May 17, 2024

VPN & Remote Working - Computerphile



Published June 2, 2023, 9:20 p.m. by Monica Louis


As we move towards a remote working culture, Dr Steve Bagley remotely connects to explain what a VPN is and how it works.

https://www.facebook.com/computerphile

https://twitter.com/computer_phile

This video was filmed by Dr Steve Bagley and Sean Riley and edited by Sean Riley.

Computer Science at the University of Nottingham: https://bit.ly/nottscomputer

Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com


Oh, hello.

Hello, yes, I can see you.

So, uh, it's going to be a bit obvious already, but Steve, apart from the fact that you've frozen and turned into a load of garbled mess, suggesting I might need to turn the video off, what are we talking about today?

It's a bit of a different type of day. As you can see, I'm not at the university; I'm working from home like most people in the world. So we're going to record a Computerphile: Sean is at home in his house, we're socially distancing, I'm at my house, I've got my camera out, I'm sitting in my dining room, and we're going to talk about working from home.

One of the things that I've been doing over the last week is using software like Microsoft Teams to communicate with my students and things. Everything now at the University of Nottingham is being done online, and I thought it'd be interesting to spend a few Computerphiles talking about the technology that people are using to work from home. We'll do a series of videos on these sorts of things while we're all locked down, and we'll explore some in sort of overview and others will go down into the details of some of the nitty-gritty stuff. I thought the first one to start with would be to look at what people are using to connect to their work networks, which is virtual private networks.

There are two uses of VPNs: there's the sort of use that people use at home, perhaps, and there's the sort of use that people use in the business world, where they're trying to connect to their corporate network so they can use resources that exist on that corporate network. It's that latter view that we're going to talk about today. The technology you use to do both, from using it at home to sort of protect your traffic if you're on a hostile network, to when you're in the business world, is the same, but the emphasis is slightly different. We're going to talk about it from the business-world emphasis because of the current situation. I think the place to start is to think about how people use their computers and networks in a business, and then we can extrapolate from that the problem that we need to solve with a virtual private network, and then how the technology works from that.

So I'm going to draw a little diagram. I don't have any computer listing paper here, but I have the next best thing: I have my iPad with computer listing paper on it, and we'll draw on that, and hopefully the screen capture will work and you'll be able to see what I'm doing.

Let's have a think about what a typical corporate network would be. We would have some computers that people would use, and these would sort of be networked together. Let's just have a couple; it would be a small office, and they're all connected to a single network. Alongside that there might be servers that you'd use, so there might be, for example, a file server which contains some secret information (we'll call this the files), and we might have a database which has got some information on. On a normal corporate network you can access that quite easily: the machines can send packets out over the network to the file server and access it, and things are generally secure. You may have some permissions set up so only the right people can access the right services and so on. But these days that network is going to be connected via some sort of router to the internet (if I can draw a cloud picture, that will be the internet), and so those machines can also access the internet via the router, and the router can act as a firewall so that people can't get into it from the outside. That all works absolutely fine.

The problem comes if we have a person sitting out in a cafe or working from home who wants to access those same resources. We need to provide access to those resources without making them insecure. Now, some of these you could secure and put directly out on the web; there's no problem doing that. But some of them may be devices that you don't want accessible out on the wide internet. What we want to be able to do is to have the person who's sitting here on the outside be able to access them as if they were directly connected to that network. But of course they're not in the physical premises, so we can't just run a cable to them.

So how do we get around this? Well, what you could do at one point was you could buy a dedicated connection from your telecoms company, and they would run a wire from your business premises to, say, the person's home, and you could connect them down where you'd have a direct cable that ran across the whole thing. The other thing you could do is use a dial-up modem, and the person would ring over the telephone network and connect to it that way; you'd have remote access by that. But that requires specific resources: it requires a dial-up modem, it requires a direct connection being put into place. What would be great is if someone could just sit on the internet and access those resources from wherever they are, but with the same level of access as if they had a physical connection to the network. And this is what a virtual private network is trying to solve.

How does that work? Well, we need to think about how the computer is actually communicating over the local network, and then we can extrapolate out from that to see how the data gets sent over a virtual private network. So let me bring up a new sheet of virtual paper. This is an interesting experience, doing a Computerphile this way; it's very different from doing it with Sean in the room.

So let's think about it. We've got a machine on the local network and we've got a file server, so it's trying to access files through that. Now, in the way that modern networks work, particularly IP networks, we take the data we're trying to send and we break it down into a series of chunks, which we call packets, and we send a series of chunks out over the network. But those chunks don't go as pure data over the network. We need to sort of wrap them up so that when they get to the other end they can be sort of unwrapped and put back together in the right order, because depending on how the network's configured, depending on how complicated the network is, they may take different routes to get to the point. So there are various things. Generally you would have the data in a packet, and then on top of that we put a series of headers that tell us things. So on a standard network these days you'd have a TCP header there that would tell it the order that these packets need to go in, and then you'd have an IP header put in front of that which would tell it where it's going and where it's come from. And then these days the local network will almost certainly be Ethernet, and that whole lot will be put inside an Ethernet packet, and so we'll have an Ethernet header at the top. Then that can be sent either directly to the machine that wants it, or to a machine that can pass it on to the machine that wants it, over the company's local network. So that's how we send data over the local network.

But we can actually do the same thing if we had a direct connection. Rather than having the machine put it directly on the local network, we'd have another machine which was connected to the local network and connected to the direct connection, and it would give an IP address to the remote machine. Remember, this is a physical direct connection, either by a dial-up modem link or a physical leased line from the telecoms company. And then it wouldn't put the Ethernet header on the front of that there, so the Ethernet header would disappear, but it would wrap it up in some other form of header. So the usual one that was used on these lines was a PPP, a Point-to-Point Protocol, packet header. Same thing: we take the data, wrap it up in the TCP header, wrap it up in an IP header, and then send it out using PPP over the direct connection between the two machines. So that's how we can do it there. But what if we want to do this with someone who's just sitting on the internet?

Well, we can do basically a very similar thing. We give the remote machine an IP address as if it was on our network, but rather than sending that packet directly to the machines over the internet, what it does is it takes that wrapped-up IP packet and it wraps the whole lot up as another packet. So it has a UDP header here (that's another way things communicate over the internet, and there's a reason why it uses UDP over TCP, which we might cover in a later video), and then that gets wrapped up as another IP packet. But this time, rather than saying where it goes on the local network, this is going from the remote machine's address on the internet to a gateway server that's running at the company. So that then gets sent over the internet to the right machine, to the gateway server, and then the header can be removed, the UDP header, to leave the original IP packet that was sent by the machine. And the same thing can happen in reverse.

But there's a couple of issues. One: we're sending data out over the internet, so we need to make sure that that data is protected from being altered as someone is sending it, and also that someone can't read the secret information that might be in that data. And we can do that using cryptography. We can use hashing to hash the data that's in there and then say whether it's been changed or not, so we can sign that hash in the same way that Mike's talked about in other videos, and we can also use cryptography to encrypt the data so that it can't be snooped on as it travels over the internet. So that's relatively straightforward. That gives us the private part, and we get the virtual part because we're sending it over the internet over a virtual link that we've created just using a standard internet connection.

You have to set up your corporate network so that it knows that IP packets going to this particular IP address need to go out over a virtual private network link, and so we can send it out over there. And also you need to make sure that the remote machine is sending packets that are going to that machine over the virtual network, and so on. There are actually two ways you can get the remote machine to send packets. You can either, um, just send the ones that are going to that network there and let everything else go out over the internet, and that works fine. You get good browsing speed, but you might also be using services on the internet that you don't want people to know about. If you're working, you might be accessing resources that could compromise your business integrity, and so on. And so you can also set it up (and this is what people use at home if they're using a VPN to protect their connection) so that all your traffic is sent over the virtual private network, and then it appears as if it's leaving from the business network where it's coming out of, with their IP addresses, even though actually the machine is in a different location. And so the data is encrypted and sent over that to the destination and then sent on from there as if you were connected to that network. And so it's not proxied; it's literally as if your machine is connected to that network.

Of course, the problem you have here is, if you're sending all your data out over the virtual private network, you need to make sure that the virtual private network traffic itself isn't sent out over the virtual private network, otherwise it wouldn't get there. And the operating system can usually take care of this, because the connection to the virtual private network is created before you start sending data over the virtual private network, so it can still track where it needs to route that information over the internet.

The only other thing you need is some way to authenticate who the person using the network is, and this is usually done when you start up the connection. So whereas with a normal network connection these days, if you connect to Wi-Fi or you connect to Ethernet you're immediately connected to the network (there may be some access controls there to, um, say whether you can actually use it and send things anywhere, but the technology immediately connects you), with a virtual private network you have to set that connection up. You need to set up that virtual connection with the server at the company end, and the client at the remote end is configuring the details so that they know where the IP address is, where to send those wrapped-up packets back over the network.

I understand what's being achieved there, but does this run into any problems at all?

Obviously it's blockable: you could see the VPN traffic going over and you can just sort of stop those packets being sent, and so on. Um, you shouldn't, if the encryption's good, and actually setting up all the encryption, making sure it's right, is quite difficult. There are a lot of sort of commercial home-use VPNs where actually, if you're not careful, it can be set up so it's virtually not encrypted at all. The other thing to say from that point of view is that it's still possible to see what people are doing, even if they can't see actually the data they're transferring. I mean, certain activities that you might do over the internet have specific patterns that data is transferred in, and so you can infer from the way the packets over the VPN are going what's actually happening there. So it's not a true hidden thing; you could still see some things. For example, the difference between a sort of video conferencing call like this and a web page: you'd be able to say "looks like they're video conferencing", "looks like they're sort of on a web page". You wouldn't have full detail, but you could sort of infer that from the way the traffic is sort of being transferred, and things.

The other thing is, of course, from a more practical point of view, it will add latency to your connection, because you've got to send the packet to the VPN server and then out to its destination. Um, it'll add latency, although depending on how bad the network is where you are, that might actually be faster, because if your business has got a faster connection that might be a more direct route than you going directly, if you follow. And of course, because each packet has to be slightly smaller to fit the extra headers in there, then you will run slightly slower than the maximum speed you could transfer, but that's marginally less. So there are swings and roundabouts. A direct connection and so on is always going to be faster, but this gives you a lot of peace of mind. It means you can have access as if you were sitting on your corporate network.
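The tunnel Steve sketches above, worked through as an added example written for this page (it is not code from Computerphile or from any VPN product): an inner IP packet for the office network is encrypted and integrity-protected, wrapped in UDP and an outer IP header addressed to the company gateway, then verified and unwrapped at the other end; the client's split versus full tunnel routing decision is modelled too, including the rule that the gateway's own address never goes into the tunnel. The addresses (10.20.0.0/16 corporate network, 10.20.7.42 assigned to the remote machine, 203.0.113.17 for the home connection, 198.51.100.10 for the gateway), UDP port 1194, SMB port 445 and the keys are all constructed; the HMAC-SHA256 counter-mode cipher is a stand-in chosen so the block runs with only the Python standard library, where a real VPN would use an AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Toy model of a VPN tunnel: inner IP packet -> encrypt + MAC -> UDP -> outer IP
to the gateway, plus the client's routing rule. Constructed example, not a real VPN."""
import hashlib
import hmac
import ipaddress
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32
TUNNEL_PORT = 1194  # assumed UDP port for the tunnel; any agreed port would do


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options. Checksum left zero: this model
    never hands packets to a real network stack."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_header(sport, dport, seq):
    """Minimal 20-byte TCP header: data offset 5 words, ACK flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)


def build_inner_packet(client_vpn_ip, server_ip, data):
    """The packet the client would put on the office LAN (data, TCP, IP; no
    Ethernet header, as on the PPP link). Port 445 assumed for the file server."""
    segment = tcp_header(50000, 445, 1) + data
    return ipv4_header(client_vpn_ip, server_ip, 6, len(segment)) + segment


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF: a stand-in for a real cipher (AES-GCM,
    # ChaCha20-Poly1305), used only so this example needs no third-party library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(enc_key, mac_key, plaintext, nonce=None):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any alteration
    in transit is detected before anything is decrypted."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key, mac_key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated tunnel payload")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: packet altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encapsulate(inner, enc_key, mac_key, client_public_ip, gateway_ip):
    """Client side: inner IP packet -> protected blob -> UDP -> outer IP to the gateway."""
    blob = protect(enc_key, mac_key, inner)
    return (ipv4_header(client_public_ip, gateway_ip, 17, 8 + len(blob))
            + udp_header(TUNNEL_PORT, TUNNEL_PORT, len(blob)) + blob)


def decapsulate(outer, enc_key, mac_key):
    """Gateway side: strip outer IP (20) and UDP (8), verify, recover the inner packet."""
    return unprotect(enc_key, mac_key, outer[28:])


def route(dst_ip, mode, corp_net, gateway_ip):
    """Client routing decision. The gateway is always reached directly, otherwise
    the tunnel's own packets would be fed back into the tunnel. 'split' tunnels
    only the corporate prefix; 'full' tunnels everything else."""
    if mode not in ("split", "full"):
        raise ValueError("mode must be 'split' or 'full'")
    dst = ipaddress.IPv4Address(dst_ip)
    if dst == ipaddress.IPv4Address(gateway_ip):
        return "direct"
    if mode == "full" or dst in ipaddress.IPv4Network(corp_net):
        return "tunnel"
    return "direct"


def observer_view(outer):
    """What an on-path observer (cafe Wi-Fi, ISP) sees: endpoints, protocol, size.
    Contents are ciphertext, but sizes and timing remain visible to traffic analysis."""
    return {"src": str(ipaddress.IPv4Address(outer[12:16])),
            "dst": str(ipaddress.IPv4Address(outer[16:20])),
            "proto": outer[9], "length": len(outer)}


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # in practice derived at authenticated session setup
    inner = build_inner_packet("10.20.7.42", "10.20.0.5", b"read \\\\files\\secret.txt")
    outer = encapsulate(inner, enc_key, mac_key, "203.0.113.17", "198.51.100.10")
    print("observer sees:", observer_view(outer))
    print("gateway recovered original packet:", decapsulate(outer, enc_key, mac_key) == inner)
    for d in ("10.20.0.5", "198.51.100.10", "93.184.216.34"):
        print(d, "split ->", route(d, "split", "10.20.0.0/16", "198.51.100.10"),
              "| full ->", route(d, "full", "10.20.0.0/16", "198.51.100.10"))
```

Running it prints what an on-path observer gets (two public addresses, UDP, and a length 72 bytes larger than the inner packet, which is the header overhead Steve mentions) and confirms that the gateway recovers the original packet byte for byte. Flipping any byte of the nonce or ciphertext, or using the wrong MAC key, makes `decapsulate` raise instead of returning garbage; the `route` output shows that even in full-tunnel mode the gateway's own address is still sent directly.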

