Virtual networks. VPN connections: what they are and what a VPN channel is for. The concept of a "tunnel" in data transmission over networks

Virtual private network

Most often a virtual network is created by encapsulating the PPP protocol in some other protocol, for example Ethernet (PPP over Ethernet, which "last mile" providers use to deliver Internet access to subscribers).

With a proper implementation and suitable software, a VPN can strongly encrypt the transmitted data. When all components are configured correctly, VPN technology also provides a degree of anonymity on the Web: observers between the client and the VPN server see only the encrypted tunnel, although the VPN operator itself still sees the traffic it carries.

VPN Structure

A VPN consists of two parts: an "internal" (controlled) network, of which there may be several, and an "external" network through which the encapsulated connection passes (usually the Internet). A single computer can also be connected to the virtual network. A remote user connects to the VPN through an access server that is attached to both the internal and the external (public) network. When a remote user connects (or when a connection to another protected network is established), the access server first requires identification and then authentication. After both succeed, the remote user (or remote network) is granted the rights to work in the network, that is, authorization takes place.

VPN classification

VPN solutions can be classified according to several main parameters:

By type of environment used

  • Secure

The most common kind of virtual private network. It makes it possible to build a reliable and protected subnet on top of an untrusted network, usually the Internet. Examples of secure VPN protocols are IPsec and PPTP. Note that PPTP is listed here for historical reasons: its usual authentication method, MS-CHAPv2, has known cryptanalytic weaknesses (Schneier, Mudge and Wagner, 1999), and PPTP should not be relied on for confidentiality today.

  • Trusted

Used when the transmission medium itself can be considered reliable and the only task is to create a virtual subnet within a larger network; security is then not the VPN's concern. Examples of such solutions are MPLS (Multi-protocol Label Switching) and L2TP (Layer 2 Tunnelling Protocol). More precisely, these protocols delegate security to others: L2TP, for example, is usually run together with IPsec (L2TP/IPsec).

By way of implementation

  • In the form of special software and hardware

The VPN is implemented with a dedicated set of software and hardware. This approach gives high performance and, as a rule, a high degree of security.

  • As a software solution

A general-purpose computer running special software provides the VPN functionality.

  • Integrated Solution

The VPN functionality is provided by a combined device that also performs network traffic filtering, firewalling and quality-of-service management.

By purpose

  • Intranet VPN

Used to combine several geographically distributed branches of one organization into a single secure network that exchanges data over open communication channels.

  • Remote Access VPN

Used to create a secure channel between a corporate network segment (the central office or a branch) and a single user who, working from home, connects to corporate resources from a home computer, a corporate laptop, a smartphone or an Internet kiosk.

  • Extranet VPN

Used for networks to which "external" users (for example, customers or clients) connect. The level of trust in them is much lower than in the company's own employees, so special "frontiers" of protection are needed that prevent or limit such users' access to particularly valuable, confidential information.

  • Internet VPN

Used by providers to give subscribers access to the Internet.

  • Client/Server VPN

It protects data transmitted between two nodes (not networks) of a corporate network. The peculiarity of this option is that the VPN is built between nodes that are usually located in the same network segment, for example between a workstation and a server. Such a need arises very often when several logical networks have to be created, for example when the traffic of the financial department and of the human resources department, which access servers in the same physical segment, must be kept apart. This option is similar to VLAN technology, but instead of separating the traffic it encrypts it.

By type of protocol

There are implementations of virtual private networks for TCP/IP, IPX and AppleTalk. Today, however, there is a general trend towards TCP/IP, and the vast majority of VPN solutions support it.

By network protocol level

VPNs are also classified by the layer of the ISO/OSI reference model at which the tunnel operates: link-layer tunnels (PPTP, L2TP), network-layer tunnels (IPsec) and tunnels built on a transport- or session-layer protocol (SSL/TLS-based VPNs such as OpenVPN).

VPN Examples

Many major providers offer their VPN services for business customers.

Literature

  • Ivanov M. A. Cryptographic methods information protection in computer systems and networks. - M.: KUDITS-OBRAZ, 2001. - 368 p.
  • Kulgin M. Technologies of corporate networks. Encyclopedia. - St. Petersburg: Peter, 2000. - 704 p.
  • Olifer V. G., Olifer N. A. Computer networks. Principles, technologies, protocols: A textbook for universities. - St. Petersburg: Peter, 2001. - 672 p.
  • Romanets Yu. V., Timofeev PA, Shangin VF Protection of information in computer systems and networks. 2nd ed. - M: Radio and communication, 2002. -328 p.
  • Stallings W. Fundamentals of network protection. Applications and Standards = Network Security Essentials. Applications and Standards. - M.: "Williams", 2002. - S. 432. - ISBN 0-13-016093-8
  • Virtual Private Network Products [ Electronic document] - http://www.citforum.ru/nets/articles/vpn_tab.shtml
  • Anita Karve Real virtual opportunities//LAN. - 1999.- No. 7-8 http://www.osp.ru/lan/1999/07-08/107.htm
  • Linux’s answer to MS-PPTP [Electronic document] / Peter Gutmann. - http://www.cs.auckland.ac.nz/~pgut001/pubs/linux_vpn.txt
  • Joel Snyder VPN: a shared market // Networks. - 1999.- No. 11 http://www.citforum.ru/nets/articles/vpn.shtml
  • VPN Primer [Electronic Document] - www.xserves.com/downloads/anexgate/VPNPrimer.pdf
  • PKI or PGP? [Electronic document] / Natalya Sergeeva. - http://www.citforum.ru/security/cryptography/pki_pgp/
  • IPSec - protocol for protecting network traffic at the IP level [Electronic document] / Stanislav Korotygin. - http://www.ixbt.com/comm/ipsecure.shtml
  • OpenVPN FAQ [Electronic Document] - http://openvpn.net/faq.html
  • Purpose and structure of encryption algorithms [Electronic document] / Panasenko Sergey. - http://www.ixbt.com/soft/alg-encryption.shtml
  • On modern cryptography [Electronic document] / V. M. Sidelnikov. - http://www.citforum.ru/security/cryptography/crypto/
  • Introduction to Cryptography / Ed. V. V. Yashchenko. - M.: MTsNMO, 2000. - 288 from http://www.citforum.ru/security/cryptography/yaschenko/
  • Security pitfalls in cryptography [Electronic document] / Bruce Schneier. - http://www.citforum.ru/security/cryptography/pitfalls.shtml
  • IPSec: a panacea or a forced measure? [Electronic document] / Yevgeny Patiy. - http://citforum.ru/security/articles/ipsec_standard/
  • VPN and IPSec at your fingertips [Electronic document] / Dru Lavigne. - http://www.nestor.minsk.by/sr/2005/03/050315.html
  • A Framework for IP Based Virtual Private Networks [Electronic document] / B. Gleeson, A. Lin, J. Heinanen. - http://www.ietf.org/rfc/rfc2764.txt
  • OpenVPN and the SSL VPN Revolution [Electronic Document] / Charlie Hosner. - http://www.sans.org/rr/whitepapers/vpns/1459.php
  • Markus Feilner New Generation Virtual Private Networks // LAN.- 2005.- No. 11
  • What is SSL [Electronic document] / Maxim Drogaytsev. - http://www.ods.com.ua/win/rus/security/ssl.html
  • Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2) [Electronic Document] / Bruce Schneier. - http://www.schneier.com/paper-pptpv2.html
  • Point to Point Tunneling Protocol (PPTP) Technical Specifications [Electronic Document] / Kory Hamzeh, Gurdeep Singh Pall, William Verthein, Jeff Taarud, W. Andrew Little. - http://infodeli.3com.com/infodeli/tools/remote/general/pptp/pptp.htm
  • Ryan Norman Choosing a VPN Protocol // Windows IT Pro. - 2001. - No. 7 http://www.osp.ru/win2000/2001/07/010.htm
  • MPLS: a new order in IP networks? [Electronic document] / Tom Nolle. - http://www.emanual.ru/get/3651/
  • Layer Two Tunneling Protocol "L2TP" [Electronic document] / W. Townsley, A. Valencia, A. Rubens. - http://www.ietf.org/rfc/rfc2661.txt
  • Alexey Lukatsky Unknown VPN // Computer Press. - 2001. - No. 10 http://abn.ru/inf/compress/network4.shtml
  • First brick in the wall VPN Overview entry-level VPN devices [Electronic document] / Valery Lukin. - http://www.ixbt.com/comm/vpn1.shtml
  • Overview of VPN hardware [Electronic document] - http://www.networkaccess.ru/articles/security/vpn_hardware/
  • Pure hardware VPNs rule high-availability tests [Electronic document] / Joel Snyder, Chris Elliott. - http://www.networkworld.com/reviews/2000/1211rev.html
  • VPN: Type of VPN [Electronic Document] - http://www.vpn-guide.com/type_of_vpn.htm
  • KAME FAQ [Electronic Document] - http://orange.kame.net/dev/cvsweb2.cgi/kame/FAQ?rev=HEAD&content-type=text/x-cvsweb-markup
  • Features of the Russian VPN market [Electronic document] - http://www.cnews.ru/reviews/free/security2006/articles/vpnmarket/
  • Domestic means of building virtual private networks [?] / I. Gvozdev, V. Zaichikov, N. Moshak, M. Pelenitsyn, S. Seleznev, D. Shepelyavy
  • Sergey Petrenko Secure virtual private network: a modern view on the protection of confidential data // Internet World. - 2001. - No. 2

A virtual local area network (VLAN) is a group of network nodes whose traffic, including broadcasts, is completely isolated at the link layer from the traffic of other network nodes.

Fig. 14.10. Virtual local area networks.

This means that a frame cannot be forwarded between different virtual networks on the basis of its link-layer address, whatever the type of that address (unicast, multicast or broadcast). Within a virtual network, frames are forwarded by switching, that is, only to the port associated with the frame's destination address.

VLANs can overlap if one or more computers belong to more than one VLAN. In Fig. 14.10 the email server belongs to virtual networks 3 and 4, which means that the switches deliver its frames to all computers in both networks. If a computer belongs only to virtual network 3, its frames do not reach network 4, but it can interact with the computers of network 4 through the shared mail server. Such a scheme does not fully protect the virtual networks from each other: a broadcast storm originating at the email server floods both network 3 and network 4.

A virtual network is said to form a broadcast domain, by analogy with the collision domain formed by Ethernet repeaters.

      Purpose of virtual networks

As the example in the previous section showed, custom filters can intervene in the normal operation of switches and restrict the interaction of LAN nodes according to the required access rules. However, the custom-filter mechanism of switches has several drawbacks:

    Separate conditions have to be set for each network node, using cumbersome MAC addresses. It would be much easier to group nodes and describe the interaction rules for whole groups at once.

    Broadcast traffic cannot be blocked. Broadcast traffic can make a network unavailable if one of its nodes, intentionally or through a fault, generates broadcast frames at a high rate.

The technique of virtual local networks solves the problem of limiting the interaction of network nodes in a different way.

The main purpose of VLAN technology is to facilitate the creation of isolated networks, which are then usually interconnected using routers. This network design creates powerful barriers to unwanted traffic from one network to another. Today it is considered obvious that any large network must include routers, otherwise streams of erroneous frames, such as broadcasts, will periodically “flood” the entire network through switches that are transparent to them, bringing it to an inoperable state.

The advantage of virtual network technology is that it allows you to create completely isolated network segments by logically configuring switches without resorting to changing the physical structure.

Before the advent of VLAN technology, either physically isolated coaxial cable segments or unconnected segments built on repeaters and bridges were used to create a separate network. Then these networks were connected by routers into a single composite network (Fig. 14.11).

Changing the composition of segments (moving a user to another network, splitting a large segment) with this approach meant physically re-plugging connectors on the front panels of repeaters or on patch panels, which is inconvenient in large networks: a lot of physical work, and a high probability of error.

Fig. 14.11. Composite network consisting of networks built on repeaters

Linking virtual networks into a common network requires network-layer facilities. These can be implemented in a separate router or as part of the switch software, which then becomes a combined device, the so-called layer 3 switch.

Virtual network technology has not been standardized for a long time, although it has been implemented in a very wide range of switch models different manufacturers. The situation changed after the adoption in 1998 of the IEEE 802.1Q standard, which defines the basic rules for building virtual local networks that do not depend on the link layer protocol supported by the switch.

      Creating virtual networks based on a single switch

When virtual networks are created on a single switch, the port grouping mechanism is usually used (Fig. 14.12): each port is assigned to a particular virtual network. A frame arriving from a port that belongs, for example, to virtual network 1 will never be forwarded to a port that does not belong to that virtual network. A port can be assigned to several virtual networks, although in practice this is rarely done, because the complete isolation of the networks is then lost.

Creating virtual networks by grouping ports requires little manual work from the administrator: it is enough to assign each port to one of several pre-named virtual networks. Typically this is done with a program supplied with the switch.

The second way to form virtual networks is based on grouping MAC addresses. Each MAC address learned by the switch is assigned to a particular virtual network. When the network has many nodes, this method requires a lot of manual work from the administrator. However, when virtual networks are built on multiple switches, it is more flexible than port grouping.

Fig. 14.12. Virtual networks built on a single switch

      Create virtual networks based on multiple switches

Figure 14.13 illustrates the problem that arises when virtual networks are built on multiple switches that support only the port grouping technique.

Fig. 14.13. Building virtual networks on multiple switches with port grouping

If the nodes of a virtual network are attached to different switches, a dedicated pair of ports must be allocated on the switches to connect each such network. Thus, switches that use port grouping need as many inter-switch ports as they support VLANs, which wastes ports and cables. In addition, when the virtual networks are connected through a router, each virtual network needs its own cable and its own router port, which adds further overhead.

Grouping MAC addresses into a virtual network on each switch removes the need to link the switches through multiple ports, because the MAC address itself becomes the virtual network label. However, this method requires a lot of manual work to mark the MAC addresses on every switch in the network.

The two approaches described so far only add information to the switch's address tables; they cannot embed information about a frame's VLAN membership into the frame itself. Other approaches use existing or additional fields of the frame to record which virtual local area network it belongs to as it moves between the network's switches. In that case each switch no longer has to remember which virtual network every MAC address of the composite network belongs to.

The additional field carrying the virtual network number is used only when a frame is passed from switch to switch and is usually removed when the frame is delivered to an end node. Only the switch-to-switch protocol is thus modified; the software and hardware of the end nodes remain unchanged.

For Ethernet, the IEEE 802.1Q standard introduces an additional header called the VLAN tag.

The VLAN tag is optional for Ethernet frames. A frame carrying such a header is called a tagged frame. Switches can work with tagged and untagged frames simultaneously. The tag adds 4 bytes to the frame; the companion IEEE 802.3ac amendment raised the maximum Ethernet frame length from 1518 to 1522 bytes so that the maximum size of the data field did not have to shrink, although older equipment that still enforces the 1518-byte limit may drop maximum-size tagged frames.

So that LAN equipment can recognize tagged frames, a special EtherType value of 0x8100 was introduced for them (the tag protocol identifier, TPID). This value indicates that it is followed by a TCI (Tag Control Information) field rather than a standard data field. Note that in a tagged frame the VLAN tag is followed by another EtherType field indicating the protocol carried in the data field of the frame.

The TCI field contains a 12-bit VLAN identifier, the VID, alongside a 3-bit priority field and a 1-bit flag (originally CFI, now DEI). The width of the VID field gives 4096 values, of which 0 (a priority-tagged frame with no VLAN) and 4095 are reserved, so switches can create up to 4094 virtual networks.

Using the VID value in tagged frames, network switches perform group traffic filtering, dividing the network into virtual segments, that is, into VLANs. To support this mode, each switch port is assigned to one or more VLANs, that is, port grouping is performed.

To simplify network configuration, the 802.1Q standard introduces the concepts of access line and trunk.

An access line connects a switch port (called an access port in this case) to a computer that belongs to some VLAN.

A trunk is a communication line that connects the ports of two switches; in the general case, the traffic of several virtual networks is transmitted through the trunk.

To create a VLAN in the original network, first choose a VID value for it other than 1, and then, with the switch configuration commands, assign to that network the ports to which the computers included in it are attached. An access port can belong to only one VLAN.

Access ports receive untagged frames from network endpoints and tag them with a VLAN tag containing the VID value assigned to that port. When tagged frames are sent to the end node, the access port removes the VLAN tag.

For a more visual description, let's return to the previously discussed network example. Fig. 14.15 shows how the problem of selective access to servers is solved based on the VLAN technique.

Fig. 14.15. Splitting a network into two VLANs

To solve this problem, two virtual local area networks can be organized in the network, VLAN2 and VLAN3 (recall that VLAN1 already exists by default: it is the original network); one set of computers and servers is assigned to VLAN2 and the other to VLAN3.

To assign end nodes to a specific VLAN, the corresponding ports are declared access ports of that network by assigning them the appropriate VID. For example, port 1 of switch SW1 is declared an access port of VLAN2 by assigning it VID 2; the same is done with port 5 of switch SW1, port 1 of switch SW2 and port 1 of switch SW3. The VLAN3 access ports are assigned VID 3.

Trunks, the communication lines that connect switch ports, also have to be organized in our network. Ports attached to trunks neither add nor remove tags; they forward frames as they are. In our example these are port 6 of switches SW1 and SW2 and ports 3 and 4 of switch SW3. These ports must support VLAN2 and VLAN3 (and VLAN1 if the network has hosts not explicitly assigned to any VLAN).

Switches that support VLAN technology perform additional traffic filtering. When the forwarding table says that an incoming frame must be sent to a certain port, the switch first checks whether the VID in the frame's VLAN tag matches the VLAN assigned to that port. If it matches, the frame is forwarded; if not, it is discarded. Untagged frames are handled the same way but with the conventional VLAN1. MAC addresses are learned by the switches separately for each VLAN.
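The tagging and forwarding rules just described, as an added example that is not code from the page or from any switch vendor: a small Python model of an 802.1Q-aware switch. It builds and parses tagged frames (TPID 0x8100, TCI with PCP and VID), tags untagged frames arriving on access ports, forwards tagged frames on trunks, checks the VID against the egress port before forwarding, and learns MAC addresses separately per VLAN. The ports, MAC addresses and frames in the demo are constructed for the example, and the port-to-VLAN layout of SW1 used there is an assumption, not the page's figure.

```python
# Added example, not code from the page: an 802.1Q-aware switch model.
# Frames, MAC addresses and the port-to-VLAN layout are constructed here.
import struct

TPID_8021Q = 0x8100      # EtherType value announcing a VLAN tag (TPID)
ETHERTYPE_IPV4 = 0x0800
VID_DEFAULT = 1          # untagged frames are treated as VLAN 1


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:   # VID 0 and 4095 are reserved
        raise ValueError("VID must be in 1..4094")
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, pcp, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, 0, etype, frame[14:]
    tci, etype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, etype, frame[18:]


class VlanSwitch:
    """Port-grouped VLAN switch: access ports tag/untag, trunks carry the tag."""

    def __init__(self):
        self.access = {}   # port -> VID
        self.trunk = {}    # port -> set of VIDs allowed on that trunk
        self.fdb = {}      # (VID, MAC) -> port: addresses are learned per VLAN

    def add_access(self, port, vid):
        self.access[port] = vid

    def add_trunk(self, port, vids):
        self.trunk[port] = set(vids)

    def _ingress_vid(self, port, tag_vid):
        """VLAN the frame belongs to on ingress, or None if it must be dropped."""
        if port in self.access:
            # an access port accepts untagged frames only
            return self.access[port] if tag_vid is None else None
        if port in self.trunk:
            vid = VID_DEFAULT if tag_vid is None else tag_vid
            return vid if vid in self.trunk[port] else None
        return None

    def receive(self, port, frame):
        """Process one ingress frame; return {egress_port: frame_bytes}."""
        dst, src, tag_vid, pcp, etype, payload = parse_frame(frame)
        vid = self._ingress_vid(port, tag_vid)
        if vid is None:
            return {}
        self.fdb[(vid, src)] = port                    # learning, keyed by VLAN
        known = self.fdb.get((vid, dst))
        candidates = [known] if known is not None else list(self.access) + list(self.trunk)
        out = {}
        for p in candidates:
            if p == port:
                continue
            if self.access.get(p) == vid:              # access port: strip the tag
                out[p] = build_frame(dst, src, etype, payload)
            elif vid in self.trunk.get(p, ()):         # trunk: forward with the tag
                out[p] = build_frame(dst, src, etype, payload, vid=vid, pcp=pcp)
        return out


def demo():
    """Constructed scenario: SW1 with access ports in VLAN2/VLAN3 and one trunk."""
    sw = VlanSwitch()
    sw.add_access(1, 2)                 # host A on port 1, VLAN2
    sw.add_access(2, 3)                 # host B on port 2, VLAN3
    sw.add_trunk(6, {1, 2, 3})          # port 6: trunk to the other switches
    a = bytes.fromhex("02000000000a")
    b = bytes.fromhex("02000000000b")
    c = bytes.fromhex("02000000000c")   # VLAN3 host reached through the trunk
    bcast = b"\xff" * 6
    return {
        # A broadcasts: only VLAN2 members and the trunk see it, never B
        "a_broadcast": sw.receive(1, build_frame(bcast, a, ETHERTYPE_IPV4, b"arp")),
        # C reaches B through the trunk: the access port removes the tag
        "c_to_b": sw.receive(6, build_frame(b, c, ETHERTYPE_IPV4, b"hi", vid=3)),
        # B replies: C was learned in VLAN3, so only the trunk gets the frame
        "b_to_c": sw.receive(2, build_frame(c, b, ETHERTYPE_IPV4, b"re")),
        # a tag for a VLAN the trunk does not carry is discarded
        "vid7_dropped": sw.receive(6, build_frame(bcast, c, ETHERTYPE_IPV4, b"x", vid=7)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, {p: parse_frame(f)[2] for p, f in result.items()})
```

The model deliberately drops tagged frames arriving on an access port: accepting them would let a host choose its own VLAN by sending a crafted tag, which is the classic VLAN-hopping concern behind the page's advice that access ports tag and untag on the host's behalf.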

The VLAN technique turns out to be very effective for delimiting access to servers. Configuring a virtual local area network does not require knowledge of the nodes' MAC addresses, and any change in the network, such as moving a computer to another switch, requires configuring only the port of that switch; all other switches keep working without changes to their configuration.

Virtual private networks (VPNs) are attracting a lot of attention from network service providers, Internet providers and corporate users alike. Infonetics Research predicted that the VPN market would grow by more than 100% annually through 2003 and reach $12 billion.

Before discussing the popularity of VPNs, let me recall that ordinary private (corporate) data networks are built, as a rule, on leased (dedicated) channels of the public switched telephone networks. For many years these private networks were designed around specific corporate requirements, which led to proprietary protocols supporting proprietary applications (although Frame Relay and ATM have recently gained popularity). Dedicated channels give reliable protection of confidential information, but the other side of the coin is high operating cost and difficulty in expanding the network, not to mention the inability of a mobile user to connect from an unplanned location. Modern business, meanwhile, is characterized by a highly dispersed and mobile workforce: more and more users need access to corporate information over dial-up lines, and the number of employees working from home keeps growing.

Furthermore, private networks cannot provide the business opportunities that the Internet and IP-based applications offer, such as product promotion, customer support or continuous communication with suppliers. Such online interaction requires interconnecting private networks that typically use different protocols and applications, different network management systems and different communication service providers.

Thus the high cost, static nature and difficulty of combining private networks built on different technologies conflict with dynamically developing business, its drive towards decentralization and the recent trend towards mergers.

At the same time there exist public data networks free of these shortcomings, and the Internet, which has literally enveloped the globe with its "web". They lack, however, the most important advantage of private networks: reliable protection of corporate information. Virtual private network technology combines the flexibility, scalability, low cost and "anytime, anywhere" availability of the Internet and public networks with the security of private networks. In essence, VPNs are private networks that use public wide-area networks (the Internet, Frame Relay, ATM). The virtuality lies in the fact that, to the corporate user, they look like dedicated private networks.

COMPATIBILITY

Compatibility problems do not arise when a VPN uses Frame Relay and ATM services directly, since these are well adapted to multiprotocol environments and suit both IP and non-IP applications. All that is needed is a suitable network infrastructure covering the required geographical area. The access devices most commonly used are Frame Relay access devices (FRADs) or routers with Frame Relay and ATM interfaces. Numerous permanent or switched virtual circuits can carry (virtually) any mix of protocols and topologies. Matters become more complicated when the VPN is built on the Internet: then the applications must be IP-compatible. Provided that requirement is met, the Internet can be used "as is" to build a VPN, once the necessary level of security has been arranged. But since most private networks are multiprotocol or use unofficial, internal IP addresses, they cannot connect directly to the Internet without some adaptation. There are many compatibility solutions; the most popular are the following:
- translation of existing protocols (IPX, NetBEUI, AppleTalk or others) into IP with official addresses;
- translation of internal IP addresses into official IP addresses;
- installation of special IP gateways on servers;
- use of virtual IP routing;
- use of a universal tunnelling technique.
The first method is self-explanatory, so let us briefly look at the others.
Translating internal IP addresses into official ones is necessary when the private network is based on IP. Address translation for the whole corporate network is not required, since official IP addresses can coexist with internal ones on the enterprise's switches and routers; in other words, a server with an official IP address remains reachable by private-network clients through the local infrastructure. The most common technique is sharing a small block of official addresses among many users. It resembles sharing a modem pool in that it also relies on the assumption that not all users need Internet access at the same time. Two industry standards apply here, the Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT), and their approaches differ slightly: DHCP "leases" an address to a host for a period set by the network administrator, whereas NAT translates an internal IP address into an official one dynamically, for the duration of a communication session with the Internet.

Another way to make a private network compatible with the Internet is to install an IP gateway, which translates non-IP protocols into IP and back. Most network operating systems that use native protocols have IP gateway software.

The essence of virtual IP routing is to extend the private routing tables and address space to the infrastructure (routers and switches) of the ISP. A virtual IP router is a logical part of a physical IP router owned and operated by a service provider. Each virtual router serves a specific group of users.
Perhaps the best way to achieve interoperability, however, is tunnelling. Tunnelling techniques have long been used to carry a multiprotocol packet stream over a shared backbone, and this proven technology is now being optimized for Internet-based VPNs.
The main components of a tunnel are:
- a tunnel initiator;
- a routed network;
- a tunnel switch (optional);
- one or more tunnel terminators.
Tunneling must be performed at both ends of the end-to-end link. The tunnel must start with a tunnel initiator and end with a tunnel terminator. Initialization and termination of tunnel operations can be performed by various network devices and software. For example, a tunnel can be initiated by a remote user's computer that has a modem and necessary VPN software installed, a front-end router at a corporate branch office, or a network access concentrator at a service provider.

To carry packets of non-IP network protocols over the Internet, the sending side encapsulates them in IP packets. The most common way of building VPN tunnels is to encapsulate the non-IP packet in a PPP (Point-to-Point Protocol) frame and then encapsulate that in an IP packet. Recall that PPP is used for point-to-point links, for example between a client and a server. IP encapsulation consists of prepending a standard IP header to the original packet, which is thereafter treated simply as payload; the corresponding process at the other end of the tunnel removes the IP header and leaves the original packet unchanged. Because the tunnelling technique is quite simple, it is also the cheapest. Note that encapsulation by itself provides neither confidentiality nor integrity for the inner packet; those are the job of the security protocols discussed below.
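The encapsulation step just described, as an added example that is not code from the page: a Python tunnel initiator that prepends a standard IPv4 header to an arbitrary inner packet, and a tunnel terminator that validates the outer header and strips it, returning the inner packet unchanged. It uses IP protocol number 4 (IP-in-IP, RFC 2003) for the outer header; PPTP, which the text alludes to, carries the PPP frame inside GRE instead. The tunnel endpoint addresses and the inner packet bytes are constructed for the example.

```python
# Added example, not code from the page: IP-in-IP encapsulation (RFC 2003)
# as performed by a tunnel initiator and undone by a tunnel terminator.
# Tunnel endpoint addresses and the inner packet are constructed here.
import ipaddress
import struct

IPPROTO_IPIP = 4      # outer-header protocol number for "IP in IP"


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner, outer_src, outer_dst, proto=IPPROTO_IPIP, ttl=64, ident=0):
    """Tunnel initiator: prepend a 20-byte IPv4 header; inner becomes opaque payload."""
    total_len = 20 + len(inner)
    if total_len > 0xFFFF:
        raise ValueError("inner packet too large for one IPv4 datagram")
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, ident, 0x4000,   # v4/IHL=5, TOS, len, id, DF
                      ttl, proto, 0,                       # TTL, protocol, checksum=0
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate(packet, expected_dst, expected_proto=IPPROTO_IPIP):
    """Tunnel terminator: validate the outer header, return (outer_src, inner)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("outer header checksum failed")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    if packet[9] != expected_proto:
        raise ValueError("unexpected protocol %d" % packet[9])
    dst = ipaddress.IPv4Address(packet[16:20])
    if dst != ipaddress.IPv4Address(expected_dst):
        raise ValueError("packet is not addressed to this tunnel endpoint")
    src = ipaddress.IPv4Address(packet[12:16])
    return str(src), packet[ihl:total_len]


# Constructed inner packet: stands in for a PPP-framed non-IP packet.
SAMPLE_INNER = b"\xff\x03\x00\x2b" + b"IPX payload, opaque to the routed network"


def demo():
    """Round trip through the tunnel between two constructed endpoint addresses."""
    wire = encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.7")
    outer_src, inner = decapsulate(wire, "198.51.100.7")
    return wire, outer_src, inner


if __name__ == "__main__":
    wire, outer_src, inner = demo()
    print(len(wire), outer_src, inner == SAMPLE_INNER)
```

The header checksum only detects accidental corruption; anyone on the path can rewrite the outer header and recompute it, and the inner packet travels in the clear. A terminator that trusts the outer source address as proof of where a packet came from is therefore trusting nothing, which is why the security protocols in the next section authenticate the tunnel rather than rely on encapsulation alone.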

SECURITY

Ensuring the required level of security is often the first concern when a corporation considers an Internet-based VPN. Many IT managers are used to the inherent privacy of private networks and regard the Internet as too "public" to serve as one. In English terminology there are three "P"s which together provide complete protection of information:
Protection: protection of resources with firewalls;
Proof: verification of packet integrity and authentication of the sender (confirmation of the right of access);
Privacy: protection of confidential information by encryption.
All three P's are equally important for any corporate network, including a VPN. In strictly private networks, fairly simple passwords were traditionally considered sufficient to protect resources and the confidentiality of information. But once a private network is connected to a public one, such measures provide none of the three P's adequately. Therefore, in any VPN, firewalls must be installed at every point where it meets the public network, and packets must be both encrypted and authenticated.

Firewalls are an indispensable component of any VPN. They admit only authorized traffic from trusted users and block everything else; in other words, all access attempts by unknown or untrusted users are rejected. This protection must be provided at every site and for every user, since not having it somewhere means not having it anywhere. Special protocols are used to secure virtual private networks: they let hosts "negotiate" the encryption and digital signature (or message authentication) techniques to be used, thereby maintaining data confidentiality and integrity and authenticating the user.

The Microsoft Point-to-Point Encryption protocol (MPPE) encrypts PPP frames on the client machine before they are sent into the tunnel. The encryption session is negotiated during PPP link establishment with the tunnel terminator (through PPP's Compression Control Protocol, CCP). MPPE uses the RC4 stream cipher with keys derived from the MS-CHAP authentication exchange, so it is no stronger than that exchange.

IP Security (IPsec) is a set of standards developed by the Internet Engineering Task Force (IETF); when this article was written they were still preliminary drafts. The working group proposed two protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH adds a header carrying an integrity check value (a keyed hash, not a digital signature in the public-key sense) that authenticates the sender and detects any modification in transit; it does not encrypt, and it covers the immutable fields of the IP header, including both addresses, as well as the payload. ESP, on the other hand, encrypts and can also authenticate the data. Both protocols can operate in tunnel mode (the whole original IP packet is protected and a new outer IP header is added) or in transport mode (only the data above the IP header is protected, while the original header stays in the clear). The protocols can be used separately or in combination.
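As an added example (not code from the page or from any IPsec implementation) of what AH actually covers: an AH transport-mode integrity check in Python with the RFC 4302 header layout and HMAC-SHA-256 truncated to 128 bits (the RFC 4868 variant). The key, SPI, sequence number and packet bytes are constructed; a real IPsec stack also keeps an anti-replay window on the sequence number and negotiates the key with IKE, both omitted here.

```python
# Added example, not code from the page: an AH transport-mode integrity check.
# Header layout per RFC 4302, HMAC-SHA-256-128 per RFC 4868. Key, SPI, sequence
# number and packet bytes are constructed; anti-replay tracking is omitted.
import hashlib
import hmac
import struct

IPPROTO_AH = 51
AH_FIXED_LEN = 12          # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 16               # HMAC-SHA-256 truncated to 128 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0):
    """Minimal 20-byte IPv4 header with the checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                       0x4000, ttl, proto, 0, src, dst)


def _immutable_view(hdr):
    """Copy of the IPv4 header with the fields AH treats as mutable zeroed."""
    h = bytearray(hdr)
    h[1] = 0                    # TOS / DSCP
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL, decremented by every router
    h[10:12] = b"\x00\x00"      # header checksum, recomputed on every hop
    return bytes(h)             # addresses (bytes 12..19) stay covered


def _icv(key, hdr, ah_fixed, upper):
    covered = _immutable_view(hdr) + ah_fixed + bytes(ICV_LEN) + upper
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, ip_hdr, upper, next_header):
    """Insert an AH header between the IP header and the upper-layer data."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2      # AH length in words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    hdr = bytearray(ip_hdr)
    hdr[9] = IPPROTO_AH
    hdr[2:4] = struct.pack("!H", 20 + AH_FIXED_LEN + ICV_LEN + len(upper))
    hdr = bytes(hdr)
    return hdr + ah_fixed + _icv(key, hdr, ah_fixed, upper) + upper


def ah_verify(key, packet):
    """Return (spi, seq, next_header, upper_data); raise ValueError on failure."""
    hdr = packet[:20]
    if len(packet) < 20 + AH_FIXED_LEN + ICV_LEN or hdr[9] != IPPROTO_AH:
        raise ValueError("not an AH packet")
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    if payload_len != (AH_FIXED_LEN + ICV_LEN) // 4 - 2:
        raise ValueError("unexpected AH length")
    icv = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    upper = packet[20 + AH_FIXED_LEN + ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, hdr, ah_fixed, upper)):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    return spi, seq, next_header, upper


if __name__ == "__main__":
    key = bytes(range(32))                                   # constructed key
    hdr = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, 4)
    pkt = ah_protect(key, 0x1000, 1, hdr, b"data", 6)
    print(ah_verify(key, pkt))
    hop = bytearray(pkt)
    hop[8] -= 1                                              # a router decremented TTL
    print("after one hop:", ah_verify(key, bytes(hop))[3])
```

The point of zeroing only the mutable fields is visible in the two checks a practitioner would try: a router decrementing the TTL does not break the ICV, but flipping one bit of the source or destination address does. This is also why AH does not survive NAT, which rewrites exactly the fields AH authenticates; ESP with its authentication option is what is used across address translators.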

To manage security, the industry standard RADIUS (Remote Authentication Dial-In User Service) is used, which is a database of user profiles that contain passwords (authentication) and access rights (authorization).

The security features are far from being limited to the examples given. Many router and firewall manufacturers offer their own solutions. Among them are Ascend, CheckPoint and Cisco.

AVAILABILITY

Availability has three equally important components: service time, throughput, and latency. Service time is the subject of the contract with the service provider, while the other two are elements of quality of service (QoS). Modern transport technologies make it possible to build a VPN that meets the requirements of almost all existing applications.

CONTROLLABILITY

Network administrators always want end-to-end management of the corporate network, including the part that belongs to the telecommunications carrier. VPNs turn out to offer more options here than ordinary private networks. Typical private networks are administered "border to border": the service provider manages the network up to the corporate network's edge routers, while the subscriber manages the corporate network itself up to the WAN access devices. VPN technology avoids this division of "spheres of influence" by giving both the provider and the subscriber a single system for managing the network as a whole, both its corporate part and the infrastructure of the public network. The enterprise network administrator can monitor and reconfigure the network, manage the edge access devices, and determine the network status in real time.

VPN ARCHITECTURE

There are three architectural models for virtual private networks: dependent, independent, and hybrid, the last being a combination of the first two. Which model applies is determined by where the four main VPN requirements are implemented. If a wide-area network service provider delivers the complete VPN solution, i.e. provides tunneling, security, performance and management, the architecture is dependent on that provider. In this case all VPN processes are transparent to the user, who sees only native traffic: IP, IPX, or NetBEUI packets. The advantage of the dependent architecture for the subscriber is that the existing network infrastructure can be used "as is", adding only a firewall between the VPN and the private WAN/LAN.

Independent architecture is implemented when the organization provides all technological requirements on its equipment, delegating only transport functions to the service provider. This architecture is more expensive, but gives the user full control over all operations.

The hybrid architecture combines sites that depend on the service provider with sites that are independent of it (i.e. managed by the organization itself).

What do VPNs promise corporate users? First of all, according to industry analysts, a reduction in costs for all types of telecommunications of 30 to 80%. Then there is almost ubiquitous access to the networks of a corporation or other organizations, secure communications with suppliers and customers, improved and extended services not available on PSTN networks, and much more. Specialists see VPNs as a new generation of network communications, and many analysts believe that VPNs will soon replace most private networks based on leased lines.

In addition to its main purpose, increasing the bandwidth of connections in the network, the switch makes it possible to localize information flows and to control and manage those flows using a custom filter mechanism. However, the user filter can only prevent frames from being forwarded to specific addresses; it still forwards broadcast traffic to all network segments. This is how the bridge algorithm implemented in the switch works, which is why networks built on bridges and switches are sometimes called flat: there are no barriers to broadcast traffic.

Introduced a few years ago, the technology of virtual local area networks (Virtual LAN, VLAN) overcomes this limitation. A virtual network is a group of network nodes whose traffic, including broadcast traffic, is completely isolated from other nodes at the data link layer (see Figure 1). This means that direct frame transfer between different virtual networks is not possible, regardless of the type of address - unique, multicast or broadcast. At the same time, within the virtual network, frames are transmitted in accordance with the switching technology, i.e., only to the port to which the frame's destination address is assigned.

Virtual networks can overlap if one or more computers are included in more than one virtual network. In Figure 1, the e-mail server is part of virtual networks 3 and 4, so the switches send its frames to all computers that are members of these networks. If a computer is assigned only to virtual network 3, its frames will not reach network 4, but it can interact with computers in network 4 through the shared mail server. This scheme does not completely isolate the virtual networks from each other: a broadcast storm initiated by the e-mail server, for example, will overwhelm both network 3 and network 4.

A virtual network is said to form a broadcast domain, by analogy with the collision domain formed by the repeaters of an Ethernet network.

VLAN ASSIGNMENT

VLAN technology makes it easy to create isolated networks that communicate through routers that support a network layer protocol such as IP. This solution creates much more powerful barriers to erroneous traffic from one network to another. Today it is believed that any large network must include routers, otherwise the streams of erroneous frames, in particular broadcasts, through switches transparent to them, will periodically “flood” it entirely, resulting in an inoperable state.

Virtual network technology provides a flexible basis for building a large network connected by routers, since switches allow you to create completely isolated segments programmatically without resorting to physical switching.

Before the advent of VLAN technology, a single network was deployed either with physically isolated lengths of coaxial cable or unconnected segments based on repeaters and bridges. Then the networks were combined through routers into a single composite network (see Figure 2).

With this approach, changing the composition of segments (moving a user to another network, splitting large segments) meant physically reconnecting connectors on the front panels of repeaters or in patch panels, which is inconvenient in large networks: the job is time-consuming and the probability of error is high. To eliminate the need for physical re-patching of nodes, multi-segment hubs came into use, so that the composition of a shared segment could be reprogrammed without physical reconnection.

However, changing the composition of segments with hubs imposes severe restrictions on the network structure: the number of segments in such a repeater is usually small, and it is unrealistic to give every node its own segment, as can be done with a switch. In addition, with this approach all the work of transferring data between segments falls on routers, while switches with their high performance remain "out of work". Thus, repeater networks with configuration switching still require many nodes to share a transmission medium and therefore perform much worse than switch-based networks.

When virtual network technology is used in switches, two tasks are solved at once:

  • performance improves in each virtual network, since the switch sends frames only to the destination host;
  • the networks are isolated from one another, which makes it possible to manage user access rights and to erect barriers against broadcast storms.

Virtual networks are joined into a common network at the network layer, using either a separate router or the switch's own software. In the latter case the switch becomes a combined device, the so-called layer-3 switch.

The technology for the formation and operation of virtual networks using switches has not been standardized for a long time, although it has been implemented in a very wide range of switch models from different manufacturers. The situation changed after the adoption in 1998 of the IEEE 802.1Q standard, which defines the basic rules for building virtual local networks, regardless of which link layer protocol is supported by the switch.

Because a VLAN standard was absent for so long, each major switch vendor developed its own virtual network technology, and these are, as a rule, incompatible with one another. Therefore, despite the emergence of the standard, it is still common for virtual networks created on switches from one vendor not to be recognized, and therefore not supported, by switches from another.

CREATING A VLAN ON THE BASIS OF A SINGLE SWITCH

When creating virtual networks on a single switch, the switch port grouping mechanism is usually used (see Figure 3): each port is assigned to one or another virtual network. A frame received on a port belonging to, say, virtual network 1 will never be transmitted to a port that is not part of it. A port can be assigned to several virtual networks, although this is rarely done in practice, because the effect of complete isolation between the networks disappears.

Grouping the ports of one switch is the most logical way to form a VLAN, since in this case there cannot be more virtual networks than ports. If a repeater is connected to some port, then it makes no sense to include the nodes of the corresponding segment in different virtual networks - all the same, their traffic will be common.

This approach does not require a large amount of manual work from the administrator - it is enough to assign each port to one of several pre-named virtual networks. Typically, this operation is performed using a special program that came with the switch. The administrator creates virtual networks by dragging the port icons onto the network icons.

Another way to form virtual networks is based on MAC address grouping. Each MAC address known to the switch is assigned to one or another virtual network. If the network has many nodes, the administrator will have to perform a lot of manual operations. However, when building virtual networks across several switches, this method is more flexible than port grouping.

CREATING A VLAN BASED ON MULTIPLE SWITCHES

Figure 4 illustrates the situation that arises when virtual networks are built across multiple switches using port grouping. If the nodes of a virtual network are connected to different switches, a separate pair of ports must be allocated to connect the switches for each such network; otherwise the information about which virtual network a frame belongs to is lost when it passes from switch to switch. Thus the port grouping method requires as many inter-switch ports as there are VLANs, which is a very wasteful use of ports and cables. In addition, to let the virtual networks interact through a router, each network needs a separate cable and a separate router port, which also leads to high overhead.

Grouping MAC addresses into a virtual network on each switch eliminates the need to connect them through multiple ports, because in this case, the label of the virtual network is the MAC address. However, this method requires a lot of manual MAC address tagging on each switch in the network.

The two approaches described so far only add information to the bridge's address tables; they do not carry any indication of the frame's virtual network inside the transmitted frame. Other approaches use existing or additional frame fields to record the frame's VLAN membership as it moves between the network's switches. With them, there is also no need for each switch to remember which virtual networks the MAC addresses behind other switches belong to.

The extra field carrying the virtual network number is used only while the frame travels from switch to switch and is usually removed when the frame is sent to an end node. Thus the "switch-to-switch" protocol is modified while the software and hardware of the end nodes remain unchanged. There are many examples of such proprietary protocols, but they share one drawback: they are not supported by other manufacturers. Cisco proposed the 802.10 protocol header, whose purpose is to support security features in computer networks, as a standard addition to frames of any LAN protocol. The company itself uses this method where switches are interconnected over FDDI. However, this initiative was not supported by the other leading switch manufacturers.

To store the virtual network number, the IEEE 802.1Q standard provides an additional two-byte header that is used together with the 802.1p protocol. Besides the three bits that hold the frame's priority value, as described by the 802.1p standard, 12 bits of this header hold the number of the virtual network to which the frame belongs. This additional information is called the virtual network tag (VLAN TAG) and allows switches from different manufacturers to create up to 4096 shared virtual networks. Such a frame is called "tagged". The length of a tagged Ethernet frame grows by 4 bytes, because in addition to the two bytes of the tag itself, a further two bytes are inserted. The structure of the tagged Ethernet frame is shown in Figure 5. When the 802.1p/Q header is added, the data field is reduced by two bytes.

Figure 5. The structure of the marked Ethernet frame.
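The following Python model, added here as an example rather than taken from the article, ties together the port-grouping method of the previous sections and the 802.1Q tag just described: two switches with one access port per VLAN are joined by a trunk, frames crossing the trunk receive the 4-byte TPID/TCI header, and the demo checks that a broadcast from VLAN 10 reaches only VLAN-10 ports on both switches and that the tag is stripped before a frame reaches an end node. Switch names, port numbers, MAC addresses and VLAN numbers are constructed; the FCS and spanning tree are left out.

```python
"""Added illustration: two VLAN-capable switches joined by an 802.1Q trunk.
Constructed example, not code from the article; MACs, ports and VLAN numbers are made up."""
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
BROADCAST = b"\xff" * 6


def make_frame(dst, src, ethertype, payload):
    """Minimal untagged Ethernet frame (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q header (2-byte TPID + 2-byte TCI) after the source MAC.
    TCI = 3-bit priority (802.1p), 1-bit DEI, 12-bit VLAN ID; VIDs 0 and 4095 are reserved."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (pcp, dei, vid, untagged_frame), or None if the frame carries no tag."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, frame[:12] + frame[16:]


class Switch:
    """Port-grouped VLAN switch: each access port belongs to exactly one VLAN and
    carries untagged frames; the single trunk port carries tagged frames of all VLANs."""

    def __init__(self, name, access, trunk):
        self.name, self.access, self.trunk = name, access, trunk  # access: {port: vid}
        self.fdb = {}          # (vid, mac) -> port, learned from source addresses
        self.delivered = []    # (port, frame) handed out on access ports or the trunk
        self.peer = None       # switch at the far end of the trunk

    def receive(self, port, frame):
        if port == self.trunk:
            _, _, vid, frame = parse_tag(frame)      # VLAN identity comes from the tag...
        else:
            vid = self.access[port]                 # ...or from the ingress port
        dst, src = frame[:6], frame[6:12]
        self.fdb[(vid, src)] = port                 # learn per VLAN
        if dst != BROADCAST and (vid, dst) in self.fdb:
            targets = [self.fdb[(vid, dst)]]       # known unicast: one port
        else:                                        # unknown/broadcast: flood this VLAN only
            targets = [p for p, v in self.access.items() if v == vid] + [self.trunk]
        for p in targets:
            if p == port:
                continue                            # never back out of the ingress port
            if p == self.trunk:
                tagged = tag_frame(frame, vid)      # the tag preserves membership across the link
                self.delivered.append((p, tagged))
                self.peer.receive(self.peer.trunk, tagged)
            else:
                self.delivered.append((p, frame))   # end nodes receive the plain frame


def access_deliveries(switch):
    """Access ports that received a frame, in order (trunk traffic excluded)."""
    return [p for p, _ in switch.delivered if p != switch.trunk]


def demo():
    """A (VLAN 10) and B (VLAN 20) sit on S1; C (VLAN 10) and D (VLAN 20) sit on S2."""
    s1 = Switch("S1", access={1: 10, 2: 20}, trunk=24)
    s2 = Switch("S2", access={1: 10, 2: 20}, trunk=24)
    s1.peer, s2.peer = s2, s1
    mac_a, mac_c = bytes([0, 0, 0, 0, 0, 0xA]), bytes([0, 0, 0, 0, 0, 0xC])
    # A broadcasts (think ARP request): it must reach C but never B or D
    s1.receive(1, make_frame(BROADCAST, mac_a, 0x0806, b"who-has A?"))
    # C answers A: S2 learned A behind its trunk, so the reply is a known unicast
    s2.receive(1, make_frame(mac_a, mac_c, 0x0806, b"C is-at"))
    return s1, s2
```

The forwarding table is keyed by (VLAN, MAC), so a MAC learned in VLAN 10 can never be used to forward a VLAN-20 frame, and flooding is restricted to ports of the frame's own VLAN plus the trunk; that pair of rules is what turns the "flat" bridged network into separate broadcast domains.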

The advent of the 802.1Q standard made it possible to overcome the differences between proprietary VLAN implementations and to achieve compatibility when building virtual local area networks. The VLAN technique is supported by both switch and NIC manufacturers. In the latter case, the NIC can generate and receive tagged Ethernet frames containing a VLAN TAG field. If the network adapter generates tagged frames, it thereby determines which virtual local network they belong to, and the switch must process them accordingly, i.e. forward or not forward them to an output port depending on that port's membership. The network adapter driver obtains its VLAN number (or numbers) from the network administrator (by manual configuration) or from some application running on the host. Such an application can run centrally on one of the network servers and manage the structure of the entire network.

With VLAN-capable network adapters, the static configuration in which a port is assigned to a specific virtual network can be bypassed. However, the static VLAN configuration method remains popular because it allows a structured network to be created without involving end-node software.

Natalya Olifer is a columnist for the Journal of Network Solutions/LAN. She can be contacted at:

A Virtual Private Network (VPN) is used to provide secure connections within a corporate network and for Internet access. The main advantage of a VPN is its high security, owing to encryption of the internal traffic, which matters whenever data is transferred.

What is a VPN connection

Many people, when they come across this abbreviation, ask: what is a VPN and why is it needed? The technology makes it possible to create one network connection on top of another. A VPN works in several modes:

  • host-to-network;
  • network-to-network;
  • host-to-host.

Organizing a virtual private network at the network layer allows the TCP and UDP protocols to be used. All data that passes between the computers is encrypted, which is additional protection for your connection. There are many examples that explain what a VPN connection is and why you should use one; the question is discussed in detail below.

Why you need a VPN

Every provider can hand over logs of user activity at the request of the relevant authorities. Your Internet company records all the activities you perform on the network, which helps to relieve the provider of any responsibility for the actions its clients carry out. There are many situations in which you need to protect your data and gain freedom, for example:

  1. A VPN service is used to send confidential company data between branches. This helps protect important information from interception.
  2. You need to bypass a service's geographic restriction. For example, the Yandex Music service is available only to residents of Russia and of the former CIS countries; a Russian-speaking resident of the United States will not be able to listen to the recordings. A VPN service helps bypass this restriction by replacing the network address with a Russian one.
  3. Hiding site visits from the provider. Not everyone is ready to share their activity on the Internet, so they protect their visits with the help of a VPN.

How a VPN Works

When you use a VPN channel, your IP address belongs to the country where that secure network is located. On connection, a tunnel is created between the VPN server and your computer. After that, the provider's logs (records) contain only an unreadable set of characters, and analysing that data with special programs yields nothing. If you do not use this technology, the HTTP protocol immediately reveals which site you are connecting to.

VPN Structure

This connection consists of two parts. The first is called the "internal" network, and there can be several of these. The second is the "external" network, through which the encapsulated connection passes; as a rule, the Internet is used. It is also possible to connect a single computer to the network. The user connects to a specific VPN through an access server that is connected to both the external and the internal network.

When a VPN program connects a remote user, the server requires two important processes to be completed: first identification, then authentication. This is necessary to obtain the right to use the connection. If you pass both stages successfully, your connection is granted its rights and you can start working. In essence, this is the authorization process.

VPN classification

There are several types of virtual private networks. They differ in the degree of security, the method of implementation, the layer of the ISO/OSI model at which they work, and the protocol involved. You can use paid access or a free VPN service from Google. By degree of security, channels can be "secure" or "trusted". The latter are needed if the connection itself already has the desired level of protection. To organize the first option, the following technologies should be used:

  • PPTP;
  • OpenVPN;
  • IPSec.

How to create a VPN server

Any computer user can set up a VPN on their own. The Windows option is considered below. This guide does not require any additional software. Setup proceeds as follows:

  1. To create a new connection, open the network connections panel: start typing "Network connections" in the search box.
  2. Press the "Alt" key, click the "File" menu and select "New incoming connection".
  3. Then select the user who will be allowed to make a VPN connection to this computer (if there is only one account on the PC, you must create a password for it). Tick the checkbox and click "Next".
  4. Next, you will be asked to select the type of connection; you can leave the checkmark in front of "Internet".
  5. The next step is to enable the network protocols that will work over this VPN. Check all boxes except the second one. You can optionally set specific IP addresses, DNS gateways and ports under IPv4, but it is easier to leave automatic assignment.
  6. When you click the "Allow access" button, the operating system creates the server on its own and shows a window with the computer name. You will need it to connect.
  7. This completes the creation of a home VPN server.

How to set up a VPN on Android

The method described above creates a VPN connection on a personal computer. However, many people have long been doing everything from their phone. If you do not know what a VPN on Android is, all the facts given above about this type of connection apply to a smartphone as well. Modern devices are configured for comfortable, high-speed use of the Internet. In some cases (launching games, opening websites) people use proxy substitution or anonymizers, but a VPN is better for a stable and fast connection.

If you already understand what a VPN is on a phone, then you can go directly to creating a tunnel. You can do this on any Android device. The connection is made as follows:

  1. Go to the settings and tap the "Network" section.
  2. Look for an item called "Additional settings" and go to the "VPN" section. Next, you will need the PIN code or password that unlocks the ability to create a network.
  3. The next step is to add a VPN connection. Enter the server name in the "Server" field and the user name in the "Username" field, set the connection type, and tap "Save".
  4. After that, a new connection appears in the list, which you can use in place of your standard connection.
  5. An icon appears on the screen indicating that a connection is available. Tapping it shows statistics of received and transmitted data; you can also disable the VPN connection here.
