Let's use an example to explain how VPNs work. The Virtual Entity Networks Inc. (VEN Inc.) has two branches, London and Sydney. If the Australian branch in Sydney decides to contract a supplier, then the London office might need to know that immediately. The main part of the IT infrastructure is set up in London. In Sydney there are twenty people whose work depends on the availability of the data hosted on London servers.
Both sites are equipped with a permanent Internet line. An Internet gateway router is set up to provide Internet access for the staff. This router is configured to protect the local network of the site from unauthorized access from the other side, which is the "evil" Internet. Such a router, set up to block specific traffic, can be called a firewall, and one must be present at every branch that is to take part in the VPN.
The VPN Software must be installed on this firewall (or a device or server protected by it). Many modern firewall appliances from manufacturers like Cisco or BinTec include this feature, and there is VPN Software for all hardware and software platforms.
In the next step, the VPN Software has to be configured to establish the connection to the other side: e.g. the London VPN server has to accept connections from the Sydney server, and the Sydney server must connect to London (or vice versa).
If this step is successfully completed, the company has a working Virtual Network. The two branches are connected via the Internet and can work together as if they were on one local network. At this point, however, we have a virtual network without privacy, because any Internet router between London and Sydney can read the data exchanged. A competitor gaining control over such a router could read all relevant business data passing through the virtual network.
So how do we make this Virtual Network private? The solution is encryption. The VPN traffic between the two branches is locked with keys, and only computers or persons holding the right key can open the lock and read the data sent.
All data sent from Sydney to London or from London to Sydney must be encrypted before and decrypted after transmission. The encryption safeguards the data in the connection like the walls of a tunnel protect the train from the mountain around it. This explains why Virtual Private Networks are often simply known as tunnels or VPN tunnels, and the technology is often called tunneling—even if there is no quantum mechanics or other magic involved.
The exact method of encryption, and of providing the keys to all parties involved, is one of the main distinguishing factors between different VPN solutions.
A VPN connection is normally built between two Internet access routers equipped with a firewall and VPN software. The software must be set up to connect to the VPN partner, the firewall must be set up to allow that connection, and the data exchanged between the VPN partners must be secured by encryption. The encryption key must be provided to all VPN partners, so that the data exchanged can only be read by authorized VPN partners.
In the earlier examples, we have discussed several possible scenarios for the use of VPN technology. But one typical VPN solution must be added here: more and more enterprises offer their customers or business partners protected access to data relevant to their business relations, such as order forms or stock data. Thus, we have three typical scenarios for VPN solutions in modern enterprises:
An intranet spanning over several locations of a company
A dial-up access for home or field workers with changing IPs
An extranet for customers or business partners
Each of these typical scenarios requires special security considerations and setups. External home workers will need different access to servers in the company than customers and business partners do. In fact, access for business partners and customers must be restricted far more tightly, typically to the few servers and services they actually need.
Now that we have seen how a VPN can securely connect a company in different ways, we will have a closer look at the way VPNs work. To understand the functionality, some basic network concepts need to be understood.
All data exchange in computer networks is based on protocols. Protocols are like languages or rituals that must be used between communication partners in networks. Without the correct use of the correct protocol, communication fails.
Networking Concepts—Protocols and Layers
There is a huge number of protocols involved in any action you take when you access the Internet or a PC in your local network. Your Network Interface Card (NIC) will communicate with a hub, a switch, or a router; your application will communicate with its counterpart or a server on the other PC; and many more protocol-based communication procedures are necessary to exchange data.
To bring order to this, the Open Systems Interconnection (OSI) reference model was created. Every protocol used in today's networks can be classified by this scheme.
The OSI specification defines seven numbered layers of data exchange, which start at Layer 1 (the physical layer) of the underlying network media (electrical, optical, or radio signals) and span up to Layer 7 (the application layer), where applications on PCs communicate with each other.
The layers of the OSI model are:
1. Physical Layer: Sending and receiving through the hardware.
2. Data Link Layer: Direct communication between network devices within the same medium.
3. Network Layer: Routing, addressing, error handling, etc.
4. Transport Layer: End-to-end error recovery and flow control.
5. Session Layer: Establishing connections and sessions between applications.
6. Presentation Layer: Translating between application data formats and network formats.
7. Application Layer: Application-specific protocols.
This set of layers is hierarchical: each layer provides a service to the layer above it and relies on the services of the layer below it. Only when the protocols of the Physical Layer communicate successfully is control handed to the next layer, the Data Link Layer, and only if all layers 1 through 6 communicate successfully can data be exchanged between applications on Layer 7.
In the Internet, however, a slightly different approach is used.
The Internet is mainly based on the Internet Protocol (IP).
The layers of the IP model are:
1. Link Layer: A concatenation of OSI Layers 1 and 2 (Physical and Data Link Layers).
2. Network Layer: Comprises the Network Layer of the OSI model.
3. Transport Layer: Comprises protocols like Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which are the basis for protocols of the Application Layer.
4. Application Layer: Concatenation of OSI Layers 5 through 7 (Session, Presentation, and Application Layers). Its protocols, like HTTP or FTP, run on top of the Transport Layer protocols.
A network packet consists of two parts: header and data. The header is a sort of label containing metadata on sender, recipient, and administrative information for the transfer. At the link layer of an Ethernet network, these packets are called frames. In the context of the Internet Protocol they are called datagrams, Internet datagrams, IP datagrams, or simply packets.
So what do VPNs do? VPN Software takes IP packets or Ethernet frames and wraps them into another packet. This may sound complicated, but it is a very simple trick, as the following examples will show:
Example 1: Sending a (not really) anonymous parcel
You want to send a parcel to a friend who lives in a commune with strange people, whom you don't trust. Your parcel has an address label with sender and recipient data (like an Internet packet). If you do not want the commune to know that you sent your friend a parcel, but at the same time you want your friend to realize this before he opens it, what would you do? Just wrap the whole parcel in another parcel with a different address label (e.g. without your sender information), and no one in the commune will know that this parcel is from you. But your friend will unpack the first layer and find a parcel still wrapped, with an address label from you.
Example 2: Sending a locked parcel
OK, now let's distrust the commune still more. Somebody might want to open the parcel in order to find out what's inside. To prevent this, you will use a locked case. There are only two keys to the lock, one for you and one for your friend. Only you and your friend can unlock the case and look inside.
VPN Software uses a combination of the earlier two examples:
Whole Network packets (frames, datagrams) consisting of header and data are wrapped into new packets.
All data including metadata like recipient and sender are encrypted.
The new packets are labeled with new headers containing meta-information about the VPN and are addressed to the VPN partner.
VPN Software systems differ mainly in the specific way they wrap and lock the data.
We have learned already that VPN technology is often called tunneling, because the data in a VPN connection is protected from the Internet as the walls of a road or rail tunnel protect the traffic inside from the masses of stone of the mountain above. Let's now have a closer look at how VPN Software does this:
The VPN software in locations A and B encrypts (locks) and decrypts (unlocks) the data and sends it through the tunnel. Like cars or trains in a tunnel, the data cannot go anywhere else but to the other tunnel endpoint.
The following are put together and wrapped into one new package:
Tunnel information (like the address of the other endpoint)
Encryption data and methods
The original IP packet (or network frame)
The new package is then sent to the other tunnel endpoint. The payload of this package now holds the complete IP packet (or network frame), but in encrypted form and thus not readable for anyone not possessing the right key. The new header of the packet simply contains the addresses of sender and recipient and other metadata necessary for and provided by the VPN software used.
Perhaps you have noticed that the amount of data sent grows during the process of "wrapping". Depending on the VPN software used, this so-called overhead can become an important factor. The overhead is the difference between the net data handed to the tunnel software and the gross data the VPN software actually sends through the tunnel. If a file of 1 MB sent from user A to user B causes 1.5 MB of traffic in the tunnel, the overhead is 50%, a very high level. (Please note that every protocol involved causes overhead, so not all of that 50% is necessarily the fault of the VPN solution.) The overhead caused by the VPN Software depends on two things: the administrative data it adds (its own header, plus the new IP and transport headers of the outer packet) and the encryption used (initialization vectors, block-cipher padding, and authentication tags). The first is fixed by the VPN software chosen and is added to every packet, so small packets such as keystrokes or DNS queries suffer a far higher percentage of overhead than full-size packets carrying a file transfer. The second is a matter of choice between security and speed: a longer authentication tag costs bytes in every packet, and a stronger cipher or longer key costs CPU time at both ends. Speed versus security is your choice.
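To make the layering, the wrapping and locking, and the overhead concrete, here is an added example in Python. It is not code from the original text and not the code of any particular VPN product: a "Sydney" endpoint takes a complete inner IPv4/UDP packet (built layer by layer, so each layer's header is visible), locks it and wraps it into a new packet addressed to "London", London checks the lock and unwraps it, and a small function works out the gross-versus-net figures discussed above. The IPv4 and UDP header layouts are the real wire formats; the 4-byte VPN header, port 5000, the addresses, the keys, and the HMAC-based counter-mode cipher with a 32-byte tag are stand-ins chosen for the illustration (a real VPN would use a standard cipher such as AES-GCM or ChaCha20-Poly1305).

```python
"""Toy site-to-site tunnel: layering, wrapping, locking, and overhead.

Added illustration, not code from the original text. IPv4/UDP headers use the real
wire formats; the VPN header, HMAC-based counter-mode cipher, 32-byte tag, addresses,
port 5000 and keys are stand-ins (real VPNs use AES-GCM or ChaCha20-Poly1305).
"""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

IPV4 = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
UDP = struct.Struct("!HHHH")           # 8-byte header
VPN = struct.Struct("!BBH")            # version, flags, inner length
NONCE_LEN, TAG_LEN, PROTO_UDP = 16, 32, 17
TUNNEL_OVERHEAD = IPV4.size + UDP.size + VPN.size + NONCE_LEN + TAG_LEN  # 80 bytes per packet

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Layer 3 prepends its header to whatever Layer 4 handed down."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    hdr = IPV4.pack(0x45, 0, IPV4.size + len(payload), 0, 0x4000, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Layer 4 header in front of the application data (checksum 0 is legal over IPv4)."""
    return UDP.pack(sport, dport, UDP.size + len(payload), 0) + payload

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter mode over a PRF: stand-in for a real cipher."""
    return b"".join(hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(enc_key: bytes, mac_key: bytes, aad: bytes, plain: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also covers the unencrypted VPN header (aad)."""
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, aad: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; forged or altered packets are dropped."""
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: packet forged or modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Endpoint:
    """One tunnel end, e.g. the London or the Sydney firewall."""

    def __init__(self, local: str, peer: str, enc_key: bytes, mac_key: bytes, port: int = 5000):
        self.local, self.peer, self.port = local, peer, port
        self.enc_key, self.mac_key = enc_key, mac_key

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap a complete inner packet (header + data) into a new, locked packet."""
        vpn_hdr = VPN.pack(1, 0, len(inner))
        body = seal(self.enc_key, self.mac_key, vpn_hdr, inner, os.urandom(NONCE_LEN))
        return build_ipv4(self.local, self.peer, PROTO_UDP,
                          build_udp(self.port, self.port, vpn_hdr + body))

    def decapsulate(self, outer: bytes) -> bytes:
        """Strip the outer IPv4/UDP headers, unlock, and return the original packet."""
        if outer[9] != PROTO_UDP or str(IPv4Address(outer[16:20])) != self.local:
            raise ValueError("not addressed to this tunnel endpoint")
        udp = outer[(outer[0] & 0x0F) * 4:]
        if UDP.unpack_from(udp)[1] != self.port:
            raise ValueError("not tunnel traffic")
        vpn_hdr = udp[UDP.size:UDP.size + VPN.size]
        inner = unseal(self.enc_key, self.mac_key, vpn_hdr, udp[UDP.size + VPN.size:])
        if len(inner) != VPN.unpack(vpn_hdr)[2]:
            raise ValueError("inner length mismatch")
        return inner

def overhead_percent(net_bytes: int, packet_payload: int = 1400) -> float:
    """Gross vs net for a transfer split into packets; the fixed cost hurts small ones most."""
    packets = -(-net_bytes // packet_payload)  # ceiling division
    return 100.0 * packets * TUNNEL_OVERHEAD / net_bytes

if __name__ == "__main__":
    enc, mac = os.urandom(32), os.urandom(32)  # shared keys, handed to both sides out of band
    sydney = Endpoint("203.0.113.10", "198.51.100.20", enc, mac)
    london = Endpoint("198.51.100.20", "203.0.113.10", enc, mac)
    # Constructed inner packet: a Sydney workstation querying a London server.
    inner = build_ipv4("10.2.0.15", "10.1.0.5", PROTO_UDP, build_udp(40000, 53, b"order #4711"))
    outer = sydney.encapsulate(inner)
    assert london.decapsulate(outer) == inner and inner not in outer
    print(f"{len(inner)} -> {len(outer)} bytes; 1 MiB file: {overhead_percent(2**20):.1f}% overhead")
```

Two things are worth noticing when running it. The outer packet carries the whole inner packet, original header included, as ciphertext, so a router in between sees only the two firewall addresses and the tunnel port, and a single flipped byte makes London drop the packet before decrypting, which is the "only the key holders can open the lock" property of the locked-case example. The wrapping costs a fixed 80 bytes per packet here, which is under 6% for full-size packets but 125% for a 64-byte packet; a 1 MB file sent in full-size packets therefore produces far less than the 1.5 MB of the text's worst case, and that figure is reached only with small packets or heavy additional protocol overhead.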