Everybody's connecting.

Security & Savings with Virtual Private Networks


In today's New Economy, small businesses that might have dealt with just local or regional concerns now have to consider global markets and logistics. Many companies even have facilities spread across the country or throughout the world. At the same time, concerns about securing their networks against hackers and Denial-of-Service (DoS) attacks, and about sending data over the Internet, have become more widespread. Whether companies have a local, national, or global presence, they all need one thing: a way to maintain fast, secure, and reliable communications wherever their offices and workers are located.

Until recently, such communications were only available by using leased telephone lines to maintain a Wide Area Network (WAN). Leased lines enabled companies to expand their private network beyond their immediate geographic area. Moreover, a WAN provided advantages over a public network like the Internet when it came to reliability, performance, and security. Unfortunately, leased lines are expensive to maintain, with costs rising as the distance between the offices increases.

As the popularity of the Internet grew, businesses turned to it as a cost-effective way to extend their networks. The continuing popularity of the Internet has led to the evolution of Virtual Private Networks (VPNs).

A VPN is a connection that allows private data to be sent securely over a shared or public network, such as the Internet. In fact, one of the driving forces behind VPNs is the Internet and its global presence. With VPNs, communication links between users and sites can be established quickly, inexpensively, and safely across the world. In this way, VPNs empower organizations to extend their network service to branch offices and remote users such as traveling employees, telecommuters, and strategic partners by creating a private WAN via the Internet.

With all these benefits, small businesses are also eager to reap the advantages afforded by VPNs. However, they're also eager to learn more first. This paper explains what a VPN is and how VPNs provide secure, private connections to network applications. By reading this paper, you will gain a fundamental understanding of VPNs, including their security mechanisms, benefits, and cost-saving advantages.

What is a VPN?
Internet technologies have changed the way that companies disseminate
information to their employees, customers, partners, and suppliers.
Initially, companies were conservative with the information they published on the Internet: product information, product availability, and other less business-critical items. More recently, using VPNs across the Internet has gained wider acceptance as a way to provide more cost-effective access to business-critical information.

A VPN is a combination of software and hardware that allows mobile employees, telecommuters, business partners, and remote sites to use a public or "unsecured" medium such as the Internet to establish a secure, private connection with a host network. With a VPN deployed across the Internet, virtual private connections can be established from almost anywhere in the world.

From the user's perspective, a VPN connection is a point-to-point connection between the user's computer and the company's server. The nature of the intermediate internetwork is irrelevant to the user because it appears as if the data is being sent over a dedicated private link. In this way, the secure connection across the internetwork appears to the user as a private network communication, despite the fact that this communication is occurring over a public internetwork, hence the name Virtual Private Network.

VPN Security
Because the Internet facilitates the creation of VPNs from anywhere, networks need strong security features to prevent unwelcome access to private networks and to protect private data as it traverses the public network. After all, companies that have expectations of privacy over their own networks have the same expectation when the Internet is involved. Unfortunately, as data travels between users and their remote offices, it can pass through 25 or more different servers around the world before reaching its final destination. With so many potentially prying eyes, the data should be secured through some form of encryption.

Figure 1 shows an example of a VPN.
Figure 1. Example of a VPN
Encryption
A key component of a VPN solution is providing data privacy. Without an explicit way to provide data privacy, information traveling over an unsecured channel like the Internet is transmitted in clear text.

Data transmitted in clear text can be viewed or even stolen through common "sniffing" programs and/or devices that monitor data traveling over a network. Tools such as a protocol analyzer or the network diagnostic tools built into today's operating systems can easily "see" the clear-text information as it is transmitted.

Companies are also concerned that some private data may not be encrypted by the VPN before it is transmitted on the public wire. IP headers, for example, will contain the IP addresses of both the client and the server. Hackers may capture these addresses and choose to target these devices for future attacks.

To ensure data privacy and protect valuable transmitted data against "man-in-the-middle" attacks, encryption techniques are required to scramble clear text into cipher text. Encryption scrambles a message into cipher text. The cipher text is then sent to the recipient, who decrypts the message back into clear text again. The encryption and decryption processes on the parts of the sender and receiver of the message combine to form a cryptosystem. There are two types of cryptosystems: private key (described below) and public key (described on page 4).

Private Key (Symmetric) Cryptosystems
A private key cryptosystem uses the same secret, fixed-length bit string as a key for both encryption and decryption. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the private key.

Figure 2 shows an example of how data flows in a private key cryptosystem. In this example, the originator encrypts the message "abc" using the secret key, transforming it into "xyz". Anyone that has the same secret key can then decrypt the message "xyz" back into the original message of "abc".
Figure 2. Example of a Private Key (Symmetric) Cryptosystem
Some common symmetric encryption algorithms include:
- Data Encryption Standard (DES): DES takes a 64-bit block of data and a 56-bit key and produces a 64-bit block of encrypted data.
- RC4: an alternative to DES that uses the same key to scramble and descramble packets. RC4 uses either 40- or 128-bit encryption and is approximately 10 times faster than DES.
- Triple-DES (3-DES): an even more highly sophisticated encryption mechanism that uses three keys instead of one, thereby providing a much higher level of security than DES.

Each of these algorithms differs in bit length (or "strength"). The strength of the algorithm establishes the amount of effort required to break the system. The longer the bit length, the "stronger" the encryption algorithm and the greater the effort required to break the system.

A private key cryptosystem suffers from the following drawbacks:
- Since the "secret key" is used for both encryption and decryption, anyone who steals the key can steal all the data that is currently or has already been encrypted, jeopardizing all present and past communications using the shared key. Because of this danger, the keys must be delivered in a protected manner, such as a direct face-to-face negotiation or a telephone call exchange.
- Since the privacy of all data communications is based on the integrity of the secret key, it is important to replace keys periodically. Replacing keys on a frequent basis presents hackers with a very small window of access to the system, thereby providing a greater level of privacy.

Public Key (Asymmetric) Cryptosystems
A public key cryptosystem uses a pair of mathematically related keys:
- a private key that is kept secret within the system, and
- a public key that can be made known to the public.

Because one of the two elements, the public key, is made available to the general public, the initial creation and exchange of a "shared secret key" that is used for secure communications can be accomplished more easily than with a private key cryptosystem. Two public key cryptosystems that are commonly used within VPN solutions today are Diffie-Hellman (DH) and Rivest Shamir Adleman (RSA).

Figure 3 shows an example of a private key (symmetric) cryptosystem.
Figure 3. Example of a Private Key (Symmetric) Cryptosystem
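The shared-secret creation that Diffie-Hellman makes possible, as an added example that is not part of the original paper: each VPN endpoint sends only its public value across the Internet, and both ends derive the same symmetric key. It assumes Python 3, the IKE group 2 parameters published in RFC 2409, and a simplified SHA-256 key derivation in place of IKE's own.

```python
"""Diffie-Hellman (DH) shared-secret agreement of the kind IPSec VPNs use.
Added example, not from the original paper. Each side keeps a private value
secret and sends only a public value; both then compute the same shared
secret, which is hashed into a symmetric key for a cipher such as 3-DES.
Group parameters are IKE group 2 (RFC 2409, section 6.2); hashing the raw
secret straight into a key is a simplification of IKE's key derivation.
"""
import hashlib
import secrets

# 1024-bit MODP prime and generator 2 of IKE group 2 (RFC 2409).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class DHParty:
    """One end of the tunnel (a VPN gateway or a VPN client)."""

    def __init__(self, name):
        self.name = name
        # Private value: generated locally and never transmitted.
        self._x = secrets.randbelow(P - 2) + 1
        # Public value: may cross the Internet in clear text.
        self.public = pow(G, self._x, P)

    def shared_secret(self, peer_public):
        # Reject degenerate peer values that would force a trivial secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, P)

    def session_key(self, peer_public, key_len=24):
        """Derive a 24-byte (3-DES-sized) symmetric key from the DH secret."""
        secret = self.shared_secret(peer_public)
        raw = secret.to_bytes((P.bit_length() + 7) // 8, "big")
        return hashlib.sha256(raw).digest()[:key_len]


def agree_keys():
    """Run the exchange between a branch-office gateway and headquarters.
    Returns (branch_key, hq_key); only the two public values were exchanged."""
    branch = DHParty("branch")
    hq = DHParty("hq")
    return branch.session_key(hq.public), hq.session_key(branch.public)


if __name__ == "__main__":
    k1, k2 = agree_keys()
    print("keys match:", k1 == k2, "key:", k1.hex())
```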
User Authentication and Access Control
Up to this point, this paper has discussed the encryption aspects of VPNs. Equally as important is the process of ensuring that users are who they say they are. The following sections describe the steps taken to address and resolve these security concerns.

Internet Protocol Security
Internet Protocol Security (IPSec) is a framework of open standards developed by the Internet Engineering Task Force (IETF) to ensure data privacy, data authentication, and user authentication on public networks. It is a robust standard that has withstood extensive peer review and emerged as the clear industry standard for Internet VPNs.
One of the advantages of IPSec is that it operates at the network layer, whereas other approaches insert security at the application layer. The benefit of network layer security is that it can be deployed independently of the applications running on the network. This means that organizations are able to secure their networks without deploying and coordinating security on an application-by-application basis.

Data and User Authentication
Data authentication methods can be used to verify that communications have not been modified in transit.

With user authentication, the identity of the remote user must be verified before that user is granted access to the corporate network. With this method, unauthorized individuals are denied access to the network. This process is arguably the most important element of any VPN solution.
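Both checks described above, data authentication (detecting modification in transit) and user authentication with a pre-shared secret of the kind listed among the methods that follow, as an added Python 3 example that is not the paper's or any vendor's code. The keys, secret and packet contents are constructed sample values, and HMAC-SHA256 stands in for whatever integrity algorithm an IPSec implementation negotiates.

```python
"""Data authentication and pre-shared-secret user authentication.
Added example, not from the original paper. Part 1 appends an HMAC tag to each
packet so the receiver detects any modification in transit (the data
authentication IPSec provides). Part 2 lets a remote user prove knowledge of a
pre-shared secret that was distributed out of band, without ever sending the
secret itself. Keys, secrets and traffic are constructed sample values."""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size
# Constructed sample values; a real deployment distributes these out of band.
INTEGRITY_KEY = b"constructed-integrity-key-for-demo"
PRE_SHARED_SECRET = b"constructed-pre-shared-secret"


def protect(payload, key=INTEGRITY_KEY):
    """Sender side: append an HMAC-SHA256 tag computed over the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(packet, key=INTEGRITY_KEY):
    """Receiver side: return the payload if the tag matches, otherwise None.
    compare_digest keeps the comparison constant-time."""
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def tamper_detected(payload, byte_index):
    """True if flipping one bit of the protected packet makes verify reject it."""
    packet = bytearray(protect(payload))
    packet[byte_index] ^= 0x01
    return verify(bytes(packet)) is None


# --- Pre-shared secret: challenge/response proof of possession ---

def gateway_challenge():
    """VPN gateway issues a fresh random nonce, so a captured response
    cannot be replayed against a later challenge."""
    return secrets.token_bytes(16)


def client_response(challenge, psk=PRE_SHARED_SECRET):
    """Remote user answers with HMAC(psk, challenge); only this one-time
    response crosses the wire, never the secret."""
    return hmac.new(psk, challenge, hashlib.sha256).digest()


def gateway_accepts(challenge, response, psk=PRE_SHARED_SECRET):
    expected = hmac.new(psk, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def run_demo():
    """Returns (integrity_ok, tamper_caught, auth_ok, wrong_secret_rejected)."""
    payload = b"GET /mail/inbox HTTP/1.0\r\n"   # constructed sample traffic
    integrity_ok = verify(protect(payload)) == payload
    tamper_caught = tamper_detected(payload, byte_index=4)
    challenge = gateway_challenge()
    auth_ok = gateway_accepts(challenge, client_response(challenge))
    wrong_secret_rejected = not gateway_accepts(
        challenge, client_response(challenge, psk=b"some-other-secret"))
    return integrity_ok, tamper_caught, auth_ok, wrong_secret_rejected


if __name__ == "__main__":
    print(run_demo())
```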
There are a number of user-authentication methods. These include:

Pre-shared secrets
Pre-shared secrets are passwords that are distributed to users "out of band," or independent of the VPN technology infrastructure. They offer an easy way to deploy VPNs quickly to a limited number of remote users. However, shared secrets do not provide robust scalability for large remote-user environments.

Digital certificates
Digital certificates are electronic credentials for proving user identity. These electronic credentials can be stored on the remote computer or on tokens carried by the user. Management of digital certificates, including distribution and revocation, is automated by a Public Key Infrastructure (PKI). PKIs offer a stronger and more scalable authentication infrastructure than shared secrets, but are more expensive and complex to deploy.

Hybrid Mode Authentication
Hybrid Mode Authentication allows organizations to integrate legacy authentication schemes such as SecureID, TACACS+, and RADIUS with VPNs. Without Hybrid Mode Authentication, these schemes must be replaced by shared secrets or digital certificates to deploy a VPN, which can be a complex and costly process.

Goals and Types of VPNs
VPNs address the following three goals:
- They provide remote, traveling, and telecommuting workers with access to central network resources.
- They securely interconnect satellite offices to enable corporate intranets.
- They supply partners, suppliers, and customers with controlled access to selected network resources.

Historically, remote access has been the strongest of the three goals for VPN adoption, but this situation is changing. While remote access remains at the top of the list, the goals of establishing intranets and extranets have emerged. Today, an equal percentage of network managers are building VPN-based extranets and VPN-based remote-access solutions, with the goal of interconnecting internal offices close behind.

To achieve these objectives, VPNs have evolved into the following three classifications:

VPN Type: Description

Remote-access VPNs: Allow remote workers and telecommuters to connect to the company's corporate information resources inexpensively using the Internet or an Internet Service Provider's (ISP's) backbone.

Intranet-based VPN: An internal, TCP/IP-based, password-protected network that businesses use to share information with employees and others with authorization.

Extranet-based VPN: A network that allows controlled network access from external networks, such as from customers, trading partners, suppliers, partners, and business associates. When a company has a close relationship with other companies, it may want to build an extranet-based VPN that connects its LAN to the LAN of the other companies.

A key ingredient of VPN solutions is that the same network infrastructure can be used to support all three types of VPNs. A single VPN can support remote-access users, intranets, and extranets. The following sections describe these VPN types, and Figure 3 illustrates them.
Figure 4. Examples of Three VPN Types
Summary of VPN Benefits
A well-designed VPN can provide companies with significant advantages, including:
- Extended geographic connectivity
- Improved security
- Reduced operational costs versus a traditional WAN
- Reduced transit time and transportation costs for remote users
- Improved productivity
- Simplified network topology
- Global networking opportunities
- Telecommuter support
- Broadband networking compatibility
- Faster return on investment than traditional WAN technology
- Scalability that provides a comprehensive solution for cost-effective remote access, intranet, and extranet connectivity using public data services
Cost-Saving Advantages
In addition to the benefits mentioned above, VPNs enable small businesses to save from 30% to 70% over competing remote-access solutions. For connectivity outside the US, the savings can reach 90%. The following sections provide additional information about the cost savings that can be achieved with VPNs.

Eliminating Pricey Leased Lines
One way a VPN lowers costs is by eliminating the need for companies to procure expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to an ISP. This connection can be a local broadband connection such as Digital Subscriber Line (DSL) service, cable service, or a local leased line (which is considerably less expensive than a long-distance leased line). This factor alone convinces many organizations to eliminate other remote-access methods in favor of VPN solutions.

Reducing Long-Distance Dependence
Another way VPNs reduce costs is by allowing remote employees to access the corporate LAN via the Internet by placing a local call into the nearest ISP's POP. This provides a three-fold cost saving. Firstly, local Internet calls are significantly less expensive than pricey long-distance calls. Secondly, companies do not have to support expensive toll-free 800 telephone numbers to accommodate their remote employees. Thirdly, remote employees located at international venues can be supported inexpensively (see "Reduced International Calling Expenses," next).

Reduced International Calling Expenses
VPNs can also slash communications costs significantly for companies that have many international sites. Typically, the cost to link a European site to a North American headquarters office can be high when using leased lines or data services such as frame relay. A VPN built around an ISP with POPs in countries where there are branch offices allows the international sites to pay only for dedicated Internet access to that POP. This method is much less expensive than paying for a long-distance link back to the United States. In fact, some studies show that international remote-access VPNs can yield cost savings of between 60 and 90% over other remote-access solutions.

Obviating Multiple Access Lines
Some organizations have multiple access lines: one to carry data back to headquarters and a second for Internet access. In
fact, some industry studies have found that as many as 72% of sites have multiple access lines. Using a VPN, a branch office with multiple links can eliminate its data lines and move traffic over the existing Internet access connection, resulting in dramatic cost savings.

Reduced Equipment Costs
VPN equipment is much less expensive to deploy and maintain than the equipment required for other remote-access solutions. According to a recent survey by Giga Information Group, domestic remote-access VPNs can yield cost savings of 20 to 70% over other remote-access equipment.

Offloading Support Burden
Another, more subtle way that VPNs lower costs is by offloading the support burden. With VPNs, the ISP handles remote access rather than the organization. ISPs can, in theory, charge much less for their support than it costs a company internally, because the public provider's cost is shared among potentially thousands of customers. In addition, ISPs possess the knowledge and capabilities for maintaining remote access, which may exceed a company's own core expertise.

Scalability and VPNs
The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two.

However, as an organization grows and more offices must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity, five offices require ten lines, and so on. In a traditional WAN, this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically distributed access already available.

Additional Advantages
The real benefits of VPNs lie not in cost savings, but in coverage and openness. VPNs, particularly Internet-based VPNs, are unmatched in their potential for global coverage. No other network service offers the global footprint available by using the Internet.

The same can be said about the openness of the standards-based IP protocol. If there's an intranet or extranet in your company's
future, no other network infrastructure will get you there more directly than a VPN.

VPN Tunneling
VPN technology is based on a tunneling strategy. Tunneling creates a private network that spans the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by the source and destination points (called tunnel interfaces) where the packet enters and exits the network.

Tunneling utilizes three different protocols:
- Carrier protocol: the protocol used by the network that is carrying the information.
- Encapsulating protocol: the protocol that is wrapped around the original data.
- Passenger protocol: the original data being carried.

To better understand how these components work, think of tunneling as a package delivered to you by an overnight-delivery service. The sender places the package (passenger protocol) in an envelope (encapsulating protocol), which is then put on a delivery truck (carrier protocol) at the sender's office (entry tunnel interface). The truck (carrier protocol) travels over the roads (Internet) to your home (exit tunnel interface) and delivers the package. You open the package (encapsulating protocol) and remove the contents (passenger protocol). Tunneling is just that simple.

Tunneling has significant implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Furthermore, you can insert a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.
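The private-address-inside-public-address case just described, as an added example that is not from the original paper: a plain Python 3 implementation of IP-in-IP encapsulation and decapsulation that shows the carrier, encapsulating and passenger roles. It applies no encryption, so it illustrates tunneling alone, not a full IPSec tunnel; the addresses, identification values and payload are constructed samples.

```python
"""IP-in-IP tunneling: a private (non-routable) IPv4 packet carried inside a
globally routable IPv4 packet. Added example, not from the original paper.
Carrier protocol: IPv4. Encapsulating protocol: IP-in-IP (protocol number 4).
Passenger: an IPv4 packet between two RFC 1918 addresses. All addresses,
identification values and payload bytes are constructed samples."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation
IPPROTO_UDP = 17


def checksum(data):
    """Internet checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0, ttl=64):
    """Assemble a minimal 20-byte IPv4 header in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Validate the header checksum and split a packet into its fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "payload": packet[ihl:total_len]}


def encapsulate(inner, entry_if, exit_if):
    """Entry tunnel interface: wrap the passenger packet in an outer header
    addressed between the two public tunnel endpoints."""
    return build_ipv4(entry_if, exit_if, IPPROTO_IPIP, inner, ident=1)


def decapsulate(outer, expected_dst):
    """Exit tunnel interface: accept only IP-in-IP packets addressed to this
    endpoint whose inner source is private, then hand the inner packet on."""
    o = parse_ipv4(outer)
    if o["dst"] != expected_dst or o["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    inner = parse_ipv4(o["payload"])
    if not ipaddress.IPv4Address(inner["src"]).is_private:
        raise ValueError("inner source is not a private address")
    return inner


def tunnel_roundtrip():
    """Branch host 10.0.1.5 reaches HQ host 10.0.2.7 across the Internet.
    Returns the outer addresses the Internet routes on and the inner packet."""
    inner = build_ipv4("10.0.1.5", "10.0.2.7", IPPROTO_UDP,
                       b"constructed application data", ident=7)
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    wire = parse_ipv4(outer)
    return wire["src"], wire["dst"], decapsulate(outer, "198.51.100.20")


if __name__ == "__main__":
    print(tunnel_roundtrip())
```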
NETGEAR Solutions
NETGEAR's FVS318 Cable/DSL ProSafe VPN Firewalls provide the ability to establish multiple VPN tunnels using IPSec DES or 3-DES encryption technology. These routers can be used together to establish and terminate a VPN tunnel, without the need for VPN client software. Conversely, they can be used in conjunction with standard VPN client software (SafeNet) when using multiple routers is not practical. The latter case could apply to a mobile workforce, such as a salesperson.
Other routers that support IPSec pass-through, such as NETGEAR's RP614 Cable/DSL Web Safe Router, can be used at a remote site and terminate a VPN tunnel, provided the PCs at the remote site are using a VPN client.

Clearly, the most practical and easy-to-deploy method would be to have VPN-enabled FVS318s at both sites, which would eliminate the need for VPN client software on each computer.

Conclusion
This paper has shown that VPNs deliver tangible business benefits, with secure communications and significant cost savings versus other remote-access solutions. Moreover, end users do not need to know anything about VPN client software or hardware to establish a VPN tunnel and access the company LAN. When a user wants to check e-mail remotely, for example, the user simply opens his or her e-mail client and requests a download as if connected to the company LAN.

One of the most exciting aspects of VPNs is that everyone can benefit from these solutions. In the beginning days of the technology, early adopters were the largest and the smallest of companies. Large enterprises viewed VPNs as a way to contain escalating WAN costs, connect remote users, and integrate partners, suppliers, and customers into their networks. Very small companies adopted VPNs because they were the first real WAN or remote-access solutions they could afford.

Today, VPNs are equally appealing to companies of all sizes. Even small businesses are finding compelling reasons to implement VPNs. Many view VPNs as a competitive advantage, specifically because of their global coverage and the relative ease with which they can be extended to create extranets.

VPNs also have universal appeal across industry types. The earliest adopters included high-technology firms, computer services, and communications companies. Businesses in other industries, including insurance, real estate, manufacturing, and finance, have since found VPNs beneficial. As the technology continues to grow, success stories are coming from other industries as well, including education, health services, transportation, and government. Even the US military takes advantage of VPN benefits. With the decrease in the cost of VPN technology, it is not surprising to see small businesses taking advantage of the savings realized by embracing and deploying these networks.

With all of the interest in VPNs, analysts predict tremendous growth. By late 2001, nearly 70% of businesses with networking
needs are expected to be testing VPNs or using them in a production environment.

Given the growing interest in and increasing deployment of VPNs, it is vital that security keeps pace with that interest. Possessing a better understanding of VPNs and their security mechanisms empowers companies to expand the borders of their business without increasing the vulnerability of their information assets. It also enables you to make a well-informed decision when evaluating VPN solutions.

Information Links

IETF Web site: http://www.ietf.org/
IP Security Protocol (IPSec): http://www.ietf.org/html.charters/ipsec-charter.html
Public Key Infrastructure (X.509 - PKIX): http://www.ietf.org/html.charters/pkix-charter.html
Simple Public Key Infrastructure: http://www.ietf.org/html.charters/spki-charter.html
Point-to-Point Protocol Extensions: http://www.ietf.org/html.charters/pppext-charter.html
Socksv5: ftp://ftp.isi.edu/in-notes/rfc1928.txt
Search IETF Draft Database: http://search.ietf.org/search/brokers/internet-drafts/query.html