Virtual networks

The functionality of modern switches makes it possible to organize virtual networks (VLANs) and thereby build a flexible network infrastructure. So far, VLANs are not widespread, especially in small corporate networks. This is largely because configuring switches to organize VLANs is not easy, especially if the network infrastructure includes several switches. In addition, switch configuration for creating VLANs, like the configuration of other functions, can differ significantly between switches from different vendors, which is why well-known manufacturers of network equipment such as Cisco, HP, 3Com, Allied Telesyn and Avaya run special courses on working with their equipment. Clearly it is not in the manufacturers' own interest to simplify the configuration of their equipment, to make the process intuitive, and still less to develop common conventions and a single interface for configuring equipment from different manufacturers, but users are quite capable of understanding many switch capabilities on their own. Therefore, in this article we consider the capabilities of modern switches for organizing virtual networks and discuss the basic principles of their configuration.

Purpose of virtual networks

By definition, a virtual network, or VLAN (Virtual LAN), is a group of network nodes that form a single broadcast domain. This definition is correct but not very informative, so we will interpret the concept of a virtual network in a slightly different way.

When a local network is built on a switch, all nodes in the network form a single broadcast domain despite the possibility of using custom filters to restrict traffic: broadcast traffic is delivered to every node in the network. Thus a switch by itself does not restrict broadcast traffic, and networks built on this principle are called flat.

Virtual networks form a group of network nodes in which all traffic, including broadcast, is completely isolated at the data link layer from other network nodes. This means that transmission of frames between network nodes belonging to different virtual networks is not possible based on the link layer address (although virtual networks can communicate with each other at the network layer using routers).

Isolating individual network nodes at the data link layer with virtual network technology solves several problems at once. First, virtual networks improve network performance by confining broadcast traffic to the virtual network and containing broadcast storms: switches forward broadcast packets (as well as multicast and unknown-destination packets) within a virtual network, but not between virtual networks. Second, isolating virtual networks from each other at the data link layer makes it possible to improve network security by making certain resources unreachable for certain categories of users.

Types of virtual networks

Before the generally recognized standard for organizing virtual networks, IEEE 802.1Q, appeared, each manufacturer of network equipment used its own VLAN technology. This approach had a significant drawback: the technology of one manufacturer was incompatible with that of other firms, so virtual networks spanning several switches had to be built from the equipment of a single manufacturer. The adoption of the IEEE 802.1Q virtual network standard made it possible to overcome the incompatibility problem, but there are still switches that either do not support IEEE 802.1Q or, in addition to organizing virtual networks according to IEEE 802.1Q, offer other technologies.

There are several ways to build virtual networks, but today switches mainly implement port trunking technology or use the IEEE 802.1Q specification.

Virtual networks based on port trunking

Port-based virtual networks are usually implemented in so-called Smart switches or managed switches as an addition to IEEE 802.1Q VLAN capability.

This method of creating virtual networks is quite simple and, as a rule, does not cause problems. Each port on the switch is assigned to one virtual network or another, that is, the ports are grouped into virtual networks. The decision to forward a frame within such a network is based on the destination MAC address and the port associated with it. If a user's PC is connected to a port that has been assigned to a certain virtual network, for example VLAN #1, then this PC automatically belongs to VLAN #1. If a switch is connected to this port, then all ports of that switch will also belong to VLAN #1 (Fig. 1).

Figure 1. Virtual networks built using port trunking technology on a single switch

With port trunking technology, the same port can be assigned to several virtual networks at once, which allows resources to be shared between users of different virtual networks. For example, to give users of VLAN #1 and VLAN #2 shared access to a network printer or a file server, the switch port to which the printer or file server is connected must be assigned to both VLAN #1 and VLAN #2 (Fig. 2).

Figure 2. Creating a shared resource between several virtual networks using port trunking technology

The described technology has a number of advantages over the use of the IEEE 802.1Q standard, but it also has its drawbacks.

The advantages include the simplicity of configuring virtual networks. In addition, the method does not require network endpoints to support the IEEE 802.1Q standard, and since most Ethernet LAN controllers do not support it, building a network on port trunking can be easier. Finally, with this organization of virtual networks they can overlap, which allows shared network resources to be created.

Trunking VLANs are used in cases where a single switch or a stack of switches with a single management is used. However, if the network is large enough and built on several switches, then the possibilities for organizing virtual networks based on port trunking have significant limitations. First of all, this technology does not scale well and in most cases is limited to only one switch.

Consider, for example, a network built on two switches that support port-trunking virtual networks (Fig. 3).

Figure 3. Implementation of virtual networks based on port trunking when using two switches

Suppose some of the ports of the first and second switches must belong to VLAN #1 and the rest to VLAN #2. For this, it is necessary, first, that both switches be able not only to organize virtual networks by grouping ports but also to extend such networks across several switches (a function that far from all switches implement), and second, that there be as many physical connections between the switches as there are virtual networks. Consider two six-port switches. Let ports 1 and 2 of the first switch belong to VLAN #1 and ports 3 and 4 to VLAN #2; on the second switch, ports 1, 2 and 3 belong to VLAN #1 and port 4 to VLAN #2. For users of VLAN #1 on the first switch to communicate with users of VLAN #1 on the second switch, the switches must be connected to each other through ports belonging to VLAN #1 (for example, port 5 of each switch can be assigned to VLAN #1). Similarly, for VLAN #2 users on the first switch to communicate with VLAN #2 users on the second switch, the switches must be connected through ports assigned to VLAN #2 (these can be port 6 on both switches). Thus the scalability problem of port-trunking virtual networks is solved (though not in all cases) by adding redundant links between switches.

Virtual networks based on IEEE 802.1Q standard

If you have a developed network infrastructure with many switches, IEEE 802.1Q technology is a more efficient solution for creating virtual networks. In virtual networks based on the IEEE 802.1Q standard, information about which virtual network a transmitted Ethernet frame belongs to is embedded in the frame itself. Thus the IEEE 802.1Q standard defines changes to the Ethernet frame structure that allow VLAN information to be carried across the network.

A 4-byte tag is added to the Ethernet frame; such frames are called Tagged frames. The additional bits carry information about the virtual network the Ethernet frame belongs to and about its priority (Fig. 4).

The added frame tag consists of a two-byte TPID (Tag Protocol Identifier) field and a two-byte TCI (Tag Control Information) field. The TCI field, in turn, consists of the Priority, CFI and VID fields. The Priority field is 3 bits long and specifies eight possible frame priority levels. The 12-bit VID (VLAN ID) is the VLAN identifier. These 12 bits allow 4096 different VLANs to be identified; however, IDs 0 and 4095 are reserved for special use, so 4094 virtual networks can be defined in the 802.1Q standard. The 1-bit CFI (Canonical Format Indicator) field is reserved for other types of network frames (Token Ring, FDDI) carried over an Ethernet backbone and is always 0 for Ethernet frames.

Changing the Ethernet frame format means that network devices that do not support the IEEE 802.1Q standard (so-called Tag-unaware devices) cannot work with frames that carry a tag, and today the vast majority of network devices (in particular, Ethernet controllers in network endpoints) do not support this standard. Therefore, to remain compatible with devices that support IEEE 802.1Q (Tag-aware devices) as well as with those that do not, IEEE 802.1Q switches must support both traditional Ethernet frames, that is, Untagged frames, and Tagged frames.

Incoming and outgoing traffic, depending on the type of source and destination, can be formed by both Tagged frames and Untagged frames - only in this case it is possible to achieve compatibility with devices external to the switch. The traffic inside the switch is always formed by Tagged packets. Therefore, in order to support different types of traffic and so that the internal traffic of the switch is formed from Tagged packets, the frames on the receiving and transmitting ports of the switch must be converted according to predefined rules.

Ingress rules

Let us consider in more detail how a frame passes through a switch (Fig. 5). With respect to traffic, each port of the switch can act as both an ingress and an egress port. After a frame is received by an ingress port of the switch, the decision about its further processing is made according to predefined Ingress rules. Since the received frame can be either Tagged or Untagged, the ingress port rules determine which frame types the port should accept and which it should filter out. The following options are possible: accept only Tagged frames, accept only Untagged frames, or accept both types. By default, the ingress rules of all switch ports allow both frame types to be received.

Figure 5. Forwarding process in an IEEE 802.1Q compliant switch

If the ingress port rules allow it to receive a Tagged frame, which already carries information about its virtual network (VID), the frame is passed on without modification. If the port is allowed to work with Untagged frames, which carry no virtual network information, such a frame is first converted by the ingress port of the switch into a Tagged frame (recall that all frames inside the switch must carry a virtual network tag).

To make this conversion possible, each port on the switch is assigned a PVID (Port VLAN Identifier), which identifies the virtual network within the switch that the port belongs to (by default, all switch ports have the same PVID = 1). An Untagged frame is converted to a Tagged frame by adding a tag with a VID (Fig. 6). The VID of an incoming Untagged frame is set equal to the PVID of the ingress port, that is, all incoming Untagged frames are automatically assigned, inside the switch, to the virtual network that the ingress port belongs to.

Forwarding Process Rules

After all incoming frames have been filtered, converted, or left unchanged according to the ingress port rules, the decision to send them to an egress port is made according to predefined forwarding rules. The rule for forwarding frames within a switch is that frames can only be sent between ports associated with the same virtual network. As already noted, each port is assigned a PVID, which is used to convert received Untagged frames and also determines that the port belongs to the virtual network inside the switch with VID = PVID. Thus, ports with the same identifier within one switch are associated with the same virtual network. If a virtual network is built on a single switch, the port's PVID, which determines its virtual network membership, is sufficient. However, networks created this way cannot overlap, since each switch port has exactly one PVID; in this sense such virtual networks would be less flexible than port-based virtual networks. The IEEE 802.1Q standard, however, was designed from the outset for building a scalable VLAN infrastructure across several switches, and this is its main advantage over port-based VLAN technology. Port identifiers alone are not enough to extend a network beyond one switch, so each port can additionally be associated with several VLANs with different VIDs.

If the destination address of a frame corresponds to a switch port that belongs to the same virtual network as the frame itself (either the frame VID matches one of the port's VIDs or the frame VID matches the port PVID), then the frame can be transmitted. If the frame belongs to a virtual network with which the egress port is not associated in any way (the frame VID corresponds to neither the PVID nor any VID of the port), the frame cannot be transmitted and is dropped.

Egress rules

After frames inside the switch are forwarded to the egress port, their further conversion depends on the egress port rules. As already mentioned, traffic inside the switch is generated only by Tagged packets, while inbound and outbound traffic can be formed by both types of packets. According to the rules of the egress port (Tag Control), it is determined whether Tagged frames should be converted to Untagged format.

Each port on the switch can be configured as Tagged or Untagged Port. If the outbound port is defined as Tagged Port, outbound traffic will be generated by Tagged frames with information about the VLAN membership. Therefore, the egress port does not change the type of frames, leaving them the same as they were inside the switch. Only a device compliant with the IEEE 802.1Q standard, such as a switch or server with a network interface card that supports VLANs of this standard, can be connected to the specified port.

If the output port of the switch is defined as Untagged Port, then all outgoing frames are converted to the Untagged type, that is, additional information about belonging to the virtual network is removed from them. Any network device can be connected to this port, including a switch that is not compliant with the IEEE 802.1Q standard, or end-client PCs whose network cards do not support VLANs of this standard.

Configuring IEEE 802.1Q VLANs

Let's consider specific examples of configuring virtual networks of the IEEE 802.1Q standard.

To form a VLAN in accordance with the IEEE 802.1Q standard, you must do the following:

  • set the name of the virtual network (for example, VLAN # 1) and determine its identifier (VID);
  • select the ports that will belong to this virtual network;
  • set the rules for the input ports of the virtual network (the ability to work with frames of all types, only with Untagged frames or only with Tagged frames);
  • set the same PVIDs of ports included in the virtual network;
  • set egress port rules for each virtual network port, configuring them as Tagged Port or Untagged Port.

Then you need to repeat the above steps for the next virtual network. It should be remembered that only one PVID can be assigned to each port, but the same port can be part of different virtual networks, that is, it can be associated with several VIDs at the same time.

Table 1. Setting port characteristics when creating virtual networks based on one switch

Examples of building VLAN networks based on switches compatible with the IEEE 802.1Q standard

And now let's look at typical examples of building virtual networks based on switches that support the IEEE 802.1Q standard.

If there is only one switch, with end-user computers connected to its ports, then to create virtual networks completely isolated from each other, all ports must be declared Untagged Ports to ensure compatibility with the clients' Ethernet controllers. Which VLAN a host belongs to is determined by setting the PVID of its port.

Take an eight-port switch on which three isolated virtual networks VLAN #1, VLAN #2 and VLAN #3 are created (Figure 7). The first and second ports of the switch are assigned PVID = 1. Since the identifiers of these ports coincide with the identifier of the first virtual network (PVID = VID), these ports form VLAN #1 (Table 1). If ports 3, 5 and 6 are assigned PVID = 2 (coinciding with the VID of VLAN #2), then the second virtual network will be formed by ports 3, 4 and 8. VLAN #3 is formed similarly from ports 5, 6 and 7. To ensure compatibility with the end equipment (it is assumed that client PCs whose network cards are not IEEE 802.1Q compatible are connected to the switch ports), all ports must be configured as Untagged.

Figure 7. Organization of three VLANs according to the IEEE 802.1Q standard on one switch

If the network infrastructure includes several switches that support the IEEE 802.1Q standard, then a slightly different configuration principle must be used to communicate the switches with each other. Consider two six-port switches that support the IEEE 802.1Q standard and on the basis of which you need to configure three isolated virtual networks VLAN # 1, VLAN # 2 and VLAN # 3.

Let the first virtual network include clients connected to ports 1 and 2 of the first switch and to ports 5 and 6 of the second switch. VLAN # 2 refers to clients connected to port 3 of the first switch and port 1 of the second switch, and VLAN # 3 refers to clients connected to ports 4 and 5 of the first switch and ports 2 and 3 of the second switch. Port 6 of the first switch and port 4 of the second switch are used to connect the switches to each other (Figure 8).

Figure 8. Organization of three VLANs according to the IEEE 802.1Q standard on two switches

To configure these virtual networks, you must first define on each switch the three virtual networks VLAN #1, VLAN #2 and VLAN #3, specifying their identifiers (VID = 1 for VLAN #1, VID = 2 for VLAN #2 and VID = 3 for VLAN #3).

On the first switch, ports 1 and 2 must be part of VLAN #1, so these ports are assigned PVID = 1. Port 2 of the first switch must be assigned to VLAN #2, so its port identifier is set to PVID = 2. Likewise, ports 5 and 6 of the first switch are set to PVID = 3, since these ports belong to VLAN #3. All of these ports on the first switch must be configured as Untagged Ports to be compatible with client network cards.

Port 4 of the first switch is used to communicate with the second switch and must forward frames of all three VLANs unchanged to the second switch. Therefore it must be configured as a Tagged Port and included in all three virtual networks (associated with VID = 1, VID = 2 and VID = 3). In this case the port's own identifier does not matter and can be anything (in our case, PVID = 4).

A similar procedure for configuring the virtual networks is carried out on the second switch. The port configurations of both switches are shown in Table 2.

Table 2. Setting port characteristics when creating virtual networks based on two switches
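To make the tag format and the three rule sets concrete, the following is an added example (my own code, not code from the article or from any switch vendor) that builds and parses 802.1Q tags and simulates a switch applying the Ingress, forwarding and Egress rules described above, configured with the two-switch port assignment given for Fig. 8. MAC addresses and payloads are constructed, and the `accept` ingress setting, the `Port`/`Switch` names and the MAC-learning table are my assumptions for the simulation.

```python
import struct

TPID_8021Q = 0x8100              # Tag Protocol Identifier that marks an IEEE 802.1Q tag
BROADCAST = b"\xff" * 6


def build_tci(vid, priority=0, cfi=0):
    """Pack Priority (3 bits), CFI (1 bit) and VID (12 bits) into the 16-bit TCI field."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if not 1 <= vid <= 4094:                       # VID 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be in 1..4094")
    return (priority << 13) | (cfi << 12) | vid


def is_tagged(frame):
    """A Tagged frame carries the TPID where an Untagged frame carries its EtherType."""
    return struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q


def parse_frame(frame):
    """Return (dst, src, vid, priority); vid is None for an Untagged frame."""
    dst, src = frame[:6], frame[6:12]
    if not is_tagged(frame):
        return dst, src, None, 0
    tci = struct.unpack_from("!H", frame, 14)[0]
    return dst, src, tci & 0x0FFF, tci >> 13


def add_tag(frame, vid, priority=0):
    """Untagged -> Tagged: insert TPID + TCI between the source MAC and the EtherType."""
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vid, priority))
    return frame[:12] + tag + frame[12:]


def strip_tag(frame):
    """Tagged -> Untagged: remove the 4-byte tag again."""
    return frame[:12] + frame[16:]


class Port:
    def __init__(self, pvid, vids=None, tagged=False, accept="both"):
        self.pvid = pvid                            # PVID: VLAN given to Untagged ingress frames
        self.vids = set(vids or ()) | {pvid}        # VLANs the port is associated with
        self.tagged = tagged                        # egress rule: Tagged Port keeps the tag
        self.accept = accept                        # ingress rule: "both", "tagged" or "untagged"


class Switch:
    def __init__(self, ports):
        self.ports = ports                          # port number -> Port
        self.mac_table = {}                         # (source MAC, VID) -> port it was learned on

    def ingress(self, port_no, frame):
        """Apply the Ingress rules; return the frame in internal (Tagged) form, or None if filtered."""
        port = self.ports[port_no]
        tagged = is_tagged(frame)
        if (tagged and port.accept == "untagged") or (not tagged and port.accept == "tagged"):
            return None
        return frame if tagged else add_tag(frame, port.pvid)   # Untagged: VID := PVID

    def forward(self, in_port, frame):
        """Run ingress -> forwarding -> egress; return {out_port: frame as sent on the wire}."""
        internal = self.ingress(in_port, frame)
        if internal is None:
            return {}
        dst, src, vid, _ = parse_frame(internal)
        self.mac_table[(src, vid)] = in_port        # learn where the sender lives in this VLAN
        # forwarding rule: only ports associated with the frame's VLAN are candidates
        members = [n for n, p in self.ports.items() if vid in p.vids and n != in_port]
        known = self.mac_table.get((dst, vid))
        if dst != BROADCAST and known in members:
            members = [known]                       # known unicast: only the learned port
        out = {}                                    # broadcast/unknown: flood within the VLAN only
        for n in members:                           # egress rule: Untagged Port strips the tag
            out[n] = internal if self.ports[n].tagged else strip_tag(internal)
        return out


def fig8_switches():
    """Constructed configuration following the Fig. 8 port assignment in the text."""
    sw1 = Switch({1: Port(1), 2: Port(1), 3: Port(2), 4: Port(3), 5: Port(3),
                  6: Port(4, vids={1, 2, 3}, tagged=True)})   # trunk to switch 2
    sw2 = Switch({5: Port(1), 6: Port(1), 1: Port(2), 2: Port(3), 3: Port(3),
                  4: Port(4, vids={1, 2, 3}, tagged=True)})   # trunk to switch 1
    return sw1, sw2


def broadcast_across_trunk(sw1, sw2):
    """A host on sw1 port 1 (VLAN #1) broadcasts; return (sw1 ports reached, VID on trunk, sw2 ports reached)."""
    host = bytes.fromhex("0200000000a1")                      # constructed MAC address
    frame = BROADCAST + host + b"\x08\x00" + b"payload"       # Untagged IPv4 frame
    out1 = sw1.forward(1, frame)
    trunk = out1[6]                                           # leaves the trunk port Tagged
    out2 = sw2.forward(4, trunk)
    return sorted(out1), parse_frame(trunk)[2], sorted(out2)  # -> ([2, 6], 1, [5, 6])


def foreign_tag_on_access_port():
    """An end-user port whose ingress rule accepts only Untagged frames drops a frame that arrives Tagged."""
    sw = Switch({1: Port(1, accept="untagged"), 2: Port(1), 3: Port(2)})
    host = bytes.fromhex("0200000000b2")                      # constructed MAC address
    tagged = add_tag(BROADCAST + host + b"\x08\x00" + b"x", vid=2)
    return sw.forward(1, tagged)                              # -> {}
```

The broadcast from VLAN #1 reaches port 2 of the first switch as an Untagged frame, crosses the trunk as a Tagged frame with VID 1, and is flooded only to ports 5 and 6 of the second switch; the ports of VLAN #2 and VLAN #3 never see it.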

Auto registration to IEEE 802.1Q virtual networks

The examples considered so far referred to so-called static virtual networks (Static VLAN), in which all ports are configured manually; this is very transparent, but in a developed network infrastructure it becomes a rather routine job. In addition, every time users move within the network, the network has to be reconfigured to preserve their membership in the given virtual networks, which is of course highly undesirable.

There is also an alternative way of configuring virtual networks, and networks created this way are called dynamic virtual networks (Dynamic VLAN). In such networks, users can be registered in a VLAN automatically using a special registration protocol, GVRP (GARP VLAN Registration Protocol). This protocol defines how switches exchange VLAN information in order to register VLAN members on ports throughout the network automatically.

All switches that support GVRP can dynamically receive VLAN registration information from other switches (and therefore pass it on to other switches), including information about the current VLAN members, the port through which the VLAN members can be reached, and so on. GVRP uses GVRP Bridge Protocol Data Unit (GVRP BPDU) messages to communicate from one switch to another. Any GVRP-enabled device that receives such a message can dynamically join the VLAN being advertised.

The concept of virtual private networks, abbreviated VPN (from the English Virtual Private Network), appeared in computer technology recently. The creation of this type of connection made it possible to combine computer terminals and mobile devices into virtual networks without the usual wires, regardless of the location of a particular terminal. We will now consider how a VPN connection works and at the same time give some recommendations for setting up such networks and the related client programs.

What is VPN?

As the name implies, a VPN is a virtual private network with several devices connected to it. There is no need to delude yourself: it is usually not possible to connect a dozen or two simultaneously operating computer terminals (as can be done in a LAN). This has its own limitations in the configuration of the network, or simply in the bandwidth of the router responsible for assigning IP addresses and

However, the idea originally embedded in the connection technology is not new. Attempts to justify it have been made for a long time. And many modern users of computer networks do not even realize that they have known about it all their lives, but simply never tried to grasp the essence of the matter.

How a VPN works: basic principles and technologies

For a better understanding, let us give the simplest example, one that any modern person knows. Take radio, for instance. In fact, it consists of a transmitting device (transmitter), an intermediate unit (repeater) responsible for relaying and distributing the signal, and a receiving device (receiver).

The difference is that the radio signal is broadcast to absolutely all consumers, whereas a virtual network works selectively, combining only certain devices into one network. Note that in neither case are wires required to connect the transmitting and receiving devices that exchange data with each other.

But there are some subtleties here. Originally the radio signal was unprotected, that is, it could be received by any radio amateur with a working device tuned to the appropriate frequency. How does a VPN work? In exactly the same way. Only in this case the role of the relay is played by a router (router or ADSL modem), and the role of the receiver by a desktop computer, laptop or mobile device equipped with a wireless (Wi-Fi) module.

With all this, the data leaving the source is first encrypted and only then, using a special decoder, reproduced on a specific device. This principle of communication through a VPN is called tunneling. And this principle is most consistent with mobile connections, where redirection occurs to a specific subscriber.

Tunneling local virtual networks

Let us figure out how a VPN works in tunneling mode. In essence, it involves creating a certain straight line, say from point "A" to point "B", where, when data is transmitted from a central source (a router with a server connection), all network devices are determined automatically according to a predefined configuration.

In other words, a tunnel is created, with encryption when data is sent and decoding when it is received. As a result, any other user who tries to intercept data of this type during transmission will be unable to decrypt it.

Implementation means

Some of the most powerful tools for this kind of connection, and for security at the same time, are Cisco systems. True, some inexperienced administrators ask why their VPN on Cisco equipment does not work.

This is due primarily to incorrect settings and to the drivers installed for D-Link or ZyXEL routers, which require fine tuning precisely because they are equipped with built-in firewalls.

In addition, you should pay attention to the connection diagrams. There are two of them: route-to-route and remote access. In the first case we are talking about combining several distribution devices, and in the second about managing the connection or data transfer through remote access.

Access protocols

In terms of protocols, TCP/IP layer configuration tools are mostly used today, although the internal protocols of VPNs may vary.

VPN stopped working? There are some hidden parameters to look at. For example, the additional protocols PPP and PPTP, based on TCP, still belong to the TCP/IP protocol stack, but for a connection using PPTP, say, you must use two IP addresses instead of the prescribed one. In any case, tunneling involves transferring data enclosed in internal protocols such as IPX or NetBEUI, all of which are supplied with special PPP-based headers so that the data reaches the corresponding network driver without problems.

Hardware devices

Now let us look at the situation where the question arises of why the VPN does not work. It is understandable that the problem may be related to incorrect configuration of the equipment. But another situation may also arise.

It is worth paying attention to the routers themselves, which control the connection. As mentioned above, you should only use devices that match the connection parameters.

For example, routers such as the DI-808HV or DI-804HV can connect up to forty devices simultaneously. As for ZyXEL hardware, in many cases it can work even through the embedded ZyNOS network operating system, but only in command-line mode via the Telnet protocol. This approach allows any device to be configured for data transmission across three networks in a common Ethernet environment with IP traffic, and also allows the unique Any-IP technology to be used, which is designed to use a standard routing table with redirected traffic as a gateway for systems originally configured to work on other subnets.

What to do if VPN doesn't work (Windows 10 and below)?

The very first and most important condition is that the outgoing and incoming keys (Pre-shared Keys) match. They must be the same at both ends of the tunnel. It is also worth paying attention to the cryptographic encryption algorithms (IKE or Manual), with or without an authentication function.

For example, the AH protocol (Authentication Header in English) can provide only authorization, without the possibility of using encryption.

VPN clients and their configuration

When it comes to VPN clients, it's not all that simple. Most programs based on such technologies use standard tuning methods. However, there are pitfalls here.

The problem is that no matter how you install the client, nothing good will come of it while the corresponding service is turned off in the operating system itself. That is why you first need to enable these parameters in Windows, then enable them on the router, and only then proceed to configure the client itself.

In the system itself you will have to create a new connection rather than use the existing one. We will not dwell on this, since the procedure is standard, but on the router itself you will have to go into the additional settings (most often located in the WLAN Connection Type menu) and activate everything connected with the VPN server.

It is also worth noting that you will have to install the client into the system yourself as a companion program. After that it can be used even without manual setup, by simply choosing the nearest location.

One of the most popular and easiest to use is the VPN client-server program called SecurityKISS. Once the program is installed, you do not even need to go into its settings to ensure normal communication for all devices connected to the distributor.

It happens that the well-known and popular Kerio VPN Client package does not work. Here you will have to pay attention not only to the operating system itself but also to the parameters of the client program. As a rule, entering the correct parameters eliminates the problem. In extreme cases you will have to check the settings of the main connection and of the TCP/IP protocols used (v4/v6).

What's the bottom line?

We have covered how a VPN works. In principle, there is nothing difficult in the connection itself or in creating networks of this type. The main difficulties lie in setting up specific equipment and its parameters, which, unfortunately, many users overlook, relying on the whole process being automated.

On the other hand, we have so far dealt only with issues related to the technical operation of VPN networks themselves, so the equipment configuration, driver installation and so on will have to be done using separate instructions and recommendations.


In recent times the telecommunications world has shown increased interest in so-called Virtual Private Networks (VPN). This is due to the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply via the Internet (see Fig. 1). Indeed, comparing the cost of connecting several networks over the Internet with, for example, Frame Relay networks reveals a significant difference in cost. However, when networks are connected via the Internet the question of data transmission security immediately arises, so it became necessary to create mechanisms that ensure the confidentiality and integrity of the transmitted information. Networks built on such mechanisms are called VPNs.

Figure 1. Virtual Private Network.

In my essay, I will try to explain what a VPN is, what advantages and disadvantages this technology has, and what VPN implementations exist.

What is VPN

What is a VPN? There are many definitions, but the main hallmark of this technology is the use of the Internet as a backbone for carrying corporate IP traffic. VPNs are designed to solve two tasks: connecting an individual user to a remote network, and connecting several local networks to each other. The VPN fabric consists of WAN links, secure protocols, and routers.

How does a Virtual Private Network work? To join remote local networks into a corporate virtual network, so-called virtual dedicated channels are used, and these are created by tunneling. The tunnel initiator encapsulates the LAN packets (including packets of non-routable protocols) into new IP packets whose header carries the address of the tunnel initiator as source and the address of the tunnel terminator as destination. At the far end the tunnel terminator performs the reverse operation and extracts the original packet.

As noted above, such a transfer must also take confidentiality and data integrity into account, and simple tunneling provides neither: the encapsulated packet travels in the clear, and nothing stops an intermediary from altering it. To keep corporate information confidential, an encryption algorithm must be applied, the same one at both ends of the tunnel, and an integrity check (a keyed message digest) is needed so that any modification in transit is detected.
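The tunnel just described, as an added example in Python (not code from the article): encapsulate builds a real IPv4 outer header addressed from the tunnel initiator to the terminator and carries the LAN packet as its payload, and protect/unprotect show what the plain tunnel lacks, namely encryption plus an integrity tag that is checked before anything is decrypted. The sample packet and addresses are constructed; the keystream function is a stand-in built from HMAC so the code needs only the standard library, and the nonce/ciphertext/tag framing is this example's own, not the ESP format.

```python
"""Tunnel model: a LAN packet wrapped in a new IP packet (IP-in-IP), then the
same tunnel with encryption and an integrity tag (encrypt-then-MAC)."""
import hashlib
import hmac
import os
import socket
import struct

IPPROTO_IPIP = 4    # IANA protocol number for IP-in-IP (RFC 2003)
IPPROTO_TCP = 6
IPPROTO_ESP = 50    # protocol number IPsec uses for its protected payload
NONCE_LEN, TAG_LEN = 12, 32


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """(src, dst, proto, payload) of an IPv4 packet; honours the IHL field."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def encapsulate(inner: bytes, initiator: str, terminator: str, proto: int = IPPROTO_IPIP) -> bytes:
    """Tunnel initiator: the whole LAN packet becomes the payload of a new IP
    packet addressed from the initiator to the terminator."""
    return ipv4_header(initiator, terminator, proto, len(inner)) + inner


def decapsulate(outer: bytes, proto: int = IPPROTO_IPIP) -> bytes:
    """Tunnel terminator: strip the outer header and return the original packet."""
    _, _, got, payload = parse_ipv4(outer)
    if got != proto:
        raise ValueError("unexpected tunnel protocol %d" % got)
    return payload


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode) so the example needs only the
    standard library; a real tunnel uses AES or ChaCha20 here."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(inner: bytes, enc_key: bytes, mac_key: bytes, initiator: str, terminator: str) -> bytes:
    """Encrypt the inner packet, tag nonce+ciphertext, then encapsulate."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor_bytes(inner, keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return encapsulate(nonce + ct + tag, initiator, terminator, IPPROTO_ESP)


def unprotect(outer: bytes, enc_key: bytes, mac_key: bytes):
    """Check the tag before touching the ciphertext; None means the packet was
    altered in transit or produced by someone without the MAC key."""
    body = decapsulate(outer, IPPROTO_ESP)
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


def flip_bit(pkt: bytes, offset: int) -> bytes:
    """One bit flipped by an on-path attacker; against a stream cipher with no
    tag the same plaintext bit flips, and nobody notices."""
    b = bytearray(pkt)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample: a TCP segment between two private LANs.
    lan_pkt = ipv4_header("10.0.0.5", "10.1.0.7", IPPROTO_TCP, 5) + b"hello"
    plain = encapsulate(lan_pkt, "203.0.113.1", "198.51.100.2")
    ek, mk = os.urandom(32), os.urandom(32)
    sealed = protect(lan_pkt, ek, mk, "203.0.113.1", "198.51.100.2")
    print("plain tunnel exposes inner packet:", lan_pkt in plain)
    print("protected tunnel exposes inner packet:", lan_pkt in sealed)
    print("altered packet accepted:", unprotect(flip_bit(sealed, 40), ek, mk) is not None)
```

Running it shows that the plain tunnel carries the inner packet, private addresses included, verbatim inside the outer one, that the protected form hides it, and that a single flipped ciphertext bit is rejected by unprotect. Without the tag the same flip would land silently in the decrypted packet, which is the integrity problem that encryption alone does not solve.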

To build a VPN from hardware and software of different manufacturers, a standard mechanism is needed. One such mechanism is Internet Protocol Security (IPsec), which defines the standard VPN building blocks: the authentication methods used when setting up a tunnel, the encryption and integrity methods applied by the tunnel endpoints, and the mechanisms for exchanging and managing the keys between them. Its limitation is that it is IP-oriented: it protects IP packets only, so other protocols must first be carried inside IP (for example by L2TP or GRE).

Other tunneling protocols are PPTP (Point-to-Point Tunneling Protocol), developed by Microsoft together with Ascend Communications, 3Com and others; L2F (Layer-2 Forwarding) from Cisco Systems; and L2TP (Layer-2 Tunneling Protocol), which combines the two. Unlike IPsec, however, these protocols are not complete on their own (PPTP, for example, does not define an encryption method), so we will concentrate on IPsec.

When discussing IPsec we must not forget the IKE (Internet Key Exchange) protocol, which makes it possible to transfer information through the tunnel without outside interference. It solves the problem of securely agreeing and managing cryptographic keys between remote devices, while IPsec itself encrypts and authenticates the packets. IKE automates key establishment using public-key techniques (a Diffie-Hellman exchange) to set up the secure connection, and it also allows the keys of an already established connection to be changed (rekeying), which limits how much traffic any single key protects and so significantly increases the confidentiality of the transmitted information.
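What IKE contributes, as an added example in Python (standard library only; this is not IKE's message format or any vendor's code, but the same sequence of operations): a Diffie-Hellman exchange gives both gateways the same secret, a pre-shared key authenticates the exchange so that a man-in-the-middle who swaps a public value is caught, per-direction session keys are derived from the secret and both nonces, and a rekey simply runs the exchange again. The group is a toy 61-bit prime for illustration only (real IKE uses the RFC 3526 MODP or elliptic-curve groups), the AUTH computation is a simplified form of the IKEv2 pre-shared-key one, and the Gateway class and the pre-shared keys are constructed for the example.

```python
"""Key management in the IKE style, reduced to its essentials: Diffie-Hellman
for the shared secret, a pre-shared key to authenticate the exchange, session
keys derived per direction, and a rekey that replaces them on a live tunnel."""
import hashlib
import hmac
import secrets

# Toy group for illustration only: a 61-bit Mersenne prime. IKE negotiates
# real groups (2048-bit MODP from RFC 3526, or elliptic-curve groups) instead.
P = (1 << 61) - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """The pseudo-random function; IKE uses HMAC with the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p for every exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Reject degenerate public values first: 0, 1 and p-1 would force the
    shared secret into a handful of guessable values."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, private, P)


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir), expanded into one key per direction and
    purpose (encryption and integrity, initiator->responder and back)."""
    skeyseed = prf(nonce_i + nonce_r, shared.to_bytes(8, "big"))
    return {name: prf(skeyseed, name.encode()) for name in ("SK_ei", "SK_ai", "SK_er", "SK_ar")}


class Gateway:
    """One tunnel endpoint: holds the pre-shared key and its DH state."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.keys = None

    def propose(self):
        """First message: my DH public value and a fresh nonce."""
        self.priv, self.pub = dh_keypair()
        self.nonce = secrets.token_bytes(16)
        return self.pub, self.nonce

    def complete(self, peer_pub: int, peer_nonce: bytes, initiator: bool) -> bytes:
        """Derive the secret and session keys, then prove knowledge of the PSK
        bound to this exchange's public values, nonces and my role."""
        shared = dh_shared(self.priv, peer_pub)
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        pi, pr = (self.pub, peer_pub) if initiator else (peer_pub, self.pub)
        self.transcript = pi.to_bytes(8, "big") + pr.to_bytes(8, "big") + ni + nr
        self.keys = derive_keys(shared, ni, nr)
        self.role, self.peer_role = (b"I", b"R") if initiator else (b"R", b"I")
        return self._auth(self.role)

    def _auth(self, role: bytes) -> bytes:
        # Simplified IKEv2 PSK AUTH: prf(prf(PSK, "Key Pad for IKEv2"), role | transcript).
        # The role label stops a peer's own proof being reflected back at it.
        return prf(prf(self.psk, b"Key Pad for IKEv2"), role + self.transcript)

    def verify_peer(self, peer_auth: bytes) -> bool:
        """A peer without the PSK, or one whose view of the exchange differs
        (a man-in-the-middle swapped a public value), fails here."""
        return hmac.compare_digest(self._auth(self.peer_role), peer_auth)


def establish(init: Gateway, resp: Gateway) -> bool:
    """One full exchange; True only if both sides authenticate each other.
    Calling it again on a live pair is the rekey: new DH values, new keys."""
    pub_i, nonce_i = init.propose()
    pub_r, nonce_r = resp.propose()
    auth_i = init.complete(pub_r, nonce_r, initiator=True)
    auth_r = resp.complete(pub_i, nonce_i, initiator=False)
    return init.verify_peer(auth_r) and resp.verify_peer(auth_i)


if __name__ == "__main__":
    a, b = Gateway(b"example-psk"), Gateway(b"example-psk")
    print("authenticated:", establish(a, b), "same keys:", a.keys == b.keys)
    first = dict(a.keys)
    print("rekey ok:", establish(a, b), "keys changed:", a.keys != first)
```

Two details carry the security argument. The session keys never depend on the pre-shared key, so a weak PSK does not weaken the traffic keys directly; it only weakens authentication. And the proof of knowledge covers the public values and nonces of this run, so an attacker who substitutes a public value produces a transcript the genuine peer will not accept, which is exactly what plain Diffie-Hellman without authentication cannot detect.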

How to build a VPN

There are various ways to build a VPN. When choosing a solution you must consider the performance of the device that will terminate the VPN. For example, if a router is already running at the limit of its processor capacity, adding VPN tunnels with encryption and decryption can bring the whole network to a halt, because the router will no longer cope even with ordinary traffic, let alone the VPN.

Experience shows that it is best to use specialised equipment to build a VPN, but if funds are limited you can turn to a purely software solution.

Let's consider some options for building a VPN:

VPN based on firewalls

Most manufacturers' firewalls support tunneling and data encryption. All such products rest on the same reasoning: if the traffic passes through the firewall anyway, why not encrypt it there as well. An encryption module is added to the firewall software itself. The disadvantage of this approach is that performance depends on the hardware the firewall runs on; with PC-based firewalls, remember that such a solution is suitable only for small networks with modest traffic volumes.

Figure 2. Firewall VPN

An example of a firewall solution is FireWall-1 from Check Point Software Technologies. FireWall-1 uses the standard IPsec-based approach to build the VPN. Traffic entering the firewall is first decrypted and only then passed through the ordinary access-control rules, so the filtering policy sees the real packets rather than an opaque tunnel. FireWall-1 runs on Solaris and Windows NT 4.0.

Router-based VPN

Another way to build a VPN is to use routers to create the secure channels. Since all traffic leaving the local network passes through the router anyway, it is natural to assign the encryption task to it.

A striking example of router-based VPN equipment is that of Cisco Systems. Starting with IOS Software Release 11.3(3)T, Cisco routers support L2TP and IPsec. Besides plain encryption, Cisco also supports the other VPN functions, such as tunnel authentication and key exchange.


Figure 3. Router VPN

To build a VPN, Cisco uses tunneling with encryption of any IP stream. The traffic that enters a given tunnel can be selected by source and destination address, by TCP or UDP port number, and by the requested quality of service (QoS), so different flows between the same two sites can be placed in different tunnels or left outside the VPN altogether.

An optional ESA (Encryption Service Adapter) hardware module can be used to offload encryption and improve router performance.

In addition, Cisco Systems has released a dedicated VPN device, the Cisco 1720 VPN Access Router, for small and medium-sized businesses and large branch offices.

Software-based VPN

The next approach is a purely software solution: specialised software running on a dedicated computer, which in most cases acts as a proxy server. A computer with such software can be placed behind a firewall.


Figure 4. Software VPN

An example of such a solution is Digital's AltaVista Tunnel 97. With this software the client connects to the Tunnel 97 server, authenticates to it and exchanges keys. Encryption uses 56- or 128-bit RC4 (Rivest Cipher 4) keys obtained during connection establishment. The encrypted packets are then encapsulated in other IP packets, which in turn are sent to the server. During operation Tunnel 97 checks data integrity with the MD5 algorithm, and it generates new keys every 30 minutes, which significantly improves the security of the connection.

The advantages of AltaVista Tunnel 97 are easy installation and ease of use. Its disadvantages are a non-standard architecture (a proprietary key-exchange algorithm) and low performance.

VPN based on network OS

We will consider network-OS-based solutions using Microsoft's Windows NT as the example. To create a VPN, Microsoft uses PPTP, which is built into Windows NT. This solution is very attractive for organisations that use Windows as their corporate operating system, and its cost is considerably lower than that of the other solutions. A Windows NT VPN uses the NT user database held on the Primary Domain Controller (PDC). When connecting to the PPTP server, the user is authenticated with PAP, CHAP or MS-CHAP. The transmitted packets are encapsulated in GRE/PPTP packets. Encryption uses Microsoft's proprietary Point-to-Point Encryption protocol (MPPE), a stream cipher with a 40- or 128-bit key obtained when the connection is established. The disadvantages of this system are the absence of a data integrity check (with a stream cipher this means that flipping a bit of the ciphertext flips the same bit of the plaintext, undetected) and the inability to change keys during a connection. The positives are the easy integration with Windows and the low cost.
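The PPP authentication methods just listed, as an added example in Python (standard library only; not Microsoft's code, and MS-CHAP, which uses a different construction, is not modelled): PAP sends the password itself, while CHAP (RFC 1994) answers a random challenge with MD5(identifier | secret | challenge), so the secret never crosses the wire. The user database and the wordlist are constructed for the illustration. The offline_guess function shows the flip side: one captured challenge/response pair is enough to test password guesses offline, so CHAP's protection is only as good as the password.

```python
"""PPP authentication as a PPTP server sees it: PAP carries the password
itself, CHAP (RFC 1994) carries only an MD5 response to a random challenge."""
import hashlib
import hmac
import os

# Constructed user database. Note that CHAP needs the cleartext secret on
# the server side, so this table must itself be protected.
USERS = {"alice": b"correct horse battery"}


def pap_request(user: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password travels as-is, so anyone on
    the path (or reading a capture) learns it."""
    return {"user": user, "password": password}


def pap_verify(req: dict) -> bool:
    return hmac.compare_digest(USERS.get(req["user"], b""), req["password"])


def chap_challenge() -> dict:
    """Server side: a fresh identifier and random challenge per attempt."""
    return {"id": os.urandom(1)[0], "challenge": os.urandom(16)}


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier | secret | Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(chal: dict, user: str, secret: bytes) -> dict:
    """Client side: prove knowledge of the secret without sending it."""
    return {"user": user, "id": chal["id"],
            "response": chap_digest(chal["id"], secret, chal["challenge"])}


def chap_verify(chal: dict, resp: dict) -> bool:
    """Server side: recompute with the stored secret. A response captured
    for an earlier challenge does not match a new one, so replay fails."""
    secret = USERS.get(resp["user"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    return hmac.compare_digest(chap_digest(chal["id"], secret, chal["challenge"]),
                               resp["response"])


def offline_guess(chal: dict, resp: dict, wordlist):
    """What an eavesdropper can do with one captured challenge/response pair:
    test candidate secrets offline, with no further contact with the server."""
    for candidate in wordlist:
        if chap_digest(resp["id"], candidate, chal["challenge"]) == resp["response"]:
            return candidate
    return None


if __name__ == "__main__":
    chal = chap_challenge()
    resp = chap_response(chal, "alice", USERS["alice"])
    print("CHAP accepted:", chap_verify(chal, resp))
    print("replay against a new challenge accepted:", chap_verify(chap_challenge(), resp))
    print("offline guess from capture:", offline_guess(chal, resp, [b"password", b"correct horse battery"]))
```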

Private networks are used by organisations to connect to remote sites and to other organisations. They are built from communication lines leased from telephone companies and Internet service providers. The distinguishing feature of such lines is that they connect only two points and are kept separate from other traffic, since a leased line provides two-way communication between exactly two sites. Private networks have many benefits.

  • The information is kept secret.
  • Remote sites can exchange information immediately.
  • Remote users do not feel isolated from the system they are accessing.

Unfortunately, this type of network has one big disadvantage: its high cost. Using private networks is very expensive. Slower lines save money, but then remote users start to notice the lack of bandwidth and some of the benefits listed above become less obvious.

With the growing number of Internet users, many organisations have moved to virtual private networks (VPNs). A VPN offers many of the benefits of a private network at lower cost. However, introducing a VPN brings the organisation a whole set of new issues and dangers. A properly designed VPN can be of great benefit; an incorrectly implemented one can expose everything transmitted through it to the Internet.

Defining VPNs

So we intend to transmit the organisation's confidential data over the Internet without leased lines, while still taking every measure to keep the traffic private. How do we separate our traffic from that of all the other users of the global network? The answer is encryption.

Any type of traffic can be found on the Internet. Much of it travels in the clear, and anyone observing it can read it; this applies to most e-mail and web traffic and to telnet and FTP sessions. Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS) traffic is encrypted and cannot be read by an observer. However, SSH and HTTPS traffic by itself does not constitute a VPN.

Virtual private networks have several characteristics.

  • The traffic is encrypted to provide protection against eavesdropping.
  • The remote site is being authenticated.
  • Virtual private networks provide support for a variety of protocols.
  • The connection provides communication only between two specific subscribers.

Since SSH and HTTPS do not support multiple protocols, they are not true virtual private networks. VPN packets travel mixed with ordinary Internet traffic; what keeps them separate is that only the two endpoints of the connection can read them.

Note

Traffic can be carried over an SSH session using tunnels (port forwarding). For the purposes of this chapter, however, we will not treat SSH as a VPN.

Let us look at each VPN characteristic more closely. As mentioned above, VPN traffic is encrypted to prevent eavesdropping. The encryption must be strong enough to guarantee the confidentiality of the transmitted information for as long as it remains relevant. A password may be valid for only 30 days (under a policy that requires changing it every 30 days), but confidential information may keep its value for years. The encryption algorithm, and the way the VPN uses it, must therefore withstand attempts at decryption for many years, bearing in mind that an attacker can record the traffic today and attack it later.

The second characteristic is that the remote site is authenticated. This may require individual users to authenticate to a central server, or both nodes joined by the VPN to authenticate each other. The authentication mechanism used is governed by policy. The policy may require two-factor authentication of users or the use of one-time (dynamic) passwords. For mutual authentication it may be required that both sites demonstrate knowledge of a shared secret (information known in advance to both sites), or it may be required
