History of VPN
- The history of VPN began in the late 1990s, when a software engineer at Microsoft developed a secure way for a client to connect to a server.
- The engineer developed Point-to-Point Tunneling Protocol, which is the forerunner of today’s VPNs.
- Microsoft included VPN capabilities in its operating systems for anyone to use.
- However, during that time, only businesses were using VPN technology.
- Eventually, home users started to embrace the idea of protecting their data, and e-commerce sites began to use SSL VPNs to secure credit card transactions.
- Concurrently, businesses expanded the use of VPN technology to protect communications of the growing number of remote workers.
- After the initial setup, using a VPN is transparent to the client: they access network resources in the same way they would if they were sitting inside the private network, while their traffic actually travels remotely through cryptographic tunneling protocols.
- VPN technology has improved and is adaptable for all types of internet users, from desktop and laptop to mobile operating systems.
- A VPN uses technology such as IPsec and transport layer security to secure network traffic between sites.
Benefits of VPN
Today, there are many reasons to have a VPN. A VPN protects your communication and can protect your identity while traversing the internet. VPNs provide confidentiality by encrypting the data, authentication to ensure only authorized entities are communicating, and integrity by detecting any message modification.
VPNs provide four main benefits over setting up a private WAN network, such as those used by Frame Relay, point-to-point circuits, and ATM:
- Security: It is provided through data encryption to protect confidentiality, data integrity checking to validate packets, and authentication to prevent unauthorized access.
- Cost: Public networks, such as the Internet, can be used instead of building a private WAN infrastructure, greatly reducing a company’s WAN infrastructure cost.
- Bandwidth: Inexpensive high-bandwidth connections, such as DSL and cable, can be used to interconnect offices to allow for fast and secure access to corporate resources.
- Scalability: Companies can easily add large numbers of users and offices without building a significant WAN infrastructure.
Virtual Private Network
- A VPN is a secure channel or tunnel between two endpoints that encrypts and keeps data confidential as it crosses through an insecure network.
- VPNs can protect at different layers of the OSI model from data link all the way to the application layer.
- There are choices in the way you create a VPN, such as IPsec, SSL/TLS, and browser-based VPNs for consumers.
When the VPN connection is established between two parties (between a VPN client and a VPN gateway, or between two VPN gateways), a secured virtual tunnel is created that encrypts the data (so an eavesdropper cannot read its content), preserves data integrity (no undetected change during transmission), and ensures that the communication happens only between those two authenticated parties.
In short, how does a VPN work?
A VPN masks your IP address by acting as an intermediary and rerouting your traffic. It also adds encryption, or a tunnel around your identity, as you connect. The combination of the VPN server and the encryption tunnel blocks your ISP, governments, hackers, and anyone else from spying on you as you navigate the web.
Types of VPNs
- IPsec VPN
- An Internet Protocol Security (IPsec) VPN works by creating a secure channel, using the Internet Key Exchange (IKE) protocol to first authenticate the peers and negotiate the secure connection.
- Then IPsec uses symmetric encryption, such as AES, to secure the data between the endpoints.
- An IPsec VPN is a solid choice; however, it can run into trouble with network address translation and firewall rules.
- Secure Shell (SSH)
- Secure Shell offers VPN tunneling and built-in username and password authentication to establish a connection to a single computer.
- It uses port 22 for the connection and for the authentication that runs over it.
- PuTTY is a client you can use to create a Secure Shell connection.
- SSL/TLS VPN
- SSL/TLS-based VPNs have been around since the early 1990s and were first developed by Netscape and eventually adopted by nearly everyone to create tunnels between specific applications, primarily in web browsers.
- SSL/TLS VPNs provide encryption and reliability for the upper layers of the OSI model.
- We use an SSL/TLS VPN for transmitting sensitive information, such as banking or credit card information to a server using HTTPS.
- Businesses will most likely use an SSL certificate to reassure clients.
- Unlike SSH, it does not require the user to authenticate in order to set up the tunnel (the server is authenticated by its certificate), and it typically uses port 443 to make a connection.
- Multiprotocol Label Switching VPN
- Multiprotocol label switching (MPLS) offers several methods for creating VPNs and provides a flexible way to route traffic through an MPLS network.
Now, there are other solutions as well.
- OpenVPN, which is an open-source solution that has many security and control features. OpenVPN uses SSL/TLS, so it is able to cross network address translation and firewalls with minimal problems.
In some cases, you might simply want or need a browser-based VPN, and you can go online to select a couple of them.
- HTTPS Everywhere
- ZenMate – You can browse anonymously when a secure connection is not available.
VPN Topologies
A VPN topology defines the way we configure devices to support the VPN. An organization decides how to implement a VPN according to business needs. In general, we group VPN topologies into three main categories:
- Remote Access VPN
- A classic concept of a VPN is a remote access VPN, which allows users to have the ability to securely access internal resources.
- When using a remote access VPN, users must be part of the corporate network and the network administrator invites mobile and small office/home office employees to join by setting up a VPN so they can access the corporate network anytime, anywhere.
- Intranet VPN
- An intranet is either a confined private network within the LAN, or it may be globally interconnected LANs that use WAN technologies to communicate.
- We limit access to the intranet to people, processes, and devices that are part of the organization’s directory.
- We use an intranet site to site VPN to link branch offices.
- Extranet VPN
- An extranet is an intranet or private network that only authorized outsiders can access.
- That could include subcontractors, temporary workers, or business-to-business communication.
- The network administrator sets up a secure tunnel so they can securely access the corporate network anytime.
Physical Topologies
Physical topologies include hub and spoke, mesh, and hybrid configurations.
- A common configuration is the hub and spoke topology.
- The hub is the central office, as we see on the left, and the remote offices are the spokes.
- Many organizations use this hierarchical design, such as government, retail, and banks.
- A hub and spoke configuration works well when sites must communicate with the central office but not with each other.
- Hub and spoke topology might not work for everyone, sometimes because of the prohibitive cost associated with international links, or because an organization may require peer communication, where sites must talk with one another.
- As a result, an organization may choose a mesh or partial-mesh topology.
- With a full mesh, all links communicate with one another.
- With a partial mesh, sites may only have communication with certain other sites.
- Here we see a partial mesh where Boston will be able to communicate with New York, and New York will be able to communicate with London, but New York is unable to communicate directly with Madrid.
- Large multinational companies may have a hybrid formation that combines hub and spoke with a partial mesh topology.
- Here we see Boston and Paris using hub and spoke topology, and the rest of the network is using a partial mesh topology.
An external access VPN can be remote access or site-to-site.
Remote Access VPN
- A remote access VPN connects clients on the outside to the corporate network.
- Clients include outside sales staff and teleworkers that need access to corporate resources.
- For a remote access VPN to work, such as a remote access full tunnel, the remote worker must install VPN client software on their device.
- A remote access VPN can also include clientless SSL VPN, which provides access without requiring client software on the remote device.
- When accessing the corporate boundary, the client initiates a connection, and the request passes through the internet.
- Once it reaches the corporate boundary, the VPN server receives the request and either accepts or rejects the request to connect.
- The VPN server will often pass the request through a RADIUS server.
- The RADIUS server consults a list of policies, such as connection request policies.
- This includes checking authentication and authorization conditions along with any accounting policies.
- Health policies assess the health of a device prior to joining the network, including the status of a client’s Windows updates and possible malware.
- Network policies include the set of conditions, constraints, and settings that allow clients to join according to parameters, such as time of day, geolocation, and how long they can be on the network.
Site-to-Site VPN
- A site-to-site VPN connects entire networks.
- For example, a hub and spoke topology, where the hub is the central office, and the remote offices are the spokes.
- When using a site-to-site VPN, the individual hosts do not have client software.
- The connection is transparent in that clients are unaware that they are connecting via a VPN.
- Clients send traffic via normal TCP/IP connections through a VPN gateway.
- When setting up a VPN, the network administrator has choices.
- A common secure tunneling protocol is IPsec Encapsulating Security Payload (ESP), used as a full tunnel or site-to-site VPN.
- The encapsulating security payload protocol provides confidentiality, authentication, integrity, and anti-replay service for IPv4 and IPv6.
- The network administrator may also use SSL/TLS as a full tunnel or clientless VPN.
- With a clientless VPN, the client doesn’t have to have any VPN client software.
- They simply connect through a web browser.
The Cisco ASA offers choices in how to configure the VPN.
- We could use an IPsec site-to-site VPN, a full tunnel SSL VPN, clientless SSL VPN, or a full tunnel IPsec VPN.
- Whether an external access VPN is a remote access or site-to-site, the network administrator has choices as to how to configure the VPN, so that clients can securely connect and communicate with the network.
VPN Implementation
There are two types of VPN implementation:
- Route-Based: A route-based VPN creates a virtual IPsec interface, and whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPsec settings.
- A route-based VPN is created with two policies, one for inbound and another for outbound with a normal Accept action.
- If the VPN connection requires redundancy, a route-based VPN is normally required.
- The number of VPN tunnels is limited by the number of route entries or tunnel interfaces that the device supports.
- Traffic flowing through the VPN tunnel can be NATTed since it passes through either the tunnel interface or gateway IP address specified as next-hop in routing.
- Policy-based: In a policy-based VPN, the tunnel is specified within the policy itself with an action of IPsec.
- Also, for a policy-based VPN, only one policy is required.
- Remote access VPN can be implemented with policy-based VPN.
- Traffic flowing through the VPN tunnel can’t be NATTed.
- The number of VPN tunnels is limited by the number of policies specified.
VPN Protocol Types
- Internet Protocol Security (IPsec): Internet Protocol Security, known as IPsec, is used to secure Internet communication across an IP network. IPsec secures IP communication by authenticating the session and encrypting each data packet during the connection. IPsec runs in two modes:
- Transport mode
- Tunneling mode
- Layer 2 Tunneling Protocol (L2TP): L2TP, or Layer 2 Tunneling Protocol, is a tunneling protocol that is often combined with another VPN security protocol such as IPsec to establish a highly secure VPN connection. L2TP generates a tunnel between two L2TP connection points, and the IPsec protocol encrypts the data and maintains secure communication through the tunnel.
- Point-to-Point Tunneling Protocol (PPTP): PPTP, or Point-to-Point Tunneling Protocol, generates a tunnel and encapsulates the data packet. Point-to-Point Protocol (PPP) is used to encrypt the data over the connection. PPTP is one of the most widely used VPN protocols and has been in use since early releases of Windows. Apart from Windows, PPTP is also used on Mac and Linux.
- SSL and TLS: SSL (Secure Sockets Layer) and TLS (Transport Layer Security) generate a VPN connection in which the web browser acts as the client and user access is restricted to specific applications instead of the entire network. Online shopping websites commonly use the SSL and TLS protocols. It is easy for web browsers to switch to SSL, with almost no action required from the user, because web browsers come with SSL and TLS integrated. SSL connections have “https” at the start of the URL instead of “http”.
- Secure Shell (SSH): Secure Shell, or SSH, generates the VPN tunnel through which the data transfer occurs and also ensures that the tunnel is encrypted. SSH connections are generated by an SSH client, and data is transferred from a local port to the remote server through the encrypted tunnel.
MPLS VPN is the VPN solution used by service providers; it is the VPN type they use most. MPLS VPN is a complex and expensive solution for home users.
There are different types of MPLS VPNs. Mainly there are two types, and these are:
- Layer 2 VPNs
- VPLS (Virtual Private LAN Service)
- VPWS (Virtual Private Wire Service) (Pseudowire)
- Layer 3 VPNs
- SSTP (Secure Socket Tunneling Protocol): A VPN protocol developed by Microsoft that uses SSL to secure the connection, but it is only available for Windows.
- IKEv2 (Internet Key Exchange version 2): A VPN protocol that provides fast and secure connections, but it is not widely supported by VPN providers.
- OpenVPN: An open-source VPN protocol that is highly configurable and secure, widely supported by VPN providers and considered one of the most secure VPN protocols.
- WireGuard: A relatively new and lightweight VPN protocol that aims to be faster, simpler, and more secure than existing VPN protocols.
VPN Tunneling Types
- Voluntary tunneling
- In voluntary tunneling, the VPN client handles all the connection setup.
- To set up a connection through the tunnel, both the tunnel client and the tunnel server must support the same tunneling protocol.
- In voluntary tunneling, the client first forms a connection to the ISP or carrier network provider.
- Then the VPN client application builds the tunnel to a VPN server over this live connection.
- A two-step procedure is therefore required to set up the VPN connection in voluntary tunneling.
- Compulsory tunneling
- In compulsory tunneling, the carrier network provider handles all the connection setup required for the VPN.
- It is a one-step process, compared with the two steps in voluntary tunneling.
- In compulsory tunneling, the client first establishes a normal connection to the carrier; the carrier then acts as an intermediary to make a connection between a VPN server and that client.
- Compulsory tunneling gives the ISP complete management control of the tunnels and hides the details of the VPN server connectivity from the clients.
- Broker devices are used in compulsory tunneling to verify clients.
- The logic built into the broker device is used to associate clients with the different VPN servers.
- This network device is also called:
- VPN Front End Processor (FEP)
- Network Access Server (NAS)
- Point of Presence Server (POS)
VPN: Key Components
The purpose of a VPN is to secure network communication, and it is a critical component of an organization’s overall security plan. Today, the market has multiple VPN choices, and the networking team must ensure the best possible solution for the organization. Now, there are several key components to ensure an effective VPN, and those include:
- VPN platform: Hardware or Software
- Cryptographic techniques: Ensure confidentiality, integrity, and authentication.
- Confidentiality – Use symmetric encryption algorithms such as AES and AES-CBC.
- Data Integrity – Use hash algorithms such as SHA-224 and SHA-256.
- Authentication – Use either a PSK or the asymmetric algorithm RSA.
- Key exchange: so that both parties have the same shared key. Choices for Key exchange include:
- RSA (Rivest-Shamir-Adleman)
- Internet Key Exchange (IKE) – the method used in IPsec.
- Pre-shared key (PSK)
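The integrity, authentication and anti-replay services described above (and credited to ESP in the site-to-site section), as an added example in Go that is not part of the original post: a toy one-direction security association that tags each packet with HMAC-SHA256 under a pre-shared key and then applies the RFC 4303 sliding-window replay check. AES encryption is deliberately left out to keep the block focused on those two checks; the names SA, Protect and Verify are the example's own, not any product's API.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// SA is one direction of a constructed toy security association, not real IPsec code.
// HMAC-SHA256 under a pre-shared key gives integrity and authentication (as AH does,
// or ESP with null encryption); the sliding window gives the anti-replay service.
type SA struct {
	key     []byte // pre-shared key; a real SA derives per-direction keys via IKE
	seq     uint32 // last sequence number sent
	highest uint32 // highest sequence number accepted so far
	window  uint64 // bit i set: sequence number highest-i was already accepted
}
func tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// Protect emits seq || payload || HMAC-SHA256(seq || payload).
func (sa *SA) Protect(payload []byte) []byte {
	sa.seq++
	pkt := make([]byte, 4, 4+len(payload)+sha256.Size)
	binary.BigEndian.PutUint32(pkt, sa.seq)
	pkt = append(pkt, payload...)
	return append(pkt, tag(sa.key, pkt)...)
}

// Verify checks the tag before consulting the replay window, so a forged packet can
// never advance the window (the order RFC 4303 requires), then returns the payload.
func (sa *SA) Verify(pkt []byte) ([]byte, error) {
	n := len(pkt) - sha256.Size
	if n < 4 || !hmac.Equal(pkt[n:], tag(sa.key, pkt[:n])) {
		return nil, errors.New("packet too short or integrity check failed")
	}
	if err := sa.checkReplay(binary.BigEndian.Uint32(pkt)); err != nil {
		return nil, err
	}
	return pkt[4:n], nil
}

// checkReplay is the RFC 4303 Appendix A sliding window, 64 packets wide.
func (sa *SA) checkReplay(seq uint32) error {
	if seq > sa.highest { // new high-water mark: slide the window forward
		sa.window, sa.highest = sa.window<<(seq-sa.highest)|1, seq // shift >= 64 gives 0
	} else if diff := sa.highest - seq; diff >= 64 || sa.window&(1<<diff) != 0 {
		return errors.New("replayed or too-old sequence number")
	} else {
		sa.window |= 1 << diff // late but not yet seen: accept it
	}
	return nil
}
```

Out-of-order packets inside the window are accepted once, a second copy of any accepted packet is rejected, and a packet whose tag does not verify never touches the window.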
Applications of VPN
- A VPN can easily bypass geographic restrictions on websites or streaming audio and video.
- Using a VPN, we can protect ourselves from snooping on untrustworthy Wi-Fi hotspots.
- One can gain privacy online by hiding one’s true location.
- One can protect oneself from being logged while torrenting.