Academic year: 2021



Virtual Private Network (VPN)

By Vanny Heang

NewHeart

[email protected]

2012.08.16


I. Introduction

It has been a few decades since the Internet was founded. Even though the Internet was originally established for military purposes only, it has expanded so boldly over time that IPv4, which provides about 4.3 billion addresses, is being used up, and IPv6 is succeeding it. As a consequence, people depend more and more on the Internet, from everyday social life to office work, not to mention the flow of business. As a business grows, it needs a more effective and, of course, more secure means of communicating between a particular branch and the main office for everyday business and for its e-business flow. In addition, traveling employees such as salespeople need an equally secure and reliable way to connect to their company's network from remote locations, whether from a laptop, PDA, smartphone or any other device. Not only businesses but also ordinary users like us want a more reliable way to browse. In particular, we want a better way to use our credit cards, send and receive email, and do other daily tasks on the Internet.

Therefore, Internet security has become a hot topic in the computer field. So far there have been countless approaches by researchers from different places to Internet security technologies, such as the IPsec protocol, SSL, security tokens, firewalls, and so on. Among those, during the last decade one technology has stood out for letting ordinary users and enterprises use the Internet in a more reliable environment: the Virtual Private Network (VPN).

A VPN is literally a private network that uses a public network, normally the Internet, to provide a virtual, secured way of communicating between remote hosts. It is a combination of many existing technologies such as SSL, IPsec, tunneling, public-key cryptography, firewalls, and others, depending on the type of VPN.

II. Why VPN?

Although a number of technologies have been created for the similar purpose of securing connections over the public Internet, VPN stands out from the crowd because it provides several handy functions for users, as follows.

- Secure Remote Network to Extranet: By using a VPN, clients can have a secure line that connects them to the VPN server from anywhere in the world, as long as they are connected to the Internet. After a mandatory successful authentication, the VPN server gives the client, which can be a single remote user or a whole office LAN, the privilege of being part of the network as if it were on the same LAN, and the client can do everything the local server offers from a distance, virtually and securely. In other words, a VPN allows a remote host to be part of a private network virtually, using the Internet as the backbone.

- Data Security and Integrity: A VPN provides authentication (user authentication, computer authentication, data authentication) and data encryption. With its cryptography and tunneling protocol, it is difficult to argue that VPN is not actually the most reliable technology.

- Virtual Firewall: Having a VPN server is like deploying another firewall. The VPN server itself acts like a second-layer firewall that helps ensure that no illegal packet gets through to the local server. Also, a VPN server can help prevent all kinds of direct attacks, since it does the Network Address Translation (NAT) and routing work when a request comes through the tunnel from outside.

- Anonymous Surfing: As more people are concerned about their privacy on the Internet, VPN provides a handy function for those users. By using a VPN, they can do all their surfing on the Internet anonymously. More importantly, a VPN encrypts everything in the channel it is using, so users can rest assured that their identity is never going to be exposed to unintended third parties.

- Hotspot Sniffing Prevention: More and more people want to check email, do e-transactions, or access their workplace server when they are out of the office, at home, in a coffee shop, or at an airport terminal using a hotspot. It is very unsafe to do so; in particular, users are vulnerable to password sniffing. There could easily be a man in the middle waiting to sniff all of the users' confidential information. However, if users use a VPN for their surfing, sniffing is very unlikely to occur.

- Break the DNS Policy: A proxy also provides the same function of breaking the DNS policy. However, a VPN is better than a proxy because it lets users browse anonymously and securely, since in a VPN the data is encrypted in the tunnel, which will be explained later. Therefore, users no longer have to be afraid that they cannot access Facebook in mainland China!

III. Type of VPN

VPN can be classified in a variety of ways. We can say there are Intranet, Remote Access, and Extranet VPN. Similarly, it can be PC-to-PC, LAN-to-LAN, and remote access VPN. We can also classify it as IPsec VPN, SSL VPN, PPTP VPN, L2TP VPN, and MPLS VPN, where IPsec and SSL VPN are the most common. But if we consider the underlying technology, we can classify virtual networks as follows.

(Source: Pepelnjak Ivan, & Guichard Jim. (2001). "MPLS and VPN Architectures." Indianapolis: Cisco Press.)

However, VPN can be comprehensively categorized as follows.

1. Dial-up VPN (PPTP / L2TP VPN): It is the most commonly and widely used VPN. A dial-up VPN requires no VPN client hardware on the client side; instead, the client can access the VPN server solely through its existing Internet connection. Over that connection a secure tunnel is established, and the client then has to provide valid VPN credentials in order to log on to the server. Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) are the two most frequently used dial-up VPNs. They are quite similar: both are dial-up VPNs and both use the PPP protocol to do encryption. However, L2TP is superior to PPTP to the extent that L2TP is more secure; it requires a certificate.


(Source: www.skullbox.net)

2. Site-to-Site VPN: Normally using IPsec or GRE technology, this VPN is used for a secure connection between two sites, each of which is connected to the Internet. It is normally used to connect two offices, which do not have to be on the same ISP. Unlike a point-to-point VPN, each site needs hardware (a router), and the routers at both sides do all the work.

(Source: www.skullbox.net)

3. Point-to-Point VPN: It is a leased-line VPN. Each site of the network is dedicated to a common ISP. It does not go over the public Internet, so its performance is not affected by routing problems, latency, or external connections. Using this VPN, each site can rapidly transmit a large amount of data in a very secure way. The only bad thing is that, as quality goes up, it is also more expensive.


4. Multiprotocol Label Switching (MPLS) VPN: An MPLS VPN is normally used for connections between multiple sites, including even a data center. Compared to a site-to-site VPN, an MPLS VPN is better since the routing between sites is optimized by static routes from the ISP. It is the most sophisticated VPN and requires a lot of engineering work to create and maintain.

(Source: www.skullbox.net)

5. Hybrid VPN: This kind of VPN combines features of the other types of VPN in order to match the customized needs of clients and to keep up with new Internet trends. Normally, a hybrid VPN makes the VPN server able to accept connections from multiple types of VPN client.

Each type of VPN has its own pros and cons, so there must be a trade-off in deciding which one is suitable, considering the scale of server and client, bandwidth, topology, and so on.

IV. VPN Concept: Tunneling & Encryption

There are various kinds of VPN, created for different topologies, scales, business purposes, and other reasons. However, all types of VPN share two common characteristics: tunneling and encryption. They are the two main armors of VPN, which make VPN the most secure line to this day.


1. Tunneling

Loosely, a VPN uses a tunneling protocol to create a tunnel (a secure channel) for packets to be transmitted through. Again, of course, there is more than one type of tunneling technology; for example, there are the Secure Socket Tunneling Protocol (SSTP), the Point-to-Point Tunneling Protocol (PPTP), and Secure Shell tunneling. However, what they do is similar; they just do it a little differently.

The tunneling protocol seeks the most suitable route through all the routers available on the public Internet. After finding the most suitable route (the shortest and most secure channel) for the data packets to travel, it encrypts the channel. The tunnel is made almost impossible for any hacker to penetrate. Also, the tunneling protocol keeps track of the channel while packets are still being transmitted along it. This is very vital and makes the VPN tunnel even more secure, because if a sophisticated hacker does penetrate the tunnel, the tunneling protocol will detect the penetration, normally by noticing a sudden slowdown in packet speed. It will then shut the tunnel down immediately and create another tunnel, which makes it impossible for the hacker to hijack the data.

More than that, the tunnel also plays an important role as a potential virtual firewall for a server. Hence, as mentioned above, deploying a VPN is like having another level of firewall for the corporate network. Every time a remote host requests a connection, through its public IP address, to a network that has a VPN server, it has to go through the VPN server first. If we deploy a VPN server, we can give the local LAN only internal private IP addresses, which are unreachable from outside, while only the VPN server has a public IP address. Therefore, each time a remote VPN client wants to connect to the server, it has to 1) seek and establish the most secure tunnel to reach the VPN server, 2) authenticate with the VPN server, and 3) pass through the VPN server's firewall; then 4) the VPN server decrypts the data packet and sends it on to the destination LAN.

The VPN server also performs a similar process in the reverse direction, using its routing table to send data from a local server back through the VPN server to the remote host.

2. Encryption

The tunnel technology itself already makes a VPN very secure, but encryption is the other armor of VPN. Again, there are many different types of VPN encryption, for example IPsec encryption, GRE encryption, SSL encryption, and so on. Therefore, even if there were a chance that a sophisticated hacker could penetrate an encrypted VPN tunnel, which is also almost impossible, there would still be no chance for the hacker to read the message being sent, because the message is encrypted with an unbreakable algorithm. Simply put, there are two levels of protection in VPN technology, tunneling and encryption: everything sent through the encrypted tunnel is encrypted, from the source IP address and destination IP address to the payload.

(Figure: tunnel from IP 1.2.3.4 to IP 192.168.0.1 and on to IP 192.168.0.X; the VPN server performs client authentication, virtual firewall, routing, and decryption.)


(Figure: Encryption of L2TP traffic with IPsec ESP (Microsoft). Source: http://technet.microsoft.com)
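The following Go program is an added illustration, not part of this paper or of any VPN product, of the two levels described in section IV: an inner packet that carries the private addresses and the payload is encrypted and authenticated as one unit, and is then carried inside an outer packet that shows only the public addresses of the client and the VPN server. It also walks through the server-side steps listed above (check the packet, verify and decrypt it, and pass it through a firewall rule before it reaches the LAN) using AES-GCM from the Go standard library as the cipher in place of a full IPsec ESP implementation. The packet layouts, the server type, the key, and the addresses 1.2.3.4, 5.6.7.8 and 192.168.0.0/24 (taken from the figures in this paper) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// innerPacket is what a VPN client actually wants delivered inside the LAN.
// The two 4-byte addresses stand in for a real IP header (constructed layout).
type innerPacket struct {
	Src, Dst net.IP
	Payload  []byte
}

func (p innerPacket) marshal() []byte {
	b := make([]byte, 8+len(p.Payload))
	copy(b[0:4], p.Src.To4())
	copy(b[4:8], p.Dst.To4())
	copy(b[8:], p.Payload)
	return b
}

func unmarshalInner(b []byte) (innerPacket, error) {
	if len(b) < 8 {
		return innerPacket{}, errors.New("inner packet too short")
	}
	return innerPacket{Src: net.IP(b[0:4]), Dst: net.IP(b[4:8]), Payload: b[8:]}, nil
}

// outerPacket is what crosses the public Internet. Only the public addresses
// and a sequence number are in clear; the whole inner packet (private
// addresses included) is encrypted and authenticated, so it is both hidden
// and tamper-evident.
type outerPacket struct {
	Src, Dst   net.IP
	Seq        uint32
	Ciphertext []byte // encrypted inner packet followed by the 16-byte GCM tag
}

// header returns the clear-text fields so they can be bound into the tag as
// associated data: rewriting them on the wire invalidates the tag.
func (o outerPacket) header() []byte {
	h := make([]byte, 12)
	copy(h[0:4], o.Src.To4())
	copy(h[4:8], o.Dst.To4())
	binary.BigEndian.PutUint32(h[8:], o.Seq)
	return h
}

// nonce builds the 12-byte GCM nonce from a fixed salt and the sequence
// number. A nonce must never repeat under one key, so each direction of the
// tunnel gets its own key and sequence numbers only ever increase.
func nonce(seq uint32) []byte {
	n := make([]byte, 12) // first 8 bytes: constant salt for this example
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate is the client side: wrap the inner packet, encrypt it, and
// address the result to the VPN server's public IP.
func encapsulate(key []byte, src, dst net.IP, seq uint32, inner innerPacket) (outerPacket, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return outerPacket{}, err
	}
	out := outerPacket{Src: src, Dst: dst, Seq: seq}
	out.Ciphertext = aead.Seal(nil, nonce(seq), inner.marshal(), out.header())
	return out, nil
}

// server is the VPN server end of one tunnel: the key, the LAN it fronts, and
// the last sequence number accepted (a minimal anti-replay check).
type server struct {
	key     []byte
	lan     *net.IPNet
	lastSeq uint32
}

// decapsulate performs the server-side steps: reject replays, verify the tag
// and decrypt, then act as the virtual firewall by letting the inner packet
// through only if its destination lies inside the protected LAN.
func (s *server) decapsulate(pkt outerPacket) (innerPacket, error) {
	if pkt.Seq <= s.lastSeq {
		return innerPacket{}, fmt.Errorf("replayed or out-of-order seq %d", pkt.Seq)
	}
	aead, err := newAEAD(s.key)
	if err != nil {
		return innerPacket{}, err
	}
	plain, err := aead.Open(nil, nonce(pkt.Seq), pkt.Ciphertext, pkt.header())
	if err != nil {
		return innerPacket{}, errors.New("authentication failed: packet modified or wrong key")
	}
	inner, err := unmarshalInner(plain)
	if err != nil {
		return innerPacket{}, err
	}
	if !s.lan.Contains(inner.Dst) {
		return innerPacket{}, fmt.Errorf("inner destination %s is outside the LAN", inner.Dst)
	}
	s.lastSeq = pkt.Seq
	return inner, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // AES-256 key, constructed for the demo
	_, lan, _ := net.ParseCIDR("192.168.0.0/24")
	srv := &server{key: key, lan: lan}
	client, vpn := net.ParseIP("1.2.3.4"), net.ParseIP("5.6.7.8")
	inner := innerPacket{Src: net.ParseIP("192.168.0.200"), Dst: net.ParseIP("192.168.0.10"), Payload: []byte("GET /payroll")}

	pkt, _ := encapsulate(key, client, vpn, 1, inner)
	fmt.Printf("on the wire: %s -> %s seq=%d, %d opaque bytes\n", pkt.Src, pkt.Dst, pkt.Seq, len(pkt.Ciphertext))
	got, err := srv.decapsulate(pkt)
	fmt.Printf("delivered to %s: %q (err=%v)\n", got.Dst, got.Payload, err)

	pkt2, _ := encapsulate(key, client, vpn, 2, inner)
	pkt2.Ciphertext[9] ^= 0x01 // one bit flipped in transit
	_, err = srv.decapsulate(pkt2)
	fmt.Println("modified packet:", err)
}
```

Running it shows that an observer on the path sees only 1.2.3.4, 5.6.7.8, a sequence number and opaque bytes, while the server recovers the private destination and payload; a modified packet, a replayed packet, or an inner packet addressed outside 192.168.0.0/24 is dropped before it reaches the LAN. Real ESP additionally uses a replay window rather than a single counter and derives its keys and salt from a key exchange such as IKE.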

V. The Rise of Mobile VPN (mVPN)

As more and more people care about their e-security and e-privacy, VPN has expanded beyond benefiting big corporations for office-to-office, remote client-to-office, or office-to-headquarters connections. VPN has started to target the needs of ordinary individual users who need a VPN simply to make a secure connection to the Internet.

Everyone has started to realize how vulnerable the Internet is from a security standpoint. Hence the boom in businesses that provide VPN as a service for individual users to access the Internet from a personal computer at home, a laptop on public Wi-Fi, a smartphone over GPRS, CDMA, HSDPA, and so on.

How it is done is not very different from a normal VPN. The VPN service provider has VPN servers deployed in many places around the world, and its clients connect to a VPN server first before going out to the Internet. The same thing happens in reverse, from the Internet through the VPN server to the client. By doing this, clients of the VPN service can surf the Internet, do e-transactions, send and receive email, and do everything securely through the Internet on their device even when they are on public Wi-Fi or a cellular data connection. Another advantage is even more privacy, since they go onto the Internet perfectly anonymously, without revealing their own IP address, and there is no chance that their IP address will be uncovered. This is because, as explained above, there is the tunnel, and the IP address and everything else is encrypted securely, unlike with a proxy. Of course, because VPN clients can go to the Internet anonymously, it means that they can also break the DNS rule. For example, by using an mVPN, a client will be able to use Facebook even in mainland China despite the government's restriction.


VI. Conclusion

VPN itself is also not perfect: sometimes it never manages to create a tunnel, because the line speed makes the tunneling protocol assume it has been penetrated and keep dropping the tunnel. Also, there may be some old routers that do not allow VPN traffic to pass through. However, we cannot deny the enormous upside of this technology.

Utilizing PPTP, L2TP, IPsec and other technologies, VPN gives us the strongest armor for the web:

- Authentication – validates that the data was sent from the claimed sender.

- Access control – limits unauthorized users from accessing the network.

- Confidentiality – prevents the data from being read or copied while it is being transported.

- Data integrity – ensures that the data has not been altered.

Compared to a traditional private network, VPN is superior. VPN enables a remotely accessible network with secure channels (scalability), and at the same time reduces the cost of equipment and maintenance.

For these reasons, it is not difficult to understand why VPN is popular not only for corporate-oriented purposes but also for ordinary user-oriented purposes, as mobile VPN.

(Figure: IP 5.6.7.8 to IP 1.2.3.4 through a tunnel, then out to the Internet as an anonymous random IP X.X.X.X.)


Reference:

Pepelnjak Ivan, & Guichard Jim. (2001). "MPLS and VPN Architectures." Indianapolis: Cisco Press.

Shneyderman Alex, & Casati Alessio. (2003). "Mobile VPN: Delivering Advanced Services in Next Generation Wireless Systems." Indiana: Wiley Publishing, Inc.

피터전. (2011). "가상사설망" [Virtual Private Network]. Seoul: (주) 네버스탑.
