ABSTRACT
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure,
maintaining privacy through the use of a tunneling protocol and security procedures. This paper presents an analysis of the
performance and special characteristics of VPNs in data communication, with emphasis on Remote Access Virtual Private
Network architectures and their efficient installation. A secure alternative to traditional remote access is IP-based Virtual
Private Networking (IP-VPN). In IP-VPNs, all connections to corporate intranets are calls to a local ISP, carried by the Internet
to a corporate VPN gateway.
Keywords: VPN - Virtual Private Networks, RA-VPN - Remote Access Virtual Private Networks, ISP - Internet
Service Provider, RRAS - The Routing and Remote Access Service, RADIUS - Remote Authentication Dial-In User
Service.
1. INTRODUCTION
A Virtual Private Network (VPN) is a public network being used for private communication. The VPN connection is an
authenticated and encrypted communications channel, or tunnel, across this public network, such as the Internet.
Because the network is considered insecure, encryption and authentication are used to protect data while in transit.
VPN service is considered to be application-independent, in that client operation is transparent to the user and all
information exchanged between the two hosts (World Wide Web, File Transfer Protocol, e-mail, etc.) is transmitted across
the encrypted channel. A Virtual Private Network (VPN) is a private data network that makes use of the public
telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one
company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much
lower cost by using the shared public infrastructure[1].
1.1 Routing
A router is a device that manages the flow of data between network segments, or subnets. A router directs incoming and
outgoing packets based on the information about the state of its own network interfaces and a list of possible sources
and destinations for network traffic. By projecting network traffic and routing needs based on the number and types of
hardware devices and applications used in your environment, we can decide whether to use a dedicated hardware
router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing
demands best, and less expensive software-based routers handle lighter routing loads. A software-based routing
solution, such as RRAS in Windows, can be ideal on a small, segmented network with relatively light traffic between
subnets. Enterprise network environments that have a large number of network segments and a wide range of
performance requirements might need a variety of hardware-based routers to perform different roles throughout the
network[1].
1.2 Remote access
By configuring RRAS to act as a remote access server, we can connect remote networks. Remote users can work as if
their computers are directly connected to the network. All services typically available to a directly connected user
including file and printer sharing, Web server access, and messaging are enabled by means of the remote access
connection.
An RRAS server provides two different types of remote access connectivity:
Virtual Private Networking. A virtual private network (VPN) is a secured, point-to-point connection across a
public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols
to make a connection to a port on a remote VPN server. The VPN server accepts the connection, authenticates the
connecting user and computer, and then transfers data between the VPN client and the corporate network.
Dial-Up Networking. In dial-up networking, a remote access client makes a dial-up telephone connection to a
physical port on a remote access server by using the service of a telecommunications provider, such as analog
telephone or ISDN. Dial-up networking over an analog phone or ISDN is a direct physical connection between the
dial-up networking client and the dial-up networking server.
Remote access is best defined as providing access to fixed site resources for users who are not at a fixed workstation at
that same site's Local Area Network (LAN). The largest remote access user community is mobile
or telecommuting users, such as a sales force or field engineering team. Figure - 1 illustrates a traditional remote access
network using the Public Switched Telephone Network (PSTN) or the Integrated Services Digital Network (ISDN).
2. AUTHENTICATION
Authentication is the first major component of a VPN. Authentication is the process of identifying the entity (user,
router, or network device) requiring access. This authentication is often done by means of a cryptographic function,
such as a challenge/response algorithm. The following sections discuss the other authentication methods[3]:
Point-to-Point Tunneling Protocol with Password Authentication Protocol/Challenge Handshake Authentication Protocol (PPTP-PAP/CHAP)
Digital certificates
RADIUS servers
2.1 PPTP-PAP/CHAP
Password Authentication Protocol (PAP) is the most insecure authentication method available today because both the
username and password are sent across the link in clear text. Anyone monitoring the connection could collect and use
the information to gain access to the network. The Challenge Handshake Authentication Protocol (CHAP) works
as follows:
1. The client establishes a connection with the server and the server sends a challenge back to the client.
2. The client then performs a hash (mathematical) function over the challenge and the shared secret, adds some extra
information, and sends the response back to the server for verification.
3. The server looks up the secret in its database and computes the same hash with the challenge.
4. If the two results are the same, authentication succeeds.
While CHAP eliminates the dictionary attack that PAP's cleartext exchange invites, the hashing function could still be
attacked. CHAP also supports the (user-transparent) periodic re-challenge of the client username/password during the
session to protect against wire-tapping[2][3].
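The following Python sketch is an added example, not code from the paper, that runs the four CHAP steps above with both sides in one process and puts PAP beside it for contrast. The response construction MD5(identifier || secret || challenge) is the one specified in RFC 1994, which the paper does not spell out; the class names, the demo credential and the wire-capture helper are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo credential store. CHAP requires the server to hold the
# reusable secret itself (a one-way stored hash would not suffice), which is one
# reason the hashing step remains attackable if the server or a capture leaks.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """CHAP response as specified in RFC 1994: MD5(identifier || secret || challenge).
    The identifier is the 'extra information' the text mentions; it ties the
    response to one specific challenge round."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues random challenges and verifies responses."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.next_id = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        """Step 1: send a fresh random challenge under a new identifier.
        Calling this again mid-session is the periodic re-challenge."""
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self.outstanding[self.next_id] = challenge
        return self.next_id, challenge

    def verify(self, identifier, username, response):
        """Steps 3 and 4: recompute the hash from the stored secret and compare."""
        challenge = self.outstanding.pop(identifier, None)  # each challenge is single-use
        if challenge is None or username not in self.user_db:
            return False
        expected = chap_response(identifier, self.user_db[username], challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side: holds the secret and answers challenges (step 2)."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def respond(self, identifier, challenge):
        return self.username, chap_response(identifier, self.secret, challenge)


def run_chap(server, client):
    """One full challenge/response round; returns (success, bytes seen on the wire)."""
    identifier, challenge = server.challenge()
    username, response = client.respond(identifier, challenge)
    on_wire = challenge + username.encode() + response  # what an eavesdropper captures
    return server.verify(identifier, username, response), on_wire


def run_pap(username, password):
    """PAP for contrast: the credential itself crosses the link in the clear."""
    return username.encode() + b":" + password  # exactly what an eavesdropper captures
```

Because each challenge is removed from `outstanding` once answered, a captured response replayed later is rejected; the wire capture from the CHAP round never contains the secret, while the PAP capture is the credential itself.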
2.2 Digital Certificates
Digital certificates include information about the owner of the certificate; therefore, when users visit the (secured) web
site, their web browsers check the information on the certificate to see whether it matches the site information included
in the URL. A digital certificate could be likened to a security driver's license. Certificates are issued by Certificate
Authorities (CAs). The contents of a digital certificate include the certificate holder's identity, the certificate's
serial number, a valid, unchangeable date for the transaction, the certificate's expiration date, a copy of the certificate
holder's public key (for encryption and/or signature verification), and the group name, city and state.
2.3 RADIUS Servers
Remote Authentication Dial-In User Service (RADIUS) is a distributed system that secures network remote access and
network resources against unauthorized access. RADIUS authentication has two components:
Authentication server - installed at the customer's site; holds all user authentication and network access
information.
Client protocol - the RADIUS client sends authentication requests to the RADIUS server and then acts on the
acknowledgements the server sends back.
RADIUS is not limited to dial-up service; many firewall vendors support a RADIUS server implementation[2][3].
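As an added example that is not part of the paper, the Python below plays both RADIUS components in one process: the client (in a VPN deployment, the remote access server) builds an Access-Request, and the server answers with Access-Accept or Access-Reject that the client verifies before acting on it. The packet layout, the User-Password hiding with MD5 and the Response Authenticator follow RFC 2865, which the paper does not describe; the shared secret, user database and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: the shared secret is configured on both the RADIUS
# client and the RADIUS server; the user database lives only on the server.
SHARED_SECRET = b"demo-shared-secret"
USER_DB = {b"alice": b"Passw0rd!"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute: stop rather than loop forever
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # strip padding (demo assumes no trailing NUL in passwords)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, secret):
    """Client side: Access-Request carrying a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(request, secret, user_db):
    """Server side: unhide the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and user in user_db and hidden is not None
          and hmac.compare_digest(user_db[user], reveal_password(hidden, secret, request_auth)))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return build_packet(reply, ident, auth, [])


def client_check_response(request, response, secret):
    """The client acts on a reply only if it matches the outstanding request's ID
    and its Response Authenticator verifies under the shared secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, client_secret=SHARED_SECRET,
                 server_secret=SHARED_SECRET, user_db=USER_DB):
    """Full exchange; 'unverified' means the reply did not authenticate (wrong
    secret on the server, or a forged packet) and must not be acted on."""
    request = build_access_request(7, username, password, client_secret)
    response = radius_server(request, server_secret, user_db)
    if not client_check_response(request, response, client_secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

The `server_secret` parameter exists only so the example can show why the shared secret matters: a server that does not hold the client's secret cannot recover the password and, more importantly, cannot produce a Response Authenticator the client will accept, so its reply is discarded rather than trusted.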
confidentiality, data integrity, and data authentication. Unlike PPTP and SSTP, L2TP/IPsec enables machine
authentication at the IPsec layer and user level authentication at the PPP layer.
SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1), Windows Server 2008,
and later versions of Windows. By using SSL, SSTP VPN connections provide data confidentiality, data integrity,
and data authentication.
IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2. By using IPsec, IKEv2
VPN connections provide data confidentiality, data integrity, and data authentication. IKEv2 supports the latest
IPsec encryption algorithms. Because of its support for mobility (MOBIKE), it is much more resilient to changing
network connectivity, making it a good choice for mobile users who move between access points and even switch
between wired and wireless connections[4].
4. VPN ARCHITECTURE
Several VPN network architectures are deployed by enterprise organizations for VPN services. The following Remote
Access VPN network architectures are discussed in the following sections[2]-[5]:
Firewall Based
Black-Box Based
Router Based
Remote-Access Based
4.1 Firewall-Based VPNs
With firewall-based VPNs, it is considered a safe presumption that a firewall will be used and placed at the network
perimeter, as illustrated in Figure - 6.
The intranet-based VPN connection takes advantage of IP connectivity in an organization's Local Area Network
(LAN).
4.5.1 Remote Access VPN Connections over an Intranet
In some organization intranets, the data of a department, such as human resources, is so sensitive that the network
segment of the department is physically disconnected from the rest of the intranet. While this protects the data of the
human resources department, it creates information accessibility problems for authorized users not physically connected
to the separate network segment. VPN connections help provide the required security to enable the network segment of
the human resources department to be physically connected to the intranet. In this configuration, a VPN server can be
used to separate the network segments. The VPN server does not provide a direct routed connection between the
corporate intranet and the separate network segment. Users on the corporate intranet with appropriate permissions can
establish a remote access VPN connection with the VPN server and gain access to the protected resources. Additionally,
all communication across the VPN connection is encrypted for data confidentiality. The following figure shows remote
access over an intranet[5]-[10].
4.5.2 VPN Connection Allowing Remote Access to a Secured Network over an Intranet
Figure - 11: VPN Connection Allowing Remote Access to a Secured Network over an Intranet
4.5.3 Site-to-Site VPN Connections over an Intranet
Two networks can be connected over an intranet using a site-to-site VPN connection. This type of VPN connection
might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to
communicate with each other. For instance, the finance department might need to communicate with the human
resources department to exchange payroll information. The finance department and the human resources department
are connected to the common intranet with computers that can act as VPN clients or VPN servers. When the VPN
connection is established, users on computers on either network can exchange sensitive data across the corporate
intranet. The following figure shows two networks connected over an intranet[5]-[10].
4.5.4 VPN Connecting Two Networks over an Intranet
of dedicated facilities and hardware. A VPN is made up of three technologies that, when used together, form the secure
connection: authentication, tunneling, and encryption. We need to do the following before we configure an RRAS
server as a remote access VPN server[5]-[9].
Determine which network interface connects to the Internet and which network interface connects to your private
network. During configuration, you will be asked to choose which network interface connects to the Internet. If you
specify the incorrect interface, your remote access VPN server will not operate correctly.
Determine whether remote clients will receive IP addresses from a DHCP server on your private network or
directly from the remote access VPN server that you are configuring. If you have a DHCP server on your private
network, the remote access VPN server can lease 10 addresses at a time from the DHCP server and assign those
addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN
server can assign IP addresses to remote clients from a predefined pool of addresses. You must determine that
range based on your network infrastructure.
If you are using DHCP, determine whether VPN clients are able to send DHCP messages to the DHCP server on
your private network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages
from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server
is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay
DHCP messages between clients and the server.
Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication
Dial-In User Service (RADIUS) server or by the remote access VPN server that you are configuring. Adding a
RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other
RADIUS clients to your private network. For more information, see Network Policy Server Help.
Verify that all users have user accounts that are configured for dial-up access. Before users can connect to the
network, they must have user accounts on the remote access VPN server or in Active Directory Domain Services
(AD DS). Each user account on a stand-alone server or a domain controller contains properties that determine
whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user
account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by
right-clicking the user account in the Active Directory Users and Computers console and clicking Properties.
6. CONCLUSION
Remote access solutions are deployed by enterprise organizations to provide access to fixed-site resources for remote
users who are not at a fixed workstation on that site's LAN. A virtual private network (VPN) is a public network being used
for this private and secure communication between the remote (telecommuting or mobile) user and the organization's
LAN. This VPN connection is authenticated and encrypted across the public network. Often this public network
is the Internet.
REFERENCES
[1] Dave Kosiur, Wiley & Sons, Building and Managing Virtual Private Networks; ISBN: 0471295264, pp. 35-110.
[2] John Mains, VPNs A Beginners Guide, McGraw Hill; ISBN: 0072191813, pp. 28-72.
[3] Dr.S.S.Riaz Ahamed & P.Rajamohan, Comprehensive performance Analysis and special issues of Virtual Private
Network Strategies in the computer Communication: a Novel Study, International Journal of Engineering Science
and Technology (IJEST), ISSN : 0975-5462 Vol. 3 No. 7 July 2011, pp. 640-648.
[4] Wei Luo, Carlos Pignataro, Dmitry Bokotey, Anthony Chan (Cisco Press 2005), Layer 2 VPN Architectures,
pp.73-122.
[5] Cisco Press, Network Sales and Services Handbook (Cisco Press Networking Technology), Chapter 16, Remote Access VPNs, p. 138.
[6] Alwin Thomas and George Kelley, Cost-Effective VPN-Based Remote Network Connectivity Over the Internet,
2003.
[7] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. Types of VPN, pp. 24-26.
[8] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. VPN Over IPSec., pp. 36-39.
[9] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. Explanation of the IPSec protocols, pp. 39-45.
[10] B. Gleeson et al., IP Based Virtual Private Networks, RFC 2764, February 2000.
AUTHOR
DR. P. RAJAMOHAN received his Bachelor of Science Degree in Physics; later he obtained his Post
Graduate Diploma in Computer Applications (PGDCA), Master's Degree in Computer Applications
(MCA) and PhD in Computer Science. His primary research interests are in Virtual Private Network
Implementation for Efficient Data Communication, Wireless Networks and Sensor Communications. He
is a member of the Institution of Engineers (India), an Associate Member in Cisco Certified Networks
and a member of the International Association of Engineers (IAENG). Dr. P. Rajamohan has over 20
years of experience in both academia and the IT industry. He is currently working as a Senior Lecturer in the School of
Information Technology, SEGi University, Malaysia.