VPNs and Proxies
Table of Contents
Virtual Private Network
Businesses have lots of reasons to want to keep their network secure, and they do this by using some of the technologies we've already discussed firewalls, Nat, use of non routable address space, things like that. Organizations often have proprietary information that needs to remain secure. Network services that are only intended for employees to access and other things. One of the easiest ways to keep network secure is to use various securing technologies, so only devices physically connected to their local area network can access these resources. But employees aren't always in the office. They might be working from home or on a business trip, and they might still need access to these resources in order to get their work done. That's where VPNs come in.
Virtual private networks or VPNs are a technology that allows for the extension of a private or local network to host that might not work on that same local network.
VPNs come in many flavors and accomplish lots of different things. But the most common example of how VPNs are used is for employees to access their business's network when they're not in the office. VPNs are a tunneling protocol, which means they provision access to something not locally available. When establishing a VPN connection, you might also say that a VPN tunnel has been established. Let's go back to the example of an employee who needs to access company resources while not in the office. The employee could use a VPN client to establish a VPN tunnel to their company network. This would provision their computer with what's known as a virtual interface with an IP that matches the address space of the network they've established a VPN connection to. By sending data out of this virtual interface, the computer could access internal resources just like if it was physically connected to the private network.
Most VPNs work by using the payload section of the transport layer to carry an encrypted payload that actually contains an entire second set of packets. The network, the transport and the application layers of a packet intended to traverse the remote network.
Basically, this payload is carried to the VPNs end point where all the other layers are stripped away and discarded. Then the payload is unencrypted, leaving the VPN server with the top three layers of a new packet. This gets encapsulated with the proper data link layer information and sent out across the network. This process is completed in the inverse, in the opposite direction. VPNs usually requires strict authentication procedures in order to ensure that they can only be connected to by computers and users authorized to do so.In fact, VPNs were one of the first technologies where two-factor authentication became common.
Two-factor authentication is a technique where more than just a username and password are required to authenticate.
Usually a short lived numerical token is generated by the user through a specialized piece of hardware or software. VPNs can also be used to establish site to site connectivity. Conceptually, there isn't much difference between how this works compared to our remote employees situation. It's just that the router, or sometimes a specialized VPN device on one network establishes the VPN tunnel to the router or VPN device on another network.
This way two physically separated offices might be able to act as one network and access network resources across the tunnel. It's important to call out that, just like Nat, VPNs are a general technology concept, not a strictly defined protocol. There are lots of unique implementations of VPNs, and the details of how they all work can differ a ton. The most important takeaway is that VPNs are a technology that use encrypted tunnels to allow for a remote computer or network to act as if it's connected to a network that it's not actually physically connected to.
Proxy Services
Proxy
A proxy service is a server that acts on behalf of a client in order to access another service.
Proxies sit between clients and other servers, providing some additional benefit, anonymity, security, content filtering, increased performance, a couple other things. If any part of this sounds familiar, that's good. We've already covered some specific examples of proxies, like gateway routers. You don't hear them referred to this way, but a gateway definitely meets the definition of what a proxy is and how it works. The concept of a proxy is just that, a concept or an abstraction. It doesn't refer to any specific implementation. Proxies exist at almost every layer of our networking model. There are dozens and dozens of examples of proxies you might run into during your career, but we'll cover just a few of the most common ones here. Most often, you'll hear the term, proxy, used to refer to web proxies. As you might guess, these are proxies specifically built for web traffic.
A web proxy can serve lots of purposes. Many years ago, when most Internet connections were much slower than they are today, lots of organizations used web proxies for increased performance. Using a web proxy, an organization would direct all web traffic through it, allowing the proxy server itself to actually retrieve the webpage data from the Internet. It would then cache this data. This way, if someone else requested the same webpage, it could just return the cached data instead of having to retrieve the fresh copy every time. This kind of proxy is pretty old and you wont often find them in use today, why? Well, for one thing, most organizations now have connections fast enough that caching individual webpages doesn't provide much benefit. Also, the Web has become much more dynamic. Going to www.twitter.com is going to look different to every person with their own Twitter account, so caching this data wouldn't do much good.
A more common use of a web proxy today might be to prevent someone from accessing sites, like Twitter, entirely.
A company might decide that accessing Twitter during work hours reduces productivity. By using a web proxy, they can direct all web traffic to it, allow the proxy to inspect what data is being requested, and then allow or deny this request, depending on what site is being accessed. Another example of a proxy is a reverse proxy.
Reverse Proxy
A reverse proxy is a service that might appear to be a single server to external clients, but actually represents many servers living behind it.
- A good example of this is how lots of popular websites are architected today.
Very popular websites, like Twitter, receive so much traffic that there's no way a single web server could possibly handle all of it. A website that popular might need many, many web servers in order to keep up with processing all incoming requests. A reverse proxy, in this situation, could act as a single front-end for many web servers living behind it. From the clients' perspective, it looks like they're all connected to the same server. But behind the scenes, this reverse proxy server is actually distributing these incoming requests to lots of different physical servers. Much like the concept of DNS Round Robin, this is a form of load balancing.
- Another way that reverse proxies are commonly used by popular websites is to deal with decryption.
More than half of all traffic on the Web is now encrypted, and encrypting and decrypting data is a process that can take a lot of processing power. You'll learn a lot more about encryption and how it works in another course in this program. Reverse proxies are now implemented in order to use hardware built specifically for cryptography, to perform the encryption and decryption work. So that the web servers are free to just serve content. Proxies come in many other flavors, way too many for us to cover them all here. But the most important takeaway is that proxies are any server that act as a intermediary between a client and another server.
References:
https://www.coursera.org/learn/computer-networking/lecture/c9tV0/virtual-private-networks
https://www.coursera.org/learn/computer-networking/lecture/e5sGp/proxy-services
网友评论