The Basics of Virtual Private Networks (VPN)


Abstract

This document introduces the concept of a VPN (Virtual Private Network) and provides some initial insight into how these tools are used in the context of an overall security framework.

Introduction

VPN is a term we hear quite often these days, but many people probably have little idea what it means. It’s often associated with enterprise connectivity - when remote workers connect to the corporate network - but the concept is also now gaining popularity with home users and small businesses.

With a VPN, two or more remote computers or networks can connect securely to each other to form a virtualized local network that uses a public infrastructure, such as the Internet, as a means to transmit intranet data. It’s called a virtual private network because the network is not physical but has all the characteristics of a dedicated LAN. VPNs benefit people and organizations by allowing them to establish trusted network connections and use conventional tools like file and printer sharing, network conferencing, collaboration tools, etc., from anywhere where there is Internet access.

Besides providing network connectivity, VPNs have one very important security implication: they can keep data private when you’re using insecure (public) Internet access hubs such as WiFi hotspots or unfamiliar local ISPs.

There are a number of ways in which a VPN can be set up and used to provide secure shared access and exchange of data:

  • Peer-to-peer access, where all members join a trusted network and use this network’s shared resources. You can be a thousand miles away from each other and still see your colleague’s files as if they were on a local computer. Typically, this requires that each connecting member has Internet access and runs special VPN software that allows remote networking via the Internet. VPNs can be used this way to, for example, remotely access documents stored on your work PC while using your home PC.

  • Client access VPNs, where a company’s employee connects to the corporate network from a remote location, for example while on a business trip. This requires the deployment of a VPN server at the corporate gateway and VPN client software running on the employee’s laptop.

  • Site-to-site VPN, where the remote networks of multiple branch offices, for instance, can be linked together to create one larger homogeneous network.

  • Intranet VPN, where computers belonging to the same physical network are placed in a protected VPN to secure data in transit or to assign specific privileges to a particular group of users.

Principles

The Internet is a transparent network, meaning that if a person has the right tools and knowledge, any unencrypted communication can be intercepted and viewed by unauthorized third parties. To transmit private data over public networks securely, VPN protocols encrypt communications at the sending end and decrypt them at the receiving end, so that they cannot be deciphered while in transit.

This ‘tunneling’ of data, the main principle of the VPN, deserves further explanation. The word ‘tunneling’ refers to the establishment of a secure transmission channel over the Internet which enables data to travel through an imaginary isolated tunnel where it cannot be accessed by unauthorized parties. Tunneling is a multi-stage process:

  1. The original packet of data is ready to be sent. This packet is called the passenger packet because it’s going to be transmitted through the tunnel.

  2. An encapsulating protocol, usually IPSec or L2TP, is applied to the original packet to wrap it in a new (outer) packet that will store and transport the passenger packet through the tunnel. The process of encapsulation is akin to placing a letter inside an envelope to protect it while it is in transit through the postal system.

  3. In the process of encapsulation the package is encrypted with one of several common encryption standards. The strongest standard currently available is AES-256.

  4. The package is transmitted over a public network, typically the Internet, and decrypted and de-encapsulated at the receiving end.

VPN protocols provide a variety of authentication methods to verify the identities of the sender and recipient of passenger packets so that the data is transmitted to the right destinations. The strongest authentication method currently available is SHA-2 with a 512-bit digest (SHA-512).
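To make the four tunneling steps and the authentication step concrete, here is an added example (not code from Agnitum or from any VPN product) that encapsulates one passenger packet in Go using only the standard library: an outer header with the cleartext tunnel endpoints, a random IV, the passenger packet encrypted with AES-256 in CTR mode, and an HMAC-SHA-512 tag over everything before it. The packet layout, the length-prefixed header encoding, the two keys and the sample addresses are all constructed for this example; they are not the IPSec or L2TP wire formats, and a real VPN negotiates its keys per session rather than using fixed constants. The `OuterHeader` function shows exactly what an observer on the public network can read, and the tampered-packet check at the end shows the receiver rejecting a packet that was altered in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// Tiny length-prefixed encoding for the outer header (constructed for this example, not the IPSec/L2TP wire format).
func putField(buf *bytes.Buffer, b []byte) {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(b)))
	buf.Write(l[:])
	buf.Write(b)
}

func getField(b []byte) (field, rest []byte, err error) {
	if len(b) < 2 || len(b)-2 < int(binary.BigEndian.Uint16(b)) {
		return nil, nil, errors.New("truncated field")
	}
	n := int(binary.BigEndian.Uint16(b))
	return b[2 : 2+n], b[2+n:], nil
}

// OuterHeader parses only the cleartext tunnel endpoints of an outer packet: exactly
// what a sniffer on the public network can learn from it.
func OuterHeader(outer []byte) (src, dst string, hdrLen int, err error) {
	s, rest, err1 := getField(outer)
	d, rest, err2 := getField(rest)
	if err1 != nil || err2 != nil {
		return "", "", 0, errors.New("malformed outer header")
	}
	return string(s), string(d), len(outer) - len(rest), nil
}

// Encapsulate performs steps 2 and 3 for one passenger packet. Outer packet layout:
//   header(cleartext endpoints) || 16-byte IV || AES-256-CTR(passenger) || HMAC-SHA-512 tag
// The tag covers everything before it (encrypt-then-MAC), so neither header nor ciphertext can change unnoticed.
func Encapsulate(encKey, authKey []byte, outerSrc, outerDst string, passenger []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	putField(&buf, []byte(outerSrc))
	putField(&buf, []byte(outerDst))
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	buf.Write(iv)
	ct := make([]byte, len(passenger))
	cipher.NewCTR(block, iv).XORKeyStream(ct, passenger)
	buf.Write(ct)
	mac := hmac.New(sha512.New, authKey)
	mac.Write(buf.Bytes())
	return mac.Sum(buf.Bytes()), nil
}

// Decapsulate is step 4 at the receiving end: verify the tag first, then decrypt.
func Decapsulate(encKey, authKey, outer []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	_, _, hdrLen, herr := OuterHeader(outer)
	if err != nil || herr != nil || len(outer) < hdrLen+aes.BlockSize+sha512.Size {
		return nil, errors.New("bad key or malformed outer packet")
	}
	body, tag := outer[:len(outer)-sha512.Size], outer[len(outer)-sha512.Size:]
	mac := hmac.New(sha512.New, authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: tampered packet or wrong key")
	}
	iv, ct := body[hdrLen:hdrLen+aes.BlockSize], body[hdrLen+aes.BlockSize:]
	passenger := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(passenger, ct)
	return passenger, nil
}

func main() {
	encKey, authKey := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x24}, 64) // constructed keys
	passenger := []byte("src=10.0.0.5 dst=10.0.0.9 data=quarterly-report.xlsx")   // constructed inner packet
	outer, err := Encapsulate(encKey, authKey, "203.0.113.7", "198.51.100.2", passenger)
	if err != nil {
		panic(err)
	}
	src, dst, _, _ := OuterHeader(outer)
	fmt.Printf("observer sees tunnel %s -> %s and %d opaque bytes\n", src, dst, len(outer))
	got, err := Decapsulate(encKey, authKey, outer)
	fmt.Printf("receiver recovers %q (err=%v)\n", got, err)
	outer[len(outer)/2] ^= 1 // one bit flipped in transit
	_, err = Decapsulate(encKey, authKey, outer)
	fmt.Println("after tampering:", err)
}
```

Two design points are worth noticing. The receiver checks the HMAC-SHA-512 tag with a constant-time comparison before it decrypts anything, so a forged or modified packet is dropped without ever reaching the decryption code; and the tag is computed over the cleartext header as well as the ciphertext, so an attacker cannot redirect the tunnel by editing the outer addresses. Encryption and authentication use separate keys, as IPSec does with its distinct encryption and integrity algorithms.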

Benefits of a VPN

The core benefits of a Virtual Private Network from the home user’s perspective are:

  1. Secure transmission of data over an insecure infrastructure.

    The use of WiFi and other untrusted networks represents a huge risk to the confidentiality of information sent through them. This risk can be eliminated by setting up a VPN and using it when traveling. Even though the data can be visible to prying eyes such as sniffers and other tools, it’s not accessible to anyone except the designated recipient because of the encryption and authentication requirements. Unauthorized third parties will only be able to see the external wrapper (the outer packet) - they won’t be able to taste the candy (the original packet) inside.

    The VPN in this case is the secured intranet, where WiFi data is transmitted over the secure link of a VPN tunnel inside the insecure physical network (wireless network).

    There are many commercial services providing Intranet VPN security for WiFi users; JiWire is a particular favorite of mine. If you’ve had a good experience with a WiFi VPN service, we invite you to share your experience on our blog.

  2. The ability to create a trusted network and share resources.

    The Internet can connect people, and a VPN can complement it to provide a safe and convenient way to set up a private network and access stored data from any location in the world. There are many free and easy-to-use solutions to help you set up and share a VPN with your friends; Hamachi and OpenVPN are my favorites.

Conclusion

VPNs bring security, scalability and connectivity to an inherently insecure communications medium - the Internet - by creating an isolated encrypted channel that both individuals and companies can use. But of course, wherever legitimate data can go, so can unwanted communications. So you still need to use your firewall and anti-malware solutions and follow safe Internet use practices.

Meet Security Insight Author


Igor Pankov has always been fascinated with computers, the Internet, and the freedom of knowledge at your fingertips...

All rights reserved © 1999–2013, Agnitum Ltd.