Introduction to VPNs

A virtual private network (VPN) is a network connection that hides the content of the data transferred between the VPN client and server. Virtual private networks allow you to extend your private network to geographically dispersed locations without incurring the expense of a dedicated WAN link. The VPN takes advantage of the low-cost public Internet and allows you to connect clients and servers in a secure fashion over the public Internet.

The most compelling reason to implement a VPN is cost savings. A VPN allows you to accomplish the same things you can accomplish with dedicated links between networks or with dial-up modem solutions. The VPN solution is much more cost-effective than either the dedicated WAN link or the dial-up modem solution.

For example, suppose you have employees with notebook computers. These employees travel all over the world and often need to connect the notebook computers to the corporate network to access email or data files. The traditional solution for remote access is to install a modem bank on a remote access server and have the traveling notebook users make long distance or “800” calls to the corporate RAS server. This is an expensive solution because the long distance and 800 costs can literally run into millions of dollars a month for a large company.

A VPN solution allows the notebook users to call into a local Internet service provider (ISP) and then establish a VPN connection over the connection made to the ISP. The VPN connection does not require a long distance call and takes advantage of the existing call to the local ISP. The VPN connection completely obviates the requirement for long distance calls and modem banks. A single VPN server can support hundreds of VPN users using a single high-speed Internet connection. If more users need to be supported, a second VPN server can be installed at a fraction of the price of modem banks and long distance charges.

VPN Economics

Another example is a company that wants to connect satellite offices to a central office. Imagine that you run a company with a central office in Dallas, Texas. You have satellite offices in New York City, New York and in San Francisco, California. You can interconnect all those offices to create a single network using dedicated WAN links. The drawback of this traditional solution for connecting remote, geographically dispersed networks is that it is very expensive.

NOTE

VPN Is a Cost-Containment Decision

Keep in mind that VPNs are implemented primarily for cost containment. Although there is much discussion about security when talking about VPNs, VPNs should not be considered more secure than direct dial-up RAS servers. This is because it is more difficult to hack into the PSTN than it is to hack the Internet, and considerably fewer people have the capabilities to do so.


A VPN solution can be used to join remote networks to a central office. All three networks are connected to the Internet. A VPN connection can be established to the Internet between each satellite office and the central office. The VPN connection does not require dedicated WAN links. The price of an Internet connection for each office is just a fraction of the price of a dedicated WAN link.

The cost savings realized by joining clients and networks via VPNs is the driving force behind the popularity of virtual private networking. The data traveling over the VPN is encrypted so that Internet intruders are not able to intercept and read that data.

VPN Architectures

VPN architectures are defined by how the VPN server is placed in relation to other network components, such as VPN clients and firewalls. In this section, we discuss the following VPN architectures:

  • VPN server

  • VPN gateway

  • VPN server external to firewall

  • VPN server internal to firewall

  • VPN server on the firewall

VPN Server

A VPN server is a computer or hardware device that can accept VPN calls from VPN client computers. The most common VPN client is some version of the Microsoft Windows VPN client, included with Microsoft Windows 95/98/Me/2000/XP. The Microsoft VPN client software allows connections to both PPTP and L2TP/IPSec VPN servers; however, only Windows 2000 and Windows XP are able to make L2TP/IPSec calls. Other Microsoft Windows versions are able to make PPTP calls only.

VPN hardware vendors can also choose to implement their own proprietary VPN clients. It is important to assess the compatibility between your VPN clients and other network devices, such as firewalls, before making a decision on what type of VPN client to use.

VPN servers allow incoming calls to the VPN server. After the call to the VPN server is complete, the VPN client can access resources on the VPN server itself, or the VPN client can access resources on the internal network behind the VPN server. This depends on how the VPN server is configured.

The VPN server architecture does not connect entire networks. To connect networks to one another, you must configure a VPN gateway.

VPN Gateway

A VPN gateway is used to connect geographically disparate networks. The VPN gateway can be configured to route requests destined to remote corporate LANs over a virtual network interface rather than to the Internet.

The VPN gateway configuration is also called a gateway-to-gateway VPN. The VPN gateway computers control access to the private networks via the VPN connections. This allows the VPN gateways to be connected to the Internet and also accept connections from remote VPN gateways at the same time.

For example, imagine that you have a network in Dallas and you want to connect that network to a remote network in San Francisco. The hosts at the Dallas networks are assigned IP addresses in the 10.0.0.0/16 network ID and the hosts in the San Francisco network are assigned addresses in the 192.168.1.0/24 network ID.

On the Dallas VPN gateway, you can configure a VPN virtual interface that forwards packets for network ID 192.168.1.0/24 over the VPN interface to the San Francisco VPN gateway. On the San Francisco VPN gateway, you can configure a VPN virtual interface to forward all packets destined for network ID 10.0.0.0/16 to the Dallas VPN gateway. Static routes are configured on each gateway so that routing takes place over the correct interface.

The VPN gateway acts as a router, or more precisely, a VPN router. The VPN gateway routes packets for particular network IDs over the VPN interface depending on how routing table entries are defined.
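The routing decision described above, as an added example that is not from the original text: each gateway's static routes modelled as a longest-prefix-match table. The interface names, the default route and the sample destination addresses are assumptions constructed for the example; removing the static route shows why the text insists on it, because traffic for the remote LAN then falls through to the default Internet route instead of the VPN interface.

```python
import ipaddress

# Constructed routing tables for the Dallas and San Francisco gateways.
# Entries are (destination network ID, outbound interface); the interface
# names are assumptions for this example. The default route 0.0.0.0/0
# sends everything not matched elsewhere to the Internet interface.
DALLAS_ROUTES = [
    ("10.0.0.0/16", "lan0"),          # directly attached Dallas LAN
    ("192.168.1.0/24", "vpn-to-sf"),  # static route over the VPN interface
    ("0.0.0.0/0", "internet0"),       # default route
]
SAN_FRANCISCO_ROUTES = [
    ("192.168.1.0/24", "lan0"),        # directly attached San Francisco LAN
    ("10.0.0.0/16", "vpn-to-dallas"),  # static route over the VPN interface
    ("0.0.0.0/0", "internet0"),        # default route
]


def select_interface(routes, dst):
    """Longest-prefix match: the most specific matching network ID wins."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        more_specific = best_net is None or network.prefixlen > best_net.prefixlen
        if dst_ip in network and more_specific:
            best_net, best_iface = network, iface
    if best_iface is None:
        raise ValueError(f"no route to {dst}")
    return best_iface


def tunnelled(routes, dst):
    """True when the packet leaves over a VPN interface (encrypted), not in the clear."""
    return select_interface(routes, dst).startswith("vpn-")


def without_static_vpn_route(routes):
    """Misconfiguration case: the static route to the remote LAN is missing."""
    return [(net, iface) for net, iface in routes if not iface.startswith("vpn-")]


if __name__ == "__main__":
    for dst in ("192.168.1.20", "10.0.5.9", "203.0.113.7"):
        print(f"Dallas -> {dst:14} via {select_interface(DALLAS_ROUTES, dst)}")
        print(f"SF     -> {dst:14} via {select_interface(SAN_FRANCISCO_ROUTES, dst)}")
    broken = without_static_vpn_route(DALLAS_ROUTES)
    print("Dallas without the static route -> 192.168.1.20 via",
          select_interface(broken, "192.168.1.20"))
```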

VPN Server External to Firewall

VPN servers can be placed in front of a firewall, behind a firewall, or on the firewall itself. Each architecture has its advantages and disadvantages.

The VPN server can be placed in front of the firewall. VPN clients connect to the VPN server and then can access resources on the DMZ segment between the VPN server and the firewall, or they can be allowed to access internal network resources on the private network.

The advantage of putting the VPN server external to the firewall is that you don't have to configure the firewall to allow VPN traffic through.

However, there are several disadvantages to putting the VPN server external to the firewall. First, the user accounts database must be placed on the external VPN server, or you must be able to use a protocol, such as RADIUS, to allow authentication requests to be passed into the internal network. A second disadvantage of putting the VPN server external to the firewall is that the external interface of the VPN server is open to Internet attacks. Although you can configure host-based security to control access to the VPN server, the VPN server still becomes the primary focus of Internet intruders. Finally, putting the VPN server external to the firewall creates configuration challenges if you want to allow VPN clients access to internal network resources and prevent them from accessing resources on the DMZ segment (via credentials they provided to the VPN server).

VPN servers should be placed external to the firewall only if you have specialized requirements, such as the VPN users require access to resources only on the VPN segment or when you have created a VPN extranet to allow partners to access resources external to the corporate firewall.

VPN Server Internal to Firewall

VPN servers can be placed internal to the corporate firewall. VPN clients can call the VPN server located behind the firewall because the firewall is configured to pass VPN messages through the firewall to the VPN server.

The disadvantages of this approach are related to firewall configuration:

  • Complex firewall configuration

  • Issues with using private addresses on the DMZ segment

The VPN architecture can be simple or complex depending on the type of firewall you use and whether you have decided to use private network addresses on the DMZ segment between the firewall and VPN server. Most firewalls have a facility to simplify passing VPN messages through the firewall. However, some VPN protocols, such as L2TP/IPSec, will not pass through a NAT device. Although there are some proprietary solutions to passing L2TP/IPSec over a NAT device, they add complexity to the firewall configuration.

The advantages to placing the VPN server behind the firewall are

  • The firewall protects the VPN server from Internet attack.

  • The user accounts database is more easily accessible.

  • The firewall can be configured to accept VPN requests from specific users or network IDs.

  • Access to internal network resources is easier to configure.

The firewall can be configured to pass only VPN traffic to the VPN server interface on the DMZ segment. This protects the VPN server from attack because only VPN requests are passed to the VPN server. This makes it easier to secure the VPN server by focusing on the VPN server components.

When the VPN server is internal to the firewall, it's likely that the internal interface of the VPN server will be connected to a trusted network that allows communications with an authentication server. This allows the VPN server to directly communicate with the authentication server, rather than having to utilize RADIUS for remote authentication. This simplifies your VPN client authentication architecture.

The firewall can be configured to accept VPN requests from particular clients, rather than all clients on the Internet. This is a realistic configuration if you have already arranged a deal with a national or international ISP to provide IP addresses to your remote access clients within a particular network ID.
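The two firewall rules discussed above (pass only VPN traffic to the VPN server's DMZ interface, and optionally accept it only from the network ID your ISP assigns to your remote users), as an added example that is not from the original text. The VPN server's DMZ address and the allowed client range are constructed values; the protocol and port numbers are the standard IANA assignments for PPTP (TCP 1723 plus GRE) and IPSec (IKE on UDP 500 plus ESP and AH), which is why L2TP's own UDP port never appears in the rules: it travels inside ESP.

```python
from dataclasses import dataclass
import ipaddress

# Well-known IP protocol numbers for the VPN protocols the text discusses.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0  # only meaningful for TCP/UDP


# Constructed: the VPN server's external interface on the DMZ segment.
VPN_SERVER = "172.16.0.10"

# Constructed: the network ID the ISP hands out to our remote access clients.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def is_vpn_traffic(pkt):
    """True only for PPTP (TCP 1723 control + GRE data) and L2TP/IPSec (IKE + ESP/AH)."""
    if pkt.proto == PROTO_TCP and pkt.dport == 1723:
        return True  # PPTP control channel
    if pkt.proto == PROTO_GRE:
        return True  # PPTP data: GRE-encapsulated PPP frames
    if pkt.proto == PROTO_UDP and pkt.dport == 500:
        return True  # IKE negotiation that sets up the IPSec security association
    if pkt.proto in (PROTO_ESP, PROTO_AH):
        return True  # IPSec-protected L2TP traffic
    return False


def firewall_decision(pkt, restrict_clients=False):
    """Return 'pass' or 'drop' for a packet arriving on the firewall's external interface."""
    if pkt.dst != VPN_SERVER:
        return "drop"  # nothing else on the DMZ segment is reachable from the Internet
    if not is_vpn_traffic(pkt):
        return "drop"  # e.g. file-sharing or web probes aimed at the VPN server
    if restrict_clients:
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in ALLOWED_CLIENT_NETS):
            return "drop"  # VPN request from outside the arranged ISP range
    return "pass"


if __name__ == "__main__":
    probes = [Packet("198.51.100.7", VPN_SERVER, PROTO_TCP, 1723),
              Packet("198.51.100.7", VPN_SERVER, PROTO_TCP, 445),
              Packet("203.0.113.9", VPN_SERVER, PROTO_UDP, 500)]
    for p in probes:
        print(p, "->", firewall_decision(p, restrict_clients=True))
```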

Access to internal network resources is easier because the VPN server has an interface directly connected to the network. This obviates the requirement of creating a second VPN link that is tunneled inside the first VPN link, which is often required if you want to access internal network resources when the VPN server is external to the firewall.

The advantages of placing the VPN server internal to the firewall far outweigh the disadvantages. Placing the VPN server internal to the firewall should be considered the preferred configuration.

VPN Server on the Firewall

The VPN server can also be put on the firewall itself. The advantage of this approach is that the firewall and VPN configuration can be done on the same box, and the same vendor provides the interface to configure both the firewall and VPN components.

The firewall components can secure the VPN server from attack by Internet intruders. However, a major drawback to this configuration is that if the VPN server components are compromised, the entire firewall may be liable to successful attack. Putting the firewall and the VPN server on the same machine does violate a basic rule of secure network computing. This rule states the firewall machine should have no additional applications and services installed. Only the firewall components should be installed.

Both hardware- and software-based firewalls provide dual VPN and firewall functionality. One advantage of the hardware-based firewalls is that there aren't many operating system components that can be attacked by an Internet intruder. On the other hand, much of the security provided by hardware firewalls falls into the realm of “security through obscurity” and not much information is shared about how these types of firewalls work. Contrast this situation with software-based firewalls, such as ISA Server 2000, where there are lively community discussions regarding how the firewall operates and potential weaknesses in the firewall configuration and design.

VPN Protocols

A VPN protocol provides a point-to-point link and an encryption (and sometimes an authentication) method. Although there are several virtual link layer protocols that allow you to create virtual tunnels, the private part of a VPN is defined by the encryption of the data within the tunnel.

The two most commonly used VPN protocols are the Microsoft Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol over IPSec (L2TP/IPSec). A third method of tunneling data via a virtual point-to-point link is by tunneling data through a pure IPSec tunnel.

PPTP

PPTP was developed by Microsoft and was first introduced with the “Steelhead” add-in for the Windows NT 4.0 Routing and Remote Access Service. The first version of PPTP (1.0) suffered from some serious security problems and the protocol was soon updated by Microsoft to address those security issues. The current version of PPTP is version 2.0 and this version is included with the Windows 2000 Routing and Remote Access service.

When we speak of PPTP, we are actually referring to two protocols. PPTP is the link layer protocol that is used to create the virtual point-to-point connection. PPTP itself does not provide any data encryption. Data encryption services are provided by the Microsoft Point-to-Point Encryption Protocol (MPPE). MPPE generates encryption keys based on Microsoft CHAP (MS-CHAP) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication mechanisms.

PPTP can provide a high level of security for VPNs, but it does suffer from its dependence on the encryption key being based on passwords. If simple passwords are used, breaking into a PPTP-based VPN server becomes a relatively simple affair. The foundation of PPTP VPN security is based on complex passwords. Any organization wanting to use PPTP-based VPNs must also enforce complex user passwords.

The problem with dependence on password complexity is that users will do their best to circumvent password security requirements. The best solution to this problem is to combine a password (what the user knows) with a machine certificate (what the user has). Combining what the user knows with something the user has allows you to relax somewhat the level of complexity in user passwords.

Unfortunately, PPTP cannot take advantage of the know/have security scheme. To solve this problem, you can use another VPN protocol that is gaining popularity—L2TP/IPSec.

L2TP/IPSec

L2TP over IPSec is a VPN tunneling protocol that is gaining popularity because, in addition to authenticating the user, L2TP/IPSec connections also authenticate the machines participating in the VPN connection. The machine authentication depends on each machine having a digital certificate to confirm its identity. If one or both machines do not contain a valid digital certificate, the L2TP/IPSec connection attempt fails.

The Layer 2 Tunneling Protocol provides the virtual link, and IPSec provides encryption. L2TP is a combination of the PPTP link layer protocol (developed by Microsoft) and the Layer 2 Forwarding Protocol (developed by Cisco). The IETF proposed that these protocols be combined into a single protocol to avoid fragmentation in the VPN market. The combination of the two protocols resulted in the Layer 2 Tunneling Protocol we use today.

Like PPTP, user authentication is via typical PPP authentication mechanisms, such as CHAP and MS-CHAP. Unlike PPTP, the encryption mechanism is not dependent on the authentication protocol because IPSec does not use the users' credentials to create an encryption key. The encryption keys are typically based on machine certificates, although IPSec is flexible enough to use different types of encryption keys. The type of encryption key used by IPSec is dependent on how a particular operating system or network device implements the IPSec encryption protocol.

IPSec can provide more than just encryption of data moving through the L2TP tunnel. In addition to the encryption provided by the Encapsulating Security Payload (ESP) protocol, IPSec can also provide for packet authentication. Authentication determines whether the packet has been changed while in transit. The Authentication Header (AH) protocol handles this authentication function for IPSec. If a packet protected by AH is changed in transit, AH flags the packet as invalid and the packet is dropped.
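A simplified model of the AH integrity check, added here and not part of the original text: the Integrity Check Value is an HMAC over the header fields AH treats as immutable (reduced here to the source and destination addresses) plus the payload, while mutable fields such as the TTL are excluded. The key, the packets and the hop functions are constructed for the example, and real AH covers further header fields in the wire format it defines; the model also shows one reason behind the earlier statement that L2TP/IPSec will not pass through a NAT device: NAT rewrites an address that AH covers, so the receiver drops the packet exactly as it drops a tampered one.

```python
import hashlib
import hmac
import ipaddress

# Constructed key standing in for the one IKE would negotiate for the SA.
SA_KEY = b"constructed-demo-key-not-from-the-page"


def ah_icv(key, src, dst, payload):
    """ICV over the immutable header fields (addresses) and the payload."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(ipaddress.ip_address(src).packed)
    mac.update(ipaddress.ip_address(dst).packed)
    mac.update(payload)
    return mac.digest()


def protect(key, src, dst, payload):
    """Sender side: attach the ICV. TTL is mutable and deliberately not covered."""
    return {"src": src, "dst": dst, "ttl": 64, "payload": payload,
            "icv": ah_icv(key, src, dst, payload)}


def verify(key, pkt):
    """Receiver side: recompute the ICV and compare in constant time; False means drop."""
    expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def forward_router(pkt):
    """Ordinary hop: only the mutable TTL changes, so AH still verifies."""
    return {**pkt, "ttl": pkt["ttl"] - 1}


def nat_device(pkt, public_ip):
    """NAT rewrites the source address, which AH covers, so verification fails."""
    return {**pkt, "src": public_ip, "ttl": pkt["ttl"] - 1}


def tamper(pkt, new_payload):
    """In-transit modification of the tunnelled L2TP frame: verification fails."""
    return {**pkt, "payload": new_payload}


if __name__ == "__main__":
    pkt = protect(SA_KEY, "10.0.0.5", "192.168.1.1", b"L2TP frame (constructed)")
    print("direct:    ", verify(SA_KEY, pkt))
    print("via router:", verify(SA_KEY, forward_router(pkt)))
    print("via NAT:   ", verify(SA_KEY, nat_device(pkt, "203.0.113.1")))
    print("tampered:  ", verify(SA_KEY, tamper(pkt, b"L2TP frame (altered)")))
```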

L2TP/IPSec can be used both by VPN clients calling a VPN server and by VPN gateways connecting to one another. Because of the flexibility in implementation options and the enhanced security provided by IPSec, the L2TP/IPSec tunneling protocol is considered the standard and preferred VPN protocol for small and large networks.

Pure IPSec Tunnels

IPSec can be used to create a VPN tunnel. When IPSec is used to create a VPN tunnel, it is said to be working in tunnel mode. Tunnel mode IPSec connections can be configured between VPN gateways. Data inside the IPSec tunnel is encrypted using IPSec as the encryption protocol.

Pure IPSec tunnels are not typically used by VPN clients to call VPN servers over the Internet. There are a number of technical reasons for this, but the primary limitation to using IPSec tunnel mode between VPN client and server is related to proprietary implementations of IPSec tunnel mode. L2TP implementations are more standardized, so interoperability issues are less significant.

WARNING

Various IPSec Tunneling Solutions

Pure IPSec tunneling is not performed between VPN clients and servers. Some IPSec tunneling solutions, such as the Windows 2000 implementation, do not allow you to use Fully Qualified Domain Names (FQDNs) to create the tunnel; IP addresses must be used for the tunnel endpoints.


IPSec tunnels are more viable when they are created between two VPN gateway devices from the same manufacturer. Many unexpected complications result when you attempt to create pure IPSec tunnels between unrelated devices.
