Currently, technologies for building virtual secure private networks (VPNs) are attracting more and more attention from large companies (banks, departments, large government agencies, etc.). The reason for this interest lies in the fact that VPN technologies really make it possible not only to significantly reduce the cost of maintaining dedicated communication channels with remote divisions (branches), but also to increase the confidentiality of information exchange.
VPN technologies allow organizing secure tunnels both between company offices and to individual workstations and servers. Potential customers are offered a wide range of hardware and software for creating virtual secure networks – from integrated multifunctional and specialized devices to purely software products.
Thanks to VPN technology, many companies are starting to build their strategies with the Internet as the main medium of communication, even one that is vulnerable or vital.
There are different signs of VPN classification. Most commonly used:
- “working” level of the OSI model;
- architecture of the VPN technical solution;
- method of technical implementation of VPN.
VPN classification according to the “working” layer of the OSI model.
For technologies for secure data transmission over a public (unsecured) network, a generic name is used – a secure channel. The term “channel” emphasizes the fact that data protection is provided between two network nodes (hosts or gateways) along some virtual path laid in a packet-switched network.
VPN classification according to the “working” layer of the OSI model is of considerable interest, since the functionality of the implemented VPN and its compatibility with CIS applications, as well as with other security tools, largely depend on the selected OSI layer.
Based on the “working” layer of the OSI model, the following VPN groups are distinguished:
- VPN link layer;
- VPN network level;
- VPN session level.
Link layer VPN. VPN tools used at the link layer of the OSI model allow for encapsulation of various types of traffic of the third layer (and higher) and the construction of virtual point-to-point tunnels (from a router to a router or from a personal computer to a LAN gateway). This group includes VPN products that use L2F (Layer 2 Forwarding) and PPTP (Point-to-Point Tunneling Protocol), as well as L2TP (Layer 2 Tunneling Protocol), developed jointly by Cisco Systems and Microsoft.
VPN network layer. Network layer VPN products perform IP-over-IP encapsulation. One of the well-known protocols at this level is the IPSec (IP Security) protocol, which is designed for authentication, tunneling and encryption of IP packets. Standardized by the Internet Engineering Task Force (IETF) consortium, the IPSec protocol has incorporated all the best packet encryption solutions and should be included as a mandatory component of the IPv6 protocol.
Associated with IPSec is IKE (Internet Key Exchange), which solves the problem of secure management and exchange of cryptographic keys between remote devices. IKE automates the exchange of keys and establishes a secure connection, while IPSec encrypts and “signs” packets. In addition, IKE allows you to change the key for an already established connection, which increases the confidentiality of the transmitted information.
Session-level VPN. Some VPNs use a different approach called circuit proxies. This method operates above the transport layer and relays traffic from the secured network to the public Internet on a per-socket basis. (An IP socket is identified by a combination of a TCP connection and a specific port, or a given UDP port. The TCP / IP stack does not have a fifth — session — layer, but socket-oriented operations are often referred to as session-based operations.)
Information transmitted between the initiator and the terminator of a tunnel is often encrypted using Transport Layer Security (TLS). To standardize authenticated traffic through the DOE, the IETF has defined a protocol called SOCKS, and SOCKS v.5 is currently being used to standardize channel brokers.
VPN classification by technical solution architecture
According to the architecture of a technical solution, it is customary to distinguish three main types of virtual private networks:
- intracorporate VPN (Intranet VPN);
- VPN with remote access (Remote Access VPN);
- intercorporate VPN (Extranet VPN).
Intra-corporate VPNs are designed to provide secure communication between departments within an enterprise or between a group of enterprises united by corporate communication networks, including leased lines. VPN with remote access is designed to provide secure remote access to corporate information resources for mobile and / or remote (home-office) employees of the company.
Intercompany VPNs are designed to provide secure communications with strategic business partners, vendors, large customers, users, customers, and more. Extranet VPN provides direct access from one company’s network to another’s network, thereby improving the reliability of the communications supported in the course of business cooperation.
It should be noted that there has been a recent trend towards convergence of different VPN configurations.
VPN classification by technical implementation method
VPN configuration and performance is largely determined by the type of VPN device used.
According to the method of technical implementation, VPNs are distinguished based on:
- software solutions;
- specialized hardware with built-in cipher processors.
VPN router based. This method of building a VPN involves the use of routers to create secure channels. Since all information outgoing from the local network passes through the router, it is quite natural to assign encryption tasks to it. An example of equipment for VPN on routers is a device from Cisco Systems.
VPN based on firewalls. Most of the ME manufacturers support tunneling and data encryption functions, for example, the Firewall-1 product from Check Point Software Technologies. When using a PC-based ME, you need to remember that such a solution is only suitable for small networks with a small amount of transmitted information.
The disadvantages of this method are the high cost of the solution per one workplace and the dependence of performance on the hardware on which the ME is running.
VPN software based. Software-implemented VPN products are inferior to specialized devices in terms of performance, but have sufficient power to implement VPN-networks. It should be noted that in the case of remote access, the required bandwidth is not high. Therefore, pure software products easily provide performance sufficient for remote access. The undoubted advantage of software products is flexibility and ease of use, as well as a relatively low cost.
VPN based on specialized hardware. The main advantage of such VPNs is high performance, since the speed is due to the fact that encryption in them is carried out by specialized microcircuits. Dedicated VPN devices provide a high level of security, but they are expensive.