In this article we answer the most frequently asked questions: what a VPN server is, whether a VPN can increase your security, whether you need Double VPN, how to check whether a VPN service keeps logs, and what modern technologies exist to protect personal information.

A VPN (virtual private network) provides an encrypted connection between the client and the VPN server.


The main purpose of a VPN is to encrypt traffic and change the IP address.

Let's see why and when it is needed.

What is a VPN for?

ISPs log their customers' activity on the Internet, so the Internet provider knows which sites you visited. They do this so that they can hand over information about a suspected offender when the police request it, and to disclaim legal responsibility for the user's actions.

There are many situations in which a user needs to protect their personal data on the Internet and to communicate freely.

Example 1. A business needs to transfer confidential data over the Internet without anyone being able to intercept it. Most companies use VPN technology to transfer information between company branches.

Example 2. Many Internet services apply geo-restrictions based on the user's location and deny access to users from other countries.

For example, the Yandex Music service works only for IP addresses from Russia and the countries of the former CIS. As a result, Russian speakers living in other countries have no access to this service.

Example 3. Blocking of certain sites in the office or in the country. Offices often block access to social networks so that employees do not spend working time chatting.

For example, China has blocked many Google services. A resident of China who works with a European company may need to use services such as Google Drive.

Example 4. Hiding visited sites from the ISP. Sometimes you need to hide the list of visited sites from your Internet provider. With a VPN, all traffic is encrypted.


With traffic encryption, your ISP does not know which sites you visited. Your IP address on the Internet will then belong to the country of the VPN server.

When you connect to a VPN, a secure channel is created between your computer and the VPN server. All data in this channel is encrypted.


Thanks to a VPN, you gain freedom of communication and protection of your personal data.

In the Internet provider's logs there will be only a meaningless set of characters. The picture below shows the analysis of captured data obtained with a packet-capture program.

In the HTTP header you can immediately see which site you are connecting to. Internet service providers record this data.

The following picture shows the same traffic when a VPN is used. The data is encrypted, and it is impossible to tell which sites you visited.
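As an added illustration of the two captures described above (this is example code written for this page, not the service's own tool): a small parser that pulls the destination host and path out of a plaintext HTTP request, the same fields a provider's traffic analyzer logs, and returns nothing when given an encrypted VPN payload. The sample request and the "encrypted" bytes are constructed here; the ciphertext is a deterministic stand-in produced with SHA-256 rather than output of a real VPN cipher.

```python
"""Added example: what an ISP-side analyzer can read from a plaintext HTTP
request versus a VPN-encrypted payload. Sample data is constructed."""
import hashlib
import re

# Constructed plaintext HTTP request as it appears on the wire without a VPN.
PLAINTEXT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: demo-browser/1.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Constructed stand-in for the same request after VPN encryption: opaque bytes.
# Derived from SHA-256 so the example is deterministic; a real VPN uses a
# proper cipher, and its output is equally unreadable to the provider.
ENCRYPTED_PAYLOAD = b"".join(
    hashlib.sha256(bytes([i]) + PLAINTEXT_REQUEST).digest() for i in range(3)
)

REQUEST_LINE_RE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) ([^ ]+) HTTP/1\.[01]\r\n"
)
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_http_target(payload: bytes):
    """Return (host, path) if the payload is a readable HTTP/1.x request,
    otherwise None. This mirrors what a provider can log from plaintext traffic."""
    m = REQUEST_LINE_RE.match(payload)
    if not m:
        return None
    host = HOST_RE.search(payload)
    host_value = host.group(1).decode("ascii", "replace").strip() if host else None
    return host_value, m.group(2).decode("ascii", "replace")


def summarize(payload: bytes) -> str:
    """One-line verdict, as an analyzer's log entry would read."""
    target = extract_http_target(payload)
    if target is None:
        return "opaque payload: destination site not recoverable"
    host, path = target
    return f"visible HTTP request to {host}{path}"


if __name__ == "__main__":
    print("without VPN:", summarize(PLAINTEXT_REQUEST))
    print("with VPN:   ", summarize(ENCRYPTED_PAYLOAD))
```

Run it to see the two log lines side by side; the parser recovers `www.example.com/index.html` from the first capture and nothing from the second.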

How to connect to a VPN

There are several ways to connect to a VPN.

  • PPTP is an outdated protocol. Most modern operating systems have removed it from their list of supported protocols. Its drawback is low connection stability: the connection may drop, and unprotected data may leak to the Internet.
  • L2TP (IPSec) is more reliable. It is also built into most operating systems (Windows, Mac OS, Linux, iOS, Android, Windows Phone and others) and is more reliable than PPTP.
  • SSTP was developed relatively recently. It is supported only on Windows, so it is not widely used.
  • IKEv2 is a modern protocol based on IPSec. It has replaced PPTP and is supported by all popular operating systems.
  • OpenVPN is considered the most reliable. It can be configured flexibly, and when the connection drops, OpenVPN blocks the sending of unprotected data to the Internet.

OpenVPN can run over two transport protocols:

  • UDP: fast (recommended for VoIP telephony, Skype and online games).
  • TCP: reliable delivery of transmitted data (each packet must be acknowledged). Works a little slower than UDP.

How to set up a VPN

Setting up a VPN connection takes a few minutes and depends on the connection method.

On our service we use PPTP and OpenVPN connections.

VPN Security

We always advocate a comprehensive approach to security. User security consists of more than the VPN connection itself; the program you use to connect to the VPN server also matters.

Currently, services offer convenient VPN clients: programs that make it easy to set up a VPN connection. We offer a convenient VPN client ourselves. With such programs, setting up a VPN connection takes no more than a minute.


When we first started providing VPN services in 2006, all of our users set up the official OpenVPN application, which is open source. Of course, setting up the official OpenVPN client takes more time. But let's see which is better to use in terms of anonymity.

VPN client anonymity

We see a danger in using such programs. The source code of such programs is the property of the company, and to keep its program unique, nobody publishes it.

Without open source code, users cannot find out what data the program collects about them.

Such a VPN program can identify you as a specific user even when logging is turned off on the server.

Any program can record the sites you visit and your real IP address. And since you enter your login into the program yourself, there can be no talk of anonymity when using it.

If your activity requires a high level of anonymity, we recommend abandoning these VPN programs and using the official open-source release of OpenVPN.

At first you will find this inconvenient. But over time you will get used to it, if security and anonymity come first for you.

We guarantee that Secure Kit does not save any data about you. But we must warn you that such programs can spy on you.

Another idea for increasing your security comes from the geographical location of the servers. On the Internet it is called an offshore VPN.

What is an offshore VPN

Different countries have different levels of legislation. There are strong states with strong laws, and there are small countries whose level of development does not provide for the protection of information.

Initially, the term offshore referred to a country with a relaxed tax policy. Such countries have very low taxes on business. Global companies became interested in legally avoiding taxes in their home country, and offshore bank accounts in the Cayman Islands became very popular.

Currently, many countries of the world already ban the use of bank accounts in offshore countries.

Most offshore countries are small states in remote corners of the planet. Servers in such countries are harder to find and more expensive because of the lack of developed Internet infrastructure. VPN servers in such countries came to be called offshore.

So the term offshore VPN does not mean anonymous VPN; it only indicates that the server is located in an offshore state.

Should you use an offshore VPN?

An offshore VPN offers additional benefits in terms of anonymity.

Consider which is easier: to send a formal request

  • to the police department in Germany
  • or to the police department on the islands of Antigua and Barbuda

An offshore VPN is an extra layer of protection. It is good to use an offshore server as part of a Double VPN chain.

There is no need to use only one offshore VPN server and assume that it is completely secure. You need to approach your security and anonymity on the Internet from different angles.

Use an offshore VPN as one link in your anonymity.

And now it is time to answer the most frequently asked question: can an anonymous VPN service keep logs, and how do you determine whether a service keeps logs?

Anonymous VPN service and logs. What to do?

An anonymous VPN service should not keep logs. Otherwise, it can no longer be called anonymous.

We have compiled a list of questions that let you accurately determine whether a service keeps logs.

Now you have full information about VPN connections. This knowledge is enough to make yourself anonymous on the Internet and to transfer personal data safely.

New VPN technologies

Are there any new trends in the field of VPN?

We have already discussed the pros and cons of serial cascading of VPN servers (Double, Triple, Quad VPN).

To avoid the disadvantages of Double VPN technology, you can build a parallel cascade of chains. We called it Parallel VPN.

What is Parallel VPN

The essence of Parallel VPN is to send traffic through a parallel data channel.

The downside of sequential cascading (Double, Triple, Quad VPN) is that each server decrypts the channel and re-encrypts it into the next channel. The data is encrypted sequentially, one hop at a time.

Parallel VPN has no such problem, since all data is encrypted twice, in parallel. Imagine an onion with several skins: in the same way, the data passes through a channel in which it is wrapped in two layers of encryption.
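To make the difference between the two schemes concrete, here is an added example (written for this page; it is not the service's Parallel VPN code, whose internals the text does not describe). It models sequential cascading, where every hop decrypts and re-encrypts and therefore sees the plaintext, against onion-style layering, where the client wraps the data once per hop and each hop can peel only its own layer. The hop keys, nonce and message are constructed; the cipher is a keystream derived from HMAC-SHA256 in counter mode, used here as a stand-in for the real VPN cipher.

```python
"""Added example: sequential VPN cascade vs. layered ('onion') encryption.
Hop keys, nonce and message are constructed; the cipher is a stand-in."""
import hashlib
import hmac

NONCE = b"\x00" * 8  # constructed; a real system uses a fresh nonce per packet


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks.
    The same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256)
        stream.extend(block.digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sequential_cascade(message: bytes, hop_keys: list) -> list:
    """Double/Triple VPN: each hop decrypts the incoming channel and encrypts
    for the next one. Returns what each hop could read after decrypting."""
    observed = []
    ciphertext = keystream_xor(hop_keys[0], NONCE, message)  # client -> hop 1
    for i, key in enumerate(hop_keys):
        plaintext = keystream_xor(key, NONCE, ciphertext)  # hop i opens its channel
        observed.append(plaintext)
        if i + 1 < len(hop_keys):
            # hop i re-encrypts for hop i+1: the plaintext passed through hop i
            ciphertext = keystream_xor(hop_keys[i + 1], NONCE, plaintext)
    return observed


def layered_encrypt(message: bytes, hop_keys: list) -> bytes:
    """Client wraps the message for the last hop first, then for each earlier
    hop, like the skins of an onion."""
    data = message
    for key in reversed(hop_keys):
        data = keystream_xor(key, NONCE, data)
    return data


def layered_forward(wrapped: bytes, hop_keys: list) -> list:
    """Each hop removes only its own layer. Returns what each hop could read."""
    observed = []
    data = wrapped
    for key in hop_keys:
        data = keystream_xor(key, NONCE, data)
        observed.append(data)
    return observed


def hops_seeing_plaintext(message: bytes, observed: list) -> int:
    """Count how many hops along the path had the plaintext in hand."""
    return sum(1 for seen in observed if seen == message)


if __name__ == "__main__":
    keys = [b"constructed-key-hop-1", b"constructed-key-hop-2"]
    msg = b"constructed user traffic"
    seq = sequential_cascade(msg, keys)
    lay = layered_forward(layered_encrypt(msg, keys), keys)
    print("sequential: hops that saw plaintext =", hops_seeing_plaintext(msg, seq))
    print("layered:    hops that saw plaintext =", hops_seeing_plaintext(msg, lay))
```

With two hops, the sequential model reports that both hops handled the plaintext, while the layered model reports only the exit hop; the entry hop only ever holds the still-encrypted inner layer. That is the property the onion comparison above is pointing at.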


Questions about VPNs are popular these days: what it is, what its features are, and how best to set one up. The thing is, not everyone understands the essence of the technology itself or when it may be needed.

Even from the financial side, setting up VPNs is a lucrative business that can bring easy money.
It is worth explaining to the user what a VPN is and how best to configure it on Windows 7 and 10.

1. Basic

A VPN (Virtual Private Network) is a private virtual network. Put more simply, it is a technology for creating a local network without physical devices such as routers, using real resources from the Internet instead. A VPN is an additional network built on top of another.

On the Microsoft website we found an informative picture that helps explain the expression "an additional network created on top of another."


The image shows devices in the form of computers. The cloud is a shared or public network, most often the ordinary Internet. The servers are connected to each other using the same VPN.

So the devices appear to be physically connected to each other. But practice has shown that this is not necessary.

A VPN is configured precisely so that wires, cables and other cumbersome equipment are not needed.

Local devices are connected to each other not through cables but through Wi-Fi, GPS, Bluetooth and other means.
Virtual networks are most often an ordinary Internet connection. Of course, simply gaining access to the devices will not work, because identification levels are everywhere, designed to keep hackers and ill-wishers out of the VPN.

2. A few words about the VPN structure

The VPN structure is divided into two parts: external and internal.
Each PC connects to both parts at the same time. This is done through the server.


The server, in our case, acts as a guard at the entrance. It detects and registers the members of the virtual network.

A computer or device connecting to the VPN must have all the data for authorization and so-called authentication, that is, a special, usually one-time, password or other means that lets it pass the procedure.

This process is not particularly important for us. Specialists keep creating ever more powerful and serious methods of authorization on servers.

To join such a network, at the entrance you must know the following:
1. A name, for example the PC name or another login used to identify you on the network;
2. A password, if any, to complete authorization.
A computer that wants to connect to the VPN "carries" all of this authorization data with it. The server enters the data into its database. After your PC is registered in the database, you will no longer need the above data.

3. VPN and their classification

The classifications of VPN networks are shown below.

Let's look at them in more detail.
- DEGREE OF PROTECTION. Networks selected by this criterion:
1. Fully secure: networks that are secure by design;
2. Secure "trusted": less secure networks, used where the original or "parent" network is reliable.
- IMPLEMENTATION. Implementation methods. Networks selected by this criterion:
1. Combined and software methods;
2. Hardware: using real devices.
- PURPOSE. VPNs selected by this criterion:
1. Intranet: most often used in companies that need to join several branches;
2. Extranet: used specifically for networks with various participants, including the company's clients;
3. Remote Access: VPN networks with so-called remote branches.
- PROTOCOL. VPN networks can be implemented with the AppleTalk and IPX protocols, but in practice TCP/IP is used most often and most efficiently. The reason is the popularity of this protocol in the main networks.
- LEVEL OF OPERATION. The OSI model is the reference here, but a VPN can only work at the link, network and transport layers.
Of course, in practice one network can combine several of these features at once. Let's move on to directly setting up a VPN network on your PC or laptop.

4. How to set up a VPN network (virtual network)

The first method is for Windows 7.
On Windows 7, the setup consists of fairly simple steps; follow these instructions:
1. Go to "Network and Sharing Center". Click the connection icon on the quick-access panel and select the item we need in the window.

2. The window does not always look like the one in the figure above; it can also look like this:

3. In the new window, find the section "Set up a new connection or network". This section is highlighted in the figure.


4. In the next step, find "Connect to a workplace" and click "Next".


5. If a VPN connection already exists on the PC, a special window appears, as in the figure below. Select "No, create a new connection" and click "Next" again.


6. In the new window, select "Use my Internet connection (VPN)".


7. Now enter the address and the name of the VPN network. You can get all the details from the network administrator, as the window itself also tells you.

If you are connecting to an already working network, it is best to ask its administrator for the data. Usually this does not take much time. Enter the data in the fields provided.
8. In the same window, tick "Don't connect now..." and then click "Next".


9. Enter your network credentials (login and password). In the following figure, these fields are highlighted.

If this is your first connection to the network, the credentials will have to be created anew; after the server checks them, you will be allowed into the network and can use it.

If the connection is not the first one, the server will not check your data and will let you directly into the desired network.

10. After entering the required data, click "Connect".


11. The next window will offer to connect to the network now. It is better to close it.


The setup is complete, and it remains only to connect to the network. To do this, go back to the first step, "Network and Sharing Center".
12. In the new window, select "Connect to a network".


13. Here, select our connection and connect to it.

Setting up a VPN on Windows 7 is complete.

Let's move on to setting up a VPN on Windows 10; the algorithm and steps are almost the same. The only difference is in some interface elements and how to reach them.

For example, to get into the "Network and Sharing Center" you do everything the same as on Windows 7, except that there is a special item "Creating and configuring a new connection or...".
From there, the setup is done in the same way as on Windows 7; only the interface will look slightly different.


Some Windows 10 users may be inconvenienced by looking for the classic network view. Go to "Network and Internet", then select "View network status and tasks" to continue setting up the VPN.

In fact, there is nothing complicated about the setup. By the way, this VPN connection can even be configured on Android devices; a section below is devoted to this.

5. Setting up a VPN on Android

To do this, you need to download and install a tool called SuperVPN Free VPN Client from the official Android store.

The program window will offer to create a VPN connection on Android.


Everything here is straightforward: click "Connect", after which the search for available networks begins, followed by connection to them. Setting up a VPN on Android requires no additional programs.

Recently, the telecommunications world has seen increased interest in virtual private networks (Virtual Private Network, VPN). This is driven by the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply over the Internet. Indeed, comparing the cost of connecting several networks over the Internet with, for example, Frame Relay networks shows a significant difference in cost. However, when networks are connected over the Internet, the question of the security of data transmission arises immediately, so mechanisms had to be created to ensure the confidentiality and integrity of the transmitted information. Networks built on such mechanisms are called VPNs.

In addition, a modern person developing a business very often has to travel a lot, whether to remote corners of our country or abroad. It is not uncommon for people to need access to information stored on their home or company computer. This problem can be solved by arranging remote access over a modem and a telephone line. Using a telephone line has its own peculiarities: the disadvantage of this solution is that a call from another country costs a lot of money. There is another solution, called VPN. The advantage of VPN technology is that remote access is organized not over a telephone line but over the Internet, which is much cheaper and better. In my opinion, VPN technology has the prospect of wide adoption around the world.

1. The concept and classification of VPN networks, their construction

1.1 What is VPN

VPN (Virtual Private Network): a logical network created on top of another network, such as the Internet. Although communication takes place over public networks using insecure protocols, encryption creates information exchange channels that are closed to outsiders. A VPN makes it possible, for example, to join several offices of an organization into a single network using channels that the organization does not control.


At its core, a VPN has many of the properties of a leased line, but it is deployed within a public network such as the Internet. Using tunneling, data packets are transmitted over the public network as if over an ordinary point-to-point connection. Between each sender-receiver pair a kind of tunnel is established: a secure logical connection that allows the data of one protocol to be encapsulated in the packets of another. The main components of a tunnel are:

  • initiator;
  • routed network;
  • tunnel switch;
  • one or more tunnel terminators.

By itself, the principle of VPN operation does not contradict the main network technologies and protocols. For example, when establishing a dial-up connection, the client sends a stream of standard PPP packets to the server. When organizing virtual leased lines between local networks, their routers also exchange PPP packets. The fundamentally new point, however, is the forwarding of those packets through a secure tunnel organized within the public network.

Tunneling allows packets of one protocol to be transmitted in a logical environment that uses a different protocol. As a result, it becomes possible to solve interoperability problems between heterogeneous networks, from ensuring the integrity and confidentiality of transmitted data to overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be provisioned for VPN use either through software or through hardware. Organizing a virtual private network can be compared to laying a cable through a global network. Typically, a direct connection between a remote user and a tunnel end device is established using the PPP protocol.

The most common method of creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in a tunneling protocol. Usually the latter is IP or (much less often) ATM or Frame Relay. This approach is called layer 2 tunneling, because the "passenger" here is a layer 2 protocol.

An alternative approach, encapsulating network-protocol packets directly in a tunneling protocol (for example VTP), is called layer 3 tunneling.

No matter which protocols are used or what goals are pursued in organizing the tunnel, the basic technique remains practically unchanged. Typically, one protocol is used to establish a connection with the remote host, and another is used to encapsulate data and service information for transmission through the tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By type of medium used:

  • Secure VPN networks. The most common variant of virtual private networks. It makes it possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.
  • Trusted VPN networks. Used when the transmission medium can be considered reliable and the only task is to create a virtual subnet within a larger network, so security issues become irrelevant. Examples of such VPN solutions are MPLS and L2TP. It is more correct to say that these protocols shift the task of providing security to others; for example, L2TP is usually used in tandem with IPSec.

2. According to the method of implementation:

  • VPN networks as a special software and hardware system. The VPN is implemented using a dedicated set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.
  • VPN networks as a software solution. A personal computer with special software that provides VPN functionality is used.
  • VPN networks as an integrated solution. VPN functionality is provided by a system that also filters network traffic, acts as a firewall and ensures quality of service.

3. By purpose:

  • Intranet VPN. Used to join several distributed branches of one organization, which exchange data over open communication channels, into a single secure network.
  • Remote Access VPN. Used to create a secure channel between a corporate network segment (central office or branch office) and a single user who connects to corporate resources from a home computer while working at home, or from a laptop while on a business trip.
  • Extranet VPN. Used for networks to which "external" users (for example, customers or clients) connect. The level of trust in them is much lower than in the company's employees, so special "frontiers" of protection are needed that prevent or restrict their access to especially valuable, confidential information.

4. By type of protocol:

  • There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. But today there is a trend towards a general transition to TCP/IP, and the vast majority of VPN solutions support it.

5. By network protocol layer:

  • By network protocol layer, based on a mapping to the layers of the ISO/OSI network reference model.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance of the devices that will build the VPN. For example, if a router is already working at the limit of its capacity, then adding VPN tunnels and encryption/decryption of information can bring the entire network to a halt, because the router will no longer cope even with ordinary traffic, let alone the VPN. Experience shows that it is better to build a VPN on specialized equipment, but if funds are limited, a purely software solution is worth considering. Let's consider some options for building a VPN.

  • Firewall-based VPN. Most firewall manufacturers support tunneling and data encryption. All such products rely on encrypting the traffic that passes through the firewall: an encryption module is added to the firewall software itself. The disadvantage of this method is that performance depends on the hardware the firewall runs on. When using PC-based firewalls, keep in mind that such a solution is suitable only for small networks with a small amount of transmitted information.
  • Router-based VPN. Another way to build a VPN is to use routers to create secure channels. Since all information leaving the local network passes through the router, it makes sense to assign encryption to the router as well. An example of equipment for building a VPN on routers is equipment from Cisco Systems. Starting from IOS software version 11.3, Cisco routers support the L2TP and IPSec protocols. Besides simply encrypting traffic in transit, Cisco supports other VPN features such as authentication at tunnel establishment and key exchange. An optional ESA encryption module can be used to improve router performance. In addition, Cisco Systems has released a dedicated VPN appliance, the Cisco 1720 VPN Access Router, for installation in small and medium-sized businesses and large branch offices.
  • Software-based VPN. The next approach to building a VPN is a purely software solution. Specialized software runs on a dedicated computer and in most cases acts as a proxy server. The computer running this software may be located behind a firewall.
  • VPN based on a network OS. We consider solutions based on a network OS using Microsoft Windows as an example. To create a VPN, Microsoft uses the PPTP protocol, which is integrated into Windows. This solution is very attractive for organizations that use Windows as their corporate operating system, and its cost is much lower than that of other solutions. A Windows-based VPN uses the user database stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated with the PAP, CHAP or MS-CHAP protocol. The transmitted packets are encapsulated in GRE/PPTP packets. Packets are encrypted with Microsoft's non-standard Microsoft Point-to-Point Encryption protocol using a 40- or 128-bit key obtained when the connection is established. The disadvantages of this system are the lack of data integrity checks and the impossibility of changing keys during the connection. Its good points are ease of integration with Windows and low cost.
  • Hardware-based VPN. Building a VPN on special devices is an option for networks that require high performance. An example of such a solution is Radguard's IPro-VPN product. It uses hardware encryption of the transmitted information and can pass a stream of 100 Mbps. IPro-VPN supports the IPSec protocol and the ISAKMP/Oakley key management mechanism. Among other things, this device supports network address translation and can be supplemented with a special board that adds firewall functions.

2. Protocols of VPN networks

VPN networks are built using tunneling protocols over the public Internet; the tunneling protocols encrypt the data and carry it end to end between users. As a rule, the protocols used to build VPN networks today operate at one of the following layers:

  • link layer
  • network layer
  • transport layer.

2.1 Link layer

At the data link layer, the L2TP and PPTP data tunneling protocols can be used, which use authorization and authentication.

PPTP.

Currently, the most common VPN protocol is Point-to-Point Tunneling Protocol - PPTP. It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy point-to-point PPP protocol. In practice, PPP remains the communication protocol of a PPP connection session. PPTP creates a tunnel through the network to the recipient's NT server and sends the remote user's PPP packets through it. The server and workstation use a virtual private network and don't care how secure or accessible the global network between them is. Server-initiated termination of a connection session, unlike specialized remote access servers, allows local network administrators not to let remote users through the Windows Server security system.

Although the scope of the PPTP protocol extends only to devices operating under Windows control, it gives companies the ability to interoperate with existing network infrastructures without compromising their own security. Thus, a remote user can connect to the Internet using a local ISP through an analog phone line or ISDN channel and establish a connection to the NT server. At the same time, the company does not have to spend large sums on the organization and maintenance of a modem pool that provides remote access services.

The work of the RRTR is discussed next. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use the destination port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets. In addition to the PPTP control connection that keeps the link alive, a connection is created to forward the data tunnel. Data is encapsulated before it is sent through the tunnel in a slightly different way than during normal transmission. Encapsulating data before sending it to the tunnel involves two steps:

  1. First, the PPP information part is created. Data flows from top to bottom, from the OSI application layer to the link layer.
  2. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot be sent to its destination, since the channel is responsible for this. OSI layer. Therefore, PPTP encrypts the payload field of the packet and takes over the second-layer functions normally associated with PPP, i.e. adds a PPP header and ending to a PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet that belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk, DECnet to enable them to be transported over IP networks. However, GRE does not have the ability to establish sessions and provide data protection from intruders. This uses PPTP's ability to create a tunnel control connection. The use of GRE as an encapsulation method limits the scope of PPTP to only IP networks.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and trailer.

The sending system sends data through the tunnel. The receiving system removes all service headers, leaving only the PPP data.
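To make the layering concrete, here is an added example (not code from the original article) that builds a PPTP data packet the way the text describes, a PPP frame inside an enhanced GRE header inside an IP header, and then unwraps it on the receiving side, checking each layer's markers. The addresses, call ID and inner datagram are constructed values; the PPP trailer mentioned in the text is left out.

```python
import struct

# Real protocol constants: IP protocol 47 is GRE, PPTP's enhanced GRE carries
# protocol type 0x880B for PPP, and PPP protocol 0x0021 means an IPv4 datagram.
IP_PROTO_GRE = 47
GRE_PROTO_PPP = 0x880B
PPP_PROTO_IPV4 = 0x0021
GRE_FLAGS_VER = 0x3001  # K=1 (key present), S=1 (sequence present), version 1


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum of an IP header (returns 0 for a header whose checksum is correct)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ppp_frame(user_datagram: bytes, proto: int = PPP_PROTO_IPV4) -> bytes:
    """Step 1 of the text: wrap the user's datagram in a PPP frame (address 0xFF, control 0x03, protocol)."""
    return struct.pack("!BBH", 0xFF, 0x03, proto) + user_datagram


def gre_encapsulate(ppp: bytes, call_id: int, seq: int) -> bytes:
    """Step 2: put the PPP frame behind an enhanced GRE header (payload length, call ID, sequence number)."""
    return struct.pack("!HHHHI", GRE_FLAGS_VER, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp


def ip_encapsulate(gre: bytes, src: bytes, dst: bytes, ident: int = 0) -> bytes:
    """Outer IP header carrying the sender and recipient addresses; the protocol field says GRE."""
    total_len = 20 + len(gre)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, 64, IP_PROTO_GRE, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + gre


def pptp_tunnel_packet(user_datagram: bytes, src: bytes, dst: bytes, call_id: int, seq: int) -> bytes:
    """Sending side: user data -> PPP -> GRE -> IP, ready to go through the tunnel."""
    return ip_encapsulate(gre_encapsulate(ppp_frame(user_datagram), call_id, seq), src, dst)


def pptp_unwrap(packet: bytes):
    """Receiving side: strip the IP, GRE and PPP headers, checking each layer's markers.
    Returns (call_id, seq, user_datagram), or None if any layer is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0 or packet[9] != IP_PROTO_GRE:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    gre = packet[ihl:total_len]
    if len(gre) < 12:
        return None
    flags_ver, proto, plen, call_id, seq = struct.unpack("!HHHHI", gre[:12])
    if (flags_ver & 0x3007) != 0x3001 or proto != GRE_PROTO_PPP:
        return None
    ppp = gre[12:12 + plen]
    if len(ppp) != plen or plen < 4 or ppp[:2] != b"\xff\x03":
        return None
    if struct.unpack("!H", ppp[2:4])[0] != PPP_PROTO_IPV4:
        return None
    return call_id, seq, ppp[4:]


if __name__ == "__main__":
    # Constructed sample: documentation addresses and a placeholder inner datagram.
    pkt = pptp_tunnel_packet(b"inner-ip-datagram", bytes([192, 0, 2, 10]),
                             bytes([198, 51, 100, 7]), call_id=7, seq=1)
    print(pptp_unwrap(pkt))  # (7, 1, b'inner-ip-datagram')
```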

L2TP

In the near future, an increase in the number of VPNs deployed based on the new Layer 2 Tunneling Protocol - L2TP is expected.

L2TP appeared as a result of the merger of the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, while L2F carries SLIP and PPP packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering Task Force (IETF) recommended that Cisco Systems combine PPTP and L2F. By all accounts, L2TP has incorporated the best features of PPTP and L2F. The main advantage of L2TP is that it allows a tunnel to be created not only in IP networks but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP supports only IP.

L2TP uses UDP as its transport and uses the same message format for both tunnel management and data forwarding. Microsoft's implementation of L2TP uses UDP packets containing encrypted PPP packets as control messages. Reliable delivery is ensured by packet sequence control.

The functionality of PPTP and L2TP differs. L2TP can be used not only in IP networks, and its service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can only be used over IP networks and needs a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee close to 100% security of business-critical data. These features make L2TP a very promising protocol for building virtual networks.

The L2TP and PPTP protocols differ from the layer 3 tunneling protocols in a number of ways:

  1. Corporations can choose how users are authenticated and their credentials verified: on their own "territory" or at the Internet service provider. By processing tunneled PPP packets, corporate network servers obtain all the information they need to identify users.
  2. Tunnel switching is supported: terminating one tunnel and initiating another to one of many potential terminators. Switching tunnels effectively extends the PPP connection to the required endpoint.
  3. Corporate network administrators can implement strategies for assigning access rights to users directly on the firewall and internal servers. Because tunnel terminators receive PPP packets containing user information, they can apply administrator-defined security policies to individual users' traffic. (Layer 3 tunneling does not distinguish between packets coming from the ISP, so security policy filters must be applied at end workstations and network devices.) In addition, when a tunnel switch is used, a layer 2 tunnel can be "continued" so that individual users' traffic is forwarded directly to the corresponding internal servers. Such servers may be tasked with additional packet filtering.

MPLS

MPLS technology (Multiprotocol Label Switching, a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks) can also be used to organize tunnels at the link layer. MPLS operates at a layer that could be placed between the data link layer and the network layer (layer 3) of the OSI model and is therefore commonly referred to as a link-network layer protocol. It was designed to provide a versatile data service for both circuit-switched and packet-switched network customers. With MPLS you can carry a wide variety of traffic, such as IP packets and ATM, SONET and Ethernet frames.

VPN solutions at the link level have a rather limited scope, usually within the provider's domain.

2.2 Network layer

Network layer (IP layer). The IPSec protocol is used, which implements data encryption and confidentiality, as well as subscriber authentication. The use of the IPSec protocol allows you to implement full-featured access equivalent to physical connection to the corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. each client must have software that implements IPSec.

IPSec

Naturally, no company would want to transfer financial or other confidential information over the Internet in the open. VPN channels are protected by strong encryption algorithms embedded in the IPSec security protocol standards. IPSec, or Internet Protocol Security, the standard chosen by the international community (the IETF, Internet Engineering Task Force), creates the security foundation for the Internet Protocol (IP). The IPSec protocol provides protection at the network layer and requires IPSec support only from the two devices communicating with each other; all other devices in between simply forward IP packet traffic.

The way parties interact using IPSec technology is usually defined by the term "secure association" (Security Association, SA). A secure association operates on the basis of an agreement entered into by the parties that use IPSec to protect information transmitted between them. This agreement governs several parameters: sender and recipient IP addresses, cryptographic algorithm, key exchange order, key sizes, key lifetime and authentication algorithm.

IPSec is a consensus set of open standards that has a core that can be easily extended with new features and protocols. The core of IPSec consists of three protocols:

· AH or Authentication Header - authentication header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is to allow the receiving side to make sure that:

  • the packet was sent by a party with which a secure association has been established;
  • the contents of the packet were not distorted during its transmission over the network;
  • the packet is not a duplicate of an already received packet.

The first two functions are mandatory for the AH protocol, and the last one is optional when establishing an association. To perform these functions, the AH protocol uses a special header with the following fields:

  1. The next header field indicates the code of the higher-level protocol, that is, the protocol whose message is placed in the data field of the IP packet.
  2. The payload length field contains the length of the AH header.
  3. The Security Parameters Index (SPI) is used to associate a packet with its intended secure association.
  4. The Sequence Number (SN) field indicates the sequence number of the packet and is used to protect against spoofing by replay (when a third party tries to reuse intercepted secure packets sent by a genuinely authenticated sender).
  5. The authentication data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate the packet and check its integrity. This value, also called the digest, is computed using one of the two computationally irreversible functions required by the AH protocol, MD5 or SHA-1, but any other function can be used.

· ESP or Encapsulating Security Payload - encapsulation of encrypted data - encrypts the transmitted data, providing confidentiality, and can also provide authentication and data integrity.

The ESP protocol solves two groups of problems.

  1. The first includes tasks similar to those of the AH protocol: providing authentication and data integrity based on the digest.
  2. The second is protecting the transmitted data from unauthorized viewing by encrypting it.

The header is divided into two parts separated by a data field.

  1. The first part, called the ESP header itself, is formed by two fields (SPI and SN), the purpose of which is similar to the fields of the same name in the AH protocol, and is placed before the data field.
  2. The remaining service fields of the ESP protocol, called the ESP trailer, are located at the end of the packet.

The two fields of the trailer, next header and authentication data, are similar to the fields of the AH header. The authentication data field is omitted if it was decided not to use the integrity capabilities of the ESP protocol when establishing the secure association. In addition to these fields, the trailer contains two more fields: padding and pad length.

The AH and ESP protocols can protect data in two modes:

  1. in transport - transmission is carried out with original IP headers;
  2. in a tunnel - the original packet is placed in a new IP packet and the transmission is carried out with new headers.

The use of one or another mode depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. Thus, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

  1. host-host;
  2. gateway-gateway;
  3. host-gateway.

The capabilities of the AH and ESP protocols partially overlap: the AH protocol is only responsible for ensuring the integrity and authentication of data, the ESP protocol can encrypt data and, in addition, perform the functions of the AH protocol (in a truncated form). ESP can support encryption and authentication/integrity functions in any combination, i.e. either the entire group of functions, or only authentication/integrity, or only encryption.
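As an added example (not code from the original article), the following Python builds an ESP packet with the header (SPI, SN), the trailer (padding, pad length, next header) and an ICV, and checks it on the receiving side with a sliding anti-replay window driven by the sequence number, the same SPI/SN/ICV roles the AH field list describes. It demonstrates the authentication/integrity-only combination the text allows and leaves encryption out; the key, SPI, payloads and the 96-bit truncated HMAC-SHA1 ICV are constructed assumptions.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # IPsec truncates HMAC-SHA1 to 96 bits
REPLAY_WINDOW = 64    # sequence numbers this far behind the newest one are rejected
NEXT_HEADER_TCP = 6   # IP protocol number of the payload carried inside ESP
AUTH_KEY = b"constructed-example-auth-key-not-a-real-one"  # constructed sample key


def build_esp(spi: int, seq: int, payload: bytes, key: bytes = AUTH_KEY,
              next_header: int = NEXT_HEADER_TCP) -> bytes:
    """ESP header (SPI, SN) | payload | trailer (padding, pad length, next header) | ICV."""
    # Padding makes pad length + next header end on a 4-byte boundary, as ESP requires.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # ESP's default monotonic padding bytes
    header = struct.pack("!II", spi, seq)
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    body = header + payload + trailer
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class InboundSA:
    """Receiving side of one secure association: verifies the ICV, then the sequence number."""

    def __init__(self, spi: int, key: bytes = AUTH_KEY):
        self.spi = spi
        self.key = key
        self.highest_seq = 0
        self.seen = set()  # sequence numbers already accepted inside the window

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest_seq:          # window slides forward
            self.highest_seq = seq
            self.seen = {s for s in self.seen if s > seq - REPLAY_WINDOW}
            self.seen.add(seq)
            return True
        if seq <= self.highest_seq - REPLAY_WINDOW or seq in self.seen:
            return False                    # too old, or a duplicate
        self.seen.add(seq)                  # late but still inside the window
        return True

    def receive(self, packet: bytes):
        """Return (next_header, payload) for a valid packet; None if the SPI, ICV or replay check fails."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None                     # tampered in transit or wrong key
        pad_len, next_header = struct.unpack("!BB", body[-2:])
        if 8 + pad_len + 2 > len(body):
            return None
        # Only an authenticated packet may move the replay window, so forged SNs cannot poison it.
        if not self._replay_check(seq):
            return None
        return next_header, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    sa = InboundSA(spi=0x1000)  # constructed SPI
    first = build_esp(0x1000, 1, b"hello")
    print(sa.receive(first))    # (6, b'hello')
    print(sa.receive(first))    # None: same sequence number seen again
```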

· IKE or Internet Key Exchange - Internet key exchange - solves the auxiliary task of automatically providing secure channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

2.3 Transport layer

The transport layer uses the SSL/TLS (Secure Socket Layer/Transport Layer Security) protocol, which implements encryption and authentication between the transport layers of the receiver and transmitter. SSL/TLS can be used to secure TCP traffic; it cannot be used to secure UDP traffic. No special software needs to be installed for an SSL/TLS VPN to function, as every browser and mail client is equipped with these protocols. Because SSL/TLS is implemented at the transport layer, a secure connection is established end-to-end.

The TLS protocol is based on Netscape SSL protocol version 3.0 and consists of two parts - TLS Record Protocol and TLS Handshake Protocol. The difference between SSL 3.0 and TLS 1.0 is minor.

SSL/TLS includes three main phases:

  1. Dialogue between the parties, the purpose of which is to choose an encryption algorithm;
  2. Key exchange based on public key cryptosystems or certificate based authentication;
  3. Transfer of data encrypted using symmetric encryption algorithms.

2.4 VPN Implementation: IPSec or SSL/TLS?

Often, the heads of IT departments are faced with the question: which of the protocols should be chosen for building a corporate VPN network? The answer is not obvious, as each approach has both pros and cons. We will try to analyse this and identify when IPSec should be used and when SSL/TLS. As the analysis of the characteristics of these protocols shows, they are not interchangeable and can function both separately and in parallel, defining the functional features of each of the implemented VPNs.

The choice of protocol for building a corporate VPN network can be carried out according to the following criteria:

· Type of access required for VPN users.

  1. Fully functional permanent connection to the corporate network. The recommended choice is IPSec.
  2. A temporary connection, such as a mobile user or a user using a public computer, in order to access certain services, such as e-mail or database. The recommended choice is the SSL/TLS protocol, which allows you to organize a VPN for each individual service.

· Whether the user is an employee of the company.

  1. If the user is a company employee, the device they use to access the corporate network via IPSec VPN can be configured in some specific way.
  2. If the user is not an employee of the company whose corporate network is being accessed, it is recommended to use SSL/TLS. This will restrict guest access to certain services only.

· What is the security level of the corporate network.

  1. High. The recommended choice is IPSec. Indeed, the level of security offered by IPSec is much higher than the level of security offered by the SSL / TLS protocol due to the use of configurable software on the user side and a security gateway on the side of the corporate network.
  2. Average. The recommended choice is the SSL/TLS protocol allowing access from any terminal.

· The level of security of data transmitted by the user.

  1. High, for example, company management. The recommended choice is IPSec.
  2. Medium, for example, a partner. The recommended choice is the SSL/TLS protocol.
  3. Depending on the service, from medium to high. The recommended choice is a combination of IPSec (for services requiring a high level of security) and SSL/TLS (for services requiring a medium level of security).

· What is more important, rapid VPN deployment or future scalability of the solution.

  1. Rapid deployment of a VPN network with minimal cost. The recommended choice is the SSL/TLS protocol. In this case, there is no need to implement special software on the user's side, as in the case of IPSec.
  2. VPN network scalability - adding access to various services. The recommended choice is the IPSec protocol allowing access to all services and resources of the corporate network.
  3. Rapid deployment and scalability. The recommended choice is a combination of IPSec and SSL/TLS: use SSL/TLS in the first phase to access the required services, followed by the implementation of IPSec.

3. Methods for implementing VPN networks

A virtual private network is based on three implementation methods:

· Tunneling;

· Encryption;

· Authentication.

3.1 Tunneling

Tunneling ensures the transfer of data between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden from the source and destination of the data.

The tunnel transport medium, like a ferry, picks up the packets of the network protocol used at the entrance to the tunnel and delivers them unchanged to the exit. Building a tunnel is enough to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the “ferry” with data passes through many intermediate nodes (routers) of an open public network.

This state of affairs raises two problems. The first is that information transmitted through the tunnel can be intercepted by intruders. If it is confidential (bank card numbers, financial reports, personal information), then the threat of its compromise is quite real, which is unpleasant in itself. Worse, attackers are able to modify the data transmitted through the tunnel so that the recipient cannot verify its authenticity. The consequences can be most deplorable. Given the above, we conclude that a tunnel in its pure form is only suitable for certain types of networked computer games and cannot qualify for more serious use. Both problems are solved by modern cryptographic information protection tools. To prevent unauthorized changes to a data packet along the tunnel, an electronic digital signature (EDS) is used. The essence of the method is that each transmitted packet is supplied with an additional block of information, generated according to an asymmetric cryptographic algorithm, that is unique to the contents of the packet and to the sender's secret EDS key. This block of information is the EDS of the packet and allows the recipient, who knows the sender's public EDS key, to authenticate the data. Protection of the data transmitted through the tunnel from unauthorized viewing is achieved by using strong encryption algorithms.

3.2 Authentication

Security is the main function of a VPN. All data from client computers passes through the Internet to the VPN server. Such a server may be a long way from the client computer, and the data on its way to the organization's network passes through the equipment of many providers. How can we make sure that the data has not been read or changed? For this, various authentication and encryption methods are applied.

PPTP can use any of the protocols used for PPP to authenticate users:

  • EAP or Extensible Authentication Protocol;
  • MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
  • CHAP or Challenge Handshake Authentication Protocol;
  • SPAP or Shiva Password Authentication Protocol;
  • PAP or Password Authentication Protocol.

MSCHAP version 2 and EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) are considered the best because they provide mutual authentication, i.e. the VPN server and the client identify each other. In all other protocols, only the server authenticates clients.

Although PPTP provides a sufficient degree of security, L2TP over IPSec is still more reliable. L2TP over IPSec provides authentication at the user and computer levels, as well as authentication and data encryption.

Authentication is carried out either in clear text (a plaintext password) or by a challenge/response scheme. With clear text, everything is clear: the client sends the password to the server. The server compares it with the stored reference value and either denies access or says "welcome". Clear-text authentication is practically never encountered.

The request/response scheme is much more advanced. In general, it looks like this:

  • the client sends the server a request for authentication;
  • the server returns a random challenge;
  • the client computes a hash of its password (a hash is the result of a hash function that converts an input data array of arbitrary length into an output bit string of fixed length), encrypts the challenge with it and sends the result to the server;
  • the server does the same and compares the result with the client's response;
  • if the encrypted responses match, the authentication is considered successful.
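The exchange above, as an added example that is not part of the original article: both sides in Python, with the server storing only the password hash and issuing a fresh single-use challenge for every login, which is why a response recorded on the wire is useless the next time. The user name, password and HMAC-SHA256 construction are my assumptions; MS-CHAP encrypts the challenge with the password hash instead, and HMAC keyed with that hash stands in for it here.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """What both sides derive from the password; the server stores only this, never the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample user database (not from the original text).
USER_DB = {"alice": password_hash("correct horse battery staple")}


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: key a MAC with the password hash and apply it to the server's challenge."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # username -> outstanding challenge, each usable exactly once

    def issue_challenge(self, username: str) -> bytes:
        challenge = os.urandom(16)  # fresh randomness every time, so responses cannot be reused
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        challenge = self.pending.pop(username, None)  # consumed whether or not the login succeeds
        stored = self.user_db.get(username)
        if challenge is None or stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def authenticate(server: Server, username: str, password: str) -> bool:
    """The full exchange from the text: request, challenge, hashed response, comparison."""
    challenge = server.issue_challenge(username)
    return server.verify(username, client_response(password, challenge))


def recorded_response_is_rejected(server: Server, username: str, password: str) -> bool:
    """Why the scheme beats clear-text passwords: a response observed during one login
    does not work for the next one, because the server expects a response to a new challenge."""
    old_challenge = server.issue_challenge(username)
    old_response = client_response(password, old_challenge)
    server.verify(username, old_response)      # the legitimate login
    server.issue_challenge(username)           # the next login gets a different challenge
    return not server.verify(username, old_response)


if __name__ == "__main__":
    srv = Server(USER_DB)
    print(authenticate(srv, "alice", "correct horse battery staple"))  # True
    print(recorded_response_is_rejected(srv, "alice", "correct horse battery staple"))  # True
```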

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates obtained from a certificate authority. The client and server exchange certificates and create a secure ESP SA (security association) connection. After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. Any protocol can be used for authentication, even PAP, which transmits the username and password in clear text. This is quite secure as L2TP over IPSec encrypts the entire session. However, authenticating the user with MSCHAP, which uses different encryption keys to authenticate the computer and the user, can increase security.

3.3. Encryption

Encryption with PPTP ensures that no one can access the data while it is being sent over the Internet. Two encryption methods are currently supported:

  • MPPE or Microsoft Point-to-Point Encryption is only compatible with MSCHAP (versions 1 and 2);
  • EAP-TLS, which is able to automatically choose the encryption key length when negotiating parameters between the client and the server.

MPPE supports 40, 56 or 128 bit keys. Older Windows operating systems only support encryption with a 40-bit key, so in a mixed Windows environment choose the minimum key length.

PPTP changes the value of the encryption key after each received packet. The MPPE protocol was designed for point-to-point links where packets are transmitted sequentially and there is very little data loss. In this situation the key value for the next packet depends on the result of decrypting the previous packet. When building virtual networks across public networks these conditions cannot be met, since data packets often arrive at the recipient in a different order than they were sent. Therefore, PPTP uses packet sequence numbers to change the encryption key. This allows decryption to be performed independently of previously received packets.

Although both protocols are implemented both in Microsoft Windows and outside it (for example, in BSD), the VPN operation algorithms can differ significantly.

Thus, the “tunneling + authentication + encryption” bundle allows you to transfer data between two points through a public network, simulating the operation of a private (local) network. In other words, the considered tools allow you to build a virtual private network.

An additional nice effect of a VPN connection is the ability (and even the need) to use the addressing system adopted in the local network.

In practice, a virtual private network is implemented as follows. A VPN server is installed in the local network of the company's office. The remote user (or router, if two offices are connected) initiates the connection procedure with the server using VPN client software. User authentication takes place; this is the first phase of establishing a VPN connection. If the credentials are confirmed, the second phase begins: the client and the server negotiate the details of securing the connection. After that, the VPN connection is set up, and it ensures the exchange of information between the client and the server in such a way that each data packet passes through encryption/decryption and integrity check (data authentication) procedures.

The main problem of VPN networks is the lack of established standards for authentication and the exchange of encrypted information. These standards are still under development, and therefore products from various manufacturers cannot establish VPN connections with each other and automatically exchange keys. This problem slows down the spread of VPNs, since it is difficult to force different companies to use the products of one manufacturer, and therefore the process of combining the networks of partner companies into so-called extranet networks is difficult.

The advantage of VPN technology is that remote access is organized not through a telephone line but through the Internet, which is much cheaper and better. The disadvantage of VPN technology is that the tools for building VPNs are not full-fledged tools for detecting and blocking attacks. They can prevent a number of unauthorized actions, but not all the possibilities that can be used to penetrate a corporate network. But, despite all this, VPN technology has prospects for further development.

What can we expect in terms of the development of VPN technologies in the future? Without any doubt, a single standard for building such networks will be developed and approved. Most likely, the basis of this standard will be the already proven IPSec protocol. Next, manufacturers will focus on improving the performance of their products and creating convenient VPN controls. Most likely, the development of VPN building tools will go in the direction of router-based VPNs, since this solution combines fairly high performance, VPN integration and routing in one device. However, low-cost solutions for smaller organizations will also be developed. In conclusion, it must be said that, although VPN technology is still very young, it has a great future ahead of it.


VPN (Virtual Private Network) is a virtual private network.

In layman's terms, a VPN is a completely secure channel that connects your internet-enabled device to any other device on the world wide web. To put it even more simply, you can picture it this way: without a connection to a VPN service, your computer (laptop, phone, TV or any other device), when you access the network, is like a private house without a fence. At any moment, anyone can intentionally or accidentally break the trees or trample the beds in your garden. With a VPN, your home turns into an impenetrable fortress whose protection is simply impossible to break.

How does it work?

The principle of VPN operation is simple and “transparent” for the end user. At the moment you go online, a virtual "tunnel" is created between your device and the rest of the Internet, blocking any attempts from the outside to get inside. For you, the work of the VPN remains absolutely “transparent” and invisible. Your personal business correspondence, Skype or telephone conversations cannot be intercepted or overheard in any way. All your data is encrypted using a special encryption algorithm, which is almost impossible to crack.

In addition to protecting against intrusion from the outside, a VPN provides an opportunity to virtually temporarily visit any country in the world and use the network resources of these countries, view TV channels that were previously unavailable. VPN will replace your IP address with any other. To do this, it will be enough for you to select a country from the proposed list, for example, the Netherlands, and all sites and services that you visit will automatically “think” that you are in this particular country.

Why not anonymizer or proxy?

The question arises: why not just use some kind of anonymizer or proxy server, since they also replace the IP address? The answer is very simple: none of these services provides protection; you remain "visible" to intruders, and so does all the data you exchange on the Internet. In addition, working with proxy servers requires a certain ability to set the exact settings. A VPN operates on the principle "connect and work" and does not require any advanced settings. The whole connection process takes a couple of minutes and is very simple.

About Free VPNs

When choosing, you should remember that free VPNs almost always have limits on the amount of traffic and data transfer speed. This means that a situation may arise when you simply cannot continue to use a free VPN. Do not forget that free VPNs are not always stable and are often overloaded. Even if your limit is not exceeded, data transfer may take a long time due to the high load on the VPN server. Paid VPN services are distinguished by a large throughput, the absence of restrictions, both in terms of traffic and speed, and the level of security is higher than that of free ones.

Where to begin?

Most VPN services provide the opportunity to test their quality free of charge for a short period. The testing period can be from several hours to several days. During testing, you usually get full access to all the functionality of the VPN service.

Private networks are used by organizations to connect to remote sites and to other organizations. They consist of communication lines leased from various telephone companies and Internet service providers. These links connect only two sites and are separated from other traffic, since a leased link provides two-way communication between two sites. Private networks have many advantages.

  • The information is kept secret.
  • Remote sites can exchange information immediately.
  • Remote users do not feel isolated from the system they are accessing.

Unfortunately, this type of network has one big drawback - high cost. Using private networks is very expensive. Using slower links can save money, but then remote users will start to notice the lack of speed, and some of the benefits mentioned above will become less obvious.

With the increase in the number of Internet users, many organizations have switched to the use of virtual private networks (VPNs). Virtual Private Networks provide many of the benefits of private networks at a lower cost. However, with the introduction of a VPN, there are a number of questions and dangers for the organization. A well-built virtual private network can bring great benefits to an organization. If the VPN is implemented incorrectly, all information transmitted through the VPN can be accessed from the Internet.

Definition of virtual private networks

So, we intend to transfer confidential data of the organization over the Internet without using leased communication channels, while still taking all measures to ensure traffic privacy. How will we be able to separate our traffic from the traffic of other users of the global network? The answer to this question is encryption.

On the Internet you can find traffic of any type. Much of it is transmitted in the clear, and anyone observing this traffic can read it. This applies to most e-mail and web traffic, as well as telnet and FTP sessions. Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS) traffic is encrypted and cannot be viewed by a user sniffing packets. However, traffic such as SSH and HTTPS does not form a VPN.

Virtual Private Networks have several characteristics.

  • Traffic is encrypted to provide protection from eavesdropping.
  • The remote site is authenticated.
  • VPNs provide support for many protocols.
  • A connection provides communication only between two specific subscribers.

Since SSH and HTTPS cannot carry multiple protocols, they are not real VPNs. VPN packets are mixed in with the flow of regular Internet traffic and remain separate only in the sense that this traffic can be read solely at the endpoints of the connection.

Note

It is possible to implement traffic passing through an SSH session using tunnels. However, for the purposes of this lecture, we will not consider SSH as a VPN.

Let's take a closer look at each of the VPN characteristics. As mentioned above, VPN traffic is encrypted to protect against eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the transmitted information for as long as it remains relevant. Passwords have an expiration period of 30 days (assuming a policy of changing passwords every 30 days); however, classified information may not lose its value for years. Therefore, the encryption algorithm and the way the VPN is used should prevent illegal decryption of the traffic for several years.

The second characteristic is that the remote site is authenticated. This may require individual users to be authenticated against a central server, or mutual authentication of both nodes connected by the VPN. The authentication mechanism used is determined by policy. The policy may provide for user authentication with two parameters or with the use of dynamic passwords. In mutual authentication, both sites may be required to demonstrate knowledge of a certain shared secret (a secret is some information known to both sites in advance), or