Upgrading and Repairing Networks Free Open Book


What Is a VPN?

Basically, a VPN is nothing more than a secure path through a shared network or WAN that connects two computers, or two networks, so that from the point of view of each endpoint of the connection, they are on the same network. The connection is private because some measures have been taken to secure the payload of the data carried through this virtual tunnel.

A VPN can be a good solution for security issues in many scenarios:

  • Employees who work from home and use the Internet to communicate with the company network

  • Mobile employees who travel and can dial in to the Internet using a national ISP

  • Branch offices using the Internet

  • Business partners, customers, or even technical support staff who need access

As this list demonstrates, two basic types of VPNs are used:

  • Remote access VPN: A connection between a remote computer and the Internet.

  • Site-to-site VPN: A connection between two networks, which usually is done between two routers, or in some cases firewall/router combinations.

The Mobile Workforce

Many people are on the move in the business world today, and many companies are allowing some employees to work from home. A technique that is still used today, although it is declining, is to set up a bank of modems and give dial-in access to certain people, such as salesmen, who are always on the move. For a business that needs data connections to branch offices but can't justify the cost of leased lines, modem banks provide the necessary remote connection. You can host a bank of modems under many different operating systems, from Unix (with its efficient kernel and support for large numbers of serial devices) to Windows 2000/2003 (using the remote access service [RAS]). You can even install servers that are basically appliances that act as a front end to provide a bank of modems for dial-in services.

However, maintaining a bank of modems can be expensive because each modem needs a telephone line, which is an ongoing cost. There are also several security issues to consider. For example, what happens if someone discovers the telephone number of your dial-up access? It would then be easy to use a password dictionary attack to break into the network.

For these reasons, a simple dial-in modem is sometimes not the best solution. With Internet access available almost anywhere in the United States, Europe, Japan, and many other countries, the Internet can be a good solution to this problem. You can use a single, high-bandwidth connection (buy what you need) to allow multiple home workers, traveling salesmen, and other mobile workers to connect to your network just as if they were sitting at a desk at the office.

The only problem with this access method is the fact that the Internet is not exactly the most secure place in the world. As a matter of fact, just connecting your company's network to the Internet is a serious task that should be accompanied by careful consideration of how you will control that connection (such as using a good firewall strategy), and how you will segment portions of your network to make sure that intrusions or other security breaches can be minimized.

Note

This chapter uses the Internet as the example of a WAN because it's the most common method used today for connecting to remote sites inexpensively. However, VPN technology can be used across any shared or corporate network. You still can have a bank of modems and let users dial up your local RAS and create a connection through your network.


In a typical LAN (local area network) setting, computers, servers, and other resources are connected using switches (or hubs in older networks that have not yet upgraded to newer hardware). Routers are used to connect LANs so that a logical addressing scheme can be used. The security problem is that when IP is used, for example, the payload section of the IP packet carries some higher-level protocol message with no means of encrypting the data. If you can intercept the IP packet, you can easily determine which protocol is being used and get to the information very quickly.

As you can guess, VPNs are made up of two basic components: a tunnel, which is a virtual path through a WAN, and some form of encryption to render the contents of the payload (and possibly the header information of the upper-level protocol) unusable if intercepted.
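The two components described above, shown from the viewpoint of someone capturing traffic on the shared network, as an added example that is not from the book. The addresses, key, and HTTP request are constructed; the SHA-256 keystream XOR is only a stand-in for a real cipher, and protocol number 50 (ESP) labels the outer packet without reproducing real ESP framing.

```python
import hashlib
import socket
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def keystream_xor(key, data):
    """Stand-in cipher (illustration only): XOR with a SHA-256 counter keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def tunnel(inner, key, gw_src, gw_dst):
    """Encrypt the whole inner packet, then wrap it in an outer IP header."""
    return ipv4_packet(gw_src, gw_dst, 50, keystream_xor(key, inner))

def untunnel(outer, key):
    """Receiving gateway: strip the outer header and recover the inner packet."""
    return keystream_xor(key, outer[(outer[0] & 0x0F) * 4:])

def observe(packet):
    """What an on-path observer can read from a captured packet."""
    payload = packet[(packet[0] & 0x0F) * 4:]
    proto = packet[9]
    port = struct.unpack("!H", payload[2:4])[0] if proto in (6, 17) else None
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "dst_port": port, "payload": payload}

# Constructed sample: a cleartext HTTP request between two private hosts.
APP_DATA = b"GET /payroll/report.html HTTP/1.0\r\n\r\n"
TCP_SEGMENT = struct.pack("!HHIIHHHH", 49152, 80, 1, 1, (5 << 12) | 0x18,
                          8192, 0, 0) + APP_DATA
INNER = ipv4_packet("10.1.0.25", "10.2.0.10", 6, TCP_SEGMENT)
KEY = b"constructed-demo-key"  # assumed pre-shared between the two gateways
OUTER = tunnel(INNER, KEY, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    for label, pkt in (("no VPN", INNER), ("VPN", OUTER)):
        print(label, {k: v for k, v in observe(pkt).items() if k != "payload"})
```

Without the tunnel, the capture exposes the internal hosts, the TCP port, and the request text; with it, only the two gateway addresses and the outer protocol number remain readable.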
