When you use a private WAN connection from a service provider, you trust them that they treat your data confidential. The service provider will make sure that they separate traffic from different customers and that nobody else is able to see your data.
What about the Internet? When you send traffic from A to B using the Internet, you have no control at all which networks are used to get from the source to the destination. Someone in between the traffic path might be capturing your packets and you wouldn’t know.
VPNs (Virtual Private Network) help by establishing a secure connection over an insecure network, such as the Internet. This is a great alternative to private WAN connections since Internet access is usually cheaper and it’s available pretty much everywhere.
VPNs provide a couple of features such as:
- Confidentiality: preventing anyone from reading your data. This is implemented with encryption.
- Authentication: verifying that the router/firewall or remote user that is sending VPN traffic is a legitimate device or router.
- Integrity: verifying that the VPN packet wasn’t changed somehow during transit.
- Anti-replay: preventing someone from capturing traffic and resending it, trying to appear as a legitimate device/user.
There are two common VPN types that we use:
- site-to-site VPN
- client-to-site VPN (remote user)
Let me give you some examples.
With the site-to-site VPN, we have a network device at each site, between these two network devices we build a VPN tunnel. Each end of the VPN tunnel will encrypt the original IP packet, adds a VPN header, a new IP header and then forwards the encrypted packet to the other end of the tunnel.
Here’s an example of a VPN tunnel:
Here’s what happens in the picture above:
- H1 sends an IP packet with source 192.168.1.1 and destination 192.168.2.2.
- R1 encrypts the IP packet, adds a VPN header and creates a new IP header with its own public IP address as the source and 220.127.116.11 as the destination.
- R1 sends the new packet to R2.
- R2 receives the packet, checks if the packet really came from R1, decrypts it and forwards it to H2.
- H2 receives the original IP packet.
In the example above I used two routers but firewalls like the Cisco ASA firewall are often used for VPN tunnels.
The client-to-site VPN is also called the remote user VPN. The user installs a VPN client on his/her computer, laptop, smartphone or tablet. The VPN tunnel is established between the user’s device and the remote network device. Here’s an example:
In the picture above, the user has established a VPN tunnel between its VPN client and R1. This allows the user to access a remote server.
There are a couple of VPN protocols, the most common ones are:
- SSL VPN
Let me give you an overview of each protocol.
The IP protocol itself doesn’t have any security features at all, which is why IPSec was created. IPSec is not a protocol but it’s a framework and offers confidentiality, integrity, authentication and anti-replay features on layer three of the OSI model.
It uses a variety of protocols and the advantage of a framework is that the protocols it uses can change in the future. For example, currently, we can use encryption algorithms like DES, 3DES or AES but if a new algorithm is created, IPSec might use it in the future.
You can use IPSec for:
- Creating a site-to-site VPN tunnel.
- Creating a client-to-site (remote user) VPN tunnel.
- Between two servers to authenticate and/or encrypt traffic.
For an in-depth explanation of IPSec, you can take a look at my IPSec lesson.
PPTP (Point to Point Tunneling Protocol) is one of the older VPN protocols, it was released around 1995. It uses a GRE tunnel for tunneling and PPP for authentication (using MS-Chap or MS-Chap v2). Encryption is done with the MPPE protocol.
Since it’s been around for a while, PPTP is supported on many clients and operating systems. PPTP, however, has been proven insecure so you shouldn’t use this protocol anymore if you want to protect your data.
L2TP (Layer Two Tunneling Protocol) is an extension of PPTP and as the name implies, allows us to tunnel layer two traffic over layer three connections. L2TP can be used if you need to “bridge” two remote LANs together and you want to use a single subnet on both sites. L2TP itself does not offer any encryption or anything, which is why we use often use it together with IPSec. When you use L2TP and IPSec together, it’s often referred to as L2TP/IPSec
SSL (Secure Sockets Layer) is a protocol that is normally used to encrypt traffic between a web browser and web server. When you surf the web using HTTP, everything is clear text. For secure connections, we use HTTPS. We can use the same technology for VPNs.
One of the advantages of SSL VPN is that since it uses HTTPS, you can use it pretty much everywhere. Most public wifi hotspots do permit HTTPS traffic while some might block other traffic like IPSec. Another reason why SSL VPN is popular is that you don’t always have to use a software client.
Most SSL VPN solutions offer a “portal” through the web browser that you can use to access applications. For some advanced features, you might have to install a software client.
If you want to see an example of what SSL VPN looks like, you can take a look at my Cisco ASA Anyconnect Remote VPN lesson.
In this lesson you have learned some of the basics of VPNs:
- VPNs can be used as an alternative to private WAN connections and offer a secure connection over an insecure medium, such as the Internet.
- VPNs offer features such as confidentiality, authentication, integrity and anti-replay.
- The two most common VPN types are site-to-site VPNs and client-to-site VPNs.
- Some common VPN protocols are:
- IPSec: a framework that provides security on layer three of the OSI model.
- PPTP: an old VPN protocol that uses PPP and GRE, insecure and should not be used anymore.
- L2TP: a VPN protocol that tunnels layer two traffic, does not offer any encryption so should be used together with IPsec.
- SSL VPN: uses SSL (HTTPS) to create a secure connection with the web browser.