Evaluation of the Virtual Private Network

The networking buzz-phrase VPN (virtual private network) varies across the board and often references a set of different technologies depending on whom you ask or what you read.  In an effort to better define and simplify what a VPN is, I want to give a general overview of the term. In the simplest form, a VPN is a secure connection over a public network.  Perhaps, an easier way would be to look at each acronym (VPN) individually. Let’s start by examining what a network is – keeping things simple, let’s say a network is a collection of devices that are capable of communicating with each other and successfully transmitting and receiving data. The word private is intricately linked to the concept of virtualization, but first, let’s summarize what private means in VPN. The term private refers in some fashion to secret communications between two or more devices. “Those outside the secret communication are not privy to the communicated content and are unaware of the private communication altogether” (3). Virtualization is a bit harder to nail down, but it can be thought of as something that’s simulated while performing functions of something that isn’t really there. In effort to expand a bit more; when private communications are sent across a shared network, a virtual network is constructed using the common foundation rather than using dedicated physical circuits, i.e., “the virtual private network has no corresponding physical communications system – instead, the private network is a virtual creation” (3).

Leading up to VPN’s

Over the past couple of decades, companies have spread out facilities across the country and across continents. Regardless of companies physical location, one thing they all required is a secure and reliable way to communicate with one another.  In an effort to do so, many companies used leased lines to maintain a wide area network (WAN).  “Leased lines such as ISDN (integrated services digital network, 128Kbps ) and OC3 (Optical Carrier-3, 155Mbs) fiber are private network connections that a telecommunication’s company could lease to its customers” (2). “The biggest advantages came down to reliability, performance, and security”(6). The downside came with the rising costs of leased lines as the distance between endpoints (the companies),  and the speed of service.

As ISPs (internet service providers) continued to develop faster more reliable services, at lower costs than leased lines, big business turned to it as a means of extending their own network (2). “First came intranets, a private internal network designed for use only by company employees, while distant colleagues could work together through technologies such as desktop sharing” (2). As more and more companies connected across the internet, the demand for a more sophisticated security system arose. “While anti-virus and related software were effective at the end-user level, but what was really needed was a way to improve the security of the connection itself” (8). That’s where VPNs came in. “In 1996 Gurdeep Singh-Pall (Microsoft) invented the PPTP ( Point-to-Point Tunneling Protocol), a method for implementing virtual private networks” (9). By today’s standards, the PPTP protocol is barely secure, but it was a breakthrough at the time. Gurdeep’s development of the PPTP protocol meant that businesses could safely and securely extend all of its intranet resources to its employee’s working from home, or from remote offices all over the world.

Virtual Private Network

VPNs use a virtual connection routed through the internet to provide privacy and security. While VPNs use a shared infrastructure, “the distinction is that they providing exclusive communications environments that do not share any points of interconnection” (3).  One of the biggest motivations for VPN implementation is the common requirement to virtualize some portion of an organization’s communications into a common infrastructure while making them invisible to external viewers. The simple economics of pooling communications over virtual networks on a single system is much more economical than the same equivalent on many physical infrastructures.

VPN Types

VPNs can be classified into two common types, remote-access and site-to-site. With a remote-access VPN, an employee can access the company’s intranet from home, or while traveling outside the office. Remote-access VPNs permit secure, encrypted connections from a remote location to a company’s private network. “Large-scale services may be set up by an ESP (enterprise service provider) who sets up a NAS (network access server) and provides client software” (6). “With dedicated equipment and large-scale encryption, company’s can connect multiple sites over a public network to share one cohesive virtual network” (10).

Site-to-site VPN’s can be broken into two categories; intranet-based, and Extranet-based. In an intranet-based VPN a company can connect one or more remote locations as a single private network ie., separate LANs (local area network) to a single WAN (wide area network). In an extranet-based VPN, companies can work in a shared environment with separate companies, such as suppliers, manufacturers, and shipping and connect those companies LANs, while preventing access to their separate intranets.

History / Security

“The Advanced Research Projects Agency Network (ARPANET) was an early packet-switching network and the first network to implement the protocol suite TCP/IP (Transmission Control Protocol / Internet Protocol) – which set the standard for computer networking that we know today” (8). “This research eventually led to the institution of the Internet Protocol Suite as a standard military communication and later by the computer industry” (8). Large corporations adopted the new technology quickly. “TCP/IP details how all information is packetized, addressed, transmitted and received across the Internet” (8). “TCP/IP operates in 4 layers; link, internet, transport, and application” (8). “When data packets are sent over the network,  the packet is marked with information identifying where it originated and where it is going” (8). By itself, TCP/IP leave a chance to prying eyes that can monitor traffic and intercept data through session hijacking and man-in-the-middle attacks just to name a couple.

In 1993 John Ioannidis developed SWIPE, (Software IP Encryption Protocol) one of the earliest forms of a VPN. End-to-end encryption (E2EE) secures communication from one end device to another using encryption keys. “Shortly following, Wei Xu started research in 1994 focusing on IP security and enhanced protocols that eventually led to the development of  IPsec (Internet protocol security)” (8).  “IPsec is a protocol that authenticates and encrypts each pack of information across the internet” (8). “In 1995 the IPsec working group was created within the IETF (Internet Engineering Task Force), a global community of Internet engineers, developers, and programmers concerned with the evolution of the Internet” (8). “This task force created a standardized set of freely available protocols addressing the components, extensions, and implementation of IPsec” (8).

I’m no way shape or form could I explain in depth or detail all the intricate ways a VPN can set up with various protocols and encryption in this paper, but it’s worth providing a small inkling into some of its properties. While there are several forms a VPN can take, vacations of the tunneling protocol are the most popluar.  Tunneling works by packing a packet, within another, and sending it over the internet. “Tunneling requires a carrier protocol, an encapsulating protocol, and a passenger protocol: the carrier protocol is the protocol used by the network that the info is traveling over, the encapsulating protocol is the protocol wrapped around the original data, and the passenger protocol is the original data being carried” (6). Three layers are required for security, the tunneling protocol, authentication, and encryption. “The tunneling protocol creates the connection and then data is encrypted before being sent through to the endpoint to be authenticated and decrypted” (8).

“Protocol defines how services handle data and transmission over a VPN” (11). Common protocols include PPTP, L2TP. SSTP, IKEV2, and OpenVPN. While there no way to provide all the detail in such a short paper, I believe it’s important to acknowledge them. PPTP (Point-to-Point) was designed by Microsoft and used a TCP and a Generic Routing Encapsulation tunnel for PPP packets. PPTP is less used today as it has may well know security issues. L2TP/IPsec (Layer 2 Tunneling Protocol) used keys to establish a secure connection on each end of the tunnel. However, the execution might be unsafe as there have been reports of breaking the protocol and peek inside. “L2TP is a combination of PPTP and Cisco’s L2F protocol” (11). SSTP (Secure Socket Tunneling Protocol) uses SSL (Secure Socket Layer) and its upgraded brother TLS (Transport Layer Security).  SSTP uses symmetric-key cryptography, in which only the two parties involved in the transfer can decrypt the data. IKEv2 (Internet Key Exchange, version 2) works with IPsec to establish a secure connection. Besides the fact that it’s considered one of the most secure protocols, IKEv2 can reconnect automatically if the connection drops and uses a secure key exchange between devices. OpenVPN is an open source project that uses SSL/TLS and secures connection with keys on both sides. It’s perhaps the most secure and versatile protocol. While set-up and security may vary between user to user, company to company there’re benefits and downsides to all protocols. As a short side note, most VPNs use an AES (Advanced Encryption Standard) -128 encryption or AES-256 encryption.

Benefits / Summary

There are clear advantages to use VPNs in the corporate world. As big businesses began to grow and expand past the local scale, the need to communicate effectively and efficiently was a necessity. Leased lines were great for connecting LAN to LAN, or LAN to WAN networks, but the expense had the potential to be astronomical. “As ISPs (internet service providers) continued to develop faster more reliable services, at lower costs than leased lines, big business turned to it as a means of extending their own network” (2).  VPN’s can provide extended geographic connectivity, reduce operating costs through virtualization, improve upon current security measures with encryption and tunneling protocols, and simplify network topologies. I haven’t made any mentioned of the benefits of the consumer yet as this paper has mainly focused on the corporate/business side. So, quickly, many VPN services offer desktop and mobile apps with the same security standards and encryption. Encryption ensures privacy (tunneling and encryption) over Wi-Fi and public networks. Most VPN providers have 1000s of server location across the word to bypass geo restrictions. Additionally, consumer VPNs with a no-log policy are popular among the torrent users, and other questionable practices online.  With that said, let’s wrap thing up.

While we would all like to think ‘so’,  the internet is not a safe place. Security and data integrity are a must for any business, as well as any individual. The need for secure, private data transmission is paramount, and a correctly implemented virtual private network can provide this. 

References

1. Cisco. (2008, October 13). How Virtual Private Networks Work. Retrieved from https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14106-how-vpn-works.html

2. Crawford, S., & Tyson, J. (2011, April 14). How VPNs Work. Retrieved from https://computer.howstuffworks.com/vpn.htm

3. Ferguson, P & Huston, G. (1998, April). What is a VPN? Retrieved from https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-18/what-is-a-vpn.html

11. Mason, J. (2017, November 23rd). VPN Beginners Guide. Retrieved from https://thebestvpn.com/what-is-vpn-beginners-guide/

4. Singh, K. & Gupta, H. (2016). A New Approach for the Security of VPN. 1-5. Retrieved from https://www.researchgate.net/publication/307090754_A_New_Approach_for_the_Security_of_VPN

5. Spengler, E. (2008). Virtual Private Networks (VPNs) Simplified. Retrieved from https://www.cisco.com/c/dam/en_us/training-events/le21/le34/downloads/689/academy/2008/sessions/BRK-134T_VPNs_Simplified.pdf

6. Tyson, J. (2001). How Virtual Private Networks Work. Retrieved from http://www.armchairpatriot.com/How%20Stuff%20Works/How%20Virtual%20Private%20Network.pdf

7. Unknown author. IPSec, VPN, and Firewall Concepts. Retrieved from http://www.cs.unh.edu/~it666/reading_list/Networking/firewall_concept_terms.pdf

8. Unknown/guest. (2019, August 17). The History of VPN. Retrieved from https://www.le-vpn.com/history-of-vpn/

9. Unknown. (2016, June 22). A Brief History of VPNs. Retrieved from https://www.goldenfrog.com/blog/brief-history-of-vpns

10. Wikipedia contributors. (2018, November 30). Virtual Private Network. In Wikipedia,

Retrieved from https://en.wikipedia.org/wiki/Virtual_private_network