A VPN supports at least three different modes of use:
· Remote access client connections
· LAN-to-LAN internetworking
· Controlled access within an intranet
It is better to discuss the types of VPNs before analyzing what they can accommodate.

Secure VPNs use cryptographic tunneling protocols to provide the necessary confidentiality (preventing snooping), sender authentication (preventing identity spoofing), and message integrity (preventing message alteration) to achieve the intended privacy. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks. Because such choice, implementation, and use are not trivial, there are many insecure VPN schemes on the market. Secure VPN technologies may also be used to enhance security as a "security overlay" within dedicated networking infrastructures.

Trusted VPNs do not use cryptographic tunneling and instead rely on the security of a single provider's network to protect the traffic. Multi-protocol label switching (MPLS) is commonly used to build trusted VPNs.

Technology Behind VPNs
Several network protocols have become popular as a result of VPN developments:
· PPTP
· L2TP
· IPsec
· SOCKS
These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public. Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other.

VPN Tunneling: VPN technology is based on the idea of tunneling. Network tunneling involves establishing and maintaining a logical network connection. On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

Two Types of VPN Tunneling
VPNs support both voluntary and compulsory tunneling, and both types can be found in practical use. In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then the VPN client application creates the tunnel to a VPN server over this live connection. In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS), or Point of Presence (POP) server. Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively moves control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEPs.

VPN Tunneling Protocols
Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols, listed below, continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)
Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

Layer Two Tunneling Protocol (L2TP)
The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of L2F and PPTP were combined to create a new standard called L2TP.

Internet Protocol Security (IPsec)
IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or PPTP. IPsec operates at the network layer (Layer Three) of the OSI model.

VPN SECURITY
The most important part of a VPN solution is security. The nature of VPNs, putting private data on public networks, raises concerns about potential threats to that data and the impact of data loss, so a Virtual Private Network must address all types of security threats by providing security services in the following areas:

Authentication - Authentication is the process of ensuring that a user or system is who it claims to be. There are many types of authentication mechanisms, and all work off one or more of the following: a login name, a password, a token, a card key, a fingerprint, or a retinal scan. Weak authentication makes use of only one of these components, usually a simple login/password sequence; strong authentication combines at least two authentication components from different areas.

Presentation - Encryption is based on two components: an algorithm and a key. A cryptographic algorithm is a mathematical function that combines data with the string of digits contained in a key to produce encrypted text. There are several major types of encryption of varying degrees of complexity, as measured by the lengths (in bits) of their cryptographic keys, such as the Advanced Encryption Standard (AES), RSA, and Elliptic Curve Cryptosystems (ECC).

Transportation - The modification of data packets in a network is an attack on data integrity. Message authentication is the procedure used to verify that received messages come from the alleged source and have not been altered.

Non-repudiation - Non-repudiation is a means to verify that an electronic message has been sent and received by the specified parties. This protects both parties by ensuring that neither the sender nor the recipient can later claim the transaction did not take place, which is vital not only when dealing with contracts but also for online sales of digital goods such as music and entertainment.

Unfortunately, VPN technology alone does not provide reliable proof about who is accessing the data at either end of the tunnel. Without strong authentication, information may be shielded as it crosses the network only to fall into the wrong hands. However, RSA Security's authentication solutions greatly reduce this risk by forcing external users to present multiple forms of identity to provide assurance that they are who they claim to be before they are granted access.

VPNs for Remote Access - A VPN can support the same intranet/extranet services as a traditional WAN, but VPNs have grown in popularity for their ability to support remote access service. In recent years, many organizations have increased the mobility of their workers by allowing more employees to telecommute, and employees continue to travel and face an increasing need to stay plugged in to the company network. Typically, a corporation that wishes to set up a large remote-access VPN provides some form of Internet dial-up account to its users through an Internet Service Provider (ISP). The telecommuter can then dial a 1-800 number to reach the Internet and use VPN client software to access the corporate network. This is especially useful when a large firm needs remote access for hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider. The overhead of maintaining such a system internally, coupled with the possibility of high long-distance charges incurred by travelers, makes VPNs an appealing option here.

VPN INTERNETWORKING
An extension of the VPN remote access architecture allows an entire remote network to join the local network. A server-to-server VPN connection, rather than a client-to-server connection, joins two networks to form an extended intranet or extranet. Intranets also use VPN technology to implement limited access to individual subnets on the private network. In this mode, VPN clients connect to a VPN server that acts as a gateway to the computers behind it on the subnet, taking advantage of the security features and convenience of VPN technology.

ADVANTAGES
VPNs promise two main advantages over competing approaches: cost savings and scalability.

Cost Savings - One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to the service provider, which could be a local leased line (much less expensive than a long-distance one).

Another way VPNs reduce costs is by lessening long-distance telephone charges for remote access: VPN clients need only call into the nearest service provider's access point. In some cases this requires a long-distance call, but in many cases a local call will suffice.

A third, subtler way that VPNs may lower costs is through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access. Service providers can in theory charge much less for their support than it costs a company internally, because the public provider's cost is shared among potentially thousands of customers.

Scalability - The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two. However, as an organization grows and more locations must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. Mathematicians call this phenomenon a "combinatorial explosion," and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically distributed access already available.

Compared to leased lines, Internet-based VPNs offer greater global reach, given that Internet access points are accessible in many places where dedicated lines are not available. The only way to properly deploy the appropriate VPN for any organization is to evaluate the needs of your operation and its remote clients. At that point you must evaluate the hardware involved on both ends, the operating systems on both ends, the Internet service on both ends, the application software involved, and more. Performance, security, and limitations of the existing infrastructure always dictate how you move ahead. Often this process is short and simple, but a variety of unforeseen problems can crop up if you do not carefully evaluate these elements. Whether in-house or through a vendor, it is important to evaluate your existing systems and requirements first, to save time and money later. Once you have finished this part of the evaluation, it will be a much simpler task to choose among the various VPN approaches. Often something in the initial evaluation will mandate a certain VPN approach; if this is the case, your choices will be easily defined. If your existing technology places very few limitations on you, the decision becomes one of ROI, performance, and security demands.

DISADVANTAGES
With the hype that has surrounded VPNs historically, the potential pitfalls or weak spots in the VPN model can be easy to forget. Four concerns with VPN solutions are often raised:
1. VPNs require an in-depth understanding of public network security issues and the taking of proper precautions in VPN deployment.
2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depend on factors largely outside of its control.
3. VPN technologies from different vendors may not work well together due to immature standards.
4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.
Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.

CONCLUDING REMARKS:
The success of VPNs in the future depends mainly on industry dynamics. Most of the value in VPNs lies in the potential for businesses to save money. Should the cost of long-distance telephone calls and leased lines continue to drop, fewer companies may feel the need to switch to VPNs for remote access. Conversely, if VPN standards solidify and vendor products interoperate fully with one another, the appeal of VPNs should increase. The success of VPNs also depends on the ability of intranets and extranets to deliver on their promises. Companies have had difficulty measuring the cost savings of their private networks, but if it can be demonstrated that these provide significant value, the use of VPN technology internally may also increase. VPNs do not offer any network services that aren't already offered through alternative mechanisms. However, a VPN does use a unique mix of technologies that promises to improve on the traditional approaches.