Introduction to VPNs
Long gone is the time when corporate networks were separate isles of local connectivity. Today, most networks are connected to each other by the Internet. Issues of protecting the local networks from Internet-based crime and intrusion are being solved by firewalls, intrusion detection systems, anti-virus software and other security investments. However, business is increasingly often being done across the Internet as a means of efficient and inexpensive communication.
As we all have learned the hard way, not all parts of the Internet can be trusted in our time. Private interests as well as corporate communication requirements necessitate a means for data to be able to travel across the Internet to its intended recipient without allowing anyone else to read or alter it. It is equally important that the recipient can verify that no one is falsifying information, i.e. pretending to be someone else.
VPNs, Virtual Private Networks, provide a very cost efficient means of establishing secure links to parties that one wishes to exchange information with in a secure manner.
VPNs vs Fixed Connections
Using leased lines or other non-public channels to exchange data between organisations is not a new concept. It has been done since the first computers began talking to each other. In the beginning, communication was limited to local area communication links, but in time, people were finding reasons to have their computers exchange information across greater distances.
Fixed connections are usually very reliable as far as uptime and available bandwidth is concerned. They are also fairly secure, as long as no one attacks the telephony infrastructure or digs your optical fibres out of the ground and attach their own equipment to it.
Fixed long-distance connections, provided that suitable security measures are taken, may be considered "Private Networks".
However, fixed channels of communication are just that: fixed. If you hire a fixed connection between company A and B, you only allow communication between companies A and B.
If several organizations would want to communicate with each other in all directions, separate fixed connections between all organisations would be needed. Such situations quickly escalate beyond all manageability and cost efficiency:
Two organizations only require one connection.
Three organizations require three connections.
Five organizations require ten connections.
Seven organizations require twenty-one connections.
Ten organizations require fourty-five connections.
100 organizations require 4 950 connections.
One could argue that maybe some communication could be done by the way of intermediates. If I wish to talk to company B, maybe I can send my data to company C that has a link to company B? That way I don't have to have a link to company B of my own?
In some cases, and in a small scale, this may work. On the other hand, it may not work at all even if it is on a manageable scale. Consider a company that sells a product to ten customers who all compete with each other.
- Would any one of them accept that their orders and delivery confirmations travel through the hands of one of their competitors?
Another solution is required.
From a connectivity and security perspective, Virtual Private Networks may still be viewed as "fixed connections" in that they do provide connectivity between two or more organizations. This is a fact that does not change even though cryptography is deployed to implement the "Virtual" side of the "Private Network".
Cryptography and Authentication : VPN Basics
Cryptography provides a means to create "Virtual Private Networks" across the Internet with no additional investments in cables, leased lines or other connectivity.
Cryptography is an umbrella expression covering three basic techniques and benefits:
• Confidentiality ?no one but the intended recipients is able to intercept and understand the communication. Confidentiality is accomplished by encryption.
• Authentication and Integrity ?proof for the recipient that the communication was actually sent by the expected sender, and that the data has not been modified in transit. This is accomplished by authentication, often by use of cryptographic keyed hashes.
• Non-repudiation ?proof that the sender actually sent the data; the sender cannot later deny having sent it. Non-repudiation is usually a benign side-effect of authentication.
VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally not handled at the network level but rather on a transaction (document-by-document) basis.
The following sections explain how encryption works, how it is used in VPNs to provide confidentiality, and how authentication is used to provide integrity.