Virtual private network
A virtual private network is an overlay network that uses network virtualization to extend a private network across a public network, such as the Internet, via the use of encryption and tunneling protocols. In a VPN, a tunneling protocol is used to transfer network messages from one network host to another.
Host-to-network VPNs are commonly used by organizations to allow off-site users secure access to an office network over the Internet. Site-to-site VPNs connect two networks, such as an office network and a datacenter. Provider-provisioned VPNs isolate parts of the provider's own network infrastructure in virtual segments, in ways that make the contents of each segment private with respect to the others. Individuals also use VPNs to encrypt and anonymize their network traffic, with VPN services selling access to their own private networks.
VPNs can enhance usage privacy by making an ISP unable to access the private data exchanged across the VPN. Through encryption, VPNs enhance confidentiality and reduce the risk of successful data sniffing attacks.
Background
A network is a group of communicating computers known as hosts, which communicate data to other hosts via communication protocols, as facilitated by networking hardware. Within a computer network, computers are identified by network addresses, which allow rule-based systems such as Internet Protocol to locate and identify hosts. Hosts may also have hostnames, memorable labels for the host nodes, which are rarely changed after initial assignment. The transmission medium that supports information exchange includes wired media like copper cables, optical fibers, and wireless radio-frequency media. The arrangement of hosts and hardware within a network architecture is known as the network topology.Apart from physical transmission media, networks comprise network nodes such as network interface controllers, repeaters, hubs, bridges, switches, routers, and modems:
- The network interface controller is computer hardware that connects the computer to the network media. In Ethernet networks, each NIC has a unique Media Access Control address, usually stored in the controller's permanent memory.
- A repeater is an electronic device that receives a network signal, cleans it of unnecessary noise and regenerates it. The signal is retransmitted at a higher power level, or to the other side of obstruction so that the signal can cover longer distances without degradation.
- An Ethernet repeater with multiple ports is known as an Ethernet hub. In addition to reconditioning and distributing network signals, a hub assists with collision detection and fault isolation for the network. Hubs and repeaters in LANs have been largely obsoleted by modern network switches.
- Unlike hubs, which forward communication to all ports, network switches forward frames only to the ports involved in the communication. Switches normally have numerous ports, facilitating a star topology for devices, and for cascading additional switches. Network bridges are analogous to a two-port switch.
- * Bridges and switches operate at the data link layer of the OSI model and bridge traffic between two or more network segments to form a single local network. Both are devices that forward frames of data between ports based on the destination MAC address in each frame. Network segmentation through bridging and switching helps break down a large, congested network into an aggregation of smaller, more efficient networks.
- A router is an internetworking device that forwards packets between networks by processing the addressing or routing information included in the packet.
- Modems are used to connect network nodes via wire not originally designed for digital network traffic, or for wireless.
Network communication
In a protocol stack, often constructed per the OSI model, communications functions are divided into protocol layers, where each layer leverages the services of the layer below it until the lowest layer controls the hardware that sends information across the media. The use of protocol layering is ubiquitous across the field of computer networking. An important example of a protocol stack is HTTP, the World Wide Web protocol. HTTP runs over TCP over IP, the Internet protocols, which in turn run over IEEE 802.11, the Wi-Fi protocol. This stack is used between a wireless router and a personal computer when accessing the web.
Most modern computer networks use protocols based on packet-mode transmission. A network packet is a formatted unit of data carried by a packet-switched network. Packets consist of two types of data: control information and user data. The control information provides data the network needs to deliver the user data, for example, source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers, with payload data in between.
The Internet protocol suite, also called TCP/IP, is the foundation of all modern networking and the defining set of protocols for the Internet. It offers connection-less and connection-oriented services over an inherently unreliable network traversed by datagram transmission using Internet protocol. At its core, the protocol suite defines the addressing, identification, and routing specifications for Internet Protocol Version 4 and for IPv6, the next generation of the protocol with a much enlarged addressing capability.
Security
VPNs do not make connected users anonymous or unidentifiable to the untrusted medium network provider, such as an internet service provider. However, VPNs can enhance usage privacy by making an ISP unable to access the private data exchanged across the VPN. Through encryption, VPNs enhance confidentiality and reduce the risk of successful data sniffing attacks. Data packets travelling across a VPN may also be secured by tamper proofing via a message authentication code, prevents the message from being altered or tampered without being rejected, enhancing data integrity.A number of other implementations exist to ensure authentication of connecting parties. Tunnel endpoints can be authenticated in various ways during the VPN access initiation, such as by the whitelisting of endpoint IP address. Authentication may also occur after actual tunnels are already active, for example, with a web captive portal. Remote-access VPNs may also use passwords, biometrics, two-factor authentication, or other cryptographic methods. Site-to-site VPNs often use passwords or digital certificates.
Split tunneling
allows a user to access distinct security domains at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a LAN network interface controller, radio NIC, Wireless LAN NIC, and virtual private network client software application. Split tunneling is most commonly configured via the use of a remote-access VPN client, which allows the user to simultaneously connect to a nearby wireless network, resources on an off-site corporate network, as well as websites over the internet.Not every VPN allows split tunneling. Advantages of split tunneling include alleviating bottlenecks, conserving bandwidth, and enabling a user to not have to continually connect and disconnect when remotely accessing resources.. Disadvantages include DNS leaks and potentially bypassing gateway-level security that might be in place within the company infrastructure. Internet service providers often use split tunneling to that implement for DNS hijacking purposes.
Classification
Topology
A host-to-network configuration is analogous to joining one or more computers to a network to which they cannot be directly connected. This type of extension provides computer access to a local area network of a remote site, or any wider enterprise networks, such as an intranet. Each computer is in charge of activating its own tunnel towards the network it wants to join. The joined network is only aware of a single remote host for each tunnel. This may be employed for remote workers, or to enable people accessing their private home or company resources without exposing them on the public Internet.A site-to-site configuration connects two networks. This configuration expands a network across geographically disparate locations. Tunneling is only done between gateway devices located at each network location. These devices then make the tunnel available to other local network hosts that aim to reach any host on the other side. This is useful to keep sites connected to each other in a stable manner, like office networks to their headquarters or datacenter. In this case, any side may be configured to initiate the communication as long as it knows how to reach the other. In the context of site-to-site configurations, the terms intranet and extranet are used to describe two different use cases. An intranet site-to-site VPN describes a configuration where the sites connected by the VPN belong to the same organization, whereas an extranet site-to-site VPN joins sites belonging to multiple organizations.
A limitation of traditional VPNs is that they are point-to-point connections and do not tend to support broadcast domains. Therefore, communication, software, and networking that are based on layer 2 and broadcast packets may not be fully supported as on a local area network. Variants on VPN such as Virtual Private LAN Service and layer 2 tunneling protocols are designed to overcome this limitation.