Why do you need a VPN? Description of connection and correct configuration. Virtual private networks (vpn)


Today, the most common questions about VPNs are what a VPN is, what it offers, and how best to set one up. The fact is that not everyone understands the essence of the technology itself or when it may be needed.

Even from a financial standpoint, setting up VPNs can be a profitable business and a way to earn easy money.
This article explains to the user what a VPN is and how best to configure it on Windows 7 and Windows 10.

1. Basics

VPN (Virtual Private Network) is a private virtual network. Put more simply, it is a technology for creating a local network without the physical devices (routers and so on), using real resources on the Internet instead. A VPN is an additional network created on top of another network.

An informative picture from the Microsoft website helps to understand the expression "an additional network created on top of another".


The image shows a device in the form of a computer. The cloud is a shared or public network, most often the ordinary Internet. Each of the servers is connected to the others through the same VPN.

This is how the devices are physically connected to each other. Practice has shown, however, that a physical connection is not necessary.

A VPN is configured precisely to avoid the use of wires, cables and other intervening devices.

Local devices are connected to each other not through cables but through Wi-Fi, GPS, Bluetooth and other means.
Virtual networks most often run over a standard Internet connection. Of course, gaining access to the devices is not easy, because at every level there are identification checks aimed at keeping hackers and ill-wishers out of the VPN network.

2. A few words about the VPN structure

The VPN structure is divided into two parts: external and internal.
Each PC connects to both parts at the same time. This is done through the server.


The server, in our case, acts as the security guard at the entrance: it identifies and registers those entering the virtual network.

A computer or device connecting to a VPN must have all the data needed for authorization and for so-called authentication, that is, a special (usually one-time) password or another means of completing the procedure.

This process is not especially important to us here. Specialists keep creating ever more powerful and serious methods of authorization on servers.

To get into such a network, you must know the following at the entrance:
1. A name (the PC name, for example) or another login used to authenticate yourself on the network;
2. A password, if one is set, to complete authorization.
A computer that wants to connect to another VPN network also "carries" all of its authorization data. The server enters this data into its database. Once your PC is registered in the database, you will no longer need to supply the data mentioned above.

3. VPNs and their classification

VPN network classifications are shown below.

Let's try to work through them in more detail.
- DEGREE OF PROTECTION. Networks classified by this criterion:
1. Fully protected – networks that are protected from the outset;
2. Protected by "trust" – less secure networks, used in cases where the original or "parent" network is reliable.
- IMPLEMENTATION. Methods of implementation. Networks classified by this criterion:
1. Combined and software methods;
2. Hardware method – using real devices.
- PURPOSE. VPNs classified by this criterion:
1. Intranet – used most often in companies where several branches need to be united;
2. Extranet – used specifically for organizing networks with various participants, including company clients;
3. Remote Access – the organization of VPN networks for so-called remote branches.
- BY PROTOCOL. VPN networks can be implemented using the AppleTalk and IPX protocols, but in reality I use TCP/IP most often and most efficiently. The reason is the popularity of this protocol in major networks.
- WORK LEVEL. The OSI model is the reference here, but a VPN can only operate at the data link, network and transport layers.
Of course, in practice one network can combine several of these features at the same time. Let's move on to setting up a VPN network directly on your PC or laptop.

4. How to set up a VPN network (virtual network)

The first method is designed specifically for Windows 7.
On Windows 7, setup consists of fairly simple steps; follow these instructions:
1. Go to "Network and Sharing Center": click the connection icon on the taskbar and select the item we need in the window.

2. The window does not always look like the one in the figure above; it can also look like this:

3. In the new window, find the section "Set up a new connection or network". This section is highlighted in the figure.


4. In the next step, choose "Connect to a workplace" and click "Next".


5. If a VPN connection already exists on the PC, a special window appears, as in the figure below. Select "No, create a new connection" and click "Next" again.


6. In the new window, choose "Use my Internet connection (VPN)".


7. Now enter the address and the name of the VPN network. You can get all the details from the network administrator; they will also be requested in a special window.

If you are connecting to an already functioning network, it is best to ask that network's administrator for the details. This usually does not take much time. Enter the data in the fields provided.
8. In the same window, tick "Don't connect now..." and then click "Next".


9. Enter your network credentials (login and password). In the following figure these fields are highlighted.

If this is your first connection to the network, new credentials will have to be created; after the server has checked them, you will be admitted to the network and can use it.

If this is not your first connection, the server will not re-check your credentials and will connect you directly to the desired network.

10. After entering the required data, click "Connect".


11. The next window will offer to connect to the network now. It is better to close it.


Setup is now complete and all that remains is to connect to the network. To do this, go back to the first step, "Network and Sharing Center".
12. In the new window, select "Connect to a network".


13. Here, select our connection and connect to it.

Setting up a VPN on Windows 7 is complete.

Let's move on to setting up a VPN on Windows 10; the algorithm and the actions are almost the same. The only difference is in some interface elements and how to reach them.

So, for example, to get to the "Network and Sharing Center" you do everything the same as on Windows 7; in addition, there is a special item "Set up a new connection or network".
From there, setup proceeds in the same way as on Windows 7; only the interface will look slightly different.


Some inconvenience for Windows 10 users may come from looking for the classic network view. Go to "Network and Internet" and then select "View network status and tasks" to continue setting up the VPN network.

In fact, there is nothing complicated about setting it up. By the way, such a VPN connection can also be set up on Android devices; a section below is devoted to this.

5. Setting up a VPN on Android

To perform this operation, you will need to download and install a tool called SuperVPN Free VPN Client from the official Android store.

The program window will prompt you to create a VPN network on Android.


In general, everything is clear here: click "Connect", after which the search for available networks and the connection to them will begin. Setting up a VPN on Android needs no other programs.

VPN (Virtual Private Network) – virtual private network. VPN is one of those technologies whose origin nobody quite knows. But once such a technology takes root in a company's infrastructure, everyone wonders how they ever managed without it. Virtual private networks allow you to use the Internet as your own private network. Thus the spread of VPNs is tied to the development of the Internet. The technology itself uses the TCP/IP protocol stack as the basis for its operation.

In order to understand what a VPN is, you need to understand two concepts: encryption and virtuality.

Encryption is the reversible transformation of a message to hide it from unauthorized persons.

Virtuality is an object or state that does not really exist, but can arise under certain conditions.

Encryption converts a message from one form, such as "Hello!", into another form, "*&878hJf7*&8723". There is also an inverse transformation, called decryption, which converts the message "*&878hJf7*&8723" back into "Hello!". The security approach in VPNs assumes that no one other than the intended recipient will be able to perform decryption.

The concept of "virtuality" refers to an "as if" situation: for example, accessing a remote computer from a tablet. In this case the tablet simulates the operation of the remote computer.

The term VPN has a precise definition:

A VPN is an encrypted or encapsulated communication process that securely transfers data from one point to another; the security of this data is ensured by strong encryption technology, and the transmitted data passes through an open, unsecured, routed network.

Since the VPN is encrypted, when communicating between nodes, data is transmitted securely and its integrity is guaranteed. Data flows through an open, unsecured, routed network, so when transmitted over a shared link, it can take many paths to its final destination. Thus, VPN can be thought of as the process of sending encrypted data from one point to another over the Internet.

Encapsulation is the process of placing a data packet inside an IP packet. Encapsulation adds an additional layer of protection, and it allows VPN tunnels to be created and data to be transferred over a network running other protocols. The most common way to create VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in a tunneling protocol. The latter is most often IP, although in rare cases ATM and Frame Relay can also be used. This approach is called Layer 2 tunneling, since the passenger here is a Layer 2 protocol (PPP).

An alternative approach, encapsulating network protocol packets directly in a tunneling protocol (such as VTP), is called Layer 3 tunneling.

VPNs are divided into three types based on their purpose:

  1. Intranet – used to unite several distributed branches of one organization into a single secure network, exchanging data over open communication channels.
  2. Extranet – used for networks to which external users (for example, customers or clients) connect. Because the level of trust in such users is lower than in company employees, special protection is required to prevent external users from accessing particularly valuable information.
  3. Remote access – created between central corporate offices and remote mobile users. With encryption software loaded onto a remote laptop, the remote user establishes an encrypted tunnel to a VPN device at the central corporate offices.

There are many options for implementing a VPN. When choosing how to implement a VPN, you need to consider the performance factors of VPN systems. For example, if a router is running at the limit of its processor power, then adding additional VPN tunnels and applying encryption/decryption could bring the entire network to a halt as the router cannot handle normal traffic.

VPN implementation options:

  1. VPN based on firewalls. A firewall is a software or hardware-software element of a computer network that controls and filters the network traffic passing through it according to specified rules. Today, most firewall vendors support tunneling and data encryption. All such products are based on the fact that traffic passing through the firewall is encrypted.
  2. Router-based VPN. Since all information emanating from the local network first arrives at the router, it is advisable to assign encryption functions to it. Cisco routers, for example, support L2TP and IPSec encryption protocols. In addition to simple encryption, they also support other VPN features such as authentication at connection establishment and key exchange.
  3. VPN based on a network operating system. In Linux, technologies such as OpenVPN, OpenConnect or NetworkManager are usually used to connect a VPN. Creating a VPN in Windows uses the PPTP protocol, which is integrated into the Windows system.

___________________________

Recently, the telecommunications world has shown increased interest in virtual private networks (VPN). This is due to the need to reduce the cost of maintaining corporate networks by connecting remote offices and remote users more cheaply via the Internet. Indeed, when comparing the cost of connecting several networks via the Internet with, for example, Frame Relay networks, a significant difference in cost is noticeable. It should be noted, however, that when networks are connected via the Internet, the question of data transmission security arises immediately, so it became necessary to create mechanisms that ensure the confidentiality and integrity of the transmitted information. Networks built on the basis of such mechanisms are called VPNs.

In addition, a modern person developing a business very often has to travel a lot, whether to remote corners of our country or abroad. People often need access to information stored on their home or company computer. This problem can be solved by organizing remote access over a modem and a telephone line. Using a telephone line has its own peculiarities; the disadvantage of this solution is that calling from another country costs a lot of money. There is another solution, called VPN. The advantage of VPN technology is that remote access is organized not through a telephone line but through the Internet, which is much cheaper and better. In my opinion, VPN technology has the potential to become widespread around the world.

1. Concept and classification of VPN networks, their construction

1.1 What is a VPN

VPN (English: Virtual Private Network) is a logical network created on top of another network, for example the Internet. Although communication takes place over public networks using insecure protocols, encryption creates channels of information exchange that are closed to outsiders. A VPN makes it possible, for example, to combine several offices of an organization into a single network using uncontrolled channels for communication between them.


At its core, a VPN has many of the properties of a leased line, but it is deployed within a public network such as the Internet. With the tunneling technique, data packets are sent across the public network as if over an ordinary point-to-point connection. A kind of tunnel is established between each sender-receiver pair: a secure logical connection that allows data of one protocol to be encapsulated in packets of another. The main components of the tunnel are:

  • initiator;
  • routed network;
  • tunnel switch;
  • one or more tunnel terminators.

The principle of VPN operation itself does not contradict basic network technologies and protocols. For example, when establishing a remote access connection, the client sends a stream of standard PPP protocol packets to the server. In the case of organizing virtual leased lines between local networks, their routers also exchange PPP packets. However, a fundamentally new aspect is the forwarding of packets through a secure tunnel organized within a public network.

Tunneling allows you to organize the transmission of packets of the same protocol in a logical environment using a different protocol. As a result, it becomes possible to solve the problems of interaction between several different types of networks, starting with the need to ensure the integrity and confidentiality of transmitted data and ending with overcoming inconsistencies in external protocols or addressing schemes.

A corporation's existing network infrastructure can be prepared for VPN use using either software or hardware. Setting up a virtual private network can be compared to laying a cable across a global network. Typically, a direct connection between a remote user and a tunnel end device is established using the PPP protocol.

The most common method for creating VPN tunnels is to encapsulate network protocols (IP, IPX, AppleTalk, etc.) in PPP and then encapsulate the resulting packets in a tunneling protocol. Usually the latter is IP or (much less often) ATM or Frame Relay. This approach is called Layer 2 tunneling, since the "passenger" here is a Layer 2 protocol.

An alternative approach, encapsulating network protocol packets directly in a tunneling protocol (such as VTP), is called Layer 3 tunneling.

No matter what protocols are used or what purposes are pursued when organizing a tunnel, the basic technique remains practically unchanged. Typically, one protocol is used to establish a connection with the remote node, and another is used to encapsulate data and service information for transmission through the tunnel.

1.2 Classification of VPN networks

VPN solutions can be classified according to several main parameters:

1. By type of environment used:

  • Secure VPN networks. The most common kind of virtual private network. It makes it possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.
  • Trusted VPN networks. They are used when the transmission medium can be considered reliable and the only task is to create a virtual subnet within a larger network. Security issues become irrelevant. Examples of such VPN solutions are MPLS and L2TP. It would be more correct to say that these protocols shift the task of ensuring security to others; L2TP, for example, is as a rule used in conjunction with IPSec.

2. According to the method of implementation:

  • VPN networks in the form of special software and hardware. The implementation of a VPN network is carried out using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.
  • VPN networks as a software solution. They use a personal computer with special software that provides VPN functionality.
  • VPN networks with an integrated solution. VPN functionality is provided by a complex that also solves the problems of filtering network traffic, organizing a firewall and ensuring quality of service.

3. By purpose:

  • Intranet VPN. They are used to unite several distributed branches of one organization into a single secure network, exchanging data via open communication channels.
  • Remote Access VPN. They are used to create a secure channel between a corporate network segment (central office or branch) and a single user who, working at home, connects to corporate resources from a home computer or, while on a business trip, connects to corporate resources using a laptop.
  • Extranet VPN. Used for networks to which “external” users (for example, customers or clients) connect. The level of trust in them is much lower than in company employees, so it is necessary to provide special “lines” of protection that prevent or limit the latter’s access to particularly valuable, confidential information.

4. By protocol type:

  • There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. But today there is a tendency towards a general transition to the TCP/IP protocol, and the vast majority of VPN solutions support it.

5. By network protocol level:

  • By network protocol layer based on comparison with the layers of the ISO/OSI reference network model.

1.3. Building a VPN

There are various options for building a VPN. When choosing a solution, you need to consider the performance of the VPN building blocks. For example, if a router is already operating at its maximum capacity, adding VPN tunnels and encrypting/decrypting information can stop the entire network, because the router will not be able to cope with ordinary traffic, let alone a VPN. Experience shows that it is best to use specialized equipment to build a VPN, but if funds are limited, a purely software solution can be considered. Let's look at some options for building a VPN.

  • VPN based on firewalls. Most firewall vendors support tunneling and data encryption. All such products are based on the fact that traffic passing through the firewall is encrypted. An encryption module is added to the firewall software itself. The disadvantage of this method is that performance depends on the hardware on which the firewall runs. When using PC-based firewalls, you must remember that such a solution can only be used for small networks with a small amount of information transferred.
  • Router-based VPN. Another way to build a VPN is to use routers to create secure channels. Since all information leaving the local network passes through the router, it is advisable to assign the encryption tasks to it. An example of equipment for building a VPN on routers is equipment from Cisco Systems. Beginning with IOS software version 11.3, Cisco routers support the L2TP and IPSec protocols. In addition to simple traffic encryption, Cisco supports other VPN features such as authentication during tunnel establishment and key exchange. To improve router performance, an optional ESA encryption module can be used. In addition, Cisco Systems has released a specialized VPN device, the Cisco 1720 VPN Access Router, intended for installation in small and medium-sized companies as well as in branches of large organizations.
  • Software-based VPN. The next approach to building a VPN is purely software solutions. When implementing such a solution, specialized software is used that runs on a dedicated computer, and in most cases acts as a proxy server. The computer running this software may be located behind a firewall.
  • VPN based on network OS. We will look at solutions based on a network OS using Microsoft's Windows OS as an example. To create a VPN, Microsoft uses the PPTP protocol, which is integrated into the Windows system. This solution is very attractive for organizations using Windows as a corporate operating system, and its cost is significantly lower than that of other solutions. A Windows-based VPN uses the user database stored on the Primary Domain Controller (PDC). When connecting to a PPTP server, the user is authenticated using the PAP, CHAP or MS-CHAP protocols. Transmitted packets are encapsulated in GRE/PPTP packets. Packets are encrypted with a non-standard Microsoft protocol, Microsoft Point-to-Point Encryption (MPPE), using a 40- or 128-bit key obtained when the connection is established. The disadvantages of this system are the lack of data integrity checking and the inability to change keys during the connection. The positive aspects are ease of integration with Windows and low cost.
  • Hardware-based VPN. Building a VPN on special devices is an option for networks that require high performance. An example of such a solution is the IPro-VPN product from Radguard. This product uses hardware encryption of the transmitted information and can carry a stream of 100 Mbit/s. IPro-VPN supports the IPSec protocol and the ISAKMP/Oakley key management mechanism. Among other things, the device supports network address translation and can be supplemented with a special card that adds firewall functions.

2. VPN protocols

VPN networks are built using protocols for tunneling data through the public Internet; the tunneling protocols provide data encryption and ensure end-to-end transmission between users. As a rule, protocols at the following layers are used today to build VPN networks:

  • Data Link Layer
  • Network layer
  • Transport layer.

2.1 Link layer

At the data link layer, L2TP and PPTP data tunneling protocols can be used, which use authorization and authentication.

PPTP.

Currently, the most common VPN protocol is the Point-to-Point Tunneling Protocol (PPTP). It was developed by 3Com and Microsoft to provide secure remote access to corporate networks via the Internet. PPTP uses existing open TCP/IP standards and relies heavily on the legacy PPP point-to-point protocol. In practice, PPP remains the communication protocol of the PPTP connection session. PPTP creates a tunnel through the network to the recipient's NT server and transmits the remote user's PPP packets through it. The server and workstation use a virtual private network and need not care how secure or accessible the WAN between them is. Server-initiated session termination, unlike with specialized remote access servers, allows local network administrators to keep remote users within the security limits of Windows Server.

Although the PPTP protocol only applies to devices running Windows, it provides companies with the ability to interact with existing network infrastructures without compromising their own security systems. Thus, a remote user can connect to the Internet through a local ISP via an analogue telephone line or an ISDN link and establish a connection to the NT server. At the same time, the company does not have to spend large sums on organizing and maintaining a pool of modems that provides remote access services.

The following describes how PPTP operates. PPTP encapsulates IP packets for transmission over an IP network. PPTP clients use the destination port to create a tunnel control connection. This process occurs at the transport layer of the OSI model. After the tunnel is created, the client computer and the server begin exchanging service packets. In addition to the PPTP control connection that keeps the link operational, a connection is created to forward the data through the tunnel. Encapsulating data before sending it through a tunnel differs somewhat from normal transmission. It involves two steps:

  1. First, the PPP information part is created. Data flows from top to bottom, from the OSI application layer to the data link layer.
  2. The received data is then sent up the OSI model and encapsulated by upper layer protocols.

Thus, during the second pass, the data reaches the transport layer. However, the information cannot yet be sent to its destination, since the OSI data link layer is responsible for that. Therefore, PPTP encrypts the payload field of the packet and takes over the Layer 2 functions normally associated with PPP, i.e. it adds a PPP header and trailer to the PPTP packet. This completes the creation of the link layer frame.

Next, PPTP encapsulates the PPP frame in a Generic Routing Encapsulation (GRE) packet, which belongs to the network layer. GRE encapsulates network layer protocols such as IPX, AppleTalk, DECnet to allow them to be transported over IP networks. However, GRE does not have the ability to establish sessions and protect data from intruders. This uses PPTP's ability to create a tunnel control connection. Using GRE as an encapsulation method limits the scope of PPTP to IP networks only.

After the PPP frame has been encapsulated in a frame with a GRE header, it is encapsulated in a frame with an IP header. The IP header contains the source and destination addresses of the packet. Finally, PPTP adds a PPP header and trailer.

The sending system sends data through the tunnel. The receiving system removes all overhead headers, leaving only the PPP data.
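To make the layering described above concrete (and the same PPP-in-GRE-in-IP stacking described in the encapsulation section earlier on this page), here is a Python example. It is added here and is not code from the original article: it builds a PPTP data packet as IPv4 + enhanced GRE (RFC 2637: protocol type 0x880B, version 1, key and sequence fields present) + PPP, then strips the headers back off while rejecting anything that is not a well-formed PPTP tunnel packet. The addresses, call ID and inner payload are constructed sample values; the HDLC trailer is omitted, and the PPP payload is carried in the clear (a real session would carry MPPE-encrypted data under PPP protocol 0x00FD).

```python
import socket
import struct

# Field values from the standards the page describes (RFC 1661 PPP, RFC 2637 enhanced GRE).
IP_PROTO_GRE = 47         # IP protocol number of GRE
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP, as used by PPTP
GRE_VERSION_PPTP = 1      # "enhanced GRE" version used by PPTP
GRE_FLAG_K = 0x2000       # key field (payload length + call ID) present
GRE_FLAG_S = 0x1000       # sequence number present
GRE_FLAG_A = 0x0080       # acknowledgment number present
PPP_PROTO_IPV4 = 0x0021   # PPP protocol ID for an IPv4 datagram
PPP_PROTO_MPPE = 0x00FD   # PPP protocol ID for an MPPE/MPPC compressed (encrypted) datagram


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when the header is intact)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ppp_frame(payload: bytes, proto: int = PPP_PROTO_IPV4) -> bytes:
    """PPP header (address 0xFF, control 0x03, 2-byte protocol) + payload; HDLC trailer omitted."""
    return struct.pack("!BBH", 0xFF, 0x03, proto) + payload


def gre_pptp_header(payload_len: int, call_id: int, seq: int) -> bytes:
    """12-byte enhanced GRE header: flags/version, protocol type, key (length + call ID), sequence."""
    flags_ver = GRE_FLAG_K | GRE_FLAG_S | GRE_VERSION_PPTP   # == 0x3001
    return struct.pack("!HHHHI", flags_ver, GRE_PROTO_PPP, payload_len, call_id, seq)


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IP_PROTO_GRE) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(src: str, dst: str, call_id: int, seq: int, inner: bytes,
                ppp_proto: int = PPP_PROTO_IPV4) -> bytes:
    """IP(GRE(PPP(inner))): the tunnel packet the sending PPTP peer puts on the wire."""
    ppp = ppp_frame(inner, ppp_proto)
    gre = gre_pptp_header(len(ppp), call_id, seq)
    return ipv4_header(src, dst, len(gre) + len(ppp)) + gre + ppp


def decapsulate(packet: bytes) -> dict:
    """Receiver side: remove the headers layer by layer, rejecting anything that is not PPTP."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IP_PROTO_GRE:
        raise ValueError("outer IP protocol is not GRE (47)")
    gre = packet[ihl:total_len]
    if len(gre) < 8:
        raise ValueError("GRE header truncated")
    flags_ver, gre_proto, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if (flags_ver & 0x0007) != GRE_VERSION_PPTP or gre_proto != GRE_PROTO_PPP or (flags_ver & GRE_FLAG_K) == 0:
        raise ValueError("not PPTP enhanced GRE (version 1, key present, protocol 0x880B)")
    offset, seq, ack = 8, None, None
    if flags_ver & GRE_FLAG_S:             # optional fields are present only when their flag is set
        seq = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags_ver & GRE_FLAG_A:
        ack = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    ppp = gre[offset:offset + payload_len]
    if len(ppp) != payload_len or payload_len < 4:
        raise ValueError("PPP payload length does not match the GRE key field")
    addr, ctrl, ppp_proto = struct.unpack("!BBH", ppp[:4])
    if (addr, ctrl) != (0xFF, 0x03):
        raise ValueError("PPP address/control bytes are not 0xFF 0x03")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "call_id": call_id, "seq": seq, "ack": ack, "ppp_proto": ppp_proto,
            "payload": ppp[4:], "encrypted": ppp_proto == PPP_PROTO_MPPE}


def is_pptp_tunnel_packet(packet: bytes) -> bool:
    """Inspection helper: True only if every layer of the packet checks out."""
    try:
        decapsulate(packet)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    # Constructed sample: documentation addresses (RFC 5737), call ID 7, first data packet.
    pkt = encapsulate("192.0.2.10", "198.51.100.1", 7, 1, b"constructed inner IPv4 datagram")
    print(pkt.hex())
    print(decapsulate(pkt))
```

The `decapsulate` checks are the same kind of inspection a firewall or IDS performs on IP protocol 47 traffic: if the outer header checksum, the GRE version, the key flag or the protocol type do not match, the packet is not PPTP and is dropped before any PPP processing, which is why a filter that only allows "GRE" is not the same as one that validates the PPTP framing.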

L2TP

In the near future, an increase in the number of virtual private networks is expected, deployed on the basis of the new Layer 2 tunneling protocol, Layer 2 Tunneling Protocol (L2TP).

L2TP emerged from combining the PPTP and L2F (Layer 2 Forwarding) protocols. PPTP allows PPP packets to be transmitted through the tunnel, and L2F allows SLIP and PPP packets. To avoid confusion and interoperability problems in the telecommunications market, the Internet Engineering Task Force (IETF) recommended that Cisco Systems combine PPTP and L2F. By all accounts, L2TP combines the best features of PPTP and L2F. The main advantage of L2TP is that it allows a tunnel to be created not only in IP networks but also in networks such as ATM, X.25 and Frame Relay. Unfortunately, the Windows 2000 implementation of L2TP supports only IP.

L2TP uses UDP as a transport and uses the same message format for both tunnel control and data forwarding. L2TP as implemented by Microsoft uses UDP packets containing encrypted PPP packets as control messages. Delivery reliability is guaranteed by packet sequence control.

The functionality of PPTP and L2TP is different. L2TP can be used not only in IP networks; service messages for creating a tunnel and sending data through it use the same format and protocols. PPTP can only be used on IP networks and requires a separate TCP connection to create and use the tunnel. L2TP over IPSec offers more layers of security than PPTP and can guarantee nearly 100 percent security for your organization's critical data. The features of L2TP make it a very promising protocol for building virtual networks.

The L2TP and PPTP protocols differ from Layer 3 tunneling protocols in a number of features:

  1. Corporations can choose independently how users are authenticated and their credentials verified: on their own "territory" or at the Internet service provider. By processing tunneled PPP packets, corporate network servers receive all the information needed to identify users.
  2. Tunnel switching is supported: terminating one tunnel and initiating another to one of many potential terminators. Tunnel switching allows the PPP connection to be extended to the required endpoint.
  3. Corporate network administrators can implement user access control strategies directly on the firewall and internal servers. Because tunnel terminators receive PPP packets containing user information, they can apply administrator-defined security policies to individual users' traffic. (Layer 3 tunneling does not allow packets coming from the provider to be distinguished, so security policy filters must be applied on end workstations and network devices.) In addition, with a tunnel switch it becomes possible to "continue" the Layer 2 tunnel for direct transmission of individual users' traffic to the corresponding internal servers. Such servers may be tasked with additional packet filtering.

MPLS

Also at the data link layer, MPLS technology (Multiprotocol Label Switching, a data transfer mechanism that emulates various properties of circuit-switched networks over packet-switched networks) can be used to organize tunnels. MPLS operates at a layer that could be placed between the data link layer and the network layer (Layer 3) of the OSI model, and is therefore commonly referred to as a data link layer protocol. It was designed to provide a universal data service for both circuit-switched and packet-switched network clients. MPLS can carry a wide variety of traffic, such as IP packets, ATM, SONET and Ethernet frames.

Solutions for organizing VPN at the link level have a fairly limited scope, usually within the provider’s domain.

2.2 Network layer

Network layer (IP layer). The IPSec protocol is used here; it implements data encryption and confidentiality as well as subscriber authentication. Using IPSec allows full-featured access equivalent to a physical connection to the corporate network. To establish a VPN, each participant must configure certain IPSec parameters, i.e. each client must have software that implements IPSec.

IPSec

Naturally, no company would want to transfer financial or other confidential information openly over the Internet. VPN channels are protected by strong encryption algorithms based on the IPSec security protocol standards. IPSec, or Internet Protocol Security, is a standard chosen by the international community, the IETF (Internet Engineering Task Force), that creates the security framework for the Internet Protocol (IP). IPSec provides security at the network level and requires support for the IPSec standard only from the devices communicating with each other on both sides of the connection. All other devices located between them simply forward the IP packets.

The interaction between parties using IPSec is usually described by the term Security Association (SA). A security association is based on an agreement between the parties who use IPSec to protect the information they send to each other. This agreement regulates several parameters: the sender's and recipient's IP addresses, the cryptographic algorithm, the key exchange procedure, key sizes, key lifetime, and the authentication algorithm.

IPSec is a consistent set of open standards with a core that can be easily extended with new features and protocols. The core of IPSec consists of three protocols:

· AH or Authentication Header - guarantees the integrity and authenticity of the data. The main purpose of the AH protocol is to allow the receiving side to ensure that:

  • the packet was sent by a party with which a secure association has been established;
  • the contents of the packet were not distorted during its transmission over the network;
  • the packet is not a duplicate of an already received packet.

The first two functions are mandatory for the AH protocol; the last one is optional and is selected when establishing an association. To perform these functions, the AH protocol uses a special header with the following fields:

  1. The Next Header field indicates the code of the higher-level protocol, that is, the protocol whose message is located in the data field of the IP packet.
  2. The Payload Length field contains the length of the AH header.
  3. The Security Parameters Index (SPI) is used to associate a packet with its intended security association.
  4. The Sequence Number (SN) field indicates the sequence number of the packet and is used to protect against spoofing (when a third party attempts to reuse intercepted secure packets sent by the actual authenticated sender).
  5. The Authentication Data field, which contains the so-called Integrity Check Value (ICV), is used to authenticate the packet and check its integrity. This value, also called a digest, is calculated using one of the two computationally irreversible functions, MD5 or SHA-1, that are required by the AH protocol, but any other function can be used.

· ESP or Encapsulating Security Payload - encrypts the transmitted data, ensuring confidentiality, and can also support authentication and data integrity.

The ESP protocol solves two groups of problems:

  1. The first includes tasks similar to those of the AH protocol: ensuring authentication and data integrity based on the digest.
  2. The second is protecting the transmitted data from unauthorized viewing by encrypting it.

The ESP header is divided into two parts, separated by the data field.

  1. The first part, called the ESP header itself, is formed by two fields (SPI and SN), the purpose of which is similar to the fields of the same name in the AH protocol, and is placed before the data field.
  2. The remaining ESP protocol service fields, called the ESP trailer, are located at the end of the packet.

Two of the trailer fields, Next Header and Authentication Data, are similar to the fields of the AH header. The Authentication Data field is absent if, when establishing the secure association, it is decided not to use the integrity capabilities of the ESP protocol. In addition to these fields, the trailer contains two more fields: Padding and Pad Length.
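The AH and ESP layouts described above, as an added example that is not part of the original article: the code parses the fixed AH fields, builds ESP packets with NULL encryption (so the trailer stays visible) protected by HMAC-SHA1-96, and on the receiving side checks the ICV and the sequence number against a replay window. The SA key, SPI values and packets are constructed for the example, not negotiated values.

```python
import hashlib
import hmac
import struct

# Constructed SA parameters for this example, not real negotiated values.
SA_KEY = b"\x0b" * 20   # HMAC-SHA1 key the two sides agreed on for this SA
ICV_LEN = 12            # HMAC-SHA1-96: the digest is truncated to 96 bits


def parse_ah(data: bytes) -> dict:
    """Split an Authentication Header (RFC 4302) into its fields.

    Payload Len counts the whole AH in 32-bit words minus 2, so the
    header is (payload_len + 2) * 4 bytes long and the ICV occupies
    everything after the 12 fixed bytes up to that length.
    """
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    return {
        "next_header": next_hdr,
        "spi": spi,
        "seq": seq,
        "icv": data[12:ah_len],
        "payload": data[ah_len:],   # the upper-layer packet the AH protects
    }


def build_esp_null(spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """Build an ESP packet with NULL encryption (RFC 2410) and HMAC-SHA1-96.

    Layout: SPI, SN, payload, padding, pad length, next header, ICV.
    Padding aligns (payload + 2 trailer bytes) to 4 bytes; the ICV is
    computed over everything that precedes it.
    """
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default pad bytes 1, 2, 3...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_hdr])
    icv = hmac.new(SA_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound side of one ESP SA: integrity check plus anti-replay window."""

    def __init__(self, spi: int, window: int = 64):
        self.spi = spi
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def receive(self, pkt: bytes):
        """Return ((next_header, payload), "ok") or (None, reason)."""
        if len(pkt) < 8 + 2 + ICV_LEN:
            return None, "too short"
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        # Replay checks come first so duplicates are dropped before the HMAC.
        if seq <= self.highest - self.window:
            return None, "outside window"
        if seq in self.seen:
            return None, "replay"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(SA_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"
        # Only an authenticated packet may advance the window.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        pad_len, next_hdr = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        return (next_hdr, payload), "ok"


if __name__ == "__main__":
    rx = EspReceiver(spi=0x1000)
    p1 = build_esp_null(0x1000, 1, 6, b"hello")   # next header 6 = TCP
    p2 = build_esp_null(0x1000, 2, 6, b"world")
    print(rx.receive(p1))                          # ((6, b'hello'), 'ok')
    print(rx.receive(p1))                          # (None, 'replay')
    print(rx.receive(p2[:8] + b"jello" + p2[13:]))  # (None, 'bad ICV')
```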

The AH and ESP protocols can protect data in two modes:

  1. transport mode: transmission is carried out with the original IP headers;
  2. tunnel mode: the original packet is placed in a new IP packet and transmission is carried out with new headers.

The use of one mode or another depends on the requirements for data protection, as well as on the role played in the network by the node that terminates the secure channel. Thus, a node can be a host (end node) or a gateway (intermediate node).

Accordingly, there are three schemes for using the IPSec protocol:

  1. host-host;
  2. gateway-gateway;
  3. host-gateway.

The capabilities of the AH and ESP protocols partially overlap: AH is responsible only for ensuring the integrity and authentication of data, while ESP can encrypt data and, in addition, perform the functions of AH (in a stripped-down form). ESP can support encryption and authentication/integrity in any combination: the entire group of functions, authentication/integrity only, or encryption only.

· IKE or Internet Key Exchange - Internet key exchange - solves the auxiliary task of automatically providing endpoints of a secure channel with the secret keys necessary for the operation of authentication and data encryption protocols.

2.3 Transport layer

The transport layer uses the SSL/TLS or Secure Socket Layer/Transport Layer Security protocol, which implements encryption and authentication between the transport layers of the receiver and transmitter. SSL/TLS can be used to secure TCP traffic, but cannot be used to secure UDP traffic. To operate a VPN based on SSL/TLS, there is no need to implement special software since every browser and email client is equipped with these protocols. Due to the fact that SSL/TLS is implemented at the transport layer, a secure connection is established “end-to-end”.

The TLS protocol is based on the Netscape SSL protocol version 3.0 and consists of two parts - the TLS Record Protocol and the TLS Handshake Protocol. The differences between SSL 3.0 and TLS 1.0 are minor.

SSL/TLS includes three main phases:

  1. Dialogue between the parties, the purpose of which is to select an encryption algorithm;
  2. Key exchange based on public key cryptosystems or certificate-based authentication;
  3. Transfer of data encrypted using symmetric encryption algorithms.

2.4 VPN Implementation: IPSec or SSL/TLS?

IT department managers are often faced with the question: which protocol to choose for building a corporate VPN network? The answer is not obvious, since each approach has both pros and cons. We will try to compare them and identify when IPSec should be used and when SSL/TLS. As can be seen from the analysis of the characteristics of these protocols, they are not interchangeable and can function both separately and in parallel, defining the functional features of each of the implemented VPNs.

The choice of protocol for building a corporate VPN network can be made according to the following criteria:

· Type of access required for VPN users.

  1. Fully functional, always-on connection to the corporate network. The recommended choice is the IPSec protocol.
  2. A temporary connection, for example, by a mobile user or a user using a public computer, in order to gain access to certain services, such as email or a database. The recommended choice is the SSL/TLS protocol, which allows you to organize a VPN for each individual service.

· Whether the user is an employee of the company.

  1. If the user is an employee of a company, the device he uses to access the corporate network via IPSec VPN can be configured in some specific way.
  2. If the user is not an employee of the company to which the corporate network is being accessed, it is recommended to use SSL/TLS. This will limit guest access to certain services only.

· What is the security level of the corporate network.

  1. High. The recommended choice is the IPSec protocol. Indeed, the level of security offered by IPSec is much higher than that offered by the SSL/TLS protocol due to the use of configurable software on the user side and a security gateway on the corporate network side.
  2. Average. The recommended choice is the SSL/TLS protocol, which allows access from any terminal.

· Security level of data transmitted by the user.

  1. High, for example, company management. The recommended choice is the IPSec protocol.
  2. Average, for example, a partner. The recommended choice is the SSL/TLS protocol.
  3. Depending on the service, from medium to high. The recommended choice is a combination of the IPSec protocol (for services requiring a high level of security) and SSL/TLS (for services requiring a medium level of security).

· What is more important, fast VPN deployment or future scalability of the solution.

  1. Quickly deploy a VPN network at minimal cost. The recommended choice is the SSL/TLS protocol. In this case, there is no need to implement special software on the user side as in the case of IPSec.
  2. VPN network scalability - adding access to various services. The recommended choice is the IPSec protocol, which allows access to all services and resources of the corporate network.
  3. Fast deployment and scalability. The recommended choice is a combination of IPSec and SSL/TLS: using SSL/TLS in the first stage to access the necessary services, followed by the implementation of IPSec.

3. Methods for implementing VPN networks

A virtual private network is based on three implementation methods:

· Tunneling;

· Encryption;

· Authentication.

3.1 Tunneling

Tunneling ensures the transfer of data between two points - the ends of the tunnel - in such a way that the entire network infrastructure lying between them is hidden from the source and receiver of the data.

The transport medium of the tunnel, like a ferry, picks up packets of the network protocol used at the entrance to the tunnel and delivers them unchanged to the exit. Building a tunnel is enough to connect two network nodes so that, from the point of view of the software running on them, they appear to be connected to the same (local) network. However, we must not forget that in fact the “ferry” with data passes through many intermediate nodes (routers) of an open public network.

This state of affairs poses two problems. The first is that information transmitted through the tunnel can be intercepted by attackers. If it is confidential (bank card numbers, financial statements, personal information), then the threat of its compromise is quite real, which in itself is unpleasant. Even worse, attackers have the ability to modify the data transmitted through the tunnel so that the recipient will not be able to verify its authenticity. The consequences can be the most dire. Taking the above into account, we come to the conclusion that a tunnel in its pure form is suitable only for some types of network computer games and cannot claim more serious use. Both problems are solved by modern means of cryptographic information protection. To prevent unauthorized changes from being made to a data packet as it travels through the tunnel, the electronic digital signature method is used. The essence of the method is that each transmitted packet is supplied with an additional block of information, which is generated in accordance with an asymmetric cryptographic algorithm and is unique to the contents of the packet and the secret key of the sender's digital signature. This block of information is the digital signature of the packet and allows the data to be authenticated by a recipient who knows the public key of the sender's digital signature. Protection of data transmitted through the tunnel from unauthorized viewing is achieved by using strong encryption algorithms.

3.2 Authentication

Security is the main function of a VPN. All data from client computers passes through the Internet to the VPN server. Such a server may be located at a great distance from the client computer, and data on the way to the organization’s network passes through the equipment of many providers. How can I make sure that the data has not been read or modified? For this, various authentication and encryption methods are used.

PPTP can use any of the protocols used by PPP to authenticate users:

  • EAP or Extensible Authentication Protocol;
  • MSCHAP or Microsoft Challenge Handshake Authentication Protocol (versions 1 and 2);
  • CHAP or Challenge Handshake Authentication Protocol;
  • SPAP or Shiva Password Authentication Protocol;
  • PAP or Password Authentication Protocol.

The best protocols are MSCHAP version 2 and Transport Layer Security (EAP-TLS), since they provide mutual authentication, i.e. the VPN server and the client identify each other. In all other protocols, only the server authenticates clients.

Although PPTP provides a sufficient degree of security, L2TP over IPSec is more reliable. L2TP over IPSec provides authentication at the user and computer levels, and also performs authentication and data encryption.

Authentication is carried out either with a clear-text password or by a challenge/response scheme. The clear-text case is straightforward: the client sends the server a password, and the server compares it with the stored reference and either denies access or says “welcome.” Such open authentication is almost never seen.

The challenge/response scheme is much more advanced. In general it looks like this:

  • the client sends the server a request for authentication;
  • the server returns a random value (the challenge);
  • the client takes a hash of its password (a hash is the result of a hash function, which converts an input data array of arbitrary length into an output bit string of fixed length), encrypts the challenge with it and transmits the result to the server;
  • the server does the same and compares its own result with the client's response;
  • if the encrypted responses match, authentication is considered successful.
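The challenge/response exchange above, as an added example that is not part of the original article, implemented the way CHAP (RFC 1994) does it: the response is MD5 over the identifier, the shared secret and the challenge, each challenge is random and accepted only once, and the secret itself never crosses the wire. The user table, names and secrets are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store for the example. CHAP requires the server to
# hold the shared secret itself, which is one reason certificate-based,
# mutual methods such as EAP-TLS are preferred where they are available.
USERS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Issues one-time challenges and checks the responses against USERS."""

    def __init__(self, users: dict, rng=os.urandom):
        self.users = users
        self.rng = rng                 # injectable so tests can be deterministic
        self.pending = {}              # identifier -> outstanding challenge
        self.next_id = 0

    def issue_challenge(self) -> tuple:
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF   # CHAP identifier is one octet
        challenge = self.rng(16)                   # fresh random value per attempt
        self.pending[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        # The challenge is consumed on first use, so a captured response
        # cannot be replayed against the same identifier later.
        challenge = self.pending.pop(ident, None)
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, ident: int, challenge: bytes) -> tuple:
        # Only the digest is sent; the secret itself never leaves the client.
        return self.name, chap_response(ident, self.secret, challenge)


def run_exchange(server: ChapServer, client: ChapClient, wire: list = None) -> bool:
    """One challenge/response round; `wire` collects what a passive observer sees."""
    ident, challenge = server.issue_challenge()
    name, response = client.answer(ident, challenge)
    if wire is not None:
        wire.append((ident, challenge, name, response))
    return server.verify(ident, name, response)


if __name__ == "__main__":
    srv = ChapServer(USERS)
    print(run_exchange(srv, ChapClient("alice", USERS["alice"])))   # True
    print(run_exchange(srv, ChapClient("alice", b"guess")))         # False
```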

In the first step of authenticating VPN clients and servers, L2TP over IPSec uses local certificates obtained from a certificate authority. The client and server exchange certificates and create a secure connection, an ESP security association (SA). After L2TP (over IPSec) completes the computer authentication process, user-level authentication is performed. For authentication, you can use any protocol, even PAP, which transmits the username and password in clear text. This is quite secure, since L2TP over IPSec encrypts the entire session. However, performing user authentication using MSCHAP, which uses different encryption keys to authenticate the computer and the user, can enhance security.

3.3 Encryption

PPTP encryption ensures that no one can access your data while it is being sent over the Internet. There are currently two supported encryption methods:

  • MPPE or Microsoft Point-to-Point Encryption is only compatible with MSCHAP (versions 1 and 2);
  • EAP-TLS can automatically select the length of the encryption key when negotiating parameters between the client and server.

MPPE supports keys with lengths of 40, 56 or 128 bits. Older Windows operating systems only support 40-bit key length encryption, so in a mixed Windows environment you should choose the minimum key length.

PPTP changes the encryption key value after each packet received. The MPPE protocol was designed for point-to-point communication links in which packets are transmitted sequentially and there is very little data loss. In this situation, the key value for the next packet depends on the result of decrypting the previous packet. When building virtual networks over public networks, these conditions cannot be met, since data packets often arrive at the recipient in a different sequence than they were sent. Therefore, PPTP uses packet sequence numbers to change the encryption key. This allows decryption to be performed regardless of previously received packets.
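The contrast drawn above, as an added illustration that is not from the original article and does not reproduce MPPE's real RC4 key schedule: a toy HMAC-SHA256 stream cipher with two receivers, one chaining each packet key from the previous one (the point-to-point design) and one deriving each key from the session key and the sequence number, so it survives out-of-order delivery. The session key and messages are constructed values.

```python
import hashlib
import hmac


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (packets <= 32 bytes).

    Illustration only; MPPE really uses RC4 with its own key derivation.
    """
    keystream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, keystream))


toy_decrypt = toy_encrypt   # XOR with the same keystream undoes the encryption


class StatefulReceiver:
    """Key for packet n is derived from the key used for packet n-1,
    so decryption only works if packets are processed in sending order."""

    def __init__(self, session_key: bytes):
        self.key = session_key

    def receive(self, seq: int, ciphertext: bytes) -> bytes:
        # The sequence number is ignored: the receiver only knows "next key".
        plaintext = toy_decrypt(self.key, ciphertext)
        self.key = hashlib.sha256(self.key).digest()
        return plaintext


class StatelessReceiver:
    """Key for packet n is derived from the session key and n alone,
    the approach the text describes for PPTP, so arrival order is irrelevant."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key

    def key_for(self, seq: int) -> bytes:
        return hmac.new(self.session_key, seq.to_bytes(4, "big"), hashlib.sha256).digest()

    def receive(self, seq: int, ciphertext: bytes) -> bytes:
        return toy_decrypt(self.key_for(seq), ciphertext)


def sender_stateful(session_key: bytes, messages: list) -> list:
    """Encrypt messages with a chained key; returns (seq, ciphertext) pairs."""
    key, out = session_key, []
    for seq, m in enumerate(messages, start=1):
        out.append((seq, toy_encrypt(key, m)))
        key = hashlib.sha256(key).digest()
    return out


def sender_stateless(session_key: bytes, messages: list) -> list:
    """Encrypt messages with a per-sequence-number key; same pair format."""
    derive = StatelessReceiver(session_key).key_for   # same derivation as the receiver
    return [(seq, toy_encrypt(derive(seq), m)) for seq, m in enumerate(messages, start=1)]


def deliver(receiver, packets: list, order: list) -> list:
    """Feed packets to the receiver in the given arrival order of sequence numbers."""
    by_seq = dict(packets)
    return [receiver.receive(seq, by_seq[seq]) for seq in order]


if __name__ == "__main__":
    key = b"\x01" * 32                       # constructed session key
    msgs = [b"first", b"second", b"third"]
    print(deliver(StatelessReceiver(key), sender_stateless(key, msgs), [1, 3, 2]))
    print(deliver(StatefulReceiver(key), sender_stateful(key, msgs), [1, 3, 2]))
```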

Both protocols are implemented both in Microsoft Windows and outside it (for example, in BSD), but the VPN operating algorithms may differ significantly between implementations.

Thus, the “tunneling + authentication + encryption” combination allows you to transfer data between two points through a public network, simulating the operation of a private (local) network. In other words, the considered tools allow you to build a virtual private network.

An additional pleasant effect of a VPN connection is the possibility (and even necessity) of using the addressing system adopted in the local network.

The implementation of a virtual private network in practice looks like this: A VPN server is installed in the local computer network of the company's office. The remote user (or router, if connecting two offices) using VPN client software initiates the connection procedure with the server. User authentication occurs - the first phase of establishing a VPN connection. If the authority is confirmed, the second phase begins - the details of ensuring the security of the connection are agreed upon between the client and the server. After this, a VPN connection is organized, ensuring the exchange of information between the client and the server in the form when each data packet goes through encryption/decryption and integrity check procedures - data authentication.

The main problem with VPN networks is the lack of established standards for authentication and encrypted information exchange. These standards are still under development and therefore products from different manufacturers cannot establish VPN connections and automatically exchange keys. This problem entails a slowdown in the spread of VPNs, since it is difficult to force different companies to use the products of one manufacturer, and therefore the process of combining the networks of partner companies into so-called extranet networks is difficult.

The advantages of VPN technology are that remote access is organized not through a telephone line, but through the Internet, which is much cheaper and better. The disadvantage of VPN technology is that VPN building tools are not full-fledged means of detecting and blocking attacks. They can prevent a number of unauthorized actions, but not all the possibilities that can be used to penetrate a corporate network. But despite all this, VPN technology has prospects for further development.

What can we expect in terms of VPN technology development in the future? Without any doubt, a unified standard for constructing such networks will be developed and approved. Most likely, the basis of this standard will be the already proven IPSec protocol. Next, manufacturers will focus on improving the performance of their products and creating user-friendly VPN management tools. Most likely, the development of VPN building tools will go in the direction of router-based VPNs, since this solution combines fairly high performance, integration of VPN and routing in one device. However, low-cost solutions for small organizations will also develop. In conclusion, it must be said that, despite the fact that VPN technology is still very young, it has a great future ahead of it.


Before I talk about how to use a VPN, a few words about this technology. VPN technology, in full Virtual Private Network, exists not only and not so much for providing access to the Internet, but for creating secure networks within large public networks. But system administrators often use VPNs specifically to monitor the traffic of enterprise employees and record statistics. Providing Internet access through a VPN is a normal practice and does not at all contradict technical standards or the purpose of the technology.

But this article is not aimed at system administrators, but at ordinary office workers, often experienced users who need to establish an Internet connection and understand how to use a VPN. And system administrators, who are forced to write countless instructions for users at work, can take this article as the basis for such instructions. I wrote this instruction once when I needed to identify traffic “leakage” from some work machines during non-working hours.

Brief instructions for using Internet services via VPN

One of the functions of a VPN is to provide personal access to the Internet. Now the connection to the Internet will take place after opening a personal VPN session and, accordingly, disconnection from the Internet will occur after it is closed. Each computer connected to the Internet, used for administrative purposes, is assigned to a specific employee, each employee has his own login (user name) and password for connecting to the Internet. Personal login and password for connecting to the Internet is confidential personal information of each employee. Connecting to the Internet using your username and password on a “foreign” computer is impossible. The VPN system monitors the opening and closing times of the session (that is, when the connection and disconnection from the Internet occurs), as well as the amount of downloaded information and statistics of sites visited.

  1. A VPN shortcut is installed on the desktop of every computer connected to the Internet, which “launches” the Internet.
  2. When you double-click on the shortcut, a window asking for your login (user) and password opens; you must enter your personal data in the appropriate fields.
  3. You can check the “save username and password” box, as a result of which you will no longer have to enter these parameters; however, in this case your personal session will no longer be confidential (that is, it will be available to everyone who could potentially use your computer).
  4. If you still decide that it is inconvenient to constantly enter a login and password for your VPN session and have selected the “save username and password” option, it is important that the “only for me” option is selected, in which case access to the Internet will only be possible with your network account.
  5. After your personal data has been entered, you must click on the “connect” button.
  6. In most cases, after connecting, two identical network icons will be displayed in the lower right corner of the desktop (system tray), which indicate that you are connected.
  7. To disconnect the VPN session, and therefore the Internet, you need to double-click on the shortcut again, after which the following window will open:
  8. In the window you need to click on the “disable” button. After this the VPN session will be closed, the icon in the lower right corner of the desktop will disappear, and access to the Internet will be blocked.

Note on VPN instructions

You can open and close a VPN session (turn on and off access from your computer to the Internet) at any time convenient for you. You can turn it on only to check your mail, and turn it off after checking. You can turn it on for the whole working day and turn it off at the end. Any of the options is your personal decision.

That's all the instructions. You probably already guessed what level of computer literacy I had to deal with in my time. I hooked all this up to the billing system on the server and monitored the traffic. The network troublemakers turned out to be cunning Trojans that generated a lot of outgoing traffic, as a result of which the provider blocked the external IP address for spam. Soon after the incident, my management decided to purchase an antivirus package for the application server, but nothing more.

How to use a VPN for an office employee? was last modified: March 3rd, 2016 by Admin

Relatively recently, VPN technologies have become very popular among computer and mobile technology users. Most people, however, don’t really think about why a VPN is needed on a phone, tablet, desktop computer, or laptop, or how it all works. Let's try to consider some aspects of these issues, without going too much into technical terms and descriptions of operating principles.

What is a VPN in general?

The abbreviation VPN is derived from the English phrase, which literally means “private virtual network.” Unfortunately, this term does not fully characterize the organization of such networks, the principles of operation, and why a VPN is needed in general. Yes, of course, some conclusions can be drawn from the definition. In particular, it can be clearly understood that this definition means a network to which a limited number of users have access.

However, this network is not simple, but protected, and in such a way that the transmitted and received data passes through a kind of tunnel in encrypted form, and it is almost impossible to access them outside the network. But this is only a general concept. If you dig deeper, you can find considerable similarities between VPNs and anonymizers or similar proxy servers, which are capable of providing not only information protection, but also the anonymity of the user’s stay on the Internet, naturally, even while hiding traces of visits to certain resources.

Understanding Tunneling Technology

It’s impossible to talk about why a VPN is needed without understanding how it all works, at least at the most primitive level. Therefore, we will briefly dwell on the principles of operation of connections of this type. To simplify the explanation, we will use the following example.

Data transfer from one computer or mobile device to another is carried out exclusively through a special secure channel called a tunnel. At the sending end the traffic is encrypted, and at the receiving end it can be decrypted only with the appropriate key, which is known only to the sending and receiving parties. Since access to the network is also limited, only registered users can use it.

But, speaking about why you need a VPN at home or in the office and on different devices when working on the Internet, you should especially pay attention to the fact that when using such technologies, the external IP address of the device from which you connect to a specific resource changes. Why is this being done? The fact is that each device, when connected to the World Wide Web, is assigned a unique external identifier (IP address), even dynamically changing, which directly depends on the geographic location of the provider. Based on this, it is not difficult to realize that access to some services or sites in a certain region may simply be blocked. And a VPN allows you to bypass such restrictions.

Why do you need a VPN?

If we talk about the practical side of the need to use a VPN, we can give several specific examples. Let's say you come to a cafe where you can get free access to Wi-Fi, and log into some social network by entering your username and password. Since the public Wi-Fi network itself has a very low level of security, or none at all, it will not be difficult for any competent attacker to gain access to your data by hacking the transmission channel. It is one thing if only such resources are affected. What if you are currently trying to perform some banking transaction using the same mobile application? Where is the guarantee that such information will not be stolen? Now it probably becomes clear why you need a VPN on your iPhone or Android device. The same applies to all desktop or laptop computers.

Another, albeit sad, example is Ukraine, where relatively recently one of the most ridiculous laws was adopted at the state level to block some Russian social networks (Odnoklassniki, VKontakte) and services, including search and mail services Yandex and Mail.Ru, not to mention the ban on some online information publications. At first, this caused a real shock among the user audience, but then many quickly realized that using a VPN allows you to bypass these restrictions in no time, even without special knowledge in the field of computer technology. Another thing is China and North Korea. In these countries, even a VPN does not help, since they have such powerful firewalls that it is almost impossible to break through their protection.

Another aspect can be associated with the availability of services on the Internet that are available only for certain regions. So, for example, you won’t be able to simply listen to an Internet radio intended for broadcasting exclusively in the United States, since this service is closed for Eastern Europe. That is, after determining your region based on the external IP device from which the connection is attempted, you simply will not gain access to the service. Changing the address by using a VPN client solves this problem easily!

Why do you need a VPN in browsers?

We have now worked out, at least a little, why you need a VPN. Now let's look at the practical use of such technologies in relation to the most common Internet browsers. For all browsers today you can find a lot of plugins in the form of additionally installed extensions, among which there are specialized VPN clients like friGate, Browsec and the like. The Opera browser compares favorably with all the others, since such a client is built in.

To activate it for the first time, you must use the security section of the main menu, and to enable or disable it again, use a special switch added to the panel to the left of the address bar. In this case, you can trust the automatic settings or choose your preferred region yourself.

The image above shows an example of accessing the Yandex start page in Ukraine with the client turned off and on. As you can see, bypassing the blocking is simple.

General purpose programs

However, the matter may not be limited only to browsers, since access to the Internet at any time may be required by some programs installed on a computer or mobile device. The official websites of such applications may also be blocked. In particular, we are talking about updates to Kaspersky Lab antiviruses and Dr.Web packages. Why you need a VPN in this case is probably clear. Without updating anti-virus databases or components of security programs, full-fledged protection will simply become impossible. But the installation of updates is carried out not through the browser, but directly when the program itself accesses the resource. In such a situation, special applications help by changing the external IP of the computer for all installed applets.

One of the most interesting applications is the SafeIP program, which can configure addresses both automatically and by allowing the user to select a region. This equally applies to all kinds of email clients like Mail.Ru Agent, for which blocking is bypassed using a similar method.

Why do you need a VPN server?

As for servers of this type, their purpose is more to ensure network security by limiting user access and encrypting information. This allows you to more securely protect your own wireless connection. Again, after connecting to such a server, there will be no need to bypass blocking of various levels on individual devices. In addition, this allows you to organize a network based on an Internet connection from different parts of the world.

Creation using Windows

In principle, you can create a server at home even using Windows tools. True, the principles used are somewhat different from what third-party programs offer.

In Windows, you first need to enter the network settings (ncpa.cpl), create a new incoming connection, select a user with the maximum set of administrative rights, activate allowing users to connect via the Internet (VPN), enable the desired TCP/IP protocol and specify the users who will be allowed connection.

To connect, you will initially need to know the Internet address of the created server and your login and password.

Note: this technique only works for devices with static addresses, and in some cases (if the VPN connection is made through a router), you need to open (forward) port 1723 on the router, which directly depends on the model of the router used.

Mobile settings and applications

Finally, let's see why you need a VPN on Android. In principle, the purpose of such technologies is practically no different from conventional computers. The only difference can be in the setting. For example, you can create a server (access point) using the system itself or use third-party applications. For comfortable access to sites, you can use the mobile version of the Opera browser. But why do you need VPN Master - one of the most popular programs for mobile devices?

In a sense, it is an analogue of the SafeIP application mentioned above and allows you to bypass possible restrictions for all services without exception, including news, antivirus updates, listening to Internet radio or music in special applications like Spotify, not designed for use in a specific region.