A virtual private network (VPN) enables encrypted, targeted transmission of data over public networks such as the Internet. It establishes protected, self-contained networks between different end devices. A common application is connecting home, office, or mobile users.
Within a virtual private network (VPN), various participants in an IP network are connected to form an independent subnet. The connections are encrypted to protect the data transmitted through the virtual private network over the public Internet from unauthorized access. The traffic inside the tunnel connections created between the individual participants cannot be read from the outside.
The network structure of the VPN can differ and consist of simple point-to-point connections, point-to-multipoint connections, or fully meshed participants. Virtual private networks can serve as an inexpensive substitute for physical, dedicated networks. They use the public Internet as the connection medium and make leased lines unnecessary.
Encryption and tunneling methods in the VPN
To ensure the confidentiality, integrity, and authenticity of the data transmitted via the virtual private network, tunneling methods are used. The connections of the various participants within the VPN are tap-proof and tamper-proof despite the public Internet as a transport medium.
There are different methods and techniques for encryption. Internet Protocol Security (IPsec) with Encapsulating Security Payload (ESP) has established itself as a de facto standard for virtual private networks. Many of today's VPNs are based on this encryption method. IPsec clients for the end devices are available for many different operating systems such as Microsoft Windows, Apple macOS, or Linux.
The counterpart of the client's IPsec connection is a central VPN gateway, such as a router or firewall, that also implements IPsec. User IDs, passwords, keys, and certificates are used to authenticate the participants. Particularly secure systems work with so-called multi-factor authentication and use additional features such as hardware tokens or smart cards for authentication.
The connection between the central gateway and the subscriber consists of one or more tunnels. The outer connection is based on the public IP addresses of the two endpoints, but it carries a further, encrypted IP connection with its own IP addresses. This second IP connection is protected and cannot be seen from the outside. Only the endpoints of the tunnel can decrypt and interpret the data transmitted in the tunnel. The public Internet only provides basic connectivity and transport services for the tunnel connection.
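To make the tunnel structure concrete, the following is an added illustrative example, not code from the original article: a minimal ESP-style tunnel-mode encapsulation using only Python's standard library. The keystream generator is a toy (HMAC-SHA256 in counter mode) that stands in for the AEAD ciphers real IPsec deployments use, such as AES-GCM; the keys, SPI, and private addresses are constructed values. What it shows is the layering described above: an observer on the public Internet sees the ESP header and an opaque encrypted blob, while the inner packet with its private source and destination addresses is recovered only by the gateway, which also rejects tampered and replayed packets.

```python
# Added illustrative example (not from the original article): ESP-style tunnel-mode
# encapsulation. Layout mirrors ESP: SPI | sequence number | encrypted inner packet | ICV.
# The cipher is a toy stand-in (HMAC-SHA256 counter mode), NOT a real IPsec transform.
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Constructed keys and SPI; a real security association derives these via IKE.
ENC_KEY = b"constructed-encryption-key-32-by"  # 32 bytes
MAC_KEY = b"constructed-integrity-key-32-byt"  # 32 bytes
SPI = 0x1000ABCD
ICV_LEN = 16


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream; (key, seq) must never be reused for two packets."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed stand-in for an inner IP packet: private src/dst addresses + payload."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def esp_encapsulate(seq: int, inner: bytes) -> bytes:
    """Client side: encrypt the whole inner packet, then authenticate header + ciphertext."""
    header = struct.pack(">II", SPI, seq)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(ENC_KEY, seq, len(inner))))
    icv = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


def outer_view(packet: bytes) -> dict:
    """What an observer on the public Internet can learn from the tunnel packet."""
    spi, seq = struct.unpack(">II", packet[:8])
    return {"spi": spi, "seq": seq, "encrypted_bytes": len(packet) - 8 - ICV_LEN}


class EspReceiver:
    """Gateway side: verify integrity, drop replays, then decrypt (simplified anti-replay)."""

    def __init__(self) -> None:
        self.seen_seq = set()

    def decapsulate(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < 8 + ICV_LEN:
            return None
        header, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != SPI:
            return None
        # Integrity check first: a tampered packet is discarded before decryption.
        expected = hmac.new(MAC_KEY, header + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None
        # Anti-replay: each sequence number is accepted at most once.
        if seq in self.seen_seq:
            return None
        self.seen_seq.add(seq)
        return bytes(a ^ b for a, b in zip(ct, keystream(ENC_KEY, seq, len(ct))))


if __name__ == "__main__":
    inner = build_inner_packet("10.0.1.5", "10.0.2.20", b"GET /intranet HTTP/1.1")
    pkt = esp_encapsulate(1, inner)
    print("observer sees:", outer_view(pkt))
    gw = EspReceiver()
    print("gateway recovers inner packet:", gw.decapsulate(pkt) == inner)
    print("replayed packet rejected:", gw.decapsulate(pkt) is None)
```

The outer IP header carrying the public endpoint addresses is omitted because the operating system's IP stack adds it; everything inside `esp_encapsulate` is what sits in the UDP or IP payload. Real ESP additionally pads the plaintext and appends a next-header trailer, and uses a sliding window rather than an unbounded set for replay detection.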
Major components of a VPN
The limits of the VPN tunnel connection are called VPN endpoints. On the central side, the VPN endpoint is the gateway, which is responsible for maintaining the authenticity, confidentiality, and integrity of the connection. On the client side, the VPN endpoint is usually the software client installed on the system, through which all communication in the VPN must take place. There are different solution concepts for the central gateways: they can be hardware-based VPN routers, VPN gateways, and firewalls, or software-based VPN servers. Many firewalls and routers used today are equipped with suitable VPN functions for implementing virtual private networks.
The web-based SSL VPN
A distinct form of VPN that differs significantly from IPsec-based virtual private networks is the web-based SSL VPN. The SSL VPN allows subscribers to access central applications or data without a direct connection to the internal network. If only access to individual services is possible, it is not a full virtual private network in the narrower sense. With SSL VPNs, a distinction is made between fat client, thin client, and clientless implementations.
The fat client is used to establish a VPN connection in the ordinary sense. The thin client uses a proxy mechanism provided by a plug-in and establishes the connection to remote network services; such plug-ins are available in many forms, particularly as extensions for web browsers. Clientless SSL solutions require neither a special software extension nor a separate installation. They allow users to access web applications on a company server directly via a standard web browser; here the web server acts as the interface to the internal applications.
SSL VPNs have in common that they use the SSL/TLS protocol for the transmission of data. SSL VPNs with a fat client are an alternative if IPsec tunnels cannot be established due to restrictions in a network. As with a conventional virtual private network, the client software of the fat client must be installed. It forms the client-side VPN adapter and allows all traffic between the VPN endpoints to be transmitted in an encrypted SSL/TLS connection.
VPNs – The Applications
Virtual private networks are used in many areas today. Due to the low costs for networking and the flexible and fast establishment of network connections, they have partially replaced conventional private IP networks based on dedicated lines.
In this way, multiple branches can be networked via a virtual private network using site-to-site connections. It is also possible to connect the individual computer of an employee who works from home or on the go; in this case, it is an end-to-site connection. This type of connection can be used, among other things, to secure communication via public hotspots.
Further use cases for VPNs are so-called end-to-end connections between two end devices, two servers, or one end device and one server. This type of connection is a network that consists of only two participants; further communication with other participants is not possible. An end-to-end connection can be used, for example, for the maintenance of a server, where an external service provider can set up the link to that server from their computer but not to any other subscriber in the internal network.
A typical procedure for using a VPN connection
If a virtual private network connection is to be set up from a home office, a standard dial-in process can consist of the following individual steps. First, the user establishes a connection to the public Internet via an access technology such as DSL or mobile telephony. Then they start the VPN software on their computer. Triggered automatically or manually by the user, the software establishes the connection to the central gateway of the company network via the public Internet.
The next step is to authenticate the user. Depending on the solution used, this can be a key stored in the client, a manually entered combination of user ID and password, or another feature such as a one-time password generated by a token. If the remote station can successfully authenticate the user, they are granted access to the appropriate parts of the company network.
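The authentication step of this dial-in procedure, combined with the multi-factor authentication mentioned in the section on encryption and tunneling, is illustrated by the following added example, which is not code from the original article. It models the gateway side: a password is verified against a salted PBKDF2 hash, and a second factor is checked as a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) of the kind a hardware token or authenticator app generates. The user record, salt, and shared secret are constructed values; on success, the function returns the networks that user may reach, standing in for "access to the appropriate parts of the company network".

```python
# Added illustrative example (not from the original article): gateway-side
# two-factor authentication for a VPN dial-in (password + TOTP token code).
import hashlib
import hmac
import struct
from typing import List

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30  # seconds per TOTP time step


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user database; a real gateway would query a directory or RADIUS server.
USERS = {
    "alice": {
        "salt": b"constructed-salt-alice",
        "pw_hash": hash_password("correct horse battery", b"constructed-salt-alice"),
        "totp_secret": b"constructed-shared-secret-alice",
        "allowed_networks": ["10.0.2.0/24"],
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step)


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        # Hash anyway so a missing user costs the same time as a wrong password.
        hash_password(password, b"dummy-salt")
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])


def verify_totp(user: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate token clock drift."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(rec["totp_secret"], unix_time + delta * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(user: str, password: str, code: str, unix_time: int) -> List[str]:
    """Both factors must pass; returns the networks the user is allowed to reach."""
    if verify_password(user, password) and verify_totp(user, code, unix_time):
        return list(USERS[user]["allowed_networks"])
    return []


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)  # what alice's token would display
    print("alice with both factors:", authenticate("alice", "correct horse battery", code, now))
    print("alice with wrong password:", authenticate("alice", "wrong", code, now))
```

A production gateway would additionally rate-limit attempts, remember recently used codes so a one-time password cannot be replayed within its validity window, and log both successful and failed attempts for the security operations team.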