From the very name - a virtual private network - it follows that it somehow reproduces the properties of a real private network.

Without any exaggeration, a network can be called private only if the enterprise solely owns and manages the entire network infrastructure - cables, cross-connect equipment, channel-forming equipment, switches, routers and other communication equipment.

A virtual private network is a kind of "network within a network", that is, a service that gives users the illusion that their private network exists inside a public network.

The main objectives of VPN technology are to provide a guaranteed quality of service for user data streams in a public network, as well as to protect them from possible unauthorized access or destruction.

A virtual private network (VPN) joins local networks across an open external environment (a wide-area network) into a single corporate network that provides secure data exchange.

The essence of VPN technology is as follows (Figure 6.1):

Figure 6.1 - Scheme of the VPN network

VPN agents are installed on all computers with Internet access (instead of the Internet, this can be any other public network); the agents process the IP packets transmitted over the computer networks.

VPN agents automatically encrypt all outgoing information (and, correspondingly, decrypt all incoming information). They also check its integrity using an electronic digital signature (EDS) or an imitation insert (a cryptographic checksum calculated with a secret key, i.e. a message authentication code).

Before sending an IP packet, the VPN agent works as follows:

1) The recipient's IP address is analyzed and, depending on this address, the protection algorithm for the packet is selected. If the recipient is not present in the VPN agent's settings, the information is not sent at all.

2) The sender's EDS or imitation insert is generated and added to the packet.

3) The packet is encrypted in its entirety, including the header.

4) Encapsulation is performed, i.e. a new header is generated that carries the address not of the recipient but of its VPN agent. This useful additional feature makes an exchange between two networks look like an exchange between the two computers on which the VPN agents are installed. Information useful to an attacker, such as internal IP addresses, is no longer exposed.

When an IP packet is received, the reverse actions are performed:

1) The header contains information about the sender's VPN agent. If that agent is not in the list of allowed agents in the settings, the information is simply discarded.

2) According to the settings, the cryptographic algorithms and EDS are selected, together with the necessary keys; the packet is then decrypted and its integrity is checked. Packets with broken integrity (an incorrect EDS) are also discarded.

3) After all the reverse transformations, the packet in its original form is sent to the real destination over the local network.

All of the above operations are performed automatically; the operation of VPN agents is invisible to users. The VPN agent can be located directly on the protected computer (which is especially useful for mobile users). In this case, it protects the communications of only the one computer on which it is installed.
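The send and receive procedures above, as an added toy example (not code from the original text and not a real VPN protocol): the agent selects protection by recipient, encrypts the whole inner packet including its header, encapsulates it under a header that names only the two agents, and on receive checks the sender agent against its allow list and the integrity tag before decrypting. The packet layout, addresses and keys are constructed; the integrity tag here is computed over the ciphertext (encrypt-then-MAC) so a forged packet is rejected without being decrypted, which is the stronger ordering of the sign-and-encrypt steps the text lists.

```python
"""Toy VPN agent: protect an inner packet (select protection by recipient, encrypt the
whole packet, add an integrity tag, encapsulate) and undo it on receive.
Constructed example with a made-up packet format; not a real VPN protocol."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 tag plays the role of the "imitation insert"


def _keystream(key, nonce, length):
    """Keystream from HMAC-SHA256 in counter mode: a stand-in for the agent's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, key, nonce):
    """Stream-encrypt / decrypt (same operation) with the derived keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class VpnAgent:
    """One VPN agent (gateway). `peers` maps an inner destination host to the
    (peer agent address, shared key) that protects it; `allowed` maps a peer agent
    address to the key it must use. Inner packets use the constructed layout
    b"src|dst|payload"; outer packets carry only the agents' addresses in clear."""

    def __init__(self, own_addr, peers, allowed):
        self.own_addr = own_addr
        self.peers = peers
        self.allowed = allowed

    def send(self, inner_packet):
        # 1) choose protection by the recipient address; unknown recipients are never sent
        dst = inner_packet.split(b"|", 2)[1].decode(errors="replace")
        if dst not in self.peers:
            return None
        peer_addr, key = self.peers[dst]
        # 2)+3) encrypt the whole inner packet, header included, then compute the
        #       integrity tag over outer header, nonce and ciphertext (encrypt-then-MAC)
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(inner_packet, key, nonce)
        outer_header = f"{self.own_addr}|{peer_addr}|".encode()
        tag = hmac.new(key, outer_header + nonce + ciphertext, hashlib.sha256).digest()
        # 4) encapsulate: the new header names the agents, not the real endpoints
        return outer_header + nonce + ciphertext + tag

    def receive(self, outer_packet):
        try:
            src_agent, dst_agent, rest = outer_packet.split(b"|", 2)
        except ValueError:
            return None                       # malformed outer header
        src_agent = src_agent.decode(errors="replace")
        dst_agent = dst_agent.decode(errors="replace")
        # the sender agent must be on the allow list and the packet must be addressed to us
        if dst_agent != self.own_addr or src_agent not in self.allowed:
            return None
        if len(rest) < NONCE_LEN + TAG_LEN:
            return None
        key = self.allowed[src_agent]
        outer_header = outer_packet[: len(outer_packet) - len(rest)]
        nonce, ciphertext, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
        # integrity first: a packet with a wrong tag is discarded without being decrypted
        expected = hmac.new(key, outer_header + nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return _xor(ciphertext, key, nonce)   # original packet, ready for the local network


if __name__ == "__main__":
    # constructed demo: two agents sharing one key; 203.0.113.x are documentation addresses
    key = b"\x01" * 32
    a = VpnAgent("203.0.113.1", {"10.0.2.5": ("203.0.113.2", key)}, {"203.0.113.2": key})
    b = VpnAgent("203.0.113.2", {"10.0.1.7": ("203.0.113.1", key)}, {"203.0.113.1": key})
    outer = a.send(b"10.0.1.7|10.0.2.5|GET /report")
    print(b.receive(outer))
```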

6.1 The concept of "tunnel" in data transmission in networks

To transfer data, VPN agents create virtual channels between protected local networks or computers (such a channel is called a "tunnel", and the technology for its creation is called "tunneling"). All information is transmitted through the tunnel in encrypted form.

Figure 6.2.

One of the mandatory features of VPN agents is packet filtering. Packet filtering is implemented in accordance with the settings of the VPN agent, which together form the VPN security policy. To increase the security of a virtual private network, it is advisable to place firewalls (filters) at the ends of the tunnels.

VPN agents act as VPN gateways. A VPN security gateway is a network device that connects two networks, a public (global) network and a local network, and performs encryption and authentication on behalf of the hosts on the network behind it. The VPN gateway can be implemented as a separate hardware device, as a separate software solution, or as a firewall or router supplemented with VPN functions.

The VPN connection of the security gateway appears to the users of the network behind it as a leased line, when in fact it runs over an open packet-switched network. The address of the VPN security gateway on the outside network is the destination address of the incoming tunneled packet; the inside address is the address of the host behind the gateway. The VPN security gateway can function as part of a router, firewall, and the like.

A feature of tunneling is that this technology allows the entire source packet to be encrypted, including the header, and not just its data field. The original packet is encrypted in full along with its header, and this encrypted packet is placed in another, outer packet with an open (unencrypted) header. While the data is transported over the "dangerous" network, only the open fields of the outer packet's header are used; when the outer packet arrives at the endpoint of the secure channel, the inner packet is extracted from it, decrypted, and its own header is used for further transmission in clear form over a network that does not require protection.

Figure 6.3 - Establishing a VPN tunnel

In this case, for external packets, the addresses of border routers (VPN gateways) installed at these two points are used, and the internal addresses of end nodes are contained in internal packets in a protected form (Figure 6.4).

Figure 6.4 - Packet tunneling

6.2 Architecture of VPN networks

There are three main types of VPN architecture:

1) Remote Access VPN

2) Intracorporate VPN (Intranet VPN)

3) Inter-corporate VPN (Extranet VPN)

6.2.1 Remote Access VPN

This scheme (Figure 6.5) provides individual employees with remote access to the organization's corporate network through a public network. Remote clients can work from home or, using a portable computer, from anywhere in the world where there is Internet access.

Figure 6.5 - VPN with remote access

6.2.2 Intra-corporate VPNs (Figure 6.6)

Figure 6.6 - Intranet VPN

Here communication takes place within one common network of the company's geographically distributed branches. This method is called an Intranet VPN. It is advisable both for ordinary branches and for mobile offices that need access to the resources of the "parent" company as well as easy data exchange with each other.

6.2.3 Inter-company VPNs (Figure 6.7)

Figure 6.7 - Extranet VPN

This is the so-called Extranet VPN, where the organization's clients or partners are granted access through secure access channels. It is gaining wide distribution due to the popularity of e-commerce.

In this case, remote clients (partners) have very limited opportunities to use the corporate network: in fact, they are limited to those company resources that are needed when working with them, for example a site with commercial offers, and the VPN is used for the secure transfer of sensitive data.

In addition to VPN gateways, Figure 6.7 also shows firewalls. Firewalls (filters) provide control over the transmitted content (viruses and other external attacks). The firewall is a "fence" around the network that prevents intruders from penetrating it, while the VPN is an "armored car" that protects valuables when they are taken outside the fence. Therefore, both solutions must be used to ensure the required level of security of information resources. Most often, the firewall and VPN functions are combined in the same device.

Every year, electronic communications are improving, and ever higher demands are placed on information exchange for the speed, security and quality of data processing.

Here we take a closer look at the VPN connection: what it is, what a VPN tunnel is for, and how to use a VPN connection.

This material is a kind of introductory word to a series of articles where we will tell you how to create a vpn on various operating systems.

What is a VPN connection?

So, a virtual private network (VPN) is a technology that provides a secure (closed to external access) connection of a logical network over a private or public network, given a high-speed Internet connection.

Such a network connection between computers (geographically distant from each other) uses a point-to-point connection (in other words, "computer-to-computer").

Technically, this connection method is called a VPN tunnel (or tunneling protocol). You can connect to such a tunnel from a computer with any operating system that has an integrated VPN client capable of "forwarding" virtual ports over TCP/IP to another network.

What is vpn for?

The main advantage of a VPN is that the communicating parties get a connectivity platform that not only scales quickly but also (primarily) provides data confidentiality, data integrity, and authentication.

The diagram clearly shows the use of vpn networks.

Beforehand, the rules for connections over the secure channel must be configured on the server and router.

How a VPN works

When a VPN connection is made, information about the IP address of the VPN server and the remote route is transmitted in the message header.

Encapsulated data passing over a public or shared network is protected from interception because all information is encrypted.

The VPN encryption stage is carried out on the sender's side, and the recipient decrypts the data using the message header (provided there is a shared encryption key).

After the message is correctly decrypted, a VPN connection is established between the two networks, which also allows you to work in the public network (for example, exchange data with the client 93.88.190.5).

As for information security, the Internet is an extremely insecure network, whereas a VPN using the OpenVPN, L2TP/IPSec, PPTP or PPPoE protocols is a secure and safe way of transmitting data.

What is a VPN channel for?

VPN tunneling is used:

  • inside the corporate network;
  • to unite remote offices and small branches;
  • for digital telephony service with a large set of telecommunication services;
  • to access external IT resources;
  • to build and implement videoconferencing.

Why do you need a VPN?

A VPN connection is required for:

  • anonymous work on the Internet;
  • downloading applications when the IP address is located in another regional zone of the country;
  • safe work in a corporate environment using communications;
  • simplicity and convenience of connection setup;
  • ensuring a high connection speed without drops;
  • creating a channel protected from hacker attacks.

How to use a VPN?

Examples of how a VPN is used are endless. For instance, on any computer in the corporate network, once a secure VPN connection is set up, you can use mail to check messages, publish materials from anywhere in the country, or download files from torrent networks.

VPN: what is it on a phone?

Access via VPN on your phone (iPhone or any Android device) allows you to remain anonymous when using the Internet in public places, and also prevents traffic interception and device hacking.

A VPN client installed on any OS allows you to bypass many of the provider's settings and rules (if it has set any restrictions).

Which VPN to choose for the phone?

Android mobile phones and smartphones can use applications from the Google Play market:

  • vpnRoot, droidVPN
  • Tor browser for surfing networks, aka Orbot
  • InBrowser, Orfox (Firefox + Tor)
  • SuperVPN Free VPN Client
  • OpenVPN Connect
  • TunnelBear VPN
  • Hideman VPN

Most of these programs serve for the convenience of "hot" system configuration, placing launch shortcuts, anonymous Internet surfing, and choosing the type of connection encryption.

But the main tasks of using a VPN on a phone are checking corporate mail, creating video conferences with multiple participants, and holding meetings outside the organization (for example, when an employee is on a business trip).

What is VPN on an iPhone?

Let us consider in more detail which VPN to choose and how to connect it on an iPhone.

Depending on the type of network supported, when you first start the VPN configuration on an iPhone, you can select the following protocols: L2TP, PPTP and Cisco IPSec (in addition, you can "make" a VPN connection using third-party applications).

All of these protocols support encryption keys, user identification with a password, and certificates.

Among the additional features when setting up a VPN profile on an iPhone are RSA security, the encryption level, and authorization rules for connecting to the server.

For an iPhone, from the App Store you should choose:

  • TunnelBear, a free app with which you can connect to VPN servers in any country.
  • OpenVPN Connect, one of the best VPN clients. To run the application, you must first import the RSA keys to your phone via iTunes.
  • Cloak, a shareware application: the product can be "used" for free for some time, but to keep using the program after the demo period expires, you will have to buy it.

Creating a VPN: choosing and configuring equipment

For corporate communication in large organizations or associations whose offices are remote from each other, hardware is used that can support uninterrupted, secure networking.

To implement VPN technologies, the following can act as a network gateway: Unix servers, Windows servers, a network router, or a network gateway on which the VPN is brought up.

The server or device used to create an enterprise VPN network or a VPN channel between remote offices must perform complex technical tasks and provide a full range of services to users both on workstations and on mobile devices.

Any router or VPN router should provide reliable network operation without "freezes". And the built-in VPN function allows you to change the network configuration for working at home, in an organization or in a remote office.

VPN setup on a router

In general, VPN configuration on a router is carried out through the router's web interface. On "classic" devices, to organize a VPN you go to the "settings" or "network settings" section, select the VPN section, specify the protocol type, enter your subnet address and mask settings, and specify the range of IP addresses for users.

In addition, to secure the connection, you will need to specify the encryption algorithms and authentication methods, generate the negotiation keys, and specify the DNS and WINS servers. In the "Gateway" parameters, you need to specify the IP address of the gateway (your IP) and fill in the data for all network adapters.

If there are several routers in the network, the VPN routing table must be filled in for all devices in the VPN tunnel.

Here is a list of hardware equipment used when building VPN networks:

  • D-Link routers: DIR-320, DIR-620, DSR-1000 with new firmware, or the D-Link DI808HV router
  • Cisco PIX 501 and Cisco 871-SEC-K9 routers
  • Linksys RV082 router, supporting about 50 VPN tunnels
  • Netgear DG834G router and router models FVS318G, FVS318N, FVS336G, SRX5308
  • Mikrotik router with OpenVPN function, for example the Mikrotik RouterBoard RB/2011L-IN
  • VPN equipment RVPN S-Terra or VPN Gate
  • ASUS RT-N66U, RT-N16 and RT-N10 routers
  • ZyXel routers ZyWALL 5, ZyWALL P1, ZyWALL USG

The Internet is increasingly being used as a means of communication between computers because it offers efficient and inexpensive communication. However, the Internet is a public network, and to ensure secure communication through it some mechanism is needed that satisfies at least the following requirements:

    confidentiality of information;

    data integrity;

    availability of information.

These requirements are met by a mechanism called VPN (Virtual Private Network), a generalized name for technologies that provide one or more network connections (a logical network) over another network (for example, the Internet) using cryptographic tools (encryption, authentication, public key infrastructure, and means of protection against replay and modification of the messages transmitted over the logical network).

Creating a VPN does not require additional investments and allows you to stop using leased lines. Depending on the protocols used and the purpose, a VPN can provide three types of connections: host-host, host-network, and network-network.

For clarity, let's imagine the following example: an enterprise has several territorially remote branches and "mobile" employees working at home or on the road. It is necessary to unite all employees of the enterprise in a single network. The easiest way is to put modems in each branch and organize communication as needed. Such a solution, however, is not always convenient and cost-effective: sometimes a constant connection and a large bandwidth are needed. To achieve that, you will either have to lay a dedicated line between branches or rent one. Both are quite expensive. As an alternative, when building a single secure network, you can connect all the company's branches over the Internet using VPN connections and configure VPN tools on the network hosts.

Fig. 6.4. Site-to-site VPN connection

Fig. 6.5. Host-to-network VPN connection

In this case, many problems are solved - branches can be located anywhere around the world.

The danger here is that, firstly, the open network is open to attacks from intruders around the world. Secondly, all data is transmitted over the Internet in the clear, and attackers, having hacked the network, will have all the information transmitted over the network. And, thirdly, data can be not only intercepted, but also replaced during transmission through the network. An attacker can, for example, compromise the integrity of databases by acting on behalf of the clients of one of the trusted branches.

To prevent this from happening, VPN solutions use tools such as data encryption to ensure integrity and confidentiality, authentication and authorization to verify user rights and allow access to a virtual private network.

A VPN connection always consists of a point-to-point link, also known as a tunnel. The tunnel is created in an insecure network, which is most often the Internet.

Tunneling, or encapsulation, is a way to transfer useful information through an intermediate network. Such information may be frames (or packets) of another protocol. With encapsulation, the frame is not transmitted as it was generated by the sending host, but is provided with an additional header containing routing information that allows the encapsulated packets to pass through the intermediate network (the Internet). At the end of the tunnel, the frames are de-encapsulated and transmitted to the recipient. Typically, a tunnel is created by two edge devices located at the entry points to the public network. One of the obvious advantages of tunneling is that this technology allows you to encrypt the entire original packet, including the header, which may contain information that attackers use to break into the network (for example, IP addresses, the number of subnets, etc.).

Although a VPN tunnel is established between two points, each host can establish additional tunnels with other hosts. For example, when three remote stations need to contact the same office, three separate VPN tunnels will be created to this office. For all tunnels, the node on the office side can be the same. This is possible due to the fact that the node can encrypt and decrypt data on behalf of the entire network, as shown in the figure:

Fig. 6.6. Creating VPN tunnels for multiple remote locations

The user establishes a connection to the VPN gateway, after which the user has access to the internal network.

Within a private network, encryption itself does not occur. The reason is that this part of the network is considered secure and under direct control, as opposed to the Internet. This is also true when connecting offices using VPN gateways. Thus, encryption is guaranteed only for information that is transmitted over an insecure channel between offices.

There are many various solutions for building virtual private networks. The most famous and widely used protocols are:

    PPTP (Point-to-Point Tunneling Protocol) - this protocol has become quite popular due to its inclusion in Microsoft operating systems.

    L2TP (Layer-2 Tunneling Protocol) - combines the L2F (Layer 2 Forwarding) protocol and PPTP protocol. Typically used in conjunction with IPSec.

    IPSec (Internet Protocol Security) is an official Internet standard developed by the IETF (Internet Engineering Task Force) community.

The listed protocols are supported by D-Link devices.

The PPTP protocol is primarily intended for virtual private networks based on dial-up connections. The protocol allows you to organize remote access, so that users can establish dial-up connections with Internet providers and create a secure tunnel to their corporate networks. Unlike IPSec, the PPTP protocol was not originally intended to organize tunnels between local networks. PPTP extends the capabilities of PPP, a data-link protocol that was originally designed to encapsulate data and deliver it over point-to-point connections.

The PPTP protocol allows you to create secure channels for data exchange using various protocols: IP, IPX, NetBEUI, etc. The data of these protocols is packed into PPP frames, which are encapsulated using the PPTP protocol into IP packets. They are then transported using IP in encrypted form over any TCP/IP network. The receiving node extracts the PPP frames from the IP packets and then processes them in the standard way, i.e. extracts an IP, IPX, or NetBEUI packet from the PPP frame and sends it over the local network. Thus, the PPTP protocol creates a point-to-point connection in the network and transmits data over the created secure channel. The main advantage of encapsulating protocols such as PPTP is their multiprotocol nature, i.e. data protection at the data link layer is transparent to network and application layer protocols. Therefore, within the network, either the IP protocol (as in the case of an IPSec-based VPN) or any other protocol can be used as a transport.

Currently, due to the ease of implementation, the PPTP protocol is widely used both for obtaining reliable secure access to a corporate network and for accessing ISP networks when a client needs to establish a PPTP connection with an ISP in order to access the Internet.

The encryption method used in PPTP is specified at the PPP layer. Usually the PPP client is a desktop computer with a Microsoft operating system, and the Microsoft Point-to-Point Encryption (MPPE) protocol is used as the encryption protocol. This protocol is based on the RSA RC4 standard and supports 40- or 128-bit encryption. For many applications this level of encryption is sufficient, although it is considered less secure than a number of other encryption algorithms offered by IPSec, in particular the 168-bit Triple Data Encryption Standard (3DES).

How is a PPTP connection established?

PPTP encapsulates IP packets for transmission over an IP network. PPTP clients create a tunnel control connection that keeps the link alive. This process is performed at the transport layer of the OSI model. After the tunnel is created, the client computer and the server start exchanging service packets.

In addition to the PPTP control connection, a connection is created to send data over the tunnel. Encapsulating data before sending it to the tunnel involves two steps. First, the information part of the PPP frame is created. Data flows from top to bottom, from the OSI application layer to the link layer. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Data from the link layer reaches the transport layer. However, the information cannot be sent to its destination yet, since the OSI link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes over the link-layer functions that usually belong to PPP, i.e. adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame. Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IP and IPX to enable them to be transported over IP networks. However, using the GRE protocol alone does not ensure session establishment and data security; for this, PPTP's ability to create a tunnel control connection is used. The use of GRE as the encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the sender and recipient addresses of the packet. Finally, PPTP adds a PPP header and ending.

Fig. 6.7 shows the data structure for forwarding over a PPTP tunnel:

Fig. 6.7. Data structure for forwarding over a PPTP tunnel

Setting up a VPN based on PPTP does not require large expenses and complex settings: it is enough to install a PPTP server in the central office (PPTP solutions exist for both Windows and Linux platforms), and run on client computers necessary settings. If you need to combine several branches, then instead of setting up PPTP on all client stations, it is better to use an Internet router or a firewall with PPTP support: settings are made only on a border router (firewall) connected to the Internet, everything is absolutely transparent for users. Examples of such devices are DIR/DSR multifunctional Internet routers and DFL series firewalls.

GRE tunnels

Generic Routing Encapsulation (GRE) is a network packet encapsulation protocol that provides traffic tunneling through networks without encryption. Examples of using GRE:

    transmission of traffic (including broadcast) through equipment that does not support a specific protocol;

    tunneling IPv6 traffic through an IPv4 network;

    data transfer via public networks to implement a secure VPN connection.

Fig. 6.8. An example of a GRE tunnel

Between routers A and B (Fig. 6.8) there are several other routers; the GRE tunnel provides a connection between the local networks 192.168.1.0/24 and 192.168.3.0/24 as if routers A and B were connected directly.

L2TP

The L2TP protocol appeared as a result of the merger of the PPTP and L2F protocols. The main advantage of the L2TP protocol is that it allows you to create a tunnel not only in IP networks, but also in ATM, X.25 and Frame Relay networks. L2TP uses UDP as a transport and uses the same message format for both tunnel management and data forwarding.

As in the case of PPTP, L2TP begins assembling a packet for transmission into the tunnel by first adding the PPP header, then the L2TP header, to the PPP information data field. The resulting packet is encapsulated in UDP. Depending on the type of IPSec security policy chosen, L2TP can encrypt the UDP messages and add an Encapsulating Security Payload (ESP) header and trailer, as well as an IPSec Authentication trailer (see the "L2TP over IPSec" section). Then it is encapsulated in IP: an IP header is added containing the sender and recipient addresses. Finally, L2TP performs a second PPP encapsulation to prepare the data for transmission. Fig. 6.9 shows the data structure to be sent over an L2TP tunnel.

Fig. 6.9. Data structure for forwarding over an L2TP tunnel

The receiving computer receives the data, processes the PPP header and ending, and strips the IP header. IPSec Authentication authenticates the IP information field, and the IPSec ESP header helps decrypt the packet.

The computer then processes the UDP header and uses the L2TP header to identify the tunnel. The PPP packet now contains only the payload that is being processed or forwarded to the specified recipient.

IPsec (short for IP Security) is a set of protocols for securing data transmitted over the IP Internet Protocol, allowing authentication and/or encryption of IP packets. IPsec also includes protocols for secure key exchange on the Internet.

IPSec security is achieved through additional protocols that add their own headers to the IP packet (encapsulation). Because IPSec is an Internet standard, there are RFC documents for it:

    RFC 2401 (Security Architecture for the Internet Protocol) is the security architecture for the IP protocol.

    RFC 2402 (IP Authentication header) - IP authentication header.

    RFC 2404 (The Use of HMAC-SHA-1-96 within ESP and AH) - Use of the SHA-1 hash algorithm to create an authentication header.

    RFC 2405 (The ESP DES-CBC Cipher Algorithm With Explicit IV) - Use of the DES encryption algorithm.

    RFC 2406 (IP Encapsulating Security Payload (ESP)) - Data Encryption.

    RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP) is the scope of the key management protocol.

    RFC 2408 (Internet Security Association and Key Management Protocol (ISAKMP)) - management of keys and authenticators of secure connections.

    RFC 2409 (The Internet Key Exchange (IKE)) - Key Exchange.

    RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec) - The NULL Encryption Algorithm and Its Use.

    RFC 2411 (IP Security Document Roadmap) is a further development of the standard.

    RFC 2412 (The OAKLEY Key Determination Protocol) - Checking the Authenticity of a Key.

IPsec is an integral part of the IPv6 Internet Protocol and an optional extension of the IPv4 version of the Internet Protocol.

The IPSec mechanism performs the following tasks:

    authentication of users or computers during secure channel initialization;

    encryption and authentication of data transferred between endpoints secure channel;

    automatic supply of channel endpoints with secret keys necessary for the operation of authentication and data encryption protocols.

IPSec Components

The AH (Authentication Header) protocol is an authentication header protocol. It ensures integrity by verifying that no bits in the protected part of the packet have been changed during transmission. But using AH can cause problems, for example when a packet passes through a NAT device: NAT changes the packet's IP address to allow Internet access from a private local address, and because the packet changes, the AH checksum becomes incorrect (to eliminate this problem, the NAT-Traversal (NAT-T) protocol was developed, which carries ESP over UDP and uses UDP port 4500). It is also worth noting that AH was designed for integrity only. It does not provide confidentiality, since it does not encrypt the contents of the packet.

The ESP (Encapsulation Security Payload) protocol provides not only the integrity and authentication of transmitted data, but also data encryption, as well as protection against packet spoofing.

The ESP protocol is an encapsulating security protocol that provides both integrity and confidentiality. In transport mode, the ESP header is between the original IP header and the TCP or UDP header. In tunnel mode, the ESP header is placed between the new IP header and the fully encrypted original IP packet.

Because both protocols, AH and ESP, add their own headers after the IP header, each of them has its own protocol number (ID) by which you can determine what follows the IP header. According to IANA (the Internet Assigned Numbers Authority, the organization responsible for the Internet's number spaces), each protocol has its own number (ID): for example, for TCP this number is 6, and for UDP it is 17. Therefore, when working through a firewall, it is very important to configure the filters so that they pass packets whose protocol ID is AH and/or ESP.

Protocol ID 51 is set to indicate that AH is present in the IP header, and 50 for ESP.

ATTENTION: The protocol ID is not the same as the port number.

The IKE (Internet Key Exchange) protocol is the standard IPsec protocol used to secure communication in virtual private networks. The purpose of IKE is the secure negotiation and delivery of keying material for a security association (SA).

SA is the IPSec term for a connection. An established SA (a secure channel called a "security association", Security Association, SA) includes a shared secret key and a set of cryptographic algorithms.

The IKE protocol performs three main tasks:

    provides a means of authentication between two VPN endpoints;

    establishes new IPSec connections (creates a pair of SAs);

    manages existing SAs.

IKE uses UDP port number 500. When using the NAT Traversal feature, as mentioned earlier, the IKE protocol uses UDP port number 4500.

Data exchange in IKE occurs in two phases. In the first phase, the IKE SA is established. At this point the endpoints of the channel are authenticated and the data protection parameters are selected, such as the encryption algorithm, session key, and so on.

In the second phase, the IKE SA is used to negotiate the SAs of the protected protocol (usually IPSec).

Once the VPN tunnel is configured, one SA pair is created for each protocol used. SAs are created in pairs because each SA is a unidirectional connection and data must be sent in both directions. The resulting SA pairs are stored on each node.

Since each node can establish multiple tunnels with other nodes, each SA has a unique number that determines which node it belongs to. This number is called the SPI (Security Parameter Index).

SAs are stored in a database, the SAD (Security Association Database).

Each IPSec node also has a second database, the SPD (Security Policy Database). It contains the host's configured policy. Most VPN solutions allow you to create multiple policies with combinations of suitable algorithms for each host you want to connect to.

The flexibility of IPSec lies in the fact that for each task there are several ways to solve it, and the methods chosen for one task are usually independent of the methods for implementing other tasks. However, the IETF Working Group has defined a core set of supported features and algorithms that must be implemented in the same way across all IPSec-enabled products. The AH and ESP mechanisms can be used with various authentication and encryption schemes, some of which are mandatory. For example, IPSec specifies that packets are authenticated using either the MD5 one-way function or the SHA-1 one-way function, and encryption is done using the DES algorithm. Manufacturers of products that run IPSec may add other authentication and encryption algorithms. For example, some products support encryption algorithms such as 3DES, Blowfish, Cast, RC5, etc.

Any symmetric encryption algorithm that uses secret keys can be used to encrypt data in IPSec.

The stream protection protocols (AH and ESP) can operate in two modes: transport mode and tunnel mode. In transport mode, IPsec deals only with transport-layer information; only the payload of the IP packet (the TCP/UDP segment) is encrypted, while the IP header itself is neither changed nor encrypted. Transport mode is typically used to establish a connection between hosts.

Tunnel mode encrypts the entire IP packet, including the network-layer header. In order for it to be transmitted over the network, it is placed inside another IP packet. Essentially, this is a secure IP tunnel. Tunnel mode can be used to connect remote computers to a virtual private network (the "host-network" connection scheme) or to organize secure data transfer over open links (for example, the Internet) between gateways, connecting different parts of a virtual private network (the network-to-network connection scheme).

IPsec modes are not mutually exclusive. On the same host, some SAs may use transport mode, while others may use tunnel mode.

During the authentication phase, the ICV (Integrity Check Value) of the packet is calculated. It is assumed that both nodes know the secret key, which allows the recipient to calculate the ICV and compare it with the value sent by the sender. If the ICV comparison succeeds, the sender of the packet is considered authenticated.

In AH transport mode, the following components are included in the ICV calculation:

    all fields of the IP header, except for some fields that can be changed in transit. These fields, which are set to 0 for the ICV calculation, are the Type of Service (TOS), flags, fragment offset, time to live (TTL), and the header checksum;

    all fields of AH;

    the payload of the IP packet.

AH in transport mode protects the IP header (except for fields that are allowed to change) and the payload in the original IP packet (Figure 3.39).

In tunnel mode, the original packet is placed in a new IP packet, and data transfer is performed based on the header of the new IP packet.

In AH tunnel mode, the following components are included in the ICV calculation:

    all fields of the outer IP header, except for some fields that can be changed in transit. These fields, which are set to 0 for the ICV calculation, are the Type of Service (TOS), flags, fragment offset, time to live (TTL), and the header checksum;

    all fields of AH;

    the original IP packet.

As you can see in the following illustration, AH tunnel mode protects the entire source IP packet with an additional outer header that AH transport mode does not use:

Figure 6.10. Tunnel and transport modes of the AH protocol
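The AH transport-mode ICV rule above, shown as an added example (not code from the original text): the IPv4 header is copied with the mutable fields zeroed, the AH header has its own ICV field zeroed, and an HMAC-SHA1-96 is taken over header + AH + payload. All addresses, the key and the SPI are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed sample: the addresses, key and SPI below are made up for illustration.

AH_PROTO = 51      # IP protocol number that signals "an AH header follows"
ICV_LEN = 12       # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits


def ipv4_header(src, dst, proto, total_len, tos=0, ttl=64, flags=0, frag=0):
    """Build a 20-byte IPv4 header without options. The header checksum is left
    at 0: AH zeroes it for the ICV anyway and this example never reaches a NIC."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (flags << 13) | frag
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, 0x1234,
                       flags_frag, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields that may legitimately change in
    transit (TOS, flags, fragment offset, TTL, header checksum) set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # Type of Service
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH layout: Next Header, Payload Len (AH length in 32-bit words minus 2),
    Reserved, SPI, Sequence Number, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over: IP header with mutable fields zeroed, AH header with its own
    ICV field zeroed, and the payload, exactly as listed for transport mode."""
    ah_zeroed = ah_hdr[:12] + b"\x00" * (len(ah_hdr) - 12)
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(key, src, dst, inner_proto, payload, spi, seq):
    """Sender: IP header (protocol 51) + AH + the unchanged payload."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    ah = ah_header(inner_proto, spi, seq)
    return ip_hdr + ah[:12] + ah_icv(key, ip_hdr, ah, payload) + payload


def verify_ah_transport(key, packet):
    """Receiver: recompute the ICV and compare it in constant time.
    Returns (verified, next_header, payload)."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return False, None, None
    ah_len = (packet[21] + 2) * 4
    ah, payload = packet[20:20 + ah_len], packet[20 + ah_len:]
    ok = hmac.compare_digest(ah[12:], ah_icv(key, ip_hdr, ah, payload))
    return ok, packet[20], payload


def demo():
    """A router's TTL decrement is tolerated; a NAT address rewrite or any
    payload change breaks the ICV. Returns (ok_ttl, ok_nat, ok_tamper)."""
    key = b"constructed-demo-key"
    pkt = build_ah_transport(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                             6, b"TCP segment bytes", spi=0x1000, seq=1)
    hop = bytearray(pkt)
    hop[8] -= 1                              # router decrements TTL in transit
    natted = bytearray(pkt)
    natted[12:16] = bytes([203, 0, 113, 5])  # NAT rewrites the source address
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                     # one payload bit changed in transit
    return (verify_ah_transport(key, bytes(hop))[0],
            verify_ah_transport(key, bytes(natted))[0],
            verify_ah_transport(key, bytes(tampered))[0])


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The middle result is the NAT incompatibility the text describes: the rewritten source address is inside the ICV scope, so the receiver discards the packet.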

In transport mode, ESP does not authenticate the entire packet, but only protects the IP payload. The ESP header is inserted into the IP packet immediately after the IP header, and the ESP trailer (ESP Trailer) is appended after the data.

ESP transport mode encrypts the following part of the packet:

    the IP payload.

An encryption algorithm that uses Cipher Block Chaining (CBC) mode has an unencrypted field between the ESP header and the payload. This field is the IV (Initialization Vector) for the CBC computation performed by the receiver. Since this field is needed to start decryption, it cannot itself be encrypted. Even though an attacker can see the IV, there is no way to decrypt the encrypted part of the packet without the encryption key. To prevent an attacker from altering the initialization vector, it is protected by the ICV checksum. In this case, the ICV is calculated over:

    all fields in the ESP header;

    payload including plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

ESP tunnel mode encapsulates the entire original IP packet in a new IP header, an ESP header, and an ESP trailer. To indicate that ESP is present, the protocol identifier in the new IP header is set to 50, and the original IP header and payload are left unchanged. As with AH tunnel mode, the outer IP header is built according to the IPSec tunnel configuration. In ESP tunnel mode, the authenticated part of the packet is the region covered by the ICV, which certifies its integrity and authenticity, and the encrypted part is the region whose contents are protected and confidential. The original header is placed after the ESP header. After the encrypted part is encapsulated in a new, unencrypted tunnel header, the IP packet is transmitted. When sent over a public network, such a packet is routed to the IP address of the receiving network's gateway; the gateway decrypts the packet, discards the ESP header, and uses the original IP header to route the packet to a computer on the internal network. ESP tunnel mode encrypts the following part of the packet:

    the original IP packet.

For ESP tunnel mode, the ICV is calculated over:

    all fields in the ESP header;

    the original IP packet, including the plaintext IV;

    all fields in the ESP Trailer except for the authentication data field.

Figure 6.11. Tunnel and transport modes of the ESP protocol

Figure 6.12. Comparison of the ESP and AH protocols

Summary of IPSec application modes:

    Protocol - ESP (AH).

    Mode - tunnel (transport).

    Key exchange method - IKE (manual).

    IKE mode - main (aggressive).

    DH group - group 5 (group 2, group 1) - the Diffie-Hellman group used when deriving dynamically created session keys; the group number determines the group length.

    Authentication - SHA1 (SHA, MD5).

    Encryption - DES (3DES, Blowfish, AES).

When creating a policy, it is usually possible to build an ordered list of algorithms and Diffie-Hellman groups. Diffie-Hellman (DH) is a protocol used to establish the shared secret keys for IKE, IPSec and PFS (Perfect Forward Secrecy). The first entry that matches on both nodes is used. It is very important that every part of the security policy allows this match to be reached: if everything matches except one part of the policy, the hosts will still be unable to establish a VPN connection. When setting up a VPN tunnel between different systems, you need to find out which algorithms each side supports so that you can choose the most secure policy of all those possible.

The main settings that the security policy includes:

    Symmetric algorithms for data encryption/decryption.

    Cryptographic checksums to check data integrity.

    Node identification method. The most common methods are pre-shared secrets or CA certificates.

    Whether to use tunnel mode or transport mode.

    Which Diffie-Hellman group to use (DH group 1 (768-bit); DH group 2 (1024-bit); DH group 5 (1536-bit)).

    Whether to use AH, ESP, or both.

    Whether to use PFS.

A limitation of IPSec is that it only supports data transfer at the IP protocol layer.

There are two main schemes for using IPSec, differing in the role of the nodes that form the secure channel.

In the first scheme, a secure channel is formed between the end hosts of the network. In this scheme, IPSec protects the traffic of the host on which it is running:

Figure 6.13. Creating a secure channel between two endpoints

In the second scheme, a secure channel is established between two security gateways. These gateways receive data from end hosts connected to the networks behind them. The end hosts in this case do not support the IPSec protocol; the traffic directed to the public network passes through the security gateway, which performs the protection on its own behalf.

Figure 6.14. Creating a secure channel between two gateways

For hosts that support IPSec, both transport mode and tunnel mode can be used. For gateways, only tunnel mode is allowed.

Establishing and maintaining a VPN

As mentioned above, establishing and maintaining a VPN tunnel is a two-step process. In the first stage (phase), the two nodes agree on an identification method, an encryption algorithm, a hash algorithm, and a Diffie-Hellman group. They also identify each other. All of this can happen through an exchange of three unencrypted messages (the so-called aggressive mode, Aggressive mode) or six messages, with the identification information exchanged in encrypted form (standard mode, Main mode).

In the Main Mode, it is possible to negotiate all the configuration parameters of the sender and recipient devices, while in the Aggressive Mode this is not possible, and some parameters (Diffie-Hellman group, encryption and authentication algorithms, PFS) must be pre-configured in the same way on each device. However, in this mode, both the number of exchanges and the number of packets sent are fewer, resulting in less time to establish an IPSec session.

Figure 6.15. Message exchange in standard (a) and aggressive (b) modes

Assuming the exchange completes successfully, a first-phase SA is created, the Phase 1 SA (also called the IKE SA), and the process proceeds to the second phase.

In the second phase, the keying material is generated and the nodes agree on the policy to be used. This phase, also called Quick mode, differs from Phase 1 in that it can only take place after Phase 1 has completed, so all Phase 2 packets are encrypted. Successful completion of the second phase produces the Phase 2 SA, or IPSec SA, and with that the tunnel is considered established.

First, a packet arrives at the node with a destination address on another network, and the node initiates the first phase with the node responsible for that network. Suppose the tunnel between the nodes has been established successfully and is waiting for packets. Even so, after a certain period the nodes must re-identify each other and compare policies. This period is called the Phase One lifetime or IKE SA lifetime.

Nodes must also change the key to encrypt data after a period of time called the Phase Two or IPSec SA lifetime.

The Phase Two lifetime is shorter than that of the first phase, because the key needs to be changed more often. You need to set the same lifetime parameters on both nodes. If you do not, the tunnel may initially be established successfully but the connection will be interrupted once the first mismatched lifetime expires. Problems can also arise when the lifetime of the first phase is shorter than that of the second phase. If a previously configured tunnel stops working, the first thing to check is the lifetimes on both nodes.

It should also be noted that if you change the policy on one of the nodes, the changes will take effect only at the next onset of the first phase. For the changes to take effect immediately, you must remove the SA for this tunnel from the SAD database. This will force a revision of the agreement between nodes with the new security policy settings.
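An added example (not code from the original text) covering two points above: the ordered-proposal matching rule, where the first entry present on both nodes wins and a single differing attribute blocks the tunnel, and the lifetime consistency checks from the paragraphs on Phase One and Phase Two lifetimes. The `Proposal` type, its attribute names and all sample values are constructed for illustration.

```python
from dataclasses import dataclass, fields

# Constructed sample policies; the Proposal type and all values are illustrative.


@dataclass(frozen=True)
class Proposal:
    """One entry of an ordered proposal list, mirroring the summary table."""
    protocol: str       # "ESP" or "AH"
    mode: str           # "tunnel" or "transport"
    encryption: str     # "AES", "3DES", "DES", ...
    integrity: str      # "SHA1", "MD5", ...
    dh_group: int       # 1, 2 or 5
    pfs: bool


def negotiate(initiator, responder):
    """Walk the initiator's ordered list; the first proposal that also appears
    in the responder's list wins. Returns None when nothing matches exactly."""
    offered = set(responder)
    for proposal in initiator:
        if proposal in offered:
            return proposal
    return None


def explain_mismatch(initiator, responder):
    """Troubleshooting aid: for the closest pair of proposals, list the
    attributes that differ. Even one differing attribute means no tunnel."""
    best_diff = None
    for mine in initiator:
        for theirs in responder:
            diff = [f.name for f in fields(Proposal)
                    if getattr(mine, f.name) != getattr(theirs, f.name)]
            if best_diff is None or len(diff) < len(best_diff):
                best_diff = diff
    return best_diff or []


def check_lifetimes(phase1_a, phase2_a, phase1_b, phase2_b):
    """Lifetime rules from the text (all values in seconds): both nodes must use
    the same Phase 1 and Phase 2 lifetimes, and Phase 1 must outlast Phase 2."""
    problems = []
    if phase1_a != phase1_b:
        problems.append("IKE SA lifetime differs between the nodes")
    if phase2_a != phase2_b:
        problems.append("IPSec SA lifetime differs between the nodes")
    if phase1_a < phase2_a or phase1_b < phase2_b:
        problems.append("Phase 1 lifetime is shorter than Phase 2 lifetime")
    return problems


def demo():
    """Node A prefers AES/SHA1/group 5 but also accepts 3DES/group 2; node B
    offers only 3DES/group 2. Returns the proposal both sides agree on."""
    a = [Proposal("ESP", "tunnel", "AES", "SHA1", 5, True),
         Proposal("ESP", "tunnel", "3DES", "SHA1", 2, True)]
    b = [Proposal("ESP", "tunnel", "3DES", "SHA1", 2, True)]
    return negotiate(a, b)


if __name__ == "__main__":
    print(demo())
    print(check_lifetimes(28800, 3600, 86400, 3600))
```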

Sometimes, when setting up an IPSec tunnel between equipment from different manufacturers, there are difficulties associated with the coordination of parameters during the establishment of the first phase. You should pay attention to such a parameter as Local ID - this is a unique identifier for the tunnel endpoint (sender and recipient). This is especially important when creating multiple tunnels and using the NAT Traversal protocol.

Dead peer detection

During VPN operation, if there is no traffic between the endpoints of the tunnel, or if the initial data of the remote host changes (for example, a dynamically assigned IP address changes), the tunnel may effectively cease to exist, becoming a "ghost" tunnel. To keep the established IPSec tunnel constantly ready for data exchange, the IKE mechanism described in RFC 3706 monitors the presence of traffic from the remote end of the tunnel, and if there is none for a set time, a hello message is sent (D-Link firewalls send a "DPD-R-U-THERE" message). If there is no response to this message within a certain time (in D-Link firewalls, set by the "DPD Expire Time" setting), the tunnel is torn down. D-Link firewalls then automatically attempt to re-establish the tunnel according to the "DPD Keep Time" setting (Figure 6.18).

NAT Traversal protocol

IPsec traffic can be routed according to the same rules as other IP protocols, but since the router cannot always extract information specific to transport layer protocols, it is impossible for IPsec to pass through NAT gateways. As mentioned earlier, to solve this problem, the IETF has defined a way to encapsulate ESP in UDP, called NAT-T (NAT Traversal).

The NAT Traversal protocol encapsulates IPSec traffic and at the same time produces UDP packets that NAT forwards correctly. To do this, NAT-T places an additional UDP header before the IPSec packet, so that it is treated like a normal UDP packet throughout the network and the recipient host does not perform any integrity checks on it. After the packet arrives at its destination, the UDP header is removed and the data packet continues on its way as an encapsulated IPSec packet. Thus, using the NAT-T mechanism, it is possible to establish communication between IPSec clients in protected networks and public IPSec hosts through firewalls.
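The UDP encapsulation described above, as an added example rather than code from the original text: ESP follows the UDP header directly, IKE on the same port is prefixed with a four-byte zero marker (RFC 3948), and the receiver uses the fact that a real SPI is never zero to tell the two apart. The sample ESP and IKE bytes are constructed placeholders.

```python
import struct

# Constructed sample messages; no real IKE or ESP content is included.

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: four zero bytes before IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte datagram that keeps the NAT mapping alive


def udp_header(src_port, dst_port, payload_len):
    """8-byte UDP header. The checksum is left 0 (optional for UDP over IPv4,
    and a NAT rewrites it together with the ports anyway)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def encapsulate_esp(esp_packet, src_port=NAT_T_PORT):
    """UDP-encapsulated ESP: the ESP header (SPI first) follows the UDP header
    directly, so the outer IP protocol becomes 17 (UDP) instead of 50 (ESP)."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("SPI 0 would be indistinguishable from the non-ESP marker")
    return udp_header(src_port, NAT_T_PORT, len(esp_packet)) + esp_packet


def encapsulate_ike(ike_message, src_port=NAT_T_PORT):
    """IKE on port 4500 carries the 4-byte zero marker so the receiver can tell
    it apart from ESP, whose SPI is never zero."""
    return udp_header(src_port, NAT_T_PORT, 4 + len(ike_message)) + NON_ESP_MARKER + ike_message


def demux(datagram):
    """Receiver side of a port-4500 socket: classify one UDP datagram.
    Returns (kind, inner_bytes) with kind in {"esp", "ike", "keepalive"}."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP datagram")
    _src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dst != NAT_T_PORT or length > len(datagram):
        raise ValueError("not a NAT-T datagram")
    body = datagram[8:length]
    if body == NAT_KEEPALIVE:
        return "keepalive", b""
    if body[:4] == NON_ESP_MARKER:
        return "ike", body[4:]
    return "esp", body


def demo():
    """A NAT rewrote the source port on the way; the receiver still finds the
    ESP packet and its SPI right after the UDP header. Returns (kind, spi)."""
    esp = struct.pack("!II", 0x2000, 1) + b"encrypted-bytes-placeholder"
    kind, inner = demux(encapsulate_esp(esp, src_port=61001))
    return kind, struct.unpack("!I", inner[:4])[0]


if __name__ == "__main__":
    print(demo())  # ('esp', 8192)
```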

There are two points to note when configuring D-Link firewalls on the receiving device:

    in the Remote Network and Remote Endpoint fields, specify the network and IP address of the remote sending device. It is necessary to allow translation of the initiator's (sender's) IP address using NAT (Figure 3.48).

    when using shared keys with multiple tunnels connected to the same remote firewall that have been NATted to the same address, it is important to ensure that the Local ID is unique for each tunnel.

The Local ID can be one of:

    Auto - the IP address of the outgoing traffic interface is used as the local identifier.

    IP - the IP address of the WAN port of the remote firewall.

    DNS - a DNS address.

    Private networks are used by organizations to connect to remote sites and to other organizations. Private networks consist of communication lines leased from various telephone companies and Internet service providers. These links are characterized in that they only connect two sites while being separated from other traffic as the leased links provide two-way communication between two sites. Private networks have many advantages.

    • The information is kept secret.
    • Remote sites can exchange information immediately.
    • Remote users do not feel isolated from the system they are accessing.

    Unfortunately, this type of network has one big drawback - high cost. Using private networks is very expensive. You can save money by using slower links, but then remote users will start to notice the lack of speed, and some of the benefits mentioned above will become less obvious.

    With the increase in the number of Internet users, many organizations have switched to the use of virtual private networks (VPNs). Virtual Private Networks provide many of the benefits of private networks at a lower cost. However, with the introduction of a VPN, there are a number of questions and dangers for the organization. A well-built virtual private network can bring great benefits to an organization. If the VPN is implemented incorrectly, all information transmitted through the VPN can be accessed from the Internet.

    Definition of virtual private networks

    So, we intend to transfer confidential data of the organization over the Internet without using leased communication channels, while still taking all measures to ensure traffic privacy. How will we be able to separate our traffic from the traffic of other users of the global network? The answer to this question is encryption.

    On the Internet, you can find traffic of any type. Much of this traffic is transmitted in the clear, and any user observing it can read it. This applies to most email and web traffic, as well as telnet and FTP sessions. Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS) traffic is encrypted and cannot be viewed by a user sniffing packets. However, traffic like SSH and HTTPS does not form a VPN.

    Virtual Private Networks have several characteristics.

    • Traffic is encrypted to provide protection from eavesdropping.
    • The remote site is authenticated.
    • VPNs provide support for many protocols.
    • A connection provides communication only between two specific subscribers.

    Since SSH and HTTPS are not capable of supporting multiple protocols, they do not qualify as real VPNs. VPN packets are mixed into the normal Internet traffic flow yet remain separate from it, because they can only be read by the connection endpoints.

    Note

    It is possible to implement traffic passing through an SSH session using tunnels. However, for the purposes of this lecture, we will not consider SSH as a VPN.

    Let's take a closer look at each of the VPN characteristics. As mentioned above, VPN traffic is encrypted to protect against eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the transmitted information for as long as it is relevant. Passwords have an expiration period of 30 days (assuming a policy of changing passwords every 30 days); however, classified information may not lose its value for years. Therefore, the encryption algorithm and the way the VPN is used should prevent illegal decryption of traffic for several years.

    The second characteristic is that the remote site is authenticated. This feature may require some users to be authenticated against a central server, or mutual authentication of both nodes that the VPN connects. The authentication mechanism used is controlled by policy. The policy may provide for user authentication with two parameters or with the use of dynamic passwords. With mutual authentication, both sites may be required to demonstrate knowledge of a certain shared secret (a secret is some information known to both sites in advance), or

    Virtual private networks (VPNs) are attracting close attention from both network service providers and Internet service providers, as well as corporate users. Infonetics Research predicts that the VPN market will grow by more than 100% annually through 2003 and reach $12 billion.

    Before discussing the popularity of VPNs, let me remind you that private (corporate) data networks are built, as a rule, using leased (dedicated) communication channels of public switched telephone networks. For many years, these private networks have been designed with specific corporate requirements in mind, resulting in proprietary protocols that support proprietary applications (however, the Frame Relay and ATM protocols have recently gained popularity). Dedicated channels provide reliable protection of confidential information; the flip side of the coin, however, is the high cost of operation and the difficulty of expanding the network, not to mention the inability of a mobile user to connect to it at an unplanned location. At the same time, modern business is characterized by significant dispersal and mobility of the workforce. More and more users need access to corporate information via dial-up channels, and the number of employees working from home is also increasing.

    Further, private networks are unable to provide the same business opportunities that the Internet and IP-based applications provide, such as product promotion, customer support, or ongoing communication with suppliers. This online interaction requires the interconnection of private networks, which typically use different protocols and applications, different network management systems and different communication service providers.

    Thus, the high cost, static nature and difficulties that arise when private networks based on different technologies need to be combined are in conflict with a dynamically developing business, its desire for decentralization and the recent trend towards mergers.

    In parallel, there exist public data transmission networks free of these shortcomings, and the Internet, which has literally enveloped the entire globe with its "web". True, they are also deprived of the most important advantage of private networks: reliable protection of corporate information. Virtual Private Network technology combines the flexibility, scalability, low cost, and literally "anytime, anywhere" availability of the Internet and public networks with the security of private networks. At their core, VPNs are private networks that use public global networks (Internet, Frame Relay, ATM) to transmit traffic. The virtuality lies in the fact that to a corporate user they appear to be dedicated private networks.

    COMPATIBILITY

    Compatibility issues do not arise if VPNs directly use Frame Relay and ATM services, as these are quite well adapted to work in a multiprotocol environment and are suitable for both IP and non-IP applications. All that is required in this case is the availability of an appropriate network infrastructure covering the required geographical area. The most commonly used access devices are Frame Relay Access Devices or routers with Frame Relay and ATM interfaces. Numerous permanent or switched virtual circuits can operate (virtually) with any mixture of protocols and topologies. The matter becomes more complicated if the VPN is based on the Internet. In this case, applications are required to be compatible with the IP protocol. Provided that this requirement is met, you can use the Internet "as it is" to build a VPN, having first provided the necessary level of security. But since most private networks are multiprotocol or use unofficial, internal IP addresses, they cannot connect directly to the Internet without appropriate adaptation. There are many compatibility solutions. The most popular are the following:
    - conversion of existing protocols (IPX, NetBEUI, AppleTalk or others) into IP with an official address;
    - conversion of internal IP addresses to official IP addresses;
    - installation of special IP gateways on servers;
    - use of virtual IP routing;
    - use of a universal tunneling technique.
    The first way is clear, so let's briefly look at the others.
    Converting internal IP addresses to official ones is necessary when the private network is based on the IP protocol. Address translation for the entire corporate network is not necessary, since official IP addresses can coexist with internal ones on the switches and routers of the enterprise network. In other words, a server with an official IP address is still available to private network clients through the local infrastructure. The most commonly used technique is sharing a small block of official addresses among many users. It is similar to sharing a modem pool in that it also relies on the assumption that not all users need access to the Internet at the same time. There are two industry standards here, Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT), which take slightly different approaches. DHCP leases an address to a host for a period determined by the network administrator, while NAT translates an internal IP address to an official one dynamically, for the duration of the communication session with the Internet.

    Another way to make a private network compatible with the Internet is to install an IP gateway. The gateway translates non-IP protocols to IP protocols and vice versa. Most network operating systems that use native protocols have software for the IP gateway.

    The essence of virtual IP routing is to extend the private routing tables and address space to the infrastructure (routers and switches) of the ISP. A virtual IP router is a logical part of a physical IP router owned and operated by the service provider. Each virtual router serves a specific group of users.
    However, perhaps the best way to achieve interoperability is to use tunneling techniques. These techniques have long been used to transmit a multiprotocol packet stream over a common backbone. This proven technology is currently being optimized for Internet-based VPNs.
    The main components of the tunnel are:
    - the tunnel initiator;
    - the routed network;
    - a tunnel switch (optional);
    - one or more tunnel terminators.
    Tunneling must be performed at both ends of the end-to-end link. The tunnel must start with a tunnel initiator and end with a tunnel terminator. Initialization and termination of tunnel operations can be performed by various network devices and software. For example, a tunnel can be initiated by a remote user's computer that has a modem and necessary VPN software installed, a front-end router at a corporate branch office, or a network access concentrator at a service provider.

    For transmission over the Internet, packets other than IP network protocols are encapsulated on the source side into IP packets. The most commonly used method for creating VPN tunnels is to encapsulate a non-IP packet in a PPP (Point-to-Point Protocol) packet and then encapsulate it in an IP packet. Let me remind you that the PPP protocol is used for a point-to-point connection, for example, for client-server communication. The IP encapsulation process involves adding a standard IP header to the original packet, which is then treated as useful information. The corresponding process at the other end of the tunnel removes the IP header, leaving the original packet unchanged. Since tunneling technology is quite simple, it is also the most affordable in terms of cost.

    SECURITY

    Ensuring the required level of security is often the primary consideration when a corporation considers using Internet-based VPNs. Many IT managers are accustomed to the inherent privacy of private networks and view the Internet as too "public" to be used as a private network. In English terminology there are three "P"s whose implementation together provides complete protection of information:
    Protection - protection of resources using firewalls;
    Proof - verification of the identity (integrity) of the packet and authentication of the sender (confirmation of the right of access);
    Privacy - protection of confidential information using encryption.
    All three P's are equally important for any corporate network, including VPNs. In strictly private networks, to protect resources and confidentiality of information, it is enough to use quite simple passwords. But once a private network is connected to a public one, none of the three P's can provide the necessary protection. Therefore, for any VPN, firewalls must be installed at all points of its interaction with the public network, and packets must be encrypted and authenticated.

    Firewalls are an essential component of any VPN. They allow only authorized traffic from trusted users and block everything else. In other words, all access attempts by unknown or untrusted users are rejected. This form of protection must be provided for every site and user, since not having it somewhere means not having it anywhere. Special protocols are used to ensure the security of virtual private networks. These protocols allow hosts to "negotiate" the encryption and digital signature technique to be used, thus maintaining the confidentiality and integrity of the data and authenticating the user.

    The Microsoft Point-to-Point Encryption protocol (MPPE) encrypts PPP packets on the client machine before they are sent into the tunnel. The encryption session is initialized during the establishment of communication with the tunnel terminator using the PPP protocol.

    The secure IP protocols (IPSec) are a series of preliminary standards being developed by the Internet Engineering Task Force (IETF). The group proposed two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH protocol adds a digital-signature header that authenticates the user and ensures data integrity by tracking any changes in transit. This protocol protects only the data, leaving the address part of the IP packet unchanged. The ESP protocol, on the other hand, can encrypt either the entire packet (Tunnel Mode) or just the data (Transport Mode). These protocols are used both separately and in combination.

    To manage security, the industry standard RADIUS (Remote Authentication Dial-In User Service) is used, which is a database of user profiles that contain passwords (authentication) and access rights (authorization).

    The security features are far from being limited to the examples given. Many router and firewall manufacturers offer their own solutions. Among them are Ascend, CheckPoint and Cisco.

    AVAILABILITY

    Availability has three equally important components: the time during which the service is provided, throughput, and delay (latency). Service time is the subject of the contract with the service provider, while the other two belong to quality of service (Quality of Service, QoS). Modern transport technologies allow a VPN to be built that meets the requirements of almost all existing applications.

    CONTROLLABILITY

    Network administrators always want end-to-end management of the corporate network, including the part that belongs to the telecommunications carrier. It turns out that VPNs offer more in this respect than ordinary private networks. A typical private network is administered "border to border": the service provider manages the network up to the edge routers of the corporate network, while the subscriber manages the corporate network itself up to the WAN access devices. VPN technology avoids this division into "spheres of influence" by giving both the provider and the subscriber a single system for managing the network as a whole, both its corporate part and the infrastructure of the public network. The enterprise network administrator can monitor and reconfigure the network, manage the edge access devices, and determine the state of the network in real time.

    VPN ARCHITECTURE

    There are three models of virtual private network architecture: dependent, independent, and hybrid, the last being a combination of the first two. Which model applies is determined by where the four main VPN requirements are implemented. If the wide-area service provider delivers the complete VPN solution, i.e. provides tunneling, security, performance and management, the architecture is dependent on the provider. In this case all VPN processing is transparent to the user, who sees only native traffic, whether IP, IPX or NetBEUI packets. The advantage of the dependent architecture for the subscriber is that the existing network infrastructure can be used as is, adding only a firewall between the VPN and the private WAN/LAN. The price is trust: since the provider's equipment terminates the tunnels and performs the encryption, the provider necessarily handles the subscriber's traffic in the clear.

    An independent architecture is one in which the organization meets all the technological requirements on its own equipment and delegates only the transport function to the service provider. This architecture is more expensive, but gives the organization full control over all operations, including its keys and the plaintext of its traffic.

    The hybrid architecture combines sites that depend on the service provider with sites that the organization runs independently.

    What do VPNs promise corporate users? First of all, according to industry analysts, a reduction in telecommunications costs of all kinds by 30 to 80%. Beyond that: almost ubiquitous access to the networks of the corporation or of other organizations; secure communications with suppliers and customers; improved and extended services not available over the PSTN; and much more. Specialists see VPNs as a new generation of network communications, and many analysts expect VPNs soon to replace most private networks built on leased lines.