SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Types of VPN networks and how they work: Do you know which kind to use?
Mon, 11th Jul 2016
FYI, this story is more than a year old

No doubt you are already aware of the importance of using VPN networks to guarantee the privacy of your information. In fact, this has been one of our most repeated recommendations—we have already talked about what a VPN is, some of its uses, the most popular encryption protocols, and some of the vulnerabilities it can have in terms of remote access.

With this post our intention is to go deeper into how it works, explaining the most common types of VPN networks that can be implemented. But before we do so, it's worth taking the time to explain in detail the technique of tunneling, so that we have a better understanding of how this type of network works.

Tunneling: encapsulating data

When we talk about how a VPN works, what is really happening in the communication is that the data which is sent in this type of communication, get encapsulated by using an encrypted network protocol to travel across the communication network. This technique, known as tunneling, actually creates an encrypted communication tunnel – or channel – within a computer network.

As the important information travels encrypted within the communication's protocol data unit (PDU), all of the intermediate nodes that are involved in the communication will interact with the packet. However, de-encapsulation and decryption of the information – for it to be used – will be possible only at the end of the communication. So, the tunnel is established between the endpoints of the communication using one of the most popular encryption protocols  – SSH (Secure Sockets Layer).

Now let's look at the two most common types of VPN and their main characteristics.

Client-based VPNs

This type of VPN allows you to have a user connected to a remote network through an application that takes care of initiating the communication and establishing the VPN. To access the secure connection, the user needs to launch the application and authenticate with a username and password. This is how the encrypted channel is created between the computer and the remote network to exchange data securely.

When it comes to implementing this type of VPN, we find that operating systems like Windows and Mac, and mobile systems like Android, offer the option to configure an encrypted channel to communicate with another network based on different standards. In the case of devices from the Apple and Windows family, there are options such as L2TP (Layer 2 Tunneling Protocol), PPTP, and SSTP.

This type of VPN is a simple mechanism so that users can connect their computers or mobile devices to a network that guarantees privacy of information. As such, it's a great option for employees to access their company's sensitive information while working from home or a hotel, for example.

Network-based VPNs

This approach is for when you want to connect different networks to each other through an unsecured network, mainly the internet. It's the approach taken by companies to connect the networks of different head offices that are geographically dispersed in order to share information securely. There are various types of network-based VPNs. Within this approach we can find IPsec tunnels.

IPsec tunnels are the simplest approach to a VPN, and most network firewalls and routers use them. This type of approach consists in nothing more than establishing a tunnel (by tunneling) so that all the traffic to be exchanged between the two networks travels in an encrypted form. However, this approach can also be used to encapsulate the traffic for a single device.

In this type of approach, it is necessary to establish the endpoints of the tunnel – in other words the devices responsible for encapsulating and de-encapsulating the information that travels in an encrypted form. In addition, you have to decide how to carry out authentication (passwords or certificates) and which type of traffic will flow through the tunnel.

To define which traffic can travel through the VPN, you can have policies in the IPsec tunnels to restrict the traffic that flows through them. Access control lists (ACL) are used to establish policy-based VPNs.

When this type of approach is taken, a single tunnel is established between two locations to provide access to resources and to do so in a more controlled way. For example, it could be used to give a provider or client access to a specific part of the company's information.

In contrast with policy-based IPsec tunnels, we also have route-based IPsec tunnels, which work as virtual links that enable any type of traffic to flow through them.

There is no excuse for not protecting communications

Whether you want to protect access to a work-related network while you are travelling, protect your browser data while using a public Wi-Fi network, enter websites that are blocked on geographic grounds, or get around internet censorship, using a VPN is the best option we have to guarantee that when we exchange our information it happens securely.

There are various VPN services we can use to ensure the privacy of our data. We can choose free VPNs or ones that charge a small fee. Of course, like many other services, the free options make their money by other means, often through the collection of personal and browser data.

If you combine this form of protection with an anti-malware solution, a properly configured firewall and responsible user behaviour, you can give yourself a level of security that matches the importance of your information.