VPNs

Networks on the Net
How Virtual Private Networks Work
Virtual private networks allow secure access to the corporate network as well as links between corporate sites over public IP networks. On the market you will find special routers, switches and appliances for this, but also pure software solutions. In addition, companies can obtain complete VPN services from service providers.

What is a matter of course today was unthinkable a few years ago: transmitting sensitive corporate data over shared lines, or even over the public Internet. The dedicated leased lines used previously offered a degree of data security in themselves and were additionally combined with encryption techniques. Shared IP networks, however, offer such a significant cost advantage, flexibility and general availability that solution providers early on looked for ways to make them safe enough for the high demands of business. The solution is the Virtual Private Network, VPN for short. It represents a dynamic, virtual company network over the public network, in which the company's data is shielded from all other IP traffic on the same lines and routers. VPNs not only connect company locations directly with each other, they also make the local company network accessible from anywhere: via DSL (Digital Subscriber Line) from the home office, from the WLAN (Wireless Local Area Network) hotspot at the airport, or from a customer meeting via the customer's local network and the Internet. For the user the VPN is always transparent. He works as if he were in the company LAN, because the VPN merely establishes a logical connection over the public network.

The importance of VPNs continues to grow, and they are now also finding their way into the private sector. The term VPN covers a variety of different techniques and is not clearly defined. Although the use of virtual private networks is not limited to IP networks, the following deals mainly with the IP VPNs that dominate today. Internet Protocol version 4, developed some 30 years ago, has no security mechanisms of its own. Confidential data is therefore exposed, while in transit over public networks, to a variety of attacks that aim either to obtain it or to alter it. VPNs that are to provide secure transmission must therefore meet three requirements: they must ensure authenticity, confidentiality and integrity. Authenticity means identifying the authorized users of the VPN and verifying that data originates only from them and not from other sources. Confidentiality is ensured by secure data encryption. Finally, it must be ensured that third parties cannot alter the data, the so-called data integrity.

On the way through the tunnel
VPNs establish a logical connection from any starting point (the VPN client) to a VPN server (also called VPN gateway, VPN concentrator or VPN termination point). This connection is called a tunnel because the content of the transferred data is not visible to the rest of the IP world. There are two main application scenarios for VPNs: linking corporate locations and "dialling in" employees. The former is known as a site-to-site VPN, in which the local networks of two or more business locations are connected via one VPN gateway each. Remote-access VPNs allow mobile workers, and increasingly customers or suppliers, to access the corporate network from any location via the Internet and a VPN server. A lesser role is played by point-to-point VPNs, the direct VPN connection between two computers, for example for remote maintenance. The technical principle is the same for all three types: the gateways encrypt the IP packets and encapsulate them whole in another packet. While the header of the new packet finds its way through the Internet to the destination, the header of the wrapped packet disappears into the data part; the Internet routers cannot see the information it contains and therefore cannot evaluate it.

The most popular VPN (or tunnel) protocols are the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Tunneling Protocol (L2TP) and the IP Security protocol (IPsec). PPTP and L2TP come from the Windows world and are losing significance. PPTP's encryption has long been regarded as no longer safe enough. L2TP has no encryption mechanism of its own but can be combined with different encryption methods; this, however, comes with considerable overhead and leads to lower net data rates. L2TP does have one advantage, at least on Windows: it requires no separate VPN client, because the operating system already includes one. In Windows XP and Vista Microsoft builds on L2TP over IPsec, which combines both protocols and relies on IPsec rather than L2TP for encryption. While PPTP and L2TP operate at the level of the Ethernet protocol, i.e. on OSI (Open Systems Interconnection) layer 2, IPsec works at the IP level, OSI layer 3 (see Figure 2). It is also the youngest tunnel protocol. It was created as the encryption and authentication mechanism for IP version 6 (IPv6) and then back-ported by its developers, as a separate protocol, to the still prevailing IPv4 stack. It offers the most advanced encryption methods and can be integrated seamlessly into existing IP networks, which is why it has become the de facto standard for IP-based VPN connections.

IPsec meets the requirements of authenticity, confidentiality and integrity with two methods of data protection: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The Authentication Header serves to authenticate IP packets: from the original packet and a secret key known only to sender and receiver, the sender computes a checksum. The receiver also computes the checksum and compares it with the one the sender attached to the packet. In this way it can ensure that the packet comes from the stated sender and has not been altered. ESP, by contrast, both authenticates and encrypts the packets; only a recipient holding the same key as the sender can decrypt the data. Both methods are independent of the cryptographic algorithms used to create the checksum or to encrypt the data. This independence makes IPsec extremely flexible and future-proof. To ensure interoperability between VPN solutions that support the IPsec standard, specific procedures are defined: for the Authentication Header the hash algorithms MD5 and SHA, for ESP the most widely used encryption standards 3DES and AES.

The encryption methods differ primarily in key length. A key that is too short can, just like a weak password, be cracked by simple arithmetic, and increasing computing power rapidly shortens the time required. More powerful hardware on the one hand allows the use of ever larger keys, and on the other hand makes them necessary, since more available computing power shortens the time needed to break the encryption. The Data Encryption Standard (DES) with 56-bit keys is the oldest method and has long been regarded as not safe enough. Its successor 3DES (Triple DES) encrypts the data three times in succession with keys 56 bits long, the second key being applied in reverse, i.e. as a decryption, which is why the process is called EDE (Encrypt-Decrypt-Encrypt). The result is an effective key length of only 128 bits. Although 3DES provides much greater security than DES, it is criticized, especially because advanced cracking algorithms for DES can be ported to 3DES. Furthermore, the process is increasingly proving too slow for ever larger data volumes. The state of the art today is therefore the Advanced Encryption Standard (AES), which is also used in WPA2 encryption for wireless networks. It encrypts data blocks of 128 bits with keys 128, 192 or 256 bits long. Its advantage lies in the high speed of the algorithm, but also in its simple implementation in hardware or software. Currently 128-bit keys are considered secure against brute-force attacks, since 2^128 possible keys already require the use of supercomputers. But thanks to graphics cards with high-performance GPUs (graphics processing units), such computing power will soon move into homes as well.

Obstacles in the tunnel
Thanks to its combination of modularly designed mechanisms, the IPsec protocol is considered extremely secure, but also complicated to configure. Some manufacturers try to counter this by offering matched servers and clients as well as graphical tools that make setup easier. IPsec provides various encryption and operating procedures that must be set for a VPN connection. Moreover, when the VPN tunnel is set up the participants authenticate each other and generate and exchange the secret keys for the subsequent protection of the data. In IPsec-based VPNs two components handle all these tasks: the Security Associations and Key Management. Security Associations (SA) describe the exact configuration of the IPsec protocols. They specify, among other things, whether AH and/or ESP is used, which encryption algorithms are used and how long the keys are valid. A valid Security Association is required for every IPsec connection. Key Management is responsible for creating and managing the keys. The Internet Key Exchange protocol (IKE) used by IPsec authenticates the participants to each other, exchanges the security policies established in the SAs and provides the key exchange for data encryption. The IKE negotiation is divided into two phases: during the first, a secure connection is established; only in the second, already encrypted, phase is the actual VPN tunnel set up. Special authentication procedures ensure that at no point in the negotiation does a password or key travel over the network in clear text. Setting up a VPN with IPsec therefore discloses no security-relevant information.

The complex connection setup, however, conflicts with the NAT (Network Address Translation) used on access routers, i.e. the translation of private into public IP addresses; the IPsec pass-through method supported by some devices does not resolve this completely. Only the specially developed and standardized IPsec NAT-Traversal extension resolves these difficulties. Because IPsec, like L2TP and PPTP, operates on the lower layers of the communication protocols, it works independently of the application protocols it carries. For the home office or small branch office IPsec is also interesting because it transparently carries data such as VoIP. IPsec tunnels are also quite efficient, since all applications share a single tunnel and no additional overhead is incurred per application. On the other hand, for host-to-LAN connections IPsec needs special client software on the end device; on Windows, though, a growing selection is now available. In principle, interoperability between VPN clients and VPN servers from different manufacturers is given, but when special features are used a look at the manufacturers' compatibility lists is recommended.
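To make the AH checksum comparison described above concrete, here is an added example in Python (not code from the article): the keyed checksum is an HMAC, computed as AH does over the IP header with its mutable fields zeroed plus the payload, and verified by the receiver in constant time. It also shows where the NAT conflict mentioned above comes from: a router decrementing the TTL leaves the check intact, but a NAT device rewriting the source address breaks it. The key, addresses and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key. In real IPsec the key is negotiated by IKE and never
# sent in the clear; it is hard-coded here only so the example runs offline.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
AH_PROTOCOL = 51  # IP protocol number of the Authentication Header


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = AH_PROTOCOL) -> bytes:
    """Minimal 20-byte IPv4 header without options; header checksum left at zero."""
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 words
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(header: bytes) -> bytes:
    """AH computes its ICV over the IP header with the fields that legitimately
    change in transit (DSCP/ECN, flags and fragment offset, TTL, header checksum)
    set to zero, so a hop decrementing the TTL does not invalidate the packet."""
    h = bytearray(header)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def compute_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Sender side: keyed checksum (HMAC-SHA-256 truncated to 128 bits, as IPsec
    integrity algorithms do) over the immutable header fields and the payload."""
    data = zero_mutable_fields(header) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def verify_icv(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the checksum and compare in constant time."""
    return hmac.compare_digest(compute_icv(key, header, payload), icv)


def demo() -> dict:
    """Check a constructed packet and several modified copies of it."""
    src, dst = "192.0.2.10", "198.51.100.20"  # constructed documentation addresses
    payload = b"constructed payload: GET /intranet HTTP/1.1"
    header = build_ipv4_header(src, dst, ttl=64)
    icv = compute_icv(SHARED_KEY, header, payload)

    hopped = build_ipv4_header(src, dst, ttl=63)           # router decremented TTL
    natted = build_ipv4_header("203.0.113.1", dst, ttl=63)  # NAT rewrote source
    return {
        "unmodified": verify_icv(SHARED_KEY, header, payload, icv),
        "ttl_decremented": verify_icv(SHARED_KEY, hopped, payload, icv),
        "nat_rewrote_src": verify_icv(SHARED_KEY, natted, payload, icv),
        "payload_tampered": verify_icv(SHARED_KEY, header, payload + b"X", icv),
        "wrong_key": verify_icv(b"other-key", header, payload, icv),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} {'accepted' if accepted else 'rejected'}")
```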

Applications can build tunnels too
A special case of VPN is the Secure Sockets Layer (SSL) or, respectively, Transport Layer Security (TLS), which is often not regarded as a full-fledged VPN solution. As an application-layer protocol, SSL/TLS operates at the level of the application protocols and is thus bound to individual applications. Its development is due to Netscape, which first integrated it into its Navigator browser in the mid-90s. After version 3.0 (SSLv3) the IETF (Internet Engineering Task Force) took over development and standardization. Under the name Transport Layer Security it now provides secure AES or RSA encryption. The current TLS version 1.2 dates from August 2008. Today all browsers support SSL/TLS. This makes the protocol by far the most widely used VPN technology ever, because most Internet users transfer their personal data via SSL, in many cases unknowingly: all web services that handle confidential data, such as web shops or banks, automatically establish such a connection, which the user often notices only by a small notification window. Since the Secure Sockets Layer sits at the level of the application protocols, it must be integrated into each of them. The SSL/TLS-enabled versions of the protocols each received a new TCP/UDP port and a new name with the word "Secure": HTTP became HTTPS (HyperText Transfer Protocol Secure). The same fate befell others: the SSL-enhanced mail protocols POP3, IMAP and SMTP are now called POP3S, IMAPS and SMTPS. Although using SSL/TLS requires neither separate client programs nor VPN gateways, all software that wants to use or provide services over SSL/TLS has to include the extension: on the one side every browser and e-mail client, on the other every web, SMTP, POP and IMAP server implementation. Solutions like OpenVPN do not modify individual applications but handle all communication via TLS, though only with a trick: they push their way between the non-TLS-capable application and the TCP layer. Another extension of TLS access works with Java servlets: the browser downloads the servlet, which mostly works as a generic TCP/UDP proxy and thus also opens access to all UDP-based applications. Using the browser as the client reveals a further advantage of this approach: almost every device with a browser, even smartphones with a proprietary operating system, can be used for remote access.

Light and shadow
Looking at the benefits of TLS, such as use directly from the application and cost-effective implementation using TLS-enabled servers, the question arises why it is not used for all VPN connections. The reason lies in its specific limitations: first, it encrypts only the data, not all of the communication. Second, it allows access only to those services that use SSL/TLS. Third, TLS allows access from anywhere, including unsecured computers. For banks and websites that is precisely what makes TLS interesting: regardless of the location and configuration of the customer's computer, a TLS-enabled browser establishes an application-specific tunnel to them. IPsec, however, protects the whole connection and allows access only from devices or systems authorized to do so. It can enforce access and security policies and prevents attempted attacks such as spoofing or flooding on the network.

Thus both protocols have a right to exist, according to their different use cases: IPsec for access and networking for companies, SSL for secure Internet transactions. Both protocols are considered secure because they use symmetric encryption algorithms, authentication and key management. While with IPsec there are always certificates on both sides, with SSL this is optional on the client side. For more security, more and more website owners use so-called Extended Validation SSL certificates (EV SSL certificates) from an external CA such as VeriSign. The strength of layer-2 VPNs such as PPTP or L2TP, being able to transport network protocols other than IP, such as IPX, has lost its importance with the almost complete extinction of these protocols. Since the term VPN is not clearly defined, some publications also describe VLANs (virtual LANs) as so-called intranet VPNs. Dividing a LAN into multiple virtual LANs is the task of layer-2 switches, which separate the data streams at the port level. This keeps the data streams of, for instance, workgroups, finance or human resources departments separate at port level and thereby makes interception more difficult. Since neither encryption nor authentication is used, however, VLANs differ fundamentally from the methods described above.

Pure Formality
VPN in hardware, software or as a service?
As diverse as the technical variants of Virtual Private Networks are, so is the number of products available for establishing VPNs. Software and appliance vendors also face competition from service providers.

Application scenarios for the use of Virtual Private Networks (VPNs) are many, but they are usually employed to connect business locations and to give employees on the road or at home access to the corporate LAN. In the former case, the site-to-site VPN, the VPN gateways of two or more company locations are linked together. Remote-access VPNs connect the computer of, say, a mobile employee to the corporate network via the Internet. While VPN clients for remote-access VPNs always take the form of software on the end device, quite different variants of the VPN implementation exist on the company network side. The simplest solution is provided by appliances: a black box that provides the VPN gateway functions.

With and without nesting
Another variant is the integration of the VPN gateway function into other network components. Routers and firewalls already perform complex data processing and integrate more and more security features, so it is natural to let the VPN server run directly on them as a service. Besides hardware solutions there are pure software packages for Windows, Linux and other Unix derivatives. They give the user freedom of hardware choice and open up many configuration options. But if those are not needed, appliances are often the simplest solution, especially since software plus the required hardware is not always cheaper. Alternatively, VPNs can be set up with the on-board tools of server operating systems, such as those supplied with Linux, Solaris or Windows Server. In addition, open-source software such as OpenVPN is available, which runs across operating systems: Linux, Mac OS X, Windows and various Unix derivatives. Since the VPN server is a single point of failure and in the event of an outage there is no access to the entire network, it should be redundant, or there should at least be several VPN gateways in the network. Which solution is used depends primarily on the requirements for performance and scalability, but also on design aspects. Looking at the specialized network security providers for VPN solutions, one increasingly finds them under the heading Unified Threat Management (UTM). The manufacturers want to emphasize that individual security measures do not provide adequate protection.

Good placement is required
Among the security features of UTM count, besides VPNs, firewalls, virus protection, intrusion detection and prevention, and content and spam filters. Devices that specialize in only one task are, according to this definition, Specialized Security Appliances (SSA). Another marketing keyword for centralized management and the most flexible possible access to corporate networks is Network Admission (or Access) Control (NAC), which strictly speaking refers only to access permissions. Since VPNs in corporate networks protect traffic coming from outside, the VPN gateway is sensibly placed at the edge of the company's own network. From there the router can carry the traffic unencrypted through the local company network, so that everyone accessing through the tunnel can use all the local functions such as Quality of Service (QoS). This applies to the linking of company locations as well as to access by remote devices. Since VPN gateways form the transition from the corporate network to the Internet, they are often found directly on the firewall or the access router. Separate VPN gateways and appliances are generally connected directly to the access router. Larger companies operate more than one VPN gateway, and their arrangement is dictated by regional distribution, scalability and availability requirements. When a remote PC connected to the corporate network via VPN accesses sites on the public Internet, it could take the direct route or go via the VPN. Even if the latter seems complicated at first glance, it is nonetheless always recommended: first, the data on the first leg of the way, from the Internet access to the corporate network, travels over an encrypted line, which considerably increases security, especially when using a wireless LAN. Second, the traffic always passes through the corporate firewall, so that all protection mechanisms implemented there, such as virus protection or intrusion detection, can take effect.

Everything at home
A side effect of the complete encapsulation of the IP header concerns IP addresses. The original address, usually assigned by the provider, is no longer visible, only the address assigned when the VPN was established. In some cases this can cause problems when a service checks the IP address of origin or specific address ranges. Conversely, this effect can be exploited, for example by using an American VPN provider to obtain a U.S. IP address, in order to get around geolocation services and read websites available only in the U.S. There remains the question of possible performance degradation when using VPNs. Practice shows that today's hardware provides enough computing power to perform the VPN encryption without the user noticing. When accessing the corporate network from outside, throughput is limited more by the Internet access technology, such as DSL. Although nothing technical speaks for it, the simple view persists that VPNs are only something for corporate networks. Nevertheless, they are becoming increasingly interesting for home networks, as is evident from the fact that more and more manufacturers of home routers integrate a corresponding function. The reasons are ever faster Internet access alongside new features that turn the router into a so-called Integrated Access Device (IAD), for example by connecting USB hard drives. This lets you access, from the Internet, the local hard disk on which the photos are stored, for example, or take a look at the surveillance camera. The only hurdle is the dynamic IP address that changes after the forced disconnection every 24 hours. There are corresponding solutions like DynDNS (www.dyndns.de) to deposit the current IP address on a web server. If the home router also has the functions of a VPN server, you can securely access the home network via the Internet as if you were at home.

The VPN solution integrated into the AVM Fritz!Box can be regarded as exemplary in this respect, as it not only brings strong AES encryption as standard but also offers a wizard that generates the configuration of router and client automatically. In addition to implementing one's own VPN in the corporate network, a complete VPN service can be purchased from a service provider. This is particularly useful if the provider not only supplies the access line but also a managed service that includes the operation of the access router. All major providers that have business connections in their program offer a managed VPN service, and there are also providers specializing in VPNs.

My VPN, your VPN
In addition to agreeing on the protocols and technical parameters such as throughput and number of tunnels, operating parameters such as availability, response and recovery time or monitoring tools must be taken into account. Operation and management of the VPN service are then up to the service provider. Instead of specifying individual nodes, paths and parameters, service providers use provisioning tools with which they simply define the end points and attributes and from these automatically create the configuration of the network elements. Some providers make these tools available to the customer directly (self-provisioning). A VPN service solution therefore does not free one entirely from technical know-how, but compared with a self-built solution it offers considerably more flexibility with respect to extensions or modifications.

A special feature is the MPLS VPN (Multi Protocol Label Switching), which only service providers, especially those with their own IP/MPLS infrastructure, can deliver. MPLS has become the standard that service providers use to handle huge IP traffic on their networks efficiently: instead of every router examining every packet again, the edge of the network adds a label to the packets, so that all packets from a session travel in the same stream. MPLS therefore works like a tunnel and is suitable for use as a VPN. The advantage of MPLS networks is above all that they can provide a throughput guarantee for certain services and that they treat and prioritize different data streams (such as video or voice over IP) separately (CoS, Class of Service). MPLS VPNs are well suited for connecting company locations where telepresence and/or IP telephony are in use. For the customer an MPLS VPN acts like a leased line, and since it is entirely sealed off within the provider's network it offers a degree of data security even without encryption. Nevertheless, a combination with IPsec for data encryption is better, also because MPLS is only available within the service provider's network. From the carrier's point of view MPLS is also the tool of choice for migrating legacy platforms, because it offers the possibility, via so-called Virtual Private Wire Services, to tunnel ATM and frame relay data or Ethernet packets directly over the IP network. CoS also facilitates the migration of previously separate voice and video networks.
