
ABSTRACT

Virtual Private Networks (VPNs) are a concept introduced to implement a global Wide Area Network (WAN) over the Internet.

This way the enormous costs involved in the traditional implementation of these networks, i.e. through dedicated lines or satellite links, are reduced considerably. A way to maintain fast, secure and reliable communications is attained wherever the offices are. In a VPN the Internet is used as the data pipeline, replacing the traditional data lines. This approach is just right for small and medium sized business firms. Now many companies are creating their own VPN (virtual private network) to accommodate the needs of remote employees and distant offices. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN, simply by making a contract with the ISP. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike with leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.

1. INTRODUCTION

The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are. Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security.
But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. A simple VPN model is shown below.

[Figure: VIRTUAL PRIVATE NETWORKS. A company has its main office, remote office and home office at various sites, and these interact with each other via the virtual network.]

2. VPN TYPES

We all know a WAN is simply a collection of local area networks, each located in a geographically diverse location, connected to each other to form a single network. Leased lines, which were initially used, do form a private network, but they turn out to be expensive. A VPN, using the power of the public medium, helps to create a private connection called a tunnel to switch data from one geographical location to the other.

A VPN provides network-to-network or remote-user-to-network connectivity via the encrypted tunnel. Data must be encapsulated in an IP packet before it can be sent across a VPN. Network users use various encryption and authentication schemes to provide security. Some VPNs require specialised hardware, some require specialised software, and some require both, adding VPN capabilities to a firewall, server or router.

Since a VPN depends critically on the Internet, ISPs become the drivers of VPN technology. Therefore an organisation using a VPN becomes dependent on the ISP. If the ISP faces bandwidth limitations or technical difficulties, the VPN will face the same.

A VPN can be of the following types:

REMOTE ACCESS
SITE TO SITE

REMOTE ACCESS

Also called a virtual private dial-up network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

SITE-TO-SITE

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be either:

Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

The following figure shows examples of the three types of VPN.

[Figure: VPN TYPES]

3. TUNNELLING

A Virtual Private Network protects tunnelled data through a combination of encryption, mutual host authentication and protocol tunnelling.
One of the most basic methods of protecting transmitted data is encryption. This involves scrambling the transmitted data using a mathematical formula, so that even if the data transmission is intercepted, it cannot be recovered without the correct key. Encryption can be either hardware enabled, through network devices like routers, or done through software. In the case of software, encryption takes place when you connect through a tunnelling protocol like PPTP; in the case of router encryption it is performed on the fly.

One of the biggest difficulties encountered over the Internet is identifying the person or computer at the other end of the wire. This is addressed by authentication, a process where the two hosts verify each other. This can be done through X.509 standard digital certificates, which exchange electronic signatures between the two parties. This electronic signature is then verified by a trusted third party, usually a public certifying authority or the company's own certificate server.

Alternatively, the hosts can also verify each other using protocols like Secure Shell (SSH). In this case the hosts exchange two keys, a host key and a server key. The receiving computer compares the host key with the keys in its database. If the key checks out, the computer at the other end is validated as genuine. The PC then generates a session key using the host and the server key, which is used to encrypt data transmission between the two computers. To ensure a high level of protection, the server key is changed on an hourly basis.

Finally there is protocol tunnelling. When data is transmitted on a network in the form of packets, the header, which gives information on the packet source, destination and number of packets transmitted, is in clear text. This information can be used by hackers to gain access to either the system or the data being transmitted. Protocol tunnelling takes data packets, encrypts them and then encapsulates them again in another clear-text packet. This ensures that even if the data transmission is intercepted, the original header information is not available. Once these packets reach their destination, a router equipped with encryption and decryption capabilities decrypts the packet, restoring the original data packets.

PRIVATE NETWORKS

The old trend for large companies to have their own fully private dial-in networks (complete with modem banks, access servers and technical service personnel deployed at each company site) is being reversed, as the ubiquitous presence of Internet access sites makes it attractive to use the resources offered by Internet service providers (ISPs). Such outsourcing allows employees to dial in to an access server at a nearby ISP site and send packets over the Internet for delivery to their company's home network. The very router vendors who provide VPN tunnels between permanent company sites are also competing for the opportunity to provide VPN tunnels for dial-in users as well. But they are handicapped in the solution they can offer, because they model tunnels as router-to-router constructs, though there is no router at the user end. If these vendors are to have a share in the outsourcing of a company's dial-in service, this has to be achieved using one of the following models:

Outsource a private site
Share an outsourced site
Outsource a private access server
Share an access server

OUTSOURCE A PRIVATE SITE

A company desiring to outsource its access responsibility can ask an ISP to manage a site for it. ISPs generally put their own dial-up equipment in locations termed points of presence (POPs). Under this model, a company may enter into a contract with the ISP to establish private POPs for its employees. This really moves the company's private dial-up equipment to a site which is managed by the ISP.
If the resources of a POP are dedicated to a single company, then the POP is no different from a remote company site, and therefore the same routing equipment used at the company's headquarters can be used at the POP. Since the site is private, all packets at the site can be in the clear. Tunnels only run between the router at the POP and the router at the company's headquarters.

This approach offloads the access responsibility to the ISP, but it is likely to be more expensive than any other option because equipment costs are not shared. It has the further disadvantage that it requires private facilities at as many POPs as are needed to provide local access to employees. Such an arrangement also locks in employees.

Finally, the ISP has to manage a list of authorized user names and passwords on behalf of the company to help control access to the private site. All this necessitates that a very close relationship exists between the outsourcing company and the ISP for this model to succeed. In this model, if company employees want to simultaneously access company and Internet resources, they tunnel to the company and then venture out to the Internet as though they were initiating contact from their place of work.

SHARE AN OUTSOURCED SITE

This model is an extension of the previous one, in that a number of companies enter into a contract with an ISP to avail of the latter's access service not privately but in a shared manner. The major benefit, of course, is the resulting cost saving for the outsourcing company. In this model, we presume that each company using the shared site provides a router to tunnel its private traffic back to its headquarters.

If the equipment at the POP is not dedicated to a single company, the shared access server and LAN elements need to be trusted, since company packets will be vulnerable on their way to and from the company's dedicated router.
Such packets are exposed to ISP personnel at the site, and are subject to routing misadventures that expose them more generally to the entire Internet, and in particular to other companies who have their own encrypting routers on the POP's shared LAN. If access servers are shared then user and password databases will be co-mingled at the site, and the access server software will have to be careful enough to direct all packets from a given dial-in port to one and only one tunnelling router. If packets go through the wrong tunnel, they will end up at the wrong headquarters.

In this model, users cannot go through their tunnel to work and then on to the Internet without running the risk that their return packets will be routed back through the wrong tunnel. This means that for Internet access all tunnelling routers at the site are exposed to arbitrary Internet packet traffic. This makes security considerations a major issue for outsourcing companies, and hence this model is not workable in many scenarios.

OUTSOURCE A PRIVATE ACCESS SERVER

The previous models are not very attractive in that they are expensive, restrictive, and in some cases not very secure. They treat the ISP as a trusted extension of the outsourcing company. Though site outsourcing may make sense in certain situations, it is not likely to become a common practice. Site outsourcing may not be favoured by router vendors, except when they can sell a bunch of new routers to ISPs. All this brings us to another approach.

Instead of beginning the tunnel at the site router on behalf of all access servers at the ISP, it should be possible to begin a tunnel at each access server. This way, packets received at a dial-in port can be encrypted and encapsulated, and thus enter the tunnel before leaving the server, so that they are never in the clear on the ISP LAN. Placing the tunnel function in the access server is such a compelling improvement over the earlier two models that it has received the focal attention of all vendors. It has also provided the impetus for many new or proposed standards that may offer multivendor interoperability for server-router tunnels.

This model assumes that an outsourcing company asks an ISP to deploy some access servers at each POP and dedicate them to the company's employees.
The phone numbers of these dedicated resources are made available only to company personnel. Of course, the ISP must know employee names and passwords so as to guard access to these servers, but if the servers are effectively protected, the company does not have to worry about users on other servers getting into one of their tunnels.

Under this scheme, new code is required for both the access servers and the HQ (headquarters) router. This is because, among other things, there is more than one tunnel from all ISP sites. The router itself becomes just another dial-in server, having logical ports in place of physical ports. Each tunnel terminates at one of the router's logical ports, and from there the de-encapsulated, decrypted packets are gated on to the company LAN. To distinguish such a logical access server from routers, the increasingly popular term home gateway is being used.

Almost all of these server-to-home-gateway tunnelling schemes are direct outgrowths of the ubiquitous PPP (point-to-point protocol) schemes used for exchanging packets between desktops and access servers over telephone lines. In tunnelling schemes, the access server and the home gateway assume the roles played in PPP by the dialing desktop and the dialed access server respectively. Tunnel protocols allow the user name and password originally collected by the ISP to be forwarded to the home gateway, so that the company can perform user authentication if it wants to. However, the access server must not only perform the new tunnel functions but also IPX and AppleTalk encapsulation functions (these funny packets must be handled on the PPP link with the user, but are encapsulated in IP packets so that they never hit the ISP LAN). Also, the company itself must worry about providing full-service desktop software to all its employees as before. It is possible for employees to have two different accounts with the ISP so that they can alternately receive tunnelled or clear Internet service.
Current approaches do not offer a way to support both tunnelled and clear traffic services simultaneously.

SHARE AN OUTSOURCED ACCESS SERVER

Because the new access servers are able to establish tunnels on behalf of each dial-in port, there is no reason why each tunnel cannot go to a different home gateway. Home gateways can be selected on the basis of user identity as authenticated by the ISP, and so tunnels from a single access server can go to different companies at the same time. Economy apart, this functionality is not necessarily any better than the prior scheme, and may be inferior in many ways. For example, in this model company authentication data does need to be held by the ISP, and access servers need to be trusted more than ever before. In addition, until tunnelling protocols are truly interoperable, it may not be possible for access servers from vendor A to talk to home gateways from vendor B. This implies many constraints for ISPs in the deployment of servers and allocation of phone numbers, modem types, etc.

4. VPN PROTOCOLS

The term VPN has taken on many different meanings in recent years. VPNC has a white paper about VPN technologies (PDF format) that describes many of the terms used in the VPN market today. In particular, it differentiates between secure VPNs and trusted VPNs, which are two very different technologies.

For secure VPNs, the technologies that VPNC supports are:

IPsec with encryption
L2TP inside of IPsec

For trusted VPNs, the technologies that VPNC supports are:

MPLS with constrained distribution of routing information.

IPsec is by far the most dominant protocol for secure VPNs. L2TP running under IPsec has a much smaller but significant deployment. For trusted VPNs, the market is split on the two MPLS-based protocols.

STANDARDS

The various VPN protocols are defined by a large number of standards and recommendations that are codified by the Internet Engineering Task Force (IETF). There are many flavors of IETF standards, recommendations, statements of common practice, and so on. Some of the protocols used in IPsec are full IETF standards; however, the others are often useful and stable enough to be treated as standard by people writing IPsec software.
Neither of the trusted VPN technologies are IETF standards yet, although there is a great deal of work being done to get them to become standards.

RFC

The IETF codifies the decisions it comes to in documents called "Requests For Comments". These are almost universally called by their acronym "RFCs". Many RFCs are the standards on which the Internet is formed.

The level of standardization that an RFC reaches is determined not only by how good the RFC is, but by how widely it is implemented and tested. Some RFCs are not solid standards, but they nonetheless document technologies that are of great value to the Internet and thus should be used as guidelines for implementing VPNs. For the purpose of defining VPNs, any protocol that has become an IETF Request For Comments (RFC) document can be treated as somewhat of a standard. Certainly, any IPsec-related RFC that has been deemed to be on the IETF "standards track" should be considered a standard.

INTERNET DRAFTS

Before a document becomes an RFC, it starts out as an Internet Draft (often called an "ID" or "I-D"). IDs are rough drafts, and are sometimes created for no other benefit than to tell the Internet world what the author is thinking. On the other hand, there is often very good information in some IDs, particularly those that cover revisions to current standards.

Some Internet Drafts go along for years but are then dropped or abandoned; others get on a fast track to becoming RFCs, although this is rare. Internet Drafts are given names when they first appear; if they become RFCs, the I-D name disappears and an RFC number is assigned.

It should be emphasized here that it is unwise to make any programming decisions based on information in Internet Drafts. Most IDs go through many rounds of revisions, and some rounds make wholesale changes in the protocols described in a draft. Further, many IDs are simply abandoned after discussion reveals major flaws in the reasoning that led to the draft.

That being said, it is worthwhile to know which IDs pertain to areas of interest. The following is a list of the IDs that are related to Internet mail. Some of these drafts will likely become RFCs in the months or years to come, possibly with heavy revision; some will be merged with other drafts; others will be abandoned.

5. VPN SECURITY

A VPN uses several methods for keeping your connection and data secure:

FIREWALLS

A firewall provides a strong barrier between your private network and the Internet. You can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through. Some VPN products, such as Cisco's 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them. You should already have a good firewall in place before you implement a VPN, but a firewall can also be used to terminate the VPN sessions.

If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably used a firewall. For example, you often hear people in companies say things like, "I can't use that site because they won't let it through the firewall." If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

FIREWALL ACTION

Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next.
ENCRYPTION

This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

Symmetric-key encryption
Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message. For example: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything. You can find out more about PGP at the PGP site.

The two categories are used together as follows: the sending computer encrypts the document with a symmetric key, then encrypts the symmetric key with the public key of the receiving computer. The receiving computer uses its private key to decode the symmetric key. It then uses the symmetric key to decode the document.

IPSEC PROTOCOL
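As an added example (not code from the original report), the following Python constructs an IPv4 packet and protects it the two ways this section and the tunnelling section describe: transport mode, where only the payload is encrypted and the original header stays in the clear, and tunnel mode, where the whole packet is encrypted and wrapped in a new clear-text header addressed between two gateways. The HMAC-SHA256 counter-mode stream cipher, the integrity tag, the keys, the fixed IV and the addresses are all constructed for the demo and stand in for the algorithms a real IPsec security association negotiates.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTO = 50             # IP protocol number carried by IPsec ESP packets
NONCE_LEN = 8              # per-packet IV sent in the clear before the ciphertext
TAG_LEN = 16               # truncated HMAC integrity check value appended to the packet
HDR_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header without options
DEMO_NONCE = b"demo-iv1"   # constructed fixed IV so the demo is reproducible

def ipv4_header(src, dst, proto, payload_len):
    """Build a constructed IPv4 header; checksum and id are left zero for the demo."""
    return struct.pack(HDR_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(pkt):
    """Return the clear-text fields that any on-path observer can read."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "len": total_len}

def keystream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode); real IPsec would use e.g. AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!I", counter),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def icv(auth_key, data):
    """Integrity check value over the clear outer header, IV and ciphertext."""
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:TAG_LEN]

def protect(pkt, enc_key, auth_key, mode, gw_src=None, gw_dst=None, nonce=None):
    """transport: encrypt the payload, keep the original header in the clear.
    tunnel: encrypt the whole packet and prepend a new gateway-to-gateway header."""
    nonce = nonce or os.urandom(NONCE_LEN)
    inner = parse_ipv4_header(pkt)
    if mode == "transport":
        # The original next-header value rides inside the ciphertext, like ESP's trailer.
        plain = bytes([inner["proto"]]) + pkt[20:]
        src, dst = inner["src"], inner["dst"]
    elif mode == "tunnel":
        plain = pkt                      # inner header is hidden as well
        src, dst = gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ct = keystream_xor(enc_key, nonce, plain)
    outer = ipv4_header(src, dst, ESP_PROTO, NONCE_LEN + len(ct) + TAG_LEN)
    body = outer + nonce + ct
    return body + icv(auth_key, body)

def unprotect(pkt, enc_key, auth_key, mode):
    """Check the integrity value before decrypting, then rebuild the inner packet."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, got = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(got, icv(auth_key, body)):
        raise ValueError("integrity check failed: packet modified or wrong key")
    nonce, ct = body[20:20 + NONCE_LEN], body[20 + NONCE_LEN:]
    plain = keystream_xor(enc_key, nonce, ct)
    if mode == "tunnel":
        return plain
    return ipv4_header(outer["src"], outer["dst"], plain[0], len(plain) - 1) + plain[1:]

def demo():
    """Constructed scenario: host 10.1.0.5 behind gateway 203.0.113.1 sends a TCP
    segment to 10.2.0.9 behind gateway 198.51.100.1; returns inner and both protected forms."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(payload)) + payload
    transport = protect(inner, enc_key, auth_key, "transport", nonce=DEMO_NONCE)
    tunnel = protect(inner, enc_key, auth_key, "tunnel",
                     "203.0.113.1", "198.51.100.1", nonce=DEMO_NONCE)
    return inner, transport, tunnel
```

Comparing parse_ipv4_header() on the two protected packets shows why tunnel mode is used between gateways: the transport-mode packet still exposes the internal 10.x endpoints, while the tunnel-mode packet exposes only the gateway addresses and protocol 50.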

IPSEC FAVOURING A SECURE SYSTEM

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

Router to router
Firewall to router
PC to router
PC to server

AAA SERVER

AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.

6. RELIABILITY AND PERFORMANCE

Because VPNs use the Internet, they can incur reliability and performance problems due to congestion, dropped packets and other factors. This could cause problems for real-time applications such as telephony and video conferencing. Some large ISPs are trying to alleviate reliability concerns by keeping all customer VPN traffic on their own backbone.

7. ADVANTAGES

The primary advantage of a VPN is that it cuts cost. Compared to the traditional WAN, VPNs are a cheap way to build global networks. A VPN partially eliminates the modem banks, access servers, phone lines and other types of hardware organisations must install to provide remote access to traditional private networks.
To connect two far-flung networks, all that is needed is the dedicated link or backbone between these two networks. Since the Internet is a public network, costs are shared by all Internet users, resulting in low access cost.

Another advantage is that network expansion becomes a function of how quickly one can get a leased data connection to the nearest ISP. The sharing of networked resources by business partners is facilitated, since the question of incompatible systems is already addressed in the Internet. Remote entry by authorised users with Internet access is possible.

A well-designed VPN can benefit a company through the following factors: extend geographic connectivity; improve security; reduce operational costs versus a traditional WAN; reduce transit time and transportation costs for remote users; improve productivity; simplify network topology; provide global networking opportunities; provide telecommuter support; provide broadband networking compatibility and security.

For all practical purposes a VPN is as transparent as a traditional WAN. Whatever can be done on a WAN can be done on a VPN.

8. DISADVANTAGES

If the level of security provided is insufficient, then it can be hazardous. Since a VPN is connected to the public network, the Internet, it is prone to being hacked. Though all networks have some basic security, such as user authentication through password verification that prevents such access, these are often insufficient. Therefore the two key security issues are protecting the network from break-ins, and protecting the integrity of data being transmitted and validating the identity of the user over the Internet. This can be achieved by using a combination of encryption, host authentication and protocol tunnelling.

9. CONCLUSION

As the cost of setting up a global network is prohibitively high for small and medium sized businesses, a Virtual Private Network offers a cheap way to build a WAN. The problems associated with VPNs concern security and performance. The standardisation of VPN technology will lead to its widespread use among network users.

CONTENTS

1. INTRODUCTION
2. VPN TYPES
2.1. REMOTE ACCESS
2.2. SITE TO SITE
3. TUNNELING
3.1. PRIVATE NETWORKS
3.2. OUTSOURCED SHARED MODELS
3.2.1. OUTSOURCE A PRIVATE SITE
3.2.2. SHARE AN OUTSOURCED SITE
3.2.3. OUTSOURCE A PRIVATE ACCESS SERVER
3.2.4. SHARE AN ACCESS SERVER
4. PROTOCOLS
4.1. STANDARDS
4.1.1. RFC
4.1.2. INTERNET DRAFTS
5. SECURITY
5.1. FIREWALLS
5.2. ENCRYPTION
5.3. IPSec PROTOCOL
5.4. AAA SERVER
6. RELIABILITY AND PERFORMANCE
7. ADVANTAGES
8. DISADVANTAGES
9. CONCLUSION
10. REFERENCES

ACKNOWLEDGEMENTS

I would like to express my gratitude to our principal, Prof. K. Achuthan, for providing the adequate facilities required for the completion of the seminar. Next, I would like to thank the Head of the Computer Department, Mr. Agni Sarman Namboodiri. I would also like to thank my seminar conductor Mr. Zaheer and also Ms. Deepa for their excellent guidance in the preparation and presentation of the topic. And finally, to the most important person, the God Almighty, for without his blessings all this wouldn't have been possible.

Saleena Banu