
Vpn article. What is a VPN: why is it needed and how it works. How VPN differs from anonymizer

VPN (Virtual Private Network) stands for a virtual private network. VPN is one of those technologies whose origins are hard to trace, yet once it takes root in a company's infrastructure, everyone wonders how they ever managed without it. VPNs allow you to use the Internet as your own private network, so the spread of VPN has followed the development of the Internet. The technology uses the TCP/IP protocol stack as the basis for its operation.

In order to understand what a VPN is, you need to understand two concepts: encryption and virtuality.

Encryption is a reversible transformation of a message to hide it from unauthorized persons.

Virtuality is an object or state that does not really exist, but can arise under certain conditions.

Encryption converts a message from one form, for example "Hello!", into another form, such as "*&878hJf7*&8723". The inverse transformation, called decryption, converts the message "*&878hJf7*&8723" back into the message "Hello!". The VPN security model assumes that no one other than the intended recipient can perform the decryption.

The concept of “virtuality” refers to the “as if” situation. For example, a situation where you access a remote computer using a tablet. In this case, the tablet simulates the operation of a remote computer.

VPN has a precise definition:

VPN is an encrypted or encapsulated communication process that securely transfers data from one point to another; the security of this data is ensured by strong encryption technology and the transmitted data passes through an open, unsecured, routed network.

Because the VPN encrypts the communication between nodes, data is transmitted securely and its integrity is guaranteed. The data travels through an open, unsecured, routed network, so it can take multiple paths to its final destination when transmitted over a shared line. Thus, a VPN can be thought of as the process of sending encrypted data from one point to another over the Internet.

Encapsulation is the process of placing a data packet inside an IP packet. Encapsulation allows you to add an extra layer of protection. Encapsulation allows you to create VPN tunnels and transfer data over a network with other protocols. The most common way to create VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in tunneling protocols. The latter is most often the IP protocol, although, in rare cases, ATM and Frame Relay protocols can also be used. This approach is called Layer 2 Tunneling, since the passenger is the Layer 2 Protocol (PPP) itself.

An alternative approach, encapsulating network protocol packets directly into a tunneling protocol (such as VTP), is called Layer 3 tunneling.

By purpose, VPNs are divided into three types:

  1. Intranet - used to unite several distributed branches of one organization into a single secure network, exchanging data over open communication channels.
  2. Extranet - used for networks to which external users (such as customers or clients) connect. Because the level of trust in such users is lower than in the company's employees, special protection is required to prevent external users from accessing especially valuable information.
  3. Remote access - created between central corporate offices and remote mobile users. With encryption software loaded on the remote laptop, the remote user establishes an encrypted tunnel with the VPN device at the corporate headquarters.

There are many options for implementing a VPN. When deciding how to implement a VPN, you need to consider the performance factors of VPN systems. For example, if a router is running at the limit of its processor power, then adding more VPN tunnels and applying encryption / decryption can cause the entire network to stop working as the router will not be able to handle normal traffic.

VPN implementation options:

  1. VPN based on firewalls. A firewall is a software or hardware-software component of a computer network that monitors and filters the network traffic passing through it according to specified rules. Most vendors' firewalls today support tunneling and data encryption. All such products are based on encrypting the traffic that passes through the firewall.
  2. VPN based on routers. Since all information coming from the local network first goes to the router, it is advisable to assign encryption functions to it. Cisco routers, for example, support L2TP, IPSec encryption protocols. In addition to simple encryption, they also support other VPN features such as connection authentication and key exchange.
  3. VPN based on a network operating system. On Linux, VPN connections are usually made using technologies such as OpenVPN, OpenConnect, or NetworkManager. Windows VPN uses PPTP, which is integrated into Windows.


Connecting remote networks through a VPN connection is one of the most popular topics on our site. At the same time, as reader feedback shows, the greatest difficulty is the correct routing configuration, even though we paid special attention to this point. Having analyzed the most frequently asked questions, we decided to devote a separate article to routing. Have questions? We hope that after reading this material there will be fewer of them.

First of all, let's figure out what routing is. Routing is the process of determining the path that information takes through a communication network. Frankly, this topic is very deep and requires a solid theoretical background, so within this article we will deliberately simplify the picture and touch on the theory only to the extent needed to understand the processes involved and obtain practical results.

Take an arbitrary workstation connected to the network: how does it determine where to send a given packet? This is what the routing table is for. It contains a list of rules for all possible destination addresses, and based on this table the host (or router) decides through which interface and to which next-hop address a packet for a specific recipient should be sent. On Windows, the routing table is displayed with the command:

route print

As a result, we will see the following table:

Everything is very simple. We are interested in the IPv4 route table section: the first two columns contain the destination address and netmask, followed by the gateway (the node to which packets for that destination should be forwarded), the interface, and the metric. If the Gateway column says On-link, the destination address is on the same network as the host and is reachable without routing. The metric determines the priority of routing rules: if several rules in the route table match the destination address, the one with the lowest metric is used.

Our workstation belongs to the 192.168.31.0 network and, according to the route table, sends all requests for this network through the 192.168.31.175 interface, which is the address of this station itself. If the destination address is in the same network as the source address, delivery happens without IP routing (OSI network layer, L3), at the link layer (L2). Otherwise, the packet is sent to the node specified in the route table rule that matches the destination network.

If there is no such rule, the packet is sent along the zero route, which contains the address of the network's default gateway; in our case this is the router's address, 192.168.31.100. This route is called the zero route because its destination address is 0.0.0.0. This point is very important for understanding the rest of the routing process: all packets that do not belong to the local network and have no separate route are always sent to the network's default gateway.

What will the router do when it receives such a packet? First, let's see how a router differs from an ordinary network station. Put very simply, a router is a network device configured to forward packets between its network interfaces. On Windows this is achieved by enabling the Routing and Remote Access service; on Linux by enabling the ip_forward option.

The forwarding decision is also made based on the routing table. Let's see what this table contains on a typical router, for example the one we described in our earlier article. On Linux systems, you can display the route table with the command:

route -n

As you can see, our router contains routes to the networks 192.168.31.0 and 192.168.3.0 known to it, as well as a zero route to the upstream gateway 192.168.3.1.

The address 0.0.0.0 in the Gateway column indicates that the destination address is available without routing. Thus, all packets with destination addresses in the networks 192.168.31.0 and 192.168.3.0 will be sent to the corresponding interface, and all other packets will be forwarded along the zero route.

The next important point is private network addresses, also called "gray" addresses. They comprise three ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

These addresses may be freely used by anyone and are therefore not routed. What does this mean? Any packet with a destination address belonging to one of these networks will be dropped by the router if there is no separate entry for it in the routing table; simply put, the router does not apply the default (zero) route to such packets. Note that this rule applies only to routing, i.e. to forwarding packets between interfaces: an outgoing packet with a "gray" destination address that originates on the node itself will be sent along the zero route, even if that node is a router.

For example, if our router receives an incoming packet with destination, say, 10.8.0.1, it will be discarded, since that network is unknown to it and addresses in this range are not routed. But if we access the same node directly from the router, the packet will be sent along the zero route to the 192.168.3.1 gateway and dropped there.

It's time to check how it all works. From our host 192.168.31.175, let's try to ping host 192.168.3.106, which is located in the network behind the router. As you can see, we succeeded, even though the host's route table contains no information about the 192.168.3.0 network.

How is this possible? Since the source node knows nothing about the destination network, it sends the packet to the gateway address. The gateway checks its route table, finds an entry for the 192.168.3.0 network and sends the packet out the appropriate interface. You can easily verify this by running the trace command, which shows the entire path of our packet:

tracert 192.168.3.106

Now let's try to ping host 192.168.31.175 from host 192.168.3.106, i.e. in the opposite direction. It didn't work out for us. Why?

Let's look closely at the routing table. It contains no entry for the 192.168.31.0 network, so the packet is sent to the 192.168.3.1 router as the network's default gateway, which discards it because it knows nothing about the destination network. What can be done? Obviously, the packet should be sent to a node that has the necessary information and can forward the packet to its destination; in our case this is the 192.168.31.100 router, which has the address 192.168.3.108 on this network.

For packets to the 192.168.31.0 network to be sent to it, we need to create a separate route:

192.168.31.0 mask 255.255.255.0 192.168.3.108

From here on we will use this notation for routes. What does it mean? Simply that packets for the 192.168.31.0 network with mask 255.255.255.0 should be sent to host 192.168.3.108. On Windows, such a route is added with the command:

route add 192.168.31.0 mask 255.255.255.0 192.168.3.108

and on Linux with:

route add -net 192.168.31.0 netmask 255.255.255.0 gw 192.168.3.108

Let's try.

Let's analyze the result: a route has appeared in the routing table, and all packets for the 192.168.31.0 network are now sent to that network's router, as the response of the ping command shows, but they do not reach the destination. What's the matter? Remember that one of a router's main tasks is not only routing but also the firewall function, which explicitly prohibits access from the external network to the inside. If we temporarily replace this rule with a permissive one, everything works.

Routes added with the above commands are kept only until the node is rebooted. This is convenient: if you mess something up, a reboot undoes the changes. To add a persistent route on Windows, run:

route add 192.168.31.0 mask 255.255.255.0 192.168.3.108 -p

On Linux, in /etc/network/interfaces, add the following after the interface description:

post-up route add -net 192.168.31.0 netmask 255.255.255.0 gw 192.168.3.108

By the way, this is not the only way to configure access from the 192.168.3.0 network to the 192.168.31.0 network: instead of adding a route on each node, you can "teach" the router to send the packets correctly.

In this case, the source node has no record of the destination network and sends the packet to the gateway. Last time the gateway dropped such a packet, but now we have added the required route to its routing table, and it forwards the packet to the 192.168.3.108 node, which delivers it to its destination.

We strongly recommend practising on similar examples yourself, so that routing is no longer a black box for you and routes no longer look like gibberish. Once you have this understanding, you can move on to the second part of this article.

Now let's look at real examples of connecting office networks through a VPN connection. Although OpenVPN is most often used for this purpose, and our examples assume solutions based on it, everything below applies to any type of VPN connection.

The simplest case is when the VPN server (client) and the network router are located on the same host. Consider the diagram below:

Since, we hope, you have learned the theory and consolidated it in practice, let's analyze the path of a packet from the office network 192.168.31.0 to the branch network 192.168.44.0. Such a packet is sent to the default gateway, which is also the VPN server. However, this node knows nothing about the destination network and has to discard the packet. At the same time, we can already reach the branch router at its address in the VPN network, 10.8.0.2, since that network is accessible from the office router.

To access the branch network, we need to pass packets for this network to a node that is part of this network or has a route to it. In our case, this is the branch router. Therefore, we add a route on the office router:

Now the office gateway, having received a packet for the branch network, sends it through the VPN channel to the branch router, which, being a member of the 192.168.44.0 network, delivers the packet to its destination. To access the office network from the branch network, a similar route must be added on the branch router.

Let's take a more complicated diagram, where the router and the VPN server (client) are different nodes on the network. Here there are two options: send the required packets directly to the VPN server (client), or make the gateway do it.

Let's look at the first option first.

In order for the packets for the branch network to get into the VPN network, we must add a route to the VPN server (client) for each client of the network, otherwise they will be sent to the gateway, which will drop them:

However, the VPN server does not know anything about the branch office network, but it can send packets within the VPN network, where there is a branch network node of interest to us, so we will send the packet there by adding a route on the VPN server (client):

192.168.44.0 mask 255.255.255.0 10.8.0.2

The disadvantage of this scheme is the need to add routes on every network node, which is not always convenient. It can be used if there are few devices on the network or selective access is required. In other cases, it is more correct to hand the routing task to the main router of the network.

In this case, the office's network devices know nothing about the branch network and send packets for it along the zero route, to the network gateway. The gateway's task is now to redirect such packets to the VPN server (client), which is easy to do by adding the required route to its routing table:

192.168.44.0 mask 255.255.255.0 192.168.31.101

We mentioned the task of the VPN server (client) above: it must deliver packets to the VPN network node that is part of the destination network or has a route to it:

192.168.44.0 mask 255.255.255.0 10.8.0.2

For access from the branch network to the office network, you will need to add the appropriate routes to the network nodes of the branch. This can be done in any convenient way, not necessarily in the same way as it is done in the office. A simple real-world example: all computers in the branch office must have access to the office network, but not all computers in the office must have access to the branch office. In this case, in the branch, we add a route to the VPN server (client) on the router, and in the office we add it only to the necessary computers.
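To make the forwarding decisions from the routing walkthrough above (the route table, the zero route, the "gray" address rule, the ping in both directions and the firewall) and from the site-to-site VPN scenarios concrete, here is an added Python model; it is not code from the original article. It represents each host and router as a routing table, applies longest-prefix match with the metric as tie-break (the standard rule; the article mentions only the metric), honours the article's rule that a router does not apply its zero route to private destinations, and traces a packet hop by hop. The network addresses are the article's; the upstream gateway's ISP-side addresses (203.0.113.0/24), the /24 on the tun interfaces and the branch host 192.168.44.10 are assumptions made for the example.

```python
"""Hop-by-hop model of the routing decisions described in the article.

Constructed example (not the article's code). Addresses 192.168.31.0/24,
192.168.3.0/24, 192.168.44.0/24 and 10.8.0.x are the article's; the upstream
gateway's ISP side (203.0.113.0/24), the /24 on tun0 and the branch host
192.168.44.10 are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The three "gray" ranges from the article; the forwarding rule in trace() applies to them.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]          # None means "On-link" (shown as 0.0.0.0 by `route -n`)
    iface: str
    metric: int = 0


@dataclass
class Node:
    name: str
    addrs: dict                     # interface name -> IPv4 address of that interface
    routes: list = field(default_factory=list)
    forwards: bool = False          # ip_forward=1 / "Routing and Remote Access" enabled
    blocked_in: set = field(default_factory=set)   # firewall: forwarded packets arriving on these interfaces are dropped

    def lookup(self, dst):
        """Longest-prefix match; among equal prefixes the lowest metric wins."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r.dest]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def add_route(node, network, gateway):
    """`route add <network> gw <gateway>`: the route leaves via the interface the gateway is on-link for."""
    node.routes.append(Route(ipaddress.ip_network(network), gateway, node.lookup(gateway).iface))


def trace(nodes, src, dst, max_hops=16):
    """Follow a packet from node `src` towards address `dst`; the last entry states the outcome."""
    by_addr = {a: n for n in nodes.values() for a in n.addrs.values()}
    dst_ip = ipaddress.ip_address(dst)
    node, in_iface, path = nodes[src], None, []
    for _ in range(max_hops):
        if str(dst_ip) in node.addrs.values():
            path.append(f"{node.name}: delivered")
            return path
        if in_iface is not None:                          # forwarded, not originated here
            if not node.forwards:
                path.append(f"{node.name}: dropped (not a router)")
                return path
            if in_iface in node.blocked_in:
                path.append(f"{node.name}: dropped (firewall)")
                return path
        route = node.lookup(dst_ip)
        if route is None:
            path.append(f"{node.name}: dropped (no route)")
            return path
        # The article's rule: a router does not apply its zero route to a "gray" destination,
        # whereas a packet the node sends itself does go out along the zero route.
        if in_iface is not None and route.dest.prefixlen == 0 and any(dst_ip in p for p in PRIVATE):
            path.append(f"{node.name}: dropped (private destination, no specific route)")
            return path
        next_hop = route.gateway or str(dst_ip)           # on-link: hand straight to the destination
        path.append(f"{node.name} -> {next_hop} via {route.iface}")
        nxt = by_addr.get(next_hop)
        if nxt is None:
            path.append(f"{next_hop}: not modelled")
            return path
        node, in_iface = nxt, next(i for i, a in nxt.addrs.items() if a == next_hop)
    path.append("dropped (hop limit)")
    return path


def build_lab():
    """The article's topology: office LAN and its router, the 192.168.3.0 network with its
    upstream gateway, plus the separate VPN host and the branch from the site-to-site section."""
    def R(dest, gw, iface):
        return Route(ipaddress.ip_network(dest), gw, iface)
    nodes = [
        Node("ws", {"eth0": "192.168.31.175"},
             [R("192.168.31.0/24", None, "eth0"), R("0.0.0.0/0", "192.168.31.100", "eth0")]),
        Node("office-router", {"lan": "192.168.31.100", "wan": "192.168.3.108"},
             [R("192.168.31.0/24", None, "lan"), R("192.168.3.0/24", None, "wan"),
              R("0.0.0.0/0", "192.168.3.1", "wan")], forwards=True, blocked_in={"wan"}),
        Node("host3", {"eth0": "192.168.3.106"},
             [R("192.168.3.0/24", None, "eth0"), R("0.0.0.0/0", "192.168.3.1", "eth0")]),
        Node("upstream", {"lan": "192.168.3.1", "wan": "203.0.113.2"},            # ISP side assumed
             [R("192.168.3.0/24", None, "lan"), R("0.0.0.0/0", "203.0.113.1", "wan")], forwards=True),
        Node("vpn-host", {"eth0": "192.168.31.101", "tun0": "10.8.0.1"},
             [R("192.168.31.0/24", None, "eth0"), R("10.8.0.0/24", None, "tun0"),
              R("0.0.0.0/0", "192.168.31.100", "eth0")], forwards=True),
        Node("branch-router", {"tun0": "10.8.0.2", "lan": "192.168.44.1"},
             [R("10.8.0.0/24", None, "tun0"), R("192.168.44.0/24", None, "lan")], forwards=True),
        Node("branch-host", {"eth0": "192.168.44.10"},                              # assumed address
             [R("192.168.44.0/24", None, "eth0"), R("0.0.0.0/0", "192.168.44.1", "eth0")]),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    lab = build_lab()
    print(trace(lab, "ws", "192.168.3.106"))        # reaches host3: the office router knows 192.168.3.0
    print(trace(lab, "host3", "192.168.31.175"))    # dropped by the upstream gateway
    add_route(lab["host3"], "192.168.31.0/24", "192.168.3.108")
    print(trace(lab, "host3", "192.168.31.175"))    # reaches the office router, stopped by its firewall
    lab["office-router"].blocked_in.clear()
    print(trace(lab, "host3", "192.168.31.175"))    # delivered
    add_route(lab["office-router"], "192.168.44.0/24", "192.168.31.101")
    add_route(lab["vpn-host"], "192.168.44.0/24", "10.8.0.2")
    print(trace(lab, "ws", "192.168.44.10"))        # office router -> VPN host -> tunnel -> branch
```

Running it replays the article's experiments in order: the ping from the workstation succeeds, the reverse ping dies at the upstream gateway, the added route gets it as far as the office router's firewall, and the office-to-branch packet is discarded by the office router until the two routes from the second scheme (gateway to VPN host, VPN host to 10.8.0.2) are in place. The model ignores NAT and reply traffic on purpose; a real ping also needs the reply to find its way back, which is exactly why the return routes on the branch side matter.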

In general, if you understand how routing works and how the decision to forward a packet is made, and you know how to read the routing table, then configuring the correct routes should be straightforward. We hope that after reading this article you will have no further questions.


Recently, interest in virtual private networks (VPN) has increased in the telecommunications world. This is due to the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply via the Internet. Indeed, comparing the cost of connecting several networks over the Internet with, for example, Frame Relay networks shows a significant difference. However, when networks are connected via the Internet the question of data transmission security immediately arises, so mechanisms were needed to ensure the confidentiality and integrity of the transmitted information. Networks built on such mechanisms are called VPNs.

In addition, a modern person developing a business very often has to travel a lot, whether to remote corners of our country or abroad. People often need access to information stored on their home computer or on a company computer. This problem can be solved by organizing remote access using a modem and a telephone line. Using a telephone line has its own peculiarities; the disadvantage of this solution is that a call from another country costs a lot of money. There is another solution, called VPN. The advantage of VPN technology is that remote access is organized not over a telephone line but over the Internet, which is much cheaper and better. In my opinion, VPN technology has the prospect of widespread adoption around the world.

1. Concept and classification of VPN networks, their construction

1.1 What is VPN

VPN (English: Virtual Private Network) is a logical network created on top of another network, such as the Internet. Although communications are carried out over public networks using insecure protocols, encryption creates channels of information exchange that are closed to outsiders. A VPN allows you, for example, to combine several offices of an organization into a single network using uncontrolled channels for communication between them.

At its core, a VPN has many of the properties of a leased line, but it is deployed within a public network such as the Internet. With the tunneling technique, data packets travel over the public network as if over an ordinary point-to-point connection. Between each "sender-receiver" pair a kind of tunnel is established: a secure logical connection that allows the data of one protocol to be encapsulated in packets of another. The main components of the tunnel are:

  • initiator;
  • routed network;
  • tunnel switch;
  • one or more tunnel terminators.

VPN itself does not conflict with major network technologies and protocols. For example, when establishing a dial-up connection, the client sends a stream of PPP packets to the server. In the case of organizing virtual leased lines between local networks, their routers also exchange PPP packets. However, fundamentally new is the forwarding of packets through a secure tunnel organized within the public network.

Tunneling allows you to organize the transmission of packets of one protocol in a logical environment using a different protocol. As a result, it becomes possible to solve the problems of interaction of several different types of networks, starting with the need to ensure the integrity and confidentiality of transmitted data and ending with overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be provisioned for VPN using either software or hardware. Establishing a VPN is like laying cables over a WAN. Typically, a direct connection between the remote user and the endpoint of the tunnel is established using PPP.

The most common method for creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in a tunneling protocol. Typically, the latter is IP or (much less commonly) ATM and Frame Relay. This approach is called Layer 2 Tunneling, since the “passenger” here is the Layer 2 protocol.

An alternative approach, encapsulating network protocol packets directly into a tunneling protocol (such as VTP), is called Layer 3 tunneling.

No matter which protocols are used or what purposes are pursued when organizing a tunnel, the basic technique remains practically unchanged. Typically, one protocol is used to establish a connection with the remote site, and another is used to encapsulate data and service information for transmission through the tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By the type of environment used:

  • Secure VPN networks. The most common variant of virtual private networks. With their help, a reliable and secure subnet can be created on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.
  • Trusted VPN networks. They are used when the transmission medium can be considered reliable and only the problem of creating a virtual subnet within a larger network has to be solved; security issues become irrelevant. Examples of such VPN solutions are MPLS and L2TP. It would be more correct to say that these protocols shift the task of ensuring security to others; for example, L2TP is as a rule used in conjunction with IPSec.

2. By the way of implementation:

  • VPN networks in the form of special software and hardware. The VPN network is implemented using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.
  • VPN networks as a software solution. Use a personal computer with special software to provide VPN functionality.
  • VPN networks with an integrated solution. VPN functionality provides a complex that also solves the problems of filtering network traffic, organizing a firewall and ensuring quality of service.

3. By purpose:

  • Intranet VPN. They are used to combine several distributed branches of one organization into a single secure network, exchanging data via open communication channels.
  • Remote Access VPN. They are used to create a secure channel between a segment of a corporate network (central office or branch) and a single user who, while working from home, connects to corporate resources from a home computer or, while on a business trip, connects to corporate resources using a laptop.
  • Extranet VPN. Used for networks to which "external" users (such as customers or clients) connect. The level of trust in them is much lower than in the company's employees, so special lines of defence are needed to prevent or restrict their access to especially valuable, confidential information.

4. By type of protocol:

  • There are implementations of virtual private networks for TCP / IP, IPX and AppleTalk. But today there is a tendency towards a general transition to the TCP / IP protocol, and the vast majority of VPN solutions support it.

5. By the level of the network protocol:

  • By network protocol layer based on mapping to the ISO / OSI network reference model layers.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance of the components used to build it. For example, if a router is already running at maximum capacity, adding VPN tunnels and encrypting/decrypting information can bring the entire network to a halt, because the router will not be able to cope even with ordinary traffic, let alone VPN traffic. Experience shows that it is best to use specialized equipment to build a VPN, but if funds are limited, a purely software solution is worth considering. Let's consider some options for building a VPN.

  • VPN based on firewalls. Most manufacturers' firewalls support tunneling and data encryption. All such products are based on encrypting the traffic that passes through the firewall: an encryption module is added to the firewall software itself. The disadvantage of this method is that performance depends on the hardware the firewall runs on. When using PC-based firewalls, keep in mind that this solution is suitable only for small networks with little traffic.
  • VPN based on routers. Another way to build a VPN is to use routers to create secure channels. Since all information leaving the local network passes through the router, it is advisable to assign the encryption tasks to it. An example of equipment for building a VPN on routers is equipment from Cisco Systems. Starting with IOS Software Release 11.3, Cisco routers support L2TP and IPSec. In addition to simple encryption of the transmitted information, Cisco also supports other VPN functions, such as authentication when establishing a tunnel connection and key exchange. An optional ESA encryption module can be used to improve router performance. In addition, Cisco Systems has released a dedicated VPN appliance, the Cisco 1720 VPN Access Router, for small and medium-sized businesses and large branch offices.
  • Software-based VPN. The next approach to building a VPN is a purely software solution. Such a solution uses specialized software that runs on a dedicated computer and in most cases acts as a proxy server. A computer with such software can be located behind a firewall.
  • VPN based on a network OS. We will consider solutions based on a network operating system using the example of Microsoft's Windows operating system. To create a VPN, Microsoft uses PPTP, which is integrated into Windows. This solution is very attractive for organizations using Windows as their corporate operating system, and its cost is significantly lower than that of other solutions. A Windows-based VPN uses the user database stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated using PAP, CHAP or MS-CHAP. The transmitted packets are encapsulated in GRE/PPTP packets. Packets are encrypted with the non-standard Microsoft Point-to-Point Encryption protocol using a 40- or 128-bit key obtained when the connection is established. The disadvantages of this system are the lack of a data integrity check and the impossibility of changing keys during a connection. The positives are the ease of integration with Windows and the low cost.
  • VPN based on hardware. Building a VPN on special devices is an option for networks that require high performance. An example of such a solution is Radguard's IPro-VPN product. It uses hardware encryption of the transmitted information and can handle a 100 Mbps stream. IPro-VPN supports the IPSec protocol and the ISAKMP/Oakley key management mechanism. Among other things, this device supports network address translation and can be supplemented with a special card that adds firewall functions.

2. VPN protocols

VPNs are built using protocols for tunneling data over the public Internet, with the tunneling protocols encrypting data and transferring it end-to-end between users. As a rule, today the protocols of the following levels are used to build VPN networks:

  • Link layer
  • Network layer
  • Transport layer.

2.1 Link layer

At the data link layer, the data tunneling protocols L2TP and PPTP can be used, which use authorization and authentication.

PPTP

Currently, the most common VPN protocol is Point-to-Point Tunnelling Protocol - PPTP. It was developed by 3Com and Microsoft with the aim of providing secure remote access to corporate networks over the Internet. PPTP leverages existing open TCP / IP standards and relies heavily on the legacy PPP point-to-point protocol. In practice, PPP remains the communication protocol of the PPTP connection session. PPTP creates a tunnel through the network to the recipient's NT server and transmits PPP packets of the remote user through it. The server and workstation use VPN and are oblivious to how secure or accessible the WAN between them is. Server-initiated termination of a connection session, unlike specialized remote access servers, allows local network administrators to keep remote users out of the security system of Windows Server.

While the remit of the PPTP protocol extends only to devices running Windows, it provides companies with the ability to interact with existing network infrastructures without compromising their own security systems. In this way, a remote user can connect to the Internet with a local ISP over an analog phone line or ISDN and establish a connection to the NT server. At the same time, the company does not have to spend large sums on organizing and maintaining a pool of modems that provide remote access services.

Next, let's consider how PPTP works. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use a destination port to establish a tunnel control connection; this takes place at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin to exchange service packets. In addition to the PPTP control connection that keeps the link alive, a data tunnel forwarding connection is created. Encapsulating data before sending it through the tunnel differs slightly from normal transmission and involves two steps:

  1. First, the PPP information part is created: data flows top-down through the OSI layers, from the application layer to the data link layer.
  2. The resulting data is then passed back up the OSI model and encapsulated by the upper-layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot yet be sent to its destination, since the OSI data link layer is responsible for this. Therefore, PPTP encrypts the payload field of the packet and takes over the layer 2 functions normally performed by PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet that belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk, DECnet to enable them to be transported over IP networks. However, GRE does not have the ability to establish sessions and protect data from intruders. It uses PPTP's ability to create a connection to manage the tunnel. The use of GRE as an encapsulation method restricts the PPTP field of action to IP networks only.

After the PPP frame has been wrapped in a GRE header, the result is wrapped in an IP header. The IP header contains the addresses of the sender and recipient of the packet. Finally, PPTP adds a PPP header and trailer.

The sender system sends data through the tunnel. The receiving system removes all overhead headers, leaving only PPP data.
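As an added illustration of the GRE layer described above (this is example code, not code from the original article), the following builds and parses the enhanced GRE header that PPTP uses for its data tunnel, following RFC 2637; the call ID and the PPP frame are constructed sample values, and the outer IP header (IP protocol 47) is assumed to be added by the IP stack.

```python
import struct

# Enhanced GRE header used by PPTP (RFC 2637): version 1, protocol type 0x880B (PPP).
GRE_PROTO_PPP = 0x880B
GRE_FLAG_K = 0x2000   # Key present: payload length + call ID (always set for PPTP)
GRE_FLAG_S = 0x1000   # Sequence number present (set whenever a payload is carried)
GRE_FLAG_A = 0x0080   # Acknowledgment number present
GRE_VERSION = 1       # low three bits of the first 16-bit word
IP_PROTO_GRE = 47

# Constructed sample PPP frame: address/control 0xFF03, protocol 0x0021 (IP), then data.
SAMPLE_PPP_FRAME = bytes.fromhex("ff030021") + b"constructed IP payload"


def build_pptp_gre(call_id, ppp_frame, seq=None, ack=None):
    """Wrap a PPP frame in the PPTP enhanced GRE header.

    Returns the bytes that sit directly after the outer IP header.
    """
    flags = GRE_FLAG_K | GRE_VERSION
    if seq is not None:
        flags |= GRE_FLAG_S
    if ack is not None:
        flags |= GRE_FLAG_A
    # Key field = payload length (high word) and the peer's call ID (low word).
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def parse_pptp_gre(data):
    """Decode a PPTP GRE packet into its fields; raise ValueError if it is not PPTP GRE."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VERSION or not flags & GRE_FLAG_K:
        raise ValueError("not a PPTP enhanced-GRE packet")
    offset = 8
    seq = ack = None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_A:
        ack = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    payload = data[offset:offset + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the declared length")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}


def is_pptp_data_packet(ip_protocol, ip_payload):
    """Classifier for a monitoring tool: True when an IP packet carries a PPTP data tunnel."""
    if ip_protocol != IP_PROTO_GRE:
        return False
    try:
        parse_pptp_gre(ip_payload)
    except ValueError:
        return False
    return True
```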

L2TP

In the near future, an increase in the number of VPNs deployed based on the new Layer 2 Tunneling Protocol - L2TP - is expected.

L2TP is the result of combining the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP tunnels PPP packets, while L2F tunnels SLIP and PPP packets. To avoid confusion and interoperability issues in the telecommunications market, the Internet Engineering Task Force (IETF) recommended that Cisco Systems merge PPTP and L2F. By all accounts, L2TP has incorporated the best features of PPTP and L2F. The main advantage of L2TP is that this protocol allows you to create a tunnel not only in IP networks, but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 L2TP implementation only supports IP.

L2TP uses UDP as its transport and uses the same message format for both tunnel management and data transfer. L2TP in Microsoft's implementation uses UDP packets containing encrypted PPP packets as control messages. Reliable delivery is guaranteed by checking the sequence of the packets.

The functionality of PPTP and L2TP is different. L2TP can be used not only in IP networks, and its service messages use the same format and protocols both to create a tunnel and to send data through it. PPTP can only be used on IP networks and needs a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee nearly 100 percent security for business-critical data. The features of L2TP make it a very promising protocol for building virtual networks.

L2TP and PPTP differ from Layer 3 tunneling protocols in a number of ways:

  1. Providing corporations with the ability to independently choose how to authenticate users and verify their credentials - on their own "territory" or with an Internet service provider. By processing tunneled PPP packets, the servers on the corporate network obtain all the information they need to identify users.
  2. Tunnel switching support - terminating one tunnel and initiating another to one of many potential terminators. Tunnel switching allows, as it were, to extend the PPP connection to the required endpoint.
  3. Allowing corporate network system administrators to implement strategies for assigning access rights to users directly on the firewall and back-end servers. Because tunnel terminators receive PPP packets containing user information, they are able to apply security policies formulated by administrators to individual user traffic. (Layer 3 tunneling does not distinguish between packets coming from the provider, so security policy filters have to be applied on end workstations and network devices.) In addition, when a tunnel switch is used, the layer 2 tunnel can be "continued" so that the traffic of individual users is forwarded directly to the corresponding internal servers. These servers may be tasked with additional packet filtering.

MPLS

MPLS technology (Multiprotocol Label Switching, a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks) is also used at the data link layer to organize tunnels. MPLS operates at a layer that could be placed between the data link (second) and network (third) layers of the OSI model, and therefore it is commonly referred to as a link-network layer protocol. It was designed to provide a universal data service for both circuit-switched and packet-switched clients. MPLS can carry a wide variety of traffic such as IP packets, ATM, SONET, and Ethernet frames.

VPN solutions at the link level have a fairly limited scope, usually within the provider's domain.

2.2 Network layer

Network layer (IP layer). The IPSec protocol is used, which implements encryption and confidentiality of data, as well as authentication of subscribers. Using the IPSec protocol allows for full-featured access equivalent to a physical connection to the corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. every client must have software that implements IPSec.

IPSec

Naturally, no company would like to transfer financial or other confidential information openly over the Internet. VPN channels are protected by powerful encryption algorithms embedded in the IPSec security protocol standards. IPSec, or Internet Protocol Security, the standard chosen by the international community (the IETF group, Internet Engineering Task Force), creates the basis for security for the Internet Protocol (IP). The IPSec protocol provides security at the network layer and requires IPSec support only from the communicating devices at both ends. All other devices in between simply forward IP packet traffic.

The method of interaction between parties using IPSec technology is usually defined by the term "secure association", or Security Association (SA). A secure association operates on the basis of an agreement between the parties that use IPSec to protect information transmitted to each other. This agreement governs several parameters: sender and recipient IP addresses, cryptographic algorithm, key exchange order, key sizes, key lifetime, authentication algorithm.

IPSec is a consistent set of open standards with a core that can be easily extended with new features and protocols. The core of IPSec is made up of three protocols:

· AH or Authentication Header - an authentication header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is that it allows the receiving side to make sure that:

  • the packet was sent by a party with which a secure association was established;
  • the contents of the packet were not tampered with during its transmission over the network;
  • the packet is not a duplicate of a packet already received.

The first two functions are mandatory for the AH protocol, and the last one is optional when establishing an association. The AH protocol uses a special header to perform these functions. Its structure is as follows:

  1. The next header field indicates the code of the higher layer protocol, that is, the protocol whose message is placed in the data field of the IP packet.
  2. The payload length field contains the length of the AH header.
  3. The Security Parameters Index (SPI) is used to associate a packet with its secure association.
  4. The Sequence Number (SN) field indicates the sequence number of a packet and is used to protect against replay (when a third party tries to reuse captured secure packets sent by a genuinely authenticated sender).
  5. The authentication data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate and check the integrity of the packet. This value, also called a digest, is computed using one of the two computationally irreversible functions, MD5 or SHA-1, that AH must support, but any other function can be used.
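To make the AH fields concrete, the following added example (not code from the original article) builds and verifies an AH header with an HMAC-SHA1-96 ICV and implements the sliding anti-replay window that the Sequence Number field enables, modelled on RFC 4302. It assumes a constructed SA key, omits the immutable IP header fields that a real ICV also covers, and uses constructed sample packets.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header (1) + Payload Len (1) + Reserved (2) + SPI (4) + SN (4)
ICV_LEN = 12        # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits


def compute_icv(key, ah_fixed, payload):
    """ICV over the AH header (ICV zeroed) and the payload, truncated to 96 bits.

    Simplification: a real implementation also covers the immutable fields of the
    outer IP header; they are omitted here to keep the example self-contained.
    """
    mac = hmac.new(key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key, next_header, spi, seq, payload):
    # Payload Len = length of AH in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + compute_icv(key, fixed, payload) + payload


def parse_ah(key, packet):
    """Return (fields, payload) after checking the ICV; raise ValueError on a bad packet."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack(
        "!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[AH_FIXED_LEN:ah_len], packet[ah_len:]
    expected = compute_icv(key, packet[:AH_FIXED_LEN], payload)
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet tampered with or wrong SA key")
    return {"next_header": next_header, "spi": spi, "seq": seq}, payload


class ReplayWindow:
    """Sliding anti-replay window (default 64 packets wide) keyed on the SN field."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def accept(self, seq):
        if seq == 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.top:                   # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                     # too old: fell off the left of the window
        if self.bitmap & (1 << diff):
            return False                     # duplicate: replay of a packet already seen
        self.bitmap |= 1 << diff
        return True


def receive(key, window, packet):
    """Receiver side: verify the ICV first, then reject replays. Returns the payload or None."""
    try:
        fields, payload = parse_ah(key, packet)
    except ValueError:
        return None
    if not window.accept(fields["seq"]):
        return None
    return payload
```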

· ESP or Encapsulating Security Payload - encapsulation of encrypted data - encrypts transmitted data, ensuring confidentiality, and can also support authentication and data integrity;

The ESP protocol solves two groups of problems.

  1. The first includes tasks similar to those of the AH protocol: ensuring authentication and data integrity based on the digest.
  2. The second is protecting the transmitted data from unauthorized viewing by encrypting it.

The header is divided into two parts, separated by a data field.

  1. The first part, called the actual ESP header, is formed by two fields (SPI and SN), the purpose of which is similar to the fields of the same name in the AH protocol, and is placed before the data field.
  2. The rest of the service fields of the ESP protocol, called the ESP trailer, are located at the end of the packet.

The two trailer fields - the next header and the authentication data - are similar to the AH header fields. The Authentication Data field is not present if the security association is set up not to use ESP's integrity capabilities. In addition to these fields, the trailer contains two additional fields: padding and pad length.

The AH and ESP protocols can protect data in two modes:

  1. in transport mode, the packet is transmitted with its original IP header;
  2. in tunnel mode, the original packet is placed in a new IP packet and transmitted with new headers.

The use of this or that mode depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. For example, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

  1. host-host;
  2. gateway-gateway;
  3. host-gateway.

The capabilities of the AH and ESP protocols partially overlap: the AH protocol is only responsible for ensuring the integrity and authentication of data, the ESP protocol can encrypt data and, in addition, perform the functions of the AH protocol (in a truncated form). ESP can support encryption and authentication / integrity functions in any combination, that is, either the entire group of functions, or only authentication / integrity, or only encryption.
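The trailer layout described above and the "only authentication / integrity" combination are shown together in this added example (not code from the original article): an ESP packet with NULL encryption and HMAC-SHA1-96 integrity, where the padding, Pad Length and Next Header sit at the end of the packet and the Authentication Data field is present only when the SA uses integrity. The SA key and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8   # SPI (4) + Sequence Number (4)
ICV_LEN = 12      # HMAC-SHA1-96 authentication data
ALIGN = 4         # payload + padding + Pad Length + Next Header must be 4-byte aligned


def esp_padding(payload_len):
    """Padding bytes 1, 2, 3, ... so that payload + padding + the two trailer bytes align."""
    pad_len = (-(payload_len + 2)) % ALIGN
    return bytes(range(1, pad_len + 1))


def build_esp_null(auth_key, spi, seq, next_header, payload, use_integrity=True):
    """Layout on the wire: SPI | SN | payload | padding | Pad Length | Next Header [| ICV].

    NULL encryption means the payload is carried as-is; only integrity protection is applied.
    """
    padding = esp_padding(len(payload))
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    body = struct.pack("!II", spi, seq) + payload + trailer
    if not use_integrity:
        return body                                  # SA without ESP integrity: no ICV field
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp_null(auth_key, packet, use_integrity=True):
    """Verify the ICV when the SA uses it, then strip header and trailer.

    Returns (spi, seq, next_header, payload); raises ValueError on a malformed packet.
    """
    if use_integrity:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP ICV mismatch")
    else:
        body = packet
    if len(body) < ESP_HDR_LEN + 2:
        raise ValueError("packet too short for ESP header and trailer")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    pad_len, next_header = struct.unpack("!BB", body[-2:])   # trailer ends the packet
    payload_end = len(body) - 2 - pad_len
    if payload_end < ESP_HDR_LEN:
        raise ValueError("Pad Length exceeds the packet")
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding pattern corrupted")
    return spi, seq, next_header, body[ESP_HDR_LEN:payload_end]
```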

· IKE or Internet Key Exchange - Internet key exchange - solves the auxiliary problem of automatically supplying the endpoints of a secure channel with the secret keys needed by the authentication and data encryption protocols.

2.3 Transport layer

The transport layer uses SSL / TLS or Secure Socket Layer / Transport Layer Security, which implements encryption and authentication between the transport layers of the receiver and transmitter. SSL / TLS can be used to protect TCP traffic, it cannot be used to protect UDP traffic. For a VPN based on SSL / TLS to function, there is no need to implement special software, since every browser and email client is equipped with these protocols. Because SSL / TLS is implemented at the transport layer, a secure connection is established end-to-end.

The TLS protocol is based on the Netscape SSL protocol version 3.0 and consists of two parts - the TLS Record Protocol and the TLS Handshake Protocol. The differences between SSL 3.0 and TLS 1.0 are minor.

SSL / TLS has three main phases:

  1. Dialogue between the parties, the purpose of which is to choose an encryption algorithm;
  2. Key exchange based on public key cryptosystems or certificate-based authentication;
  3. Transfer of data encrypted using symmetric encryption algorithms.

2.4 VPN Implementation: IPSec or SSL / TLS?

Often, heads of IT departments are faced with the question: which of the protocols should be chosen for building a corporate VPN? The answer is not obvious, as each approach has both pros and cons. We will try to compare them and identify when it is necessary to use IPSec, and when SSL / TLS. As can be seen from the analysis of the characteristics of these protocols, they are not interchangeable and can function both separately and in parallel, defining the functional features of each of the implemented VPNs.

The choice of a protocol for building a corporate VPN network can be carried out according to the following criteria:

· The type of access required for VPN users.

  1. Full-featured permanent connection to the corporate network. The recommended choice is IPSec.
  2. The temporary connection, for example, of a mobile user or a user using a public computer, in order to gain access to certain services, such as email or a database. The recommended choice is SSL / TLS, which allows you to set up a VPN for each individual service.

· Whether the user is an employee of the company.

  1. If the user is an employee of the company, the device he uses to access the corporate network via IPSec VPN can be configured in some specific way.
  2. If the user is not an employee of the company that is accessing the corporate network, it is recommended to use SSL / TLS. This will restrict guest access to certain services only.

· What is the security level of the corporate network.

  1. High. The recommended choice is IPSec. Indeed, the security level offered by IPSec is much higher than the security level offered by the SSL / TLS protocol due to the use of configurable software on the user side and a security gateway on the corporate side.
  2. Average. The recommended choice is SSL / TLS, which allows access from any terminal.

· The level of security of data transmitted by the user.

  1. High, for example, company management. The recommended choice is IPSec.
  2. Medium, such as a partner. The recommended choice is SSL / TLS.
  3. Medium to high depending on the service. The recommended choice is a combination of IPSec (for services requiring a high level of security) and SSL / TLS (for services requiring a medium level of security).

· More importantly, fast VPN deployment or future scalability.

  1. Rapid VPN deployment at minimal cost. The recommended choice is SSL / TLS. In this case, there is no need to implement special software on the user side, as in the case of IPSec.
  2. VPN scalability - adding access to various services. The recommended choice is the IPSec protocol, which allows access to all services and resources of the corporate network.
  3. Rapid deployment and scalability. Recommended choice is a combination of IPSec and SSL / TLS: using SSL / TLS as a first step to access the services you need, and then implementing IPSec.

3. Methods for implementing VPN networks

VPN is based on three implementation methods:

· Tunneling;

· Encryption;

· Authentication.

3.1 Tunneling

Tunneling provides data transfer between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden for the source and the data receiver.

The tunnel transport medium, like a ferry, picks up the packets of the network protocol in use at the entrance to the tunnel and delivers them unchanged to the exit. Tunneling is sufficient to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the "ferry" with data passes through many intermediate nodes (routers) of the open public network.

This state of affairs is fraught with two problems. The first is that information transmitted through the tunnel can be intercepted by intruders. If it is confidential (bank card numbers, financial statements, personal information), then the threat of its compromise is quite real, which is already unpleasant in itself. Worse, attackers have the ability to modify the data transmitted through the tunnel so that the recipient cannot verify its validity. The consequences can be dire. Considering the above, we come to the conclusion that a tunnel in its pure form is suitable only for some types of networked computer games and cannot claim any more serious application. Both problems are solved by modern means of cryptographic information protection. To prevent unauthorized changes to a data packet on its way through the tunnel, the method of electronic digital signature (EDS) is used. The essence of the method is that each transmitted packet is supplied with an additional block of information, which is generated in accordance with an asymmetric cryptographic algorithm and is unique for the contents of the packet and the sender's secret EDS key. This block of information is the EDS of the packet and allows the recipient, who knows the sender's public EDS key, to authenticate the data. The protection of data transmitted through the tunnel from unauthorized viewing is achieved through the use of strong encryption algorithms.

3.2 Authentication

Security is a core VPN function. All data from client computers passes through the Internet to the VPN server. Such a server can be located at a great distance from the client computer, and data on the way to the organization's network passes through the equipment of many providers. How to make sure that the data has not been read or changed? For this, various authentication and encryption methods are used.

PPTP can use any of the PPP protocols to authenticate users:

  • EAP or Extensible Authentication Protocol;
  • MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
  • CHAP or Challenge Handshake Authentication Protocol;
  • SPAP or Shiva Password Authentication Protocol;
  • PAP or Password Authentication Protocol.

The best protocols are MSCHAP version 2 and EAP-Transport Layer Security (EAP-TLS), because they provide mutual authentication, i.e. the VPN server and client identify each other. In all other protocols, only the server authenticates the clients.

Although PPTP provides a reasonable degree of security, L2TP over IPSec is more reliable. L2TP over IPSec provides user- and computer-level authentication, as well as authentication and data encryption.

Authentication is done either in the clear (a plaintext password) or by a challenge / response scheme. With plaintext, everything is simple: the client sends a password to the server, the server compares it with the stored reference value and either denies access or says "welcome". Plaintext authentication is hardly ever encountered.

The challenge / response scheme is much more advanced. In general, it looks like this:

  • the client sends a request to the server for authentication;
  • the server returns a random challenge;
  • the client computes a hash of its password (a hash is the result of a hash function that converts an input data array of arbitrary length into an output bit string of a fixed length), encrypts the challenge with it and sends the result to the server;
  • the server does the same and compares its result with the client's response;
  • if the encrypted responses match, authentication is successful.
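The exchange above, carried through with both sides' messages as an added example (not code from the original article): the server issues a fresh random challenge per attempt, the client keys an HMAC-SHA256 over it with the hash of its password (an assumed concrete choice for "encrypts the challenge with the hash"), and the server recomputes and compares in constant time. The user store and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    """The value both sides hold instead of the password (assumption: SHA-256).

    This hash is password-equivalent for the protocol, so the server's stored
    copy must be protected as carefully as the password itself.
    """
    return hashlib.sha256(password.encode()).digest()


class AuthServer:
    def __init__(self, users):
        self.users = users        # username -> password hash (constructed store)
        self.pending = {}         # username -> outstanding challenge

    def challenge(self, username):
        # Step 2: a fresh random challenge for every attempt; it is never reused.
        c = secrets.token_bytes(16)
        self.pending[username] = c
        return c

    def verify(self, username, response):
        # Steps 4 and 5: recompute with the stored hash and the challenge that was
        # issued for this attempt, then compare in constant time.
        c = self.pending.pop(username, None)    # each challenge is usable exactly once
        stored = self.users.get(username)
        if c is None or stored is None:
            return False
        expected = hmac.new(stored, c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, challenge):
    # Step 3: hash the password, then key an HMAC over the challenge with that hash.
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def authenticate(server, username, password):
    """Run the whole exchange; the password itself never leaves the client."""
    c = server.challenge(username)                    # step 1 + 2
    return server.verify(username, client_response(password, c))
```

Because each response is bound to a one-time challenge, a captured response cannot be replayed against a later challenge, which is what makes the scheme safer than sending the password in the clear.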

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates received from the certificate authority. The client and server exchange certificates and create a secure ESP SA (security association). After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. Any protocol can be used for authentication, even PAP, which transmits the username and password in clear text. This is quite secure as L2TP over IPSec encrypts the entire session. However, authenticating the user with MSCHAP, which uses different encryption keys to authenticate the computer and the user, can enhance security.

3.3. Encryption

PPTP encryption ensures that no one can access data when it is sent over the Internet. Two encryption methods are currently supported:

  • The encryption protocol MPPE or Microsoft Point-to-Point Encryption is only compatible with MSCHAP (versions 1 and 2);
  • EAP-TLS, which is able to automatically select the length of the encryption key when negotiating parameters between the client and the server.

MPPE supports 40, 56, or 128 bit keys. Older Windows operating systems only support 40-bit key length encryption, so in a mixed Windows environment, choose the minimum key length.

PPTP changes the encryption key value after every received packet. MPPE was designed for point-to-point links in which packets are transmitted sequentially and there is very little data loss. In this situation, the key value for the next packet depends on the result of decrypting the previous packet. When building virtual networks over public access networks, these conditions cannot be met, since data packets often arrive at the recipient in a different order from the one in which they were sent. Therefore, PPTP uses packet sequence numbers to change the encryption key. This allows decryption to be performed independently of previously received packets.

Both protocols are implemented both in Microsoft Windows and outside it (for example, in BSD); VPN algorithms can differ significantly.

Thus, the bundle "tunneling + authentication + encryption" allows you to transfer data between two points through a public network, simulating the operation of a private (local) network. In other words, the considered tools allow you to build a virtual private network.

An additional pleasant effect of a VPN connection is the ability (and even the need) to use the addressing system adopted in the local network.

The implementation of a virtual private network in practice is as follows. A VPN server is installed in the local area network of the firm's office. The remote user (or router, if two offices are connected) initiates the connection to the server using the VPN client software. User authentication takes place - the first phase of establishing a VPN connection. If authentication succeeds, the second phase begins: the client and the server negotiate the details of securing the connection. After that, the VPN connection is established, and information is exchanged between the client and the server in such a way that each data packet goes through the encryption / decryption procedures and an integrity check, i.e. data authentication.

The main problem with VPNs is the lack of well-established standards for authentication and encrypted information exchange. These standards are still under development, and therefore products from different manufacturers cannot establish VPN connections and automatically exchange keys. This problem entails a slowdown in the spread of VPN, since it is difficult to force various companies to use the products of the same manufacturer, and therefore the process of combining the networks of partner companies into so-called extranet networks is difficult.

The advantages of VPN technology are that the organization of remote access is done not through a telephone line, but through the Internet, which is much cheaper and better. The disadvantage of VPN technology is that VPN building tools are not complete tools for detecting and blocking attacks. They can prevent a number of unauthorized actions, but not all the capabilities that can be used to penetrate a corporate network. But, despite all this, VPN technology has prospects for further development.

So what can you expect in terms of VPN technology development in the future? Without a doubt, a unified standard for the construction of such networks will be developed and approved. Most likely, the basis of this standard will be the already proven IPSec protocol. Next, vendors will focus on improving the performance of their products and creating user-friendly VPN controls. Most likely, the development of VPN building tools will go in the direction of VPN based on routers, since this solution combines a fairly high performance, VPN integration and routing in one device. However, low-cost solutions for small organizations will also evolve. In conclusion, it must be said that although VPN technology is still very young, it has a great future ahead of it.


Let's get to know VPN a little, find out the basic questions and use these three letters for our benefit.

See how the information flows between my laptop and the smartphone next to it, in a so-called route trace. There is always a weak link where data can be intercepted.

What is a VPN for?

For the organization of networks within networks and their protection. Let's understand that a VPN is good. Why? Because your data will be more secure. We build secure network over the Internet or another network. It's like an armored car for transporting money down the street from a bank to another bank. You can send money in a regular car, or in an armored car. On any road, money in an armored car is safer. Figuratively VPN is an armored car for your information. And the VPN server is an agency for the provision of armored cars. Briefly speaking, VPN is good.

Data security:

Use a virtual private network (VPN connection)
With a VPN connection, you can effectively use encryption technologies for data as it travels through the network when connected to a public Wi-Fi network. This can prevent cybercriminals monitoring the network from intercepting your data.

Still not convinced? For example, here is the title of one of the tenders:

Provision of services for the provision of communication channels using VPN technology for organizing data transfer between divisions of the Directorate of the Ministry of Internal Affairs of Russia in Kazan

The police are concerned about their safety, state-owned companies and corporations are concerned about this and demand the presence of such channels, and why are we worse? We are even better, because we will not spend budget funds, but we will set everything up quickly, simply and for free.

So let's go. We protect accounts, passwords using VPN when using open Wi-Fi networks. This is usually the weakest link. Of course, intelligence agencies all over the world, criminal groups can afford equipment that replaces and intercepts traffic not only from Wi-Fi networks, but also from satellite and mobile communication networks. This is another level and goes beyond the scope of this post.
The best option is when you have your own VPN server. If not, then you have to rely on the honesty of those who provide these services to you. So, there are paid versions of VPN and free ones. Let's go through the second. Yes, a VPN server can be configured on a home computer, but more about that in a separate post.

How to set up a VPN

Consider Free VPN for Android on the example of Opera VPN - Unlimited VPN.

Downloading a free VPN client. The settings are minimal and boil down to turning on the VPN, choosing a country, by default - a nearby one, a network testing unit. There are also settings for keeping VPN on.

After installing the application, the VPN item appears in the Android settings menu. This switch brings up the Opera VPN main screen (if you only have one VPN connection method).

To control VPN disconnection and activation, you can enable application icons in Android settings.

Settings-> Notifications & Status Bar -> App Notifications-> Opera VPN

Be prepared for the fact that some applications in the VPN tunnel mode will ask you to confirm your status. So, the VKontakte application with the VPN turned on will ask for your phone number, since it considers that an attacker from Germany or the Netherlands is trying to enter your account, which you usually enter from Moscow. Enter the number and continue using.

Here's the easiest way to use a VPN on your Android device. You can also set up a virtual private network based on your router and connect to your home computer from anywhere in the world via a secure channel, freely exchanging private data. But I will talk about this more complicated method, as well as about the settings of paid applications and services in other posts.


Imagine a scene from an action movie in which a villain escapes from a crime scene on a highway in a sports car. A police helicopter pursues him. The car enters a tunnel with several exits. The helicopter pilot does not know from which exit the car will appear, and the villain escapes from the pursuit.

VPN is a tunnel that connects many roads. No one outside knows where the cars entering it will end up. No one outside knows what is happening in the tunnel.

You've probably heard of VPN more than once. Lifehacker has written about it too. VPNs are most often recommended because the network can be used to access geo-blocked content and generally improve Internet security. The truth is that going online through a VPN can be just as dangerous as going directly.

How does a VPN work?

Most likely you have a Wi-Fi router at home. Devices connected to it can exchange data even without the Internet. It turns out that you have your own private network, but in order to connect to it, you need to be physically within range of the router signal.

VPN (Virtual Private Network) is a virtual private network. It works over the Internet, so you can connect to it from anywhere.

For example, the company you work for might use a VPN for telecommuters. They use a VPN to connect to their work network. At the same time, their computers, smartphones or tablets are virtually transferred to the office and connected to the network from the inside. To enter a virtual private network, you need to know the VPN server address, username and password.

Using a VPN is pretty straightforward. Typically, a company sets up a VPN server somewhere on a local computer, server or data center, and connects to it using a VPN client on the user's device.

Built-in VPN clients are now available on all current operating systems, including Android, iOS, Windows, macOS, and Linux.

VPN connection between client and server is usually encrypted.

So VPN is good?

Yes, if you are a business owner and want to secure your corporate data and services. By letting employees enter the work environment only through VPN and by account, you will always know who and what was doing and is doing.

Moreover, the VPN owner can monitor and control generally all traffic that goes between the server and the user.

Do employees sit on VKontakte a lot? You can close access to this service. Gennady Andreevich spends half his day on sites with memes? All his activity is automatically recorded in the logs and will become an iron argument for dismissal.

Why VPN then?

VPN allows you to bypass geographic and legal restrictions.

For example, you are in Russia and you want. With regret, you learn that this service is not available from the Russian Federation. You can only use it by going online through the VPN server of the country in which Spotify operates.

In some countries, there is Internet censorship that restricts access to certain sites. You want to go to some resource, but it is blocked in Russia. You can open a site only by going online through the VPN server of a country in which it is not blocked, that is, from almost any other than the Russian Federation.

VPN is a useful and necessary technology that copes well with a certain range of tasks. But the security of personal data still depends on the VPN service provider's integrity, common sense, attentiveness, and Internet literacy.
