The principles of computer networks 3

  • pptx
  • 01.05.2020

Principles of computer networks

Computer network

10.6.1.4 explain the purpose of a private virtual network

Virtual private networks – VPN
VPN – Virtual Private Network – reproduces the capabilities of a private network on top of a public one, using the existing infrastructure.
The distinguishing feature of a VPN is that it forms logical connections regardless of the underlying physical medium, which makes dedicated (leased) channels unnecessary.
Objective: to guarantee a quality of service across the public network and to protect the traffic from unauthorized access or tampering.
The purpose of VPN technology is to separate one enterprise's data flows as fully as possible from the flows of all other users of the public network. Isolation must hold both for the flow's capacity (bandwidth) and for the confidentiality of the data transmitted.

The history of VPN
The history of VPN goes back to the 1960s, when engineers at the New York Telephone Company developed Centrex (Central Exchange), a system for automatically connecting PBX subscribers. In effect it was a virtual private telephone network: existing communication channels were leased, so virtual voice channels were created over them. Today this service is being replaced by its more advanced analogue, IP-Centrex.
1998 – VPN applications allowing centralized management of users
1999 – authentication model, additional tools for configuring clients
2000 – VPN support built into Windows 2000
Today the technology is mature and widely deployed. Different technologies and architectures are used to meet the needs of a particular network.
Using the Internet to provide remote access to information can be made secure.

Classification of VPN

Basic architecture of VPN
Gateway-to-gateway
Host-to-gateway
Host-to-host
Combined – via an intermediate gateway (IPSG)

Basic VPN components
VPN gateway – a network device connected to several networks that performs encryption, identification, authentication, authorization and tunneling. It can be implemented in software or in hardware.
VPN client (host) – usually implemented in software; performs encryption and authentication. A network can also be built without VPN clients (the gateway-to-gateway case).
Tunnel – a logical connection between a client and a server; the traffic carried in the tunnel is protected by the information-security methods described below.
Edge server – a server that sits at the boundary of the corporate network. Such a server can be, for example, a firewall or a NAT system.
VPN information security – the set of measures that protect corporate network traffic passing through the tunnel from external and internal threats.


The pattern of interaction between provider and client
User scheme – the equipment is located on the client's premises; information security and QoS are arranged by the client independently.
Provider scheme – the VPN facilities are placed in the provider's network; information security and QoS are arranged by the provider.
Mixed scheme – used when the client works with several providers.

Scheme of connection of branches with the Central office

The connection of the remote user to the corporate network

Tunnel through an Internet service provider that supports the VPN service

A VPN connection to a secure network inside the corporate network

Enterprise client VPN connection to a secure network within the corporate network

VPN data protection

Requirements for a secure channel:
Confidentiality
Integrity
Access restricted to legitimate users (authentication)

Methods of organizing a secure channel:
Encryption – keeps the transmitted data confidential.
Authentication – admits only legitimate users to the network.
Authorization – limits each legitimate user's access to resources according to the rights granted to them.
Tunneling – encapsulates the original packet, including its headers and service information, inside a new packet so that the whole of it can be encrypted and carried across the public network.
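The requirements and methods above, as an added example that is not part of the presentation: a small site-to-site tunnel in Python in which the sending gateway encapsulates a private-network packet, encrypts it, appends an authentication tag, and the receiving gateway verifies the tag, rejects replays and recovers the inner packet. The ESP-like framing (SPI, sequence number, ciphertext, tag), the gateway addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the fixed keys and the function names encapsulate/decapsulate are assumptions of the example. The cipher is an HMAC-SHA256 keystream in counter mode, chosen so the code runs on the standard library alone; a real IPsec SA uses AES-GCM or ChaCha20-Poly1305 with keys negotiated by IKE.

```python
# Illustrative site-to-site tunnel: encapsulate, encrypt-then-MAC, decapsulate.
# Added example; framing is ESP-like but the cipher is an HMAC-based keystream,
# not the AES-GCM a real IPsec implementation would use.
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50   # IP protocol number of IPsec ESP
PROTO_UDP = 17
TAG_LEN = 16


def ipv4_checksum(hdr):
    """One's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, DF set, TTL 64)."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:]


def keystream(key, nonce, length):
    """PRF in counter mode; the nonce (SPI, seq) is unique per packet, so no reuse."""
    out, counter = b'', 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack('!Q', counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def encapsulate(sa, inner):
    """Sending gateway: wrap a private-network packet for the public network."""
    sa['seq'] += 1
    esp_hdr = struct.pack('!II', sa['spi'], sa['seq'])
    body = esp_hdr + xor(inner, keystream(sa['enc_key'], esp_hdr, len(inner)))
    tag = hmac.new(sa['auth_key'], body, hashlib.sha256).digest()[:TAG_LEN]  # encrypt-then-MAC
    esp = body + tag
    return ipv4_header(sa['local_gw'], sa['remote_gw'], PROTO_ESP, len(esp)) + esp


def decapsulate(sa, outer):
    """Receiving gateway: verify tag, check replay, decrypt, return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != PROTO_ESP:
        raise ValueError('not an ESP packet')
    body, tag = outer[ihl:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(sa['auth_key'], body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError('authentication failed')      # integrity and peer authentication
    spi, seq = struct.unpack('!II', body[:8])
    if spi != sa['spi']:
        raise ValueError('unknown SPI')
    if seq <= sa['last_seq']:
        raise ValueError('replayed packet')            # anti-replay (strict ordering, simplified)
    sa['last_seq'] = seq
    return xor(body[8:], keystream(sa['enc_key'], body[:8], len(body) - 8))


def demo():
    """Constructed round trip between two gateways (fixed keys, documentation addresses)."""
    keys = {'spi': 0x1000, 'enc_key': b'\x11' * 32, 'auth_key': b'\x22' * 32,
            'local_gw': '203.0.113.1', 'remote_gw': '198.51.100.1'}
    sender, receiver = dict(keys, seq=0), dict(keys, last_seq=0)
    payload = b'hello branch office'
    udp = struct.pack('!HHHH', 40000, 7, 8 + len(payload), 0) + payload      # UDP checksum 0 is legal on IPv4
    inner = ipv4_header('10.1.0.5', '10.2.0.7', PROTO_UDP, len(udp)) + udp   # private addresses stay hidden
    outer = encapsulate(sender, inner)
    result = {'outer_src': str(ipaddress.IPv4Address(outer[12:16])),   # public network sees gateways only
              'outer_dst': str(ipaddress.IPv4Address(outer[16:20])),
              'payload_hidden': payload not in outer,
              'roundtrip': decapsulate(receiver, outer) == inner}
    tampered = bytearray(outer)
    tampered[40] ^= 0x01                                  # flip one ciphertext bit
    try:
        decapsulate(receiver, bytes(tampered))
        result['tamper_rejected'] = False
    except ValueError:
        result['tamper_rejected'] = True
    try:
        decapsulate(receiver, outer)                      # deliver the same packet again
        result['replay_rejected'] = False
    except ValueError:
        result['replay_rejected'] = True
    return result


if __name__ == '__main__':
    print(demo())
```

The public network only ever sees the gateway addresses and ciphertext, which is the flow isolation the slides describe; the tag check covers the SPI and sequence number as well as the ciphertext, so a flipped bit or a replayed packet is dropped before anything is decrypted.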

VPN support at different levels of the OSI model

Link layer:
–L2TP, PPTP, etc. (authorization and authentication)
–MPLS technology (tunnel establishment)

Network layer:
–IPsec architecture (host-to-gateway and gateway-to-gateway; supports encryption, authorization and authentication; has problems with NAT: AH authenticates the outer IP header and so fails once NAT rewrites it, while ESP has to be wrapped in UDP on port 4500, NAT traversal, to pass through)

Transport layer:
–SSL/TLS (host-to-host architecture, end-to-end connection; supports encryption and authentication; runs over TCP only, with DTLS as the variant for UDP traffic)
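To make the layer classification concrete, an added example that is not part of the presentation: a Python classifier that tells which of the protocols above a captured outer IPv4 packet carries, using the IP protocol number (ESP 50, AH 51, GRE 47) and the well-known ports (IKE 500, NAT-T 4500, L2TP 1701, PPTP control 1723, TLS 443), and labels each with the layer the slides assign to it. The distinction on UDP 4500 follows RFC 3948: IKE messages start with a four-byte zero "non-ESP marker", while UDP-encapsulated ESP starts with a non-zero SPI. The packet samples are constructed by hand with zero IP checksums (the classifier does not verify them), and the function names are the example's own.

```python
# Identify the VPN protocol carried by a raw outer IPv4 packet.
# Added example; samples are constructed, IP checksums are left at zero.
import struct

ESP, AH, GRE, TCP, UDP = 50, 51, 47, 6, 17


def classify(pkt):
    """Return (protocol name, layer as the slides classify it, note)."""
    if pkt[0] >> 4 != 4:
        return ('not IPv4', None, '')
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack('!II', l4[:8])
        return ('IPsec ESP', 'network', f'spi=0x{spi:08x} seq={seq}')
    if proto == AH:
        return ('IPsec AH', 'network', 'authenticates the IP header too, so it fails through NAT')
    if proto == GRE:
        gre_type = struct.unpack('!H', l4[2:4])[0]
        if gre_type == 0x880B:                      # PPP inside enhanced GRE, as PPTP uses
            return ('PPTP data (GRE/PPP)', 'link', 'enhanced GRE carrying PPP')
        return ('GRE', 'link', f'protocol type 0x{gre_type:04x}')
    if proto in (TCP, UDP):
        sport, dport = struct.unpack('!HH', l4[:4])
        ports = {sport, dport}
        if proto == UDP:
            payload = l4[8:]
            if 4500 in ports:
                # RFC 3948: IKE on 4500 is prefixed with a zero non-ESP marker;
                # UDP-encapsulated ESP begins with its (non-zero) SPI.
                if payload[:4] == b'\x00\x00\x00\x00':
                    return ('IKE (NAT-T)', 'network', 'key exchange through NAT')
                spi = struct.unpack('!I', payload[:4])[0]
                return ('IPsec ESP in UDP (NAT-T)', 'network', f'spi=0x{spi:08x}')
            if 500 in ports:
                return ('IKE', 'network', 'IPsec key exchange')
            if 1701 in ports:
                return ('L2TP', 'link', 'usually protected by IPsec (L2TP/IPsec)')
        else:
            if 1723 in ports:
                return ('PPTP control', 'link', 'data channel travels in GRE')
            if 443 in ports:
                return ('TLS on 443', 'transport', 'may be an SSL/TLS VPN; the port alone cannot tell')
    return ('other', None, f'ip proto {proto}')


# Constructed samples: outer header 203.0.113.1 -> 198.51.100.1, checksum 0.
SRC, DST = bytes.fromhex('cb007101'), bytes.fromhex('c6336401')


def ip(proto, payload):
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, SRC, DST) + payload


def udp(sport, dport, payload):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport):       # 20-byte SYN segment, no payload
    return struct.pack('!HHIIBBHHH', sport, dport, 1, 0, 0x50, 0x02, 0xFFFF, 0, 0)


SAMPLES = {
    'esp':      ip(ESP, bytes.fromhex('00001000 00000001') + b'\xde\xad' * 8),
    'ike_natt': ip(UDP, udp(4500, 4500, b'\x00' * 4 + b'\x01' * 8)),
    'esp_natt': ip(UDP, udp(4500, 4500, bytes.fromhex('00002000 00000005') + b'\x02' * 4)),
    'ike':      ip(UDP, udp(500, 500, b'\x03' * 12)),
    'l2tp':     ip(UDP, udp(1701, 1701, b'\x04' * 12)),
    'pptp_ctl': ip(TCP, tcp(49152, 1723)),
    'pptp_gre': ip(GRE, bytes.fromhex('3081880b')),
    'tls':      ip(TCP, tcp(49153, 443)),
    'plain':    ip(TCP, tcp(49154, 22)),
}


def classify_all(samples=SAMPLES):
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == '__main__':
    for name, (proto_name, layer, note) in classify_all().items():
        print(f'{name:9s} {proto_name:26s} {layer or "-":9s} {note}')
```

Port-based identification is only a first cut: ESP and AH are unambiguous because they are their own IP protocols, but a TLS session on 443 could be a VPN or an ordinary web page, which is exactly why the slides treat SSL/TLS VPNs as the guest and fast-deployment option rather than the high-assurance one.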

VPN selection criteria
Connection type:
–Persistent: IPSec
–Temporary: SSL/TLS

Access type:
–User (company employee): IPSec
–Guest: SSL/TLS

The level of security of the corporate network:
–High: IPSec
–Medium: SSL/TLS
–Depending on the service provided: IPSec +SSL/TLS

Data security level:
–High: IPSec
–Medium: SSL/TLS
–Depending on the service provided: IPSec +SSL/TLS

The scalability of the solution:
–Scalability: IPSec
–Fast deployment: SSL/TLS

Comparative characteristics of VPN protocols
