A VPN allows you to extend your local network to remote locations. Of course, if your local network is connected to the Internet, remote users may have access to the local network even without a VPN. A VPN offers two main advantages over direct non-VPN access:
The illusion of local access: Many local networks include protections against unwanted outside access. These may include firewall computers or iptables-based firewall rules on individual computers (both covered in Chapter 25, Configuring iptables), restrictions implemented in TCP Wrappers or xinetd (described in Chapter 4, Starting Servers), or restrictions set in individual server programs. A VPN allows a remote computer to look to local computers as if it were local, thus simplifying the configuration of potentially dozens of servers. The tricky task of determining which remote systems should have access as if they were local is isolated to the VPN server.
Encrypting nonencrypted protocols: The P in VPN stands for Private, so a VPN that doesn't include some sort of encryption to provide privacy isn't much of a VPN. By encrypting normally nonencrypted protocols like NFS and Telnet, a VPN allows you to transfer data over the Internet in a fairly straightforward way, at least from the point of view of the client and server. These clients and servers need no special security configuration, but benefit from the encryption provided by the VPN. Of course, there are encrypted protocols you might use instead of a VPN, and if you're only looking for encryption on one or two protocols, these may be easier to set up than a VPN.
One common use for a VPN is in linking multiple offices at distant locations. If your company has offices in Boston and San Francisco, you can use a VPN to tie them together, giving employees secure access to servers at one location from the other. Figure 26.1 illustrates this arrangement. The VPN routers in this figure function much like ordinary routers, NAT routers, or firewall computers. Instead of or in addition to performing ordinary routing, though, the VPN routers set up an encrypted link over which they can transfer data destined for each other.
Although Figure 26.1 shows a VPN that links just two networks, that's not the limit of VPN technology. You can link three, four, or more networks via a VPN.
Another use of a VPN is to grant individual users access to a larger network. This application commonly serves telecommuters and traveling employees. An individual can link a home computer or notebook to a larger network via a broadband or even a dial-up connection to get the benefit of the main office's servers. The VPN router in this scenario communicates directly with the individual remote systems; essentially, they are VPN routers as well, but they route only their own traffic for the remote system. This situation is illustrated in Figure 26.2.
VPNs are not without their drawbacks, even over fast external connections. For one thing, although they're designed as a secure way to link networks, if they're implemented improperly they can actually degrade your security. Consider a telecommuter who connects to a larger network via a VPN. If the larger network is protected by firewalls and similar measures, it should be fairly safe. The home computer, though, may not be very well protected against intrusion. If a cracker breaks into this system, it serves as a gaping hole through the larger network's firewall. These security risks are covered in more detail in the upcoming section, "Potential Security Risks with a VPN."
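As an added example (not from the book), one way to keep a compromised remote system from becoming a hole through the firewall is to give the VPN router's tunnel interface the same default-deny forwarding policy the firewall applies to Internet traffic, and then permit only the specific local servers and ports VPN clients need. The interface names, addresses and service list below are assumed placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: restrict what VPN clients may reach on the local network.
# Interfaces, addresses and services are constructed placeholders.
VPN_IF=${VPN_IF:-tun0}          # interface carrying decrypted tunnel traffic
LAN_IF=${LAN_IF:-eth0}          # interface facing the local network
VPN_NET=${VPN_NET:-10.8.0.0/24} # address range handed out to VPN clients
IPT=${IPT:-iptables}            # IPT=echo prints rules instead of applying them

# Services VPN clients may reach: "host proto port" per line (constructed)
ALLOWED='
192.168.1.10 tcp 2049
192.168.1.10 tcp 22
192.168.1.20 tcp 25
'

vpn_forward_rules() {
    # Default-deny forwarding, then allow replies to connections already opened.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One NEW-connection rule per permitted service; nothing else gets through.
    echo "$ALLOWED" | while read -r host proto port; do
        [ -n "$host" ] || continue
        $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$host" \
             -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log and drop everything else arriving from the tunnel, so a compromised
    # client probing the LAN shows up in the logs rather than succeeding silently.
    $IPT -A FORWARD -i "$VPN_IF" -j LOG --log-prefix "VPN-FWD-DROP: "
    $IPT -A FORWARD -i "$VPN_IF" -j DROP
}

# Number of NEW-connection accept rules the service list produces (dry run).
count_allow_rules() {
    ( IPT=echo; vpn_forward_rules ) | grep -c -- '--state NEW'
}
```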
Another problem with VPNs is that they can be tedious to configure, particularly in conjunction with firewalls. If your need for linking telecommuters, traveling individuals, or remote offices is limited, you might find it simpler to use one or two secure protocols, such as SSH.