TweetFollow Us on Twitter

Virtual Private Networks

Volume Number: 21 (2005)
Issue Number: 3
Column Tag: Programming

Virtual Private Networks

by Brad Belyeu

Secure E-commuting

How to securely get to the office on the information super-highway

Introduction

Let's say your working on a big project at the office. Of course, the project is saved on the fileserver for security and accessibility reasons. The big deadline is Friday at five, and you or one of your team-members becomes deathly ill a couple days before. Or what if there was a blizzard? How in the world are you going to work on this project for your biggest client when you can't make it to the office? Create a virtual office! Using a virtual private network, you could access the network file, application, & print servers just as if you were there. When you connect to a VPN, it appears as though your computer sits right on the local network. Access is not as fast as physically being on the LAN, but when you can't be there it's the next best thing.

Defining VPN

VPNs (or Virtual Private Networks) come in many shapes and sizes. It has been a buzzword that is fairly ambiguous and has taken on different meanings over time. VPNs provide secure remote access to internal (private) networks over public networks, usually the Internet. The problem in defining VPNs has to do with its ambiguity. Virtually all networks are virtual in some sense of the word. I don't have a direct cable connection to all the Internet resources I use on a daily basis. But I get to those resources through a public network, and they are often located on someone else's private network. Besides, what one person considers private is often not private enough for someone else. VPNs can't be defined by any specific software protocols because there are several different common protocols that work effectively.

Virtual private networks can be hardware or software based. Using Mac OS X Server or a software application like VPN Tracker Server allows you to create a software VPN server, but most VPN servers are pieces of hardware external to your computer. VPN hardware is often included inside a firewall or router. For example, I use the Linksys WRV54G, which is an Internet connection-sharing router, wireless access point, VPN endpoint, & firewall all wrapped up in a single box. Cisco makes some very powerful VPN hardware for large networks. Most software servers are created for a one to one connection using client-server based technology.

There are two main types of VPNs and I will define them by the endpoints they connect. The first is the client to LAN (local area network) connection. A local area network is your private internal network. You normally use this connection for remote users to connect to a single office from anywhere with Internet access. This is useful for telecommuting. If you have employees that work in the field but need access to office databases, this is the type of VPN that you need. The other VPN type is LAN to LAN. This VPN type is usually used to connect the resources at two office locations so they look like a single LAN. This is often used when a company has a corporate location and other locations that need access to the corporate resources, or when resources are distributed across a couple of locations.

But Why?

When companies wanted to connect different office locations together before the Internet was widespread, they normally had to lease lines from a cable company to connect the locations. This kind of a network is referred to as a trusted VPN. This was a secure way to build a network since no one outside the buildings had access to the network as long as the cable company protected their switches, but it was also a very expensive way to share resources. With the advancement of the Internet, it became clear that using public lines instead of privately leased lines could connect offices much less expensively. But could a network over public lines be trusted for private (secure) communication? Because of the need to protect data, secure VPNs were developed. Secure VPNs use network protocols to encrypt data as it leaves the originating network and then decrypt it when it arrives at its destination. If you are using a combination of both trusted and secure VPN technology, it is referred to as a hybrid VPN.

VPN Protocols

PPP (point-to-point protocol) is a protocol that allows users to dial-up a connection to access the Internet. This connection is basically a VPN. You're using public telephone lines to access the Internet, but the access is insecure. Point-to-point tunneling protocol (PPTP) is a protocol developed by several companies but usually associated with Microsoft. Microsoft added it into every OS release since Windows 98. PPTP was built on PPP technology to create a "tunnel" allowing secure passage of information. PPP is the parent technology of PPTP, and PPTP couldn't exist without PPP. PPTP sends data in encapsulated PPP packets, which are then encapsulated within IP packets. Encapsulation allows you to send different protocols over IP. That means you can send more than just IP packets over the VPN. It's like wrapping presents. You normally use different kinds of wrapping paper for different occasions, Christmas paper, birthday paper, etc. PPTP can only deliver IP packets over the Internet, which would be like demanding a present be wrapped in Christmas paper to be delivered. But if it's really a birthday present, PPTP allows you to wrap the present in birthday paper, then wrap it in Christmas paper for delivery. After the packet is delivered, the packet header knows that it is really a birthday present and takes off the Christmas wrapping paper at its final destination. That is how you can send IPX or NetBEUI packets over IP with PPTP. The trick of PPTP being able to send other packets over IP lies in the fact that it runs at the OSI (open systems interconnection) layer 2, or link layer. PPTP relies on PPP for its authentication and encryption methods. PPTP can be used to create a 'tunnel' between two locations using TCP port 1723. Once the TCP connection is established, both control messages and data packets are sent from one endpoint to the other. These control messages do everything from initializing the VPN, to keeping it alive, and closing the VPN session. Control messages also serve other maintenance functions for the VPN. The weaknesses of PPTP are that it does not provide strong encryption for protecting data nor does it support any token-based methods of authenticating users.

L2TP (layer 2 tunneling protocol) combines the best features of PPTP and L2F from Cisco Systems into one protocol. The Internet Engineering Task Force (IETF) standardized L2TP for tunneling PPP across a public network. The main two components of L2TP are the Access Controller (LAC) and the Network Server (LNS). L2TP is similar to PPTP and runs over the OSI layer 2 so it can also route other protocols through IP packets. Data is forwarded from the LAC, which can be your own computer or your ISPs, to the LNS. If you're inside a private network, L2TP may be fine by itself. Because L2TP can't prevent packets from being changed, stolen, or faked, it is usually combined with IPSec when used across the Internet.

IPSec is the most secure way to connect to a VPN network. There are two components to IPSec: the authentication header (AH) and the Encapsulating Security Payload (ESP). The AH creates a special hashing algorithm and a specific key known only to the source and destination, which is used to check for packet integrity. A security association is setup between the devices and the AH stores the output of the special computation. Then the receiving device does the same computations, it checks the AH to make sure the computations are the same. This verifies that the packet has not been altered from its original state. It is a checksum type of authentication. The AH provides authentication but not privacy; the ESP does that by encrypting the data. The ESP encryption algorithm is a key known only to the source and destination so no one in-between can decrypt the transmitted data.

IPSec can run in two different modes. These modes relate to how IPSec is set up. If two routers are creating a VPN connection, it uses tunnel mode; but if the VPN is host to host, it uses transport mode. In transport mode, only the data portion of the packet is encrypted. To obtain maximum security, one should use tunneling mode where the entire IP packet is encrypted and authenticated. The only downfall of IPSec is that it runs on OSI layer 3 and only supports IP packets. There is a way to overcome this however. Bundling L2TP with IPSec allows a VPN with maximum security and multiple protocols. Because IPSec by itself has no way of tunneling, it is normally only used with L2TP. L2TP creates the tunnel and IPSec allows it to be secure. This is the most secure way to create a private network and is being adopted as the best standard. RFC 3193 describes the standard for bundling L2TP & IPSec. (http://www.faqs.org/rfcs/rfc3193.html)

OS 10.3 & VPNS

OS 10.3 Panther has built in VPN client support through the Internet Connect application (see figure 1). It currently allows for two different kinds of VPN connections: PPTP or L2TP over IPSec in transport mode.


Figure 1. VPN Connections

Apple doesn't allow for plain IPSec connections because, "Pure IPSec only provides user authentication or configuration of the client machine through protocols which are either proprietary or defined by the long-expired IETF drafts, which are not standards. Using PPP/L2TP over IPSec is the only "standard" way of doing remote access with user authentication and IP address assignment over IPSec at this time." (http://docs.info.apple.com/article.html?artnum=108088) What Apple means by "Pure IPSec" is using IPSec without the internal encapsulation. The built-in functionality of the VPN client for OS X is very limited, but there are good applications for expanding that functionality. VPN Tracker (http://www.apple.com/downloads/macosx/networking_security/vpntracker.html) is an excellent application for customizing your VPN connection. VPN Tracker is one of many products developed by equinux for VPNs. VPN Tracker allows you to customize every option of the connection (see figure 2). It also has built in support for a large number of VPNs from major vendors. If you choose the option for that specific VPN server, it will automatically set all the necessary options for you.


Figure 2. VPN Tracker

Equinux also makes a VPN Tracker Server in case you want to setup a VPN connection to a specific computer on your network. If you decide to setup a software VPN and you are behind a NAT (Network Address Translation) router, you need to make sure it has VPN pass-through enabled or the proper TCP/UDP ports are being forwarded.

Conclusion

Setting up a VPN can be complicated; but with the proper hardware & software, the average Macintosh user can do it. With all the different protocols, setup needs to be thought out before hand. If you choose a hardware router/VPN, research the manufacturers products first to see which protocols they work with. I've had no problem with my Linksys router, and I've setup other common brands that have worked as well (D-Link, Netgear, etc.) I would suggest viewing equinux's website at http://www.equinux.com/us/products/vpntracker/interoperability.html for a list of products that work with VPN Tracker. If you're going to use Internet Connect, it is very compatible with a large range of products; but doesn't offer near as much customization as VPN Tracker. I strongly suggest downloading and trying out equinux's VPN Tracker to keep those private networks secure!


Brad Belyeu is the President of ABConsulting based out of Oklahoma City, OK. He is an Apple Certified Technician and a member of the Apple Consultant Network.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

MacFamilyTree 8.2.7 - Create and explore...
MacFamilyTree gives genealogy a facelift: modern, interactive, convenient and fast. Explore your family tree and your family history in a way generations of chroniclers before you would have loved.... Read more
WhatsApp 0.2.8000 - Desktop client for W...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
TotalFinder 1.10.7 - Adds tabs, hotkeys,...
TotalFinder is a universally acclaimed navigational companion for your Mac. Enhance your Mac's Finder with features so smart and convenient, you won't believe you ever lived without them. Features... Read more
Box Sync 4.0.7886 - Online synchronizati...
Box Sync gives you a hard-drive in the Cloud for online storage. Note: You must first sign up to use Box. What if the files you need are on your laptop -- but you're on the road with your iPhone? No... Read more
Espresso 5.1 - Powerful HTML, XML, CSS,...
Note from the developer: For the new Espresso, we changed our versioning and licensing approach with more consistent pricing and a simpler development timeline: "X+1". Each new update would increase... Read more
VueScan 9.6.04 - Scanner software with a...
VueScan is a scanning program that works with most high-quality flatbed and film scanners to produce scans that have excellent color fidelity and color balance. VueScan is easy to use, and has... Read more
Slack 3.0.5 - Collaborative communicatio...
Slack is a collaborative communication app that simplifies real-time messaging, archiving, and search for modern working teams. Version 3.0.5: Bug Fixes: An important security update. Security... Read more
VirtualBox 5.2.6 - x86 virtualization so...
VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers... Read more
Vivaldi 1.13.1008.40 - An advanced brows...
Vivaldi is a browser for our friends. In 1994, two programmers started working on a web browser. Our idea was to make a really fast browser, capable of running on limited hardware, keeping in mind... Read more
WhatRoute 2.1.1 - Geographically trace o...
WhatRoute is designed to find the names of all the routers an IP packet passes through on its way from your Mac to a destination host. It also measures the round-trip time from your Mac to the router... Read more

Latest Forum Discussions

See All

JYDGE (Games)
JYDGE 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: Build your JYDGE. Enter Edenbyrg. Get out alive. JYDGE is a lawful but awful roguehate top-down shooter where you get to build your... | Read more »
Tako Bubble guide - Tips and Tricks to S...
Tako Bubble is a pretty simple and fun puzzler, but the game can get downright devious with its puzzle design. If you insist on not paying for the game and want to manage your lives appropriately, check out these tips so you can avoid getting... | Read more »
Everything about Hero Academy 2 - The co...
It's fair to say we've spent a good deal of time on Hero Academy 2. So much so, that we think we're probably in a really good place to give you some advice about how to get the most out of the game. And in this guide, that's exactly what you're... | Read more »
Everything about Hero Academy 2: Part 3...
In the third part of our Hero Academy 2 guide we're going to take a look at the different modes you can play in the game. We'll explain what you need to do in each of them, and tell you why it's important that you do. [Read more] | Read more »
Everything about Hero Academy 2: Part 2...
In this second part of our guide to Hero Academy 2, we're going to have a look at the different card types that you're going to be using in the game. We'll split them up into different sections too, to make sure you're getting the most information... | Read more »
Everything about Hero Academy 2: Part 1...
So you've started playing Hero Academy 2, and you're feeling a little bit lost. Don't worry, we've got your back. So we've come up with a series of guides that are going to help you get to grips with everything that's going on in the game. [Read... | Read more »
What mobile gaming can learn from the Ni...
While Nintendo might not have had things all its own way since it began developing for mobile, one thing it has got right is the release of the Switch. After the disappointment of the WiiU, which I still can't really explain, the Switch felt a... | Read more »
Programmer of Sonic The Hedgehog launche...
Japanese programmer Yuji Naka is best known for leading the team that created the original Sonic The Hedgehog. He’s moved on from the speedy blue hero since then, launching his own company based in Tokyo – Prope Games. Legend of Coin is the... | Read more »
Why doesn't mobile gaming have its...
The Overwatch League is a pretty big deal. It's an attempt to really push eSports into the mainstream, by turning them into, well, regular sports. But slightly less sweaty. It's a lavish affair with teams from all around the world, and more... | Read more »
Give Webzen’s new billiard game PoolTime...
Best known for producing hugely popular MMO titles, South Korean publisher Webzen is now taking aim at a different genre altogether. PoolTime is a realistic eight ball pool simulator, allowing you to compete in real-time matches against players... | Read more »

Price Scanner via MacPrices.net

9.7-inch 2017 WiFi iPads on sale starting at...
B&H Photo has 9.7″ 2017 WiFi #Apple #iPads on sale for $30 off MSRP for a limited time. Shipping is free, and pay sales tax in NY & NJ only: – 32GB iPad WiFi: $299, $30 off – 128GB iPad WiFi... Read more
Wednesday deal: 13″ MacBook Pros for $100-$15...
B&H Photo has 13″ #Apple #MacBook Pros on sale for up to $100-$150 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 13-inch 2.3GHz/128GB Space Gray... Read more
Apple now offering Certified Refurbished 2017...
Apple has Certified Refurbished 9.7″ WiFi iPads available for $50-$80 off the cost of new models. An Apple one-year warranty is included with each iPad, and shipping is free: – 9″ 32GB WiFi iPad: $... Read more
10″ iPad Pros on sale for $50-$75 off MSRP, n...
B&H Photo has 10″ and #Apple #iPad Pros on sale for up to $75 off MSRP. Shipping is free, and B&H charges sales tax in NY & NJ only. Note that some sale prices are restricted to certain... Read more
Apple refurbished Mac minis available startin...
Apple has restocked Certified Refurbished Mac minis starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: – 1.4GHz Mac mini: $419 $80 off MSRP – 2.6GHz Mac... Read more
Amazon offers Silver 13″ Apple MacBook Pros f...
Amazon has new Silver 2017 13″ #Apple #MacBook Pros on sale today for up to $150 off MSRP, each including free shipping: – 13″ 2.3GHz/128GB Silver MacBook Pro (MPXR2LL/A): $1199.99 $100 off MSRP – 13... Read more
Sale: 12″ 1.3GHz MacBooks on sale for $1499,...
B&H Photo has Space Gray and Rose Gold 12″ 1.3GHz #Apple MacBooks on sale for $100 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 12″ 1.3GHz Space... Read more
Apple offers Certified Refurbished 2017 iMacs...
Apple has a full line of Certified Refurbished iMacs available for up to $350 off original MSRP. Apple’s one-year warranty is standard, and shipping is free. The following models are available: – 27... Read more
13″ MacBook Airs on sale for $120-$100 off MS...
B&H Photo has 2017 13″ 128GB MacBook Airs on sale for $120 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 13″ 1.8GHz/128GB MacBook Air (MQD32LL/A): $... Read more
15″ Touch Bar MacBook Pros on sale for up to...
Adorama has Space Gray 15″ MacBook Pros on sale for $200 off MSRP. Shipping is free, and Adorama charges sales tax in NJ and NY only: – 15″ 2.8GHz MacBook Pro Space Gray (MPTR2LL/A): $2199, $200 off... Read more

Jobs Board

*Apple* Solutions Consultant - Apple (United...
# Apple Solutions Consultant Job Number: 113384559 Brandon, Florida, United States Posted: 10-Jan-2018 Weekly Hours: 40.00 **Job Summary** Are you passionate about Read more
Art Director, *Apple* Music + Beats1 Market...
# Art Director, Apple Music + Beats1 Marketing Design Job Number: 113258081 Santa Clara Valley, California, United States Posted: 05-Jan-2018 Weekly Hours: 40.00 Read more
*Apple* Pay & Wallet Engineering Manager...
# Apple Pay & Wallet Engineering Manager, Apple Watch Job Number: 83769531 Santa Clara Valley, California, United States Posted: 06-Nov-2017 Weekly Hours: 40.00 Read more
UI Tools and Automation Engineer, *Apple* M...
# UI Tools and Automation Engineer, Apple Media Products Job Number: 113136387 Santa Clara Valley, California, United States Posted: 11-Jan-2018 Weekly Hours: 40.00 Read more
Senior Product Architect, *Apple* Pay - App...
# Senior Product Architect, Apple Pay Job Number: 58046427 Santa Clara Valley, California, United States Posted: 04-Jan-2018 Weekly Hours: **Job Summary** Apple , Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.