Virtual Private Networks

Computers & TechnologyNetworking

  • Author Nancy Simon
  • Published December 27, 2017
  • Word count 2,008

In the modern business settings, there is an increasing demand to connect to internal company networks from diverse locations (Natarajan, Muthiah, &Nachiappan, 2010). It is a common need that employees connect to private networks via the internet from home, field stations, or while on transit in the airport, or external networks. The nature of the internet is insecure (Stewart, 2013; Lim et al., 2001). Hence, security is the principal issue of concern to companies when employees, customers, and business partners have frequent connections to internal networks from distant locations. Virtual private networks provide a technology that protects that data being transferred via the internet. VPNs allow users to set a virtual private tunnel through which to access data, resources, and communications in internal networks via the internet (Paul, 2000). This essay provides an overview of VPN and the core tunneling protocols used to enhance security, with a focus on Layer 2 Tunneling Protocol.

Introduction

Virtual Private Network (VPN) is a type of private network that utilizes public telecommunication, such as the internet, rather than leased lines, to communicate (Natarajan, Muthiah, &Nachiappan, 2010). Virtual private networks became popular with the increase in the number of employees working in remote locations. Virtual means not physically-present, private means not public, which network is a system of electronic communication between two or more devices. The internet is the backbone for virtual private networks. The motivating factors for the introduction of VPNs by firms are that virtual private networks save costs tremendously and reduce maintenance and equipment costs (Rubin, 2003). The two fundamental features of VPNs are security and scalability. Modern virtual private networks overcome threats to security through the use of special tunneling protocols.

How VPNs Operate

Virtual private networks require an internet connection as the foundational platform for sharing resources, communications and data (Stewart, 2013). Virtual Private Network transmits data through a mechanism called tunneling. Prior to transmission, a packet wrapped or encapsulated in a new packet that has a new header. The header has routing information that allows it to traverse a public or shared network amidst before reaching the endpoint of the tunnel. A tunnel is logical route or path through which encapsulated packets travel.

Packets are de-capsulated when they reach the endpoint of the tunnel, and are forwarded to the final destination (Stewart, 2013). The two tunnel endpoints must support the same tunneling protocol. Tunneling protocols run or operate at either of the layers of Open System Interconnection (OSI), i.e. data-link (layer two) or network layer(layer three). There are four commonly used tunneling protocols, i.e. PPTP, IPsec, L2TP, and SSL. A packet that has a private non-routable IP address can be sent wrapped in a packet with globally unique IP address, hence extending a private network over the internet.

In relation to security, VPN applies encryption to ensure the confidentiality of data (Bacon et al., 2002). The virtual private network applies the tunneling mechanism to wrap or encapsulate encrypted data into a secure tunnel with open headers that have the potential to cross public networks. Packets of data passed communicated through a public network through this method cannot be read without proper decryption keys. Hence, the mechanism ensures that data is not changed or disclosed amid transit through the public network.

Virtual private networks also provide data integrity check (Stewart, 2013). Typically, the check is performed in the form of a message-digest that ensures that data has not been altered or tampered within the process of transmission. The default nature of virtual private networks is that it does not enforce or provide a strong user authentication. Hence, users can use simple usernames and passwords to gain entry into internal networks from different geographically dispersed locations or other networks. However, virtual private networks support add-on authentication such as tokens, smart cards, etc.

Deployment of VPNs

Enterprises and organizations deploy VPNs through Remote Access VPN, Intranet VPN, Extranet VPN, or WAP Replacement(Bacon et al., 2002).

Remote Access VPN

Remote access VPN is a user-to-network connection for the home or mobile user connecting to corporate networks from a remote location. It permits encrypted connections between remote users and corporate private network.

Intranet VPN

Intranet VPN is a connection among fixed locations. Intranet VPN is LAN-to-LAN VPN connection that joins remote locations such as branch offices into a single private network. LAN stands for Local Area Network.

Extranet VPN

Extranet VPN is a type of connection that links businesses partners such as customers and suppliers, allowing the different parties to work, communicate, or share data within a shared environment.

WAN replacement

In WAN replacement, VPNs provide an option for Wide Area Networks (WAN)(Bacon et al., 2002). However, maintaining WANs are expensive, particularly in cases where networks are dispersed geographically. The application of VPNs reduces costs and eliminates administrative overhead. In addition, it provides improved scalability compared to traditional private networks. However, the performance and reliability of networks can become a problem, especially when connections and data are tunneled via the internet.

Tunneling Protocols

Four tunneling technologies are commonly used in virtual private networks. For this discussion, extensive description is given for L2TP.

Layer 2 Tunneling Protocol (L2TP)

Layer 2 Tunneling Protocol is an old protocol that has largely been replaced by SSL/TSL and IPSec VPNs in the production environments (Stewart, 2013). However, the protocol may still be in service in certain environments in which backward compatibility may be an issue. Hence, it is possible to come across it in the academic literature. L2TP was applied extensively in traditional VPN solutions but lost its popularity as other protocols became more usable as industry standards developed. For the first time, L2TP was included in a Microsoft server product with the introduction of Windows 2000 server (Ibid).

L2TP combines Point-to-Point Tunneling Protocol and Layer 2 Forwarding (Popescu, 2010). L2TP can encapsulate PPP required to be sent through IP, ATM networks, or Frame Relay. In this protocol, multiple connections are allowed via one tunnel. In a similar way as PPTP and L2F, Layer-Two tunneling protocol operates on OSI layer two. Layer two VPN protocols wrapped data in PPP frames and can transmit non-IP protocols via an IP network.

Layer-two tunneling protocol applies the same mechanisms of authentication as PPP connections, such as PAP, EAP, and others (Bacon et al., 2002). Tunneling that applies L2TP is realized through multiple levels of encapsulation. PPP data is wrapped or encapsulated in an L2TP header and a PPP header (Stewart, 2013). The L2TP wrapped packet is additionally encapsulated within a UDP header with the source port and destination port set to 1701. The final packet is wrapped with an IP header with the server and client’s source and destination IP addresses (Bacon et al., 2002). There is always a lack of confidentiality with the use of L2TP. L2TP only provides a mechanism for creating tunnels via IP network, but does not provide a mechanism for the encryption of data being channeled. Hence, L2TP is typically used together with IPSec and, hence, referred to as L2TP/IPSec. Security services are offered by IPSec, ESP, and AH, when L2TP is operating over IPSec. L2TP data and controls appear as homogeneous data packets to the IPSec system.

It is rare to encounter L2TP in modern production environments (Stewart, 2013). However, the basic concepts of the protocol are essential for understanding the relative significance of the protocols common in modern environments and understanding virtual networks in general.

Other Tunneling Protocols

IPSec (Internet Protocol Security)

The Internet Engineering Task Force, IETF, created IPSec for secure transfer of data at the OSI layer three through the internet or other unprotected public IP networks (Popescu, 2010). IPSec allows a network to select and negotiate the necessary security protocols, secret keys, and algorithms to be utilized. IPSec provides basic authentication, encryption, and data integrity to ensure unauthorized viewing or modification of data. IPSec uses two security protocols, i.e. ESP (Encapsulated Security Payload) and AH (Authentication Header) for the necessary services. However, IPSec is limited to sending only IP packets.

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol is an OSI layer-two protocol built on Point-Point Protocol (PPT) (Popescu, 2010). Point-to-Point protocol is a dial-up protocol that uses multiple protocols to connect to the internet. Users connecting to VPN from remote locations can access the internet through PPTP. However, they should first dial into the local ISP. PPTP allows a PPP session with protocols that are non-TCP/IP for tunneling via an IP network. The same mechanism of authentication applied for PPP connections is supported in the PPTP-based VPN connection.

SSL/TSL

Secure Sockets Layer (SSL) is a transport layer protocol that applies Transmission Control Protocol (TCP) port 443 (Popescu, 2010). IETF defines SSL protocol and its versions (Fall & Stevens, 2012). The standardized versions of SSL include TSL 1.0, TSL 1.1., and TSL 3.1, which is the same as SSL 3.1 (Bacon et al., 2002). Versions of SSL do not go beyond SSL 3.1. SSL/TSL provides a variety of cryptographic features (Ibid). These features include integrity, confidentiality, and digital signatures. Contrary to IPSec, where the communicating parties agree to cryptographic functions, SSL/TSL applies cipher suites to set or define cryptographic functions for the server and client to use to communicate.

SSN VPN gateways can self-authenticate to the web user with the use of an SSL server certificate signed by a credible Certification Authority (CA), in order for the user to prove that the server he or she is communicating with through a browser is trusted (Stewart, 2013). In typical circumstances, some SSL virtual private networks may use a self-signed digital certificate, which is trusted in most web browsers. In similar cases, users can add the SSL virtual private network server certificate to their list of trusted certificates.

Risks and Limitations of VPNs

Risks related to the use of VPNs relate to virus or malware infections, client-side risks, user authentication, and hacking attacks (Bacon et al., 2002).

Hacking: Client machines may become targets of attacks or staging points for attacks from within the staging network. Intruders can exploit wrong configurations or bugs in client machines, and other hacking tools to launch different types of attacks such as VPN hijacking.

User authentication: VPN does not enforce or provide authentication. The VPN connection is only established by the client. Weak authentication could allow unauthorized parties to enter the connected network.

Client-side risks: VPN client machines could be connected to the internet through a broadband connection while, at the same time, connected to a VPN connection to a private network, via split tunneling. Such connections pose risks to private networks involved.

Malware infections: A private network may be compromised if the client side connecting to the network has malware, which may cause leakage of the password for VPN connection.

Conclusion

Virtual Private Networks provide a mechanism to access a secured private network via insecure public networks such as the internet. The common VPN tunneling technologies are IPSec, SSL, L2TP, and PPTP. The focus of this discussion was on L2TP. Although it is possible to open and tunnel a secure communication channel via insecure public networks, the security of the connection should not be overlooked, especially from the client side.

References

Bacon, J., Beduya, L., Mitsuoka, J., Huang, B., Polintan, J. (2002). Virtual Private Network. Northridge, CA: California State University

Fall, K.R. & Stevens, R. (2012). TCP/IP Illustrated, Volume 1: The Protocols. Upper Saddle River, NJ: Pearson Education

Lewis, M. (2006). Comparing, designing and deploying VPNs. Cisco Press

Lim, L.K., et al. (2001). Customizable virtual private network service with QoS. Computer Networks, 36: 137-151

Natarajan, M.C., Muthiah, R., &Nachiappan, A. (2010). Performance investigation of VPNs with different bandwidth allocations. IJCSI, 7(1): 58-63

Paul, B. (2000). MPLS Virtual Private Networks. Enfield, UK: Data Connection Limited

Popescu, G. (2010). A comparative analysis of secure VPN tunneling protocols, JMEDS, II (2): 91-100

Rubin, A.D. (2003) "Wireless Networking Security." Communications of the ACM, 46(5): 29-30

Stewart, M. (2013). Network Security, Firewalls and VPNs. Burlington, MA: Jones & Bartlett Learning

Author is associated with writingcapital.com which is a global custom essay writing service provider. If you would like help in research paper writing service or a research papers, term papers and dissertations, you can visit Writingcapital.com

Nancy Brown is an academic writer and an editor and she offers academic writing help online. Thus, people that doubt their own writing abilities can use the best paper writing service for sale online and forget about their fears and unconfidence

Article source: https://articlebiz.com
This article has been viewed 2,716 times.

Rate article

Article comments

There are no posted comments.

Related articles