With the growing volume of information on the Internet and the amount of data traversing insecure channels, information security and data privacy have become imperative. Secure communication is increasingly important whenever sensitive data traverses insecure shared channels.
IPsec VPN (Internet Protocol Security, Virtual Private Network) is a standard defined by the IETF (Internet Engineering Task Force) that provides data confidentiality, authentication, and integrity for IP traffic at the network layer of the OSI (Open System Interconnection) model. The IPsec framework is one of the essential frameworks used for secure communication.
This chapter provides a basic overview of various types of VPN technologies and deployments. The major component of the chapter focuses on the IPsec Secure VPN framework and its implementation.
As discussed in Chapter 14, "Cryptography," VPN carries private traffic over a public or shared infrastructure (such as the Internet).
VPN employs the cryptographic and noncryptographic approaches necessary to create a secure communication over insecure channels.
In recent years, the term VPN has taken on many meanings. Three types of distinctly different VPN technologies available today are the following:
Secure VPN (also known as Cryptographic VPN)
Trusted VPN (also known as non-Cryptographic VPN)
Hybrid VPN
With the rapid growth of global communication, the Internet and other commonly shared mediums are now the most common mode of communication. With this development, security has become a major concern for traffic traversing the shared medium. Cryptographic techniques have evolved into dedicated protocols and standards that protect the privacy of traffic. These protocols and standards are rapidly growing in popularity and are increasingly being used by customers and service providers. Traffic is secured using encryption technology in a secure tunnel between the communicating peers. These are called secure VPNs.
Secure VPNs are commonly used to replace or augment existing point-to-point networks that utilize dedicated leased circuits or WAN networks over Frame Relay and ATM circuits.
Secure VPN technologies include
IPsec
L2TP over IPsec
SSL encryption
This chapter primarily focuses on IPsec Secure VPN.
The major characteristic of Trusted VPN is that it enables the service provider to offer a dedicated leased circuit or channel to a customer. Hence, pseudo point-to-point communication occurs in this scenario, thereby allowing networks to peer directly by using a dedicated leased circuit. This technique provides a sense of security and data privacy. When traffic traverses these dedicated point-to-point circuits, you have what is called a Trusted VPN.
The security and integrity of Trusted VPN traffic rely on the fact that the circuit is not shared, thereby providing the assurance that the circuit is dedicated to a single site for point-to-point communication. Service providers today offer several types of Trusted VPN services.
Trusted VPN technologies, which can generally be categorized into Layer 2 and Layer 3 VPNs, include the following:
BGP VPN (Layer 3 VPN)
Multicast VPN (Layer 3 VPN)
Transport of Layer 2 frames over MPLS and any transport over MPLS (AToM) (Layer 2 VPN)
Virtual Private LAN Services (VPLS) (Layer 2 VPN)
Note
Trusted VPNs (Layer 2 and Layer 3 VPNs) will be discussed in Chapter 19, "Multiprotocol Label Switching VPN (MPLS VPN)."
Hybrid VPN is the combination of both the Trusted and the Secure VPNs. This is an emerging concept that is slowly gaining momentum. The concept is to run a secure VPN tunnel as part of a trusted VPN, that is, a tunnel within a tunnel.
Note
It is important to understand that Secure VPN and Trusted VPN technologies do not technically overlay each other and can coexist in the same environment in a single service.
VPN designs can be constructed in a variety of scenarios. The most common deployment scenarios are the following:
Internet VPN: Internet VPN is the most common application that protects private communications over the shared (insecure) public access Internet.
Intranet VPN: Intranet VPN protects private communication within an enterprise or organization that may or may not involve traffic traversing a WAN.
Extranet VPN: Extranet VPN protects private communications between two or more separate entities that may involve data traversing the Internet or some other WAN medium.