[Dr.WoW] [No.23] Introduction to VPN Technology

Latest reply: Aug 14, 2019 09:27:21
The wireless access needs of large companies are not limited only to those of the company HQ network―branch companies, offices, mobile employees and partner entities also require access to company HQ network resources. Everyone knows that these circumstances require the use of Virtual Private Network (VPN) technology, but choosing which VPN technology to use still requires quite a bit of skill and knowledge, and therefore I, Dr. WoW, will share some of my knowledge about this below.

VPNs refer to private, dedicated virtual communications networks established on public networks, and are extensively used in corporate network scenarios where branch organizations and mobile employees connect to their company's HQ network.

How are VPN networks and VPN technologies generally classified?

1 VPN Classification

1.   By the entity that builds them

This kind of classification is made according to whether the VPN network's endpoint equipment (key equipment) is provided by a carrier or by the enterprise itself.

  • Leasing carrier VPN lines to build a corporate VPN network: as shown in Figure 1-1, this primarily refers to leasing a carrier's Multiprotocol Label Switching (MPLS) VPN line services. Examples of this include the MPLS VPN line services offered by China Unicom and China Telecom. The main advantage of MPLS VPN lines compared with more traditional leased transmission lines, such as E1 or Synchronous Digital Hierarchy (SDH) lines, is that line leasing costs are lower.

Figure 1-1 Leasing carrier VPN lines to build a corporate VPN network


  • User-built VPN networks: as shown in Figure 1-2, the most commonly used method at present is to build an Internet-based corporate VPN network using technologies such as GRE, L2TP, IPSec, DSVPN, and SSL VPN. With this approach, a company only needs to pay for equipment purchases and Internet access fees―there is no VPN line leasing fee. In addition, companies retain more decision-making power over network control, and can carry out network adjustments more conveniently. The VPNs that I'll be introducing are exactly this class of VPNs.

Figure 1-2 User-built enterprise VPN network


2.   By the method of network organization

  • Remote access VPNs: Figure 1-3 shows the scenario in which a mobile employee connects to the network using a VPN dial-up. From any place with an Internet connection, the employee can dial in remotely to reach the enterprise's internal network and access its resources.

Figure 1-3 Remote access VPN


  • Site-to-site VPN: As shown in Figure 1-4, this kind of VPN is used when interconnecting the LANs of two of an enterprise's branches from different locations.

Figure 1-4 Site-to-site VPN


3.   By type of use

  • Access VPNs (remote access): targeted towards mobile employees, these permit a mobile employee to "step-over" the public network to obtain remote access to a company's internal network.
  • Intranet VPNs: intranet VPNs use a public network to interconnect a corporation's various internal networks.
  • Extranet VPNs: an extranet VPN uses a VPN to extend a company's network to include its partners' offices, allowing different companies to set up a VPN together using the Internet. The difference between intranet VPNs and extranet VPNs primarily lies in the extent to which access is granted to a company's HQ network resources.

Figure 1-5 Remote access VPN/intranet VPN/extranet VPN


4.   By the network layer on which VPN technology operates

  • Data link layer-based VPNs: L2TP, L2F, and PPTP. Of these, L2F and PPTP have already been replaced by L2TP, and this chapter will not further detail these two technologies.
  • Network layer-based VPNs: GRE, IPSec, and DSVPN
  • Application layer-based VPNs: SSL

2 Key VPN Technologies

What Internet-based VPN technologies have in common is that they must all solve the security problems of a VPN network:

  • The geographical location from which mobile employees connect to a network is not fixed, and the locations they connect from are frequently not protected by their company's information security measures, so there needs to be strict access authentication for mobile employees. This involves identity authentication technology. In addition, there also needs to be precise control over the resources that mobile employees can access and the authority given to them.
  • Authorization needs to be granted flexibly to partner companies/individuals as the business develops, and limits also need to be placed on the extent to which partners can access the network and on the categories of data they can transmit. It is recommended that identity authentication be conducted for partners. After successful authentication, security policies can be used to limit partners' access privileges.
  • In addition, data transmission between HQ and its branch organizations, partners, and mobile users must be secure, and achieving this involves data encryption and data validation technologies.

The key technologies that VPNs use to resolve these problems are briefly explained below:

1.  Tunneling technology

Tunneling technology is a fundamental VPN technology, and is similar to point-to-point connection technologies. As shown in Figure 1-6, after VPN gateway 1 receives the original packet, it "encapsulates" the packet, and then transmits it over the Internet to VPN gateway 2. VPN gateway 2 then "decapsulates" the packet to obtain the original packet.

Figure 1-6 Tunneling technology


The "encapsulation/decapsulation" process itself is what protects the original, 'raw' packets, and the logical path that encapsulated packets travel when transmitted over the Internet is called a "tunnel". Different VPN technologies encapsulate and decapsulate packets in completely different ways, and the specific encapsulation process of each VPN technology will be explained in detail below.

2.   Identity authentication technologies

These are primarily used for remote connections by employees working away from the office. HQ's VPN gateways authenticate users' identities to confirm that the users connecting to the internal network are legitimate users rather than malicious ones.

Different VPN technologies provide different methods for user identity authentication:

  • GRE: does not support user identity authentication technology.
  • L2TP: relies on PPP-provided authentication (for example, CHAP, PAP, or EAP). When authenticating users accessing the network, it can use either local authentication methods or a third-party RADIUS server to verify the users' identities. Following successful authentication, users are assigned internal IP addresses, and authorization and management of the users is conducted using these IP addresses.
  • IPSec: supports EAP authentication of users when IKEv2 is used. Authentication can be made using local authentication methods or using a third-party RADIUS server. Following successful authentication, users are assigned internal IP addresses, and authorization and management of the users is conducted using these IP addresses.
  • DSVPN: does not support user identity authentication technology.
  • SSL VPN: supports local authentication, certificate-based authentication and server-based authentication of access users. In addition, users seeking to connect to a network can also authenticate the identity of the SSL VPN server to confirm the SSL VPN server's legitimacy.

3.  Encryption technology

Encryption is the process of turning a plaintext message into a ciphertext message. As shown in Figure 1-7, this means that even if hackers intercept and capture a packet, they have no way of knowing its real content. Both data packets and protocol packets can be encrypted, which improves the security of the protocol itself as well as of the data it carries.

Figure 1-7 Data encryption


  • GRE and L2TP: do not provide encryption themselves, so they are generally combined with IPSec and rely on IPSec's encryption technology.
  • IPSec: supports encryption of data packets and protocol packets.
  • DSVPN: supports encryption of data packets and protocol packets after an IPSec security framework is configured.
  • SSL VPN: supports encryption of data packets and protocol packets.

4.  Data validation technologies

Data validation technology inspects packet integrity, and discards counterfeit packets and packets that have been tampered with. How is this validation conducted? By using a kind of "digest" technology, shown in Figure 1-8 (the figure only shows the validation process; under normal circumstances, validation is used together with encryption). "Digest" technology primarily uses a hash function to condense a packet of any length into a short, fixed-length digest. The digest is computed at both the sending and receiving ends, and only packets whose digests are identical are accepted.

Figure 1-8 Data validation


  • GRE: only provides simple checksum validation and keyword (Key field) validation, but it can be used together with IPSec, allowing IPSec's data validation technology to be used.
  • L2TP: doesn't provide data validation technology itself, but can be used together with IPSec protocols, allowing IPSec data validation technology to be used.
  • IPSec: supports complete data validation and data source validation.
  • DSVPN: supports complete data validation and data source validation after an IPSec security framework is configured.
  • SSL VPN: supports complete data validation and data source validation.
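As an added example (not the post's own code, and not any Huawei implementation), the following Python models what VPN gateway 1 and VPN gateway 2 in Figure 1-6 do for a GRE tunnel, using the checksum and keyword (Key field) validation that the GRE bullet above describes: the sender encapsulates the original packet, and the receiver decapsulates it only if the checksum and key check out. The header layout follows RFC 2784/2890; the packet bytes and key value are constructed samples.

```python
import struct

# GRE header bits (RFC 2784 / RFC 2890). All sample values below are constructed.
GRE_C_BIT = 0x8000    # C flag: checksum present
GRE_K_BIT = 0x2000    # K flag: key present
PROTO_IPV4 = 0x0800   # protocol type of the encapsulated packet

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, the form GRE uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encapsulate(inner: bytes, key: int) -> bytes:
    """VPN gateway 1: wrap the original packet in a GRE header with C and K set."""
    flags = GRE_C_BIT | GRE_K_BIT
    # The checksum field is zero while the checksum is computed over header + payload.
    hdr = struct.pack("!HHHHI", flags, PROTO_IPV4, 0, 0, key)
    csum = inet_checksum(hdr + inner)
    return struct.pack("!HHHHI", flags, PROTO_IPV4, csum, 0, key) + inner

def gre_decapsulate(packet: bytes, expected_key: int):
    """VPN gateway 2: check checksum and key; return (ok, payload or reason)."""
    if len(packet) < 12:
        return False, "truncated"
    flags = struct.unpack("!H", packet[:2])[0]
    if not (flags & GRE_C_BIT and flags & GRE_K_BIT):
        return False, "checksum or key missing"
    # A packet carrying a correct checksum sums to zero after complementing.
    if inet_checksum(packet) != 0:
        return False, "checksum mismatch (corrupted or tampered)"
    key = struct.unpack("!I", packet[8:12])[0]
    if key != expected_key:
        return False, "key mismatch (not our tunnel)"
    return True, packet[12:]

# Constructed stand-in for the original packet (payload bytes, not a real IPv4 header).
SAMPLE_INNER = b"\x45\x00" + b"original-packet-from-branch-LAN"
SAMPLE_KEY = 0x0000BEEF

def demo():
    """Good packet, a packet with one flipped payload bit, and a wrong-key packet."""
    tunnelled = gre_encapsulate(SAMPLE_INNER, SAMPLE_KEY)
    tampered = tunnelled[:-1] + bytes([tunnelled[-1] ^ 0x01])
    return (gre_decapsulate(tunnelled, SAMPLE_KEY), gre_decapsulate(tampered, SAMPLE_KEY),
            gre_decapsulate(tunnelled, 0x12345678))
```

A checksum and a cleartext key only catch corruption and packets from the wrong tunnel; unlike IPSec's data-source validation they give no protection against a forged packet from anyone who can read the tunnel traffic, which is why the post pairs GRE with IPSec.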

3 Summary

Table 1-1 is a brief summary of the commonly used security technologies and use scenarios for GRE, L2TP, IPSec, and SSL VPNs.

Table 1-1 Comparison of commonly used VPN technologies

| Protocol | Scope of Protection | Use Scenario | User Identity Authentication | Encryption and Validation |
|---|---|---|---|---|
| GRE | Data at the IP layer and above | Intranet VPN | Not supported | Simple keyword validation and checksum validation supported |
| L2TP | Data at the IP layer and above | Access VPN, Extranet VPN | PPP-based CHAP, PAP, and EAP authentication supported | Not supported |
| IPSec | Data at the IP layer and above | Access VPN, Intranet VPN, Extranet VPN | Pre-shared key or certificate-based authentication and IKEv2's EAP authentication supported | Supported |
| DSVPN | Data at the IP layer and above | Intranet VPN, Extranet VPN | Not supported | Supported after an IPSec security framework is configured |
| SSL VPN | Specific application-layer data | Access VPN | User name/password or certificate authentication supported | Supported |

This section has provided a brief introduction to VPNs. If these basics are not enough, a more detailed introduction to the use, configuration, and principles behind each kind of VPN technology is given below.



user_2790689
Created Jun 19, 2015 07:28:46

Thank you.

alba11
Created Apr 3, 2016 20:50:46

Here is a link where some VPN services are explained: https://securitycatch.com/vpn-reviews/ Does someone know which of these services is better?


little_fish
Admin, Created Aug 14, 2019 09:27:21

very helpful