Saturday, October 8, 2011

VPN

VPN Motivation

Why is it useful to employ virtual private networks for business communication? After all, separate private networks have been set up to serve the specific communication needs of many businesses. What advantages do you gain by converting the existing separate private networks to an Internet-based VPN?

Ubiquitous Coverage

The Internet offers far wider coverage compared with the private data network infrastructures offered by telecommunication providers. Adding new destinations to a private network means adding new circuits.

Unlike the Internet, which has public and private peering points all over the world, private data networks have few interconnection agreements between service providers. Thus, the coverage of a private network is limited.

The Internet, on the other hand, is a vast interconnection of heterogeneous networks. Any host connected to a network that is connected to the Internet is in turn connected to any other host connected to a network connected to the Internet.

Cost Reduction

Another advantage gained by using an Internet-based VPN is cost reduction based on the system's economy of scale. Simply put, it eliminates the need to purchase and maintain several special-purpose infrastructures to serve the different types of communication needs within a corporation.

Security

VPNs use cryptographic technology to provide data confidentiality and integrity for the data in transit. Authentication and access control restrict access to corporate network resources and services.

In traditional private networks, the security of the data during transit relies on the telecommunication service provider's physical security practices for data confidentiality. For example, frame relay networks have no built-in provision for encrypting data frames. Consequently, data frames, if intercepted, can be easily decoded. In VPNs, you need not trust the perceived physical security of the telecommunication service provider. Instead, data is protected by cryptography.

E-Commerce

More and more business is being conducted using the Internet. Electronic commerce is not only a major new method of retailing merchandise (called "B2C" for business-to-consumer e-commerce), but it is also a way for businesses to trade goods and services among themselves (called "B2B" for business-to-business e-commerce). Interconnectivity of businesses is essential, and the Internet is the logical choice for the interconnection technology.

E-commerce must be secure. Private networks use physical separation for security, but it is impractical to have a separate infrastructure for each customer or B2B partner. Therefore, a closed, inflexible private network is not well suited for supporting e-commerce. A public infrastructure is more flexible but lacks security. VPNs provide both interconnectivity and security.


1.1 Business Communication

There are many types of business communication. Broadly speaking, business communication can be classified into three categories:

· Internal communication: The message is limited to selected internal audiences. For example, a corporation may periodically distribute an updated company employee directory to all its employees. Confidentiality is essential.

· Selected external communication: The message is intended for selected external audiences. For example, a retail store may want to order a product from its supplier. Although not all communications of this type are considered proprietary, one company's business with another is generally confidential.

· Communication with public and other external audiences: The message is intended for general public consumption. Sometimes, the wider the audience the message reaches, the better. For example, a company may place a 30-second commercial during a sporting event to reach a large audience. At other times, a targeted message is designed to cater to a specific audience to maximize its impact. This type of communication is generally not confidential.

Businesses have traditionally used specialized technologies for these different types of communication and have managed them separately.

The Convergence of Business Communication

Although businesses have a variety of communication types—and hence the need for different modes of communication—the digitization of information, and the creation of computer networks to deliver it, has been a unifying factor. Internal memos are now emails, and employee directories are kept in databases. Orders can be placed online. The World Wide Web provides a means for publishing sophisticated product brochures. Although there will always be the need for traditional forms of information dissemination, much business communication is converging on a digital network.

The computer networking technologies are also converging. There used to be many types and formats of computer networks, each developed by a different vendor. IBM offered Systems Networking Architecture (SNA) for its mainframe and minicomputers. Digital had DECNET, used in the once-popular VAX computing environment. In the PC environment, Novell's Netware was dominant and still is fairly widely used for PC interconnections. Nonetheless, with the development of the Internet, most computer networks have migrated to an IP-based infrastructure. IP—the Internet Protocol—serves as the common format for all connected network devices on the Internet.

Private Networks

To meet their information infrastructure needs, corporations have invested heavily in internal networks called intranets. Intranets serve the employees at the corporate site, but not employees on the road or telecommuting from home. To accommodate the remote access needs of "road warriors" and telecommuters, companies have set up remote access servers to extend intranets into the field. Usually, a bank of modems allows these users to dial in through public switched telephone networks (PSTNs). Furthermore, employees at branch offices require access to the same information and the same resources, so private lines are used to interconnect the various sites to make one corporatewide intranet.

Special arrangements are sometimes made to allow business partners to have limited access to some part of the corporate intranet. These networks, usually called extranets, provide the means to improve the efficiency of business information flow.

Each form of access to the intranet is a separate private networking solution. This is true even when some aspects of each solution, such as the underlying networking protocols used, are the same. Each form of access also has its own requirements for privacy—requirements that are met by keeping data transmission on separate dedicated channels.

Public Networks

It is also imperative for a corporation to exchange information outside the established private networks. This requires access to a public networking infrastructure such as the Internet.

In addition, the public network opens a new avenue of commerce. It is now unthinkable for a corporation not to have a presence on the World Wide Web. For many companies, such as Amazon.com, there is no "brick and mortar" storefront. The only place where they face customers is in cyberspace.

Virtual Private Networks

Protection of private corporate information is of utmost importance when designing an information infrastructure. However, the separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements.

The Internet, on the other hand, is inexpensive but does not by itself ensure privacy. Virtual private networking is the collection of technologies applied to a public network—the Internet—to provide solutions for private networking needs. VPNs rely on cryptographically protected tunnels, rather than physical separation, to keep communications private.

This introduction to VPNs covers the evolution of the VPN market, and the latest technologies and solutions.

Two Types of VPN Tunneling

VPN supports both voluntary and compulsory tunneling. Both types of tunneling can be found in practical use.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called a VPN Front End Processor (FEP); the terms Network Access Server (NAS) and Point of Presence (POP) server are also used. Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively moves control over the tunnels from the clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEPs.

VPN Tunneling Protocols

Several interesting network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) of the OSI model -- thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution, or it can be used simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.
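As an added illustration of how the three protocols above look from outside the tunnel (example code written for this page, not from the original article or from any VPN product), the following Python labels flow records by the IANA protocol numbers and well-known ports each tunnelling protocol uses on the wire. The `Flow` record, the `classify`, `payload_encrypted_by_tunnel` and `summarize` helpers, and the sample flows are all constructed for the example.

```python
# Added example, not code from the original page: label observed IP flows by the
# on-wire identifiers of PPTP, L2TP and IPsec. Protocol numbers and ports are
# the IANA assignments; the flow records at the bottom are constructed samples.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# IP protocol numbers (IANA "Protocol Numbers" registry)
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP carries the tunnelled PPP frames inside GRE
PROTO_ESP = 50   # IPsec Encapsulating Security Payload (confidentiality + integrity)
PROTO_AH = 51    # IPsec Authentication Header (integrity only, no encryption)

# Well-known ports
PORT_PPTP_CTRL = 1723   # PPTP control connection (TCP)
PORT_L2TP = 1701        # L2TP control and data (UDP)
PORT_IKE = 500          # IKE, the IPsec key exchange (UDP)
PORT_NAT_T = 4500       # IKE and UDP-encapsulated ESP behind NAT (UDP)


@dataclass(frozen=True)
class Flow:
    """Outer-header view of a flow: what a router or sensor on the path sees."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (GRE, ESP, AH)
    dport: Optional[int] = None


def classify(flow: Flow) -> str:
    """Return a label for the tunnelling protocol a flow belongs to.

    Only the outer headers are consulted, which is exactly the limitation an
    observer has: the inner addresses, ports and payload of an ESP flow are
    opaque, and L2TP run inside IPsec shows up here as ESP, not as UDP/1701.
    """
    ports = {flow.sport, flow.dport}
    if flow.proto == PROTO_GRE:
        return "PPTP data (GRE)"
    if flow.proto == PROTO_ESP:
        return "IPsec ESP"
    if flow.proto == PROTO_AH:
        return "IPsec AH"
    if flow.proto == PROTO_TCP and PORT_PPTP_CTRL in ports:
        return "PPTP control (TCP/1723)"
    if flow.proto == PROTO_UDP:
        if PORT_L2TP in ports:
            return "L2TP (UDP/1701)"
        if PORT_IKE in ports:
            return "IKE (UDP/500)"
        if PORT_NAT_T in ports:
            return "IKE/ESP NAT-T (UDP/4500)"
    return "not a recognised VPN tunnel"


def payload_encrypted_by_tunnel(label: str) -> bool:
    """True when the tunnel protocol itself encrypts the carried user traffic.

    PPTP's GRE payload is only as protected as the PPP-level cipher negotiated
    inside it, plain L2TP and AH carry the inner packet in the clear, and IKE
    carries keying material rather than user data.
    """
    return label in ("IPsec ESP", "IKE/ESP NAT-T (UDP/4500)")


def summarize(flows: Iterable[Flow]) -> Counter:
    """Count flows per label, e.g. to inventory which VPN protocols a site uses."""
    return Counter(classify(f) for f in flows)


# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", PROTO_TCP, 51000, PORT_PPTP_CTRL),
    Flow("192.0.2.10", "203.0.113.5", PROTO_GRE),
    Flow("192.0.2.11", "203.0.113.6", PROTO_UDP, PORT_L2TP, PORT_L2TP),
    Flow("192.0.2.12", "203.0.113.7", PROTO_UDP, PORT_IKE, PORT_IKE),
    Flow("192.0.2.12", "203.0.113.7", PROTO_ESP),
    Flow("192.0.2.13", "203.0.113.7", PROTO_ESP),
    Flow("192.0.2.14", "203.0.113.8", PROTO_UDP, PORT_NAT_T, PORT_NAT_T),
    Flow("192.0.2.15", "198.51.100.9", PROTO_TCP, 51001, 443),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        label = classify(flow)
        print(f"{flow.src:>12} -> {flow.dst:<13} proto={flow.proto:<3} {label}")
    print(summarize(SAMPLE_FLOWS))
```

The point of the classification is what it cannot see: an ESP flow reveals only the two tunnel endpoints, so a sensor placed outside the tunnel can inventory which protocols are in use but not inspect the traffic inside, and a plain L2TP or AH flow, although it is a VPN tunnel, gives the carried packets no confidentiality at all.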

Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption. This page describes IP-based VPN technology over the Internet, though an organization might also deploy VPNs on its internal networks (intranets) to encrypt sensitive information. The basic idea is to provide an encrypted IP tunnel through the Internet that permits distributed sites to communicate securely. The encrypted tunnel provides a secure path for network applications and requires no changes to the applications themselves.

Advantages of VPNs

VPNs promise two main advantages over competing approaches: cost savings, and scalability (which is really just a different form of cost savings).

The Low Cost of a VPN

One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines.

With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased line (much less expensive than a long-distance one), or it could be a local broadband connection such as DSL service. Another way VPNs reduce costs is by lessening the need for long-distance telephone charges for remote access.

Recall that to provide remote access service, VPN clients need only call into the nearest service provider's access point. In some cases this may require a long-distance call, but in many cases a local call will suffice.

A third, more subtle way that VPNs may lower costs is through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access, for example. Service providers can in theory charge much less for their support than it costs a company internally because the public provider's cost is shared amongst potentially thousands of customers.

Scalability and VPNs

The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two.

However, as an organization grows and more sites must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. Mathematicians call this phenomenon a "combinatorial explosion," and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically distributed access already available.

Compared to leased lines, Internet-based VPNs offer greater global reach, given that Internet access points are accessible in many places where dedicated lines are not available.