Virtual private network
==Security mechanisms==
Whenever a VPN is intended to virtually extend a private network over a third-party untrusted medium, it is desirable that the chosen protocols match the following security model:
* [[Information security#Confidentiality|confidentiality]] to prevent disclosure of private information or [[Packet analyzer|data sniffing]], such that even if the network traffic is sniffed at the packet level (see network sniffer or [[deep packet inspection]]), an attacker would see only [[Encryption|encrypted data]], not the raw data
* message [[Data integrity|integrity]] to detect and reject any instance of tampering with transmitted messages: [[Network packet|data packets]] are secured by [[Tamperproofing|tamper proofing]] via a [[message authentication code]] (MAC), so that a message which has been altered or [[Tamper-evident technology|tampered]] with is rejected because the MAC no longer matches the altered data packet

VPNs are not intended to make connecting users anonymous or unidentifiable from the perspective of the untrusted medium's network provider. If the VPN uses protocols that provide these confidentiality features, their use can increase user [[privacy]] by making the owner of the untrusted medium unable to access the private data exchanged across the VPN.

===Authentication===
In order to prevent unauthorized users from accessing the VPN, most protocols can be implemented in ways that also enable [[authentication]] of connecting parties. This secures the confidentiality, integrity and availability of the joined remote network. Tunnel endpoints can be authenticated in various ways during VPN access initiation. Authentication can happen immediately on VPN initiation (e.g. by simple whitelisting of the endpoint IP address), or only later, after the tunnel is already active (e.g. with a [[Captive portal|web captive portal]]).
Remote-access VPNs, which are typically user-initiated, may use [[passwords]], [[biometrics]], [[two-factor authentication]], or other [[cryptographic]] methods. People initiating this kind of VPN from unknown, arbitrary network locations are also called "road warriors". In such cases, it is not possible to use properties of the originating network (e.g. IP addresses) as secure authentication factors, and stronger methods are needed. Site-to-site VPNs often use passwords ([[Pre-shared key|pre-shared keys]]) or [[digital certificates]]. Depending on the VPN protocol, they may store the key so that the VPN tunnel can be established automatically, without intervention from the administrator.
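The message-integrity rule of the security model above (a packet whose MAC no longer matches is rejected) is illustrated by the following added example, which is not part of the article and does not reproduce any particular VPN protocol. It assumes a shared HMAC-SHA256 key and a constructed packet layout of sequence number, payload and tag; a real tunnel additionally encrypts the payload (encrypt-then-MAC or an AEAD cipher), which is omitted here.

```python
import hmac
import hashlib
import os
import struct

TAG_LEN = 32               # HMAC-SHA256 output size in bytes
HDR = struct.Struct("!Q")  # 64-bit sequence number, network byte order


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a tunnel packet: seq || payload || MAC(seq || payload).

    The MAC covers the sequence number as well as the payload, so neither
    can be modified or reordered without invalidating the tag.
    """
    body = HDR.pack(seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(key: bytes, packet: bytes, last_seq: int):
    """Check a packet; return (seq, payload) or None if it must be rejected.

    Rejected: truncated packets, a wrong MAC (any altered byte), and
    sequence numbers not greater than the last accepted one (replay).
    """
    if len(packet) < HDR.size + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    (seq,) = HDR.unpack_from(body)
    if seq <= last_seq:
        return None
    return seq, body[HDR.size:]


def demo() -> dict:
    """Constructed scenario: one genuine packet and three that must fail."""
    key = os.urandom(32)  # constructed shared key (a VPN derives it in its key exchange)
    good = protect(key, 1, b"GET /private HTTP/1.1")
    tampered = bytearray(good)
    tampered[HDR.size] ^= 0x01  # flip one bit of the payload in transit
    return {
        "genuine": verify(key, good, 0) is not None,
        "tampered": verify(key, bytes(tampered), 0) is not None,
        "replayed": verify(key, good, 1) is not None,       # seq 1 already seen
        "wrong_key": verify(os.urandom(32), good, 0) is not None,
    }
```

Only the genuine packet is accepted; the single flipped bit, the replay and the foreign key all fail the tag or sequence check and the packet is dropped.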