Lesson 12: Enhancing Security through VPNs
Objective: Describe how virtual private networks evolved.

Enhancing Security through VPNs

Virtual Private Networks or VPNs are called "virtual" because they form temporary connections that have no real physical presence. They consist of packets routed over various machines on an as-needed basis. VPNs make use of public connections, such as the Internet, to create secure private networks. VPNs might be used to connect two different company sites by means of the Internet, for example, or to connect a remote user to a site.
VPNs are a more cost-effective means of point-to-point secure communication than dedicated secure phone lines. Before VPN protocols existed, expensive lines were dedicated between users or companies to keep others from accessing the traffic. A VPN achieves the same level of security over a public line (the Internet) using enhanced encryption techniques. The security techniques involved include encryption, authentication, and firewalls, plus an additional concept, packet tunneling. Packet tunneling encapsulates one data packet within another data packet (or one IP packet within another IP packet) so that otherwise incompatible protocols can be carried. The following are some commonly used tunneling protocols:
  1. AltaVista Tunnel
  2. Point-to-Point Tunneling Protocol (PPTP)
  3. Layer 2 Forwarding Protocol
  4. IP Security (IPSec) tunnel mode

Data Flow from Internet to LAN

VPN Security
Here’s a breakdown of how data flows through the following network elements in a typical network setup:
  1. Internet:
    • The data starts its journey from the internet, which is an interconnected network of servers, routers, and devices. This data could be a request or a response to some service.
    • Data is typically routed through various nodes across the internet, with each node determining the best path to send the data.
    • In our example, the destination would be your proxy server.
  2. Proxy Server:
    • A proxy server acts as an intermediary between the client and the internet. It handles requests from clients seeking resources from other servers.
    • When a client from the LAN makes a request, it first goes to the proxy server.
    • The proxy server forwards the request to the destination on the internet. Once the response is received, it forwards it back to the client.
    • Proxy servers can also cache content, meaning they may serve frequently requested data directly without reaching out to the internet again.
  3. Firewall:
    • The data passes through a firewall, which enforces network security by controlling the incoming and outgoing traffic based on predefined security rules.
    • Firewalls block unauthorized or potentially harmful data packets while allowing legitimate traffic to pass through.
    • The firewall filters traffic at different layers (usually Layer 3/4 of the OSI model, which corresponds to the network and transport layers).
  4. Packet Filter:
    • A packet filter is a specific part of the firewall or sometimes a separate network component that analyzes packets and allows or blocks them based on the source and destination IP addresses, port numbers, and other packet-level information.
    • Packet filtering operates at a low level and does not maintain session state as a stateful firewall does, which means it checks each packet independently.
    • Only packets that match certain rules (e.g., allowed IP addresses, protocols, and ports) can proceed.
  5. LAN (Local Area Network):
    • Once the data has passed through the proxy, firewall, and packet filter, it reaches the internal LAN, which could consist of your internal servers, workstations, or devices.
    • Data that passes all these checks is delivered to the intended device on the network, or it is the response to a request that was originally made from the LAN.
    • The LAN is where devices like computers, printers, and servers are interconnected and communicate within a localized environment.

Summary of Data Flow:
  1. Internet → The initial data is routed from the internet.
  2. Proxy Server → Intermediary that handles data requests/responses between the LAN and the internet.
  3. Firewall → Security check to ensure unauthorized data does not enter the network.
  4. Packet Filter → Low-level filtering of packets based on header information (IP addresses, ports, etc.).
  5. LAN → Data is delivered to the intended device in the internal network.

This setup helps secure the internal network (LAN) by enforcing multiple layers of protection, ensuring that only valid and authorized data reaches the LAN while preventing unauthorized access.
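The stateless packet filter from step 4, as an added example that is not code from the lesson: each packet is judged on its own header fields against an ordered rule list with a default deny, and because nothing records that a LAN client sent a request, the server's reply is dropped unless a rule explicitly allows it. The rule set, LAN range and packet fields are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# A rule is (action, protocol, source network, destination network, destination port);
# "any" or None match everything. Constructed policy for a LAN on 192.168.1.0/24.
Rule = Tuple[str, str, str, str, Optional[int]]
RULES: List[Rule] = [
    ("allow", "tcp", "192.168.1.0/24", "0.0.0.0/0", 443),  # LAN hosts may reach HTTPS servers
    ("allow", "tcp", "0.0.0.0/0", "192.168.1.10/32", 25),  # the Internet may reach the mail server
    ("deny", "any", "0.0.0.0/0", "192.168.1.0/24", None),  # all other traffic into the LAN is dropped
]


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """Compare one packet's header fields with one rule; no session state is consulted."""
    _, r_proto, r_src, r_dst, r_dport = rule
    return (r_proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
            and r_dport in (None, dport))


def filter_packet(proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in RULES:
        if rule_matches(rule, proto, src, dst, dport):
            return rule[0]
    return "deny"


def filter_trace(packets: List[Tuple[str, str, str, int]]) -> List[str]:
    """Run a list of packets through the filter one at a time, each judged independently."""
    return [filter_packet(*pkt) for pkt in packets]


# Constructed exchange: a LAN client opens an HTTPS connection and the server's reply comes
# back to the client's ephemeral port. The filter has no memory of the first packet, so the
# reply is denied by the last rule; a stateless policy needs an explicit rule for return traffic.
EXCHANGE = [
    ("tcp", "192.168.1.20", "203.0.113.5", 443),    # request leaving the LAN
    ("tcp", "203.0.113.5", "192.168.1.20", 51234),  # reply entering the LAN
]
```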

Virtual Private Network

VPN is a generic term used to describe a communication network that uses any combination of technologies to secure a connection tunnelled through an otherwise unsecured or untrusted network. Instead of using a dedicated connection, such as leased line, a "virtual" connection is made between geographically dispersed users and networks over a shared or public network, like the Internet. Data is transmitted as if it were passing through private connections.
VPN transmits data by means of tunnelling. Before a packet is transmitted, it is encapsulated in a new packet, with a new header. This header provides routing information so that the packet can traverse a shared or public network before it reaches its tunnel endpoint. The logical path that the encapsulated packets travel through is called a tunnel. When each packet reaches the tunnel endpoint, it is decapsulated and forwarded to its final destination. Both tunnel endpoints need to support the same tunnelling protocol. Tunnelling protocols operate at either OSI (Open System Interconnection) layer two (the data-link layer) or layer three (the network layer).
The most commonly used tunnelling protocols are IPsec, L2TP, PPTP and SSL. A packet with a private non-routable IP address can be sent inside a packet with globally unique IP address, thereby extending a private network over the Internet.

VPN Security

VPN uses encryption to provide data confidentiality. Once connected, the VPN makes use of the tunnelling mechanism described above to encapsulate encrypted data in a secure tunnel, with headers that remain readable so the packets can cross a public network. Packets passed over a public network in this way are unreadable without the proper decryption keys, thus ensuring that data is not disclosed or changed in any way during transmission. VPN can also provide a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission. By default, VPN does not provide or enforce strong user authentication. Users can enter a simple username and password to gain access to an internal private network from home or via other insecure networks. Nevertheless, VPN does support add-on authentication mechanisms, such as smart cards, tokens and RADIUS.
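As an added example (not part of the lesson or any VPN product's code), the encapsulation step from the Virtual Private Network section combined with the message-digest integrity check described here: an inner packet carrying private RFC 1918 addresses is wrapped in an outer IPv4 header that carries the two gateways' routable addresses, and a keyed digest over the inner packet lets the tunnel endpoint reject anything altered in transit. The key, gateway addresses and payload are constructed, and encryption of the inner packet is left out to keep the focus on encapsulation and integrity.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

IPPROTO_IPIP = 4                      # IANA protocol number for IP-in-IP encapsulation
TUNNEL_KEY = b"constructed-demo-key"  # constructed shared key for the integrity tag, not a real secret
TAG_LEN = 32                          # HMAC-SHA256 digest length

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: append a keyed digest to the inner packet, then prepend an outer header
    whose source and destination are the gateways' public (routable) addresses."""
    tag = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner) + TAG_LEN) + inner + tag

def decapsulate(packet: bytes) -> Optional[bytes]:
    """Tunnel exit: strip the outer header and return the inner packet, or None when the outer
    checksum, the protocol number or the integrity tag does not check out."""
    outer, body = packet[:20], packet[20:]
    if len(outer) < 20 or ipv4_checksum(outer) != 0 or outer[9] != IPPROTO_IPIP:
        return None
    inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()
    return inner if hmac.compare_digest(tag, expected) else None

def tunnel_roundtrip(tamper: bool = False) -> Optional[bytes]:
    """Carry a packet with private addresses across the tunnel; with tamper=True one byte of the
    inner packet is flipped in transit, and the endpoint's integrity check rejects it."""
    inner = ipv4_header("10.0.0.5", "192.168.1.20", 17, 4) + b"data"  # constructed inner packet
    # Outer addresses come from the documentation ranges and stand in for two VPN gateways.
    on_the_wire = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    if tamper:
        on_the_wire = on_the_wire[:32] + bytes([on_the_wire[32] ^ 0xFF]) + on_the_wire[33:]
    return decapsulate(on_the_wire)
```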
The four security techniques named at the start of this lesson, defined:
  1. Encryption: the process of converting a legible message to an unreadable version able to be interpreted only by the sender and recipient.
  2. Authentication: the process of verifying the identification of an entity such as a person or piece of software.
  3. Firewall: a combination of hardware and software that defends intranets against intruders by filtering inbound or outbound data, by authenticating users, and by encrypting data.
  4. Tunneling: the process of transmitting data using a tunneling protocol that encapsulates encrypted data in a secure container packet to be sent over the Internet.

The next lesson wraps up this module.
