A Virtual Private Network (VPN) extends a private network across a public network. The public network behaves as if it were part of the private network, so a user can perform every function exactly as if logged in to the private network directly. It also lets a remote user work under the same security and management policies defined by the administrator of the private network. The connection is a virtual point-to-point link built from dedicated connections, encryption, or a combination of both, depending on the business requirements.
VPNs allow employees to log in securely to their private network even when they are outside the office premises; the approach is both secure and cost-effective.
Any network connection that crosses an untrusted network, such as the internet, benefits from a VPN. Even within an organization's own premises, implementing a VPN means creating a secure private channel between network devices (a site-to-site VPN) or between people and network devices (a remote-access VPN).
Benefits of a VPN
A VPN can benefit an organization in the following ways:
Eliminating the need for long-distance leased lines: To achieve full, secured network connectivity between office locations, organizations traditionally rent network capacity such as T1/E1 lines. With a VPN, users log in to the private network over the public network, so the company no longer needs to procure a leased line; sites join the virtual network through much cheaper internet-connectivity options, such as broadband connections.
Reducing long-distance call charges: A VPN also lets users run VoIP services securely, so business travelers who need to access the company's intranet no longer have to log in to a remote-access server. For example, with an internet VPN, clients need only connect to the nearest service provider's access point.
A site-to-site VPN allows offices in multiple fixed locations to establish a secure connection with each other over a public network, as shown in the following topology, with security measures bundled in. This makes the company's resources and data available to branch offices in other locations.
The two sites, using their VPN edge devices, set up the IPsec VPN tunnel, negotiating security parameters such as the encryption algorithm, the hashing algorithm, and the authentication method. Once the tunnel is established, data from the LAN of the head office is sent through the secured tunnel to the LAN of the branch office.
There are two types of site-to-site VPN:
Internet-based: When a company has several branches in different areas and wishes to join them into one private network, it connects each LAN to a single WAN.
Extranet-based: When a company has to work very closely with partners, vendors, or customers, it can set up an extranet VPN to provide the LAN connectivity that such collaboration requires. In this scenario, the parties work securely: all the data they need is accessible, while access to the company's internal network is prevented.
A remote-access VPN is also called a VPDN, or virtual private dial-up network.
Just as site-to-site access evolved from WAN technologies, remote access has evolved from dial-up technology. The differentiating factors between these two types of VPN are:
Remote-access VPN clients initiate the VPN on demand
The remote-access client requires the Cisco VPN client software to connect
Remote access uses a client-server mechanism in which the server performs authentication first
Implemented as a software solution on a remote user's PC, this is very flexible. The teleworker benefits from the same confidentiality, integrity, and authentication services as a site-to-site VPN.
It allows individual users to establish a secure connection with a remote computer network. They can access only the secured resources or data on that particular network, as if they were directly connected to it.
There are two components in a remote-access VPN:
Network access server (NAS): Also known as a media gateway or remote-access server. The NAS is a dedicated server running multiple applications. Users first connect to the NAS in order to join the VPN. The NAS also provides its own authentication services.
VPN client software: This lets users access their data via the VPN. The client software establishes and maintains the connection with the NAS. Modern operating systems come with built-in VPN clients; other users must install third-party software specific to their organization's VPN configuration. The NAS obtains its digital certificate from a third-party Certificate Authority (CA) and uses it to prove its identity to the client. Once successfully authenticated, the client software creates a tunnel connection to the NAS, identified by the user's IP address. The client software maintains the security level by using encryption standards, such as Secure Sockets Layer (SSL).
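The tunnel parameters described for the site-to-site case and the certificate-based NAS identity described here, as an added example that is not part of the original article: a strongSwan swanctl.conf (assumed IKEv2/IPsec implementation) for a head-office edge that serves both a branch tunnel and on-demand remote-access clients. All addresses, subnets, host names and file names are constructed placeholders.

```conf
# Added example, not from the article; addresses, subnets, names and files are placeholders.
connections {
    # Site-to-site: head-office edge to branch edge over IKEv2/IPsec,
    # both ends authenticated with certificates from a shared CA.
    hq-to-branch {
        local_addrs = 203.0.113.10
        remote_addrs = 198.51.100.20
        version = 2
        local {
            auth = pubkey
            certs = hq-edge.pem
            id = "CN=hq-edge.example.net"
        }
        remote {
            id = "CN=branch-edge.example.net"
        }
        # IKE SA security parameters: AEAD encryption, PRF/hash, DH group.
        proposals = aes256gcm16-prfsha384-ecp384
        children {
            lan-to-lan {
                # Head-office LAN to branch LAN, ESP with PFS, up at load.
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-ecp384
                start_action = start
            }
        }
    }
    # Remote access (NAS side): the server proves its identity with its
    # CA-issued certificate, then authenticates the user over EAP on demand.
    roadwarriors {
        local_addrs = 203.0.113.10
        version = 2
        local {
            auth = pubkey
            certs = hq-edge.pem
        }
        remote {
            auth = eap-mschapv2
        }
        proposals = aes256gcm16-prfsha384-ecp384
        children {
            rw {
                # Clients reach only the secured head-office subnet.
                local_ts = 10.1.0.0/16
                esp_proposals = aes256gcm16-ecp384
            }
        }
    }
}
```

The CA certificate, the private key for hq-edge.pem and the EAP user secrets are loaded from swanctl's certificate, key and secrets locations, and a virtual-IP pool for remote clients is omitted for brevity. Pinning the peer id on the site-to-site connection is what stops any other holder of a certificate from the same CA from impersonating the branch edge.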
Published on Wed 21 March 2012 by Daisy Batty in Networking with tag(s): vpn