
Intranet: What Exactly Is A VPN?


VPN

The Virtual Private Network (VPN) has attracted the attention of many organizations
looking to both expand their networking capabilities and reduce their costs.
VPNs can be found in workplaces and homes, where they allow employees to log into
company networks securely. Telecommuters and those who travel often find a VPN a
more convenient way to stay connected to the corporate intranet. No matter your
current involvement with VPNs, this is a good technology to know something about.
This VPN tutorial touches on many interesting aspects of network protocol design,
Internet security, network service outsourcing, and technology standards.

What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In this
respect, a VPN is a form of Wide Area Network (WAN).

The key feature of a VPN, however, is its ability to use public networks like the Internet
rather than rely on private leased lines. VPN technologies implement restricted-access
networks that utilize the same cabling and routers as a public network, and they do so
without sacrificing features or basic security.

A VPN supports at least three different modes of use:

 Remote access client connections
 LAN-to-LAN internetworking
 Controlled access within an intranet

VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and
marketing hype surrounds VPN. In reality, VPNs provide just a few specific potential
advantages over more traditional forms of wide-area networking. These advantages can
be significant, but they do not come for free.

The potential problems with the VPN outnumber the advantages and are generally more
difficult to understand. The disadvantages do not necessarily outweigh the advantages,
however. From security and performance concerns, to coping with a wide range of
sometimes incompatible vendor products, the decision of whether or not to use a VPN
cannot be made without significant planning and preparation.

VPNs enable file sharing, video conferencing and similar network services. Virtual
private networks generally don't provide any new functionality that isn't already
offered through alternative mechanisms, but a VPN implements those services more
efficiently and cheaply in most cases.

A key feature of a VPN is its ability to work over both private networks and public
networks like the Internet. Using a method called tunneling, a VPN uses the same
hardware infrastructure as existing Internet or intranet links. VPN technologies include
various security mechanisms to protect the virtual, private connections.

Specifically, a VPN supports at least three different modes of use:

 Internet remote access client connections
 LAN-to-LAN internetworking
 Controlled access within an intranet

Internet VPNs for Remote Access

In recent years, many organizations have increased the mobility of their workers by
allowing more employees to telecommute. Employees also continue to travel and face a
growing need to stay connected to their company networks.

A VPN can be set up to support remote, protected access to the corporate home offices
over the Internet. An Internet VPN solution uses a client/server design that works as
follows:

1. A remote host (client) wanting to log into the company network first connects to any
public Internet Service Provider (ISP).

2. Next, the host initiates a VPN connection to the company VPN server. This
connection is made via a VPN client installed on the remote host.

3. Once the connection has been established, the remote client can communicate with
the internal company systems over the Internet just as if it were a local host.

Before VPNs, remote workers accessed company networks over private leased lines or
through dialup remote access servers. While VPN clients and servers require careful
installation of hardware and software, an Internet VPN is a superior solution in many
situations.

VPNs for Internetworking

Besides using virtual private networks for remote access, a VPN can also bridge two
networks together. In this mode of operation, an entire remote network (rather than just
a single remote client) can join to a different company network to form an extended
intranet. This solution uses a VPN server to VPN server connection.

Intranet / Local Network VPNs

Internal networks may also utilize VPN technology to implement controlled access to
individual subnets within a private network. In this mode of operation, VPN clients
connect to a VPN server that acts as the network gateway.

This type of VPN use does not involve an Internet Service Provider (ISP) or public
network cabling. However, it allows the security benefits of VPN to be deployed inside
an organization. This approach has become especially popular as a way for businesses
to protect their WiFi local networks.

A VPN (Virtual Private Network) is one solution to establishing long-distance and/or
secured network connections. VPNs are normally implemented (deployed) by
businesses or organizations rather than by individuals, but virtual networks can be
reached from inside a home network. Compared to other technologies, VPNs offer
several advantages, particularly benefits for wireless local area networking.

For an organization looking to provide a secured network infrastructure for its
client base, a VPN offers two main advantages over alternative technologies: cost
savings and network scalability. To the clients accessing these networks, VPNs also
bring some benefits of ease of use.

Cost Savings with a VPN

A VPN can save an organization money in several situations:

 eliminating the need for expensive long-distance leased lines
 reducing long-distance telephone charges
 offloading support costs

VPNs vs leased lines - Organizations historically needed to rent network capacity such
as T1 lines to achieve full, secured connectivity between their office locations. With a
VPN, you use public network infrastructure including the Internet to make these
connections and tap into that virtual network through much cheaper local leased lines or
even just broadband connections to a nearby Internet Service Provider (ISP).

Long distance phone charges - A VPN also can replace remote access servers and
long-distance dialup network connections commonly used in the past by business
travelers needing access to their company intranet. For example, with an Internet
VPN, clients need only connect to the nearest service provider's access point, which is
usually local.

Support costs - With VPNs, the cost of maintaining servers tends to be less than with
other approaches because organizations can outsource the needed support to
professional third-party service providers. These providers enjoy a much lower cost
structure through economy of scale by servicing many business clients.

VPN Network Scalability


The cost to an organization of building a dedicated private network may be reasonable
at first but increases exponentially as the organization grows. A company with two
branch offices, for example, can deploy just one dedicated line to connect the two
locations, but 4 branch offices require 6 lines to directly connect them to each other, 6
branch offices need 15 lines, and so on.

Internet-based VPNs avoid this scalability problem by simply tapping into the public
lines and network capability readily available. Particularly for remote and international
locations, an Internet VPN offers superior reach and quality of service.

Using a VPN

To use a VPN, each client must possess the appropriate networking software or
hardware support on their local network and computers. When set up properly, VPN
solutions are easy to use and sometimes can be made to work automatically as part of
network sign on.

VPN technology also works well with WiFi local area networking. Some organizations
use VPNs to secure wireless connections to their local access points when working
inside the office. These solutions provide strong protection without affecting
performance excessively.

Limitations of a VPN

Despite their popularity, VPNs are not perfect and limitations exist as is true for any
technology. Organizations should consider issues like the below when deploying and
using virtual private networks in their operations:

1. VPNs require detailed understanding of network security issues and careful
installation / configuration to ensure sufficient protection on a public network like the
Internet.

2. The reliability and performance of an Internet-based VPN is not under an
organization's direct control. Instead, the solution relies on an ISP and their quality of
service.

3. Historically, VPN products and solutions from different vendors have not always been
compatible due to issues with VPN technology standards. Attempting to mix and match
equipment may cause technical problems, and using equipment from one provider may
not give as great a cost savings.

Virtual private network technology is based on the idea of tunneling. VPN tunneling
involves establishing and maintaining a logical network connection (that may contain
intermediate hops). On this connection, packets constructed in a specific VPN protocol
format are encapsulated within some other base or carrier protocol, then transmitted
between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated
within Internet Protocol (IP) packets. VPN protocols also support authentication and
encryption to keep the tunnels secure.

Types of VPN Tunneling

VPN supports two types of tunneling - voluntary and compulsory. Both types of
tunneling are commonly used.

In voluntary tunneling, the VPN client manages connection setup. The client first makes
a connection to the carrier network provider (an ISP in the case of Internet VPNs).
Then, the VPN client application creates the tunnel to a VPN server over this live
connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup.
When the client first makes an ordinary connection to the carrier, the carrier in turn
immediately brokers a VPN connection between that client and a VPN server. From the
client point of view, VPN connections are set up in just one step compared to the two-
step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN
servers using logic built into the broker device. This network device is sometimes called
the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of
Presence Server (POS). Compulsory tunneling hides the details of VPN server
connectivity from the VPN clients and effectively transfers management control over the
tunnels from clients to the ISP. In return, service providers must take on the additional
burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with
VPN tunnels. The three most popular VPN tunneling protocols listed below continue to
compete with each other for acceptance in the industry. These protocols are generally
incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People
generally associate PPTP with Microsoft because nearly all flavors of Windows include
built-in client support for this protocol. The initial releases of PPTP for Windows by
Microsoft contained security features that some experts claimed were too weak for
serious use. Microsoft continues to improve its PPTP support, though.


Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented
primarily in Cisco products. In an attempt to improve on L2F, the best features of it and
PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at
the data link layer (Layer Two) in the OSI model -- thus the origin of its name.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete
VPN protocol solution or simply as the encryption scheme within L2TP or PPTP. IPsec
exists at the network layer (Layer Three) of the OSI model.

PPTP - Point-to-Point Tunneling Protocol - extends the Point to Point Protocol (PPP)
standard for traditional dial-up networking. PPTP is best suited for the remote access
applications of VPNs, but it also supports LAN internetworking. PPTP operates at Layer
2 of the OSI model. (See below)

Using PPTP

PPTP packages data within PPP packets, then encapsulates the PPP packets within IP
packets (datagrams) for transmission through an Internet-based VPN tunnel. PPTP
supports data encryption and compression of these packets. PPTP also uses a form
of Generic Routing Encapsulation (GRE) to get data to and from its final destination.

PPTP-based Internet remote access VPNs are by far the most common form of PPTP
VPN. In this environment, VPN tunnels are created via the following two-step process:

1. The PPTP client connects to their ISP using PPP dial-up networking (traditional
modem or ISDN).
2. Via the broker device (described earlier), PPTP creates a TCP control connection
between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port
1723 for these connections.

PPTP also supports VPN connectivity via a LAN. ISP connections are not required in
this case, so tunnels can be created directly as in Step 2 above.

Once the VPN tunnel is established, PPTP supports two types of information flow:

 control messages for managing and eventually tearing down the VPN
connection. Control messages pass directly between VPN client and server.
 data packets that pass through the tunnel, to or from the VPN client

PPTP Control Connection

Once the TCP connection is established in Step 2 above, PPTP utilizes a series of
control messages to maintain VPN connections. These messages are listed below.

Number  Name                           Description

1       StartControlConnectionRequest  Initiates setup of the VPN session; can be sent by
                                       either client or server.
2       StartControlConnectionReply    Sent in reply to the start connection request (1);
                                       contains a result code indicating success or failure
                                       of the setup operation, and also the protocol
                                       version number.
3       StopControlConnectionRequest   Request to close the control connection.
4       StopControlConnectionReply     Sent in reply to the stop connection request (3);
                                       contains a result code indicating success or failure
                                       of the close operation.
5       EchoRequest                    Sent periodically by either client or server to
                                       "ping" the connection (keep alive).
6       EchoReply                      Sent in response to the echo request (5) to keep
                                       the connection active.
7       OutgoingCallRequest            Request to create a VPN tunnel, sent by the client.
8       OutgoingCallReply              Response to the call request (7); contains a unique
                                       identifier for that tunnel.
9       IncomingCallRequest            Request from a VPN client to receive an incoming
                                       call from the server.
10      IncomingCallReply              Response to the incoming call request (9),
                                       indicating whether the incoming call should be
                                       answered.
11      IncomingCallConnected          Response to the incoming call reply (10); provides
                                       additional call parameters to the VPN server.
12      CallClearRequest               Request to disconnect either an incoming or
                                       outgoing call, sent from the server to a client.
13      CallDisconnectNotify           Response to the disconnect request (12); sent back
                                       to the server.
14      WANErrorNotify                 Notification periodically sent to the server of CRC,
                                       framing, hardware and buffer overrun, timeout and
                                       byte alignment errors.
15      SetLinkInfo                    Notification of changes in the underlying PPP
                                       options.

With control messages, PPTP utilizes a so-called magic cookie. The PPTP magic
cookie is hardwired to the hexadecimal number 0x1A2B3C4D. The purpose of this
cookie is to ensure the receiver interprets the incoming data on the correct byte
boundaries.
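To make the message table and the magic cookie concrete, here is an added Python example (written for this page, not code from the original tutorial or from any PPTP implementation). It builds and parses the 12-octet common header that every PPTP control message carries according to RFC 2637 (Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0), maps the Control Message Type to the names in the table, walks a TCP byte stream using the Length field, and rejects any message whose cookie is not 0x1A2B3C4D, which is exactly the byte-boundary check the cookie exists for. The host name, vendor string and the sample message stream are constructed for the example.

```python
import struct

# Constants from RFC 2637, which the text cites as the PPTP definition.
PPTP_TCP_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1          # PPTP Message Type 1 = control message, 2 = management
PROTOCOL_VERSION = 0x0100     # PPTP protocol version 1.0

# Control Message Type numbers, matching the table above.
CONTROL_MESSAGE_NAMES = {
    1: "StartControlConnectionRequest", 2: "StartControlConnectionReply",
    3: "StopControlConnectionRequest", 4: "StopControlConnectionReply",
    5: "EchoRequest", 6: "EchoReply",
    7: "OutgoingCallRequest", 8: "OutgoingCallReply",
    9: "IncomingCallRequest", 10: "IncomingCallReply", 11: "IncomingCallConnected",
    12: "CallClearRequest", 13: "CallDisconnectNotify",
    14: "WANErrorNotify", 15: "SetLinkInfo",
}

# Common 12-octet header: Length, PPTP Message Type, Magic Cookie,
# Control Message Type, Reserved0 (network byte order).
HEADER = struct.Struct("!HHIHH")


class PptpParseError(ValueError):
    """Raised when bytes do not form a well-formed PPTP control message."""


def parse_control_header(data: bytes) -> dict:
    """Validate the common header and return its fields plus the message body."""
    if len(data) < HEADER.size:
        raise PptpParseError("truncated header")
    length, msg_type, cookie, ctrl_type, reserved0 = HEADER.unpack_from(data)
    # The cookie is the synchronisation check the text describes: a receiver that
    # has lost byte alignment in the TCP stream sees a wrong cookie here and must
    # drop the control connection instead of parsing garbage.
    if cookie != PPTP_MAGIC_COOKIE:
        raise PptpParseError(f"bad magic cookie 0x{cookie:08X}: stream out of sync")
    if msg_type != PPTP_MSG_CONTROL:
        raise PptpParseError(f"unexpected PPTP message type {msg_type}")
    if length < HEADER.size or length > len(data):
        raise PptpParseError(f"bad length {length}")
    if reserved0 != 0:
        raise PptpParseError("Reserved0 must be zero")
    return {
        "length": length,
        "control_type": ctrl_type,
        "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown"),
        "body": data[HEADER.size:length],
    }


def iter_control_messages(stream: bytes):
    """Split a TCP byte stream into successive control messages using Length."""
    offset = 0
    while offset < len(stream):
        msg = parse_control_header(stream[offset:])
        yield msg
        offset += msg["length"]


def build_message(ctrl_type: int, body: bytes) -> bytes:
    return HEADER.pack(HEADER.size + len(body), PPTP_MSG_CONTROL,
                       PPTP_MAGIC_COOKIE, ctrl_type, 0) + body


def build_start_control_connection_request(host_name: str, vendor: str) -> bytes:
    """Message 1: header plus version, capabilities, 64-octet host and vendor (156 octets)."""
    body = struct.pack(
        "!HHIIHH64s64s",
        PROTOCOL_VERSION,
        0,      # Reserved1
        0x3,    # Framing capabilities: asynchronous (1) and synchronous (2)
        0x3,    # Bearer capabilities: analog (1) and digital (2)
        1,      # Maximum channels
        0,      # Firmware revision (constructed value)
        host_name.encode("ascii"),
        vendor.encode("ascii"),
    )
    return build_message(1, body)


def parse_start_control_connection_request(body: bytes) -> dict:
    version, _res, framing, bearer, max_ch, _fw, host, vendor = struct.unpack("!HHIIHH64s64s", body)
    return {
        "protocol_version": version, "framing": framing, "bearer": bearer,
        "max_channels": max_ch,
        "host_name": host.rstrip(b"\x00").decode("ascii"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii"),
    }


def build_echo_request(identifier: int) -> bytes:
    """Message 5: header plus a 4-octet Identifier (16 octets in total)."""
    return build_message(5, struct.pack("!I", identifier))


if __name__ == "__main__":
    # Constructed sample stream: a StartControlConnectionRequest followed by an EchoRequest.
    stream = build_start_control_connection_request("lab-client", "example-vendor") + build_echo_request(7)
    for m in iter_control_messages(stream):
        print(m["control_type"], m["name"], m["length"])
    try:
        parse_control_header(stream[1:])   # one byte out of alignment: the cookie check catches it
    except PptpParseError as err:
        print("rejected:", err)
```

A monitoring tool that inspects TCP port 1723 can apply the same header check to decide whether a flow is really PPTP control traffic; any segment where the cookie or the Length field does not line up is either a desynchronised stream or not PPTP at all.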

PPTP Security

PPTP supports authentication, encryption, and packet filtering. PPTP authentication
uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering
on VPN servers. Intermediate routers and other firewalls can also be configured to
selectively filter PPTP traffic.

PPTP and PPP

In general, PPTP relies on the functionality of PPP for these aspects of virtual private
networking:

 authenticating users and maintaining the remote dial-up connection
 encapsulating and encrypting IP, IPX, or NetBEUI packets

PPTP directly handles maintaining the VPN tunnel and transmitting data through the
tunnel. PPTP also supports some additional security features for VPN data beyond what
PPP provides.

PPTP Pros and Cons

PPTP remains a popular choice for VPNs thanks to Microsoft. PPTP clients are freely
available in all popular versions of Microsoft Windows. Windows servers also can
function as PPTP-based VPN servers.

One drawback of PPTP is its failure to choose a single standard for authentication and
encryption. Two products that both fully comply with the PPTP specification may be
totally incompatible with each other if they encrypt data differently, for example.
Concerns also persist over the questionable level of security PPTP provides compared
to alternatives.

VPN tunneling is a network technology that encapsulates packets at the same layer or
below. One type of packet is encapsulated within the datagram (a packet in TCP/IP or
UDP containing source and destination addresses) of a different protocol. Because
multiple protocols are pushed through a given network, the traffic is said to be
tunneled. Multiple protocols that support encryption and authentication make up a
virtual private network. Tunneling is used to transport a network protocol through a
network that does not normally support it.

VPN tunnel software has a management protocol that creates, maintains and
terminates a tunnel. After the VPN tunnel is established, data can be sent. How does
tunneling work? A client or server uses the data transfer protocol to prepare the data
transfer. Data is transferred through the VPN tunnel using a datagram-based protocol.
When a tunnel session is created, both end points must agree on various parameters
such as address assignment and encryption or compression parameters. PPTP
(Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) encapsulate
private network traffic in packets to be transmitted over public networks (TCP/IP). The
tunnel thus does three things:

1. It creates and maintains a virtual link.
2. It encrypts and decrypts data to reduce snooping by others.
3. It guarantees the authenticity of the sender and receiver.

These together make a virtual private network. Some software has all three
components, whereas other software has only two (one establishing a virtual link and
the second providing communication across it).

Types of Tunnels

Tunnels are basically of two types: voluntary tunnels and compulsory tunnels.

Voluntary Tunnel

In a voluntary tunnel, a client or user issues the VPN request to configure and create
the tunnel. In this case the user's computer is the end point and acts as a VPN client.
Voluntary tunnels require an IP connection, either a LAN or a dial-up connection. In the
LAN case there is already a network that routes the encapsulated payloads to the
tunnel server. For a dial-up connection the computer must be connected to the Internet
to establish a voluntary tunnel. The initial establishment of IP connectivity is not part
of the VPN, and the client needs VPN tunnel client software to create a voluntary tunnel.

Compulsory tunnel

A VPN remote access server configures and creates a tunnel in which the user's
computer is not the end point. The end points are therefore the VPN remote access
server and the VPN tunneling (LAN) server. A number of ISP vendors that have dial-up
servers are now offering VPN services. The server (NAS, Network Access Server)
creating and providing the tunnel for the client is known as the FEP (Front End
Processor) for PPTP and the LAC (L2TP Access Concentrator) for L2TP. The FEP must
have the appropriate VPN tunneling software protocol and should be capable of
establishing the tunnel when the client requires it. The client compulsorily avails itself
of the service of the FEP, hence the term compulsory tunneling. Separate tunnels are
created for multiple voluntary dial-up clients, whereas a single compulsory tunnel can
be shared by multiple clients. The tunnel exists as long as some client is using it.

Point to Point Tunneling Protocol

PPTP encapsulates PPP (Point-to-Point Protocol) frames in IP datagrams so that data
can be transmitted on IP networks. The IETF (Internet Engineering Task Force)
describes PPTP in RFC 2637 of its RFC (Request for Comments) database.

 The PPTP control connection creates, maintains and terminates the tunnel. This is
done using various management messages. PPTP Echo-Request and PPTP Echo-Reply
detect connectivity failure between server and client. A PPTP control packet consists
of an IP header, TCP header, PPTP control message and a data link trailer. For more
information about the exact structure of PPTP control messages, see RFC 2637 in the
RFC database.
 GRE (Generic Routing Encapsulation) is used to encapsulate PPP frames as tunneled
data. The initial PPP payload is encrypted and encapsulated with a PPP header. This
PPP frame is then encapsulated with a modified GRE header. GRE is described by
RFC 1701 and RFC 1702. The packet now has a data link header, IP header, GRE
header, PPP header, encrypted PPP payload and data link trailer.
 Encapsulated PPTP payloads can be either encrypted or compressed. Sometimes both
encryption and compression are done.
 PPTP uses the authentication mechanisms of PPP connections. EAP (Extensible
Authentication Protocol), MS-CHAP (Microsoft Challenge Handshake Authentication
Protocol), SPAP (Shiva Password Authentication Protocol) and PAP (Password
Authentication Protocol) are the authentication protocols that can be used.
 For encryption using MPPE (Microsoft Point-to-Point Encryption) of PPP, EAP-TLS,
MS-CHAP or MS-CHAPv2 authentication must be used. PPTP inherits encryption as
well as compression from PPP; these can be implemented independently or together.
This is link encryption only; end-to-end encryption is not provided by PPTP.

Layer 2 Tunneling Protocol

The IETF describes L2TP in RFC 2661. L2TP combines the best features of PPTP and
L2F (Layer 2 Forwarding). It encapsulates PPP frames to be sent over IP, X.25, Frame
Relay or ATM networks. If an IP network is used, L2TP frames are encapsulated in UDP
(User Datagram Protocol). L2TP can be used over the Internet as well as over private
intranets.

 L2TP control messages are sent over the IP network between an L2TP client and
L2TP server as UDP messages. Data is carried in UDP messages as well. On Windows,
UDP port 1701 is used. On Windows Server 2003 the UDP datagrams are sent as an
encrypted payload of IPSec. The packet then consists of a data link header, IP header,
IPSec ESP header, UDP header, L2TP message, IPSec ESP trailer, IPSec ESP
authentication trailer and data link trailer.
 PPP payloads can be either encrypted or compressed; both encryption and
compression can be done.
 ESP, the Encapsulating Security Payload of IPSec, provides the encryption for L2TP
in transport mode. IPSec is used for both authentication and encryption.
Non-encrypted L2TP connections can be established by Windows-based software;
authentication there relies on the PPP authentication mechanisms.
 An Internet-based L2TP server is an L2TP-enabled remote access server with one
interface on the Internet and a second interface on a private intranet.
 L2TP tunnel maintenance and tunneled data use the same packet structure, and L2TP
supports multiple calls per tunnel. Both the L2TP control message header and the data
header carry the tunnel ID that identifies the tunnel.
 L2TP encapsulation involves wrapping a PPP payload with a PPP header and an L2TP
header. UDP encapsulation is then applied to the L2TP packet, adding a UDP header
whose source and destination ports are set to 1701. The UDP message is encrypted
and encapsulated with an IPSec ESP header and trailer and an ESP authentication
trailer.
 IPSec provides two protocols: Authentication Header (AH) and ESP.
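As an added illustration of the L2TP packet structure described above (example code written for this page, not taken from RFC 2661, from Windows or from any L2TP implementation), the following Python parses the L2TP header that sits inside the UDP port 1701 payload: the flag/version word (T bit for control versus data, L for a Length field, S for the Ns/Nr sequence fields, O for an offset), the Tunnel ID and Session ID that both control and data messages carry, and, for control messages, the Message Type AVP that identifies SCCRQ, HELLO and the rest. The sample datagrams are constructed inline; the IPsec ESP wrapping that the text mentions for Windows Server 2003 is outside this example, which sees the datagram as it would look after ESP decapsulation.

```python
import struct

L2TP_UDP_PORT = 1701
L2TP_VERSION = 2

# Bits of the first header word (RFC 2661, section 3.1).
T_BIT = 0x8000    # 1 = control message, 0 = data message
L_BIT = 0x4000    # Length field present (always set on control messages)
S_BIT = 0x0800    # Ns / Nr sequence fields present (always set on control messages)
O_BIT = 0x0200    # Offset Size field present
P_BIT = 0x0100    # Priority (data messages only)
VER_MASK = 0x000F

# Control connection and call management message types carried in the Message Type AVP.
CONTROL_MESSAGE_NAMES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN",
    14: "CDN", 15: "WEN", 16: "SLI",
}


class L2tpParseError(ValueError):
    """Raised for datagrams that are not well-formed L2TP version 2."""


def parse_message_type_avp(payload: bytes):
    """Decode the Message Type AVP that must come first in every non-empty control message."""
    if len(payload) < 8:
        raise L2tpParseError("control message too short for a Message Type AVP")
    hdr, vendor_id, attr_type, value = struct.unpack_from("!HHHH", payload)
    mandatory, hidden, avp_len = bool(hdr & 0x8000), bool(hdr & 0x4000), hdr & 0x03FF
    if vendor_id != 0 or attr_type != 0 or avp_len != 8 or hidden or not mandatory:
        raise L2tpParseError("first AVP is not a valid Message Type AVP")
    return value, CONTROL_MESSAGE_NAMES.get(value, "Unknown")


def parse_l2tp(datagram: bytes) -> dict:
    """Parse the header of one L2TP datagram (the UDP payload on port 1701)."""
    if len(datagram) < 6:
        raise L2tpParseError("datagram shorter than the minimum header")
    flags = struct.unpack_from("!H", datagram)[0]
    if flags & VER_MASK != L2TP_VERSION:
        raise L2tpParseError(f"unsupported L2TP version {flags & VER_MASK}")
    is_control = bool(flags & T_BIT)
    pos, length = 2, None
    if flags & L_BIT:
        length = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2
    elif is_control:
        raise L2tpParseError("control messages must carry the Length field")
    end = len(datagram) if length is None else length
    if end > len(datagram) or pos + 4 > end:
        raise L2tpParseError("Length field does not fit the datagram")
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)   # both message kinds carry these
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        if pos + 4 > end:
            raise L2tpParseError("truncated Ns/Nr")
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    elif is_control:
        raise L2tpParseError("control messages must carry Ns/Nr")
    if flags & O_BIT:
        offset = struct.unpack_from("!H", datagram, pos)[0]
        pos += 2 + offset                    # skip the Offset Size field and the padding it names
    if pos > end:
        raise L2tpParseError("offset runs past the end of the message")
    msg = {
        "control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
        "ns": ns, "nr": nr, "priority": bool(flags & P_BIT) and not is_control,
        "payload": datagram[pos:end],        # PPP frame for data, AVPs for control
    }
    if is_control:
        # A control message with no AVPs is a Zero-Length Body acknowledgement.
        msg["message_type"] = (None, "ZLB") if not msg["payload"] else parse_message_type_avp(msg["payload"])
    return msg


def build_control_message(tunnel_id: int, session_id: int, ns: int, nr: int, message_type: int) -> bytes:
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, message_type)   # M bit set, AVP length 8
    header = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | L2TP_VERSION,
                         12 + len(avp), tunnel_id, session_id, ns, nr)
    return header + avp


def build_data_message(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Minimal 6-octet data header: no Length, no sequence numbers, no offset."""
    return struct.pack("!HHH", L2TP_VERSION, tunnel_id, session_id) + ppp_frame


if __name__ == "__main__":
    # Constructed samples: the opening SCCRQ (tunnel ID 0 until assigned) and a data
    # message carrying a constructed PPP frame for tunnel 5, session 9.
    for d in (build_control_message(0, 0, 0, 0, 1),
              build_data_message(5, 9, bytes.fromhex("ff030021") + b"\x45" + bytes(19))):
        print(parse_l2tp(d))
```

Because the tunnel and session IDs are in the clear unless IPsec ESP wraps the datagram, a passive observer of plain L2TP can at least map which tunnels and sessions exist; that is part of why the text pairs L2TP with IPsec.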

IPSec (IP Security)

IPsec (IP security) is an evolving Internet standard for securing Internet Protocol (IP)
communications by encrypting and/or authenticating all IP packets. IPSec provides
security at the network layer. It is a part of IPv6 (Internet Protocol version 6) and can
be used with IPv4. RFCs 2401-2412 define the IPsec protocols. IKE, the Internet Key
Exchange protocol, is the most recent update of IPSec.

 IPSec creates and maintains its own tunnel in tunnel mode, where portal-to-portal
communication security is provided.
 IPSec's transport mode only provides authentication and encryption for end-to-end
communications.

VPNs can be created in either mode. Implementations in either mode have different
security implications. The IPSec protocols secure packet flows and key exchange (IKE).

 Encapsulating Security Payload (ESP) provides authentication, data confidentiality
and message integrity.
 Authentication Header (AH) provides authentication and message integrity but does
not offer confidentiality.
 Sending and receiving devices must share a public key; the implementation of this is
done by a protocol known as Internet Security Association and Key Management
Protocol/Oakley (ISAKMP/Oakley). This allows the receiver to obtain a public key and
authenticate the sender using digital certificates.

IPSec tunnels can be any of several types.

 IPSec/PPTP tunnels use the PPTP tunnel protocol with IPSec encryption.
 IPSec/L2TP tunnels use L2TP (Layer 2 Tunneling Protocol) to establish the tunnel
and then run IPSec encryption on it.
 IPSec/GRE tunnels layer IPSec directly onto plain GRE tunnels.

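To show what the AH bullet above means in practice, the following added Python example (written for this page, not the tutorial's own code and not taken from any IPsec stack) builds an Authentication Header in the layout of RFC 2402 with an HMAC-SHA1-96 integrity check value and implements the receiver side: verify the ICV with the key of the security association, and enforce the 64-entry anti-replay sliding window of RFC 2401 so that a replayed or very old sequence number is dropped even though its ICV is valid. To stay self-contained it authenticates only the AH header and the payload, omitting the transport-mode rule of zeroing the mutable IP header fields before hashing; the key, SPI and packets are constructed test values rather than anything negotiated by IKE.

```python
import hashlib
import hmac
import struct

AH_ICV_LEN = 12       # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits (RFC 2404)
REPLAY_WINDOW = 64    # minimum anti-replay window size recommended by RFC 2401

# Fixed part of the Authentication Header: Next Header, Payload Len, Reserved, SPI, Sequence Number.
AH_FIXED = struct.Struct("!BBHII")
AH_TOTAL = AH_FIXED.size + AH_ICV_LEN     # 24 octets with a 96-bit ICV


def _icv(key: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # Assumption for this example: the ICV covers the AH header (with the ICV field
    # zeroed) and the payload only; the IP header handling of transport mode is omitted.
    mac = hmac.new(key, ah_fixed + bytes(AH_ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:AH_ICV_LEN]


def build_ah(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """Sender side: AH fixed fields + ICV + the protected payload."""
    payload_len = AH_TOTAL // 4 - 2         # AH length in 32-bit words minus 2, per RFC 2402
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


class AhReceiver:
    """Receiver state for one inbound security association (one SPI, one key)."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.last_seq = 0     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (last_seq - i) already accepted

    def verify(self, packet: bytes):
        """Return (accepted, reason, payload); the window moves only on acceptance."""
        if len(packet) < AH_TOTAL:
            return False, "truncated", None
        _next_header, payload_len, _res, spi, seq = AH_FIXED.unpack_from(packet)
        if spi != self.spi:
            return False, "unknown SPI", None
        if (payload_len + 2) * 4 != AH_TOTAL:
            return False, "unexpected AH length", None
        if seq == 0:
            return False, "sequence number zero is never valid", None
        # Anti-replay check first (it is cheap), as RFC 2401 recommends, then the ICV.
        if seq <= self.last_seq:
            diff = self.last_seq - seq
            if diff >= REPLAY_WINDOW:
                return False, "too old", None
            if (self.bitmap >> diff) & 1:
                return False, "replayed", None
        received_icv = packet[AH_FIXED.size:AH_TOTAL]
        payload = packet[AH_TOTAL:]
        expected = _icv(self.key, packet[:AH_FIXED.size], payload)
        if not hmac.compare_digest(received_icv, expected):
            return False, "bad ICV", None
        # Only a packet with a valid ICV may advance the window; otherwise an attacker
        # could push the window forward with forged sequence numbers.
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = 1 if shift >= REPLAY_WINDOW else \
                ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)
        return True, "ok", payload


if __name__ == "__main__":
    key = b"constructed-test-key"           # constructed; a real SA gets its keys from IKE
    rx = AhReceiver(key, spi=0x1000)
    for seq, data in [(1, b"first"), (3, b"third"), (2, b"late, still in window"), (1, b"first")]:
        print(seq, rx.verify(build_ah(key, 0x1000, seq, 17, data))[:2])
```

Note what the receiver does not do: it never decrypts anything, which is the point of the text's distinction between AH (integrity and origin authentication) and ESP (which adds confidentiality). A forged packet fails on the ICV, a replayed one fails on the window, and neither failure changes the receiver's state.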
SSL VPN protocol

SSL (Secure Sockets Layer) and TLS (Transport Layer Security), its successor, are
cryptographic protocols for secure communications over the Internet. "SSL tunneling"
usually refers to both protocols.

 SSL provides endpoint authentication and privacy for communications.
 In typical use only the server is authenticated, while the client is not. Mutual
authentication requires deploying a PKI (Public Key Infrastructure) to the client.
 SSL uses public key cryptography (RSA, Diffie-Hellman, DSA or Fortezza) and
certificate-based authentication.
 Traffic encryption is based on a symmetric cipher (RC2, RC4, IDEA, DES, Triple DES
or AES).
 Split tunneling lets end users access the Internet and the intranet simultaneously.
The security of VPN split tunneling is an important consideration on VPN servers.

Choose your VPN Protocol

The best choice of protocols for your organization depends on a number of factors:
server and client operating systems deployed, network resources to which access is
needed, level of security required, performance issues, administrative overhead and so
forth.

PPTP

PPTP is the most widely supported VPN method among Windows clients.

 It is a link layer protocol with low overhead, making it faster than other VPN
methods.
 EAP authentication uses digital certificates for mutual authentication and
eliminates the earlier security flaws of PPTP.
 A Public Key Infrastructure is not required.

Many firewall-based enterprise-level products support PPTP (ISA Server, Cisco PIX,
SonicWALL). Operating systems that incorporate PPTP, or can have it added, are:

 Windows-based clients, whose software already incorporates PPTP.
 Linux: for a PPTP client see http://pptpclient.sourceforge.net/
 Mac OS X 10.2: see http://www.rochester.edu/its/vpn/tunnelbuilder.html
 OS X: see http://www.gracion.com/vpn/

L2TP

L2TP's main advantage is that it can be used over non-IP networks such as ATM,
Frame Relay, and X.25. It operates at the data link layer.

 L2TP uses digital certificates and also provides computer authentication, which adds
an extra level of security. User authentication can be performed via the same PPP
authentication mechanisms as PPTP.
 L2TP gives you data confidentiality, which is not present in PPTP. Data integrity,
authentication of origin and replay protection are added advantages.
 The extra security measures slightly slow performance compared to PPTP.
 IPSec's Encapsulating Security Payload protocol provides the encryption for L2TP
tunnels.

Many firewall products support L2TP VPNs (including ISA Server, CheckPoint, Cisco
PIX, and WatchGuard).

 Windows 2000, XP and 2003 incorporate the L2TP protocol. It can be downloaded
for other versions of Windows.
 Software that supports L2TP for Linux and Mac OS can be downloaded from the
Internet.

IPSec

IPsec is known for its use with L2TP for encryption. It can be considered as a VPN
solution for gateway-to-gateway VPNs. IPSec operates at the network layer.

 IPSec works only in IP-based networks.
 It requires that the client computer have the required software.
 Authentication is done by IKE (Internet Key Exchange) with either digital
certificates or pre-shared keys.
 IPSec protects against most common attack methods, including Denial of Service
and "man-in-the-middle" attacks.

Many hardware VPN appliances use an implementation of IPSec (Cisco's VPN
Concentrators and PIX firewalls, NetScreen, SonicWall, and WatchGuard appliances).

 Windows 2000/XP/2003 support IPSec. ISA Server also supports IPSec.
 CheckPoint and Symantec Enterprise Firewall also support IPSec VPNs.

SSL

Secure Sockets Layer (SSL) VPN is growing in popularity because it does not need
special VPN client software on the VPN clients. SSL VPN uses the Web browser as the
client application and so is called a "clientless" solution.

 Clients do not have access to the whole network or subnet as with other
protocols.
 Custom programming in Java or ActiveX is necessary to enable other applications
to access the VPN through the Web browser.
 The disadvantage is that client browser settings need to be opened up to active
content, which exposes the browser to malicious content. Unsigned active content
can be blocked and plug-ins can be digitally signed.

Virtual private networking is a cost effective way to provide remote access to your
company network. Selection of the proper tunneling method decides your level of
security.

Remote users have been able to connect to servers using a variety of applications, such
as an Outlook Web Access connection through the Exchange server. Wireless users
connecting over the Internet are more susceptible to security problems. A VPN in a
wireless environment provides the necessary security for wireless data transfer, as the
information sent is encrypted. VPN technologies have brought about a secure logical
connection between two end points in a network. Setting up a VPN may not require you
to buy any extra hardware device or software; you may already have the technology
that makes it possible to set up a VPN service. Sometimes you may just have to
purchase a few accessories such as VPN routers.

Hardware VPN vendors vouch that their products are safer, and the software VPN
vendors are not far behind. Whatever the claims, VPN use is growing steadily, and the
many attempts at increasing its security and performance are making it an attractive
solution to adopt. VPN solutions can be either hardware oriented or software oriented.
The difference is very basic: it depends upon whether the protocols are executed in a
hardware device or on the computer system (where the operating system's VPN
client/server software is used). SSL VPN is a relatively new clientless VPN technology
that has come up as a challenge to IPSec VPN technology.

The idea behind VPN technology is in some ways similar to QR codes. The goal of both
is to pass on a message that needs to be decoded before the final information is
returned to the user. The process differs for the VPN and the QR code, but the end
result is the same.

VPN Software Setup

VPN setup depends upon a number of factors, such as which systems are involved in the
end-to-end connection, servers or clients. Big corporations have a number of servers
to improve performance in the various tasks that are carried out. Implementing a VPN
for them will depend on the amount of work and the solution the administrator offers
them. For a client, buy software that is compatible with the server and set up the
VPN service. Some operating systems already give you the ability to run a VPN, and
all you need to know is how to set it up. Microsoft is a market leader and has a
monopoly over the market. It has incorporated VPN requirements into its operating
systems or has provided service packs that could help you optimize your PC for VPN.

Requirements for VPN setup

In every setup you look at the requirements first and see whether it is possible to
implement it with the available resources. If not, ask yourself what the additional
resources are. For a Windows-based client-server system, the requirements would be a
server (running server software, for example Windows 2003) and a client (running
client software, for example Windows XP). For large corporations that have a secure
network you would require additional servers.

• A server is required to support the infrastructure of your network. It will act as
a domain controller, DNS server, certificate authority and DHCP (Dynamic Host
Configuration Protocol) server. Most networks already have this, and the next step
is setting up a certificate authority, which is described in this article.
• A server that separately acts as your VPN server can prevent attacks or disruption
of services within the network. It is best to place a firewall in front of the VPN
server such that only VPN traffic is allowed into this server. The specific hardware
that this server needs is two network interface cards: one to connect to the
Internet and the second to connect to the private corporate network.
• A server is needed to authenticate all the remote users attempting to access the
private corporate network. RADIUS (Remote Authentication Dial In User Service) is
one mechanism; IAS (Internet Authentication Service) is another mechanism that comes
with the server operating system. In other cases you could purchase additional
software for authentication purposes, in case it does not come with the operating
system you purchased. Authentication is done by VPN hardware products as well; these
usually come bundled with software that does the work.

Implement DHCP Services

If your network already has a domain controller and DNS servers, then you can
configure the domain for DHCP services. This is achieved from the Control Panel.
Choose 'Add Windows Components'.

• Networking Services provides a list
• From this list choose DHCP
• Once DHCP is installed, go to Administrative Tools
• Authorize the server within the DHCP console (right-click on the server)
• Select the New Scope (range of IP addresses) option to run the New Scope Wizard
(right-click on the server's listing within the console)
• You need to enter the IP address range you are using
• Enter the IP address of the router (default gateway)
• The IP address of the DHCP server needs to be entered
• Activate your scope option and you are finished with implementation of the
DHCP service

Enterprise Certificate Authority

This is the most confidential part of the setup. Knowledge of this can give a person
access to the whole network, and if the certificate authority server crashes then it
can be devastating. Achieve this operation with the following steps.

• Go to Certificate Services in the Windows Components from the Control Panel
• A warning message will appear telling you that you will not be able to rename the
machine or change its group membership after the certificates are installed
• Click Yes in the next window
• Choose 'Enterprise Root CA' as the certificate authority you want to install
• While entering the common name for the certificate authority you must select a
validity period (1 or 2 years depending on your corporate security policy)
• The default period for a certificate to be valid is 5 years
• Windows will generate the cryptographic keys and will ask you for a location for
the certificate database
• Depending on the performance and fault tolerance you need, you can choose a
different location or just go ahead with the default location
• 'Restart the IIS services' to install the necessary components.

Internet Authentication Service - Installation and Configuration

Users who enter the corporate network through a VPN connection need to be
authenticated. The Internet Authentication Server is a member server in one of the
domains. The installation of this service is achieved by adding Windows components.
You can access this from the Control Panel.

• For configuration of IAS you need to select this option from Administrative Tools
• Registering the IAS server in Active Directory is the first step
• For this, right-click on the Internet Authentication Service (Local) container
• Select 'Register Server in Active Directory'
• Complete the registration and right-click on the RADIUS Clients container to enter
new RADIUS clients by giving the IP address or the DNS name of the client machine
• Click Next and you will be asked for a shared secret (the encryption key used by
the RADIUS server and the client)
• Set the client vendor option to RADIUS Standard to finish the configuration
process.

Remote Access Policy

To set up a remote access policy:

• Right-click the Remote Access Policies container to get the New Remote Access
Policy option
• Select the 'Typical policy for a common scenario' option
• Enter 'VPN access' as the policy name and continue
• Select the VPN option and continue to apply the policy to users or groups
• The next option will be the Authentication Methods screen, on which select
MS-CHAP v2
• The next screen will give you options for encryption; confirm the strongest
encryption option and finish configuring the remote access policy.

VPN server configuration

This is to configure the VPN server with the RADIUS server, the DHCP server and the
remote client.

• Open the server's Network Connections folder. Go to Administrative Tools and
select Routing and Remote Access. Right-click the VPN server in the console tree
and launch the server wizard by enabling 'Routing and Remote Access'. After
selecting Remote Access (Dial-up or VPN), mark the checkbox for VPN. This shows you
the connections to the Internet via VPN. Enable the 'Security' checkbox. Select
'Automatically' and proceed to set up the server to work with a RADIUS server by
entering the IP address of the RADIUS server and the shared secret between the VPN
server and the RADIUS server.
• Associate the VPN server with the DHCP server by navigating through the console
tree to the option 'IP Routing - DHCP Relay Agent'. Right-click on the DHCP Relay
Agent and select Properties. Now enter the IP address of the DHCP server and click
'Add'.
• The remote client side is handled by creating a special security group for any
user who is accessing the network over VPN connections. This is done when
configuring VPN connections.
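The DHCP, IAS and Routing and Remote Access steps above, scripted as an added example rather than the article's own instructions. It assumes a current Windows Server with the DhcpServer, NPS and RemoteAccess modules (IAS became NPS after Server 2003); every host name, address and range is a placeholder, and each section runs on the host named in its comment.

```powershell
# Added example, not from the article: the DHCP, IAS/NPS and RRAS steps as PowerShell.
# Assumes a current Windows Server with the DhcpServer, NPS and RemoteAccess modules.
# All names, addresses and ranges below are placeholders; replace them with yours.
$DhcpHost    = 'dc1.corp.example'   # domain controller that will also serve DHCP
$DhcpIp      = '10.0.0.10'
$VpnServerIp = '10.0.0.5'           # VPN server's internal NIC (the other NIC faces the Internet)
$RadiusHost  = 'nps1.corp.example'  # the IAS/NPS authentication server

# --- Run on the DHCP host: install, authorize in Active Directory, create an active scope ---
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName $DhcpHost -IPAddress $DhcpIp           # the 'Authorize' right-click
Add-DhcpServerv4Scope -Name 'Corp LAN' -StartRange 10.0.0.100 -EndRange 10.0.0.200 `
    -SubnetMask 255.255.255.0 -State Active                        # 'Activate your scope'
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -Router 10.0.0.1 -DnsServer $DhcpIp   # default gateway

# --- Run on the IAS/NPS host: register in Active Directory, add the VPN server as a RADIUS client ---
# The shared secret authenticates every RADIUS packet and hides the User-Password
# attribute, so it comes from a CSPRNG rather than a guessable word, and is copied
# to the VPN server out of band (the article's 'shared secret' prompt on both sides).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)
netsh nps add registeredserver                                     # 'Register Server in Active Directory'
New-NpsRadiusClient -Name 'vpn1' -Address $VpnServerIp `
    -SharedSecret $SharedSecret -VendorName 'RADIUS Standard'
# The MS-CHAP v2 / strongest-encryption remote access policy has no cmdlet; build it
# in the NPS console as the article describes (Export-NpsConfiguration can then save it).

# --- Run on the VPN server: VPN role, RADIUS authentication, DHCP relay ---
# $SharedSecret here is the same value generated on the NPS host above.
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn
Add-RemoteAccessRadius -ServerName $RadiusHost -SharedSecret $SharedSecret -Purpose Authentication
netsh routing ip relay add dhcpserver $DhcpIp                      # 'IP Routing - DHCP Relay Agent'
```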

VPN Client Configuration

If you have a Windows XP based client, configure it by opening the Network and
Internet Connections option from the Control Panel.

• Select 'Create a connection to the network at your workplace' and next select the
VPN connection option.
• Give the name of the company or any name to describe your connection.
• Next you will be asked for an external IP address. This IP address is the address
of the connection that is connected to the VPN server.
• Enter this and your VPN connection is ready.
• Test the connection once it is ready by connecting to the server.
• When you dial up, set the type of VPN to PPTP VPN.
• There are variations in the VPN client connection due to the various encryption and
authentication techniques. Only some have been outlined above.
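The XP client steps above as an added example that is not part of the article, using the VpnClient module on a current Windows client (an assumption); 'vpn.corp.example' and 'Corp VPN' are placeholders for the external address and the connection name the wizard asks for.

```powershell
# Added example, not from the article: the XP 'connect to the network at my workplace'
# wizard as PowerShell on a current Windows client (assumes the VpnClient module).
# 'vpn.corp.example' is a placeholder for the VPN server's external address.
$Name   = 'Corp VPN'
$Server = 'vpn.corp.example'

# PPTP with MS-CHAP v2 and maximum encryption: the client-side match for the
# article's remote access policy (MS-CHAP v2, strongest encryption).
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum

# One of the variations the article mentions: the same cmdlet builds an L2TP/IPsec
# connection, which carries PPP inside IPsec keyed by a pre-shared key (placeholder).
# Add-VpnConnection -Name "$Name L2TP" -ServerAddress $Server -TunnelType L2tp `
#     -L2tpPsk 'REPLACE-WITH-YOUR-PSK' -AuthenticationMethod MSChapv2 `
#     -EncryptionLevel Maximum -Force

# Test the connection as the article suggests, then check what was configured.
rasdial $Name $env:USERNAME *          # '*' prompts for the password instead of embedding it
Get-VpnConnection -Name $Name |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel, ConnectionStatus
```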

VPN Hardware Setup

VPN routers are sold by many companies. Their setup is dependent on the product of
the respective company. In any case the required software and instructions for the
setup are provided along with the purchase. Many of these companies also offer a
service to set up and configure your VPN connection.

VPN setup is a process that needs to be discussed with the network administrator.
Many a time you are guided by the network administrator in the setup at your remote
access client network. The VPN may be set up, but always be on the safe side: get a
good antivirus and install a good firewall to protect your computer from unwanted
attacks.

VPN solutions: Technology protecting your Privacy

Information is the most important asset of any organization. It should be protected
from its competitors and from outsiders; at the same time it should be communicated
and exchanged among various sources. So organizations are often in a fix. Is there a
way out? Certainly there is. VPN-based technology shows the way out. The article
covers

• Various connections that require secured access
• The considerations for the design architecture of an effective VPN
• VPN solutions and investment considerations

Rapid technological advances make information the most valuable asset of a company.
Keeping information secure is vital for businesses and enterprises. Yet communication
of necessary information is essential to businesses and enterprises, and a VPN-based
solution gives secure communications. Private networks used to be the way of
broad-scale communication. Expensive, difficult to expand, and difficult to maintain
and manage, these networks were exclusively set up by businesses that could afford
them. The Internet offered an inexpensive alternative for communication but had
problems with the security of information. Site-to-site VPN solutions offered to take
care of secure data transmission between various intranets and extranets. Roaming
VPN solutions give clients better performance in security and confidentiality.

An authenticated and encrypted data transmission between two systems is what a VPN
is all about. User privacy, data integrity and data authenticity are achieved through
the various protocols adopted by VPNs. Combining advances in tunneling, encryption
and firewall technologies with a good authentication mechanism, we have an optimum
solution in the VPN. Tools for transparent setup and management, along with
flexibility and scalability, have encouraged the VPN's gradual acceptance by
businesses and enterprises. Whether for intranets, extranets or private networks, VPN
technology can be integrated seamlessly into the network. Secure access should be
provided for connections like

• Network-to-network (a site-to-site solution is needed)
• Desktop-to-desktop (a client VPN solution is needed)
• Client-to-server (a server and client VPN solution is needed)
• Dial-up for home office or traveling users (a roaming VPN solution is needed)

The design architecture of an effective VPN should consider

• Remote access is essential in a teleworking or home-office scenario. Secure
tunnels through a dial-up or any other connection to the office are necessary.
• Authentication of the user's identity is done by a variety of methods like
passwords, smart cards, digital signatures, digital certificates etc.; however, none
of them are entirely foolproof.
• Encryption makes information unreadable without special knowledge of a key or
code. E-commerce, mobile telephony, automatic teller machines and private data need
confidentiality. Encryption techniques can be emulated and cracked, but it requires
expert knowledge and takes a lot of time.
• Tunneling establishes a communication channel between two users such that no one
else on a public domain can get access to the data transmitted. Even though there
are protocols for tunneling, security in a tunnel exists only if it truly runs from
your machine to the other machine and does not end before your machine.
• A firewall is necessary to keep your computer or internal network segments secure
from snooping, intruders or any other threat. It helps users to safely connect to
the Internet as well, and implements security by allowing necessary traffic and
blocking unnecessary traffic into and out of a network.
• Quality of Service (QoS) is necessary to guarantee that business-critical
applications get the required priority over non-critical usage like surfing the Web.
This is done by 'bandwidth shaping' in the VPN to enable quality of service for the
many organizations that migrate from private networks.
• Digital certificates and PKI solutions require ongoing management. This is a
critical process due to the sensitive nature of digital certificates, as they are
related to authentication and logging into the resources of the network. The
overwhelming task of management can often offset the desired benefits. Automated
digital certificate management provides an efficient means of managing digital
certificates while ensuring enforcement of security policies.
• Encryption is computationally intensive; software and hardware components should
not affect the network's throughput performance. If any server's performance is
affected, then a separate VPN server may be needed to improve the latency factor
(time taken by the server to respond to a request).
• Management, monitoring, alerting, reporting and helping is done at various levels
in a given network by the administrator. The various log files help determine the
users and the applications that have accessed the VPN. These are separate, and many
software packages are coming out with performance management systems for VPNs.
• Management features can be improved to eliminate daily operations by incorporating
automatic key management, auditing and logging, SNMP (Simple Network Management
Protocol) and centralized management for security.

Long-term planning is necessary, as a VPN is not a one-time investment in software or
hardware. Maintenance and support are two essential features. The areas that require
to be examined are

• User and database management
• Tunnel management
• Key management
• Software management
• Support management

Look at every angle in the beginning, as VPN is dynamic and is still an evolving
technology that is being tested by unscrupulous elements on the Internet. Flaws that
crop up need to be dealt with. See that the VPN you buy is able to grow along with
your business. Some of the areas that will continue to see new developments are

• Encryption algorithms have changed and will continue to change.
• Tunneling protocols as well.
• Flexibility of current systems to adapt to the changes.
• Software upgrades to support any new changes.
• More expensive hardware or upgrades.
• Expansion of the user base that makes the network scalable.
• Larger bandwidth to accommodate more and more VPN sessions.

The major components that need to be taken into account for a VPN are

• Internet (connection and the speeds to determine the amount of information to be
transferred and the effectiveness of the bandwidth offered)
• Security gateways (routers, firewalls, integrated VPN hardware and integrated VPN
software)
• Security policy servers (RADIUS to control access control lists and user-related
information)
• Certificate authorities (an outside certificate authority may need to be used in
case you have to verify users from business partners when there is a mutual
business environment)

The Internet is growing and so are the many threats on the Internet. A flaw in some
software or hardware may completely expose the privacy of users on the VPN network.
Regular monitoring and policing is the most effective solution.
