Chapter 1: What Is a Virtual Private Network?
In recent years, as more companies have come to require network connections to central offices, the need has grown for inexpensive, secure communications with remote users and offices. Dedicated circuits and leased lines are reliable and private (their security rests on physical isolation of the circuit), but they are not financially feasible for most companies. A Virtual Private Network (VPN) simulates a private network by using the existing public network infrastructure, usually the Internet. The network is termed "virtual" because it uses a logical connection built on top of the physical connections. Client applications are unaware of the underlying physical path; the VPN software carries their traffic across the Internet in much the same way that traffic is carried across a private network. Once the VPN is configured and started, applications cannot tell the difference between the virtual adapter and a physical adapter.
When a Virtual Private Network is properly set up, it can combine public networks (such as the Internet), Frame Relay, and Asynchronous Transfer Mode (ATM) circuits into a single wide area network (WAN) that remote users and branch offices use as if it were a private network. Once the VPN infrastructure is defined and configured, it provides seamless integration: the network is managed and used the same as a private network.
History of Virtual Private Networks
So how did VPNs get to where they are today? Until just a few years ago, VPNs were basically nonexistent. Recently, VPNs have experienced a lot of movement and development in a relatively short period of time as corporate demand to stay connected with users has increased.
A few vendors, such as IBM, Microsoft, and Cisco Systems, Inc., started developing tunneling technologies in the mid-1990s. Although products for tunneling IPX and SNA over IP were available several years ago, they were very specific to their environments and of limited use to the industry as a whole. The industry needed a tunnel solution that could be standardized for all types of traffic. Much of this push toward standardization was based on the acceptance and standardization of TCP/IP.
In 1996, several vendors realized the importance of VPNs, and many of these companies worked together to define tunneling protocols. These tunneling protocols facilitated two major VPN solutions: Point-to-Point Tunneling Protocol (PPTP), created by Microsoft, Ascend, 3Com, and US Robotics, and Layer 2 Forwarding (L2F), created by Cisco. Because each solution was vendor-specific and proprietary, interoperability was limited to products from the vendors that backed it. PPTP and L2F are Open Systems Interconnection (OSI) Layer 2 tunneling protocols that were designed to transport Layer 3 protocols, such as AppleTalk, IP, and IPX, across the Internet. To do this, PPTP and L2F leveraged the existing Layer 2 PPP standard, which already transported different Layer 3 protocols across serial links. The Layer 3 packets were encapsulated in PPP frames, and the PPP frames were then carried in IP packets (PPTP uses GRE for this) for transport across the IP-based network. Because neither tunneling protocol itself provides the data encryption, authentication, or integrity protection that VPN privacy requires, those functions must be supplied separately; Microsoft's PPTP implementation, for example, relies on PPP authentication (MS-CHAP) and Microsoft Point-to-Point Encryption (MPPE) negotiated inside the tunnel. PPTP is discussed in detail in Chapter 4, "Point-to-Point Tunneling Protocol (PPTP)".
Driven by the shortcomings of the existing tunneling protocols, standardization and planning began to take place in 1997 under the Internet Engineering Task Force (IETF), with the Layer 2 Tunneling Protocol (L2TP), which combined features of PPTP and L2F, and Internet Protocol Security (IPSec). Because L2TP and IPSec are multivendor efforts, interoperability is not as much of a problem as it was for their predecessors. Being a Layer 2 protocol, L2TP allows multiprotocol support over an IP-based network: it is not restricted to a specific Layer 3 protocol but can transport several different ones. The L2TP specification has no built-in data security functions and relies on IPSec (in transport mode, protecting the L2TP packets themselves) for confidentiality and integrity. L2TP is covered in Chapter 7, "Layer 2 Tunneling Protocol (L2TP)."
Because tunneling technology had matured to the point that administrators could actually use it, tunneling clients were deployed more widely. Additionally, Windows NT provided the administrator with basic network functions, such as auditing, accounting, and alarms, which allowed for easy implementation and monitoring.
In 1998, VPNs continued to mature with centralized user management, better network management, and enhanced authentication and encryption. Microsoft updated the Windows NT 4.0 tunneling solution, revising the protocol and its security-related processing. Many client operating systems were updated to include tunnel client software for a more streamlined configuration.
1999 saw the introduction of effective VPNs with new features, such as a standards-based authentication model, an easier interface for server configuration, and additional client configuration tools. With the new authentication model, smart cards could be deployed for client access, which increased security, and VPN support began to appear in consumer devices. VPN use by telecommuters therefore became widespread, and corporate use of VPNs for branch office links increased. Windows 2000 has a mature VPN option that provides the necessary features for a secure and manageable tunneling solution that is dramatically less expensive than a hardware solution and/or leased lines. Microsoft has fully committed to implementing VPN technologies in Windows 2000 because it predicts that VPNs will be an important element in corporate networks in the near future. Windows 2000 not only comes with built-in support for IPSec, L2TP, and PPTP, but also delivers a full suite of security-related services ranging from full Remote Authentication Dial-In User Service (RADIUS) support to the Extensible Authentication Protocol (EAP). Windows 2000 VPN services are discussed in more detail in Chapter 3, "VPN Features in Windows 2000."
How a Virtual Private Network Works
As stated previously, a Virtual Private Network is essentially a "private tunnel" over a public infrastructure. To emulate a private network link, the VPN encapsulates data with a header that provides routing information, which enables the data to travel the public network (normally the Internet) from the source to the destination. To emulate a private link, the VPN encrypts the encapsulated data for confidentiality and adds an integrity check (a keyed hash or similar) so that the receiver can verify the data's authenticity and detect modification. Packets that are intercepted on the public network are unreadable without the encryption keys, and packets that have been altered or replayed are rejected. A link in which the data is encapsulated and encrypted is known as a VPN, or tunnel, connection.
VPNs can be maintained by a variety of devices. It is now possible to have a Windows 2000 server connect with an encrypted tunnel to a router, to another Windows 2000 device, to a firewall, or to anything else that supports the standard protocols and encryption mechanisms...
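The two encapsulations the chapter describes, as an added example that is not part of the book: the bare Layer 2 tunnel of PPTP/L2F (a PPP frame inside GRE inside IPv4, as in the history section above) beside a protected packet with the shape of IPsec ESP (SPI, sequence number, encrypted payload, integrity check value) that this paragraph describes. Addresses, keys and the inner packet are constructed for the demonstration, and the cipher is a stand-in (an HMAC-SHA256 keystream in counter mode) so the script runs with the Python standard library only; real IPsec uses AES, and ESP's padding and next-header trailer are omitted here.

```python
# Added example (not the book's code): PPTP-style and ESP-style encapsulation
# of one Layer 3 packet. Everything below is constructed for the demo.
#   pptp_encapsulate: PPP frame -> enhanced GRE (RFC 2637) -> IPv4, no protection
#   esp_encapsulate:  SPI + seq + encrypted payload + ICV -> IPv4 (RFC 4303 shape)
# Stand-in cipher: HMAC-SHA256 keystream in counter mode instead of AES.
import hashlib
import hmac
import socket
import struct

PPP_PROTO_IPV4 = 0x0021     # PPP protocol field value for IPv4
IPPROTO_GRE = 47
IPPROTO_ESP = 50
GRE_PPTP_FLAGS = 0x3001     # K=1 (call ID), S=1 (sequence), version 1
GRE_PROTO_PPP = 0x880B
ICV_LEN = 16                # truncated HMAC-SHA256 integrity check value


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0 for a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """The outer 'routing' header a tunnel adds so the public network can
    forward the packet: 20 bytes, no options, TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def pptp_encapsulate(src, dst, call_id, seq, ppp_proto, inner):
    """PPP frame (protocol field + payload, HDLC address/control omitted)
    inside enhanced GRE inside IPv4. Nothing is encrypted or authenticated."""
    ppp = struct.pack("!H", ppp_proto) + inner
    gre = struct.pack("!HHHHI", GRE_PPTP_FLAGS, GRE_PROTO_PPP,
                      len(ppp), call_id, seq) + ppp
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def eavesdrop_pptp(packet):
    """What an on-path observer recovers from a bare GRE tunnel packet:
    the inner Layer 3 protocol number and its bytes, in the clear."""
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    _flags, _ptype, plen, _call_id, _seq = struct.unpack("!HHHHI", packet[20:32])
    ppp = packet[32:32 + plen]
    return struct.unpack("!H", ppp[:2])[0], ppp[2:]


def _keystream(enc_key, spi, seq, n):
    """Stand-in stream cipher: HMAC-SHA256(key, spi||seq||counter) blocks.
    Its security rests on (spi, seq) never repeating under one key."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EspSa:
    """One direction of a security association: SPI, keys, sequence state."""

    def __init__(self, spi, enc_key, mac_key):
        self.spi, self.enc_key, self.mac_key = spi, enc_key, mac_key
        self.next_seq = 1          # sender side
        self.highest_seen = 0      # receiver side, for anti-replay

    def protect(self, inner):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        ct = _xor(inner, _keystream(self.enc_key, self.spi, seq, len(inner)))
        body = struct.pack("!II", self.spi, seq) + ct
        icv = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv          # encrypt-then-MAC, as ESP does

    def unprotect(self, esp):
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # verify before using anything
            raise ValueError("integrity check failed: modified packet or wrong key")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest_seen:
            raise ValueError("replayed packet")
        self.highest_seen = seq
        return _xor(body[8:], _keystream(self.enc_key, spi, seq, len(body) - 8))


def esp_encapsulate(src, dst, sa, inner):
    esp = sa.protect(inner)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(packet, sa):
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    return sa.unprotect(packet[20:])


if __name__ == "__main__":
    inner = b"GET /payroll HTTP/1.0\r\n"            # constructed inner packet
    pkt = pptp_encapsulate("198.51.100.7", "203.0.113.9", 5, 1, PPP_PROTO_IPV4, inner)
    print("GRE observer sees:", eavesdrop_pptp(pkt))
    ke, km = hashlib.sha256(b"demo-enc").digest(), hashlib.sha256(b"demo-mac").digest()
    sender, receiver = EspSa(0x1000, ke, km), EspSa(0x1000, ke, km)
    pkt = esp_encapsulate("198.51.100.7", "203.0.113.9", sender, inner)
    print("ESP observer sees inner bytes:", inner in pkt)
    print("receiver decrypts:", esp_decapsulate(pkt, receiver))
```

The GRE path shows why the chapter says PPTP and L2F need encryption added separately: the observer function reads the inner protocol and payload straight out of the captured packet. The ESP path shows the order of checks a receiver should keep: verify the integrity check value before touching the sequence number or decrypting, reject a sequence number that does not advance, and only then decrypt.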