INTRODUCTION TO VIRTUAL PRIVATE NETWORKS
VPN: Definition
- A Virtual Private Network is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated connection such as a leased line, a VPN uses "virtual" connections routed through the Internet. It works like a point-to-point private link.
Traditional Corporate WAN
- Traditional corporate WANs are built using private lines or private Frame Relay/ATM.
- Remote access needs are accommodated by remote access servers and modems. Users dial in through the public switched telephone network.
- Main advantages of a traditional WAN:
  - Predictable bandwidth
  - Security and privacy
- Main disadvantages of a traditional WAN:
  - High telecommunication costs
  - Not easily scalable
Virtual Private Network
- Definition: a VPN is a private network constructed within the public Internet.
- Goals
  - Connect private networks using shared public infrastructure
  - Simplify distributed network creation
- Desirable properties
  - Security: an obvious issue, because a public network (the Internet) becomes a physical part of the private network
  - Quality of service guarantees
VPN Types
- Remote-access
  - A single remote network device to the intranet
- Site-to-site
  - Connects multiple fixed sites over a public network
  - Intranet-based
  - Extranet-based
VPN Architectures
Site-to-site intranet VPNs: connect different networks. A VPN gateway is located at the boundary between a private corporate network and the public Internet.
Remote access VPNs: enable remote connectivity using any Internet access technology. The remote user launches the VPN client to create a VPN tunnel to the gateway.
[Figure: Remote access VPNs]
Extranet VPNs: provide customers/suppliers with access to the extranet. VPN tunnels are created through the Internet between the corporate gateway and a gateway located in a partner's network.
Note: An extranet typically uses the technology of the public Internet (TCP/IP and browsers), and customers access the extranet via the Internet through their local ISPs. But an extranet is not a public entity, as you need accounts and passwords, typically issued by the firm running the extranet.
Basic VPN Requirements
- Authentication
  - Ensuring that the data originates at the source it claims to come from.
- Access Control
  - Restricting unauthorized users from gaining admission.
  - When an access request is presented, the resource decides whether to allow the request to proceed or not.
  - Performed at tunnel endpoints.
- Confidentiality
  - Preventing anyone from reading or copying data as it travels across the Internet.
- Data Integrity
  - Ensuring that no one tampers with data as it travels across the Internet.
Tunneling
- Tunnel: a logical link between the tunnel client and the tunnel server. It is used in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.
- Tunneling is the process of encapsulating (placing an entire packet within another packet, which provides the routing information) and sending it over the Internet.
- Tunnels serve three major purposes in VPNs:
  - To enable different protocols to be transported over IP
  - To route privately addressed packets through the Internet
  - To provide data integrity and confidentiality
Example
If node C takes the original packet and places it completely within a new packet addressed for node G, the nodes D, E and F would not know the original destination I.
Tunneling protocols
PPTP (Point-to-Point Tunneling Protocol)
- Developed by Microsoft and other companies
- Layer 2 protocol
- Uses the GRE (Generic Routing Encapsulation) protocol for encapsulation
- Voluntary tunneling (the VPN client manages connection setup)
- Disadvantage: does not provide strong encryption
PPTP Steps:
- PPP access by remote computers to a private network through the Internet
1. The remote user dials in to the local ISP network access server using PPP.
2. The PAC (personal activity center) establishes a control channel (TCP) across the PPP (Point-to-Point Protocol) connection and through the Internet to the PNS attached to the home network.
3. Parameters for the PPTP channel are negotiated over the control channel, and the PPTP tunnel is established.
4. A second PPP connection is made from the remote user, through the PPTP tunnel between the PAC (personal activity center) and the PNS (personal number service), and into the private network's NAS (or RAS).
5. IP datagrams or any other protocol's datagrams are sent inside the PPP frames.
Tunneling Protocols (continued)
L2F (Layer 2 Forwarding Protocol)
- Developed by Cisco and other vendors
- Layer 2 protocol
- Compulsory tunneling: unlike PPTP and L2TP, L2F has no VPN client; the Internet service provider manages the VPN connection.
- Can use any packet-oriented protocol for encapsulation
- Tunnels can support more than one connection
- Disadvantage: does not define encryption for the encapsulated packet.
In L2F the tunnel is constructed from the service provider's side:
1. The remote user dials in to the local ISP network access server using PPP.
2. L2F builds a tunnel from the NAS to the private network. It uses a packet-oriented protocol that provides end-to-end connectivity, such as UDP, Frame Relay, etc., as the encapsulating protocol.
3. L2F establishes a PPP connection between the NAS and the home gateway.
4. IP packets are sent over the PPP connection.
L2TP (Layer 2 Tunneling Protocol)
- Combines features of the previous two to overcome their shortcomings and become a standard
- Supports both voluntary and compulsory tunneling
- Has its own encapsulation protocol
- Again lacks good security features.
- The current L2TP draft standard recommends that IPSec be used for encryption and key management in IP environments.
IPSec (Tunneling Protocol)
- Probably the most important protocol used in VPNs
- Layer 3 protocol.
- Provides the sender with the opportunity to authenticate or encrypt (or both) each IP packet.
- Two methods of using IPSec (modes):
  - Transport mode: only the transport-layer segment of an IP packet is authenticated or encrypted
  - Tunnel mode: the entire packet is authenticated or encrypted.
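The node C to node G tunneling example above and the transport/tunnel mode distinction share one idea: what is inside the encapsulated packet is opaque to whoever only reads the outer header. The following is an added illustration, not code from the slides; it models the packets as simple records, uses HMAC-SHA256 as a stand-in for an ESP-style integrity check, and the "src|dst|" header encoding, node names and key are constructed for the demonstration.

```python
# Added example (not from the slides): a minimal model of the node C -> G
# tunneling example and of what IPsec protects in transport vs tunnel mode.
# HMAC-SHA256 stands in for an ESP-style integrity check; the "src|dst|"
# header encoding, node names and key are constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # header field: source address
    dst: str        # header field: destination address
    payload: bytes  # transport segment, or an encapsulated inner packet


def header_bytes(pkt: Packet) -> bytes:
    return f"{pkt.src}|{pkt.dst}|".encode()


def encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Tunnel entry (node C): the whole inner packet becomes the payload of a
    new packet addressed to the tunnel exit (node G)."""
    return Packet(tunnel_src, tunnel_dst, header_bytes(inner) + inner.payload)


def decapsulate(outer: Packet) -> Packet:
    """Tunnel exit (node G): strip the outer header and recover the original."""
    src, dst, payload = outer.payload.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def router_view(pkt: Packet) -> tuple[str, str]:
    """Intermediate nodes (D, E, F) forward on the outer header only and never
    parse the payload, so the real destination I stays invisible to them."""
    return pkt.src, pkt.dst


def transport_mode_tag(pkt: Packet, key: bytes) -> bytes:
    """Transport mode: integrity covers only the transport-layer payload."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()


def tunnel_mode_tag(pkt: Packet, key: bytes) -> bytes:
    """Tunnel mode: integrity covers the entire original packet, header included."""
    return hmac.new(key, header_bytes(pkt) + pkt.payload, hashlib.sha256).digest()


def header_change_detected(pkt: Packet, key: bytes, mode: str) -> bool:
    """Does the receiver notice a rewritten destination address in this mode?
    Transport mode leaves the header uncovered; tunnel mode does not."""
    tag_fn = transport_mode_tag if mode == "transport" else tunnel_mode_tag
    altered = Packet(pkt.src, "X", pkt.payload)  # same payload, different dst
    return not hmac.compare_digest(tag_fn(pkt, key), tag_fn(altered, key))
```

Running `router_view(encapsulate(Packet("A", "I", b"data"), "C", "G"))` yields only `("C", "G")`, and `header_change_detected` is False in transport mode but True in tunnel mode, which is exactly the gap the slide's "entire packet" wording points at.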
VPNs – Performance
- IPSec solves the problem of VPN security, but performance remains an issue.
- VPN performance depends on:
  - The speed of transit through the Internet: the public Internet cannot provide guaranteed levels of response time and reliability. Some service providers offer quality of service agreements.
  - The efficiency of the VPN processing at each end of the connection. Encapsulation and encryption require adding data fields to each packet, giving longer packets and a higher likelihood of fragmentation. Encryption is very computationally intensive and must be performed on products that are optimized for these functions.
VPN Gateways
- A key element of a VPN
- Sit between the public and private network, preventing intrusions
- Can also perform tunneling and encryption
- Generally fit into one of the following categories: routers, firewalls, integrated hardware, software.
  - Routers: usually preferred for high-throughput VPNs
  - Firewalls: can provide tunneling and encryption only on small VPNs with low traffic
  - Integrated hardware: some provide very high throughput and a large number of tunnels.
  - Software gateways: usually low-cost solutions for small VPNs.
VPNs – Advantages
- Eliminate the need for expensive private or leased lines
- Reduce long-distance telephone charges
- Reduce equipment costs (modem banks, CSU/DSUs)
- Reduce technical support
- Scalability: new locations are easily added to the VPN
- Security
VPNs – Disadvantages
- Require an in-depth understanding of public network security issues and proper precautions in VPN deployment
- The availability and performance of a corporate VPN (over the Internet) depend on uncontrollable external factors.
- Lack of standardization: products from different vendors may not work well together.
- VPNs need to accommodate complicated protocols other than IP.
Some Useful Terminology Used in the Article:
PPP:
An 8-bit serial interconnection protocol which allows a PC to connect to the Internet with a standard dial-up telephone line and a modem.
PAC:
Personal activity center. A combination IBM PC clone, alarm clock, answering machine, speaker phone, fax machine, modem, etc., all rolled into one unit sitting at your desk.
PNS:
Personal Number Service, just like a UAN number.
NAS or RAS:
A Remote Access Server is like a computer which sits on a corporate LAN and into which employees dial through the PSTN to get access to their email and other data on the corporate network.
RAS is also used by ISPs to allow their customers access into their networks.
RAS units are typically measured by how many simultaneous dial-in users they can handle.