
Virtual Private Networks (VPNs)

The VPN idea

  • End-to-end encryption and integrity verification for general-purpose IP traffic, not just a single application such as a login over ssh. (Although ssh can be used to tunnel many types of traffic, as discussed in Toxen.)
  • Being able to link from untrusted networks (e.g., the Internet) to trusted networks (e.g., intranets)
  • Integrated authentication and verification (public/private key pairs for both the server and the user)
  • Why? Because true private networks (dedicated lines) are very expensive and not generally portable. The Internet, on the other hand, is open and highly accessible.

What's out there for VPNs?

  • The IPSEC homepage at the IETF. Cisco's VPN product is widely deployed, and other products exist as well.
  • Microsoft has, so far, gone its own way, and has had a product for several years: PPTP. Here's their VPN FAQ page for NT.
  • You can run PPTP on Linux, too: see the Linux VPN Masquerade HOWTO for lots more information and background (and the other HOWTOs).

VPN at UNC

  • Students, faculty and staff are now able to use the Cisco VPN client to access the campus network from off-campus.
  • Use is free. Visit ATN's software pages to download the client for Windows, Solaris, Linux, Mac, etc.
  • The VPN is not currently configured for on-campus use
  • The VPN offers strong encryption for all traffic between your machine and the campus VPN gateway, i.e., everything to and from .unc.edu is protected while it crosses the Internet (once inside campus it travels as it would from an on-campus machine). Meanwhile, because the client is configured as a split tunnel, data going anywhere other than .unc.edu leaves your machine unencrypted, over whatever network you are on.
  • Once the software is downloaded, usage and other information is available from help.unc.edu. Two good documents are:
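The split data channel described in the UNC bullets above is a routing decision made on the client, and the following added Python example (not from the course notes or from ATN) shows what that decision looks like. It models a split-tunnel routing table with constructed campus prefixes and a constructed gateway address, all assumptions chosen for illustration, and does the same longest-prefix match the client's kernel routing table does; the full_tunnel variant shows what a non-split configuration changes.

```python
import ipaddress

# Constructed split-tunnel routing table.  The prefixes and the gateway
# address are assumptions chosen for illustration, not taken from the
# course notes or from ATN's configuration.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"),      "clear"),   # local default route
    (ipaddress.ip_network("152.2.0.0/16"),   "tunnel"),  # campus prefix, via VPN
    (ipaddress.ip_network("152.19.0.0/16"),  "tunnel"),  # second campus prefix
    (ipaddress.ip_network("152.2.250.1/32"), "clear"),   # the VPN gateway itself
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match, as the client's kernel routing table does it:
    the most specific route containing dst decides whether the packet is
    encapsulated ('tunnel') or sent unencrypted on the local link ('clear')."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if addr in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    net, via = max(matches, key=lambda r: r[0].prefixlen)
    return via


def full_tunnel(routes=ROUTES):
    """The same table with the default route pushed into the tunnel, i.e. a
    non-split configuration.  The gateway's /32 host route must stay in the
    clear, because the encrypted packets themselves have to reach it."""
    return [(net, "tunnel" if net.prefixlen == 0 else via) for net, via in routes]


def unprotected(destinations, routes=ROUTES):
    """Destinations that a given table sends out unencrypted."""
    return [d for d in destinations if next_hop(d, routes) == "clear"]


if __name__ == "__main__":
    sample = ["152.2.1.10", "152.19.200.5", "152.2.250.1", "198.51.100.7"]
    print("split tunnel, in the clear:", unprotected(sample))
    print("full tunnel,  in the clear:", unprotected(sample, full_tunnel()))
```

Two things to take from it: any destination outside the pushed prefixes leaves the laptop in the clear on whatever network it happens to be sitting on, and even in the full-tunnel configuration the gateway's own host route stays outside the tunnel, so a firewall on the local network sees encrypted packets to that one address and nothing else.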

VPN Uses

  • IPSEC is likely to be as secure as anything on the Internet. That is, quite secure when properly used (strong authentication, private keys kept private, sensible policy). Products using IPSEC are available.
  • Many environments, such as UNC and other campuses, as well as businesses, need to grant differential access to resources based on whether a system is inside or outside the network. A VPN gives the ability to place a remote system inside.
  • Because VPNs often bypass (or tunnel through) firewalls, they are a grave security risk: the firewall sees only encrypted packets it cannot inspect, and whatever is on the remote machine (a trojan, a borrowed laptop, a home PC shared with the family) is now inside the perimeter. How do you know that a SYSTEM on the network is operated by an authorized PERSON?
  • In mostly open environments such as UNC, VPNs are likely to be widely deployed primarily for convenience.
  • In mostly closed environments such as large high-tech businesses, VPNs are likely to force tighter security and monitoring, possibly with VPN clients placed on a less-trusted network segment than systems on-site or connected via a non-virtual private network.
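The SYSTEM-versus-PERSON question above is usually answered after the fact, from the gateway's session log: the only link between an inner address seen on campus and a person is the authenticated VPN session that held that address at that moment. The added Python example below is not from the course notes; its log format, usernames and addresses are constructed for illustration and do not mimic a real concentrator format. It joins constructed IDS alerts against constructed session records and contrasts a time-aware lookup with the tempting "who last used that address" shortcut, which misattributes an event as soon as the address has been reassigned to the next user.

```python
import re
from datetime import datetime

# Constructed VPN gateway session log in a made-up generic format (not a
# real Cisco concentrator format).  Usernames and addresses are assumptions.
SESSION_LOG = """\
2002-03-14 08:55:10 SESSION_START user=jdoe   assigned=152.2.200.17 from=203.0.113.45
2002-03-14 09:02:30 SESSION_START user=asmith assigned=152.2.200.18 from=198.51.100.9
2002-03-14 10:40:00 SESSION_END   user=jdoe   assigned=152.2.200.17
2002-03-14 10:41:15 SESSION_START user=bwong  assigned=152.2.200.17 from=192.0.2.77
"""

# Constructed alerts from an IDS on the campus side of the gateway.  It sees
# only the inner (assigned) address, never the user who authenticated.
ALERTS = [
    ("2002-03-14 09:30:00", "152.2.200.17", "portscan of 152.2.10.0/24"),
    ("2002-03-14 11:05:00", "152.2.200.17", "SMB password guessing against fileserver"),
    ("2002-03-14 12:00:00", "152.2.200.18", "outbound IRC connection"),
    ("2002-03-14 07:00:00", "152.2.200.17", "telnet to router (before any session)"),
]

LINE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SESSION_(?P<ev>START|END)\s+"
    r"user=(?P<user>\S+)\s+assigned=(?P<ip>\S+)"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_sessions(log):
    """Build a list of {user, ip, start, end} from the gateway log.
    end is None for sessions still open when the log ends."""
    sessions, open_by_ip = [], {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated log lines are ignored
        if m["ev"] == "START":
            s = {"user": m["user"], "ip": m["ip"], "start": _ts(m["ts"]), "end": None}
            open_by_ip[m["ip"]] = s
            sessions.append(s)
        else:
            s = open_by_ip.pop(m["ip"], None)
            if s is not None and s["user"] == m["user"]:
                s["end"] = _ts(m["ts"])
    return sessions


def attribute(sessions, ts, ip):
    """The user whose session held inner address ip at time ts, or None if
    no session covers that instant (the event cannot be tied to anyone)."""
    t = _ts(ts)
    for s in sessions:
        if s["ip"] == ip and s["start"] <= t and (s["end"] is None or t < s["end"]):
            return s["user"]
    return None


def naive_owner(sessions, ip):
    """The tempting shortcut: 'whoever last logged in with that address'.
    It ignores time, so events from an earlier session land on the wrong person."""
    users = [s["user"] for s in sessions if s["ip"] == ip]
    return users[-1] if users else None


def attribute_all(alerts=ALERTS, log=SESSION_LOG):
    sessions = parse_sessions(log)
    return [(ts, ip, what, attribute(sessions, ts, ip)) for ts, ip, what in alerts]


if __name__ == "__main__":
    for ts, ip, what, user in attribute_all():
        print(f"{ts} {ip:14} {what:45} -> {user or 'NO SESSION'}")
    print("naive owner of 152.2.200.17:", naive_owner(parse_sessions(SESSION_LOG), "152.2.200.17"))
```

Even the time-aware answer names only the account that authenticated, not the hands on the keyboard, which is exactly the gap the bullet points at; what the log does give you is a bounded list of people to ask, and a reason to keep the gateway's clock in sync with the IDS's.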


UNC SILS
Prof. Greg Newby