VPN: What They Are and Why They Are Used

Sameeratakhtani
5 min read · Jan 13, 2021

The need for connectivity between a company's remote offices, together with the constant increase in mobile work, has grown alongside the quality and speed of broadband connections. The logical consequence is the increasingly widespread use of VPN connections. The acronym stands for Virtual Private Network. Generalizing: the use of “public” infrastructure outside one's own control (and management) to implement a secure connection between a company's various offices, or between a “road warrior” and their own headquarters.

The technical discussion of the subject is vast and complex; the English and Italian Wikipedia entries offer extensive explanations and several links for further reading. Here I will try to give an overview of VPNs, with the basic concepts and a hint of the most common implementation methods.

A VPN lets you securely connect the two ends of a connection over a non-dedicated network, typically the internet, cutting the cost of the dedicated CDN lines that were once the only option. This brings several benefits, the main ones being:

· Economy: infrastructure costs are reduced. Choosing the right implementation at the design stage lets you pick the most appropriate solution at the best sustainable cost.

· Simplicity: the technology is very mature and does not require esoteric skills.

· Security: it is based on standards that are mostly open and universally recognized as secure. With a few precautions, good compromises between ease of access and reasonable security can be obtained.

The concept is quite simple and adopts the “hub and spoke” paradigm: a central office from which the connections to the remote offices fan out. (It is evident that the “mesh” model is not sustainable in the particular case of VPNs.) With appropriate rules it is possible to decide that each remote office reaches only the central node, or to also allow traffic between the peripheral sites. In the particular case of a connection between only two sites, the model is simplified.

There are many possible solutions, ranging from a simple server running open-source software to expensive redundant appliances in high-availability (HA) configurations: the choice depends on cost, integration with existing infrastructure, required bandwidth, workload, and how critical the connection is, to name just some of the factors that determine which system to rely on.

In some cases, building a site-to-site VPN can be delegated entirely to the connectivity provider. This is a choice made mainly by small and medium-sized companies, often without an IT department. In Italy I have mainly come across solutions from Telecom, which uses the VPN capabilities of Cisco routers (I think; correct me in the comments), and Fastweb, which implements MPLS networks on its fiber infrastructure.

There are many reasons to use a VPN, one of the most common being remote access to applications that are not suitable for being published directly on the internet: for example file sharing and vertical applications, perhaps on proprietary platforms. Ideal candidates for VPN access are resources that lack native tools to ensure their security beyond the corporate perimeter. Depending on the level of protection required, it is up to the perimeter system engineer to decide, when possible, whether those resources should be placed in the DMZ or whether access should go directly to the LAN.

Implementation is not without problems: VPN traffic is often sensitive to routers that handle packets too casually, or runs into difficulties due to MTU settings. Diagnostics are by no means easy: syslog messages are hard to interpret and often show only the effect, not the cause. Fortunately, the complicated cases are a fraction of the total: very often the installation presents no particular problems.

In the case of a site-to-site or hub-and-spoke connection it is not necessary to touch the hosts on the local network; it is enough to make sure that the separate offices have address plans that do not overlap, to avoid routing problems and complicated subnetting maneuvers. (Do yourself a big favor: different networks, always.) The VPN is implemented through software or appliances that communicate with their remote counterpart and represent the endpoint of the VPN, i.e. the place where incoming packets are decrypted and routed in clear text to the destination host, and outgoing packets are encrypted, encapsulated, and sent to the remote gateway.

In simpler implementations the VPN endpoint is the same firewall that controls traffic to and from the outside; if instead the two do not coincide, a static route must be defined on the default gateway so that traffic for the remote networks is routed correctly.

In the case of mobile users or very small offices (one or two hosts), a client component connects the node directly to the remote network. Typically this is proprietary software provided by the appliance manufacturer, which creates a virtual network adapter on which the VPN traffic travels. In these cases ARP proxying mechanisms come into play rather than routing. In most cases you could use the native tools that the various operating systems make available, but the procedure is so complicated (at least on Windows) that the use of these virtual drivers is universally widespread. Indeed, for access to a limited set of resources by a few clients, an SSH tunnel could be considered, which is even easier to set up.

I have been using OpenVPN for a long time and I am very happy with it. It does not require special resources and allows me to access my entire network by publishing a single TCP port and without having a static public IP.

In principle the different appliances are interoperable, but often with some difficulty. With matching units, the work is very often limited to filling in one or two dialog windows with the same data in complementary positions.

For users who need to work from public computers, kiosks, and shared machines, SSL-VPN solutions offer the convenience of reaching the remote network through a browser and a few Java components, and have the advantage of working in tightly controlled environments: it is enough that SSL traffic over HTTPS (TCP/443) gets through. The disadvantage is the weaker integration with the system and the need to install an “invasive” component if full access to the network is wanted.

Ultimately, VPNs offer a number of benefits that certainly make them interesting; in return, a little care is needed in the design and a little attention to security management: one-time password mechanisms, tokens, careful access control, and account management (RADIUS) are some of the methods to adopt to ensure a (fairly) peaceful sleep.
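The post names one-time passwords as a second factor for VPN logins without saying which scheme; the following added example (not code from the original post) assumes the common time-based variant, TOTP from RFC 6238 built on HOTP from RFC 4226, and shows what a verifier on the VPN side has to get right: a small drift window, constant-time comparison, and refusal to accept a code that was already used. The secret is the RFC test key, not a real credential.

```python
"""TOTP one-time passwords (RFC 6238 over RFC 4226 HOTP) as a VPN second factor.
Added example; RFC_TEST_SECRET is the published RFC sample key, not a real secret."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 4226 / RFC 6238 test vectors ("12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode a base32 secret as shown in authenticator enrollment strings
    (padding is often omitted, so it is restored here)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, last_counter=-1, at=None, step=30, window=1, digits=6):
    """Return the time-step counter the code matched, or None if it is rejected.

    - Accepts the current step or up to `window` adjacent steps, to tolerate
      clock drift between the token and the VPN gateway.
    - Rejects any counter not newer than `last_counter`, so a code that was
      already accepted cannot be replayed within the drift window; the caller
      must persist the returned counter per account.
    - Uses hmac.compare_digest so the comparison does not leak via timing.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), code) and candidate > last_counter:
            matched = candidate
    return matched


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET))
    print("RFC vector at t=59:", totp(RFC_TEST_SECRET, at=59))
```

Tokens, RADIUS and access control are the surrounding pieces: the RADIUS server (or the VPN appliance itself) holds the per-user secret and the last accepted counter, and the `verify_totp` result decides whether the login proceeds. Keeping the window small matters; each extra step of tolerance multiplies the number of codes an attacker could guess at a given moment.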

Find the best total security software with your VPN to prevent all types of malicious attacks.
