PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP


VPN - the FUTURE OF INTERNET REMOTE CONNECTIVITY

More and more, corporate road warriors are outfitted with special client software that runs on their PC and talks to a special server that their company has sitting on the Internet. This server sits on the Internet [it has a public IP address] at the entrance to their corporate network, and contains firewall and encryption software. The corporate warrior makes a normal Internet connection, either via dialup to a local ISP, or using the Ethernet connection provided by the hotel, or even using the Ethernet connection provided by the company he is visiting [even sitting inside on their corporate LAN]. He then starts his special client software and connects, over the Internet, to that special server his company has. Once connected to the company server, the client and server transition to a completely secure encrypted mode, using this publicly available Internet connection. He is able to "tunnel" through the Internet to his own corporate network. It looks just like he is sitting at an office in his company building [except it may be a little slower because he IS going through a large section of the public Internet to get to that server!]. Anybody intercepting his traffic in transit will not be able to decode any of it because it is encrypted.

There are several protocols that have been developed to provide this capability.  Microsoft provides "PPTP," Cisco provided "L2F," and the IEEE has standardized "IPSEC."  Later, the IEEE combined PPTP and L2F proprietary aspects into the standards based "L2TP." 

You will find the PPTP protocol in widespread use, indeed it comes free on every Microsoft machine, along with the L2TP protocol.  IPSEC software is also widely used and supported by many vendors. 

The reason for these protocols of course is to provide encrypted, secure communications over the public Internet. In years prior to the widespread availability of the Internet, companies would lease "private line" facilities from the local and interexchange carriers. Since the line was a "private, dedicated" line, used only by that company, there was no worry (well, within reasonable means) that the communications could be intercepted. This private line was typically a DS1, a fractional DS1, or a DS0 line, and it could extend across the state, or across the country if need be. The private line was dedicated to the use of that company and was not shared. The Internet of course is a shared facility, so there is no guarantee of the route that packets will take across it. Packets traversing the Internet therefore run the risk of being intercepted. If you can secure the communication over the Internet's public shared facilities using encryption techniques, then you do not run the risk of anybody decrypting your information, even if it were intercepted.

I will describe how PPTP and IPSEC operate, from a client perspective, using Ethereal captured traces.

PPTP

The client first makes a TCP connection to the PPTP server on port 1723.

IPSEC

The client and the server first do a "magical" Diffie-Hellman exchange in order to agree on a common encryption key. Amazing that this can be done over the unencrypted facility. It is done using public and private encryption keys. This process is done over UDP port 500. Once the key is exchanged and lots of other stuff is set, the connection is switched into encrypt mode, where the communication switches to the encrypted tunnel - this uses the ESP protocol - ethertype 50. If you are sniffing this connection, you will see first the exchange on UDP 500, and then the switch to protocol 50.
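The "magical" part of that exchange, as an added example that is not from this page: a Diffie-Hellman agreement in Python over the 1024-bit MODP group that IKEv1 phase 1 commonly negotiates (RFC 2409 "Oakley group 2", generator 2). The group constant is transcribed here by the editor rather than taken from the page, and the function names (private_value, public_value, shared_secret, run_exchange) are the editor's own. The wire dict collects everything a sniffer on UDP 500 would capture of the key exchange.

```python
import secrets

# 1024-bit MODP prime from RFC 2409 ("Oakley group 2") with generator 2.
# Transcribed for this example; not a value from the page.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so G generates the subgroup of prime order Q


def private_value():
    """Fresh secret exponent in [1, Q-1]. This number never leaves the host."""
    return secrets.randbelow(Q - 1) + 1


def public_value(x):
    """The value that IS sent in the clear: g^x mod p."""
    return pow(G, x, P)


def shared_secret(peer_public, x):
    """Combine the peer's public value with our secret exponent.

    Degenerate peer values (0, 1, P-1) are rejected: accepting them would let a
    man-in-the-middle force the shared value to a handful of known numbers.
    """
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_public, x, P)


def run_exchange():
    """Simulate the client and the VPN gateway; return (client_key, gateway_key, wire)."""
    a, b = private_value(), private_value()     # each side's secret
    A, B = public_value(a), public_value(b)     # what crosses the Internet over UDP 500
    wire = {"p": P, "g": G, "A": A, "B": B}     # the sniffer's complete view of the exchange
    return shared_secret(B, a), shared_secret(A, b), wire


if __name__ == "__main__":
    client_key, gateway_key, wire = run_exchange()
    print("both sides agree:", client_key == gateway_key)
    print("sniffer saw A =", hex(wire["A"])[:20] + "...")
```

Both peers end up with the same 1024-bit number even though only p, g, A and B crossed the wire; turning those four values back into the secret is the discrete logarithm problem, which is why the exchange can run over the unencrypted facility. Real IKE does not use this number directly as the traffic key: it feeds it, together with the nonces, through a PRF to derive the session keys, a step omitted here.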

A Microsoft resource page explaining some of this stuff, Microsoft style...

Here is a document explaining many problems encountered with VPN clients running behind Firewalls and NAT routers.
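The on-the-wire sequence described in the IPSEC section above (IKE on UDP 500, then ESP as protocol 50) and the PPTP control connection on TCP 1723 from the PPTP section, as an added example that is not part of the original page: a small Python classifier that labels raw IPv4 packets the way a passive observer of an Ethereal trace would, run over a constructed sample capture using TEST-NET addresses. The builder and classifier function names are the editor's own. It goes one step past the page by also recognising GRE (IP protocol 47), which is how PPTP carries its tunneled PPP frames, and by decoding the ISAKMP exchange type and encryption flag from the IKE header; neither detail is stated on the page.

```python
import struct
import ipaddress

# IP protocol numbers and ports. GRE is not mentioned on the page; it is the
# standard PPTP data channel.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723
IKE_PORT = 500

# ISAKMP exchange types seen while an IKEv1 tunnel comes up (RFC 2408/2409).
ISAKMP_EXCHANGE = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet for the constructed sample: no options, header checksum left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_isakmp(exchange_type, encrypted):
    """UDP/500 datagram with a 28-byte ISAKMP header; cookies and body are constructed filler."""
    flags = 0x01 if encrypted else 0x00              # bit 0 of flags = payloads are encrypted
    body = b"\x00" * 36                             # stands in for the SA/KE/nonce payloads
    isakmp = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         1, 0x10, exchange_type, flags, 0, 28 + len(body)) + body
    return struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(isakmp), 0) + isakmp


def build_esp(spi, seq, ciphertext):
    """ESP: 4-byte SPI, 4-byte sequence number, then opaque encrypted data."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_tcp(sport, dport):
    """Bare 20-byte TCP SYN header; only the ports matter to the classifier."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def classify(packet):
    """Return (label, detail) for one raw IPv4 packet, as a passive sniffer would see it."""
    if packet[0] >> 4 != 4:
        return "not-ipv4", ""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if proto == PROTO_ESP:
        # Only the SPI and sequence number are readable; everything after is ciphertext.
        spi, seq = struct.unpack("!II", payload[:8])
        return "esp", f"{src}->{dst} spi=0x{spi:08x} seq={seq} opaque={len(payload) - 8}B"
    if proto == PROTO_GRE:
        return "gre", f"{src}->{dst} (PPTP tunneled PPP)"
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        if proto == PROTO_UDP and IKE_PORT in (sport, dport):
            exch, flags = payload[8 + 18], payload[8 + 19]   # skip 8-byte UDP header
            mode = ISAKMP_EXCHANGE.get(exch, f"exchange-{exch}")
            enc = "encrypted" if flags & 0x01 else "cleartext"
            return "ike", f"{src}:{sport}->{dst}:{dport} {mode} {enc}"
        if proto == PROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control", f"{src}:{sport}->{dst}:{dport}"
        return "other", f"{src}:{sport}->{dst}:{dport} proto={proto}"
    return "other", f"{src}->{dst} proto={proto}"


def phases(packets):
    """Ordered list of distinct labels, e.g. ['ike', 'esp'] for an IPsec tunnel coming up."""
    seen = []
    for pkt in packets:
        label = classify(pkt)[0]
        if label not in seen:
            seen.append(label)
    return seen


def sample_capture():
    """Constructed trace: IKE phase 1 and 2, ESP in both directions, then a PPTP control SYN and GRE."""
    client, gw = "192.0.2.10", "198.51.100.1"
    return [
        build_ipv4(PROTO_UDP, client, gw, build_isakmp(2, encrypted=False)),
        build_ipv4(PROTO_UDP, gw, client, build_isakmp(32, encrypted=True)),
        build_ipv4(PROTO_ESP, client, gw, build_esp(0xC0FFEE01, 1, b"\x00" * 64)),
        build_ipv4(PROTO_ESP, gw, client, build_esp(0xDEADBEEF, 1, b"\x00" * 64)),
        build_ipv4(PROTO_TCP, client, gw, build_tcp(49152, PPTP_CONTROL_PORT)),
        build_ipv4(PROTO_GRE, client, gw, b"\x30\x01\x88\x0b"),   # constructed GRE header, PPP type
    ]


if __name__ == "__main__":
    for pkt in sample_capture():
        print(*classify(pkt))
    print("phases:", phases(sample_capture()))
```

The same labelling applied to a real capture shows the pattern the text describes: cleartext IKE on UDP 500 first, then nothing but SPIs and sequence numbers once ESP takes over. Remember that the ports and protocol numbers are also what a firewall or NAT router in the path has to let through, which is where the client problems referenced below usually come from.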


Copyright John D Loop Saturday January 22, 2005