Virtual Private Network


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


In today's highly global marketplace, remote access to a network is imperative. Over the years there have been many options from which customers could choose. Recently, Virtual Private Network (VPN) technology has proved to be the most beneficial for enterprise customers. The main options are IPSec, Secure Sockets Layer (SSL) and Transport Layer Security (TLS). SSL and TLS have evolved and gained steady momentum in recent years, luring customers away from traditional IPSec networks.


In the early 1990s, there were limited options for remote access. With the ubiquity of the Internet and the developments in communication technology, the public Internet was increasingly used for accessing private information, and these private communication channels required security. A virtual private network (VPN) can be defined as the use of a public telecommunication infrastructure to provide individual users or remote offices with secure access to their organization's network. It can be built between two organizations, between multiple organizations, between two end systems or between several end systems across the global Internet, between individual applications, or any combination of the above. Within the same organization it provides the same capabilities as a private network, but at a much lower cost: it is more economical than making long-distance data calls via modem or using private leased lines.


There are several motivations for building VPNs. The base motivation is the economics of communications: today's communications systems typically exhibit a high fixed-cost component and smaller variable-cost components that vary with the transport capacity or bandwidth of the system.

The second motivation for VPNs is communications privacy. The level of privacy depends on the risk assessment made by the subscriber organization: if the privacy requirement is low, the simple abstraction of discretion may serve the purpose; if it is high, strong security is applied to the correspondence and data passed over the common network.

The third motivation for VPNs is scalability. New users can be added to the network very easily, and corporate network availability can be scaled quickly at minimal cost.


The OSI model was introduced in 1984 and was developed by the International Organization for Standardization (ISO). This reference model (Fig. 1) describes how information is transferred from one machine to another: when a user enters information at the keyboard, that information is converted to an electrical signal and transferred as radio waves through the air or over a piece of wire. On a network, each layer performs specific functions in the process of communication.

The network layer is concerned with the exchange of data between the network and the end system. The sending computer must provide the address of the destination computer so that the network can route the data to the proper destination. Specific software is used in this layer depending on the type of network; different standards have been developed for packet switching, circuit switching, LANs, etc. IP is used to allow data to pass through when the destination computer is connected to a different network. VPNs use both symmetric and asymmetric cryptography: asymmetric cryptography is mainly used to authenticate the identities of the parties involved, while symmetric cryptography is used to encrypt the data because of its greater speed.


Most vendors of VPN solutions identify three usage scenarios, all of which place a corporate intranet in secure connection with friendly 'entities' over the Internet. In these scenarios the entities connected are remote users, branch office networks, or partners and suppliers. Only the network layer is needed to handle all three scenarios.

  • Remote access network - Remote offices, mobile workers and telecommuters with minimal WAN bandwidth can benefit from remote access VPNs. Today's remote access VPNs are the primary type of VPN. Remote users are enabled to work as if they were at a workstation in the office. In this scenario, authentication, transparency and ease of use are the crucial factors for remote users. Figure 2 shows the types of remote access VPNs. For example, a medical company in Florida uses a remote access VPN over the Internet to check on customer orders, record sales transactions and check e-mail from any location. This solution provides sales reps with secure remote access to do their job effectively.
  • Branch office connection network - Two or more trusted intranets are connected, and the intranets are protected by firewalls. Client workstations need not be aware of the VPN, and the network manager can be sure that all Internet traffic exchanged between the two intranets is secured. Although this is very simple, problems arise from managing unregistered (private) IP addresses. Figure 3 shows a typical intranet VPN network. For example, an airline company established VPN connections between their three sites (New York, Miami and Colorado), allowing their employees to view flight schedules, exchange files and communicate financial information. They used an AIX firewall at each of their locations.
  • Business partner / supplier networks - This scenario gives corporate network access to suppliers, customers, business partners or other communities who are not employees of the corporation. Companies grant their partners limited access to their intranet. IP-VPN technology allows full participation in e-business applications such as customer contact, sales negotiation, ongoing support and order fulfillment. Figure 4 shows an extranet VPN connection. For example, the Automotive Exchange Initiative (ANX) links all its partners using Virtual Private Networks (VPNs) for automotive trading. Using VPN connections, the exchange between suppliers and manufacturers is cost effective and accessible from any location. The automotive industry estimates the savings could be $1 billion a year industry-wide.


IPSec - IPSec evolved from the IPv6 development and is being finalized by the Internet Engineering Task Force (IETF) for real-time communication security. It is located in the network layer and is an open architecture for IP-packet encryption and authentication. IPSec adds additional headers to an IP packet and can tunnel IP packets inside new ones. IPSec is separated into three protocols: authentication through the AH header, encryption through ESP, and automated key management through the IKE protocol. IKE, also called ISAKMP, is the most complex IPSec protocol. Each protocol, AH, ESP or a combination of both, is used in either tunnel mode or transport mode. Tunnel mode places a secure channel between two gateways, such as firewalls or routers. In this mode, the original IP datagram, which does not change in transit, is encrypted and encapsulated within the AH, and a new IP header is generated by the gateway. The new source IP address is the address of the source gateway and the new destination IP address is the address of the destination gateway. The destination gateway is responsible for decrypting the packet and forwarding it to the host whose IP address appears in the decrypted packet. Figure 5 shows AH in tunnel mode.

Transport mode retains the original IP header, while all the other fields of the original packet are encrypted. This mode does not hide the IP addresses of the communicating hosts. Transport mode provides a secure channel end-to-end between two hosts; in this case, authentication or confidentiality protects the entire path. Figure 6 shows AH in transport mode.
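The difference between the two modes is easiest to see on the wire. The following Python program is an added example, not code from the essay or from any IPSec implementation: it builds a small IPv4 datagram, wraps it with an Authentication Header in tunnel mode (new outer header addressed gateway to gateway, whole original datagram inside) and in transport mode (original header kept, AH inserted after it), and lets the receiver check the HMAC-SHA1-96 integrity value before accepting the packet. The addresses, key and payload are constructed sample values, and the ICV here is computed over the AH and its payload only, whereas a real AH also covers the immutable outer IP header fields.

```python
import hashlib
import hmac
import socket
import struct

AH = 51          # IP protocol number of the Authentication Header
IP_IN_IP = 4     # AH "next header" value meaning the payload is a whole IP datagram
IPV4_HDR = 20    # minimal IPv4 header length (no options)
ICV_LEN = 12     # HMAC-SHA1-96: integrity check value truncated to 96 bits


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram (TTL 64, no options, no fragmentation)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:]}


def ah_fixed_header(next_header: int, spi: int, seq: int) -> bytes:
    # payload-length field = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq)


def ah_icv(key: bytes, ah_fixed: bytes, data: bytes) -> bytes:
    # The ICV is computed with the ICV field itself zeroed (simplified: outer IP header omitted).
    return hmac.new(key, ah_fixed + bytes(ICV_LEN) + data, hashlib.sha1).digest()[:ICV_LEN]


def ah_tunnel(inner: bytes, gw_src: str, gw_dst: str, key: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original datagram is the AH payload and the new outer
    header carries the two gateway addresses, so the real hosts are hidden on the path."""
    ah = ah_fixed_header(IP_IN_IP, spi, seq)
    return ipv4_packet(gw_src, gw_dst, AH, ah + ah_icv(key, ah, inner) + inner)


def ah_transport(inner: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the original IP header stays and AH is inserted after it, so the
    addresses of the communicating hosts remain visible on the wire."""
    orig = parse_ipv4(inner)
    ah = ah_fixed_header(orig["proto"], spi, seq)
    return ipv4_packet(orig["src"], orig["dst"], AH, ah + ah_icv(key, ah, orig["payload"]) + orig["payload"])


def ah_receive(pkt: bytes, key: bytes):
    """Verify the ICV and return (ok, original_datagram); ok is False for any
    mismatch, which is the receiver's signal to drop the packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != AH:
        return False, b""
    body = outer["payload"]
    ah, icv, rest = body[:12], body[12:12 + ICV_LEN], body[12 + ICV_LEN:]
    if not hmac.compare_digest(ah_icv(key, ah, rest), icv):
        return False, b""
    next_header = ah[0]
    if next_header == IP_IN_IP:      # tunnel mode: the payload is the original datagram
        return True, rest
    # transport mode: restore the original datagram with its real upper-layer protocol
    return True, ipv4_packet(outer["src"], outer["dst"], next_header, rest)


if __name__ == "__main__":
    key = b"constructed-demo-ah-key"                                   # constructed sample key
    inner = ipv4_packet("10.1.1.5", "10.2.2.9", 6, b"GET / HTTP/1.0\r\n")  # constructed datagram
    tun = ah_tunnel(inner, "203.0.113.1", "198.51.100.1", key, spi=0x1001, seq=1)
    tr = ah_transport(inner, key, spi=0x1002, seq=1)
    print("tunnel outer header:   ", parse_ipv4(tun)["src"], "->", parse_ipv4(tun)["dst"])
    print("transport outer header:", parse_ipv4(tr)["src"], "->", parse_ipv4(tr)["dst"])
    print("tunnel packet verifies:", ah_receive(tun, key)[0])
```

Run it and the tunnel-mode packet shows only the gateway addresses in its outer header, while the transport-mode packet still exposes 10.1.1.5 and 10.2.2.9; flipping any byte of either packet, or using a different key, makes `ah_receive` return `False`.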

Benefits - IPSec provides security directly at the IP network layer and secures everything that is put on top of it. The protocol has proven to be a secure and trusted method for securing data and is an Internet standard. IPSec supports nested tunnels: if a user's data passes through two or more secure gateways, the tunnels can be double encrypted.

Limitations - IPSec has more features than SSL/TLS, but it is more difficult to implement and requires special support in routers. Client software is required on the end-user computer. Support costs are very high, and it may not work from remote locations. It may not work with all ISPs, NAT firewalls or home networks.


Secure Sockets Layer VPNs are also called Transport Layer Security (TLS) VPNs; the IETF has retitled SSL as TLS (Dierks and Allen 1999). The most common use of TLS is with the HTTP protocol, which combines the web browsing protocol HTTP with TLS. SSL/TLS is designed to run in a user-level process on top of TCP. Running at layer 4 allows SSL/TLS to be deployed in a user-level process rather than requiring changes to the OS. The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications.

The goals of the TLS protocol, in order of priority, are:

  • Cryptographic security - TLS should be used to establish a secure connection between two parties.
  • Interoperability - Programmers should be able to develop applications utilizing TLS that can exchange cryptographic parameters without knowledge of one another's code.
  • Extensibility - TLS seeks to provide a framework into which new public key and bulk encryption methods can be incorporated as necessary. This accomplishes two subgoals: preventing the need to create a new protocol, and avoiding the need to implement an entirely new security library.
  • Relative efficiency - Cryptographic operations, especially public key operations, tend to be highly CPU intensive. For that reason, the TLS protocol incorporates a mechanism to reduce the number of connections that need to be established from scratch.

The TLS protocol is composed of two layers above the TCP/IP protocol.

These two layers carry two protocols: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with two basic properties:

  1. The connection is private - Symmetric cryptography is used for data encryption. The keys are generated uniquely for each connection and are based on a secret negotiated by another protocol. The Record Protocol can also be used without encryption.
  2. The connection is reliable - Message transport includes a message integrity check using a keyed MAC. Secure hash functions (SHA, MD5, etc.) are used for MAC computations. The Record Protocol can operate without a MAC, but this is generally done only while another protocol is using the Record Protocol as a transport for negotiating security parameters.

The TLS Record Protocol is mainly used for the encapsulation of various higher-level protocols. One such encapsulated protocol is the TLS Handshake Protocol. It allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.

TLS Handshake Protocol - Provides connection security. In this setup, the master secret is established using expensive public key cryptography. Multiple connections can subsequently be derived from that master secret by doing a handshake that involves sending nonces but avoids public key operations. "SSL/TLS also provides for client authentication, where the server requests client authentication and the client responds with its certificate and a signature on a hash of the handshake messages, proving it knows the private key associated with the public key in the certificate."

A client can be configured with the public keys of various trusted organizations. The user at the client machine can modify the list by adding or deleting keys. The client receives a certificate from the server and accepts it if it is signed by one of the Certificate Authorities (CAs) on the client's list. If a server presents a certificate signed by someone not on the list, the server cannot be verified because its certificate was signed by an unknown authority, and the client blocks with a popup box. The user is then given the chance to look at the certificate or to import the signer into the list of trusted root CAs.
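The trust decision described above, as an added example that is not part of the essay or of any TLS library: a client-side check that accepts a server certificate only when its issuer is on the trust list and the issuer's signature verifies, plus the "import the signer" action that extends the list. Because the Python standard library has no public key signatures, the CA signature is stood in for by HMAC-SHA256 under a per-CA key kept in the trust store; in a real PKI the CA signs with its private key and the client verifies with the CA's public key, but the accept/reject logic is the same. All names and keys are constructed sample values.

```python
import hashlib
import hmac
import json


def certificate_body(subject: str, issuer: str, public_key: str) -> bytes:
    """Canonical bytes that the CA signs: who the certificate is for, who issued
    it, and the subject's public key (a placeholder string in this example)."""
    return json.dumps({"subject": subject, "issuer": issuer, "public_key": public_key},
                      sort_keys=True).encode()


def issue_certificate(ca_name: str, ca_key: bytes, subject: str, public_key: str) -> dict:
    """CA side: produce a certificate carrying the CA's (simulated) signature."""
    body = certificate_body(subject, ca_name, public_key)
    return {"subject": subject, "issuer": ca_name, "public_key": public_key,
            "signature": hmac.new(ca_key, body, hashlib.sha256).hexdigest()}


def check_certificate(cert: dict, trusted_roots: dict) -> tuple:
    """Client side: (accepted, reason). Rejects unknown authorities before doing
    any signature work, then rejects anything whose signature does not verify."""
    issuer = cert["issuer"]
    if issuer not in trusted_roots:
        return False, "unknown authority: " + issuer
    body = certificate_body(cert["subject"], issuer, cert["public_key"])
    expected = hmac.new(trusted_roots[issuer], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["signature"]):
        return False, "invalid signature"
    return True, "signed by trusted CA " + issuer


def import_root(trusted_roots: dict, ca_name: str, ca_key: bytes) -> dict:
    """The user's 'import the signer' choice from the popup: returns a new trust
    list with the extra root, leaving the original untouched."""
    updated = dict(trusted_roots)
    updated[ca_name] = ca_key
    return updated


if __name__ == "__main__":
    # Constructed trust store: CA name -> verification key (public key in real PKI).
    roots = {"Example Root CA": b"constructed-root-ca-key"}
    good = issue_certificate("Example Root CA", roots["Example Root CA"],
                             "vpn.example.org", "PUBKEY-1")
    stranger = issue_certificate("Unknown CA", b"constructed-unknown-ca-key",
                                 "vpn.example.org", "PUBKEY-2")
    print(check_certificate(good, roots))
    print(check_certificate(stranger, roots))
    roots2 = import_root(roots, "Unknown CA", b"constructed-unknown-ca-key")
    print(check_certificate(stranger, roots2))
```

The second certificate is rejected as signed by an unknown authority until the user imports that CA, after which the same certificate is accepted; editing any field of a certificate after issuance makes the signature check fail instead.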

An SSL/TLS handshake record contains the following messages: ClientHello, ServerHello, ClientKeyExchange, Certificate, ServerHelloDone, Finished, CertificateRequest, CertificateVerify, and ServerKeyExchange.
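To make the Record Protocol properties (per-connection keys, keyed MAC), the master-secret derivation from nonces, and the Finished message concrete, the following Python program is an added example; it is not the essay's code and not a TLS implementation. It derives a master secret from a premaster secret and the two Hello nonces with an HMAC-SHA256 expansion in the shape of TLS 1.2's P_SHA256, splits out per-direction MAC keys, computes a Finished value over the handshake transcript, and protects and verifies records with a sequence-numbered MAC. The public key step that delivers the premaster secret (ClientKeyExchange) is assumed to have happened and is represented by a placeholder transcript entry; nonces and secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 output length


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-chained expansion in the shape of TLS 1.2's P_SHA256 (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret from the premaster plus both nonces, then one MAC key per
    direction. Client and server run this independently and must agree."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 2 * MAC_LEN)
    return {"master": master, "client_mac": key_block[:MAC_LEN], "server_mac": key_block[MAC_LEN:]}


def finished_verify_data(master: bytes, label: bytes, transcript: list) -> bytes:
    """Finished message body: PRF over the hash of all handshake messages so far,
    so any message altered in transit is detected before application data flows."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return prf(master, label, digest, 12)


def record_mac(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    # Sequence number, content type, version (TLS 1.2 = 0x0303) and length are all covered.
    header = struct.pack("!QBHH", seq, content_type, 0x0303, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect_record(mac_key: bytes, seq: int, content_type: int, fragment: bytes) -> bytes:
    return fragment + record_mac(mac_key, seq, content_type, fragment)


def open_record(mac_key: bytes, seq: int, content_type: int, record: bytes):
    """Return the fragment, or None when the MAC fails (tampering, wrong key or a
    replayed record presented under a different sequence number)."""
    fragment, mac = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(record_mac(mac_key, seq, content_type, fragment), mac):
        return None
    return fragment


def run_handshake(client_random: bytes, server_random: bytes, premaster: bytes) -> dict:
    """Abbreviated exchange: both sides see the same transcript, derive keys, and the
    server checks the client's Finished value against its own computation."""
    transcript = [b"ClientHello" + client_random,
                  b"ServerHello" + server_random,
                  b"ClientKeyExchange<premaster encrypted to server public key: placeholder>"]
    client_keys = derive_keys(premaster, client_random, server_random)
    server_keys = derive_keys(premaster, client_random, server_random)
    client_finished = finished_verify_data(client_keys["master"], b"client finished", transcript)
    expected = finished_verify_data(server_keys["master"], b"client finished", transcript)
    return {"keys_match": client_keys == server_keys,
            "client_finished_ok": hmac.compare_digest(client_finished, expected),
            "keys": client_keys}


if __name__ == "__main__":
    result = run_handshake(b"C" * 32, b"S" * 32, b"constructed-premaster")   # constructed values
    keys = result["keys"]
    print("keys match:", result["keys_match"], " finished ok:", result["client_finished_ok"])
    rec = protect_record(keys["client_mac"], 0, 23, b"application data")
    print("record opens:", open_record(keys["client_mac"], 0, 23, rec))
    print("replayed as seq 1:", open_record(keys["client_mac"], 1, 23, rec))
```

Nothing here is encrypted; it shows the integrity half of the Record Protocol and the key schedule. Because the sequence number is inside the MAC input, a record captured and re-sent later fails to open, and because each direction has its own key, a client record cannot be reflected back as if the server had sent it.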

Benefit - TLS/SSL is designed to be transparent to higher-level protocols.

