Benefits of Using VPN Technology

Introduction

A Virtual Private Network (VPN) empowers employees and associates to collaborate, attend conferences or remote learning sessions.  When deployed over bandwidth-efficient technologies such as streaming and multicasting applications and lower-cost local loop broadband services such as DSL, Cable Modems and non-licensed Wireless technologies, VPN becomes the service of choice for businesses.

The popularity and benefits of VPN are realized because VPN allows businesses to securely connect and communicate with remote office counterparts or partner offices using DSL or Cable Modem local loop services and the public Internet at a fraction of the cost of dedicated, private leased telephone lines.  There are two major uses for VPNs.  The first is to connect two or more geographically separated networks, such as those at a main office and a remote branch office, this method is referred to as site-to-site VPN.  The second is to allow fixed or mobile employees or authorized business partners to access the company's network resource from a remote PC, such as traveling professionals with their laptop or home computer.  This method is therefore referred to as Remote Access VPN.  Both of these methods use permit access to protected network resources by only authorized users. 

How Does It Works?

A virtual private network consists of two main components.  The first component is a VPN gateway, which has multiple network interfaces and selectively encrypts and decrypts data traffic as is flowing through. Two VPN gateways can be used to establish multiple encrypted data communication channels between two offices such as in the case of Site-to-Site VPN.  Each of these digitally encrypted channel is referred to as the IPSec tunnel, because the underlying technology that it is built upon is the Internet Protocol Security (or IPSec).

With the remote access VPN method, a VPN client software is installed on a remote PC which helps establish the mentioned digitally encrypted IPSec data channel (also referred to as the IPSec tunnel) between the remote VPN client and the main office VPN gateway.  Next, the VPN client communicates the user's identity (user name and password)  with the VPN gateway (over this IPSec tunnel).  The VPN gateway then verifies the user identity with its user database within the network access services (NAS) directory, and authorizes (or denies) the connection depending on the provided user's ID. 

How Does Encryption Work?

Encryption is the process of modifying information so that it can not be read by anyone except the intended recipient. This is done by applying mathematical algorithms that require a “key” to unlock, or decrypt, the original data. Algorithms that use the same key to encrypt and decrypt data are known as “symmetric” encryption algorithms. Common examples include DES and RC4®. Algorithms that use different keys to encrypt and decrypt data are known as “asymmetric” or “public-key” encryption algorithms. Common examples include RSA and Diffie-Hellman.  Technologic’s products use both symmetric and public-key algorithms to create VPNs.

Authentication & Integrity

In addition to encryption and decryption, a VPN must also verify who’s sending the information and ensure that it has not been modified while traveling over the Internet. The process of verifying the sender’s identity is known as

“Authentication”. Authentication can be performed with a user name and password, or with a piece of information known as a “digital certificate”. A digital certificate contains encryption parameters, which can be used to uniquely identify a user or a host system. Verifying that data has not been modified by an external party is known as “integrity checking”. Integrity checking is done by applying a mathematical algorithm, known as a “hash”, to data before it’s sent and computing the same hash when the data is received. If the two hashes map to the same result, then the data hasn’t been modified. Technologic VPNs use authentication and integrity checking to verify the identity and validity of data.

Tunneling

VPNs use a process called “tunneling” to pass encrypted traffic over the Internet. Tunneling is the process of encapsulating a network packet within another one and provides the benefit of hiding the IP addresses of the actual sender and receiver as well as other protocol information (such as whether the packet contains email or web traffic). The packet that travels across the Internet is encrypted and only the IP addresses of the VPN endpoints (gateways or clients) are exposed.  Infomatek's recommended VPN solutions work with clients who are assigned dynamic IP addresses by their Internet provider.

Remote Access VPN

Connect Branch Offices

Virtual Private Networks are ideal for connecting two or more remote office networks together. With a VPN, employees can enjoy the benefits of intranet web sites, email, conferencing, and file sharing between geographically separated networks. Most commonly, this is used to connect multiple branch offices to a main office and to each other. Traffic from one network is routed to a remote network via normal IP routing, but as it passes through the VPN gateway, it’s encrypted and tunneled to the VPN gateway at the remote office. When the remote gateway receives the encrypted packet, it verifies the sender and integrity, then decrypts the packet and forwards the original packet, unmodified, to it’s intended recipient. Because the VPN is implemented only between the two gateways, it is completely transparent to all users and applications.

 

IPSec/SKIP Technologies

Infomatek VPN solutions implement Remote Office VPN using a combination of IPSec and SKIP technologies. IPSec stands for IP Security and is the Internet Engineering Task Force (IETF) developed VPN protocol standard.  It defines the packet formats used to encrypt and authenticate information. SKIP stands for Simple Key Management for Internet Protocols and is an industry standard developed by Sun Microsystems. It is used to negotiate and dynamically change encryption keys for improved security and ease of use. Infomatek’s VPN SKIP implementation is compatible with other vendors, including Sun Microsystems, Check Point, and TrustWorks.

Configuration

A Remote Office VPN requires two compatible gateway products, one at each network.  Each VPN gateway has a unique certificate, which is used to identify it and exchange encryption keys with other gateways. To configure a VPN, each gateway is given information about the other gateway, the remote network, and which encryption algorithms to use. This configuration is all done through the system’s secure, web-based management interface. After that, the two gateways automatically exchange digital certificates and the VPN is complete. Gateways can support multiple remote networks with different parameters. For example, a VPN to a branch office in the US should be configured to use the strongest encryption available, but a VPN to an overseas office may have to use weaker, exportable encryption.

Access Control

Infomatek VPN solutions offer two choices for access control through a remote office VPN. The first, called an “Untrusted VPN”, allows you to pass all VPN traffic through the firewall’s proxies to enforce access control, user authentication, and provide logging of transactions. The second choice, called a “Trusted VPN”, bypasses the proxies for improved performance and flexibility. Trusted VPNs are appropriate for branch offices where the users are employees and access control is enforced on servers when necessary.  Untrusted VPNs are appropriate for business partners or consultants who need limited access to internal resources. Infomatek's VPN solutions such as the Interceptor and InstaGate both support simultaneous combinations of Trusted and Untrusted VPNs.

Remote User VPN

Connect Remote Users

A Virtual Private Network can allow remote users to access the company LAN through any Internet Service Provider (ISP). Once connected to an ISP, the user initiates a VPN link to the gateway and from then on, all office traffic is routed through the VPN. Like the Remote Office VPN, a tunnel is created to hide the traffic, but with remote user VPN, the tunnel exists at a lower network layer. This is done by having the gateway assign a unique IP address to the client for use on the office network. VPN traffic between the client and the gateway will use the gateway’s public address and the dynamic address assigned by the user’s ISP. Once the traffic is decrypted by the gateway, it will use the client address that was assigned by the gateway to communicate with internal servers.

PPTP

Infomatek implements Remote Access VPN using Microsoft’s Point to Point Tunneling Protocol (PPTP).  Support for PPTP is integrated into Microsoft’s Dial-Up Networking in Windows 95, 98, and NT. This means that you do not have to purchase and install third-party VPN client software for remote users. The software is bundled with Windows 98 and NT and can be downloaded free of charge for Windows 95 with the Dial-Up Networking Upgrade 1.3. Third party PPTP client software is also available for Mac OS.

Easy Configuration

Configuring Remote User VPN involves allocating a range of client IP addresses and creating user accounts on the gateway. A client IP address is assigned to a client when it connects and is returned to the pool when the session has ended.  Accounts are created by setting a username and password for each user. Users can also be assigned to groups and PPTP access can be provided at the user or group level.

On the user’s system, a new Dial-Up Networking entry is created with the public IP address of the gateway. To connect, the user selects the Dial-Up Networking entry and is prompted for a username and password. Windows then connects to the gateway and is assigned a new IP address on the LAN and is also provided with the address of the DNS server. The user can also set the IP address of the WINS server on the LAN, to allow network browsing and logging on to NT domain controllers.

Interoperability

As an alternative to PPTP, remote users can also use IPSec/SKIP for remote access. This requires Technologic’s Remote Office VPN feature and a third party IPSec/SKIP client. Technologic has tested interoperability with clients from Sun Microsystems and TrustWorks.