
How Virtual Private Networks Work

The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: A way to maintain fast, secure and reliable communications wherever their offices are. Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices.

Image courtesy Cisco Systems, Inc. A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. In this edition of HowStuffWorks, you will gain a fundamental understanding of VPNs, and learn about basic VPN components, technologies, tunneling and security.

What Makes A VPN?

There are two common VPN types:

Remote-access - Also called a virtual private dial-up network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Site-to-site - Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be either:

Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

Image courtesy Cisco Systems, Inc. Examples of the three types of VPN

A well-designed VPN can greatly benefit a company. For example, it can:

Extend geographic connectivity
Improve security
Reduce operational costs versus traditional WAN
Reduce transit time and transportation costs for remote users
Improve productivity
Simplify network topology
Provide global networking opportunities
Provide telecommuter support
Provide broadband networking compatibility
Provide faster ROI (return on investment) than traditional WAN

What features are needed in a well-designed VPN? It should incorporate:

Security
Reliability
Scalability
Network management
Policy management

Analogy: Each LAN is an Island

Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Of course, traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else. Let's say that each island represents a private LAN and the ocean is the Internet. Traveling by ferry is like connecting to a Web server or other device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you are trying to connect between two private networks using a public resource.

Continuing with our analogy, your island decides to build a bridge to another island so that there is an easier, more secure and direct way for people to travel between the two. It is expensive to build and maintain the bridge, even though the island you are connecting with is very close. But the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to a second island that is much farther away but decides that the costs are simply too much to bear. This is very much like having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet are able to connect the islands (LANs). Many companies have chosen this route because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high -- just like trying to build a bridge that spans a great distance.

So how does VPN fit in? Using our analogy, we could give each inhabitant of our islands a small submarine. Let's assume that your submarine has some amazing properties:

It's fast.
It's easy to take with you wherever you go.
It's able to completely hide you from any other boats or submarines.
It's dependable.
It costs little to add additional submarines to your fleet once the first is purchased.

In our analogy, each person having a submarine is like a remote user having access to the company's private network. Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That's essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike with leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.

VPN Security

A well-designed VPN uses several methods for keeping your connection and data secure:

Firewalls - A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.

Encryption - This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

Symmetric-key encryption
Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.

Photo courtesy Cisco Systems, Inc. A remote-access VPN utilizing IPSec

IPSec - Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

Router to router
Firewall to router
PC to router
PC to server

AAA Server - AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
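The three AAA checks above, as an added example that is not from the original article or from any vendor's product: a standard-library Python model of the RADIUS exchange between a NAS and an AAA server (RFC 2865 for authentication and authorization, RFC 2866 for accounting). The shared secret, the user database, the NAS address and the session limit are constructed sample values.

```python
# Added example (not from the original article): RADIUS Access-Request /
# Access-Accept and Accounting-Request handling with the RFC 2865/2866
# password hiding and authenticator checks. All secrets and users are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, NAS_IP, SESSION_TIMEOUT, ACCT_STATUS = 1, 2, 4, 27, 40
USERS = {b"alice": b"correct horse battery"}   # constructed user database on the AAA server


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(data):
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[i + 2:i + length]
        i += length
    return out


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def auth_digest(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + Authenticator + Attributes + Secret): the Response
    Authenticator, and (with 16 zero bytes) the Accounting-Request Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + authenticator + attrs + secret).digest()


# ---- NAS side: the device the dial-up client reaches ----
def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1):
    req_auth = os.urandom(16)                      # fresh Request Authenticator per request
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP, bytes([192, 0, 2, 10])))   # constructed NAS address
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def build_accounting_start(user: bytes, secret: bytes, ident: int = 2) -> bytes:
    attrs = attr(USER_NAME, user) + attr(ACCT_STATUS, struct.pack("!I", 1))  # 1 = Start
    return packet(ACCT_REQUEST, ident, auth_digest(ACCT_REQUEST, ident, b"\x00" * 16, attrs, secret), attrs)


def check_response(resp: bytes, req_auth: bytes, secret: bytes):
    """Accept a reply only if it was produced by a server holding the shared secret."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = auth_digest(code, ident, req_auth, resp[20:length], secret)
    if not hmac.compare_digest(resp[4:20], expected):
        return None
    return code, parse_attrs(resp[20:length])


# ---- AAA server side ----
def handle_access_request(pkt: bytes, secret: bytes) -> bytes:
    """Authentication: who you are; authorization: what you are allowed (session limit)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    reply, reply_attrs = ACCESS_REJECT, b""
    if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
        pw = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
        if hmac.compare_digest(USERS.get(attrs[USER_NAME], b""), pw):
            reply, reply_attrs = ACCESS_ACCEPT, attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
    return packet(reply, ident, auth_digest(reply, ident, req_auth, reply_attrs, secret), reply_attrs)


def handle_accounting_request(pkt: bytes, secret: bytes):
    """Accounting: what you actually do; the record is kept only if the NAS proves the secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs = pkt[20:length]
    if code != ACCT_REQUEST or not hmac.compare_digest(
            pkt[4:20], auth_digest(code, ident, b"\x00" * 16, attrs, secret)):
        return None
    return packet(ACCT_RESPONSE, ident, auth_digest(ACCT_RESPONSE, ident, pkt[4:20], b"", secret), b"")


def demo(user=b"alice", password=b"correct horse battery", secret=b"constructed-shared-secret"):
    """Full round trip: access request, verified reply, accounting start."""
    req, req_auth = build_access_request(user, password, secret)
    verified = check_response(handle_access_request(req, secret), req_auth, secret)
    acct_ok = handle_accounting_request(build_accounting_start(user, secret), secret) is not None
    return verified, acct_ok
```

The reply check matters in practice: without it a NAS would accept an Access-Accept from anyone who can spoof the AAA server's address.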

VPN Technologies

Depending on the type of VPN (remote-access or site-to-site), you will need to put in place certain components to build your VPN. These might include:

Desktop software client for each remote user
Dedicated hardware such as a VPN concentrator or secure PIX firewall
Dedicated VPN server for dial-up services
NAS (network access server) used by service provider for remote-user VPN access
VPN network and policy-management center

Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own. For example, Cisco offers several VPN solutions including:

VPN concentrator - Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN. They provide high availability, high performance and scalability and include components, called scalable encryption processing (SEP) modules, that enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

Photo courtesy Cisco Systems, Inc. The Cisco VPN 3000 Concentrator

VPN-optimized router - Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

Photo courtesy Cisco Systems, Inc. The Cisco 1750 Modular Access Router

Cisco secure PIX firewall - An amazing piece of technology, the PIX (private Internet exchange) firewall combines dynamic network address translation, proxy server, packet filtration, firewall and VPN capabilities in a single piece of hardware.

Photo courtesy Cisco Systems, Inc. The Cisco PIX Firewall

Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

Tunneling

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network. Tunneling requires three different protocols:

Carrier protocol - The protocol used by the network that the information is traveling over
Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
Passenger protocol - The original data (IPX, NetBeui, IP) being carried

Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBeui) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet. In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces to be used. In a remote-access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Remote-access VPN tunneling relies on PPP. Each of the protocols listed below was built using the basic structure of PPP and is used by remote-access VPNs.

L2F (Layer 2 Forwarding) - Developed by Cisco, L2F will use any authentication scheme supported by PPP.

PPTP (Point-to-Point Tunneling Protocol) - PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.

L2TP (Layer 2 Tunneling Protocol) - L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec.

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:

Client and router
NAS and router
Router and router

The truck is the carrier protocol, the box is the encapsulating protocol and the computer is the passenger protocol.

Think of tunneling as having a computer delivered to you by UPS. The vendor packs the computer (passenger protocol) into a box (encapsulating protocol) which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your home (exit tunnel interface) and delivers the computer. You open the box (encapsulating protocol) and remove the computer (passenger protocol). Tunneling is just that simple!

As you can see, VPNs are a great way for a company to keep its employees and partners connected no matter where they are.
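The carrier/encapsulating/passenger layering described above, as an added example that is not from the original article or from Cisco: a Python GRE-over-IPv4 encapsulator and decapsulator (RFC 2784 GRE header with no optional fields) that carries a private-address packet between two public tunnel endpoints. The private and public addresses and the UDP payload are constructed sample values.

```python
# Added example (not from the original article or Cisco): GRE-over-IPv4
# encapsulation showing the three tunneling roles: carrier (outer IPv4),
# encapsulating (GRE, RFC 2784) and passenger (inner IPv4 on private addresses).
import socket
import struct

GRE_PROTO = 47            # IP protocol number that marks a GRE payload
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 passenger


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and verify an IPv4 header; return addresses, protocol and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len, ttl, proto, src, dst = fields[2], fields[5], fields[6], fields[8], fields[9]
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Entry tunnel interface: GRE header (no C/K/S flags, version 0, type IPv4)
    wrapped around the passenger, then the carrier IPv4 header in front."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + passenger)


def gre_decapsulate(on_the_wire: bytes) -> bytes:
    """Exit tunnel interface: strip carrier and GRE headers, return the passenger."""
    outer = parse_ipv4(on_the_wire)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("carrier packet does not contain GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:   # C, K or S bit set: optional fields this example does not handle
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return outer["payload"][4:]


def demo():
    """Send a private-LAN packet across the 'Internet' between two tunnel endpoints."""
    # Passenger: a constructed UDP datagram (ports 1234 -> 53) between two RFC 1918 LANs.
    udp = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"
    passenger = build_ipv4("10.1.0.5", "10.2.0.9", 17, udp)
    # Carrier: the tunnel endpoints' public addresses (constructed, RFC 5737 ranges).
    on_the_wire = gre_encapsulate(passenger, "192.0.2.1", "198.51.100.1")
    outer = parse_ipv4(on_the_wire)          # what Internet routers see and route on
    recovered = gre_decapsulate(on_the_wire)
    return outer, parse_ipv4(recovered), recovered == passenger


if __name__ == "__main__":
    outer, inner, ok = demo()
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:", inner["src"], "->", inner["dst"], "intact:", ok)
```

Because GRE adds no encryption, anyone holding the outer packet can run gre_decapsulate on it and read the private inner addresses and payload; that is the gap IPSec in tunnel mode closes.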

The Remote Access and VPN Case Study


Escalating remote access and telecommuting needs and an increase in the use of distributed business models like extranets require pragmatic remote access solutions that are easy to use, economical, and flexible enough to meet the changing needs of every business. To support its 25,000+ employees worldwide with best-of-breed remote access and virtual private networking (VPN) services, Microsoft capitalizes on the built-in communication services included in Windows, integrated VPN firewall and caching support from Microsoft Proxy Server, and complementary services from partners such as UUnet Technologies, Inc., Telco Research, and ATCOM, Inc. This potent combination enables Microsoft to take advantage of the latest third party solutions built on Windows, preserve its legacy investment, and provide an open path for future needs. Today businesses are asking their Information Technology Groups (ITG) to deliver an increasing array of communication and networking services while squeezing the maximum possible from budgets and support staffs. At Microsoft the situation is no different. To meet these demands, the Internet Technology Group (ITG) at Microsoft looked to the Windows operating system platform and software vendors and service providers for the technology needed to meet the remote access demands of its more than 25,000 mobile sales personnel, telecommuters, and consultants around the world. Using Windows-based clients and enhanced Windows NT RAS technology available in the Windows NT Option Pack, Microsoft's ITG is currently using and deploying a custom Windows-based remote dial-up and virtual private networking (VPN) solution. New user services, in concert with new Windows-based network services from UUnet, give users quicker and easier network access while significantly reducing network costs.

Easy to Use and Manage


Integrated RAS-VPN clients

Microsoft's ITG has learned that the widespread adoption and use of technology largely depends on how easy and transparent the experience is for the end user. Likewise, ITG has learned not to deploy technologies whose complexity results in an increased support burden on its limited support staff. To simultaneously make the remote access solution easy to use and easy to manage, ITG provided the following:

Single client. ITG provided a single client for both the direct dial up and virtual private network connections. Using Windows integrated dial-up networking technology (DUN) and Microsoft Connection Manager, users use the same client interface for secure transparent access whether dialing directly to the corporate network or connecting via a VPN. In fact, users don't need to concern themselves with which method is employed.

Central management. ITG provided central management of remote dial-up and VPN access phone numbers. Microsoft ITG has found that one of the most common support problems traveling users face is determining and managing local access phone numbers. This problem translates into one of the principal reasons for support calls to Microsoft's user support centers. Using the Connection Manager Administration kit (CMAK) wizard, which is part of Microsoft's remote access solution, Microsoft's ITG preloads each client PC with an electronic "phone book" that includes every dial-up remote access phone number for Microsoft's network. The Windows solution also allows phone books to be centrally integrated and managed from a single remote location, and clients to be updated automatically. Microsoft's mobile users now receive phone book updates automatically whenever they log onto the network so they always have access to the latest phone numbers.

Windows Communication Platform


Best-of-breed solutions

The open extensibility of the Windows NT Server allowed ITG to preserve its current hardware network investments while partnering with UUnet Technologies, Inc. to provide a flexible and comprehensive network solution. In addition, using Windows NT allowed Microsoft to take advantage of third party solutions for Windows that capitalize on the extensibility afforded Windows NT-based servers and clients. The Windows platform enabled Microsoft ITG to integrate the best-of-breed network services and applications to best meet its client and network administration needs.

ATCOM Inc IPORT: High-speed Internet access on the road

Microsoft employees can also connect to high-speed Internet access by plugging into public IPORT jacks in hotels, airports, cafes, and remote locations. Microsoft's ITG used the open extensibility of Windows NT Server to integrate IPORT's pay-per-use Internet access features into its custom remote access solution. The result is that Microsoft employees connecting via the Internet can easily and securely access any Microsoft BackOffice based application, the Microsoft Intranet, and the Internet through IPORT jacks in hotel rooms and public places at rates of up to 50 times that of typical dial-up modems. This high-bandwidth, easily available connection helps Microsoft employees be more productive and have a better online experience while on the road.

Microsoft Proxy Server: Secure Internet access and VPN

Like its counterpart at every corporation, Microsoft ITG must ensure that the edge of its network is secure while still providing all its employees with the freedom needed to access information world wide. To meet this need ITG has also deployed Microsoft Proxy Server to securely separate the LAN from the Internet, while more easily securing VPN access to popular and productive network resources for Microsoft employees at the highest possible speeds. The Microsoft Proxy Server firewall capabilities protect Microsoft's network from unauthorized access from the Internet by providing network address translation and dynamic IP-level filtering to ensure that no intruders compromise the edge of network.
At the same time, Microsoft ITG uses the powerful caching services in Microsoft Proxy Server to expedite the delivery of information. Commonly accessed Intranet or Internet sites used by Microsoft employees are centrally cached and distributed to their specific remote access network server. Hierarchical caching expedites information access and optimizes network performance by reducing network load. The first time a dial-up remote user requests information from the Internet, Proxy Server processes the request on the Internet on the user's behalf and returns the contents of that page to the user. A copy of that page is also cached at the edge of the network on Microsoft Proxy Server, and can be distributed to local dial-up servers. When another remote or local user tries to access that same page from their remote location, Proxy Server passes back to the user the information from the local cache rather than from the remote server location. By reusing relevant cached information, Proxy Server is able to service subsequent users' requests of already-requested information without having to generate additional network traffic. ITG uses Microsoft Proxy Server to enable the Microsoft intranet and remote employees to operate at peak efficiency with the utmost security.

Telco Research TRU RADIUS Accountant: RAS reporting and internal usage charge back (billing)

Like many large companies with a multitude of branch offices and remote employees, Microsoft pays a substantial amount for remote access fees due to the need to maintain private leased lines and dedicated 800 numbers. In addition, the sheer number of LAN entry points and autonomy afforded its international divisions made centralized accounting and retail reporting for remote access use and roaming users important.
Using Windows NT Server 4.0, integrated user domain directory and RADIUS services, Microsoft ITG is deploying a VPN solution bolstered with centralized accounting and reporting of enterprise wide remote access and VPN use. Microsoft is deploying TRU RADIUS Accountant for Windows NT from Telco Research as part of this solution. Using Telco Research's product, Microsoft ITG is able to generate detailed reporting of remote access and VPN network use for internal cost-accounting purposes while using familiar Windows NT management tools. In this manner Microsoft ITG is able to quickly and easily deploy a turnkey reporting solution built on the intrinsic communication services of Windows NT Server. The Telco Research on Windows NT Server 4.0 RADIUS solution provides a quickly adaptable reporting and authentication solution that offers the ultimate in network flexibility. This flexibility is a key requirement for many ITG organizations in the face of continued acquisitions and mergers and the increasing convergence of IP-based network applications. This solution facilitates network integration, reduces the number of security management points, streamlines reporting, and reduces the complexity normally associated with reporting and internal usage charge back (billing) of remote access across an enterprise. As a result, Microsoft receives better security, reduced implementation costs, and enhanced reporting to improve remote access management and charge-back service while maintaining the flexibility to accommodate future change.

UUnet Technologies, Inc. VIP Services: Economical Internet access and VPN

The integrated and open services of Windows enabled Microsoft to supplement its private data network infrastructure and RAS with VPN services by working with UUnet Technologies, Inc., the largest Internet service provider in the world. Under this relationship Microsoft's VPN solution is integrated with the UUnet Radius Proxy servers through the Windows NT Server 4.0 native support for RADIUS. This provides Microsoft employees with secure local access to the Microsoft LAN through more than 1,000 Internet point-of-presence locations worldwide, at speeds ranging from 28.8 Kbps to 155 Mbps. Microsoft ITG made reliable and secure local access to UUnet Technologies IP network available to all Microsoft mobile employees, in part by Windows NT Server 4.0 Remote Access Service integrated RADIUS support.
This resulted in the delivery of high-quality VPN services over the UUnet Technologies, Inc. infrastructure at a reduced cost. Microsoft ITG conservatively estimates that this use of Windows based VPN service as an alternative to traditional remote access will save the company more than $3.5 million per year in remote access fees alone. Additional savings are expected from greatly reduced remote access configuration support, and elimination of call requests for RAS phone numbers. Integrated support for RADIUS-based authentication off of the Windows Directory in Windows NT Server also allowed Microsoft to retain all authentication rights for Internet and LAN access for its employees. This helps maintain network security and requires no change or redundant replication of directory information. In addition, the Microsoft Windows NT RADIUS solution is integrated into the Windows NT-based User Manager, which allows Microsoft ITG to capitalize on its existing Windows NT domain security scheme. Microsoft ITG is taking advantage of this integration to quickly enable Microsoft employees to engage in true VPN and to securely authenticate themselves in an easy-to-manage way. Through its relationship with UUnet Technologies, Microsoft ITG was able to instantly extend network access to its more than 25,000 employees in more than 50 countries. UUnet Technologies' transcontinental backbone provides access throughout North America, Europe, and the Asia-Pacific region so that Microsoft employees can access information locally anywhere with reliability guarantees and the support of UUnet. In short, Windows enabled a Microsoft-UUnet solution that proved a win for each company.

Planning for the Future


Economical, open system solutions

Finally, Microsoft's ITG wanted to ensure that its current investment in the remote access infrastructure would not only be able to meet today's needs, but also enable it to make the most of opportunities provided by the digital convergence of network-aware applications in the near future. The momentum of Windows NT Server as a platform for IP telephony, media-streaming technologies, and the migration to PBX systems based on Windows NT Server 4.0 is evidence of an increased need for higher degrees of client/server network application integration. The remote access solution ITG selected needed to be flexible enough to meet the forecasted demand for increasingly sophisticated and mission-critical network-aware applications. "In the end," says ITG Program Manager Ken Kubota, "what Microsoft remote employees want is easy, fast, secure access to the corporate network." The unique communication services of Windows NT Server make connecting locally through direct dial or VPN easy and secure. Intelligent partnering with companies like UUnet Technologies, Inc. and ATCOM Inc. has also enabled Microsoft ITG to increase employee productivity by providing secure, fast, reliable local connections to all available network resources from just about anywhere in the world. Using Windows NT Server as the backbone of the remote access solution provides the flexibility needed to economically address current and future needs of Microsoft ITG. The selection of a Windows-based solution allows ITG the freedom to both centrally manage and incrementally extend the Microsoft direct dial and VPN infrastructure at a controlled pace and in an open manner, through partnerships with multiple service providers, such as UUnet Technologies. Furthermore, should outsourcing network WAN services and equipment become even more prevalent, Windows provides ITG with a platform that can accommodate this migration while still preserving the value of current software and hardware investments. Windows NT Server's Routing, RAS, and VPN services, along with tight integration with Microsoft Proxy Server, are already enabling Microsoft ITG to seamlessly extend its RAS-VPN infrastructure to connect Microsoft subsidiaries, branch offices, and extranet partners securely to the corporate network over private and public networks.
In addition, the broad application support enjoyed by the Windows communication platform ensures that ITG will continue to have access to a host of rich application services made available by developers and service providers, such as ATCOM Inc., Telco-Research, and UUnet Technologies, Inc., to meet Microsoft's business needs into the future.

Solution Overview
Industry: International Software Development

Architecture: The remote access infrastructure that Microsoft's Redmond, WA, headquarters uses for its 14,000 HQ employees consists of three dedicated VPN server computers running the Windows NT Server network operating system version 4.0. Each machine runs on dual 300-MHz Pentium II processors with 193 MB of RAM, 2 x 2 gigabytes of local storage, and two 100-MB network interface cards. One network card is connected to the Microsoft local area network and the other connects to a network peering with UUnet Technologies, Inc.'s 135-MBps connection. UUnet provides this connection to the Internet via multiple DS-3 connections in Redmond. These facilities will be upgraded to multiple OC-12 (622-MBps) connections this summer. The UUnet Technologies, Inc. network that supports Microsoft's wholesale remote access and VPN services provides access to one of the largest IP networks in the world. UUnet's backbone infrastructure features a fully meshed network that extends across both the Atlantic and Pacific and includes direct fiber optic connections between Europe, North America, and Asia. UUnet also provides satellite access services for remote areas that lack Internet connections.

Server Products Used
Microsoft Windows NT Server 4.0
Routing Remote Access Service (RRAS)
Connection Manager
Connection Point Services
Internet Authentication Service
Microsoft Proxy Server, firewall and proxy services

Client Products Used
Windows 95
Windows 98
Windows NT Workstation
Merchant Builder, from The Internet Factory
FoxPro
Norton anti-virus software
