Virtual private networks (VPN). VPN clients and their configuration. What is a VPN

Gennady Makhmetov

Many have read or heard the name "virtual private network" (VPN). But many either do not know what it is, or assume it is not for them because it must be very expensive. In fact, even a small company can easily build a simple virtual private network, and doing so raises the security of its inter-office traffic to a level that is hard to reach by other means. This is made possible by the availability of high-quality freeware products. For firms that can and want to spend money on security, there are also plenty of commercial products on the market. To understand what installing a VPN can give you, it helps to first understand what a VPN is.

As with any "smart" name, behind "virtual private network" there is a perfectly simple idea. Imagine an enterprise with several geographically distant branches, warehouses, offices and workshops. Today the vast majority of organizations use computer networks for accounting and management, and sooner or later they need to combine their separate branches into a single network. This is easy enough to do: take telephone lines, install modems in each branch, and dial up a connection whenever one is needed. There is software that establishes such a connection automatically on demand. But not every organization is served by that kind of link: some need a permanent connection, some need more bandwidth. That is not a problem either; you lay cables between the branches and use them to carry the traffic (Fig. 1).

Private communication channels between the units of an organization give the best result: the highest bandwidth and a permanent connection. What could be better? Unfortunately, not many firms can afford to communicate over their own channels, especially when the divisions are far apart (for example, the office is in Moscow and the production facilities are scattered across Siberia). A cheaper alternative to leased lines is to connect all of the company's branches via the Internet (Fig. 2). This solves many problems at once: branches can be anywhere in the world; those offices that need dedicated lines can have them, and the rest can reach the Internet over a dial-up telephone connection. The advent of IP telephony, which carries telephone conversations over the Internet, makes this solution even more attractive.

Everything would be fine, but connecting to the Internet has its own negative consequences. First, you expose your network to attack by anyone anywhere in the world, because the Internet is a worldwide network. Second, data on the Internet is carried in the clear, and with modest effort your ill-wishers can learn about your business. Third, data can not only be intercepted but also modified in transit: an attacker can compromise the integrity of your databases by impersonating one of your branches on the network. If all of this is a real threat to you, and you really do need to send your data over the Internet, virtual private networks are for you.

A virtual private network is built on the use of cryptographic protocols.

The use of cryptography allows you to achieve several goals, simultaneously or separately:

  1. Hide information transmitted over the network from prying eyes. This is the best-known and best-understood use of cryptography: data is transformed at one end so that only the intended recipient can read it.
  2. Make sure that the packet really came from the sender named in it, and that the information was not altered in transit. There is little point in hiding the contents of traffic if an attacker can still forge a packet that instructs the bank, on the client's behalf, to make a payment, or intercept the client's request and change the amount or the payee.
  3. Prevent the reuse (replay) of information. Suppose someone makes a payment from a mobile computer. Nobody can read the payment request and nobody can forge a payment order, but by recording the packets and sending them a second and a third time an attacker can make the bank execute the payment a second and a third time.

Of course, these problems are being solved in today's networks too. Building a VPN lets you move the solution of some of them out of the application programs and down to the network layer, create a single point of control, or simply supplement the existing tools and significantly raise their effectiveness.

It should be noted that the use of encryption technology is regulated by law in almost every country. For example, the United States has a law restricting the export of computer products that use strong encryption algorithms. Russia is no exception, and Russian law is confusing enough that it is best to consult a lawyer before deploying cryptographic tools. Schemes that do not conceal information (that is, that implement only points 2 and 3 above) can, in the author's reading of the rules, be used without obtaining any license.

You can build a virtual private network in a huge number of ways; merely listing them would take a lot of space. For example, UNIX users have long combined ssh and ppp for this purpose. The real interest, of course, lies in the standard solutions. The following are widely known at present:

  • PPTP (Point-to-Point Tunneling Protocol), developed jointly by Microsoft, 3Com and Ascend Communications. This protocol became quite popular because it is included in Microsoft operating systems.
  • L2F (Layer-2 Forwarding), a Cisco development.
  • L2TP (Layer-2 Tunneling Protocol), the official Internet standard (RFC 2661), which merged PPTP and L2F and is being further developed and promoted.
  • SKIP (Simple Key-management for Internet Protocols), a Sun development.
  • IPsec (Internet Protocol Security), the official Internet standard.

The first three of the listed protocols are aimed primarily at mobile users and will not be discussed in this article.

The Internet standard is the IPsec suite of protocols. The specifications of the time for the new IP protocol, IPv6, required every IPv6 node to support IPsec.

In the VPN construction mode (tunnel mode), IPsec secures communication over the Internet by "packing" an IP packet into a new IP packet and applying various transformations to it along the way: encryption and integrity protection (the article calls the latter an electronic signature; in IPsec it is a keyed message authentication code rather than a public-key signature) (Fig. 3). Data transmission on the Internet is like sending a postcard without an envelope: any curious postal worker can read it and even add something to it, and anyone can send a postcard in someone else's name. Packing an IP packet into another IP packet with the help of cryptography is like putting the postcard into an envelope, sealing it and signing it. This way you can be sure that nobody has read what is in the envelope, that nobody has changed it, and the signature on the envelope vouches for the identity of the sender.

Depending on the requirements, two kinds of header are used, and accordingly two modes of operation are provided. In the first, ESP (Encapsulating Security Payload) carries encrypted data, can authenticate the transmitted data with an integrity check value, and includes a sequence number in its header: a counter that increases by 1 with every packet and lets the receiver reject packets it has already seen. Thus the secrecy and immutability of the data are ensured, replay is prevented, and the identity of the sender is confirmed; these capabilities can be used together or separately (ESP with encryption but no integrity check is permitted by the standard, but it offers no protection against tampering and should be avoided). In the second mode, AH (Authentication Header) provides the integrity check and the sequence number but no encryption, so it guarantees everything ESP does except secrecy. The difference is that AH's integrity check covers the whole packet, including the outer IP header (the addresses and other "inscriptions on the envelope", except fields such as the TTL that legitimately change in transit), while ESP protects only the packed inner packet and its own header. If necessary the two headers can be combined, which is done when both data privacy and the integrity of the entire packet are required.
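The integrity check and the sequence counter described above, as an added worked example (this is not code from the article or from any IPsec implementation). It uses only the Python standard library: an HMAC stands in for what the text calls the electronic signature, and the receiver keeps the sliding anti-replay window that IPsec receivers use (RFC 4303, section 3.4.3). The packet layout, the 64-packet window and the sample key are assumptions made for the demonstration; the traffic in demo() is constructed.

```python
"""AH/ESP-style integrity check with an anti-replay sequence window (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 16   # truncated HMAC output, as IPsec does with 96/128-bit ICVs
WINDOW = 64    # anti-replay window size in packets (assumption)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend the sequence number, append an ICV over header + payload."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver: rejects replays, then verifies the ICV, then updates the window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => seq (highest - i) already accepted

    def _replayed(self, seq: int) -> bool:
        if seq == 0:
            return True                         # counter starts at 1; 0 is never valid
        if seq > self.highest:
            return False                        # newer than anything seen
        if seq <= self.highest - WINDOW:
            return True                         # older than the window: drop
        return bool((self.seen >> (self.highest - seq)) & 1)

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Returns (payload, "ok") or (None, reason)."""
        if len(packet) < 4 + ICV_LEN:
            return None, "truncated"
        header, payload, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        (seq,) = struct.unpack("!I", header)
        if self._replayed(seq):
            return None, "replay"
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV"              # forged or modified; window untouched
        self._mark(seq)                         # only authenticated packets advance it
        return payload, "ok"


def demo() -> list:
    """Constructed traffic showing reordering, replay, tampering and window expiry."""
    key = b"constructed-sample-key-not-for-real-use"
    rx = Receiver(key)
    p1, p2, p3 = (protect(key, n, b"inner IP packet %d" % n) for n in (1, 2, 3))
    forged = p3[:4] + bytes([p3[4] ^ 0x01]) + p3[5:]   # one payload byte flipped
    return [
        rx.receive(p2)[1],                      # ok: newest so far
        rx.receive(p1)[1],                      # ok: older, inside window, unseen
        rx.receive(p1)[1],                      # replay: already accepted
        rx.receive(forged)[1],                  # bad ICV: modified in transit
        rx.receive(p3)[1],                      # ok: the forgery did not consume seq 3
        rx.receive(protect(key, 70, b"x"))[1],  # ok: window slides to 7..70
        rx.receive(protect(key, 5, b"x"))[1],   # replay: fell out of the window
        rx.receive(protect(key, 7, b"x"))[1],   # ok: oldest seq still inside the window
    ]
```

Two design points are worth noticing. The replay check runs before the (comparatively expensive) ICV computation, but the window is updated only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window. Out-of-order delivery inside the window is accepted, which is why a counter alone is not enough and the bitmap is needed.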

For two devices to exchange encrypted and authenticated data, they need to know the key of the cipher used for transmission and the key used for the integrity check. Key exchange is generally one of the most important parts of any system that relies on cryptographic protection. Obviously, no matter how strong the protocol, if an attacker can steal or replace the keys, all of it is wasted. It is like fitting a heavy-duty front door and then letting anyone make copies of the key: the door will not help. A further requirement is fairly frequent key change and a limit on the amount of data that may be transferred under one key: the more data is encrypted with a single key, and the more time an attacker has, the easier it is to "break" the cipher. Key exchange is therefore one of the most important parts of the standards, and it is why the data exchanged between the devices is encrypted with a so-called session key, a randomly chosen number the parties "agree" on at the start of the exchange.

IPsec does not fix a single way of distributing keys. It requires that manual keying and a dedicated protocol, IKE (Internet Key Exchange), both be supported. Each vendor may add its own key exchange protocols to this set, but the standard ones must be present.

Manual key distribution is very simple: the key material is carried on a floppy disk (or any other medium) and entered into the computer. Simple. But keys must be changed, and in some situations they are changed quite often, for example every hour; carrying them on a floppy every time becomes impractical. You can, of course, generate many keys in advance (for a whole year), distribute them once to all branches and change them on schedule. In general this is not a bad solution, but it raises the problem of changing keys synchronously, and it only suits a small number of parties: as their number grows, confusion inevitably sets in somewhere. For these reasons key exchange protocols were developed; IKE is one of them.

The IKE protocol lets devices agree on most of the parameters that will be used in the exchange: the encryption algorithm and the keys. IKE is fairly complex. It consists of an exchange of messages that the parties must complete before they can exchange data securely. In this session the parties first exchange messages confirming their identity. Several ways of establishing who we are dealing with are defined, all based on cryptography: either a keyed hash under a shared secret (symmetric, pre-shared-key authentication), or a digital signature or other proof involving a private and public key pair (asymmetric algorithms).

With symmetric authentication, the two parties know one shared secret key. The key itself is never sent over the network. Instead it is used to compute a keyed hash (a message authentication code, which the article calls an electronic signature) over a random number; the number and the hash are then sent to the other party. Knowing the shared key and the random number, the other party recomputes the hash, and if it matches the one received, the sender is who he claims to be. The hash algorithm is not rigidly fixed by the standard, but at least MD5 and SHA-1 (in the HMAC construction) must be supported. In this scheme one key is needed per pair of devices: a device that talks to a hundred others needs 100 keys, and again the potential for configuration confusion is great. In that case it is more convenient to use asymmetric cryptography.

With asymmetric cryptography each device has two keys, a private and a public one. The keys are generated by a special algorithm and are mathematically linked. The private key is known only to its owner; the public key can be distributed freely. There are at least two different schemes with asymmetric keys. In one (the RSA algorithm), a message transformed with the private key can be checked only with the corresponding public key, and vice versa; so if a known message verifies correctly under a public key, its author is the owner of the matching private key, which is the basis of a digital signature. In the other (the Diffie-Hellman algorithm), the sender's private key and the recipient's public key are used to compute a so-called mutual (shared) key. It turns out that the same mutual key can be computed from the recipient's private key and the sender's public key. Thus the mutual key can be computed only by someone who knows one of the two pairs: the sender's private key and the recipient's public key, or the recipient's private key and the sender's public key. And since a private key is known only to its owner (that is how it should be!), only the recipient and the sender can know the mutual key. On this basis the recipient can be sure that the sender of a message authenticated with the mutual key is who he claims to be. Obviously, with asymmetric algorithms each device needs only one key pair, regardless of the number of peers. Here, too, the standard does not fix a particular algorithm; it only requires that an implementation support Diffie-Hellman.

All these methods require prior knowledge of some long-term key that is used to confirm identity. But since very little data is processed with that key, it can be changed much less often (its validity can be months or even years). The preliminary identity check is what prevents an attacker from substituting his own key into the exchange (a man-in-the-middle attack) and so "hacking" the system.
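Why the identity check has to be bound to the key exchange, as an added worked example (not code from the article or from any IKE implementation). Two parties run Diffie-Hellman; an active attacker, Mallory, who replaces the public values in transit ends up sharing a separate key with each side while the two sides believe they share one. A keyed hash under the pre-shared key over the public values each side actually used (the idea behind IKE's HASH_I and HASH_R in pre-shared-key mode) exposes the substitution, because Mallory cannot recompute the hash without the secret. The 127-bit prime is a toy group chosen so the example runs instantly, not a real DH group; the role labels, the key names and the scenario are assumptions.

```python
"""Diffie-Hellman with and without pre-shared-key authentication (added example)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy Mersenne prime, NOT a real DH group (use RFC 3526 group 14 or ECDH)
G = 3


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def auth_tag(psk: bytes, role: bytes, my_pub: int, peer_pub: int) -> bytes:
    """HMAC under the PSK over (role, own public value, peer value as received)."""
    msg = role + my_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def exchange(psk_alice: bytes, psk_bob: bytes, mallory: bool) -> dict:
    """One exchange; reports whether the ends agree on a key and whether auth passed."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    A_at_bob, B_at_alice = A, B               # values as delivered over the network
    mallory_has_both = False
    if mallory:
        m, M = dh_keypair()
        A_at_bob, B_at_alice = M, M           # Mallory swaps in her own value both ways
    k_alice = dh_shared(a, B_at_alice)
    k_bob = dh_shared(b, A_at_bob)
    if mallory:
        mallory_has_both = (dh_shared(m, A) == k_alice and dh_shared(m, B) == k_bob)
    # Each side proves knowledge of the PSK over the values it actually used.
    tag_alice = auth_tag(psk_alice, b"I", A, B_at_alice)
    tag_bob = auth_tag(psk_bob, b"R", B, A_at_bob)
    # Tags are forwarded unchanged: without the PSK Mallory cannot recompute them.
    alice_ok = hmac.compare_digest(tag_bob, auth_tag(psk_alice, b"R", B_at_alice, A))
    bob_ok = hmac.compare_digest(tag_alice, auth_tag(psk_bob, b"I", A_at_bob, B))
    return {"keys_match": k_alice == k_bob,
            "authenticated": alice_ok and bob_ok,
            "mallory_has_both_keys": mallory_has_both}
```

With matching secrets and no attacker both checks pass; with Mallory in the path the two sides hold different keys, Mallory holds both, and the tags fail to verify; with mismatched secrets the DH keys agree but authentication fails, which is the case of a misconfigured pre-shared key.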

Having established the identity of the peer, the devices exchange proposals on the remaining parameters: encryption algorithms and session keys. Session keys are temporary and can change quite often. Once agreement is reached, data transfer can begin. Of course, the key exchange takes time, and until it completes no data packet can be sent between the devices securely. In unfavourable cases the delay caused by opening a session can be several seconds, and when many sessions open at once (for example, at the start of the working day or after a system restart) even longer.

The developers of the SKIP protocol approached key exchange somewhat differently. SKIP (Simple Key-management for Internet Protocols) is a Sun development and, as the name says, is intended for key exchange. It can be used together with IPsec, alongside other protocols, or on its own, which is why it is treated here as a separate protocol.

With SKIP, the key needed to decrypt a message (the session key) is carried in the packet itself, in the SKIP header (Fig. 4). So that only the addressee can decrypt the packet, this key is itself encrypted, with an algorithm and key chosen so that the key can be computed without any preliminary exchange. The mutual key is computed with the Diffie-Hellman algorithm already mentioned (from the sender's private key and the recipient's public key, or the sender's public key and the recipient's private key). But this mutual key is not used directly for encryption either: it is combined with a counter value to derive yet another key, by applying MD5 to the mutual key and the counter. It is this derived key that encrypts the session key, and the counter value travels in the packet as well. Thus everything needed to decrypt the packet is in its header, and no prior exchange is required (apart, of course, from knowledge of the relevant private and public keys). This three-level scheme allows session keys to be changed very often; the session key can differ from one packet to the next, and it is hard to imagine a more frequent change. In addition, the steadily increasing counter prevents an encrypted packet from being replayed. SKIP is clearly much simpler than IKE, though less flexible.
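The SKIP key hierarchy just described, together with the static Diffie-Hellman "mutual key" from the asymmetric section above, as an added worked example written from the description (not code from the article or from any SKIP implementation). Each party holds a static Diffie-Hellman key pair; the mutual key Kij is computed locally, Kijn = MD5(Kij || n) wraps a fresh session key, and the packet carries n, the wrapped key and the ciphertext, so the recipient needs nothing but the sender's public key. Assumptions: the prime is a toy group; the session-key wrapping and the payload encryption are stand-ins built from XOR and SHA-256 rather than SKIP's own cipher suites; MD5 is kept only because the text names it and is obsolete for new designs; one packet is sent per counter value; all keys and the message are constructed.

```python
"""SKIP-style key hierarchy: static DH mutual key, per-counter key, wrapped session key (added example)."""
import hashlib
import secrets

P = 2**127 - 1   # toy Mersenne prime, NOT a real DH group (use RFC 3526 group 14 or ECDH)
G = 3


def static_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def mutual_key(my_priv: int, peer_pub: int) -> bytes:
    """Kij: identical on both ends, computed without exchanging any message."""
    return pow(peer_pub, my_priv, P).to_bytes(16, "big")


def counter_key(kij: bytes, n: int) -> bytes:
    """Kijn = MD5(Kij || n): changes with the counter, so Kij itself is never used directly."""
    return hashlib.md5(kij + n.to_bytes(4, "big")).digest()


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (assumption, not SKIP's cipher)."""
    out = b""
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def skip_send(my_priv: int, peer_pub: int, n: int, plaintext: bytes) -> dict:
    """Builds the SKIP header fields (counter, wrapped session key) and the ciphertext."""
    session_key = secrets.token_bytes(16)            # fresh for every packet here
    kijn = counter_key(mutual_key(my_priv, peer_pub), n)
    return {
        "n": n,
        # Kijn is used once per counter value in this demo, so XOR acts as a one-time pad.
        "wrapped_key": xor(session_key, kijn),
        "ciphertext": xor(plaintext, keystream(session_key, len(plaintext))),
    }


def skip_receive(my_priv: int, peer_pub: int, packet: dict, last_n: int):
    """Recovers the session key from the header; refuses a counter that did not increase."""
    if packet["n"] <= last_n:
        return None, "replay"
    kijn = counter_key(mutual_key(my_priv, peer_pub), packet["n"])
    session_key = xor(packet["wrapped_key"], kijn)
    ct = packet["ciphertext"]
    return xor(ct, keystream(session_key, len(ct))), "ok"


def demo() -> dict:
    a_priv, a_pub = static_keypair()          # Alice
    b_priv, b_pub = static_keypair()          # Bob
    e_priv, _ = static_keypair()              # Eve: her own key pair, and she knows a_pub
    msg = b"constructed inner IP packet"
    pkt = skip_send(a_priv, b_pub, n=7, plaintext=msg)
    bob_pt, _ = skip_receive(b_priv, a_pub, pkt, last_n=6)
    eve_pt, _ = skip_receive(e_priv, a_pub, pkt, last_n=0)    # wrong Kij: garbage out
    _, again = skip_receive(b_priv, a_pub, pkt, last_n=7)     # same packet resent
    return {"bob_decrypts": bob_pt == msg, "eve_decrypts": eve_pt == msg, "resent": again}
```

The point to take from it is that no message is exchanged before the first data packet: Bob derives the same Kij and Kijn from Alice's public key and the counter in the header, while a third party with her own key pair derives a different Kij and recovers only noise. The receiver must still track the last counter per peer, or the "steadily increasing counter" gives no replay protection at all.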

As mentioned, SKIP can be used with or without IPsec. With SKIP alone, the IP packet to be transmitted is encrypted and packed into a new IP packet, which carries the SKIP header containing, as we said, everything needed to decrypt the packed packet (Fig. 5). If SKIP and IPsec are used together, the envelope packet carries two headers, the IPsec header and the SKIP header: the SKIP header carries the key, and the IPsec header carries the additional information needed to decrypt and process the packed packet correctly.

There are many VPN products on the market today. Some implement IPsec with IKE, some IPsec with SKIP, some SKIP without IPsec, and some support several of these.

Besides purely technical considerations, when choosing a protocol it is also important which products implementing it are on the market and how good they are.

Although SKIP is a Sun product, many networking and operating-system vendors include SKIP support in their products. SKIP is currently available for Solaris, SunOS, FreeBSD and Linux, and with the active participation of the Russian company Elvis+ versions for Windows NT and Windows 98 were created. Since SKIP is relatively simple and products based on it have been shipping for years, it can safely be called a mature protocol. A modern Pentium computer running Solaris can well meet the needs of a fairly large organization, especially since performance will in any case be limited by the bandwidth of the external channel; and computers running Windows 98 can easily exchange encrypted messages within the organization if there is such a need. The protocol's inflexibility is partly compensated by its simplicity, and you will most likely have no compatibility problems between products from different vendors.

Products implementing IPsec and IKE appear on the market more and more often; by now all the leading vendors seem to have announced implementations of the standard. Free implementations also exist for Linux and for OpenBSD, and OpenBSD includes support for the standard in its base system, which anyone can install by "downloading" it from one of the many FTP servers.

However, in my opinion IKE is still quite young and still developing, which can lead to incompatibilities between products from different vendors. Moreover, the complexity of the protocol makes its implementation complex and therefore error-prone. On the other hand, its flexibility makes it extremely attractive.

The final decision, of course, depends on your needs.

In conclusion: if your company has several geographically remote divisions and you need to organize information exchange between them over the Internet, or if you have users who reach your network remotely over the Internet, and you care at all about the security of your network, it makes sense to think about installing a VPN. A huge number of high-quality products are available today, from free software to complete commercial solutions. Let me also repeat that a VPN without concealment of data (with sender authentication and packet integrity only) can be installed without any license.

ComputerPress, No. 2, 2000

Virtual private network

Most often a virtual network is created by encapsulating PPP in some other protocol: IP (the approach taken by PPTP) or Ethernet (PPPoE, used by "last mile" providers to deliver Internet access).

With a proper implementation and suitable software, a VPN can provide strong encryption of the transmitted information. When all components are configured correctly, VPN technology hides the user's real address from the sites he visits; note that the VPN operator itself still sees where the traffic comes from and goes to, so this is not anonymity in the strict sense.

VPN structure

A VPN consists of two parts: an "internal" (controlled) network, of which there may be several, and an "external" network through which the encapsulated connection passes (usually the Internet). A single computer can also be connected to the virtual network. A remote user connects to the VPN through an access server that is attached to both the internal and the external (public) network. When a remote user connects (or when a connection to another secured network is established), the access server requires the user to go through identification and then authentication. After both succeed, the remote user (or remote network) is granted the right to work on the network; that is, authorization takes place.

VPN classification


VPN solutions can be classified according to several main parameters:

By type of environment used

  • Secure

The most common kind of virtual private network. It makes it possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPN protocols: IPsec, PPTP.

  • Trusted

Used when the transmission medium itself can be considered reliable and the only task is to create a virtual subnet within a larger network, so security is not the VPN's concern. Examples: MPLS (Multiprotocol Label Switching) and L2TP (Layer 2 Tunnelling Protocol). More precisely, these protocols delegate security to other protocols; L2TP, for example, is usually run together with IPsec.

By way of implementation

  • In the form of special software and hardware

The VPN is implemented with a dedicated set of software and hardware. Such an implementation gives high performance and, as a rule, a high degree of security.

  • As a software solution

An ordinary personal computer running special software that provides the VPN functionality.

  • Integrated solution

The VPN functionality is provided by a combined system that also handles traffic filtering, firewalling and quality of service.

By purpose

  • Intranet VPN

Used to combine several distributed branches of one organization into a single secure network, exchanging data over open communication channels.

  • Remote Access VPN

Used to create a secure channel between a segment of the corporate network (the central office or a branch) and a single user who, working from home, connects to corporate resources from a home computer, corporate laptop, smartphone or Internet kiosk.

  • Extranet VPN

Used for networks to which "external" users (for example, customers or clients) connect. The level of trust in them is much lower than in company employees, so special "lines" of defence are needed to prevent or restrict their access to particularly valuable, confidential information.

  • Internet VPN

Used by providers to give subscribers access to the Internet.

  • Client / Server VPN

It protects the data transmitted between two hosts (not networks) on the corporate network. The peculiarity of this option is that the VPN is built between hosts that are usually in the same network segment, for example a workstation and a server. Such a need arises very often when several logical networks must be created within one physical network, for example to separate the traffic of the finance department and the HR department, which access servers in the same physical segment. The option resembles VLAN technology, but instead of separating traffic it encrypts it.

By protocol type

There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. But the trend today is a general move to TCP/IP, and the vast majority of VPN solutions support it.

By network protocol level

Classified by the layer of the ISO/OSI reference model at which the tunnel operates: link-layer tunnels (PPTP and L2TP, which carry PPP), network-layer tunnels (IPsec) and higher-layer tunnels (SSL/TLS-based VPNs such as OpenVPN).

VPN Examples

Many major providers offer their VPN services for business customers.


A virtual private network (VPN) is used to provide secure connections between parts of a corporate network and for Internet access. The main advantage of a VPN is high security thanks to the encryption of internal traffic, which matters whenever data is transferred over a public network.

What is VPN connection

Many people, when they meet this abbreviation, ask: VPN, what is it and what is it for? The technology makes it possible to build one network connection on top of another. A VPN works in one of several modes:

  • host-to-network;
  • network-to-network;
  • host-to-host.

Organizing a virtual private network at the network layer means that any transport protocol, TCP or UDP, can run over it. All data passing through the tunnel between the computers is encrypted, which is additional protection for the connection. There are many examples explaining what a VPN is and why it should be used; the question is discussed in detail below.

Why you need a VPN

Every provider can hand over logs of a user's activity at the request of the relevant authorities: your Internet company records the actions you take online, which also relieves the provider of responsibility for what its clients do. There are many situations in which you need to protect your data and gain some freedom, for example:

  1. A VPN is used to send confidential company data between branches; it protects important information from interception.
  2. When you need to get around a service's geographic restrictions. For example, the Yandex Music service is available only to residents of Russia and the former CIS countries; a Russian speaker living in the United States cannot listen to its recordings. A VPN service gets around this restriction by presenting a Russian network address.
  3. Hiding the sites you visit from the provider. Not everyone is willing to share their online activity, so they protect their browsing with a VPN.

How VPN works

When you use a VPN channel, your visible IP address belongs to the country where the VPN server is located. On connection, a tunnel is created between the VPN server and your computer; after that, the provider's logs contain only encrypted traffic to the VPN server, which no analysis program can make sense of. Without the tunnel, a plain HTTP request immediately reveals which site you are connecting to. Keep in mind that the VPN operator now sees exactly what the provider used to see, so the trust has been moved, not removed.

VPN structure

This connection consists of two parts. The first is called the "internal" network; there can be several of these. The second is the "external" network, over which the encapsulated connection passes; as a rule, this is the Internet. A separate computer can also connect to the network. The user connects to a specific VPN through an access server that is connected simultaneously to the external and internal networks.

When VPN software connects a remote user, the server requires two important processes: first identification, then authentication. This is necessary to obtain the rights to use the connection. If both steps complete successfully, the user is granted rights to work on the network; essentially, this is the authorization process.

VPN classification

There are several types of virtual private networks. They differ in the degree of security, the method of implementation, the layer at which they work according to the ISO/OSI model, and the protocol involved. You can use a paid service or a free VPN service from Google. By degree of security, channels are either "secure" or "trusted". The latter are sufficient when the connection itself already has the required level of protection. To organize the first option, the following technologies are used:

  • PPTP;
  • OpenVPN;
  • IPSec.

How to create a VPN server

Any computer user can set up a VPN connection on their own. Below we consider the option for the Windows operating system. This manual does not require any additional software. The setup is carried out as follows:

  1. To make a new connection, open the network connections view: start typing "Network Connections" in the search box.
  2. Press the Alt key, open the "File" menu and select "New incoming connection".
  3. Then specify the user who will be allowed to connect to this computer via VPN (if you have only one account on the PC, you must set a password for it). Tick the checkbox and click "Next".
  4. Next you will be asked to select the connection type; you can leave the checkmark next to "Internet".
  5. The next step is to enable the network protocols that will work over this VPN. Check all boxes except the second. You can set specific IP addresses, DNS gateways and IPv4 ports if you wish, but it is easier to leave automatic assignment.
  6. When you click "Allow access", the operating system creates the server on its own and displays a window with the computer's name. You will need it to connect.
  7. This completes the creation of a home VPN server.

How to set up a VPN on Android

The above described a way to create a VPN connection on a personal computer. However, many people have long been doing everything from their phone. If you do not know what a VPN for Android is, all the facts above about this type of connection also apply to a smartphone. The configuration of modern devices ensures comfortable, high-speed use of the Internet. In some cases (launching games, opening sites) proxy substitution or anonymizers are used, but for a stable and fast connection a VPN is the better fit.

If it is already clear to you what a VPN on your phone is, you can go straight to creating a tunnel. This can be done on any Android device. The connection is made as follows:

  1. Go to the settings and tap the "Network" section.
  2. Find the item titled "Additional settings" and go to the "VPN" section. Next you will need a PIN code or password, which unlocks the ability to create a network.
  3. The next step is to add a VPN connection. Fill in the "Server" field, enter a name in the "Username" field, and set the connection type. Tap the "Save" button.
  4. After that, a new connection appears in the list, which you can use to change your standard connection.
  5. An icon appears on the screen to indicate that a connection exists. If you tap it, you are shown statistics of received/transmitted data. You can also disable the VPN connection here.


Backing up encrypted files

An important aspect of designing any file encryption mechanism is that applications cannot access decrypted data other than through the encryption mechanisms. This limitation is especially important for backup utilities, which save files to archive media. EFS addresses this problem by providing backup utilities with a mechanism for backing up files and restoring them in encrypted form. Thus, the backup utilities do not need to encrypt or decrypt file data during the backup process.

EFS is used when it is necessary to encrypt the contents of files during storage. Other mechanisms are used to ensure the secure transfer of files and other data over the network. One of them is virtual private networks.

VPN (Virtual Private Network) is a logical network created on top of another network, such as the Internet. Although communications are carried over public networks using insecure protocols, encryption creates channels of information exchange that are closed to outsiders. A VPN allows, for example, several offices of an organization to be united into a single network using uncontrolled channels for communication between them.

In Microsoft Windows the term "VPN" denotes one of the implementations of a virtual network, PPTP, and it is most often used for purposes other than creating private networks. Most often, to create a virtual network, PPP is encapsulated in some other protocol: IP or Ethernet (PPPoE). Recently, VPN technology has been used not only to create private networks as such, but also by some "last mile" providers to provide Internet access.

A VPN consists of two parts: an "internal" (controlled) network, of which there can be several, and an "external" network through which the encapsulated connection passes (usually the Internet). A separate computer can also connect to a virtual network. A remote user connects to a VPN through an access server that is connected to both the internal and the external (public) network. When connecting a remote user (or when establishing a connection to another secure network), the access server requires the identification process to be completed, followed by authentication. After both succeed, the remote user (or remote network) is granted rights to work on the network, that is, authorization takes place.



VPN classification

VPN solutions can be classified according to several main parameters:

1. By the type of environment used

Secure

The most common kind of virtual private network. It makes it possible to create a reliable and secure subnet on top of an unreliable network, usually the Internet. Examples of secure VPNs are IPSec, OpenVPN and PPTP.

Trusted

Used when the transmission medium can be considered reliable and only the problem of creating a virtual subnet within a larger network needs to be solved; security issues become irrelevant. Examples of such VPN solutions are Multi-protocol label switching (MPLS) and L2TP (Layer 2 Tunnelling Protocol). (It would be more correct to say that these protocols shift the task of ensuring security onto others; for example, L2TP is, as a rule, used in conjunction with IPSec.)

2. By way of implementation

In the form of special software and hardware

The VPN network is implemented using a special set of software and hardware. This implementation provides high performance and, as a rule, a high degree of security.

As a software solution

A personal computer with special software is used to provide the VPN functionality.

Integrated solution

The VPN functionality is provided by a complex that also solves the problems of filtering network traffic, acting as a firewall and ensuring quality of service.

3. By purpose

They are used to combine several distributed branches of one organization into a single secure network, exchanging data via open communication channels.

Remote Access VPN

They are used to create a secure channel between a segment of a corporate network (central office or branch) and a single user who, while working from home, connects to corporate resources from a home computer or, while on a business trip, connects to corporate resources using a laptop.

Used for networks to which "external" users connect. The level of trust in them is much lower than in the company's employees, so special "lines" of protection are required, limiting their access to especially valuable, confidential information.

4. By type of protocol

There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. Today, however, there is a general trend towards TCP/IP, and the vast majority of VPN solutions support it.

5. By the level of the network protocol

Classified by the network protocol layer, based on mapping to the layers of the ISO/OSI reference model.

Control questions

1. What happens when you encrypt an EFS file for the first time?

2. How does EFS solve the problem of backing up encrypted files?

3. What encryption algorithms does EFS use?

4. What is VPN used for?

5. How are VPNs classified by purpose?


Lecture 8.

INTEGRITY CONTROL MECHANISMS
ON WINDOWS FAMILY OS

Integrity control mechanisms appeared in the latest version of MS Windows, Vista.

From year to year electronic communication is being improved, and ever higher requirements for speed, security and quality of data processing are imposed on information exchange.

And here we will take a closer look at a vpn connection: what it is, what a vpn tunnel is for, and how to use a vpn connection.

This material is a kind of introductory word to a series of articles where we will tell you how to create a vpn on various operating systems.

vpn connection what is it?

So, a virtual private network (vpn) is a technology that provides a secure (closed to external access) connection of a logical network over a private or public one, given a high-speed Internet connection.

Such a network connection of computers (geographically distant from each other at a considerable distance) uses a point-to-point connection (in other words, “computer-to-computer”).

Technically, this type of connection is called a vpn tunnel (or tunnelling protocol). You can connect to such a tunnel from a computer with any operating system that has an integrated VPN client capable of forwarding virtual ports over the TCP/IP protocol to another network.

What is vpn for?

The main advantage of a vpn is that it gives the communicating parties a connectivity platform that not only scales quickly but also (first and foremost) ensures data confidentiality, data integrity and authentication.

The diagram clearly shows the use of vpn networks.

The rules for connections via a secure channel must be preliminarily written on the server and router.

How vpn works

When connecting via vpn, the message header contains information about the ip-address of the VPN server and the remote route.

Encapsulated data travelling over a public or shared network cannot be intercepted, because all the information is encrypted.

The VPN encryption stage is performed on the sender's side, and the data is decrypted at the receiver using the message header (provided there is a shared encryption key).

After the correct decryption of the message, a VPN connection is established between the two networks, which also allows working in a public network (for example, exchanging data with the 93.88.190.5 client).

As for information security, the Internet is an extremely insecure network, whereas a VPN network using the OpenVPN, L2TP/IPSec, PPTP or PPPoE protocols is quite secure and a safe way of transmitting data.
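The tunnelling described in this section, and the earlier claim that the provider's logs show only an unintelligible set of symbols, as an added example that is not code from the article: an inner packet addressed to the real destination is encrypted with a key shared by client and VPN server and carried inside an outer packet addressed only to the server. All addresses are constructed, and the HMAC-based keystream is an illustrative stand-in for a real VPN cipher suite such as IPsec or TLS.

```python
"""Toy illustration of VPN encapsulation: the inner packet (to the real
destination) is encrypted and authenticated, then carried in an outer packet
addressed only to the VPN server. Added example, not code from the article.
The framing and the HMAC-SHA256 counter-mode keystream are illustrative
constructions, NOT a real VPN cipher suite (real VPNs use IPsec, TLS, ...)."""
import hashlib, hmac, os, struct

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key + nonce (illustrative only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def build_inner_packet(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Simplified 'inner' packet: textual addresses plus application payload."""
    return f"{src_ip}>{dst_ip}|".encode() + payload


def encapsulate(key: bytes, client_ip: str, vpn_server_ip: str, inner: bytes):
    """Client side. Returns (outer_header, tunnel_payload); only the header is readable."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(inner, _keystream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity check
    tunnel_payload = nonce + ciphertext + tag
    outer_header = {"src": client_ip, "dst": vpn_server_ip, "len": len(tunnel_payload)}
    return outer_header, tunnel_payload


def decapsulate(key: bytes, tunnel_payload: bytes) -> bytes:
    """VPN server side: verify the tag with the shared key, then decrypt."""
    nonce = tunnel_payload[:NONCE_LEN]
    ciphertext = tunnel_payload[NONCE_LEN:-TAG_LEN]
    tag = tunnel_payload[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def observer_view(outer_header: dict, tunnel_payload: bytes, marker: bytes) -> dict:
    """What a provider's log can record: endpoints, size, and whether the
    plaintext `marker` (e.g. an HTTP Host header) is visible in the payload."""
    return {**outer_header, "marker_visible": marker in tunnel_payload}


if __name__ == "__main__":
    key = os.urandom(32)  # shared key agreed between client and VPN server
    inner = build_inner_packet("10.8.0.5", "93.88.190.5", b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    hdr, payload = encapsulate(key, "198.51.100.7", "203.0.113.1", inner)
    print(observer_view(hdr, payload, b"Host:"))  # dst is the VPN server, marker_visible False
    print(decapsulate(key, payload) == inner)
```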

What is a vpn channel for?

vpn tunneling is used:

  • inside the corporate network;
  • for combining remote offices, as well as small branches;
  • to service digital telephony with a wide range of telecommunication services;
  • to access external IT resources;
  • for the construction and implementation of video conferencing.

Why do you need vpn?

A vpn connection is required for:

  • anonymous work on the Internet;
  • downloading applications when the ip address is located in another regional zone of the country;
  • safe work in a corporate environment using communications;
  • simplicity and convenience of connection settings;
  • providing a high-speed connection without interruptions;
  • creation of a secure channel without hacker attacks.

How to use vpn?

There are endless examples of how a vpn is used. For instance, on any computer in the corporate network, once a secure vpn connection is established, you can check your mail, publish materials from anywhere in the country, or download files from torrent networks.

Vpn: what is it in a phone?

Access via vpn on your phone (iPhone or any other android device) allows you to remain anonymous when using the Internet in public places, as well as prevent traffic interception and device hacking.

A VPN client installed on any OS allows you to bypass many of the provider's settings and rules (if the provider has set any restrictions).

Which vpn to choose for the phone?

Android mobile phones and smartphones can use applications from Google Playmarket:

  • vpnRoot, droidVPN;
  • Tor Browser for surfing networks, aka Orbot;
  • InBrowser, Orfox (Firefox + Tor);
  • SuperVPN Free VPN Client;
  • OpenVPN Connect;
  • TunnelBear VPN;
  • Hideman VPN.

Most of these programs serve for the convenience of "hot" system configuration, placement of launch shortcuts, anonymous Internet surfing, and the choice of the type of connection encryption.

But the main tasks of using a VPN on your phone are checking corporate mail, holding video conferences with several participants, and holding meetings outside the organization (for example, when an employee is on a business trip).

What is vpn in iPhone?

Let's consider which VPN to choose and how to connect it to an iPhone in more detail.

Depending on the type of network supported, when you first start the VPN configuration on the iPhone you can select the following protocols: L2TP, PPTP and Cisco IPSec (in addition, you can "make" a vpn connection using third-party applications).

All of these protocols support encryption keys, password authentication and certification.

Additional features when setting up a VPN profile on an iPhone include: RSA security, encryption level, and authorization rules for connecting to the server.

For the iPhone, you should choose from the App Store:

  • the free TunnelBear app, with which you can connect to VPN servers in any country;
  • OpenVPN Connect, one of the best VPN clients available; to run the application you must first import the RSA keys into your phone via iTunes;
  • Cloak, a shareware application: for some time the product can be used for free, but after the demo period expires you will have to buy it.

VPN Creation: Selecting and Configuring Equipment

For corporate communications in large organizations or associations of offices remote from each other, hardware equipment is used that can support uninterrupted, secure network operation.

To implement vpn technologies, the following can act as a network gateway: Unix servers, Windows servers, a network router and a network gateway on which the VPN is installed.

A server or device used to create an enterprise vpn network or a vpn channel between remote offices must perform complex technical tasks and provide a full range of services to users both on workstations and on mobile devices.

Any router or vpn router should provide reliable network operation without freezing. And the built-in vpn function allows you to change the network configuration for work at home, in an organization or a remote office.

Configuring vpn on a router

In general, the VPN configuration on a router is carried out through the router's web interface. On "classic" devices, to organize a vpn you go to the "settings" or "network settings" section, select the VPN section, specify the protocol type, enter your subnet address and mask, and specify the range of ip-addresses for users.

In addition, to secure the connection you will need to specify the encryption algorithms and authentication methods, generate the negotiation keys, and specify the DNS and WINS servers. In the "Gateway" parameters, specify the gateway ip-address (your ip) and fill in the data for all network adapters.

If there are several routers in the network, it is necessary to fill in the vpn routing table for all devices in the VPN tunnel.
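A check for the address plan the configuration steps above call for (subnet, mask, range of user addresses) and the per-router routing table, as an added example that is not from the article. The site subnets, public addresses and client pool are constructed, and one deliberate overlap shows the misconfiguration the check catches before routes are built.

```python
"""Check a site-to-site VPN address plan and derive the routing table each
gateway needs. Added example, not the article's code; the site data and the
client address pool below are constructed for illustration."""
import ipaddress
from itertools import combinations

# Constructed plan: LAN subnet behind each VPN router and the router's public address.
SITES = {
    "office":    {"lan": "192.168.10.0/24", "public": "203.0.113.10"},
    "warehouse": {"lan": "192.168.20.0/24", "public": "198.51.100.20"},
    "branch":    {"lan": "192.168.20.0/25", "public": "192.0.2.30"},  # overlaps warehouse
}
CLIENT_POOL = "10.8.0.0/24"  # addresses handed out to remote-access users


def address_plan(sites: dict, client_pool: str) -> list:
    """All (name, network) pairs that must be distinct for routing to be unambiguous."""
    plan = [(name, ipaddress.ip_network(s["lan"])) for name, s in sites.items()]
    plan.append(("client_pool", ipaddress.ip_network(client_pool)))
    return plan


def find_overlaps(sites: dict, client_pool: str) -> list:
    """Pairs of networks that overlap. Any hit means traffic for one site can be
    sent into another site's tunnel, so the plan must be fixed first."""
    plan = address_plan(sites, client_pool)
    return sorted((a, b) for (a, na), (b, nb) in combinations(plan, 2) if na.overlaps(nb))


def routes_for(gateway: str, sites: dict, client_pool: str) -> list:
    """Routing entries `gateway` must carry: every other site's LAN via the tunnel
    to that site's public address, plus the client pool on the local VPN interface."""
    routes = []
    for name, s in sites.items():
        if name != gateway:
            routes.append((s["lan"], f"tunnel:{s['public']}"))
    routes.append((client_pool, "vpn-local"))
    return routes


def full_routing_table(sites: dict, client_pool: str) -> dict:
    """Per-gateway tables for the whole mesh; refuses to build on an overlapping plan."""
    overlaps = find_overlaps(sites, client_pool)
    if overlaps:
        raise ValueError(f"overlapping networks, fix the plan first: {overlaps}")
    return {name: routes_for(name, sites, client_pool) for name in sites}


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES, CLIENT_POOL))
    fixed = {**SITES, "branch": {"lan": "192.168.30.0/24", "public": "192.0.2.30"}}
    for gw, routes in full_routing_table(fixed, CLIENT_POOL).items():
        print(gw, routes)
```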

Here is a list of the hardware used to build VPN networks:

  • D-Link routers DIR-320, DIR-620, DSR-1000 with new firmware, or the D-Link DI808HV router;
  • Cisco PIX 501 and Cisco 871-SEC-K9 routers;
  • Linksys RV082 router with support for 50 VPN tunnels;
  • Netgear DG834G router and FVS318G, FVS318N, FVS336G, SRX5308 routers;
  • Mikrotik router with OpenVPN function, for example the RouterBoard RB/2011L-IN;
  • RVPN S-Terra or VPN Gate vpn equipment;
  • ASUS routers RT-N66U, RT-N16 and RT-N10;
  • ZyXEL routers ZyWALL 5, ZyWALL P1, ZyWALL USG.
