A company wanting to connect two (or more) of its sites can choose from several different types of WAN services: leased lines, Frame Relay, or more likely Multiprotocol Label Switching (MPLS) today. All these services are typcially expensive. However, another much cheaper option exists for connecting company sites to each other. Each site can simply be connected to the Internet using a broadband Internet access technology like digital subscriber line (DSL), cable, WiMAX, or even 3G/4G. Different sites then can send data to each other using the public Internet as a wide area network (WAN).

There is one problem with using Internet as a WAN though. The Internet is not as secure as other WAN options. The vulnerability of the Internet is, to a great extent, due to the fact that it is a public network. Just anyone with a computer can access the Internet and possibly attack any other computer. Other WAN options mentioned here are relatively secure. For example, in order to steal data flowing over a leased line, the attacker has to physically tap into the line with specialized equipment or be present at the telco central office. These actions are punishable by law and not easy for just anyone.

The possibility to use the Internet as a WAN is quite tempting despite the security concerns. Virtual private network (VPN) technology provides answers to the security questions associated with using the Internet as a private WAN service. In this chapter, we introduce you to the basic concepts and terminology related to VPNs. We then discuss details of two main types of VPNs: IP Security (IPsec) and Secure Sockets Layer (SSL).

VPNs have several advantages over other WAN technologies, some of which are summarized here:

  • Cost: Internet VPN solutions can be much cheaper than alternate private WAN options available today.
  • Security: Modern VPN solutions can be as secure as private WAN options and are being used even by organizations with the most stringent security requirements such as credit card companies. 
  • Scalability: Internet VPN solutions can be scaled quickly and cost-effectively to a large number of sites. Each location can choose from multiple options of Internet connectivity. 

VPN Concepts

A virtual private network (VPN) is used to transport data from a private network to another private network over a public network, such as the Internet, using encryption to keep the data confidential. In other words, a VPN is an encrypted connection between private networks over a public network, most often the Internet. VPNs provide the following services:

  • Confidentiality: VPNs prevent anyone in the middle of the Internet from being able to read the data. The Internet is inherently insecure as data typically crosses networks and devices under different administrative controls. Even if someone is able to intercept data at some point in the network they won’t be able to interpret it due to encryption.
  • Integrity: VPNs ensure that data was not modified in any way as it traversed the Internet. 
  • Authentication: VPNs use authentication to verify that the device at the other end of VPN is a legitimate device and not an attacker impersonating a legitimate device. 
  • Anti-Replay: VPNs ensure that hackers are not able to make changes to packets that flow from source to destination. .
Key Concept: VPNs offer confidentiality, integrity, authentication, and anti-replay protection for user data.

A VPN is essentially a secure channel, often called a tunnel, between two devices or end points near the edge of the Internet. The VPN end points encrypt the whole of original IP packet, meaning the contents of the original packet cannot be understood by someone who even manages to see a copy of the packet as it traverses the network. The VPN end points also append headers to the original encrypted packet. The additional headers include fields that allow VPN devices to perform all their functions.

The graphic below and the explanation that follows should help you grasp basic VPN operation.  

Figure 12-1 VPN Concepts for a Site-to-Site VPN


The steps in the above graphic are explained here:

  1. A PC in the branch office sends a packet to a server in the headquarters, just as it would without a VPN.
  2. Cisco Adaptive Security Appliance (ASA) at the branch office, that is ASA1, encrypts the original packet, adds a VPN header, and adds a new IP header with public IP addresses.
  3. ASA2 at the headquarters receives the packet, authenticates the identity of the sender, confirms that the packet has not been changed in transit, and then decrypts the original packet.
  4. The server receives the decrypted packet.

Figure 12-1 shows Cisco Adaptive Security Appliance (ASA) performing VPN functions. However, several other hardware and software products are available for building VPNs. Some VPN products offered by Cisco are mentioned here.

  • Cisco Router: All Cisco routers that run Cisco IOS software can support IPsec VPNs. The only requirement is that you should use a Cisco IOS image with appropriate feature set. Examples of VPN-enabled routers include the Cisco 1800, Cisco 2800, Cisco 1900, and Cisco 2900 series.
  • Cisco Adaptive Security Appliance (ASA): The Cisco ASA is a versatile appliance that combines several security functions including firewall and VPN capabilities in a single piece of hardware. All ASA models support IPsec VPN provided you meet the licensing requirements to enable the VPN feature. 
  • Cisco VPN Clients: Cisco offers both hardware and software VPN clients. Cisco AnyConnect Secure Mobility Client is a software VPN client that runs on laptops as well as smartphones and tablets.