September 15, 2013

Virtual Private Networks (VPN)

Virtual Private Networks:

VPNs provide a more active form of security by either encrypting or encapsulating data for transmission through an unsecured network.
These two types of security, encryption and encapsulation, form the foundation of virtual private networking.
However, both encryption and encapsulation are generic terms, each describing a function that can be performed by any of a myriad of specific technologies.
To add to the confusion, these two sets of technologies can be combined in different implementation topologies. Thus, VPNs can vary widely from vendor to vendor.

Layer 2 Tunneling Protocol:

The Internet Engineering Task Force (IETF) was faced with competing proposals from Microsoft and Cisco Systems for a protocol specification that would secure the transmission of IP datagrams through uncontrolled and untrusted network domains.
Microsoft's proposal was an attempt to standardize the Point-to-Point Tunneling Protocol (PPTP), which it had championed.
Cisco, too, had a protocol designed to perform a similar function. The IETF combined the best elements of each proposal and specified the open standard L2TP.

The simplest description of L2TP's functionality is that it carries the Point-to-Point Protocol (PPP) through networks that aren't point-to-point.
PPP has become the most popular communications protocol for remote access using circuit-switched transmission facilities such as POTS lines or ISDN to create a temporary point-to-point connection between the calling device and its destination.
L2TP simulates a point-to-point connection by encapsulating PPP datagrams for transportation through routed networks or internetworks. Upon arrival at their intended destination, the encapsulation is removed, and the PPP datagrams are restored to their original format.
Thus, a point-to-point communications session can be supported through disparate networks. This technique is known as tunneling.

Operational Mechanics:
In a traditional remote access scenario, a remote user (or client) accesses a network by connecting directly to a network access server (NAS).
Generally, the NAS provides several distinct functions: It terminates the point-to-point communications session of the remote user, validates the identity of that user, and then serves that user with access to the network.
Although most remote access technologies bundle these functions into a single device, L2TP separates them into two physically separate devices: the L2TP Access Server (LAS) and the L2TP Network Server (LNS).

As its name implies, the L2TP Access Server supports authentication and ingress. Upon successful authentication, the remote user's session is forwarded to the LNS, which lets that user into the network. Separating these two functions enables greater flexibility of implementation than other remote access technologies offer.

Implementation Topologies:
L2TP can be implemented in two distinct topologies:
  • Client-aware tunneling
  • Client-transparent tunneling

The distinction between these two topologies is whether the client machine that is using L2TP to access a remote network is aware that its connection is being tunneled.

Client-Aware Tunneling:
The first implementation topology is known as client-aware tunneling. This name is derived from the remote client initiating (hence, being "aware" of) the tunnel. In this scenario, the client establishes a logical connection within a physical connection to the LAS. The client remains aware of the tunneled connection all the way through to the LNS, and it can even determine which of its traffic goes through the tunnel.

Client-Transparent Tunneling:
Client-transparent tunneling features L2TP access concentrators (LACs) distributed geographically close to the remote users. Such geographic dispersion is intended to reduce the long-distance telephone charges that would otherwise be incurred by remote users dialing into a centrally located LAC.

The remote users need not support L2TP directly; they merely establish a point-to-point communication session with the LAC using PPP.
In practice, the user is typically encapsulating IP datagrams in PPP frames.
The LAC exchanges PPP messages with the remote user and establishes an L2TP tunnel with the LNS through which the remote user's PPP messages are passed.

The LNS is the remote user's gateway to its home network. It is the terminus of the tunnel; it strips off all L2TP encapsulation and serves up network access for the remote user.
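The encapsulation described above (the LAC wrapping PPP frames in L2TP, the LNS stripping the header and restoring them) can be shown concretely with the L2TPv2 data-message header from RFC 2661. This is an added example, not code from the original post; the tunnel and session IDs and the PPP payload are constructed, and the last function makes the point from the introduction that encapsulation alone is not encryption: the PPP bytes travel in the clear unless a separate layer (such as IPsec) protects them.

```python
"""L2TPv2 (RFC 2661) data-message encapsulation of a PPP frame (added example).
Header layout per RFC 2661 section 3.1; IDs and the PPP payload are constructed."""
import struct

L2TP_VERSION = 2
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200  # header flag bits
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for an IPv4 datagram
# Constructed sample PPP frame: protocol field followed by placeholder datagram bytes.
SAMPLE_PPP = struct.pack("!H", PPP_PROTO_IPV4) + b"IP-DATAGRAM-PLACEHOLDER"

def encapsulate(ppp_frame, tunnel_id, session_id, ns=None, nr=None):
    """LAC side: wrap a PPP frame in an L2TP data message (T=0, L bit set)."""
    flags = L_BIT | L2TP_VERSION
    seq = b""
    if ns is not None:  # optional sequence numbers (S bit)
        flags |= S_BIT
        seq = struct.pack("!HH", ns, nr if nr is not None else 0)
    length = 8 + len(seq) + len(ppp_frame)  # Length counts the whole L2TP message
    return struct.pack("!HHHH", flags, length, tunnel_id, session_id) + seq + ppp_frame

def decapsulate(msg):
    """LNS side: strip the L2TP header and restore the original PPP frame."""
    flags = struct.unpack("!H", msg[:2])[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & T_BIT:
        raise ValueError("control message, not a data message")
    pos, length = 2, None
    if flags & L_BIT:
        length = struct.unpack("!H", msg[pos:pos + 2])[0]
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
    if flags & O_BIT:  # optional Offset Size field plus padding before the payload
        pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
    end = len(msg) if length is None else length
    if end > len(msg) or pos > end:
        raise ValueError("truncated or malformed message")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "ppp": msg[pos:end]}

def payload_is_cleartext(msg):
    """Encapsulation is not encryption: the PPP bytes appear verbatim on the wire."""
    return SAMPLE_PPP in msg
```

Feed the output of `encapsulate` to `decapsulate` to see the LNS recover exactly the PPP frame the LAC was given; a truncated message is rejected via the Length field.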
