Virtual private network

Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or more other networks which are either untrusted (because they are not controlled by the entity implementing the VPN) or need to be isolated (so that the underlying network is hidden or not directly usable). [1]

A VPN can extend access to a private network to users who do not have direct access to it, such as an office network allowing secure access from off-site over the Internet. [2] This is achieved by creating a link between computing devices and computer networks by the use of network tunneling protocols.

It is possible to make a VPN secure to use on top of an insecure communication medium (such as the public Internet) by choosing a tunneling protocol that implements encryption. Compared with dedicated communication lines, this kind of VPN implementation offers reduced costs and greater flexibility for remote workers. [3]

The term VPN is also used to refer to VPN services which sell access to their own private networks for internet access by connecting their customers using VPN tunneling protocols.

Motivation

The goal of a virtual private network is to allow network hosts to exchange network messages across another network to access private content, as if they were part of the same network. This is done in a way that makes crossing the intermediate network transparent to network applications. Users of a network connectivity service may consider such an intermediate network to be untrusted, since it is controlled by a third party, and might prefer a VPN implemented via protocols that protect the privacy of their communication.

In the case of a provider-provisioned VPN (PPVPN), the goal is not to protect against untrusted networks, but to isolate parts of the provider's own network infrastructure into virtual segments, in ways that make the contents of each segment private with respect to the others. This makes many other tunneling protocols suitable for building PPVPNs, even ones with weak or no security features (as in VLAN).

VPN general working

How a VPN works depends on which technologies and protocols the VPN is built upon. A tunneling protocol is used to transfer the network messages from one side to the other. The goal is to take network messages from applications on one side of the tunnel and deliver them unchanged on the other side. Applications do not need to be modified to let their messages pass through the VPN, because the virtual network or link is made available to the OS as an ordinary network interface.

Applications that implement tunneling or proxying features for themselves, without exposing such features as a network interface, are not considered VPN implementations, but they may achieve the same or a similar end-user goal of exchanging private content with a remote network.

VPN topology configurations

[Figure: VPN classification tree based on the topology first, then on the technology used]
[Figure: VPN connectivity overview, showing intranet site-to-site and remote-work configurations used together]

Virtual private network configurations can be classified by the purpose of the virtual extension, which makes different tunneling strategies appropriate for different topologies:

Remote access
A host-to-network configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension gives that computer access to the local area network of a remote site, or to any wider enterprise network, such as an intranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for remote workers, or to let people access their private home or company resources without exposing them on the public Internet. Remote access tunnels can be either on-demand or always-on. Because the remote host's location is usually unknown to the central network until the former tries to reach it, proper implementations of this configuration require the remote host to initiate the communication towards the central network it is accessing.
Site-to-site
A site-to-site configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between two devices (such as routers, firewalls, VPN gateways or servers) located at the two network locations. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, such as office networks to their headquarters or datacenter. In this case, either side may be configured to initiate the communication as long as it knows how to reach the other on the intermediate network. If both are known to each other, and the chosen VPN protocol is not bound to a client-server design, the communication can be initiated by either of the two as soon as they see that the VPN is inactive or some local host is trying to reach another one known to be located on the other side.

In the context of site-to-site configurations, the terms intranet and extranet are used to describe two different use cases. [4] An intranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.

Typically, individuals interact with remote access VPNs, whereas businesses tend to make use of site-to-site connections for business-to-business, cloud computing, and branch office scenarios. However, these technologies are not mutually exclusive and, in a significantly complex business network, may be combined to enable remote access to resources located at any given site, such as an ordering system that resides in a data center.

Apart from the general topology configuration, a VPN may also be characterized by:

A variety of VPN techniques exist to adapt to the above characteristics, each providing different network tunneling capabilities and different security model coverage or interpretation.

VPN native and third-party support

Operating system vendors and developers typically offer native support for a selection of VPN protocols, which changes over the years as some protocols have proven insecure with respect to modern requirements and expectations, and others have emerged.

VPN support in consumer operating systems

Desktop, smartphone and other end-user device operating systems usually support configuring remote access VPNs from their graphical or command-line tools. [5] [6] [7] However, due to the variety of, often non-standard, VPN protocols, there exist many third-party applications that implement additional protocols not yet, or no longer, natively supported by the OS.

For instance, Android lacked native IPsec IKEv2 support until version 11, [8] and people needed to install third-party apps in order to connect to that kind of VPN, while Microsoft Windows, BlackBerry OS and others already supported it.

Conversely, Windows does not natively support plain IPsec IKEv1 remote access VPN configuration (commonly used by Cisco and Fritz!Box VPN solutions), which makes the use of third-party applications mandatory for people and companies relying on that VPN protocol.

VPN support in network devices

Network appliances, such as firewalls, often include VPN gateway functionality for either remote access or site-to-site configurations. Their administration interfaces often facilitate setting up virtual private networks with a selection of supported protocols that have been integrated for an easy out-of-the-box setup.

In some cases, as in the open source operating systems devoted to firewalls and network devices (such as OpenWrt, IPFire, pfSense or OPNsense), it is possible to add support for additional VPN protocols by installing missing software components or third-party apps.

Similarly, it is possible to get additional VPN configurations working, even if the OS does not facilitate the setup of that particular configuration, by manually editing internal configuration files or by modifying the open source code of the OS itself. For instance, pfSense does not support, through its user interface, remote access VPN configurations in which the OS runs on the remote host, while it provides comprehensive support for configuring it as the central VPN gateway of such a remote-access scenario.

In contrast, commercial appliances with VPN features based on proprietary hardware/software platforms usually support a consistent VPN protocol across their products but do not open up to customizations outside the use cases they were intended to implement. This is often the case for appliances that rely on hardware acceleration of VPNs to provide higher throughput or to support a larger number of simultaneously connected users.

Security mechanisms

Whenever a VPN is intended to virtually extend a private network over a third-party untrusted medium, it is desirable that the chosen protocols match the following security model:

VPNs are not intended to make connecting users anonymous or unidentifiable from the perspective of the untrusted medium's network provider. If the VPN makes use of protocols that provide confidentiality, their usage can still increase user privacy by making the owner of the untrusted medium unable to read the private data exchanged across the VPN.

Authentication

In order to prevent unauthorized users from accessing the VPN, most protocols can be implemented in ways that also enable authentication of the connecting parties. This protects the confidentiality, integrity and availability of the joined remote network.

Tunnel endpoints can be authenticated in various ways during VPN access initiation. Authentication can happen immediately on VPN initiation (e.g. by simple whitelisting of the endpoint IP address), or much later, after the tunnels are already active (e.g. with a web captive portal).

Remote-access VPNs, which are typically user-initiated, may use passwords, biometrics, two-factor authentication, or other cryptographic methods. People initiating this kind of VPN from arbitrary, unknown network locations are also called "road warriors". In such cases, it is not possible to use originating network properties (e.g. IP addresses) as secure authentication factors, and stronger methods are needed.

Site-to-site VPNs often use passwords (pre-shared keys) or digital certificates. Depending on the VPN protocol, they may store the key to allow the VPN tunnel to establish automatically, without intervention from the administrator.

VPN protocols to highlight

[Figure: The life cycle phases of an IPsec tunnel in a virtual private network]

A virtual private network is based on a tunneling protocol, and may be combined with other network or application protocols providing extra capabilities and different security model coverage.

Trusted delivery networks

Trusted VPNs do not use cryptographic tunneling; instead, they rely on the security of a single provider's network to protect the traffic. [24]

From a security standpoint, a VPN must either trust the underlying delivery network or enforce security with a mechanism in the VPN itself. Unless the trusted delivery network runs only among physically secure sites, both the trusted and the secure model need an authentication mechanism for users to gain access to the VPN.

VPNs in mobile environments

Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks, such as data networks from cellular carriers or multiple Wi-Fi access points, without dropping the secure VPN session or losing application sessions. [28] Mobile VPNs are widely used in public safety, where they give law-enforcement officers access to applications such as computer-assisted dispatch and criminal databases, [29] and in other organizations with similar requirements, such as field service management and healthcare. [30]
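The two points above, that the outer IP address of a road warrior is not an authentication factor and that a mobile VPN must survive a change of that address, can be shown together in a small gateway model. This is an added example, not code from the page or any real VPN implementation; the header layout, session table and constructed addresses are assumptions. The gateway identifies a tunnel by an authenticated session id plus a per-session key (HMAC-SHA256 over the encapsulated packet), so a verified packet from a new outer address simply moves the session, while a packet without the key is dropped even when it arrives from the address the client used before.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed encapsulation header (not any real VPN protocol's wire format):
#   session id (4 bytes) | sequence number (4 bytes) | tag (16 bytes) | inner packet
HDR = struct.Struct("!4sI")
TAG_LEN = 16


def seal(key, sid, seq, inner):
    """Client side: authenticate the encapsulated inner packet under the session key."""
    head = HDR.pack(sid, seq)
    tag = hmac.new(key, head + inner, hashlib.sha256).digest()[:TAG_LEN]
    return head + tag + inner


class TunnelServer:
    """Gateway side of a roaming-capable tunnel. Sessions are looked up by the
    authenticated session id, never by the outer source address."""

    def __init__(self):
        self.sessions = {}  # sid -> {"key": bytes, "peer": (ip, port), "seq": int}

    def open_session(self, key, peer):
        # Session establishment (key agreement, user authentication) is assumed done.
        sid = secrets.token_bytes(4)
        self.sessions[sid] = {"key": key, "peer": peer, "seq": 0}
        return sid

    def receive(self, outer_src, datagram):
        """Return (verdict, inner_packet_or_None) for one datagram from outer_src."""
        if len(datagram) < HDR.size + TAG_LEN:
            return "drop:short", None
        sid, seq = HDR.unpack_from(datagram)
        sess = self.sessions.get(sid)
        if sess is None:
            return "drop:unknown-session", None
        tag = datagram[HDR.size:HDR.size + TAG_LEN]
        inner = datagram[HDR.size + TAG_LEN:]
        expected = hmac.new(sess["key"], HDR.pack(sid, seq) + inner,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "drop:bad-tag", None
        # Strictly increasing sequence numbers: a resent datagram is rejected.
        if seq <= sess["seq"]:
            return "drop:replay", None
        sess["seq"] = seq
        # Roaming: only an authenticated packet may update where the peer is.
        if sess["peer"] != outer_src:
            sess["peer"] = outer_src
        return "ok", inner


def demo():
    """Walk a session through a network change; addresses are constructed samples."""
    server = TunnelServer()
    key = secrets.token_bytes(32)
    cellular, wifi = ("198.51.100.7", 40000), ("203.0.113.9", 51000)
    sid = server.open_session(key, cellular)
    pkt1 = seal(key, sid, 1, b"inner-ip-packet-1")
    r1 = server.receive(cellular, pkt1)
    # Client moves to Wi-Fi: new outer address, same session id and key.
    r2 = server.receive(wifi, seal(key, sid, 2, b"inner-ip-packet-2"))
    # A resend of pkt1 fails the sequence check.
    r3 = server.receive(wifi, pkt1)
    # A datagram from the old address without the session key is not trusted
    # just because that address once belonged to the client.
    r4 = server.receive(cellular, seal(b"wrong-key", sid, 3, b"unauthenticated"))
    return r1, r2, r3, r4, server.sessions[sid]["peer"]
```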

Networking limitations

A limitation of traditional VPNs is that they are point-to-point connections and do not tend to support broadcast domains; therefore, communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported as on a local area network. Variants on VPN such as Virtual Private LAN Service (VPLS) and layer 2 tunneling protocols are designed to overcome this limitation. [31]

References

  1. "virtual private network". NIST Computer Security Resource Center Glossary. Archived from the original on 2 January 2023. Retrieved 2 January 2023.
  2. "What Is a VPN? - Virtual Private Network". Cisco. Archived from the original on 31 December 2021. Retrieved 5 September 2021.
  3. Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7. ISBN 9781587050336.
  4. RFC 3809 - Generic Requirements for Provider Provisioned Virtual Private Networks, sec. 1.1. doi:10.17487/RFC3809.
  5. "Connect to a VPN in Windows - Microsoft Support". support.microsoft.com. Retrieved 11 July 2024.
  6. "Connect to a virtual private network (VPN) on Android" . Retrieved 11 July 2024.
  7. "VPN settings overview for Apple devices". Apple Support. Retrieved 11 July 2024.
  8. "IPsec/IKEv2 Library". Android Open Source Project. Retrieved 11 July 2024.
  9. RFC 6434, "IPv6 Node Requirements", E. Jankiewicz, J. Loughney, T. Narten (December 2011).
  10. "Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S - VPN Acceleration Module [Support]". Cisco. Retrieved 9 July 2024.
  11. "VPN overview for Apple device deployment". Apple Support. Retrieved 9 July 2024.
  12. "About Always On VPN for Windows Server Remote Access". learn.microsoft.com. 22 May 2023. Retrieved 9 July 2024.
  13. "1. Ultimate Powerful VPN Connectivity". www.softether.org. SoftEther VPN Project. Archived from the original on 8 October 2022. Retrieved 8 October 2022.
  14. "OpenConnect". Archived from the original on 29 June 2022. Retrieved 8 April 2013. OpenConnect is a client for Cisco's AnyConnect SSL VPN [...] OpenConnect is not officially supported by, or associated in any way with, Cisco Systems. It just happens to interoperate with their equipment.
  15. "Why TCP Over TCP Is A Bad Idea". sites.inka.de. Archived from the original on 6 March 2015. Retrieved 24 October 2018.
  16. "Trademark Status & Document Retrieval". tarr.uspto.gov. Archived from the original on 21 March 2012. Retrieved 8 October 2022.
  17. "ssh(1) – OpenBSD manual pages". man.openbsd.org. Archived from the original on 5 July 2022. Retrieved 4 February 2018.
  18. Salter, Jim (30 March 2020). "WireGuard VPN makes it to 1.0.0—and into the next Linux kernel". Ars Technica. Archived from the original on 31 March 2020. Retrieved 30 June 2020.
  19. "Diff - 99761f1eac33d14a4b1613ae4b7076f41cb2df94^! - kernel/common - Git at Google". android.googlesource.com. Archived from the original on 29 June 2022. Retrieved 30 June 2020.
  20. Younglove, R. (December 2000). "Virtual private networks - how they work". Computing & Control Engineering Journal. 11 (6): 260–262. doi:10.1049/cce:20000602 (inactive 7 December 2024). ISSN 0956-3385.
    • Dowling, Benjamin; Paterson, Kenneth G. (12 June 2018). "A cryptographic analysis of the WireGuard protocol". International Conference on Applied Cryptography and Network Security. ISBN 978-3-319-93386-3.
  21. Fuller, Johnray; Ha, John (2002). Red Hat Linux 9: Red Hat Linux Security Guide (PDF). United States: Red Hat, Inc. pp. 48–53. Archived (PDF) from the original on 14 October 2022. Retrieved 8 September 2022.
  22. Titz, Olaf (20 December 2011). "CIPE - Crypto IP Encapsulation". CIPE - Crypto IP Encapsulation. Archived from the original on 18 May 2022. Retrieved 8 September 2022.
  23. Titz, Olaf (2 April 2013). "CIPE - encrypted IP in UDP tunneling". SourceForge . Archived from the original on 8 September 2022. Retrieved 8 September 2022.
  24. Cisco Systems, Inc. (2004). Internetworking Technologies Handbook. Networking Technology Series (4 ed.). Cisco Press. p. 233. ISBN 9781587051197. Retrieved 15 February 2013. [...] VPNs using dedicated circuits, such as Frame Relay [...] are sometimes called trusted VPNs, because customers trust that the network facilities operated by the service providers will not be compromised.
  25. Layer Two Tunneling Protocol "L2TP". Archived 30 June 2022 at the Wayback Machine. RFC 2661, W. Townsley et al., August 1999.
  26. IP Based Virtual Private Networks. Archived 9 July 2022 at the Wayback Machine. RFC 2341, A. Valencia et al., May 1998.
  27. Point-to-Point Tunneling Protocol (PPTP). Archived 2 July 2022 at the Wayback Machine. RFC 2637, K. Hamzeh et al., July 1999.
  28. Phifer, Lisa. "Mobile VPN: Closing the Gap" Archived 6 July 2020 at the Wayback Machine , SearchMobileComputing.com, 16 July 2006.
  29. Willett, Andy. "Solving the Computing Challenges of Mobile Officers" Archived 12 April 2020 at the Wayback Machine , www.officer.com, May, 2006.
  30. Cheng, Roger. "Lost Connections" Archived 28 March 2018 at the Wayback Machine , The Wall Street Journal, 11 December 2007.
  31. Sowells, Julia (7 August 2017). "Virtual Private Network (VPN) : What VPN Is And How It Works". Hackercombat. Archived from the original on 17 June 2022. Retrieved 7 November 2021.