Virtual Private Network

Fig 1: VPN

VPN stands for virtual private network. Its job is to deliver user data safely across a public network, so that devices can exchange data as if they were directly connected to the private network.

Let me explain what I mean. Assume your head office is where all of your business-critical servers and applications are located. As well as the head office you also have a smaller branch office, and the branch office needs access to those same servers and applications. There are several connectivity options available. You might use a private MPLS network, which would be a great option, but it comes at a price. Internet access, on the other hand, is very affordable, but there is a problem: the public internet is full of bad guys, and they are just waiting to get their hands on your company's data.

One solution is a virtual private network, or VPN. A VPN is often described as a tunnel: your data is encrypted before it passes through the public internet, so if one of the bad guys does capture it they cannot make any sense of it. When the data arrives at the other end it is decrypted with the matching key and can be read as normal. Note what this does and does not protect: the content of each packet is hidden and any tampering is detected, but an observer on the path can still see that the two endpoints are talking, roughly how much, and when.

There are two main types of VPN. The one described so far is a site-to-site VPN: it connects one entire site to another entire site and is always on. A site-to-site VPN has to be configured on both networks, so it is ideal when you have several fixed sites that you control. That is not always the case. You may have specific users who work from home, from shops or from anywhere else in the world. These users still need access to the corporate network, but a site-to-site VPN will not work because you have no control over the networks they connect from. Instead they use the second type, a remote access VPN.

A remote access VPN grants access to the corporate network for a single device, for example a user's laptop in a coffee shop. This is unlike the site-to-site VPN, which connects two entire networks. Now that we know what a VPN is and the two types, let's look at each in a bit more detail.

Site to Site VPNs

First, let's start with site-to-site VPNs. Here we have site A and site B, both connected to the public internet. Site-to-site VPNs are typically configured on a router or a firewall at each site.

A popular choice for site-to-site VPNs is IPsec. IPsec is a framework, a set of rules for building VPNs over an IP network. It does not define one single way to create a VPN; instead it allows several protocols and algorithms to be chosen for each function (key exchange through IKE, encryption and integrity of the data through ESP). IPsec is most often used for site-to-site VPNs, but it can equally be used for remote access VPNs. Once the VPN is established, every device on each site can send data securely over it.

So how does this work? Say a host at site A sends some data to site B. The router at site A looks at the packet, sees that it is destined for site B and realises it must go over the VPN. Before sending it, the router encrypts the data: it takes the original packet and the encryption key and produces the encrypted data. Looking more closely: when the IP packet arrives at the router it is put through the encryption algorithm together with the session key, which the two routers exchanged when the tunnel was set up. The router then wraps the encrypted data in a VPN header and trailer and adds a new IP header. The new IP header carries the public IP address of the remote site's router, so the packet can be delivered across the internet; the original source and destination addresses travel hidden inside. There is more to the VPN header and trailer than this (a sequence number, for instance, so that a captured packet cannot simply be replayed), but that is the general idea.

The router sends the encrypted packet, which makes its way across the public internet to the remote site, where the process is reversed. The receiving router uses the same, previously exchanged session key to decrypt the data back to its original form, verifies that it was not altered in transit, and forwards the original packet on to its destination.

That is a site-to-site VPN. It is great when you want to connect one or more offices together. Sometimes, though, you need users to connect to the corporate network from anywhere in the world, whether a coffee shop, a train or home during a pandemic. For that situation a different type of VPN exists.
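The encrypt-then-encapsulate sequence described in this section, worked through as an added example (this is not code from the original page): a simplified model of an IPsec gateway in ESP tunnel mode, written in Go. The inner packet is encrypted and authenticated with AES-GCM under the session key, wrapped in an ESP header (SPI and sequence number) and trailer (padding, pad length, next header), then given a new IP header addressed to the peer's public IP; the receiving side reverses this and drops anything that fails authentication or repeats a sequence number. The SPI value, the gateway and LAN addresses, the fixed demo key and salt, and the strictly increasing replay rule are all assumptions for illustration; a real gateway derives keys with IKEv2, keeps a sliding anti-replay window, and fills in the IP checksum and the other header fields.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net/netip"
)

const (
	protoESP, protoIPIP             = 50, 4    // outer IP protocol number; ESP next-header meaning "IPv4 inside"
	ipv4HdrLen, espHdrLen, espIVLen = 20, 8, 8 // minimal IPv4 header; SPI+seq; explicit IV (AES-GCM-ESP layout)
)

// SA is one direction of a security association: a session key agreed beforehand (IKE is not modelled) plus per-packet state.
type SA struct {
	spi              uint32
	salt             [4]byte // secret nonce prefix, never sent on the wire
	aead             cipher.AEAD
	local, remote    netip.Addr // this gateway's and the peer's public address
	sendSeq, recvSeq uint32     // last sent / highest accepted sequence number
}

func newSA(key []byte, salt [4]byte, spi uint32, local, remote netip.Addr) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce = 4-byte salt + 8-byte IV
	return &SA{spi: spi, salt: salt, aead: aead, local: local, remote: remote}, err
}

// ipv4Header builds a minimal 20-byte header (checksum left zero in this model), used for inner and outer packets.
func ipv4Header(src, dst netip.Addr, proto byte, payloadLen int) []byte {
	h := make([]byte, ipv4HdrLen)
	h[0], h[8], h[9] = 0x45, 64, proto // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(ipv4HdrLen+payloadLen))
	s, d := src.As4(), dst.As4()
	copy(h[12:], append(s[:], d[:]...)) // source address, then destination address
	return h
}

// Encapsulate produces: [outer IPv4 | SPI | seq | IV | AES-GCM(inner | pad | padlen | next) | tag]
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	sa.sendSeq++ // a real SA rekeys before this wraps, otherwise the nonce would repeat
	espHdr := make([]byte, espHdrLen)
	binary.BigEndian.PutUint32(espHdr, sa.spi)
	binary.BigEndian.PutUint32(espHdr[4:], sa.sendSeq)
	iv := make([]byte, espIVLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	// ESP trailer: pad to a 4-byte boundary (zeros stand in for RFC 4303's 1,2,3... pattern), then pad length and next header.
	padLen := (4 - (len(inner)+2)%4) % 4
	plain := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), protoIPIP)
	nonce := append(append([]byte{}, sa.salt[:]...), iv...)
	body := sa.aead.Seal(nil, nonce, plain, espHdr) // the ESP header is authenticated but not encrypted
	pkt := ipv4Header(sa.local, sa.remote, protoESP, espHdrLen+espIVLen+len(body))
	return append(append(append(pkt, espHdr...), iv...), body...), nil
}

// Decapsulate reverses the process, dropping forged, altered, misaddressed or replayed packets.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < ipv4HdrLen+espHdrLen+espIVLen+sa.aead.Overhead() || pkt[9] != protoESP || !bytes.Equal(pkt[16:20], sa.local.AsSlice()) {
		return nil, fmt.Errorf("not an ESP packet addressed to this gateway")
	}
	espHdr, iv, body := pkt[20:28], pkt[28:36], pkt[36:] // SPI+seq, IV, ciphertext+tag
	seq := binary.BigEndian.Uint32(espHdr[4:])
	if binary.BigEndian.Uint32(espHdr) != sa.spi || seq <= sa.recvSeq { // simplified anti-replay; real ESP keeps a sliding window
		return nil, fmt.Errorf("unknown SPI or replayed sequence number, packet dropped")
	}
	nonce := append(append([]byte{}, sa.salt[:]...), iv...)
	plain, err := sa.aead.Open(nil, nonce, body, espHdr)
	if err != nil {
		return nil, fmt.Errorf("authentication failed, packet dropped: %w", err)
	}
	sa.recvSeq = seq // advance only after the packet authenticated
	n := len(plain)
	if n < 2 || plain[n-1] != protoIPIP || int(plain[n-2])+2 > n {
		return nil, fmt.Errorf("malformed ESP trailer")
	}
	return plain[:n-2-int(plain[n-2])], nil
}

func main() {
	key, ip := bytes.Repeat([]byte{0x42}, 32), netip.MustParseAddr // fixed demo key; real gateways derive it via IKEv2
	a, _ := newSA(key, [4]byte{1, 2, 3, 4}, 0x1001, ip("203.0.113.1"), ip("198.51.100.1"))
	b, _ := newSA(key, [4]byte{1, 2, 3, 4}, 0x1001, ip("198.51.100.1"), ip("203.0.113.1"))
	payload := []byte("hello from site A") // constructed inner packet: LAN host at site A to LAN host at site B
	inner := append(ipv4Header(ip("10.1.0.10"), ip("10.2.0.20"), 17, len(payload)), payload...)
	outer, _ := a.Encapsulate(inner)
	fmt.Printf("on the wire: %v -> %v, proto %d, %d bytes\n", a.local, a.remote, outer[9], len(outer))
	got, err := b.Decapsulate(outer)
	fmt.Printf("at site B: %q (err=%v)\n", got[ipv4HdrLen:], err)
}
```

Running it shows the outer packet leaving as IP protocol 50 between the two public addresses, with the LAN addresses and the payload nowhere in the clear. Delivering the same packet to Decapsulate twice is rejected by the sequence-number check, and flipping a single bit of the authentication tag makes Decapsulate return an error instead of corrupted data, which is why the integrity check matters as much as the encryption.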

Remote access VPNs

A remote access VPN allows a single device to connect to a corporate network. That device could be a laptop, a desktop, or even a smartphone or tablet. Just like a site-to-site VPN, a remote access VPN lets the host send and receive encrypted data safely over the public internet. That is great news if you are connecting to public Wi-Fi, where you have no idea who might be snooping. Unlike site-to-site VPNs, which run continuously, a remote access VPN needs a client application on the host that connects back to the corporate network on demand; the VPN gateway on the corporate side listens for these connection requests and authenticates the user before granting access.

Example

Examples of VPN client applications are Cisco AnyConnect and OpenVPN; here is OpenVPN running on my computer. While IPsec is the usual choice for site-to-site VPNs, TLS-based VPNs are common for remote access. TLS is the same security protocol that encrypts your web traffic when you connect to HTTPS sites. It is also handy because some public Wi-Fi networks block the ports IPsec needs (UDP 500 and 4500 for IKE, and IP protocol 50 for ESP), whereas a TLS VPN can listen on TCP port 443, the HTTPS port, which is almost always allowed out. OpenVPN, for example, can run over either UDP or TCP and is often configured on 443 for exactly this reason.

When configuring remote access VPNs you need to decide whether to use a full tunnel or a split tunnel. What does that mean? With a full tunnel, once the client is connected all traffic from the host is forwarded to the corporate network. Even if the user is just browsing Facebook, that traffic is tunnelled through the corporate network and out again. This is great if you want to enforce your corporate firewall policies and inspect everything the device does, at the cost of bandwidth and latency on the corporate side. With a split tunnel, only traffic destined for the corporate network is sent over the VPN; all other traffic is routed as normal through the user's own internet connection. This saves bandwidth and gives users a bit more privacy, but it also means the host sits on an untrusted network and the corporate network at the same time, so a compromised laptop can act as a bridge between the two, and the corporate firewall never sees its internet traffic. Which one you choose is really up to you and your security needs.

I also want to briefly mention VPN services. In recent years several companies have emerged offering VPN services that promise to keep all of your internet usage private, secure and away from hackers; you have probably seen their adverts. These work like remote access VPNs: you connect to that company's network, and they forward your traffic on to the internet. The idea is that only the VPN provider sees your traffic, so not even your ISP can see what you are doing. Now, while there are some understandable reasons to use these services.
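How the full-tunnel versus split-tunnel choice looks in an OpenVPN server configuration, as an added example (this is not configuration from the original page or from the OpenVPN project; the tunnel subnet, corporate prefixes, DNS server and domain are placeholders):

```conf
# --- server.conf, full tunnel ---
# The client's default route is replaced, so every packet (Facebook included)
# crosses the VPN and is subject to the corporate firewall.
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# Resolve through corporate DNS as well, otherwise name lookups still leak locally.
push "dhcp-option DNS 10.0.0.53"

# --- server.conf, split tunnel ---
# Only the corporate prefixes are routed through the tunnel; everything else
# leaves via the client's own internet connection.
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "route 172.16.0.0 255.240.0.0"
push "dhcp-option DOMAIN corp.example"
push "dhcp-option DNS 10.0.0.53"

# --- client.ovpn ---
# A client can decline a pushed full tunnel (OpenVPN 2.4 and later):
pull-filter ignore "redirect-gateway"
```

Pushing a route only asks the client to install it. The client-side pull-filter line shows that a user can decline the full tunnel, so a policy that depends on every packet crossing the corporate firewall has to be enforced by device management or at the gateway, not by the push alone.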

