Thursday, July 29, 2010

VPNs


As a general definition, virtual private network (VPN) refers to a class of applications that use public or shared network resources to emulate the characteristics of private or dedicated network resources. We need such a general definition because the term has been used in both the PSTN and the IP world to designate different services.

In PSTN parlance, the term VPN usually denotes a service by which an enterprise is given its own numbering plan as well as other PBX-like (but network-based) features. [Software-defined network (SDN) is sometimes used in place of VPN.] Initially, corporations leased dedicated permanent switched circuits (reserved by telephone switches) in order to give their employees the look and feel of dedicated private networks. Subsequently, as telephone switches became programmable, the need for permanency disappeared; the circuits were established on demand. However, all involved switches had to be programmed to support the corporations' numbering plans, dialing restrictions, and so on, and they had to be reprogrammed every time something changed. Finally, with the advance of IN solutions, establishment and maintenance of the VPN features can be done in only one place—a network database.

With each of these steps, VPN costs were lowered further without any visible impact on the quality of the services provided. The IN mechanism is entirely independent of the transport mechanism for voice (that is, IP or PSTN lines and trunks); thus, all the PSTN VPN features can be supported with the same mechanism in the IP environment. In a joint PSTN/IP environment, the control of the VPN (a classic IN application) can partially reside on an IP host, making the actual service delivery (for example, number translation or administration of restrictions) much more effective than in the case where control belongs only within the PSTN.

In the IP world, the historical use of the term VPN is similar, except that the items being replaced are dedicated private data communications (rather than telephone) lines. Instead of dedicated private data lines, the Internet can be used to transport corporate data. Definitions of the term vary. We will use the one given in Kosiur (1998): “A virtual private network is a network of virtual circuits for carrying private traffic,” where the virtual circuit is defined as “a connection . . . between a sender and a receiver in which both the route for session and bandwidth . . . [are] allocated dynamically.”

The performance, reliability, security, and quality of service of a successfully implemented VPN are comparable with those of dedicated network solutions. The costs of VPNs, however, are at least 50 percent lower than those of dedicated solutions. In the data environment, the VPN supports private IP addresses, differential treatments of traffic inside and outside a particular private network, and management of the firewalls that separate the private network from external networks. The VPN interconnects enterprise networks via a public data network and provides remote on-demand connection to enterprise networks through the PSTN.

We concentrate only on remote on-demand connection to enterprise networks through the PSTN. It is important to stress, however, that regardless of the initial connection (for example, PSTN dial-in), VPN solutions may allow user traffic to pass through the Internet. Again, the transport of data over a public medium makes security the central issue when providing VPN service. Authorization and authentication are clearly not enough: data traveling in IP packets over the Internet can be intercepted. One existing scheme, called tunneling, hides the network infrastructure from the VPN application by establishing gateways at the borders with the Internet that encapsulate the IP packets destined to travel over the Internet into point-to-point (that is, gateway-to-gateway) protocol packets, as shown in Figure 2. The figure depicts the enterprise network connections (via VPN), but the same configuration applies to ISPs. This mechanism shows how remote users (and separate so-called islands of a private IP network) can be connected into one network. Another important attribute of this solution is that it aids in management of the ever-shrinking IP address space in the following two ways:

Figure 2: VPN through tunneling.

  1. The dial-in users can be assigned their IP addresses dynamically.
  2. Only gateways need unique IP addresses (as far as the Internet is concerned); the rest of the VPN IP endpoints can be assigned private IP addresses, which are unique only for that VPN. (The numbers could duplicate the addresses used in any other network, including the Internet.)
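To make the encapsulation concrete, here is an added example (not code from the original post) that builds the inner private-addressed packet and the outer gateway-to-gateway packet of Figure 2, then parses both back at the far gateway. It assumes IP-in-IP (IPv4 protocol number 4) as the gateway-to-gateway protocol and uses constructed sample addresses, since the post names neither.

```python
import socket
import struct

# Assumed concrete encapsulation: IP-in-IP (protocol 4, RFC 2003); the post only
# says the gateway wraps IP packets in gateway-to-gateway protocol packets.
IPPROTO_IPIP = 4
HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src, dst, proto, payload_len):
    """Build an IPv4 header (TTL 64, no fragmentation) with a valid checksum."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(pkt):
    """What any router or observer on the path can read from a header."""
    _, _, tlen, _, _, _, proto, _, s, d = struct.unpack(HDR, pkt[:20])
    return {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
            "proto": proto, "len": tlen, "checksum_ok": checksum(pkt[:20]) == 0}

def encapsulate(inner_pkt, gw_src, gw_dst):
    """Border gateway: wrap a private-addressed packet for the Internet leg."""
    return ip_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt

def decapsulate(outer_pkt):
    """Far gateway: validate the outer header, hand the inner packet to the island."""
    outer = parse_header(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP or not outer["checksum_ok"]:
        raise ValueError("not a valid IP-in-IP tunnel packet")
    return outer_pkt[20:outer["len"]]

def tunnel_demo():
    """Constructed sample: a host in island A sends UDP (proto 17) to island B."""
    payload = b"hello from island A"
    inner = ip_header("10.0.0.5", "10.0.1.7", 17, len(payload)) + payload
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.9")
    recovered = decapsulate(outer)
    return {"on_internet": parse_header(outer),   # only gateway addresses visible
            "inner": parse_header(recovered), "payload": recovered[20:],
            "cleartext_exposed": payload in outer}  # tunnel alone hides no data
```

Only the two gateway addresses appear in the outer header, so the islands can keep their private (even overlapping) addresses, but the inner addresses and payload remain readable to anyone on the path, which is why the post stresses that authorization and authentication alone are not enough.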


Tunneling itself supports several applications, a few of which have already been mentioned, including:

  • Remote access outsourcing. A large service provider offers remote access termination services to customers, with data traveling through tunnels. The customer requires much less equipment (and less capital investment), which, in turn, allows more focused specialization in services.

  • Feature services. Tunneling enables the delivery of value-added services (such as IP multicasting and low-latency IP service classes), and so supports applications like video conferencing.

  • Business-to-business services. Tunneling facilitates content hosting for intranets and extranets. With a public key infrastructure in place, support for nonrepudiation will help electronic commerce by making merchants confident about selling over the Internet.
