of the World Wide Web as a more or less unregulated playground for every interest and activity has lead to a growing number of miscreants bent on causing problems. Add to this the technologically incompetent and those who see the Internet as a tool for political and religious warfare, and you can understand why the neighborhood has become an unfriendly place.
The security concerns in using the Internet for conducting private communications can fall into the following categories:
Loss of privacy
Loss of data integrity
The ultimate goal in developing an IPSec standard is to address these threats without the need for expensive host hardware or application modifications and changes.
Remember, IPSec is a new and still-evolving pool of standards and protocols. The IETF working group for IPSec has dozens of draft proposals they’re working on to extend the capabilities and interoperability of IPSec with other common network technologies, such as NAT/Firewall traversal and MIB standards.
The mandate is for IPSec to be in IP Version 6 when it’s finally implemented. Once this occurs, we’ll all be using IPSec in its latest form. For more information on the IPSec working group and its current activities go to the following site: http://www.ietf .cnri.reston.va.us/html.charters/ipsec-charter.html.
While this book is current at press time, probably no other features warrant constant monitoring of Cisco documentation and releases covering IOS and device upgrades more than IPSec and VPNs. Each new release seems to bring expanded support for technologies like wireless, firewalls, and even basic IPSec protocols supported.
Data security can be performed at many levels, including having the user applications encrypt the data. This was a feature supported on many user applications, such as Microsoft Excel and Word. In each case, the users supplied a password when they saved a document and, next, the data was scrambled using the password as an encryption key. The recipient then needed to supply exactly the same password to open the document. While somewhat effective, this method relied on the user to implement it, forward the password in a secure fashion to the recipient, and never forget the password for the life of the document. Many corporate disasters occurred when an employee left the company, for whatever reason, and critical data was unavailable.
In an effort to remove user involvement from the process, technologies were developed that operated at the application layer, but remained invisible to the end user. Some of these applications provided only partial solutions to the problem. Secure Sockets Layer (SSL) is an example of application encryption for web browsers that protects the confidentiality of data sent from supported applications, but it doesn’t protect data sent from other applications. Each host system on the network and all applications must be SSL installed and configured to work efficiently. While this is better than having the user manage encryption, too many opportunities still exist for the system to fail. SSL typically requires increased administrator involvement when computers or applications are added or changed.
VPN benefits to the organization can include significant cost savings because the service provider network supplies the brunt of the hardware and support for the WAN connections. The savings can be substantial, especially when comparing the price of bandwidth available from DSL and cable connections to the Internet versus the cost of dedicated or frame relay links.
Particularly in supporting remote users, the Internet provides a low-cost alternative for enabling access to the corporate network, instead of maintaining large modem banks and paying costly phone bills. With just a local phone call to an ISP in many places around the world, a user can have access to the corporate network. In some cases, VPNs enable organizations to save between 30 and 70 percent over competing remote-access solutions.
An organization might see improved geographical coverage, especially in communities or regions where dedicated links or frame relay links are unavailable or prohibitively expensive. The rapid deployment of cable modems, DSL service, and even some public wireless networks can allow the telecommuter opportunities that would be impractical at modem speeds. High-speed data ports in hotels and motels that can be secured through VPN connections mean traveling employees can often do more tasks on the road than simply checking their e-mail. In many cases, VPNs mean simplified WAN operations and increased networking reliability.
A network with remote sites can be thought of as a group of islands served by a public ferry system. While this internetwork of ferries allows residents to move from place to place at a reasonable cost, there’s no privacy and any scheduling, routing, and rules are up to the ferry provider.
An alternative would be to build bridges among the islands, but the cost would be high and some islands might have too few residents to make the cost worthwhile. These dedicated links, as in WANs, would provide privacy and more freedom of movement. Unfortunately, like WANs, where distance determines the cost of the bridge, it’s possible to create situations where connecting a distant small site with even minimal service could cost many times that of servicing a much larger and closer group.
Another alternative could be personal watercraft of some type. These boats could provide private transportation, routing, and scheduling at the direction of their owner. Even if the people on the ferry see a boat, they have no idea what’s going on inside, or even its source or destination. Relative to building bridges, adding more boats as needed would be inexpensive.
With all the variety in boat types—from canoes and kayaks to luxury yachts—at least it’s possible that some marinas might not support all types, thereby limiting the boat owner’s ability to make connections. If a single standard was adopted by all marinas, such as power boats between 15 and 35 feet, then the boat owner would be free to choose from many vendors as long as they met the standard. The marinas, as service providers, could still support other options in addition to the standard.