The advantages and disadvantages of using VPN for company wide communication
Virtual Private Network (VPN) is a maturing technology that offers a cheaper alternative when compared dedicated network links such as Wide Area Networks (WAN). In addition, VPN also offers users the chance to communicate information through mobile secure technologies when on the move (i.e. in the train or hotel). This report will look into the advantages and disadvantages of using VPN when communicating from one office to another, albeit across the world from each other. In addition, the report will primarily focus on security issues when using such a technology. The report will be split into two main sections with the first aiming to provide the non technical user with the necessary information to decide whether the company would benefit from using such a technology when communicating internationally between one office and another.
Virtual Private Networks (VPN)
This section will firstly introduce the network technology VPN. It will then look at other alternatives and compare and contrast with the advantages and disadvantages of using VPN. One of the most important issues will then be discussed, the security implications of VPN. Other facets of using VPN technology will be discussed before finally summarising the technology in a conclusion.
Background Virtual Private Networks (VPN)
With global communication requirements ever increasing in today’s business world a lot of companies use leased lines to provide Wide Area Networks (WANs) between one office and another (Tyson , 2004). This WAN is built up from different networking technologies ‘ranging from Integrated Services Digital Network (ISDN) providing speeds of 128 Kbps and Optical Carrier-3 (OC3) providing much greater speeds of up to 155 Mbps (Tyson , 2004).’ These network technologies ensure a company can build its private network way beyond its original foundations which answers the question to global expansion. A WAN is obviously more advantageous to a company when considering security, reliability and performance of a dedicated leased network is far greater than a shared public network. Using a dedicated line however can astronomically increase in price as the distance increases from one location to another.
Companies also would increase their networks by using Intranets which is a network provided by the company and accessed in-house by company users. This kind of network was designed for connecting company wide users and not remote users in the field. With the ever increasing size of the Internet and the growing demands of business users the Virtual Private Network (VPN) emerged. The VPN would use existing Internet technology to send data to and from one source to another albeit in a secure fashion. In addition, wireless protocols are also supported by VPN and this ensures the on the move user can access sensitive information.
A VPN is any network that can provide a secure network through an already existing untrusted or unsecured network (Black, 1999). The VPN technology uses different strategies to transport data such as tunnelling where a logical structure is used to encapsulate the data contents inside the payload or data field of another network protocol. This method of tunnelling ensures data can travel through networks it would otherwise be unable to transport through (Black, 1999). This technology has also been implemented into wireless systems (Synder, 2005) which ensures the mobile user on the move can use a secure network to assist his /her everyday working tasks which could mean remotely referencing a sales database for an interested customer or, could be one of the emergency services requiring intelligence regarding a situation such as a persons details.
Advantages and Disadvantages using VPN
VPN is considered as a maturing technology and is answering a lot of business communication problems that were once considered as unavoidable monopolistic overheads. With VPN technology there are certainly some disadvantages such a limited security for wireless users although more enhanced technologies are continually emerging on a frequent basis. The advantages of the technology are that the data can be sent from one location to another within the world using an existing and continually growing infrastructure, the Internet.
By using encapsulation, encryption and data tracking the data is sent both securely and accurately to the next user. The main advantage of using VPN over a dedicated WAN or even an Intranet is mainly based on the cost. In using an existing network (Internet) the operational costs are much lower than that used with the WAN alternative. Obviously with a huge organisation a dedicated line between one site and another has many advantages however when that site is overseas the alternative of mixing with VPN technologies becomes a much more attractive approach. VPN provides a secure link by using point-to-point protocols and encryption techniques such as Symmetric-key encryption or Public-key encryption (Tyson , 2004) which will be discussed at length within the next section.
So in summary VPN extends geographic connectivity, provides well established security methods, reduced operational costs when compared with that of the WAN technology. In addition VPN also provides reduced set-up times, fast network links for remote users, the network topology is simplified, productivity improved due to less constraints when compared with other networking methods, provides Voice over IP protocol (teleconferencing facilities), provides broadband networking compatibility and when compared with infrastructure set up constraints such as that seen with WAN technologies and VPN ensures a faster return on investment.
For a well designed VPN there are five key features it must incorporate; Security, Reliability, Scalability, Network and Policy Management. This can be quite an arduous task to keep up with when there are three different types of VPN available. The different types are Site-to-Site VPN where the link across the Internet is either connected on an Intranet basis to main company Local Area Network (LAN) or, it is connected to a partner company LAN on an Extranet basis (partner company could be a supplier or long term customer). The other type of VPN network is a Remote-Access VPN where dial-up facilities are used to link users in remote areas with no physical link but a mobile phone airway link can be established.
Security is more secure with the Intranet and Extranet network methods than compared with Remote-Access VPN. This is to do with the medium used in terms of allowable bandwidth and error correction at any one time. Security is perhaps one of the main facets of a VPN network and has to be totally impregnable from criminal activity such as fraud, terrorism or company espionage for example. All of the different types of VPN offer encryption facilities which permit secure connections between a company’s private networks.
As mentioned before there are two types of computer encryption used;
• Public-Key Encryption
• Symmetric-Key Encryption
Symmetric-Key Encryption (Singh, 2000) is where each computer has a secret code (i.e. both parties who wish to communicate with each other). This secret code works very similar to idea behind the German Enigma machine where the secret code encodes the encrypted message as a shifted sequence along the everyday alphabet.
The secret code is a key by where the encrypted key and actual key are sent separately at certain times of the day. This key enables the user or system to decode the sequence of letters, to the correct sequence of letters, see below for example;
S A R A H – shift by 3 letters or numbers
V D U D K – is the new encrypted message
Figure 2.1 above displays the process of using symmetric-key encryption
The other encryption method is Public-Key Encryption where this is considered asymmetric when compared to symmetric key inscription. Basically, the two user’s wish to communicate with each other. Each user has a private key (secret code) and a public key which everyone can access (similar to gaining a phone number from a telephone directory). Using the analogy of padlocks the concept of public-key encryption can be extended to the reader. If user one has their private key secure from everyone else, they can distribute their public key to anyone they like, when user 2 wishes to send an encrypted message they use users 1’s public key which is analogous to user 1 distributing many padlocks securing boxes of information.
Once this padlock is closed or the message is encrypted it can only be seen by user 1 and no one else. In the analogy of padlocks, user 1 is the only person to have a unique key (private key) to open the distributed padlocks. Not even user 2 can open the padlock with his/her key as it is different private key or in the analogy, padlock key. This form of encryption is more modern and much harder to decipher than symmetric key encryption hence the Enigma code was cracked from the Allies obtaining coded items and intercepted signals.
The security used in VPN networks are as follows; encryption, IPsec, SSL and QoS (which will all be discussed in greater depth within the technical appendix), firewalls and AAA server.
VPN is certainly an emerging technology which provides companies a good alternative to the more expensive WAN technology. VPN utilises the well established Internet to securely send its data from one location to another location albeit on the other side of the planet. To that end, there is no major infrastructure setup cost in implementing or leasing a dedicated network as with the WAN system. The VPN connections between users are secure in that tried and tested encryption methods have been integrated within the system.
Other areas of security will be discussed in greater depth within the Technical Appendix following this conclusion. In addition, VPN caters for mobile users on the move this by wireless VPN technology and can transfer data such a text, Voice over IP (VoIP) and image frames. The wireless security issues however provide some security albeit more research is required into providing trusted secure systems such as that seen on the VPN Internet, Intranet or Extranet technologies.
The Technical Appendix of the report is aimed at further informing the technical user with the information given in Section 2. It will firstly look at the technical aspects of VPN technology such as the different networks and, case examples. Lastly it will look at the technical security issues faced with VPN technology which is key to the migration of using the technology for commercial purposes.
VPN Technical Background
As discussed in Section 2.0, VPN utilises an already well established medium for communication, the Internet. This section will describe the techniques in how VPN transports information from one location to another location. The three types of VPN networks are displayed below (Tyson , 2004) in Figure 3.1.
Image courtesy Cisco Systems, Inc.
Figure 3.1 displays the 3 different networks used in VPN
All three network architectures use a method of tunnelling (Tyson , 2004) to ensure secure connections are made between users. Tunnelling is fundamental to VPN technologies. Tunnelling is where a data packet is wrapped around another packet that is Internet Protocol (IP) readable and transferred from one point to another within the Internet. Thus the IP packet is readable at both points albeit the packet that has been encapsulated within the IP packet may use some other network protocol such as private protocol or NetBeui that is unreadable across the Internet. This type of network allows different protocol formats to pass through the Internet onto private networks where they can be read and transferred further into a company network hub for example. To that end, a private network can be extended across the Internet infrastructure.
Tunnelling requires three different protocols for it to work correctly. The first is the Carrier protocol, this is the protocol of network the information is being transported over such as IP when using the Internet infrastructure. Encapsulating protocol is the protocol that ensures the original data is encapsulated around the transported protocol and is hidden from the transportation protocol. Such encapsulating protocols are L2F, PPTP, L2TP, GRE, IPSec (Tyson , 2004). Lastly is the Passenger protocol, this is the network protocol relating to the encapsulated data such as IPX, NetBeui, IP protocols. Passenger protocol can ensure the original data works on a private network once it has been transferred from one point to another point on the Internet.
Tunnelling is achieved from using either IPSec or Generic Routing Encapsulation (GRE) which ensures the passenger protocol can be read at the different ends of passenger protocol interfaces. Basically before being transported in the tunnel over the Internet the encapsulated data is wrapped up and information describing what the data is (kind of meta data similar to that used in eXtensible Markup Language (XML)) is then stored and read for interface communication at the other end.
VPN Security Technical Background
The most crucial element of a VPN is the security it uses for point-to-point communication. As already discussed encryption algorithms are used to convert the original data into a secret message and undistinguishable to an unintended user.
VPN uses the following technologies to ensure secure point-to-point networks; Firewalls, Encryption, IPSec, GRE, AAA Server. There are more technologies used however the above are key to most VPN systems and will be discussed further here. The firewalls act as a filter and will only allow desired packets of information to pass from the Internet to private network interfaces. If undesired packets arrive they are simply stored in quarantine with an alert sent to the user or, they are deleted.
The firewall prevents such unwanted technologies such as outside sabotage or espionage in the form of computer Virus’s (virus’s can cause unlimited harm to software and hardware components) or Trojan horses (again can cause unlimited harm to software and hardware but is disguised as a program that is trusted by the computer – say a software update or video file). Encryption as already discussed can be in the form of symmetric-key or public-key encryption and provides varying levels of secrecy when transporting data from one private network to another private network via the Internet. The most reliable and secure method of encryption is that of public-key encryption (not including quantum cryptography however this is still under research) which is discussed at length by Singh (Singh, 2000).
Internet Protocol Security Protocol (IPsec) and GRE are different encapsulating protocols which ensure the original message is wrapped up inside the transport protocol and understood at the point-to-point interfaces across the Internet. IPsec uses more advanced encryption algorithms in that there are two encryption methods; tunnel and transport. The tunnel method encrypts both the header and payload of each packet and the transport just encrypts the payload of each packet. For IPSec to work correctly the firewalls, routers and interfaces have to be able to read IPsec protocol otherwise it will not work. The encryption method of IPSec uses Public-key Encryption technology.
Wright (Wright, 2000) discusses ‘IPsec is built around a number of standardised cryptographic technologies, and uses’:
• Secure Hash Algorithm (SHA), for authenticating packets. Digital certificates for validating public keys or Keyed hash algorithms, such as Hashbased Message Authentication Code (HMAC) with Message Digest version 5 (MD5).
• Deliver secret keys between peers on a public network using Diffie-Hellman key exchanges
• In order to guarantee the identities of the two parties Public key cryptography for signing Diffie-Hellman key exchanges are used.
• The Data Encryption Standard (DES) and other algorithms for encrypting data.
Above Wright (Wright, 2000) provides some useful technical information which shows that IPsec is becoming a much more advanced encapsulation protocol than when it was first introduced back in 1995. The current version of IPsec is IPv6 and has overcome a lot of security problems otherwise thought as incurable problems.
Authentication Authorisation and Accounting (AAA) server is primarily used for more secure connections such as that required for remote dialup access. When a user dials up the AAA server it checks who the person is, then, what the persons rights and privileges are and the accounting is a log of what tasks place during the online session of the user.
There are other technologies used to provide security to VPN technologies such as SSL and QoS. Quality of Service (QoS) is a system where users are monitored to see if they have permission to use certain networks (i.e. other VPNs) if not, they are denied access. This bird’s eye view can see if a network is under attack from cyber terrorism and can shut down sections if necessary and divert traffic. Secure Sockets Layer (SSL) VPN is specifically designed for remote access in that it provides all the encapsulation protocol for remote users such as wireless or dialup users out in the field. SSL VPN (Nortel SSLVPN, 2005) offers many advantages in that it is a secure method through use of advanced encryption technologies and, it is also supported across multiple applications and platforms. SSL VPN also has a built in AAA server facility which is key to any remote access required by the user on the move.
Looking at both sections it is possible to see that the executive recruitment company Smythe and Smythe would be best advised to implement a VPN network for secure communications between its head office in one country to an office(s) in another country(s). There network set-up time and costs are much cheaper than that of using a dedicated or leased line between company offices. This is because VPN uses an already tried and well established medium, the Internet. The security from one to another private network across the Internet is very good. This is because the security technology is based around the use of public-key encryption methods. In addition, encapsulation protocols such as IPSec and SSL VPN allow both secure networks or remote dialup sessions respectively. As a further step towards security, VPN QoS can be used to monitor unwanted access and shut down networks that are under attack and divert traffic using other VPN networks. Buy dissertations online at PhDify.com
References and Bibliography
- Black, Ulysses. PPP and L2TP: Remote Access Communications. Prentice Hall: New York, 1999. Chapter 18
- Marie Wright. Network Security – Virtual Private Network Security, Volume 2000, Issue 7, 1 July 2000, Pages 11-14
- Nortel SSLVPN. http://products.nortel.com/go/product_content.jsp?segId=0&parId=0&prod_id=38760&locale=en-US, 2005
- Singh, Simon. The Code Book – The Secret History of Codes & Code-breaking, Fourth Estate London, 2000, page 243 – 293
- Synder, Joel. http://www.networkworld.com/topics/wireless.html, Check Point's VPN-1 Edge W security device picks up wireless support, Network World, May 2005.
- Tyson , Jeff. http://computer.howstuffworks.com/vpn1.htm, Howstuffworks – Introduction to How Virtual Private Networks Work, 2004
- Tyson , Jeff. http://computer.howstuffworks.com/vpn1.htm, Howstuffworks – VPN Security: Encryption, 2004
- Tyson , Jeff. http://computer.howstuffworks.com/vpn2.htm, Howstuffworks – Remote-Access VPN, 2004
- Tyson , Jeff. http://computer.howstuffworks.com/vpn13.htm, Howstuffworks – Tunneling, 2004