A virtual private network (VPN) is a mechanism to establish a secure remote access connection across an intermediary network, often the Internet. VPNs allow remote access, remote control, and highly secured communications within a private network.
VPNs employ encryption and authentication to provide confidentiality, integrity, and privacy protection for network communications. The term VPN has its origins in the telecommunications world.
After the proliferation of computer networks and Internet connectivity, the term VPN evolved to refer to tunneling connections across network links.
Early computer VPNs focused on the tunneling or encapsulation processes and rarely included encryption services. Today, VPNs are almost always secured using encryption. However, you should never assume that anything is totally secure, especially connections over public networks.
Always confirm that a product performs encryption properly before you depend on it for sensitive operations.
A VPN creates or simulates a network connection over an intermediary network. But what makes a VPN private? Several possible mechanisms exist:
- The primary organization owns all of the network infrastructure components, including switches, routers, and cables. A true private VPN occurs when a single organization owns all of the hardware supporting its VPN. However, few organizations actually own all of the connections between their locations, so this is usually impractical or prohibitively expensive. This wholly owned and operated system constitutes a trusted VPN.
- A dedicated set of channels is used across leased telco connections. This method provides physical isolation even on third-party equipment; hence, privacy is maintained. This type of system is more practical, but it is still expensive. This can also be called a trusted VPN, since you must be able to trust the owner of the hosting infrastructure to protect network communications against eavesdropping.
- Encryption ensures privacy even over public networks, such as the Internet. This method is the most reliable, as the other two options are still at risk of eavesdropping. Additionally, encryption to provide privacy is not only practical, it is the least expensive option as well. This system can be called a secured VPN.
- A hybrid VPN establishes a secure VPN over trusted VPN connections. A trusted VPN allows an organization to know and control the pathway of its transmissions. However, a trusted VPN does not protect against eavesdropping or alteration.
- A secure VPN protects the confidentiality and integrity of data, but it does not control or ensure the transmission path. When you combine these two VPN techniques, you create a potentially more secure and practical solution.
VPNs are often associated with remote access or remote control. However, these associations need clarification to have value. Remote control is the ability to use a local computer system to remotely take control of another computer.
In a way, this process applies the thin-client concept to a fully capable modern workstation, simulating work against a mainframe or virtualizing your physical presence. It differs from a VPN, which creates a remote network connection rather than a remote control session.
With a remote control connection in place, the local monitor, keyboard, and mouse control a remote system. This process looks and feels as though you are physically present at the keyboard of the remote system, which could be located in another city or even on the other side of the world.
Every action you perform locally is carried over the remote control connection and takes effect as if you were physically present at that remote computer. The only limitations are the speed of the intermediary network link and the inability to physically insert or remove media and peripherals.
You might think of remote control as a form of software-based thin-client or terminal client. In fact, many thin-client and terminal client products sell as remote control solutions. Many modern operating systems include remote control features, such as Remote Desktop, found in most versions of Windows. Once enabled, a Remote Desktop connection remotely controls another Windows system from across the network.
Remote access is different from remote control. A remote access link enables access to network resources using a WAN link to connect to the geographically distant network.
In effect, remote access creates a local network link for a system not physically near the network. Over a remote access connection, a client system can technically perform all of the same tasks as a locally connected client. Network administrators can impose restrictions on which resources and services a remote access VPN client can use.
Remote access and VPNs were originally supported over dial-up telephone links using modems. Today, remote access encompasses a variety of connection types, including Integrated Services Digital Network (ISDN), digital subscriber line (DSL), cable modem, satellite, mobile broadband, and more.
Due to the wide availability of high-speed Internet connections, VPNs and other remote access solutions have become popular for both personal and business purposes.
In many cases, a remote access connection is created from a remote client back to a primary network. If the remote client needs to connect directly to the local area network (LAN), such as over a dial-up connection, a remote access server (RAS) will host a modem to accept the connection.
If the remote client can use the Internet to access the LAN, then a local Internet connection is necessary. Once a normal LAN connection or Internet connection runs from the client, the VPN link is possible. Once the connection is established, the remote client can interact with the network as if it were locally connected.
VPNs can operate over standard Internet connections or dedicated business communication circuits, such as Multi-Protocol Label Switching (MPLS), Asynchronous Transfer Mode (ATM), and Frame Relay. However, the additional expense of a dedicated, isolated, and even secured business circuit is not necessary with a VPN.
A VPN can operate securely over the Internet and still provide high levels of security through encryption. This allows inexpensive insecure links to replace expensive business-leased lines without sacrificing security.
VPNs are one of the most efficient and cost-effective means to provide secure remote connectivity. VPNs take advantage of cheap long-distance connections when established over the Internet, since both endpoints need only a local Internet link. The Internet serves as a “free” long-distance carrier.
Connections from a LAN to an intermediary network can support VPN traffic only, or they can allow a combination of both VPN and normal non-VPN traffic. The latter configuration is less secure, but it offers flexibility as to whether all communications must be VPN-secured or not.
An Internet connection reserved solely for VPN use, therefore, is not necessary. An OC-1 line is more than capable of supporting one or more VPN links—in addition to numerous non-VPN Internet sessions—with no difficulty or latency. Latency is a delay in the transfer of data that is not desired or planned.
Setting up VPNs can require extensive knowledge and expertise on the part of the IT or security administrator. For example, some important concerns of secure VPNs include:
- All VPN traffic must be authenticated and encrypted. A VPN without authentication is not private, and a VPN without encryption is insecure.
- All VPN endpoints must abide by the same security parameters and algorithms. Each VPN tunnel must have corresponding encryption key sets to securely exchange encrypted content. Additionally, the same security policy should govern all endpoints.
- Proper encryption protocols must ensure that no external third party can affect the security of the VPN. Weak encryption makes a “secure” VPN vulnerable to attacks.
When you use a trusted VPN, you need to consider these concerns:
- A trusted VPN is based on the provider’s ability to limit and control access to the VPN’s content. Only the trusted VPN provider should be able to modify the channels or pathway of the VPN.
- Only the trusted VPN provider can add, remove, or change data in the trusted channel. Anyone else doing so breaks the trust the client places in the provider.
- The addressing and routing performed within the trusted VPN must be defined before the VPN goes online. These services are usually predefined in the SLA (service level agreement), but they may be dynamically modified for each VPN connection.
Even hybrid VPNs have an important focus for concern, namely that the segments of the VPN that are trusted versus secured need clear definition. Mistaking security for trust—or vice versa—can have devastating results.
VPNs use tunneling or encapsulation protocols. Tunneling protocols encase the original network protocol so that it can traverse the intermediary network. In many cases, the tunneling protocol employs encryption so that the original data traverses the intermediary network securely.
The protocols that create VPNs include IPSec (Internet Protocol Security), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), SSH (Secure Shell), SSL (Secure Sockets Layer), OpenVPN, and TLS (Transport Layer Security). The dominant forms of secure VPNs use IPSec or SSL/TLS as the tunneling/encapsulation protocol.
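As an added illustration of the secure VPN concerns listed above (authenticated and encrypted traffic, matching keys and parameters at both endpoints) and of the encapsulation a tunneling protocol performs, here is a small teaching-grade tunnel endpoint. It is not code from any of the protocols named on this page: the stream cipher is built from HMAC-SHA256 in counter mode and the tag is an HMAC (encrypt-then-MAC), chosen so the block runs with the Python standard library; the packet contents and key values are constructed.

```python
import hashlib, hmac, os, struct

HDR_LEN = 12  # 4-byte sequence number + 8-byte random nonce
TAG_LEN = 16  # truncated HMAC-SHA256 authentication tag

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (teaching-grade PRF stream cipher)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class TunnelEndpoint:
    """One end of a secured tunnel: wraps inner packets in encrypted, authenticated
    outer packets and unwraps/validates packets arriving from its peer."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.send_seq = 0        # next outgoing sequence number
        self.last_recv_seq = -1  # highest sequence number accepted so far

    def encapsulate(self, inner_packet: bytes) -> bytes:
        header = struct.pack(">I", self.send_seq) + os.urandom(8)  # unique per packet
        self.send_seq += 1
        ciphertext = xor_bytes(inner_packet, keystream(self.enc_key, header, len(inner_packet)))
        # Encrypt-then-MAC: the tag covers the outer header and the ciphertext.
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        return header + ciphertext + tag

    def decapsulate(self, outer_packet: bytes) -> bytes:
        if len(outer_packet) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header, body, tag = (outer_packet[:HDR_LEN], outer_packet[HDR_LEN:-TAG_LEN],
                             outer_packet[-TAG_LEN:])
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # authenticate before decrypting
            raise ValueError("authentication failed: tampered packet or mismatched keys")
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self.last_recv_seq:
            raise ValueError("replayed packet")
        self.last_recv_seq = seq
        return xor_bytes(body, keystream(self.enc_key, header, len(body)))

def run_checks() -> dict:
    """Constructed scenario: client and gateway share keys; a third party does not."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    client, gateway = TunnelEndpoint(enc_key, mac_key), TunnelEndpoint(enc_key, mac_key)
    outsider = TunnelEndpoint(os.urandom(32), os.urandom(32))
    inner = b"INNER-IP src=10.0.0.5 dst=10.0.0.1 data=hello"  # constructed sample packet
    outer = client.encapsulate(inner)
    results = {"roundtrip_ok": gateway.decapsulate(outer) == inner,
               "payload_hidden": inner not in outer}
    tampered = outer[:HDR_LEN] + bytes([outer[HDR_LEN] ^ 1]) + outer[HDR_LEN + 1:]
    for name, receiver, packet in [("tamper_rejected", gateway, tampered),
                                   ("wrong_key_rejected", outsider, outer),
                                   ("replay_rejected", gateway, outer)]:
        try:
            receiver.decapsulate(packet)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Every check in `run_checks()` should come back `True`: the peer with matching keys recovers the inner packet, while a modified packet, a packet from an endpoint with different keys, and a replayed packet are all rejected before any decryption happens.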
Most VPNs use software that operates on top of the OS of a host. However, some VPN appliances can support VPN connectivity without adding any software to the host. A host VPN software product allows a single host access to VPN services, while a VPN appliance allows an entire network to access VPN services.
VPNs simplify many business networking problems by providing an easy and efficient means to securely connect headquarters, remote offices, traveling workers, and telecommuters.
Benefits of Deploying a VPN
The reasons to deploy and use VPNs vary greatly among organizations. Cost is always a significant factor in any business decision. Budgets are never unlimited, so organizations must consider their options amid limited funds to accomplish their missions and goals. One common goal is high productivity.
Granting workers the ability to access and use resources in a timely and efficient manner assists in the completion of work. When those resources are computer files or network services, employees no longer need to be in the same building as those resources. Remote access to resources, therefore, is becoming more common than ever.
Secure remote access is essential. As the proliferation of access and connectivity spreads from work to home to portable/mobile devices, access to the Internet and private LANs is becoming ubiquitous.
Companies must use security controls on resource access or suffer the consequences of insecure access methods. With the removal of physical limitations for access comes the loss of control over where and how workers connect into the private LAN.
Workers may connect to the company LAN from mobile phones, through Internet cafés, over hotel networks, and at other random Wi-Fi hotspots. In this age of Bring Your Own Device (BYOD), many use personally owned laptop computers and mobile devices rather than officially issued company systems.
All of these are outside the control of the company’s IT and security department. The only option is to limit LAN connections to those that can be secured. Thus, VPNs have become a necessity in this mobile and interconnected world.
VPNs support remote access from a wide variety of complex devices, reduce risk caused by insecure access locations, and enable interaction with all LAN resources.
Furthermore, flexibility, scalability, ease of administration, reliability, and more make VPNs an obvious choice in the face of modern connectivity risks and challenges. Scalability is the ease with which an organization can quickly increase or shrink the capacity and use of a device, system, or network.
Remote access, mobile connectivity, and secured communications are solid reasons to deploy and use a VPN. But are these the only positive aspects of a VPN? The most often touted benefit of VPNs is cost savings. VPNs are a great way to save on long-distance charges for telecommuters and traveling workers.
These also create huge savings for businesses that would need only local Internet links for a VPN, rather than a dedicated leased line between each location. The farther away each business location is and the more locations a company has, the more cost savings a VPN can generate.
A leased line is a semi-private connection subscription whereby the traffic on the line is limited to those that have subscribed (often one to a few businesses in a geographic area). Leased lines can potentially transmit the data of business competitors, so eavesdropping on unencrypted data packets is a concern, as is the high cost of such an exclusive means of communication.
Additionally, to truly compare the connectivity that a VPN offers to dedicated leased lines, you need a full mesh of leased lines. A full mesh requires a line between each business location. This allows for direct communication between one site and another.
Since a VPN across the Internet would provide the equivalent site-to-site communication capabilities, only a mesh network of dedicated leased lines can truly compare. In this leased line situation, your organization is the only entity using the communication pathway; it is dedicated for your business.
This solution is obviously very expensive compared to a VPN’s significant cost savings.
As corporations seek to reduce IT infrastructure costs, a common technique is to allow employees to telecommute. Telecommuting allows workers to access corporate resources whether the employee works from home, while traveling, or while on site with a customer.
In the past, telecommuting clearly implied the use of dial-up connections to connect with the company LAN; now it refers to any geographically remote employee connecting to the network to do his or her job.
With the proliferation of high-speed broadband connections and Wi-Fi, telecommuting has become more plausible and realistic. Through the use of VPNs, telecommuting enables a true remote office, rather than just a file exchange and communication system.
VPNs make telecommuting not only possible, but also practical and secure. Because of VPNs, expanding the workforce is no longer a geographically limited proposition.
Extranets are often deployed as businesses establish new partnerships or seek more interaction with suppliers, distributors, and other external entities. Extranets are border networks, similar to a demilitarized zone (DMZ), where resources are hosted for access by external entities.
However, unlike a DMZ, an extranet is not open for public use. Only a limited and specific set of users is allowed to connect into an extranet. Often, this limitation means that a specific VPN configuration is necessary to access the extranet’s resources. With VPNs, extranets are both possible and practical.
Extranets can suffer from extensive hits or visitor traffic to the site. Consider the process of checking the delivery status of a package you ordered by logging into the carrier or delivery service’s website. That is using an extranet. You have an ability to see only the status of your specific package within the system, and the means to gain that access is with a specific tracking number.
VPNs allow system administrators to manage and control a network remotely. Because of VPNs, employees can work from anywhere, friends can create WAN links to support multiplayer games, and technical support can repair client systems remotely. A VPN is the solution whenever a network connection is needed between two systems or two networks but it is not feasible to install a direct cable connection.
Often, the real benefits of a VPN are not from the VPN itself, but from all of the new possibilities for work, research, learning, and play that are now feasible. These benefits include:
- Reduced equipment costs
- Unlimited geographic connectivity
- Increased flexibility and versatility of worker location
- Improved privacy and confidentiality due to strong encryption
- Verified transmission integrity
- Fully scalable global infrastructure and architecture
- Rapid deployment options
- Flexible integration with existing networks and technologies
- Faster return on investment (ROI) than traditional WAN infrastructures
- Reduced dependence on long-distance carrier solutions
- Reduced support burden on Internet service provider (ISP)
Individuals and organizations that use and integrate VPNs in new and unique ways are sure to reap additional benefits. History shows us that as new means of communication are created, these often change and are used in ways that were unpredictable at the beginning of the installation.
However, VPNs are not perfect, and some challenging issues limit their use.
Limitations of a VPN
Although VPNs offer many benefits, you need to evaluate the very real and distinct limitations before you put a VPN in place. A VPN connection offers flexible secure communication options, but it does not ensure quality of service.
A VPN link is dependent upon the stability, throughput, and availability of the ISP connection, as well as the intervening network connections between endpoints.
VPNs over the Internet can easily suffer from latency, fragmentation, traffic congestion, and dropped packets. This also results in a lack of dedicated bandwidth between business sites because of the volatility of the Internet.
Fragmentation occurs when a packet’s size exceeds the size allowed on a segment of the network or Internet. The too-large packet is broken or fragmented into smaller packets that meet the size limit. Traffic congestion on a network is similar to rush hour traffic on most highways.
During peak times, more traffic (packets or cars) attempts to join the artery (bandwidth on a wired or wireless device, or a physical highway), which causes all traffic to slow down significantly because demand exceeds what the highway (network or physical) can carry.
This slowdown affects both network traffic and employee productivity. A malware or denial of service (DoS) attack against the network shares some common behaviors with traffic congestion, which can be dangerous if an administrator mistakes an attack for congestion.
Although VPNs are excellent solutions over nearly every broadband connection option, a VPN can be difficult to maintain over dial-up. In more rural areas, dial-up connections are still in use and may be the only alternative to wireless communication.
VPN traffic is encrypted, and encrypted traffic does not compress. Most dial-up modem connections rely on compression—mainly hardware compression—to improve connection speed. When compression is not possible, a significant and noticeable speed reduction occurs.
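An added measurement of the point just made, not code from the original page: a link-layer compressor (such as a modem's hardware compression) gains almost nothing once the data it sees has been encrypted. A one-time pad stands in for the VPN cipher so the block needs only the standard library; the sample payload is constructed.

```python
import os
import zlib

def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size (1.0 or more means no gain)."""
    return len(zlib.compress(data, 9)) / len(data)

def one_time_pad(data: bytes, pad: bytes) -> bytes:
    """XOR with a random pad at least as long as the data: the simplest real cipher."""
    return bytes(d ^ p for d, p in zip(data, pad))

def compare_link_compression(plaintext: bytes) -> dict:
    """What a link-layer compressor sees with and without a VPN in front of it."""
    pad = os.urandom(len(plaintext))
    ciphertext = one_time_pad(plaintext, pad)
    return {
        # no VPN: the modem's compressor sees the repetitive text itself
        "plain_over_modem": compression_ratio(plaintext),
        # VPN: the compressor sees ciphertext, which is indistinguishable from noise
        "vpn_over_modem": compression_ratio(ciphertext),
        # compressing inside the tunnel, before encryption, is the only place the gain survives
        "compress_then_encrypt": len(one_time_pad(zlib.compress(plaintext, 9), pad)) / len(plaintext),
    }

# Constructed sample: a repetitive, text-heavy transfer such as an intranet report page
SAMPLE = (b"GET /reports/weekly.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
          + b"<tr><td>status</td><td>OK</td></tr>\n" * 200)
```

On the sample, the plaintext shrinks to a few percent of its size, while the ciphertext comes out slightly larger than it went in.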
Additionally, VPN tunnel management can impose a significant increase in management overhead because of changes in protocol headers, potential authentication latency, and a prolonged connection establishment negotiation.
Another area of concern is the minor risk or potential of data exposure while in transit over the Internet. This is only a real concern if the VPN does not use strong encryption or configures the encryption improperly. Proper security management will eliminate this as a serious concern.
Vulnerabilities exist at VPN endpoints. With a VPN, side attacks against the encrypted link are nearly eliminated. However, data entering or leaving the VPN is at risk. An end-user computer could be infected by malicious code that can traverse the VPN link into the company LAN.
Also, private and confidential data from the company LAN can be copied across the VPN link to the end-user computer. On this computer, that data is less secure and subject to a wider range of threats.
You should also consider the increased difficulty in providing technical support remotely. This is especially true when the remote connection is not functioning. In addition, it is more difficult to keep remote systems in compliance with security settings, conduct training, allow supervisory oversight, enable HR management, and monitor user activities.
An even larger concern is granting blanket, unrestricted network-resource access to those connecting via VPN. You must enforce stronger authentication and authorization limitations on VPN users, especially on VPN telecommuters.
Remote users should have access only to those resources necessary for their current tasks. Unlimited access to network resources can quickly result in exploitation and confidential data leakage if the remote user or the remote computer is compromised.
If you understand these limitations and address each properly, you can help to avoid catastrophic mistakes when correctly installing and productively using VPNs. One of the primary tools to accomplish this is the VPN policy.