What is a VPN Router?

Source: Internet
Author: User
Tags: vpn, router

This article describes VPN technology in detail: the basic concept, solutions for different kinds of users, the interfaces a VPN gateway should offer, and the functions it implements.

VPN is short for Virtual Private Network.

As the name suggests, a virtual private network can be regarded as an enterprise's own internal leased line. It uses special encrypted communication protocols to establish a dedicated communication channel between two or more enterprise intranets in different locations, each connected to the Internet. The effect is like renting a leased line, but without laying physical lines such as optical cable. It is comparable to applying to the telecommunications provider for a leased line without paying to have the line laid or buying routers and other hardware. VPN was originally one of the most important router technologies; today VPN functions are also supported by switches, firewall devices, Windows 2000 and other software. The core idea of a VPN is to build a virtual private network on top of a public network.

For different user requirements, VPN has three solutions: Access VPN (remote access virtual network), Intranet VPN (internal virtual network) and Extranet VPN (enterprise extension virtual network). These three types correspond to the traditional remote access network, the enterprise's internal Intranet, and the Extranet formed by joining the enterprise network with the networks of its partners.

A VPN gateway is a device that connects one LAN to another LAN. As the name indicates, it implements two major functions: VPN and gateway. In a broad sense, routers, firewalls and any other devices that support VPN can be counted as VPN gateways. Common VPN gateway products today include dedicated VPN gateways, VPN routers, VPN firewalls and VPN servers.

A typical VPN gateway product should have the following characteristics:

It should integrate the functions of a packet-filtering firewall and an application-proxy firewall.

Enterprise-level VPN products have evolved from firewall products, and firewall features have become part of their basic function set. If the VPN is an independent product, coordinating it with the firewall raises many problems that are hard to solve: a firewall and a VPN from different manufacturers may not work together; firewall security policies may be impossible to formulate because the VPN has encrypted and encapsulated the IP packets before the firewall sees them; or performance is lost, for example because the firewall can no longer apply NAT. When the two functions are integrated, these problems either do not arise or are easily solved.

The VPN should have an open architecture

A VPN is deployed behind the router through which the enterprise connects to the Internet, or it acts as that router itself. It has therefore become the most important point of control for protecting the enterprise's internal assets. Many security functions, such as preventing intrusion, virus detection, identity authentication and permission checks, require either the VPN itself or its cooperation with related products. The VPN must therefore be able to work with third-party security products through open standards.

Complete authentication management

A VPN system should support standard authentication methods, such as RADIUS (Remote Authentication Dial In User Service) authentication, certificate authentication based on PKI (Public Key Infrastructure), and emerging biometric identification technologies. For a large-scale VPN system, a PKI/KMI key management center that provides LDAP directory services for personnel, devices and applications, together with standard strong-authentication technology (tokens and IC cards), is an essential condition for successful deployment and normal operation.

The VPN should provide interfaces for third-party products

When you deploy a client-to-LAN VPN solution, the VPN product should provide standard features or an open API (application programming interface) through which user information can be imported directly from the company database. Otherwise, for an enterprise with thousands or even tens of thousands of SOHO and mobile office staff, creating and managing user permissions one by one is unthinkable.

The VPN gateway should have an IP address filtering language and be able to filter packets based on their properties.

The properties of a packet include its source and destination IP addresses, protocol type, source and destination TCP/UDP ports, the ACK bit of a TCP segment, and the inbound and outbound network interfaces.
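As an added illustration of the filtering language described above (this is example code written for this page, not code from any VPN product), the following Python evaluator matches packets on exactly the properties the article lists: source and destination address, protocol, ports, the TCP ACK bit and the interface and direction. The rule set and packets are constructed samples; the LAN range 10.0.0.0/24 and the interface name "wan" are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The packet properties a VPN gateway's filter decides on (constructed sample type)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    iface: str                 # interface the packet arrives on or leaves by
    direction: str             # "in" (inbound) or "out" (outbound)
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False          # TCP ACK bit; always False for non-TCP traffic


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None (or 0.0.0.0/0) matches anything."""
    action: str                # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    iface: Optional[str] = None
    direction: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        # Address fields are matched as prefixes so one rule can cover a whole LAN.
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        # Every other field is an exact match when the rule specifies it.
        for name in ("proto", "iface", "direction", "sport", "dport", "ack"):
            want = getattr(self, name)
            if want is not None and getattr(p, name) != want:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule covers is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Constructed policy for a gateway whose LAN is 10.0.0.0/24 behind interface "wan" (assumed names).
LAN = "10.0.0.0/24"
RULES = [
    # Inbound TCP is accepted only when the ACK bit is set, i.e. it is a reply to a
    # connection the LAN side opened; a bare SYN arriving from outside never matches.
    Rule("accept", dst=LAN, proto="tcp", iface="wan", direction="in", ack=True),
    # Anything originating on the LAN may leave through the WAN interface.
    Rule("accept", src=LAN, iface="wan", direction="out"),
    # Explicit catch-all so the policy reads end to end; evaluate() would drop anyway.
    Rule("drop"),
]


if __name__ == "__main__":
    # Constructed sample packets: an unsolicited inbound SYN, an inbound reply,
    # an outbound request, and inbound UDP that no rule permits.
    samples = [
        Packet("203.0.113.7", "10.0.0.5", "tcp", "wan", "in", sport=40000, dport=22),
        Packet("203.0.113.7", "10.0.0.5", "tcp", "wan", "in", sport=443, dport=40000, ack=True),
        Packet("10.0.0.5", "203.0.113.7", "tcp", "wan", "out", sport=40000, dport=443),
        Packet("203.0.113.7", "10.0.0.5", "udp", "wan", "in", sport=53, dport=5000),
    ]
    for pkt in samples:
        print(pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, "=>", evaluate(RULES, pkt))
```

The ACK-bit rule is the classic way a stateless filter distinguishes replies from new inbound connection attempts: a TCP segment that opens a connection carries SYN without ACK, so requiring ACK on inbound traffic lets responses through while blocking unsolicited connection attempts to the LAN.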

A complete VPN system generally includes the following units:

VPN server: a computer or device that receives and verifies VPN connection requests and performs packet encapsulation and decapsulation.

VPN client: a computer or device that initiates the VPN connection request; it also performs packet encapsulation and decapsulation.

VPN data channel: a data connection established on the public network.

Note that once the VPN connection is established, the so-called server and client play the same role in the communication. The only difference is which side initiated the connection.

What functions can VPN implement?

First, although DDN technology can interconnect enterprise sites, its rent is expensive. ADSL broadband is cheap, but it only gives an enterprise access to the Internet and cannot by itself interconnect enterprise sites. VPN provides economical and secure interconnection: enterprise sites can reach each other conveniently and quickly over the ubiquitous Internet.

Second, although the Internet makes it convenient for enterprises to access data, its highly open and loosely managed structure also exposes them to serious network security problems. By encrypting the data carried through the VPN tunnel, users ensure that it is readable only by the intended sender and receiver, which preserves the privacy and security of the data.

VPN restrictions

First, if you build a VPN between the company's internal LAN and the external network, the server's Internet-facing network card must obtain a public IP address rather than sit behind NAT (network address translation).

Second, the VPN server end must have a fixed IP address, because the client must know the server's address in advance to initiate a connection. Most users' broadband IP addresses change, so a dynamic address must be turned into a stable one.

Users with dynamic IP addresses can combine a dynamic DNS service with the VPN solution so that the changing address is reachable under a stable name.

Three common VPN deployment solutions

1. The VPN client is installed as pure software. A VPN gateway is installed at headquarters and a VPN branch gateway at each branch; mobile users (laptops and remote standalone PCs) install the client. This solution works with Microsoft's NT and desktop systems, as well as VPN services and client software developed by third parties.

2. Headquarters uses a firewall with VPN function, branches use broadband routers with VPN function, and mobile users (laptops and remote standalone PCs) install a VPN client that works with the firewall. VPN firewalls are more specialized than ordinary broadband routers with VPN functions. Well-known products include NetScreen, Nokia and Anshi. These products support more than 100 VPN connections with high data throughput and are suitable for the core of an enterprise network.

3. Headquarters uses a broadband router with VPN function, and branches also use broadband routers with VPN function to connect to the broadband network. Mobile users (laptops and remote standalone PCs) use the VPN client built into Windows.

Large enterprises can choose the second solution, which gives more attention to network performance: once VPN encryption and decryption are applied, data transmission speed drops accordingly. Small enterprises generally use the third solution, for which the market offers a wide range of products.