
Virtual Private Network

A Virtual Private Network is a logical connection between two or more
different locations over private and/or public networks to secure private
data or traffic.

A VPN enables you to send data between two computers across a
shared or public network in a manner that emulates the properties of a
point-to-point private link. To emulate a point-to-point link, data is
encapsulated or wrapped with a header that provides routing
information allowing it to traverse the shared or public network to
reach its endpoint. To emulate a private link, the data being sent is
encrypted for confidentiality. The portion of the connection in which
the private data is encapsulated is known as the tunnel. The portion of
the connection in which the private data is encrypted is known as the
virtual private network (VPN) connection.
Fig. Virtual Private Network Scheme

1. Types of VPN
1.1 Site-to-Site VPN
1.1.1 Intranet
1.1.2 Extranet
1.2 Remote-Access VPN

1.1 Site-to-Site VPN

1.1.1 Intranet - If a company has one or more remote locations that it
wishes to join into a single private network, it can create an intranet
VPN to connect LAN to LAN.

1.1.2 Extranet - When a company wants to share its network with another
company (for example, a partner, supplier or customer), it can build an
extranet VPN that connects LAN to LAN and allows all of the various
companies to work in a shared environment.

1.2 Remote-Access VPN (Internet)

A remote-access VPN is for home or traveling users who need to access
their corporate network from a remote location. They dial their ISP and
connect over the Internet to the company's internal WAN. This is made
possible by installing a client software program on the remote user's
laptop or PC that handles the encryption and decryption of the VPN
traffic between itself and the VPN gateway on the central LAN.

A remote-access VPN uses a public network (the Internet) as the backbone
to transport VPN traffic between devices.

2. Requirements and features

2.1 Basic VPN Requirements

A well-designed VPN should provide at least all of the following:

• User Authentication - The solution must verify the VPN clients'
identity and restrict VPN access to authorized users only. It must
also provide audit and accounting records to show who accessed what
information and when.

• Address Management - The solution must assign a VPN client an
address on the intranet and ensure that private addresses are kept
private.

• Data Encryption - Data carried on the public network must be
rendered unreadable to unauthorized clients on the network.

• Key Management - The solution must generate and refresh encryption
keys for the client and the server.

2.2 Features of VPN

• Security
• Reliability
• Confidentiality - protects privacy.
• Integrity - ensures that the information being transmitted over the
Internet (or any other public network) is not altered.
• Authentication - ensures the identity of all communicating parties.
• Scalability - extra users and bandwidth can be added easily to adapt
to new requirements.

3. VPN Security Issues

3.1 Firewalls

An Internet firewall decides what traffic is allowed into a network using
techniques such as examining the Internet addresses on packets or the
ports requested on incoming connections. Firewalls are an integral part
of a VPN. The most common firewall is a packet-filtering firewall, which
blocks specified IP services running on specific port numbers from
crossing the gateway (router). Many routers that support VPN
technologies (such as the PIX) also support packet filtering.
Proxies are also a common method of protecting a network while
allowing VPN services to enter. Proxy servers are typically a software
solution run on top of a network operating system (UNIX, Windows NT).
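The packet-filtering decision described above, worked through in code. This is an added example and not part of the original notes: a small first-match rule engine evaluates constructed packets against a ruleset for a VPN gateway, where only the IPsec control and data protocols (IKE on UDP 500/4500, ESP as IP protocol 50, AH as 51) may reach the gateway address and everything else falls to a default drop. The addresses, rule names and sample packets are constructed for illustration; the returned rule name is what a gateway would write to its audit log.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IP protocol numbers and UDP ports that an IPsec VPN gateway must accept.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT, IKE_NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for protocols without ports (ESP, AH)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "drop"
    src: str                      # CIDR; "0.0.0.0/0" means any source
    dst: str                      # CIDR; the gateway address or an internal range
    proto: Optional[int] = None   # None matches any IP protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def filter_packet(rules, pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; anything unmatched gets the default action.
    The rule name is returned alongside the verdict so every decision is auditable."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default-policy"


# Constructed ruleset: gateway 203.0.113.1 in front of intranet 10.0.0.0/8.
ANY = "0.0.0.0/0"
GATEWAY = "203.0.113.1/32"
RULES = [
    Rule("allow-ike", "allow", ANY, GATEWAY, PROTO_UDP, IKE_PORT),
    Rule("allow-ike-nat-t", "allow", ANY, GATEWAY, PROTO_UDP, IKE_NAT_T_PORT),
    Rule("allow-esp", "allow", ANY, GATEWAY, PROTO_ESP),
    Rule("allow-ah", "allow", ANY, GATEWAY, PROTO_AH),
    # An explicitly blocked service on a specific port, as the text describes.
    Rule("drop-telnet-to-intranet", "drop", ANY, "10.0.0.0/8", PROTO_TCP, 23),
]

# Constructed sample traffic arriving on the gateway's public interface.
SAMPLE_PACKETS = {
    "ike_from_roaming_client": Packet("198.51.100.7", "203.0.113.1", PROTO_UDP, IKE_PORT),
    "esp_from_roaming_client": Packet("198.51.100.7", "203.0.113.1", PROTO_ESP),
    "telnet_to_internal_host": Packet("198.51.100.9", "10.1.2.3", PROTO_TCP, 23),
    "ssh_to_gateway_itself": Packet("198.51.100.9", "203.0.113.1", PROTO_TCP, 22),
}


def evaluate_samples() -> dict:
    """Run every sample packet through the ruleset; returns name -> (action, rule)."""
    return {name: filter_packet(RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, rule) in evaluate_samples().items():
        print(f"{name:26s} -> {action:5s} ({rule})")
```

Note that the last two samples are both dropped, but for different recorded reasons: the telnet attempt hits an explicit rule, while SSH to the gateway itself is caught only by the default policy. Keeping the default at drop is what turns the filter into an allow-list for the VPN protocols rather than a block-list of known-bad services.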

3.2 Authentication

Authentication techniques assure the communicating parties that they
are exchanging data with the correct user or host. Most VPN
authentication systems are based on a shared-key system. The key is
run through a hashing algorithm, which generates a hash value. The
other party holding the key generates its own hash value and compares
it to the one it received from the other end.

The Challenge Handshake Authentication Protocol (CHAP) is a good
example of this method.
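The shared-key hash comparison described above, as an added example that is not part of the original notes. It follows the CHAP response computation from RFC 1994 (MD5 over the one-byte Identifier, the shared secret and the Challenge), with the server side issuing a fresh random challenge for each attempt and comparing in constant time. The peer name and secret are constructed; the exchange function walks through a legitimate response, a replayed response and a response computed with the wrong secret so the behaviour of each case is visible.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || Challenge).
    Only the challenge and this hash cross the wire; the secret never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues one-shot random challenges and verifies the responses."""

    def __init__(self, secrets_by_peer: Dict[str, bytes]):
        self._secrets = secrets_by_peer
        self._pending: Dict[str, Tuple[int, bytes]] = {}

    def issue_challenge(self, peer: str) -> Tuple[int, bytes]:
        identifier = secrets.randbelow(256)   # one-byte CHAP Identifier
        challenge = secrets.token_bytes(16)   # fresh random Challenge value
        self._pending[peer] = (identifier, challenge)
        return identifier, challenge

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(peer, None)  # a challenge is usable exactly once
        secret = self._secrets.get(peer)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange() -> Dict[str, bool]:
    """Legitimate exchange, then a replay, then a wrong-secret attempt."""
    shared = b"constructed shared secret"           # constructed for the example
    server = ChapAuthenticator({"remote-laptop": shared})

    # 1. The client that holds the shared secret answers the server's challenge.
    ident, chal = server.issue_challenge("remote-laptop")
    response = chap_response(ident, shared, chal)
    legitimate = server.verify("remote-laptop", ident, response)

    # 2. The same response is presented again; the server has issued a new
    #    challenge in the meantime, so the recorded hash no longer matches.
    ident2, _ = server.issue_challenge("remote-laptop")
    replayed = server.verify("remote-laptop", ident2, response)

    # 3. A peer without the secret cannot produce the expected hash.
    ident3, chal3 = server.issue_challenge("remote-laptop")
    wrong_secret = server.verify("remote-laptop", ident3, chap_response(ident3, b"guess", chal3))

    return {"legitimate": legitimate, "replayed": replayed, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(run_exchange())
```

The two details that make the scheme work are visible in `verify`: the challenge is discarded after one use, so a captured response is worthless against the next challenge, and the comparison is constant-time. Both ends must hold the same secret, which is the key-distribution burden the shared-key approach carries.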

3.3 Encryption

Encryption is the process of taking all the data that one computer is
sending to another and encoding it into a form that only the other
computer will be able to decode. Most computer encryption systems
belong in one of two categories:
(1) Symmetric-key encryption
(2) Public-key encryption

(1) Symmetric-key encryption

In symmetric-key encryption, each computer has a secret key (code) that
it can use to encrypt a packet of information before it is sent over the
network to another computer. Symmetric-key encryption requires that you
know which computers will be talking to each other so you can install
the key on each one. It is essentially the same as a secret code that
each of the two computers must know in order to decode the information;
the code provides the key to decoding the message.

(2) Public-key encryption

Public-key encryption uses a combination of a private key and a public
key. The private key is known only to your computer, while the public
key is given by your computer to any computer that wants to communicate
securely with it. To decode an encrypted message, a computer must use
the public key, provided by the originating computer, and its own
private key. A very popular public-key encryption utility is called
Pretty Good Privacy (PGP).

4. VPN Components

4.1 Customer Edge:

The customer network consists of the routers at the various customer
sites, called customer edge (CE) routers.

4.2 Provider network:

The service provider devices to which the CE routers are directly
attached are called provider edge (PE) routers.

The service provider network may also consist of devices used for
forwarding data in the service provider backbone, called provider (P)
routers.

5. VPN Implementations
5.1 IPsec
5.2 MPLS
5.3 GRE
5.4 PPTP
5.5 L2TP

5.1 Internet Protocol Security VPN - (IPsec VPN)

IPsec is a protocol suite for securing Internet Protocol communication
by authenticating and encrypting each IP packet of a data stream.

IPsec consists of two sub-protocols:

Encapsulating Security Payload (ESP) - Protects the IP packet data from
third-party interference by encrypting the contents using symmetric
cryptographic algorithms (such as Blowfish, 3DES).

Authentication Header (AH) - Protects the IP packet header from
third-party interference and spoofing by computing a cryptographic
checksum: the IP packet header fields are hashed with a secure hashing
function, and an additional header containing the hash is added so that
the information in the packet can be authenticated.

ESP and AH can be used either together or separately, depending on the
environment.

IPsec can either be used to directly encrypt the traffic between two
hosts (known as Transport Mode), or to build “virtual tunnels” between
two subnets, which could be used for secure communication between
two corporate networks (known as Tunnel Mode). The latter is more
commonly known as a Virtual Private Network (VPN).

5.2 Multiprotocol Label Switching VPN - (MPLS VPN)

An MPLS VPN supports multiple protocols to secure traffic, i.e. data,
through the network. MPLS belongs to the family of packet-switched
networks. In an MPLS network, data packets are assigned labels.
Packet-forwarding decisions are made on the contents of this label,
without the need to examine the packet itself. This allows one to create
end-to-end circuits across any type of transport medium, using any
protocol. The primary benefit is to eliminate dependence on a particular
Data Link Layer technology, such as Frame Relay, and to eliminate the
need for multiple Layer 2 networks to satisfy different types of
traffic. MPLS operates at an OSI Model layer that is generally
considered to lie between traditional definitions of Layer 2 (Data Link
Layer) and Layer 3 (Network Layer), and thus is often referred to as a
"Layer 2.5" protocol.

5.3 Generic Routing Encapsulation- (GRE)

GRE is a tunneling protocol. A GRE tunnel end-point does not keep any
information about the state or availability of the remote tunnel
end-point. As a consequence, the local tunnel end-point router cannot
bring the line protocol of the GRE tunnel interface down if the remote
end-point is unreachable. The GRE tunnel interface comes up as soon as
it is configured and stays up as long as there is a tunnel source
address or interface that is up and the tunnel destination IP address
is routable. This is true even if the other side of the tunnel has not
been configured, which means that a static route or PBR forwarding of
packets via the GRE tunnel interface remains in effect even though the
GRE tunnel packets do not reach the other end of the tunnel.

6. Tunneling
Tunneling is a method of using an internetwork infrastructure to
transfer data for one network over another network. The data to be
transferred (or payload) can be the frames (or packets) of another
protocol. Instead of sending a frame as it is produced by the
originating node, the tunneling protocol encapsulates the frame in an
additional header. The additional header provides routing information
so that the encapsulated payload can traverse the intermediate
internetwork.

The transit internetwork can be any internetwork. The Internet is a
public internetwork and is the most widely known real-world example.
There are many examples of tunnels that are carried over corporate
internetworks. While the Internet provides one of the most
cost-effective internetworks, references to the Internet in this paper
can be replaced by any other public or private internetwork that acts
as a transit internetwork.

The encapsulated packets are then routed between tunnel endpoints over
the internetwork. The logical path through which the encapsulated
packets travel through the internetwork is called a tunnel. Once the
encapsulated frames reach their destination on the internetwork, the
frame is decapsulated and forwarded to its final destination. Tunneling
includes this entire process (encapsulation, transmission, and
decapsulation of packets).

Tunneling requires three different protocols:

• Carrier protocol - The protocol used by the network that the
information is traveling over.
• Encapsulating protocol - The protocol (GRE, IPsec, L2F, PPTP, or
L2TP) that is wrapped around the original data.
• Passenger protocol - The original data (IPX, NetBEUI, IP) being
carried.
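The carrier/encapsulating/passenger layering of section 6, made concrete with the GRE protocol from section 5.3. This is an added example and not code from the original notes: it builds and then parses a GRE-in-IPv4 tunnel packet in Python, where the carrier is an IPv4 header with protocol number 47, the encapsulating protocol is a GRE header laid out as in RFC 2784/2890 (checksum, key and sequence-number fields present), and the passenger is an inner IPv4 packet between two private LANs. All addresses are constructed documentation-range values. The receiving side verifies the GRE checksum, which is the only integrity the header offers; as section 5.3 points out, nothing in this exchange tells the sending end-point whether the far end is reachable at all.

```python
import ipaddress
import struct
from typing import Optional

GRE_IP_PROTOCOL = 47      # protocol field of the carrier IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 passenger
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # RFC 2784/2890 header bits


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), shared by IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) after checking the header checksum."""
    if ones_complement_checksum(pkt[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[20:])


def gre_encapsulate(passenger: bytes, key: Optional[int] = None,
                    seq: Optional[int] = None, proto: int = ETHERTYPE_IPV4) -> bytes:
    """Prepend a GRE header (checksum always present, key/sequence when given)."""
    flags, optional = FLAG_C, b""
    if key is not None:
        flags |= FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        optional += struct.pack("!I", seq)
    base = struct.pack("!HH", flags, proto)
    # The checksum covers the GRE header (checksum field zero) and the whole payload.
    csum = ones_complement_checksum(base + struct.pack("!HH", 0, 0) + optional + passenger)
    return base + struct.pack("!HH", csum, 0) + optional + passenger


def gre_decapsulate(gre: bytes) -> dict:
    """Parse the GRE header, verify the checksum and return the passenger packet."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset, key, seq = 4, None, None
    if flags & FLAG_C:
        # With a correct checksum in place the sum over header+payload folds to zero.
        if ones_complement_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & FLAG_K:
        key, offset = struct.unpack("!I", gre[offset:offset + 4])[0], offset + 4
    if flags & FLAG_S:
        seq, offset = struct.unpack("!I", gre[offset:offset + 4])[0], offset + 4
    return {"protocol_type": proto, "key": key, "sequence": seq, "passenger": gre[offset:]}


def demo() -> dict:
    # Passenger protocol: constructed inner IPv4/UDP packet between two private LANs.
    inner_payload = b"clear text between site A and site B"
    passenger = ipv4_header("10.1.0.10", "10.2.0.20", 17, len(inner_payload), ident=1) + inner_payload
    # Encapsulating protocol: GRE with a tunnel key and sequence number.
    gre = gre_encapsulate(passenger, key=0x2A, seq=1)
    # Carrier protocol: outer IPv4 between the tunnel end-points (constructed addresses).
    carrier = ipv4_header("203.0.113.1", "198.51.100.1", GRE_IP_PROTOCOL, len(gre), ident=2) + gre

    # Receiving end-point: peel the carrier header, then GRE, then forward the passenger.
    outer_src, outer_dst, outer_proto, gre_in = parse_ipv4(carrier)
    decap = gre_decapsulate(gre_in)
    inner_src, inner_dst, inner_proto, _ = parse_ipv4(decap["passenger"])

    # A bit flipped in transit inside the passenger is caught by the GRE checksum.
    corrupted = bytearray(carrier)
    corrupted[-1] ^= 0x01
    try:
        gre_decapsulate(parse_ipv4(bytes(corrupted))[3])
        corruption_detected = False
    except ValueError:
        corruption_detected = True

    return {"outer": (outer_src, outer_dst, outer_proto), "inner": (inner_src, inner_dst, inner_proto),
            "protocol_type": decap["protocol_type"], "key": decap["key"], "sequence": decap["sequence"],
            "passenger_intact": decap["passenger"] == passenger, "corruption_detected": corruption_detected}


if __name__ == "__main__":
    print(demo())
```

Reading the three layers off the parsed result shows the point of section 6: the transit network routes only on the outer header, the GRE Protocol Type tells the far end what kind of frame it is carrying, and the inner addresses are never consulted until decapsulation. Nothing here is encrypted; a GRE tunnel on its own is a tunnel, not the VPN connection the introduction defines.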

7. VPN Overview

7.1 Basic steps

The general process of sending data through a VPN:

(1) A protected host sends clear traffic to a VPN kit located at the point
of connection to the public network.
(2) The source device examines the data according to rules specified
by the network manager, securing the information or allowing it to
pass unaffected.
(3) When data protection is required, the source device encrypts
(encodes) and authenticates (attaches a digital signature to) the whole
packet, including the transmitted data as well as the source and
destination host IP addresses.
(4) The source device then attaches a new header to the data,
including the information that the destination device requires for
security functions and process initialization.
(5) The source VPN kit then encapsulates the encrypted and
authenticated packet with the source and destination IP addresses of
the destination device or devices. This results in a virtual tunnel
through the public network.
(6) When the data reaches the destination device, it is decapsulated,
its digital signature is checked and the packet is decrypted.
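Steps (1) to (6) above, carried through in code. This is an added example and not part of the original notes: it models the ESP-style encapsulation of section 5.1 (SPI, sequence number, IV, truncated integrity check value) in tunnel mode, with constructed gateway and host addresses and a simplified 8-byte outer header in place of a full IP header. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream in counter mode) rather than the AES a real IPsec stack uses, the keys are assumed pre-shared rather than negotiated by IKE, and the "digital signature" of step (3) is an HMAC integrity check value. The receiving side shows the two checks a gateway performs before decrypting: sequence-number replay rejection and ICV verification.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ICV_LEN = 16  # truncated HMAC-SHA256 ICV, the length ESP's HMAC-SHA-256-128 uses


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and authentication keys from one pre-shared secret
    (assumed pre-shared for the example; IPsec would negotiate them with IKE)."""
    enc = hmac.new(shared_secret, b"esp-encryption", hashlib.sha256).digest()
    auth = hmac.new(shared_secret, b"esp-authentication", hashlib.sha256).digest()
    return enc, auth


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 keystream in counter mode XORed onto data.
    Used only so the example runs on the standard library; real ESP uses AES."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, iv + struct.pack("!I", block), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


class SecurityAssociation:
    """One direction of the tunnel: SPI, keys, sequence state and end-point addresses."""

    def __init__(self, spi: int, shared_secret: bytes, local_gw: bytes, remote_gw: bytes):
        self.spi = spi
        self.enc_key, self.auth_key = derive_keys(shared_secret)
        self.local_gw, self.remote_gw = local_gw, remote_gw
        self.send_seq = 0
        self.highest_seen_seq = 0


def encapsulate(sa: SecurityAssociation, inner_packet: bytes) -> bytes:
    """Steps 3-5: encrypt and authenticate the whole inner packet (its header included),
    prepend the ESP fields (SPI, sequence, IV) and a new outer header naming the end-points."""
    sa.send_seq += 1
    iv = os.urandom(16)
    ciphertext = keystream_xor(sa.enc_key, iv, inner_packet)
    esp_header = struct.pack("!II", sa.spi, sa.send_seq) + iv
    icv = hmac.new(sa.auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    outer_header = sa.local_gw + sa.remote_gw   # simplified: only the two tunnel end-point addresses
    return outer_header + esp_header + ciphertext + icv


def decapsulate(sa_table: Dict[int, SecurityAssociation], packet: bytes) -> bytes:
    """Step 6: strip the outer header, reject replays and tampering, then decrypt."""
    outer_src, outer_dst, body = packet[:4], packet[4:8], packet[8:]
    spi, seq = struct.unpack("!II", body[:8])
    sa = sa_table.get(spi)
    if sa is None or outer_src != sa.remote_gw or outer_dst != sa.local_gw:
        raise ValueError("no security association for this SPI and end-point pair")
    if seq <= sa.highest_seen_seq:
        raise ValueError("replayed sequence number")
    esp_header, ciphertext, icv = body[:24], body[24:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, esp_header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("integrity check failed; discarded without decrypting")
    sa.highest_seen_seq = seq   # advance the replay state only after the ICV verified
    return keystream_xor(sa.enc_key, esp_header[8:], ciphertext)


def demo() -> Dict[str, bool]:
    secret = b"constructed pre-shared key"
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])   # constructed gateways
    sa_out = SecurityAssociation(0x1000, secret, gw_a, gw_b)          # as held by gateway A
    sa_in = SecurityAssociation(0x1000, secret, gw_b, gw_a)           # the same SA at gateway B
    # Step 1: a protected host's clear packet (simplified 8-byte inner header + data).
    inner = bytes([10, 1, 0, 10]) + bytes([10, 2, 0, 20]) + b"clear text from protected host"

    wire = encapsulate(sa_out, inner)
    recovered = decapsulate({0x1000: sa_in}, wire)

    def rejected(pkt: bytes) -> bool:
        try:
            decapsulate({0x1000: sa_in}, pkt)
            return False
        except ValueError:
            return True

    tampered = bytearray(encapsulate(sa_out, inner))
    tampered[40] ^= 0x01   # flip a ciphertext byte (ciphertext starts at offset 32)

    return {"roundtrip": recovered == inner,
            "inner_hidden_on_wire": inner[8:] not in wire,
            "replay_rejected": rejected(wire),
            "tamper_rejected": rejected(bytes(tampered))}


if __name__ == "__main__":
    print(demo())
```

The order of operations in `decapsulate` is the part worth copying: look up the SA by SPI, check the sequence number, verify the ICV, and only then spend cycles decrypting, so a forged or replayed packet never reaches the cipher. The introduction's distinction also shows up in the bytes: the outer header and ESP fields form the tunnel, and the encrypted, authenticated inner packet is the VPN connection carried inside it.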

7.2 Advantages of VPN

• Authenticates all packets of data received, ensuring that they are
from a trusted source, while encryption ensures the data remains
confidential.
• Most VPNs connect over the Internet, so call costs are minimal even
if the remote user is a great distance from the central LAN.
• A reduction in the overall telecommunication infrastructure, as the
ISP provides the bulk of the network.
• Reduced cost of management, maintenance of equipment and technical
support. Simplifies network topology by eliminating modem pools and a
private network infrastructure.
• VPNs are easily extended by increasing the available bandwidth and
by licensing extra client software.

7.3 Disadvantages of VPN

• If the ISP or Internet connection is down, the VPN is also down.
• The central site must have a permanent Internet connection so that
the remote clients and other sites can connect at any time.
• May provide less bandwidth than a dedicated-line solution.
• Different VPN manufacturers may comply with different standards.
• All traffic over the VPN is encrypted, regardless of need. This can
potentially cause a bottleneck, since encrypting and decrypting adds
network overhead.
• Provides no internal protection on the corporate network - the VPN
endpoint is typically at the edge of the network.
• Once employees are on the internal corporate network, data is no
longer encrypted.
• Most VPN technologies today do not address performance and
availability issues, important as they are, because the majority of
VPN solutions exist on client machines and gateway servers at the
extreme ends of the communication path. They simply cannot
consistently affect the performance of the network components in the
middle, the Internet.

8. VPN solutions
There are four main components of an Internet-based VPN: the
Internet, security gateways, security policy servers and
certificate authorities. The Internet provides the fundamental
plumbing for a VPN. Security gateways sit between public and private
networks, preventing unauthorized intrusions into the private network.
They may also provide tunneling capabilities and encrypt private data
before it is transmitted on the public network. In general, a security
gateway for a VPN fits into one of the following categories: routers,
firewalls, integrated VPN hardware and VPN software.

Another important component of a VPN is the security-policy server.
This server maintains the access-control lists and other user-related
information that the security gateway uses to determine which traffic
is authorized. For example, in some systems, access can be controlled
via a RADIUS server.
