VPN Topologies Review: The Wireless Perspective

Written by Krelle Xijao. Published April 2007.


There are a number of ways to categorize VPNs, but the three main design varieties are network-to-network, host-to-network, and host-to-host.

Network-to-Network

Also referred to as site-to-site, this term is often used to describe a VPN tunnel between two geographically separate private networks. This type of VPN is commonly used when the LANs have to be connected across a public network so that users on both networks can access resources located on the other LAN, as if they were located inside their home network. A major advantage is that in this configuration both networks are adjacent and the background operation of the VPN gateways is transparent to the end users. In such a scenario, tunneling is also important, as private networks commonly use RFC 1918 reserved-range addressing that is not "routable" through the Internet. Such traffic has to be encapsulated into a tunnel for successful interconnectivity. A common example of such a design is the connection of two offices of the same organization over a point-to-point wireless link. Even though the traffic in transit does not leave the internal infrastructure of the organization, the wireless part of the journey has to be treated with the utmost care, as if the traffic were routed through the public network. You have seen how easy it can be to bypass WEP, and even TKIP can be vulnerable, so we strongly encourage you to use additional layers of encryption wherever possible when using 802.11 nets.
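The routing decision a site-to-site gateway has to make is the crux of the paragraph above: RFC 1918 destinations must never reach the wireless or public uplink unencapsulated. The following Python model is an added example (not code from the article); the two office prefixes, the gateway addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress
from itertools import chain

# Constructed example: office A uses 10.1.0.0/16 behind gateway 198.51.100.1,
# office B uses 10.2.0.0/16 behind gateway 203.0.113.1 (documentation addresses).
LOCAL_SITE = ipaddress.ip_network("10.1.0.0/16")
LOCAL_GATEWAY = ipaddress.ip_address("198.51.100.1")

# remote private prefix -> public address of the gateway terminating the tunnel
TUNNELS = {
    ipaddress.ip_network("10.2.0.0/16"): ipaddress.ip_address("203.0.113.1"),
}

# Explicit RFC 1918 list: Python's ip_address(...).is_private is broader
# (it also flags documentation and benchmarking ranges), so it is not used here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True when addr lies in one of the three RFC 1918 reserved ranges."""
    return any(addr in net for net in RFC1918)


def route(dst: str):
    """Decide what the local gateway does with a packet destined to dst.

    Returns (action, next_hop):
      'local'  - deliver on the local LAN
      'tunnel' - encapsulate and send to the remote gateway's public address
      'direct' - public destination, forward on the uplink unchanged
      'drop'   - RFC 1918 destination with no tunnel configured; it must not
                 be leaked onto the wireless/public uplink unencapsulated
    """
    addr = ipaddress.ip_address(dst)
    if addr in LOCAL_SITE:
        return ("local", None)
    for prefix, gateway in TUNNELS.items():
        if addr in prefix:
            return ("tunnel", str(gateway))
    if is_rfc1918(addr):
        return ("drop", None)
    return ("direct", None)


def encapsulate(src: str, dst: str, payload: bytes):
    """Model tunnel encapsulation: the inner packet keeps the private
    addresses, the outer header carries only the gateways' public addresses.
    The inner packet is what the VPN would encrypt; here it stays in clear
    because only the addressing is being modelled."""
    action, gateway = route(dst)
    if action != "tunnel":
        raise ValueError(f"no tunnel for {dst}: decision was {action!r}")
    inner = {"src": src, "dst": dst, "payload": payload}
    return {"src": str(LOCAL_GATEWAY), "dst": gateway, "inner": inner}


def uplink_leaks_private(decisions):
    """Audit helper: list destinations that would go out unencapsulated with a
    private address. Should always be empty for a correctly configured gateway."""
    return [dst for dst, (action, _) in decisions.items()
            if action == "direct" and is_rfc1918(ipaddress.ip_address(dst))]


if __name__ == "__main__":
    for d in ("10.1.5.5", "10.2.9.9", "192.168.1.1", "8.8.8.8"):
        print(d, route(d))
    print(encapsulate("10.1.5.5", "10.2.9.9", b"file sync"))
```

Both sites keep their private addressing; only the outer header, with the two public gateway addresses, is visible on the wireless hop, which is why the payload on that hop needs the tunnel's encryption regardless of what the link layer offers.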

Host-to-Network

The host-to-network scenario occurs when remote users connect to the corporate network over the Internet. The mobile client first establishes Internet connectivity and then initiates a request for an encrypted tunnel establishment with the corporate VPN gateway. Once the authentication is done, the tunnel is established over a public network and the client becomes just another machine on the internal network. The growing practice of employees working from home is stimulating an increase in this type of VPN connectivity. As opposed to the network-to-network situation, where the number of VPN participants is limited and is more or less predictable, a host-to-network VPN can easily grow beyond the controllable boundaries. Therefore, system administrators must prepare a scalable mechanism for client authentication and a key management system.


With respect to wireless point-to-multipoint links, Layer 2 security might be insufficient to protect such networks, or it might encounter serious compatibility and interoperability problems when running public hot spots or using legacy hardware. You should use scalable strong encryption, authentication, and user accounting for any organization that runs a wireless network in the office for its employees' laptops and other wireless devices. This might involve setting up a central VPN concentrator with access control and accounting capability over the VPN tunnels terminating on it. This could be a viable alternative to deploying a RADIUS server, user database, and 802.1X infrastructure. The host-to-network VPN topology assumes that wireless hosts connected via the VPN can access other networks, such as the Internet, through the VPN concentrator, but cannot communicate with other wireless hosts on the same WLAN.

Host-to-Host

Host-to-host is probably the least common scenario out of the three. It involves only two hosts participating in both encrypted and unencrypted communication. In such a configuration the tunnel is established between the two hosts and all the communications between them are encapsulated inside the VPN. The application of such networks is not common, but a suitable example might be a remote backup storage server located in a geographically distant location. Both hosts are connected to the Internet and the data from the central server is mirrored at the backup slave. In a wireless world, simple host-to-host VPNs can be employed to protect ad hoc WLANs.

Star

The networking world does not limit the number of participants in a VPN, so having discussed the simple host and network topologies, let's examine more complex cases. Note that the variety of VPN topology designs closely mirrors the physical design of nonvirtual networks.

Star is the most common of all VPN topologies. You have a VPN concentrator that has an established tunnel to each remote client. For one host to communicate with another, the data must pass from remote host A to the VPN concentrator and then from the VPN concentrator to remote host B. Bear in mind that the scalability of such a network is generally limited by the throughput of the VPN concentrator. The concentrator has to be able to support a sufficient number of simultaneous connections. Also, the overall performance of such a network is limited by the processing power of the concentrator, which is effectively halved for each connection between two hosts, as the data has to be decrypted on receipt and then encrypted again prior to transmission. The ease of centralized configuration, maintenance, access control, and accounting in this scenario is offset by the presence of a single point of failure: if the VPN concentrator is down, no further communication between the nodes is possible. The star topology is applicable to point-to-multipoint wireless links, but it is less secure than the host-to-network topology because wireless hosts can communicate with each other (via the concentrator).

Mesh

In the mesh topology, each node is directly connected by a tunnel to every other node on the network, thus creating a "wireframe" of interconnections. Such a topology eliminates the drawbacks of the star topology, but it has a great disadvantage in the huge increase in maintenance time and the difficulty of adding new nodes to the network. Note that the end clients now need to be more powerful machines, as the number of simultaneous tunnels each node has to handle will be greater than one. Imagine that you have to deploy a secure wireless ad hoc network, maybe as part of a massive wireless distribution system (WDS) project. The mesh topology VPN is, perhaps, the solution you are looking for, because you cannot implement an efficient 802.1X-based security solution on such a network, which lacks the Authenticator device (access point). Thus, both user authentication and key rotation, as defined by the 802.11i standard, may not work properly.
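The trade-offs in the host-to-network, star and mesh sections above (tunnels per node, the concentrator as a single point of failure, the decrypt-and-re-encrypt cost of relaying, and whether clients may talk to each other through the concentrator) can be checked with a small topology model. The code below is an added example, not from the article; the node names, the `concentrator_forwards` policy and the cost model of two crypto operations per relayed flow are constructed for illustration.

```python
from itertools import combinations

# Constructed example: a concentrator H and three wireless hosts.
HUB = "H"
HOSTS = ["A", "B", "C"]


def star_tunnels(hosts, hub):
    """Star: every host keeps exactly one tunnel, to the concentrator."""
    return {frozenset((h, hub)) for h in hosts}


def mesh_tunnels(hosts):
    """Full mesh: one tunnel per pair of hosts, n(n-1)/2 in total."""
    return {frozenset(pair) for pair in combinations(hosts, 2)}


def tunnels_per_node(tunnels):
    """How many simultaneous tunnels each node must terminate."""
    count = {}
    for tunnel in tunnels:
        for node in tunnel:
            count[node] = count.get(node, 0) + 1
    return count


def reachable(tunnels, src, dst, failed=frozenset()):
    """Graph search over the tunnels that survive the failure of the nodes
    in `failed`; a failed node takes all of its tunnels down with it."""
    failed = frozenset(failed)
    if src in failed or dst in failed:
        return False
    live = [t for t in tunnels if not (t & failed)]
    seen, frontier = {src}, [src]
    while frontier:
        node = frontier.pop()
        for tunnel in live:
            if node in tunnel:
                (other,) = tunnel - {node}
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    return dst in seen


def crypto_ops_at_hub(flows_relayed):
    """Each host-to-host flow relayed by the concentrator costs one decrypt on
    receipt and one re-encrypt before forwarding (the 'halving' in the text)."""
    return 2 * flows_relayed


def concentrator_forwards(mode, src, dst, clients):
    """Forwarding policy at the concentrator.
    'host-to-network': clients may reach networks beyond the concentrator
                       (e.g. the Internet) but never each other.
    'star':            client-to-client traffic is relayed."""
    peer_to_peer = src in clients and dst in clients
    if mode == "host-to-network":
        return not peer_to_peer
    if mode == "star":
        return True
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    star = star_tunnels(HOSTS, HUB)
    mesh = mesh_tunnels(HOSTS + [HUB])
    print("star tunnels per node:", tunnels_per_node(star))
    print("mesh tunnels per node:", tunnels_per_node(mesh))
    print("star A->B with H down:", reachable(star, "A", "B", {HUB}))
    print("mesh A->B with H down:", reachable(mesh, "A", "B", {HUB}))
    print("host-to-network A->B allowed:",
          concentrator_forwards("host-to-network", "A", "B", set(HOSTS)))
```

Running the model shows why the article ranks the topologies as it does: the concentrator in the star terminates every tunnel and is the only node whose failure partitions the network, the mesh survives any single failure at the cost of n-1 tunnels per client, and the host-to-network policy is the star without peer relaying.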
