Talking about VPN

Source: Internet
Author: User
Tags: advantage

In short, a VPN is a private connection established between two machines or two networks over a shared public network. VPN technology lets an organization extend its network services safely over the Internet to remote users, branch offices and partner companies. In other words, the VPN makes the Internet behave like a dedicated WAN.

What makes this attractive is that the Internet has global reach, and using it is already standard practice for most users and organizations. As a result, communication links can be established quickly, economically and securely.

How a VPN works

Using the Internet as a dedicated WAN, an organization has to overcome two major obstacles. First, internal networks often speak several protocols, such as IPX and NetBEUI, but the Internet carries only IP traffic. A VPN therefore needs a way to move non-IP protocols from one network to another.

Second, packets transmitted on the Internet travel in clear text, so anyone who can observe the traffic can read their contents. This is obviously a problem if the company wants to use the Internet to carry trade secrets or other sensitive information.

The VPN overcomes both hurdles by tunneling: the packet is not exposed to the Internet as it is, but is first encrypted to protect its contents, then encapsulated by the VPN device inside an IP packet, which is transmitted through the tunnel (see the figure).

To illustrate the concept, assume you run NetWare on a network, and clients on that network want to connect to a remote NetWare server.

The primary protocol used by traditional NetWare is IPX. So, in the usual Layer 2 VPN model, an IPX packet destined for the remote network first reaches the tunnel initiator. This device may be a remote access device, a router, or even a desktop (when a remote client connects directly to the server), and it prepares the packet for transmission over the Internet.

The VPN tunnel initiator on the source network communicates with the VPN tunnel terminator on the destination network. The two agree on an encryption scheme, and the tunnel initiator then encrypts the packet. (For stronger security, an authentication step should be part of this negotiation, so that only users with the appropriate permissions can reach the target network; otherwise anyone able to speak the protocol could set up a tunnel. Most VPN products support a variety of authentication methods.)

Finally, the VPN initiator encapsulates the entire encrypted packet inside a new IP packet. Now, whatever protocol it was originally carrying, it can travel across the purely IP Internet, and because the payload is encrypted, no one observing the traffic can read the original data. What an observer still sees is the outer IP header: the addresses of the two tunnel endpoints, and the size and timing of each packet.

On the destination network, the VPN tunnel terminator receives the packet, strips the outer IP header and decrypts the payload with the agreed scheme, then hands the recovered packets to the remote access server or local router, which forwards the previously hidden IPX packets onto the network and on to their destination.
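The tunnel initiator and terminator described above, written out as an added example in Go; this code is not part of the original article. It stands in a made-up IPX-style frame for the non-IP traffic, uses a fixed shared key where a real VPN would use the negotiated one, picks 0xFD from the experimental range for the outer IP protocol field (an assumption of this example), and uses AES-GCM so that encryption and authentication happen in one step. The point to notice is that the outer header's protocol and address fields are bound to the ciphertext as additional authenticated data, so an on-path party who rewrites the destination and fixes up the checksum still fails the terminator's check, while the mutable TTL and checksum fields are left out of that binding, as IPsec AH does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Constructed stand-in for a non-IP (IPX) frame; illustrative bytes, not a real IPX header.
var sampleIPXFrame = []byte("IPX\x00\x1a\x2b NetWare request: SYS:PUBLIC/LOGIN.EXE")

// Key shared by both endpoints, fixed so the example runs offline (assumption: a real VPN
// derives it from the negotiation the text describes).
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// Assumed outer protocol number, taken from the range IANA reserves for experimentation.
const tunnelProto = 0xFD

// ipChecksum is the one's-complement IP header checksum; a header carrying a valid checksum sums to 0.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

func buildOuterIPv4(src, dst net.IP, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8] = 64 // TTL
	h[9] = tunnelProto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], ipChecksum(h))
	return h
}

// outerAAD selects the outer fields bound to the ciphertext: protocol and addresses. TTL and
// checksum change in transit and are left out, as IPsec AH also does.
func outerAAD(outer []byte) []byte {
	return append([]byte{outer[9]}, outer[12:20]...)
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return aead
}

// tunnelInitiator encrypts and authenticates the inner frame, then wraps it in an IP packet.
func tunnelInitiator(key []byte, src, dst net.IP, inner []byte) []byte {
	aead := newAEAD(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // with no randomness there is no safe way to continue
	}
	outer := buildOuterIPv4(src, dst, len(nonce)+len(inner)+aead.Overhead())
	pkt := append(append([]byte{}, outer...), nonce...)
	return append(pkt, aead.Seal(nil, nonce, inner, outerAAD(outer))...)
}

// tunnelTerminator validates the outer header, strips it and decrypts the inner frame.
func tunnelTerminator(key []byte, pkt []byte) ([]byte, error) {
	if len(pkt) < 20 || pkt[0] != 0x45 || ipChecksum(pkt[:20]) != 0 ||
		int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) || pkt[9] != tunnelProto {
		return nil, errors.New("not a well-formed tunnel packet")
	}
	outer, body := pkt[:20], pkt[20:]
	aead := newAEAD(key)
	ns := aead.NonceSize()
	if len(body) < ns+aead.Overhead() {
		return nil, errors.New("truncated tunnel payload")
	}
	inner, err := aead.Open(nil, body[:ns], body[ns:], outerAAD(outer))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	return inner, nil
}

func main() {
	pkt := tunnelInitiator(demoKey, net.ParseIP("203.0.113.10"), net.ParseIP("198.51.100.20"), sampleIPXFrame)
	fmt.Printf("outer: %s -> %s proto 0x%02x, %d bytes on the wire\n", net.IP(pkt[12:16]), net.IP(pkt[16:20]), pkt[9], len(pkt))
	inner, err := tunnelTerminator(demoKey, pkt)
	fmt.Printf("terminator: %q err=%v\n", inner, err)
}
```

Running it prints the outer addresses and protocol number, then the recovered inner frame. Encryption hides the payload, not the fact that the two endpoints are talking: the outer addresses, packet sizes and timing remain visible to anyone on the path.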

Protocols

Several VPN protocols have emerged in the industry, namely L2TP, IPSec and SOCKS 5. Because of their tunneling capabilities, these protocols are the basic building blocks used to establish a VPN link. Some of their functions overlap, and some are similar but complementary. You need to investigate each of them further when choosing a solution; briefly, they are as follows:

L2TP, the Layer 2 Tunneling Protocol, combines Cisco's Layer 2 Forwarding (L2F) with Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP can carry any routed protocol, including IP, IPX and AppleTalk, and runs over any WAN backbone technology, including Frame Relay, ATM, X.25 and SONET.

One of the keys to L2TP is its use of PPTP. Microsoft's protocol is an extension of PPP and part of the remote access feature of Windows 95/98/NT, so most PC clients already come with tunneling capability. PPTP provides a consistent way of encapsulating network layer traffic for remote access between Windows clients and servers. The protocol itself does not specify an encryption scheme; Microsoft Point-to-Point Encryption (MPPE), included in a series of Microsoft operating systems, supplies encryption for these remote access connections. Note that PPTP with MPPE and MS-CHAP authentication has since been shown to be cryptographically weak and should not be chosen for new deployments.

The L2F part of L2TP enables remote clients to authenticate and connect to the network via ISP and NSP links. Beyond basic VPN functionality, L2TP can build multiple tunnels from a single client: a remote client can establish tunnels to different systems at the same time, for example to an enterprise database application and to the intranet.

IPSec, Internet Protocol Security, is essentially a set of protocols that provide security features for IP VPNs. As a Layer 3 mechanism, IPSec cannot protect other Layer 3 protocols such as IPX and SNA on its own. IPSec provides a means to ensure the confidentiality, integrity and authenticity of IP datagrams. It works with a range of standard encryption algorithms and key negotiation processes, and with different security systems, including digital signatures, digital certificates, public key infrastructures, and authentication and authorization services.

IPSec works by encapsulating the original IP packet inside a new IP packet and adding its own authentication and security headers (the Authentication Header, AH, and the Encapsulating Security Payload, ESP). These headers carry the information the remote side, which took part in the security negotiation, needs to verify and decrypt the data in the packet. This describes tunnel mode; IPSec also has a transport mode, which keeps the original IP header and protects only the payload.
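How the receiving side uses the information in those headers, as an added Go example that is not part of the original article. It models the ESP header of RFC 4303 (SPI and sequence number) followed by an opaque payload and an HMAC-SHA-256-128 integrity check value; encryption is left out so the focus stays on verification. The receiver looks up the SPI, runs the anti-replay window check, verifies the ICV, and only then advances the window, in the order RFC 4303 prescribes, so a forged packet with a high sequence number cannot push the window forward and make legitimate packets look stale. The key is a fixed demo value (assumption of this example; a real security association derives it from key negotiation such as IKE).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 16 // HMAC-SHA-256-128 (RFC 4868): the ICV is the first 128 bits of the HMAC

// replayWindow is the 64-packet sliding window of RFC 4303 section 3.4.3.
type replayWindow struct {
	lastSeq uint32 // highest sequence number accepted so far
	bitmap  uint64 // bit i set means lastSeq-i has already been accepted
}

// check reports whether seq is fresh without modifying the window: RFC 4303 requires the window
// to advance only after the ICV has verified, so a forged packet cannot slide it forward.
func (w *replayWindow) check(seq uint32) bool {
	switch {
	case seq == 0:
		return false // the first packet on an SA carries sequence number 1
	case seq > w.lastSeq:
		return true
	case w.lastSeq-seq >= 64:
		return false // older than the window
	default:
		return w.bitmap&(1<<(w.lastSeq-seq)) == 0
	}
}

// mark records seq as accepted; call it only after check and ICV verification both passed.
func (w *replayWindow) mark(seq uint32) {
	if seq > w.lastSeq {
		w.bitmap = w.bitmap<<(seq-w.lastSeq) | 1 // a shift of 64 or more clears the window
		w.lastSeq = seq
		return
	}
	w.bitmap |= 1 << (w.lastSeq - seq)
}

// sa is the inbound security association state: the SPI it answers to, its integrity key and window.
type sa struct {
	spi    uint32
	key    []byte
	window replayWindow
}

// buildESP assembles SPI | Seq | payload | ICV. Encryption is omitted; the payload is opaque here.
func buildESP(key []byte, spi, seq uint32, payload []byte) []byte {
	pkt := make([]byte, 8, 8+len(payload)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	pkt = append(pkt, payload...)
	mac := hmac.New(sha256.New, key)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...)
}

// receive performs the inbound checks in RFC 4303 order: SPI lookup, replay pre-check, ICV
// verification, then window update. It returns the payload or the reason for the drop.
func (s *sa) receive(pkt []byte) ([]byte, error) {
	if len(pkt) < 8+icvLen {
		return nil, errors.New("runt packet")
	}
	if binary.BigEndian.Uint32(pkt[0:]) != s.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(pkt[4:])
	if !s.window.check(seq) {
		return nil, fmt.Errorf("seq %d rejected by anti-replay window", seq)
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha256.New, s.key)
	mac.Write(body)
	if !hmac.Equal(icv, mac.Sum(nil)[:icvLen]) {
		return nil, errors.New("ICV verification failed")
	}
	s.window.mark(seq)
	return body[8:], nil
}

func main() {
	key := []byte("constructed 32-byte demo key....") // fixed so the example runs offline
	rx := &sa{spi: 0x1000, key: key}
	third := buildESP(key, 0x1000, 3, []byte("third"))
	for _, pkt := range [][]byte{buildESP(key, 0x1000, 1, []byte("first")), third, buildESP(key, 0x1000, 2, []byte("second")), third} {
		out, err := rx.receive(pkt)
		fmt.Printf("seq %d: payload=%q err=%v\n", binary.BigEndian.Uint32(pkt[4:]), out, err)
	}
}
```

The demo feeds sequence numbers 1, 3, 2 and then 3 again: the out-of-order packet is accepted because it is still inside the window, while the repeated one is dropped as a replay before any cryptographic work is done.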

The appeal of IPSec is interoperability. IPSec does not prescribe a proprietary way to authenticate and encrypt; on the contrary, it is compatible with many systems and standards. IPSec also complements other VPN protocols. For example, in an L2TP VPN, L2TP builds the tunnel and carries the inner packets to the other VPN endpoint, while IPSec performs the key negotiation and authentication and protects the tunnel's traffic.

Another option for VPNs is SOCKS 5, first brought to VPNs by Aventail. SOCKS 5 differs somewhat from L2TP and IPSec: it follows a proxy service model and works at the TCP socket layer. To use SOCKS 5, systems must be configured with SOCKS 5 client software, and the organization must run a SOCKS 5 server.

The SOCKS 5 model works as follows. First, the SOCKS 5 client software intercepts a service request from an application and sends it to the SOCKS 5 server, which checks the request against its security database. If the request is permitted, the SOCKS 5 server establishes an authenticated path between the client and the destination server, acting as a proxy for the client and performing the requested operation on its behalf. The advantage of SOCKS 5 is that it gives network administrators fine-grained control over proxied traffic: because it works at the TCP layer, SOCKS 5 lets you specify which applications may reach the Internet through the firewall and which may not.
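The exchange just described, as an added Go example that is not part of the original article: a SOCKS 5 client builds its method negotiation, RFC 1929 username/password and CONNECT messages, and a server function parses them, authenticates the user and decides from a per-user allow-list standing in for the "security database". The user name, secret and host names are constructed, only domain-name destinations (ATYP 0x03) are handled, the server's answers are represented by their RFC 1928 status codes rather than encoded on the wire, and no real sockets are opened.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Wire constants from RFC 1928 (SOCKS 5) and RFC 1929 (username/password sub-negotiation).
const (
	socksVersion, authVersion, methodUserPass = 0x05, 0x01, 0x02
	cmdConnect, atypDomain                    = 0x01, 0x03
	repSuccess, repRuleset, repCmdUnsupported = 0x00, 0x02, 0x07
)

// Constructed stand-in for the server's "security database": credentials and, per user, the
// destinations that user may reach through the proxy. Names and secrets are made up.
var users = map[string]string{"alice": "correct horse battery"}
var allowed = map[string][]string{"alice": {"db.corp.example:5432", "intranet.corp.example:80"}}

func clientGreeting() []byte { return []byte{socksVersion, 1, methodUserPass} } // VER NMETHODS METHODS

func clientAuth(user, pass string) []byte {
	m := append([]byte{authVersion, byte(len(user))}, user...)
	return append(append(m, byte(len(pass))), pass...)
}

func clientConnect(host string, port uint16) []byte { // ATYP domain name; the proxy resolves it
	m := append([]byte{socksVersion, cmdConnect, 0x00, atypDomain, byte(len(host))}, host...)
	return append(m, byte(port>>8), byte(port))
}

type Outcome struct {
	User, Dest string
	Rep        byte // final reply code; repSuccess means the proxy would now relay the connection
}

func (o Outcome) reply(rep byte) (Outcome, error) {
	o.Rep = rep
	return o, nil
}

// serverHandle runs the server side of the exchange over one client byte stream.
func serverHandle(in io.Reader) (Outcome, error) {
	var o Outcome
	var readErr error
	next := func(n int) []byte { // read one fixed-size field, remembering the first error
		b := make([]byte, n)
		if readErr == nil {
			_, readErr = io.ReadFull(in, b)
		}
		return b
	}
	// 1. Method negotiation: VER NMETHODS METHODS...; refuse clients that cannot authenticate.
	hdr := next(2)
	methods := next(int(hdr[1]))
	if readErr != nil || hdr[0] != socksVersion {
		return o, errors.New("malformed greeting")
	}
	if !bytes.Contains(methods, []byte{methodUserPass}) {
		return o, errors.New("no acceptable authentication method offered (server would answer 0xFF)")
	}
	// 2. RFC 1929: VER ULEN UNAME PLEN PASSWD. Compare the secret in constant time.
	ah := next(2)
	o.User = string(next(int(ah[1])))
	pass := next(int(next(1)[0]))
	want, known := users[o.User]
	if subtle.ConstantTimeCompare([]byte(want), pass) != 1 || !known || readErr != nil || ah[0] != authVersion {
		return o, errors.New("authentication failed (server would answer status 0x01 and close)")
	}
	// 3. Request: VER CMD RSV ATYP DST.ADDR DST.PORT; only the domain-name address type is parsed here.
	req := next(4)
	host := string(next(int(next(1)[0])))
	port := binary.BigEndian.Uint16(next(2))
	if readErr != nil || req[0] != socksVersion || req[3] != atypDomain {
		return o, errors.New("malformed or unsupported request")
	}
	o.Dest = fmt.Sprintf("%s:%d", host, port)
	if req[1] != cmdConnect {
		return o.reply(repCmdUnsupported)
	}
	// 4. Policy: deny by default; allow only destinations on the authenticated user's list.
	for _, d := range allowed[o.User] {
		if d == o.Dest {
			return o.reply(repSuccess)
		}
	}
	return o.reply(repRuleset)
}

func main() {
	stream := bytes.Join([][]byte{clientGreeting(), clientAuth("alice", "correct horse battery"), clientConnect("198.51.100.7", 22)}, nil)
	o, err := serverHandle(bytes.NewReader(stream))
	fmt.Printf("user=%s dest=%s rep=0x%02x err=%v\n", o.User, o.Dest, o.Rep, err) // rep=0x02: blocked by ruleset
}
```

The policy check runs only after authentication has succeeded, so the allow-list is keyed by a verified identity rather than by whatever name the client claimed; a destination that is not listed gets reply code 0x02, "connection not allowed by ruleset", and no outbound connection is ever attempted.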

Why are VPNs attractive?

Vendors can enumerate many advantages of VPN technology, and as VPN products mature, more will follow.

Cost saving is probably the biggest selling point of VPNs. If you use the Internet to deliver network services remotely, you avoid buying expensive leased lines to branch offices or partner companies, and you avoid long-distance charges for dial-up modem or ISDN calls from distant users. Instead, users and systems need only connect to a local ISP; the rest of the route is handled by the Internet. On another side of cost, you can avoid investing in additional WAN equipment and instead use the network facilities already installed.

Another advantage of VPNs is that they are an ideal way to meet the needs of mobile users. A VPN lets any user with VPN client software and Internet access connect to the enterprise network and use its services. Since Internet access is now commonplace, you do not have to provision separate access for each user and each location when building remote mobile access.

Similarly, because Internet connectivity is so common, network-to-network scenarios can be deployed quickly and economically. There is no need to purchase and configure data lines and WAN interfaces for each site; a link is built using each site's existing Internet connection. This is especially advantageous in the current business environment, as partner companies connect their networks to speed up and streamline shared business operations.

How tunneling works: when a VPN device receives an instruction to send packets over the Internet, it negotiates the encryption scheme with the VPN device on the target network and encrypts the packets accordingly. The VPN device then encapsulates each encrypted packet in an IP packet and sends it across the Internet to the target network. Once a packet arrives, the receiving VPN tunnel terminator performs the reverse process, allowing the packet to continue to its destination on the internal network.
