Chapter

VPN fundamentals

Mahmoud TOUNSI
Slim REKHIS
Outline
 Motivations for VPN
 VPN concepts and functionalities
 Node-to-Node tunneling and End-to-End Tunneling
 VPN Components
 Remote Access, Intranet and Extranet VPN

Motivation for Virtual Private Networks
 Conventional private networks are not cheap to plan and install
The cost associated with dedicated links is especially high when they involve international sites.
Security concerns are aggravated by the international transport of information.
The planning periods of these networks are long, as they involve estimating the applications, the traffic patterns and their growth rates.
Dedicated links take time to install.
 Need for a means to conduct private communications over a public network
 Use of VPNs

3
Motivation for Virtual Private Networks (2)

Figure: Site 1 (192.168.1.0/24) and Site 2 (192.168.2.0/24), two corporate offices, linked by a dedicated point-to-point line (too costly!), versus the same two sites linked across the public Internet or an operator IP network.

How to manage private address space?

How to protect data in transit (over the public Internet)?
Virtual Networks: An analogy

VPN definition
 VPN stands for Virtual Private Network
 A private network constructed within a public network infrastructure, such as the global Internet [Huston, 1998]
 A private network connecting different sites or corporate offices over a public telecommunication infrastructure (the Internet), using encryption and tunneling protocol procedures for secure and reliable connectivity [Obaidat and Boudriga, Security of e-Systems and Computer Networks, Cambridge University Press, 2007]

VPN definition
 Virtual: a virtual topology is built upon an existing, shared physical network infrastructure.
 Private: a private network supports a closed community of authorized users, allowing them to access various network-related services and resources.
There is traffic isolation: the traffic of this private network neither affects nor is affected by other traffic extraneous to the private network.
 Network: a VPN provides inter-connectivity to exchange information among the various entities that belong to it.

Over IP
Figure: IP-in-IP tunnel with encapsulation at the entry gateway and decapsulation at the exit gateway. The original packet (Src: 192.168.1.10, Dst: 192.168.2.10) is wrapped at gateway 200.1.1.1 in an outer IP header (Src: 200.1.1.1, Dst: 150.1.1.1), crosses the public network, and is unwrapped at 150.1.1.1, which delivers the original packet (Src: 192.168.1.10, Dst: 192.168.2.10) to 192.168.2.10.

 This example introduces IP-in-IP tunnels (not the most effective approach).


 VPN = Networks (tunnels) + Private Networks (authentication, encryption)
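The encapsulation and decapsulation shown in the figure, worked in Python as an added example (not code from the slides or from any VPN product). It builds the passenger packet from 192.168.1.10 to 192.168.2.10, wraps it at the entry gateway 200.1.1.1 in an outer IPv4 header addressed to 150.1.1.1 (IP protocol number 4), and unwraps it at the exit gateway. The 20-byte overhead per encapsulation and the path MTU of 1500 bytes are assumptions used to show why a packet that fits the link on its own may no longer fit once tunneled; the payload and protocol number 17 are constructed placeholders.

```python
import struct

IPPROTO_IPIP = 4       # IP protocol number for IP-in-IP encapsulation
IPV4_HEADER_LEN = 20   # bytes of overhead added by each IPv4 encapsulation (no options)
IP_FLAG_DF = 0x4000    # Don't Fragment: refuse mid-tunnel fragmentation instead of silently fragmenting


def ip_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over an IPv4 header (0 when verifying a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, DF set) carrying `payload`."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload), ident,
                         IP_FLAG_DF, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    checksum = ip_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version, lengths and header checksum; return the header fields and payload."""
    if len(packet) < IPV4_HEADER_LEN:
        raise ValueError("truncated packet")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto, "ttl": ttl,
            "payload": packet[ihl:total_len]}


def inner_mtu(path_mtu: int) -> int:
    """Largest passenger packet that fits in the tunnel without fragmentation."""
    return path_mtu - IPV4_HEADER_LEN


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, path_mtu: int = 1500) -> bytes:
    """Tunnel entry: wrap the passenger packet in an outer IPv4 header addressed to the far gateway."""
    parse_ipv4(inner)  # refuse to tunnel anything that is not a valid IPv4 packet
    if len(inner) > inner_mtu(path_mtu):
        raise ValueError("passenger packet of %d bytes would need mid-tunnel fragmentation" % len(inner))
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, local_endpoint: str) -> bytes:
    """Tunnel exit: strip the outer header only if this gateway is the tunnel endpoint."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != local_endpoint:
        raise ValueError("packet is addressed to %s, not to this tunnel endpoint" % hdr["dst"])
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet (protocol %d)" % hdr["proto"])
    inner = hdr["payload"]
    parse_ipv4(inner)  # the passenger must itself be a valid IPv4 packet
    return inner


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.10 at site 1 sends to 192.168.2.10 at site 2.
    # Protocol 17 (UDP) is a label only; the payload is an opaque stand-in, not a real datagram.
    passenger = build_ipv4("192.168.1.10", "192.168.2.10", 17, b"hello from site 1")
    on_the_wire = encapsulate(passenger, "200.1.1.1", "150.1.1.1")
    outer_hdr = parse_ipv4(on_the_wire)
    print("outer:", outer_hdr["src"], "->", outer_hdr["dst"], "protocol", outer_hdr["proto"])
    delivered = parse_ipv4(decapsulate(on_the_wire, "150.1.1.1"))
    print("inner:", delivered["src"], "->", delivered["dst"])
```

The parser verifies the header checksum and the exit gateway refuses packets whose outer destination is not its own tunnel address, which is the minimal check needed so that a gateway never decapsulates on behalf of some other address. Nothing here authenticates or encrypts the passenger packet; that is what the private part of a VPN adds on top of the tunnel.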
Tunnel protocols
1. Carrier protocol:
The protocol of the existing network that conveys the information, i.e. any robust and widespread protocol.
Examples: mainly the Internet protocols PPP/IP/TCP/HTTP, but also ATM.
2. Tunneling protocol:
The protocol added to encapsulate the user data and secure it, i.e. the protocol that achieves the VPN security objectives.
Examples: GRE and the protocols listed on the next slides.
3. Passenger protocol:
The user protocol to be routed.
Examples: an Internet protocol such as IP, or a non-Internet protocol such as IPX or NetBIOS/NetBEUI, carried inside IP.
Insecure tunneling protocols
 GRE: Generic Routing Encapsulation (layer 3 over layer 3) (RFC 1701): dedicated to tunnels only.
 PPPoE: Point-to-Point Protocol over Ethernet (layer 2 over layer 2).
 PPPoA: Point-to-Point Protocol over ATM (layer 2 over layer 2).
 IP in IP tunneling: IPv4 encapsulated in IPv4 (layer 3 over layer 3) (RFC 1853).
 6to4: tunneling of IPv6 over IPv4 (layer 3 over layer 3).
 IEEE 802.1Q: Ethernet VLANs (layer 2 over layer 2).
 DLSw: Data Link Switching, SNA over TCP (layer 7 over layer 4).
 XOT: X.25 over TCP (layer 3 over layer 4).

Secure Tunneling Protocols
 Data link layer
Point-to-Point Tunneling Protocol (PPTP) - RFC 2637
Layer 2 Tunneling Protocol (L2TP) - RFC 2661
 Network layer
Internet Protocol Security (IPsec) - RFC 4301, RFC 4303, RFC 4306
 Transport layer
Transport Layer Security (TLS) - RFC 8446
Datagram Transport Layer Security (DTLS) - RFC 6347

 Application layer
Secure Shell (SSH) - RFC 4250, RFC 4251, RFC 4252, RFC 4253, RFC 4254
Virtual Private Network (VPN) clients such as OpenVPN, Cisco AnyConnect, and others

VPN advantages
 Worldwide coverage: a VPN can be accessed from any place that has Internet connectivity.
 Cost effectiveness: cost is minimized by replacing multiple communication links and equipment with a single connection and one device per location.
 Secure communication: a VPN provides tools for user authentication, access control, and data encryption that guarantee confidentiality of transmission and data integrity.
 Reliability: VPNs can provide increased reliability by offering redundant connections that automatically switch to a backup connection if the primary one fails.

Major concerns about VPN technologies
 Security: data should be secured before entering the public network.
Protecting the data in transit does not protect the information inside the Intranet from unauthorized access.
 Manageability: a VPN should cope with the rapid changes and growth in the organization's communication requirements.
 Performance: security measures can reduce performance considerably.
Because ISPs deliver packets on a "best effort" basis, the transport performance of a VPN cannot be forecast.
Trusted vs Secure VPNs
 Trusted VPNs
Customer traffic is not encrypted over the service provider backbone.
Customers trust the service provider to ensure that data traffic is kept secure in transit between the customer's sites.
Examples include Frame Relay, ATM, and BGP/MPLS VPNs.
 Secure VPNs
Customer data traffic is authenticated and encrypted over the service provider backbone or the Internet between VPN peers.
Examples of secure VPNs are IPsec VPNs, SSL VPNs, PPTP VPNs, and L2TP VPNs secured using IPsec.
 Hybrid VPNs
Combined use of secure and trusted VPNs.
The secure parts are controlled by the customer or by the provider that provides the trusted part.

VPN functionality
 Tunneling
 Authentication
 Access control
 Data security

Tunneling (1)
 The process of encapsulating an original packet into another packet by replacing one or more protocol layers.
Encapsulation performed by conventional layered protocols in accordance with the OSI model should not be considered tunneling.
 E.g., HTTP over TCP over IP over PPP over a V.92 modem
 Puts unsecured packets into secure, encrypted packets.
 Frequently used to hide the real source and destination addresses of the original data packet.
The destination IP address of a packet sent in an access VPN may be a non-globally-unique IP address of a corporate internal server.
Often a packet sent by a user of an access VPN must first be forwarded to the user's ISP, and only then from the ISP toward the corporate network.

Tunneling (2)
 Can also be used to transport packets and protocols over networks that only support other network protocols.
 Each tunnel is uniquely identified by two components
Its endpoints: where the tunnel starts and where it ends.
The encapsulation protocol transporting packets inside the tunnel.
 Two types of tunneling techniques
End-to-end tunneling
Node-to-node tunneling

Types of tunneling techniques

Figure: an end-to-end tunnel runs between the two end hosts, passing through the router + VPN server at each site; a node-to-node tunnel runs only between the two router + VPN server devices.
Tunneling: End-to-end tunneling
 Also known as "transport model" tunneling.
 The VPN devices at each end of the connection are responsible for tunnel creation and data encryption.
 Extends the tunnel through edge devices (e.g., firewalls) to the computers sending and receiving the traffic.
 Secure solution, as the data never appears on the network in clear-text form.
 Performing encryption end to end increases the complexity of enforcing the security policy.
Network gateways cannot determine the purpose of the traffic.
This is problematic for enforcing security policy (e.g., filtering).

Tunneling: Node-to-node tunneling
 Creation and termination of the tunnel occur at the gateway devices (e.g., firewalls) forming the edge of the network.
 Traffic within the LAN remains unchanged.
 Traffic is encrypted once it reaches the gateway and sent via a dynamically established tunnel to the equivalent device on the other side.
 The true source and destination are hidden from attackers who perform traffic analysis in the public part of the network.
 No need for NAT to convert between public and private addresses.
 Moves the intensive encryption work to a central server.
 Poor scalability: the number of tunnels increases geometrically as the number of VPN nodes increases.
 Suboptimal routing: the path taken across the shared network may not be optimal.

Compulsory vs Voluntary tunnel mode
 Compulsory tunnel mode:
The remote access client connects to a Network Access Server that tunnels the client's data traffic to and from a VPN gateway.
Compulsory tunnels are provider provisioned.
 Voluntary tunnel mode:
Data traffic is tunneled directly between the remote access client and a VPN gateway.
Voluntary tunnels can be either customer or provider provisioned.

Desirable characteristics for a VPN tunneling mechanism
 Multiplexing: multiple tunnels may be needed between the same two IP end points.
Need to distinguish which packet belongs to which tunnel.
E.g., each end point may support multiple customers, and the traffic of different customers travels over separate tunnels.
 Signaling protocol: some configuration information must be known by an end point in advance of the tunnel establishment,
e.g., the IP address of the remote end point and the required level of security.
 Data security: need to support mechanisms that allow for whatever level of security is required, including authentication and/or encryption of various strengths.

Desirable characteristics for a VPN tunneling mechanism
 Multiprotocol transport: in many applications of VPNs, the VPN may carry opaque, multi-protocol traffic.
 Frame sequencing: need to support a sequencing field to implement frame sequencing.
 Tunnel maintenance: the VPN endpoints must ensure that connectivity has not been lost and take appropriate actions such as route recalculation.
 Support for large MTUs: need to incorporate segmentation and reassembly capabilities at the tunnel endpoints.
It is better to avoid mid-tunnel fragmentation, as it has undesirable performance implications.

Desirable characteristics for a VPN tunneling mechanism
 Minimization of tunnel overhead: security overhead needs to be minimized, especially for the transport of jitter- and latency-sensitive traffic.
 QoS/Traffic management: need to yield behavior similar to physical leased lines with respect to QoS parameters (e.g., loss rate, jitter, latency, bandwidth guarantee).

Authentication
 The process of identity verification between the two networks at the opposite endpoints of the tunnel.
Ensures that data are coming exactly from the source identified in the encapsulated data packets.
 Use of two general types of authentication methods
Two-party authentication methods, including passwords and challenge/response methods
E.g., PAP, CHAP, EAP, RADIUS, OTP
Trusted third party authentication methods
E.g., Kerberos, Public Key Infrastructure, Pretty Good Privacy
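A challenge/response exchange between a remote access client and the authenticator holding the shared secret, as an added example in Python (not code from the slides). It follows the CHAP-MD5 computation of RFC 1994, where the response is MD5 over the one-byte identifier, the shared secret and the challenge value. The peer names, secrets and 16-byte random challenges are constructed; the single-use challenge table and the constant-time comparison are design choices of this example.

```python
import hashlib
import hmac
import os

CHAP_ALGORITHM_MD5 = 5   # RFC 1994 algorithm number for CHAP with MD5


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that holds the shared secrets (e.g. the NAS or VPN gateway)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets            # peer name -> shared secret (constructed)
        self.outstanding = {}             # identifier -> challenge value not yet answered
        self.next_identifier = 0

    def challenge(self) -> tuple:
        """Emit a Challenge packet: (Identifier, Value)."""
        identifier = self.next_identifier
        self.next_identifier = (identifier + 1) % 256
        value = os.urandom(16)            # fresh, unpredictable challenge each time
        self.outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a Response packet; True means Success, False means Failure."""
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        value = self.outstanding.pop(identifier, None)
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """The side proving knowledge of the secret (the remote access client)."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, value: bytes) -> tuple:
        """Build the Response packet: (Identifier, Name, Response Value)."""
        return identifier, self.name, chap_response(identifier, self.secret, value)


def run_exchange(auth: Authenticator, peer: Peer) -> bool:
    """One full CHAP round: Challenge -> Response -> Success/Failure."""
    identifier, value = auth.challenge()
    return auth.verify(*peer.respond(identifier, value))


if __name__ == "__main__":
    gateway = Authenticator({"alice": b"s3cret"})
    print("alice, right secret:", run_exchange(gateway, Peer("alice", b"s3cret")))
    print("alice, wrong secret:", run_exchange(gateway, Peer("alice", b"wrong")))
    print("unknown peer:", run_exchange(gateway, Peer("mallory", b"s3cret")))
```

Because every challenge is random and consumed on first use, a response captured from one exchange is useless in the next; the strength of the scheme rests entirely on the secrecy and quality of the shared secret, since anyone who knows it can answer any challenge.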
Access Control
 Follows the authentication phase.
 Allows the entities of a VPN to decide whether to grant each other authorized access to resources.
 The decision is usually made based on the identity of the requester, the requested resource, and the rules governing access to it.
 Usually, the decision is made by a centralized server at each VPN endpoint, where all the policies are administered.

Data security
 Is the cornerstone of any VPN solution.
 Data transmitted over the public infrastructure can potentially be intercepted, decrypted, read, and altered by others.
 Objectives
Data integrity and encryption of every network datagram.
Protection against replay attacks.
Over-the-air rekeying: a technique for changing the encryption keys in the middle of a communication session.
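The three objectives above, integrity, replay protection and mid-session rekeying, combined in one added Python example (not code from the slides or from any VPN implementation). Each datagram carries a key generation counter, a sequence number and an integrity tag; the receiver keeps an IPsec-style 64-packet sliding window (the structure described in RFC 4303 Appendix A) and accepts a new key generation only after a tag computed under the new key verifies. The HMAC-SHA256 tag, the rekey derivation from the previous key and the packet-count rekey threshold are constructed stand-ins for what a real protocol obtains from its key management.

```python
import hashlib
import hmac
import struct

WINDOW_SIZE = 64                  # IPsec-style anti-replay window
TAG_LEN = 16
HEADER = struct.Struct("!II")     # key generation, sequence number


def integrity_tag(key: bytes, generation: int, seq: int, payload: bytes) -> bytes:
    """Integrity tag over generation, sequence and payload (constructed: truncated HMAC-SHA256)."""
    return hmac.new(key, HEADER.pack(generation, seq) + payload, hashlib.sha256).digest()[:TAG_LEN]


def next_generation_key(key: bytes, generation: int) -> bytes:
    """Stand-in for the key-management step of over-the-air rekeying (constructed derivation)."""
    return hmac.new(key, b"rekey" + struct.pack("!I", generation), hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes, rekey_after: int = 1000):
        self.key, self.generation, self.seq = key, 0, 0
        self.rekey_after = rekey_after    # constructed packet-count key lifetime

    def protect(self, payload: bytes) -> bytes:
        if self.seq >= self.rekey_after:  # change keys mid-session before the counter is exhausted
            self.generation += 1
            self.key = next_generation_key(self.key, self.generation)
            self.seq = 0
        seq, self.seq = self.seq, self.seq + 1
        return HEADER.pack(self.generation, seq) + payload + integrity_tag(self.key, self.generation, seq, payload)


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.generation = key, 0
        self.highest, self.bitmap = -1, 0  # bit i set => sequence (highest - i) already accepted

    def verify(self, datagram: bytes) -> str:
        if len(datagram) < HEADER.size + TAG_LEN:
            return "rejected-malformed"
        generation, seq = HEADER.unpack_from(datagram)
        payload, tag = datagram[HEADER.size:-TAG_LEN], datagram[-TAG_LEN:]
        if generation == self.generation:            # current key
            key = self.key
        elif generation == self.generation + 1:      # peer has rekeyed: candidate new key
            key = next_generation_key(self.key, generation)
        else:
            return "rejected-bad-generation"
        # Integrity first: the window (and any rekey) is updated only after the tag verifies,
        # otherwise forged packets could advance the window or force a rekey.
        if not hmac.compare_digest(tag, integrity_tag(key, generation, seq, payload)):
            return "rejected-bad-tag"
        if generation != self.generation:            # commit the rekey, start a fresh window
            self.key, self.generation = key, generation
            self.highest, self.bitmap = -1, 0
        if seq > self.highest:                       # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW_SIZE else ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
            return "accepted"
        offset = self.highest - seq
        if offset >= WINDOW_SIZE:
            return "rejected-too-old"                # fell behind the window: cannot tell replay from late
        if self.bitmap & (1 << offset):
            return "rejected-replay"                 # already seen inside the window
        self.bitmap |= 1 << offset
        return "accepted"


if __name__ == "__main__":
    key = b"k" * 32                                  # constructed session key
    sender, receiver = Sender(key, rekey_after=3), Receiver(key)
    datagrams = [sender.protect(b"msg%d" % i) for i in range(5)]   # last two sent under generation 1
    for label, d in (("d0", datagrams[0]), ("d2", datagrams[2]), ("d1", datagrams[1]),
                     ("d1 again", datagrams[1]), ("d3 (rekeyed)", datagrams[3]), ("d0 old key", datagrams[0])):
        print(label, "->", receiver.verify(d))
```

The ordering matters: the window and the generation are updated only after the tag verifies, so a forged packet with a high sequence number or a bumped generation cannot slide the window past legitimate packets or force a rekey. Packets from a previous generation arriving after the rekey are rejected; a real implementation would keep the old key for a short grace period.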

VPN components
 VPN gateway:
Typically serves as an endpoint of a VPN tunnel.
Acts as a gatekeeper for all network packets coming to and from the resources protected by the VPN.
Usually located at the perimeter of a corporate network.
Works on behalf of the protected network resources to negotiate and provide services.
Typically combines tunneling, access control, authentication, and data security within a single hardware device.
Designed to serve multiple secure network resources.
Can be standalone or integrated into routers or firewalls.

VPN components (the VPN gateway)
 Checks inbound traffic according to the security policy.
Ensures that only the traffic from already established secure tunnels is processed.
If no secure tunnel is established, the traffic is dropped, unless its purpose is to negotiate and establish a secure tunnel.
 Examines the outbound traffic based on a set of policies.
If secure tunneling is needed for the traffic, it checks whether such a tunnel is already in place; otherwise it establishes a new tunnel with the intended peer device.
If no policy can be found, the traffic is dropped.
Otherwise the traffic is handled according to the tunnel strategy and sent into the tunnel.
 Buffers outbound packets until a secure tunnel is in place.
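The inbound and outbound decision steps of this slide, as an added Python example (not code from the slides or from any gateway product). Policies map a protected remote prefix to the peer gateway fronting it; the gateway drops outbound traffic with no policy, sends it into an existing tunnel, or buffers it and starts a negotiation, and it processes inbound traffic only from established tunnels or for negotiation. The prefix 192.168.2.0/24 and peer 150.1.1.1 are constructed; the check that negotiation is accepted only from peers named in some policy is an addition of this example, not a step on the slide.

```python
import ipaddress
from collections import defaultdict


class VpnGateway:
    """Policy-driven packet handling at a VPN gateway.
    policies: iterable of (remote prefix, peer gateway address) pairs."""

    def __init__(self, policies):
        self.policies = [(ipaddress.ip_network(prefix), peer) for prefix, peer in policies]
        self.known_peers = {peer for _, peer in self.policies}
        self.tunnels = set()                  # peers with an established secure tunnel
        self.pending = defaultdict(list)      # peer -> outbound packets buffered until the tunnel is up
        self.negotiations_started = []        # peers for which tunnel setup was triggered

    def _policy_for(self, dst: str):
        addr = ipaddress.ip_address(dst)
        for net, peer in self.policies:
            if addr in net:
                return peer
        return None

    def outbound(self, dst: str, packet: bytes) -> str:
        peer = self._policy_for(dst)
        if peer is None:
            return "dropped-no-policy"                      # no policy found: drop
        if peer in self.tunnels:
            return "sent-via-tunnel:" + peer                # tunnel already in place
        if not self.pending[peer]:
            self.negotiations_started.append(peer)          # first packet triggers tunnel setup
        self.pending[peer].append(packet)                   # buffer until the tunnel is established
        return "buffered-awaiting-tunnel:" + peer

    def tunnel_established(self, peer: str) -> int:
        """Called when negotiation with `peer` completes; returns how many buffered packets were released."""
        self.tunnels.add(peer)
        return len(self.pending.pop(peer, []))

    def inbound(self, peer: str, packet: bytes, negotiation: bool = False) -> str:
        if negotiation:
            # Added check, not on the slide: only negotiate with peers named in some policy.
            return "negotiate-tunnel" if peer in self.known_peers else "dropped-unknown-peer"
        if peer in self.tunnels:
            return "accepted-from-tunnel"                   # only traffic from existing tunnels is processed
        return "dropped-no-tunnel"


if __name__ == "__main__":
    gw = VpnGateway([("192.168.2.0/24", "150.1.1.1")])
    print(gw.outbound("192.168.2.10", b"p1"))             # buffered, negotiation starts
    print(gw.outbound("10.9.9.9", b"p2"))                 # no policy: dropped
    print(gw.inbound("150.1.1.1", b"data"))               # no tunnel yet: dropped
    print(gw.inbound("150.1.1.1", b"ike", negotiation=True))
    print("released:", gw.tunnel_established("150.1.1.1"))
    print(gw.outbound("192.168.2.10", b"p3"))             # now sent through the tunnel
```

Buffering rather than dropping the first packets of a flow is what makes the tunnel setup invisible to the hosts behind the gateway: the packet that triggered the negotiation is released as soon as the tunnel exists.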
VPN components
 VPN client
Software used by a single user to remotely access the VPN.
A program designed to work on a single computer (unlike a VPN gateway).
Provides authentication and data security and creates a tunnel between the computer on which it is installed and an endpoint of the VPN (on which a VPN gateway is usually installed).

Types of VPNs
 Intranet VPNs: connect a number of an organization's Local Area Networks located in multiple geographic areas over the shared network infrastructure.
 Remote access VPNs: connect telecommuters and mobile users to a corporate network.
Enable remote users to work as if they were at a workstation in the office.
 Extranet VPNs: extend limited access to corporate computing resources to business partners, enabling access to shared information.
Such users are restricted to a specific area of the Intranet: the DMZ.

Intranet VPNs

Remote access VPNs

Extranet VPNs

VPNs implementations
A VPN may be implemented and secured at various layers of the
TCP/IP protocol stack.
Network layer VPNs.
Data Link Layer VPNs.
Application Layer VPNs.
Non-IP VPNs.

Network layer VPNs
 Based primarily on IP and implemented using network layer encryption and possibly tunneling.
 Data entering the network is given an additional IP header whose destination address corresponds to the end of the tunnel.
 Due to encapsulation, the original packet could be based on any network layer protocol.
 Examples include IP Security (IPsec).

Data link layer VPNs
 Employ a shared backbone network based on a switched link layer technology such as Frame Relay or ATM.
 Links between VPN nodes are implemented as virtual circuits, which are inexpensive and flexible.
 More appropriate for providing Intranet services.
 Examples: PPTP, L2TP, L2F, which are based on PPP encapsulation.

Application layer VPNs
 Are implemented in software.
 Workstations and servers are required to perform tasks such as encryption.
 Inexpensive to implement, but can have a significant impact on performance:
High CPU usage, limitation of network throughput.

Disadvantages of VPN
 Disadvantages
Lack of standards
Understanding of security issues
Unpredictable Internet traffic
Difficult to accommodate products from different vendors
