Virtual Private Network
The networking buzz-phrase VPN (virtual private network) means different things across the board and often refers to a set of different technologies depending on who you ask or what you read. In an effort to better define what a VPN actually is, I want to give a general overview of what the term means. Essentially, a VPN is a private network carried over a public network: users connect, send and receive data over a secure channel while traversing the public network, as if they were directly connected to the private network.
Perhaps an easier way is to look at each word in the acronym (VPN) individually. Let's start by examining what a network is. Keeping things simple, a network is a collection of devices that are capable of communicating with each other and successfully transmitting and receiving data. The word private is closely linked to the concept of virtualization, but first let's summarize what private means in a VPN. Private refers to communications kept secret between two or more devices: those outside the communication are not privy to its content, and ideally are unaware that it is taking place at all. Virtual is a bit harder to nail down, but it can be thought of as something that is simulated, performing the functions of something that isn't really there. To expand a bit: when private communications are sent across a shared network, a virtual network is constructed on top of the common foundation rather than on dedicated physical circuits, i.e. “the virtual private network has no corresponding physical communications system – instead, the private network is a virtual creation” (3).
Leading up to VPNs
Over the past couple of decades companies have spread their facilities across the country and across continents. Regardless of a company's physical location, one thing they all required was a secure and reliable way for those facilities to communicate with one another. To do so, many companies used leased lines to maintain a wide area network (WAN). “Leased lines such as ISDN (integrated services digital network, 128 Kbps) and OC3 (Optical Carrier-3, 155 Mbps) fiber are private network connections that a telecommunications company could lease to its customers” (2). Leased lines gave a company a way to expand its private network beyond its immediate geographic area (6). The biggest advantages came down to reliability, performance, and security. The downside was cost, which rose as the distance between offices increased.
As ISPs (internet service providers) continued to develop faster, more reliable services at lower cost than leased lines, many big businesses turned to the internet as a means of extending their own networks (2). “First came intranets, a private internal network designed for use only by company employees, while distant colleagues could work together through technologies such as desktop sharing” (2). As more and more companies connected across the internet, the demand for a more sophisticated security system arose. “Anti-virus and related software were effective for the end-user level, but what was really needed was to improve the security of the connection itself” (8). That's where VPNs came in. In 1996 Gurdeep Singh-Pall of Microsoft developed PPTP (Point-to-Point Tunneling Protocol), an early method for implementing virtual private networks. With a VPN, a business could securely extend its intranet resources to employees working from remote offices all over the world, or from the comfort of their own homes. PPTP itself is now considered obsolete: its MS-CHAP authentication and MPPE encryption have well-known weaknesses, and modern deployments use IPsec or newer protocols instead.
Virtual Private Network
Rather than using a leased line, a VPN uses a virtual connection routed through the internet, while “the discrete nature of VPNs allows privacy and virtualization.” VPNs are not separate from the shared network; “the distinction is that they operate in a discrete fashion across a shared infrastructure, providing exclusive communications environments that do not share any points of interconnection” (3). VPNs can be built in a multitude of combinations: remote-access, between two organizations, between several end systems within a single organization, or between multiple organizations across the global internet. One of the biggest motivations for deploying a VPN is the common requirement to virtualize some portion of an organization's communications onto a common infrastructure while keeping them invisible to external viewers. Pooling communications over virtual networks on a single shared system is far more economical than building the equivalent on many separate physical infrastructures. We'll talk more about privacy and security later on in this paper.
VPN Types
VPNs can be classified into two common types, remote-access and site-to-site. With a remote-access VPN, an employee can access the company's intranet from home, or while traveling outside the office; remote-access VPNs permit secure, encrypted connections from a remote location to the company's private network. Large-scale remote-access services may be set up by an ESP (enterprise service provider) that operates a NAS (network access server) and provides the client software. A site-to-site VPN instead connects whole networks: with dedicated gateway equipment and large-scale encryption, a company can connect multiple sites over a public network into one cohesive virtual network, with no VPN software on the individual hosts. Site-to-site VPNs can be broken into two categories, intranet-based and extranet-based. In an intranet-based VPN a company connects one or more remote locations into a single private network, i.e. separate LANs (local area networks) into a single WAN (wide area network). In an extranet-based VPN a company works in a shared environment with separate companies, such as suppliers, manufacturers and shippers, connecting those companies' LANs while preventing access to each company's internal intranet.
Extended History
Before VPNs, security concerns and anti-virus software, there first had to be the internet. While there were computers and computer networks before the internet, it was work funded by the DOD (Department of Defense) that led to the internet we know today. “Research on an electronic method of communicating with remote locations began in the 1960's by US military intelligence” (8). “They created a packet switching network called ARPANET (Advanced Research Projects Agency Network) and the first use of TCP/IP” (Transmission Control Protocol/Internet Protocol), which set the standard for computer networking as we know it today (8). This research eventually led to the adoption of the Internet Protocol Suite as a standard for military communication and later by the computer industry (8). “Corporations such as IBM and AT&T adopted the new technology quickly even though their own internal networks were different because it made interconnectivity of disparate networks a reality, and easy” (8).
The TCP/IP suite details how all information is packetized, addressed, transmitted and received across the Internet. It operates in four layers: link, internet, transport and application. The link layer is where devices on a single local network talk to each other, and where traffic is least exposed. The internet layer is where local networks and devices are routed to other networks and the Internet at large, and where traffic is at the most risk. When a packet is sent from a local network to a destination network it carries the source and destination IP addresses in its header. The system works well, but IP itself offers no confidentiality or integrity: anyone on the path can read the headers and payload, alter or intercept packets, and follow the flow of data back to its source address.
Work on securing IP itself began in 1993 with John Ioannidis, whose research led to swIPe (Software IP Encryption protocol), the earliest form of a VPN. Shortly after, in 1994, Wei Xu started research focusing on IP security and enhanced protocols that eventually led to the IPsec system. IPsec is a security protocol suite that authenticates and encrypts each IP packet as it crosses the internet. In 1995 the IPsec working group was created within the IETF (Internet Engineering Task Force), a global community of Internet engineers, developers and programmers concerned with the evolution of the Internet. This working group produced a standardized set of freely available RFCs specifying the components, extensions and implementation of IPsec.
IPsec is built from three components: the Authentication Header (AH), the Encapsulating Security Payload (ESP), and the Security Association (SA) that ties keys and algorithms to a flow of packets.
The Authentication Header provides connectionless data integrity and data-origin authentication for IP packets, plus optional protection against replay attacks. Authentication matters because it ensures that a packet you receive really came from the claimed peer and was not altered in transit; without it, an attacker on the path could inject or modify packets at will. AH covers the payload and the fields of the IP header that do not change in transit, but it provides no confidentiality.
The Encapsulating Security Payload provides confidentiality for the packet payload as well as data-origin authentication, integrity, anti-replay protection and limited traffic-flow confidentiality. When used in tunnel mode, ESP protects the entire original IP packet, addresses included.
Security Associations are the shared state, i.e. the algorithms, keys and sequence counters, that let AH and ESP function. Data is encrypted at the source, carried across the Internet where intermediate nodes can forward but not read it, and then authenticated and decrypted at the destination. SAs are negotiated with the Internet Key Exchange (IKE), which is built on the Internet Security Association and Key Management Protocol (ISAKMP), and each SA is identified by a 32-bit Security Parameter Index (SPI) carried in every AH or ESP header. An SA is one-directional, so a two-way connection needs a pair of them.
Two modes of operation are available: transport mode and tunnel mode. In transport mode only the IP payload is encrypted, securing the data but leaving the original IP header, and therefore the communicating endpoints, visible. In tunnel mode the entire original IP packet is encrypted and encapsulated as the payload of a new IP packet with a new outer header, and then sent on. Tunnel mode is the technology that drives today's IPsec VPNs.
Tunneling, i.e. tunnel mode, is what lets a VPN behave the way it does. Among other things, it allows a remote user to join a network with an address that belongs to that network even though the user is physically elsewhere: the client is assigned an address from the private network, and its packets travel inside the tunnel. Tunneling works by changing the form of the data, encrypting the original packet and encapsulating it inside a new one, which brings a further and much sought-after benefit: privacy. The original packet, its own IP header and addresses included, becomes the encrypted payload of a new packet that is addressed only between the two tunnel endpoints. An observer on the public network sees the outer addresses, the fact that ESP is in use, and packet timing and sizes, but learns nothing about the inner source, destination or content. That is privacy rather than full anonymity: the tunnel endpoints themselves remain identifiable, a caveat worth keeping in mind whenever a VPN is sold as an anonymity tool.
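The two modes described above, worked through as an added example that is not part of the original paper and is not the code of any IPsec implementation. It builds one IPv4/UDP datagram, protects it with ESP in transport mode and in tunnel mode, and returns what an on-path observer can read from each outer header, whether the receiver recovers the original packet, and whether a replayed or tampered packet is rejected. Assumptions: the addresses (RFC 1918 and RFC 5737 documentation ranges), keys and SPI are made up; the cipher is HMAC-SHA256 in counter mode, a standard-library stand-in for the AES transform a real SA would negotiate; the anti-replay check is simplified to a strictly increasing sequence number rather than the sliding window of RFC 4303; the IP header checksum is left at zero. The ESP packet layout (SPI, sequence number, IV, encrypted payload with trailer, ICV) and the 128-bit HMAC-SHA256 truncation follow RFC 4303 and RFC 4868.

```python
# Constructed example: ESP in transport vs tunnel mode on hand-built IPv4 packets (not real IPsec code).
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_ESP = 4, 50   # next-header for an IPv4 packet inside ESP (tunnel mode); ESP's own number
ICV_LEN = 16                        # HMAC-SHA256-128: 128-bit truncation per RFC 4868
IPV4_FMT = "!BBHHHBBH4s4s"


class SecurityAssociation:
    """Per-direction state IKE/ISAKMP negotiates: SPI, keys and sequence counters."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.tx_seq = self.rx_seq = 0   # rx_seq: highest accepted; replay check simplified to "must increase"

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header, no options; header checksum left zero to keep the example short."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    """The fields an on-path observer can read from the outer header without any keys."""
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len}

def _crypt(key, iv, data):
    """XOR data with a counter-mode keystream derived from HMAC-SHA256 (stand-in for AES-CTR, not an IPsec transform)."""
    ks = b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(sa, inner, next_header):
    """ESP packet: SPI | seq | IV | E(inner | pad | pad_len | next_header) | ICV (RFC 4303 layout)."""
    sa.tx_seq += 1
    iv = struct.pack("!Q", sa.tx_seq)              # 64-bit IV, unique per SA lifetime (like a counter-derived GCM IV)
    pad_len = (-(len(inner) + 2)) % 4              # trailer must end on a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", sa.spi, sa.tx_seq) + iv + _crypt(sa.enc_key, iv, plaintext)
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(sa, esp):
    """Verify the ICV (constant-time) before touching the ciphertext, reject replays, then decrypt and strip the trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq <= sa.rx_seq:
        raise ValueError("unknown SPI %#x or replayed sequence number %d" % (spi, seq))
    sa.rx_seq = seq
    pt = _crypt(sa.enc_key, body[8:16], body[16:])
    pad_len, next_header = pt[-2], pt[-1]
    return pt[:-(pad_len + 2)], next_header

def protect_transport(sa, ip_packet):
    """Transport mode: keep the original header (protocol field becomes ESP), protect only the payload."""
    h = parse_ipv4_header(ip_packet)
    esp = esp_encapsulate(sa, ip_packet[20:], h["proto"])
    return ipv4_header(h["src"], h["dst"], IPPROTO_ESP, len(esp), h["ttl"]) + esp

def protect_tunnel(sa, ip_packet, gw_src, gw_dst):
    """Tunnel mode: the whole original packet becomes the payload of a new packet between the gateways."""
    esp = esp_encapsulate(sa, ip_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def unprotect(sa, packet):
    """Receiver: strip ESP and return the original IP packet, whichever mode was used."""
    inner, next_header = esp_decapsulate(sa, packet[20:])
    if next_header == IPPROTO_IPIP:
        return inner                               # tunnel mode: inner is the whole original packet
    h = parse_ipv4_header(packet)                  # transport mode: restore protocol and length
    return ipv4_header(h["src"], h["dst"], next_header, len(inner), h["ttl"]) + inner

def rejected(sa, packet):
    """True if the receiver drops the packet (bad ICV, unknown SPI or replay)."""
    try:
        unprotect(sa, packet)
    except ValueError:
        return True
    return False

def demo():
    """Protect one UDP datagram both ways; report what an observer sees and whether the receiver recovers it."""
    udp = struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello"   # constructed datagram, UDP checksum 0
    original = ipv4_header("10.0.1.5", "10.0.2.9", 17, len(udp)) + udp
    tx = SecurityAssociation(0x1000, b"enc-key-example", b"auth-key-example")
    rx = SecurityAssociation(0x1000, b"enc-key-example", b"auth-key-example")
    transport = protect_transport(tx, original)
    tunnel = protect_tunnel(tx, original, "203.0.113.1", "198.51.100.1")
    tampered = tunnel[:-ICV_LEN - 1] + bytes([tunnel[-ICV_LEN - 1] ^ 1]) + tunnel[-ICV_LEN:]
    return {
        "observer_transport": parse_ipv4_header(transport),   # inner hosts 10.0.1.5 -> 10.0.2.9 still visible
        "observer_tunnel": parse_ipv4_header(tunnel),         # only the two gateway addresses visible
        "transport_ok": unprotect(rx, transport) == original,
        "tunnel_ok": unprotect(rx, tunnel) == original,
        "replay_rejected": rejected(rx, tunnel),              # same packet delivered a second time
        "tamper_rejected": rejected(rx, tampered),            # one ciphertext byte flipped
    }
```

Run `demo()` and compare observer_transport with observer_tunnel: in transport mode the outer header still names 10.0.1.5 and 10.0.2.9 (with protocol 50), so an observer learns who is talking even though the payload is opaque; in tunnel mode it names only the two gateways. Note the order of checks in esp_decapsulate: the ICV is verified with a constant-time compare before any decryption, and the sequence number is checked before the packet is accepted, which is what keeps a modified or replayed packet out of the private network.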
Summary
References
1. Cisco. (2008, October 13). How Virtual Private Networks Work. Retrieved from https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html
2. Crawford, S., & Tyson, J. (2011, April 14). How VPNs Work. Retrieved from https://computer.howstuffworks.com/vpn.htm
3. Ferguson, P & Huston, G. (1998, April). What is a VPN? Retrieved from https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-18/what-is-a-vpn.html
4. Singh, K. & Gupta, H. (2016). A New Approach for the Security of VPN. 1-5. Retrieved from https://www.researchgate.net/publication/307090754_A_New_Approach_for_the_Security_of_VPN
5. Spengler, E. (2008). Virtual Private Networks (VPNs) Simplified. Retrieved from https://www.cisco.com/c/dam/en_us/training-events/le21/le34/downloads/689/academy/2008/sessions/BRK-134T_VPNs_Simplified.pdf
6. Tyson, J. (2001). How Virtual Private Networks Work. Retrieved from http://www.armchairpatriot.com/How%20Stuff%20Works/How%20Virtual%20Private%20Network.pdf
7. Unknown author. IPSec, VPN, and Firewall Concepts. Retrieved from http://www.cs.unh.edu/~it666/reading_list/Networking/firewall_concept_terms.pdf
8. Unknown / guest. (2019, August 17). The History of VPN. Retrieved from https://www.le-vpn.com/history-of-vpn/
9. Wikipedia contributors. (2018, November 30). Virtual Private Network. In Wikipedia. Retrieved December 1, 2018 from https://en.wikipedia.org/wiki/Virtual_private_network