
VIRTUAL PRIVATE NETWORK

Priji C Samuel
MCA B5
Roll no: 32

Virtual Private Network
• A computer network is an interconnected collection of autonomous computers.
• Two computers are said to be interconnected if they can exchange information.
• The Internet is quickly becoming the primary vehicle of communication.
• Transfer of important and sensitive data over the Internet has become routine.
• But using the Internet to transfer data is not, by itself, safe.
• A solution for this is the VIRTUAL PRIVATE NETWORK.
VIRTUAL PRIVATE NETWORK
• A virtual private network is a private communication network, usually used within a company or between different companies or organizations, to communicate over a shared network.
• In a VPN, message traffic is carried over a public network (i.e. the Internet) using standard protocols, or over a service provider’s network.
• The main purpose of a VPN is to give organizations or companies the same capabilities as private leased lines at a much lower cost.
• A virtual private network makes it possible to share public resources for data transfer in a protected way.
• VPNs became more popular because they cost less to implement.
• In order to transfer data safely, a VPN uses special tunneling protocols and complex encryption procedures.
Requirements of VPN
• A well-designed VPN should incorporate:
    Security
    Reliability
    Network management
    Policy management
• There is one very important requirement that is common to all VPNs: the VPN administrator must know the extent of the VPN.
• Regardless of the type of VPN in use, a VPN is meant to have capabilities that the "regular" network does not.
• Thus, the VPN administrator must be able to know at all times what data will and will not be in the VPN.
WORKING OF VPN
• Companies using an Internet VPN establish links to the local access points of their ISP.
• From there, they let the ISP ensure that the data is transmitted to the appropriate destinations via the Internet, leaving the rest of the connectivity details to the ISP’s network and the Internet infrastructure.
How VPN works
• A VPN works by using shared public infrastructure while maintaining privacy through security procedures and tunneling protocols.
• In effect, by encrypting data at the sending end and decrypting it at the receiving end, the protocols send the data through a 'tunnel' that cannot be 'entered' by data that is not properly encrypted.
• An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.
TUNNELING
• Most VPNs rely on tunneling to create a private network that reaches across the Internet. The thing that makes a Virtual Private Network “virtually private” is a tunnel.
• Even though you access your network via the Internet, you’re not really “on” the Internet; you are actually “on” your company network.
• Although the term “tunnel” feels like it’s describing a fixed path through the Internet, this is not the case. As with any Internet traffic, VPN tunnel packets may take different paths between the two endpoints.
• What makes a VPN transmission a tunnel is the fact that only the recipients at the other end of your transmission can see inside your protective encryption shell, a sort of “tunnel vision” idea.
• Tunneling technology encrypts and encapsulates our own network protocols within the Internet Protocol (IP).
• In this way, we can route and bridge, enable filters, and deploy cost-control features the same way as on any of your other traditional WAN links.
• Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network.
• The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.
• Tunneling has important implications for VPNs.
• For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet.
• Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique address to extend a private network over the Internet.
• Tunneling requires three different protocols:
    Carrier protocol - the protocol used by the network that the information is traveling over
    Encapsulating protocol - the protocol that is wrapped around the original data
    Passenger protocol - the original data being carried
VPN TECHNOLOGIES
• The Internet is a shared public network of networks with open transmission protocols.
• Therefore, VPNs must include measures for packet encapsulation (tunneling), encryption, and authentication to ensure that sensitive data reaches its destination without tampering by unauthorized parties.
• Two technologies are emerging for this:
    1) L2TP (Layer 2 Tunneling Protocol)
    2) IPSec (IP Security Protocol)
L2TP:
• L2TP, as its name implies, tunnels a link-layer protocol over IP. This allows multiple protocols to be carried over an IP network.
• L2TP is targeted at remote clients, but some servers, routers and gateways will support it for network-to-network links.
• L2TP is not common in firewall products, as its security is not recognized as fully secure on its own.
• L2TP combines a number of existing technologies to create manageable on-demand networks. For the most part, L2TP does not claim to offer security.
IPSec:
• IPSec provides network-level security for IP.
• The distinction between L2TP and IPSec is an important one. L2TP supports on-demand connections that can be secured. IPSec provides security that supports on-demand connections.
VPN SECURITY
• A well-designed VPN uses several methods for keeping the connection and data secure:
    1. Firewalls
    2. Encryption
    3. IPSec
    4. AAA servers
1. Firewalls:
A firewall provides a strong barrier between the private network and the Internet. We can set firewalls to restrict the number of open ports, what types of packets are passed through and which protocols are allowed through.
2. Encryption:
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong to one of two categories:
    Symmetric-key encryption
    Public-key encryption
• In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer.
• Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one.
• Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information.
• The code provides the key to decoding the message.
• The sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer.
• The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.
• Public-key encryption uses a combination of a private key and a public key.
• The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it.
• To decode an encrypted message, a computer must use the public key provided by the originating computer and its own private key.
• A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything.
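The send/receive sequence in the bullets above, as an added example in Go (not code from the original presentation): a fresh symmetric key protects the document and the receiver's public key protects that symmetric key. Assumed choices not on the page: RSA-OAEP for wrapping the key and AES-256-GCM for the document, so any tampering with the ciphertext is also detected when the receiver opens it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what crosses the network: the sealed document plus its sealed key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // document encrypted with AES-GCM, auth tag appended
}
// NewReceiverKey generates the receiving computer's 2048-bit RSA key pair.
func NewReceiverKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// aead builds AES-256-GCM for a 32-byte key; neither call fails for that size.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal is the sending computer's side: encrypt the document with a random
// symmetric key, then encrypt that key with the receiver's public key.
func Seal(receiverPub *rsa.PublicKey, document []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	// gcm.Seal both encrypts the document and appends an authentication tag
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead(key).Seal(nil, nonce, document, nil)}, nil
}

// Open is the receiving computer's side: unwrap the symmetric key with the
// private key, then decrypt the document; GCM rejects any altered ciphertext.
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 { // wrong private key, or a malformed envelope
		return nil, rsa.ErrDecryption
	}
	return aead(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```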
3. Internet Protocol Security (IPSec):
IPSec provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
• IPSec has two encryption modes: tunnel and transport.
• Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up.
• IPSec can encrypt data between various devices, such as:
    Router to router
    Firewall to router
    PC to router
    PC to server
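Added example in Go, not from the original presentation, tying together the tunneling bullets (carrier, encapsulating and passenger protocols) and the two IPSec modes just described: the passenger packet between two private 10.x.x.x hosts is carried by IP (the carrier), with ESP (IP protocol 50) as the encapsulating protocol. Assumptions: the ESP header/trailer and IKE key negotiation are left out, AES-256-GCM stands in for the negotiated cipher, and all host and gateway addresses are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"net"
)

const protoESP = 50 // IP protocol number of ESP, the encapsulating protocol here
// ipv4Header builds a 20-byte IPv4 header (no options) with an RFC 1071 checksum.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version 4, IHL 5 words, TTL 64
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	sum = sum&0xffff + sum>>16 // fold the carries into 16 bits (twice)
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum&0xffff+sum>>16))
	return h
}

// protect is ESP's encryption step (AES-256-GCM). The key is a constructed
// constant for the example; a real SA negotiates it via IKE. Nonce is prepended.
func protect(data []byte) []byte {
	block, _ := aes.NewCipher([]byte("constructed-example-key-32-bytes"))
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh per packet: GCM must never reuse a nonce under one key
	return append(nonce, gcm.Seal(nil, nonce, data, nil)...)
}

// TransportMode keeps the original IP header and protects only the payload,
// so the communicating hosts' own addresses stay readable on the Internet.
func TransportMode(pkt []byte) []byte {
	body := protect(pkt[20:])
	return append(ipv4Header(pkt[12:16], pkt[16:20], protoESP, len(body)), body...)
}

// TunnelMode protects the whole original packet, header included, and wraps it
// in a new outer header addressed between the two gateways (tunnel interfaces).
func TunnelMode(pkt []byte, gwSrc, gwDst net.IP) []byte {
	body := protect(pkt)
	return append(ipv4Header(gwSrc, gwDst, protoESP, len(body)), body...)
}
```

An observer on the Internet reads only the outer 20-byte header: in transport mode that still reveals which two hosts are talking, in tunnel mode only the two gateways.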
4. AAA Servers:
• AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment.
• When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:
    Who you are (authentication)
    What you are allowed to do (authorization)
    What you actually do (accounting)
• The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
Advantages of VPN
A well-designed VPN can greatly benefit a company. For example, it can:
• Extend geographic connectivity
• Improve security
• Reduce operational costs versus traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility
• Provide faster ROI (return on investment) than traditional WAN
VPN Applications

1) Remote Access
Business professionals who travel frequently or who often
work at home after hours find this solution to be of great benefit
to their ability to get things done. No matter where they are,
secure access to their entire business is only a local telephone call
away. This is also a useful solution for cases where key personnel
need to be away from the office for an extended period of time.
2) Site-to-Site Connectivity
The global business of today’s marketplace often requires
companies to establish regional and international branch offices.
The options have traditionally been either to deploy dedicated
leased-line services or to use the same dial-up technologies as
mobile workers. In addition to the infrastructure costs attached to
this scenario, businesses have also had to consider the lost-
opportunity costs associated with inefficient or non-existent
access to centralized information and applications.
A VPN may be implemented in several ways:
• LAN-to-LAN
• Remote user-to-LAN
• Within an intranet
VPN Challenges
• Setting up the infrastructure before deploying the VPN:
Many of the branch offices operated on dial-up connections, which were slow and often unreliable. So the first step was to get 24x7 connectivity using DSL or similar technology.
• Paucity of IT staff at remote locations:
Since many of the branch offices were small and/or recently set up, there was no dedicated IT staff at remote locations. The challenge was to build a solution that was literally 'plug-and-play', one that could be easily set up, deployed and managed, with an option for remote manageability as well in case advanced troubleshooting was required.
• Reliability of the ISP connection and support for dial-up backup:
In many locations, if the main ISP connection was down, the connectivity to the head office was maintained via dial-up. It was a prerequisite that the VPN solution work not just on the regular ISDN or DSL connection, but also on the dial-up, so that application uptime could be maintained.
• Response time:
Since this was a real-time application, the end users would have to get a reasonable response time, or else they might abandon the use of the application. The response time depends on several factors besides the VPN solution, such as the coding in the software application, the quality of the ISP connection, the volume of data being transferred by the application and the general level of congestion on the Internet pipe itself. Keeping all these factors in mind and yet providing an interface which would not cause the user to lose patience with it was one of the foremost issues that needed to be addressed.
• No provision for a separate firewall solution:
Since the implementation of the VPN involved opening up the IT infrastructure of the branches to the Internet, a firewall solution to protect the branch network was also required. But as there was no budgetary provision for a separate firewall, the VPN appliance was required to provide firewall functionality as well. The firewall had to be simple to configure and manage, that is, meet all the requirements of the VPN solution.
• User acceptance:
A major challenge faced during the implementation of this IT and security project was to gain the acceptance of remote users throughout the country to switch from a decentralized, batch process-oriented manual system to a centrally administered and managed real-time system. This was achieved by educating end users about the use and benefits of VPN, and by training.
CONCLUSION
• The VPN market has changed significantly in the past ten years as the Internet has grown and as vastly more companies have come to rely on the Internet for communications.
• The VPN Consortium (VPNC) is the international trade association for manufacturers in the VPN market.
• The primary purposes of the VPNC are:
• Promote the products of its members to the press and to
potential customers
• Increase interoperability between members by showing where
the products interoperate
• Serve as the forum for the VPN manufacturers throughout the
world
• Help the press and potential customers understand VPN
technologies and standards

• Today, VPNs are equally appealing to companies of all sizes. Even small businesses are finding compelling reasons to implement VPNs.
• Many view VPNs as a competitive advantage, specifically because of their global coverage and the relative ease with which they can be extended to create extranets.
