Seminar Report 03

VPN

1. INTRODUCTION
The world has changed a lot in the last couple of decades. Instead of
simply dealing with local or regional concerns, many businesses now have to
think about global markets and logistics. Many companies have facilities spread
out across the country or around the world, and there is one thing that all of them
need: A way to maintain fast, secure and reliable communications wherever their
offices are. Until fairly recently, this has meant the use of leased lines to maintain
a wide area network (WAN). Leased lines, ranging from ISDN (integrated
services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber,
provided a company with a way to expand its private network beyond its
immediate geographic area. A WAN had obvious advantages over a public
network like the Internet when it came to reliability, performance and security.
But maintaining a WAN, particularly when using leased lines, can become quite
expensive and often rises in cost as the distance between the offices increases.
As the popularity of the Internet grew, businesses turned to it as a means
of extending their own networks. First came intranets, which are passwordprotected sites designed for use only by company employees.

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

A simple VPN model is shown below.

VIRTUAL PRIVATE NETWORKS

A company has its Main office, Remote office, Home office at various
sites and these can interact with each other via the virtual network.

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

2. VPN TYPES
We all know WAN is simply the collection of local area networks,each
located in geographically diverse locations connected to each other to form a
single network. Leased lines which were initially used though forms a private
network,it ought to be expensive. But VPN,using the power of the public
medium,it helped to create a private connection called tunnel to switch data from
one geographical location to the other.
A VPN provides network to network or remote user to network
connectivity via the encrypted tunnel.Datas must be encapsulated in a IP packet
before it can be sent across a VPN.Network users use various encryption and
authentication schemes to provide security.Some VPN require specialisedv
hardware,while some may require specialised software or some both that adds
VPN capabilities to firewall,server or router.
Since VPN depends critically on the Internet,ISP becomes drivers of VPN
technology. Therefore organisation using VPN becomes dependent on the ISP.If
ISP faces bandwidth limitation or technical difficulties, the VPN will also face
the same.
VPN can be of following types:
REMOTE ACCESS
SITE TO SITE

REMOTE ACCESS
Also called a virtual private dial-up network (VPDN), this is a user-toLAN connection used by a company that has employees who need to connect to
the private network from various remote locations. Typically, a corporation that
wishes to set up a large remote-access VPN will outsource to an enterprise
Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

service provider (ESP). The ESP sets up a network access server (NAS) and
provides the remote users with desktop client software for their computers. The
telecommuters can then dial a toll-free number to reach the NAS and use their
VPN client software to access the corporate network.
A good example of a company that needs a remote-access VPN would be a
large firm with hundreds of sales people in the field. Remote-access VPNs permit
secure, encrypted connections between a company's private network and remote
users through a third-party service provider.

SITE-TO-SITE
Through the use of dedicated equipment and large-scale encryption, a
company can connect multiple fixed sites over a public network such as the
Internet. Site-to-site VPNs can be either:
Intranet-based - If a company has one or more remote locations that they
wish to join in a single private network, they can create an intranet VPN to
connect LAN to LAN.
Extranet-based - When a company has a close relationship with another
company (for example, a partner, supplier or customer), they can build an
extranet VPN that connects LAN to LAN, and that allows all of the various
companies to work in a shared environment.

The following is the examples of the three types of VPN.

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

VPN TYPES

3. TUNELLING

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

Virtual Private Network protect tunelled dat through a combination of

encryption, mutual host authentcation and protocol tunelling. One of the most
basic method of protecting transmitted data is encryption.This involves
scrambling the transmitted data using mathematical formula,so that even though
the data transmission may be intercepted, it cannot be recovered without the
correct key.
Encryption can be either be hardware enabled through network devices
like routers or through software.While in the case of software,encryption takes
place when you correct through the tunneling protocol like PTTP,in the case of
router encryption it is performed on the fly.
One of the biggest difficulty encountered over the Internet is identifying
the person or a computer at the other end of the wire.This is addressed by the
authentication,a process where the two hosts verify eachother.This can be done
through the X.2509 standard digital certificate which exchages electronic
signatures between the two parties.This electronic signature is then verified by a
trust third party,usually a public-certifying authority or the company`s own
certificate server.
Alternatively,the host can also verify each other using protocols like
Secure Shell(SSH).In this case the hosts exchange two keys, a host key and a
server key. The receiving computer compares the host key with the keys inthe
database. If the keys chacks out, the computer at the other end is validated as a
genuine case.The PC then generates a session key using the host an the server
key which is used to encrypt data transmission between the two computers.To
ensure a high level of protection,the server key is changed on an hourly basis.
Finally there is a protocol tunneling. When data is transmitted on a
network in the form of packets, the header-which gives information on the packet
source, destination and number of packets transmitted- is in text format. The
Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

information can be used by hackers to gain access to either the system or the data
being transmitted. Protocol tunneling takes data packets, encrypts them and then
encapsulates them again in another clear text packet. This ensures that even if
data transmission is intercepted the original header information is not
available.Once these packets reach their destination,a router equipped with
encryption and decryption capabilities decrypts the packet restoring the original
data packets.

PRIVATE NETWORKS
The too old trend or large companies to have own fully private dial in
networks(completely with modem banks, access servers and technical service
personnel deployed at each company sites is being reversed as the ubiquitious
presence of Internet access site makes it attractive to use the resources offered by
the Internet service providers(ISP).Such outsourcing allows employees to dial-in
to an access server at a nearby ISP site and send packets over the Internet router
for delivery to their Co. home networks. The very router vendor who provide
VPN tunnels between permanent Co. sites are also competing for the
oppurtuinity to provide VPN tunnels for dial-in users as well.But they are
handicapped in the solution they can offer because they model tunnels as routerto-router constructs though there`s no router at the user end.If these vendors are
to have a share in the outsourcing of a company`s dial-in service,this has to be
achieved using one of the following models:
Outsource a private site
Share an outsourced site
Outsource a private access server
Share an access server

OUTSOURCE A PRIVATE SITE

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

A company desiring to outsource its access responsibility can ask an ISP to

manage a site for it.ISPs themselves generally put their own dial-up equipment in
the locations are termed as points of presence(POP).Under this model,a company
may enter into a contract with the ISP to establish private POPs for its
employees.This really moves the company`s private dial-up equipment to the site
which is managed by the ISP.
If the resources of a POP are dedicated to a single company, then the POP
is not different from a remote company site, and therefore the same routing
equipment used at the company`s headquarters can be used at the POP. Since the
site is private, all packets at the site can be in the clear. Tunnels only run between
the router at the POP and the router at the company`s headquarters.
This approach offloads the access responsibility to the ISP, but it is likely
to be more expensive than any other option because equipment cost are not
shared. It has the further disadvantage that it require private facilities at as many
POP as needed to provide local access to employees. Such an arrangement also
locks employees.
Finally, an ISP has to manage a list of authorized user name and password
on behalf of the company to help control access to the private site.All this
necessitates that a very close relationship exists between the outsourcing
company and the ISP for this model to succeed.In this model,if the company
employees want to simultaneously access company and Internet resources,they
tunnel to the company ,and then venture out to the Internet as though they were
initiating contact from their place of work.

SHARE AN OUTSOURCED SITE

This model is an extension of the previous one in that a number of
companies enter into a contract with an ISP to avail of the latters access service
Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

not privately, but in a shared manner. The major benefit, of course. is the
resulting cost saving for the outsourcing company. In this model, we presume that
each company using the shared site provides a router to tunnel its private traffic
back to its headquarters.
If the equipment at the POP is not dedicated to a single company, the
shared access server and LAN element need to be trusted, since company packets
will be vulnerable on their way to and from the companys dedicated router. Such
packets are exposed to ISP personnel at the site, and are subject to routing
misadventures that expose them more generally to the entire Internet, and in
particular to other companies who have their own encrypting routers on the
POPs shared LAN. If access servers are shared then user and password databases
will be co-mingled at the site, and the access server software will have to be
careful enough to direct all packets from a given dial-in port to the one and only
one tunneling router. If packets go through the wrong tunnel, They will end up at
the wrong headquarters.

Dept. of IT

MESCE, Kuttippuram

Seminar Report 03

VPN

In this model, users cannot go through their tunnel to work, and then on to
the Internet without running the risk that their return packets will be routed back
through a wrong tunnel. This means that an Internet access all tunneling routers
at the site are exposed to an arbitrary Internet packet traffic. This makes security
considerations a major issue for outsourcing companies, and hence this model is
not workable in many scenarios.

OUTSOURCE A PRIVATE ACCESS SERVER

The previous models are not very attractive in that they are expensive,
restrictive, and in some cases not very secure. They treat the ISP as a trusted
extension of the outsourcing company. Though site outsourcing may make sense
in certain situations, it is not likely to become a common practice. Site
outsourcing may not be favoured by router vendors, except when they can sell a
bunch of new routers to ISPs. All this brings us to another approach.
Instead of beginning the tunnel at the site router on behalf of all access
servers with the ISP, it should be possible to begin a tunnel at each access server.
This way, packets received at a dial-in port can be encrypted and encapsulated,
and thus enter the tunnel before leaving the server so that they are never in the
clear on the ISP LAN. Placing the tunnel function in the access server is such a
compelling improvement over the earlier two models that it has received a focal
attention of all vendors. It has also provided the impetus for many new or
proposed standards that may offer a multivendor interoperability for server-router
tunnels.
This model assumes that an outsourcing company asks an ISP to deploy
some access servers at each POP, and dedicate them for the companys
employees. The phone numbers of these dedicated resources are made available
only to company personnel. Of course, the ISP must know employee names and
passwords so as to guard access to these servers, but if the servers are effectively
Dept. of IT

10

MESCE, Kuttippuram

Seminar Report 03

VPN

protected, the company does not have to worry about uses on other servers
getting into one of their tunnels. Under this scheme, new codes are required for
both access servers and the HQ (headquarters) router.
This is because, among other things, there is more than one tunnel from all
ISP sites. The router itself becomes just another dial-in server, having logical
ports in place of physical ports. Each tunnel terminates at one of the routers
logical ports, and from there the de-encapsulated, decrypted packets are gated on
to the company LAN. To distinguish such a logical access server from routers, an
increasingly popular term home gateway is being used. Almost all of these
server-to-home gateway tunneling schemes are direct outgrowths of ubiquitous
PPP (point-to point protocol) schemes used for exchanging packets between
desktops and access servers over telephone lines.
In tunneling schemes, the access server and the home gateway assume the
roles played in PPP by the dialing desktop and the dialed access server
respectively. Tunnel protocols allow for the user name and password originally
collected by the ISP to be forwarded to the home gateway so that the company
can perform user authentication if it wants to. However, the access server must
not only perform the new tunnel functions, but also IPX and Appletalk
encapsulation functions (these funny packets must be handled on the PPP link
with the user. but are encapsulated in IP packets so that they never hit the ISP
LAK). Also the company itself must worry about providing full service desktop
software to all its employees as before. It is possible for employees to have two
different accounts with the ISP so that they can alternately receive tunnel, or clear
Internet service. Current approaches do not offer a way to support both tunnelled
and clear traffic services simultaneously.

SHARE AN OUTSOURCED ACCESS SERVER

Dept. of IT

11

MESCE, Kuttippuram

Seminar Report 03

VPN

Because the new access servers are able to establish tunnels on behalf of
each dial-in port, there is no reason why each tunnel cannot go to a different
home gateway. Home gateways can be selected on the basis of user identity as
authenticated by the ISP, and so tunnels from a single access server can go to
different companies at the same time. Economy apart, this functionality is not
necessarily any better than the prior scheme, and may be inferior in many ways.
For example. in this model, company authentication data does need to be held by
the ISP, and access servers need to be trusted more than ever before. In addition
until tunneling protocols are truly interoperable, it may not be possible for access
serves from vendor A to talk to home gateways from vendor B. This implies many
constraints for ISPs in the deployment of servers and allocation of phone
numbers, modem types, etc.

Dept. of IT

12

MESCE, Kuttippuram

Seminar Report 03

VPN

4. VPN PROTOCOLS
The term VPN has taken on many different meanings in recent years.
VPNC has a white paper about VPN technologies (PDF format) that describes
many of the terms used in the VPN market today. In specific, it differentiates
between secure VPNs and trusted VPNs, which are two very different
technologies.
For secure VPNs, the technologies that VPNC supports are
IPsec with encryption
L2TP inside of IPsec
For trusted VPNs, the technologies that VPNC supports are:
MPLS with constrained distribution of routing information.
IPsec is by far the most dominant protocol for secure VPNs. L2TP running
under IPsec has a much smaller but significant deployment. For trusted VPNs,
the market is split on the two MPLS-based protocols.

STANDARDS
The various VPN protocols are defined by a large number of standards and
recommendations that are codified by the Internet Engineering Task Force
(IETF). There are many flavors of IETF standards, recommendations, statements
of common practice, and so on. Some of the protocols used in IPsec are full IETF
standards; however, the others are often useful and stable enough to be treated as
standard by people writing IPsec software. Neither of the trusted VPN
technologes are IETF standards yet, although there is a great deal of work being
done on them to get them to become standards.

Dept. of IT

13

MESCE, Kuttippuram

Seminar Report 03

VPN

RFC
The IETF codifies the decisions it comes to in documents called "Requests
For Comments". These are almost universally called by their acronym "RFCs".
Many RFCs are the standards on which the Internet is formed.
The level of standardization that an RFC reaches is determined not only
by how good the RFC is, but by how widely it is implemented and tested. Some
RFCs are not solid standards, but they nonetheless document technologies that
are of great value to the Internet and thus should be used as guidelines for
implementing VPNs. For the purpose of defining VPNs, any protocol that has
become an IETF Request For Comments (RFC) document can be treated as some
what of a standard. Certainly, any IPsec-related RFC that has been deemed to be
on the IETF "standards track" should certainly be considered a standard.

INTERNET DRAFTS
Before a document becomes an RFC, it starts out as an Internet Draft
(often called "IDs" or "I-Ds"). IDs are rough drafts, and are sometimes created
for no other benefit than to tell the Internet world what the author is thinking. On
the other hand, there is often very good information in some IDs, particularly
those that cover revisions to current standards.
Some Internet Drafts go along for years, but are then dropped or
abandoned; others get on a fast track to becoming RFCs, although this is rare.
Internet Drafts are given names when they first appear; if they become RFCs, the
I-D name disappears and an RFC number is assigned.
It should be emphasized here that it is unwise to make any programming
decisions based on information in Internet Drafts. Most IDs go through many
rounds of revisions, and some rounds make wholesale changes in the protocols
Dept. of IT

14

MESCE, Kuttippuram

Seminar Report 03

VPN

described in a draft. Further, many IDs are simply abandoned after discussion
reveals major flaws in the reasoning that lead to the draft.
That being said, it is worthwhile to know which IDs pertain to areas of
interest. The following is a list of the IDs that are related to Internet mail. Some
of these drafts will likely become RFCs in the months or years to come, possibly
with heavy revision; some will be merged with other drafts; others will be
abandoned.

5. VPN SECURITY
A VPN uses several methods for keeping your connection and data secure:

Dept. of IT

15

MESCE, Kuttippuram

Seminar Report 03

VPN

FIREWALLS
A firewall provides a strong barrier between your private network and the
Internet. You can set firewalls to restrict the number of open ports, what type of
packets are passed through and which protocols are allowed through. Some VPN
products, such as Cisco's 1700 routers, can be upgraded to include firewall
capabilities by running the appropriate Cisco IOS on them. You should already
have a good firewall in place before you implement a VPN, but a firewall can
also be used to terminate the VPN sessions.
If you have been using the Internet for any length of time, and especially if
you work at a larger company and browse the Web while you are at work, you
have probably use firewall. For example, you often hear people in companies say
things like, I can't use that site because they won't let it through the firewall.If
you have a fast Internet connection into your home (either a DSL connection or a
cable modem), you may have found yourself hearing about firewalls for your
home network as well. It turns out that a small home network has many of the
same security issues that a large corporate network does. You can use a firewall
to protect your home network and family from offensive Web sites and potential
hackers.

FIREWALL ACTION

Dept. of IT

16

MESCE, Kuttippuram

Seminar Report 03

VPN

Basically, a firewall is a barrier to keep destructive forces away from your

property. In fact, that's why its called a firewall. Its job is similar to a physical
firewall that keeps a fire from spreading from one area to the next.

ENCRYPTION
This is the process of taking all the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to
decode. Most computer encryption systems belong in one of two categories:
Symmetric-key encryption
Public-key encryption
In symmetric-key encryption, each computer has a secret key (code) that
it can use to encrypt a packet of information before it is sent over the network to
another computer. Symmetric-key requires that you know which computers will
be talking to each other so you can install the key on each one. Symmetric-key
encryption is essentially the same as a secret code that each of the two computers
must know in order to decode the information. The code provides the key to
decoding the message. For example: You create a coded message to send to a
friend in which each letter is substituted with the letter that is two down from it
in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already
told a trusted friend that the code is "Shift by 2". Your friend gets the message
and decodes it. Anyone else who sees the message will see only nonsense. The
sending computer encrypts the document with a symmetric key, then encrypts the
symmetric key with the public key of the receiving computer. The receiving
computer uses its private key to decode the symmetric key. It then uses the
symmetric key to decode the document.
Public-key encryption uses a combination of a private key and a public
key. The private key is known only to your computer, while the public key is
Dept. of IT

17

MESCE, Kuttippuram

Seminar Report 03

VPN

given by your computer to any computer that wants to communicate securely

with it. To decode an encrypted message, a computer must use the public key,
provided by the originating computer, and its own private key. A very popular
public-key encryption utility is called Pretty Good Privacy (PGP), which allows
you to encrypt almost anything. You can find out more about PGP at the PGP
site.

IPSEC PROTOCOL

IPSEC FAVOURING FOR A SECURE SYSTEM

Internet Protocol Security Protocol (IPSec) provides enhanced security

features such as better encryption algorithms and more comprehensive
authentication. IPSec has two encryption modes: tunnel and transport. Tunnel
encrypts the header and the payload of each packet while transport only encrypts
the payload. Only systems that are IPSec compliant can take advantage of this
protocol. Also, all devices must use a common key and the firewalls of each
network must have very similar security policies set up. IPSec can encrypt data
between various devices, such as:
Router to router
Firewall to router
PC to router
Dept. of IT

18

MESCE, Kuttippuram

Seminar Report 03

VPN

PC to server

AAA SERVER
AAA (authentication, authorization and accounting) servers are used for
more secure access in a remote-access VPN environment. When a request to
establish a session comes in from a dial-up client, the request is proxied to the
AAA server. AAA then checks the following:
Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)
The accounting information is especially useful for tracking client use for
security auditing, billing or reporting purposes.

6. RELIABILITY AND PERFORMANCE

Because VPN uses the Internet, they can incure reliability and
performance problems due to congestion,dropped packets and other factors.This
could cause problems for real time applications,such as telephony and video
conferencing.
Some large ISPs are trying to alleviate reliability concerns by keeping all
customer VPN traffic on their own backbone.

Dept. of IT

19

MESCE, Kuttippuram

Seminar Report 03

VPN

7. ADVANTAGES
The primary advantage of a VPN is that it cut cost. Compared to the
traditional WAN,VPN are a cheap way to build global networks,It partially
eliminates the modem banks, access server, phone lines and other types of
hardware organisations must install to provide remote access to traditional private
networks. To connect two far flung networks, all that is the dedicated link or
backbone between these two networks. Since the Internet is a public network,
cost are shared by all Internet users, resulting in low access cost.
Another advantage is that network expansion becomes a function of how
quickly one can get a leased data connection to the nearest ISP. For the sharing of
networked resources by business partners is facilitated since the question of
incompatible system is already addressed in the Internet. Remote entry by
authorised users with Internet access is possible.
A well-designed VPN can benefit a company by the following
factors.Extend geographic connectivity; Improve security; Reduce operational
costs versus traditional WAN; Reduce transit time and transportation costs for
remote users; Improve productivity; Simplify network topology; Provide global
networking opportunities; Provide telecommuter support; Provide broadband
networking compatibility and Security.
And farall practical purposes a VPN is a transperent as a traditional
WAN.Whatever can be done on a WAN can be done n a VPN

Dept. of IT

20

MESCE, Kuttippuram

Seminar Report 03

VPN

8. DISADVANTAGE
If the level of security provided is insufficient, then it can be hazardeous.
Since VPN is connected to the public network-Intrnet, it is prone to be hacked.
Though all the network have some basic security-user authentication thru
password verification that prevents such access, they are often insufficient.
Therefore two key security issues are protecting the network from
breaking and also protecting the integrity of data being transmitted and validate
the identity of the user over the Internet. This can be achieved by using a
combination of encryption, host authentication and protocol tunneling.

Dept. of IT

21

MESCE, Kuttippuram

Seminar Report 03

VPN

9. CONCLUSION
As the cost of setting up the global network is prohibitively costly for
small and medium sized business, Virtual private network offers cheap way to
build WAN. The problems accomplished by VPN concerns security and
performance. The standardisation of VPN technology will lead to its wide spread
use among network users.

Dept. of IT

22

MESCE, Kuttippuram

Seminar Report 03

VPN

10. REFERENCES
1. The book titled Security VPNs by Carton R Davis
2. The book titled computer Networks by Halsaal
3. The book titled computer Networks by Andrews Tanenbaum
4. www.google.com
5. www.cisco.com

Dept. of IT

23

MESCE, Kuttippuram

Seminar Report 03

VPN

ABSTRACT
Virtual Private Networks is a concept introduced to implement global
Wide Area Network(WAN) on the Internet. This way enormous costs involved in
the traditional implementation of these networks i.e. through dedicated lines or
satellite links is reduced considerably. A way to maintain fast, secure and reliable
communications is attained wherever the offices are.
In the VPN, Internet is used as the data pipelined replacing the traditional
datalines. This approach is just right for small and medium sized business firms.
Now, many companies are creating their own VPN (virtual private network) to
accommodate the needs of remote employees and distant offices. Each remote
member of your network can communicate in a secure and reliable manner using
the Internet as the medium to connect to the private LAN, by simply making a
contract with the ISP. A VPN can grow to accommodate more users and different
locations much easier than a leased line. In fact, scalability is a major advantage
that VPNs have over typical leased lines. Unlike with leased lines, where the cost
increases in proportion to the distances involved, the geographic locations of
each office matter little in the creation of a VPN.

Dept. of IT

24

MESCE, Kuttippuram

Seminar Report 03

VPN

CONTENTS
1. INTRODUCTION
2. VPN TYPES:
2.1. REMOTE ACCESS
2.2. SITE TO SITE
3. TUNNELING
3.1. PRIVATE NETWORKS
3.2. OUTSOURCED SHARED MODELS
3.2.1. OUTSOURCE A PRIVATE SITE
3.2.2. OUTSOURCE A PRIVATE SITE
3.2.3. SHARE AN OUTSOURCED SITE
3.2.4. OUTSOURCE A PRIVATE ACCESS SERVER
3.2.5. SHARE AN ACCESS SERVER
4. PROTOCOLS
4.1. STANDARDS
4.1.1. RFC
4.1.2. INTERNET DRAFTS
5. SECURITY
5.1. FIREWALLS
5.2. ENCRYPTION
5.3. IPSec PROTOCOL
5.4. AAA SERVER
6. RELIABILITY N PERFORMANCE
7. ADVANTAGES
8. DISADVANTAGES
9. CONCLUSION
10. REFERENCES

Dept. of IT

25

MESCE, Kuttippuram

Seminar Report 03

VPN

ACKNOWLEDGEMENTS
I would like to express my gratitude to our principal, Prof. K.
Achuthan for providing the adequate facilities required for the completion of
the seminar.
Next, I would like to thank the Head of the Computer Department
Mr. Agni Sarman Namboodiri, I would also like to thank my seminar
conductor Mr. Zaheer and also Ms. Deepa for their excellence guidance in
preparation and presentation of the topic.
And finally, to the most important person, the God Almighty, for
without his blessings, all this wouldnt have been possible.
Saleena Banu

Dept. of IT

26

MESCE, Kuttippuram