VPN

A virtual private network (VPN) is a private communications network often used within a company, or by several companies or organizations, to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

Authentication mechanism
VPN involves two parts: the protected or "inside" network, which provides physical and administrative security to protect the transmission; and a less trustworthy, "outside" network or segment (usually through the Internet). Generally, a firewall sits between a remote user's workstation or client and the host network or server. As the user's client establishes the communication with the firewall, the client may pass authentication data to an authentication service inside the perimeter. A known trusted person, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users.

Many VPN client programs can be configured to require that all IP traffic must pass through the tunnel while the VPN is active, for better security. From the user's perspective, this means that while the VPN client is active, all access outside their employer's secure network must pass through the same firewall as would be the case while physically connected to the office ethernet. This reduces the risk that an attacker might gain access to the secured network by attacking the employee's laptop: to other computers on the employee's home network, or on the public internet, it is as though the machine running the VPN client simply does not exist. Such security is important because other computers local to the network on which the client computer is operating may be untrusted or partially trusted. Even with a home network that is protected from the outside internet by a firewall, people who share a home may be simultaneously working for different employers over their respective VPN connections from the shared home network. Each employer would therefore want to ensure their proprietary data is kept secure, even if another computer in the local network gets infected with malware. And if a travelling employee uses a VPN client from a Wi-Fi access point in a public place, such security is even more important. However, the use of IPX/SPX is one way users might still be able to access local resources.


Types of VPN
Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking snooping and thus Packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks. This has been the usually intended purpose for VPN for some years.

Because such choice, implementation, and use are not trivial, there are many insecure VPN schemes available on the market.

Secure VPN technologies may also be used to enhance security as a "security overlay" within dedicated networking infrastructures.

Secure VPN protocols include the following:

IPsec (IP security) - commonly used over IPv4, and an obligatory part of IPv6.
SSL used either for tunneling the entire network stack, as in the OpenVPN project, or for securing what is, essentially, a web proxy. Although the latter is often called a "SSL VPN" by VPN vendors, it is not really a fully-fledged VPN in the usual sense. (See also TUN/TAP.)
PPTP (point-to-point tunneling protocol), developed jointly by a number of companies, including Microsoft.
L2TP (Layer 2 Tunnelling Protocol), which includes work by both Microsoft and Cisco.
L2TPv3 (Layer 2 Tunnelling Protocol version 3), a new release.
VPN-Q The machine at the other end of a VPN could be a threat and a source of attack; this has no necessary connection with VPN designs and has been usually left to system adminstration efforts. There has been at least one attempt to address this issue in the context of VPNs. On Microsoft ISA Server, an applications called QSS (Quarantine Security Suite) is available.
Some large ISPs now offer "managed" VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves. In addition to providing remote workers with secure access to their employer's internal network, other security and management services are sometimes included as part of the package. Examples include keeping anti-virus and anti-spyware programs updated on each client's computer.

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. In a sense, these are an elaboration of traditional network and system administration work.

Multi-protocol label switching (MPLS) is often used to build trusted VPN.
L2F (Layer 2 Forwarding), developed by Cisco, can also be used.
[edit]
Characteristics in application
A well-designed VPN can provide great benefits for an organization. It can:

Extend geographic connectivity.
Improve security where data lines have not been ciphered.
Reduce operational costs versus traditional WAN.
Reduce transit time and transportation costs for remote users.
Simplify network topology in certain scenarios.
Provide global networking opportunities.
Provide telecommuter support.
Provide broadband networking compatibility.
Provide faster ROI (return on investment) than traditional carrier leased/owned WAN lines.
Show a good economy of scale.
Scale well, when used with a public key infrastructure.
However, since VPNs extend the "mother network" by such an extent (almost every employee) and with such ease (no dedicated lines to rent/hire), there are certain security implications that must receive special attention:

Security on the client side must be tightened and enforced, lest security be lost at any of a multitude of machines and devices. This has been termed, Central Client Administration, and Security Policy Enforcement. It is common for a company to require that each employee wishing to use their VPN outside company offices (eg, from home) first install an approved firewall (often hardware). Some organizations with especially sensitive data, such as healthcare companies, even arrange for an employee's home to have two separate WAN connections: one for working on that employer's sensitive data and one for all other uses.
The scale of access to the target network may have to be limited.
Logging policies must be evaluated and in most cases revised.
A single breach or failure can result in the privacy and security of the network being compromised. In situations in which a company or individual has legal obligations to keep information confidential, there may be legal problems, even criminal ones, as a result. Two examples are the HIPPA regulations in the US with regard to health data, and the more general European Union data privacy regulations which apply to even marketing and billing information and extend to those who share that data elsewhere.


Tunneling
Tunneling is the transmission of data through a public network in such a way that routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network protocol data so that the tunneled data is not available to anyone examining the transmitted data frames. Tunneling allows the use of public networks (eg, the Internet), to carry data on behalf of users as though they had access to a 'private network', hence the name.

Port forwarding is one aspect of tunneling in particular circumstances.


VPN security dialogs
The most important part of a VPN solution is security. The very nature of VPNs ? putting private data on public networks ? raises concerns about potential threats to that data and the impact of data loss. A Virtual Private Network must address all types of security threats by providing security services in the areas of:

Authentication (access control) - Authentication is the process of ensuring that a user or system is who the user claims to be. There are many types of authentication mechanisms, but they all use one or more of the following approaches:

something you know (eg, a login name, a password, a PIN),
something you have (eg, a computer readable token (eg, a Smartcard), a card key),
something you are (eg, fingerprint, retinal pattern, iris pattern, hand configuration, etc).
What is generally regarded as weak authentication makes use of one of these components, usually a login name/password sequence. Strong authentication is usually taken to combine at least two authentication components from different areas (i.e., two-factor authentication). But note that use of weak and strong in this context can be misleading. A stolen SmartCard and a shoulder-surfed login name / PIN sequence is not hard to achieve and will pass a strong authentication two-factor text handily. More seriously, stolen or lost security data (eg, on a backup tape, a laptop, or stolen by an employee) dangerously furthers many such attacks on most authentication schemes. There is no fully adequate technique for the authentication problem, including biometric ones.