Virtual Private Networks (VPNs)

VPNs give remote employees secure access to corporate networks. A VPN is a secure connection carried over an unsecured network, the Internet. Communication security over the VPN is provided through encryption. VPNs can also be used for secure communications between two network devices or between two users. A VPN connection requires network connectivity, VPN software, appropriate tunneling protocols, and matching encryption methods at both ends.

A VPN establishes a private network over a public network such as the Internet. Instead of dialing in over a telephone line, a VPN uses an Internet connection that the systems have already established. As previously discussed, remote users may benefit from Internet connections provided in public locations such as hotels, coffee shops, and airports. This connection is beneficial when you want to do personal work such as checking personal email or browsing social networking sites. Organizations, however, are not inclined to leave their infrastructure open. Organizations want to ensure that their intranet is available only to employees and that corporate resources are protected. Implementing a VPN environment provides many of the same benefits an employee experiences when connected directly to the corporate network within a corporate infrastructure.

Organizations can also employ VPN capabilities for internal wireless networks. Although you may be able to connect directly to a corporate access point, a VPN connection may be required for you to access internal corporate resources. This implementation ensures security for you and the organization, even when you are still in the organization’s building.

Virtual private networking requires a tunnel. Some of the tunneling protocols that are used for VPN connections are as follows:

  • Transport Layer Security (TLS) is the modern standard for VPNs. This protocol has the advantage of working on almost every network and being allowed to pass through almost any firewall. TLS VPNs simply tunnel a VPN connection over a standard TLS connection.
  • Point-to-Point Tunneling Protocol (PPTP) was developed by a group of vendors and standardized in 1999 under RFC 2637. PPTP allows PPP to be tunneled over an IP network by encapsulating PPP packets. PPTP does not change PPP; it only defines a way to carry it. PPTP relies on Generic Routing Encapsulation (GRE) to build the tunnel between the communicating entities. PPTP lets a remote user set up a PPP connection and then establish a secured VPN connection over it. PPTP works only over IP networks.
  • Layer 2 Tunneling Protocol (L2TP) provides the same functionality as PPTP but on networks other than IP networks. When combined with IPSec, L2TP provides encryption and authentication. L2TP sets up a connection between two communication entities over PPP.
  • The Internet Protocol Security (IPSec) protocol provides the method for establishing a secure channel. In a VPN, IPSec secures communications between the computer system and the corporate network. It is often used in the VPN configuration because it provides flexibility to the organization. Because it is an open framework, an organization can use different configurations to achieve the appropriate level of security.

IPSec provides authentication and encryption through two security protocols. Authentication Header (AH) is the authentication protocol. Encapsulating Security Payload (ESP) provides both authentication and encryption. AH is used to prove the identity of the sender and to ensure that the data has not been tampered with. ESP encrypts the IP packets and ensures their integrity. IPSec can operate in one of two modes, transport mode or tunnel mode. In transport mode, only the message payload is protected; the payload cannot be read if the traffic is captured. In tunnel mode, the payload as well as the routing and header information are protected. ESP provides greater security than AH because it protects the routing and header information.
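The difference between the two modes is easiest to see in the bytes. The following Python is an added example, not code from the original text: it builds a small IPv4 packet and wraps it in ESP framing (RFC 4303 header, trailer, and an HMAC-SHA-256-128 integrity check value) first in transport mode, then in tunnel mode. Encryption is deliberately left out so the layout stays readable; the `confidential` field in the result marks the region a real ESP implementation would encrypt before computing the ICV. The addresses, SPIs, and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4   # "next header" value meaning an IPv4 packet follows (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16       # HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:                         # fold carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def esp_trailer(payload_len: int, next_header: int) -> bytes:
    """ESP trailer: padding to 4-byte alignment, then Pad Length and Next Header."""
    pad_len = (-(payload_len + 2)) % 4
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default monotonic padding
    return padding + bytes([pad_len, next_header])


def esp_encapsulate(mode: str, inner_packet: bytes, spi: int, seq: int, icv_key: bytes,
                    tunnel_src: str = "", tunnel_dst: str = ""):
    """Wrap an IPv4 packet in ESP. Returns (outer_packet, info).

    Encryption is omitted on purpose: info["confidential"] is the byte region a real
    ESP implementation would encrypt before the ICV is computed over it.
    """
    inner_header, inner_payload = inner_packet[:20], inner_packet[20:]
    if mode == "transport":
        # Original addresses stay in the clear; only the transport payload is wrapped,
        # and Next Header records the original protocol (offset 9 of the IP header).
        body, next_header = inner_payload, inner_header[9]
    elif mode == "tunnel":
        # The whole original packet, header included, becomes the ESP payload.
        body, next_header = inner_packet, IPPROTO_IPIP
    else:
        raise ValueError(mode)

    esp_header = struct.pack("!II", spi, seq)   # SPI selects the SA, seq feeds anti-replay
    confidential = body + esp_trailer(len(body), next_header)
    icv = hmac.new(icv_key, esp_header + confidential, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + confidential + icv

    if mode == "transport":
        src, dst = socket.inet_ntoa(inner_header[12:16]), socket.inet_ntoa(inner_header[16:20])
    else:
        src, dst = tunnel_src, tunnel_dst       # outer header names the VPN gateways
    outer_header = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp))
    info = {"next_header": next_header, "confidential": confidential,
            "icv_covered": esp_header + confidential, "cleartext_header": outer_header}
    return outer_header + esp, info


def demo() -> dict:
    """Wrap one constructed TCP packet both ways so the two layouts can be compared."""
    key = b"demo-integrity-key-not-for-real-use"     # constructed SA key, not a real one
    inner = ipv4_header("10.1.1.5", "10.2.2.10", IPPROTO_TCP, 20 + 12) + b"TCP-segment!"
    transport_pkt, transport_info = esp_encapsulate("transport", inner, 0x1001, 1, key)
    tunnel_pkt, tunnel_info = esp_encapsulate("tunnel", inner, 0x1002, 1, key,
                                              tunnel_src="203.0.113.7", tunnel_dst="198.51.100.1")
    return {"inner": inner, "transport_pkt": transport_pkt, "transport_info": transport_info,
            "tunnel_pkt": tunnel_pkt, "tunnel_info": tunnel_info}


if __name__ == "__main__":
    d = demo()
    for mode in ("transport", "tunnel"):
        info = d[mode + "_info"]
        print(f"{mode:9s} next_header={info['next_header']:<3d} "
              f"confidential={len(info['confidential'])} bytes, "
              f"outer packet={len(d[mode + '_pkt'])} bytes")
```

Running it shows the point of the paragraph: in transport mode the inner addresses 10.1.1.5 and 10.2.2.10 are visible in the outer header and Next Header is 6 (TCP), whereas in tunnel mode the original header is inside the protected region, Next Header is 4, and an observer on the path sees only the two gateway addresses.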

Each device keeps a security association (SA) for each VPN connection. The SA is the record of the configuration the device needs to support an IPSec connection: once the two systems agree on the parameters used for communication, those parameters are stored in the SA. The SA may contain the authentication and encryption keys, the algorithms, the key lifetime, and the source IP address. When the system receives a packet over the IPSec protocol, the SA determines how to decrypt the packet, how to authenticate the packet's source, which encryption key to use, and, if necessary, how to replay the message. Separate SAs are used for inbound and outbound traffic.
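To make the role of the inbound SA concrete, here is an added Python example (not code from the original text) of what a receiver does with one ESP packet: select the SA by SPI, cross-check the peer address, run the RFC 4303 sliding-window anti-replay test, verify the integrity check value with a constant-time comparison, and only then advance the window and count the packet against the SA lifetime. Decryption is omitted so the packet bytes stay readable. The SA fields, addresses, key and packet sequence are constructed sample values; the `InboundSA` class and `make_esp` helper are assumptions made for this example, not part of any real IPsec implementation.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): 256-bit HMAC truncated to 128 bits


@dataclass
class InboundSA:
    """One direction of one IPsec connection: what the receiver needs to check a packet."""
    spi: int
    peer: str                      # outer source address the SA was negotiated with
    icv_key: bytes                 # integrity key agreed during IKE
    window_size: int = 64          # anti-replay window; RFC 4303 requires at least 32
    highest_seq: int = 0           # right edge of the window (largest verified seq)
    bitmap: int = 0                # bit i set  <=>  highest_seq - i already accepted
    lifetime_packets: int = 10_000 # after this many packets the SA must be rekeyed
    packets_seen: int = 0


def replay_check(sa: InboundSA, seq: int):
    """RFC 4303 sliding-window test, done before the ICV check. Returns (ok, reason)."""
    if seq == 0:
        return False, "sequence number 0 is never valid"
    if seq > sa.highest_seq:
        return True, "new"
    offset = sa.highest_seq - seq
    if offset >= sa.window_size:
        return False, "too old (left of window)"
    if (sa.bitmap >> offset) & 1:
        return False, "replayed"
    return True, "inside window"


def replay_update(sa: InboundSA, seq: int):
    """Advance the window only after the ICV verified, so forged packets cannot move it."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.bitmap = 0 if shift >= sa.window_size else sa.bitmap << shift
        sa.bitmap = (sa.bitmap | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)


def process_inbound(sadb: dict, outer_src: str, esp: bytes):
    """Apply the matching SA to one ESP packet. Returns (status, (next_header, payload) or None)."""
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sadb.get(spi)                                 # inbound SA is selected by SPI
    if sa is None or sa.peer != outer_src:
        return "drop: no matching SA", None
    ok, reason = replay_check(sa, seq)
    if not ok:
        return "drop: " + reason, None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.icv_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # constant-time comparison
        return "drop: bad ICV", None
    replay_update(sa, seq)
    sa.packets_seen += 1
    if sa.packets_seen > sa.lifetime_packets:
        return "drop: SA lifetime exhausted, rekey required", None
    pad_len, next_header = body[-2], body[-1]          # ESP trailer (decryption omitted)
    return "accept", (next_header, body[8:-(2 + pad_len)])


def make_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """What the sending peer emits: ESP header, payload, trailer, ICV (no encryption)."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def demo() -> list:
    """Constructed packet sequence: in-order, reordered, replayed, wrong peer, forged, stale."""
    key, peer = b"demo-integrity-key-not-for-real-use", "203.0.113.7"
    sadb = {0x1001: InboundSA(spi=0x1001, peer=peer, icv_key=key)}
    cases = [
        (peer,           make_esp(0x1001, 1,   b"first",  6, key)),  # accept
        (peer,           make_esp(0x1001, 3,   b"third",  6, key)),  # accept, seq 2 outstanding
        (peer,           make_esp(0x1001, 2,   b"second", 6, key)),  # accept, late but in window
        (peer,           make_esp(0x1001, 3,   b"third",  6, key)),  # drop: replayed
        ("198.51.100.9", make_esp(0x1001, 4,   b"x",      6, key)),  # drop: SA is another peer's
        (peer,           make_esp(0x1001, 5,   b"x",      6, b"forged-key")),  # drop: bad ICV
        (peer,           make_esp(0x9999, 5,   b"x",      6, key)),  # drop: unknown SPI
        (peer,           make_esp(0x1001, 100, b"jump",   6, key)),  # accept, window slides to 100
        (peer,           make_esp(0x1001, 30,  b"stale",  6, key)),  # drop: too old
    ]
    return [process_inbound(sadb, src, pkt)[0] for src, pkt in cases]


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Two ordering decisions matter for a receiver: the replay window is consulted before the ICV is computed (cheap rejection of duplicates) but is updated only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window; and the packet counter is kept per SA, which is what lets the receiver enforce the negotiated lifetime and force a rekey.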

Internet Key Exchange (IKE), defined in RFC 2409, lets communication partners identify each other over a secure connection. IKE is the de facto standard key-exchange protocol for IPSec. It combines the Internet Security Association and Key Management Protocol (ISAKMP) with OAKLEY: OAKLEY carries out the negotiation, and ISAKMP provides the framework for it. The negotiation covers the algorithm, protocol, modes, and keys. The partners can authenticate through a shared secret or through public key encryption. Once this is determined, the SAs are established.
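The cryptographic core of that negotiation, with shared-secret authentication, is short enough to work through. The Python below is an added example, not code from the original text: it runs the IKEv1 Phase 1 derivation from RFC 2409 section 5 for both peers (a Diffie-Hellman exchange, then SKEYID, SKEYID_d, SKEYID_a and SKEYID_e, then HASH_I and HASH_R), and shows that both sides arrive at the same keys when they hold the same pre-shared key and at different keys when they do not. The Diffie-Hellman group is a toy 127-bit prime chosen for readability, not one of the Oakley groups IKE actually uses; the `Peer` class, the cookie, nonce and identity values, and the SA proposal string are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only. Real IKE uses the Oakley MODP groups
# with 1024-bit and larger primes; this 127-bit Mersenne prime is far too small for use.
P = (1 << 127) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf, instantiated as HMAC-SHA-256 here (RFC 2409 uses HMAC-<negotiated hash>)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE participant: its cookie, nonce, DH key pair and pre-shared key."""
    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)      # CKY-I or CKY-R
        self.nonce = secrets.token_bytes(16)      # Ni_b or Nr_b
        self._x = secrets.randbelow(P - 2) + 2    # private DH exponent, never leaves the host
        self.public = pow(G, self._x, P)          # g^x, sent in the KE payload

    def derive(self, peer_public: int, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes) -> dict:
        g_xy = to_bytes(pow(peer_public, self._x, P))
        # Pre-shared-key authentication (RFC 2409 5.4): SKEYID = prf(psk, Ni_b | Nr_b)
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # seeds Phase 2 keys
        skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # authenticates IKE
        skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # encrypts IKE
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid, g_x_sender, g_x_receiver, cky_sender, cky_receiver, sa_body, id_body):
    """HASH_I / HASH_R: proof that the sender knows the PSK and took part in this DH exchange."""
    return prf(skeyid, to_bytes(g_x_sender) + to_bytes(g_x_receiver)
               + cky_sender + cky_receiver + sa_body + id_body)


def run_phase1(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Main mode reduced to its cryptographic core; returns what each side concluded."""
    init, resp = Peer(psk_initiator), Peer(psk_responder)
    sa_body = b"constructed SAi_b: ESP / HMAC-SHA-256 / toy DH group"   # initiator's SA payload
    # Messages 1-4: cookies, the SA proposal, KE (g^x) and nonces travel in the clear.
    keys_i = init.derive(resp.public, init.cookie, resp.cookie, init.nonce, resp.nonce)
    keys_r = resp.derive(init.public, init.cookie, resp.cookie, init.nonce, resp.nonce)
    # Messages 5-6: each side sends its identity and HASH under SKEYID_e; the other recomputes it.
    hash_i = auth_hash(keys_i["SKEYID"], init.public, resp.public, init.cookie, resp.cookie, sa_body, b"ID_I")
    hash_i_check = auth_hash(keys_r["SKEYID"], init.public, resp.public, init.cookie, resp.cookie, sa_body, b"ID_I")
    hash_r = auth_hash(keys_r["SKEYID"], resp.public, init.public, resp.cookie, init.cookie, sa_body, b"ID_R")
    hash_r_check = auth_hash(keys_i["SKEYID"], resp.public, init.public, resp.cookie, init.cookie, sa_body, b"ID_R")
    return {
        "keys_match": keys_i == keys_r,
        "initiator_authenticated": hmac.compare_digest(hash_i, hash_i_check),
        "responder_authenticated": hmac.compare_digest(hash_r, hash_r_check),
    }


if __name__ == "__main__":
    print("same PSK:     ", run_phase1(b"s3cret-psk", b"s3cret-psk"))
    print("different PSK:", run_phase1(b"s3cret-psk", b"wrong-psk"))
```

The HASH values are what make a mismatched shared secret visible: the Diffie-Hellman step alone would give two peers with different pre-shared keys the same g^xy, but because SKEYID is keyed with the pre-shared key, neither side can reproduce the other's HASH, and the exchange fails before any IPSec SA is created.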
