fbpx
Wikipedia

Virtual private network

February 15, 2024

"VPN" redirects here. For other uses, see VPN (disambiguation). For commercial services, see VPN service.

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.[1]

A VPN can extend access to a private network (one that disallows or restricts public access) to users who do not have direct access to it, such as an office network allowing secure access from off-site over the Internet.

[2] The benefits of a VPN include security, reduced costs for dedicated communication lines, and greater flexibility for remote workers.[3]

A VPN is created by establishing a virtual point-to-point connection through the use of tunneling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits[example needed] of a private wide area network (WAN).[4]

Types edit

 
VPN classification tree based on the topology first, then on the technology used
 
VPN connectivity overview, showing intranet site-to-site and remote-work configurations used together

Virtual private networks may be classified into several categories:

Remote access
A host-to-network configuration is analogous to connecting a computer to a local area network. This type provides access to an enterprise[jargon] network, such as an intranet. This may be employed for remote workers, or to enable a mobile worker to access necessary tools without exposing them to the public Internet.
Site-to-site
A site-to-site configuration connects two networks. This configuration expands a network across geographically disparate offices or connects a group of offices to a data center installation. The interconnecting link may run over a dissimilar intermediate network, such as two IPv6 networks connected over an IPv4 network.[5]
Extranet-based site-to-site
In the context of site-to-site configurations, the terms intranet and extranet are used to describe two different use cases.[6] An intranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.

Typically, individuals interact with remote access VPNs, whereas businesses tend to make use of site-to-site connections for business-to-business, cloud computing, and branch office scenarios. However, these technologies are not mutually exclusive and, in a significantly complex business network, may be combined to enable remote access to resources located at any given site, such as an ordering system that resides in a data center.

VPN systems also may be classified by:

  • the tunneling protocol used to tunnel the traffic
  • the tunnel's termination point location, e.g., on the customer edge or network-provider edge
  • the type of topology of connections, such as site-to-site or network-to-network
  • the levels of security provided
  • the OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity
  • the number of simultaneous connections

Security mechanisms edit

VPNs cannot make online connections completely anonymous, but they can increase privacy and security by encrypting all communication between remote locations over the open Internet. To prevent disclosure of private information or data sniffing, VPNs typically allow only authenticated remote access using[clarification needed] tunneling protocols and secure encryption techniques.

The VPN security model provides:

 
The life cycle phases of an IPSec tunnel in a virtual private network

Secure VPN protocols include the following:

  • Internet Protocol Security (IPsec) was initially developed by the Internet Engineering Task Force (IETF) for IPv6, and was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.[7] This standards-based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals: availability, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
  • Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN project and SoftEther VPN project[8]) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble[clarification needed] with Network Address Translation and firewall rules.
  • Datagram Transport Layer Security (DTLS) – used in Cisco AnyConnect VPN and in OpenConnect VPN[9] to solve the issues TLS has with tunneling over TCP (SSL/TLS are TCP-based, and tunneling TCP over TCP can lead to big delays and connection aborts[10]).
  • Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
  • Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL/TLS channel (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1).
  • Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark "MPVPN".[relevant?][11]
  • Secure Shell (SSH) VPN – OpenSSH offers VPN tunneling (distinct from port forwarding) to secure[ambiguous] remote connections to a network, inter-network links, and remote systems. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.[12] SSH is more often used to remotely connect to machines or networks instead of a site to site VPN connection.
  • WireGuard is a protocol. In 2020, WireGuard support was added to both the Linux[13] and Android[14] kernels, opening it up to adoption by VPN providers. By default, WireGuard utilizes the Curve25519 protocol for key exchange and ChaCha20-Poly1305 for encryption and message authentication, but also includes the ability to pre-share a symmetric key between the client and server.[15]
  • Internet Key Exchange version 2 was created by Microsoft and Cisco and is used in conjunction with IPSec for encryption and authentication. Its primary use is in mobile devices, whether on 3G or 4G LTE networks, since it automatically reconnects when a connection is lost.
  • OpenVPN is a free and open-source VPN protocol based on the TLS protocol. It supports perfect forward-secrecy, and most modern secure cipher suites, like AES, Serpent, TwoFish, etc. It is currently[may be outdated as of March 2023] being developed and updated by OpenVPN Inc., a non-profit providing secure VPN technologies.
  • Crypto IP Encapsulation (CIPE) is a free and open-source VPN implementation for tunneling IPv4 packets over UDP via encapsulation.[16] CIPE was developed for Linux operating systems by Olaf Titz, with a Windows port implemented by Damion K. Wilson.[17] Development for CIPE ended in 2002.[18]

Authentication edit

Tunnel endpoints must be authenticated before secure VPN tunnels can be established.[citation needed] User-created remote-access VPNs may use passwords, biometrics, two-factor authentication, or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. Depending on the VPN protocol, they may store the key to allow the VPN tunnel to establish automatically, without intervention from the administrator. Data packets are secured by tamper proofing via a message authentication code (MAC), which prevents the message from being altered or tampered without being rejected due to the MAC not matching with the altered data packet.

Routing edit

Tunneling protocols can operate in a point-to-point network topology however, this would theoretically not be considered a VPN because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a virtual, software-defined tunnel interface, customer-provisioned VPNs often are simply[ambiguous] defined tunnels running conventional routing protocols.

Provider-provisioned VPN building blocks edit

 
Site-to-site VPN terminology

Depending on whether a provider-provisioned VPN (PPVPN) operates in Layer 2 (L2) or Layer 3 (L3), the building blocks described below may be L2 only, L3 only, or a combination of both. Multiprotocol Label Switching (MPLS) functionality blurs the L2–L3 identity.[19][original research?]

RFC 4026 generalized the following terms to cover L2 MPLS VPNs and L3 (BGP) VPNs, but they were introduced in RFC 2547.[20][21]

Customer (C) devices

A device that is within a customer's network and not directly connected to the service provider's network. C devices are not aware of the VPN.

Customer edge device (CE)

A device at the edge of the customer's network which provides access to the PPVPN. Sometimes it is just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.

Provider edge device (PE)

A device, or set of devices, at the edge of the provider network that connects to customer networks through CE devices and presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.

Provider device (P)

A device that operates inside the provider's core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.

User-visible PPVPN services edit

OSI Layer 2 services edit

VLAN edit

VLAN is a Layer 2 technique that allows for the coexistence of multiple local area network (LAN) broadcast domains interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).

Virtual Private LAN Service (VPLS) edit

Developed by Institute of Electrical and Electronics Engineers, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Whereas VPLS as described in the above section (OSI Layer 1 services) supports emulation of both point-to-point and point-to-multipoint topologies, the method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as metro Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, emulating the full functionality of a traditional LAN. From a user standpoint, a VPLS makes it possible to interconnect several LAN segments in a way that is transparent to the user, making the separate LAN segments behave as one single LAN.[22]

In a VPLS, the provider network emulates a learning bridge, which may include VLAN service optionally.

Pseudo-wire (PW) edit

PW is similar to VPLS but can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.

Ethernet-over-IP tunneling edit

EtherIP (RFC 3378)[23] is an Ethernet-over-IP tunneling protocol specification. EtherIP has only a packet encapsulation mechanism. It has no confidentiality or message integrity protection. EtherIP was introduced in the FreeBSD network stack[24] and the SoftEther VPN[25] server program.

IP-only LAN-like service (IPLS) edit

A subset of VPLS, the CE devices must have Layer 3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.

Ethernet virtual private network (EVPN) edit

Ethernet VPN (EVPN) is an advanced solution for providing Ethernet services over IP-MPLS networks. In contrast to the VPLS architectures, EVPN enables control-plane-based MAC (and MAC,IP) learning in the network. PEs participating in the EVPN instances learn the customer's MAC (MAC,IP) routes in control-plane using MP-BGP protocol. Control-plane MAC learning brings a number of benefits that allow EVPN to address the VPLS shortcomings, including support for multi-homing with per-flow load balancing and avoidance of unnecessary flooding over the MPLS core network to multiple PEs participating in the P2MP/MP2MP L2VPN (in the occurrence, for instance, of ARP query). It is defined RFC 7432.

OSI Layer 3 PPVPN architectures edit

This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.

One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space.[26] The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.

BGP/MPLS PPVPN

In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which are in the form of 12-byte strings, beginning with an 8-byte route distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.[citation needed]

PEs understand the topology of each VPN, which is interconnected with MPLS tunnels directly or via P routers. In MPLS terminology, the P routers are label switch routers without awareness of VPNs.[citation needed]

Virtual router PPVPN

The virtual router architecture,[27][28] as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label but do not need routing distinguishers.[citation needed]

Unencrypted tunnels edit

Some virtual networks use tunneling protocols without encryption to protect the privacy of data. While VPNs often provide security, an unencrypted overlay network does not fit within the secure or trusted categorization.[29] For example, a tunnel set up between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network but is neither secure nor trusted.[30][31]

Native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec and Point-to-Point Tunneling Protocol (PPTP) or Microsoft Point-to-Point Encryption (MPPE).[32]

Trusted delivery networks edit

Trusted VPNs do not use cryptographic tunneling; instead, they rely on the security of a single provider's network to protect the traffic.[33]

From a security standpoint, a VPN must either trust the underlying delivery network or enforce security with a mechanism in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.[citation needed]

VPNs in mobile environments edit

Mobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points without dropping the secure VPN session or losing application sessions.[37] Mobile VPNs are widely used in public safety where they give law-enforcement officers access to applications such as computer-assisted dispatch and criminal databases,[38] and in other organizations with similar requirements such as field service management and healthcare.[39][need quotation to verify]

Networking limitations edit

A limitation of traditional VPNs is that they are point-to-point connections and do not tend to support broadcast domains; therefore, communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported as on a local area network. Variants on VPN such as Virtual Private LAN Service (VPLS) and layer 2 tunneling protocols are designed to overcome this limitation.[40]

See also edit

References edit

  1. ^ "virtual private network". NIST Computer Security Resource Center Glossary. from the original on 2 January 2023. Retrieved 2 January 2023.
  2. ^ "What Is a VPN? - Virtual Private Network". Cisco. from the original on 31 December 2021. Retrieved 5 September 2021.
  3. ^ Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7. ISBN 9781587050336.
  4. ^ "Virtual Private Networking: An Overview". TechNet. Microsoft Docs. 4 September 2001. from the original on 17 June 2022. Retrieved 7 November 2021.
  5. ^ Davies, Joseph (July 2007). "IPv6 Traffic over VPN Connections". The Cable Guy. TechNet Magazine. from the original on 7 November 2021. Retrieved 7 November 2021 – via Microsoft Docs.
  6. ^ RFC 3809 - Generic Requirements for Provider Provisioned Virtual Private Networks. sec. 1.1. doi:10.17487/RFC3809. RFC 3809.
  7. ^ RFC 6434, "IPv6 Node Requirements", E. Jankiewicz, J. Loughney, T. Narten (December 2011)
  8. ^ "1. Ultimate Powerful VPN Connectivity". www.softether.org. SoftEther VPN Project. from the original on 8 October 2022. Retrieved 8 October 2022.
  9. ^ "OpenConnect". from the original on 29 June 2022. Retrieved 8 April 2013. OpenConnect is a client for Cisco's AnyConnect SSL VPN [...] OpenConnect is not officially supported by, or associated in any way with, Cisco Systems. It just happens to interoperate with their equipment.
  10. ^ "Why TCP Over TCP Is A Bad Idea". sites.inka.de. from the original on 6 March 2015. Retrieved 24 October 2018.
  11. ^ "Trademark Status & Document Retrieval". tarr.uspto.gov. from the original on 21 March 2012. Retrieved 8 October 2022.
  12. ^ "ssh(1) – OpenBSD manual pages". man.openbsd.org. from the original on 5 July 2022. Retrieved 4 February 2018.
    • Barschel, Colin. . cb.vu. Archived from the original on 28 May 2019. Retrieved 2 August 2009.
    • "SSH_VPN – Community Help Wiki". help.ubuntu.com. from the original on 2 July 2022. Retrieved 28 July 2009.
  13. ^ Salter, Jim (30 March 2020). "WireGuard VPN makes it to 1.0.0—and into the next Linux kernel". Ars Technica. from the original on 31 March 2020. Retrieved 30 June 2020.
  14. ^ "Diff - 99761f1eac33d14a4b1613ae4b7076f41cb2df94^! - kernel/common - Git at Google". android.googlesource.com. from the original on 29 June 2022. Retrieved 30 June 2020.
  15. ^ Younglove, R. (December 2000). "Virtual private networks - how they work". Computing & Control Engineering Journal. 11 (6): 260–262. doi:10.1049/cce:20000602. ISSN 0956-3385.
    • Benjamin Dowling, and Kenneth G. Paterson (12 June 2018). "A cryptographic analysis of the WireGuard protocol". International Conference on Applied Cryptography and Network Security. ISBN 978-3-319-93386-3.
  16. ^ Fuller, Johnray; Ha, John (2002). Red Hat Linux 9: Red Hat Linux Security Guide (PDF). United States: Red Hat, Inc. pp. 48–53. (PDF) from the original on 14 October 2022. Retrieved 8 September 2022.
    • Petersen, Richard (2004). "Chapter 17: Internet Protocol Security: IPsec, Crypto IP Encapsulation for Virtual Private Networks". Red Hat - The Complete Reference Enterprise Linux & Fedora Edition. United States: McGraw-Hill/Osborne. ISBN 0-07-223075-4. from the original on 17 January 2023. Retrieved 17 January 2023.
  17. ^ Titz, Olaf (20 December 2011). "CIPE - Crypto IP Encapsulation". CIPE - Crypto IP Encapsulation. from the original on 18 May 2022. Retrieved 8 September 2022.
  18. ^ Titz, Olaf (2 April 2013). "CIPE - encrypted IP in UDP tunneling". SourceForge. from the original on 8 September 2022. Retrieved 8 September 2022.
    • Wilson, Damion (19 October 2002). "CIPE-Win32 - Crypto IP Encapsulation for Windows NT/2000". SourceForge. from the original on 8 September 2022. Retrieved 8 September 2022.
  19. ^ "Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching" (PDF). (PDF) from the original on 24 November 2020. Retrieved 24 October 2020.
  20. ^ E. Rosen & Y. Rekhter (March 1999). "BGP/MPLS VPNs". Internet Engineering Task Force (IETF). RFC 2547. from the original on 1 September 2022. Retrieved 8 October 2022.
  21. ^ Lewis, Mark (2006). Comparing, designing, and deploying VPNs (1st print. ed.). Indianapolis, Ind.: Cisco Press. pp. 5–6. ISBN 1587051796.
  22. ^ Ethernet Bridging (OpenVPN), from the original on 8 October 2022, retrieved 8 October 2022
  23. ^ Hollenbeck, Scott; Housley, Russell. "EtherIP: Tunneling Ethernet Frames in IP Datagrams". from the original on 8 October 2022. Retrieved 8 October 2022.
  24. ^ Glyn M Burton: RFC 3378 EtherIP with FreeBSD 23 March 2018 at the Wayback Machine, 3 February 2011
  25. ^ net-security.org news: Multi-protocol SoftEther VPN becomes open source 8 October 2022 at the Wayback Machine, January 2014
  26. ^ Address Allocation for Private Internets 8 October 2022 at the Wayback Machine, RFC 1918, Y. Rekhter et al., February 1996
  27. ^ RFC 2917, A Core MPLS IP VPN Architecture
  28. ^ RFC 2918, E. Chen (September 2000)
  29. ^ Yang, Yanyan (2006). "IPsec/VPN security policy correctness and assurance". Journal of High Speed Networks. 15: 275–289. CiteSeerX 10.1.1.94.8561.
  30. ^ "Overview of Provider Provisioned Virtual Private Networks (PPVPN)". Secure Thoughts. from the original on 16 September 2016. Retrieved 29 August 2016.
  31. ^ RFC 1702: Generic Routing Encapsulation over IPv4 networks. October 1994.
  32. ^ IETF (1999), RFC 2661, Layer Two Tunneling Protocol "L2TP"
  33. ^ Cisco Systems, Inc. (2004). Internetworking Technologies Handbook. Networking Technology Series (4 ed.). Cisco Press. p. 233. ISBN 9781587051197. Retrieved 15 February 2013. [...] VPNs using dedicated circuits, such as Frame Relay [...] are sometimes called trusted VPNs, because customers trust that the network facilities operated by the service providers will not be compromised.
  34. ^ Layer Two Tunneling Protocol "L2TP" 30 June 2022 at the Wayback Machine, RFC 2661, W. Townsley et al., August 1999
  35. ^ IP Based Virtual Private Networks 9 July 2022 at the Wayback Machine, RFC 2341, A. Valencia et al., May 1998
  36. ^ Point-to-Point Tunneling Protocol (PPTP) 2 July 2022 at the Wayback Machine, RFC 2637, K. Hamzeh et al., July 1999
  37. ^ Phifer, Lisa. "Mobile VPN: Closing the Gap" 6 July 2020 at the Wayback Machine, SearchMobileComputing.com, 16 July 2006.
  38. ^ Willett, Andy. "Solving the Computing Challenges of Mobile Officers" 12 April 2020 at the Wayback Machine, www.officer.com, May, 2006.
  39. ^ Cheng, Roger. "Lost Connections" 28 March 2018 at the Wayback Machine, The Wall Street Journal, 11 December 2007.
  40. ^ Sowells, Julia (7 August 2017). "Virtual Private Network (VPN) : What VPN Is And How It Works". Hackercombat. from the original on 17 June 2022. Retrieved 7 November 2021.

Further reading edit

  • Kelly, Sean (August 2001). . Communication News: 26–28. ISSN 0010-3632. Archived from the original on 17 December 2001.

February 15, 2024
virtual, private, network, redirects, here, other, uses, disambiguation, commercial, services, service, this, section, multiple, issues, please, help, improve, discuss, these, issues, talk, page, learn, when, remove, these, template, messages, this, article, n. VPN redirects here For other uses see VPN disambiguation For commercial services see VPN service This section has multiple issues Please help improve it or discuss these issues on the talk page Learn how and when to remove these template messages This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources Virtual private network news newspapers books scholar JSTOR May 2021 Learn how and when to remove this template message This article may be too technical for most readers to understand Please help improve it to make it understandable to non experts without removing the technical details March 2023 Learn how and when to remove this template message Learn how and when to remove this template message A virtual private network VPN is a mechanism for creating a secure connection between a computing device and a computer network or between two networks using an insecure communication medium such as the public Internet 1 A VPN can extend access to a private network one that disallows or restricts public access to users who do not have direct access to it such as an office network allowing secure access from off site over the Internet 2 The benefits of a VPN include security reduced costs for dedicated communication lines and greater flexibility for remote workers 3 A VPN is created by establishing a virtual point to point connection through the use of tunneling protocols over existing networks A VPN available from the public Internet can provide some of the benefits example needed of a private wide area network WAN 4 Contents 1 Types 2 Security mechanisms 2 1 Authentication 3 Routing 3 1 Provider provisioned VPN building blocks 4 User visible PPVPN services 4 1 OSI Layer 2 services 4 1 1 VLAN 4 1 2 Virtual Private LAN Service VPLS 4 1 3 Pseudo wire PW 4 1 4 Ethernet over IP tunneling 4 1 5 IP only LAN like service IPLS 4 1 6 Ethernet virtual private network EVPN 4 2 OSI Layer 3 PPVPN architectures 4 3 Unencrypted tunnels 5 Trusted delivery networks 6 VPNs in mobile environments 7 Networking limitations 8 See also 9 References 10 Further readingTypes edit nbsp VPN classification tree based on the topology first then on the technology used nbsp VPN connectivity overview showing intranet site to site and remote work configurations used togetherVirtual private networks may be classified into several categories Remote access A host to network configuration is analogous to connecting a computer to a local area network This type provides access to an enterprise jargon network such as an intranet This may be employed for remote workers or to enable a mobile worker to access necessary tools without exposing them to the public Internet Site to site A site to site configuration connects two networks This configuration expands a network across geographically disparate offices or connects a group of offices to a data center installation The interconnecting link may run over a dissimilar intermediate network such as two IPv6 networks connected over an IPv4 network 5 Extranet based site to site In the context of site to site configurations the terms intranet and extranet are used to describe two different use cases 6 An intranet site to site VPN describes a configuration where the sites connected by the VPN belong to the same organization whereas an extranet site to site VPN joins sites belonging to multiple organizations Typically individuals interact with remote access VPNs whereas businesses tend to make use of site to site connections for business to business cloud computing and branch office scenarios However these technologies are not mutually exclusive and in a significantly complex business network may be combined to enable remote access to resources located at any given site such as an ordering system that resides in a data center VPN systems also may be classified by the tunneling protocol used to tunnel the traffic the tunnel s termination point location e g on the customer edge or network provider edge the type of topology of connections such as site to site or network to network the levels of security provided the OSI layer they present to the connecting network such as Layer 2 circuits or Layer 3 network connectivity the number of simultaneous connectionsSecurity mechanisms editVPNs cannot make online connections completely anonymous but they can increase privacy and security by encrypting all communication between remote locations over the open Internet To prevent disclosure of private information or data sniffing VPNs typically allow only authenticated remote access using clarification needed tunneling protocols and secure encryption techniques The VPN security model provides confidentiality such that even if the network traffic is sniffed at the packet level see network sniffer or deep packet inspection an attacker would see only encrypted data not the raw data sender authentication to prevent unauthorized users from accessing the VPN message integrity to detect and reject any instances of tampering with transmitted messages nbsp The life cycle phases of an IPSec tunnel in a virtual private networkSecure VPN protocols include the following Internet Protocol Security IPsec was initially developed by the Internet Engineering Task Force IETF for IPv6 and was required in all standards compliant implementations of IPv6 before RFC 6434 made it only a recommendation 7 This standards based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol Its design meets most security goals availability integrity and confidentiality IPsec uses encryption encapsulating an IP packet inside an IPsec packet De encapsulation happens at the end of the tunnel where the original IP packet is decrypted and forwarded to its intended destination Transport Layer Security SSL TLS can tunnel an entire network s traffic as it does in the OpenVPN project and SoftEther VPN project 8 or secure an individual connection A number of vendors provide remote access VPN capabilities through SSL An SSL VPN can connect from locations where IPsec runs into trouble clarification needed with Network Address Translation and firewall rules Datagram Transport Layer Security DTLS used in Cisco AnyConnect VPN and in OpenConnect VPN 9 to solve the issues TLS has with tunneling over TCP SSL TLS are TCP based and tunneling TCP over TCP can lead to big delays and connection aborts 10 Microsoft Point to Point Encryption MPPE works with the Point to Point Tunneling Protocol and in several compatible implementations on other platforms Microsoft Secure Socket Tunneling Protocol SSTP tunnels Point to Point Protocol PPP or Layer 2 Tunneling Protocol traffic through an SSL TLS channel SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1 Multi Path Virtual Private Network MPVPN Ragula Systems Development Company owns the registered trademark MPVPN relevant 11 Secure Shell SSH VPN OpenSSH offers VPN tunneling distinct from port forwarding to secure ambiguous remote connections to a network inter network links and remote systems OpenSSH server provides a limited number of concurrent tunnels The VPN feature itself does not support personal authentication 12 SSH is more often used to remotely connect to machines or networks instead of a site to site VPN connection WireGuard is a protocol In 2020 WireGuard support was added to both the Linux 13 and Android 14 kernels opening it up to adoption by VPN providers By default WireGuard utilizes the Curve25519 protocol for key exchange and ChaCha20 Poly1305 for encryption and message authentication but also includes the ability to pre share a symmetric key between the client and server 15 Internet Key Exchange version 2 was created by Microsoft and Cisco and is used in conjunction with IPSec for encryption and authentication Its primary use is in mobile devices whether on 3G or 4G LTE networks since it automatically reconnects when a connection is lost OpenVPN is a free and open source VPN protocol based on the TLS protocol It supports perfect forward secrecy and most modern secure cipher suites like AES Serpent TwoFish etc It is currently may be outdated as of March 2023 being developed and updated by OpenVPN Inc a non profit providing secure VPN technologies Crypto IP Encapsulation CIPE is a free and open source VPN implementation for tunneling IPv4 packets over UDP via encapsulation 16 CIPE was developed for Linux operating systems by Olaf Titz with a Windows port implemented by Damion K Wilson 17 Development for CIPE ended in 2002 18 Authentication edit Tunnel endpoints must be authenticated before secure VPN tunnels can be established citation needed User created remote access VPNs may use passwords biometrics two factor authentication or other cryptographic methods Network to network tunnels often use passwords or digital certificates Depending on the VPN protocol they may store the key to allow the VPN tunnel to establish automatically without intervention from the administrator Data packets are secured by tamper proofing via a message authentication code MAC which prevents the message from being altered or tampered without being rejected due to the MAC not matching with the altered data packet Routing editTunneling protocols can operate in a point to point network topology however this would theoretically not be considered a VPN because a VPN by definition is expected to support arbitrary and changing sets of network nodes But since most router implementations support a virtual software defined tunnel interface customer provisioned VPNs often are simply ambiguous defined tunnels running conventional routing protocols Provider provisioned VPN building blocks edit nbsp Site to site VPN terminologyDepending on whether a provider provisioned VPN PPVPN operates in Layer 2 L2 or Layer 3 L3 the building blocks described below may be L2 only L3 only or a combination of both Multiprotocol Label Switching MPLS functionality blurs the L2 L3 identity 19 original research RFC 4026 generalized the following terms to cover L2 MPLS VPNs and L3 BGP VPNs but they were introduced in RFC 2547 20 21 Customer C devicesA device that is within a customer s network and not directly connected to the service provider s network C devices are not aware of the VPN Customer edge device CE A device at the edge of the customer s network which provides access to the PPVPN Sometimes it is just a demarcation point between provider and customer responsibility Other providers allow customers to configure it Provider edge device PE A device or set of devices at the edge of the provider network that connects to customer networks through CE devices and presents the provider s view of the customer site PEs are aware of the VPNs that connect through them and maintain VPN state Provider device P A device that operates inside the provider s core network and does not directly interface to any customer endpoint It might for example provide routing for many provider operated tunnels that belong to different customers PPVPNs While the P device is a key part of implementing PPVPNs it is not itself VPN aware and does not maintain VPN state Its principal role is allowing the service provider to scale its PPVPN offerings for example by acting as an aggregation point for multiple PEs P to P connections in such a role often are high capacity optical links between major locations of providers User visible PPVPN services editOSI Layer 2 services edit VLAN edit VLAN is a Layer 2 technique that allows for the coexistence of multiple local area network LAN broadcast domains interconnected via trunks using the IEEE 802 1Q trunking protocol Other trunking protocols have been used but have become obsolete including Inter Switch Link ISL IEEE 802 10 originally a security protocol but a subset was introduced for trunking and ATM LAN Emulation LANE Virtual Private LAN Service VPLS edit Developed by Institute of Electrical and Electronics Engineers VLANs allow multiple tagged LANs to share common trunking VLANs frequently comprise only customer owned facilities Whereas VPLS as described in the above section OSI Layer 1 services supports emulation of both point to point and point to multipoint topologies the method discussed here extends Layer 2 technologies such as 802 1d and 802 1q LAN trunking to run over transports such as metro Ethernet As used in this context a VPLS is a Layer 2 PPVPN emulating the full functionality of a traditional LAN From a user standpoint a VPLS makes it possible to interconnect several LAN segments in a way that is transparent to the user making the separate LAN segments behave as one single LAN 22 In a VPLS the provider network emulates a learning bridge which may include VLAN service optionally Pseudo wire PW edit PW is similar to VPLS but can provide different L2 protocols at both ends Typically its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay In contrast when aiming to provide the appearance of a LAN contiguous between two or more locations the Virtual Private LAN service or IPLS would be appropriate Ethernet over IP tunneling edit EtherIP RFC 3378 23 is an Ethernet over IP tunneling protocol specification EtherIP has only a packet encapsulation mechanism It has no confidentiality or message integrity protection EtherIP was introduced in the FreeBSD network stack 24 and the SoftEther VPN 25 server program IP only LAN like service IPLS edit A subset of VPLS the CE devices must have Layer 3 capabilities the IPLS presents packets rather than frames It may support IPv4 or IPv6 Ethernet virtual private network EVPN edit Ethernet VPN EVPN is an advanced solution for providing Ethernet services over IP MPLS networks In contrast to the VPLS architectures EVPN enables control plane based MAC and MAC IP learning in the network PEs participating in the EVPN instances learn the customer s MAC MAC IP routes in control plane using MP BGP protocol Control plane MAC learning brings a number of benefits that allow EVPN to address the VPLS shortcomings including support for multi homing with per flow load balancing and avoidance of unnecessary flooding over the MPLS core network to multiple PEs participating in the P2MP MP2MP L2VPN in the occurrence for instance of ARP query It is defined RFC 7432 OSI Layer 3 PPVPN architectures edit This section discusses the main architectures for PPVPNs one where the PE disambiguates duplicate addresses in a single routing instance and the other virtual router in which the PE contains a virtual router instance per VPN The former approach and its variants have gained the most attention One of the challenges of PPVPNs involves different customers using the same address space especially the IPv4 private address space 26 The provider must be able to disambiguate overlapping addresses in the multiple customers PPVPNs BGP MPLS PPVPNIn the method defined by RFC 2547 BGP extensions advertise routes in the IPv4 VPN address family which are in the form of 12 byte strings beginning with an 8 byte route distinguisher RD and ending with a 4 byte IPv4 address RDs disambiguate otherwise duplicate addresses in the same PE citation needed PEs understand the topology of each VPN which is interconnected with MPLS tunnels directly or via P routers In MPLS terminology the P routers are label switch routers without awareness of VPNs citation needed Virtual router PPVPNThe virtual router architecture 27 28 as opposed to BGP MPLS techniques requires no modification to existing routing protocols such as BGP By the provisioning of logically independent routing domains the customer operating a VPN is completely responsible for the address space In the various MPLS tunnels the different PPVPNs are disambiguated by their label but do not need routing distinguishers citation needed Unencrypted tunnels edit Some virtual networks use tunneling protocols without encryption to protect the privacy of data While VPNs often provide security an unencrypted overlay network does not fit within the secure or trusted categorization 29 For example a tunnel set up between two hosts with Generic Routing Encapsulation GRE is a virtual private network but is neither secure nor trusted 30 31 Native plaintext tunneling protocols include Layer 2 Tunneling Protocol L2TP when it is set up without IPsec and Point to Point Tunneling Protocol PPTP or Microsoft Point to Point Encryption MPPE 32 Trusted delivery networks editTrusted VPNs do not use cryptographic tunneling instead they rely on the security of a single provider s network to protect the traffic 33 Multiprotocol Label Switching MPLS often overlays VPNs often with quality of service control over a trusted delivery network L2TP 34 which is a standards based replacement and a compromise taking the good features from each for two proprietary VPN protocols Cisco s Layer 2 Forwarding L2F 35 obsolete as of 2009 update and Microsoft s Point to Point Tunneling Protocol PPTP 36 From a security standpoint a VPN must either trust the underlying delivery network or enforce security with a mechanism in the VPN itself Unless the trusted delivery network runs among physically secure sites only both trusted and secure models need an authentication mechanism for users to gain access to the VPN citation needed VPNs in mobile environments editMobile virtual private networks are used in settings where an endpoint of the VPN is not fixed to a single IP address but instead roams across various networks such as data networks from cellular carriers or between multiple Wi Fi access points without dropping the secure VPN session or losing application sessions 37 Mobile VPNs are widely used in public safety where they give law enforcement officers access to applications such as computer assisted dispatch and criminal databases 38 and in other organizations with similar requirements such as field service management and healthcare 39 need quotation to verify Networking limitations editA limitation of traditional VPNs is that they are point to point connections and do not tend to support broadcast domains therefore communication software and networking which are based on layer 2 and broadcast packets such as NetBIOS used in Windows networking may not be fully supported as on a local area network Variants on VPN such as Virtual Private LAN Service VPLS and layer 2 tunneling protocols are designed to overcome this limitation 40 See also edit nbsp Free Software portal nbsp Internet portalAnonymizer Dynamic Multipoint Virtual Private Network Ethernet VPN Internet privacy Mediated VPN Opportunistic encryption Split tunneling Virtual private server VPN serviceReferences edit virtual private network NIST Computer Security Resource Center Glossary Archived from the original on 2 January 2023 Retrieved 2 January 2023 What Is a VPN Virtual Private Network Cisco Archived from the original on 31 December 2021 Retrieved 5 September 2021 Mason Andrew G 2002 Cisco Secure Virtual Private Network Cisco Press p 7 ISBN 9781587050336 Virtual Private Networking An Overview TechNet Microsoft Docs 4 September 2001 Archived from the original on 17 June 2022 Retrieved 7 November 2021 Davies Joseph July 2007 IPv6 Traffic over VPN Connections The Cable Guy TechNet Magazine Archived from the original on 7 November 2021 Retrieved 7 November 2021 via Microsoft Docs RFC 3809 Generic Requirements for Provider Provisioned Virtual Private Networks sec 1 1 doi 10 17487 RFC3809 RFC 3809 RFC 6434 IPv6 Node Requirements E Jankiewicz J Loughney T Narten December 2011 1 Ultimate Powerful VPN Connectivity www softether org SoftEther VPN Project Archived from the original on 8 October 2022 Retrieved 8 October 2022 OpenConnect Archived from the original on 29 June 2022 Retrieved 8 April 2013 OpenConnect is a client for Cisco s AnyConnect SSL VPN OpenConnect is not officially supported by or associated in any way with Cisco Systems It just happens to interoperate with their equipment Why TCP Over TCP Is A Bad Idea sites inka de Archived from the original on 6 March 2015 Retrieved 24 October 2018 Trademark Status amp Document Retrieval tarr uspto gov Archived from the original on 21 March 2012 Retrieved 8 October 2022 ssh 1 OpenBSD manual pages man openbsd org Archived from the original on 5 July 2022 Retrieved 4 February 2018 Barschel Colin Unix Toolbox cb vu Archived from the original on 28 May 2019 Retrieved 2 August 2009 SSH VPN Community Help Wiki help ubuntu com Archived from the original on 2 July 2022 Retrieved 28 July 2009 Salter Jim 30 March 2020 WireGuard VPN makes it to 1 0 0 and into the next Linux kernel Ars Technica Archived from the original on 31 March 2020 Retrieved 30 June 2020 Diff 99761f1eac33d14a4b1613ae4b7076f41cb2df94 kernel common Git at Google android googlesource com Archived from the original on 29 June 2022 Retrieved 30 June 2020 Younglove R December 2000 Virtual private networks how they work Computing amp Control Engineering Journal 11 6 260 262 doi 10 1049 cce 20000602 ISSN 0956 3385 Benjamin Dowling and Kenneth G Paterson 12 June 2018 A cryptographic analysis of the WireGuard protocol International Conference on Applied Cryptography and Network Security ISBN 978 3 319 93386 3 Fuller Johnray Ha John 2002 Red Hat Linux 9 Red Hat Linux Security Guide PDF United States Red Hat Inc pp 48 53 Archived PDF from the original on 14 October 2022 Retrieved 8 September 2022 Petersen Richard 2004 Chapter 17 Internet Protocol Security IPsec Crypto IP Encapsulation for Virtual Private Networks Red Hat The Complete Reference Enterprise Linux amp Fedora Edition United States McGraw Hill Osborne ISBN 0 07 223075 4 Archived from the original on 17 January 2023 Retrieved 17 January 2023 Titz Olaf 20 December 2011 CIPE Crypto IP Encapsulation CIPE Crypto IP Encapsulation Archived from the original on 18 May 2022 Retrieved 8 September 2022 Titz Olaf 2 April 2013 CIPE encrypted IP in UDP tunneling SourceForge Archived from the original on 8 September 2022 Retrieved 8 September 2022 Wilson Damion 19 October 2002 CIPE Win32 Crypto IP Encapsulation for Windows NT 2000 SourceForge Archived from the original on 8 September 2022 Retrieved 8 September 2022 Configuring PFC3BXL and PFC3B Mode Multiprotocol Label Switching PDF Archived PDF from the original on 24 November 2020 Retrieved 24 October 2020 E Rosen amp Y Rekhter March 1999 BGP MPLS VPNs Internet Engineering Task Force IETF RFC 2547 Archived from the original on 1 September 2022 Retrieved 8 October 2022 Lewis Mark 2006 Comparing designing and deploying VPNs 1st print ed Indianapolis Ind Cisco Press pp 5 6 ISBN 1587051796 Ethernet Bridging OpenVPN archived from the original on 8 October 2022 retrieved 8 October 2022 Hollenbeck Scott Housley Russell EtherIP Tunneling Ethernet Frames in IP Datagrams Archived from the original on 8 October 2022 Retrieved 8 October 2022 Glyn M Burton RFC 3378 EtherIP with FreeBSD Archived 23 March 2018 at the Wayback Machine 3 February 2011 net security org news Multi protocol SoftEther VPN becomes open source Archived 8 October 2022 at the Wayback Machine January 2014 Address Allocation for Private Internets Archived 8 October 2022 at the Wayback Machine RFC 1918 Y Rekhter et al February 1996 RFC 2917 A Core MPLS IP VPN Architecture RFC 2918 E Chen September 2000 Yang Yanyan 2006 IPsec VPN security policy correctness and assurance Journal of High Speed Networks 15 275 289 CiteSeerX 10 1 1 94 8561 Overview of Provider Provisioned Virtual Private Networks PPVPN Secure Thoughts Archived from the original on 16 September 2016 Retrieved 29 August 2016 RFC 1702 Generic Routing Encapsulation over IPv4 networks October 1994 IETF 1999 RFC 2661 Layer Two Tunneling Protocol L2TP Cisco Systems Inc 2004 Internetworking Technologies Handbook Networking Technology Series 4 ed Cisco Press p 233 ISBN 9781587051197 Retrieved 15 February 2013 VPNs using dedicated circuits such as Frame Relay are sometimes called trusted VPNs because customers trust that the network facilities operated by the service providers will not be compromised Layer Two Tunneling Protocol L2TP Archived 30 June 2022 at the Wayback Machine RFC 2661 W Townsley et al August 1999 IP Based Virtual Private Networks Archived 9 July 2022 at the Wayback Machine RFC 2341 A Valencia et al May 1998 Point to Point Tunneling Protocol PPTP Archived 2 July 2022 at the Wayback Machine RFC 2637 K Hamzeh et al July 1999 Phifer Lisa Mobile VPN Closing the Gap Archived 6 July 2020 at the Wayback Machine SearchMobileComputing com 16 July 2006 Willett Andy Solving the Computing Challenges of Mobile Officers Archived 12 April 2020 at the Wayback Machine www officer com May 2006 Cheng Roger Lost Connections Archived 28 March 2018 at the Wayback Machine The Wall Street Journal 11 December 2007 Sowells Julia 7 August 2017 Virtual Private Network VPN What VPN Is And How It Works Hackercombat Archived from the original on 17 June 2022 Retrieved 7 November 2021 Further reading editKelly Sean August 2001 Necessity is the mother of VPN invention Communication News 26 28 ISSN 0010 3632 Archived from the original on 17 December 2001 Retrieved from https en wikipedia org w index php title Virtual private network amp oldid 1206803211, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.