Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or multiple other networks which are either untrusted (as they are not controlled by the entity aiming to implement the VPN) or need to be isolated (thus making the lower network invisible or not directly usable).
A VPN can extend access to a private network to users who do not have direct access to it, such as an office network allowing secure access from off-site over the Internet. This is achieved by creating a link between computing devices and computer networks by the use of network tunneling protocols.
It is possible to make a VPN secure to use on top of insecure communication medium (such as the public internet) by choosing a tunneling protocol that implements encryption. This kind of VPN implementation has the benefit of reduced costs and greater flexibility, with respect to dedicated communication lines, for remote workers.
The term VPN is also used to refer to VPN services which sell access to their own private networks for internet access by connecting their customers using VPN tunneling protocols.
Motivation
The goal of a virtual private network is to allow network hosts to exchange network messages across another network to access private content, as if they were part of the same network. This is done in a way that makes crossing the intermediate network transparent to network applications. Users of a network connectivity service may consider such an intermediate network to be untrusted, since it is controlled by a third-party, and might prefer a VPN implemented via protocols that protect the privacy of their communication.
In the case of a provider-provisioned VPN, the goal is not to protect against untrusted networks, but to isolate parts of the provider’s own network infrastructure in virtual segments, in ways that make the contents of each segment private with respect to the others. This situation makes many other tunneling protocols suitable for building PPVPNs, even with weak or no security features (like in VLAN).
Operation
How a VPN works depends on which technologies and protocols the VPN is built upon. A tunneling protocol is used to transfer the network messages from one side to the other. The goal is to take network messages from applications on one side of the tunnel and replay them on the other side. Applications do not need to be modified to let their messages pass through the VPN, because the virtual network or link is made available to the OS.
Applications that do implement tunneling or proxying features for themselves without making such features available as a network interface, are not to be considered VPN implementations but may achieve the same or similar end-user goal of exchanging private contents with a remote network.
Topology
Virtual private networks configurations can be classified depending on the purpose of the virtual extension, which makes different tunneling strategies appropriate for different topologies:
Remote access
A host-to-network configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension provides that computer access to local area network of a remote site, or any wider enterprise networks, such as an intranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for remote workers, or to enable people accessing their private home or company resources without exposing them on the public Internet. Remote access tunnels can be either on-demand or always-on. Because the remote host location is usually unknown to the central network until the former tries to reach it, proper implementations of this configuration require the remote host to initiate the communication towards the central network it is accessing.
Site-to-site
A site-to-site configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other.
In the context of site-to-site configurations, the terms intranet and extranet are used to describe two different use cases.[4] An intranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.
Typically, individuals interact with remote access VPNs, whereas businesses tend to make use of site-to-site connections for business-to-business, cloud computing, and branch office scenarios. However, these technologies are not mutually exclusive and, in a significantly complex business network, may be combined.
Apart from the general topology configuration, a VPN may also be characterized by:
the tunneling protocol used to tunnel the traffic,
the tunnel’s termination point location, e.g., on the customer edge or network-provider edge,
the security features provided,
the OSI layer they present to the connecting network, such as Layer 2 link/circuit or Layer 3 network connectivity,
the number of simultaneous allowed tunnels,
the relationship between the actor implementing the VPN and the network infrastructure provider, and whether the former trusts the medium of the former or not
A variety of VPN technics exist to adapt to the above characteristics, each providing different network tunneling capabilities and different security model coverage or interpretation.
Leave a Reply