In this excerpt of Chapter 3 from Cryptography for Dummies, author Chey Cobb explains how virtual private networks (VPNs) use encryption to secure data in transit.
When businesses communicate over the Internet, there is no protection promised or implied. Everything is done out in the open and can be seen, captured, destroyed or copied by anyone who cares to try. It's like cities, towns and villages connected by roads. You transport whatever is on those roads at your own risk. Businesses began to see the need for a safer alternative as they did business with remote partners and employees in remote locations. Thus, the Virtual Private Network (VPN) was invented.
VPNs use encryption to protect the traffic between any two points. It's like building a tunnel with special access controls between those cities, towns and villages. The tunnels aren't available to everyone, and to the people up above, they are invisible. Before you can enter the tunnel, you must prove your identity, your packages must be of certain types and the delivery address must be verifiable. If that isn't secure enough for you, a VPN also has the ability to disguise the packages through encryption. That way, if someone manages to gain unauthorized access by fooling the access guards or by digging another tunnel that intersects with your tunnel, the intruder won't know which packages to steal because he can't tell one from another.
VPNs have been around for enough years now to consider them a standard security mechanism. On the other hand, the way vendors create their VPN hardware and software is not necessarily interoperable. If you are communicating with someone who doesn't have the same sort of setup, it may take a few days or weeks of juggling cables and commands to get it working correctly. In general, VPNs are considered fairly reliable as far as security mechanisms go. Sure, there are hacks, but you really don't hear about too many of them. Either they are not happening often, or companies are just not telling.
VPNs are capable of encrypting two different ways: transport and tunneling. The transport encryption sets up a secure, encrypted link across the Internet wires, and it encrypts the data (payload) you are sending to the other end. This is the equivalent of the delivery truck carrying a package via the underground passageway. (I'm not using the word tunnel here because I don't want to confuse you!) The encryption is invisible to the user — other than passwords, passphrases, or a special card to plug into the computer, the user doesn't have to press a button that says "encrypt" or "decrypt." All the data in transit is protected from sight. The only drawback to transport encryption is the fact that the headers on the data are sent in the clear. In effect, that's like disguising the package and then putting a label on it that says what's inside. Maybe not the smartest thing to do considering that intruders may occasionally gain access.
The other form of VPN encryption, tunneling, not only sets up a secure, encrypted link between two points, but it also encrypts the headers of the data packets. That's better. Not only do you have a disguised package, but the address and the contents listed on the package's label are in code so they're not easily recognizable. As I mention earlier, the VPN standards aren't necessarily standard, so you'll have to see what protocols the vendor is using. The vendor will have tons of transfer protocols to choose from, but the tunneling protocols are fairly limited. Just to give you an introduction, here are the tunneling protocols:
- GRE = Generic Routing Encapsulation
- IPsec = Secure Internet Protocol
- L2F = Layer 2 Forwarding
- PPTP = Point To Point Tunneling Protocol
- L2TP = Layer 2 Tunneling Protocol (PPTP + L2F)
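To make the transport-versus-tunneling distinction concrete, here is an added example (written for this page, not code from the book) that builds a simplified packet, protects it both ways, and shows what an observer on the wire can still read in each case. The packet layout (source, destination, protocol, length), the addresses and the 32-byte key are all constructed for the demo, and the cipher is a toy stand-in: an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, playing the role of the AEAD that real IPsec ESP would use. Only the Python standard library is needed.

```python
"""Transport mode vs. tunnel mode: which header an on-path observer sees."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!4s4sBH")  # constructed header: src, dst, proto, total length
PROTO_TCP = 6
PROTO_ESP = 50                  # IANA protocol number for ESP, used as a marker
NONCE_LEN = 12
TAG_LEN = 16


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed 'IP' packet: 11-byte header followed by the payload."""
    return HDR.pack(_ip(src), _ip(dst), proto, HDR.size + len(payload)) + payload


def parse_header(pkt: bytes) -> dict:
    """Everything a passive observer can read without the key: the outer header."""
    src, dst, proto, length = HDR.unpack_from(pkt)
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "len": length}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    """Constant-time tag check; any bit flipped on the wire fails here."""
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expect)


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify first, then decrypt; raises ValueError on tampering."""
    if not is_authentic(key, blob):
        raise ValueError("authentication failed")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def transport_mode(key: bytes, pkt: bytes) -> bytes:
    """Encrypt only the payload; the original header travels in the clear.
    The original protocol byte is carried inside the sealed data, like ESP's
    'next header' field, so the receiver can restore it."""
    src, dst, proto, _ = HDR.unpack_from(pkt)
    body = seal(key, bytes([proto]) + pkt[HDR.size:])
    return HDR.pack(src, dst, PROTO_ESP, HDR.size + len(body)) + body


def transport_unwrap(key: bytes, wire: bytes) -> bytes:
    src, dst, _, _ = HDR.unpack_from(wire)
    inner = open_(key, wire[HDR.size:])
    return HDR.pack(src, dst, inner[0], HDR.size + len(inner) - 1) + inner[1:]


def tunnel_mode(key: bytes, gw_src: str, gw_dst: str, pkt: bytes) -> bytes:
    """Encrypt the whole original packet, header included, and prepend a fresh
    header addressed gateway-to-gateway; inner addresses are hidden."""
    body = seal(key, pkt)
    return HDR.pack(_ip(gw_src), _ip(gw_dst), PROTO_ESP, HDR.size + len(body)) + body


def tunnel_unwrap(key: bytes, wire: bytes) -> bytes:
    return open_(key, wire[HDR.size:])


def demo() -> dict:
    key = os.urandom(32)  # constructed session key for the demo
    inner = build_packet("10.1.1.5", "10.2.2.9", PROTO_TCP, b"GET /payroll HTTP/1.1")
    t = transport_mode(key, inner)
    u = tunnel_mode(key, "203.0.113.1", "198.51.100.1", inner)
    return {
        "transport_seen": parse_header(t),   # observer learns the real endpoints
        "tunnel_seen": parse_header(u),      # observer learns only the gateways
        "transport_roundtrip": transport_unwrap(key, t) == inner,
        "tunnel_roundtrip": tunnel_unwrap(key, u) == inner,
        "payload_hidden": b"payroll" not in t and b"payroll" not in u,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the point of the passage: in transport mode the observer's view of the header still names 10.1.1.5 and 10.2.2.9, while in tunnel mode it names only the two gateway addresses; the payload is unreadable in both, and flipping any byte on the wire makes the receiver reject the packet rather than decrypt garbage.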
If you set up a VPN for your customers, business partners and employees, they can gain some comfort in the fact that their data isn't traveling in the clear. One point to remember, though: Many road warriors have automated the process of logging in to their VPN and have a shortcut on the desktop. On top of that, if the laptop isn't protected with proper access controls, then turn it on and it's yours. In that case, a stolen laptop can easily be used to log on to the VPN, and you'll never know it unless the employee alerts you. In addition to access controls for laptops, you may also want to consider disk encryption to protect the data stored on the laptop. Just something to keep in mind.
VPNs are relatively easy to set up now, and you can usually find experienced staff to install and manage them. As I mention earlier, sometimes it takes a little effort to get two different VPNs talking to one another, but that doesn't last forever. Many vendors are including VPN capabilities in their routers so the system is practically plug and play. Just remember to change the default settings such as the administrator password. VPNs are great at protecting the data in transport, but they do not encrypt the data on your drives — that data is still in the clear.
Read the rest of Chapter 3, Deciding what you really need
This was first published in July 2005