The concept of virtual private networks

Local area networks (LANs) are the internal networks of organizations, that is, the connections between the computers of a particular organization. These networks are connected more and more often to the Internet through an interconnection device such as a router or firewall. Companies frequently need to communicate over the Internet with subsidiaries, customers or staff who are geographically distant.

However, data transmitted over the Internet is far more exposed than data traveling inside the organization's own network. The route it takes is not fixed in advance, so the data must cross public infrastructure belonging to many different entities, and somewhere along that path an attacker may eavesdrop on the traffic or even hijack the connection. Confidential information of an organization should therefore not be sent under such conditions.

The first solution to this need for secure communication is to connect the remote networks with dedicated (leased) lines. Since most companies cannot afford to link two remote LANs with a dedicated line, it is often necessary to use the Internet as the transmission medium. A good solution is to use the Internet together with a tunneling protocol: the data is encapsulated, and encrypted, before being sent. The term virtual private network (VPN) refers to the network artificially created in this way. The network is called virtual because it connects two physical networks (LANs) across an untrusted network (the Internet), and private because only the computers belonging to a LAN at one end of the VPN can "see" the data. A VPN therefore provides a secure connection at low cost, since all that is needed is the equipment at both ends.

However, it does not guarantee a quality of service comparable to a dedicated line, since the physical network is public and its capacity is not guaranteed.

How a VPN works

A virtual private network is based on a tunneling protocol, that is, a protocol that encapsulates the data transmitted from one end of the VPN to the other and, in any deployment worth the name, encrypts it as well. The word "tunnel" symbolizes the fact that the data is protected from the moment it enters the VPN until it leaves it, and is therefore unintelligible to anyone who is not at one end of the VPN, as if it were traveling through a tunnel. Note that not every tunneling protocol encrypts on its own: PPTP relies on MPPE and L2TP on IPSec for confidentiality, and a bare tunnel hides nothing from an observer on the path. In a VPN between two computers, the VPN client is the component that encrypts and decrypts the data on the user's side, and the VPN server (commonly called the remote access server) is the component that decrypts it on the organization's side. When a user needs to reach the virtual private network, the request travels unencrypted to the gateway system, which connects to the remote network across the public infrastructure as an intermediary and forwards the request in encrypted form. The remote computer hands its data to the VPN server on its network, which sends the response back encrypted. When the user's VPN client receives the data, it decrypts it and passes it on to the user.

Tunnel protocols

The main tunneling protocols are the following:

PPTP (Point-to-Point Tunneling Protocol) is a layer 2 protocol developed by Microsoft, 3Com, Ascend, US Robotics and ECI Telematics. It is now considered insecure: its MS-CHAPv2 authentication can be broken, which in turn exposes the MPPE encryption keys, so it should not be used to protect confidential traffic.

L2F (Layer Two Forwarding) is a layer 2 protocol developed by Cisco, Northern Telecom and Shiva. It is now practically obsolete.

L2TP (Layer Two Tunneling Protocol), the result of IETF work (RFC 2661), combines the features of PPTP and L2F. It is a layer 2 protocol based on PPP. L2TP provides no encryption of its own; in practice it is run over IPSec (L2TP/IPSec, RFC 3193).

IPSec is a layer 3 protocol created by the IETF that can send encrypted data over IP networks.

PPTP protocol

The principle of PPTP (Point-to-Point Tunneling Protocol) is to create frames with the PPP protocol and encapsulate them in IP datagrams, using an enhanced form of GRE (RFC 2637); a separate TCP control connection on port 1723 sets up and tears down the tunnel. With this type of connection, the remote computers in the two local area networks communicate over a point-to-point link (with its own authentication and encryption system, MS-CHAP and MPPE in the usual Microsoft configuration), and each PPP frame is sent inside an IP datagram.

In this way, the LAN data (including the addresses of the hosts found in the header of the original packet) is encapsulated within a PPP frame, which in turn is encapsulated within an IP datagram.
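
As an added example (not code from the original article), the following Python script builds a PPTP data packet exactly as the two paragraphs above describe, a LAN IP packet inside a PPP frame inside an enhanced GRE header inside an outer IP datagram, and then unwraps it the way a passive observer between the two gateways would. The addresses, call ID and UDP payload are constructed sample values; the header layouts follow RFC 791, RFC 1661 and RFC 2637. It also handles the case where the PPP protocol field is 0x00FD (an MPPE-encrypted datagram, RFC 3078), in which the inner packet is ciphertext and cannot be parsed.

```python
import socket
import struct

# Constants from RFC 791 (IP), RFC 1661 (PPP), RFC 2637 (PPTP) and RFC 3078 (MPPE)
IPPROTO_GRE, IPPROTO_UDP = 47, 17
GRE_PROTO_PPP = 0x880B          # GRE protocol type carrying PPP
GRE_FLAG_K, GRE_FLAG_S, GRE_FLAG_A = 0x2000, 0x1000, 0x0080   # Key / Sequence / Ack present
PPP_PROTO_IPV4 = 0x0021         # PPP protocol field: IPv4 in the clear
PPP_PROTO_MPPE = 0x00FD         # PPP protocol field: MPPE-encrypted datagram


def ip_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (version 4, IHL 5, no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet):
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "payload": packet[ihl:total_len]}


def build_ppp(proto, data):
    """PPP frame as PPTP carries it: address 0xFF, control 0x03, protocol, data."""
    return b"\xff\x03" + struct.pack("!H", proto) + data


def parse_ppp(frame):
    off = 2 if frame[:2] == b"\xff\x03" else 0   # address/control absent if ACFC was negotiated
    return struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]


def build_pptp_gre(call_id, seq, ppp_frame):
    """Enhanced GRE header (RFC 2637 section 4.1): K and S set, version 1, then the PPP frame."""
    flags_ver = GRE_FLAG_K | GRE_FLAG_S | 1
    return struct.pack("!HHHHI", flags_ver, GRE_PROTO_PPP, len(ppp_frame), call_id, seq) + ppp_frame


def parse_pptp_gre(data):
    flags_ver, proto_type, length, call_id = struct.unpack("!HHHH", data[:8])
    if (flags_ver & 0x0007) != 1 or proto_type != GRE_PROTO_PPP:
        raise ValueError("not an enhanced GRE packet carrying PPP")
    off, seq, ack = 8, None, None
    if flags_ver & GRE_FLAG_S:
        seq, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    if flags_ver & GRE_FLAG_A:
        ack, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": data[off:off + length]}


def build_pptp_packet(outer_src, outer_dst, call_id, seq, inner_ip_packet):
    """LAN IP packet -> PPP frame -> enhanced GRE -> outer IP datagram between the gateways."""
    ppp = build_ppp(PPP_PROTO_IPV4, inner_ip_packet)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, build_pptp_gre(call_id, seq, ppp))


def unwrap_pptp(outer_packet):
    """What a passive observer between the two gateways recovers from one PPTP data packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer IP protocol is not GRE")
    gre = parse_pptp_gre(outer["payload"])
    ppp_proto, ppp_data = parse_ppp(gre["ppp"])
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"], "call_id": gre["call_id"],
              "seq": gre["seq"], "ppp_proto": ppp_proto, "inner": None}
    if ppp_proto == PPP_PROTO_IPV4:
        # No MPPE: the LAN packet, addresses included, is readable on the path.
        result["inner"] = parse_ipv4(ppp_data)
    # With PPP_PROTO_MPPE the PPP payload is ciphertext and the inner header cannot be parsed.
    return result


def demo():
    """Constructed sample: a UDP datagram between LAN hosts 10.1.0.5 and 10.2.0.9,
    tunnelled between the assumed VPN gateways 198.51.100.10 and 203.0.113.20."""
    udp = struct.pack("!HHHH", 40000, 5000, 8 + 11, 0) + b"LAN payload"
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, udp)
    outer = build_pptp_packet("198.51.100.10", "203.0.113.20", call_id=7, seq=1, inner_ip_packet=inner)
    return unwrap_pptp(outer)
```

Running demo() shows that, without MPPE, the inner source and destination addresses (10.1.0.5 and 10.2.0.9) and the UDP payload are fully visible to anyone between the two gateways; the tunnel itself only moves the packet, and confidentiality comes solely from the encryption layer negotiated on top of PPP.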

L2TP protocol

L2TP is a standard tunneling protocol (standardized in an RFC, Request for Comments) very similar to PPTP. L2TP encapsulates PPP frames, which in turn carry other protocols (such as IP, IPX or NetBIOS). The encapsulated frames are sent over UDP (port 1701), and because L2TP itself neither encrypts nor authenticates the tunneled data, it is normally combined with IPSec.

IPSec protocol

IPSec is a set of protocols defined by the IETF for transferring data securely at the network layer. It extends the IP protocol to guarantee the confidentiality, integrity and authentication of the data sent. IPSec is based on three elements: the IP Authentication Header (AH), which provides integrity, authentication and protection against replay attacks on packets, but no confidentiality; the Encapsulating Security Payload (ESP), which encrypts the packet and provides confidentiality, integrity, authentication and protection against replay attacks; and the Security Association (SA), which defines the security parameters and key exchange settings. The SA holds all the information needed to process IP packets: the protocols used (AH and/or ESP), the mode (transport or tunnel), the security algorithms used by those protocols, the keys, and so on. Replay protection is implemented at the receiver with the per-packet sequence number and a sliding window of recently accepted numbers. Keys are exchanged either manually or, in most cases, with the IKE (Internet Key Exchange) protocol, which lets the two parties authenticate each other and agree on the algorithms and keys.