Maintaining and Extending VPN

Once established, a Virtual Private Network (VPN) is feasible for many businesses. The cost of using a VPN is considerably lower than using long-distance service or expensive T1 or T3 lines. As soon as a VPN is built and implemented, several issues surface that must be dealt with: managing the service and security concerns. Using a VPN can be a major issue unless you are familiar with the process of managing and controlling the technology. You need to understand what is involved and how to work with it. By learning these processes, you will gain the tools necessary to apply the technology to your current requirements.

In this ReferencePoint, you will learn to manage the performance, IP address, and security of a VPN. You will then learn to extend a VPN to create an extranet. All issues that surround these topics will be covered.

 

Security - The Major Issue

Connecting and transmitting information over a phone, LAN, T1, or any other type of connection is useless if there is no security in place to protect the data.

There are situations when important information has to be transmitted over the computer to an intended recipient. If the data gets into the wrong hands, it could cost millions of dollars in damage.

With the ever-present danger of hackers breaking into networks and servers, it is important that information be safeguarded. Businesses have to be aware of all security threats to the network.

Once the business is aware of these threats, appropriate procedures are instituted to prevent any possible future attacks on the system. The most important consideration when dealing with security and VPN is to verify and safeguard the data. This can be done by two methods: authentication and encryption.

 

Network Threats

In order to have security in any type of networked environment, you need a way to transmit data so that it can be verified and arrives unaltered. In addition, the user should be able to log on to the network through a verification or authorization process. He should be able to transmit his information, knowing the original transmission will not be intercepted for any reason. See figure 1 for a representation of this.

This figure shows a security system in place. In this type of environment all data is safe from hacking of any type.

Unfortunately, having a safe and secure transmission is not always possible. There are too many security loopholes in place.

Hackers use many ways and devices to infiltrate and breach security on a network once they know how to do it. It is best to identify these ways in order to provide reliable solutions that work.

One method hackers use is called spoofing. All networks use a numeric address for each device that is attached to the network. When a transmission occurs between computers, the address information is included in the data being sent. When the hacker uses spoofing, he pretends to be the originating computer. Using some type of logon sequence, he breaks into the connection, and intercepts the transmission. Once logged in, he records the address of the originating computer and bombards the original computer with information so it cannot respond. He takes over sending and receiving data with the receiving computer. See figure 2 for an example of this.

This figure shows a hacker spoofing a connection by attaching itself to two computers thereby obtaining information illegally.

One solution to this problem would be to configure routers so no information could be received from another part of the network. Unfortunately, this type of system will not work.

Of course, hackers may use another method called hijacking. Unlike spoofing, when a hacker hijacks a transmission, he takes over control of a connection between computers. He does this by controlling another computer or router and monitoring it for activity. After an appointed time, he steals the transmission and all resulting data along with it. Figure 3 shows a hacker using this method.

This figure shows a hacker hijacking a transmission between the originating and receiving computer.

The best way to ward off this type of attack is to use widespread encryption on the network, not just locally.

Another method a hacker uses is sniffing. In sniffing, a hacker uses a tool called a sniffer (a software program used by network administrators to maintain the network) to record all information transmitted during login. Look at figure 4 to see how a hacker can access systems he normally would not have access to.

This figure shows a hacker using a sniffing tool to tap into a connection stealing important, vital, and other types of information.

 

Hackers can also use a method where they intercept what is known as a key. In a secure system, when transmitting passwords or important data, the information is usually scrambled to make it unreadable. This is called encryption. During transmission, when this data is transferred, a special code known as a key is added to the data. This helps to keep the data unreadable until it reaches its destination.

What hackers do is tap into a connection and intercept the key and data. Once they have secured the key, and they know what is being transmitted, they submit a key of their own. This way they take over the connection. Vital information can be stolen in this manner. See figure 5 to see how this is done.

This figure shows a hacker tapping into a connection and obtaining the encryption key that is being passed back and forth over the network.

When referring to encryption, there are applications that support the encryption policies. These include Secure MIME (S/MIME) and Pretty Good Privacy (PGP) for email, and Secure Sockets Layer (SSL/TLS) and Secure HTTP (SHTTP) for Web applications.

Verifying Login

If your network cannot verify users who log in, you will not be able to control them. Someone with unauthorized access can easily log in and do untold damage.

In order to provide optimal protection, you need a way to verify the user other than just by a password. The most important ingredient here is maintaining high security.

One way to work around password problems is to configure your network to accept your password one time per session. See figure 6 for an example of this.

This figure shows a one-time password in place. The hacker is trying to break in using the same password he stole, but the system rejects it, as it was configured to do.

One of the best systems out there that accomplishes this task of one-time password protection is S/Key (developed by Bellcore). This system automatically generates a list of acceptable passwords for the user.

A user generates a phrase only known to him/her. The S/Key system uses this phrase to generate a list of one-time passwords. Since the user's phrase is not transmitted across the network, it is protected.

When this user attempts to log in to the network, the network server runs the S/Key program. This program sends out a signal which consists of a number and a string of characters called a seed.

When the user responds to the request, he/she enters the number and seed plus his/her own phrase. The S/Key program takes the number, seed and phrase, combines them and produces a password. This password is compared to the login password used at that time. If they match, the user is allowed access.
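The one-time password exchange described above, as an added Python example that is not part of the original text or of the S/Key distribution: the server stores only the last accepted password, and a stolen password fails when replayed. SHA-256 truncated to 64 bits stands in for the MD4-based hash of S/Key (RFC 1760), passwords are handled as raw bytes rather than the six-word encoding, and the user name, phrase and seed are constructed values.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One hash step. Stand-in (assumption): SHA-256 truncated to 64 bits.
    S/Key as specified in RFC 1760 uses MD4 folded to 64 bits."""
    return hashlib.sha256(data).digest()[:8]


def otp(phrase: str, seed: str, count: int) -> bytes:
    """Client side: combine seed and secret phrase, then hash `count` more times.
    The phrase itself never leaves the user's machine."""
    value = h((seed + phrase).encode())
    for _ in range(count):
        value = h(value)
    return value


class SKeyServer:
    """Server side: keeps the last accepted one-time password, never the phrase."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, seed, count, initial_otp):
        # Done once over a trusted channel: the server stores otp(phrase, seed, count).
        self.users[user] = {"seed": seed, "count": count, "last": initial_otp}

    def challenge(self, user):
        """Return the (number, seed) pair sent to the user at login."""
        rec = self.users[user]
        if rec["count"] == 0:
            raise RuntimeError("password list used up; user must enroll again")
        return rec["count"] - 1, rec["seed"]

    def login(self, user, response: bytes) -> bool:
        rec = self.users[user]
        if rec["count"] == 0:
            return False
        # Hashing the response once must reproduce the stored password.
        if not hmac.compare_digest(h(response), rec["last"]):
            return False
        # Accept, then move one step down the chain so this password is dead.
        rec["last"] = response
        rec["count"] -= 1
        return True


def demo():
    phrase, seed = "constructed secret phrase", "ke1234"   # constructed values
    server = SKeyServer()
    server.enroll("alice", seed, 100, otp(phrase, seed, 100))

    number, sent_seed = server.challenge("alice")
    response = otp(phrase, sent_seed, number)
    first = server.login("alice", response)      # legitimate login
    replay = server.login("alice", response)     # sniffed password reused

    number2, _ = server.challenge("alice")
    second = server.login("alice", otp(phrase, seed, number2))

    number3, _ = server.challenge("alice")
    wrong = server.login("alice", otp("guessed phrase", seed, number3))
    return {"number": number, "first": first, "replay": replay,
            "number2": number2, "second": second, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

Because each accepted password is the hash of the next one the user will send, someone who records a login sees only a value that the server will no longer accept.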

Another type of service that needs mentioning here is the Remote Authentication Dial-In User Service (RADIUS) protocol. This service uses a client and server to verify login of remote users.

The RADIUS service uses a network access server (NAS) to control user access. In some situations, the NAS provides two functions - 1) a server for providing network access, and 2) a client for RADIUS. This is depicted in figure 7.

This figure shows remote user dial-in in action. 1) User dials into RAS server, 2) RAS server sends information to server used to verify login, 3) server verifies login and sends permission back to RAS to allow user access.

There are many types of systems in place that handle passwords in different ways to provide security. The focus of these systems is to verify user input and allow log in for authorized users to have system access.

 

Encryption

Encryption is used to prevent information from being read by unauthorized people. In order for it to work, both sender and receiver have to know what was used to transform the information into its coded form. This transformation is usually done using an algorithm and a key. The algorithm is based on a mathematical function while a key is formed by a string of digits. This takes text messages and converts them into unreadable form. See figure 8 to see how this is done.

 

This figure shows how encryption works.

The reason this is used so extensively in networking is the difficulty in creating an algorithm. Once you do establish one, you can use the same algorithm for whatever transmission you use. The only thing you would have to do is include a key. However, if a hacker stole the key you used, you would simply replace it with another key.

You would never have to worry about running out of keys, because an algorithm can support an endless number of them. For example, if you were to use a key 10 bits long, you would have up to 1024 combinations. The unfortunate side effect of such a short key would be how little time it would take for a hacker, using a computer, to find out what all the keys would be. On the other hand, if you were to use a longer bit key, say 75 or 100, it would take a computer almost a century to guess the right key.

 

Management Issues

Managing a VPN requires the ability to control three distinct areas: security, IP addressing, and network performance. Security involves verifying and allowing certain users access rights and managing encryption keys. Since VPNs connect two or more networks together virtually, there has to be some way to handle IP addressing; otherwise conflicts can occur.

Managing your network performance is a different matter. You have more than one network to be concerned with along with your ISP. If you do not match your network performance with your ISP, communication problems will exist.

Also, be concerned with every access point in your network. Do not overlook the modems that may be attached to certain employees' computers. If these modems are not secured properly, hackers will have a way to get into your network and do untold damage.

Another area of concern is viruses. Do not devote your time only to resolving security issues that keep hackers from infiltrating your system. Be concerned about the invasion of viruses as well. All you need is a virus to attack the network, and the network can be damaged beyond repair.

 

Managing Security

When setting up your VPN, you need to know how many keys are required and how long a key length to use. A key with more bits is better. If you have high security or confidential documents that can only be accessed by certain people, then it is better to have a key length that would take many years to break.

 

Key Amounts

As for how many keys to use, your gateway alone requires a number of keys to allow communication, including two keys to identify itself with another gateway, verification, and encryption.

Security gateways don't handle keys the same way other devices do. In order to have a secure connection between gateways, the gateways have to verify each other. They have to agree on the right type of key being sent.

 

Gateway - Identify Yourself

When a security gateway is first installed, it is set to generate two keys. A digital certificate is then signed with the private key and sent to a certificate authority (CA) to register it. Once approved, that certificate is now available to verify the transmission before any data is sent. This is depicted in figure 8.

This figure shows the steps involved before transmitting a signal would be allowed. 1) The security gateway would generate the keys. 2) The gateway would register a certificate along with a private key to a certificate authority (CA), either in-house or third-party. 3) Deliver public key to whoever requested it.

When handling keys during an actual session, the best way is to exchange keys manually. If, for any reason, during a transmission, the session key is compromised by a hacker, log off immediately.

 

Logon Rights

Having control over a VPN is important in a network environment. If you do not want certain personnel to have access to some part of the LAN, you restrict them. However, you do not just restrict them at work; you also want to restrict them while they are at home.

This will mean configuring your VPN to work with the configuration of your firewalls and routers.

The firewalls can handle traffic by filtering or unfiltering information. Filtering means the firewall controls what traffic comes through to the network. While unfiltering, the firewall acts as a router and transfers the traffic to the network without checking it first. Figure 9 shows traffic being filtered.

This figure shows traffic being filtered by a firewall.

Now take a look at figure 10.

This figure shows traffic being unfiltered. In this situation a firewall will act as a router and will just transfer the traffic to the LAN.

 

Managing IP Addressing

Due to the explosive growth of the Internet and networks, IP addresses are becoming difficult to deal with. There are just not enough to go around. With the introduction of 128-bit addressing, more addresses are now available, but this has not yet reached global proportions. In the meantime, managers are being faced with a dilemma in handling VPNs.

 

IP Addressing

Allocating IP addresses on thousands of workstations and servers is a nearly impossible task. This used to be done manually using various methods. As the network grew larger, the task of doing this grew harder. Then, certain automated tools came along that made the process easier.

Network addresses, if not tracked properly, can cause problems. Addresses can get lost if equipment is moved. Without knowing what address was assigned to what device, more than one address can be assigned to the same device, causing conflicts.

 

Dynamic and Static Addressing

Previously, an IP address was allocated by hand. Every time a device moved, a new address had to be assigned to it. Since the address was static, the only way to change the address was to go into the configuration file and manually change it.

To help overcome the problem with static addressing, a new method of dynamically assigning addresses was introduced, called Dynamic Host Configuration Protocol (DHCP). Since people can remember names better, the standard naming service, Domain Name Service (DNS), was adopted.

When a DHCP computer boots, a DHCP request is sent out, asking for any DHCP server to provide it with an IP address and configuration parameters. Once the computer receives the IP address, it only has so much time to use it, unless of course it sends a request to renew the IP address.

The Domain Name Service (DNS) provides names for IP addresses and other network resources.

When a domain name request is received - a request to convert a network name to its corresponding IP address - it is handled by different DNS servers. Requests are sent to the lowest level first. This example is highlighted in figure 11.

This figure shows the level of domains.

If the writing department wanted information from the computer department, the only way that could be done was by going through the root server, tcs.com.

 

Although DHCP and DNS can simplify IP addressing through dynamic assignment, problems can still result. Firewalls and Internet security products track IP addresses. An IP address is assigned to every device on the network, whether it is a computer or router. If these products cannot trace the transmission back to a specific user, anyone, even an unauthorized user, may gain access to the network.

DHCP does help by assigning IP addresses dynamically. But certain devices like file, mail, and other important servers should be kept static. This will help the DNS server to recognize these devices.

 

Protecting DNS from External Forces

When you are protecting your network from external access, you have to take extra steps to secure and protect your DNS, while still allowing users access to outside resources. In some situations, this may involve installing two DNS servers.

This could also pose a problem if you have a connection to the Internet and some employees need access to resources. To do this properly, your internal DNS server would have to communicate with an external DNS server, preferably one hosted by your ISP.

You do not want people on the outside to access your resources, so you will need to block access to your internal DNS server. You can do this by installing a firewall. Since your ISP's DNS server is outside of your firewall and your DNS server is inside, they cannot communicate.

You could also install another DNS server on the outside of the firewall. Then, take the hosts that were on your inside DNS server and separate them into two groups.

The first group will be in charge of email, the Web site, FTP server, and anything else that the outside world will need access to. The second group will only have access to the internal network.

Whenever the internal DNS server needs to pass information to the outside world, it would connect with the external DNS server and forward any necessary information.

Remember that there is a firewall installed on the external side of the network. In order for any hosting information to get through to the external DNS server, a DNS proxy server is installed and set up on the firewall. This way all requests are forwarded to the external DNS server. See figure 12.

This figure demonstrates steps taken during the relaying of information from the LAN to the Internet.

IP addresses can be assigned to work with the Internet, but private ones are more commonly assigned to networks. Examples of such IP addresses are:

Class A 10.0.0.0 - 10.255.255.255

Class B 172.16.0.0 - 172.31.255.255

Class C 192.168.0.0 - 192.168.255.255

These addresses can work with the Internet, but to do so they would have to be converted using network address translation (NAT).

NAT converts IP addresses into registered addresses that will be recognized over the Internet.

If you had an IP address of 10.6.4.2 and you wanted to transmit information to the Internet using this IP address, you would send the request to the NAT. The NAT would convert the number and then send the transmission through to the Internet. This can be seen by viewing figure 13.

This figure shows how NAT can convert an internal private IP address and make it accessible for the Internet.

Remember that NAT has to translate every part of the IP address. If the data is encrypted, NAT cannot convert it.
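The translation described above, as an added Python example that is not part of the original text: a small NAT table that rewrites the 10.6.4.2 example, maps replies back, and shows why a packet whose addresses are covered by an integrity tag (as with the IPsec Authentication Header) no longer verifies after translation. It goes beyond the text by also translating ports; the public address 203.0.113.1, the peer 198.51.100.20, the port numbers and the HMAC key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# The three private ranges listed above.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    tag: bytes = b""   # optional integrity tag over addresses + payload


def _mac(pkt: Packet, key: bytes) -> bytes:
    msg = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(pkt: Packet, key: bytes) -> Packet:
    """Sender attaches a tag that covers the source and destination addresses."""
    return replace(pkt, tag=_mac(pkt, key))


def verify(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(pkt.tag, _mac(pkt, key))


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        if not is_private(pkt.src):
            raise ValueError("source is not a private address")
        inside = (pkt.src, pkt.sport)
        if inside not in self.out:
            self.out[inside] = self.next_port
            self.back[self.next_port] = inside
            self.next_port += 1
        # Only the header is rewritten; the NAT cannot recompute the sender's tag.
        return replace(pkt, src=self.public_ip, sport=self.out[inside])

    def inbound(self, pkt: Packet):
        inside = self.back.get(pkt.dport)
        if pkt.dst != self.public_ip or inside is None:
            return None   # no mapping: unsolicited traffic is dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo():
    nat = Nat("203.0.113.1")
    key = b"constructed shared key"
    request = seal(Packet("10.6.4.2", 5000, "198.51.100.20", 80, b"GET /"), key)
    translated = nat.outbound(request)
    reply = Packet("198.51.100.20", 80, "203.0.113.1", translated.sport, b"200 OK")
    delivered = nat.inbound(reply)
    probe = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", 40001, b"probe"))
    return {
        "translated": (translated.src, translated.sport),
        "delivered": (delivered.dst, delivered.dport),
        "unsolicited": probe,
        "tag_ok_before": verify(request, key),
        "tag_ok_after": verify(translated, key),
    }


if __name__ == "__main__":
    print(demo())
```

When the VPN gateway sits behind the NAT device, this is the reason the tunnel either terminates on the NAT device itself or uses an encapsulation that the translation does not disturb.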

 

Linking to the Internet

If you want to provide more accessibility to the Internet from your network, set up a different ISP account on each computer you want to use.

A simpler method would be to connect the links to the same router and use the Border Gateway Protocol (BGP) on the router. However, this is not reliable because if the router should fail, the connection to the ISP would fail, as shown in figure 14.

This figure shows the Border Gateway Protocol in action.

 

It would be better to have two separate connections to the ISP, each connection using its own router and firewall, as in figure 15.

 

This figure shows a system of connecting two ISPs by means of their own separate router and firewall, and using routers with BGP support.

 

Managing Performance

Traffic on networks is increasing. The requirements for a network are also increasing. With networks interconnecting other networks, this places more demands on performance than ever before.

If a VPN is not working according to guidelines set by the network, the network will feel the effects. Slower speeds could result, reducing the overall effectiveness of the network. Then bottlenecks can occur.

Consideration for network performance is a vital issue that cannot be overlooked.

 

The Network

Bandwidth is one factor to consider in network performance. Another factor is the time between when data is requested and when that data is received.

This time factor is dependent on the type of equipment used, the type of connection made, the size of the data, and the time a router or device takes to respond to the request.

If a packet of information is delayed from arriving one minute but arrives on time the next, the transmission becomes irregular. This can pose a major problem since the data can arrive distorted and therefore be refused.

It is even more difficult when you consider that IP treats each packet of information independently. A later packet could just as well arrive before the earlier packet, causing much confusion and communication errors.

Another point to consider is the way the network views packets of information. The network does not know what particular packet goes with what other packet.

 

Managing Applications

Previously, businesses could plan what would go on the network, including the type of applications to run, etc. With ever-changing technology and access to many resources, applications and users have changed.

Now, instead of running simple applications including an RDBMS, spreadsheet, word processing, and maybe a presentation program, more sophisticated applications are being used.

These applications include streaming multimedia, videoconferencing, NetMeeting, and so on.

The best way to manage an application is to determine network traffic. The type of traffic flowing at any point in the network where the application is used will determine how to use it.

Traffic flow across networks can be monitored. You would set up a device that allows transmission of data but also records information as it passes. In a normal business environment, traffic can be categorized in three different areas: real-time, interactive, and transfer. Real-time would be any type of live communication including voice and video (e.g., videoconferencing). Interactive would be where the user participates in some kind of transaction processing or enters information on a screen; a passing of data would occur on a consistent level. Transfer would be any type of transferring of information, whether email, the Internet, or FTP, as can be seen in figure 16.

This figure shows typical traffic patterns across a network.

In this type of environment, it is important to know what traffic is critical to your business and what is not. It may be necessary to limit the flow of certain traffic, while allowing important traffic to flow.

This is where management takes effect. Every part of your network has to be analyzed against your plan. You need to know what information must be transmitted and where. You need to know what part of the network has to communicate with the other part. You have to make sure the network works in relation to the Internet.

You have to know who has access to applications and who doesn't. You have to know who will have access to the Internet from what machine.

The best way to ensure a reliable network infrastructure that does not compromise your VPN development is to configure the network to handle large traffic conditions.

You can try using different techniques to conserve bandwidth. Some ways of doing this would be data compression and using bandwidth only when necessary.

Some of these techniques work well under some conditions, while others do not. There may be times when data compression may not be compatible with a certain router configuration.

A firewall may reject the transmitting of data if the bandwidth is too large or too small. As you can see, there are many factors you must take into consideration when working with a VPN and a network.

One other way you can prioritize your network to gain the best efficiency possible is by the way you allocate resources.

If you reserve a portion of your network for a particular type of traffic, you will benefit. You can do this by allocating that portion of the network to a user, application, or protocol.

If you do this, just make sure you calculate the capacity or traffic flow in that area ahead of time, because if the traffic exceeds your limits, delays can occur.

Another way to improve your network performance is to use services that will assist your network to work under consistent conditions no matter what load is placed on the network. Plus, you can use a service that will help provide a reliable transmission of data.

It is natural to expect a system that will deliver quality of service at all times. This means making sure that every packet will arrive on schedule without delays. Should there be traffic overflow, the packet would be discarded.

 

Taking Care of VPN Performance

Two factors influence a VPN's function and performance: the speed of the Internet and the efficiency of the security gateways.

An ISP may not be willing to invest in the proper hardware or software to provide more reliable connections to their systems. That forces you to compromise on your connection speed. Of course, that in turn slows your network. Unfortunately, despite many vendors' requests to ISPs to update their hardware and software to conform to newer standards, such a situation is not always feasible.

You are left with the option to verify that your security gateways are operational. Even if you cannot control your ISP, you can at least certify continued reliability of your connections by means of your routers and gateways.

If you notice heavier amounts of traffic in one gateway, you may have to make adjustments by adding additional security gateways. You can also use filtering to allow certain types of traffic or information to pass through your network. Set up filters to allow traffic that is critical to the operation of your business to go through at peak times of the day when it is needed the most.

In order to take advantage of the bandwidth your ISP has provided you, make sure to track what traffic goes where. Maybe you can better allocate traffic that does not have to be transmitted over the Internet to another router. This way bandwidth is freed for the traffic that does have to be transmitted over the Internet.

Managing a network, as you know, is getting harder and more complex. There has to be a way to manage traffic, set up priorities, and pay attention to bandwidth requirements.

One way network administrators have dealt with these problems is to use a management system based on policies. This way every network device is configured to use the appropriate amount of bandwidth and provide stable traffic flow.

These policies are installed on routers and servers to make sure that the network is fully configured to run optimally. See figure 17 to see how this is done.

This figure shows a network with policies installed. Using policies is an area that is growing rapidly among network administrators around the world.

It makes configuring devices easier and helps to automate traffic conditions and patterns. VPN systems will use this type of management now and in the future.

 

Monitor Your ISP

It is always best to monitor your ISP. This way if your network is sluggish but you checked your network and your VPN connection, and found it operating normally, you know it is not your problem.

 

If your VPN is malfunctioning due to heavy traffic at your gateway, you may have to consider installing a more powerful gateway to handle the extra load.

However, if you find your VPN is working but the links are not getting enough traffic, you may want to consider negotiating with the ISP to lower your speed.

Of course, the opposite is also true. If you find you need more bandwidth at your links, you will have to request that your ISP increase the bandwidth allocation at its end so that your connection speed to its system increases.

There are many good monitoring systems available that can monitor the network, take measurements, collect data, and print out reports showing activity on the network and how it is moving and being used.

Most routers and other network devices have protocols built into them that respond automatically when monitoring systems are being used.

VPNs are being used now and will continue to be used in the future. With ever-increasing standardization, improvements will only be a short time away. As newer technology is discovered and implemented, networks will have to adjust their configurations accordingly. This will help to make VPN an even better commodity than it is now.

 

Extending VPNs to Extranets

 

The Internet has been around for decades, but only in the last few years has it become a household name. Now, more than ever before, businesses and individuals are using the Internet for communications.

Whether at home or in the office, connecting to the Internet is an everyday occurrence. With the ease of use and simplicity of connecting, it is hard to pass up such an opportunity.

Many businesses are taking steps to ensure that their Intranet is configured to allow access by their employees to the Internet.

The best type of system businesses set up is based on e-commerce technology. They know that the Internet has much potential when it comes to selling and engaging in transaction processing.

One effort businesses are working to deploy is the creation of an extranet. What this does is open up portions of their network to allow access by their business partners. Figure 18 provides an example of how this is done.

This figure shows what an extranet looks like.

It looks good on paper, but extranets are hard to incorporate. It takes a great deal of coordination between businesses to make it work. In this scenario, security is even more of an issue.

This is where a VPN comes into the picture, since it provides a secure medium of communication.

 

Why an Extranet

Despite the complication of working with one, an extranet does offer many advantages including using TCP/IP, more flexibility, and the use of the World Wide Web.

Using TCP/IP helps reduce connection problems. Business partners do not have to add additional lines to connect to each other, instead they just use the Internet for communications.

Using an extranet gives you more flexibility because this way you can quickly end a task or project. Why wait a month or more for installation of a leased line?

Since Web browsers are becoming more user-friendly, businesses use them for various reasons. Many businesses develop applications that will work in conjunction with Web browsers. Using an extranet, these applications become available to anyone who logs in to the system.

One use of an extranet that is very popular is managing business suppliers. Instead of having every part of your supply chain separate from necessary information, put them together so everyone has access to your system.

By doing this, order processing can go faster, delivery of shipments can be quicker, and inventory can be controlled easier.

Since VPNs provide security when communicating over the Internet, using any application, businesses see using an extranet in conjunction with a VPN as an advantage.

Turning a VPN into an Extranet

The difference between establishing a VPN and establishing an extranet is simply the need to obtain the cooperation of your business partner. Even if the whole matter is your idea, you still need to convince your partner to accept it.

You will be mostly concerned with compatibility as it relates to network setup, security, verifying users, VPN and its protocols, and of course digital certificates.

You will need to know if they have the proper equipment to make a connection with your network. Whether they use direct LAN-to-LAN connections or a dial-up service, you have to be sure they are able to gain access to your system.

If you have to provide financial resources so they can connect with you, you need to verify what they have. You could conceivably be looking at a large expense.

In regard to financial expenditures, it is easier to set up a dial-up extranet for login purposes. It is more compatible with networks and takes less time. It is more practical to set up a computer, be it desktop or laptop, with remote access software, modems, and an ISP account than to install and configure IP with a security gateway.

You cannot compromise on your security policies no matter what happens. Your partners have to be sure that they have the same security standards in place to complement yours. Or you can agree on tighter security standards.

Login access and authenticating users will need to be provided for. You have to be sure your system can handle outside users. You may have to install software to handle the different authentication methods each member uses.

One way to work around this is to offer digital certificates to authenticate users. Once the certificates are verified and approved, they can log in knowing they can now transmit secure data.

One area of concern you may need to consider, although not vital, is the location of the server if inventory is the issue. You and your partner will need to come to some agreement as to where the server will be placed when you are working on inventory or some other type of project.

The last area of concern is in resolving problems. You and your partner will have to come to some kind of agreement as to who will take care of the equipment at either side of the network.

If you find setting up or managing an extranet is too much work for you to handle, you can always use an ISP to manage it. They have the ability to do it all. So, use them if you feel you cannot handle the load.

If you decide to do it yourself, make it easy by implementing it in stages. Do not try to do it all at once. Use a select few people to start using it. Explain to them any possible glitches that may occur along the way.

Make sure everyone knows his/her responsibility from the beginning. The last thing you need is personnel problems. Also, make sure everything on your network works correctly and reliably.

You can turn a VPN into an extranet with some effort as long as both parties involved agree on how it will be handled. In addition, login procedures have to be dealt with.

If you are going to have them log in, use TCP/IP as a protocol to confirm transmission. Be sure when they log in that you have restricted access to only the people you want to access your system.

You could configure your network so that they have a direct connection to it, or you can require that they go through an ISP for connection.

If you are creating an extranet by combining two businesses with VPN, you are going to have incompatibility issues. Each partner or business will not have the VPN set up the same way. Until there is a standard set by the industry, this type of situation will have to be dealt with in the best way possible.

 

 

Final Words

VPNs are used by businesses, ISPs, and even by individuals. The use of them will get better and better as newer technology is developed.

VPNs are being used to replace modems and other dial-up services. They are less costly and provide more flexibility.

No matter how far the technology goes, people will still rely on dial-in VPN as the main point of transmission. There have been many services developed that add flexibility to the VPN system. Roaming is one of them.

VPN technology is here and will be for quite some time. With the increasing popularity of videoconferencing, the idea of using voice and video over the Internet will make the use of VPN even greater.

As time goes on, ISPs will play more of a role with VPN. They will change access functionality, change bandwidth requirements, and provide more services to help improve VPN.

An ISP will provide better management of VPN for a business that does not wish to deal with the many constraints associated with it. ISPs will also provide additional services, including handling an extranet.

All VPN protocols that are used today will continue to be improved upon as new technology enters the marketplace. Such technology includes new or improved operating systems, new hardware with the software to support it, etc.

Even security issues will improve. For example, algorithms that are used now will be replaced with more advanced algorithms.

Then there is VPN management. Among all the issues involved in future VPN usage, VPN management stands out as the industry's top concern. As newer systems are developed and newer protocols are released, someone will need to implement and manage their use.

Handling of security, especially digital certificates, is a major concern. Dealing with expired or revoked certificates and issuing new ones is one area that has to be dealt with.
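
The certificate handling described here, and the certificate-based partner login described earlier, comes down to a few checks at each login. The following is an added example, not part of the original text, that models those checks on already-parsed certificate fields. The CA name, serial numbers, dates, and the 30-day renewal window are constructed assumptions, and signature verification is assumed to be done by the VPN gateway before these checks run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class PartnerCert:
    subject: str          # partner user the certificate was issued to
    issuer: str           # CA that signed it
    serial: int
    not_before: datetime
    not_after: datetime

# Constructed sample policy: CA name, serials and dates are made up.
TRUSTED_ISSUERS = {"Example Extranet CA"}
REVOKED_SERIALS = {1002}              # would be loaded from the CA's current CRL
RENEW_WINDOW = timedelta(days=30)     # reissue once this little life is left

def check_login(cert, now, crl_next_update):
    """Return (allowed, reason); the first failed check denies the login."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if now > crl_next_update:
        # A stale list cannot show the certificate is still good: fail closed.
        return False, "revocation list is stale"
    if cert.serial in REVOKED_SERIALS:
        return False, "revoked"
    if now < cert.not_before:
        return False, "not yet valid"
    if now > cert.not_after:
        return False, "expired"
    if cert.not_after - now <= RENEW_WINDOW:
        return True, "valid, renew soon"
    return True, "valid"

def audit(certs, now, crl_next_update):
    """Map each subject to its decision so renewals can be scheduled."""
    return {c.subject: check_login(c, now, crl_next_update) for c in certs}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample
CRL_NEXT = NOW + timedelta(days=1)                # CRL is still current
def make_cert(subject, serial, start, end, issuer="Example Extranet CA"):
    """Build a constructed record valid from NOW+start to NOW+end days."""
    return PartnerCert(subject, issuer, serial,
                       NOW + timedelta(days=start), NOW + timedelta(days=end))

SAMPLE = [make_cert("supplier-a", 1001, -100, 200),
          make_cert("supplier-b", 1002, -100, 200),   # serial is on the CRL
          make_cert("supplier-c", 1003, -400, -5),    # expired five days ago
          make_cert("supplier-d", 1004, -300, 10),    # ten days left
          make_cert("supplier-e", 1005, -10, 300, issuer="Unknown CA")]
```

Running audit(SAMPLE, NOW, CRL_NEXT) returns one decision per partner, and the "renew soon" entries are the certificates to reissue before they lapse.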

With the increasing threats to security, securing a VPN system is going to be the biggest challenge facing administrators and managers.

Currently, every point on a VPN is manufactured as a single device, be it routers, firewalls, etc. However, the transition to integrated devices that require little configuration is being planned for future release. This type of approach will benefit businesses in that they will not have to spend more money to implement their systems.

The future of VPN will only get better. Now is the time to invest in the technology and deploy it. This way you will have it in place so transitioning to newer technology will be easier.

Even after deploying the technology, you have to keep up with the latest changes. This may mean attending seminars relating to VPN technology. It may mean researching the Internet to find the latest news regarding the hardware used by your network. There are many resources available to keep up to date with it. Doing so may be time consuming, but it is vital to your organization.

Join newsgroups relating to VPN. Keep a relationship with your vendors. Subscribe to newsletters from companies that support your type of equipment. Whatever you do, keep the flow of communication open. You never know when you are going to need to upgrade to a newer server, router, or firewall.

Companies including Microsoft and Cisco are continually finding ways to improve on IP addressing and VPN technology, not to mention networking in general. As they deliver newer technology, businesses can take advantage of it by implementing the upgrades and changes to their systems.

As your business and needs expand, your network becomes more sophisticated, and equipment becomes more integrated and standardized, keep your focus.

As long as there is an Internet, a network, and the protocols to run it, there will always be a need for VPN, especially since communication works better and faster with it.

Just check your budget against what is out or coming out and stay within your means. Otherwise, you will go over budget for that necessary future upgrade.

With VPN, the future is now. Take advantage of it.