In this excerpt of Chapter 3 from Cryptography for Dummies, author Chey Cobb explains how virtual private networks (VPNs) use encryption to secure data in transit.
When businesses communicate over the Internet, there is no protection
promised or implied. Everything is done out in the open and can be seen,
captured, destroyed or copied by anyone who cares to try. It's like cities,
towns and villages connected by roads. You transport whatever is on those
roads at your own risk. Businesses began to see the need for a safer alternative
as they did business with remote partners and employees in remote locations.
Thus, the Virtual Private Network (VPN) was invented.
VPNs use encryption to protect the traffic between any two points. It's like
building a tunnel with special access controls between those cities, towns and villages. The tunnels aren't available to everyone, and to the people up
above, they are invisible. Before you can enter the tunnel, you must prove
your identity, your packages must be of certain types and the delivery
address must be verifiable. If that isn't secure enough for you, a VPN also has
the ability to disguise the packages through encryption. That way, if
someone manages to gain unauthorized access by fooling the access guards
or by digging another tunnel that intersects with your tunnel, the intruder
won't know which packages to steal because he can't tell one from another.
VPNs have been around for enough years now to consider them a standard
security mechanism. On the other hand, different vendors' VPN hardware and
software are not necessarily interoperable with one another. If you are
communicating with someone who doesn't have the same sort of setup, it may
take a few days or weeks of juggling cables and commands to get it working correctly.
In general, VPNs are considered fairly reliable as far as security mechanisms
go. Sure, there are hacks, but you really don't hear about too many of
them. Either they are not happening often, or companies are just not telling.
VPNs can encrypt in two different modes: transport and tunnel (these are the
terms IPsec uses). Transport mode sets up a secure, encrypted link across the
Internet wires, and it encrypts the data (payload) you are sending to the
other end. This is the equivalent of the delivery truck carrying a package via
the underground passageway. (I'm not using the word tunnel here because I
don't want to confuse you!) The encryption is invisible to the user: other
than supplying a password, a passphrase, or a special card plugged into the
computer, the user doesn't have to press a button that says "encrypt" or
"decrypt." All the payload data in transit is protected from sight. The
drawback of transport mode is that the packet headers are sent in the clear,
so anyone watching the wire can still see which two machines are talking and
what protocol they are using, even though the contents are hidden. In effect,
that's like disguising the package and then putting a label on it that says
who sent it and where it's going. Maybe not the smartest thing to do
considering that intruders may occasionally gain access.
The other form of VPN encryption, tunnel mode, not only sets up a secure,
encrypted link between two points, but it also encrypts the headers of the
original data packets: the whole original packet, header and all, is wrapped
inside a new packet addressed from one VPN gateway to the other. That's
better. Not only do you have a disguised package, but the address and the
contents listed on the package's label are in code so they're not easily
recognizable. One caveat: the new outer packet still carries a header in the
clear, so an observer can tell that the two gateways are exchanging encrypted
traffic, and roughly how much; what stays hidden is which machines behind the
gateways are talking and what they are saying. As I mention earlier, the VPN
standards aren't necessarily standard, so you'll have to see what protocols
the vendor is using. The vendor will have tons of transport protocols to
choose from, but the tunneling protocols are fairly limited. Just to give you
an introduction, here are the tunneling protocols:
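To make the transport-versus-tunnel distinction concrete, here is a worked illustration added to this excerpt; it is not code from the book and not any vendor's VPN implementation. It assumes a simplified 12-byte header (source, destination, protocol number, length) standing in for the real IP header, a keyed keystream (HMAC-SHA256 in counter mode) plus an HMAC tag standing in for the AES-based protection a real VPN uses, and constructed sample addresses: 10.0.1.5 and 10.0.2.9 as the hosts on two office LANs, 203.0.113.1 and 198.51.100.1 as their VPN gateways. The `observer_view` function reports what someone sniffing the wire learns without the key.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Simplified stand-in for an IP header: source, destination, protocol number,
# total length. Real IPv4 headers carry more fields, but these are the ones an
# eavesdropper cares about.
HDR = struct.Struct("!4s4sHH")
ESP = 50  # the protocol number IPsec uses for its encrypted payload (ESP)


def build_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = HDR.pack(ipaddress.ip_address(src).packed,
                   ipaddress.ip_address(dst).packed,
                   proto, HDR.size + len(payload))
    return hdr + payload


def parse_packet(pkt: bytes) -> dict:
    src, dst, proto, length = HDR.unpack_from(pkt)
    return {"src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": pkt[HDR.size:length]}


# Toy authenticated encryption (encrypt-then-MAC). The keystream is HMAC-SHA256
# run in counter mode over a fresh nonce; a real VPN would use AES (e.g. AES-GCM).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def protect(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: packet was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def transport_mode(key: bytes, pkt: bytes) -> bytes:
    """Original header stays in the clear; only the payload is protected.
    The original protocol number rides inside the protected part (as ESP's
    next-header field does) so the receiver can restore it."""
    p = parse_packet(pkt)
    inner = bytes([p["proto"]]) + p["payload"]
    return build_packet(p["src"], p["dst"], ESP, protect(key, inner))


def transport_receive(key: bytes, wire: bytes) -> bytes:
    p = parse_packet(wire)
    inner = unprotect(key, p["payload"])
    return build_packet(p["src"], p["dst"], inner[0], inner[1:])


def tunnel_mode(key: bytes, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Whole original packet, header included, is protected and wrapped in a
    new header addressed from one VPN gateway to the other."""
    return build_packet(gw_src, gw_dst, ESP, protect(key, pkt))


def tunnel_receive(key: bytes, wire: bytes) -> bytes:
    return unprotect(key, parse_packet(wire)["payload"])


def observer_view(wire: bytes) -> dict:
    """What someone sniffing the link learns without the key: only the
    clear-text header and the size of the packet."""
    p = parse_packet(wire)
    return {"src": p["src"], "dst": p["dst"], "proto": p["proto"], "size": len(wire)}


def demo() -> dict:
    # Constructed sample: a host on one office LAN talks to a host on another,
    # through VPN gateways with documentation-range public addresses.
    key = hashlib.sha256(b"shared secret agreed out of band").digest()
    pkt = build_packet("10.0.1.5", "10.0.2.9", 6, b"GET /payroll HTTP/1.1")
    transport = transport_mode(key, pkt)
    tunnel = tunnel_mode(key, pkt, "203.0.113.1", "198.51.100.1")
    assert transport_receive(key, transport) == pkt
    assert tunnel_receive(key, tunnel) == pkt
    return {"transport": observer_view(transport), "tunnel": observer_view(tunnel)}


if __name__ == "__main__":
    for mode, seen in demo().items():
        print(f"{mode:9s} observer sees {seen['src']} -> {seen['dst']} "
              f"proto {seen['proto']} ({seen['size']} bytes)")
```

Run it and the transport line shows the real endpoints, 10.0.1.5 and 10.0.2.9, while the tunnel line shows only the two gateways. In both cases the observer still learns the packet size and that encrypted traffic (protocol 50) is flowing, which is why a tunnel hides who is talking but not that someone is. Flipping a single byte of either wire packet makes the receiver's integrity check reject it; that check is what the "access guards" in the analogy amount to in practice.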
If you set up a VPN for your customers, business partners and employees,
they can gain some comfort in the fact that their data isn't traveling in the
clear. One point to remember, though: Many road warriors have automated
the process of logging in to their VPN and have a shortcut on the desktop. On
top of that, if the laptop itself is not protected with proper access controls,
whoever turns it on owns it. In that case, a stolen laptop can easily be used
to log on to the VPN, and you'll never know it unless the employee alerts you. In
addition to access controls for laptops, you may also want to consider disk
encryption to protect the data stored on the laptop. Just something to keep
in mind.
VPNs are relatively easy to set up now, and you can usually find experienced
staff to install and manage them. As I mention earlier, sometimes it takes a
little effort to get two different VPNs talking to one another, but that doesn't
last forever. Many vendors are including VPN capabilities in their routers
so the system is practically plug and play. Just remember to change the
default settings such as the administrator password. VPNs are great at protecting
the data in transport, but they do not encrypt the data on your
drives — that data is still in the clear.