Virtual Private Network (VPN)

Introduction of VPN

Connection Setup Guide

FAQ

What is VPN? 

The Virtual Private Network (VPN) has risen fast to become a major networking technology in just a few years. With a VPN, you can send data, via a shared or public network in a manner that emulates a point-to-point private link, between two networks (routers), between two servers, or between a client and a server. In this article, we will focus only the VPN connection mode between a client and a server. In this mode, the remote PC (installed with a VPN client software) utilizes existing telecommunications infrastructures (e.g., phone lines, broadband services, dedicated Internet link, etc), and a tunneling protocol (incorporated with other authentication and encryption protocols) to securely access resource inside the corporate Intranet through a VPN server which sits at the perimeter of the corporate network.

The following diagram depicts the VPN connection:

VPN connection diagram

Why use VPN? 

By using VPN, enterprises can use the same un-trusted public networks operated by the Internet Service Provider without ever the need of any additional expensive private communication link to securely connect remote users' computers to the corporate network. Moreover, as the remote computer will be authenticated and the data exchanged with the VPN server are encrypted, hence, once a VPN connection has been successfully formed, the remote computer can be trusted by all local computers on the corporate LAN and logically be treated as a local computer.

How VPN works? 

To make use of the VPN, the remote computer (i.e., off-campus computers bearing non-corporate-owned IP addresses assigned by the Internet Service Provider (ISP)) must have the VPN client software installed. When connection to the corporate network is attempted, the VPN client software will first connect to the VPN server using a tunneling protocol (into which other authentication and encryption protocols have also been incorporated). After the remote computer has been successfully authenticated, a secure connection (secret tunnel) between it and the VPN server will then be formed as all subsequent data being exchanged through this tunnel will be encrypted at the sending end and correspondingly decrypted at the receiving end of the tunnel. As such, the network tunnel between them, even though established through the un-trusted Internet, is still considered secure enough that the remote computer can be trusted by local computers on the corporate LAN. In fact, the remote computer will even be allocated with an IP address from corporate's IP address space by the VPN server once successfully authenticated so that other local computers can communicate with it via the VPN server using that IP address. It is this automatic IP address translation between ISP's IP address and corporate's IP address offered by the VPN server which makes the remote PC look like a local computer.

How CityU implements its VPN? 

Initially two Cisco VPN servers are installed between the perimeter firewall and the campus network. Each VPN server is a dedicated network device that can handle hundreds of VPN connections in client/server mode simultaneously.

What is needed to remote access the campus network through VPN? 

To remote access CityU's Intranet through VPN, the remote PC must have the VPN client software installed. For most users of Windows, they can simply use the VPN Client software that comes with the operating system.

Under Windows, the VPN tunnel is facilitated by one of two protocols, namely, the PPTP or L2TP. PPTP is developed by Microsoft while L2TP is jointly developed by Microsoft and Cisco. Under UNIX or Linux environment, SSH is used for VPN.

PPTP uses the same authentication protocols as PPP (a communication protocol for making connection between two parties through dial-up), such as EAP, CHAP, PAP, and SPAP to authenticate the identity of the remote user. For encryption purposes, however, it is best to use EAP or MS-CHAP for authentication because it allows link encryption (see below) via MPPE.

L2TP, like PPTP, provides user authentication and data encryption. In addition, it provides mutual computer authentication, and data integrity (which ensures no data will be changed without undetected during transmission or transit). L2TP is also more secure as it provides end-to-end encryption through IPSec while PPTP provides only link encryption through MPPE. Link encryption is data encryption between VPN client and the VPN server while end-to-end encryption is data encryption between the client application and the server hosting the resource or service being accessed by the client application. However, VPN using L2TP is more difficult and complex to configure than using PPTP.

As the encapsulation and encryption process can add around 20-30 percent additional overhead, therefore, if you access campus services through VPN using a low speed dial-up connection, you can expect the service will be delivered slower. Nevertheless, they will still provide reliable file transfer and other basic remote access functions.

Acronyms:

VPN: Virtual Private Network

TCP/IP:Transfer Control Protocol/Internet Protocol

PPTP:Point to Point Tunneling Protocol

L2TP: Layer 2 Transfer Protocol

SSH:Secure Shell

EAP: Extensible Authentication Protocol

PAP: Password Authentication Protocol

IPSec: Internet Protocol Security

MS-CHAP:Microsoft Challenge Handshake Authentication Protocol

CHAP:Challenge Handshake Authentication Protocol

MPPE:Microsoft Point-to-Point Encryption

SPAP: Shiva Password Authentication Protocol

csc@cityu.edu.hk