A virtual private network (abbreviated as VPN)
- “[is a] restricted-use, logical (i.e., artificial or simulated) computer network that is constructed from the system resources of a relatively public, physical (i.e., real) network (e.g., the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.”
- “[is] a private network that is maintained across a shared or public network, such as the Internet, by means of specialized security procedures.”
- “uses the public telecommunication infrastructure and the Internet to provide remote and secure access to an organization's network.”
- “consists of computer hardware and software that allow[s] an organization to securely communicate through the Internet or a set of local telephone lines. It establishes an encrypted "tunnel" for connections to an organization's internal network.”
- “[is t]he extension of a private network that provides encapsulated, encrypted, and authenticated logical (not physical) links across shared or public networks. VPN connections typically provide remote access and router-to-router connections to private networks over the Internet.”
Often explained as tunneling a smaller network through a larger network, a virtual private network is intended to provide a secure connection between remote clients, such as branch offices or traveling personnel, and a central office.
VPNs allow organizations or individuals to connect a network between two or more physical locations without incurring the costs of purchasing or leasing dedicated telephone lines or frame relay circuits. Through measures like authentication and data encryption, cryptographic VPNs can establish a secure virtual connection between physical locations.
A VPN can be established to circumvent strict Internet controls and censorship within a given country; multinational corporations that operate in repressive Internet environments often purchase from the government the right to use VPNs to connect to their home offices.
VPNs can be implemented through hardware, existing firewalls, and stand-alone software applications. To a user, VPNs appear no different than traditional networks and can be used normally whether the user is dialing in from home or accessing a field office from headquarters. VPNs are typically used in intranets and extranets and in remote access connections.
- Intranets are interlinked private networks within an enterprise that allow information and computer resources to be shared throughout an organization. Some organizations have sensitive data on a LAN that is physically disconnected from the rest of the organization's intranet. This lack of connectivity may cause data on the LAN to be inaccessible to users. A VPN can be used to allow the sensitive LAN to be physically connected to the intranet, but separated by a VPN server. Only authorized users would be able to establish a VPN connection with the server to gain access to the sensitive LAN, and all communications across the VPN could be encrypted for data confidentiality.
- Remote access VPNs simplify the process of remote access, allowing off-site users to connect, via the Internet, to a VPN server at the organization’s headquarters. Digital subscriber line or cable modem services allow remote VPN users to access the organization’s network at speeds comparable to those attained with on-site access.
A VPN works by using shared public networks while maintaining privacy through security procedures and protocols that encrypt communications between two end points. To provide an additional level of security, a VPN can encrypt not only the data, but also the originating and receiving network addresses. There are two main VPN technologies, which differ in their methods of encrypting data for secure transmission over Internet connections. The first method is based on “tunneling” protocols that encrypt packets at the sending end and decrypt them at the receiving end. This process is commonly referred to as “encapsulation,” because the original, unsecured packet is placed within another packet that has been secured by encryption. The encapsulated packets are then sent through a “tunnel” that cannot be traveled by data that have not been properly encrypted.
A commonly used tunneling protocol is IPSec. IPSec VPNs connect hosts to entire private networks, encrypt IP packets, and ensure that the packets are not deleted, added to, or tampered with during transmission. Because they are based on the IP protocol, IPSec VPNs can secure any IP traffic and can be configured to support any IP-based application.
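The encapsulation step described above, shown as an added illustration that is not code from this page or from any IPSec implementation: an inner cleartext packet is encrypted and wrapped in an outer packet carrying a tunnel identifier (SPI), a sequence number and an integrity tag, and the receiving end verifies the tag, rejects replayed sequence numbers and only then decrypts. Keys, the SPI value and the inner packet are constructed for the example; the HMAC-SHA256 keystream stands in for a real cipher such as AES-GCM so the block runs with only the Python standard library, and the sliding sequence-number window mirrors the anti-replay idea of ESP without claiming to reproduce it exactly.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed keys and tunnel identifier for this example only; a real VPN
# derives them from a key-exchange protocol such as IKE.
ENC_KEY = bytes.fromhex("00" * 31 + "01")
MAC_KEY = bytes.fromhex("00" * 31 + "02")
SPI = 0x1000                        # Security Parameters Index (constructed)
OUTER_HDR = struct.Struct("!II8s")  # SPI, sequence number, per-packet nonce
TAG_LEN = 32
REPLAY_WINDOW = 64


class TamperedPacket(Exception):
    """Integrity tag did not verify: packet was modified or forged in transit."""


class ReplayedPacket(Exception):
    """Sequence number already accepted, or too old for the anti-replay window."""


def _keystream(nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-in-counter-mode keystream (HMAC-SHA256); not a standard
    # cipher suite. IPSec ESP would use e.g. AES-GCM here.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(inner_packet: bytes, seq: int) -> bytes:
    """Wrap an inner cleartext packet into an encrypted, authenticated outer packet."""
    nonce = secrets.token_bytes(8)
    header = OUTER_HDR.pack(SPI, seq, nonce)
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, _keystream(nonce, len(inner_packet))))
    # Encrypt-then-MAC: the tag also covers the header, so SPI and seq cannot be altered.
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class TunnelReceiver:
    """Receiving end of the tunnel: verify integrity, check replay, then decrypt."""

    def __init__(self) -> None:
        self.highest_seq = 0  # highest sequence number accepted so far
        self.window = 0       # bit i set => seq (highest_seq - i) already accepted

    def _check_replay(self, seq: int) -> None:
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW:
            raise ReplayedPacket(f"seq {seq} is older than the replay window")
        if self.window & (1 << diff):
            raise ReplayedPacket(f"seq {seq} was already accepted")
        self.window |= 1 << diff

    def decapsulate(self, outer_packet: bytes) -> bytes:
        header = outer_packet[:OUTER_HDR.size]
        ciphertext = outer_packet[OUTER_HDR.size:-TAG_LEN]
        tag = outer_packet[-TAG_LEN:]
        spi, seq, nonce = OUTER_HDR.unpack(header)
        if spi != SPI:
            raise TamperedPacket("unknown SPI")
        expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
        # Verify before decrypting or touching replay state; constant-time compare.
        if not hmac.compare_digest(tag, expected):
            raise TamperedPacket("integrity tag mismatch")
        self._check_replay(seq)
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(nonce, len(ciphertext))))


def run_demo() -> dict:
    """Exercise the tunnel: normal delivery, a replayed packet, a tampered packet."""
    rx = TunnelReceiver()
    inner = b"10.0.0.5 -> 10.0.0.9: GET /payroll"  # constructed inner packet
    outer = encapsulate(inner, 1)
    results = {"roundtrip": rx.decapsulate(outer) == inner,
               "inner_hidden": inner not in outer}
    try:
        rx.decapsulate(outer)              # same packet again: replay
        results["replay_rejected"] = False
    except ReplayedPacket:
        results["replay_rejected"] = True
    damaged = bytearray(encapsulate(inner, 2))
    damaged[OUTER_HDR.size] ^= 0x01        # flip one ciphertext bit in transit
    try:
        rx.decapsulate(bytes(damaged))
        results["tamper_rejected"] = False
    except TamperedPacket:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks in `decapsulate` is the security-relevant detail: the tag is verified before the replay window is updated or any decryption happens, so a forged packet can neither consume sequence numbers nor reach the decryption code, and a packet that is merely re-sent is dropped even though its tag is valid.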
In addition to using tunneling protocols, VPNs can also use the SSL protocol, which uses a limited form of public key cryptography. SSL VPNs connect users to services and applications inside private networks, but they secure only the applications’ services or data. SSL is a feature of commonly available commercial Web browsers (such as Microsoft’s Internet Explorer and America Online’s Netscape Navigator), and SSL VPNs use standard browsers instead of the specialized client software that is required by IPSec VPNs.
VPNs can be a cost-effective way to secure transmitted data across public networks. However, the cost of implementing IPSec VPNs includes the installation and configuration of specialized software that is required on every client computer. SSL VPNs use standard Web browsers, eliminating the need for client administration, but the SSL protocol often requires that applications be customized.
In addition, VPNs are only as secure as the computers that are connected to them. Because of the interconnected environment, any unsecured client computer could be used to launch an attack on the network. In particular, VPNs may be susceptible to man-in-the-middle attacks, message replay attacks, and denial-of-service attacks.
- RFC 4949, at 333.
- GAO, Technology Assessment: Cybersecurity for Critical Infrastructure Protection, at 182. See also NIST Special Publication 800-46.
- Fraud Advisory for Businesses: Corporate Account Take Over, at 5 n.12.
- Security Over Computers Used in Telecommuting Needs to Be Strengthened, at 2 n.5.
- Privacy and Civil Liberties Policy Development Guide and Implementation Templates, App. E, Glossary.
- Other tunneling protocols include Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).