Comm Corner 
Small Office, Home Office: 
Secure Communications, 
Virtual Private Network (VPN)  
by John Woody

Remote access, as we discussed in December 1998, provides us with the potential of being in two places at one time. We looked at some of the direct means of communicating with the home/office computer when we are at another location. We also looked into the security and reliability of these direct communications methods. Remote access is only as secure as the application communications program being used. Communication application security depends on the application password capability of the program. There is also a cost to direct remote access in telco POTS or ISDN line tariff charges. Direct call-in from remote locations using one of the current applications has long-distance or private 1-800 charges attached, which must be borne by the individual or the company. 

Another (secure? reliable?) communication method now exists which uses the Internet as a Virtual Private Network (VPN). VPN is a catch-all term which encompasses several technologies for providing secure remote communications. The technology options currently in use are the dial-up remote-access server, firewall-based VPN, hardware-based VPN, outsourced ISP-provider VPN, NOS-based VPN, and software-based VPN. All have pros and cons.

VPN using either the private network or the Internet has the potential to reduce the cost of direct call-in or dedicated line charges. This cuts out the 800 number, dedicated line cost or telco credit card charges which can be incurred from remote locations. The cost factor really comes into play in a small to mid-size office where several users connect to the home office network on a regular basis. The long distance/800/credit card charges can really get out of hand. Offices which have leased telco lines between them are also candidates, in that routers and servers can be connected via the VPN to reduce the direct line access cost. In fact, routers are being manufactured which specialize in VPN.


Virtual Private Networks

VPN is a technique that provides a method of connecting a client (remote computer) to a server or home office computer via a "tunnel" through the Internet (the intermediary network). A VPN involves two computers and the route, or tunnel, between them over a public or private network. The transmitted data is usually encrypted at the remote computer, sent over the tunnel, then decrypted at the host computer and forwarded to the final address. The remote computer has control of the connection and can direct the host computer to upload and download files.

One of the main components of VPN is encryption. The obvious goal in using VPN is to limit which users and hosts have access to the home network, and to ensure that data transmitted over the Internet is encrypted so that it cannot be read in transit. The IP headers are sent in the clear while the payload (data) is encrypted; the encrypted data is encapsulated behind the public IP address header as it passes through the tunnel.

What VPN Is

A typical small business VPN network, using the Internet as the intermediary network, begins with a remote client computer running Windows 98 or NT. The connection is through a local ISP for access to the Internet. This mobile computer is set up to use VPN Dial-up Networking (DUN) to tunnel through the Internet to the home office network. The mobile client must make both a physical and a virtual connection to the ISP. First, the physical Point-to-Point Protocol (PPP) connection is made via DUN to the ISP. Second, another DUN connection, using the Point-to-Point Tunneling Protocol (PPTP), makes a logical connection over the existing PPP connection. Data sent over the logical PPP connection is encapsulated in IP datagrams that contain PPP packets. This second PPP connection creates the VPN connection to a VPN Server at the home office network. The VPN Server must be configured to handle these connections and must be running Windows NT 4.0. This second connection is referred to as a tunnel.

Tunneling is the process of sending IP packets to a server computer on a private network by routing them over another network, such as the Internet. The other network's routers cannot access computers on the private network. Tunneling provides a means for the routing network to transmit the packet to an intermediary computer, the VPN Server in the private network, which is connected to both the Internet and the private network. Both the VPN client and the VPN Server use tunneling to route packets securely to the final destination computer on the private network. Both the VPN client and the VPN Server know the final destination IP address; the routers in between see only the tunnel endpoint's IP address. The encapsulated packet may contain multi-protocol data, including IP, IPX, or NetBEUI protocols.

The protocols involved in the two-part connection process are PPP and PPTP. As noted above, the PPP connection is used to gain access to the local ISP and the PPTP connection is used to encapsulate the data. PPTP uses the Generic Routing Encapsulation (GRE) protocol to create the IP datagrams containing the encrypted data. The VPN Server then disassembles the IP datagram into a PPP packet and decrypts the PPP packet. Finally, the VPN Server sends the de-encapsulated IP, IPX, or NetBEUI packet onto the home office network to the final destination.
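To make the encapsulation described above concrete, here is an added example (not code from the column or from Microsoft) that builds and parses the PPTP "enhanced GRE" header from RFC 2637 around a constructed PPP frame. Every field it parses sits outside the encrypted payload, which is why a router, or a network monitor, can read call IDs and sequence numbers while the PPP payload stays opaque; the sample PPP frame and its placeholder payload are constructed for the demonstration.

```python
import struct

# PPTP data packets use "enhanced GRE" (RFC 2637, section 4) carried in IP
# datagrams with IP protocol number 47; the PPTP control channel is TCP port 1723.
GRE_PROTO_PPP = 0x880B   # protocol type: payload is a PPP frame
FLAG_K = 0x2000          # Key field present (always set in PPTP)
FLAG_S = 0x1000          # Sequence number present
FLAG_A = 0x0080          # Acknowledgment number present
VERSION_MASK = 0x0007    # low three bits hold the GRE version
GRE_VERSION = 1          # enhanced GRE

def gre_encapsulate(ppp_frame, call_id, seq, ack=None):
    """Wrap one PPP frame in a PPTP enhanced-GRE header (the VPN client side)."""
    flags = FLAG_K | FLAG_S | GRE_VERSION | (FLAG_A if ack is not None else 0)
    header = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame

def gre_decapsulate(datagram):
    """Undo the encapsulation (VPN server side); header fields are readable by any router."""
    if len(datagram) < 8:
        raise ValueError("too short for an enhanced GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", datagram[:8])
    if proto != GRE_PROTO_PPP or (flags & VERSION_MASK) != GRE_VERSION or not (flags & FLAG_K):
        raise ValueError("not a PPTP enhanced-GRE packet")
    hdr_len = 8 + (4 if flags & FLAG_S else 0) + (4 if flags & FLAG_A else 0)
    if len(datagram) < hdr_len + length:
        raise ValueError("datagram shorter than header plus declared payload length")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack("!I", datagram[off:off + 4])[0]
        off += 4
    if flags & FLAG_A:
        ack = struct.unpack("!I", datagram[off:off + 4])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": datagram[hdr_len:hdr_len + length]}

# Constructed sample PPP frame: address 0xFF, control 0x03, protocol 0x0021 (IP),
# followed by placeholder bytes standing in for the (possibly encrypted) inner datagram.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"<inner IP datagram bytes>"

def roundtrip():
    """Encapsulate the sample frame with call ID 7, seq 42, ack 41 and parse it back."""
    wire = gre_encapsulate(SAMPLE_PPP, call_id=7, seq=42, ack=41)
    return wire, gre_decapsulate(wire)

if __name__ == "__main__":
    wire, parsed = roundtrip()
    print("GRE header on the wire:", wire[:16].hex(), "parsed:", parsed)
```

The length check matters on the server side: a datagram whose declared payload length exceeds what actually arrived is rejected rather than silently producing a short PPP frame.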

Networks running these protocols do not need to be changed to receive and send data. Name resolution methods used on the home office network, such as Windows Internet Naming Service (WINS) for NetBIOS computers, Domain Name System (DNS) for TCP/IP host names, and Service Advertisement Protocol (SAP) for IPX networking, do not have to be changed.


Configuring The VPN

Different VPN connection configurations will be needed for both the home office network and the remote clients depending on how the VPN is to be used. For example, if a permanent TCP/IP LAN connection to a VPN Server exists, then only the VPN tunnel connection configuration to that server is required. For a connection to a remote VPN Server over the Internet, two connections must be configured: one to connect through the ISP and the other to connect via the tunnel to the VPN Server.

 Windows 95 client machines require update patches or third party VPN applications to install the VPN utilities. Windows 98 and Windows NT Server/Workstation have the VPN utilities built-in. 

The setup procedure for Windows 98 is first to load the VPN capability from the Control Panel program group. Open Control Panel, then open Add/Remove Programs and select the Windows Setup tab. Highlight the Communications check box and click the Details button to open the Communication Services list. Scroll down the Communication Services list to the Virtual Private Networking check box. Click OK, which will ask for the Windows 98 CD to load the drivers and utilities for VPN. This will set up the networking protocols, adapters, and services for VPN in Control Panel/Network. Finally, set up the DUN entries for the ISP physical connection and the VPN virtual connection.

Open Dial-Up Networking from My Computer on the Desktop and select Make New Connection to complete the physical DUN entry. Then right-click the new DUN entry and select Properties to establish the VPN connection. Select the Multilink tab and click the Use Additional Devices radio button to enable that window. Click the Add button to add the additional devices and select the devices from the pop-up menu which opens. This is a summary of how the client Windows 98 machine would be set up.


Remote Access VPN Solutions

There are several techniques for VPN, as noted above, in addition to the Microsoft solution mentioned above, all of which have good and less good features. I have reviewed several sets of tests of products and techniques over the past couple of months. One test looked at the different techniques noted above and found pros and cons of each. The most mature and therefore secure of these techniques is the dial-up access hardware (router/modem) solution. Next, according to the testing I reviewed, was the VPN dedicated hardware technique. Third, the national ISP technique provided wide-spread access, but was very pricey. Two software solutions, Microsoft PPTP and Digital's AltaVista Tunnel 97 applications, were fourth in the review. Software solutions are the latest techniques to be used and are still being sorted out. The firewall solution was the most secure and at the same time the slowest, due to the very high level of encryption. Any of the techniques which use encryption are slow because any data packet which is encrypted cannot be compressed for transmission.


What Others are Saying

Other writers are recommending that care be taken when choosing a VPN technique. The whole VPN developer community is hard at work refining the ideas to enhance their customer bases. The primary user concerns center around performance and security. The other two factors which concern users are reducing the cost of leased Wide Area Network (WAN) lines and reduction of the level of IT expertise required for network administration. 

VPN developers are concentrating software efforts on the IP Security (IPSec) standard, which provides VPN security through authentication of the host and end point, data integrity checking, and encryption. Microsoft Windows 2000 (NT 5.0), for example, will include the capability to use Open Systems Interconnection (OSI) Layer 2 tunneling with IPSec. These developments go a long way in relieving the concerns about security and reliability over the Internet, since most VPN solutions are directed at the Internet.

Management of VPN in large and mid-size companies is becoming a concern as the number of VPN users increases. Time-of-day access policies are one technique for controlling how VPN is used. Out-sourcing of VPN management may be divided, with the overall "VPN box" handled by the out-source firm and user authentication held within the company. Point-of-Presence (POP) reliability is another area where the next generation of VPN use will be reviewed. This is to say that a remote POP which had a bad connection at one time will be judged unreliable and placed at the bottom of user lists. Some developers are placing all the client software in the VPN router, from which it will be downloaded automatically to remote users.


Who is Developing VPN

Microsoft leads the software developer techniques with its PPTP layer 2 developments. Axent Technologies has a large company program in the works. Compaq is offering AltaVista Tunnel 98 as its next software solution. One of the firewall techniques is being offered by RadGuard Inc., and is also in the large company category. Other VPN firewall developers are Ascend Communications, Aventail Corporation, Lucent Technology, Network Associates Inc., and NetScreen Technologies. 3Com, Bay Networks, Shiva, Check Point, and Cisco each have a class of hardware solutions in their new routers, for example.


Conclusion

The state of VPN is such that buyers or IT managers need to really research the solutions to make the right call. This is especially true for SOHO/individual users. The SOHO/individual user must be concerned with the cost of remote Internet access, in that a national ISP may be required if the remote user is outside his local ISP's scope of operations. Bandwidth is another consideration. POTS dial-up may not be enough for several remote users. Hardware VPN solutions may still be beyond the cost reach of SOHO/individual users. The potential for secure communication is there for SOHO/individuals. The technology is being developed and will be mature enough for general use within the next few years.

John Woody is a telecommunications consultant specializing in small business communications, networks, and Internet business training.