A Survey on the Implementation and Management of Secure Virtual Private Networks (VPNs) and Virtual LANs (VLANs) in Static and Mobile Scenarios
Abstract
:1. Introduction
- (a)
- Cost effectiveness (cost of infrastructure is lower, and the appropriate choice of the implementation phase allows one to choose the best solution at the lowest sustainable cost);
- (b)
- Simplicity (the technology is very mature and does not require esoteric skills);
- (c)
- Safety (the technology is based on open standards and is mostly universally safe).
- (a)
- An extensive literature review is given, providing the reader with insight into the key contributions in the area of VPN and VLAN implementations in static and dynamic networks;
- (b)
- Several details about the protocols and signaling used in VPN/VLAN systems are given, providing the reader with detailed information about security management in the considered scenario;
- (c)
- Mobility issues are addressed, and some solutions (such as available software tools) are described in detail and suggested for some mobile environments;
- (d)
- Some command lines are also described, providing the reader with instructions on how to address some VPN security issues.
2. Virtual Private Networks in Static and Dynamic Networks
2.1. Classical VPN Solutions for Static Networks
- (a)
- Layer 2 Tunneling Protocol (L2TP)/IPsec [7] is a built-in solution for all modern operating systems and VPN-capable devices. L2TP protocol uses UDP port 1701 and IPsec ports 500 and 4500 for NAT purposes. It requires an advanced configuration (port forwarding) when using a firewall (this is in contrast to SSL, which can use the TCP port 443 to make it indistinguishable from normal HTTPS traffic). On the other hand, IPsec encryption is considered very safe, using an algorithm such as AES, and it is considered a “de facto” standard, although data is encapsulated twice and therefore it is slightly slower than an SSL;
- (b)
- OpenVPN is a very recent open-source technology that uses the Open Secure Sockets Layer (OpenSSL) [9] and SSLv3/TLSv1 [10] library protocols (TLS stands for Transport Layer Security), provided by the OpenVPN company (6200 Stoneridge Mall Road, Pleasanton, CA 94588, USA). It is able to provide a strong and reliable VPN solution. It is highly configurable, it can be set to run on any port, including TCP 443; its default transport protocol is UDP, with port 1194. Using port TCP 443 makes its traffic undistinguishable from the HTTPS traffic, and therefore, it is extremely difficult to block. Another advantage of OpenVPN is that the OpenSSL library provides several encryption algorithms (such as AES, Blowfish, 3DES, CAST-128, etc.) [11]. The speed of execution of an OpenVPN connection depends on the used coding level, but it is generally faster than IPsec;
- (c)
- Secure Socket Tunneling Protocol (SSTP) [12] was introduced by Microsoft (Redmond, WA, USA) in Windows Vista SP1 and, although it is now available for any Linux (a California Public Benefit Corporation) platform, it is still largely a single Windows platform. SSTP uses SSL v3, and it works like OpenVPN (it has also the ability to use TCP port 443 to avoid problems with NAT firewall). It is integrated into Windows and it might be considered easier to use and more stable;
- (d)
- Point-to-Point Tunneling Protocol (PPTP) [13] is a Microsoft product for the creation of VPN-based dial-up networks; for a long while it has been the standard protocol for private corporate networks. It is a VPN protocol based on different authentication methods, able to ensure security, e.g., Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) v2. By changing MS-CHAP-v2 with Protected Extensible Authentication Protocol (PEAP) the security level of PPTP increases, although it is recommended to use L2TP/IPsec [8] or Secure Socket Tunneling Protocol (SSTP) [12]. PPTP offers an integrated client for almost all platforms, including smartphones. Its implementation requires a very low computational overhead and it is very easy to set up, enabling fast data management;
- (e)
- Internet Key Exchange version 2 (IKEv2) is an IPSec-based [14] tunneling protocol developed by Microsoft and Cisco (San Jose, CA, USA), installed by default in Windows 7 and above. It is not a real VPN protocol at all, but a control protocol for IPSec key exchange, supported by Blackberry (Waterloo, ON, Canada) devices. It can be independently developed and implemented as open source in Linux, BSD and other proprietary OSes. IKEv2 provides the automatic re-establishing of a VPN connection when users temporarily loses their Internet connections; in addition it supports Mobility and Multi-homing protocols [17]. This feature is great for mobile phone users who, for example, connect their smart phones to a WiFi network, but then switch to mobile data connection, based on the best signal or WiFi availability. IKEv2 is faster than PPTP, SSTP and L2TP, as it does not involve the overhead associated with Point-to-Point protocols (PPP). It is very stable and secure (supporting AES 128, AES 192, AES 256 and 3DES ciphers) and easy to setup on the client side, although not yet supported on many platforms.
2.2. Possible Solutions When Dealing with Mobility in VPNs
3. The Virtual LAN Segmentation in Static and Dynamic Networks
- (1)
- Port-based VLAN (or Trunked VLAN): inside a switch, each network participant is directed to a port. Ports are also used to connect the switches together. If two VLANs should be obtained from a single physical network, the related ports are assigned to the desired virtual network. The configuration through different switches is also possible when the port-based VLAN installation is implemented on small networks and is carried out within a single switch. Thus, for example, ports one to three on the first switch and port one on the second switch can be connected together to a single VLAN. To do this, the two switches must be connected to each other with two cables, providing a connection for each VLAN. Network administrators set up and assign ports to their respective VLANs. In this case, the VLAN is defined as static. If VLANs need to be configured differently, the ports need to be redistributed when configuring the switch. Furthermore, each port (and therefore, each device connected to it) belongs only to a single VLAN. This type of connection is called “trunking”, and switches have one or more ports designed for this purpose. It is independent from the PHY layer; it does not matter whether copper or fiber optic cables or a wireless connection are used;
- (2)
- Frame-based VLAN (or Tagged VLAN): in this case, the assignment to the VLAN is more dynamic, in the sense that it is guaranteed by a tag in the packet frame, which replaces the permanent setting in the switch. The tag contains the information that indicates which VLAN the frame belongs to. Each switch recognizes in which segment the communication takes place, and on the basis of this, forwards the message. Each VLAN has its own number. Tagged VLANs can also be implemented directly on network cards (Linux, for example, supports the standard by default). The frame structure follows the IEEE 802.1Q standard [27], which is the most used (other solutions also exist, as the Cisco Inter-Switch Link Protocol (ISL) [28], able to encapsulate the full data frame to enable multiple VLANs).
- (1)
- Tagged VLANs protocol: IEEE802.1Q is the standard reference for VLANs [29], in particular for the tagged ones. It is a Layer-2 encapsulation protocol, which allows for logical separation of different traffic flows, as if they follow distinct physical paths. The IEEE802.1Q does not encapsulate the original frame, but adds 4 bytes to the header (Figure 3). The first 2 bytes regard the TPID protocol identifier tag (it is set to 0 × 8100, which indicates that the frame is in IEEE 802.1Q format). The next 2 bytes regard the Tag for Control Information TCI (also called VLAN Tag). The TCI is divided as follows: 3 bits for the Priority Code Point (PCP), used to indicate a priority level for the frame, 1 bit for the Drop Eligible Indicator (DEI), indicating the ability to skip the frame in case of congestion, 12 bits for the VLAN ID (VID), indicating the ID of the VLANs (up to 4096, but only 4094 are really available, because the IDs 0 and 4095 are reserved). The rest of the Ethernet frame remains as the original. Obviously, since the header is changed (hence the frame is changed), the 802.1Q encapsulation mechanism requires the recalculation of the FCS field in the Ethernet trailer.
- (2)
- Trunked VLANs protocol: The VLAN Trunking Protocol (VTP) [30,31] is a Cisco proprietary Layer-2 protocol, which allows management of VLAN information, making it available to all switches on the network. The protocol requires the existence of a VTP server: when a VLAN is created or modified, the information is distributed to all the switches of the VTP domain, starting from the server, using the VTP announcements. The VTP advertising operation consists of invitation update messages on the management VLAN (default VLAN1). This is the reason why all trunk connections between switches must be configured to allow traffic to VLAN1. To find out which is the most recent configuration, the VTP information is presented with a revision number, the VTP Configuration Revision Number (CRN), increased by one with each modification of the VLANs. There are, basically, three types of message:
- (a)
- Summary announcements: the switches send them every 5 min or as soon as there is a change in the VLAN database; these messages contain the VTP domain name and the VTP CRN. If a VLAN is added, deleted, or modified, the server increments the revision number and sends a summary update. If a switch receives an update containing a different VTP domain name than its own, the VTP information is simply ignored. If the name matches, then the revision number is checked—if this is higher than the one in possession, an advertisement request is sent;
- (b)
- Advertising requests: VTP clients use these messages to request information about VLANs. The update requests immediately after a switch reboot, a change of the VTP domain name, or new revision numbers;
- (c)
- Sub-advertisements: as soon as a server, following changes on the VLANs, increases the revision number and sends an update summary, it follows up some “subset” messages containing information on the individual VLANs. If there are multiple VLANs, multiple subset messages are created;
- (a)
- Server: this is the default mode in which VLANs can be created, removed and modified, as well as the ability to set the VTP version. Server switches are then synchronized with the other switches of the VTP domain through the trunk connections, every 5 min or immediately on the basis of a new event.
- (b)
- Client: this is the mode allowing all changes to the VLAN database to be received. The switch can forward received updates, but cannot make changes to the VTP database information. However, if the information forwarded has a higher “Revision Number” than the one present on the clients and servers, it will be modified locally, i.e., the local VLAN database will be updated.
- (c)
- Transparent: in this mode the switch does not participate in any VTP domain; however, it carries out the forwarding of VTP information to trunk ports, thus avoiding interruptions in the exchange of information between client and server.
4. Practical Mobility Management in Modern Scenarios
4.1. Dealing with Mobility via VPN Applications
4.2. Possible Issues and Solutions When Dealing with Mobility in VLANs
- (a)
- Initializing: the IP address is acquired after a set of message exchanges (discover message from client C to broadcast B, offer message from server S to C, unicast request message from C to S and the acknowledgement from S to C);
- (b)
- Renewing: in this state, a message is sent by the client (if it is still present in the network) to the server, asking for the extension (in time) of the lease; it is a periodical message (the period is equal to the half of the lease time);
- (c)
- Releasing: this state occurs if the client sends a clear release message to the server (because it wants to leave the network) or if the periodical renew message has not been sent.
5. Real Security Implementations for VPNs and VLANs
5.1. Security Issues and Countermeasures in VLANs
S# configure terminal S(config)# username admin privilege 15 secret P4$$w0rd_! S(config)# line console 0 S(config-line)# login local S(config-line)# password P4$$w0rd_! S(config-line)# exec-timeout 60 0 |
S(config)# line vty 0 15 S(config-line)# password P4$$w0rd_! S(config-line)# login local S(config-line)# exec-timeout 60 0 S(config-line)# transport preferred ssh S(config-line)# access-class 115 in S(config)# access-list 115 remark Inbound Limitations S(config)# access-list 115 permit ip host 1.2.3.4 any S(config)# access-list 115 permit ip 192.168.100.0 0.0.0.255 any |
S(config)# interface fastethernet0/24 S(config-if)# switchport trunk allowed vlan remove 1,2,3,4,5 S(config-if)# switchport access vlan 24 |
S(config)# interface fastethernet0/24 S(config-if)# no cdp enable S(config-if)# no udld port |
C(config)# vtp domain VTPdomain C(config)# vtp password P4$$w0rd_! secret C(config)# vtp mode server C(config)# vtp version 2 C(config)# vtp pruning E(config)# vtp domain VTPdomain E(config)# vtp password P4$$w0rd_! secret E(config)# vtp mode client E(config)# vtp version 2 E(config)# vtp pruning |
C(config)# access-list 100 remark Allow DNS C(config)# access-list 100 permit udp 192.168.240.0 0.0.0.255 host 192.168.240.1 eq 53 C(config)# access-list 100 deny ip 192.168.240.0 0.0.0.255 192.168.240.0 0.0.0.255 log C(config)# access-list 100 permit ip 192.168.240.0 0.0.0.255 any C(config)# interface vlan 24 C(config-if)# ip access-group 100 in |
5.2. Security Issues and Countermeasures in VPNs
5.2.1. IDSs, IPSs and Intrusion Detection and Prevention Systems (IDPSs)
- (a)
- Network-Based IDPSs (NB-IDPSs): these monitor traffic, with particular regard to the application and network layers. Typically they are installed on the edge of the network topology (before firewalls and gateways) or on the extreme limits of the DeMilitarized Zones (DMZs);
- (b)
- Wireless IDPSs: these are dedicated to monitoring only wireless traffic, with particular attention paid to the networking protocols;
- (c)
- Network Behavior Analysis IDPSs (NBA-IDPSs): these examine packets to identify threats that generate suspicious traffic uncommon for a network, such as attempted Distributed Denial of Service (DDoS). They are also often used to monitor internal traffic on the same network, or to give access to external third parties;
- (d)
- Host-Based IDPSs (HB-IDPSs): these are dedicated to monitoring everything that happens within the single host to which they belong: they are typically a server, reachable from outside the network, or a client of public access. They monitor data ranging from processes running on the machine, the file access, system logs, etc.
- (a)
- Signature-based: a comparison of the signatures managed by the network and the transiting packets is carried out. This technology is very effective in identifying known threats that have static attack patterns, but they are almost useless against unknown threats;
- (b)
- Statistical anomaly-based detection: this technology is based on maintaining a vision of the statistical data related to normal network flows, and providing warning situations when the given parameters deviate from their standard values. Obviously the initial statistics about “normal activity” require a preliminary study of the network in order to determine which are the normal values;
- (c)
- Stateful protocol analysis: in this case, network flows are analyzed, comparing them with specific profiles (e.g., a user having accesses to an FTP server, without having obtained the authentication privileges yet). This type of analysis is very sophisticated but, at the same time, it is very difficult and complex because profiles need to be created for each protocol, covering all possible use cases, with a high computational cost.
5.2.2. Integration of IDSs and IPSs with VPNs
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- De Rango, F.; Lentini, D.C.; Marano, S. Static and dynamic 4-way handshake solutions to avoid denial of service attack in Wi-Fi protected access and IEEE 802.11i. EURASIP J. Wirel. Commun. Netw. 2006, 2006, 047453. [Google Scholar] [CrossRef] [Green Version]
- De Rango, F.; Marano, S. Trust-based SAODV protocol with intrusion detection and incentive cooperation in MANET. In Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly, Leipzig, Germany, 21–24 June 2009; pp. 1443–1448. [Google Scholar]
- Jahan, S.; Rahman, M.S.; Saha, S. Application specific tunneling protocol selection for Virtual Private Networks. In Proceedings of the International Conference on Networking Systems and Security (NSysS), Dhaka, Bangladesh, 5–8 January 2017. [Google Scholar]
- Lupia, A.; de Rango, F. Evaluation of the Energy Consumption Introduced by a Trust Management Scheme on Mobile Ad-hoc Networks. J. Netw. 2015, 10, 240–251. [Google Scholar] [CrossRef]
- De la Cruz, J.E.C.; Goyzueta, C.A.R.; Cahuana, C.D. Open VProxy: Low Cost Squid Proxy Based Teleworking Environment with OpenVPN Encrypted Tunnels to Provide Confidentiality, Integrity and Availability. In Proceedings of the IEEE Engineering International Research Conference (EIRCON), Lima, Peru, 21–23 October 2020. [Google Scholar]
- Duddu, S.; Sai, A.R.; Sowjanya, L.S.; Rao, G.R.; Siddabattula, K.S. Secure Socket Layer Stripping Attack Using Address Resolution Protocol Spoofing. In Proceedings of the 4th International Conference on Intelligent Computing and Control Systems (ICICCS), Madurai, India, 13–15 May 2020. [Google Scholar]
- Floissac, N.; L’Hyver, Y. From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks on Key Expansion. In Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, Milan, Italy, 17 September 2011. [Google Scholar]
- Luo, J.; Ji, Q. Password Acquisition and Traffic Decryption Based on L2TP/IPSec. In Proceedings of the IEEE 20th International Conference on Communication Technology (ICCT), Nanning, China, 28–31 October 2020. [Google Scholar]
- Gui-hong, L.; Hua, Z.; Gui-zhi, L. Building a Secure Web Server Based on OpenSSL and Apache. In Proceedings of the International Conference on E-Business and E-Government, Guangzhou, China, 7–9 May 2010. [Google Scholar]
- Rhee, M.Y. Transport Layer Security: SSLv3 and TLSv1. In Wiley Wireless Mobile Internet Security; Book Chapter; Wiley: New York, NY, USA, 2013. [Google Scholar]
- Semwal, P.; Sharma, M.K. Comparative study of different cryptographic algorithms for data security in cloud computing. In Proceedings of the 3rd International Conference on Advances in Computing, Communication & Automation (ICACCA), Dehradun, India, 15–16 September 2017. [Google Scholar]
- Kim, Y.-J.; Kolesnikov, V.; Kim, H.; Thottan, M. SSTP: A scalable and secure transport protocol for smart grid data collection. In Proceedings of the IEEE International Conference on Smart Grid Communications (SmartGridComm), Brussels, Belgium, 17–20 October 2011. [Google Scholar]
- Jones, J.; Wimmer, H.; Haddad, R.J. PPTP VPN: An Analysis of the Effects of a DDoS Attack. In Proceedings of the IEEE SoutheastCon, Huntsville, AL, USA, 11–14 April 2019. [Google Scholar]
- Kent, S.; Seo, K.; Network Working Group. Request for Comments: 4301. 2005. Available online: https://www.rfc-editor.org/rfc/pdfrfc/rfc4301.txt.pdf (accessed on 18 May 2021).
- Socievole, A.; Caputo, A.; de Rango, F.; Fazio, P. Routing in mobile opportunistic social networks with selfish nodes. Wirel. Commun. Mob. Comput. 2019, 2019, 6359806. [Google Scholar] [CrossRef] [Green Version]
- Socievole, A.; de Rango, F.; Caputo, A. Wireless contacts, Facebook friendships and interests: Analysis of a multi-layer social network in an academic environment. In Proceedings of the 2014 IFIP Wireless Days (WD), Rio de Janeiro, Brazil, 12–14 November 2014; pp. 1–7. [Google Scholar]
- Karbasioun, M.M.; Berenjkub, M.; Taji, B. Securing mobile IP communications using MOBIKE protocol. In Proceedings of the IEEE International Conference on Telecommunications, St. Petersburg, Russia, 16–19 June 2008. [Google Scholar]
- Goff, T.; Moronski, J.; Phatak, D.S.; Gupta, V. Freeze-TCP: A true end-to-end TCP enhancement mechanism for mobile environments. In Proceedings of the IEEE INFOCOM Annual Joint Conference of the IEEE Computer and Communications Societies, Tel Aviv, Israel, 26–30 March 2000; Volume 3, pp. 1537–1545. [Google Scholar]
- Alshalan, A.; Pisharody, S.; Huang, D. MobiVPN: A Mobile VPN Providing Persistency to Applications. In Proceedings of the International Conference on Computing, Networking and Communications, Wireless Networks, Kauai, HI, USA, 15–18 February 2016. [Google Scholar]
- A VPN for a New Era, Sectra Communications. Available online: https://communications.sectra.com/product/secure-mobile-vpn-up-to-restricted/ (accessed on 13 May 2021).
- Columbitech App for Iphone. Available online: https://apps.apple.com/it/app/columbitech-mobile-vpn/id1046769589 (accessed on 14 April 2021).
- Dong, L.; Kang, X.; Song, J. A WTLS-based virtual private network for wireless intrusion prevention. In Proceedings of the International Conference on Computer Application and System Modeling (ICCASM), Taiyuan, China, 22–24 October 2010; Volume 3. [Google Scholar]
- Zúquete, A.; Frade, C. Fast vpn mobility across wi-fi hotspots. In Proceedings of the IEEE Security and Communication Networks (IWSCN), 2nd International Workshop on, Karlstad, Sweden, 26–28 May 2010; pp. 1–7. [Google Scholar]
- Schonwalder, J.; Chulkov, G.; Asgarov, E.; Cretu, M. Session resumption for the secure shell protocol. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, Long Island, NY, USA, 1–5 June 2009; pp. 157–163. [Google Scholar]
- Chen, T.-C.; Chen, J.C.; Liu, Z.H. Secure Network Mobility (SeNEMO) for Real-Time Applications. In Proceedings of the IEEE Transactions on Mobile Computing, Abu Dhabi, United Arab Emirates, 10 October 2011; Volume 10, pp. 1113–1130. [Google Scholar]
- Ernst, T.; Tj, K. Network Mobility Working Group, IETF. Available online: https://datatracker.ietf.org/wg/nemo/about/ (accessed on 18 May 2021).
- Xinzhan, L.; Chuanqing, C. Discuss on VLAN Stacking in Packet Network. In Proceedings of the International Symposium on Intelligent Ubiquitous Computing and Education, Chengdu, China, 15–16 May 2009. [Google Scholar]
- CISCO ISL Protocol for LAN Switching. Available online: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/8758-43.html (accessed on 18 May 2021).
- IEEE 802.1Q-2018—IEEE Standard for Local and Metropolitan Area Networks—Bridges and Bridged Networks. Available online: https://standards.ieee.org/standard/802_1Q-2018.html (accessed on 25 May 2021).
- Verma, R.O.; Shriramwar, S.S. Effective VTP Model for Enterprise VLAN Security. In Proceedings of the International Conference on Communication Systems and Network Technologies, Gwalior, India, 6–8 April 2013. [Google Scholar]
- Understanding VLAN Trunking Protocol, Cisco. Available online: https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html?dtid=osscdc000283 (accessed on 19 May 2021).
- WireGuard. Available online: https://www.wireguard.com/ (accessed on 22 May 2021).
- Lipp, B.; Blanchet, B.; Bhargavan, K. A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), Stockholm, Sweden, 17–19 June 2019. [Google Scholar]
- Kossingou, G.M.S.; Dégboé, B.M.; Ouya, S.; Mendy, G. Mutualisation of ICT laboratory resources between West and Central African universities in post-crisis situations: The case of Senegal and the Central African Republic. In Proceedings of the Sixth International Conference on e-Learning (econf), Sakheer, Bahrain, 6–7 December 2020. [Google Scholar]
- Haga, S.; Esmaeily, A.; Kralevska, K.; Gligoroski, D. 5G Network Slice Isolation with WireGuard and Open Source MANO: A VPNaaS Proof-of-Concept. In Proceedings of the IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Leganes, Spain, 9–12 November 2020. [Google Scholar]
- Donenfeld, J.A. WireGuard: Next Generation Kernel Network Tunnel. NDSS. 2017. Available online: https://www.wireguard.com/papers/wireguard.pdf (accessed on 26 May 2021).
- Trevor Perrin, Noise Protocol Framework. Available online: http://www.noiseprotocol.org/ (accessed on 27 May 2021).
- Palazzi, C.E.; Brunati, M.; Roccetti, M. An OpenWRT solution for future wireless homes. In Proceedings of the IEEE International Conference on Multimedia and Expo, Singapore, 19–23 July 2010. [Google Scholar]
- OpenWrt, a Writable Filesystem with Package Management. Available online: https://openwrt.org/ (accessed on 24 May 2021).
- Silva, C.R.M.; Silva, F.A.C.M. An IoT Gateway for Modbus and MQTT Integration. In Proceedings of the SBMO/IEEE MTT-S International Microwave and Optoelectronics Conference (IMOC), Aveiro, Portugal, 10–14 November 2019. [Google Scholar]
- Message Queue Telemetry Transport (MQTT), the standard for IoT messaging. Available online: https://mqtt.org (accessed on 30 April 2021).
- de Rango, F.; Potrino, G.; Tropea, M.; Fazio, P. Energy-aware dynamic Internet of Things security system based on Elliptic Curve Cryptography and Message Queue Telemetry Transport protocol for mitigating Replay attacks. Pervasive Mob. Comput. 2020, 61, 101105. [Google Scholar] [CrossRef]
- Guirado, R.; Padró, J.C.; Zoroa, A.; Olivert, J.; Bukva, A.; Cavestany, P. StratoTrans: Unmanned Aerial System (UAS) 4G Communication Framework Applied on the Monitoring of Road Traffic and Linear Infrastructure. Drones 2021, 5, 10. [Google Scholar] [CrossRef]
- de Rango, F.; Tropea, M.; Fazio, P.; Marano, S. Overview on VoIP: Subjective and objective measurement methods. Int. J. Comput. Sci. Netw. Secur. 2006, 6, 140–153. [Google Scholar]
- Álvares, P.; Silva, L.; Magaia, N. Blockchain-Based Solutions for UAV-Assisted Connected Vehicle Networks in Smart Cities: A Review, Open Issues, and Future Perspectives. Telecom 2021, 2, 108–140. [Google Scholar] [CrossRef]
- Miao, C.; Wang, J.; Ji, T.; Wang, H.; Xu, C.; Li, F.; Ren, F. BDAC: A Behavior-aware Dynamic Adaptive Configuration on DHCP in Wireless LANs. In Proceedings of the IEEE 27th International Conference on Network Protocols (ICNP), Chicago, IL, USA, 7–10 October 2019. [Google Scholar]
- Patrick, M. DHCP Relay Agent Information Option; 2001; Available online: https://www.rfc-editor.org/info/rfc3046 (accessed on 26 May 2021).
- Malatesta, L. Articoli e Configurazioni. Available online: https://www.malatesta.biz/ (accessed on 26 May 2021).
- Progetto Cogito. Available online: https://www.icar.cnr.it/progetti/cogito-sistema-dinamico-e-cognitivo-per-consentire-agli-edifici-di-apprendere-ed-adattarsi/ (accessed on 20 May 2021).
- Distretto Domus Cosenza. Available online: https://www.gruppotim.it/it/archivio-stampa/mercato/2016/TIM-Distretto-Domus-Cosenza-14Dicembre2016.html (accessed on 19 May 2021).
- Progetto Res Novae. Available online: https://www.cueim.org/progetti/res-novae-reti-edifici-strade-nuovi-obiettivi-virtuosi-per-lambiente-e-lenergia-smart-city/ (accessed on 23 May 2021).
- Fosić, I.; Žagar, D. VPN network protection by IDS system implementation. In Proceedings of the 34th International Conven-tion MIPRO, Opatija, Croatia, 23–27 May 2011. [Google Scholar]
- Dong, L.; Yu, S.; Xia, T.; Liao, R. WBIPS: A Lightweight WTLS-Based Intrusion Prevention Scheme. In Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing, Shanghai, China, 21–25 September 2007. [Google Scholar]
VLANs | VPNs |
---|---|
Purely a level two construct | They operate from level one to level three |
Used to group multiple computers that are not usually located within the same geographic areas in the same broadcast domain. | Create a smaller subnet on a larger existing network than the VLAN. |
They can separate computers in a larger local network into smaller networks for each office or department | Used for secure data transmission between two separate entities (point-to-point case) |
They can shield the data so that it does not behave as if it is on the same network even if it is on the same switch. | Create a virtual tunnel for secure data transmission over the Internet. |
They allow the grouping of devices scattered across multiple physical locations into a single transmission domain. | Provide encryption and anonymization. |
They can be intended as a subcategory of VPNs. | They increase the overall efficiency of a network distributed over multiple geographic locations |
Optimal for splitting a network into logical parts for better management, but they do not provide any security features. | Operates in an unsecured online environment by definition. |
Reduce the need for routers and the expense of managing them. | Enable users to reliably send and receive sensitive data by providing an encrypted connection over the Internet. |
They remove latency in the network and improve its efficiency, facilitate its management and scalability, and save HW network resources. | They allow connection partners to securely facilitate the transmission of sensitive data. |
They use the layer-two frame tag for encapsulation and can scale up to 4000 VLANs. | Mitigate access attempts by malicious hackers by exploiting any confidential information. |
Help workers do their work remotely in their organizations. | |
Connection partners leverage this technology to access regionally restricted websites and maintain encryption during browsing activities for maximum protection from any type of cyber damage. |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Gentile, A.F.; Fazio, P.; Miceli, G. A Survey on the Implementation and Management of Secure Virtual Private Networks (VPNs) and Virtual LANs (VLANs) in Static and Mobile Scenarios. Telecom 2021, 2, 430-445. https://doi.org/10.3390/telecom2040025
Gentile AF, Fazio P, Miceli G. A Survey on the Implementation and Management of Secure Virtual Private Networks (VPNs) and Virtual LANs (VLANs) in Static and Mobile Scenarios. Telecom. 2021; 2(4):430-445. https://doi.org/10.3390/telecom2040025
Chicago/Turabian StyleGentile, Antonio Francesco, Peppino Fazio, and Giuseppe Miceli. 2021. "A Survey on the Implementation and Management of Secure Virtual Private Networks (VPNs) and Virtual LANs (VLANs) in Static and Mobile Scenarios" Telecom 2, no. 4: 430-445. https://doi.org/10.3390/telecom2040025
APA StyleGentile, A. F., Fazio, P., & Miceli, G. (2021). A Survey on the Implementation and Management of Secure Virtual Private Networks (VPNs) and Virtual LANs (VLANs) in Static and Mobile Scenarios. Telecom, 2(4), 430-445. https://doi.org/10.3390/telecom2040025