What is a Virtual Private Network (VPN)?

by Raymond Poon

The Virtual Private Network (VPN) has risen fast to become a major networking technology in just a few years. With a VPN, you can send data across a shared or public network in a manner that emulates a point-to-point private link, between two networks (routers), between two servers, or between a client and a server. This article focuses only on the client-to-server connection mode. In this mode, the remote PC (with VPN client software installed) utilises the existing telecommunications infrastructure (phone lines, broadband services, a dedicated Internet link, etc.) together with a tunneling protocol, combined with authentication and encryption protocols, to securely access resources inside the corporate Intranet through a VPN server.

The following diagram depicts the VPN connection:

[diagram not reproduced]

Why Use VPN?

By using a VPN, enterprises can connect remote users' computers to the corporate network securely over the same untrusted public networks operated by Internet Service Providers, without any additional, expensive private communication link. Because the remote computer is authenticated and its data encrypted before being sent through the tunnel, once a VPN connection has been established the remote computer can logically be treated as a local computer on the corporate LAN; in fact, after successful authentication the remote client is allocated an IP address from the corporate IP address space. Note that this trust rests entirely on the authentication step and on the state of the remote PC: a compromised or poorly maintained remote computer that authenticates successfully gains the same access to the Intranet as a machine on campus, so VPN clients need the same patching and anti-virus discipline as local machines.

How Will CityU Implement its VPN?

Initially, two Cisco VPN servers will be installed between the perimeter firewall and the campus network. Each VPN server is a dedicated network device that can handle hundreds of simultaneous VPN connections in client/server mode.

What is Needed to Remotely Access the Campus Network Through VPN?

To remotely access CityU's Intranet through VPN, the remote PC must have VPN client software installed. Most Windows users can simply use the VPN client that comes with the operating system.

Under Windows, the VPN tunnel is provided by one of two protocols, PPTP or L2TP. PPTP was developed by a vendor consortium led by Microsoft, while L2TP merges PPTP with Cisco's Layer 2 Forwarding protocol and is standardised by the IETF (RFC 2661). Under UNIX or Linux, SSH port forwarding is commonly used for the same purpose; strictly speaking it tunnels individual TCP connections rather than all IP traffic, so it is not a VPN in the PPTP/L2TP sense.

PPTP reuses the authentication protocols of PPP (the protocol used to set up a dial-up connection between two parties), such as EAP, CHAP, PAP and SPAP, to verify the identity of the remote user. If the link is to be encrypted, however, authentication must use EAP (with a key-generating method such as EAP-TLS) or MS-CHAP (preferably MS-CHAP version 2), because only those methods produce the session key that MPPE needs for link encryption (see below). PAP should be avoided in any case, since it sends the password in clear text.

L2TP, like PPTP, provides user authentication and data encryption. In addition, L2TP over IPSec provides mutual computer authentication (each endpoint proves its identity with a certificate or pre-shared key before the user is even asked to log in) and data integrity, which ensures that any change to the data in transit is detected. This is the main security advantage of L2TP/IPSec: IPSec attaches an integrity check to every packet and rejects replayed packets, whereas MPPE only encrypts, and will decrypt a packet that was modified in transit into modified but apparently valid data without noticing. It is worth being precise about what is encrypted. In the client/server mode discussed here, both PPTP/MPPE and L2TP/IPSec provide link encryption, that is, encryption between the VPN client and the VPN server; neither provides end-to-end encryption between the client application and the server hosting the resource or service being accessed. Traffic travels in clear text on the campus network beyond the VPN server, just as it would from a local PC, so services that need end-to-end protection must still use an application-layer protocol such as SSL or SSH. On the other hand, a VPN using L2TP/IPSec is more difficult and complex to configure than one using PPTP, because the IPSec layer needs a machine certificate or pre-shared key on each client in addition to the user's credentials.
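The integrity difference described above, as an added illustration (not code from this article, nor from any real PPTP or IPSec implementation): a toy "MPPE-like" link that only encrypts with RC4 (the cipher MPPE actually uses) beside a toy "ESP-like" link that encrypts with RC4 and then appends a truncated HMAC-SHA1 tag, the encrypt-then-MAC arrangement IPSec ESP uses. The keys, the payload and its field layout are constructed for the example, and the real MPPE and IPSec key derivation and packet framing are omitted. The example generalises beyond VPNs: it shows the bit-flipping weakness of any stream cipher used without an integrity check. An on-path attacker who knows where a numeric field sits in the packet can change it on the encryption-only link without knowing the key, while the same edit is rejected on the link that carries an integrity tag.

```python
"""Why per-packet integrity matters: a stream cipher alone (MPPE uses RC4)
versus encryption plus an integrity check (as IPSec ESP provides).

Added illustration, not code from CityU's article or from the real PPTP/IPSec
implementations. RC4 and HMAC-SHA1 stand in for the MPPE cipher and the ESP
integrity check; key derivation and packet framing are omitted.
"""
import hashlib
import hmac


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# --- MPPE-like link: encryption only ---------------------------------------

def mppe_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return rc4(key, plaintext)


def mppe_like_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # No integrity check: whatever arrives is decrypted and passed upward.
    return rc4(key, ciphertext)


# --- ESP-like link: encrypt, then append an HMAC over the ciphertext -------

TAG_LEN = 12  # ESP's HMAC-SHA1-96 truncates the tag to 96 bits


def esp_like_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ct = rc4(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha1).digest()[:TAG_LEN]
    return ct + tag


def esp_like_decrypt(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Return the plaintext, or None if the integrity check fails."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(enc_key, ct)


# --- An on-path attacker who knows the message layout ----------------------

def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change a known plaintext field without knowing the key.

    With a stream cipher, ct[i] = pt[i] ^ ks[i], so XORing ct[i] with
    old[i] ^ new[i] turns the decrypted byte from old[i] into new[i].
    """
    out = bytearray(ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        out[offset + k] ^= o ^ n
    return bytes(out)


def demo():
    enc_key = b"session-key-from-mschap"   # constructed, not a real MPPE key
    mac_key = b"integrity-key"             # constructed, not a real ESP key
    msg = b"amount=0010 to=alice"          # constructed sample payload
    off = msg.index(b"0010")

    # 1. Encryption-only link: the modified packet decrypts cleanly.
    pkt = mppe_like_encrypt(enc_key, msg)
    tampered = flip_field(pkt, off, b"0010", b"9910")
    mppe_result = mppe_like_decrypt(enc_key, tampered)

    # 2. Encrypt-then-MAC link: the same edit is rejected before decryption.
    pkt2 = esp_like_encrypt(enc_key, mac_key, msg)
    tampered2 = flip_field(pkt2, off, b"0010", b"9910")
    esp_result = esp_like_decrypt(enc_key, mac_key, tampered2)
    untouched = esp_like_decrypt(enc_key, mac_key, pkt2)
    return mppe_result, esp_result, untouched


if __name__ == "__main__":
    m, e, u = demo()
    print("MPPE-like, tampered :", m)   # b'amount=9910 to=alice'
    print("ESP-like, tampered  :", e)   # None (integrity failure)
    print("ESP-like, untouched :", u)   # b'amount=0010 to=alice'
```

The attacker never learns the key or the keystream; knowing only that the digits sit at a fixed offset is enough to rewrite them on the MPPE-like link. Real MPPE also resynchronises its RC4 state per packet, but that does not help here, since the edit is made within a single packet. The ESP-like receiver checks the tag before it decrypts anything, which is why the tampered packet is dropped rather than delivered with altered contents.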

Encapsulation and encryption add roughly 20-30 percent overhead, so if you access campus services through the VPN over a low-speed dial-up connection you can expect slower delivery of service. Nevertheless, reliable file transfer and other basic remote access functions will still work.

When Will CityU's VPN Be Available?

The Computing Services Centre (CSC) is currently conducting a trial run on the VPN. Should you be interested in joining it, please visit the URL below for instructions on how to configure the VPN client software:

http://www.cityu.edu.hk/csc/deptweb/facilities/ctnet/vpn/vpn.htm

It is expected that the VPN service will be available in mid-January 2003.

Acronyms:

VPN: Virtual Private Network
TCP/IP: Transmission Control Protocol/Internet Protocol
PPTP: Point to Point Tunneling Protocol
L2TP: Layer 2 Tunneling Protocol
SSH: Secure Shell
EAP: Extensible Authentication Protocol
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
PAP: Password Authentication Protocol
SPAP: Shiva Password Authentication Protocol
MPPE: Microsoft Point-to-Point Encryption
IPSec: Internet Protocol Security