Virtual private network

honggarae 29/01/2022 912

Introduction

VPN is a remote access technology that, put simply, uses a public network to set up a private network. For example, an employee of a company travels to another place and wants to access the server resources of the company's intranet. This type of access is remote access.

In the traditional enterprise network configuration, remote access is carried out by renting a DDN (digital data network) dedicated line or frame relay. Such a communication scheme inevitably leads to high network communication and maintenance costs. Mobile users (mobile office workers) and remote individual users generally enter the corporate LAN through a dial-up line (Internet), but this inevitably brings security risks.

For non-local employees to access intranet resources, the VPN solution is to set up a VPN server in the intranet. After non-local employees connect to the Internet locally, they connect to the VPN server through the Internet, and then enter the corporate intranet through the VPN server. In order to ensure data security, the communication data between the VPN server and the client is encrypted. With data encryption, the data can be considered to be transmitted safely on a dedicated data link, as if a dedicated network had been set up; in fact, VPN uses a public link on the Internet, which is why it is called a virtual private network. In essence, VPN uses encryption technology to encapsulate a data communication tunnel on the public network. With VPN technology, users can access internal network resources whether they are on a business trip or working at home, as long as they can access the Internet. This is why VPNs are so widely used in enterprises.

Working principle

  1. Usually, the VPN gateway adopts a dual network card structure, and the external network card uses a public network IP to access the Internet.

  2. Terminal A of network one (assumed to be the public Internet) accesses terminal B of network two (assumed to be the company's intranet); the destination address of the access packet it sends is the internal IP address of terminal B.

  3. When the VPN gateway of network one receives the access data packet sent by terminal A, it checks its target address. If the target address belongs to the address range of network two, the data packet is encapsulated; the encapsulation method differs according to the VPN technology used. At the same time, the VPN gateway constructs a new VPN data packet and uses the encapsulated original data packet as the payload of the VPN data packet. The destination address of the VPN data packet is the external address of the VPN gateway of network two.

  4. The VPN gateway of network one sends the VPN data packet to the Internet. Since the destination address of the VPN data packet is the external address of the VPN gateway of network two, the data packet is correctly routed through the Internet to the VPN gateway of network two.

  5. The VPN gateway of network two checks the received data packet. If it finds that the data packet was sent from the VPN gateway of network one, it can determine that the data packet is a VPN data packet and unpacks it. The unpacking process mainly strips the header of the VPN data packet and then reverses the encapsulation to restore the original data packet.

  6. The VPN gateway of network two sends the restored original data packet to the target terminal B. Since the target address of the original data packet is the IP of terminal B, the data packet can be sent to terminal B correctly. From the perspective of terminal B, the data packet it receives is the same as one sent directly from terminal A.

  7. The processing of data packets returning from terminal B to terminal A is the same as the above process, so that the terminals in the two networks can communicate with each other.

From the above description, we can see that when the VPN gateway processes a data packet, two parameters are very important for VPN communication: the destination address of the original data packet (the VPN target address) and the remote VPN gateway address. According to the VPN target address, the VPN gateway can determine which data packets are processed by the VPN; generally, data packets that do not need to be processed can be forwarded directly to higher-level routing. The remote VPN gateway address specifies the destination address of the processed VPN data packet, that is, the VPN gateway address at the other end of the VPN tunnel. Since network communication is two-way, during VPN communication the VPN gateways at both ends of the tunnel must know the VPN target address and the corresponding remote VPN gateway address.

Working process

The basic processing process of a VPN is as follows:

① The host to be protected sends plaintext information to its VPN device.

② The VPN device determines whether to encrypt the data or transmit it directly, according to the rules set by the network administrator.

③ For data that needs to be encrypted, the VPN device encrypts the entire data packet (including the data to be transmitted, the source IP address and the destination IP address), attaches a digital signature, and re-encapsulates it with a new data header (including the security information and some initialization parameters required by the destination VPN device).

④ The encapsulated data packet is transmitted on the public network through the tunnel.

⑤ After the data packet arrives at the destination VPN device, it is unsealed, and after the digital signature is verified, the data packet is decrypted.
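The tunnelling steps 1 to 7 of the working principle and the protection steps ① to ⑤ above are modelled in the following Python, which is added here as an illustration and is not code from the original article. Two gateways each hold a table mapping VPN target prefixes to the remote gateway address (the two parameters the article calls out); an outbound packet whose destination is a VPN target is encrypted with a constructed HMAC-SHA256 keystream (a stand-in for the cipher a real protocol such as IPSec would use), authenticated, and wrapped in an outer packet addressed gateway to gateway; a packet to any other destination is forwarded in the clear. The receiving gateway recognises the VPN packet by its source gateway, verifies the tag before decrypting, restores the inner packet and drops anything tampered with. All addresses, keys and packets are constructed for the example.

```python
"""Two VPN gateways tunnelling traffic between "network one" and "network two".

Added example (not from the original article). Each gateway keeps the two
parameters the article calls out: the VPN target address (which destination
prefixes are tunnelled) and the remote VPN gateway address. Protected
packets are encrypt-then-MAC; the keystream cipher below is constructed
from HMAC-SHA256 as a stand-in for a real cipher such as AES, and the
receiver verifies the tag before decrypting. Addresses, keys and packets
are all constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

    def to_bytes(self):
        # Inner packet on the wire: 4-byte src, 4-byte dst, then the data
        return ipaddress.ip_address(self.src).packed + ipaddress.ip_address(self.dst).packed + self.payload

    @classmethod
    def from_bytes(cls, raw):
        return cls(str(ipaddress.ip_address(raw[:4])), str(ipaddress.ip_address(raw[4:8])), raw[8:])


def keystream(key, nonce, length):
    # Constructed CTR-style keystream: HMAC-SHA256(key, nonce || counter), truncated to length
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class VpnGateway:
    def __init__(self, external_ip, local_net, enc_key, mac_key):
        self.external_ip = external_ip
        self.local_net = ipaddress.ip_network(local_net)
        self.enc_key, self.mac_key = enc_key, mac_key
        self.tunnels = {}          # VPN target prefix -> remote gateway address
        self.forwarded_plain = []  # packets handed to ordinary routing (step 2: no encryption)
        self.delivered = []        # restored packets handed to local hosts (step 6)

    def add_tunnel(self, target_net, remote_gateway_ip):
        self.tunnels[ipaddress.ip_network(target_net)] = remote_gateway_ip

    def remote_gateway_for(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return next((gw for net, gw in self.tunnels.items() if addr in net), None)

    def handle_outbound(self, pkt):
        """Steps 2-4: tunnel if the destination is a VPN target, otherwise forward in the clear."""
        remote = self.remote_gateway_for(pkt.dst)
        if remote is None:
            self.forwarded_plain.append(pkt)
            return None
        nonce = os.urandom(NONCE_LEN)
        inner = pkt.to_bytes()                      # the whole packet, src/dst included, is protected
        ciphertext = xor(inner, keystream(self.enc_key, nonce, len(inner)))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # New outer header carries gateway-to-gateway addresses; the protected inner packet is the payload
        return Packet(self.external_ip, remote, nonce + ciphertext + tag)

    def handle_inbound(self, outer):
        """Steps 5-6: recognise the VPN packet, verify the tag, then decrypt and deliver."""
        if outer.dst != self.external_ip or outer.src not in self.tunnels.values():
            raise ValueError("not a VPN packet from a known remote gateway")
        body = outer.payload
        nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed; dropped before decryption")
        pkt = Packet.from_bytes(xor(ciphertext, keystream(self.enc_key, nonce, len(ciphertext))))
        if ipaddress.ip_address(pkt.dst) not in self.local_net:
            raise ValueError("restored packet is not addressed to this network")
        self.delivered.append(pkt)
        return pkt


def demo():
    enc_key, mac_key = b"e" * 32, b"m" * 32   # constructed pre-shared keys
    gw1 = VpnGateway("203.0.113.1", "192.168.1.0/24", enc_key, mac_key)   # network one
    gw2 = VpnGateway("198.51.100.1", "10.0.0.0/24", enc_key, mac_key)     # network two
    gw1.add_tunnel("10.0.0.0/24", gw2.external_ip)
    gw2.add_tunnel("192.168.1.0/24", gw1.external_ip)

    a_to_b = Packet("192.168.1.10", "10.0.0.20", b"GET /intranet")       # terminal A -> terminal B
    outer = gw1.handle_outbound(a_to_b)
    restored = gw2.handle_inbound(outer)
    b_to_a = Packet("10.0.0.20", "192.168.1.10", b"200 OK")              # reply path (step 7)
    reply = gw1.handle_inbound(gw2.handle_outbound(b_to_a))
    gw1.handle_outbound(Packet("192.168.1.10", "192.0.2.50", b"public"))  # not a VPN target

    tampered = Packet(outer.src, outer.dst, outer.payload[:-1] + bytes([outer.payload[-1] ^ 1]))
    try:
        gw2.handle_inbound(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "outer_header": (outer.src, outer.dst),
        "plaintext_visible": b"GET /intranet" in outer.payload,
        "restored": restored, "reply": reply,
        "plain_forwarded": len(gw1.forwarded_plain),
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the outer header addressed from 203.0.113.1 to 198.51.100.1 while the inner addresses and data are hidden, the packet restored unchanged at the far gateway, the public destination forwarded without tunnelling, and the modified packet rejected at the tag check before any decryption takes place.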

Classification standards

VPNs can be classified according to several different standards:

Classified by VPN protocol

There are three main VPN tunneling protocols: PPTP, L2TP and IPSec. Among them, PPTP and L2TP work in the second layer of the OSI model and are therefore also called layer-two tunneling protocols; IPSec is a layer-three tunneling protocol.

Classified by VPN application

(1) Access VPN (remote access VPN): client to gateway, using the public network as the backbone network to transmit VPN data traffic between devices;

(2) Intranet VPN: gateway to gateway, connecting resources from the same company through the company's network architecture;

(3) Extranet VPN: forms an extranet with a partner's corporate network, connecting the resources of one company with those of another company.

Classified according to the type of equipment used

Network equipment providers have developed different VPN network equipment according to the needs of different customers, mainly switches, routers and firewalls:

(1) Router VPN: a router VPN is easier to deploy, as it only requires adding a VPN service on the router;

(2) Switch VPN: mainly used for connecting VPN networks with fewer users;

Classified according to the implementation principle

(1) Overlay VPN: this type of VPN requires users to establish VPN links between end nodes; it mainly includes GRE, L2TP, IPSec and many other technologies.

(2) Peer-to-peer VPN: the network operator completes the establishment of VPN channels on the backbone network; this mainly includes MPLS VPN technologies.

Implementation methods

There are many ways to implement a VPN; the following four are commonly used:

1. VPN server: in a large local area network, a VPN can be realized by building a VPN server in the network center.

2. Software VPN: a VPN can be realized through dedicated software.

3. Hardware VPN: a VPN can be realized through dedicated hardware.

4. Integrated VPN: some hardware devices, such as routers and firewalls, contain VPN functions, but hardware devices with VPN functions are usually more expensive than those without.

Advantages and Disadvantages

Advantages

  1. VPN enables mobile employees, remote employees, business partners and others to take advantage of locally available high-speed broadband network connections (such as DSL, cable TV or WiFi networks) to connect to the corporate network. In addition, high-speed broadband Internet connections provide a cost-effective way to connect to remote offices.

  2. A well-designed broadband VPN is modular and upgradeable. VPN allows users to use a very easy-to-set-up Internet infrastructure, allowing new users to be added to the network quickly and easily. This capability means that companies can provide a large amount of capacity and applications without adding additional infrastructure.

  3. VPN can provide a high level of security, using advanced encryption and authentication protocols to protect data from prying eyes and to prevent data thieves and other unauthorized users from accessing the data.

  4. Full control: a virtual private network allows users to use the facilities and services of the ISP while fully controlling their own network. Users only use the network resources provided by the ISP and can manage other security settings and network management changes themselves. A virtual private network can also be established within the enterprise.

Disadvantages

  1. Enterprises cannot directly control the reliability and performance of Internet-based VPNs. Organizations must rely on the Internet service providers that provide the VPN to ensure the operation of the service. This makes it very important for companies to sign a service-level agreement with the Internet service provider that guarantees various performance indicators.

  2. It is not easy for enterprises to create and deploy VPN circuits. This technology requires a high-level understanding of network and security issues, and requires careful planning and configuration. Therefore, it is a good idea to choose an Internet service provider to be responsible for most of the work of running a VPN.

  3. VPN products and solutions from different vendors are always incompatible, because many vendors are unwilling or unable to comply with VPN technical standards. Therefore, mixing products from different manufacturers may cause technical problems. On the other hand, using equipment from a single supplier may increase costs.

  4. When using wireless devices, VPN has security risks. Roaming between access points is particularly problematic: when users roam between access points, any solution that uses advanced encryption technology may be compromised.

Relevant laws, regulations and policies

In April 2003, the Ministry of Information Industry issued the "Telecom

At the same time, the virtual private network service was separated from basic telecommunication services and became an independent value-added telecommunication service classification. But the concept of "virtual private network" here is different from the VPN business in the industry. The interpretation of this classification in the new "Telecom Service Classification Catalogue" is: Domestic Internet Virtual Private Network Service (IP-VPN) refers to operators using their own or leased public Internet network resources and adopting the TCP/IP protocol to provide domestic users with customized closed user group network services on the Internet. This explanation emphasizes two characteristics: one is the use of Internet network resources, and the other is the use of TCP/IP. This explanation corresponded to the market conditions at that time, when the focus was on IPSec VPN based on the Internet. Although the explanation can basically cover the SSL VPN model that emerged later, it did not focus on MPLS VPN.

In January 2006, the Ministry of Information Industry issued the "Announcement on Two Value-Added Telecommunications Services and Domestic Multi-party Communication Services", officially opening the two value-added telecommunications services "Domestic Internet Virtual Private Network Service" and "Online Data Processing and Transaction Processing Business"; these two value-added telecommunications services were thereby converted from commercial trials to formal commercial use.

In 2013, the Ministry of Industry and Information Technology published the "Telecom Business Classification Catalog (Draft for Comment)" and still did not make any changes to this.

On January 27, 2015, the Ministry of Industry and Information Technology responded to the VPN blocking incident, stating that some bad information should be managed in accordance with Chinese laws. The Ministry of Industry and Information Technology had previously issued regulations that companies providing VPN services in China must register, otherwise they will "not be protected by Chinese laws."

In January 2017, the Ministry of Industry and Information Technology issued the "Notice on Cleaning up and Regulating the Internet Network Structure Service Market." Enterprises and individuals without international communication business qualifications that rent international dedicated lines or VPNs to conduct cross-border telecommunications business without the approval of the competent authority are in violation of regulations. These regulations are mainly intended to clean up those who operate without a license and do not meet the standards, and will not have any impact on enterprises and individuals that comply with laws and regulations.

Regarding the VPN issue, Wen Ku, Director of the Information and Communication Development Department of the Ministry of Industry and Information Technology, added that operating related businesses in China requires applying for licenses in accordance with Chinese laws and regulations. This is actually the case in many countries around the world; it is done in the United States, Europe and Asia, although the management methods of each country are not the same. China's three major operators have done a lot of work to provide services to the people, the Internet speed has been continuously improved, and good results have been achieved.

Wen Ku said that, especially in the digital economy, the streets and lanes, and especially the shared bicycles beside subway entrances, show that network coverage is very complete and applications are becoming more and more extensive. At the same time, attention will also be paid to some of the needs of the people. However, spreading harmful or even violent and terrorist information through the Internet is not allowed by Chinese law.
