Security Service Taxonomy for VPNs
For VPNs, the tunnel endpoints are where authentication and access-control decisions are made, and where security services are negotiated and rendered. The choices of these tunnel endpoints and the rationale behind them are thus crucial to the design of a VPN solution. In practice, there are three possible kinds of security service endpoint locations:
The endpoint can be at the end host itself, where the data originates or terminates.
The endpoint can be at the corporate local area network (LAN) gateway device, where traffic has been aggregated.
The endpoint can be located outside the corporate network, within the ISP's infrastructure at its point of presence (POP), sometimes referred to as "in the cloud."
Because a VPN tunnel has two endpoints, six types of security models can be derived from the possible combinations of the different locations (see Figure 1): End-to-End, End-to-LAN, End-to-POP, LAN-to-LAN, LAN-to-POP, and POP-to-POP.
Figure 1 Six tunneling models for VPNs.
In the End-to-End model, the tunnel goes from one end system to the other. Therefore, security service is negotiated and rendered at the source and destination of the communication. This scenario presents the highest level of security because data travels protected over every segment of the network, whether public or private. However, as the total number of end systems rises, it becomes more difficult to manage the ever larger number of security associations, credentials, and policies these end systems require, unless the security service has only local significance and each end host is independent of the others. This security model is most often seen in higher-layer implementations, as is the case with, for example, the Secure Sockets Layer (SSL, today standardized as TLS). Such higher-layer implementations are generally not considered tunneling.
In the End-to-LAN model, the tunnel starts from an end system and terminates at the perimeter of the LAN on which the destination host resides. A VPN device located at the network perimeter is responsible for negotiating and rendering the security service on behalf of the end systems behind it. In this way, the security of a large number of devices on the corporate network can be managed at a single point, making it much easier to scale. Because the corporate network itself is considered more secure, there is usually no problem for the data to travel in the clear while within the corporate LAN. Note that this is a trust assumption about the internal network, not a property of the VPN: the final hop from the gateway to the destination host lies outside the tunnel. Most remote-access VPNs are implemented in this model.
The tunnel in the End-to-POP model starts from a host and terminates at the service provider's network POP. A VPN device, or VPN functions available in an ISP's POP device, is responsible for negotiating and rendering the security service on behalf of the destination end system, because the POP is the means by which the destination end system accesses the Internet. Data delivery from the POP to the destination end system is outside the tunnel and must be secured either through the provider's physical access infrastructure or through a separate secure tunnel. The POP is an even larger traffic aggregation point than the corporate LAN. In addition, this approach may avoid the need to deploy VPN devices or functionality on the customer premises; that is, the corporate network. Remote-access VPNs can also use this model.
With the LAN-to-LAN model, both hosts use VPN devices situated at the corporate network perimeter to negotiate and render security services. In this way, no security functions need to be implemented on the end systems, where data is generated and received. The implementation of security services is completely transparent to them. This approach can drastically reduce the complexity of managing security policies, at the cost that traffic is in the clear on both corporate LANs, the same trust assumption the End-to-LAN model makes on the destination side. Site-to-site intranet VPNs fit this model.
In the LAN-to-POP case, the tunnel starts at a VPN device located at the customer network perimeter and terminates at a VPN device or a VPN function associated with a device at the ISP's POP. This model can be used either alone or in conjunction with another LAN-to-POP or End-to-POP model. As a result of combining the models, the data travels through more than one secure tunnel from its source to the destination. Currently, there is no good example of a VPN scenario that applies to this model.
Finally, with the POP-to-POP model, both VPN devices are located within the ISP's network. Therefore, the security service is completely transparent to the customer, whose hosts and gateways need no VPN function at all. The access links between each customer site and its POP lie outside the tunnel, however, and must be trusted or protected separately. This model, also known as a network-based model, allows the service provider to provide value-added services easily without altering the customers' network infrastructures. This scheme can also be used in conjunction with the other POP-based security models.
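The practical difference between the six models is which segments of the source-to-destination path carry traffic in the clear, and whose infrastructure those segments belong to. The following Python script, an added illustration rather than part of the original text, makes that explicit: it models the path as six nodes (host, LAN gateway and POP on each side) joined by five segments, derives the six model names from the endpoint kinds exactly as in the combinatorial argument above, and reports the uncovered segments for any set of tunnels, including the chained LAN-to-POP / POP-to-POP combinations. The node names, zone labels, and the assumption that the provider's access link and the corporate LAN are the only non-Internet zones are my own simplifications.

```python
"""Segment-coverage model of the six VPN tunneling models.

Assumed topology (an added simplification, not from the text): six nodes on
the path from source host to destination host, joined by five segments.
"""
from itertools import combinations_with_replacement

# Path positions 0..5.  0 and 5 are end hosts, 1 and 4 are the corporate LAN
# perimeter gateways, 2 and 3 are the ISP points of presence.
NODES = ["src_host", "src_gw", "src_pop", "dst_pop", "dst_gw", "dst_host"]
KIND = {0: "End", 1: "LAN", 2: "POP", 3: "POP", 4: "LAN", 5: "End"}
RANK = {"End": 0, "LAN": 1, "POP": 2}

# Segment i joins NODES[i] and NODES[i + 1].  ZONE[i] says who carries the
# bits on that segment (assumed labels): the corporate LAN, the provider's
# access infrastructure, or the public Internet between the two POPs.
SEGMENTS = [(NODES[i], NODES[i + 1]) for i in range(5)]
ZONE = ["corporate_lan", "isp_access", "internet", "isp_access", "corporate_lan"]


def model_name(start, end):
    """Name the tunneling model for a tunnel between two path positions.

    Orientation is irrelevant (gateway-to-host is still End-to-LAN), so the
    two endpoint kinds are ordered End < LAN < POP before naming.
    """
    if start == end:
        raise ValueError("a tunnel needs two distinct endpoints")
    a, b = sorted((KIND[start], KIND[end]), key=RANK.get)
    return f"{a}-to-{b}"


def all_models():
    """The six models: unordered pairs of the three endpoint kinds, with
    repetition, which is why End-to-End, LAN-to-LAN and POP-to-POP appear."""
    kinds = ["End", "LAN", "POP"]
    return [f"{a}-to-{b}" for a, b in combinations_with_replacement(kinds, 2)]


def _covered(tunnels):
    """Indices of segments protected by at least one tunnel.

    A tunnel between positions s and e protects segments min(s,e)..max(s,e)-1.
    """
    covered = set()
    for start, end in tunnels:
        lo, hi = sorted((start, end))
        covered.update(range(lo, hi))
    return covered


def cleartext_segments(tunnels):
    """Segments left in the clear by the given list of (start, end) tunnels."""
    covered = _covered(tunnels)
    return [SEGMENTS[i] for i in range(5) if i not in covered]


def exposure(tunnels):
    """Cleartext segments grouped by zone.

    corporate_lan exposure is the deliberate trust assumption of the LAN-based
    models; isp_access exposure must be covered by the provider's physical
    infrastructure or a separate tunnel; internet exposure is simply a gap.
    """
    covered = _covered(tunnels)
    report = {"corporate_lan": [], "isp_access": [], "internet": []}
    for i, seg in enumerate(SEGMENTS):
        if i not in covered:
            report[ZONE[i]].append(seg)
    return report


if __name__ == "__main__":
    scenarios = {
        "remote access, End-to-LAN": [(0, 4)],
        "remote access, End-to-POP": [(0, 3)],
        "site-to-site, LAN-to-LAN": [(1, 4)],
        "chained LAN-to-POP + POP-to-POP + POP-to-LAN": [(1, 2), (2, 3), (3, 4)],
        "network-based, POP-to-POP only": [(2, 3)],
    }
    for label, tunnels in scenarios.items():
        names = [model_name(s, e) for s, e in tunnels]
        print(f"{label}: {names}")
        for zone, segs in exposure(tunnels).items():
            print(f"  cleartext in {zone}: {segs}")
```

Running the script shows that the chained LAN-to-POP / POP-to-POP / POP-to-LAN combination leaves exactly the same segments in the clear as a single LAN-to-LAN tunnel, which is the point of combining the POP-based models, while POP-to-POP alone also exposes both access links to the provider's infrastructure.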
Of the six tunneling models, the End-to-LAN and LAN-to-LAN models are being used extensively today to provide customer premises equipment (CPE)-based VPN solutions. However, the POP-to-POP or network-based security model is attracting increasing attention because of its ability to allow the ISP to provide various value-added services. RFC 2764, "A Framework for IP Based Virtual Private Networks," provides a good overview of the various tunneling technologies that can be used in a network-based VPN model. It also presents some essential requirements of the tunneling protocols.