February 18, 2002
A Virtual Private Network (VPN) is a networking arrangement that allows a private network to be reached over a shared or public network such as the Internet. Companies both large and small use it. A VPN carries its data packets through “tunnels” across the public network and, when those tunnels are encrypted and authenticated, keeps the traffic private from everyone else sharing that network. It can be implemented and maintained by the company that purchased it, or obtained through outsourcing, where another provider installs and monitors the network. A VPN is cost efficient and will usually pay for itself and then some.
According to the Microsoft Corp., “a virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet,” (1). This capability lets remote clients connect to their company’s private network through a public internetwork, most likely the Internet. Companies can also use a VPN to connect branch offices or other companies. The name comes from the user’s point of view: when users connect over the Internet, it appears to them that they are on a private network, when in reality their traffic is crossing the public Internet (1).
Before VPNs, many companies connected their mobile and remote users with a remote access server (RAS) that users dialed into over a long-distance or 800 number. Implementing and maintaining a RAS was expensive, and the long-distance phone charges were an even greater burden. Now, with a VPN, “remote users can establish dial-up connections to local ISPs and connect, via the Internet, to a VPN server at headquarters,” (ADTRAN 15). There are two ways to connect remote sites to headquarters over the Internet: dedicated lines or dial-up lines. With a dedicated line, both the remote site router and the corporate hub router use a local dedicated circuit and a local ISP to reach the Internet, and the VPN software uses those ISP connections to build a virtual private network between the two sites. With a dial-up line, the remote site dials its local ISP to reach the Internet, and the VPN software then builds a VPN between the remote site’s router and the corporate hub’s router (3).
The part of a virtual private network that makes it “virtually private” is the tunnel. A tunnel is the logical path that encapsulated packets travel through the internetwork. The data transferred through a network is known as the payload, and payloads are sent through the network in frames or packets. When a VPN sends data, the tunneling protocol encapsulates the packet in an additional header that provides the routing information needed to reach the far end of the tunnel. When the packet reaches that tunnel endpoint, it is decapsulated and forwarded to its final destination. The whole tunneling process consists of the encapsulation, transmission, and decapsulation of the packets (Microsoft 6). The word tunnel suggests a fixed path, but like other Internet traffic, the “VPN tunnel packets may take different paths between the two endpoints” (ADTRAN 4). Note that encapsulation by itself only changes how a packet is routed; the inner packet is still readable by anyone on the path. Only when the tunnel also encrypts its contents can just the recipient at the other endpoint read what was sent, and that is what gives the tunnel its private, “tunnel vision” character.
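The encapsulation, transmission and decapsulation steps described above can be seen in working code. The following is an added example written for this page, not code from ADTRAN or Microsoft: it builds an inner IPv4 packet for two private addresses, wraps it in an outer IPv4 header addressed to the two public tunnel endpoints (IP-in-IP, protocol number 4, as in RFC 2003), and then has the tunnel server strip the outer header again. All addresses and the payload text are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const ipProtoIPIP = 4 // RFC 2003: the outer header says "another IP packet follows"

// ipv4Checksum is the one's-complement checksum over an IPv4 header; a header
// whose checksum field is already correct sums to zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	if len(hdr)%2 == 1 {
		sum += uint32(hdr[len(hdr)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildIPv4 puts a minimal 20-byte IPv4 header (no options) in front of payload.
func buildIPv4(src, dst net.IP, proto byte, payload []byte) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, header length 5 words = 20 bytes
	binary.BigEndian.PutUint16(hdr[2:], uint16(20+len(payload)))
	hdr[8] = 64 // TTL
	hdr[9] = proto
	copy(hdr[12:16], src.To4())
	copy(hdr[16:20], dst.To4())
	binary.BigEndian.PutUint16(hdr[10:], ipv4Checksum(hdr))
	return append(hdr, payload...)
}

// parseIPv4 checks the header and returns source, destination, protocol and payload.
func parseIPv4(pkt []byte) (src, dst net.IP, proto byte, payload []byte, err error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, nil, 0, nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return nil, nil, 0, nil, errors.New("bad header length")
	}
	if ipv4Checksum(pkt[:ihl]) != 0 {
		return nil, nil, 0, nil, errors.New("bad header checksum")
	}
	total := int(binary.BigEndian.Uint16(pkt[2:]))
	if total < ihl || total > len(pkt) {
		return nil, nil, 0, nil, errors.New("bad total length")
	}
	return net.IP(pkt[12:16]), net.IP(pkt[16:20]), pkt[9], pkt[ihl:total], nil
}

// encapsulate is the tunnel client side: the complete inner packet becomes the
// payload of an outer packet addressed from one tunnel endpoint to the other.
func encapsulate(tunnelSrc, tunnelDst net.IP, inner []byte) []byte {
	return buildIPv4(tunnelSrc, tunnelDst, ipProtoIPIP, inner)
}

// decapsulate is the tunnel server side: strip the outer header, make sure what
// is left is itself a well-formed IP packet, and hand it back for normal routing.
func decapsulate(outer []byte) ([]byte, error) {
	_, _, proto, inner, err := parseIPv4(outer)
	if err != nil {
		return nil, err
	}
	if proto != ipProtoIPIP {
		return nil, fmt.Errorf("outer protocol %d is not IP-in-IP", proto)
	}
	if _, _, _, _, err := parseIPv4(inner); err != nil {
		return nil, fmt.Errorf("inner packet: %w", err)
	}
	return inner, nil
}

func main() {
	// Constructed sample: a private-network packet from 10.1.0.5 to 10.2.0.7 is
	// carried between the public tunnel endpoints 203.0.113.1 and 198.51.100.2.
	inner := buildIPv4(net.ParseIP("10.1.0.5"), net.ParseIP("10.2.0.7"), 17, []byte("hello branch office"))
	outer := encapsulate(net.ParseIP("203.0.113.1"), net.ParseIP("198.51.100.2"), inner)
	got, err := decapsulate(outer)
	fmt.Println(len(inner), len(outer), bytes.Equal(got, inner), err)
	// Tunnelling alone is not confidentiality: the payload is still readable in the outer packet.
	fmt.Println(bytes.Contains(outer, []byte("hello branch office")))
}
```

The last line of the example makes the caveat concrete: the outer packet carries the original bytes unchanged, so a tunnel of this kind hides nothing from anyone who can capture it on the Internet. That is why the VPN protocols in the rest of the paper add encryption and authentication on top of the encapsulation.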
For a tunnel to be established, the tunnel client and the tunnel server must use the same tunneling protocol. VPN tunneling technology is based on either a Layer 2 or a Layer 3 tunneling protocol. A Layer 2 protocol, such as the Point-to-Point Tunneling Protocol (PPTP) or the Layer Two Tunneling Protocol (L2TP), encapsulates the payload in a Point-to-Point Protocol (PPP) frame to be sent across the internetwork. A Layer 3 protocol, such as Internet Protocol Security (IPSec) in tunnel mode, encapsulates Internet Protocol (IP) packets in an extra IP header before sending them across the IP internetwork. With Layer 2 tunneling, the tunnel is similar to a session: both endpoints must agree to the tunnel and negotiate configuration variables such as address assignment, encryption, and compression parameters, and the tunnel then goes through three phases in which it is created, maintained, and terminated. Layer 3 tunneling assumes that all of these configuration matters have been settled in advance, so a maintenance phase may not be needed at all (Microsoft 7). The features of the Layer 2 protocols are based heavily on the Point-to-Point Protocol (PPP).
The Point-to-Point Protocol, according to Microsoft, “was designed to send data across dial-up or dedicated point-to-point connections,” (9). Before a PPP connection is ready to carry user data, four phases must complete successfully. Phase 1 is link establishment, where the Link Control Protocol (LCP) selects the basic communication options; during this phase the endpoints also negotiate whether compression and/or encryption will be used, although the actual protocols are not chosen until phase 4. In phase 2, the client user is authenticated (9): the network access server (NAS) validates the user’s credentials against its own database. Phase 3 is an optional callback phase in Microsoft’s implementation, which uses the Callback Control Protocol (CBCP) to add a further level of security: if configured, the remote client and the NAS disconnect after authentication, and the NAS calls the remote client back at a predetermined phone number. The fourth and final phase invokes the network control protocols (NCPs), which configure what was negotiated in phase 1, for example the data encryption and compression protocols. After these four phases complete, PPP begins to forward data between the two endpoints (11).
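The authentication in phase 2 is worth seeing in code, because it shows what the NAS actually needs in its database. The example below is added for this page, not taken from Microsoft’s or ADTRAN’s material, and it uses CHAP (RFC 1994), a standard PPP authentication protocol that the paper itself does not name: the NAS sends a fresh random challenge, the client answers with MD5 over the challenge identifier, its secret and the challenge, and the NAS recomputes the same value from the secret it holds. The user name and secret are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse is the RFC 1994 CHAP computation MD5(identifier || secret || challenge).
// The secret itself never crosses the link; only this hash does.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

type chapChallenge struct {
	ID        byte   // ties a response to one specific challenge
	Challenge []byte // fresh random value for every authentication attempt
}

// nas plays the network access server; its database maps user names to secrets.
// CHAP needs the secret in recoverable form on the server, which is a real
// deployment cost of this protocol.
type nas struct {
	secrets map[string][]byte
	nextID  byte
}

func (n *nas) newChallenge() (chapChallenge, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return chapChallenge{}, err
	}
	n.nextID++
	return chapChallenge{ID: n.nextID, Challenge: c}, nil
}

// verify recomputes the expected response from the stored secret and compares
// it to the client's answer in constant time.
func (n *nas) verify(ch chapChallenge, user string, response []byte) bool {
	secret, ok := n.secrets[user]
	if !ok {
		return false
	}
	want := chapResponse(ch.ID, secret, ch.Challenge)
	return subtle.ConstantTimeCompare(response, want) == 1
}

// authenticate runs one PPP authentication-phase exchange end to end: the NAS
// challenges, the client answers with its own copy of the secret, the NAS checks.
func authenticate(n *nas, user string, clientSecret []byte) (bool, error) {
	ch, err := n.newChallenge()
	if err != nil {
		return false, err
	}
	resp := chapResponse(ch.ID, clientSecret, ch.Challenge) // computed on the client
	return n.verify(ch, user, resp), nil
}

// replayCaptured shows why the challenge must be fresh every time: a response
// sniffed from an earlier exchange is useless against a new challenge.
func replayCaptured(n *nas, user string, capturedResp []byte) (bool, error) {
	fresh, err := n.newChallenge()
	if err != nil {
		return false, err
	}
	return n.verify(fresh, user, capturedResp), nil
}

func main() {
	// Constructed user database; a real NAS would consult a local account store or RADIUS.
	n := &nas{secrets: map[string][]byte{"alice": []byte("correct horse")}}
	ok, err := authenticate(n, "alice", []byte("correct horse"))
	fmt.Println(ok, err) // true <nil>
	ok, _ = authenticate(n, "alice", []byte("wrong password"))
	fmt.Println(ok) // false
}
```

Two things the code makes visible: the password is never transmitted, only a hash of it bound to a one-time challenge, and a captured response cannot be replayed because the next challenge is different. The cost is that the NAS must store the secret itself rather than a one-way hash of it, so the NAS database becomes a high-value target.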
One Layer 2 tunneling protocol is the Point-to-Point Tunneling Protocol (PPTP). PPTP “encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet,” (Microsoft 12). A TCP connection is used for tunnel maintenance, and a modified version of Generic Routing Encapsulation (GRE) encapsulates the PPP frames that carry the payload. These payloads can then be encrypted and/or compressed (12). The encryption is Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 stream cipher (designed by Ron Rivest of RSA Security; RC4 is not the RSA public-key algorithm) with 40-, 56-, or 128-bit keys (13). A 40- or 56-bit key is small enough to be searched exhaustively, so only the 128-bit setting should be relied on. PPTP can be used on computers running Windows XP, Windows 2000, Windows NT version 4.0, Windows Millennium Edition (ME), Windows 98, and Windows 95 with Dial-Up Networking (14).
The second Layer 2 tunneling protocol is, as its name says, the Layer Two Tunneling Protocol (L2TP). It combines the best features of PPTP and of Layer 2 Forwarding (L2F), which was developed by Cisco Systems, Inc. L2TP can be used over the Internet when IP is configured as its datagram transport, and it will “encapsulate PPP frames to be sent over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM) networks,” (Microsoft 12). Over IP internetworks it uses the User Datagram Protocol (UDP): a series of L2TP messages over UDP maintains the tunnel, and a UDP header is attached to each encapsulated payload. These payloads can also be encrypted and/or compressed for transmission (12). L2TP itself does not encrypt; on Windows it is paired with IPSec (L2TP/IPSec), which uses the Data Encryption Standard (DES) with one 56-bit key or 3-DES with three 56-bit keys. “L2TP connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol,” (14). Of the Windows versions listed above, only the Windows XP and Windows 2000 VPN clients support L2TP (14).
Internet Protocol Security (IPSec) tunnel mode “is a Layer 3 protocol standard that supports the secured transfer of information across an IP internetwork,” (Microsoft 14). As the Internet standard, IPSec provides the basic security services of access control, connectionless integrity, data origin authentication, replay protection (rejecting captured packets that an attacker resends), confidentiality through encryption, and limited traffic flow confidentiality. It has two modes of operation, transport mode and tunnel mode. Transport mode protects the contents of the packet after the IP header but not the header itself. Tunnel mode protects the whole original packet, IP header included, and therefore needs a new outer IP header, which ADTRAN calls a pseudo IP header (ADTRAN 10). Tunnel mode uses the negotiated security method to encapsulate and encrypt the entire IP packet (Microsoft 14). The encrypted payload is then encapsulated again with a plain-text outer IP header before being sent onto the internetwork toward the tunnel server. The tunnel server receives the packet, discards the plain-text outer header, and decrypts the payload to recover the original IP packet, which is then routed normally to its destination on the private network (15). As with L2TP, among the Windows versions discussed only the Windows XP and Windows 2000 VPN clients support IPSec (14).
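Of the services listed above, replay protection is the one whose mechanism is least obvious, so here is an added example of it (written for this page, not code from Microsoft or ADTRAN). It implements the sliding-window check that RFC 2401 describes for ESP: each packet on a security association carries an increasing sequence number, the receiver remembers the highest number accepted and a 64-bit map of which earlier ones it has seen, and a packet is rejected if it is a duplicate or has fallen behind the window. The receiver does the cheap window lookup first, then the integrity check, and updates the window only for packets that pass both, so a forged packet cannot advance the window. The integrity algorithm (HMAC-SHA256 truncated to 128 bits), the SPI and the key are this example’s assumptions; the page names none of them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// replayWindow is the sliding window of RFC 2401 Appendix C: the highest sequence
// number accepted so far plus a bitmap of which earlier ones have been seen.
type replayWindow struct {
	size   uint32 // window width in packets, at most 64 for a uint64 bitmap
	last   uint32 // highest sequence number accepted (0 = none yet)
	bitmap uint64 // bit i set means sequence number last-i was accepted
}

// isNew is the cheap preliminary check run before the integrity check; it
// decides whether seq could be accepted without changing any state.
func (w *replayWindow) isNew(seq uint32) bool {
	switch {
	case seq == 0:
		return false // ESP sequence numbers start at 1
	case seq > w.last:
		return true // right of the window: always new
	case w.last-seq >= w.size:
		return false // left of the window: too old
	}
	return w.bitmap&(1<<(w.last-seq)) == 0 // inside: new unless already seen
}

// mark records seq as accepted; call it only after the ICV verified, so forged
// packets cannot advance the window.
func (w *replayWindow) mark(seq uint32) {
	if seq <= w.last {
		w.bitmap |= 1 << (w.last - seq)
		return
	}
	if shift := seq - w.last; shift >= w.size {
		w.bitmap = 0 // everything seen before is now outside the window
	} else {
		w.bitmap <<= shift
	}
	w.last, w.bitmap = seq, w.bitmap|1
}

// espPacket is a simplified ESP datagram: SPI, sequence number, payload and an
// integrity check value (ICV) over all three.
type espPacket struct {
	SPI, Seq uint32
	Payload  []byte
	ICV      []byte
}

// icv is HMAC-SHA256 over SPI || Seq || Payload, truncated to 128 bits (an
// assumption of this example).
func icv(key []byte, spi, seq uint32, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	mac.Write(hdr[:])
	mac.Write(payload)
	return mac.Sum(nil)[:16]
}

// seal is the sending side. The sender numbers packets 1, 2, 3, ...; a 32-bit
// counter must never wrap, so a real SA is rekeyed well before 2^32 packets.
func seal(key []byte, spi, seq uint32, payload []byte) espPacket {
	return espPacket{SPI: spi, Seq: seq, Payload: payload, ICV: icv(key, spi, seq, payload)}
}

// sa is the receiving side's security association: its key and anti-replay window.
type sa struct {
	key []byte
	win replayWindow
}

var errReplay = errors.New("replayed or too-old sequence number")
var errIntegrity = errors.New("integrity check failed")

// accept follows the order RFC 2401 prescribes: preliminary replay check, then
// ICV, and the window is updated only for a packet that passed both.
func (r *sa) accept(p espPacket) error {
	if !r.win.isNew(p.Seq) {
		return errReplay
	}
	if !hmac.Equal(p.ICV, icv(r.key, p.SPI, p.Seq, p.Payload)) {
		return errIntegrity
	}
	r.win.mark(p.Seq)
	return nil
}

func main() {
	key := []byte("constructed demo key, not for real use")
	r := &sa{key: key, win: replayWindow{size: 64}}
	p := seal(key, 0x1001, 1, []byte("first packet"))
	fmt.Println(r.accept(p), r.accept(p)) // <nil> then the replay error
}
```

Packets that arrive out of order but within the window are still accepted, which matters because, as noted above, tunnel packets may take different paths across the Internet; only genuine duplicates and packets older than the window are dropped.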
When a virtual private network is established, security is an extremely important issue. Since a VPN runs across an internetwork such as the Internet, a firewall should be in place. “A firewall prevents unauthorized users and/or data from getting in or out of your network, using rules to specify acceptable communications from locations, individuals, or in certain protocols,” (ADTRAN 4). Encryption is the other key technique for protecting data and users. Encryption is the scrambling of data before it is sent and the unscrambling of it on arrival; scrambled data is called cipher-text and unscrambled data clear-text. When encryption is enabled on a VPN, the sending location encrypts the information, sends it through the tunnel, and the destination decrypts it back into clear-text. The Data Encryption Standard (DES) is a well-known encryption algorithm that uses 56-bit symmetric keys. A 56-bit key is no longer adequate: a DES key was recovered by a public brute-force search in 1998. Triple DES (3-DES) runs the algorithm three times, encrypting with the first key, decrypting with the second, and encrypting with the third (EDE), which raises the key length to 168 bits (5); because of the meet-in-the-middle attack its effective strength is about 112 bits, still far beyond exhaustive search.
Keys are another important factor in securing users and data within a VPN. “A key is the secret code that the encryption algorithm uses to create a unique version of cipher-text,” (ADTRAN 6). The strength of a key depends on its length. An 8-bit key has 256 possible values, a 16-bit key 65,536, and a 56-bit key 2^56, or 72,057,594,037,927,936. Since a computer can try every 16-bit key instantly, and 56-bit DES keys have been found by exhaustive search, many VPN products today use 168-bit keys, which have 2^168 (about 3.7 × 10^50) possible values. It is also good practice to establish a policy of changing keys periodically, so that a key that is eventually recovered protects only a limited amount of traffic (6). Two kinds of keys are in use: symmetric and asymmetric. A symmetric key, sometimes called a secret or private key, is shared by both ends of the tunnel and used both to encrypt and to decrypt the information (7). Asymmetric encryption uses a pair of keys, a public key and a private key. The public key can be given to anyone and is used to encrypt data for the key’s owner, or to verify the owner’s digital signature; only the matching private key, which the owner keeps secret, can decrypt that data or produce that signature. To bind a public key to its owner’s identity, public keys are often published in a certificate. “A certificate...is a data structure that is digitally signed by a certification authority (CA) – an authority that users of the certificate can trust,” (Microsoft 17). Public key certificates therefore let the receiver confirm the identity of the sender (18). To create, distribute, and track digital certificates on a per-user basis, larger companies should consider a Public Key Infrastructure (PKI), which is especially useful when they need to extend secure, limited network access to external users (ADTRAN 8).
When a company decides to implement a VPN, it typically has two choices: doing it itself, or buying VPN services from an outside provider (outsourcing). “When implementing your own VPN, there are four basic areas to consider: the Internet service itself, a security policy server, a PKI system, and a VPN gateway solution,” (ADTRAN 17). Products that may be needed include encryption support added to an existing router (which keeps VPN upgrade costs low), a firewall, Internet security appliances that bundle a firewall with other network services, and the VPN software itself. The hardware alone can cost a company anywhere from $2,000 to $39,000, and the VPN software from $21 per seat up to $2,500 per server. Outsourced VPN is a relatively new option in which ISPs and VPN providers set up and maintain the VPN service; prices vary dramatically from provider to provider depending on the services needed. Implementing a VPN may sound like a big investment, but the savings from long-distance charges alone will pay for the setup costs within a few months, and the savings continue long after (15).
In conclusion, virtual private networking is a networking solution that lets companies connect with their remote users and with other companies. It is used primarily over the Internet and secures the traffic by sending it through encrypted, authenticated “tunnels”. A VPN can be implemented and maintained by the company that purchased it, or obtained through outsourcing. The cost of implementing such a system may seem high, especially for a small company, but its benefits greatly surpass the cost, and it provides a convenient solution for remote users and companies alike.
ADTRAN, Inc. “Understanding Virtual Private Networking”. 2001. Internet. Accessed: 4 Feb 2002. Available: http://www.adtran.com/all/Public/Lookup/Document?id=en286a
Microsoft Corporation. “Virtual Private Networking in Windows 2000: An Overview”. 1999. Internet. Accessed: 7 Feb 2002. Available: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp