A Virtual Private Network (VPN) is a network that emulates the properties of an actual private network while running over shared public network infrastructure. VPN providers use descriptive tools such as the OSI reference model to explain their products to users. There are two types of VPNs, client-to-site and site-to-site, and the difference between them lies in the technologies through which the virtual private network is accessed. Technologies such as tunneling, encryption, cryptology, and virtual transportation are used by VPN providers to ensure the safe and secure use of their products by customer companies. The security protocols are the defined, uniform applications of these technologies.
VPNs were first used by telephone companies to make telephone calls over public providers with public business exchange features (Olifer). Today the term is more often applied to data networks, where a VPN is favored over a plain public network such as the internet when more security is needed. Put simply, a VPN provides secure communication through insecure and untrusted networks such as the internet. Figure 1 is a visual representation of a virtual private network. In figure 1 the main office is where the VPN originates; the main office is usually a local area network (LAN). The cloud in the middle represents a public network such as the internet, and the other users can access the VPN from anywhere the internet is accessible.
Virtual private networks emulate the characteristics of a private network. A true private network has a completely private infrastructure, including cables, channels, switches, routers, and other hardware; private network channels can also be leased. Instead of using physical connections, VPNs use virtual connections routed through the internet or other public networks (Tyson 2001). The advantages of a private network over a public network are greater security, predictable performance, and independent IP address space (Olifer). The performance of a VPN is predictable because a guaranteed amount of bandwidth is available to the network. VPNs also use private IP addresses, which cannot be routed over public networks.
The OSI reference model shown in figure 2 was developed by the International Standards Organization (ISO). Figure 2 shows each OSI layer and the qualities associated with it. The model contains seven layers used to distinguish protocols and interfaces (Wilkins 2011). Cisco is an example of a company that uses the OSI reference model to describe its products. When a provider creates a VPN, it analyses the needs of the customer's users and determines at which layers of the OSI model to build the VPN. VPNs can be created to emulate OSI layers one, two, and three, also known as the physical, data link, and network layers. The physical layer elements of a VPN include circuits with no data link structure, routing, bridging, and host network elements. The data link layer allows for the creation of virtual private LANs. The network layer allows for the transfer of data over the VPN.
Before VPNs, businesses used intranets, which are password-protected websites for employees. Businesses are moving away from intranets and creating their own VPNs to accommodate remote offices (Tyson 2001). The improved security of a virtual network is achieved by authentication, encryption, compression, and tunneling (Rosen 2008). Authentication, using passwords, digital certificates, biometrics, or cryptography, allows only authorized users to access the network. Encryption makes the data unreadable to anyone without the encryption algorithms. A data transmission consists of a header section and a body section: the header holds the information describing what the data is, and the body is the actual data. Tunneling is a security technique used in VPNs in which a data packet, header and protocol included, is carried within the body of a larger data packet (Rosen 2008). Figure 3 shows the layout of an IPsec tunneled packet, and figure 4 is a visual representation of the tunneling technique used over the internet. The outer packet's header holds the information about where the data is going over the internet, creating a tunnel for the smaller packet located in the body of the larger one.
The two VPN technologies most used today are site-to-site and client-to-site VPNs. Site-to-site VPNs provide an internet-based wide area network (WAN) infrastructure to connect all users of the VPN. Site-to-site VPNs use the IPsec protocol for encryption and also use network features such as routing and multicast support ("Virtual Private Networks"). There are two types of site-to-site VPN: intranet-based and extranet-based. An intranet-based VPN is a single WAN or LAN VPN. An extranet-based VPN is most often used between two closely cooperating companies that decide to build a shared environment between their VPNs.
Remote access VPNs extend data over to the remote desktop, emulating the main desktop. Virtual private networks that are set up to support remote, protected access to remote offices over the internet use a client-to-site protocol. The first step in connecting to an established VPN is for the remote client to connect to the internet through its internet service provider. The host then initiates a VPN connection to the VPN server. This connection is made by the VPN client software that was previously installed on the remote client (Mitchell). Once the connection is made, the remote client can communicate with the local host as if they were on the same private network.
Figure 5 is a visual representation of the different types of VPNs in use and the situations in which each is most often used. Business partners use an extranet site-to-site VPN. Remote offices use an intranet site-to-site VPN because it is cheaper than an extranet VPN. Home offices and mobile users use remote access VPNs to connect to the main office.
Because a VPN is a virtual private network, its data is transmitted over the internet so that all users can use its capabilities, but this brings added security risks. The line must be secure at all times, which is why people used dedicated secure lines before VPNs were established. Secure VPNs use cryptographic tunneling protocols to provide confidentiality by blocking intercepts and packet sniffing, sender authentication to block identity spoofing, and message integrity by preventing message changes. Identity spoofing is when a hacker "determines and uses an IP address of a network, computer, or a network component without being authorized to do so. A successful attack allows the attacker to operate as if the attacker is the entity normally identified by the IP address" (technet). In common terms today, it is what is known as identity theft. There are many security mechanisms that can be used in VPNs, such as IPsec (Internet Protocol Security), SSL/TLS (Transport Layer Security), DTLS (Datagram Transport Layer Security), MPPE (Microsoft Point-to-Point Encryption), SSTP (Secure Socket Tunneling Protocol) and SSH (Secure Shell). Each security protocol has its own specific purpose, and when all are used coherently, they make for a much safer VPN for the user to work in.
IPsec is a suite of protocols developed by the Internet Engineering Task Force; it has been updated to be implemented in the 2.6 Linux kernel and to handle both the IPv4 and IPv6 internet protocols. With IP security, encryption, compression, and authentication are done at the network level. Figure 6 shows a remote access VPN using the IPsec protocol. IPsec is a useful security protocol because it offers two encryption modes: transport mode and tunnel mode. Transport mode encrypts only the data portion of each packet and leaves the header untouched. Tunnel mode, as referenced earlier, encrypts both the header and the data portion of the packet. On the receiving end of the bit stream, an IPsec-compliant device decrypts each packet to make sense of the data (IPsec). The IPsec protocol can be used on UNIX/Linux operating systems. Openswan is an open-source project that provides an implementation of the user tools for Linux IPsec; Openswan supports the 2.0, 2.2, 2.4, and 2.6 Linux kernels (Rosen 2008).
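To make the transport-mode versus tunnel-mode distinction from the last two paragraphs concrete, here is an added example (not code from the original page or from any IPsec implementation) that builds the ESP framing for both modes around a constructed inner packet and shows which addresses an observer on the public network can still read. The cipher is an HMAC-based keystream stand-in rather than ESP's real cipher, and the key, addresses and SPI are assumed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50                    # IANA protocol number for ESP
KEY = b"constructed-demo-key"     # constructed sample key, not a real SA key


def keystream_xor(data: bytes, key: bytes, seq: int) -> bytes:
    """Stand-in for ESP's cipher: XOR with an HMAC-SHA256 keystream bound to the
    sequence number. Real ESP uses e.g. AES-GCM; only the framing is modelled."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, struct.pack("!II", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: Security Parameters Index and sequence number, both in the clear."""
    return struct.pack("!II", spi, seq)


def transport_mode(packet: bytes, spi: int, seq: int) -> bytes:
    """Original IP header stays in the clear; only the payload is protected."""
    hdr, payload = packet[:20], packet[20:]
    body = esp_header(spi, seq) + keystream_xor(payload, KEY, seq)
    # patch total length (bytes 2-3) and set the protocol field (byte 9) to ESP
    new_hdr = (hdr[:2] + struct.pack("!H", 20 + len(body)) + hdr[4:9]
               + bytes([ESP_PROTO]) + hdr[10:])
    return new_hdr + body


def tunnel_mode(packet: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """The whole original packet, header included, is protected behind a new outer header."""
    body = esp_header(spi, seq) + keystream_xor(packet, KEY, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def visible_addresses(packet: bytes) -> tuple:
    """What an observer on the public network reads from the outer header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))


# constructed inner packet: internal host 10.1.1.5 -> 10.2.2.9, TCP (6), 5-byte payload
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, 5) + b"hello"
```

In transport mode the internal source and destination addresses remain readable on the public network; in tunnel mode only the gateway addresses are visible and the inner header is recovered by the receiving gateway.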
SSL/TLS is treated here as a single security protocol because Secure Socket Layer (SSL) was the predecessor of Transport Layer Security (TLS), and the two are very similar. Both are cryptographic protocols that provide communication security over the internet, including for VPNs. They encrypt the segments of network connections above the transport layer of the OSI reference model seen in figure 2, using symmetric cryptography for privacy and a keyed message authentication code for message integrity. A cryptographic protocol is a "protocol executed by several distant agents through a network where the messages or part of the messages are produced using cryptographic functions (encryption, hashing, etc.)" (Formal). This type of protocol usually incorporates at least some of the following: key agreement, entity authentication, and secured application transport. The benefit of using SSL/TLS is that it already "exists in modern web browsers; unlike traditional IP security (IPsec) remote-access VPN technology, which requires installation of IPSec client software on a client machine before a connection can be established" (SSL). Since SSL VPN typically does not need client software, it has become known as "clientless VPN" or "Web VPN". Another advantage of SSL over IPsec is its overall ease of use for end users: IPsec requires specific configuration for each system, while SSL requires only a modern web browser, and users can choose any browser they want without being restricted by the operating system. Lastly, SSL VPN has an advantage over IPsec in outbound connection security. In most environments, outbound traffic that is based on SSL is not blocked, so even if a particular local environment does not permit outbound IPsec VPN sessions, SSL VPN is free of that restriction.
One major difficulty in using SSL/TLS has been tunneling over TCP, and DTLS is used to address this problem. Cisco is one company that has dealt with this issue and has chosen DTLS to fix it. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented TLS protocol and is intended to provide similar security guarantees.
The next security protocol is MPPE, or Microsoft Point-to-Point Encryption, a protocol used specifically for encrypting data across Point-to-Point Protocol (PPP) and VPN links. To understand MPPE, one must first understand PPP. PPP is "a data link layer protocol of the OSI reference model that encapsulates other network layer protocols for transmission on synchronous and asynchronous communication lines" (Thomas Spencer). PPP was designed around three major components: 1) a method for encapsulating datagrams over serial links, 2) an extensible Link Control Protocol (LCP), and 3) a family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols. Once these design constraints were met, PPP was created, and MPPE was created afterwards to provide a safe security protocol on top of it. MPPE is secure because it uses the standard RSA algorithm for encryption and supports 40-bit and 128-bit session keys, which are changed regularly to ensure security. One issue with MPPE is that it does not compress or expand data, so it needs a pre-determined data length. It was developed specifically for Microsoft Windows servers to ensure safety when transmitting data.
The next security protocol is SSTP, or Secure Socket Tunneling Protocol, which, like the previous protocol, was introduced by Microsoft; this is why it is commonly referred to as "Microsoft's SSL VPN". By definition, this protocol belongs to the application layer of the OSI reference model, unlike the other security protocols, which use other layers of the model. SSTP was created based on the previously discussed protocol SSL, but it differs from SSL in that it is only a tunneling protocol, while SSL incorporates much more. SSTP provides transport-level security with key negotiation, encryption, and traffic integrity checking, but the main purpose of creating SSTP was to ensure a stable connection for VPN users, which was severely lacking at the time of its creation. Most VPN connections before SSTP were designed for site-to-site VPN connections, whereas SSTP was created specifically for client-to-site VPN connections (Magalhaes 2007). Figure 7 shows the SSTP connection mechanism and the steps associated with it.
The final security protocol in typical use today is SSH, or Secure Shell, which is used on Linux-based or Unix-based systems to access shell accounts. It is a network protocol in the OSI reference model and allows data to be exchanged over a secure channel between two networked devices. It uses public-key cryptography to authenticate the remote computer and to allow the remote computer to authenticate the user when necessary. As that description suggests, it is almost always used to log into a remote machine and execute commands, but it can also support tunneling when needed. SSH is constantly being updated to improve on the safety of previous versions of the protocol. Like the security protocols discussed before it, it has a specific purpose and is used at a specific layer of the OSI model.
Finally, all of the security protocols mentioned above are in use in some way, shape, or form today and are common in most people's everyday lives without their even noticing. Many web browsers have these security protocols built into their software, and even Gmail and Lotus Notes have security protocols running throughout their programs. Without these security protocols, safety for VPNs over the internet would be non-existent and people would constantly be subjected to identity spoofing and other forms of hacking.
Implementation of VPNs
Hamachi is an excellent example of a VPN service and a leader in VPNs for computer gaming. LogMeIn Hamachi is a closed-source shareware VPN client that requires very little configuration to set up a virtual LAN and is useful for accessing networks and playing LAN games over the internet. Tinc is a free and open-source VPN that uses a mesh network layout.
Tinc incorporates OpenSSL (a Secure Sockets Layer implementation) as well as zlib and LZO (lossless compression codecs). Tinc can be transported over both IPv4 and IPv6 connections. OpenWRT, a Linux distribution designed for embedded devices such as routers and residential gateways, supports Tinc natively (Sliepen 2010).
Microsoft offers a VPN software suite named Microsoft Forefront Unified Access Gateway (UAG). The suite consists of a VPN server application and also acts as a reverse proxy. A reverse proxy sits between a client and the server and obscures them from each other. UAG incorporates Microsoft's DirectAccess API library, which significantly simplifies VPN access and connection management and removes that burden from client software developers (Snyder, 2010). A Hamachi network is shown as figure 8.
VPN Use in Industry
VPNs are frequently used in industry: any employee who requires access to the company network can use a VPN client to connect and use company network resources as if they were physically connected to the network.
Potential uses include remote upload and download of files, use of company software, mounting of network drives, remote management, etc.
A connection over a VPN suffers from lag and latency that a LAN connection does not, because a VPN is an encapsulation of LAN traffic routed over the internet.
Typically VPN traffic is encrypted before being sent over the internet, but there are protocols that do not encrypt the traffic, which is a potential security risk.
For a VPN service to function, a VPN server needs to be set up. This server handles the encapsulation and encryption/decryption of the network traffic, assigns virtual IP addresses to all devices connected to the VPN, and may also manage communication between the LAN and the VPN.
In the case of Hamachi, there are free servers hosted by LogMeIn, as well as the ability to purchase a server license.
Inner Workings of Hamachi:
Upon first connection to the server, each client is assigned an IP address in the 220.127.116.11/8 range. This avoids potential collisions with commonly used LAN IP address ranges. After the initial connection, clients are assigned IPs based on their encryption key. Network traffic from clients is captured by the client software and sent to the VPN server, which then forwards it to the other clients on the VPN (Valencia, Littlewood, & Kolar, 1998).
Inner Workings of Tinc:
Tinc encapsulates nearly all of its data for transmission over UDP, first encrypting the data and then adding a sequence number, since UDP does not specify an order for packet arrival. This numbering also allows the recipient to request a retransmission if a packet is lost, which UDP does not provide for by default. One might ask why TCP is not used instead, as it supports both ordering and retransmission. The reason is ACKs: if the VPN traffic were encapsulated in TCP, there would be three ACKs per packet instead of one. However, for data that must be sent reliably, such as encryption keys, routing information, and the like, Tinc uses TCP, as it is very reliable compared to UDP. This connection is known as the meta-connection, while the UDP connection is the data connection (Sliepen, 2010).
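The sequence-number mechanism of the data connection just described, as an added example written here and not taken from Tinc's source: a receiver that reorders datagrams, drops replayed or duplicate sequence numbers, and returns the sequence numbers it would ask the sender to retransmit. The encryption step that precedes numbering is omitted, so the payload is treated as opaque bytes; the header layout and window size are assumptions, not Tinc's wire format.

```python
import struct

HDR = struct.Struct("!I")   # assumed framing: 32-bit sequence number before the payload


def frame(seq: int, ciphertext: bytes) -> bytes:
    """Sender side: the already-encrypted payload gets its sequence number prepended."""
    return HDR.pack(seq) + ciphertext


class Receiver:
    """Reorders datagrams, drops replays, and reports gaps that need retransmission."""

    def __init__(self, window: int = 64):
        self.next_seq = 0          # next sequence number to hand up in order
        self.pending = {}          # out-of-order datagrams waiting on a gap
        self.delivered = []        # payloads delivered to the application, in order
        self.window = window       # how far ahead of next_seq we are willing to buffer

    def receive(self, datagram: bytes) -> list:
        """Process one datagram; return the sequence numbers to request again."""
        seq = HDR.unpack_from(datagram)[0]
        payload = datagram[HDR.size:]
        if seq < self.next_seq or seq in self.pending:
            return []              # replayed or duplicate datagram: discard silently
        if seq >= self.next_seq + self.window:
            return []              # too far ahead: drop rather than buffer without bound
        self.pending[seq] = payload
        # deliver everything that has become contiguous with what was already delivered
        while self.next_seq in self.pending:
            self.delivered.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        # anything between next_seq and the highest buffered sequence number is missing
        if self.pending:
            top = max(self.pending)
            return [s for s in range(self.next_seq, top) if s not in self.pending]
        return []
```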
Some VPN encryption protocols support the use of security tokens: small, self-contained devices that hold a secret key and run a known algorithm on that key either periodically or every time a button is pressed. One of these devices is shown as figure 9. The provider of the security token maintains a secure database that contains the initial value for each token and also implements the algorithm. Upon first receipt of the token, the user pairs it with their account by entering the serial number on the back of the device. Thereafter, whenever the client wishes to connect to the network, they press the button and a temporary passcode is generated and displayed on the device; it is valid for only one session and invalidates all previous passcodes (Kamburugamuva, 2008).
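An added example (not the page's or any token vendor's code) of the scheme above: the device derives passcodes from its secret and a press counter, and the provider's verifier accepts each passcode once, tolerates a few presses that were never submitted, and invalidates all earlier passcodes by advancing the counter. HOTP (RFC 4226) is assumed as the "known algorithm", since the page does not name one; the serials and seeds are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The device in the user's hand: a secret plus a counter advanced on each press."""
    def __init__(self, serial: str, secret: bytes):
        self.serial, self.secret, self.counter = serial, secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1            # each press yields a fresh passcode
        return code


class TokenServer:
    """Provider side: per-serial seed and the next expected counter, plus user pairings."""
    def __init__(self, look_ahead: int = 5):
        self.tokens = {}             # serial -> [secret, next expected counter]
        self.users = {}              # username -> serial
        self.look_ahead = look_ahead # presses made but never submitted are tolerated

    def register(self, serial: str, secret: bytes) -> None:
        self.tokens[serial] = [secret, 0]  # constructed initial value for this token

    def pair(self, user: str, serial: str) -> bool:
        """The user enters the serial from the back of the device to bind it to the account."""
        if serial not in self.tokens:
            return False
        self.users[user] = serial
        return True

    def verify(self, user: str, code: str) -> bool:
        """Accept a passcode once; advancing the counter invalidates all earlier passcodes."""
        serial = self.users.get(user)
        if serial is None:
            return False
        secret, counter = self.tokens[serial]
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.tokens[serial][1] = c + 1
                return True
        return False
```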