In some organizations, users are permitted to work from home or from any other remote location. These remote users may need access to some resources on the organization's internal network, such as line-of-business applications, for official purposes. In addition, the geographically dispersed offices of an organization may need to establish a secure medium for communication and data transmission.
Virtual Private Network (VPN) technology can be used to meet these business requirements. A VPN allows users to connect to a remote site from different remote locations over the Internet. A VPN can also be used to connect two remote sites with each other in a secure manner.
An organization may have branch offices at different physical locations. Previously, the standard method organizations used to connect branch offices was leased lines, which are very expensive. VPN technology gives an organization a cost-effective way to connect two remote sites.
The following scenarios illustrate the need for a VPN from different business perspectives:
An organization may need to allow its authorized customers access to product specifications, availability, and online ordering.
A university or college can use a VPN to give distance-learning students access to its computer labs after their passwords have been checked.
Many organizations provide VPN connections to their employees so that they can access the centralized database on the company's internal network from a remote location for different business purposes.
A VPN provides extremely secure connections between private networks linked through the Internet. It allows remote computers to act as though they were on the same secure local network. A VPN supplies network connectivity over a possibly long physical distance; in this respect, a VPN is a form of Wide Area Network (WAN). A VPN enables features such as file sharing and video conferencing, and allows users at home to access their company's computers in the same way as if they were sitting at work. It is almost impossible for someone to tap or interfere with data transmitted during a VPN connection.
VPN provides connectivity between two geographically dispersed offices of the same organization or two business partners. The following figure shows the standard VPN setup.
Standard VPN Setup
Types of VPN
The different types of VPN are remote access VPN and site-to-site VPN.
Remote Access VPN
A remote access VPN, also known as a private virtual dial-up network (PVDN), differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between their workstation and their remote office. An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects them to the corporate VPN.
In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (see Figure 3.3). Once the tunnel is set up, users are required to authenticate with the VPN server, usually by username and password.
A remote access VPN is a great solution for a company with several employees working in the field, because it allows these employees to transmit data to their home offices from any location. RRAS offers an easy way to create a remote access VPN.
Remote Access VPN
Site-to-Site VPN
Site-to-site VPNs are normally established between corporate offices separated by a physical distance greater than normal LAN media can cover. VPNs are available as software (such as the Windows VPN available on Windows NT and Windows 2000) and as hardware (firewalls such as Nokia/Checkpoint and SonicWALL) implementations. Generally speaking, software implementations are easier to maintain. However, hardware implementations are considered more secure, since they are not affected by OS vulnerabilities. For example, Company XYZ has offices in Boston and Phoenix. As seen in …, both offices connect to the Internet via a T1 connection. They have implemented VPN-capable firewalls in both offices and established an encryption tunnel between them.
The first step in creating a site-to-site VPN is selecting the protocols to be used. Common protocols associated with VPNs are PPTP, L2TP, SSH, and IPSec. PPTP and L2TP are used to establish a secure tunnel connection between two sites.
Once a tunnel is established, encryption protocols are used to secure the data passing through it. As data is passed from one VPN endpoint to the other, it is encapsulated at the source and unwrapped at the target. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.
Most commercially available firewalls come with a VPN module that can be set up to communicate easily with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2000 platform using either Routing and Remote Access Service (RRAS) or the newest version of Microsoft's proxy server, Microsoft ISA Server 2000. Whichever product or service is chosen, it is important to ensure that each end of the VPN is configured with identical protocols and settings.
The following figure displays a Site-to-Site VPN.
VPN Protocols (Syngress CompTIA Security+ Study Guide)
PPTP's popularity is mainly due to its being the first encapsulation protocol on the market, designed by engineers at Microsoft. Thus it is supported in all Windows OSs (L2TP is not supported in Windows 9x/ME or NT 4.0, although these OSs, except Windows 95, can create L2TP connections using the Microsoft L2TP/IPSec VPN client add-on). PPTP establishes point-to-point connections between two computers by encapsulating the PPP packets being sent. Although PPTP has helped improve communications security, there are several issues with it:
PPTP encrypts the data being transmitted, but does not encrypt the information being exchanged during negotiation. In Microsoft implementations, Microsoft Point-to-Point Encryption (MPPE) protocol is used to encrypt the data.
PPTP is protocol-restrictive, meaning it will only work over IP networks.
PPTP cannot use the added benefit of IPSec.
As with TACACS+, Cisco believed it could design a better tunneling protocol, and the result was the Layer 2 Forwarding (L2F) protocol. Unfortunately, L2F was not much better than PPTP: it provided encapsulation (tunneling) but did not encrypt the data being encapsulated. To combine the features of both PPTP and L2F, L2TP was developed through a joint venture between Microsoft and Cisco. L2TP was a major improvement, but still did not offer encryption. To remedy this, L2TP was designed to use IPSec for encryption. The differences between PPTP and L2TP that you need to know for the Security+ exam are:
L2TP requires IPSec in order to offer encryption.
L2TP offers RADIUS and TACACS+, where PPTP does not.
L2TP is often implemented as a hardware solution, where PPTP is not.
L2TP can run on top of protocols such as IP, IPX, and SNA, where PPTP can work only on IP networks.
Using L2TP with IPSec provides per-packet data origin authentication (proof that the data was sent by an authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without an encryption key).
L2TP/IPSec connections require two levels of authentication: computer-level authentication using certificates or pre-shared keys for IPSec sessions, and user-level authentication using PPP authentication protocol for the L2TP tunnel.
The IPSec protocol, as defined by the IETF, is "a framework of open standards for ensuring private, secure communications over Internet Protocol networks, through the use of cryptographic security services." This means that IPSec is a set of standards used for encrypting data so that it can pass securely through a public medium, such as the Internet. Unlike other methods of secure communication, IPSec is not bound to any particular authentication method or algorithm, which is why it is considered an "open standard." Also, unlike older security standards that were implemented at the application layer of the OSI model, IPSec is implemented at the network layer.
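Three of the per-packet services attributed to L2TP/IPSec above (data origin authentication, data integrity and replay protection) can be seen in miniature in this added example, which is not part of the original text or of any IPsec implementation: the sender appends an HMAC-SHA256 over the sequence number and payload, and the receiver checks a 32-packet sliding anti-replay window in the order RFC 4303 prescribes (replay pre-check, integrity check, then window update). The key and packets are constructed sample data, and confidentiality (ESP encryption) is deliberately left out.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 4    # 32-bit sequence number, as in the ESP/AH header
ICV_LEN = 32   # HMAC-SHA256 integrity check value (ICV)
WINDOW = 32    # RFC 4303 minimum receiver anti-replay window


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def is_fresh(self, seq):
        if seq == 0 or seq > self.highest:   # 0 is never valid; above the window is new
            return seq != 0
        diff = self.highest - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def mark(self, seq):
        if seq > self.highest:        # slide the window so bit 0 is the new high
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def protect(key, seq, payload):
    # Sender: prepend the sequence number, append an HMAC over header + payload.
    header = struct.pack("!I", seq)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


def accept(key, window, packet):
    """Receiver: replay pre-check, then ICV check, then window update (RFC 4303 order)."""
    if len(packet) < SEQ_LEN + ICV_LEN:
        return False, "truncated"
    (seq,) = struct.unpack("!I", packet[:SEQ_LEN])
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not window.is_fresh(seq):
        return False, "replayed or stale"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):   # constant-time compare
        return False, "integrity/origin check failed"
    window.mark(seq)                  # only authenticated packets advance the window
    return True, body[SEQ_LEN:]
```

A forged or tampered packet never advances the window, so the genuine packet with the same sequence number is still accepted afterwards; a packet older than the window is rejected even though it was never seen.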