An Overview of Enterprise VPN – Virtual Private Network

A VPN (Virtual Private Network) is a concept which helps enterprise companies with distributed offices to connect to each other securely over the Internet – In this article, we would touch upon the introduction and advantages of VPN, popular ways of establishing a VPN, types of VPN, advantages of SSL/TLS and IPSec VPN. Read on…

In case you are looking for a short presentation (screen cast) for this article, and you are short of time but have a fast Internet connection, you could also refer to our Youtube presentation (about 10 minutes).

What is a VPN and what are its advantages?

A Virtual Private Network (VPN) is a way to extend the Local Area Network to branch locations and remote locations via the public network (Internet) using technologies like encryption (hence forming secure tunnels between the locations) so that people in the branch/remote locations could access the corporate resources (in head office) in a secure and efficient manner. VPN Networks can be extended from the head office to branch office, home office and even telecommuters/ traveling personnel across the world through the Internet.

Actually, when we send data through the public network (Internet), it mostly travels in clear text, which is easy to sniff by hackers and intruders. That’s why companies connect their various branches by using Leased Lines or MPLS Circuits (which are private networks). But extending such private networks to all the branches could turn out expensive. So, companies have adopted to creating VPN’s between branch and head office networks through the public network (Internet), as Internet can be accessed by a variety of methods (Internet Leased Line, Fixed Broadband Networks, Mobile broadband Networks etc) and is easily available in all locations. The cost of Internet Lines are less when compared to private links like Leased Lines etc.

Advantages of VPN (Virtual Private Networks):

• Since the messages are encrypted, VPN is secure.
• VPN’s are scalable – Thousands of users can connect to the head office simultaneously through the VPN.
• VPN can be extended to any branch/ individual user who has access to Internet via Internet Leased Lines/ Fixed Broadband/ Mobile Broadband etc.
• VPN’s are cost effective, when compared to private networks like Leased Lines and MPLS Circuits.
• VPN helps to centralize all IT resources and allows for centralized administration of critical IT resources at Data Center’s in the head office.
• Remote/ travelling personnel just need to install a VPN client software to access any corporate resources from any location with basic access to Internet (With SSL VPN technologies, even the client software may not be required, just a standard browser will do).
• VPN’s allow for business continuity and faster response from employees during after office hours, holidays and even disasters.
• VPN’s allow for selective access to vendors and partners via an external portal in order to increase their efficiency and get work done faster.

What are the various methods of creating / establishing a VPN?

There are primarily three methods of creating / establishing a Virtual Private Network – With Routers/ VPN Concentrators, With UTM (Unified Threat Management) devices, With Wireless Controllers and Remote Access Points. We have given the architecture diagram for all the three methods of establishing VPN, below:

The above diagram shows a scenario where there are four locations (From top, clockwise) – One is the head office (accessing Internet through Internet Leased Lines), another is the branch office (accessing Internet through Internet Leased Lines), yet another is a home office (accessing Internet through Fixed Broadband connection) and we also have telecommuter/ traveling personnel (Accessing Internet through mobile broadband technologies like CDMA/ EVDO/ 3G/ HSDPA etc).

Creating a VPN with Routers/ VPN Concentrators: We can create a Virtual Private Network (VPN) between the head office and other offices either with Routers (at head office and brach office, with VPN Licenses), or through a dedicated VPN Concentrator/ Appliance at these two locations in case the VPN volume is too high and it needs dedicated hardware processing units. For the home office, a VPN client software is loaded to the PC that establishes a VPN with the head office Router/ VPN Concentrator (over the Internet) and we can do the same for the telecommuters/ traveling personnel as well.

Creating a VPN with UTM (Unified Threat Management Appliance): Like how we created the site to site VPN between the head office and branch office using routers (or VPN Concentrators), we can also use certain UTM appliances (which come with inbuilt VPN Licenses) for establishing site to site VPN. The home office/ traveling personnel can establish a VPN similarly by connecting to the UTM appliances in the head office (through the VPN Client).

Creating a VPN using Wireless Controller: This is an interesting alternative to above two methods. Here, an enterprise wireless controller (used for centralized management of multiple wireless access points in the enterprise) can itself act as a VPN concentrator (with appropriate licenses) and establish VPN Tunnels with other controllers, remote access points (home office) and VPN Clients (telecommuters/ traveling personnel).

The VPN connections need not always be from the head office to the branch offices / traveling personnel etc as shown in the above diagrams. It can be established from one site to another site, one site to multiple sites and multiple sites to multiple sites depending upon the configuration, models and connection types supported by the various VPN devices. Of course both Site to Site as well as Site to Client VPN’s can be established.

What are the types of VPN?

There are mainly two types of Virtual Private Networks – IPSec VPN and SSL/TLS VPN.

IPSec VPN:

IPSec VPN or Internet Protocol Security VPN is one of the most popular technologies available for establishing VPN over the Internet. It establishes this by using technologies like tunneling, encryption and authentication. This type of VPN assumes that a trusted relationship is present between the various sites or individual computers forming the VPN and it defines procedures to provide data integrity, authenticity and confidentiality across the public network (Internet). IPSec VPN operates in the Network layer.

Advantages of IPSec VPN:

• IPSec VPN is an established and field tested technology and has been in use by majority of the customers for a long period now.
• IPSec VPN is a client based VPN technology and connects to only those sites/ devices which can prove their integrity (This is more applicable for home offices and remote offices where the VPN software client needs to be installed before-hand to establish a secure connectivity back to the head office). So, administrators can be quite sure that the devices connecting to the network are trusted ones.
• Since IPSec VPN inspects and drops a packet at a lower level in the protocol stack (network layer), the packet drop performance is better thereby enabling smooth functioning even in a high capacity usage scenario.
• IPSec VPN’s are the preferred choice of companies for establishing Site to Site VPN and IPSec has found more implementations in this segment. IPSec VPN’s can also establish a Site to Client VPN with devices installed with IPSec clients.
• IPSec VPN basically gives full access to all the head office Intranet applications to branch office/ remote personnel establishing the VPN to HO. So, the user feels as if they are at the office even though they may be working from home. Certain solutions allow selective blocking of certain applications/ devices from being accessed over a remote network.
• IPSec supports multiple methods of authentication and also demonstrates flexibility on choosing the appropriate authentication mechanism thereby making it difficult for intruders to perform attacks like ‘Man in the Middle’ attacks etc.
• Centralized management options for VPN settings are available with IPSec VPN.
• IPSec can implement automatic fail over to another VPN device in case the original one fails.

SSL/TLS VPN:

An SSL VPN uses the Secure Sockets Protocol (SSL) technology to create a virtual private network between various sites and sites to clients using encryption and authentication over the network. Much of this protocol was adapted to Transport Layer Security (TLS) standard as well and hence it is some times referred to as TLS VPN. SSL VPN can provide authentication, authorization, accounting and network access. SSL VPN can provide secure access through standard web browsers enabling VPN’s to be established from any computer connected to Internet. SSL VPN can also provide Site to Site VPN. SSL/TLS VPN operates in the Application Layer.

Types of SSL VPN:

Client-less Access: SSL/TLS VPN’s can provide secure VPN access to the head office from any computer with a standard web browser (with out the need for a pre-installed client on the computer). But this may be limited to accessing web based applications that support browser access.

Client-based Access: To offset the above disadvantage and provide fuller access to applications, SSL/TLS VPN’s automatically download a light weight client upon initial connection to the VPN gateway.

Advantages of SSL/TLS VPN:

• Since SSL/TLS VPN’s support browser based access, corporate resources can be accessed by employees/ partners from any computer with Internet access after proper authentication.
• SSL/TLS VPN’s allow for host integrity checking (checking if the computers trying to establish a VPN connection subscribe to certain standards – like latest OS version with patches, latest version of anti-virus software etc) and remediation (if required) to ensure secure network access.
• Easier to deploy and maintain across a large number of traveling personnel/ remote users as there is no need to install and maintain a VPN client for each machine connecting to the network.
• SSL/TLS VPN can provide granular network access controls for each user/ group of users to limit remote user access to certain designated resources or applications in the corporate network.
• SSL/ TLS VPN supports many types of end point devices like mobile phones, PDA’s, smart phones etc and multiple operating systems.
• Supports multiple methods of user authentication and also integration with centralized authentication mechanisms like Radius/LDAP, Active Directory etc.
• It is possible to have secure user customized web-portals (Extranets) for partners etc with SSL/TLS VPN, as the basic characteristic of SSL/TLS VPN is to provide restricted access to certain applications only, and adding more applications when required, thereby providing granular network access controls.
• SSL/TLS VPN’s are basically designed for Internet browsers and hence do not have any NAT/Firewall traversal issues.
• SSL/TLS VPN’s have exhaustive auditing capabilities which is crucial for regulatory compliance. Log information (regarding which user accessed which resources at what time over which period/date etc) can be taken, stored and analyzed with detailed querying and reporting mechanisms.
• SSL VPN’s can cluster VPN devices both within the LAN as well as across the WAN for improved performance, scalability and redundancy.
• SSL VPN’s are better for disaster recovery/ business continuity as it allows for anywhere anytime access to the corporate networks for authorized users.

Some vendors have implemented VPN solutions where the client would establish a VPN either with IPSec or with SSL/TLS based on the best connectivity parameters required for that session.

Open source VPN: Apart from many commercial products available for VPN, there are also free open source alternatives to establish a VPN between two places like OpenVPN and OpenSSL.You may need a hardware device for running the open source software at both the places.

excITingIP.com

In case you want to add to this discussion, please add a comment below or if you want to contact us, you could do so using the contact form. You could stay up to date on this field – Computer Networking by subscribing with your email address in the box titled ” Get Email Updates when new articles are published”