Global Internet/Intranet Access Service

Provided by: Fran199
Slides: 63

Transcript and Presenter's Notes

1
Learning to Live and Work with Virtual Private
Networks
CEENET 6 Budapest Hungary
2
Tunneling Defined
  • Creating a transparent virtual network link
    between two network nodes that is unaffected by
    physical network links and devices.

3
Tunneling Explained
  • Tunneling is encapsulating one protocol in another
  • Tunnels provide routable transport for unroutable packets
    • e.g. encrypted packets, packets with illegal (non-routable) addressing, or protocols the transit network does not support
  • Tunneling itself provides no security

4
Tunneling Illustrated
[Diagram, built up over slides 4-7: a tunnel between LAN A and LAN B. Step 1: Workstation X sends the original, unroutable IP packet (dest Y) to Router A. Step 2: Router A encapsulates the original IP packet in a new IP packet and sends it through the tunnel to Router B. Step 3: Router B extracts the original packet and sends it to destination Y.]
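As an added example (not part of the slides), a small Python model of the three steps above, with IP-in-IP encapsulation (IP protocol number 4, RFC 2003) standing in for the tunnel. The slides name only workstation X, destination Y and Routers A and B; the addresses, the UDP payload and the peer check at Router B are constructed for the example.

```python
import socket
import struct

# IANA protocol number for IP-in-IP encapsulation (RFC 2003): the outer
# packet announces that its payload is another IPv4 packet.
IPPROTO_IPIP = 4
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

# Constructed addresses (RFC 1918 / documentation ranges), not from the slides.
# X and Y hold private, unroutable addresses on LAN A and LAN B; the routers'
# tunnel endpoints are the only addresses the public network ever sees.
WORKSTATION_X = "192.168.1.10"
DESTINATION_Y = "192.168.2.20"
ROUTER_A = "198.51.100.1"
ROUTER_B = "203.0.113.1"


def ipv4_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as specified in RFC 791."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, lengths and checksum; return header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:  # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner_pkt: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 2 at Router A: wrap the unroutable packet in a routable outer packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_pkt)


def decapsulate(outer_pkt: bytes, expected_peer: str) -> bytes:
    """Step 3 at Router B: strip the outer header and recover the original packet.

    The peer check is the decapsulating router's own defence: plain IP-in-IP
    carries no authentication, so without it anything that can reach Router B
    could be unwrapped and forwarded onto LAN B.
    """
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["src"] != expected_peer:
        raise ValueError("tunnel packet from unexpected source %s" % outer["src"])
    inner = outer["payload"]
    parse_ipv4(inner)  # reject malformed inner packets before forwarding them
    return inner


def run_tunnel_example() -> dict:
    """Walk the three slide steps and return what each node sees."""
    original = build_ipv4(WORKSTATION_X, DESTINATION_Y, 17, b"constructed UDP payload")  # Step 1
    tunneled = encapsulate(original, ROUTER_A, ROUTER_B)                                  # Step 2
    delivered = decapsulate(tunneled, ROUTER_A)                                           # Step 3
    return {"outer": parse_ipv4(tunneled), "inner": parse_ipv4(delivered),
            "roundtrip_ok": delivered == original}


if __name__ == "__main__":
    result = run_tunnel_example()
    o, i = result["outer"], result["inner"]
    print("public network sees: %s -> %s, protocol %d" % (o["src"], o["dst"], o["proto"]))
    print("LAN B receives:      %s -> %s, protocol %d" % (i["src"], i["dst"], i["proto"]))
    print("round trip ok:", result["roundtrip_ok"])
```

Running it prints the outer packet the public network routes (Router A to Router B, protocol 4) and the original packet LAN B receives (X to Y). The peer check in `decapsulate` is the practical consequence of slide 3: tunneling alone provides no security, so the router that unwraps packets has to decide for itself which sources it accepts tunnel traffic from.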
8
Virtual Private Networks (VPN)
  • What is a VPN?
    • A means of augmenting a shared network on a secure basis through encryption and/or tunneling
    • Tunnels created between endpoints for transporting data securely across public networks
  • Benefits
    • Leverages existing Service Provider infrastructure for private data communications
    • Cost savings

9
What Is an IP VPN?
  • Emulate a private network over a shared IP network
[Diagram: Branch Offices, Remote Workers, Corporate Headquarters and Customers/Suppliers all attached to a Shared IP Network / Internet.]
  • Why IP?
    • Service differentiation, global connectivity, flexibility, platform for fast-growing new services (e.g. e-commerce)

10
Types of IP VPN Services
  • Service options
    • Applications: dial, intranet, extranet
    • QoS: end-to-end guarantees, service differentiation, best effort
    • Security: network based, user based
    • Infrastructure: Internet, IP, ATM, MPLS

11
One way to communicate
[Diagram: Tokyo, London and New York HQ sites, each with a LAN behind a Firewall, Router, CSU/DSU and Remote Access Server, joined by PSTN (dial) or dedicated lines; Web sites are reached over the Internet.]
12
Another view of network possibilities... A Virtual Private Network
[Diagram: the same Tokyo, London and New York sites, each with a LAN, Firewall, CSU/DSU and Router w/L2TP, now joined over the Internet; Remote Clients and Web Sites also connect through the Internet.]
13
Internet as Backbone: Dial-Up
[Diagram: a Remote User with VPN Software builds a Secure Tunnel across the Internet/ISP Network to a VPN Gateway in front of the Private Network; a Hacker is shown on the Internet, outside the tunnel.]
14
Internet as Backbone: Branch Offices
[Diagram: a Branch Office VPN Router and the Private Network's VPN Gateway joined by a Secure Tunnel across the Internet/ISP Network.]
15
Shared Dial Networking
[Diagram: Mobile Employee, Telecommuter and Contractor each dial into an IAG on the Shared Service Provider Network; Tunneled Traffic is carried from the IAGs to the VPN Gateway of the Private Network.]
16
Virtual Private Networks
  • Extends private network boundary across a shared network using tunneling technology
[Diagram: Virtual Private Dial-Up users enter through IAGs on the Shared Network; Tunnels run from the IAGs to VPN Gateways, behind which sit the Private Servers and Internal Users.]
17
Types of Tunnels
  • Two basic types of tunnels
    • Voluntary tunnels: tunneling initiated by the end-user (requires client software on the remote computer)
    • Compulsory tunnels: tunnel is created by the NAS or router (tunneling support required on the NAS or router)

18
Voluntary Tunnels
  • Will work with any network device
  • Tunneling transparent to leaf and intermediate
    devices
  • But user must have a tunneling client compatible
    with tunnel server
  • PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
  • Simultaneous access to Intranet (via tunnel) and
    Internet possible
  • Employees can use personal accounts for corporate
    access
  • Remote office applications
  • Dial-up VPNs for low traffic volumes

19
A Voluntary PPTP Tunnel
20
Compulsory Tunnels
  • Will work with any client
    • But NAS must support the same tunnel method
    • But tunneling is transparent to intermediate routers
  • Network access controlled by tunnel server
    • User traffic can only travel through the tunnel
  • Internet access possible
    • Must be via pre-defined facilities
  • Greater control
    • Can be monitored

21
Compulsory Tunnels
  • Static tunnels
    • All calls from a given NAS/router tunneled to a given server
  • Realm-based tunnels
    • Each tunnel based on information in the NAI (i.e. user@realm)
  • User-based tunnels
    • Calls tunneled based on user ID data stored in the authentication system

22
A Compulsory L2TP Tunnel
23
RADIUS Support for Tunnels
  • Can define tunnel type
  • Can define/limit tunnel end points
  • Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
  • Additional accounting information
    • Tunnel end points
    • Tunnel ID, etc.

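An added example in Python (not from the slides or any vendor's product) of the realm-based tunnel selection described on slide 21 together with the RADIUS tunnel support on this slide. The server splits the NAI (user@realm), looks the realm up in a constructed realm table, and answers with the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Server-Endpoint attributes inside an Access-Accept; the LAC verifies the Response Authenticator (RFC 2865) before acting on the reply. The realm table, shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865), tunnel attributes (RFC 2868).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_TYPE_L2TP = 3      # RFC 2868 Tunnel-Type value for L2TP
TUNNEL_MEDIUM_IPV4 = 1    # RFC 2868 Tunnel-Medium-Type value for IPv4

# Constructed realm table for the example (not from the slides): realm -> LNS address.
REALM_TO_LNS = {"example.com": "203.0.113.10", "example.net": "203.0.113.20"}


def split_nai(username: str):
    """Split a Network Access Identifier (user@realm) into (user, realm); realm is None if absent."""
    if "@" not in username:
        return username, None
    user, realm = username.rsplit("@", 1)
    return user, realm.lower()


def tunnel_attributes(lns_ip: str, tag: int = 1):
    """RFC 2868 tagged attributes telling the LAC to build an L2TP-over-IPv4 tunnel to lns_ip."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00-0x1F")

    def tagged_int(value):  # one tag octet followed by a 3-octet integer
        return bytes([tag]) + value.to_bytes(3, "big")

    return [
        (TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_L2TP)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IPV4)),
        (TUNNEL_SERVER_ENDPOINT, bytes([tag]) + lns_ip.encode("ascii")),
    ]


def encode_attributes(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attributes(blob: bytes):
    """Walk the TLV list, refusing lengths that would run past the packet."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_accept(ident, request_authenticator, secret, attrs) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def verify_response(packet, request_authenticator, secret) -> bool:
    """LAC side: a reply whose authenticator does not match our request and shared secret is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def radius_tunnel_decision(username, ident, request_authenticator, secret) -> bytes:
    """Server side: realm-based tunnel selection, producing the Access-Accept sent back to the LAC."""
    _user, realm = split_nai(username)
    lns = REALM_TO_LNS.get(realm) if realm else None
    if lns is None:
        raise LookupError("no tunnel configured for realm %r" % realm)
    return build_access_accept(ident, request_authenticator, secret, tunnel_attributes(lns))


def lac_read_tunnel(packet, request_authenticator, secret) -> dict:
    """LAC side: verify the reply, then read tunnel type, medium and endpoint from the tagged attributes."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch; reply is not from our RADIUS server")
    info = {}
    for atype, value in decode_attributes(packet[20:]):
        if atype == TUNNEL_TYPE:
            info["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE:
            info["medium"] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_SERVER_ENDPOINT:
            info["endpoint"] = value[1:].decode("ascii")
    return info


if __name__ == "__main__":
    req_auth = bytes(range(16))            # constructed; a real LAC sends 16 random octets
    secret = b"constructed-shared-secret"
    reply = radius_tunnel_decision("alice@example.com", 7, req_auth, secret)
    print(lac_read_tunnel(reply, req_auth, secret))
```

The authenticator check is what makes the compulsory tunnel trustworthy from the LAC's point of view: the LAC is about to forward a user's whole PPP session to whatever endpoint the reply names, so it must only accept that instruction from a server holding the shared secret and answering its own request.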
24
RADIUS Dial Up Security
Authenticates dial in users at boundary of private network
[Diagram: the Remote User logs in to the RAS at the Boundary of the Private Network; the RAS speaks the RADIUS Protocol to the RADIUS Server inside; a Hacker is shown outside the boundary.]
25
Protocol Comparison
[Table: columns PPTP, L2TP, IPSEC; one X per protocol that has the feature. Which column each X belonged to was lost when the slide was flattened.]
Authenticated Tunnels: X X
Compression: X X X
Smart Cards: X X
Address Allocation: X X
Multiprotocol: X X
Strong Encryption: X
Flow Control: X
Requires Server: X X
26
Virtual Private Networks via the Layer Two
Tunneling Protocol (L2TP)
27
L2TP Building Blocks
  • L2TP Access Concentrator (LAC)
  • Typically attached to the switched network
    fabric, such as public switched telephone network
    (PSTN)
  • Only needs to implement the media over which
    L2TP operates in order to pass traffic to one or
    more LNSs
  • Typically the initiator of incoming calls and the
    receiver of outgoing calls

28
L2TP Building Blocks (cont.)
  • L2TP Network Server (LNS)
    • Operates on any platform capable of PPP termination
    • Handles the server side of the L2TP protocol; scalability is critical
    • Able to terminate calls arriving at any LAC's full range of PPP interfaces (async, ISDN, PPP over ATM, PPP over Frame Relay)
    • The initiator of outgoing calls
    • The receiver of incoming calls

29
L2TP VPN in the Network
[Diagram: Remote, Telecommuter Employees dial in (ISDN, Analog) to the LAC on the Service Provider side; an L2TP Encapsulated Tunnel carries their sessions to the LNS at the Customer Premise Equipment, in front of the Corporate Network/Servers. A RADIUS server sits on each side.]
30
How Does an L2TP VPN Device Work?
  • Service provider provides remote access
    outsourcing services to utilize idle network
    infrastructure and provide their customers with
    the cost savings of using a public network like
    the Internet
  • The customer wants to connect their remote branch
    offices and telecommuters to Corporate HQ servers

31
How Does an L2TP VPN Device Work?
  • STEP 1
    • Remote users/telecommuters/branch offices initiate a session or call into an L2TP Access Concentrator (LAC) device
[Diagram: STEP 1 highlighted on the L2TP VPN network diagram (Remote, Telecommuter Employees; ISDN/Analog; LAC and RADIUS at the Service Provider; LNS and RADIUS at the CPE; Corporate Network/Servers).]
32
How Does an L2TP VPN Device Work?
  • STEP 2
    • The LAC sends an authentication request to a RADIUS Server, which will authenticate the call and generate configuration information about the creation, type of L2TP tunnel and end point of the tunnel
[Diagram: STEP 2 highlighted between the LAC and its RADIUS server on the same L2TP VPN network diagram.]
33
How Does an L2TP VPN Device Work?
  • STEP 3
    • Tunnel creation information is sent to the LAC, which encapsulates the user's PPP frames and tunnels them over the network to the LNS device.
[Diagram: STEP 3 highlighted on the tunnel between the LAC (Service Provider) and the LNS (CPE) on the same L2TP VPN network diagram.]
34
How Does an L2TP VPN Device Work?
  • STEP 4
    • LNS serves as termination point where the encapsulated L2TP frame is stripped and processed. The PPP frame is then passed on to higher layer protocols and users on the local area network.
[Diagram: STEP 4 highlighted at the LNS in front of the Corporate Network/Servers on the same L2TP VPN network diagram.]
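An added example in Python (not the slides' or any vendor's code) of STEP 3 and STEP 4 at the packet level: the LAC wraps a PPP frame in an L2TP data message (RFC 2661 header with the Length field and Ns/Nr sequence numbers), and the LNS parses the header, checks the Tunnel ID and Session ID against the sessions it has set up, strips the header and hands the PPP frame up by its protocol number. The PPP frame bytes, the tunnel/session IDs and the session table are constructed for the example.

```python
import struct

# L2TP header flag bits and version (RFC 2661 section 3.1).
L2TP_T = 0x8000        # 1 = control message, 0 = data message
L2TP_L = 0x4000        # Length field present
L2TP_S = 0x0800        # Ns/Nr sequence fields present
L2TP_O = 0x0200        # Offset Size field present
L2TP_VER_MASK = 0x000F
L2TP_VERSION = 2

PPP_IPV4 = 0x0021      # PPP protocol number for IPv4 datagrams (RFC 1332)


def build_l2tp_data(tunnel_id, session_id, ppp_frame, ns=None, nr=None) -> bytes:
    """LAC side (STEP 3): wrap one PPP frame in an L2TP data message (T=0) with the Length field set."""
    flags = L2TP_L | L2TP_VERSION
    seq = b""
    if ns is not None:
        flags |= L2TP_S
        seq = struct.pack("!HH", ns, nr or 0)
    length = 8 + len(seq) + len(ppp_frame)
    return struct.pack("!HHHH", flags, length, tunnel_id, session_id) + seq + ppp_frame


def _need(pkt, pos, n):
    if pos + n > len(pkt):
        raise ValueError("L2TP header field runs past end of datagram")


def parse_l2tp(pkt: bytes) -> dict:
    """Parse an L2TP header, reading only the optional fields the flag bits announce."""
    _need(pkt, 0, 2)
    flags = struct.unpack("!H", pkt[:2])[0]
    if flags & L2TP_VER_MASK != L2TP_VERSION:
        raise ValueError("unsupported L2TP version %d" % (flags & L2TP_VER_MASK))
    pos, end = 2, len(pkt)
    if flags & L2TP_L:
        _need(pkt, pos, 2)
        end = struct.unpack("!H", pkt[pos:pos + 2])[0]
        if end > len(pkt):
            raise ValueError("L2TP Length field exceeds datagram")
        pos += 2
    _need(pkt, pos, 4)
    tunnel_id, session_id = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & L2TP_S:
        _need(pkt, pos, 4)
        ns, nr = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
    if flags & L2TP_O:
        _need(pkt, pos, 2)
        pos += 2 + struct.unpack("!H", pkt[pos:pos + 2])[0]  # skip Offset Size octets plus padding
    if pos > end:
        raise ValueError("L2TP header overruns the message")
    return {"control": bool(flags & L2TP_T), "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": pkt[pos:end]}


def ppp_protocol(ppp_frame: bytes):
    """Split a PPP frame into (protocol, information).

    The HDLC address/control octets 0xFF 0x03 are optional inside L2TP, and PPP
    protocol-field compression allows a single odd octet instead of two.
    """
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    if not ppp_frame:
        raise ValueError("empty PPP frame")
    if ppp_frame[0] & 1:                       # compressed one-octet protocol field
        return ppp_frame[0], ppp_frame[1:]
    if len(ppp_frame) < 2:
        raise ValueError("PPP frame too short for a protocol field")
    return struct.unpack("!H", ppp_frame[:2])[0], ppp_frame[2:]


def lns_receive(pkt: bytes, sessions: dict):
    """LNS side (STEP 4): strip the L2TP header, accept only tunnel/session IDs we set up,
    and hand the PPP frame up. The payload arrives in clear text: L2TP tunnels, it does not encrypt."""
    hdr = parse_l2tp(pkt)
    if hdr["control"]:
        raise ValueError("control message, not PPP data")
    key = (hdr["tunnel_id"], hdr["session_id"])
    if key not in sessions:
        raise KeyError("unknown tunnel/session %r" % (key,))
    proto, info = ppp_protocol(hdr["payload"])
    return sessions[key], proto, info


if __name__ == "__main__":
    # Constructed PPP frame: HDLC address/control, protocol 0x0021 (IPv4), then stand-in IP bytes.
    frame = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x1c" + b"constructed IPv4 bytes"
    msg = build_l2tp_data(5, 7, frame, ns=1, nr=0)
    print(lns_receive(msg, {(5, 7): "alice@example.com"}))
```

Two things the parser makes visible that the step diagrams do not: the LNS only learns which user a frame belongs to from the Tunnel ID/Session ID pair it handed out during tunnel setup, so an unknown pair is dropped rather than forwarded; and the PPP frame is readable as soon as the header is gone, which is why the later slides pair L2TP with encryption (IPSec or the PPP-level ciphers) rather than treating the tunnel itself as a security measure.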
35
VPN Questions and Answers (FAQs)

36
Q What is a virtual private network?
  • A VPN gives users a secure way to access or link
    corporate network resources over the Internet or
    other public or private networks.

37
Q What are the elements to a VPN?
  • VPNs typically include a number of security
    features including encryption, authentication,
    and tunneling.
  • VPN software may be included on laptops and
    network workstations and servers or may be
    included with routers and remote access servers.

38
Q How do companies use VPNs?
  • In place of traditional dial-up connections to
    provide access to remote users and telecommuters
  • To connect LANs in different sites instead of
    using the public switched telephone network or
    dedicated leased lines
  • To give customers, clients and consultants access
    to corporate resources.

39
Q Is a VPN the same thing as an extranet?
  • No. Most VPNs can be designed to work as an
    extranet. But not all extranets are VPNs.

40
Q Then what is an extranet?
  • Extranet is a general term that can mean many
    different things. The common definition of an
    extranet is a type of network that gives outside
    users, such as customers, clients and
    consultants, access to data residing on a
    corporation's network. Users access the data
    through a Web browser over the Internet and
    typically need to enter a user name and password
    before access to the data is granted.

41
Q How is this different from a VPN?
  • A VPN can be used in a similar manner, but
    typically a VPN has much higher security
    associated with it. Specifically, a VPN typically
    requires the establishment of a tunnel into the
    corporate network and the encryption of data
    passed between the user's PC and corporate
    servers.

42
Q Why bother with a VPN, aren't there other ways
to give users secure access to network resources?
  • There are different ways to control access and
    provide secure access to network resources. A VPN
    is just one of those ways.
  • However, a well implemented VPN is transparent to
    the user and should require no special skills or
    knowledge to use.

43
Q What are other methods for accessing network
resources over the Internet?
  • Depending on the level of security needed, a
    company could choose to use an extranet approach
    or a customized approach that combines password
    protection of network servers with third-party
    authentication systems.

44
Q Why do companies use VPNs?
  • There are many reasons to use a VPN. The most
    common reasons are (1) to save
    telecommunications costs by using the Internet to
    carry traffic (rather than paying long distance
    phone charges), (2) to save telecommunications
    costs by reducing the number of access lines into
    a corporate site, and (3) to save operational
    costs by outsourcing the management of remote
    access equipment to a service provider.

45
Q How does a VPN cut long distance phone
charges?
  • Long distance phone charges are reduced with a
    VPN because a user typically dials a local call
    to an ISP rather than placing a long distance or
    international call directly to his or her
    company.

46
Q How do VPNs help reduce the number of access
lines?
  • Many companies pay monthly charges for two types
    of access lines: (1) high-speed links for their
    Internet access and (2) frame relay, ISDN Primary
    Rate Interface or T1 lines to carry data. A VPN
    may allow a company to carry the data traffic
    over its Internet access lines, thus reducing the
    need for some installed lines.

47
Q How can a VPN save operational costs?
  • Some companies hope to save operational costs by
    outsourcing their remote access to an ISP or
    other type of service provider. The idea is that
    by giving users access to the network via a VPN,
    a company can get rid of its modem pools and
    remote access servers. The operational cost
    savings come from not having to manage those
    devices.

48
Performance Issues
49
Q What about VPN performance?
  • There are several issues to consider when
    exploring VPN performance. Some are related to
    the Internet itself. Is it available? What is the
    latency for packets traveling across the network?
    Other performance issues are related to the
    specific VPN applications.
  • In general, VPNs implemented over the public
    Internet will have poorer performance than VPNs
    implemented over private IP networks.

50
Q What are the concerns about network
availability?
  • The Internet occasionally experiences outages.
    For example, in 1997 there was a system-wide
    availability problem when a corrupted master list
    of Domain Names was distributed to the handful of
    root servers that are the heart of the Internet.
    More frequently, a particular Internet service
    provider may experience equipment problems
    leading to a service outage that can last from
    hours to days.

51
Q What can be done to ease concerns about
network availability?
  • Many service providers are trying to improve the
    reliability of their networks to prevent outages.
    While they cannot guarantee 100 percent
    availability, many providers are offering service
    level agreements that offer credits or refunds if
    network availability falls below a certain level.

52
Q How good are the network availability service
level agreements (SLAs)?
  • Most of the service providers with nation-wide
    backbones guarantee the network will be available
    at least 99.6 percent of the time. That
    translates into a maximum outage time of about
    6.5 minutes a day before the refund or credits
    kick in. Some offer higher availability with
    refunds or credits kicking in for outages of 3
    minutes per day or longer.

53
Q What are the short-comings of these SLAs?
  • All VPN SLAs offered today only apply to the
    specific service provider's network. If the
    traffic crosses from one provider's network to
    another, the SLAs do not apply.

54
Q What about latency?
  • To date, there are no VPN SLAs that address
    latency. The service providers say they will need
    a number of things, like the ability to offer
    quality of service guarantees, to happen before
    latency SLAs will be offered.

55
Q Are there other issues that will prevent
latency-related VPN SLAs?
  • Yes. IT managers will not see end-to-end latency
    SLAs for VPNs as they get for other services such
    as a Frame Relay service that carries
    time-sensitive SNA terminal-to-host traffic. One
    of the reasons end-to-end latency SLAs will not
    be practical for VPNs is that there are many
    variables, such as the type of encryption used
    and the client's processing power, that determine
    end-to-end performance in VPN applications.

56
VPN Technology Questions
57
Q What are the common tunneling protocols?
  • There are currently three major tunneling protocols for VPNs. They are:
    • Point-to-Point Tunneling Protocol (PPTP)
    • Internet Protocol Security (IPSec)
    • Layer 2 Tunneling Protocol (L2TP)
  • Two proprietary protocols often seen are:
    • Ascend's ATMP
    • Cisco's L2F

58
Q What types of encryption can be used in VPN
applications?
  • Virtually all of the common encryption
    technologies can be used in a VPN. Most VPN
    equipment vendors give the user a choice. IT
    managers can often select anything from the
    40-bit built-in encryption offered by Microsoft
    under Windows 95 to more robust, but less
    exportable, encryption technologies like
    triple-DES.

59
Q How are VPN users authenticated?
  • VPN vendors support a number of different
    authentication methods. Many vendors now support
    a wide range of authentication techniques and
    products including such services as RADIUS,
    Kerberos, token cards, NDS, NT Domain, and
    software and hardware-based dynamic passwords.

60
Q Can user access and authentication be linked
to existing access control systems?
  • Yes. Some vendors, such as Lucent, support
    existing standards like RADIUS.
  • Other VPN vendors, notably Aventail, Novell, and
    New Oak Communications, provide ways to link VPN
    access rights to defined access rights such as
    those in Windows NT Workgroup lists, Novell
    Directory Services or Binderies.

61
L2TP Tunnel Lab Diagram
[Diagram: Net 10.x.1.0 and Net 10.x.2.0 joined by a Router with interfaces 10.x.1.1 and 10.x.2.1. LAC and Terminal Server 10.x.1.2 on the 10.x.1.0 side; LNS, Telnet Server 10.x.2.5, Workstation 10.x.2.128 and RADIUS Server 10.x.2.3 on the 10.x.2.0 side. One RADIUS server is used to select the LNS based on the DNIS, Realm or other information; the other RADIUS server is used to authenticate the user.]
62
L2TP Tunnel Lab Diagram
[Diagram: Net 10.x.1.0, Net 10.x.2.0 and the LAC from the previous slide.]