How Virtual Private Networks Work
The world has changed a lot in the last couple of decades. Instead of simply
dealing with local or regional concerns, many businesses now have to think
about global markets and logistics. Many companies have facilities spread out
across the country or around the world, and there is one thing that all of
them need: A way to maintain fast, secure and reliable communications wherever
their offices are.
Until fairly recently, this has meant the use of leased lines to maintain a
wide area network (WAN). Leased lines, ranging from ISDN (integrated services
digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber,
provided a company with a way to expand its private network beyond its
immediate geographic area. A WAN had obvious advantages over a public network
like the Internet when it came to reliability, performance and security. But
maintaining a WAN, particularly when using leased lines, can become quite
expensive and often rises in cost as the distance between the offices
increases.
As the popularity of the Internet grew, businesses turned to it as a means of
extending their own networks. First came intranets, which are password-protected
sites designed for use only by company employees. Now, many companies are
creating their own VPN (virtual private network) to accommodate the needs of
remote employees and distant offices.
learn about basic VPN components,
Security
Reliability
Scalability
Network management
Policy management
Analogy: Each LAN is an Island
Imagine that you live on an island in a huge ocean. There are thousands of
other islands all around you, some very close and others farther away. The
normal way to travel is to take a ferry from your island to whichever island
you wish to visit. Of course, traveling on a ferry means that you have almost
no privacy. Anything you do can be seen by someone else.
Let's say that each island represents a private LAN and the ocean is the
Internet. Traveling by ferry is like connecting to a Web server or other
device through the Internet. You have no control over the wires and routers
that make up the Internet, just like you have no control over the other people
on the ferry. This leaves you susceptible to security issues if you are trying
to connect between two private networks using a public resource.
Continuing with our analogy, your island decides to build a bridge to another
island so that there is an easier, more secure and direct way for people to
travel between the two. It is expensive to build and maintain the bridge, even
though the island you are connecting with is very close. But the need for a
reliable, secure path is so great that you do it anyway. Your island would
like to connect to a second island that is much farther away but decides that
the costs are simply too much to bear.
This is very much like having a leased line. The bridges (leased lines) are
separate from the ocean (Internet), yet are able to connect the islands
(LANs). Many companies have chosen this route because of the need for security
and reliability in connecting their remote offices. However, if the offices
are very far apart, the cost can be prohibitively high -- just like trying to
build a bridge that spans a great distance.
So how does VPN fit in? Using our analogy, we could give each inhabitant of
our islands a small submarine. Let's assume that your submarine has some
amazing properties:
It's fast.
It's easy to take with you wherever you go.
It's able to completely hide you from any other boats or submarines.
It's dependable.
It costs little to add additional submarines to your fleet once the
first is purchased.
Photo courtesy Cisco Systems, Inc.
A remote-access VPN utilizing IPSec
IPSec - Internet Protocol Security Protocol (IPSec) provides enhanced
security features such as better encryption algorithms and more
comprehensive authentication. IPSec has two encryption modes: tunnel and
transport. Tunnel encrypts the header and the payload of each packet
while transport only encrypts the payload. Only systems that are IPSec
compliant can take advantage of this protocol. Also, all devices must
use a common key and the firewalls of each network must have very
similar security policies set up. IPSec can encrypt data between various
devices, such as:
Router to router
Firewall to router
PC to router
PC to server
AAA Server - AAA (authentication, authorization and accounting) servers
are used for more secure access in a remote-access VPN environment. When
a request to establish a session comes in from a dial-up client, the
request is proxied to the AAA server. AAA then checks the following:
Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)
The accounting information is especially useful for tracking client use
for security auditing, billing or reporting purposes.
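As an added example, not part of the original article or of any vendor's product, the following Python block shows what a defender does with the accounting half of AAA: pairing Start and Stop records by session id, totalling time and traffic per user for charge-back, and flagging two things an audit cares about, sessions that never stopped and one account active on two access servers at the same time. The log lines are constructed samples; their "timestamp key=value ..." layout is an assumption, not the format of any real server, although the attribute names are the standard RADIUS accounting ones.

```python
# Added example (not from the article): turning AAA accounting records into
# an audit / charge-back view. The log lines are constructed samples in a
# simple "timestamp key=value ..." layout (an assumption, not a real server's
# format); the attribute names are the standard RADIUS accounting ones.
from collections import defaultdict
from datetime import datetime
from itertools import combinations

SAMPLE_LOG = """\
2001-03-05T08:02:11 Acct-Status-Type=Start Acct-Session-Id=s1 User-Name=alice NAS-IP-Address=192.0.2.10 Framed-IP-Address=10.8.0.21
2001-03-05T08:10:00 Acct-Status-Type=Start Acct-Session-Id=s2 User-Name=bob NAS-IP-Address=192.0.2.10 Framed-IP-Address=10.8.0.22
2001-03-05T08:30:00 Acct-Status-Type=Start Acct-Session-Id=s3 User-Name=alice NAS-IP-Address=192.0.2.11 Framed-IP-Address=10.8.0.40
2001-03-05T09:15:40 Acct-Status-Type=Stop Acct-Session-Id=s1 User-Name=alice Acct-Session-Time=4409 Acct-Input-Octets=1204332 Acct-Output-Octets=53219900 Acct-Terminate-Cause=User-Request
2001-03-05T09:40:00 Acct-Status-Type=Stop Acct-Session-Id=s3 User-Name=alice Acct-Session-Time=4200 Acct-Input-Octets=20000 Acct-Output-Octets=90000 Acct-Terminate-Cause=Idle-Timeout
"""


def parse_accounting(text: str) -> list:
    """One dict per record: 'timestamp' plus every key=value attribute."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        rec = {"timestamp": datetime.fromisoformat(stamp)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def session_report(records: list):
    """Pair Start and Stop records by Acct-Session-Id.

    Returns (per-user totals for charge-back, session ids that never
    stopped, users with overlapping sessions on different access servers).
    """
    starts = {}                      # session id -> Start record awaiting a Stop
    totals = defaultdict(lambda: {"seconds": 0, "octets": 0})
    intervals = defaultdict(list)    # user -> [(start, stop, nas)]
    for rec in records:
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop":
            user = rec["User-Name"]
            totals[user]["seconds"] += int(rec.get("Acct-Session-Time", 0))
            totals[user]["octets"] += (int(rec.get("Acct-Input-Octets", 0))
                                       + int(rec.get("Acct-Output-Octets", 0)))
            start = starts.pop(sid, None)
            if start is not None:
                intervals[user].append((start["timestamp"], rec["timestamp"],
                                        start["NAS-IP-Address"]))
    # A Start with no Stop is either still up or a lost accounting record;
    # either way it cannot be billed and deserves a look.
    open_sessions = sorted(starts)
    # The same account active on two access servers at once is worth an
    # audit question: a shared or stolen credential looks exactly like this.
    concurrent = set()
    for user, ivs in intervals.items():
        for (a0, a1, nas_a), (b0, b1, nas_b) in combinations(ivs, 2):
            if nas_a != nas_b and max(a0, b0) < min(a1, b1):
                concurrent.add(user)
    return dict(totals), open_sessions, sorted(concurrent)


if __name__ == "__main__":
    totals, open_sessions, concurrent = session_report(parse_accounting(SAMPLE_LOG))
    for user, t in totals.items():
        print(f"{user}: {t['seconds']} s online, {t['octets']} octets")
    print("sessions without a Stop:", open_sessions)
    print("users with overlapping sessions on different NASes:", concurrent)
```

Only Stop records carry usage, so a user whose session never stops (bob above) has nothing to bill; the open-session list is the place to reconcile that against the access server before the report goes out.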
VPN Technologies
Depending on the type of VPN (remote-access or site-to-site), you will need to
put in place certain components to build your VPN. These might include:
(Product sidebar; only fragments survive: translation, proxy server, packet filtration, firewall and VPN capabilities in a single piece of hardware.)
Carrier protocol - The protocol used by the network that the information
is traveling over
Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that
is wrapped around the original data
Passenger protocol - The original data (IPX, NetBeui, IP) being carried
Tunneling has amazing implications for VPNs. For example, you can place a
packet that uses a protocol not supported on the Internet (such as NetBeui)
inside an IP packet and send it safely over the Internet. Or you could put a
packet that uses a private (non-routable) IP address inside a packet that uses
a globally unique IP address to extend a private network over the Internet.
In a site-to-site VPN, GRE (generic routing encapsulation) is normally the
encapsulating protocol that provides the framework for how to package the
passenger protocol for transport over the carrier protocol, which is typically
IP-based. This includes information on what type of packet you are
encapsulating and information about the connection between the client and
server. Instead of GRE, IPSec in tunnel mode is sometimes used as the
encapsulating protocol. IPSec works well on both remote-access and site-to-site
VPNs, but it must be supported at both tunnel interfaces to be used.
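As an added example, not from the original article and not Cisco's or any vendor's code, the following Python block builds the three layers just named (a private-address passenger packet, a GRE encapsulating header, and a public-address IPv4 carrier) and then contrasts the two IPSec modes described earlier: transport mode protects only the payload and leaves the real source and destination readable, while tunnel mode protects the whole inner packet and shows an observer nothing but the two gateway addresses. It also covers the GRE decapsulation the text only implies. The addresses and key are constructed sample values, and the "encryption" is an HMAC-SHA256 keystream stand-in so the block runs with the standard library alone; it is not the cipher suite real IPSec negotiates.

```python
# Added example (not from the article): carrier, encapsulating and passenger
# protocols, plus IPsec tunnel mode versus transport mode, using minimal
# hand-built IPv4, GRE and ESP-style framing. Addresses and the key are
# constructed sample values; the keystream is a stand-in, NOT real IPsec crypto.
import hashlib
import hmac
import ipaddress
import struct

GRE_PROTO, ESP_PROTO, IPV4_ETHERTYPE = 47, 50, 0x0800

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte header (0 when it verifies)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) carrying `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return (str(ipaddress.ip_address(packet[12:16])),
            str(ipaddress.ip_address(packet[16:20])), packet[9], packet[20:])

def gre_encapsulate(passenger: bytes, carrier_src: str, carrier_dst: str) -> bytes:
    """Site-to-site style: GRE (encapsulating protocol) wraps the passenger
    packet inside a carrier IPv4 packet between the two tunnel endpoints."""
    gre_header = struct.pack("!HH", 0, IPV4_ETHERTYPE)  # no flags; payload is IPv4
    return ipv4_packet(carrier_src, carrier_dst, GRE_PROTO, gre_header + passenger)

def gre_decapsulate(carrier: bytes) -> bytes:
    """Strip the carrier and GRE headers, returning the passenger packet."""
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != GRE_PROTO or struct.unpack("!HH", payload[:4]) != (0, IPV4_ETHERTYPE):
        raise ValueError("not a plain GRE-over-IPv4 packet")
    return payload[4:]

def _subkeys(key: bytes):
    """Separate encryption and integrity keys derived from the one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"icv", hashlib.sha256).digest())

def _keystream(enc_key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in keystream (HMAC in counter mode), unique per SPI and sequence."""
    blocks = (hmac.new(enc_key, struct.pack("!III", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_protect(plaintext: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """SPI | sequence | ciphertext | ICV, following ESP's on-the-wire layout."""
    enc_key, icv_key = _subkeys(key)
    header = struct.pack("!II", spi, seq)
    cipher = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, spi, seq, len(plaintext))))
    return header + cipher + hmac.new(icv_key, header + cipher, hashlib.sha256).digest()[:16]

def esp_unprotect(esp: bytes, key: bytes) -> bytes:
    """Verify the ICV first, then decrypt; a tampered packet is rejected."""
    enc_key, icv_key = _subkeys(key)
    header, cipher, icv = esp[:8], esp[8:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(icv_key, header + cipher, hashlib.sha256).digest()[:16]):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    return bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, spi, seq, len(cipher))))

def ipsec_transport(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: only the payload is protected, so the original header
    (real source and destination) stays readable on the wire."""
    src, dst, proto, payload = parse_ipv4(packet)
    return ipv4_packet(src, dst, ESP_PROTO, esp_protect(payload + bytes([proto]), key, spi, seq))

def ipsec_tunnel(packet: bytes, key: bytes, spi: int, seq: int, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet, header included, is protected and
    a new outer header between the two gateways is added (next header 4 = IP)."""
    return ipv4_packet(gw_src, gw_dst, ESP_PROTO, esp_protect(packet + bytes([4]), key, spi, seq))

def visible_on_wire(packet: bytes):
    """What an observer on the carrier network learns from the outer header."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto

if __name__ == "__main__":
    key = b"constructed-demo-key"
    inner = ipv4_packet("10.0.0.5", "10.1.0.9", 6, b"GET / HTTP/1.0\r\n")  # private addresses
    gre = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    print("GRE carrier exposes:   ", visible_on_wire(gre), "| inner recovered:", gre_decapsulate(gre) == inner)
    print("transport mode exposes:", visible_on_wire(ipsec_transport(inner, key, 0x100, 1)))
    print("tunnel mode exposes:   ", visible_on_wire(ipsec_tunnel(inner, key, 0x100, 1, "198.51.100.1", "203.0.113.1")))
```

Running the block prints the outer (src, dst, protocol) triple for each case: plain GRE and tunnel-mode ESP show only the gateway addresses, while transport-mode ESP shows the private 10.x addresses of the two hosts, which is exactly the difference the text draws between the two modes. The trailing next-header byte stands in for the ESP trailer, and the integrity check is deliberately done before any decryption.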
In a remote-access VPN, tunneling normally takes place using PPP. Part of the
TCP/IP stack, PPP is the carrier for other IP protocols when communicating
over the network between the host computer and a remote system. Remote-access
VPN tunneling relies on PPP.
Each of the protocols listed below was built using the basic structure of PPP
and is used by remote-access VPNs.
by Cisco, L2F will use any
Escalating remote access and telecommuting needs and an increase in the use of distributed
business models like extranets require pragmatic remote access solutions that are easy to use,
economical, and flexible enough to meet the changing needs of every business. To support its
25,000+ employees worldwide with best-of-breed remote access and virtual private networking
(VPN) services, Microsoft capitalizes on the built-in communication services included in
Windows, integrated VPN firewall and caching support from Microsoft Proxy Server, and
complementary services from partners such as UUnet Technologies, Inc., Telco Research, and
ATCOM, Inc. This potent combination enables Microsoft to take advantage of the latest third party
solutions built on Windows, preserve its legacy investment, and provide an open path for future
needs.
Today businesses are asking their Information Technology Groups (ITG) to deliver an increasing
array of communication and networking services while squeezing the maximum possible from
budgets and support staffs. At Microsoft the situation is no different. To meet these demands, the
Internet Technology Group (ITG) at Microsoft looked to the Windows operating system platform
and software vendors and service providers for the technology needed to meet the remote access
demands of its more than 25,000 mobile sales personnel, telecommuters, and consultants around
the world.
Using Windows-based clients and enhanced Windows NT RAS technology available in the
Windows NT Option Pack, Microsoft's ITG is currently using and deploying a custom
Windows-based remote dial-up and virtual private networking (VPN) solution. New user
services, in concert with new Windows-based network services from UUnet, give users
quicker and easier network access while significantly reducing network costs.
Single client. ITG provided a single client for both the direct dial up and virtual private
network connections. Using Windows integrated dial-up networking technology (DUN) and
Microsoft Connection Manager, users use the same client interface for secure transparent
access whether dialing directly to the corporate network or connecting via a VPN. In fact,
users don't need to concern themselves with which method is employed.
Central management. ITG provided central management of remote dial-up and VPN access
phone numbers. Microsoft ITG has found that one of the most common support problems
traveling users face is determining and managing local access phone numbers. This problem
translates into one of the principal reasons for support calls to Microsoft's user support
centers. Using the Connection Manager Administration kit (CMAK) wizard, which is part of
Microsoft's remote access solution, Microsoft's ITG preloads each client PC with an electronic
"phone book" that includes every dial-up remote access phone number for Microsoft's
network. The Windows solution also allows phone books to be centrally integrated and
managed from a single remote location, and clients to be updated automatically. Microsoft's
mobile users now receive phone book updates automatically whenever they log onto the
network so they always have access to the latest phone numbers.
The open extensibility of the Windows NT Server allowed ITG to preserve its current hardware
network investments while partnering with UUnet Technologies, Inc. to provide a flexible and
comprehensive network solution. In addition, using Windows NT allowed Microsoft to take
advantage of third party solutions for Windows that capitalize on the extensibility afforded
Windows NT-based servers and clients. The Windows platform enabled Microsoft ITG to integrate
the best-of-breed network services and applications to best meet its client and network
administration needs.
ATCOM Inc IPORT: High-speed Internet access on the road
Microsoft employees can also connect to high-speed Internet access by plugging into public
IPORT jacks in hotels, airports, cafes, and remote locations. Microsoft's ITG used the open
extensibility of Windows NT Server to integrate IPORT's pay-per-use Internet access features
into its custom remote access solution.
The result is that Microsoft employees connecting via the Internet can easily and securely access
any Microsoft BackOffice based application, the Microsoft Intranet, and the Internet through
IPORT jacks in hotel rooms and public places at rates of up to 50 times that of typical dial-up
modems. This high-bandwidth, easily available connection helps Microsoft employees be more
productive and have a better online experience while on the road.
Microsoft Proxy Server: Secure Internet access and VPN
Like its counterpart at every corporation, Microsoft ITG must ensure that the edge of its network
is secure while still providing all its employees with the freedom needed to access information
world wide. To meet this need ITG has also deployed Microsoft Proxy Server to securely separate
the LAN from the Internet, while more easily securing VPN access to popular and productive
network resources for Microsoft employees at the highest possible speeds.
The Microsoft Proxy Server firewall capabilities protect Microsoft's network from unauthorized
access from the Internet by providing network address translation and dynamic IP-level filtering
to ensure that no intruders compromise the edge of network.
At the same time, Microsoft ITG uses the powerful caching services in Microsoft Proxy Server to
expedite the delivery of information. Commonly accessed Intranet or Internet sites used by
Microsoft employees are centrally cached and distributed to their specific remote access network
server. Hierarchical caching expedites information access and optimizes network performance by
reducing network load. The first time a dial-up remote user requests information from the
Internet, Proxy Server processes the request on the Internet on the user's behalf and returns the
contents of that page to the user. A copy of that page is also cached at the edge of the network
on Microsoft Proxy Server, and can be distributed to local dial-up servers. When another remote
or local user tries to access that same page from their remote location, Proxy Server passes back
to the user the information from the local cache rather than from the remote server location.
By reusing relevant cached information, Proxy Server is able to service subsequent users'
requests for already-requested information without having to generate additional network traffic.
ITG uses Microsoft Proxy Server to enable the Microsoft intranet and remote employees to
operate at peak efficiency with the utmost security.
Telco Research TRU RADIUS Accountant: RAS reporting, and internal usage charge back (billing)
Like many large companies with a multitude of branch offices and remote employees, Microsoft
pays a substantial amount for remote access fees due to the need to maintain private leased lines
and dedicated 800 numbers. In addition, the sheer number of LAN entry points and autonomy
afforded its international divisions made centralized accounting and retail reporting for remote
access use and roaming users important.
Using Windows NT Server 4.0, integrated user domain directory and RADIUS services, Microsoft
ITG is deploying a VPN solution bolstered with centralized accounting and reporting of enterprise
wide remote access and VPN use. Microsoft is deploying TRU RADIUS Accountant for Windows NT
from Telco Research as part of this solution.
Using Telco Research's product, Microsoft ITG is able to generate detailed reporting of remote
access and VPN network use for internal cost-accounting purposes while using familiar Windows
NT management tools. In this manner Microsoft ITG is able to quickly and easily deploy a turnkey
reporting solution built on the intrinsic communication services of Windows NT Server.
The Telco Research on Windows NT Server 4.0 RADIUS solution provides a quickly adaptable
reporting and authentication solution that offers the ultimate in network flexibility. This
flexibility is a key requirement for many ITG organizations in the face of continued acquisitions
and mergers and the increasing convergence of IP-based network applications. This solution
facilitates network integration, reduces the number of security management points, streamlines
reporting, and reduces the complexity normally associated with reporting and internal usage
charge back (billing) of remote access across an enterprise. As a result, Microsoft receives better
security, reduced implementation costs, and enhanced reporting to improve remote access
management and charge-back service while maintaining the flexibility to accommodate future
change.
UUnet Technologies, Inc. VIP Services: Economical Internet access and VPN
The integrated and open services of Windows enabled Microsoft to supplement its private data
network infrastructure and RAS with VPN services by working with UUnet Technologies, Inc., the
largest Internet service provider in the world. Under this relationship Microsoft's VPN solution is
integrated with the UUnet Radius Proxy servers through the Windows NT Server 4.0 native
support for RADIUS. This provides Microsoft employees with secure local access to the Microsoft
LAN through more than 1,000 Internet point-of-presence locations worldwide, at speeds ranging
from 28.8 Kbps to 155 Mbps.
Microsoft ITG made reliable and secure local access to the UUnet Technologies IP network
available to all Microsoft mobile employees, in part through the RADIUS support integrated
into the Windows NT Server 4.0 Remote Access Service. This resulted in the delivery of
high-quality VPN services over the UUnet Technologies, Inc. infrastructure at a reduced
cost. Microsoft ITG conservatively estimates that this use of Windows-based VPN service as
an alternative to traditional remote access will save the company more than $3.5 million
per year in remote access fees alone. Additional savings are expected from greatly reduced
remote access configuration support and the elimination of call requests for RAS phone numbers.
Integrated support for RADIUS-based authentication off of the Windows Directory in Windows NT
Server also allowed Microsoft to retain all authentication rights for Internet and LAN access for
its employees. This helps maintain network security and requires no change or redundant
replication of directory information.
In addition, the Microsoft Windows NT RADIUS solution is integrated into the Windows NT-based
User Manager, which allows Microsoft ITG to capitalize on its existing Windows NT domain
security scheme. Microsoft ITG is taking advantage of this integration to quickly enable Microsoft
employees to engage in true VPN and to securely authenticate themselves in an easy-to-manage
way.
Through its relationship with UUnet Technologies, Microsoft ITG was able to instantly extend
network access to its more than 25,000 employees in more than 50 countries. UUnet
Technologies' transcontinental backbone provides access throughout North America, Europe, and
the Asia-Pacific region so that Microsoft employees can access information locally anywhere with
reliability guarantees and the support of UUnet. In short, Windows enabled a Microsoft-UUnet
solution that proved a win for each company.
infrastructure would not only be able to meet today's needs, but also enable it to make the most
of opportunities provided by the digital convergence of network-aware applications in the near
future.
The momentum of Windows NT Server as a platform for IP telephony, media-streaming
technologies, and the migration to PBX systems based on Windows NT Server 4.0 is evidence of
an increased need for higher degrees of client/server network application integration. The
remote access solution ITG selected needed to be flexible enough to meet the forecasted demand
for increasingly sophisticated and mission-critical network-aware applications.
"In the end," says ITG Program Manager Ken Kubota, "what Microsoft remote employees want is
easy, fast, secure access to the corporate network."
The unique communication services of Windows NT Server make connecting locally through
direct dial or VPN easy and secure. Intelligent partnering with companies like UUnet
Technologies, Inc. and ATCOM Inc. has also enabled Microsoft ITG to increase employee
productivity by providing secure, fast, reliable local connections to all available network
resources from just about anywhere in the world.
Using Windows NT Server as the backbone of the remote access solution provides the flexibility
needed to economically address current and future needs of Microsoft ITG. The selection of a
Windows-based solution allows ITG the freedom to both centrally manage and incrementally
extend the Microsoft direct dial and VPN infrastructure at a controlled pace and in an open
manner, through partnerships with multiple service providers, such as UUnet Technologies.
Furthermore, should outsourcing network WAN services and equipment become even more
prevalent, Windows provides ITG with a platform that can accommodate this migration while still
preserving the value of current software and hardware investments.
Windows NT Server's Routing, RAS, and VPN services -- along with tight integration with Microsoft
Proxy Server -- are already enabling Microsoft ITG to seamlessly extend its RAS-VPN infrastructure
to connect Microsoft subsidiaries, branch offices, and extranet partners securely to the corporate
network over private and public networks. In addition, the broad application support enjoyed by
the Windows communication platform ensures that ITG will continue to have access to a host of
rich application services made available by developers and service providers, such as ATCOM
Inc., Telco-Research, and UUnet Technologies, Inc., to meet Microsoft's business needs into the
future.
Solution Overview
Industry
International Software Development
Architecture
The remote access infrastructure that Microsoft's Redmond, WA, headquarters uses for its
14,000 HQ employees consists of three dedicated VPN server computers running the Windows NT
Server network operating system version 4.0. Each machine runs on dual 300-MHz Pentium II
processors with 193 MB of RAM, 2 x 2 gigabytes of local storage, and two 100-MB network
interface cards. One network card is connected to the Microsoft local area network and the other
connects to a network peering with UUnet Technologies, Inc.'s 135-MBps connection. UUnet
provides this connection to the Internet via multiple DS-3 connections in Redmond. These
facilities will be upgraded to multiple OC-12 (622-MBps) connections this summer.
The UUnet Technologies, Inc. network that supports Microsoft's wholesale remote access and
VPN services provides access to one of the largest IP networks in the world. UUnet's backbone
infrastructure features a fully meshed network that extends across both the Atlantic and Pacific
and includes direct fiber optic connections between Europe, North America, and Asia. UUnet also
provides satellite access services for remote areas that lack Internet connections.
Server Products Used
Microsoft Windows NT Server 4.0
Routing Remote Access Service (RRAS)
Connection Manager
Connection Point Services
Internet Authentication Service
Microsoft Proxy Server, firewall and proxy services
Client products used
Windows 95
Windows 98
Windows NT Workstation
Merchant Builder, from The Internet Factory
FoxPro
Norton anti-virus software