Virtual Private Networks—Connectivity for Remote Access, Intranets and Extranets

A virtual private network (VPN) has all of the features of a private network where dedicated lines tie sites together. However, with VPNs, the network connections between sites are shared by multiple organizations. A carrier manages the network. The customer connects dedicated or dialup lines to the carrier's network. The carrier is responsible for connections between customer sites. Many VPNs are based on the Internet Protocol. (See Figure 5.6.) The three most common applications for virtual private networks are:

  • Remote access for telecommuters and employees who travel

  • Intranet connectivity for branch offices

  • Extranet links for business partners

Figure 5.6. A virtual private network.


Lower total cost of ownership compared to private networks is a key reason for using VPNs. The total cost of ownership of private networks includes the cost of staff to maintain the lines and equipment used to connect individual users and computers in wide area networks. For these reasons, the use of managed networks as a substitute for administering the implementation, growth and day-to-day maintenance of private networks is growing. Adding capacity to a virtual private network is simpler than adding higher speed dedicated lines and new hardware to each site of a private network. The customer only needs higher speed access lines from its building to the carrier. The carrier is responsible for making sure there is capacity in the network for the customer's applications.

Many organizations have a mix of private lines for routes with the highest amount of voice and data traffic, and switched services and virtual private network (VPN) services for routes with less voice and data traffic. Frame Relay, discussed in Chapter 6, is another example of a VPN.

VPNs (Virtual Private Networks) for Electronic Commerce

Extranets are Internet-like connections between organizations and their vendors and customers. Virtual private networks (VPNs) often provide this connectivity. For example, consumers may access their bank to pay bills by phone over a virtual private network. The carrier manages the security, day-to-day reliability and network capacity for the bank. In many cases, the application itself resides at a carrier point of presence (POP).

Customers use VPNs for:

  • Inventory updates for business partners

  • Tracking delivery of packages

  • Electronic commerce (i.e., online shopping)

VPNs for Intranet Service

Intranets use Internet protocols and browsers to provide employees access to corporate information. VPNs based on intranet service provide branch offices with access to corporate files. For example, instead of using private lines to tie branches together, a chain might use a virtual private network. The network might supply security, limiting particular employees' access to files based on their profile. Some may only be able to read certain documents, while other users may have permission to change them. The VPN provides LAN features to remote offices.

Virtual Private Networks (VPNs) for Remote Access

A robust remote access service enables employees to be productive whether they work from home, a hotel, or their office. According to Cahners In-Stat Group, nearly 5 million employees in the United States telecommute. Organizations frequently supply salespeople and systems engineers with laptop computers for remote access and working off-site. Employees log into their business's computers from the road to access email messages, place orders, check order status and check inventory levels.

Commercial organizations use either remote access servers (RAS) or VPN switches. If they use VPN switches they may also use network-based VPN services from various network providers for additional security. Until recently, most corporations used remote access server (RAS) devices to support dial-in access for employees. A RAS device is a “box” with multiple modem and ISDN ports for dial-in connectivity. However, RAS devices do not support cable and DSL modems. With VPN switch and network solutions, employees' calls are routed into the organization on the same links used for Internet access. VPNs support dial-in and high-speed cable and DSL modem access. Client software is installed on employees' computers to support the VPN service.

As indicated in Figure 5.7, the VPN provider carries remote users' calls over its public network and routes them to an existing T-1 or dedicated line connected to the customer's site. For an additional monthly fee, carriers will manage a customer's on-site router or switch, and security such as a firewall. A firewall is software that screens incoming traffic to prevent hackers' access to files.

Figure 5.7. Remote access via a virtual private network.


Organizations that set up virtual private networks for remote access are faced with the following questions:

  • How much of our remote access hardware and service should we outsource?

  • Should we underwrite high-speed Internet connections for employees?

  • Do we need to extend our Help Desk hours to assist employees who access our files after hours?

  • Should we use an outside service for our Help Desk functionality?

  • What type of support should we provide employees who wish to set up LANs in their homes so that multiple computers can share high-speed Internet access?

Security on Virtual Private Networks

Security in networks is supported by firewalls, which are designed to keep out hackers. They let only designated users have access to networks. Most computer networks with connections to VPNs and the Internet have firewalls. In organizations' networks, firewall software is installed on routers and on remote access switches called VPN Gateways. Organizations that use carriers' firewall protection have on-site firewall protection as well.

Service providers also have firewall protection. Their security service enables them to build profiles of users so that employees can access files from any location. The security software also checks incoming email for viruses.

Tunneling

Tunneling is a way to provide security on VPNs. Because virtual networks are shared services, security is an important issue. Traffic from multiple organizations is carried on the same “pipes” or telephone lines in the public carrier networks. Tunnels wrap each customer packet in an extra outer header to provide security and keep one customer's traffic separate from another's on the shared links. Encryption, or scrambling of bits, is an important element of tunneling. The encryption makes hacking into a company's data more difficult.
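The following is an added illustration of the encapsulation just described; it is not code from the book. Each customer packet is wrapped in an outer tunnel header, the inner packet is encrypted, and an integrity tag is appended so that a packet altered in transit, or one belonging to a different customer's tunnel, is rejected. The outer header layout (tunnel id, sequence number, length), the sample packet and the keys are constructed for this example, and an HMAC-SHA256 keystream stands in for a real cipher such as AES, which is an assumption made purely to keep the example self-contained.

```python
import hashlib
import hmac
import struct

# Assumed outer header for this example: tunnel id, sequence number, payload length
# (network byte order). Real tunneling protocols define their own header formats.
OUTER_HDR = struct.Struct("!IIH")
TAG_LEN = 16  # truncated HMAC-SHA256 integrity tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC-SHA256 in counter mode.

    Stand-in for a real stream/block cipher so the example needs only the standard library.
    The nonce is (tunnel id, sequence number), so every packet in a tunnel gets a fresh stream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(enc_key: bytes, mac_key: bytes, tunnel_id: int, seq: int, inner_packet: bytes) -> bytes:
    """Wrap a customer packet: outer header || encrypted inner packet || integrity tag."""
    nonce = struct.pack("!II", tunnel_id, seq)
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    header = OUTER_HDR.pack(tunnel_id, seq, len(ciphertext))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decapsulate(enc_key: bytes, mac_key: bytes, tunneled: bytes, expected_tunnel_id: int) -> bytes:
    """Check the header and tag, then recover the inner packet. Raises ValueError on any mismatch."""
    if len(tunneled) < OUTER_HDR.size + TAG_LEN:
        raise ValueError("packet too short to be a tunneled packet")
    header = tunneled[:OUTER_HDR.size]
    tag = tunneled[-TAG_LEN:]
    ciphertext = tunneled[OUTER_HDR.size:-TAG_LEN]
    tunnel_id, seq, length = OUTER_HDR.unpack(header)
    if tunnel_id != expected_tunnel_id:
        raise ValueError("packet belongs to a different tunnel")
    if length != len(ciphertext):
        raise ValueError("length field does not match payload")
    expected_tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("integrity check failed: packet altered or wrong key")
    nonce = struct.pack("!II", tunnel_id, seq)
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def rejects(enc_key: bytes, mac_key: bytes, tunneled: bytes, expected_tunnel_id: int) -> bool:
    """True if the receiving end refuses the packet (tampered, wrong tunnel, or wrong keys)."""
    try:
        decapsulate(enc_key, mac_key, tunneled, expected_tunnel_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one customer's inner packet and that customer's tunnel keys.
    enc_key, mac_key = b"\x11" * 32, b"\x22" * 32
    inner = b"GET /orders/42 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    wire = encapsulate(enc_key, mac_key, tunnel_id=7, seq=1, inner_packet=inner)
    print("on the shared pipe:", wire.hex())
    print("recovered at the far end:", decapsulate(enc_key, mac_key, wire, 7))
```

The sequence number doubles as part of the encryption nonce, so it must never repeat within a tunnel; that is also what lets a receiver detect replayed packets if it tracks the last sequence number seen.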

Network-Based Address Filtering

An alternative to tunneling is network-based IP address filtering. With address filtering, the software looks at a user's IP address and accepts or rejects it based on the IP address. Address filtering is also commonly used on security software located in organizations' premises. Whether they use tunneling or address filtering, VPNs still use authentication and authorization.
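As an added example (not from the book), here is the accept-or-reject decision that address filtering makes, written against a constructed allowlist of source networks. It generalizes slightly beyond the text by accepting both IPv4 and IPv6 networks in the policy and by rejecting malformed addresses outright. The networks and the sample packets are constructed for this example.

```python
import ipaddress

# Constructed policy for this example: only these source networks may reach the VPN.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. a branch office
    ipaddress.ip_network("198.51.100.0/25"),  # e.g. a business partner
    ipaddress.ip_network("2001:db8::/32"),    # an IPv6 partner range
]

# Constructed sample packets: (source address, destination service).
SAMPLE_PACKETS = [
    ("203.0.113.45", "order-db"),
    ("192.0.2.9", "order-db"),
    ("198.51.100.200", "files"),   # outside the /25, which ends at .127
    ("2001:db8:1::10", "files"),
    ("not-an-ip", "files"),
]


def address_permitted(src: str, allowed=ALLOWED_NETWORKS) -> bool:
    """Return True only if the source address parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # garbage in the address field is rejected, not passed through
    # An IPv4 address is never "in" an IPv6 network and vice versa; ipaddress handles that.
    return any(addr in net for net in allowed)


def filter_packets(packets, allowed=ALLOWED_NETWORKS):
    """Apply the filter to a batch of packets and label each one accept or reject."""
    return [
        (src, dst, "accept" if address_permitted(src, allowed) else "reject")
        for src, dst in packets
    ]


if __name__ == "__main__":
    for src, dst, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>16} -> {dst:<9} {verdict}")
```

Address filtering decides only on the source address field, which a sender fills in itself; that is why the text notes that VPNs using address filtering still authenticate the user.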

Authentication

Authentication tells the network you are the person you claim to be. For example, a salesperson dialing in from a remote laptop computer claims to be John Smith. The authentication software makes sure that he is in fact John Smith—not someone, for example, from a rival firm.

A popular authentication protocol is Challenge Handshake Authentication Protocol (CHAP). With CHAP, whenever a link is established between a remote network and the virtual private network, the security server challenges the dialup user's computer. The remote user's computer responds with a value calculated by the CHAP software and the user's password. The password itself is not transmitted.
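The CHAP exchange described above, written out as an added example with both sides simulated in one script (this is illustration code, not from the book). The response is computed as the CHAP standard (RFC 1994) specifies, MD5 over the identifier, the secret and the challenge, so the password itself never leaves the client. The user table and the secret are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed for this example: the security server's table of user secrets.
SECRETS = {"jsmith": b"correct horse battery staple"}


def chap_challenge(size: int = 16) -> bytes:
    """Server side: a fresh random challenge for each link setup."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || Secret || Challenge), per RFC 1994.

    Only this 16-byte digest is sent; the secret stays on the client.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, name: str, challenge: bytes, response: bytes, secrets=SECRETS) -> bool:
    """Server side: recompute the expected response from its own copy of the secret and compare."""
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(name: str, client_secret: bytes, secrets=SECRETS, identifier: int = 1) -> bool:
    """Simulate one link setup: server challenges, client responds, server verifies."""
    challenge = chap_challenge()                                  # server -> client
    response = chap_response(identifier, client_secret, challenge)  # client -> server
    return chap_verify(identifier, name, challenge, response, secrets)


def replay_rejected(name: str, client_secret: bytes, secrets=SECRETS, identifier: int = 1) -> bool:
    """True if a response captured from one challenge is useless against a fresh challenge."""
    old_challenge = chap_challenge()
    captured = chap_response(identifier, client_secret, old_challenge)
    new_challenge = chap_challenge()
    return not chap_verify(identifier, name, new_challenge, captured, secrets)


if __name__ == "__main__":
    print("genuine John Smith:", run_exchange("jsmith", SECRETS["jsmith"]))
    print("wrong password:    ", run_exchange("jsmith", b"guess"))
    print("replayed response rejected:", replay_rejected("jsmith", SECRETS["jsmith"]))
```

Because each link setup uses a new random challenge, a response recorded from one session does not authenticate a later one, which is the property that makes not transmitting the password worthwhile.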

Authorization

Authorization lets organizations allow or deny a person access to particular databases or services. For example, John Smith may be allowed to view the status of orders from his department. However, he may not see the files showing year-to-date sales figures or technical research. Generally, authorization is done both by the carrier and again at the customer site. The customer's own systems allow or deny particular users access to specific internal servers.
