How is confidentiality ensured using the ipsec vpn protocol?

Running head: SECURE VPN CONNECTIONS 1

SECURE VPN CONNECTIONS 23

VPN Connections

Name

Institution

Abstract

Virtual Private Networks (VPNs) are beneficial to a company to create secure connections within, and remotely. However, establishing VPN is a complex task that requires making choices on what type of VPN and what VPN technologies to use. There are two types of VPN, but each type serves a different purpose. Further, establishing these types of VPNs require different hardware and software. Therefore, it is important to understand what is required for the type of VPN that one intends to establish. Above all, security is a major concern for VPNs. In addition to enjoying the benefits of VPN companies want to have their connection secure. This means ensuring data confidentiality so that the sent data is seen by the authorized users only. Data integrity defines that the data sent over the network is not altered or tampered with, and authentication entails users of the network to verify their identity. Different protocols provide different aspects of security. In addition, to set up a VPN one should choose the most appropriate protocol that offers the desired security elements. Therefore this paper explores VPN types, hardware and software required for the different types of VPNs and the VPN topologies. The paper starts with an introduction which is followed by a detailed discussion of VPN and the VPN types namely; the remote access VPN and the site to site VPN. VPN technologies continue within the paper and discusses how VPN meets the confidentiality, integrity and availability factors. Under the VPN technologies a more detailed discussion is provided for the IP Sec and GRE tunnelling and SSL VPN.

Table of Contents Introduction 4 Virtual Private Networks 6 Site to Site VPN 7 Remote Access VPN 10 VPN Technologies 12 Generic Routing Encapsulation (GRE) 15 IPsec VPN 16 SSL VPN 20 Conclusion 21 References 23

Secure VPN Connections

Introduction
The world is changing rapidly every day, more so in the technology industry. Businesses are now forced to cope with regional concerns in addition to their local ones. Many businesses are forced to consider the global markets and logistics. These organizations have established branches in different regions of the country or the world. Additionally, these companies need to be secure, fast, connected, and able to communicate effectively.

Until recently, communication between distant branches has been done using leased lines in a Wide Area Network (WAN) form of connection. Leased lines used have ranged from optical carrier-3 which has a speed of 155Mbps or ISDN with a speed of 144Kbps (Comer, 2015). These WAN networks have been advantageous in that the security, performance and reliability resulting in high proficiency. However, setting up and maintaining WAN networks over a large area using leased lines is expensive. Further, leased lines are not viable in terms of mobility (Comer, 2015). WAN highly limits the employees' mobility. For example, a marketing staff might need to frequently connect remotely to the company's network to access sensitive information.

With the growing popularity of the internet, businesses have sought ways to extend their connections. First, came the intranet by which sites meant to be used by the company employees were created. Currently, companies create Virtual Private Networks with an aim to meet the need of connecting distant offices and giving access to remote employees (Bays et al, 2015). A typical VPN may have the LAN established at the main headquarter and the other LANs set up at the remote facilities such that users can connect from remote areas. Therefore, from this description, a VPN can be described as a private network that makes use of the public network such as the internet to connect to the company's resources (Bays et al, 2015). Further, instead of using a wired connection the VPN is a virtual connection that has been routed from the organization's private network through the internet to form a remote connection.

To create and enable a VPN, tunnelling protocols are required whereby one can establish a tunnel between the endpoints on the network. VPN makes use of tunnelling and advanced encryption techniques to enable organizations to establish an end to end network connections over a public network that are secure. The three main elements that VPNs seek to achieve are; data integrity; data confidentiality and authentication. Data integrity ensures that data communicated over the network is not altered or tampered with (Computer-solutions.com, 2015). In this regard, the data is transmitted from the source to the destination whereas unauthorized personnel cannot tamper with it. To ensure data integrity VPNs use hashes that act like a seal to guarantee no unauthorized persons read the message content. On the other hand, data confidentiality entails protecting data from unauthorized persons such as hackers (Computer-solutions.com, 2015). The main aim of data confidentiality is to protect the message content for unauthorized interceptions, to achieve this VPN uses encapsulation.

Authentication makes sure that the message comes from a reliable source and is received at the authentic destination (Computer-solutions.com, 2015). To achieve authentication, VPNs identify parties on both ends of the network using digital certificates, passwords, biometrics, and smart cards. Most organizations deploy VPNs aimed at providing data confidentiality, data integrity and authentication of packets transmitted over the unsecure network.

Virtual Private Networks
When using a public internet, security is always a concern. Virtual Private Networks (VPNs) not only enable the connection of two sites, but also ensures that they are secure. To do so, the VPN creates a private tunnel over the public network. Once the VPN connection is established data is protected through authentication and encryption making it possible to securely shared information through the tunnel (Chamberlain et al, 2017). Tunnelling comprises of three protocols; the passenger protocol which is the original data; the encapsulating protocol which is the protocol wrapped with original data such as GRE; and the carrier protocol which is the protocol over which information travels over the network (Mano et al, 2017). The passenger packet is encapsulated inside the encapsulating protocol which is later put into the carrier protocol header to be transmitted over the network. Further, the encapsulating protocol encrypts data protocols such as IPX can be successfully transmitted (Mano et al, 2017).

Virtual Private Network (VPN) is a technology that makes it possible to create a secure network connection over an insecure network (Salman, 2017). VPN protects the privacy of the computer user accessing the internet. VPNs are highly preferred for their beneficial features. To start with, VPNs are able to extend connections across different locations without necessarily using leased lines (Salman, 2017). Secondly, VPNs implement security mechanisms such as encryption that makes it possible to share data safely. In addition, VPNs provides a high level of flexibility for remote employees and offices, so they are able to access the company's intranet over the internet connection created. This saves time and cost of commuting of employees and for establishing multiple networks within the company. Lastly, establishing VPNs is cheaper that connecting sites using leased lines (Salman, 2017).

The two main VPN technologies are; (1) site to site VPN; (2) Remote access VPN. A site to site VPN makes it possible for sites in fixed locations to connect with each other securely over a public network (Han, Gopalakrishnan, Ji & Lee, 2015). This type of connection enables resource sharing by employees in the different locations/sites. On the other hand, the remote access VPN securely connects to a remote computer network, so individuals can access these secured resources over the internet (Han, Gopalakrishnan, Ji & Lee, 2015). To implement VPN over a Wide Local Area Network (WLAN), the two most widely used solutions are IPsec VPN and SSL VPN.

Site to Site VPN
A site to site connection is established by connecting multiple sites over the public network. A local connection to the public network is set up for each site. This saves the cost that would have been used to buy leased lines to connect the sites. Site to site connections can further be classified as intranets and extranets. When a site to site VPN connects branches of a company it is referred to as an intranet VPN. On the other hand, when a site to site VPN connects a company to its customers or partners then it is referred to as an extranet VPN.

A site-to-site VPN acts as an extension to the Wide Area Network, connecting other networks (Liyanage et al,2015). For example, a headquarters office can be connected to all the other branches using a site to site VPN. Previously leased lives have been used to create connections, however they have since been replaced by the highly configurable and manageable VPN (Liyanage et al,2015).

A site to site VPN occurs when devices on both sides of the VPN know about the VPN configuration, but the internal host is unaware. In a site to site VPN hosts on the host end receive and send TCP/IP traffic which passes through the VPN gateway (Han, Gopalakrishnan, Ji & Lee, 2015). The work of the VPN gateway is to encapsulate and encrypt outgoing traffic which forwards it through the VPN tunnel to the VPN gateway located at the distant end. The VPN gateway on the receiving side will remove the headers, decrypt the available content and then relay the packet to the target host in the private network. In this case, to backup security, the routers have some add-on cards to assist the router to encrypt data quickly. The Adaptive Security Appliances (ASA) also is configured to act as a VPN concentrator that supports many VPN tunnels (Bays et al, 2015).

From the diagram above a branch office located in a remote location connects to the corporate head office using a site-to-site VPN. The hosts in the remote branch office receive and send files from TCP/IP traffic through the VPN gateway. Further, the VPN gateway is responsible for routing the firewall appliance. In addition, the VPN gateway encrypts and encapsulates the outbound traffic from the office then transmits it over the internet through the VPN tunnel to the VPN gateway located at the distant end. Upon receipt, the branch VPN gateway strips the header then decrypts the message content before relaying the packet to the target client who is inside the private network. To establish such a Site to Site connection each side is required to have a device that has the software and hardware needed which understands the set of VPN protocols and security standards implemented in the network.

Remote Access VPN
Remote VPN is also referred to as the Virtual Private Dial−up Network (VPDN). Remote VPN is a user-to-LAN connection established to make it possible for employees at remote locations to connect to the company's private network (Salman, 2017). Companies wishing to set up large remote VPN connections provide an internet dial-up number and set up an internet dial-up account using the Internet Service provider (ISP) (Comer, 2015). The remote VPN uses third party service providers to secure and encrypt connections between the remote users and the organization's private network.

The remote access VPN caters to the mobile users, telecommuters, consumer to business traffic, and the extranet. Unlike the site to site VPN, the remote access VPN creation does not entail a static set up, but rather it allows for dynamic disabling and enabling where information can also be changed (Salman, 2017). The remote access VPN can further be described as a client/server architecture where a remote user is allowed access to an enterprise network securely through a VPN server device located at the network edge. To establish a connection, the VPN client software will need to be installed at the user's device. Security is ensured since data is sent over the internet to be encrypted, upon receipt the VPN gateway here removes the headers, decrypts the received content and finally relays the packets just like in a Site to Site VPN (Salman, 2017).

For example, in the diagram above, User 1 and User 2 both want to connect to the Head office intranet and access marketing files. To do so, the users must have a VPN application installed on their laptops. Additionally, they will dial up a number provided by the company. As this progress, the user will be prompted to enter their username and password. Only after the password and username match with the database record details that the user is allowed to access the intranet. Based on the user’s level he/she will only be allowed to access permitted files and perform the authorized functions. Assuming user 1 is only allowed to copy files from the system then he/she will not be able to alter or update these files. Further, if user 2 is allowed to update certain files he/she will have the capability to update but not to copy and so forth. All these transactions will happen over the internet through a VPN tunnel as demonstrated by the diagram. Further, to ensure secure transactions protocols such as IPSec can be implemented. In the case of IPSec, the remote access VPN client has the VPN software installed. When the client tries to transmit information, the client software encrypts and encapsulates the information prior to transmitting it over the public network to the VPN gateway located at the edge of the distant end.

VPN Technologies
VPNs use different technologies to keep their connections safe and secure. To ensure, data confidentiality, integrity and authentication various applications are used. VPN implementations use many different protocols namely; Internet Protocol Security (IPsec); Point-to-Point Tunneling Protocol (PPTP); Secure Socket Layer (SSL); Generic Routing Encapsulation (GRE) Protocol; Layer 2 Tunneling Protocol (L2TP); and Layer 2 Forwarding (L2F) Protocol (Computer-solutions.com, 2015). Among these protocols, IPsec and SSL provide data confidentiality, data integrity and authentication. However, one can combine two or three of the insecure protocols with one secure protocol. For example, GRE can be used with L2TP, IPsec and MPLS. Within most large organizations, IPSec is used since it caters to all the three security elements.

Data confidentially happens to be the most important service provided by VPNs. In the case of IPsec confidentiality is met by using comprehensive authentication models and stronger encryption techniques (Mano et al, 2017). The authentication models used transport mode and tunnel mode. The tunnel mode encrypts the payload and the header of the packet while the transport mode encrypts only the payload. In addition, devices under IPSec have a common key and share similar security policies. IPSec implements confidentiality through tunnelling. Mano et al (2017), defined tunnelling as a process that entails encapsulating the entire packet within another packet before sending it over the network. In the case of IPsec, tunnelling works by adding a header to the existing packets such that the source of the packet is hidden, thus hiding the identity of the device. While using tunnelling, the trusted receiver of the message is the only person who can determine the origin of the packet after stripping the added header further implementing integrity checks (Mano et al, 2017). For security of data it is important to encrypt information transmitted over the network, it is equally important to verify the originality of data. IPSec has a mechanism to verify that the encrypted packet, the headers and the data is not tampered with. More so, if tampering is detected then it is dropped to ensure that integrity is met. IPsec also authenticates the remote peers to make sure data comes from the intended source and is received by the trusted receiver (Mano et al, 2017).

Liyanage et al (2015), defines Point-to-Point Tunneling Protocol as an extension which utilizes compression, authentication and encryption mechanisms. PPTP uses dial-up remote access. Point-to-Point Tunneling Protocol is commonly used for single client to server connections. Considering that it permits only a single point to point connection for every session it is highly preferred. PPTP encapsulates point to point frames into datagrams then transmits them over the IP network (Liyanage et al,2015). While using the Point-to-Point Tunneling Protocol the firewall is set to permit IP protocol 47. PPTP can be used together with Generic Routing Encapsulation (GRE) in which case the firewall will be set to allow IP protocol 47 and TCP port 1723 (Liyanage et al,2015).

Layer 2 Forwarding (L2F) protocol is able to create a VPN by tunnelling data link layer frames in protocols such as Serial Line Internet Protocol (SLIP and Point-to-Point Protocol (PPP) (Han, Gopalakrishnan, Ji & Lee, 2015). In addition, L2F can be used on the server side for user authentication. For example, when L2F is used with PPP the point to point protocol to connect the network access server and the dial-up client. Normally under PPP, when a client initiates a connection it ends at the network access server located at the service provider of the PPP. However, when using L2F the connection is extended beyond the network access server to a node in a remote destination (Han, Gopalakrishnan, Ji & Lee, 2015). In this manner, the client connection can be connected directly to the remote node rather than the network access server. Further, when using L2F and PPP network access server function, it can be used to forward point to point frames to the remote gateway from the client.

Layer 2 Tunneling Protocol (L2TP) has replaced L2F since it is a vendor-neutral solution for tunnelling (Comer, 2015). Just like L2F, L2TP acts as an extension for the point to point protocol. Layer 2 Tunneling Protocol (L2TP) can be used over IPSec protocol as it provides security on the IPSec protocol over the Layer 2 tunnelling protocol. L2TP is commonly used for remote access VPNs (Comer, 2015). It is also used to provide dial-in connections between the remote office and the access point to users encrypted with IPSec.

Multiprotocol Label Switching (MPLS) protocol shapes the network traffic by sorting and prioritizing data packets. Normally, in a network, the routers have to perform an IP lookup on the routing table of packets to determine the destination. MPLS works within ingress mode within the router in a way that data packets can be labelled as they enter the network. Consequently, labelling data packets within the router is able to easily know the destination of the packets (Nanog.org, 2015).

Remote access VPNs can use the AAA mechanism which stands for Authentication, Authorization, and Accounting. Authentication is used to verify that only the authorized user uses the preconfigured VPN connection to access the company's resources (Chamberlain et al, 2017). Authentication is accomplished by the use of a username and password. These username and password can further be stored on the VPN terminal device or in the external AAA server. When a user requests to connect to the tunnel using the dial-up access the VPN device responds by prompting the user to enter their username and password (Chamberlain et al, 2017). Once the user enters the username and password, these details are sent to the external AAA server which checks the user's identity, what the user is allowed to access, and what the user is allowed to do. It then allows the user to access the system by only performing actions that they are allowed to do. The AAA mechanism is important in ensuring non-repudiation. Once a user is authenticated then he/she is responsible for all action taken as long as they are under his/her authorized tasks for allocated privileges (Chamberlain et al, 2017).

Site-to-Site VPNs can use Generic Routing Encapsulation (GRE) protocol as the encapsulation protocol. GRE entails information on the type of packet being encapsulated and the information about the client-server connection (Mano et al, 2017). On the other hand, remote access VPNs using tunnels takes place using point to point protocol (PPP). PPP is a part of the TCP/IP stack and is used to carry the IP protocols during communication between the remote system and the host over the network (Salman, 2017).

Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is a non-secure site to site VPN tunnelling protocol. Its main feature is that it can encapsulate many different types of protocol packets inside an IP tunnel (Liyanage et al,2015). GRE works over an IP network by establishing a virtual point to point link to remote points at Cisco routers.

GRE routing encapsulates many types of protocols within an IP tunnel. To do so, the GRE tunnel supports a header for the encapsulated carrier protocol such as GRE, the encapsulated passenger protocol such as IPv6 / IPv4, and the transport delivery protocol such as the IP (Liyanage et al,2015). The GRE makes it possible to expand the network across a single environment by connecting multiple protocols in a network into a single network.

To configure a GRE tunnel, one requires specifying the source and destination addresses of the tunnel. Further, one has to configure the IP connectivity along the tunnel. The first thing the network administrator should do is learn the IP addresses at the endpoints (Han, Gopalakrishnan, Ji & Lee, 2015). Secondly, the administrator should create an interface number where he/she will specify the IP addresses of the source and the destination (Han, Gopalakrishnan, Ji & Lee, 2015). Thirdly, the network administrator should configure the tunnel interface IP address. Lastly, the network administrator specifies the tunnel interface mode as GRE tunnel mode (Han, Gopalakrishnan, Ji & Lee, 2015). Also, the network administrator should test to ensure that the GRE tunnelling is working properly by pinging across the tunnel using the source and destination IP addresses of the tunnel.

IPSec VPN

IPSec is a protocol used to secure traffic on IP networks such as the internet. IPSec works by encrypting data between two devices. These devices could be two routers, a firewall and a router, and so forth. This makes the IPSec operate like an internet layer over the protocol suite. The IPSec works by creating a virtual tunnel that is used to connect two end-points. Once configured, peers can send packets over the network through the tunnel. All traffic within the VPN tunnel is encrypted which makes it secure considering that other public internet users cannot view communications (Salman, 2017). Additionally, when a computer is connected virtually it can view the entire network.

The IPSec is beneficial in that it provides data confidentiality by preventing possible eavesdropping. Furthermore, IPsec also ensures data integrity and authenticity is maintained through the AH and ESP such that only the senders and the receivers can view the data (Chamberlain et al, 2017). IPSec VPN provides an end to end data encryption. Most importantly, IPSec offers application transparency provided by the fact that IPSec operates in layer 3 and hence does not impact the network layer (Salman, 2017). Despite the advantages, IPSec faces some disadvantages. The first one is that using an IPSec VPN requires configuration and installation of a VPN client on all the terminals. Further, managing these terminals becomes a challenge since there is hardware and software installed on the client side. The IPSec has three main components namely; (1) Authentication Header (AH); (2) Encapsulating Security Payload (ESP); and (3) Internet Key Exchange (IKE) protocols.

Authentication Header (AH)

The IP authentication header ensures connectionless integrity is maintained, unauthorized retransmission of packets which may be caused by anti-play attacks are prevented, and the origin of data of IP datagrams is authenticated (Salman, 2017). AH can be used in two modes; (1) transport mode; (2) tunnel mode. Under the tunnel mode, the AH ensures every packet gets a new header but under the transport mode AH does not create new headers.

AH provides for authentication and integrity by placing the AH header between the transport layer and IP header. However, the Authentication header does not cater to confidentially since it does not encrypt the data which makes it prone to access and modification (Salman, 2017). Therefore, to be safe, the authentication header is implemented with the IP Encapsulating Security Payload (ESP). Using AH with ESP ensures that anti-replay attacks are prevented and the integrity and confidentiality are backed up.

Encapsulating Security Payload (ESP)

ESP provides integrity, confidentiality and authentication. It protects data from unauthorized access, modification and altering (Salman, 2017). Further, ESP protects the content of the messages by implementing encryption. Encryption works by translating a readable message into the unreadable message. Encrypted messages are later decrypted by the authorized receiver from the unreadable format to readable format. Similar to Authentication header, the ESP can be used on tunnel mode and transport mode. The ESP header is located before the IP payload data or the transport layer header (TCP/UDP) (Salman, 2017).

Internet Key Exchange (IKE)

In the IPSec protocol, the IKE is used to establish a security association (SA) through which keys are exchanged between parties to be able to transfer data (Salman, 2017). This requires the two computers to agree on how to securely exchange data by protecting it from unauthorized access. The two computers use the Internet Engineering Task Force (IETF) standard method presented on how to exchange keys using IKE. IKE, therefore, entails; providing a framework for managing security association which saves time; generating and managing the secret shared keys used to protect information access; and lastly, using keys to make sure that only the sender and receiver gain access to the message (Salman, 2017).

To ensure confidentiality, integrity and authentication, IPSec uses Internet Key Exchange (IKE) to establish secure remote access or Site to Site VPN tunnels. According to Comer (2015), IKE is a framework that is provided by Key management protocol and Internet Security Association to ensure data security. To use IKE a number of steps are involved. First, a secure bidirectional communication channel is created between IPSec peers. At this point features such as the encryption algorithms, authentication method, hashing algorithms and vendor-specific attributes are negotiated (Mano et al, 2017). Some of the encryption algorithms that are mainly used are; Data Encryption Standard (DES); Triple-DES; and Advanced Encryption Standard (AES). In addition, the hashing algorithms used include; Message digest algorithm 5 (MD5); and Secure Hash Algorithm (SHA) (Mano et al, 2017). In IPSec authentication is ensured by using pre-shared keys whereby the peers involved agreeing on the shared secret they will use by using Public Key Infrastructure (PKI) (Mano et al, 2017).

Next, the negotiation of IPSec Security Associations (SAs) takes place. Though the ISAKMP IPSec is protected by SA, the payloads are encrypted such that data transmitted over the tunnel is encrypted using two different protocols in IPSec (Mano et al, 2017). These protocols include Authentication Header (AH) and Encapsulation Security Payload (ESP). These two protocols can be used in transport mode or tunnel mode. The transport mode is used to authenticate and encrypt data packets from the different peers, whereas the tunnel mode is used to protect the entire IP packet. Further, the tunnel mode authenticates and encrypts these IP packets as they originate from the hosts (Mano et al, 2017).

SSL VPN
Internet of Things (IoT) SSL-based VPNs are the most widely used. The Secure Sockets Layer (SSL) virtual private network is a VPN used with web browsers. The SSL VPN is used to give secure connections to internet users. SSL is most popular for its ability to launch browsers such as Firefox, Internet Explorer, and Chrome used to connect to an address of a VPN device (Liyanage et al,2015). Further, SSL makes it possible for users to access portals, corporate intranets and emails from remote locations. According to Bays et al (2015), most people allow SSL over their firewalls by opening the TCP port 443. In addition, vendors such as CISCO provide devices that support lite-client and clientless SSL VPN. A client using SSL VPN allows remote users to enjoy the benefits of IPSec without having to install and configure IPSec VPN client on the computer, but rather authenticate the VPN device using SSL encryption present on the remote computer (Bays et al, 2015).

Therefore, unlike the IPSec VPN, SSL VPN does not require the installation of client software on the terminals (Comer, 2015). Some of the protocols used with SSL record protocol, alert protocol and the handshaking protocol. The handshaking protocol determines the conversation encryption parameters between the server and the client (Comer, 2015). The record protocol is tasked with the exchange of applied data (Comer, 2015). The alert protocol is responsible for terminating conversations between hosts in case of an error (Comer, 2015).

An SSL VPN works by having VPN devices connect to the internet using a web browser. The traffic between the SSL VPN device and the web browser is encrypted using the SSL protocol. SSL provides some very useful cryptographic features to ensure security. These features are integrity, confidentiality and digital signatures (Bays et al, 2015). In SSL the cryptographic functions used by the client and server to communicate are cipher suites unlike in IPsec where parties agree on the cryptographic functions to use. The SSL gateway uses the SSL server certificate which is signed by the CA to authenticate itself to a web user (Bays et al, 2015). This enables the user to verify that they are talking to the authentic server through the browser. In most cases, the SSL VPNs uses a digital signature that is self-signed. Further, the user is required to add an SSL server certificate to the list of trusted certificates to show that they agree to trust the certificate (Bays et al, 2015).

The SSL VPN has some significant benefits. To start with, SSL is supported by most modern web browsers and other web programs. Further, SSL VPN does not require software installation and configuration at the user's end which makes it easy to use. Finally, SSL is mobile allowing users to access the network using any web browser (Chamberlain et al, 2017). However, SSL has some challenges, as it operates at the application layer which limits access to browser accessible resources. In addition, SSL VPN is not supported by Linux and other non-Windows operating systems (Chamberlain et al, 2017).

Conclusion
In conclusion, we can deduce that it is possible to achieve data integrity, data confidentiality and authentication when using VPNs. One only needs to choose from the various protocols considering that not all of them offer the three elements of security. The most commonly used protocol is IPsec VPN that provides all the three security elements. In addition, SSL VPN is also used widely over the web since it is easy to set up. Other protocols such as GRE, L2TP, L2F, and PPTP would require combining two or more protocols to achieve the data integrity, data confidentiality and authentication. Further, from the discussion, it is evident that there are different types of VPNs. Therefore, to set up a VPN that will meet the intended needs at the budgeted cost will require an understanding of what VPN to set up. From the discussion, the two types of VPN discussed are a Site to Site connection that connects two or more remote sites to the main site and the remote access VPN that provide the framework for remote employees of a company to access company resources securely over the public network. To set up these VPNs it is important to establish the software and hardware required for your application. Therefore, we can conclude, it is possible to set up a beneficial and secure VPN by choosing the most appropriate type of VPN, protocols to use, and most cost effective for your company.

References
Bays, L. R., Oliveira, R. R., Barcellos, M. P., Gaspary, L. P., & Madeira, E. R. M. (2015). Virtual Network Security: Threats, Countermeasures, and Challenges. Journal of Internet Services and Applications, 6(1), 1.

Chamberlain, R. D., Chambers, M., Greenwalt, D., Steinbrueck, B., & Steinbrueck, T. (2018). Devices Can Be Secure and Easy to Install on the Internet of Things. In Integration, Interconnection, and Interoperability of IoT Systems (pp. 59-76). Springer, Cham.

Comer, D. (2015). Computer Networks and Internets. Pearson.

Computer-solutions.com. (2015). Features of a Secure VPN. Accessed on 6/27/2018 from www.orbit-computer-solutions.com/features-of-secure-vpn/.

Han, B., Gopalakrishnan, V., Ji, L., & Lee, S. (2015). Network Function Virtualization: Challenges And Opportunities For Innovations. IEEE Communications Magazine, 53(2), 90-97.

Liyanage, M., Okwuibe, J., Ylianttila, M., & Gurtov, A. (2015, June). Secure Virtual Private LAN Services: An Overview with Performance Evaluation. In Communication Workshop (ICCW), 2015 IEEE International Conference on (pp. 2231-2237). IEEE.

Mano, T., Inoue, T., Ikarashi, D., Hamada, K., Mizutani, K., & Akashi, O. (2016). Efficient Virtual Network Optimization across Multiple Domains Without Revealing Private Information. IEEE Transactions on Network and Service Management, 13(3), 477-488.

Nanog.org. (2015).MPLS for Dummies. Accessed on 6/27/2018 from www.nanog.org/meetings/nanog49/presentations/Sunday/mpls-nanog49.pdfnetworkworld.com.

Salman, F. A. (2017). Implementation of IPsec-VPN Tunneling using GNS3. Indonesian Journal of Electrical Engineering and Computer Science, 7(3), 855-860.\

�

�

Heading�

�

�

�

Text�

VPN Concentrator

Server

Server

Remote VPN enabled Router

Remote VPN enabled Router

Remote Branch

LAN

Remote Branch

LAN

Head office LAN

ISP

ISP

ISP

I

n

t

e

r

n

e

t

VPN Tunnel

V

P

N

T

u

n

n

e

l

�

�

�

�

�

Heading�

�

Text�

VPN Concentrator

Intranet web Server

User 1

User 2

DSL

Cable

ISP

Head office LAN

Internet

V

P

N

T

u

n

n

e

l

V

P

N

T

u

n

n

e

l