Fig 2 - uploaded by Zornitsa Yakova
Source publication
This paper deals with the concept of a virtual private network (VPN) and the possibility of establishing a virtual connection in a different way than the traditional one. Living in a dynamic hi-tech world, there is a need for the constant development of new, modern, scalable and mobile services. The possibility to establish a secure private virtual connection throu...
Context in source publication
Context 1
... common practice is to use a virtual private network (VPN) when you need to use the systems and resources that are part of your corporate local network from external networks such as the Internet. A VPN is often a client-server application which handles the secure transfer of data between sites or remote clients via an encrypted virtual tunnel. The process is transparent to the participants, and communication between them works as if they were locally connected. A VPN is a private network that is created via tunneling over a public network, usually the Internet [1, 2]. Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site. The tunnel is a separate logical channel between endpoints; in combination with appropriate protocols it supports verification of identity, integrity and confidentiality, achieved by encrypting the traffic that crosses the public network within the VPN. This type of connection is closed to other network members. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model [1]. Layer 3 VPNs can be point-to-point site connections, or they can establish any-to-any connectivity among many sites. A VPN is a communications environment in which access is strictly controlled. There are two VPN topologies: site-to-site VPNs, which connect entire networks to each other, for example a branch office network to the corporate headquarters network; and remote-access VPNs, which support a client/server architecture where the remote user (VPN client) requires secure access to the local corporate resources and services via a VPN server device at the network edge. In the site-to-site VPN topology (Fig. 1) the connection devices on both ends (VPN gateways) are pre-configured and the VPN remains static. The process is transparent for the internal hosts.
They send/receive normal TCP/IP traffic through their VPN gateways, which are responsible for encapsulating and encrypting (decapsulating and decrypting) traffic from one site to another and sending it through a VPN tunnel over the Internet to a peer VPN gateway. In the remote-access VPN (Fig. 2) the configuration setup is assigned dynamically to VPN clients. The VPN connection can be enabled and disabled depending on the telecommuter's needs; a permanent connection is not needed all the time. The client is the initiator of the VPN connection and is responsible for establishing the VPN. The VPN server running inside the local network is configured with a virtual network interface on a different subnet. The VPN server waits for connections on the external network interface, where it performs authentication of the VPN client application. If the authentication is successful, the VPN client obtains the appropriate settings, which are part of that virtual network subnet. Then the encrypted tunnel is created between the VPN client and the VPN server [2]. If the client needs other services, they can be defined additionally at any time. A change of the client's location will not affect the VPN connection. There are some questions that the traditional approach to accessing a VPN cannot answer:
– What will happen if the topology is not known in advance?
– Is it possible to have VPN access without an existing configured server?
The aim of the current research is to answer these questions by exploring the latest innovative information and communication technologies, and to find entirely new possibilities for the design and creation of a new access model for virtual private networks in which the topology is not known in advance and there are no pre-configured VPN servers or VPN gateways. Nowadays many organizations use VPNs so that their users can transmit private information over the Internet in a secure way.
As a result of the rapid technological development of different complex virtual or cloud-based environments, a new challenge arises for VPN access control [4]. Different varieties of VPN models have been built to meet the new requirements of modern networks: simple configuration, flexibility and scalability, and security. One such implementation is the proposed on-demand VPN architecture used for communication between multiple VPN users based on a star topology [5]. Another model has realized a web-based interface for a full-tunneling VPN architecture, using a structured P2P approach for the creation and management of the network setups and a central server for all processes related to key management [6]. The final goal of the model proposed in this paper is the creation of a decentralized peer-to-peer shared network infrastructure architecture used securely by users working in collaborative groups at institutions such as universities or academia. The participants of such a group (who are in the same VPN session) have to communicate directly with each other without a central connection point, and the rules they use have to be dynamic, depending on the situation. In that VPN infrastructure, management responsibilities do not rest with just one entity, which improves productivity. The configuration of connection admission control has to be simple and easy to deploy. These features, together with appropriate security settings, have to build up a scalable, flexible and cost-saving network solution. The model (Fig. 3) follows the principles of a torrent system. Instead of a dedicated server with pre-defined VPN settings and a client who sends a request to that server for access to the private channel, there is an initiator who creates a new VPN session itself with a fixed identification number (ID). Peers that are part of the same 'network' as the initiator are participants using that VPN session. They should have the same ID as the initiator's.
Secure and encrypted connections are set up between the initiators and all remote participants. Tables with all participants and their associated IDs are created. The information in them is dynamically added and filled out by the participants, synchronized and distributed among all of them via a virtual cloud. In that scenario the topology is not known at the beginning of the process. The main key parts of the model are as ...
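As an added example (not code from the paper or its authors), the following Python models the session-ID based membership described above: an initiator creates a session with a fixed ID, a peer presenting the same ID is admitted by any existing member rather than by a central server, and the participant tables are merged pairwise so every peer converges on the same view. The HMAC-based join token, the version numbers on table entries and the sample peer names and endpoints are assumptions introduced here; the paper only says that peers carry the initiator's ID, and a bare ID is not by itself proof that a peer belongs to the session.

```python
# Added example, not the paper's code: a minimal model of session-ID based
# peer-to-peer VPN membership with pairwise table synchronization.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Participant:
    """One VPN participant (the initiator or a peer) with its local participant table."""
    name: str
    session_id: str
    session_key: bytes  # shared session secret distributed out of band (assumption)
    # table maps peer name -> (version, endpoint); the higher version wins on merge
    table: dict = field(default_factory=dict)


def create_session(initiator: str, endpoint: str) -> Participant:
    """The initiator creates a new VPN session with a fixed ID and seeds its own table."""
    session_id = secrets.token_hex(8)
    session_key = secrets.token_bytes(32)
    member = Participant(initiator, session_id, session_key)
    member.table[initiator] = (1, endpoint)
    return member


def join_token(session_id: str, session_key: bytes, peer: str, endpoint: str) -> str:
    """Proof that a joining peer knows the session key, bound to its name and endpoint."""
    message = f"{session_id}|{peer}|{endpoint}".encode()
    return hmac.new(session_key, message, hashlib.sha256).hexdigest()


def admit(member: Participant, claimed_id: str, peer: str, endpoint: str, token: str) -> bool:
    """Any existing member can admit a peer: the ID must match and the token must verify."""
    if claimed_id != member.session_id:
        return False
    expected = join_token(member.session_id, member.session_key, peer, endpoint)
    if not hmac.compare_digest(expected, token):
        return False
    version = member.table.get(peer, (0, None))[0] + 1
    member.table[peer] = (version, endpoint)
    return True


def synchronize(a: Participant, b: Participant) -> None:
    """Pairwise table merge: keep the higher-version entry for each peer, then share it."""
    if a.session_id != b.session_id:
        raise ValueError("participants are not in the same VPN session")
    merged = dict(a.table)
    for peer, (version, endpoint) in b.table.items():
        if peer not in merged or version > merged[peer][0]:
            merged[peer] = (version, endpoint)
    a.table = dict(merged)
    b.table = dict(merged)


def demo() -> dict:
    """Constructed scenario: initiator plus two peers; one peer later changes location."""
    alice = create_session("alice", "198.51.100.10:1194")
    sid, key = alice.session_id, alice.session_key
    # bob learned the session ID and key out of band and joins through the initiator
    token = join_token(sid, key, "bob", "203.0.113.5:1194")
    admit(alice, sid, "bob", "203.0.113.5:1194", token)
    bob = Participant("bob", sid, key, dict(alice.table))
    # carol joins through bob, not through the initiator: there is no central point
    token = join_token(sid, key, "carol", "192.0.2.7:1194")
    admit(bob, sid, "carol", "192.0.2.7:1194", token)
    carol = Participant("carol", sid, key, dict(bob.table))
    # carol moves to a new endpoint and re-announces herself with a higher version
    token = join_token(sid, key, "carol", "192.0.2.99:1194")
    admit(carol, sid, "carol", "192.0.2.99:1194", token)
    # pairwise synchronization propagates every update to all participants
    synchronize(carol, bob)
    synchronize(bob, alice)
    return {
        "tables_equal": alice.table == bob.table == carol.table,
        "members": sorted(alice.table),
        "carol_endpoint": alice.table["carol"][1],
    }


if __name__ == "__main__":
    print(demo())
```

The merge rule is deliberately simple (highest version wins per peer); a real deployment would also need entry expiry for peers that leave silently and an authenticated channel for the synchronization messages themselves, both of which are outside what the excerpt describes.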