Virtual Private Network (VPN)
A virtual private network (VPN) is a secure tunnel created between two endpoints connected via an unsecure transport network.

Use Cases

  • allows you to remotely connect to a network in a secure, encrypted manner
    • to access the internal resources of your organization
    • your device acts as though it is connected to the organization’s internal network
  • send sensitive traffic over insecure networks
  • use VPNs to protect or anonymize the traffic you’re sending over untrusted connections
  • keep the ISP from logging the contents of traffic
  • stop people on the same network from eavesdropping
  • obscure geographical location
  • bypass location-based blocking
  • hide traffic and IP addresses when using peer-to-peer (P2P) file sharing services

How it Works

  • client and server concept
  • create a connection using
    • a VPN client application on one end
    • and a VPN concentrator on the other end
      • aka remote access server (RAS)
      • accepts connections from Internet
  • client uses the VPN client application to authenticate to the VPN concentrator
  • once connection is established,
    • all traffic exchanged from the network interface connected to the VPN flows through the encrypted VPN tunnel
    • remote computer becomes part of the local network
      • still restricted by the bandwidth available over the Internet connection
  • tunneling encapsulates one protocol within another to ensure transmission is secure

Example

The VPN described above is for remote access to the LAN by teleworkers and roaming users.

  • VPNs can also be used
    • to connect sites over public networks
      • such as linking branch offices to a head office
    • or within a local network as an additional security mechanism

Tunneling

A tunnel is an encrypted connection between two points.

  • requires a protocol that can create a secure tunnel for private communications through the Internet
  • hosts are on the same logical network but connected via different physical networks
    • encapsulates the packet for the local network within a public network packet
      • local network packet is encrypted
    • When the packet is delivered
      • remote access server strips the public packet headers
      • extracts and decrypts the local packet
      • forwards it over the local network
  • types:
    • full-tunnel VPN
      • all network traffic leaving the connected device is routed through the VPN tunnel
    • split-tunnel VPN
      • only traffic destined for the corporate network is sent through the VPN tunnel
      • other traffic is routed directly over the Internet from the client’s network
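A worked illustration of the encapsulation, decapsulation and routing decisions described above. This is an added example, not code from the original notes or from any real VPN product: the inner packet, the outer packet, the shared key, the corporate address range (10.0.0.0/8) and the HMAC-based demo cipher are all constructed for illustration, and the cipher stands in for the authenticated encryption a real tunnel protocol would use.

```python
import hmac, hashlib, os, struct, ipaddress

KEY = b"demo-shared-key-not-for-real-use"      # constructed demo key, assumed pre-shared
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate (local network) range

def _keystream(key, nonce, n):
    # Demo keystream (HMAC-SHA256 in counter mode); illustrative only, not a real VPN cipher.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encapsulate(inner_src, inner_dst, payload, outer_src, outer_dst):
    # Client side: build the local-network packet (private addresses + payload) ...
    inner = ipaddress.ip_address(inner_src).packed + ipaddress.ip_address(inner_dst).packed + payload
    # ... encrypt and authenticate it ...
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(KEY, nonce, len(inner))))
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()
    # ... and wrap it in a public-network packet carrying the public addresses.
    return ipaddress.ip_address(outer_src).packed + ipaddress.ip_address(outer_dst).packed + nonce + ct + tag

def decapsulate(outer):
    # Concentrator side: strip the public headers, verify integrity, decrypt the local packet.
    nonce, body = outer[8:24], outer[24:]          # bytes 0..7 are the public src/dst headers
    ct, tag = body[:-32], body[-32:]
    expected = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel packet failed integrity check")  # drop, never forward
    inner = bytes(a ^ b for a, b in zip(ct, _keystream(KEY, nonce, len(ct))))
    # Returned tuple is what gets forwarded over the local network.
    return (str(ipaddress.ip_address(inner[:4])), str(ipaddress.ip_address(inner[4:8])), inner[8:])

def tamper_detected(outer):
    # True if the concentrator rejects the packet (e.g. a modified ciphertext byte).
    try:
        decapsulate(outer)
        return False
    except ValueError:
        return True

def route(dst, split_tunnel):
    # Full tunnel: everything goes through the VPN.
    # Split tunnel: only traffic for the corporate network goes through the VPN.
    if split_tunnel and ipaddress.ip_address(dst) not in CORP_NET:
        return "direct"
    return "tunnel"

if __name__ == "__main__":
    pkt = encapsulate("10.0.0.5", "10.0.0.10", b"hello", "203.0.113.7", "198.51.100.1")
    print(decapsulate(pkt), route("93.184.216.34", split_tunnel=True))
```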

Tunneling Protocols

A VPN protocol determines how the tunnel is created.

Types of VPNs

Info

A third topology is a host-to-host tunnel. This is a means of securing traffic between two computers where the private network is not trusted.