Information, Computer and Network Security Terms Glossary and
VPN: Virtual Private Network
Virtual Private Network (VPN) refers to simulating a private network over the public Internet by encrypting communications between the two private end-points. This provides the same connectivity , QOS and privacy you would find on a typical private network. Typically, VPNs cab be categorized as follows:
- Frame Relay VPN (Layer 2)
- ATM VPN (Layer 2)
- L2TP and PPTP VPN (Layer 2)
- IPsec VPN (Layer 3)
Provider Provisioned VPNs (PP-VPNs)
- BGP/MPLS VPNs (Layer 2 and 3, RFC 2547bis)
Session based VPN
- SSL VPN (Layer 4 +)
- SOCKS VPN (Layer 4 +)
The traditional VPN technologies have been widely deployed in the field by Service Providers and Enterprises. However, due to their high cost and less features, new VNP technologies such as IPsec VPN, SSL VPN and MPLS VPN are becoming more and more popular. These new VPN technologies are fully compatible with TCP/IP, the choice of technology for data routing and transportation of the world.
The key technology for VPN is the security of data over a public network. The three types of security: authentication, encryption and encapsulation, forms the foundation of virtual private networking. However, authentication, encryption and encapsulation can be performed by many different technologies. In addition, these three sets of technologies can be combined in different ways.
For data encapsulation in VPN, many tunneling technologies are developed, such as Layer 2 Tunneling Protocol (L2TP), Layer 2 Forward protocol (L 2F ) and Point to Point Tunneling Protocol (PPTP). PPTP provides remote users encrypted, multi-protocol access to a corporate network over the Internet. Network layer protocols, such as IPX and NetBEUI, are encapsulated by the PPTP for transport over the Internet. However, PPTP can support only one tunnel at a time for each user. Therefore, its proposed successor, L2TP (a hybrid of PPTP and another protocol, L 2F ) can support multiple, simultaneous tunnels for each user. PPTP and L2TP are the layer 2 VPN technologies from CPE (customer premise equipment) to CPE.
Internet Protocol Security (IPSec), the most widely deployed VPN technology, is a set of authentication and encryption protocols developed by the Internet Engineering Task Force (IETF), to address data confidentiality, integrity, authentication and key management in the IP networks. The IPSec protocol typically works on the edges of a security domain, which encapsulates a packet by wrapping another packet around it. It then encrypts the entire packet. This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured IP network. IPsec is the primary layer 3 VPN technology providing a CPE to CPE tunnel.
SSL/TLS, a technology popularly used for secured communication of web traffic (HTTPS), can also be also used for VPN. SSL VPNs use the highly mature and widespread SSL/TLS protocol to handle the tunnel creation and cryptographic elements necessary to create a VPN. SSL/TLS is much easier to implement than IPSec and provides a simple and well-tested platform. The RSA handshake (or DH) is used exactly as IKE in IPSec, and the SSL crypto library is used to secure the symmetric tunnel after that, again using similar encryption techniques to those protecting IPSec tunnels. This tunnel can pass arbitrary traffic, just like an IPSec VPN.
The VPN technologies popular among service providers are the border gateway protocol/multiprotocol label switching (BGP/MPLS) VPN. BGP/MPLS VPN is introduced t o solve the scal ability problems in the traditional ATM and Frame Relay VPNs. In addition, the MPLS VPN, a connectionless VPN, is fully compatible with the TCP/IP technologies and the Internet world, which has significantly lower cost of deployment and operations. The BGP/MPLS VPN standard is defined in the IETF RFC 2547bis to provide Layer 3 VPN solutions using BGP to carry route information over a MPLS core. This Layer 3 MPLS-VPN solution achieves all of the security of the Layer 2 approach, while adding enhanced scalability inherent in the use of Layer 3 routing technology.
SOCKS version 5 (SOCKS 5) is a circuit-level proxy protocol that was designed to facilitate authenticated firewall traversal. SOCKS v5 supports a broad range of authentication, encryption, tunneling and key management schemes, as well as a number of features not possible with IPSec, PPTP or other VPN technologies. When SOCKS is used in conjunction with other VPN technologies, it's possible to have a more complete security solution than any individual technology could provide. A user may, for example, incorporate IPSec and SOCKS together. IPSec could be used to secure the underlying network transport, while SOCKS could be used to enforce user-level and application-level access control.
Tunneling, IPsec, PPTP, L2TP, L2F, SOCKS 5, Encryption, Encapsulation
http://www.cisco.com/univercd/ cc/td/doc/cisintwk/ito_doc/vpn.htm: Virtual Private Network