For Download Visit 1


The Virtual Private Network (VPN) has attracted the attention of many organizations looking both to expand their networking capabilities and to reduce their costs. VPNs can be found in workplaces and homes, where they allow employees to log into company networks securely. Telecommuters and frequent travellers often find a VPN a more convenient way to stay "plugged in" to the corporate intranet. Whatever your current involvement with VPNs, this is a good technology to know something about. A study of VPNs touches many interesting aspects of network protocol design, Internet security, network service outsourcing, and technology standards.

What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In this respect, a VPN is a form of Wide Area Network (WAN). The key feature of a VPN, however, is its ability to use public networks like the Internet rather than rely on private leased lines. VPN technologies implement restricted-access networks that utilize the same cabling and routers as a public network, and they do so without sacrificing features or basic security. A VPN supports at least three different modes of use:

• Remote access client connections
• LAN-to-LAN internetworking
• Controlled access within an intranet

VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and marketing "hype" surrounds VPNs. In reality, VPNs provide just a few clear potential advantages over more traditional forms of wide-area networking. These advantages can be quite significant, but they do not come for free. The potential problems with VPNs outnumber the advantages and are generally more difficult to understand. The disadvantages do not necessarily outweigh the advantages, however. From security and performance concerns to coping with a wide range of sometimes incompatible vendor products, the decision of whether or not to use a VPN cannot be made without significant planning and preparation.



Technology Behind VPNs

Several network protocols have become popular as a result of VPN developments:
   


These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to establish the identity of the users and endpoints on the network with confidence. Encryption allows potentially sensitive data to be hidden from the general public. Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other.

The Future of VPN

The success of VPNs in the future depends mainly on industry dynamics. Most of the value in VPNs lies in the potential for businesses to save money. Should the cost of long-distance telephone calls and leased lines continue to drop, fewer companies may feel the need to switch to VPNs for remote access. Conversely, if VPN standards solidify and vendor products interoperate fully with each other, the appeal of VPNs should increase. The success of VPNs also depends on the ability of intranets and extranets to deliver on their promises. Companies have had difficulty measuring the cost savings of their private networks, but if it can be demonstrated that these networks provide significant value, the use of VPN technology internally may also increase.








1. INTRODUCTION
1.1. Definition
An Internet-based virtual private network (VPN) uses the open, distributed infrastructure of the Internet to transmit data between corporate sites.

Why develop a VPN?

Businesses today are faced with supporting a broader variety of communications among a wider range of sites even as they seek to reduce the cost of their communications infrastructure. Employees are looking to access the resources of their corporate intranets as they take to the road, telecommute, or dial in from customer sites.



Plus, business partners are joining together in extranets to share business information, either for a joint project of a few months' duration or for long-term strategic advantage. At the same time, businesses are finding that past solutions to wide-area networking between the main corporate network and branch offices, such as dedicated leased lines or frame-relay circuits, do not provide the flexibility required for quickly creating new partner links or supporting project teams in the field. Meanwhile, the growth in the number of telecommuters and an increasingly mobile sales force is eating up resources as more money is spent on modem banks, remote-access servers, and phone charges. The trend toward mobile connectivity shows no sign of abating; Forrester Research estimated that more than 80 percent of the corporate workforce would have at least one mobile computing device by 1999.

Comparison of VPNs with existing networks:

First and foremost are the cost savings of Internet VPNs when compared to traditional private networks built on leased lines. A traditional corporate network built using leased T1 (1.5 Mbps) and T3 (45 Mbps) links must deal with tariffs that are structured to include an installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees that are greater than typical fees for leased Internet connections of the same speed. Leased Internet lines offer another cost advantage because many providers offer prices that are tiered according to usage. For businesses that require the use of a full T1 or T3 only during busy times of the day but do not need the full bandwidth most of the time, ISP services such as burstable T1 are an excellent option. Burstable T1 provides on-demand bandwidth with flexible pricing. For example, a customer who signs up for a full T1 but whose traffic averages 512 kbps on the T1 circuit will pay less than a T1 customer whose average monthly traffic is 768 kbps. Because point-to-point links are not a part of the Internet VPN, companies do not have to support one of each kind of connection, further reducing equipment and support costs. With traditional corporate networks, the media that serve smaller branch offices, telecommuters, and mobile workers (digital subscriber line (xDSL), integrated services digital network (ISDN), and high-speed modems, for instance) must be supported by additional equipment at corporate headquarters. In a VPN, not only can T1 or T3 lines be used between the main office and the ISP, but many other media can be used to connect smaller offices and mobile workers to the ISP and, therefore, to the VPN, without installing any added equipment at headquarters.

VPNs resolve the limitations of ordinary networks:



VPNs using the Internet have the potential to solve many of these business networking problems. VPNs allow network managers to connect remote branch offices and project teams to the main corporate network economically and to provide remote access to employees while reducing the in-house requirements for equipment. Rather than depend on dedicated leased lines or frame relay's permanent virtual circuits (PVCs), an Internet-based VPN uses the open, distributed infrastructure of the Internet to transmit data between corporate sites. Companies using an Internet VPN set up connections to the local connection points (called points-of-presence [POPs]) of their Internet service provider (ISP) and let the ISP ensure that the data is transmitted to the appropriate destinations via the Internet, leaving the rest of the connectivity details to the ISP's network and the Internet infrastructure. Because the Internet is a public network with open transmission of most data, Internet-based VPNs include measures for encrypting data passed between VPN sites, which protects the data against eavesdropping and tampering by unauthorized parties. In addition, VPNs are not limited to corporate sites and branch offices. As an added advantage, a VPN can provide secure connectivity for mobile workers. These workers can connect to their company's VPN by dialing into the POP of a local ISP, which reduces the need for long-distance charges and outlays for installing and maintaining large banks of modems at corporate sites. While VPNs offer direct cost savings over other communications methods (such as leased lines and long-distance calls), they can also offer other advantages, including indirect cost savings as a result of reduced training requirements and equipment, increased flexibility, and scalability.




The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or even around the world. But there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are. Until recently, this has meant the use of leased lines to maintain a Wide Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital Network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPNs (Virtual Private Networks) to accommodate the needs of remote employees and distant offices.

Image courtesy of Cisco Systems, Inc. A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field.



Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone. The traffic reaches these backbones using any combination of access technologies, including T1, frame relay, ISDN, ATM or simple dial access.

VPNs use familiar networking technology and protocols. The client sends a stream of encrypted Point-to-Point Protocol (PPP) packets to a remote server or router, except that instead of going across a dedicated line (as in the case of WANs), the packets go across a tunnel over a shared network. The general idea behind this method is that a company reduces the recurring telecommunications charges it shoulders when connecting remote users and branch offices to resources at corporate headquarters.

The most commonly accepted method of creating VPN tunnels is to encapsulate a network protocol (IP, IPX, NetBEUI, AppleTalk, and others) inside PPP, and then encapsulate the entire package inside a tunneling protocol, which is typically carried over IP but could also be carried over ATM or frame relay. This increasingly popular approach is called Layer 2 tunneling because the passenger is a Layer 2 (PPP) frame; the Layer 2 Tunneling Protocol (L2TP) is the standard protocol for doing so. Using this VPN model, packets headed towards the remote network reach a tunnel-initiating device, which can be anything from an extranet router to a PC with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN terminator, or tunnel switch, to agree on an encryption scheme. The tunnel initiator then encrypts the package for security before transmitting it to the terminator, which decrypts the packet and delivers it to the appropriate destination on the network.

L2TP is the combination of Cisco Systems' Layer-2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol, including IP, IPX, and AppleTalk, as well as any WAN backbone technology, including frame relay, ATM, X.25, and SONET. Because of L2TP's use of Microsoft's PPTP, it is included as part of the remote access features of most Windows products.



Another approach to VPNs is SOCKS 5, which follows a proxy server model and works at the TCP socket level. It requires a SOCKS 5 server and appropriate client software in order to work. The SOCKS 5 client intercepts a request for service and checks it against a security database. If the request is granted, the server establishes an authenticated session with the client, acting as a proxy. This allows network managers to apply specific controls, proxy traffic, and specify which applications can cross the firewall into the Internet. VPN technology can be used for site-to-site connectivity as well, which would allow a branch office with multiple access lines to get rid of the dedicated data line and move traffic over the existing Internet access connection. Since many sites use multiple lines, this can be a very useful application, and it can be deployed without adding equipment or software.


Example use of VPN:

Step 1. The remote user dials into their local ISP and logs into the ISP's network as usual.

Step 2. When connectivity to the corporate network is desired, the user initiates a tunnel request to the destination security server on the corporate network. The security server authenticates the user and creates the other end of the tunnel.

Step 3. The user then sends data through the tunnel; it is encrypted by the VPN software before being sent over the ISP connection.

Step 4. The destination security server receives the encrypted data and decrypts it. The security server then forwards the decrypted packets onto the corporate network. Any information sent back to the remote user is also encrypted before being sent over the Internet.

The figure below illustrates that VPN software can be used from any location through any existing ISP's dial-in service.

3. TYPES OF VPN
3.1. Virtual Leased Lines (VLL)
This is the simplest form of VPN. It provides a point-to-point link between two customer premises equipment (CPE) devices, which can be routers, bridges or hosts. An IP tunnel is set up between two ISP nodes connected by an IP network. Each node is configured to bind the stub link and the IP tunnel together at layer 2, and frames are relayed between the two links. The contents of the payload are opaque to the ISP node, and the IP network is invisible to the customer: to the customer it appears as if a single ATM Virtual Channel Connection (VCC) or Frame Relay circuit interconnected the CPE devices. If the two links used to connect the CPE devices to the ISP nodes are not of the same media type, the traffic is no longer opaque to the ISP. In that case the ISP nodes must perform the functions of an inter-working device between the two media types (e.g., ATM and Frame Relay) and any media-specific processing that the CPE devices expect.



Figure 3.1: Virtual Leased Lines (VLL)

3.2. Virtual Private Routed Network (VPRN)
A VPRN is the emulation of a multi-site wide-area routed network using IP facilities. In a VPRN, packet forwarding is carried out at the network layer. A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received at each VPRN node to the appropriate destination site. At each ISP router to which members of the VPRN are connected there is a VPRN-specific forwarding table. Traffic is forwarded between ISP routers, and between ISP routers and customer sites, using these forwarding tables. The forwarding tables contain network layer reachability information. Because a VPRN forwards at the network layer, a single VPRN directly supports only a single network layer protocol. For multiprotocol support, a separate VPRN for each network layer protocol could be used, or one protocol could be tunneled over another.

VPRN Requirements
1. VPN identifier: a globally unique VPN identifier is used.
2. VPRN membership determination: an edge router must learn which local stub links belong to each VPRN and the set of other routers that have members in that VPRN.
3. Stub link reachability information: an edge router must learn the set of addresses and address prefixes reachable via each stub link.
4. Intra-VPRN reachability information: an edge router must disseminate the address prefix information associated with each of its stub links to every other edge router in the VPRN.
5. Tunneling mechanism: an edge router must construct the necessary tunnels to other routers that have members in the VPRN, and must perform the encapsulation and decapsulation needed to send and receive packets over the tunnels.



Figure 3.2: Virtual Private Routed Network (VPRN)

3.3. Virtual Private Dial Network (VPDN)
A Virtual Private Dial Network (VPDN) allows an on-demand, ad hoc tunnel between a remote user and another site. The user is connected to a public IP network via a dial-up PSTN or ISDN link. User packets are tunneled across the public network to the destination site, which gives the user the impression of being directly connected to that site. The most important issue here is authentication of the user, since anybody can try to gain access to destination sites over the dial-up network. Two types of tunnel are possible in this case: the compulsory tunnel and the voluntary tunnel.

Compulsory Tunnel
In this scenario an L2TP Access Concentrator (LAC), acting as a dial or network access server, extends the user's PPP session across a backbone using L2TP to a remote L2TP Network Server (LNS). The tunneling of the PPP session from the LAC to the LNS is transparent to the user.

Figure 3.3: Compulsory Tunnel (VPDN)

Voluntary Tunnel
A voluntary tunnel refers to the case where an individual host connects to a remote site using a tunnel originating on the host itself, with no involvement from intermediate network nodes. The tunnel mechanism chosen can be IPSec or L2TP. There is considerable overhead with such a protocol stack, particularly when IPSec is also needed: extra headers in the data plane and extra control protocols in the control plane.

Figure 3.4: Voluntary Tunnel (VPDN)



3.4. Virtual Private LAN Segment (VPLS)
A Virtual Private LAN Segment (VPLS) is the emulation of a LAN segment using Internet facilities. A VPLS can be used to provide Transparent LAN Service (TLS). Topologically and operationally a VPLS is similar to a VPRN, except that each VPLS edge node implements link layer bridging rather than network layer forwarding.

Figure 3.5: Virtual Private Lan Segment (VPLS)



3.5.Branch office connection network (Intranet VPN)
The branch office scenario securely connects two trusted intranets within the organization. Routers or firewalls with VPN capabilities, acting as gateways for the office, can be used to protect the corporate traffic. They provide the necessary data authentication and encryption.

3.6.Business partner/supplier network (Extranet VPN)
In this scenario, multiple supplier intranets need to access a common corporate network over the Internet. Each supplier is allowed access to only a limited set of destinations within the corporate network. The VPN must be constructed to guarantee that no traffic from a supplier is visible to any other supplier or to any system other than its intended destination.

Figure 3.7: Extranet VPN



Design Considerations
• The clients have to support the IPSec protocols.
• Client addresses are dynamic, hence dynamic tunnel establishment is needed. Manual tunnels are possible only in the case of fixed remote client IP addresses.
• Dial-in traffic that cannot be authenticated will be rejected by the firewall.

3.7. Remote access network (Access VPN)
A remote user wants to be able to communicate securely and cost-effectively with his corporate intranet. This can be done with an IPSec-enabled VPN remote client and a firewall (or gateway). The client accesses the Internet via dial-up to an ISP, and then establishes an authenticated and encrypted tunnel between itself and the firewall at the intranet boundary.

Figure 3.8: Access VPN



Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network. Tunneling requires three different protocols:

Carrier protocol: The protocol used by the network that the information is traveling over
Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
Passenger protocol: The original data (IPX, NetBEUI, IP) being carried

Tunneling has powerful implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.

In a Site-to-Site VPN, GRE (Generic Routing Encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both Remote-Access and Site-to-Site VPNs, but it must be supported at both tunnel interfaces to be used.

In a Remote-Access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Each of the protocols listed below was built using the basic structure of PPP and is used by Remote-Access VPNs.

L2F (Layer 2 Forwarding): Developed by Cisco, L2F will use any authentication scheme supported by PPP.
PPTP (Point-to-Point Tunneling Protocol): PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.
L2TP (Layer 2 Tunneling Protocol): The most recent addition, L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP can also be fully secured with IPSec.

L2TP can be used as a tunneling protocol for Site-to-Site VPNs as well as Remote-Access VPNs. In fact, L2TP can create a tunnel between:
• Client and Router
• NAS and Router
• Router and Router
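To make the carrier/encapsulating/passenger layering concrete, the following Python script (an added example, not code from the original page) builds a private-address IPv4 packet, wraps it in a minimal GRE header (RFC 2784 base header, no optional checksum/key/sequence fields) and an outer public IPv4 header, then decapsulates it again and validates both headers. It constructs the packets in memory and never touches a network interface; the addresses and payload are constructed sample values.

```python
import socket
import struct

GRE_IP_PROTOCOL = 47       # outer IPv4 "protocol" field value for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type field announcing an IPv4 passenger
UDP_IP_PROTOCOL = 17
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header whose checksum field is zero
    it yields the value to insert; over a header carrying a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: version 4, IHL 5, no fragmentation, given protocol."""
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                              socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 packet; raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = IPV4_HEADER.unpack(packet[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad IPv4 header fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(outer_src: str, outer_dst: str, passenger: bytes) -> bytes:
    """Carrier (outer IPv4) + encapsulating (GRE base header) + passenger packet."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    return build_ipv4(outer_src, outer_dst, GRE_IP_PROTOCOL, gre_header + passenger)


def gre_decapsulate(packet: bytes) -> tuple:
    """Strip the outer IPv4 and GRE headers; returns (outer fields, inner packet fields)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_IP_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    body = outer["payload"]
    if len(body) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", body[:4])
    if flags & 0xB000:           # C (0x8000), K (0x2000) or S (0x1000): optional fields follow
        raise ValueError("GRE checksum/key/sequence fields are not handled by this example")
    if (flags & 0x0007) != 0:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return outer, parse_ipv4(body[4:])


def tunnel_packet_is_valid(packet: bytes) -> bool:
    """True only if both the outer and the inner packet parse and checksum cleanly."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed sample: a UDP datagram between two RFC 1918 addresses (the passenger)
    # carried between two public tunnel endpoints (the carrier).
    passenger = build_ipv4("10.0.1.5", "10.0.2.9", UDP_IP_PROTOCOL, b"hello from site A")
    on_the_wire = gre_encapsulate("203.0.113.10", "198.51.100.20", passenger)
    outer, inner = gre_decapsulate(on_the_wire)
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "inner_payload": inner["payload"],
            "overhead_bytes": len(on_the_wire) - len(passenger)}


if __name__ == "__main__":
    print(demo())
```

The overhead reported by demo() is the 20-byte outer IPv4 header plus the 4-byte GRE header, which is the data-plane cost of this particular encapsulation; note that nothing here is encrypted or authenticated, which is exactly why GRE is paired with IPSec in practice.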



Think of tunneling like having a computer delivered to you by UPS. The vendor packs the computer (passenger protocol) into a box (encapsulating protocol), which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your home (exit tunnel interface) and delivers the computer. You open the box (encapsulating protocol) and remove the computer (passenger protocol). Tunneling is just that simple! In the figure, the truck is the carrier protocol, the box is the encapsulating protocol and the computer is the passenger protocol.

As you can see, VPNs are a great way for a company to keep its employees and partners connected no matter where they are.

5.1. Motive of protocols
Four different protocols have been suggested for creating VPNs over the Internet: point-to-point tunneling protocol (PPTP), layer-2 forwarding (L2F), layer-2 tunneling protocol (L2TP), and IP security protocol (IPSec). One reason for the number of protocols is that, for some companies, a VPN is a substitute for remote-access servers, allowing mobile users and branch offices to dial into the protected corporate network via their local ISP. For others, a VPN may consist of traffic traveling in secure tunnels over the Internet between protected LANs. The protocols that have been developed for VPNs reflect this dichotomy. PPTP, L2F, and L2TP are largely aimed at dial-up VPNs, while IPSec's main focus has been LAN-to-LAN solutions.


5.2. History
One of the first protocols deployed for VPNs was PPTP. It has been a widely deployed solution for dial-in VPNs since Microsoft included support for it in RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for Windows 95. Microsoft's inclusion of a PPTP client in Windows 98 practically ensures its continued use for the next few years, although it is not likely that PPTP will become a formal standard endorsed by any of the standards bodies (like the Internet Engineering Task Force [IETF]).

The most commonly used protocol for remote access to the Internet is the point-to-point protocol (PPP). PPTP builds on the functionality of PPP to provide remote access that can be tunneled through the Internet to a destination site. As currently implemented, PPTP encapsulates PPP packets using a modified version of the generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as Internet packet exchange (IPX) and network basic input/output system extended user interface (NetBEUI). Because of its dependence on PPP, PPTP relies on the authentication mechanisms within PPP, namely the password authentication protocol (PAP) and CHAP. Because there is a strong tie between PPTP and Windows NT, an enhanced version of CHAP, MS-CHAP, is also used, which utilizes information within NT domains for security. Similarly, PPTP can use PPP to encrypt data, but Microsoft has also incorporated a stronger encryption method called Microsoft point-to-point encryption (MPPE) for use with PPTP.

Aside from the relative simplicity of client support for PPTP, one of the protocol's main advantages is that PPTP is designed to run at open systems interconnection (OSI) Layer 2, the link layer, as opposed to IPSec, which runs at Layer 3. By supporting data communications at Layer 2, PPTP can transmit protocols other than IP over its tunnels. PPTP does have some limitations: it does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users.

5.3. IPSec Design Goals and Overview
IPSec provides integrity protection, authentication, and (optional) privacy and replay protection services for IP traffic. IPSec packets are of two types:
• IP protocol 50, called the Encapsulating Security Payload (ESP) format, which provides privacy, authenticity, and integrity.
• IP protocol 51, called the Authentication Header (AH) format, which provides only integrity and authenticity for packets, not privacy.

IPSec can be used in two modes: transport mode, which secures an existing IP packet from source to destination, and tunnel mode, which puts an existing IP packet inside a new IP packet that is sent to a tunnel end point in the IPSec format. Both transport and tunnel mode can use either ESP or AH headers. IPSec transport mode was designed to provide security for IP traffic end-to-end between two communicating systems, for example to secure a TCP connection or a UDP datagram. IPSec tunnel mode was designed primarily for network midpoints, routers or gateways, to secure other IP traffic inside an IPSec tunnel that connects one private IP network to another private IP network over a public or untrusted IP network (for example, the Internet). In both cases, a security negotiation is performed between the two computers through the Internet Key Exchange (IKE), typically using certificates or pre-shared keys for mutual authentication.

The IETF RFC IPSec tunnel mode specifications did not include mechanisms suitable for remote access VPN clients; omitted features include user authentication options and client IP address configuration. To use IPSec tunnel mode for remote access, some vendors chose to extend the protocol in proprietary ways to solve these issues. While a few of these extensions are documented as Internet drafts, they lack standards status and are not generally interoperable. As a result, customers must seriously consider whether such implementations offer suitable multi-vendor interoperability.
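The replay-protection and packet-authenticity services described above are easy to get subtly wrong, so here is an added Python example (not code from the original page or from any IPSec implementation) of the authentication and anti-replay half of an ESP security association: ESP with NULL encryption (RFC 2410), i.e. SPI, sequence number, cleartext payload and a truncated HMAC-SHA-256 ICV, with the receiver keeping the 64-packet sliding window of RFC 4303 section 3.4.3. It is also the concrete form of steps 3 and 4 in the "Example use of VPN" walkthrough earlier, minus the encryption. The SPI and the authentication key are constructed here rather than negotiated by IKE.

```python
import hashlib
import hmac
import os
import struct

ESP_HEADER = struct.Struct("!II")   # Security Parameters Index, Sequence Number
ICV_LEN = 16                        # HMAC-SHA-256 truncated to 128 bits (RFC 4868 AUTH_HMAC_SHA2_256_128)


def compute_icv(auth_key: bytes, authenticated: bytes) -> bytes:
    return hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]


class EspSender:
    """Outbound SA. With NULL encryption the payload goes out in clear but authenticated."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key
        self.seq = 0        # RFC 4303: the first packet sent carries sequence number 1

    def send(self, payload: bytes) -> bytes:
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence number space exhausted: the SA must be rekeyed")
        self.seq += 1
        header = ESP_HEADER.pack(self.spi, self.seq)
        return header + payload + compute_icv(self.auth_key, header + payload)


class EspReceiver:
    """Inbound SA with an anti-replay window; the window moves only on authentic packets."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.highest = 0    # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0     # bit i set => sequence number (highest - i) already accepted

    def _replay_check(self, seq: int):
        if seq == 0:
            return "sequence number zero is never valid"
        if seq > self.highest:
            return None                          # newer than anything seen: fine
        behind = self.highest - seq
        if behind >= self.window:
            return "older than the replay window"
        if (self.bitmap >> behind) & 1:
            return "replayed packet"
        return None

    def _mark_received(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 1                  # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Returns (payload, None) when accepted, or (None, reason) when dropped."""
        if len(packet) < ESP_HEADER.size + ICV_LEN:
            return None, "truncated packet"
        spi, seq = ESP_HEADER.unpack_from(packet)
        if spi != self.spi:
            return None, "unknown SPI"
        reason = self._replay_check(seq)         # cheap check first, before the MAC
        if reason is not None:
            return None, reason
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, compute_icv(self.auth_key, body)):
            return None, "integrity check failed"
        self._mark_received(seq)                 # only authentic packets advance the window
        return body[ESP_HEADER.size:], None


def demo() -> list:
    """Drives one SA through reordering, replay, tampering and window expiry."""
    auth_key = os.urandom(32)                    # constructed; IKE would derive this
    tx, rx = EspSender(0x1000ABCD, auth_key), EspReceiver(0x1000ABCD, auth_key)
    p1, p2, p3, p4 = (tx.send(b"packet %d" % n) for n in (1, 2, 3, 4))
    outcomes = [rx.receive(p1)[1],               # accepted
                rx.receive(p3)[1],               # accepted ahead of p2 (reordering is tolerated)
                rx.receive(p2)[1],               # accepted late, still inside the window
                rx.receive(p2)[1]]               # dropped: replay
    forged = p4[:ESP_HEADER.size] + b"X" + p4[ESP_HEADER.size + 1:]
    outcomes.append(rx.receive(forged)[1])       # dropped: ICV mismatch, window untouched
    outcomes.append(rx.receive(p4)[1])           # the genuine p4 is therefore still accepted
    for n in range(5, 75):                       # advance the window well past p1
        rx.receive(tx.send(b"packet %d" % n))
    outcomes.append(rx.receive(p1)[1])           # dropped: fell out of the 64-packet window
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two details matter for security here: the window is updated only after the ICV verifies, so an attacker who can inject packets with high sequence numbers cannot push genuine traffic out of the window, and the comparison uses hmac.compare_digest so the ICV check does not leak timing information.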

5.4. L2TP Design Goals and Overview
L2TP is a mature IETF standards-track protocol that has been widely implemented. L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP, X.25, frame relay, or asynchronous transfer mode (ATM) networks. When configured to use IP as its transport, L2TP can be used as a VPN tunneling protocol over the Internet. L2TP over IP uses UDP port 1701 and includes a series of L2TP control messages for tunnel maintenance. L2TP also uses UDP to send L2TP-encapsulated PPP frames as the tunneled data. The encapsulated PPP frames can be encrypted or compressed. Because L2TP tunnels are carried as ordinary IP (UDP) packets, they can be protected with standard IPSec in transport mode for strong integrity, replay, authenticity, and privacy protection. L2TP was specifically designed for client connections to network access servers, as well as for gateway-to-gateway connections. Through its use of PPP, L2TP gains multi-protocol support for protocols such as IPX and AppleTalk. PPP also provides a wide range of user authentication options, including CHAP, MS-CHAP, MS-CHAPv2 and the Extensible Authentication Protocol (EAP), which supports token card and smart card authentication mechanisms. L2TP/IPSec therefore provides well-defined and interoperable tunneling with the strong and interoperable security of IPSec. It is a good solution for secure remote access and secure gateway-to-gateway connections.
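As an added example (not code from the original page or from any L2TP implementation), the Python below builds and parses the L2TP version 2 header described in RFC 2661 as it appears in a UDP/1701 payload: a control message carrying the Message Type AVP for SCCRQ (the Start-Control-Connection-Request that opens a tunnel), and a data message carrying a PPP frame. The PPP frame bytes and the host name are constructed sample values, and a real SCCRQ carries more AVPs than shown. The parser rejects the flag combinations the RFC forbids for control messages and refuses hidden AVPs, which need the tunnel secret to decode.

```python
import struct

L2TP_UDP_PORT = 1701
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION = 2
# AVP attribute types used below (RFC 2661 section 4.4)
AVP_MESSAGE_TYPE, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 7, 9
MSG_SCCRQ = 1


def build_avp(attr_type: int, value: bytes, mandatory: bool = True, vendor_id: int = 0) -> bytes:
    """AVP: M bit, H bit (clear here), 10-bit length, Vendor ID, Attribute Type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP too long")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor_id, attr_type) + value


def build_control_message(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    """Control message: T, L and S set, O and P clear, version 2 (RFC 2661 section 3.1)."""
    flags = FLAG_T | FLAG_L | FLAG_S | VERSION
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps


def build_data_message(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Data message with the minimal header: no Length, Ns/Nr or Offset fields."""
    return struct.pack("!HHH", VERSION, tunnel_id, session_id) + ppp_frame


def parse_avps(body: bytes) -> list:
    avps, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 6:
            raise ValueError("truncated AVP")
        first, vendor_id, attr_type = struct.unpack_from("!HHH", body, pos)
        length = first & 0x03FF
        if length < 6 or pos + length > len(body):
            raise ValueError("bad AVP length")
        if first & 0x4000:
            raise ValueError("hidden AVP: cannot be decoded without the tunnel secret")
        avps.append({"mandatory": bool(first & 0x8000), "vendor_id": vendor_id,
                     "type": attr_type, "value": body[pos + 6:pos + length]})
        pos += length
    return avps


def parse_l2tp(datagram: bytes) -> dict:
    """Parse one UDP/1701 payload; raises ValueError for anything the RFC does not allow."""
    if len(datagram) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack_from("!H", datagram, 0)
    if (flags & 0x000F) != VERSION:
        raise ValueError("not L2TP version 2")
    is_control = bool(flags & FLAG_T)
    if is_control and (not flags & FLAG_L or not flags & FLAG_S or flags & (FLAG_O | FLAG_P)):
        raise ValueError("control message with illegal flag combination")
    pos, end = 2, len(datagram)
    if flags & FLAG_L:
        (end,) = struct.unpack_from("!H", datagram, pos)
        pos += 2
        if end > len(datagram):
            raise ValueError("Length field exceeds datagram")
    if end - pos < 4:
        raise ValueError("truncated L2TP header")
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, pos)
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        if end - pos < 4:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack_from("!HH", datagram, pos)
        pos += 4
    if flags & FLAG_O:
        if end - pos < 2:
            raise ValueError("truncated Offset Size")
        (offset,) = struct.unpack_from("!H", datagram, pos)
        pos += 2 + offset
    if pos > end:
        raise ValueError("header runs past the end of the message")
    message = {"control": is_control, "tunnel_id": tunnel_id, "session_id": session_id,
               "ns": ns, "nr": nr}
    if is_control:
        message["avps"] = parse_avps(datagram[pos:end])
    else:
        message["ppp_frame"] = datagram[pos:end]
    return message


def build_sccrq(host_name: bytes, assigned_tunnel_id: int) -> bytes:
    """Tunnel ID 0 and Ns/Nr 0: the peer has not assigned us a tunnel yet."""
    avps = (build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)) +
            build_avp(AVP_HOST_NAME, host_name) +
            build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)))
    return build_control_message(0, 0, 0, 0, avps)


def is_well_formed(datagram: bytes) -> bool:
    try:
        parse_l2tp(datagram)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    print(parse_l2tp(build_sccrq(b"lac.example", 1)))
    print(parse_l2tp(build_data_message(1, 7, b"\xff\x03\x00\x21" + b"\x45" * 20)))
```

Everything this parser sees is in the clear: tunnel and session IDs, sequence numbers and the AVPs of the control connection. That is the practical reason the page recommends running L2TP over IPSec transport mode rather than bare UDP.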


5.5. PPTP Design Goals and Ove rvie w
PPTP was designed to provide authenticated and encrypted communications between a client and a gateway or between two gateways, without requiring a public key infrastructure, by using a user ID and password. It was first delivered in 1996, two years before the availability of IPSec and L2TP. The design goals were simplicity, multiprotocol support, and the ability to traverse a broad range of IP networks. The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for tunnel maintenance and Generic Routing Encapsulation (GRE) encapsulated PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or compressed. The use of PPP provides the ability to negotiate authentication, encryption, and IP address assignment services. Table 1 summarizes some of the key technical differences between these three security protocols.

Table 1: Network Security Protocol Differences

Feature: Description

User Authentication: Can authenticate the user that is initiating the communications.

Machine Authentication: Authenticates the machines involved in the communications.

NAT Capable: Can pass through Network Address Translators to hide one or both endpoints of the communications.

Multiprotocol Support: Defines a standard method for carrying IP and non-IP traffic.

Dynamic Tunnel IP Address Assignment: Defines a standard way to negotiate an IP address for the tunneled part of the communications. Important so that returned packets are routed back through the same session rather than through a non-tunneled and unsecured path, and to eliminate static, manual end-system configuration.

Encryption: Can encrypt the traffic it carries.

Uses PKI: Can use PKI to implement encryption and/or authentication.

Packet Authenticity: Provides an authenticity method to ensure packet content is not changed in transit.

Multicast Support: Can carry IP multicast traffic in addition to IP unicast traffic.
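The three protocols leave different footprints on the public network: PPTP shows up as a TCP control connection plus GRE, plain L2TP as UDP 1701, and IPSec as IKE followed by ESP or AH. The script below, an added example that is not part of the report or of any vendor's code, labels flow records by those identifiers and reports tunnels that are not protected by IPSec. UDP 1701 comes from the text; TCP 1723 for PPTP control, UDP 500 for IKE and the IP protocol numbers are taken from the protocol standards, and the sample flows and addresses are constructed.

```python
"""Label flow records by VPN tunneling protocol and flag tunnels whose data
path is not protected by IPSec. Added example; the sample flows are constructed."""
from collections import defaultdict

# IP protocol numbers and well-known ports. UDP 1701 (L2TP) comes from the text;
# TCP 1723 (PPTP control), UDP 500 (IKE), GRE=47, ESP=50 and AH=51 are taken
# from the protocol standards, not from the report.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT, L2TP_PORT, IKE_PORT = 1723, 1701, 500


def classify_flow(proto, src_port=None, dst_port=None):
    """Return a label for one flow, or None if it is not VPN-related."""
    if proto == GRE:
        return "pptp-data"        # GRE carries the PPP frames tunneled by PPTP
    if proto == ESP:
        return "esp"              # IPSec ESP: encrypted (and authenticated) payload
    if proto == AH:
        return "ah"               # IPSec AH: integrity/authenticity only
    ports = {src_port, dst_port}
    if proto == TCP and PPTP_CONTROL_PORT in ports:
        return "pptp-control"     # PPTP tunnel maintenance over TCP
    if proto == UDP and L2TP_PORT in ports:
        return "l2tp"             # L2TP control and data, both on UDP 1701
    if proto == UDP and IKE_PORT in ports:
        return "ike"              # IKE (RFC 2409) negotiating IPSec SAs
    return None


def audit_tunnels(flows):
    """Group labelled flows per peer pair, as seen on the public side of a
    gateway, and attach findings. Returns {frozenset({ip_a, ip_b}): {...}}."""
    peers = defaultdict(set)
    for src, dst, proto, sport, dport in flows:
        label = classify_flow(proto, sport, dport)
        if label:
            peers[frozenset((src, dst))].add(label)
    report = {}
    for pair, labels in peers.items():
        findings = []
        # When L2TP rides inside IPSec the capture point sees only ESP; a visible
        # UDP 1701 flow means the PPP frames cross the public network without
        # IPSec and rely on PPP-level encryption alone.
        if "l2tp" in labels:
            findings.append("L2TP visible on the wire: not protected by IPSec")
        # PPTP never uses IPSec; its security rests on PPP authentication and
        # payload encryption negotiated over the GRE data path.
        if labels & {"pptp-control", "pptp-data"}:
            findings.append("PPTP in use: PPP-based security only, no IPSec")
        # AH without ESP gives integrity but no privacy for the carried traffic.
        if "ah" in labels and "esp" not in labels:
            findings.append("AH only: traffic is authenticated but not encrypted")
        report[pair] = {"protocols": labels, "findings": findings}
    return report


# Constructed sample flows: (src_ip, dst_ip, ip_proto, src_port, dst_port).
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.1", UDP, 40000, 500),   # IKE, then...
    ("203.0.113.10", "198.51.100.1", ESP, None, None),   # ...ESP: L2TP/IPSec or IPSec tunnel
    ("203.0.113.20", "198.51.100.1", UDP, 1701, 1701),   # plain L2TP
    ("203.0.113.30", "198.51.100.1", TCP, 50123, 1723),  # PPTP control
    ("203.0.113.30", "198.51.100.1", GRE, None, None),   # PPTP data
    ("203.0.113.40", "198.51.100.1", TCP, 50124, 443),   # ordinary HTTPS, ignored
]

if __name__ == "__main__":
    for pair, info in audit_tunnels(SAMPLE_FLOWS).items():
        print(sorted(pair), sorted(info["protocols"]), info["findings"])
```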


5.6. Microsoft Support for IPSec, L2TP, and PPTP
IPSec

The Microsoft Windows 2000 operating system simplifies deployment and management of network security with Windows IP Security, a robust implementation of IPSec. The IPSec protocol is an integral part of the TCP/IP protocol stack. Microsoft and Cisco Systems, Inc., have jointly developed IPSec and related services in Windows 2000. Interoperability is tested with Cisco and a number of other vendors for each of the examples below. Using IPSec, you can provide privacy, integrity and authenticity for network traffic in the following situations.
• End-to-end security for IP unicast traffic, from client-to-server, server-to-server and client-to-client, using IPSec transport mode.
• Remote access VPN client and gateway functions using L2TP secured by IPSec transport mode.
• Site-to-site VPN connections, across outsourced private WAN or Internet-based connections, using L2TP/IPSec or IPSec tunnel mode.

Windows IP Security builds upon the IETF IPSec architecture by integrating with Windows 2000 domains and the Active Directory service. Active Directory delivers policy-based, directory-enabled networking. IPSec policy is assigned and distributed to Windows 2000 domain members through Windows 2000 Group Policy. Local policy configuration is provided, so membership in a domain is not required. An automatic security negotiation and key management service is also provided using the IETF-defined Internet Key Exchange (IKE) protocol, RFC 2409. The implementation of IKE provides three authentication methods to establish trust between computers:
• Kerberos v5.0 authentication is provided by the Windows 2000 domain, which serves as a Kerberos version 5.0 Key Distribution Center (KDC). This provides easy deployment of secure communications between Windows 2000 computers that are members of a domain or across trusted domains. IKE uses only the authentication properties of Kerberos, as documented in draft-ietf-ipsec-isakmp-gss-auth02.txt. Key generation for IPSec security associations is done using IKE (RFC 2409) methods.
• Public/private key signatures using certificates are compatible with several certificate systems, including Microsoft, Entrust, Verisign, and Netscape. This is part of RFC 2409.
• Passwords, termed pre-shared authentication keys, are used strictly for establishing trust between computers. This is part of RFC 2409.

Once configured with an IPSec policy, peer computers negotiate using IKE to establish a main security association for all traffic between the two computers. This involves authenticating using one of the methods above and generating a shared master key. The systems then use IKE to negotiate another security association for the application traffic they are trying to protect at the moment. This involves generating shared session keys. Only the two computers know both sets of keys. The data exchanged using the security association is very well protected against modification or interpretation by attackers who may be in the network. The keys are automatically refreshed according to IPSec policy settings to provide constant protection according to the administrator-defined policy.
For customers familiar with the technical details of IPSec, Windows 2000 supports the DES (56-bit key strength) and 3DES (168-bit key strength) encryption algorithms, and the SHA-1 and MD5 integrity algorithms. These algorithms are supported in all combinations in the ESP format. Because the AH format provides only integrity and authenticity, only MD5 and SHA-1 are used with it.

L2TP

Windows 2000 includes L2TP support when used with IPSec for client-to-gateway and gateway-to-gateway configurations. In these configurations, all traffic from the client to a gateway, and all traffic between two gateways, is encrypted. This implementation has been tested with a variety of other vendor implementations of L2TP/IPSec.

PPTP

Windows 2000 includes PPTP support for client-to-gateway and gateway-to-gateway configurations. This implementation is consistent with the PPTP services available for the Microsoft Windows NT® Server, Windows NT Workstation, Windows 98, and Windows 95 operating systems. Customers can take advantage of their existing investment in Windows operating system–based platforms by using PPTP. Windows 2000-based systems can interoperate with Windows NT–based PPTP servers, and today's Windows–based systems interoperate with Windows 2000–based PPTP servers. In addition to password-based authentication, Windows 2000 PPTP can support public key authentication through the Extensible Authentication Protocol (EAP).


Remote Access Policy Management

Another dimension of security policy management that goes beyond encryption policy is access policy. In client-to-gateway and gateway-to-gateway situations, Windows 2000 provides a rich set of administrative policies that can be implemented to control user access through direct-dial, PPTP, and L2TP/IPSec connections. These access policies allow administrators to grant or deny access based upon a combination of user ID, time-of-day, protocol port, encryption level, and more. While available natively within a Windows 2000 Active Directory environment, these access policies can also be enforced on non-Windows 2000 environments through the use of RADIUS. For example, an existing Windows NT–based PPTP server can be configured to use a Windows 2000 Server to authenticate users through RADIUS. When used in this way, the Windows 2000 Server can be configured to enforce access policies and apply them to the Windows NT–based PPTP server. This is an example of how Windows 2000 can simplify and strengthen central administration during a transition to Windows 2000, and demonstrates one of the many benefits of using Windows 2000 for authentication in heterogeneous environments.
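The access-policy criteria described above (user or group, tunnel type, time-of-day and encryption level) can be modelled as an ordered rule list with an implicit deny. The following script is an added example, not part of the report and not Windows 2000 or RADIUS code; its policy names, group names, encryption level names and sample connection attempts are all constructed for illustration.

```python
"""Evaluate remote access connection attempts against an ordered list of
access policies (group, tunnel type, time-of-day window, minimum encryption
level) with an implicit deny. Added example; all names are illustrative."""
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Encryption levels ordered weakest to strongest; an attempt must reach the
# policy's minimum to match. The level names are placeholders.
ENCRYPTION_RANK = {"none": 0, "basic": 1, "strong": 2}


@dataclass
class AccessPolicy:
    name: str
    groups: frozenset                    # user must belong to at least one
    protocols: frozenset                 # "direct-dial", "PPTP", "L2TP/IPSec"
    window: Optional[Tuple[time, time]]  # (start, end) or None for any time
    min_encryption: str
    action: str = "grant"                # "grant" or "deny"


@dataclass
class ConnectionAttempt:
    user: str
    groups: frozenset
    protocol: str
    at: time
    encryption: str


def in_window(window, at):
    """True if `at` falls inside the window; windows may wrap past midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= at < end
    return at >= start or at < end


def evaluate(policies, attempt):
    """Return (decision, policy_name). Policies are checked in order and the
    first match decides; an attempt matching no policy is denied."""
    for p in policies:
        if not (attempt.groups & p.groups):
            continue
        if attempt.protocol not in p.protocols:
            continue
        if not in_window(p.window, attempt.at):
            continue
        if ENCRYPTION_RANK.get(attempt.encryption, -1) < ENCRYPTION_RANK[p.min_encryption]:
            continue
        return p.action, p.name
    return "deny", "implicit-deny"


# Constructed policy set: the specific deny rule precedes the broad grant.
POLICIES = [
    AccessPolicy("finance-no-pptp", frozenset({"Finance"}), frozenset({"PPTP"}),
                 None, "none", action="deny"),
    AccessPolicy("contractors-daytime", frozenset({"Contractors"}),
                 frozenset({"L2TP/IPSec"}), (time(8, 0), time(18, 0)), "strong"),
    AccessPolicy("night-ops", frozenset({"NightOps"}), frozenset({"L2TP/IPSec"}),
                 (time(22, 0), time(6, 0)), "strong"),
    AccessPolicy("staff-anytime", frozenset({"Staff"}),
                 frozenset({"direct-dial", "PPTP", "L2TP/IPSec"}), None, "basic"),
]

# Constructed connection attempts used to exercise each rule.
SAMPLE_ATTEMPTS = {
    "alice-day": ConnectionAttempt("alice", frozenset({"Contractors"}), "L2TP/IPSec", time(10, 30), "strong"),
    "alice-night": ConnectionAttempt("alice", frozenset({"Contractors"}), "L2TP/IPSec", time(21, 0), "strong"),
    "bob-pptp": ConnectionAttempt("bob", frozenset({"Staff", "Finance"}), "PPTP", time(12, 0), "strong"),
    "bob-l2tp": ConnectionAttempt("bob", frozenset({"Staff", "Finance"}), "L2TP/IPSec", time(12, 0), "strong"),
    "carol-weak": ConnectionAttempt("carol", frozenset({"Staff"}), "PPTP", time(3, 0), "none"),
    "dave-1am": ConnectionAttempt("dave", frozenset({"NightOps"}), "L2TP/IPSec", time(1, 0), "strong"),
}

if __name__ == "__main__":
    for label, attempt in SAMPLE_ATTEMPTS.items():
        print(label, evaluate(POLICIES, attempt))
```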

5.8. Client Management
As previously mentioned for IPSec, Active Directory is used to define and control IPSec policy. Installation of the PPTP, L2TP, and IPSec protocols is inherent in the installation of Windows 2000. Client configuration of these protocols for client-to-gateway scenarios can be accomplished in two ways:
• On end systems, a New Connections wizard prompts the user through a simple set of screens to configure the connection.
• In larger scale installations, the Connection Manager Administration Kit and Connection Point Services can be used together to deliver a customized remote access direct-dial and VPN client to corporate systems.

With these tools the administrator can provide the client with a specially configured profile that:
• Brands the dialer consistent with corporate remote access programs.
• Integrates customized help files and corporate remote access use licenses.
• Integrates applications and other tools for automatic launch at various stages of the connection process.
• Administers a central phonebook of remote access numbers.
• Contracts with Internet Service Providers (ISPs) for management of point-of-presence (POP) phone numbers.
• Configures clients to automatically update, and collates phonebooks from the ISP and the corporate phonebook servers.

The resulting profile can be distributed centrally to clients through Microsoft System Management Services, Web downloads, file transfers, e-mail, floppy disks, or CDs. This lets administrators centrally manage clients while users get a single interface that:
• Connects, regardless of type of protocol or connection (direct dial or VPN protocol).
• Hides the complexity of the connection process (single click access).
• Provides single sign-on using company user IDs (no separate ISP account required).

Based on customer feedback, Microsoft considers this to be one of the most important components for deploying VPN services.

The key word in "virtual private networks" is private. The last thing a business wants is to have sensitive corporate information end up in the hands of some pubescent hacker, or worse, the competition. Fortunately, VPNs are widely considered extremely secure, despite using public networks. In order to authenticate the VPN's users, a firewall will be necessary. While in the past firewalls have been a major source of headaches for network administrators, the new generation of firewalls is far simpler to set up and maintain. Nowadays, there is a wide variety of hassle-free, prepackaged appliances to keep unwanted packets out of the network. Many "black box" security systems also include some sort of encryption system, although some VPNs do not.

Firewall products for VPNs, such as NetScreen, WatchGuard, or NetFortress, are often relatively simple, plug-and-play solutions for network security. The system can be connected to as many LANs as needed, keys are exchanged between the two units, and the VPN is complete. However, these solutions can come at a substantial cost, and the right choice will depend on the unique networking and security needs of the company or companies using the network. Generally, if you already own the appropriate equipment and Internet connection, an out-of-the-box solution is not necessary.

All VPNs require configuration of an access device, either software- or hardware-based, to set up a secure channel. A random user cannot simply log in to a VPN, as some information is needed to allow a remote user access to the network, or even to begin a VPN handshake. When used in conjunction with strong authentication, VPNs can prevent intruders from successfully authenticating to the network, even if they were somehow able to capture a VPN session. Most VPNs use IPSec technologies, the evolving framework of protocols that has become the standard for most vendors. IPSec is useful because it is compatible with most VPN hardware and software, and it is the most popular choice for networks with remote access clients. IPSec requires very little knowledge on the part of clients, because the authentication is not user-based, which means a token (such as SecurID or CRYPTOCard) is not used. Instead, the security comes from the workstation's IP address or its certificate, establishing the user's identity and ensuring the integrity of the network. An IPSec tunnel basically acts as the network layer protecting all the data packets that pass through, regardless of the application. Depending on the solution used, it is possible to control the type of traffic sent over a VPN solution. Many devices allow the administrator to define group-based filters, which control the IP addresses and protocol/port services allowed through the tunnel. IPSec-based VPNs also allow the administrator to define a list of specific networks and applications to which traffic can be passed. One downside of IPSec-compliant products is that they provide access control over the network and transport layers only, and not a great deal of measures to selectively regulate access to individual resources within the hosts. If customers are given access to particular company information on a server, for instance, highly selective controls are needed to make sure they access only the information they have been authorized to see. This type of selective or unidirectional access within a VPN is available in some non-IPSec solutions, such as Aventail's SOCKS 5 server. In a unidirectional connection, a two-way trusted relationship is not assumed, as it is with tunneled VPNs. With this model, if there is some kind of breach in security, only the destination network is affected. SOCKS 5 is also able to handle virtually any authentication and encryption standard. Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F) are also available, and although only a handful of firewall vendors support these security protocols, they are part of the reason why there is no current universally accepted standard. Although VPN vendors must decide which standard they use, it is the administrators who will eventually decide the outcome of this emerging technology. Because of factors like this, it is all the more important to make a wise, informed decision before purchasing a VPN.



Depending on the type of VPN (Remote-Access or Site-to-Site), you will need to put in place certain components to build your VPN. These might include:
Desktop software client for each remote user
Dedicated hardware such as a VPN Concentrator or Secure PIX Firewall
Dedicated VPN server for dial-up services
NAS (Network Access Server) used by service provider for remote user VPN access

VPN Concentrator: Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a Remote-Access VPN. They provide high availability, high performance and scalability, and include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput. The Concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users up to large enterprise organizations with as many as 10,000 simultaneous remote users.



[Figure: The Cisco VPN 3000 Concentrator. Photo courtesy of Cisco.]



VPN-optimized router: Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internetwork Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

[Figure: The Cisco 1750 Modular Access Router. Photo courtesy of Cisco.]



Cisco Secure PIX Firewall: An amazing piece of technology, the PIX (Private Internet eXchange) Firewall combines dynamic network address translation, proxy server, packet filtering, firewall and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.



[Figure: The Cisco PIX Firewall. Photo courtesy of Cisco.]




VPN/VOIP Application

Once you've set up your VPN network, you can easily save money on interoffice long distance calling by bridging your voice network to your data network with Multi-Tech's MultiVOIP Voice over IP gateway. MultiVOIP is a point-to-point solution (one box is required at each location) that merges voice/fax from traditional telephones onto an IP data network. It then utilizes another MultiVOIP gateway at the remote end to separate the voice/fax from the data network and send it back to the receiving phone. With MultiVOIP a company can save thousands of dollars on recurring long distance charges.



There are a number of reasons to set up a VPN for remote access, but the biggest selling point by far is the potential cost savings. Using the Internet to distribute network services over long distances means companies no longer have to purchase expensive leased lines to branch or partners' offices, as a VPN connection needs only a relatively short dedicated connection. In an organization experiencing rapid growth, this can make an enormous difference in costs. As an organization adds companies to its network, the number of leased lines required climbs with it exponentially. In a traditional WAN, this can limit the flexibility for growth, whereas VPNs avoid this problem by tapping into an almost universally available network. VPNs can further reduce costs by lessening the need for long-distance telephone charges, as clients can gain access by dialing into the nearest service provider's access point. While in some cases this may entail making a long-distance call or using an 800 service, a local call is usually sufficient. This can dramatically cut telecommunications costs for enterprises with many international sites, sometimes in the range of thousands of dollars per person, each month. A third, more subtle way that VPNs may result in lower expenditures is through reducing the company's support burden. With a VPN, the service provider must support dial-up access, instead of the organization using it. Theoretically, a public service provider can charge much less for support, because its cost is shared among a wider customer base. Finally, VPNs save a company operational costs for equipment previously used to support remote users. A company using a VPN can get rid of its modem pools, remote-access servers, and other WAN equipment and simply use its existing Internet installation. Many companies employ several links with different functions prior to setting up a VPN.

Companies enjoy the flexibility that comes with VPNs, since they typically do not require long-term contracts, as is the case with most data services. This allows companies to easily switch over to a lower-priced service if they so desire. Companies can usually get a high-speed Internet connection established and configured in a much shorter time than it takes to get a similar data service. In some foreign countries, it can take as long as a year to get a leased line installed. For some industries, such as construction or insurance, this can make a crucial difference in a company's operations and financial health. VPN technologies are also considered remarkably secure. Since the introduction of IPSec, VPN data protection has become more standardized among service providers. Data that is sent over VPNs is confidential, requiring authorization to be received or replayed. Users can authenticate packets to establish the validity of the information, and the integrity of the data is usually guaranteed.

Companies may also choose to build an extranet application on a VPN, in order to use its access controls and authentication services to deny or grant access to specific information for customers, trading partners or business associates. This can help build customer loyalty, as clients who are given higher levels of access would be less likely to switch to another business partner. The same technology can also be used internally to assign worker populations to segmented groups with different access levels. This solution is simpler and more economical than traditional methods used by IT managers. A VPN-based extranet may replace a more expensive system, such as electronic data interchange (EDI), which typically necessitates custom software and the use of a value-added network (VAN) provider. Some VANs charge upwards of $6 to $12 (US) per hour of connectivity, much more than ordinary service providers.

With the hype that has surrounded VPNs historically, the potential pitfalls or "weak spots" in the VPN model can be easy to forget. These four concerns with VPN solutions are often raised.
1. VPNs require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment.
2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depend on factors largely outside of its control.
3. VPN technologies from different vendors may not work well together due to immature standards.
4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.





are an effective way to create secure communication channels across the Internet or between sensitive systems within a company's internal network. With the inclusion of VPN support in Microsoft 2000, Cisco routers, Checkpoint 2000, and a host of other systems, the deployment of VPNs is going to become more commonplace. Without proper security design, these VPNs could add many more unwanted entrances to corporate networks. Use VPNs where appropriate, but ensure that security issues, including machine configuration, policy and user security awareness, have been considered.
