
Virtual Private Networking


DrayTek were pioneers in bringing low-cost, easy to use hardware-based VPN products to the SME market. These products enable you to carry confidential company data securely site-to-site using your standard Internet connection, saving on having dedicated leased lines or dial-up access. VPN has made the idea of true teleworking cheap and simple. In this short guide, we explain what VPN is and what it can do for you.

A company might have one office, or it might have many. It might have office based staff or teleworkers - workers who do company business from home or in the field. In a single office, Local Area Networking, perhaps using regular Ethernet, can connect all of your computers to each other and to any local servers. For remote offices or users, you need some other connection medium.


Dial-up connectivity

Traditionally, you might connect remote workers or offices to each other using dial-up modems. A server and modem at the receiving site would answer the call, you would exchange whatever data you need and then disconnect. This had call costs, line rental costs, tied up phone lines and was limited in speed. It was, however, considered to be reasonably secure as it was carried end-to-end across closed networks or private paths. This dial-up access was either analogue or digital (ISDN). If higher speeds or permanent connectivity were required, you could rent a 'leased line' - a dedicated point-to-point always-on connection - but that was very costly. Leased lines are still used as standard for high-reliability connectivity, for example between ISPs or for corporate mission-critical applications where broadband is not considered reliable or secure enough.


Using the Internet

[Diagram: Internet direct point-to-point connection]

With the introduction of the Internet, there is a common public network over which any computer or other connected device can communicate with any other. Every Internet termination point has its own unique (at any one time) IP address. Therefore, in a simple scenario, a PC can talk to any other PC directly across the Internet. If you are using broadband (non-dialup) then your connection can be always on, so there are no ongoing call charges and you're not tying up your regular voice line. This is illustrated in the above diagram: the teleworker can send data directly to the HQ over the Internet, but, being a public network, and specifically a network in which your data will pass through many other locations en route, the connection is insecure - anyone en route can capture and read/use that data. This is clearly unacceptable for a business, and in fact for much domestic usage too. It also means that your computers must be directly accessible on the Internet, with a public IP address, which makes you vulnerable to hacking. This arrangement is therefore highly undesirable.


Creating a VPN

A VPN provides the security of a private network, with the convenience and low cost of a public network, hence it's a "Virtual" Private Network.

Firstly, before you set about creating a VPN, both sides of your connection are isolated from the Internet, normally in a private IP address range. In that way, your PCs cannot be reached from the outside world, providing protection from hackers. A firewall is then put on the Internet connection, providing security from the outside world (and normally also providing NAT and Internet browsing capability for the LAN users). Let us assume that the firewall in this case is a DrayTek Vigor firewall - one at the branch office and one at the headquarters.

The main concept in creating a VPN is that of 'tunnelling'. A VPN tunnel consists of encrypted packets of data sent between the two Vigors (the VPN 'endpoints'). These packets will contain a payload of private data, which is decrypted and unpacked at the other end of the tunnel and delivered to the destination, behind the remote firewall. To the outside world, i.e. anyone spying on your data as it passes across the Internet, they just see the outside of the tunnel - the encrypted data but not the actual data within, which can be encrypted with strong 3DES or even stronger AES encryption. If high security is less important, and you just want to join two networks for convenience, you can use simpler tunnelling protocols such as PPTP.

In the diagram above, you can see the branch office and the Headquarters. Each has a private network behind the Vigor Firewall, and the Vigor is then creating a VPN endpoint at each end. Through that green VPN tunnel, your private data can flow. The teleworker doesn't have a Vigor router - he could, of course, but in this example he would be using a software VPN client and firewall, such as that built into Windows XP.


Summary - The Advantages of VPNs


VPN Topology Examples

[Diagram: VPN between branch offices]

The diagram above shows VPN tunnels between two offices in more detail, with respect to their individual IP address ranges (subnets), and also a single teleworker. In both examples, all PCs shown have access to all PCs at all ends of the link. The teleworker may only need one VPN tunnel if he requires access to only one of the offices.


Using the VPN

Now that you have your remote networks or users connected to each other, through an encrypted tunnel, what can you do with it? The tunnel carries any TCP/IP data from one device to another. This can be remote control data (widely used by teleworkers to operate their office PC from home) or access remote resources such as shared drives or printers.

On the right you can see an example of a remote PC being accessed. Remember that your VPN is being carried over a broadband (or slower Internet) link, which is considerably slower than your local Ethernet connection, so transferring (opening) larger files takes proportionally longer.

Note : VPN users don't actually have to use broadband - they can use any type of Internet connectivity, including dial-up.

A Vigor router with VPN support can operate multiple VPN tunnels simultaneously - for example, if you have five offices, you can have five VPN tunnels so that you can communicate with all of them. The Vigor will display the current VPN status:

[Screenshot: Vigor VPN status screen]
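The two decisions a VPN endpoint makes for every packet - which tunnel (if any) a destination belongs to, and whether an inbound packet is allowed to reach the private LAN at all - can be shown in a few lines. This is an added example, not DrayTek's or the Vigor's code; the HQ, branch and teleworker subnets and the public endpoint addresses are constructed values, not those of the diagrams above.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed topology: the HQ Vigor's own LAN, plus one entry per remote
# site it holds a tunnel to: (remote private subnet, remote public endpoint).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")           # headquarters LAN
TUNNELS = {
    "branch":     (ipaddress.ip_network("192.168.2.0/24"), "203.0.113.10"),
    "teleworker": (ipaddress.ip_network("192.168.3.0/24"), "198.51.100.7"),
}


def route(dst: str) -> Tuple[str, Optional[str]]:
    """Decide how the HQ router forwards a packet from a LAN PC to dst.

    Returns ("local", None) for the HQ LAN itself, ("vpn", endpoint) when
    dst lies in a remote site's subnet (the packet is encrypted and sent to
    that site's public endpoint), or ("nat", None) for anything else, which
    leaves as ordinary NAT-translated Internet traffic.
    """
    addr = ipaddress.ip_address(dst)
    if addr in LOCAL_LAN:
        return ("local", None)
    for subnet, endpoint in TUNNELS.values():
        if addr in subnet:
            return ("vpn", endpoint)
    return ("nat", None)


def accept_inbound(src: str, dst: str, via_tunnel: Optional[str]) -> bool:
    """Firewall check for a packet arriving on the WAN side.

    via_tunnel names the tunnel the packet was decrypted from, or None if it
    arrived unencapsulated from the open Internet. Private LAN addresses are
    reachable only through a tunnel, and only from that tunnel's own remote
    subnet, so a branch tunnel cannot inject teleworker source addresses.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in LOCAL_LAN or via_tunnel not in TUNNELS:
        return False          # LAN is unreachable from outside the tunnels
    subnet, _ = TUNNELS[via_tunnel]
    return s in subnet        # source must belong to that tunnel's subnet
```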


Summary of DrayTek VPN Features

Vigor routers with VPN capability provide a wide array of standard protocol support, providing flexible configuration options to suit your own preferences and good cross-compatibility with other vendors' products.


3rd Party Vendor Compatibility

The Vigor routers have also been tested with VPN devices from other manufacturers. This includes Cisco™ Pix, Nokia™, Sonicwall™, Checkpoint™, ZyWall™ and Watchguard™ products. Please note that DrayTek can only offer technical support for their own products and may not be familiar with your own particular 3rd party product, but some setup guides are available on the web site.


To find a Vigor router with the right line interface and VPN capability, you can check the Router Comparison Chart.


NOTICE : This document is ©2005 SEG Communications and may not be distributed without specific written consent. Information and products subject to change at any time without notice.