Extranets are networks built to link facilities over large distances. For years, broadcasters have moved content between facilities, frequently through special video circuits leased from various service providers (traditional telephone companies, satellite companies and terrestrial carriers). Such extranets are intrinsically private. Providers control access to these networks, and coding the content makes it difficult for unauthorized parties to monitor the content or to divert it in transit from one facility to another. But these dedicated networks can also be quite expensive.
Thus, it is becoming increasingly common for broadcasters to link facilities using the public Internet. This option is much less expensive, but it may be difficult to attain adequate security while meeting the broadcaster's needs. The risk increases when the broadcaster wishes to link its facilities on a full-time basis. Broadcasters recognize the value of full-time connectivity between affiliates, station group members and others in the field, especially when they can use this connectivity to transmit both content and data. So, how can a broadcaster use the Internet as a secure extranet? The answer may lie with virtual private networks (VPNs).
A VPN is a private network that uses the public Internet to connect two or more computers or facilities. It allows a broadcaster to create a single network, even though the network may connect facilities that are hundreds of miles apart. When interconnected using a VPN, computers act as if they are all on the same network. Workstations in one location can access a server, plotter or other device in another location. This may not seem like a major breakthrough — you can access a server over the Internet without any special software or connection. But, in this case, the workstation on the VPN behaves almost exactly as if it was connected to a port on a local switch. Moreover, VPNs incorporate security technology that is hard to break, and you can set them up so that remote workstations can traverse a firewall without compromising security. And setting up a VPN is relatively simple to do.
In Figure 1, you can see that location A uses a private address of 192.168.2. Note that location B uses a private address of 192.168.1. The VPN routers are configured to route traffic between the two networks. On the public side of the Internet, location A has an address of 22.214.171.124, and location B has an address of 126.96.36.199. When setting up the VPN, the engineer tells VPN router A to connect to 188.8.131.52. Once the connection is established, the two networks are connected together. The magic of the VPN is that, to the outside world, the only things visible are two public Internet addresses. The router typically contains a firewall that prevents unauthorized access to the networks. But the VPN connection allows the two networks to be linked together over the public Internet. The VPN router encrypts packets sent between the two locations, and the network rejects unauthorized VPN connection attempts.
Figure 2 on page 38 illustrates how someone on the road might use a laptop computer and a VPN to access a local e-mail server. First, the traveler connects to the Internet, typically by using a dial-up connection to an Internet service provider. Second, when the connection is established, the ISP assigns the laptop a public IP address (example: 184.108.40.206). At this point, the traveler can use the laptop to access the Internet as usual, including Web sites, FTP sites and so on. But the laptop cannot see the e-mail server on the local corporate network. Third, the laptop user “dials in” to the VPN by entering the IP address of the VPN along with a username and password combination. In this case, the user would enter 220.127.116.11 to connect to the VPN. Once authenticated, the VPN router assigns the laptop an IP address (example: 192.168.2.45). When the connection is complete, the laptop acts as if it is connected to the local network. The laptop can access the local e-mail server. Requests to access content on the Internet travel from the laptop, over the Internet to the local network, then back out through the VPN router to the Internet.
To illustrate this point, let's look at what happens if the laptop calls up a Web site (www.broadcastengineering.com for example). First, the Web browser message travels from the laptop over the Internet to the VPN router at corporate headquarters. The VPN recognizes that the IP address of www.broadcastengineering.com (which is 18.104.22.168) is not on the local network. The VPN router sends the packet back out on the Internet, directed to the Broadcast Engineering Web site. When the Web site responds, the VPN router sends the packets back to the laptop at 192.168.2.45, which it knows is physically connected via the VPN. Once a computer is connected through the VPN, it acts as if it were plugged into a switch located at corporate headquarters.
A virtual tunnel
You might wonder how it is that a VPN can be secure when it connects two facilities together over the public Internet. While you are using the Internet to carry the data between two facilities, you are not really “on the Internet.” Instead, you are creating a “tunnel” between the two facilities. Data then pass through the tunnel from one facility to another without being visible on the Internet. This tunneling analogy breaks down though, when you look at the details. First, the image of a tunnel implies that some sort of permanent connection exists between the two facilities, and that all data flow over the same path all the time; this is not true. As with most traffic carried over the Internet, the exact path that data take from source to destination can vary on a packet-by-packet basis. So, while a permanent tunnel using the same route does not exist, it is fair to say that a VPN creates a virtual tunnel between the two facilities. To the user, it looks as if the two facilities are connected together using a permanent connection. Second, a tunnel implies that someone on the outside of the tunnel cannot see what is happening inside. Hackers who are monitoring a VPN can see the packets as they travel along the Internet. But, because you've encrypted the data inside the packets, the hacker cannot tell what you are transmitting.
There are three components to VPN security. The first is user authentication, accomplished with a username and password combination. Obviously, if you give away your VPN username and password (or send it via unencrypted e-mail for example), you can compromise VPN security. The second component of VPN security is a feature that assures that packets have not been altered during transmission. An encrypting system puts the data in a packet through a “hash system.” The hash system calculates a small number based upon the data carried in the packet. The VPN application appends this number to the data packet before transmitting it. The receiving VPN application puts the data in the packet through the same “hash system” and compares its result with the one sent with the data. If the two differ, the receiving application notifies the user that a packet may have been altered during transmission. The final component encrypts messages sent over the public Internet using encryption keys. This is a detailed subject, but 3DES, an encryption scheme in wide use these days, uses 168-bit keys. To try all possible keys, a hacker would have to try 2168 combinations — a monumental task.
VPNs are inexpensive, relatively easy to deploy, well-tested and quite secure. There used to be some issues with interoperability of different types of VPNs but, at this point, most of these issues have been resolved. In addition, most common operating systems have included support for VPNs for several years. So configuring a VPN on a remote computer can be as easy as configuring a dial-up connection.
VPNs can provide you with much greater security than a straight dial-up connection. Broadcasters have always been challenged to provide secure connections for their networks. VPNs are currently the best way to provide this without having to resort to expensive, dedicated networks.
You can find a great deal of information about VPNs at the Virtual Private Network Consortium's Web site (www.vpnc.org).
Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and executive director of the Video Services Forum.
Send questions and comments to: firstname.lastname@example.org