A virtual private network (VPN), otherwise known
as a client tunnel, is an encrypted path through the Internet
between two endpoints. The endpoints of the tunnel are a host
running a VPN service and a client running an appropriate
client software package for that service. The resulting link
provides a secure communications channel for computer traffic
between the two endpoints.

Figure 1
Figure 1 shows a typical connection through the Internet from a
home user system to a target system on a typical network. The
network is connected to the Internet; thus any system connected to
the Internet can gain access to the target system without hindrance.
However, there is a major problem with this design: lack of
security. The network itself is not secure and must rely upon each
individual workstation to provide for authorization.
With the above design, any computer system that is attached to
the Internet can gain access to any system on the same network as
the target system. This means that any data on the network is
vulnerable to being stolen, replaced, or deleted by someone who has
no business performing such tasks. Imagine what would happen in such
a situation if someone accessed the payroll department computer with
malicious intent. Securing each individual system would be one step
in helping with this problem.
However, securing all systems on the network involves a great
deal of work. Even securing a single system is a lengthy process. As
the network grows this task becomes more complex and cumbersome.
There is also typically no reason that all of the systems on the
network need to be accessible from the outside world. Although the
network systems may need to connect to the Internet to access data,
that does NOT mean that the entire Internet should be able to access
all of the data on the network.

Figure 2
To help protect internal systems from external harm, firewalls
are placed just inside of the border of the network (as close to the
Internet as possible). Figure 2 shows a typical installation of a
firewall. Any system not on the network attempting to contact a
protected system is denied access by the firewall. A firewall may
permit limited access to systems on the network such as those
providing web, mail, and FTP services while simultaneously blocking
all other access. Under most circumstances, this solution works best
because it protects internal systems from external harm. Internet
users are allowed limited access to resources on the network while
being denied access to all other systems.
However, with the advent of mobile computing, many employers are
permitting their staff to work on the road (using laptops) or from
their homes (using personal computers). In order to gain access to
the private network, these systems typically use some sort of
dial-up method to connect to an internal system. From there, the
remote systems are considered to be part of the network and may
perform any work necessary as if they were physically on the
network. This solution can be inexpensive when only a small number
of connections need to be made. It is also a fairly reliable way for
employees to perform their duties remotely. The downside of dial-up
connections is speed, and costs increase as demand increases.
Even though modem technology has advanced rapidly, federal law
prohibits any further gains in data communication speeds using
public telephone lines. The current law (as of June 1, 2001) limits
communications speeds over public telephone lines to 53 kbps
(kilobits per second). Modern modems are rated at 56 kbps but are
limited to 53 kbps by law. Although data compression routines can
provide theoretical boosts in speed, compression can only achieve a
50% gain in performance under the best of conditions. This limits
large data transfers and prevents many applications from running at
acceptable speeds.
The problem can be solved by using private telephone lines (such
as ISDN and DSL) or by using an alternative method (such as a cable
modem). The use of ISDN lines is beginning to grow; however,
large-scale use is cost prohibitive. Additionally, the service is
not available in all areas of the country. DSL and cable modems are
typically less expensive and within the price range of the home
user. Many home users are already switching to such services as
their primary ISP (Internet Service Provider) in lieu of using
telephone lines with slower connection speeds. While satellite
modems (systems that download at high speed from an orbital
satellite and upload at low speed via a telephone line) are
available for Internet access in all parts of the United States,
such systems are not compatible with the VPN client system. This is
because the VPN client system requires that there be no latency
(delay) in data transmission. By its very nature, the satellite
system has latency on its download link, which prevents the VPN
client system from properly maintaining its timing.
Many of these newer technologies are able to make connections to
the Internet at speeds equal (or nearly equal) to the speed of a
local network. With this increase in speed, home users are able to
perform tasks more rapidly than with the use of dial-up lines. In
addition, there is a cost savings to the company as the demand for
dial-up phone lines decreases.
Of course, there is a problem with these services. The use of
such services brings us back to the situation with which we started:
how to protect the network from remote users while at the same time
permitting a select few access. One solution would be to have static
entries for the remote systems' Internet addresses. Unfortunately,
an ISP will typically not permit such activity. Address space on the
Internet is limited and very valuable. Even if the ISP does permit
the leasing of a single address, the address is fixed and not
mobile. Mobile users would not be able to use the service, and there
is typically a premium to pay for such a service.

Figure 3
Enter the VPN. Since the VPN creates a virtual link between the
remote client and a VPN server, any user attached to the Internet
can use a VPN. However, because a VPN requires special client
software, and that software carries a private encryption key, the
VPN link is secure. Figure 3 shows a typical connection with a VPN
service on a router inside of the network.
With a VPN, the remote client makes a connection using special
encryption software. That software uses a private encryption
key distributed by the network administrator to VPN users
authorized to use the network. Additionally, a VPN client
must perform a special network login procedure similar to
that made with a dial-up connection. This adds a level of
security, ensuring that only the authorized user is making
the connection. Thus, should the remote user's system be lost
or stolen, unauthorized connections are avoided.
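The two-step admission described above (a key distributed by the administrator plus a separate user login), as an added illustration that is not code from the original page and models no real VPN protocol; the HMAC challenge, the function names and the user records are assumptions, and it also shows the key revocation an administrator would apply when a laptop is lost:

```python
# Simplified model of the VPN gateway decision: the client software must
# prove it holds the admin-distributed key AND the user must log in.
# Constructed sample data; hypothetical design, not any real VPN product.
import hashlib
import hmac
import os
from typing import Tuple

CLIENT_KEYS = {"laptop-42": b"distributed-by-admin-0123456789abcdef"}  # key id -> key
REVOKED_KEYS = set()                  # key ids of lost or stolen systems
_salt = b"constructed-salt"
USERS = {"jdoe": (_salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", _salt, 100_000))}


def server_challenge() -> bytes:
    """Fresh nonce per connection so a captured key proof cannot be replayed."""
    return os.urandom(16)


def client_key_proof(key: bytes, nonce: bytes) -> bytes:
    """What the client software derives from its embedded private key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def revoke_key(key_id: str) -> None:
    """Administrator action after a remote system is reported lost or stolen."""
    REVOKED_KEYS.add(key_id)


def admit(key_id: str, proof: bytes, nonce: bytes, user: str, password: str) -> Tuple[bool, str]:
    """Gateway decision: key possession and user login must both succeed."""
    key = CLIENT_KEYS.get(key_id)
    if key is None or key_id in REVOKED_KEYS:
        return False, "unknown or revoked client key"
    if not hmac.compare_digest(client_key_proof(key, nonce), proof):
        return False, "bad key proof"
    rec = USERS.get(user)
    if rec is None:
        return False, "unknown user"
    salt, stored = rec
    if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), stored):
        return False, "bad password"
    return True, "admitted"


def connect(key_id: str, key: bytes, user: str, password: str) -> Tuple[bool, str]:
    """One client attempt: fetch a challenge, answer it with the key, then log in."""
    nonce = server_challenge()
    return admit(key_id, client_key_proof(key, nonce), nonce, user, password)
```

A stolen laptop carries the key but not the password, so `connect` refuses it with "bad password", and once the administrator calls `revoke_key` even a correct password no longer admits that system.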