Introduction. Think of all the packets routing across the Internet. You might think you could send your packets to just about anyplace and not worry about someone else tapping into the flow. Reality is much different. In particular, when you think about competitive business environments, you realize that tapping into other firms' data and information flows could be very informative.
We have talked a fair amount about internal network security at a fairly general level. Now we need to talk some more about the security associated with transmitting packets of information across the Internet. VPN - Virtual Private Networking gets its name from the idea that certain things should be done to increase the likelihood that information gets only to where it should, exactly as it was sent. It is intended to help VPN users think and feel that they have a private network tunneled within the Internet.
A virtual network gives its user the sense of a direct connection to another location. The privacy component of VPN is based on encryption of the data as it travels across a wider network. Putting these together creates the VPN. VPN can be configured to work through dial-up connections or router-to-router connections on the Internet.
Tunneling. In order to develop security in VPNs, a tunnel is created. A tunnel is essentially a logical point-to-point connection that supports authentication and encryption of data from one endpoint of the tunnel to the other.
Tunneling hides the original packet inside a new packet called the encapsulation packet. To ensure the packet can still reach its intended destination, the address of a tunnel endpoint is placed in the header of the containing packet. This containing packet header is called the encapsulation header. Since the original packet, with its original destination address, is still contained within the encapsulation, when the encapsulated packet reaches the tunnel endpoint it can be opened back up to reveal the original destination address.
Tunnels can be established at different layers of the OSI model.
Layer 2 Tunneling. Most VPN configurations make use of tunneling protocols that operate at Layer 2, the Data Link Layer. These protocols provide a virtual link from one point to another. PPTP - Point-to-Point Tunneling Protocol works at this level. The L2F - Layer 2 Forwarding protocol also operates at this level. L2F can operate over ATM and Frame Relay because it is not dependent on IP. Unlike PPTP, L2F can support more than one connection.
Cisco developed L2F, which is supported by the IOS - Internetworking Operating Systems used by Cisco products. In addition, Nortel and Shiva products support L2F.
L2TP - Layer 2 Tunneling Protocol combines elements of PPTP and L2F. All of these protocols will be discussed in more detail in the next web page.
Layer 3 Tunneling. Tunnels can also be developed at Layer 3, the Network Layer, so they can be used for IP-based virtual connections. These connections work by sending packets within IETF-specified protocol wrappers. These wrappers typically make use of the following.
- IPSec - IP Security
- IKE - Internet Key Exchange
- Authentication/Encryption Methods
  - MD5 - Message Digest 5
  - DES - Data Encryption Standard
  - SHA - Secure Hash Algorithm
IPSec can be used in conjunction with L2TP: L2TP establishes the tunnel and IPSec does the encrypting. In that arrangement IPSec is said to be operating in transport mode. IPSec can also provide the tunnel itself when operating in tunnel mode. IPSec Layer 3 tunneling can be used in situations where L2TP is not appropriate.
IPSec can provide encapsulation only for IP packets. L2TP can provide encapsulation for IPX and other protocol packets across an IP network. Since some gateways do not support L2TP or PPTP, IPSec can be used to provide the tunnel from gateway to gateway.
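The encapsulation mechanism described under Tunneling, and the difference in what an on-path observer can read between a packet sent with its original header on the outside (as in transport mode) and one wrapped in a new header addressed to a tunnel endpoint (as in tunnel mode), can be seen in a few lines of code. The following is an added example written for this page; it is not code from the original page or from any VPN product. It implements plain IP-in-IP encapsulation (IANA protocol number 4) in pure Python: it has no encryption or integrity protection, which is what IPSec's ESP adds on top of this layout. All addresses and payloads are constructed sample values.

```python
"""
Added example (not from the original page): IP-in-IP encapsulation.

A minimal IPv4 "original" packet is wrapped in an outer IPv4 header whose
destination is the tunnel endpoint (the encapsulation header), then the
endpoint strips that header to recover the original destination.  A helper
shows which addresses an on-path observer can read from the outermost header.
No encryption is performed; this shows only the encapsulation layout.
"""
import socket
import struct

IPPROTO_IPIP = 4    # IANA protocol number for IP-in-IP encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]   # bytes 10-11 hold the checksum
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header fields; raise ValueError if the header does not verify."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    (vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: hide the original packet behind an encapsulation header."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, my_addr: str) -> bytes:
    """Tunnel exit: accept only packets addressed to this endpoint that carry
    IP-in-IP, validate the inner header, and return the original packet."""
    o = parse_ipv4(outer)
    if o["dst"] != my_addr:
        raise ValueError("not addressed to this tunnel endpoint")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    inner = o["payload"]
    parse_ipv4(inner)   # reject a malformed inner packet before forwarding it
    return inner


def visible_addresses(wire: bytes) -> dict:
    """What an on-path observer learns from the outermost header alone."""
    h = parse_ipv4(wire)
    return {"src": h["src"], "dst": h["dst"], "proto": h["proto"]}


# Constructed sample: a host on one site sends UDP to a host on another site.
ORIGINAL = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"hello")
# Constructed public addresses of the two tunnel gateways (documentation ranges).
GW_A, GW_B = "203.0.113.1", "198.51.100.1"


def demo() -> dict:
    """Run the packet through the tunnel and report what each party sees."""
    wire = encapsulate(ORIGINAL, GW_A, GW_B)
    seen = visible_addresses(wire)          # only the gateway addresses show
    recovered = decapsulate(wire, GW_B)     # endpoint recovers the original
    inner = parse_ipv4(recovered)
    return {"seen_by_observer": seen, "inner_dst": inner["dst"],
            "inner_payload": inner["payload"], "roundtrip_ok": recovered == ORIGINAL}


if __name__ == "__main__":
    print(demo())
```

Calling visible_addresses(ORIGINAL) on the unwrapped packet returns the site addresses 10.1.0.5 and 10.2.0.9, which is the transport-mode situation: the original header stays on the outside, and only the payload is protected. On the encapsulated packet it returns only the two gateway addresses, which is why tunnel mode between gateways hides the internal addressing of both sites from anyone watching the Internet path. The decapsulation step also refuses packets that are not addressed to it, that are not IP-in-IP, or whose header checksums fail, which is the minimum a tunnel endpoint should check before forwarding an inner packet onto its network.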
Operating System Support. Pretty much all modern operating systems provide support for VPN. This enables VPN connections to servers to be made as easily as dial-up connections.
Windows products after Windows 95 can function as VPN clients using built-in components. Windows 9x and Windows NT support PPTP. Windows 2000 supports both PPTP and L2TP.
Linux supports the use of IPSec and PPTP. You can also create a pseudo tunnel by running PPP - Point-to-Point Protocol through SSH - Secure Shell. SSH makes use of RSA public key technology to authenticate and secure the connection.
Why Use VPN? The first thing we want to do is discuss some different scenarios where VPN might well be useful. The following outline of some different VPN scenarios should help.
- Provide Remote Access to Mobile or Home-Based Employees
  - The VPN client must be able to make use of the same protocols as the VPN server
    - tunneling
    - network
    - transport
    - encryption
  - After the VPN components are installed, the connection is established using the approach in the diagram.