What is a VPN Network?

A virtual private network (VPN) establishes a private network on top of a public network so that communication over it can be encrypted. It is widely used in enterprise networks. A VPN gateway provides remote access by encrypting data packets and rewriting their destination addresses. VPNs can be implemented in a variety of ways, including servers, dedicated hardware, and software. [1]

Name: Virtual private network
English name: Virtual Private Network
Abbreviation: VPN
Use: Encrypted communication
General type: 4GIPVPN
Connection protocols: PPTP, L2TP, IPSec

Introduction to virtual private networks

A VPN is a remote access technology: put simply, it uses a public network to build a private one. For example, when an employee travels abroad and wants to reach server resources on the company intranet, that access is remote access. [2]
In a traditional enterprise network, remote access was provided by leasing a DDN (Digital Data Network) line or a Frame Relay circuit. Such a scheme inevitably brings high communication and maintenance costs. Mobile users (travelling staff) and individual remote users usually entered the corporate LAN through a dial-up line or the Internet, which inevitably introduced security risks. [2]
To let employees outside the office reach intranet resources, the VPN approach is to place a VPN server on the intranet. A remote employee first connects to the Internet locally, then connects through the Internet to the VPN server, and through the VPN server enters the corporate intranet. To keep the data secure, all traffic between the VPN server and the client is encrypted. With that encryption, the data can be regarded as travelling over a dedicated link, as if a private network had been built, although in fact the VPN uses public links on the Internet. This is why it is called a virtual private network: in essence it uses encryption to encapsulate a data communication tunnel over the public network. With VPN technology, users can reach internal network resources from anywhere they can reach the Internet, whether travelling abroad or working from home, which is why VPNs are so widely used in enterprises. [3]

How Virtual Private Networks Work

  1. A VPN gateway generally has a dual network card structure; the external network card uses a public IP address to reach the Internet. [4]
  2. Terminal A in network 1 (assume the public network) accesses terminal B in network 2 (assume the company intranet). The destination address of the packet sent by terminal A is the internal IP address of terminal B. [4]
  3. When the VPN gateway of network 1 receives the packet from terminal A, it checks the destination address. If that address belongs to network 2, the gateway encapsulates the packet. The encapsulation method depends on the VPN technology in use, but in every case the gateway builds a new VPN packet and uses the encapsulated original packet as its payload. The destination address of the VPN packet is the external address of the VPN gateway of network 2. [4]
  4. The VPN gateway of network 1 sends the VPN packet onto the Internet. Because the destination address of the VPN packet is the external address of the VPN gateway of network 2, the Internet routes the packet correctly to that gateway. [4]
  5. The VPN gateway of network 2 inspects the received packet. If it finds that the packet was sent by the VPN gateway of network 1, it can conclude that this is a VPN packet and unpack it. Unpacking mainly consists of stripping the VPN packet header and then reversing the encapsulation to restore the original packet. [4]
  6. The VPN gateway of network 2 forwards the restored original packet to terminal B. Since the destination address of the original packet is the IP address of terminal B, the packet reaches terminal B correctly. From the perspective of terminal B, the packets it receives are identical to packets sent directly by terminal A. [4]
  7. Packets returned from terminal B to terminal A are handled by the same procedure in reverse, so terminals in the two networks can communicate with each other. [4]
From the description above, two parameters are critical to how a VPN gateway processes packets: the destination address of the original packet (the VPN destination address) and the remote VPN gateway address. Using the VPN destination address, the gateway decides which packets receive VPN processing; packets that do not need it are normally forwarded directly to the upstream router. The remote VPN gateway address specifies the destination address of the processed VPN packets, that is, the address of the VPN gateway at the other end of the VPN tunnel. Because network communication is bidirectional, the VPN gateways at both ends of the tunnel must each know the VPN destination address and the corresponding remote VPN gateway address. [4]

Working process of virtual private network

The basic VPN process is as follows:
  1. The protected host sends a cleartext message towards the VPN device. [2]
  2. The VPN device decides, according to the rules set by the network administrator, whether the data is to be encrypted or forwarded directly. [2]
  3. For data that must be encrypted, the VPN device encrypts the entire packet (the data to be transmitted together with the source and destination IP addresses), attaches a digital signature, and adds a new header containing the security information the destination VPN device needs and some initialization parameters. [2]
  4. The encapsulated packet is transmitted across the public network through a tunnel. [2]
  5. When the packet arrives at the destination VPN device, it is unwrapped; after the digital signature has been verified, the packet is decrypted. [2]
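The following simulation, added here and not taken from the article, ties together the gateway procedure of the previous section and the five steps above: a policy table maps VPN destination prefixes to a remote gateway address, matching packets are wrapped in an authenticated, encrypted outer packet addressed to that gateway, and the peer verifies the tag before decrypting and restoring the inner packet. The policy, keys and packet contents are constructed values; an HMAC tag stands in for the article's digital signature, and the keystream is derived from HMAC-SHA256 rather than a standard VPN cipher.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed policy: inner destination prefix -> remote VPN gateway (public address).
POLICY = {ipaddress.ip_network("10.2.0.0/16"): "203.0.113.2"}
KEY_ENC = b"constructed-encryption-key"   # shared by both gateways (assumption)
KEY_MAC = b"constructed-authentication-key"


def keystream(key, nonce, length):
    """Derive a per-packet keystream from HMAC-SHA256 in counter mode (stand-in cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def encapsulate(inner_pkt, policy=POLICY):
    """inner_pkt is (src_ip, dst_ip, payload). Returns None when the packet should be
    forwarded unchanged, else (outer_dst, nonce, ciphertext, tag) for the tunnel."""
    src, dst, payload = inner_pkt
    for prefix, gateway in policy.items():
        if ipaddress.ip_address(dst) in prefix:
            break
    else:
        return None                       # not a VPN destination: plain forwarding
    inner = f"{src}|{dst}|".encode() + payload   # whole inner packet, addresses included
    nonce = os.urandom(16)                # initialization parameter carried in the new header
    ct = bytes(a ^ b for a, b in zip(inner, keystream(KEY_ENC, nonce, len(inner))))
    tag = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return gateway, nonce, ct, tag


def verify(vpn_pkt):
    """Receiving gateway: check the tag before touching the ciphertext."""
    _, nonce, ct, tag = vpn_pkt
    expected = hmac.new(KEY_MAC, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decapsulate(vpn_pkt):
    """Strip the outer header, decrypt, and restore (src_ip, dst_ip, payload)."""
    if not verify(vpn_pkt):
        raise ValueError("authentication failed: packet dropped")
    _, nonce, ct, _ = vpn_pkt
    inner = bytes(a ^ b for a, b in zip(ct, keystream(KEY_ENC, nonce, len(ct))))
    src, dst, payload = inner.split(b"|", 2)
    return src.decode(), dst.decode(), payload
```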

Virtual Private Network Taxonomy

VPNs can be classified according to several different standards: [5]

VPNs classified by tunneling protocol

There are three main VPN tunneling protocols: PPTP, L2TP, and IPSec. PPTP and L2TP operate at the second layer of the OSI model and are therefore called Layer 2 tunneling protocols; IPSec is a Layer 3 tunneling protocol. [5]

VPNs classified by application

(1) Access VPN: client to gateway, using the public network as the backbone to carry VPN traffic between the devices; [5]
(2) Intranet VPN: gateway to gateway, connecting the resources of a single company through that company's own network architecture; [5]
(3) Extranet VPN: forms an extranet with a partner's network, connecting the resources of one company with those of another. [5]

VPNs classified by the type of device used

Network equipment vendors have developed different VPN devices for the needs of different customers, mainly switches, routers and firewalls: [5]
(1) Router-based VPN: the easiest to deploy, since only a VPN service needs to be added to the router; [5]
(2) Switch-based VPN: mainly used in VPN networks with fewer users; [5]

VPNs classified by implementation principle

(1) Overlay VPN: the user establishes the VPN links between the end nodes; this category covers GRE, L2TP, IPSec and many other technologies. [5]
(2) Peer-to-peer VPN: the network operator establishes the VPN tunnels on the backbone network; this category mainly covers MPLS VPN technologies. [5]

Virtual private network implementation

There are many ways to implement a VPN; the following four are the most common: [6]
1. VPN server: in a large local area network, a VPN can be implemented by setting up a VPN server at the network centre. [6]
2. Software VPN: a VPN can be implemented with dedicated software. [6]
3. Hardware VPN: a VPN can be implemented with dedicated hardware. [6]
4. Integrated VPN: some hardware devices, such as routers and firewalls, include VPN functions, although hardware with VPN functions is generally more expensive than hardware without them. [6]

Advantages and disadvantages of virtual private networks

Virtual Private Network Benefits

  1. A VPN lets mobile employees, remote employees, business partners and others connect to the corporate network over locally available high-speed broadband connections (such as DSL, cable, or WiFi). High-speed broadband connections also provide a cost-effective way to link remote offices. [6]
  2. A well-designed broadband VPN is modular and scalable. A VPN lets users build on an Internet infrastructure that is easy to set up, so new users can be added to the network quickly and easily. Businesses can therefore provide a large amount of capacity and many applications without adding infrastructure. [6]
  3. A VPN provides a high level of security, using strong encryption and authentication protocols to protect data from prying eyes and to keep data thieves and other unauthorized users from reaching it. [6]
  4. Full control: a VPN lets users take advantage of an ISP's facilities and services while retaining full control of their own network. Users consume only the network resources the ISP provides; security settings and network management changes remain under their own control. An enterprise can also build its own VPN internally. [6]

Disadvantages of virtual private networks

  1. Enterprises cannot directly control the reliability and performance of an Internet-based VPN; they must rely on the Internet service provider that delivers the VPN to keep it running. It is therefore very important for a company to sign a service-level agreement with the provider that guarantees specific performance indicators. [6]
  2. Creating and deploying a VPN is not easy for an enterprise. The technology requires a thorough understanding of networking and security issues and needs careful planning and configuration, so it is often sensible to have the Internet service provider take responsibility for most of the work of running the VPN. [6]
  3. VPN products and solutions from different vendors are frequently incompatible, because many vendors are unwilling or unable to follow VPN technology standards. Mixing products from different manufacturers can therefore cause technical problems, while standardizing on one vendor's equipment may increase costs. [6]
  4. VPNs carry security risks when used with wireless devices, and roaming between access points is particularly prone to problems: when users roam between access points, any solution that relies on advanced encryption may be compromised. [6]

Laws, regulations and policies related to virtual private networks

In April 2003, the Ministry of Information Industry issued the "Telecommunications Business Classification Catalog", which abolished the classification of international telecommunication services and at the same time separated the virtual private network business from the basic telecommunications business, making it an independent value-added telecommunications category. The concept of "virtual private network" used there differs from the VPN service as understood in the industry. The new "Telecommunications Business Classification Catalog" explains the category as follows: the domestic Internet virtual private network service (IP-VPN) refers to the use of one's own or leased public Internet resources, with the TCP/IP protocol, to provide domestic users with customized closed user group services over the Internet. This interpretation emphasizes two characteristics: the use of Internet network resources and the use of the TCP/IP protocol. It matched the market of the time, which centred on Internet-based IPSec VPNs; although it could broadly cover the later SSL VPN model, it did not address MPLS VPN. [7]
In January 2006, the Ministry of Information Industry issued the "Notice on Two Value-added Telecom Services and Domestic Multi-party Communication Services", officially opening two domestic value-added telecommunications services, "Domestic Internet Virtual Private Network Services" and "Online Data Processing and Transaction Processing Services". These two services thereby moved from commercial trials to formal commercial operation. [8]
In 2013, the "Telecommunication Business Classification Catalog (Consultation Draft)" published by the Ministry of Industry and Information Technology still made no change to this. [9]
On January 27, 2015, the Ministry of Industry and Information Technology responded to the VPN closure incident, saying that some harmful information should be managed in accordance with Chinese law. The Ministry had previously issued regulations requiring companies that provide VPN services in China to be registered, otherwise they would "not be protected by Chinese law". [10]
In January 2017, the Ministry of Industry and Information Technology issued the "Notice on Cleaning Up and Regulating the Market for Internet Network Structure Services", aimed at enterprises and individuals without business operation qualifications who lease international dedicated lines or VPNs to conduct cross-border telecommunication business in violation of the regulations. The regulations are directed at those operating without a licence and not complying with the rules; they have no effect on enterprises and individuals that comply with laws and regulations. [11]
On the issue of VPNs, Wen Ku, director of the Information and Communication Development department of the Ministry of Industry and Information Technology, added that anyone operating related businesses in China should apply for permits in accordance with Chinese laws and regulations, which is in fact the practice in many countries around the world: it is done in the United States, in Europe and in Asia, with management methods varying from country to country. The three major operators in China have done a great deal of work to provide services to ordinary people; network speed has improved continuously and good results have been achieved. [11]
Wen Ku said that, especially in the digital economy, streets and lanes, and in particular the shared bicycles near subway entrances, show that network coverage is very complete and applications are increasingly widespread. At the same time, attention will also be paid to some needs of the people. But spreading harmful or even violent terrorist information via the Internet is not allowed by Chinese law. [11]
