virtual private networks ( VPN ) expand private networks across public networks, and allow users to send and receive data on shared or public networks as if their computing devices are directly connected to a private network. Apps running on VPNs can benefit from functionality, security, and private network management.
VPN technology was developed to allow remote users and branch offices to access enterprise applications and other resources securely. To ensure security, data will travel through secure tunnels and VPN users will use authentication methods - including passwords, tokens, and other unique identification methods - to gain access to VPNs. In addition, Internet users can secure their transactions with VPNs, to overcome geographical and censorship restrictions, or to connect to a proxy server to protect their personal identity and location to remain anonymous on the Internet. However, some internet sites block access to known VPN technologies to prevent circumvention of their geographic restrictions, and many VPN providers have developed strategies to overcome these obstacles.
A VPN is created by establishing a virtual point-to-point connection through the use of special connections, virtual tunneling protocols, or traffic encryption. A VPN available from the public Internet can provide some benefits of a wide area network (WAN). From a user perspective, the resources available in a private network can be accessed remotely.
Traditional VPNs are characterized by point-to-point topologies, and they do not tend to support or link broadcast domains, so services such as Microsoft Windows NetBIOS may not be fully supported or functioning as in local area networks (LANs). Designers have developed VPN variants, such as Virtual Private LAN Service (VPLS), and Layer 2 Tunneling Protocols (L2TP), to overcome these limitations.
Video Virtual private network
Jenis
Initial data networks allow VPN-type remote connections via dial-up modems or via leased line connections using Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits, provided through networks owned and operated by telecom operators. These networks are not regarded as true VPNs as they passively secure data transmitted by the creation of logical data streams. They have been replaced by VPNs based on IP Network and IP/Multi-protocol Label Switching (MPLS), due to significant cost reductions and increased bandwidth provided by new technologies such as digital subscriber line (DSL) and fiber optic networks.
VPN can be either remote access (connecting computer to network) or site-to-site (connecting two networks). In enterprise settings, remote access VPNs allow employees to access their corporate intranets from home or on the move out of the office, and site-to-site VPNs allow employees in different geographically dispersed offices to share a cohesive virtual network. A VPN can also be used to connect two of the same networks through a different central network; for example, two IPv6 networks over an IPv4 network.
VPN systems can be classified by:
- tunneling protocol used to traffic traffic
- the location of the tunnel termination point, for example, at the edge of the customer or the edge of the network provider
- type of connection topology, such as site-to-site or network-to-network
- the security level provided
- the OSI layers they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity
- number of simultaneous connections.
Maps Virtual private network
Security mechanism
VPNs can not make online connections completely anonymous, but they can usually improve privacy and security. To prevent the disclosure of personal information, VPNs usually only allow authenticated remote access using tunneling protocols and encryption techniques.
The VPN security model provides:
- secrecy so that even if network traffic is sniffed at packet level (see network check and deep packet inspection), the attacker will only see encrypted data
- Sender authentication to prevent unauthorized users from accessing VPNs
- message integrity to detect instances of interrupted sent messages.
Secure VPN protocols include the following:
- Internet Protocol Security (IPsec) was originally developed by the Internet Engineering Task Force (IETF) for IPv6, required in all implementations of IPv6 standards before RFCÃ, 6434 made it a recommendation only. This standard-based security protocol is also widely used with IPv4 and Layer 2 Tunneling Protocol. Its design meets most security objectives: authentication, integrity, and confidentiality. IPsec uses encryption, encapsulates IP packets inside an IPsec packet. De-encapsulation occurs at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
- Transport Layer Security (SSL/TLS) can deliver overall network traffic (as in OpenVPN projects and SoftEther VPN projects) or secure individual connections. A number of vendors provide remote access VPN capabilities via SSL. An SSL VPN can connect from locations where IPsec is having problems with Network Address Translation and firewall rules.
- Datagram Transport Layer Security (DTLS) - used in Cisco AnyConnect VPN and in OpenConnect VPN to resolve SSL/TLS issues with tunneling over UDP.
- Microsoft Point-to-Point Encryption (MPPE) works with Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
- The Microsoft Secure Socket Tunneling (SSTP) protocol connects the Point-to-Point Protocol (PPP) protocol or the Layer 2 Tunneling Protocol over an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
- Multi Path Virtual Private Network (MPVPN). The Ragula System Development Company has registered trademark "MPVPN".
- Secure Shell (SSH) VPN - OpenSSH offers VPN tunneling (different from port forwarding) to secure remote connections to the network or to inter-network links. The OpenSSH server provides a limited number of simultaneous tunnels. The VPN feature itself does not support private authentication.
Authentication
The tunnel endpoint must be authenticated before a secure VPN tunnel can be created. User-generated remote access VPNs can use passwords, biometrics, two-factor authentication or other cryptographic methods. Network tunnels to networks often use passwords or digital certificates. They permanently store the keys to allow the tunnel to build automatically, without any intervention from the administrator.
Route
Tunneling protocols can operate in a point-to-point network topology that would theoretically not be considered a VPN, because VPN by definition is expected to support a random set and change the set of network nodes. But since most router implementations support a software-defined tunnel interface, the VPN provided by the customer is often simply defined as a tunnel running a conventional routing protocol.
Block of VPN builder provided by provider
Depending on whether the provider-provided VPN (PPVPN) operates in layer 2 or layer 3, the building blocks described below may be L2, only L3, or combine the two. Multi-protocol label switching (MPLS) functionality obscures the identity of L2-L3.
RFC 4026 announces the following terms to include L2 and L3 VPNs, but they are introduced in RFC 2547. More information about the device below can also be found at Lewis, Cisco Press.
- Customer Device (C)
The device is in the customer's network and is not directly connected to the service provider's network. Device C does not know about VPN.
- Customer Edge Tool (CE)
A device at the edge of the customer network that provides access to PPVPN. Sometimes it's just a demarcation point between the provider and the customer's responsibility. Other providers allow customers to configure it.
- Provider edge device (PE)
PE is a device, or device, at the edge of a network of providers connected to the customer's network via a CE device and presents the customer's site provider views. PE aware of the VPNs connected through them, and maintaining VPN status.
- Provider device (P)
Device A operates within the provider's core network and is not directly connected to the customer's endpoint. It may, for example, provide routing for many tunnels operated by operators owned by different PPVPN subscribers. While P device is an important part of implementing PPVPN, it is not VPN-aware itself and does not maintain VPN status. Its main role is to allow service providers to scale PPVPN offerings, for example, by acting as aggregation points for multiple PEs. P-to-P connections, in that role, are often high-capacity optical connections between the primary location of the service provider.
PPVPN service visible to users
OSI 2 Layer service
- Virtual LAN
Virtual LAN (VLAN) is a Layer 2 technique that allows for the coexistence of broadcast domains of multiple local area networks (LANs), which are interconnected via trunk using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally security protocol but subset introduced for trunking), and ATM LAN Emulation (LANE).
- Virtual private LAN service (VPLS)
Developed by the Institute of Electrical and Electronics Engineers, VLANs allow multiple LANs to share common trunking. VLANs often only consist of customer-owned facilities. While the VPLS as described in the section above (OSI Layer service 1) supports the emulation of both point-to-point and point-to-multipoint topologies, the methods discussed here extend Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run during transportation such as Metro Ethernet.
As used in this context, VPLS is Layer 2 PPVPN, rather than a private channel, mimicking the full functionality of a traditional LAN. From a user point of view, VPL allows interconnection of multiple LAN segments through packet core, or optical core; transparent cores for users, making remote LAN segments behave as a single LAN.
In VPLS, provider networks emulate learning bridges, which can optionally include VLAN services.
- Pseudo wire (PW)
PW is similar to VPLS, but can provide different L2 protocols at both ends. Typically, the interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. Conversely, when it aims to provide an adjacent LAN view between two or more locations, Virtual Private LAN or IPLS services will be appropriate.
- Ethernet over IP tunneling
EtherIP (RFC 3378) is a specification of Ethernet over IP protocol tunneling. EtherIP only has encapsulation package mechanism. Do not have confidentiality or message integrity protection. EtherIP is introduced in the FreeBSD network stack and SoftEther VPN server program.
- IP-only services such as LAN (IPLS)
Part of VPLS, CE devices must have Layer 3 capabilities; IPLS presents a non-frame package. It can support IPv4 or IPv6.
Layer 3 OSI PPVPN Architecture
This section discusses the main architecture for PPVPN, one in which PE splits duplicate addresses in one instance of routing, and the other, a virtual router, where PE contains virtual router instances per VPN. The previous approach, and its variations, has gained the most attention.
One of the challenges of PPVPNs involves different customers using the same address space, especially the private IPv4 address space. The provider must be able to distinguish overlapping addresses in multiple PPVPN subscribers.
- BGP/MPLS PPVPN
In the method specified by RFC 2547, the BGP extension advertises a route in the IPv4 VPN address family, which is a 12-byte string, beginning with an 8-byte route distinguisher (RD) and ending with a 4-byte IPv4 address. RDs are disambiguate if they do not duplicate addresses in the same PE.
PE understands the topology of each VPN, which is interconnected with the MPLS tunnel, either directly or through a P router. In MPLS terminology, router P is the Label Switch Routers without any awareness of VPN.
- Virtual router PPVPN
Virtual router architectures, as opposed to BGP/MPLS techniques, do not require modifications to existing routing protocols such as BGP. With the provision of a logically independent routing domain, the customer who operates the VPN is entirely responsible for the address space. In various MPLS tunnels, different PPVPN are disambiguated by their labels, but there is no need for routing differentiators.
Unencrypted tunnel
Some virtual networks use an unencrypted tunneling protocol to protect data privacy. Although VPNs often provide security, an unencrypted overlay network is not neatly organized in a secure or trusted categorization. For example, a tunnel arranged between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network, but not secure or trusted.
Native plaintext tunneling protocols termasuk Layer 2 Tunneling Protocol (L2TP) ketika sudah diatur tanpa IPsec dan Point-to-Point Tunneling Protocol (PPTP) atau Microsoft Point-to-Point Encryption (MPPE).
Jaringan pengiriman tepercaya
Trusted VPNs do not use cryptographic tunnels, and instead rely on a single provider's network security to protect traffic.
- Multi-Protocol Label Switching (MPLS) often overlays VPNs, often with quality-of-service control over trusted delivery networks.
- L2TP is a standards-based replacement, and a compromise that takes good features of each, for two proprietary VPN protocols: Cisco Layer 2 Forwarding (L2F) (deprecated since 2009) and Microsoft's Point-to-Point Tunneling Protocol (PPTP ).
From a security point of view, VPN either trusts the underlying delivery network, or has to enforce security with the mechanism on the VPN itself. Unless a trusted delivery network runs between physically secure sites only, trusted and secure models require authentication mechanisms for users to gain access to VPNs.
VPN in mobile environment
Users use virtual private mobile networks in settings where VPN endpoints are not assigned to a single IP address, but roam across networks such as data networks from mobile carriers or between multiple Wi-Fi access points. Mobile VPNs are widely used in public security, where they provide access to law enforcement officers to critical applications, such as computer support and criminal databases, while they travel between different subnets from cellular networks. Field service management and by healthcare organizations, among other industries, also utilize it.
More and more, mobile professionals who need reliable connections adopt mobile VPN. They are used for roaming across the network and in and out of the wireless coverage area without losing an app session or dropping a secure VPN session. Conventional VPNs can not resist such occurrences because network tunnels are interrupted, causing the application to break down, timeout, or failure, or even cause the computing device itself to crash.
Instead of logically binding the endpoint of the network tunnel to the physical IP address, each tunnel is bound to the corresponding IP address permanently on the device. The mobile VPN software takes care of the necessary network authentication and maintains network sessions in a transparent manner for applications and to users. The Host Identity Protocol (HIP), which is researched by the Internet Engineering Task Force, is designed to support host mobility by separating the role of IP addresses for host identification of their locator functions within the IP network. With HIP, the mobile host maintains its logical connection set through the host identity identifier when connecting with different IP addresses when roaming between access networks.
VPN on router
With the increasing use of VPNs, many are beginning to deploy VPN connectivity on routers for added security and data transmission encryption using a variety of cryptographic techniques. Home users typically use VPNs on their routers to protect devices, such as smart TV or game consoles, that are not supported by genuine VPN clients. Supported devices are not limited to those capable of running VPN clients.
Many router manufacturers provide routers with built-in VPN clients. Some use open-source firmware such as DD-WRT, OpenWRT and Tomato, to support additional protocols such as OpenVPN.
Setting up a VPN service on the router requires a deep knowledge of network security and careful installation. A small VPN connection configuration error can make the network vulnerable. Performance will vary depending on the ISP.
Network limitations
One of the major limitations of traditional VPNs is that they are point-to-point, and do not tend to support or connect broadcast domains. Therefore, communications, software, and networks, based on layer 2 and broadcast packets, such as NetBIOS used in Windows networks, may not be fully supported or functioning properly on the actual LAN. Variants on VPNs, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome these limitations.
See also
- Anonymizer
- Comparison of virtual private network services
- Dynamic Multipoint Virtual Private Network
- Internet privacy
- VPN Mediation
- Optionistic encryption
- Split tunneling
- Virtual private server
References
Further reading
- Kelly, Sean (August 2001). "Needs are the parent of the VPN invention". Communication News : 26-28. ISSNÃ, 0010-3632. Archived from the original in 2001-12-17.
Source of the article : Wikipedia
0 Comments