Friday, December 14, 2007

Get your own private network

Database News - Wednesday December 12, 2007

HOME BUILDER


JAMES HEIN

In a continuation of the security theme from last week, we're going to cover the topic of VPNs, or virtual private networks. VPN is a technology that overlays or works on an existing communications network. Common terms you will hear in relation to VPNs are tunneling, dedicated, secure, authentication, encryption and nonrepudiation.

So a VPN is like a network within a network. The larger network can be the Internet, some local WAN (Wide Area Network) or even a subnetwork inside a LAN (Local Area Network), though the latter doesn't make a lot of sense unless you are trying to isolate a group of computers.

I use a VPN connection to my office. No matter where I am in the world I can specify a new connection by right-clicking on Network Connections, New Connection Wizard and Connect to the Network at my Office. In this case I need to provide an IP address, some security information, be registered for the network at my office and then I can "VPN in" to access servers there.

In the near future I will need to have the hardware I am using registered with the network. This reduces the accessibility but increases security. If you remember from last week, security is a balance between usability and protection. Typically this means that more protection means less convenience and usability.

If you are working in a business environment then a VPN system will typically mean lower costs, as facilities are shared and you don't need to bring in specialised connectivity. It is a quick and easy way to link together different branches, mobile workers and groups of people. The VPN system has fairly decent security on its own but you can successively add secure layers depending on your needs. VPNs are easily scaled and you can save on support because it is outsourced as required.

Stop and think about this in terms of your web site building. If your site is for a specifically controlled group of people then you can move it off the Internet and into a VPN. The word "off" here is a little misleading because your communications pathway will still be the Internet, with the VPN operating inside this.

If you want a more secure system then your members may have two connections at home: one for the VPN at a known IP address that is allowed access, and the other one for general Internet use. Another option is to check the physical (MAC) address of the PC, notebook or LAN card to ensure that only specific machines have access. You can check this address on your PC by clicking on Start, selecting Run and typing IPCONFIG /ALL at the prompt in the panel that appears.
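As an added example (not part of the column), the following Python script reads the kind of output IPCONFIG /ALL produces, pulls out each adapter's physical address, and compares it against an allow-list of machines that may use the VPN. The sample text is constructed for the example rather than captured from a real machine, and the allow-list values are made up.

```python
import re

# Constructed sample of "ipconfig /all" output (not captured from a real PC).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : office-laptop

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Generic Ethernet Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IP Address. . . . . . . . . . . . : 192.168.1.20

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Generic Wireless Adapter
   Physical Address. . . . . . . . . : 66-77-88-99-AA-BB
   IP Address. . . . . . . . . . . . : 192.168.1.21
"""

# An adapter section starts at column 0 and ends with a colon.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# The physical address line is indented and uses dashes between octets.
MAC_RE = re.compile(
    r"^\s+Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$"
)


def normalize_mac(mac):
    """Upper-case, colon-separated form so different spellings compare equal."""
    return mac.upper().replace("-", ":")


def parse_physical_addresses(text):
    """Return {adapter name: normalized MAC} from ipconfig /all output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and current:
            result[current] = normalize_mac(m.group(1))
    return result


def allowed_adapters(text, allow_list):
    """Names of adapters whose MAC is on the (hypothetical) allow-list."""
    allowed = {normalize_mac(m) for m in allow_list}
    return [name for name, mac in parse_physical_addresses(text).items()
            if mac in allowed]


if __name__ == "__main__":
    print(parse_physical_addresses(SAMPLE_IPCONFIG))
    print(allowed_adapters(SAMPLE_IPCONFIG, ["00-11-22-33-44-55"]))
```

A MAC address is something the machine reports about itself and can be changed in software, so a check like this tells a server which adapter a client claims to have, not who the user is; it belongs alongside the username, password and IP checks the column mentions rather than in place of them.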

You can also set it up so that when you start a VPN session all other connectivity is blocked on your machine so that nothing can break into the computer session. In this case the Internet connectivity can still be out through the enterprise connection. This approach is a fairly common one.

So returning to those terms outlined above, a VPN uses encryption to keep the data confidential from anyone who might be snooping on your connection. It uses a system of authentication to validate the two parties that are communicating together via usernames and passwords, IP addresses or a MAC physical address - or a combination of these.

The VPN keeps the identities of the communicating parties confidential through a process known as tunneling and makes sure that the data being sent is accurate and hasn't been tampered with - or nonrepudiation. It also protects against packets being sent multiple times through replay prevention.
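To show two of those properties concretely, here is an added Python example (my own illustration, not code from the column or from any VPN product) of how a tunnel can detect tampering and reject replayed packets. Each packet carries a sequence number, the payload and an HMAC-SHA256 tag over both; the receiver drops any packet whose tag does not verify and keeps a sliding anti-replay window, in the style of IPsec, so a packet that has already been accepted is refused even if it is resent later. The key, packet layout and window size are choices made for the example; encryption of the payload, which a real VPN adds for confidentiality, is left out.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32      # HMAC-SHA256 tag size in bytes
SEQ_LEN = 8       # 64-bit sequence number
WINDOW = 64       # anti-replay window size, chosen for the example


def seal(key, seq, payload):
    """Build a tunnel packet: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies packet integrity and rejects replays with a sliding window."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = -1   # highest sequence number accepted so far
        self.seen = 0       # bit i set => seq (highest - i) already accepted

    def open(self, packet):
        """Return the payload, or None if the packet is tampered or replayed."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None
        header = packet[:SEQ_LEN]
        body = packet[SEQ_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        # Integrity: recompute the tag and compare in constant time.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        (seq,) = struct.unpack(">Q", header)
        # Replay check against the window of recently accepted sequence numbers.
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return body
        offset = self.highest - seq
        if offset >= self.window or (self.seen >> offset) & 1:
            return None          # too old to track, or already accepted
        self.seen |= 1 << offset
        return body


def demo():
    """Send two packets, replay the first, then tamper with the second."""
    key = os.urandom(32)         # constructed session key for the demo
    rx = Receiver(key)
    p1 = seal(key, 0, b"hello")
    p2 = seal(key, 1, b"world")
    results = [rx.open(p1), rx.open(p2), rx.open(p1)]   # third is a replay
    tampered = bytearray(p2)
    tampered[SEQ_LEN] ^= 0x01    # flip one payload bit; tag no longer matches
    results.append(rx.open(bytes(tampered)))
    return results


if __name__ == "__main__":
    print(demo())                # [b'hello', b'world', None, None]
```

Packets may arrive out of order and still be accepted as long as they fall inside the window, which is why the receiver tracks a bitmask rather than insisting on strictly increasing numbers; a packet older than the window is dropped outright, since the receiver can no longer tell whether it was already delivered.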

Tunneling is also a method used in point-to-point protocols and may be associated with a VPN or a PPVPN, although not always, such as with a point-to-point download service. Beyond this, VPNs get quite technical and this starts to stray out of the web programmer's concern into the networking person's realm - something that I will be covering next week.

So do you need to set up a VPN for your web site? Probably not, unless you are planning to have a fairly select group of users that will be part of your network. Under normal conditions you will have some kind of membership-based system, where a username and a logon will provide enough security. In some countries however (although not Thailand), the kind of data you are storing on the server may require specialist access requirements.

Email: jamesh@inet.co.th

Bangkok Post
