What Is A Virtual Private Network


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

VPNs are a very common and useful way to keep a high level of communication cohesion within a company, even when its sites are far apart. A VPN allows any user to access the company’s intranet or any site connected to the VPN, with great efficiency and security.

Virtual Private Networks are also very useful for private users who wish to improve the security of their activity and to stay anonymous while they browse the Internet.

Using technical solutions such as tunneling protocols, encapsulation and encryption, such networks provide an excellent solution for a large number of users who wish to keep their information within a certain range.

Keywords: VPN, Privacy, Internet, Security

Introduction

In a world where globalization is part of everything, the impact of communication cannot be underestimated. Companies have of course taken that into account, but managing the flow of information within them can sometimes be challenging.

For instance, the "distance" factor is a direct consequence of globalization and of the extension of an enterprise across several separate sites. It can be complicated to keep a secure, reliable and extendable way to communicate between the different structures of the company.

While many technologies such as the leased line were developed to achieve these goals, one stands out from the others: the Virtual Private Network.

VPNs are currently the best method to exchange data: their efficiency is equivalent to that of any other solution, but the cost of setting them up is very low.

So, given the relative ease of creating a secure network, the need for one, and its great accessibility, we can wonder how secure VPNs are, and in which ways they can ensure the privacy of the flow of information between two locations.

1 - What is a Virtual Private Network?

1.1 - Presentation

A VPN can be defined as a private network that uses a public network to connect remote users or sites together. The connections linking two points of this network are routed through the Internet. These connections are often encrypted through different methods, providing a secure bridge between the different users. Overall, it offers the same advantages as a private network in terms of security and management.

Basically, a VPN appears to users as a private network, but technically it is nothing more than a Wide Area Network (WAN).

Figure 1 – VPN Connectivity overview

This is why it is called "Virtual".

1.2 - In which context is a VPN needed?

At this point it seems important to make a distinction between professional and private use of a VPN.

Professional: a growing business may have to expand to different locations that can often be very distant from each other. The need for communication between the people working in these different places is even greater, and in order to keep business running, employees need a solution like a VPN. As a matter of fact, a VPN will allow employees to maintain the same level of communication and information in terms of computer services.

Thus, anyone from any branch will be able to access the same data in the same intranet as if they were physically in the main office. By building a VPN, a business can extend all its intranet's resources to employees working from remote offices or their homes.

Private: a private user will turn to a VPN to gain privacy. Indeed, the security technologies working behind a Virtual Private Network can allow anyone to work anonymously over the Internet. Moreover, the low cost and the high accessibility of such a solution provide a very adequate and modern answer to the current issue of government and Internet Service Provider (ISP) spying. Additionally, in some countries where the Internet is extremely restricted, a VPN can make it possible to bypass most firewalls and protections, giving access to all the content and functionality of the Internet.

1.3 - What makes a good VPN?

The quality of a VPN can mostly be described by three main factors:

Secure: The system must be able to protect the data that is exchanged, as it travels through a public network. The best way to ensure this is to encrypt the information, so that if intruders manage to collect the data, they will not be able to read it, or even to use it.

Reliable: Maybe the most important quality for a majority of companies that require the use of the services provided by a VPN. The transfer of information should be trustworthy at any time, and under any condition, even in the case of handling the maximum number of simultaneous connections.

Scalable: Most businesses aim at enlarging their structures. The VPN provided to such a company should be able to handle the growth without major modifications to its structure, which could incur fairly high costs.

2 - What are the technologies behind a VPN?

2.1 - Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers.

In the setup of a remote-access VPN, two major components are required:

Network Access Server (NAS): also called a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.

Client software: employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure.


Figure 2 – Remote-access VPN principle

2.2 - Site-to-site VPN

A site-to-site VPN is based on the same principle, but allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. The connection is established between 2 VPN gateways that reside in 2 different networks over the Internet, so that both networks’ computers can exchange the resources.

There are two types of site-to-site VPNs:

Intranet-based: If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

Extranet-based: When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment.


Figure 3 – Site-to-site VPN principle

2.3 - Tunneling protocols

Tunneling provides the basic underlying structure for setting up a VPN. It involves the use of various encapsulation technologies and transmission protocols to create secure virtual tunnels over the transit internetwork. Data is transmitted in the form of packets over the Internet. The information contained in a data packet is called the payload. In addition, a data packet contains the routing information required to transmit the packet to a remote destination.

Tunneling involves the use of tunneling protocols to encapsulate the payload of a packet within another header. This header contains routing information that is used to transmit the data packet through a tunnel. The advantage of using tunneling protocols is that data packets of different protocols can be transmitted over the Internet. For example, you cannot transmit Internetwork Packet Exchange (IPX) or a NetBEUI data packet over the Internet. You can use a tunneling protocol to encapsulate these data packets inside the network protocol supported by the transit internetwork. A NetBEUI packet encapsulated within an IP header can be sent through a tunnel created across the Internet.

In a VPN connection, a tunnel provides a secure medium for data exchanged between the corporate intranet, remote users, and networks of branch offices, suppliers, and business partners. The creation of a tunnel requires the following:

Carrier protocol: refers to the network transport protocol supported by the transit internetwork. For example, PPP is used as the carrier protocol in IP-based transit networks.

Encapsulation protocol: refers to the protocol used to encapsulate the payload of a data packet. Generic Routing Encapsulation (GRE), PPTP, L2F, and L2TP are examples of encapsulation protocols.

Passenger protocol: refers to the protocol used by the networks that are connected by the tunnel. It is used by the data packet, which is encapsulated using an encapsulation protocol. IP, IPX, and NetBEUI are examples of passenger protocols.
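The three roles above can be seen in a packet built by hand. The following is an added example, not code from the original essay: it assumes IPv4 as both the passenger and the transit protocol and a basic GRE header with no optional fields, and all addresses and the payload are constructed sample values.

```python
import socket
import struct

GRE_PROTO_IPV4 = 0x0800  # GRE "protocol type": the passenger is IPv4
IPPROTO_GRE = 47         # IP protocol number assigned to GRE
HDR = "!BBHHHBBH4s4s"    # layout of a 20-byte IPv4 header without options


def checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (routing information) plus payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields) + payload


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a passenger packet in a basic GRE header and an outer IP header."""
    gre_header = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no flags, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_header + passenger)


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the outer IP and GRE headers, as the far tunnel endpoint does."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0:
        raise ValueError("optional GRE fields are not handled in this example")
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "passenger_proto": proto,
        "passenger": packet[ihl + 4:],
    }


# Constructed sample: a packet between two private office LANs (protocol 253 is
# reserved for experimentation), tunnelled between two gateways that use
# documentation addresses.
INNER = ipv4_packet("10.1.0.5", "10.2.0.9", 253, b"payroll-report")
TUNNELLED = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")
```

The inner private addresses travel as opaque payload behind the outer header, but the bytes `payroll-report` are still readable in `TUNNELLED`: encapsulation by itself provides routing across the transit network, not confidentiality.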

3 - What defines your privacy in a VPN?

3.1 - Encryption and Security

Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. You could use encryption to protect files on your computer or e-mails you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it. The most common forms of encryption are symmetric-key encryption or public-key encryption:

In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.

In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.

In a VPN, the computers at each end of the tunnel encrypt the data entering the tunnel and decrypt it at the other end. However, a VPN needs more than just a pair of keys to apply encryption. That's where protocols come in. A site-to-site VPN could use either Internet Protocol Security (IPSec) or generic routing encapsulation (GRE). GRE provides the framework for how to package the passenger protocol for transport over the Internet protocol (IP). This framework includes information on what type of packet you're encapsulating and the connection between sender and receiver.

IPSec is a widely used protocol for securing traffic on IP networks, including the Internet. IPSec can encrypt data between various devices, including router to router, firewall to router, desktop to router, and desktop to server. IPSec consists of two sub-protocols which provide the instructions a VPN needs to secure its packets:

Encapsulated Security Payload (ESP) encrypts the packet's payload (the data it's transporting) with a symmetric key.

Authentication Header (AH) uses a hashing operation on the packet header to help hide certain packet information (like the sender's identity) until it gets to its destination.

Networked devices can use IPSec in one of two encryption modes. In transport mode, devices encrypt the data traveling between them. In tunnel mode, the devices build a virtual tunnel between two networks. As you might guess, VPNs use IPSec in tunnel mode with IPSec ESP and IPSec AH working together [source: Friedl].

In a remote-access VPN, tunneling typically relies on Point-to-point Protocol (PPP), which is part of the native protocols used by the Internet. More accurately, though, remote-access VPNs use one of three protocols based on PPP:

L2F (Layer 2 Forwarding) -- Developed by Cisco; uses any authentication scheme supported by PPP

PPTP (Point-to-point Tunneling Protocol) -- Supports 40-bit and 128-bit encryption and any authentication scheme supported by PPP

L2TP (Layer 2 Tunneling Protocol) -- Combines features of PPTP and L2F and fully supports IPSec; also applicable in site-to-site VPNs

3.2 - Trusted delivery networks

There is another way to ensure the services provided by a VPN: a trusted delivery network. In this case, the users choose to rely on the security of a single network provider. As a matter of fact, the VPN is built on an underlying network, which the users choose to trust. The consequence is that the security of such a system is handled by the network provider only, without the use of encryption techniques.

From the security standpoint, VPNs can also provide a certain level of data privacy by using mechanisms in the VPN itself

3.3 - Practical approach

We have seen here the different technologies that can be used to provide a certain kind of privacy to the data being exchanged through the VPN. However, it would be a mistake to concentrate only on purely technical solutions. Indeed, if we lose focus on the primary goal, we might never reach it. The need for security comes from the need to transfer information safely over a public network. When a VPN is used for private purposes, a user will employ it as a proxy to hide the data exchanged or bypass protections.

Nevertheless, a properly configured VPN is secure only between the user and the VPN's head end. It's not secure between the head end and the final destination of the traffic. So it is up to the user to trust the VPN service not to, for example, log his traffic.

Moreover, when subscribing to a VPN service, there is a big distinction between "privacy by policy" and "privacy by design". VPN providers possibly keeping logs is an example of privacy by policy. They probably aren't keeping logs, but the users have to trust them about that. Privacy by design means using a method that encrypts data in such a way that VPN providers cannot even access the information. For instance, by using .onion sites on Tor, the only information that can be gathered is the website visited, and for how long.

Additionally, there are two types of VPNs to consider: ones with split tunneling, and ones without. Split tunneling means that not all traffic goes through the VPN, only traffic destined for certain domains. There are major security risks to that, so a service that doesn't do split tunneling is considered more secure.

And finally, the DNS server used can also represent a privacy threat. If a user keeps using the same DNS server (his ISP's, for instance), then the traffic, even though it's going through the VPN, will return to this ISP to get DNS information. If someone is trying to avoid his ISP having information on him, then using its DNS server can compromise that.
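Both the split-tunneling and the DNS concerns can be checked from a client's routing table. The following is an added example, not part of the original essay: it models split tunneling at the routing level with longest-prefix matching, and the interface names, route tables and addresses are all constructed, hypothetical values.

```python
import ipaddress


def egress_interface(routes, destination):
    """Longest-prefix match: the interface a destination leaves through."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_vpn_routing(routes, tunnel_iface, dns_servers, probes, allowed_bypass=()):
    """List DNS resolvers and probe destinations that bypass the tunnel."""
    findings = []
    for kind, targets in (("dns-leak", dns_servers), ("split-tunnel", probes)):
        for target in targets:
            iface = egress_interface(routes, target)
            if iface != tunnel_iface and target not in allowed_bypass:
                findings.append((kind, target, iface))
    return findings


# Constructed route tables; all names and addresses are hypothetical.
VPN_GATEWAY = "192.0.2.1"        # must stay reachable outside the tunnel
PROBES = ["10.2.0.9", "198.51.100.20", VPN_GATEWAY]

SPLIT_ROUTES = [                 # only the corporate range uses the tunnel
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "tun0"),
]
FULL_ROUTES = [                  # two /1 routes override the default route
    ("0.0.0.0/0", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("192.0.2.1/32", "eth0"),    # host route to the VPN gateway
    ("192.168.1.0/24", "eth0"),  # directly connected home LAN
]


def run_cases():
    """Audit three constructed client configurations."""
    return {
        "split, ISP resolver": audit_vpn_routing(
            SPLIT_ROUTES, "tun0", ["203.0.113.53"], PROBES, [VPN_GATEWAY]),
        "full, resolver in tunnel": audit_vpn_routing(
            FULL_ROUTES, "tun0", ["10.8.0.1"], PROBES, [VPN_GATEWAY]),
        "full, home-router resolver": audit_vpn_routing(
            FULL_ROUTES, "tun0", ["192.168.1.1"], PROBES, [VPN_GATEWAY]),
    }


if __name__ == "__main__":
    for name, findings in run_cases().items():
        print(name, findings)
```

The third case is the one that is easy to miss: even with a full tunnel, a resolver on the directly connected LAN is reached through the more specific local route, so DNS queries still leave outside the VPN.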

Conclusion

With the growing strength of the Internet, privacy in the process of data transfer can be a very challenging issue. However, it appears that Virtual Private Networks can satisfy the needs in terms of security while providing very high reliability at a fairly accessible cost.

VPNs allow people working in the same company to still have access to its intranet from any part of the world. They are also very useful for private users who wish to keep their activity anonymous.

Through the security, the reliability and the accessibility they provide, VPNs have become an extremely efficient tool that can suit the majority of needs for remote communication, professional or not.

The different technologies make it possible to adapt a VPN to the needs at hand. Remote-access and site-to-site VPNs serve different purposes and widen even further the flexibility of this networking solution.

Several methods of encryption ensure the safety of data while it is traveling through the public network.

However, a VPN in itself doesn't grant a user any greater privacy with regard to his activities on an untrusted Internet; it only moves the trust chain out one node.

To conclude this report, it can be said that VPNs are one of the most powerful tools in terms of reliability and privacy, but a VPN is only one link of the chain. Security cannot be taken for granted as long as the previous and next links are not trustworthy.
