Virtual Private Networks
Greg Whalin
As wide area networks (WANs) become increasingly prevalent among corporations and educational organizations, network and systems administrators should expect pressure from management to find low-cost, reliable, and secure networking solutions. Unfortunately, with telecommunications costs remaining fairly high, meeting network demands by throwing a slew of leased lines at the problem is just not a viable solution. A corporation with branch offices in ten cities will quickly be swamped by a massive telecommunications bill if the WAN consists of a mesh of T1 lines between all of the offices. Fortunately, a solution exists, and has existed for some, time. in the form of Virtual Private Networks.
A virtual private network (VPN) can be thought of, in the simplest sense, as a tunnel that may or may not span several networks. Often this tunnel incorporates some form of encryption, but that is not absolutely required. Using the concept of a VPN, a company or organization can simply pay for a local connection to an ISP, and then create a "tunnel" through the Internet to the branch offices. Rather than paying for a full mesh of long-distance leased lines between offices, the corporation can create a virtual mesh using the available capacity of the Internet. By adding encryption to this tunnel, this mesh can become very secure, providing worry-free data transmission between all offices at a fraction of the cost of a full, meshed leased-line approach. An added benefit is seen when a new site is brought into the picture. Rather than having to add n-1 leased lines (where n is the number of offices), the new office only needs to add one leased line and then tunnel to all of the existing offices. This provides for quick, easy, secure, and cheap expansion.
Virtual private networking can be beneficial to a corporation in yet another way. More and more companies are seeing an influx of telecommuting employees. These workers may even be located across several remote countries. Before virtual private networks, this could mean excessive dial-up costs, because the telecommuter would have to dial into the company intranet. By using the VPN, the telecommuter need only pay for a dialup with a local ISP and then tunnel through the Internet into the company intranet. Here again, encryption can provide for a secure link. VPNs are revolutionizing the way that systems and network administrators are attacking networking growth.
As we know from experience, there is never only one way to do anything in the computer world. The same holds true for VPN implementation. However, the many types of VPN technology can be broken down into two main categories, on-demand and permanent.
On-Demand An on-demand VPN is basically one that does not exist 100% of the time. It is traditionally used for dial-up uses or application specific uses. In these cases, the secure tunnel is created before use and destroyed after use of the network. Often this setup is the cheapest and easiest to implement. An example can be demonstrated with the security package called SSH. SSH is, for the most part, an encrypted terminal application that is used primarily by UNIX administrators for securely accessing remote servers. However, the developers added a very nice perk to SSH. It has the ability to forward (or tunnel) TCP services from the client to the server over an already existent, encrypted TCP connection. Thus, SSH allows the user to create a very simple VPN. It may not be tunneling all network activity, but often that is not needed. For example a user needs to connect to a remote POP server over the Internet, but, the company restricts all POP access to the server except from the local network.
The user has two options. He or she can either dial into the company access server and pay long distance rates (perhaps from an expensive hotel line), or the user can dial into a local provider, and, using SSH, connect through the Internet to a secured SSH server on the Company's local network. The built-in forwarding feature of SSH can forward all POP requests through the encrypted tunnel to the company POP server. SSH does this by binding to the POP port (Port 110) on the local host and forwarding all packets through to the remote end. Then, all the user has to do is open the connection, point the mail reader to localhost (for the POP server), and check mail. Additionally, SSH will allow the user to create as many forwarding entries as he or she needs. This allows the user to securely tunnel several different TCP services through the encrypted SSH connection. SSH is available on several platforms (including most variants of UNIX, as well as Windows NT/95) and is freely available from http://www.cs.hut.fi/ssh. A commercial version is available from http://www.datafellows.com. Documentation is available in several locations throughout the Internet.
Another popular on-demand VPN technology is available from Microsoft. This is a subset of Microsoft's Dial-Up Networking (DUN) package and is called Point to Point Tunneling Protocol (PPTP). This method allows the user to dial in to a local provider and tunnel through to an internal Windows NT 4.0 RAS server. Like SSH, it provides for an encrypted tunnel to an internal network. However, it differs from SSH in that it forwards all TCP/IP packets through the tunnel, whereas SSH only forwards specific TCP ports. The downfall to this approach is that it relies on Windows technology and is not portable to other variants of UNIX. However, Cisco and several other vendors (3COM, Ascend, US Robotics) have announced support for PPTP, so the possibility for more porting does exist. PPTP provides an excellent on-demand VPN from a remote Windows client to an internal Windows NT 4.0 server. For more information, refer to http://www.microsoft.com.
Permanent A major downfall to almost all variants of the on-demand type of VPN software is that it locks the user into a point-to-point connection. A much more flexible VPN is one that relies on a permanent connection. This connection always exists, allowing for transparent access to the users of the entire LAN. The users are not made aware that they are using an encrypted tunnel, because the encryption, setup, and routing issues are handled by a completely separate system. This system is either an existing router (using the router OS), or a separate server running specific software (firewall software or VPN software). This type of VPN is often used in the case of multiple office networks that need to be internetworked in some manner.
One way to implement a VPN is to use your existing router and simply update the OS on that router and its peers to include support for encrypted tunneling. I will use Cisco Systems as an example, because their routers make up most of the Internet; however, several other router vendors also support this approach. Using the appropriate Cisco IOS software, it is quite simple to set up a tunnel interface from one branch office router in one state, to another branch office router in a different state. This allows the corporation to purchase local access for both routers and create a virtual link between both routers through the Internet.
If encryption is applied to the tunnel, the company now has a virtual, secure link between both offices, which is transparent to the users at both locations. The tunnel is created by linking a stable interface on one router to a stable interface on the remote router (with Cisco, the loopback interface is used). This results in a new tunnel interface, which is affectively a point-to-point link between both offices. Using routing rules, the network administrator can specify that all network traffic between the two offices uses the newly created tunnel interface. Then, the administrator can apply an encryption scheme to the tunnel. The users can pass internal data straight to the other office just as if the company had a permanent, internal leased circuit between the offices. Hence, the Virtual Private Network.
Another way the company can create a VPN between offices is to purchase a dedicated server for each location. This server will handle the creation of the tunnel and the encryption/decryption of all packets destined to pass through it. This server may also handle the firewall application for that office. In fact, firewall vendors often include VPN functionality into their firewall applications. This provides for intranet security and also provides the needed VPN capabilities in one software package. The VPN setup used with the Cisco router is basically the same for almost any vendor. However, the underlying technology is somewhat different. Several firewall and VPN vendors are incorporating a new technology called S/WAN, which is an early implementation of a new standard called IPsec.
IPsec is an addition to the TCP/IP protocol that provides for IP layer encryption. IPsec is actually part of the proposed IPv6 scheme, but, rather than waiting for wide deployment of IPv6 over the Internet, a group of vendors led by RSA Data Securities created S/WAN. Products that offer VPN technology based on S/WAN provide one major advantage over on-demand VPN technology or tunneling VPN technology: the setup of the VPN link is automatic and dynamic. That means, if a user at Site A wants to browse off a Web server at Site B, the connection would automatically become encrypted as long as both ends passed through a VPN or firewall server with S/WAN capabilities. This provides for an almost dynamic host-to-LAN, host-to-host, or LAN-to-LAN virtual private network. This method also removes the necessity of purchasing the same software on both ends of the link. Since S/WAN is being developed by a very large group of vendors, we now have the ability to have a multi-vendor VPN with little or no setup concerns.
Integration Into Existing Network The first step for any network or systems administrator before implementing a VPN into their current setup is forming a plan. The administrator should consider the following questions. What is the final goal? Is the VPN meant to handle dial-up solutions, or inter-office networking? What is important (cost, bandwidth, security)? For dial-up users, does the entire PPP session need to be encrypted, or just a few important services? Is there already a Windows NT server available to handle PPTP connections, or will one need to be purchased? For inter-office networking, is your main concern cost or bandwidth and reliability of the connection? If reliability of the connection and speed of the link are the main concerns, then the best solution may be to actually purchase a dedicated link between offices rather than relying on the stability of the Internet as a whole. If reliability and bandwidth can be sacrificed, then a VPN may be the better choice.
In the case of the VPN, would the company be better off just adding the capability to the existing routers, or should a dedicated VPN server be purchased? Obviously, several issues must be considered and much research needs to be done to answer this question. There is no one solution to encompass every situation that can arise in a growing network. Some organizations may find that a hybrid approach is the best way to implement a VPN. For others, SSH tunneling for remote telecommuters coupled with tunneling and encryption for inter-office networks may be the way to go. Every situation will be different, and only after much consideration and thought will the best solution be found.
Conclusion This article is intended to provide a general idea of how a VPN works, and where the use of a VPN is applicable. This article only touches on the surface of VPN technology. There is enough information on the subject that whole books have been written about virtual private networks and their use. There is also a wealth of information available on the Internet concerning the use of several different methods of VPN technology. As the Internet continues to grow, and more employees telecommute to work everyday, I think we will see a greater need for VPN technology. How this technology will evolve will be answered only by the continuous work done by firewall vendors, router vendors, and VPN vendors. And, of course, when IPv6 is widely deployed, virtual private networks will encompass most of the Internet. All packets will be encrypted and secured throughout the entire Internet. But until then, network and systems administrators must continue to make due with the current methods of creating cheap and secure data pathways.
Resources
http://lybra.cybersurf.net/cns/pptpfaq.htm
http://www.microsoft.com/windows/common/nrpptp.htm
http://www.busn.ucok.edu/tips/info_hrd/vpn.HTM
http://www.cs.hut.fi/ssh/
http://www.cisco.com n
About the Author
Greg is currently is currently in charge of all enterprise-wide networking issues and is the head systems administrator for a diverse number of development servers (Linux, Solaris, SunOS, HP-UX, IRIX, AIX SP/2, NT) for his company. He is also in charge of all Internet/Intranet-related security, which includes the widespread use of virtual private networks and the maintenance of several firewall systems. He can be reached at: gwhalin@net66.com.
|