Of That

Brandt Redd on Education, Technology, Energy, and Trust

19 October 2009

Business Concept - A Virtual Secure Network

Introduction

This is the first in a series. Over the years I have come up with dozens of new business ideas. Some fraction of those dozens are viable and quite a number of them have appeared – though I haven’t been involved in most cases. This has taught me several things. My biggest lesson is that if I have a good idea, most likely someone else has that same idea and if I don’t pursue it, someone else is likely to do so.

Despite this long-known lesson my typical approach to a good idea has been to speak little of each idea in hopes that I may someday have a chance to make money from it. This, of course, hasn’t happened except in a few cases. I’m ready to challenge that strategy. Henceforth I’m taking an Abundance approach to new ideas. So long as it doesn’t compromise my obligations to my current employers, I intend to share my best ideas and simply see what grows.

Of course, if you get serious about pursuing one of these ideas we would both benefit if you were to contact me. I’ve given a lot more thought to these ideas than I can fit in a simple blog post.

A Virtual Secure Network

Most people are familiar with Virtual Private Networking (VPN). In a nutshell, a VPN allows you to connect your computer over the Internet to a private network. Usually this is used by businesspeople to connect to their office network and access private resources. It’s also used to interconnect networks between branch offices without the cost of dedicated private lines. Data that passes over the internet is encrypted to prevent eavesdropping. It may be argued that VPN is a misnomer since what you really have is a virtual connection over the internet to an actual network back at the home office.

I propose a true Virtual Private Network that would allow my laptop, my home desktop and my wife’s computer to all communicate regardless of where they are located on the internet. This would enable secure file sharing, Remote Desktop, Remote Assistance and a host of other things to work conveniently without worrying about firewall traversal, routing and other things. It would also use encryption to protect such communications from external scrutiny. To distinguish this from existing Virtual Private Networks and to emphasize the built-in security features I call it a Virtual Secure Network or VSN.

The biggest problem with any virtual networking protocol (VPN or VSN) is getting through the firewall. Most firewalls and routers will allow connections to originate inside the firewall but not from the outside. For example, my desktop PC at home can connect to Google.com but Google can’t contact my desktop because the connection is blocked by my home firewall/router. Specialized protocols such as UPnP NAT Traversal and Teredo have been introduced to fix this problem but adoption is limited.

A couple of years ago a colleague pointed me at this paper: Peer-to-peer Communication Across Network Address Translators by Bryan Ford, Pyda Srisuresh and Dan Kegel. It introduces a method of Hole Punching that opens TCP and UDP communication through a majority of firewalls including NAT firewalls. The system requires a publicly available server to coordinate the connection between two computers, but once that connection is made, the individual computers are able to connect directly, so the bandwidth demands on the public server are modest. This is the primary method that Skype uses and, as those who have used Skype know, it simply works without any special network configuration. The Internet Engineering Task Force has worked on standardizing methods similar to those proposed by Ford et al. The original proposal is in RFC 3489 and an update is in RFC 5389.

I propose creating a virtual network adapter driver similar to those used for VPN connections. The virtual adapter would use the real network adapter in a computer to connect with a public server on the internet and register the computer’s availability and the public IP address and port of its firewall. Other computers in the same VSN could connect to that public server to discover the necessary information to broker a direct, encrypted connection.
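The one piece of information the public server must hand back is the address and port that a computer’s NAT presented to the internet. RFC 5389 (the update cited above) does exactly that with a Binding transaction, so here is an added example, not code from the post, of that exchange: the client sends a Binding Request, the server reflects the source it observed in an XOR-MAPPED-ADDRESS attribute, and the client checks the reply is really for its transaction before trusting the result. It assumes IPv4 only and uses constructed addresses; `simulate_exchange` is a hypothetical helper that plays both sides in one process.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 message
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020        # attribute carrying the NAT's public mapping
HEADER = "!HHI12s"                 # type, length, cookie, 96-bit transaction id

def build_binding_request(txn_id=None):
    """Client: bare Binding Request header; a random txn_id lets replies be matched."""
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id or os.urandom(12))

def build_binding_success(txn_id, observed_ip, observed_port):
    """Server: reflect the source it saw, XORed with the cookie so a NAT that
    rewrites its own address inside payloads cannot silently corrupt it."""
    xport = observed_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(observed_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)     # reserved, family=IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr

def parse_mapped_address(msg, expected_txn_id):
    """Client: accept only a reply to our own transaction, then recover (ip, port)."""
    if len(msg) < 20:
        raise ValueError("truncated STUN message")
    msg_type, length, cookie, txn_id = struct.unpack(HEADER, msg[:20])
    if cookie != MAGIC_COOKIE or txn_id != expected_txn_id:
        raise ValueError("not a reply to our request (cookie/transaction id mismatch)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("binding failed, type 0x%04x" % msg_type)
    body, offset = msg[20:20 + length], 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)          # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 mappings handled in this example")
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no XOR-MAPPED-ADDRESS attribute in reply")

def simulate_exchange(nat_ip, nat_port):
    """Constructed round trip: the server sees the request arrive from the NAT's
    (nat_ip, nat_port) and the client learns that mapping from the reply."""
    txn = os.urandom(12)
    build_binding_request(txn)                    # what would go on the wire
    return parse_mapped_address(build_binding_success(txn, nat_ip, nat_port), txn)
```

The transaction-id check matters for the VSN idea: a reply that is not bound to the request the client actually sent should not be allowed to plant a bogus endpoint in the registry.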

From the user’s perspective, it would appear as if all trusted computers in his/her VSN are immediately available and things like Remote Desktop, Remote Assistance, File Sharing, Printer Sharing and the like would "just work" like Skype.

From a business model perspective it’s convenient that a public server is required to set up the connections but the server isn’t involved in the actual transmission of the data. This means that a company could set up the public server and charge a modest subscription fee without the bandwidth cost of actually relaying the traffic. Even if IPv6 and Teredo become popular, the VSN would retain security advantages that preserve the business model.
