Virtual Private Networks (VPNs)
The problem of remote access has appeared many times in this book. This problem has actually been an important issue throughout the evolution of TCP/IP. How do you connect computers that are not close enough for a LAN-style cable connection? System administrators have always relied on two important methods for remote connections: dial-up connections and WAN connections.
These methods are inherently secure, because they establish a closed, private connection that offers no opportunities for intruders. However, both these methods also have disadvantages. Dial-up connections are notoriously slow, and they are dependent on the quality of the phone connection. A WAN connection is also sometimes slow, but, more significantly, a WAN is expensive to build and maintain, and it is not mobile. A WAN connection is not an option for a remote user of uncertain location traveling with a laptop.
One answer to these problems is to connect directly to the remote network over the open Internet. This solution is fast and convenient, but the Internet is so hostile and insecure that such an option simply is not feasible without providing some way of preventing eavesdropping. Experts began to wonder if there were some way to use the tools of encryption to create a private channel through a public network. The solution to this problem emerged in what we now know as a Virtual Private Network (VPN). A VPN establishes a point-to-point "tunnel" across the network through which ordinary TCP/IP traffic can pass securely.
Whereas IPSec (described earlier in this hour) is a protocol that supports secure network connections, a VPN is the connection itself. A VPN application is a program that creates and sustains these private remote connections.
By the Way
The encryption techniques described earlier in this hour would not work well if every router in the delivery chain had to have knowledge of the encryption key. Encryption is intended for point-to-point connections. The idea is that the VPN client software on the remote computer establishes a connection with a VPN server that is acting as a gateway to the network (see Figure 20.8). The VPN client and server exchange plain, routable TCP/IP datagrams that pass normally through the Internet. However, the payload (the data) sent through the VPN connection is actually an encrypted datagram destined for the network. The encrypted datagrams (which are unreadable on the open Internet) are enclosed in the plain, readable datagrams forwarded to the VPN server. The VPN server software then extracts the encrypted datagram, decrypts it using the encryption key, and forwards the enclosed data to its destination address on the protected network.
Although it is possible for an eavesdropping cyber thief to intercept a non-encrypted packet sent between the VPN client and server, the useful information is all within the encrypted payload, which the listener will not be able to decrypt without the necessary key.
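The encapsulation just described, as an added example that is not part of the original text: an inner datagram (private source, private destination, payload) is encrypted and authenticated, then wrapped in an outer datagram whose only readable fields are the client and VPN server addresses. The addresses and the shared key are constructed for the demo, and the cipher is a toy HMAC-SHA256 counter-mode keystream standing in for the real cipher a VPN would negotiate.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed shared key for the demo; a real VPN negotiates this (e.g. via IKE for IPSec).
KEY = hashlib.sha256(b"constructed-demo-shared-secret").digest()
NONCE_LEN, TAG_LEN, HDR_LEN = 12, 32, 8

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Stand-in for AES/ChaCha20 only.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_inner(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    # Simplified inner datagram: 4-byte source, 4-byte destination, then the data.
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload

def encapsulate(key: bytes, client_ip: str, vpn_server_ip: str, inner: bytes) -> bytes:
    # Encrypt-then-MAC the inner datagram, then prepend the plain, routable outer header.
    nonce = os.urandom(NONCE_LEN)
    ct = xor(inner, keystream(key, nonce, len(inner)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return socket.inet_aton(client_ip) + socket.inet_aton(vpn_server_ip) + nonce + ct + tag

def eavesdropper_view(packet: bytes) -> dict:
    # What a listener on the open Internet can read: only the outer header.
    return {"src": socket.inet_ntoa(packet[:4]), "dst": socket.inet_ntoa(packet[4:8]),
            "opaque_bytes": len(packet) - HDR_LEN}

def is_authentic(key: bytes, packet: bytes) -> bool:
    nonce, ct, tag = packet[HDR_LEN:HDR_LEN + NONCE_LEN], packet[HDR_LEN + NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest())

def decapsulate(key: bytes, packet: bytes) -> tuple:
    # VPN server side: verify the tag first, then decrypt and expose the inner datagram.
    if not is_authentic(key, packet):
        raise ValueError("authentication failed: wrong key or packet tampered with")
    nonce, ct = packet[HDR_LEN:HDR_LEN + NONCE_LEN], packet[HDR_LEN + NONCE_LEN:-TAG_LEN]
    inner = xor(ct, keystream(key, nonce, len(ct)))
    return socket.inet_ntoa(inner[:4]), socket.inet_ntoa(inner[4:8]), inner[8:]
```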
With the arrival of VPNs, it is now common for users to establish secure LAN-like connections with remote networks over the Internet. On most systems, the details of establishing and maintaining a VPN connection are handled within the software. The user just has to start the VPN application and enter authentication information. After the connection is established, the user interacts with the network as if she were connected locally.