Chapter 22
How Virtual Secure Private Networks Work
An intranet by itself may help a company make better use of its
computing resources, allow for better intra-company communications,
and allow for the company to present a better face to the world.
But for many corporations, that isn't enough. Many companies also
need to do business directly with other business partners, such
as subcontractors, or companies from whom they're buying goods
and services.
Intranets can help there as well. They can allow companies to
do business directly with each other over the Internet - and to
do so securely. The technology that allows this to be done is
called Virtual Secure Private Networks (VSPNs) or Virtual Private
Networks (VPNs). In essence, the technology allows two companies
with intranets to create a "virtual" link between them
across the Internet that is as secure as if they were connected
via a private connection. VSPN technology can also be used to
create a "virtual" intranet for a company that can link
branch offices together over the Internet, while at the same time
ensuring that the data that passes between them can't be seen
by anyone except people in the "virtual" intranet.
These VSPNs can save corporations a substantial amount of money,
both for communicating with business partners and for hooking
together branch offices. Today, businesses commonly spend significant
amounts of money every month leasing private lines that no one
else can use. The data sent along these private lines cannot be
seen by anyone else; they are used by the company only. Because
of that, they are secure from prying eyes. If, however, there
were a way to link companies' intranets over the Internet, there
would be no need to pay for leased lines; all the traffic could
be handled over the Internet. In addition to saving money on lines,
the creation of secure links from intranet to intranet would also
allow companies to communicate more effectively electronically,
leading to greater efficiency and even greater savings.
VSPNs use a combination of routing technology, encryption technology,
and a technique called tunneling. When someone from one intranet
wants to send information to another intranet via a VSPN, VSPN
server software recognizes that the destination is a VSPN, and
so knows to handle the data differently than if it is being sent
to an unsecured site on the Internet. Using powerful encryption
technology, the software encrypts the IP packets so that no one
else will be able to read them. It then places those encrypted IP
packets inside an IP "envelope" or "wrapper." That envelope
is essentially a normal IP packet, so it gets delivered as does
any other data, via routers. No one can read what is inside the
wrapper, though, because it has been encrypted. When packets are
sent this way over the Internet, it is called tunneling.
On the receiving intranet, the VSPN software throws away the wrapper,
and then decrypts the data inside of it. The data is then delivered
over the intranet via intranet routers.
A Virtual Secure Private Network (VSPN) or Virtual Private Network
(VPN) allows business partners, each of whom has an intranet,
to send secure communications to each other over the Internet,
and know that no one else will be able to read the data. In essence,
it creates a private, secure channel between intranets, even though
the data sent between them travels over the public Internet. This
means that companies will not have to lease expensive lines between
them to send data over a secure link. The technology can also
be used to allow a company to link branch offices with each other,
without having to lease expensive lines, and know that the data
can only be read by people on the VSPN.
- When someone on an intranet wants to send private data to
another company via a VSPN, they don't do anything different than
when they send public data; they merely send the data as they would
to any location on the Internet. As with any data sent through
an intranet, it is broken up into TCP/IP packets.
- All packets sent out from the intranet go through a special
VSPN server. The server examines each IP packet to see whether
the packet is bound for another VSPN intranet, or instead to the
Internet. It determines whether it's bound for another VSPN by
examining the IP addresses in the packet headers. It checks the
destination address against a database of VSPN addresses. If the
packet doesn't match a VSPN address in the database, it means
that the packet is bound for the general Internet, not a VSPN,
and so the VSPN software takes no further action. The packet is
sent to its destination as a normal packet, via routers.
- If the packet matches a VSPN address, the software knows
to take further action. It takes the entire TCP/IP packet, the
header as well as the data, and encrypts it with powerful encryption
technology. This means that no one who looks at the packet would
be able to read any part of it.
- A new IP "envelope" or "wrapper" is put
around the encrypted packet. This envelope contains IP information
such as destination and source address, so that the encrypted
packet can be delivered over the Internet. To the Internet, it
looks like a normal TCP/IP packet, but the encrypted information
in the packet will not be able to be read by anyone.
- The packet is sent to a router, and then sent over the Internet
to its VSPN destination. Sending an encrypted packet inside a normal
IP envelope or wrapper over the Internet in this way is often
referred to as "tunneling."
- The packet is delivered to the destination VSPN, where the
VSPN server examines the packet. It checks the IP address of the
sender. If the address is not in the database of other VSPN intranets,
it simply sends the packet along to an intranet router to deliver
it. If the address is in the database, it strips off the IP wrapper,
and decrypts the original TCP/IP packet. The packet is now in
its original form.
- The packet is sent to an intranet router, which delivers it
to its final destination. It can be used as any normal TCP/IP
packet.
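The following simulation of the sending and receiving VSPN servers, covering both the tunneling explanation earlier in the chapter and the numbered steps above, is an added example and not code from the book: it performs the database lookup, encrypts the whole inner packet (header included), puts it in an outer envelope addressed gateway to gateway, and on the receiving side unwraps only packets from a known peer. The 8-byte packet layout, the gateway addresses, the pre-shared key and the HMAC-based stand-in cipher are all assumptions; the page names no algorithm.

```python
import hashlib, hmac, ipaddress, os

TUNNEL_KEY = b"pre-shared key between gateways"   # hypothetical; key exchange is out of scope

def pack(src, dst, payload):
    """Toy 'IP packet': 4-byte source, 4-byte destination, then the data."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload

def unpack(pkt):
    return str(ipaddress.ip_address(pkt[:4])), str(ipaddress.ip_address(pkt[4:8])), pkt[8:]

def _stream(nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode. The page names no algorithm.
    return b"".join(hmac.new(TUNNEL_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(inner):
    """Step 3: encrypt the WHOLE inner packet, header included, and append an integrity tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner, _stream(nonce, len(inner))))
    return nonce + ct + hmac.new(TUNNEL_KEY, nonce + ct, hashlib.sha256).digest()

def open_(blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(TUNNEL_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel packet failed integrity check")  # tampered, or wrong key
    return bytes(a ^ b for a, b in zip(ct, _stream(nonce, len(ct))))

class VspnServer:
    def __init__(self, address, peers):
        self.address = address   # this gateway's public address
        self.peers = {ipaddress.ip_network(n): gw for n, gw in peers.items()}  # the VSPN database
    def gateway_for(self, dst):
        """Step 2: look the destination up in the database; None means plain Internet."""
        addr = ipaddress.ip_address(dst)
        return next((gw for net, gw in self.peers.items() if addr in net), None)

    def outbound(self, inner):
        """Sending side: wrap and encrypt only traffic bound for a VSPN peer."""
        gw = self.gateway_for(unpack(inner)[1])
        if gw is None:
            return inner                                # ordinary Internet traffic, untouched
        return pack(self.address, gw, seal(inner))      # step 4: outer 'envelope', gateway to gateway

    def inbound(self, pkt):
        """Receiving side: strip the wrapper only for packets from a known peer gateway."""
        src, _, body = unpack(pkt)
        if src not in self.peers.values():
            return pkt                                  # step 6: not a VSPN peer, deliver as is
        return open_(body)                              # step 6: unwrap and decrypt the original
```

The integrity tag is the one thing the chapter does not mention: without it a receiving gateway would decrypt a modified envelope and hand a corrupted packet to the intranet, so real tunnel protocols authenticate as well as encrypt.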

Copyright 1998 EarthWeb Inc., All rights reserved.
Copyright 1998 Macmillan Computer Publishing. All rights reserved.