Virtual Private Networks (VPNs)
Background information about VPNs
VPNs offer the ability to have private
communications over public networks such as the Internet. The term
refers to a combination of technologies and techniques that secure
the communications between two end points by setting up a secure
tunnel impervious to eavesdropping and interference.
* The following information is
intended to be a reference for products and services related to
mobile PC computing over PCS networks. Neither Intel nor
the Mobile Data Initiative endorse the products or companies listed
below. This information has been submitted by the companies listed
for informational purposes only. No guarantee is made about its
accuracy.
A remote approach using the Internet connection already in place
Purchasing and maintaining modem pools
to support remote workers is becoming a major expense for corporations.
In addition, many of the calls are long distance. Since most of
these same companies already have a connection to the Internet,
an attractive approach is to use this Internet connection for remote
workers to access corporate resources. Rather than dial into the
corporation, remote workers dial into a local Internet service provider
and then traverse the Internet to reach their corporate network.
Since many of the larger ISPs have points of presence in a large
number of cities, remote workers need only make a local call from
almost anywhere. And this approach can even work when workers travel
or work abroad. For international access, using the Internet can
provide much more reliable connections than making international
modem calls.
Using the Internet for remote access
eliminates both the expense of the modem pool as well as the associated
long distance charges. But it does raise questions of security and
performance. And it does require additional equipment and software
at the corporation and possibly additional bandwidth to the Internet.
Fortunately, the technology and service options for addressing both
security and performance are expanding rapidly. Standards to address
interoperability between vendors are beginning to stabilize as well.
The two types of VPNs
The key technology area that addresses
remote access via the Internet is called virtual private networking
(VPN). VPNs are used in either of two ways. In one case, the tunnel
through the Internet is between two private networks, such as corporate
headquarters on one end and a remote office on the other, or between
a company and a partner company. In the latter case the management
of the tunnel on each end is performed by a dedicated VPN server
or by the existing Internet firewall. In fact, VPN functionality
can be thought of as an enhanced firewall function. This type of
VPN is called an extranet.
The other way of using VPNs is to connect
an individual mobile computer (workstation) across the Internet
to a private network. Here the VPN function is implemented as software
within the mobile computer. This computer can then use a local dial-up
connection to access the Internet and reach the private network.
Figure 1 shows the two different types of VPNs. There is also a
variation on this last approach where the individual workstation
makes a connection to an intermediary system, e.g. ISP, which then
manages the creation of the tunnel on behalf of the workstation.

Figure 1: Two types of VPNs.
In a VPN connection, the following
sequence of steps occurs:
- The two end points first authenticate
themselves to each other.
- The VPN server can determine what
services the workstation has permission to access, and can control
subsequent traffic accordingly. This step is called authorization.
- Once the tunnel has been created,
the tunnel endpoints add special headers to packets addressed
for the other end of the tunnel, encrypt the original packet and
header and encapsulate all this information in new IP packets.
The internal headers provide authentication information at the
packet level, and also ensure that any tampering with the data
can be detected.

Figure 2: Secure tunnel with a VPN.
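The encapsulation step described above, sketched as an added example that is not part of the original page or any vendor's product: the whole inner packet is encrypted, wrapped behind a tunnel header, and authenticated so that tampering is detected on receipt. The function names, the 16-byte header layout, the demo keys and the HMAC-based keystream (a stand-in for a real cipher) are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real tunnel agrees on keys during authentication.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-integrity-key"
HDR_LEN = 16   # assumed layout: 4-byte source, 4-byte destination, 8-byte sequence
TAG_LEN = 32   # HMAC-SHA256 output


def _xor_keystream(seq: int, data: bytes) -> bytes:
    """Stand-in cipher (not a vetted one): XOR with an HMAC-SHA256 keystream."""
    # The sender must never reuse a sequence number under the same key.
    stream = b""
    block = 0
    while len(stream) < len(data):
        counter = struct.pack("!QI", seq, block)
        stream += hmac.new(ENC_KEY, counter, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(src: bytes, dst: bytes, seq: int, inner_packet: bytes) -> bytes:
    """Encrypt the entire inner packet, then authenticate header + ciphertext."""
    if len(src) != 4 or len(dst) != 4:
        raise ValueError("tunnel endpoints must be 4-byte IPv4 addresses")
    header = src + dst + struct.pack("!Q", seq)
    ciphertext = _xor_keystream(seq, inner_packet)
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(packet: bytes) -> bytes:
    """Verify the tag before decrypting; any modified byte raises ValueError."""
    if len(packet) < HDR_LEN + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    (seq,) = struct.unpack("!Q", body[8:HDR_LEN])
    return _xor_keystream(seq, body[HDR_LEN:])


if __name__ == "__main__":
    inner = bytes([10, 0, 0, 5, 10, 0, 1, 9]) + b"payroll query"  # constructed
    wire = encapsulate(bytes([198, 51, 100, 7]), bytes([203, 0, 113, 1]), 1, inner)
    print(decapsulate(wire) == inner, b"payroll" in wire)
```

Because the private source and destination addresses sit inside the encrypted inner packet, an observer on the public network sees only the two tunnel endpoints.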
Connection options
When traveling with a mobile computer,
there are a number of ways that you can take advantage of VPN technology
to establish connections to your home networks:
- Modem connection to local ISP.
You can use your PC Card modems to make traditional landline
connections to a local ISP, establish a PPP session and then proceed
to establish a VPN connection across the Internet.
- Circuit-switched cellular connection
to local ISP. This approach is almost the same as using a
landline connection, except it is done either through an analog
or circuit-switched data connection.
- Circuit-switched cellular connection
directly to the Internet. Rather than connecting to an ISP
via a modem gateway, you connect through a direct digital connection
to the Internet. Such services are forthcoming.
VPN availability
VPN technology is not only available
today from companies specializing in VPNs, but also from operating
system vendors (e.g. Microsoft), traditional firewall vendors, and
possibly even router vendors in the future. There is limited interoperability
between products from different vendors today, since standards are
only now being finalized, so you will most likely need software
from the same vendor for both end points of your tunnels. Key standards
to watch are IPsec (secure IP), SOCKS and Layer 2 Tunneling Protocol
(L2TP). L2TP is a new standard that will combine attributes of Microsoft's
Point-to-Point Tunneling Protocol (PPTP) and Cisco's L2F (Layer
2 Forwarding).
Wireless carriers are expected to provide
increasing options for connecting to the Internet. These options
will work hand in hand with VPN technologies to allow convenient
remote access to private networks from anywhere in the world. Anybody
traveling with both a mobile computer and a cellular telephone will
find it easier and easier to remain connected to their home organization.
Informational links about virtual private
networks:
Here are some links to companies that
offer VPN products:
Here are links to more information on
VPNs:
Strategic Network "Putting VPNs to Work for Small Businesses and Offices"