
Virtual Private Network


aliases:

  • VPN

A type of network that uses encryption to forward IP traffic over a TCP/IP network.

Tunneling protocols encrypt the packet contents and wrap them in an unencrypted outer packet. Only the tunnel endpoints can encrypt and decrypt VPN packets: the two endpoints create a secure virtual communication channel, and only the destination endpoint can decrypt and unwrap the packets.

Normal network routers can use the unencrypted outer VPN packet headers to forward the packet through the network, but they can't read the encrypted contents carried inside.
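As an added illustration of the tunneling description above (this is example code, not from the original page or any VPN product): an ESP-style encapsulation in Go using AES-GCM, where the outer header stays readable for routers and the inner packet is opaque to anyone without the key. The 12-byte header layout and the names Tunnel, Encapsulate, RouterNextHop and Decapsulate are assumptions of this example, not a real protocol's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"net"
)

// Outer header, sent in the clear: src(4) dst(4) seq(4); the GCM nonce is derived from seq.
const hdrLen = 12
type Tunnel struct{ aead cipher.AEAD } // one endpoint's view of the channel: the shared key

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return &Tunnel{aead}, nil
}

// nonceFor derives the 96-bit GCM nonce from seq; seq must never repeat under one key.
func nonceFor(hdr []byte) []byte {
	nonce := make([]byte, 12)
	copy(nonce[8:], hdr[8:12])
	return nonce
}

// Encapsulate encrypts the whole inner packet; the plaintext outer header is bound to it as associated data.
func (t *Tunnel) Encapsulate(outerSrc, outerDst net.IP, seq uint32, inner []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], outerSrc.To4())
	copy(hdr[4:8], outerDst.To4())
	binary.BigEndian.PutUint32(hdr[8:], seq)
	return t.aead.Seal(hdr, nonceFor(hdr), inner, hdr)
}

// RouterNextHop is all a router does: read the outer destination; with no key the inner packet is opaque to it.
func RouterNextHop(packet []byte) net.IP { return net.IP(packet[4:8]) }

// Decapsulate fails if the ciphertext or the outer header was altered in transit.
func (t *Tunnel) Decapsulate(packet []byte) ([]byte, error) {
	if len(packet) < hdrLen+t.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := packet[:hdrLen]
	return t.aead.Open(nil, nonceFor(hdr), packet[hdrLen:], hdr)
}
```

Because the outer header is authenticated as associated data, a packet whose outer addresses were rewritten in transit is rejected at the receiving endpoint rather than silently misrouted.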

Implementations

There are three main implementations of a VPN.

  • Host to Host: two hosts have a secure channel and communicate directly with one another.
  • Site to Site: routers on the edge of each network create the secure channel, and the inner hosts within each network aren't aware that a VPN is being used.
  • Remote Access: a server on the edge of a network is configured to accept incoming VPN connections using a client-to-site configuration. Allowed hosts are accepted into the VPN.

Protocols

There are five common VPN protocols in use.

| Protocol | Description | Encryption? | Authentication? |
| --- | --- | --- | --- |
| Point to Point Tunneling Protocol (PPTP) | Microsoft owned. TCP/IP only. 1723/tcp. Supported by most OSes. | no | yes, using CHAP and PAP |
| Layer Two Tunneling Protocol (L2TP) | Open source. Not commonly supported. 1701/tcp and 500/udp. | yes, using IPsec | no |
| Internet Protocol Security (IPsec) | Developed by the Internet Engineering Task Force. Usable with L2TP or by itself. | yes, using its Encapsulating Security Payload | yes, using its Authentication Header |
| Secure Sockets Layer (SSL) | Often used to secure traffic for HTTP, FTP, IMAP and POP3. Sometimes also used as a VPN solution. | yes, the entire communication session | yes, using public key cryptography and digital certificates |
| Generic Routing Encapsulation (GRE) | Developed by Cisco. Used to route any Layer 3 protocol across an IP network. | no | no |

Connection Management

How do we manage an outbound connection coming from a client connected to the network via VPN? There are two ways: split tunnel or full tunnel.

Split tunnel management has the client only use the VPN connection for communications with hosts in the private LAN.

Full tunnel management has all Internet access mediated by the private network itself. Usually this is done using a screened subnet, often containing a DNS server and a content filter.

  • [i] While full tunnel offers better security, it can cause latency issues and cloud service connectivity issues due to the network address translation and DNS operations needed.

Clientless VPNs

Basically we use WebSockets and the HTML5 Canvas element to access a remote desktop and use web apps and other web-based services from a plain browser, with no VPN client installed. This works well because WebSockets keep a single connection open instead of making extra HTTP requests, so it's fast and cheap.
