What is a VPN?
A VPN (Virtual Private Network) is a tunneled connection via a foreign network to enable access to data and resources in another network. It was originally developed to provide branch offices and employees with remote access to corporate applications and network resources inexpensively and easily.
Today, other use cases have emerged, such as circumventing censorship measures and geo-blocking, or connecting to a proxy server to better protect your location and personal data. Encryption, although it is often used for a VPN connection, is not an integral part. Today, IT security means much more than just installing a virus scanner or configuring a firewall.
Classifications of VPN (Virtual Private Network)
The most common distinction between VPN connections is based on the topology (structure of the connections in a computer network):
This form of a VPN is often used by companies and private individuals and is often implemented in that the users have installed VPN client software on their devices that connects them to their company or their VPN provider.
This VPN represents a direct connection between several work computers. It is important that the end devices involved (mostly computers) have a VPN protocol installed (see the subsection “A selection of protocols”), as they communicate directly with each other and not via a VPN server that manages communication.
Site-to-site VPNs are considered the classic in the corporate environment. Here, two or more Local Area Networks (LANs) are connected to one another at different locations. Branches with the main company headquarters, hospitals that connect to exchange data or research groups that join forces.
Site-to-site VPNs are further subdivided into intranet VPNs and extranet VPNs.
Intranet VPNs are networks in which all connected groups are fully trusted. The focus here is more on speed of data exchange than security.
Extranet VPNs focus on security because their main purpose is to connect your own internal network with the networks of business partners and suppliers. Each participant should only have access to certain resources.
VPNs can also be classified as follows:
- the protocol used to tunnel the data traffic
- the tunnel endpoint in a network
- the security provided
- the OSI layer that you use for the target network
- the number of simultaneous connections
Virtual Private Network protocols
PPTP (Point-to-Point-Tunneling Protocol) is an extension of the Point-to-Point Protocol and was proposed by the IETF in 1996 as the standard protocol for Internet tunneling. Due to its age, it is compatible with almost all operating systems and requires little computing power, but is limited to IP, IPX and NetBEUI. The encryption methods of PPTP are to be classified as too weak according to today’s standards and should be considered as a last resort.
L2F (Layer 2 Forwarding) is a protocol from Cisco. It supports different protocols and several independent parallel tunnels. However, user identification is even weaker than with PPTP and additional data encryption is not provided.
L2TP (Layer 2 Tunneling Protocol) is a further development of the aforementioned protocols. L2TP does not offer any authentication, integrity or encryption mechanisms. L2TP normally works with preshared keys and user accounts and therefore comes in a bundle with other protocols, such as IPSec for protecting the tunneled data.
IPSec (Internet Protocol Security) is a collection of protocols, standards and recommendations. IPSec works on IPv4 and IPv6. IPSec has two different operating modes: the transport mode and the tunnel mode. In transport mode, only the data part is encrypted. This mode requires that all network nodes involved must master IPSec, and it enables attackers to at least analyze the data traffic in a network.
In tunnel mode, the complete IP packet is encrypted and given a new IP header. The advantage is that only one gateway has to be configured in the participating networks, which accepts and converts these packets.
However, IPSec is not easy to configure for the average PC user and can pose a security risk if configured incorrectly.