VPNs – CompTIA Network+ N10-009 – 3.5

Virtual Private Networks allow us to communicate securely over public networks. In this video, you’ll learn about client-to-site VPNs, site-to-site VPNs, and clientless VPNs, and compare full VPN tunnels with split tunnels.


A VPN is a Virtual Private Network. That is a way of taking information that would normally be sent across a network in the clear and encrypting all of that data so that we’re then able to send it over a public network, such as the internet. If you’re using a VPN from your workstation, then you’re probably connecting to a VPN concentrator. This is a functionality that’s usually built into our modern firewalls that allows us to encrypt and decrypt information on that concentrator.

This means we can encrypt information, send it across that public network. And on the concentrator, we can decrypt that information and send it on its way. This might be a piece of hardware that is specifically designed for this encryption and decryption process. Or all of this may occur within software that we can install on an existing server.

VPN clients can be installed on many different operating systems. And some operating systems may include VPN clients built into the operating system itself. If you’re using a client-to-site VPN, then you would have software that’s installed onto the client workstation. And that client workstation would be communicating back to a central site.

For example, you could be using a laptop at a coffee shop. And you may want to enable this VPN functionality so that you can communicate securely to a concentrator that’s located on your corporate network. Sometimes this is software that you can manually enable or disable, depending on when you might want to use it. But some VPN software can be configured as an always-on connection. So when you turn on your laptop and log in, it has already created the VPN connection back to your corporate network.

So you would either start your VPN software and enable it manually, or that software would be automatically loaded. And as soon as you begin sending information across the network, all of that communication will be encrypted. When that encrypted data is received by your VPN concentrator, it decrypts that data and then sends all of that into your internal network. Whenever you’re sending information back to the laptop, it reverses this process, where it takes the information from the corporate network, encrypts it, sends it across the internet, and it will decrypt down at your laptop.

Another type of VPN connectivity is between different sites. This is a site-to-site VPN, where all of the communication between one site and another is encrypted over this VPN tunnel. This is something that’s commonly used as an always-on connection so that you can be assured that everything between those locations will always be encrypted.

This is usually built into an existing firewall. So you would turn on the VPN concentrator function on each firewall at each location. And you would have all of the data sent between these locations traverse this encrypted tunnel. Of course, the concentrators will be decrypting this data on either side of the connection. So the users at the different remote sites have no idea that this data is being encrypted between the two locations.

Instead of installing a separate piece of software just for this VPN connectivity, your organization may choose to use a clientless VPN that doesn’t require any specific VPN client. This is something that usually runs inside of a browser using HTML5, the Hypertext Markup Language version 5. The browser connects to the VPN gateway over HTTPS, so the TLS session between the browser and the gateway is the encrypted tunnel, and HTML5 gives the gateway a way to present internal applications, such as file shares or a remote desktop session, as web pages inside that session. HTML5 also exposes application programming interfaces to the page, including the Web Cryptography API, which a browser-based client can use for cryptographic operations such as key generation and signing. The transport encryption itself, though, comes from the browser’s own TLS implementation rather than from the API.

This means we don’t have to install any additional software. We just visit the gateway’s web page, authenticate, and the gateway proxies our access to the internal applications over that encrypted session. All you have to do is make sure you’re using an HTML5-compliant browser. One caveat to keep in mind is that, because the browser is the client, a clientless VPN only reaches the applications the gateway has been configured to publish. It does not give your workstation an address on the corporate network the way a client-to-site VPN does, so you won’t be able to reach arbitrary internal hosts from other programs on your machine.

The administrator of your VPN system may configure the connectivity in a number of different ways. One of these methods may be through the use of a full tunnel. A full VPN tunnel means that all traffic that’s being sent out of your machine is encrypted and sent through the VPN tunnel, and it is decrypted on the other side, where the concentrator is located. Your local machine doesn’t make any special forwarding decisions, where some traffic is sent through the tunnel and other traffic is not. Instead, everything is being sent over that VPN connection. The only exception is the encrypted traffic to the concentrator itself, which has to leave through your normal internet connection so that the tunnel can exist at all.

In some cases, though, the administrator of your VPN may configure a split tunnel. A split tunnel means that some traffic will be sent over the encrypted VPN. But other types of traffic, perhaps something that is not related to your corporate environment, is sent outside of the VPN connection.

So let’s take this scenario where we’re using a full-tunnel VPN. We are connected over this VPN connection to a VPN concentrator that’s at our corporate office. But we might also want to communicate with a web server on the internet that’s not part of our organization. So you might want to connect to my server at professormesser.com. Traffic that’s destined for your corporate network behaves as you would expect: it goes from the remote user’s workstation through the tunnel to the VPN concentrator, where it is decrypted and sent to the inside of your corporate network.

With a full tunnel, though, traffic to professormesser.com also has to traverse that VPN tunnel. It is decrypted at the concentrator, just like all of the other VPN traffic, but then is routed back out of the corporate network to the internet and to the external web server. Any communication back to the client has to take the same path in reverse: it arrives at the corporate network, goes to the concentrator, and is sent back through the VPN tunnel. This adds latency and consumes bandwidth at the corporate site, but it also means every byte the workstation sends passes through the corporate security controls, such as the firewall, proxy, and logging, which is often exactly why an administrator chooses a full tunnel.

With a split tunnel, we can avoid that additional routing that occurs when you’re talking to a third-party website. So now, at the remote user’s workstation, we effectively have two different paths. We have our VPN tunnel back to our corporate network. And then we would have a separate path that is used for other third-party traffic.

If we want to communicate with our corporate network, we would send that traffic through the VPN, as usual, to our VPN concentrator, which then decrypts the traffic and sends it to our corporate network. But if we also, at the same time, would like to communicate with professormesser.com, the remote user’s workstation simply sends that traffic as normal. In practice this is a routing decision: when the VPN client connects, it installs routes for the corporate address ranges that point into the tunnel, and everything that doesn’t match one of those routes follows the workstation’s ordinary default route directly to the third-party website without traversing the VPN tunnel.

And of course, the traffic back to our device would also not use that VPN connection. This means we can continue to have an encrypted and secure connection to our corporate network but use a more efficient process of communicating with third-party websites. The trade-off is that the third-party traffic is no longer seen by the corporate security controls, and the workstation is connected to the internet and to the corporate network at the same time, so a compromise of that workstation has a path into the corporate network. Organizations that allow split tunneling usually pair it with host-based controls on the endpoint and decide carefully which address ranges, and which DNS resolvers, are sent through the tunnel.
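The full-tunnel and split-tunnel behavior described above comes down to what routes the VPN client installs on the workstation. The following is an added example, not code from the original page, that builds a simplified route table for each mode and resolves destinations with longest-prefix matching, the same rule a real operating system uses. The concentrator address, the corporate prefixes, and the interface names eth0 and tun0 are assumptions chosen for illustration. It also shows the two details that are easy to miss: the host route to the concentrator must always bypass the tunnel, and a full tunnel is installed as two /1 routes so they win over the physical /0 default route without having to delete it (the approach OpenVPN's redirect-gateway def1 option takes).

```python
import ipaddress
from typing import List, Tuple

# Constructed example values (assumptions, not from the original page).
CONCENTRATOR = ipaddress.ip_address("203.0.113.10")   # VPN concentrator's public address (TEST-NET-3)
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]  # assumed internal address ranges

# A route is (destination prefix, outgoing interface).
Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(mode: str,
                 corporate_prefixes: List[str] = CORPORATE_PREFIXES,
                 concentrator: ipaddress.IPv4Address = CONCENTRATOR) -> List[Route]:
    """Return the route table a workstation would have with the VPN up in the given mode."""
    # The physical default route is always present; eth0 is the assumed uplink.
    routes: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]

    # The encrypted packets to the concentrator must leave via the physical
    # interface. Without this /32 a full tunnel would route them back into tun0.
    routes.append((ipaddress.ip_network(f"{concentrator}/32"), "eth0"))

    if mode == "full":
        # Two /1 routes cover all of IPv4 and are more specific than the /0
        # default, so every other destination goes into the tunnel.
        routes.append((ipaddress.ip_network("0.0.0.0/1"), "tun0"))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), "tun0"))
    elif mode == "split":
        # Only the corporate ranges are pushed into the tunnel; everything else
        # keeps matching the physical default route.
        for prefix in corporate_prefixes:
            routes.append((ipaddress.ip_network(prefix), "tun0"))
    else:
        raise ValueError(f"unknown tunnel mode: {mode}")
    return routes


def next_hop(routes: List[Route], destination: str) -> str:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1]


def classify(routes: List[Route], destinations: List[str]) -> dict:
    """Map each destination to 'tunnel' or 'direct' for the given route table."""
    return {d: ("tunnel" if next_hop(routes, d) == "tun0" else "direct")
            for d in destinations}


if __name__ == "__main__":
    sample = ["10.1.2.3", "172.20.0.5", "8.8.8.8", "203.0.113.10"]  # constructed destinations
    for mode in ("full", "split"):
        print(mode, classify(build_routes(mode), sample))
```

Running the block prints that in full mode every destination except the concentrator itself goes into the tunnel, while in split mode only the 10.0.0.0/8 and 172.16.0.0/12 destinations do. Comparing the two outputs is a quick way to verify, on a real client, that a split-tunnel policy sends only the intended ranges through the VPN and nothing else.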