Virtual Private Networks; Vpn Overview; The Need For Vpns; The Basics Of Vpn Encryption - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

Chapter 9. Virtual Private Networks
This chapter describes VPN usage with NetDefendOS.
• VPN overview
• IPsec
• IPsec Tunnels
• PPTP/L2TP

9.1. VPN overview

9.1.1. The need for VPNs

Most networks today are connected to each other by the Internet. Business increasingly utilizes the
Internet since it offers efficient and inexpensive communication. Issues of protecting local networks
from Internet-based intrusion are being solved by firewalls, intrusion detection systems and other
security investments.
Private as well as corporate communication requires a means for data to travel across the Internet to
its intended recipient without another party being able to read or alter it. It is equally important that
the recipient can verify that no one is falsifying information, i.e. pretending to be someone else.
VPNs meet this need, providing a highly cost-efficient means of establishing secure links to parties
that one wishes to exchange information with in a secure manner.

9.1.2. The basics of VPN Encryption

Cryptography provides the means to create VPNs across the Internet with no additional investments
in connectivity. Cryptography is an umbrella expression covering 3 techniques and benefits:
• Confidentiality: No one but the intended recipients is able to receive and understand the communication. Confidentiality is accomplished by encryption.
• Authentication and Integrity: Proof for the recipient that the communication was actually sent by the expected sender, and that the data has not been modified in transit. This is accomplished by authentication, often by use of cryptographic keyed hashes.
• Non-repudiation: Proof that the sender actually sent the data; the sender cannot later deny having sent it. Non-repudiation is usually a side-effect of authentication.
VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally
not handled at the network level but rather on a transaction (document-by-document) basis.

9.1.3. Planning a VPN

An attacker wishing to make use of a VPN connection will typically not attempt to crack the VPN
encryption since this requires enormous work. Rather, they will see VPN traffic as an indication that
there is something worth targeting on the other end of the connection. Typically, mobile clients and
branch offices are far more attractive targets than the main corporate networks. Once inside those,
getting to the corporate network becomes a much easier task.
In designing a VPN, there are many non-obvious issues that need to be addressed. This includes: