Detailed Explanation of VPN Technology (Part 1)

Author: Lu Xiaopo

Introduction

A virtual private network (VPN) connects components and resources across different networks. It can use the Internet or other public network infrastructure to create tunnels for its users while providing the same security and functionality guarantees as a private network. (Figure 1)


A VPN allows a remote communicating party, a salesperson, or an enterprise branch office to connect securely to enterprise servers on the corporate LAN over the routing infrastructure of a public network such as the Internet. The VPN is transparent to the client: to the user it appears as if a dedicated line had established a point-to-point connection between the client computer and the enterprise server to carry the data.

VPN technology also enables enterprises to connect with branch offices or other companies over the Internet and other public networks for secure communication. Such a VPN connection across the Internet is logically equivalent to a wide area network connection between the two sites.

Although VPN communication is carried over the public Internet, users feel as if they were using a private network, hence the name virtual private network.

As long-distance traffic grows and enterprises operate globally across widely distributed sites, employees need access to central resources and enterprises must communicate with each other promptly and efficiently; VPN technology addresses both needs.

If you want employees to be able to connect with the enterprise computing resources wherever they are, the enterprise must adopt a highly reliable and scalable remote access solution. In general, enterprises have the following choices:

1. The Management Information System (MIS) department drives the plan. Establish an internal MIS department that specializes in purchasing, installing and maintaining enterprise modem pools and dedicated network infrastructure.

2. The value-added network (VAN) programme. Companies hire an external company to purchase, install and maintain modem pools and telecommunications network infrastructure.

In terms of cost, reliability, management and ease of connection, neither scheme fully satisfies the enterprise's requirements for network security or scalability. It is therefore important to choose a cheaper Internet-based solution in place of the enterprise's investment in modem pools and dedicated network infrastructure.

Basic uses of virtual private networks

Remote user access over the Internet
Virtual private networks support secure remote access to enterprise resources over the public Internet.

Unlike a network access server (NAS) reached over a dedicated line or a long-distance or toll-free (1-800) telephone call to the enterprise, a VPN user first dials the NAS of a local ISP; the VPN software then uses the connection established with the local ISP to create a virtual private network across the Internet or another public network between the dial-up user and the enterprise VPN server.

Network interconnection via the Internet

You can use a VPN to connect remote local area networks in either of the following two ways.

1. Using dedicated lines to connect branch offices and the enterprise LAN.
Instead of expensive long-distance dedicated circuits, both the branch office router and the enterprise-side router connect to the Internet through their local ISPs over local dedicated lines. The VPN software then uses these connections and the Internet to create a virtual private network between the branch office router and the enterprise router.

2. Using dial-up lines to connect branch offices and the enterprise LAN.
Instead of the traditional approach, in which the branch office router uses a dedicated line or dials a long-distance or toll-free (1-800) number to reach the enterprise NAS, the branch office router dials a local ISP. The VPN software then uses the connection established with the local ISP to create a virtual private network across the Internet between the branch office and the enterprise router.

Note that in both cases the connection between the branch office or the enterprise site and the Internet is made through local facilities. Because both the client and the server dial a local access number, a VPN can greatly reduce connection costs. It is recommended that the enterprise-side router acting as the VPN server connect to its local ISP over a dedicated line, because the VPN server must monitor the VPN data stream 24 hours a day.

Connecting computers within an enterprise's internal network
Within an enterprise's internal network, some departments may store sensitive data. The traditional way to secure it is to disconnect these departments from the rest of the enterprise network, forming isolated small networks. This protects the department's information, but the physical separation also makes it impossible for users in other departments to communicate with it.

With a VPN, the department's network can be connected to the rest of the enterprise through a VPN server while the confidentiality of its data is preserved. A router could also interconnect the networks, but it does not restrict what data flows into the sensitive network; with a VPN server, the enterprise network administrator can specify that only users who meet specific identity requirements may connect to the VPN server and gain access to the sensitive information. In addition, all VPN data can be encrypted to protect it. Users without access rights cannot even see the department's local area network.

Basic Requirements for VPN

Generally, when an enterprise chooses a long-distance network interconnection solution, it wants to control access to enterprise resources and information. The chosen solution should allow authorized users to connect freely to the resources on the enterprise LAN, allow different branch organizations to share resources, and ensure that enterprise data is not compromised while it travels over the public Internet or an intranet. At a minimum, therefore, a successful VPN solution should meet all of the following requirements:

1. User authentication
The VPN solution must authenticate users and strictly limit VPN access to authorized users. It must also provide audit and billing functions that show who accessed what information.

2. Address Management
The VPN solution must be able to assign users addresses on the private network and keep those addresses secure.

3. Data encryption
Data carried over the public Internet must be encrypted so that it cannot be read by other, unauthorized users of the network.

4. Key Management
The VPN solution must be able to generate and update the encryption keys for both the client and the server.

5. Multi-protocol support
The VPN solution must support the basic protocols commonly used on public networks, including IP and IPX. A VPN solution based on the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP) can meet all of the basic requirements above and take full advantage of the worldwide Internet. Other solutions, including IP Security (IPsec), do not meet all of the requirements above but remain applicable in specific environments. The following sections of this article focus on the concepts, protocols, and components of VPNs.
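The first four requirements above (authentication with an audit trail, private-address assignment, payload encryption, and key generation with periodic updates) are easiest to see working together in code. The Go program below is an added example written for this page; it is not from the article and models no particular VPN product. Everything in it is constructed for illustration: the user "alice" and her credential, the 32-byte long-term key, the 10.8.0.0/29 address pool and the "vpn-session" label. In place of a real key exchange it derives a fresh AES-256-GCM key per "epoch" with HMAC-SHA256 from a long-term key shared by client and server, which is enough to show how keys are generated and rotated but gives no forward secrecy, and it compares a SHA-256 password digest where a real server would use a slow password hash or certificates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Session is one end of a tunnel: its private address, the AEAD for the current
// key epoch and the message counter that, with the epoch, forms the GCM nonce.
type Session struct {
	User       string
	Addr       netip.Addr
	RekeyEvery uint64 // messages per key epoch before a fresh key is derived
	master     []byte // long-term key shared with this user (constructed sample)
	epoch      uint32 // bumped on every rekey; first 4 nonce bytes
	counter    uint64 // next counter to use/expect in this epoch; last 8 nonce bytes
	aead       cipher.AEAD
}

// Server models the VPN server's control plane for the article's requirements.
type Server struct {
	creds, masters map[string][]byte     // user -> SHA-256(password); user -> long-term key
	pool           netip.Prefix          // private range handed out to clients
	inUse          map[netip.Addr]string // address -> user currently holding it
	Audit          []string              // who connected or was refused, and why
}

func NewServer(pool netip.Prefix) *Server {
	return &Server{creds: map[string][]byte{}, masters: map[string][]byte{},
		pool: pool, inUse: map[netip.Addr]string{}}
}

// AddUser stores the credential hash and the user's long-term key material.
func (s *Server) AddUser(user, password string, master []byte) {
	h := sha256.Sum256([]byte(password))
	s.creds[user], s.masters[user] = h[:], master
}

// Connect authenticates the user, assigns the lowest free host address (skipping the
// network address, the server's own first host and the broadcast address) and starts
// the first key epoch; every outcome lands in the audit trail.
func (s *Server) Connect(user, password string, rekeyEvery uint64) (*Session, error) {
	got := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(s.creds[user], got[:]) != 1 {
		s.Audit = append(s.Audit, user+": authentication failed")
		return nil, errors.New("authentication failed")
	}
	for a := s.pool.Addr().Next().Next(); s.pool.Contains(a.Next()); a = a.Next() {
		if _, taken := s.inUse[a]; !taken {
			s.inUse[a] = user
			s.Audit = append(s.Audit, fmt.Sprintf("%s: connected as %s", user, a))
			return newSession(user, a, s.masters[user], rekeyEvery), nil
		}
	}
	s.Audit = append(s.Audit, user+": refused, address pool exhausted")
	return nil, errors.New("address pool exhausted")
}

// newSession starts a tunnel end in key epoch 1.
func newSession(user string, addr netip.Addr, master []byte, rekeyEvery uint64) *Session {
	return &Session{User: user, Addr: addr, RekeyEvery: rekeyEvery, master: master,
		epoch: 1, aead: deriveAEAD(master, user, 1)}
}

// Peer models the client end: it shares the long-term key, so it derives the same session keys.
func (s *Session) Peer() *Session { return newSession(s.User, s.Addr, s.master, s.RekeyEvery) }

// deriveAEAD turns the long-term key into the AES-256-GCM key for one epoch:
// HMAC-SHA256(master, "vpn-session" | user | epoch). A new epoch means a new key.
func deriveAEAD(master []byte, user string, epoch uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, master)
	fmt.Fprintf(mac, "vpn-session|%s|%d", user, epoch)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil { // unreachable: a 32-byte digest is always a valid AES-256 key
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	return aead
}

// Seal encrypts one payload, rolling to the next key epoch when the current one's message
// budget is spent, so no (epoch, counter) nonce ever repeats under one key. The assigned
// address is bound as associated data, so a ciphertext cannot be replayed into another tunnel.
func (s *Session) Seal(plain []byte) (nonce, ct []byte) {
	if s.counter >= s.RekeyEvery {
		s.epoch, s.counter = s.epoch+1, 0
		s.aead = deriveAEAD(s.master, s.User, s.epoch)
	}
	nonce = make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], s.epoch)
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return nonce, s.aead.Seal(nil, nonce, plain, s.Addr.AsSlice())
}

// Open decrypts on the receiving end. It accepts the current epoch or the next one, rejects
// counters that do not move forward (replays), and commits the new key and counter only
// after the tag verifies, so a forged nonce cannot desynchronize the receiver.
func (s *Session) Open(nonce, ct []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, errors.New("bad nonce length")
	}
	epoch, ctr := binary.BigEndian.Uint32(nonce[:4]), binary.BigEndian.Uint64(nonce[4:])
	aead := s.aead
	switch {
	case epoch == s.epoch+1: // sender rolled to the next key; try it, commit only on success
		aead = deriveAEAD(s.master, s.User, epoch)
	case epoch != s.epoch || ctr < s.counter:
		return nil, errors.New("stale epoch or replayed counter")
	}
	plain, err := aead.Open(nil, nonce, ct, s.Addr.AsSlice())
	if err == nil {
		s.aead, s.epoch, s.counter = aead, epoch, ctr+1
	}
	return plain, err
}

func main() {
	srv := NewServer(netip.MustParsePrefix("10.8.0.0/29"))
	srv.AddUser("alice", "correct horse", []byte("0123456789abcdef0123456789abcdef")) // constructed key
	sess, _ := srv.Connect("alice", "correct horse", 2)
	client := sess.Peer()
	for i := 0; i < 3; i++ { // the third message crosses the rekey boundary
		plain, err := client.Open(sess.Seal([]byte(fmt.Sprintf("packet %d", i))))
		fmt.Printf("epoch %d: %q %v\n", client.epoch, plain, err)
	}
	fmt.Println(srv.Audit)
}
```

Two details are worth carrying into real designs. The receiver commits a new epoch key and a higher counter only after the authentication tag verifies, so a forged or replayed nonce can neither skip the receiver ahead nor force it onto a wrong key. And the assigned private address travels as associated data, so a ciphertext captured from one client's tunnel is rejected if injected into another's, which is the address-management requirement enforced at the cryptographic layer rather than only at allocation time.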
