DMC ITSY 2430 - Introduction to VPN (Virtual Private Networks)


What is a Virtual Private Network (VPN)?

A Virtual Private Network allows an organisation to join the Local Area Networks at two or more locations together using an encrypted connection over the Internet. This allows users to securely access information wherever it may be located on the network.

The following illustration depicts a very simple VPN. This would allow remote users at an organisation's branch office to securely access the IT resources, such as servers and printers, at head office.

The principal advantages of a VPN over traditional computer network solutions are:

• Security - all data is encrypted, typically using a 168 bit key, making it extremely secure
• Cost - replacing private circuits (leased lines) can save a considerable amount of money on an annual basis
• Flexibility - almost all IP (Internet Protocol) traffic and hence applications can be routed through a VPN

Security

The Internet can be a dangerous place for confidential data. There are legions of hackers who enjoy nothing better than the challenge of penetrating other people's computer systems. Not all are malicious; their motives are very varied. However, even if information gained is not used for fraudulent purposes, the damage to company confidence and prestige can be significant. Many hackers like to leave their mark upon a system or deface it to show their prowess. Worse still they may create a "back door" into the system, allowing them or others to easily gain access again at a later date.

Data sent over the Internet between two computer systems will pass through many computers and network systems over which the end-user has absolutely no control. Unless the data is encrypted then it is extremely vulnerable to being eavesdropped on.

SmoothWall Corporate Server provides a secure Internet Gateway and Firewall to protect an organisation's Local Area Networks (LANs).
The SmoothTunnel and SmoothNode Add-On modules establish secure encrypted VPN connections (tunnels) between Corporate Server Systems.

Cost

Private Circuits are supplied by a Telecommunications Company (TelCo) for the sole use of the customer organisation. They are normally subject to both installation and annual charges. The charges are normally distance related, with high capacity long distance circuits normally being regarded as too expensive for all bar the richest corporations.

Using the Internet for the long haul portion of the route is an obvious money saving scheme. It may still be necessary to provide short distance private circuits between the customer locations and the TelCo, to provide a high-speed connection into the Internet backbone. However such a connection could handle multiple VPN connections, instead of the traditional pattern of a dedicated circuit to each location.

Flexibility

Internet Protocol (IP) is a family of protocols of which TCP/IP is the best known. Most VPNs conform to a standard known as IPSec that enables the VPN to carry almost all IP protocols. Web servers, file servers, email servers, FTP servers can all potentially be accessed from anywhere on a VPN network, thus allowing a company to rationalise its information and resources in order to prevent needless duplication. The availability of IPSec VPN client software for individual Microsoft Windows PCs means that mobile (Road Warrior) or home workers can participate in the company VPN, even if it be from a dial-up connection in a hotel bedroom.

How does a VPN Work?

Virtual Private Networking is an umbrella term that embraces all the technologies used to secure communications over the public Internet. A VPN creates "tunnels" between two VPN Gateways to protect the private data as it travels over the Internet.
Tunnelling is the process of encapsulating private IP packets into an IPSec packet; ie the private data packet is wrapped up inside the IPSec packet like the filling in a sandwich.

© SmoothWall Limited 2002 - All trademarks are the property of their respective owners.

[Figure: a simple VPN. Labels: Branch Office, Head Office, Hub, Server, Workstation, Corporate Server Firewall with SmoothNode Module, Corporate Server Firewall with SmoothTunnel Module, Internet, Secure VPN Tunnel.]

A VPN Gateway is the software/hardware combination which controls the VPN tunnels, its primary functions being:

• Allow VPN tunnels to be configured
• Authenticate the other end of a VPN connection (ie ensure it can be identified/trusted)
• Route all data received from its own local network (LAN) to the correct VPN tunnel
• Encrypt all data presented to the VPN tunnel and encapsulate it in IPSec packets
• De-encapsulate the IPSec packets received from the VPN tunnel and decrypt the data
• Route all data received from the tunnel to the correct computer on the local network (LAN)
• Allow VPN tunnels to be managed

Once the authentication between the VPN gateways has been established the tunnel is opened and the users can send and receive data across it. There are two principal authentication methods, Pre-Shared Key (PSK or Shared Secret) and x509 Digital Certificates (see below). A VPN Gateway can normally support many VPN tunnels (depending upon licensing issues, hardware performance and speed of the Internet connection).
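
The gateway functions listed above, as an added example (not SmoothWall's code and not part of the original paper): pick the tunnel for a private packet, wrap the whole packet in an outer gateway-to-gateway packet, then authenticate and unwrap it at the far end. To stay within the Python standard library it follows the IPSec ESP layout with an integrity tag but leaves out the encryption step, so the inner packet is authenticated, not confidential. The addresses, SPI and key are constructed, and one shared SPI with a strictly increasing sequence check is a simplifying assumption.

```python
import hashlib, hmac, ipaddress, struct
ESP, ICV_LEN = 50, 16  # IP protocol number for ESP; HMAC-SHA-256 tag cut to 128 bits

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header + payload (header checksum left 0 in this sketch)."""
    a, b = (ipaddress.IPv4Address(x).packed for x in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a, b) + payload

class Tunnel:
    def __init__(self, remote_lan, local_gw, peer_gw, spi, key):
        self.remote_lan = ipaddress.ip_network(remote_lan)
        self.local_gw, self.peer_gw, self.spi, self.key = local_gw, peer_gw, spi, key
        self.tx_seq = self.rx_seq = 0

def icv(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def select_tunnel(tunnels, inner):
    """Routing step: the tunnel whose remote LAN contains the inner destination."""
    dst = ipaddress.IPv4Address(inner[16:20])
    return next((t for t in tunnels if dst in t.remote_lan), None)

def encapsulate(t, inner):
    """Wrap the whole private packet: SPI + sequence, packet, trailer, then ICV."""
    t.tx_seq += 1
    pad = -(len(inner) + 2) % 4  # trailer must end on a 4-byte boundary
    body = (struct.pack("!II", t.spi, t.tx_seq) + inner
            + bytes(range(1, pad + 1)) + bytes([pad, 4]))  # next header 4 = IPv4
    return ipv4(t.local_gw, t.peer_gw, ESP, body + icv(t.key, body))

def decapsulate(tunnels, outer):
    """Authenticate the sender, reject replays, return the private packet."""
    body, tag = outer[20:-ICV_LEN], outer[-ICV_LEN:]
    if len(outer) < 20 + 10 + ICV_LEN or outer[9] != ESP:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", body[:8])
    t = next((x for x in tunnels if x.spi == spi), None)
    if t is None or not hmac.compare_digest(tag, icv(t.key, body)):
        raise ValueError("authentication failed")
    if seq <= t.rx_seq:  # simplified anti-replay: strictly increasing only
        raise ValueError("replayed packet")
    t.rx_seq = seq
    return body[8:len(body) - 2 - body[-2]]

KEY = bytes(range(32))  # all sample values are constructed; real tunnels negotiate keys
branch = [Tunnel("192.168.1.0/24", "203.0.113.2", "198.51.100.1", 0x1001, KEY)]
head = [Tunnel("192.168.2.0/24", "198.51.100.1", "203.0.113.2", 0x1001, KEY)]
inner = ipv4("192.168.2.10", "192.168.1.5", 17, b"print job")
wire = encapsulate(select_tunnel(branch, inner), inner)
assert decapsulate(head, wire) == inner
```

Because no cipher is applied here, `inner` appears byte for byte inside `wire`; a real gateway encrypts the inner packet and trailer before computing the tag.
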
What is IPSec?

The Internet Protocol Security (IPSec) protocol suite was developed by an international group organised under the auspices of the Internet Engineering Task Force (IETF). An IPSec tunnel through the Internet protects all data traffic passing through it, regardless of the application. Most firewall and VPN vendors support the IPSec standard although many have made their own custom extensions to the protocol. This can make it difficult to get their supposedly IPSec standard equipment to interoperate with other IPSec solutions from other vendors.

Microsoft has traditionally used an alternative VPN system called Point to Point Tunnelling Protocol (PPTP). However there are a number of weaknesses with PPTP and it is not generally considered to be very secure; the reason why virtually everybody else uses IPSec. Corporate Server will allow PPTP traffic to pass through or be forwarded by the firewall but it will not act as a PPTP gateway or

