VPN technology is generally used to connect the departments of an enterprise and share services between them over public networks. VPN users increasingly want to spend less time and effort on network maintenance and expect carriers to take on this task. Therefore, when designing a VPN, consider network operability and manageability first.
VPNs allow enterprises to seamlessly extend their network management from LANs to public networks, and even to clients and business partners. Even after delegating nonessential network management tasks to the carrier, enterprises still have many network management tasks to fulfill, so a complete VPN management system is necessary.
VPN management includes security management, equipment management, configuration management, access control list (ACL) management, and QoS management.
VPN management offers the following benefits:
Reduced network risks
After an intranet is extended over a public network using VPN technology, the intranet faces new security risks and monitoring challenges. VPN management helps guarantee the integrity of data resources on the intranet while allowing branches, clients, and business partners to access it.
Improved scalability
VPN management allows the network to adapt quickly to growing numbers of clients and partners, for example by upgrading network hardware and software, guaranteeing network quality, and maintaining security policies.
Controlled costs
VPN management helps control operation and maintenance expenses while ensuring that services can scale.
VPNs are established over public networks. Compared with traditional wide area networks (WANs) built on leased lines, VPNs give the enterprise less control over the underlying network. VPN management is therefore required to guarantee network stability and reliability.
VPN implementation is simple, convenient, and flexible, but it introduces network risks at the same time.
A traditional IP VPN faces serious risks, such as data interception (eavesdropping), data tampering, and access by unauthorized users. Extranet VPNs, which admit clients and partners from outside the enterprise, face even more serious risks.
The following solutions help to improve VPN security:
Tunneling and tunnel encryption
Tunneling uses multi-protocol encapsulation to enhance VPN flexibility and provide point-to-point logical channels over connectionless IP networks. Tunnel encryption protects data confidentiality, so that intercepted data cannot be read. Note that encryption alone does not prevent tampering: detecting modified packets is the job of data authentication, described next.
Data authentication
On an insecure network, such as the public network a VPN runs over, packets may be intercepted and tampered with, so the receiver may accept incorrect packets. Data authentication, typically a keyed message authentication code (MAC) or digital signature carried with each packet, lets the receiver verify the integrity and authenticity of received data.
User authentication
User authentication allows a VPN to permit access by authorized users and deny access by unauthorized users. Authentication, Authorization and Accounting (AAA)-capable routers can authenticate users, authorize them for specific resources, and generate access records. User authentication greatly improves the security of access VPNs and extranet VPNs.
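The following added example (not from the original page and not Huawei code) shows why the distinction between tunnel encryption and data authentication matters. It uses a toy counter-mode keystream built from SHA-256, a hypothetical packet, and demonstration keys; all three are constructed here for illustration. With encryption only, an attacker who knows the packet layout can flip bits in the ciphertext and the receiver decrypts a forged amount without noticing. With encrypt-then-MAC (HMAC-SHA256 over the nonce and ciphertext, verified in constant time before decryption), the same modification is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed sample packet carried through a VPN tunnel (not from the page).
PLAINTEXT = b"TRANSFER amount=00100 to=acct-7731"
# Hypothetical tunnel keys, derived here only for the demonstration.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-authentication-key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only; real tunnels
    use AES-GCM or AES-CBC with HMAC, as IPsec ESP does)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(plaintext: bytes, nonce: bytes) -> bytes:
    """Encryption without authentication: confidentiality only."""
    ks = keystream(ENC_KEY, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(ciphertext: bytes, nonce: bytes) -> bytes:
    return encrypt_only(ciphertext, nonce)  # XOR with the keystream is symmetric


def flip_bits(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker bit-flip: XOR (old ^ new) into the ciphertext at a known offset.
    No key is needed; this works against any unauthenticated stream-style cipher."""
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt_only(plaintext, nonce)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(packet: bytes):
    """Verify the tag before decrypting; return None if authentication fails."""
    nonce, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return decrypt_only(ct, nonce)


def demo() -> dict:
    nonce = secrets.token_bytes(16)
    offset = PLAINTEXT.index(b"00100")

    # 1. Encryption alone: the receiver decrypts a forged amount without noticing.
    ct = encrypt_only(PLAINTEXT, nonce)
    forged_ct = flip_bits(ct, offset, b"00100", b"99999")
    unauthenticated_result = decrypt_only(forged_ct, nonce)

    # 2. Encrypt-then-MAC: the same bit flip (ciphertext starts after the 16-byte
    #    nonce) breaks the tag and the packet is rejected.
    pkt = seal(PLAINTEXT, nonce)
    forged_pkt = flip_bits(pkt, 16 + offset, b"00100", b"99999")
    return {
        "unauthenticated_tampered": unauthenticated_result,
        "authenticated_genuine": open_sealed(pkt),
        "authenticated_tampered": open_sealed(forged_pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The receiver must check the tag before doing anything with the ciphertext and must compare tags with a constant-time function; a plain `==` on the tag would leak timing information that lets an attacker forge tags byte by byte.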
Firewalls and attack detection
Firewalls filter packets and prevent unauthorized access. Attack detection determines the validity of packets, applies security policies in real time, tears down unauthorized sessions, and logs unauthorized access attempts.
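As an added example (not from the page and not router code), the following Python evaluates a packet filter of the kind a firewall or ACL applies at the boundary between an extranet VPN and the intranet. The rules, addresses and packets are constructed for the illustration, and the evaluator assumes first-match semantics with an implicit deny for unmatched traffic, a common firewall convention; the default for unmatched packets varies by platform and must be checked on the actual device. It also shows the most common ACL mistake: a broad legacy permit placed above a partner-specific deny silently opens the intranet to the partner.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # protocol name or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dports: Optional[Tuple[int, int]] = None   # inclusive port range, None = any
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None:
            if pkt.dport is None or not (self.dports[0] <= pkt.dport <= self.dports[1]):
                return False
        return True


@dataclass
class Acl:
    rules: List[Rule]
    log_lines: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; anything unmatched is implicitly denied.
        Denies and rules flagged log=True produce an access record."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.log or rule.action == "deny":
                    self.log_lines.append(
                        f"rule {idx} {rule.action} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
                return rule.action
        self.log_lines.append(f"implicit deny {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
        return "deny"


# Constructed rule set (hypothetical addresses):
#   203.0.113.0/24  extranet partner, reachable only the HTTPS front end in 10.1.10.0/24
#   10.1.0.0/16     campus; the broad legacy permit below is deliberately too wide
PARTNER_APP = Rule("permit", "tcp", "203.0.113.0/24", "10.1.10.0/24", (443, 443), log=True)
PARTNER_DENY = Rule("deny", "any", "203.0.113.0/24", "10.0.0.0/8", log=True)
LEGACY_CAMPUS = Rule("permit", "any", "0.0.0.0/0", "10.1.0.0/16")

CORRECT_ORDER = [PARTNER_APP, PARTNER_DENY, LEGACY_CAMPUS]
MISORDERED = [LEGACY_CAMPUS, PARTNER_APP, PARTNER_DENY]

# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "10.1.10.5", "tcp", 443),   # partner to the extranet app
    Packet("203.0.113.10", "10.1.20.5", "tcp", 22),    # partner probing an internal host
    Packet("10.2.3.4", "10.1.20.5", "tcp", 22),        # branch admin to the same host
    Packet("198.51.100.7", "10.3.0.9", "tcp", 443),    # Internet host, matches nothing
]


def decide(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Return (decision per packet, log lines) for a rule order."""
    acl = Acl(list(rules))
    return [acl.evaluate(p) for p in packets], acl.log_lines


if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("misordered", MISORDERED)):
        decisions, logs = decide(rules, SAMPLE_PACKETS)
        print(name, decisions)
        for line in logs:
            print("  ", line)
```

In the correct order the partner's SSH probe hits the explicit deny and is logged; in the misordered set the same probe is permitted by the legacy rule and never appears in the logs, which is exactly the kind of silent gap that ACL management and attack detection are meant to catch.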
For more information about tunnel encryption, data authentication, user authentication, firewalls, and attack detection, see the HUAWEI NetEngine 8000 F Series Router Feature Description - Security.
MPLS VPNs are created on the basis of labels and forwarding tables on the network side. If the MPLS network is not connected to the Internet, the resources inside an MPLS VPN are isolated from outside access, so MPLS VPNs ensure data security to some extent. Note that this isolation is a separation of address spaces and forwarding tables, not encryption: traffic in the MPLS core is carried in cleartext, so anyone with access to the carrier's core links or PE devices can read it.
If an MPLS VPN needs to access the Internet, a channel through a firewall can be established to provide a secure connection for the VPN. Such an MPLS VPN is easy to manage because only one security policy is needed, at the Internet access point.
An MPLS VPN is a private network with the same security level as a Frame Relay (FR) network: the separation relies on the carrier, not on cryptography. User devices generally do not need to be configured with Internet Protocol Security (IPsec) or tunnels, and data transmission delay is low because packets are not additionally encapsulated or encrypted. A mesh VPN is easy to create when no tunnel configuration is required. If confidentiality across the carrier network is required, however, IPsec can still be run over the MPLS VPN, at the cost of the encapsulation and encryption overhead.
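To make the cleartext point concrete, the following added example (not from the page and not Huawei code) builds and parses an MPLS L3VPN packet as it would appear on a core link: a two-entry label stack (transport label, then VPN label with the bottom-of-stack bit set, in the RFC 3032 layout) followed by an ordinary IPv4 packet. The label values, addresses and payload are constructed for the illustration. Anyone who can capture the frame recovers the customer addresses and payload with nothing more than this parser, which is why an MPLS VPN protects against outsiders but not against an observer inside the carrier network.

```python
import ipaddress
import struct
from typing import Dict, List

# Constructed sample values (hypothetical, not from the page).
TRANSPORT_LABEL = 16001           # LDP/SR label towards the egress PE
VPN_LABEL = 24005                 # label the egress PE uses to pick the customer VRF
SAMPLE_SRC = "10.1.1.10"          # customer site A host
SAMPLE_DST = "10.2.2.20"          # customer site B host
SAMPLE_PAYLOAD = b"PATIENT-ID 5532 LAB RESULT POSITIVE"

IPV4_HDR = "!BBHHHBBH4s4s"        # 20-byte IPv4 header without options


def encode_label(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 62, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame() -> bytes:
    """What a core link carries: transport label, VPN label, then the cleartext IPv4 packet."""
    return (encode_label(TRANSPORT_LABEL, 0, False, 64)
            + encode_label(VPN_LABEL, 0, True, 64)
            + build_ipv4(SAMPLE_SRC, SAMPLE_DST, 17, SAMPLE_PAYLOAD))


def parse_mpls_frame(frame: bytes) -> Dict:
    """Walk the label stack to the bottom-of-stack entry, then decode the IPv4 packet."""
    labels: List[Dict] = []
    off = 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack runs past end of frame")
        (entry,) = struct.unpack_from("!I", frame, off)
        off += 4
        labels.append({"label": entry >> 12, "tc": (entry >> 9) & 0x7,
                       "bos": bool((entry >> 8) & 0x1), "ttl": entry & 0xFF})
        if labels[-1]["bos"]:
            break
    if (frame[off] >> 4) != 4:
        raise ValueError("payload after label stack is not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    header = frame[off:off + ihl]
    fields = struct.unpack(IPV4_HDR, header[:20])
    total_len = fields[2]
    payload = frame[off + ihl:off + total_len]
    return {
        "labels": labels,
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
        "proto": fields[6],
        "checksum_ok": ipv4_checksum(header) == 0,
        "payload": payload,
    }


if __name__ == "__main__":
    parsed = parse_mpls_frame(build_frame())
    print("label stack:", [(l["label"], l["bos"]) for l in parsed["labels"]])
    print(f"{parsed['src']} -> {parsed['dst']} proto {parsed['proto']}: {parsed['payload']!r}")
```

The parser stops at the first entry with the bottom-of-stack bit set and then reads the IPv4 header as-is; had the customer run IPsec ESP over the VPN, the same position would hold an ESP header and the payload bytes would be unreadable to the core observer.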