VPN Technology Advances And Challenges

1
VPN Technology Advances And Challenges

• LILISH M SAKI
• Lmsaki_at_scu.edu
• Santa Clara University
• COEN 329
• Winter 2002

2
AGENDA

• Introduction
• VPN overview and benefits
• Technology behind VPN
• VPN tunneling protocols
• IPsec VPN Implementation details
• Implementation alternatives
• Future challenges
• Conclusion

3
Introduction to VPN

• Earlier organizations used to build WAN - now
  called intranets, through dedicated leased
  lines/ATM/frame relay to connect their different
  branches and offices.
• In addition, some organizations selectively open
  their WAN access to partners to provide extranet
  services.
• Proves costly for many organization to support
  these kind of intranet/extranet architecture.

4
Introduction to VPN (Contd.)

• Also for mobile workers to log in to a dial-up
  intranet, he/she must call into a company's
  remote access server using either a 1-800 number
  or a remote number.
• Incurs long distance telephone charges. Virtual
  private network (VPNs) utilize public network,
  like internet, to carry private communications
  safely and inexpensively.  .
• Very useful for many organizations looking to
  both expand their networking capabilities and
  reduce their costs.

5
Introduction to VPN (Contd.)

• Telecommuters and those who travel often might
  find VPNs to be a more convenient way to stay
  "plugged in" to the corporate intranet.
• A VPN can support the same intranet/extranet
  services as a traditional WAN, but VPNs are most
  popular for their support of secure remote access
  service.

6
VPN Overview
Local ISP
LAN
VPN Tunnel
Remote user
Secure VPN Connection
Dedicated link to ISP
Companys Authentication server
Public Network
7
VPN Overview (Contd.)

• The diagram above illustrates a VPN remote access
  solution. A remote user (client) wants to log
  into the company LAN.
• The VPN client uses local ISP to connect into the
  authentication server of his company.
• The server authenticates the client, upon which
  he can now communicate with the company network
  just as securely over the public network as if it
  resided on the internal LAN.

8
VPN Overview (Contd.)

• A small remote office can also be connected this
  way, which does not have permanent connection to
  corporate intranet. In this case, remotes
  offices server establishes VPN connection with
  the corporate server.
• In the above process of establishing connection,
  a VPN tunnel is created between the remote user
  and the authentication server through internet.

9
VPN Overview - Tunneling

• Tunneling is needed because internet, though
  cost-effective, basically is public shared
  network and its not suitable in its natural state
  for secure transactions or private
  communications.
• In tunneling instead of sending a frame as it is
  produced by the originating node, the tunneling
  protocol encapsulates a data packet within a
  normal IP packet for forwarding over an IP-based
  network and routed between tunnel endpoints.

10
Common uses of VPNs

• There are three main uses of VPN
• Intranet VPNsAllow private networks to be
  extended across the internet or other public
  network service in a secure way. Intranet VPNs
  are sometimes referred to as site-to-site or
  LAN-to-LAN VPNs.
• Extranet VPNs Allow secure connections with
  business partners, suppliers and customers for
  the purpose of e-commerce. Extranet VPNs are an
  extension of intranet VPNs with the addition of
  firewalls to protect the internal network.

11
Common uses of VPNs (Contd.)

• Remote access VPNs Allows individual dial-up
  users to connect to a central site across the
  internet or other public network service in a
  secure way. Remote access VPNs are sometimes
  referred to as dial VPNs.
• Secure Intranets Internally Intranets can also
  utilize VPN technology to implement controlled
  access to individual subnets on the private
  network. In this mode, VPN clients connect to a
  VPN server that acts as a gateway to computers
  behind it on the subnet.

12
Common Uses of VPNs
Three uses of VPN are shown in the following
diagram
13
VPN Benefits

• Low cost.
• Eliminates the need for expensive long-distance
  leased lines.
• With VPNs, an organization needs only a
  relatively short dedicated connection to the
  service provider.
• This connection could be a local leased line
  (much less expensive), or it could be a local
  broadband connection such as DSL service.

14
VPN Benefits (Contd.)

• Dial-in VPNs reduces costs by lessening the need
  for long-distance telephone charges for remote
  access.
• Lower costs through offloading of the support
  burden. With VPNs, the service provider rather
  than the organization must support dial-up access
  for example.

15
VPN Benefits (Contd.)

• Scalability
• The cost to an organization of traditional leased
  lines may be reasonable initially but can
  increase exponentially as the organization grows.
• Four branch offices require six lines for full
  connectivity, five offices require ten lines, and
  so on.

16
VPN Benefits (Contd.)

• In a traditional WAN this explosion limits the
  flexibility for growth. VPNs that utilize the
  internet avoid this problem by simply tapping
  into the geographically-distributed access
  already available.
• Due to the ubiquitous nature of ISP services, it
  is possible to link even the most remote users or
  branch offices into the network.

17
Basic VPN requirements

• At a minimum, a VPN solution should provide all
  of the following
• User Authentication The solution must verify a
  user's identity and restrict VPN access to
  authorized users. In addition, the solution must
  provide audit and accounting records to show who
  accessed what information and when.
• Address Management The solution must assign a
  client's address on the private net, and must
  ensure that private addresses are kept private.

18
Basic VPN Requirements

• Data Encryption Data carried on the public
  network must be rendered unreadable to
  unauthorized clients on the network.
• Key Management The solution must generate and
  refresh encryption keys for the client and
  server.

19
Basic VPN Requirements

• Multiprotocol Support The solution must be able
  to handle common protocols used in the public
  network. These include Internet Protocol (IP),
  Internet Packet Exchange (IPX), and so on.
• security negotiation and complex filtering.

20
Basic VPN Requirements (Contd.)

• ManagementClient-based software should be as
  transparent as possible. VPN carriers will
  require new management tools in order to simplify
  the configuration and monitoring of a corporate
  customer's VPN.
• Further emerging requirements like QoS, CoS,
  etc., will be discussed later on.

21
Technology behind VPN

• A VPN is essentially a software technique to
  route private traffic on public internet.
• Three functions form basis of VPN.
• Packet encapsulation - Tunneling.
• Encryption.
• Authentication.
• Scope of Encapsulation and Encryption.
• Next slide shows layout of IP header.
• Each part of IP packet has security exposures if
  sent in clear over the internet.

22
Technology behind VPN

• The threats mentioned below, requires us to
  encrypt the entire packet when sending packets
  over internet.

IP Packet and security threats.
Other header
User data
IP Header
Passwords, userID, credit card info, all other
data
Src. And dest. Address, other information
Information useful to hackers
23
Encryption Concepts

• Privacy of the information sent over VPN is
  ensured by encryption.
• Encryption is a technique of scrambling (into
  cipher text) and unscrambling information (back
  to clear text ).

24
Encryption Concepts

• Asymmetric public key cryptography normally used
  for encryption and decryption.
• Encryption Algorithms.
• DES (56 bit key length).
• 3DES (168 bit key length).
• AES (Advanced Encryption standard) newest
  algorithms supporting.

25
Authentication Concepts

• Authentication basically answers following
  question.
• Are you really who you say you are ?
• There are two types of authentication
  User/System Authentication and Data
  Authentication.
• User/System Authentication
• Verifying that the person or system is indeed
  the one who claims to be.
• A Common technique is to send a challenge to
  other side by sending a random number.

26
Authentication Concepts (Contd.)

• The challenged side returns a value by encrypting
  the random number using key only known to
  challenged side.
• The challenger decrypts the returned value, and
  if it matched original number, challenged party
  is termed as authentic.

27
Authentication Concepts (Contd.)

• Data Authentication
• This verifies that the packet has not be altered
  during its trip over the internet.
• A typical technique done before encryption is
  that the sender calculate a number ,called a
  hash, based on data content and append it to the
  data packet.
• Receiver decrypts the packets, calculates the
  hash independently and compared this receiver
  calculated hash with the hash appended to the
  data.
• If both hash do not match, data has been altered
  and receiver rejects it.

28
Tunneling Basics

• Encrypting IP header is not enough since
  intermediate routers would not be able to read
  destination address.
• Tunneling protocol encapsulates the frame in an
  additional header.

29
Tunneling Basics

• The additional header provides routing
  information so that the encapsulated payload can
  traverse the intermediate internetwork.
• Tunneling includes this entire process
  (encapsulation, transmission, and de-capsulation
  of packets.

30
Tunneling Basics
Tunnel End Points
Tunnel
Tunneled Payload
Payload
Tunneling
31
Tunneling Basics (Contd.)

• The logical path through which the encapsulated
  packets travel through the internetwork is called
  a tunnel.
• Once the encapsulated frames reach their
  destination on the internetwork, the frame is
  un-encapsulated and forwarded to its final
  destination.

32
Tunneling Basics (Contd.)

• Tunneling technology can be based on either a
  Layer 2 or Layer 3 tunneling protocol.
• Layer 2 Tunneling protocols PPTP, L2TP, L2TF.
• Layer 3 Tunneling Protocols IP over IP and IPSec
  (Tunnel Mode).
• The next slide shows the comparison table of
  features that each of above protocol support and
  then individual protocols are discussed.

33
Tunneling Protocols Features Comparison
34
Tunneling Protocols Comparison

• Each of above features is critical in determining
  the implementation of various VPN protocols.
• IPSec is gaining more and more support from
  vendors because of its security, however issues
  like user authentication and multi-protocol
  support are still there and work is going on to
  resolve this issues.
• PPTP and L2TP lacks machine and packet
  authentication as standard which makes this
  protocols vulnerable and much less secure than
  IPSec.

35
Appropriate Protocol Use
X denotes it supports
36
Tunneling Protocols PPTP

• PPTP protocol is built on the top of PPP and
  TCP/IP.
• PPTP tunneling makes use of two basic packet
  types data packets and control packets.
• PPTP is a Layer 2 protocol that encapsulates PPP
  frames in IP datagrams for transmission over an
  IP internetwork, such as the Internet.

37
Tunneling Protocols PPTP

• Control packets are used for status inquiry and
  signaling information and is sent over TCP
  connection.
• Data portion is sent using PPP encapsulated in
  Generic Routing Encapsulation (GRE) V2 protocol.
• GRE protocol allows for encapsulation for
  arbitrary data packets within arbitrary transport
  protocol.
• Such as IPX, NetBEUI, TCP.

38
Tunneling Protocols PPTP (Contd.)
The PPTP Standard
Media Header
IP Header
GRE Header
PPP Header
User DATA
What is GRE ?
Delivery Protocol
GRE Header
Payload Protocol
Information (x -octets)
39
PPTP Security

• Security of PPTP has been enhanced to support RAS
  (Remote access server) which supports MS-CHAP,
  RSA RC 4 encryption.
• It does not intrinsically include any encryption
  and authentication mechanisms.
• There is no packet authentication and in general
  it is much weaker then IPSec and thus much more
  susceptible to attack.

40
Tunneling Protocols L2TP

• L2TP is standards based combination of two
  proprietary Layer 2 tunneling approaches.
• It combines best parts of Microsofts PPTP and
  Ciscos L2F.
• Main difference between L2TP and PPTP is that
  L2TP combines data and control channels and runs
  over UDP as opposed to TCP.
• More firewall friendly than PPTP since UDP is
  faster and also two channels are combined.

41
Tunneling Protocols L2TP

• Crucial advantage on extranet VPN applications.
• L2TP supports non-Internet based VPNs including
  frame relay, ATM, and Sonet.
• In L2TP PPP connection is tunneled using IP
  between LAC-LNS pair.
• LAC L2TP access concentrator.
• LNS L2TP Network server.

42
L2TP Encapsulation
The L2TP Standard
Media header
IP Header
UDP header
L2TP Header
PPP Header
User Data
43
L2TP Security

• L2TP doesnt intrinsically include encryption
  support.
• However, secure functionality of IPSec can be
  used to secure the L2TP tunnel.
• L2TP is more suitable for multiprotocol support
  and remote access VPN.

44
Tunneling Protocols - IPSec

• IPSec is open standard layer 3 security protocol
  that protect IP datagrams.
• IPSec has many components (including some still
  in development), but they boil down to just two
  main functions authentication and encryption.
• It Provides robust, extensible mechanism in
  which to provide security to IP and upper layer
  protocols like UDP and TCP.

45
Tunneling Protocols IPSec (Contd.)

• It protects IP datagrams by specifying the
  traffic to protect, how the traffic is protected,
  and to whom the traffic is sent.
• IPsec can protect IP datagrams between hosts,
  network security gateways (firewalls, routers),
  and between hosts and security gateways.

46
IPSec security features

• Data origin authentication Ensures that received
  data is same as sent data and that recipient
  knows who sent that data.
• Data integrity Ensures that data is transmitted
  without alteration.
• Relay protection It offers partial sequence
  integrity.
• Data Confidentiality It ensures that no one can
  read the sent data, possible by using the
  encryption algorithms.

47
IPSec Components

• IPSec provides following components.
• Encapsulating Security Payload (ESP) Provides
  data origin authentication, relay protection,
  data integrity and data confidentiality.
• Authentication Header (AH) Provides data origin
  authentication, relay protection, data integrity.
• Internet Key Exchange (IKE) Provides key
  management and security association (SA)
  management.

48
Encapsulating Security Payload (ESP)

• ESP provides authentication, integrity,
  confidentiality which protects against data
  tampering and message content protection.
• IPSec provides open framework for standard
  algorithms like MD5, SHA.
• ESP also provides encryption services in IPSec.
• Encryption/Decryption allows the sender and
  authorized receiver to read the data.

49
Encapsulating Security Payload (ESP) Contd.

• ESP also has option called ESP authentication.
• Provide authentication and integrity to IP
  payload not to the IP header.
• The ESP header is inserted into the packet
  between the IP header and any subsequent packet
  contents.
• ESP does not encrypt the ESP header and the ESP
  authentication.

50
ESP format
Original Packet
IP Header
TCP
Data
Packet with ESP
ESP Authentication
IP Header
ESP Header
ESP Trailer
Data
TCP
Encrypted
Authenticated
51
Authentication Header (AH)

• AH provides authentication and integrity, which
  protects against data tampering using the same
  algorithms as ESP.
• One drawback of AH is that is does not protect
  datas confidentiality.
• If data is intercepted and only AH is used, the
  message contents can be read.
• For the added protection in certain cases, both
  AH and ESP can be used.

52
Authentication Header (AH) Contd.

• These two protocols can be used alone or combined
  depending on type of application required and
  security needed.
• One subtle difference explaining why AH is
  preferred over ESP is the scope of coverage of
  authentication.
• AH authentication includes IP header information
  while ESP does not include that.
• The authentication header is inserted between the
  IP header and any subsequent packet contents.

53
AH format
Original Packet
IP Header
TCP
Data
Packet with IPSec AH
IP Header
Data
AH
TCP
Authenticated
54
IPSec Modes

• There are two modes of IPSec - Transport and
  Tunnel mode.
• Transport mode protects upper layer protocols.
• Tunnel mode protects entire IP Datagrams.
• In Transport mode, an IPSec header is inserted
  between IP header and the upper layer protocol
  header.

55
IPSec Modes (Contd.)

• In Tunnel mode, the entire IP packet to be
  protected is encapsulated in another IP datagram
  and the IPSec header is inserted between the
  outer and inner IP headers.
• Both AH and ESP can be operate in either tunnel
  mode or transport mode.
• Next four slides show two modes of IPSec and its
  implementations under ESP and AH.

56
IPSec Modes (Contd.)
Two Modes of IPSec
Source A
Destination B
Internet
Security Gateway2
Security Gateway1
Tunnel Mode
Transport Mode
57
ESP Transport Mode
IPSec ESP Transport Mode
1- Authenticated 2- Encrypted
Original IP Header
Original Packet
TCP
Data
Tunnel Mode Packet
STD. IP Header
ESP header
Optional ESP authentication
TCP
Data
ESP Trailer
Security Parameter Index (SPI )
ESP Header
1
Sequence number
TCP data
Payload Variable size
2
ESP Trailer
Padding
Pad len
Next Hdr
Authentication data
58
ESP Tunnel Mode
IPSec ESP Tunnel Mode
1- Authenticated 2- Encrypted
Original IP Header
Original Packet
TCP
Data
Tunnel Mode Packet
New IP Header
ESP header
Optional ESP authentication
Original IP Header
TCP
Data
ESP Trailer
Security Parameter Index (SPI )
ESP Header
1
Sequence number
IP Hdr, TCP data
Payload Variable size
2
Padding
Pad len
Next Hdr
ESP Trailer
Authentication data
59
AH Transport/Tunnel Mode
AH Transport/Tunnel Mode
Orig IP Header
Original Packet
TCP
Data
Transport mode packet
Orig IP Header
TCP
Data
AH
New IP Header
Orig IP Header
Tunnel Mode Packet
AH
TCP
Data
Next Header
Payload len
Reserved
Security Parameter Index (SPI )
Sequence number
Authentication data
60
Identity and IPSec Access Control

• In LAN- to-LAN and remote access VPNs it is
  important that devices are identified in a secure
  and manageable way.
• In remote access VPN device authentication as
  well as user authentication occurs.
• Device authentication uses either a pre-shared
  key or digital certificate to provide identity of
  the device.
• Preshared key management is done through Internet
  key exchange (IKE) protocol.

61
IPSec Security association

• IPSec introduces the concept of Security
  association (SA).
• An SA is a logical connection between two devices
  transferring data.
• An SA provides data protection for unidirectional
  traffic by using defined IPSec protocols.

62
IPSec Security association (Contd.)

• An IPSec tunnel typically consists of two
  Unidirectional SAs, which together provide a
  protected full duplex data channel.
• An SA allows an enterprise to control exactly
  what resources may communicate securely according
  to security policy.
• Enterprise can select multiple SAs to enable
  multiple secure VPNs to support different
  departments and different business partners.

63
IPSec Security association (Contd.)

• SA can be constructed manually or dynamically via
  IKE.
• When created dynamically SA have lifetime
  associated with them that is negotiated between
  IPSec peers by the key management protocol.
• The IPSec SA specifies
• The mode and keys for AH authentication
  algorithm.
• The mode and keys for ESP encryption algorithm.

64
IPSec Security association (Contd.)

• The protocol, algorithm and key used to
  authenticate VPN communication.
• The protocol, algorithm and key used to encrypt
  VPN communication.
• The presence and size of any cryptographic
  synchronization to be used.
• The change interval of keys.
• The time to live of keys.
• The time to live of SA itself.
• The SA source address.

65
IPSec Architecture
IPSec Architecture
AH Protocol
ESP Protocol
Authentication Algorithm
Encryption Algorithm
Domain of Interpretation (DOI) specifies a SA
Key Management
66
Internet Key Exchange (IKE)

• IKE establishes shared security parameters and
  authentication keys between the IPSec peers,
  including all information in SA.
• Operates under framework defined by ISAKMP
  (Internet security association and key management
  protocol).
• IKE has two phases, phase one and phase two.
• Phase one
• Is designed to exchange master secret. Its
  cryptographic operations are very processor
  intensive.
• Master secret is used to derive keys.

67
IKE (Contd.)

• Phase one does not establish any SAs of the keys
  for protecting the user data.
• Phase one operations are performed infrequently,
  and single phase negotiation can support Phase 2
  exchanges.
• Phase two
• Phase two exchanges negotiate the SAs and the
  encryption keys that will be be used to protect
  user data.
• Phase 2 negotiations occurs more frequently that
  phase one negotiations typically every few
  minutes so that hackers do not have time to break
  the encryption keys.

68
Two phase of IKE
Two Phases of IKE
IPSec Node
IPSec Node
IPSec Node
IPSec Node
Phase 1 Establishing Secure channel IKE SA
Phase 2 Negotiate General Purpose SAs
69
L2TP with IPSec (Transport Mode)

• Integrating L2TP with IPSec offers the ability to
  L2TP as the tunneling protocol but secure the
  data using IPSec.
• Using L2TP gives increased manageability with
  user authentication for client to LAN connection
  and multiprotocol support.
• Interoperability with vendors is better that just
  IPSec alone.
• One drawback is that it will not pass through NAT.

70
Authentication within IPSec

• In small fixed VPN, IPSec authentication can rely
  on shared secrets.
• Devices are configured to share secret data upon
  which data encryption is based.
• This authentication is practical for only small
  VPNs with few links to multiple nodes.
• To ensure scalability and best possible security,
  the VPN solution can be integrated with a
  Certificate Authority (CA) in Public key
  infrastructure (PKI).

71
Authentication within IPSec (Contd.)

• PKI provides a standard, secure and scalable
  means of verifying user and system identities on
  a network.
• The CA is responsible for issuing and maintaining
  digital certificates for users of VPNs as well as
  for VPN devices themselves.
• With a CA, scaling is much easier when using PKI
  on the VPN, because for each new user or device,
  simply a new certificate is issued.
• Keys can be easily managed, updated and backed up
  from a central location.

72
User/Device Authentication with Digital
Certificates

• A digital certificate contains
• Serial number of the certificate
• Issuer algorithm information
• Valid to/from date
• User public key information
• Signature of issuing authority (CA)

0000123 SHA, DH, 3837829 1/1/93 to
12/31/98 Alice Smith, Acme Corp DH, 3813710
... Acme Corporation, Security Dept. SHA, DH,
2393702347 ...
73
Authenticating IPSec VPN with RADIUS

• IPSec as proposed doesnt include user
  authentication
• Many vendors include in their VPN products with
  the RADIUS (Remote Authentication Dial-In User
  Service ) authenticating mechanisms
• RADIUS coordinates authentication and
  authorization information between a network
  access server (VPN switch) and a central
  authentication and authorization server (RADIUS
  Server)

74
VPN Implementation alternatives

• There are many VPN solutions available they cover
  a range of price-performance, of capacity and of
  installation and configuration complexity.
• Following are four categories in which they can
  be divided.
• Traditional or legacy VPN products.
• Outsourced VPNs.
• Low end VPNs/firewall products.
• Point and click VPN Services.

75
Implementation alternatives- Traditional or
legacy VPNs

• Traditional or legacy VPN products
• Most first generation VPN products fall into this
  category.
• VPN function is typically add-on to router, to a
  LAN switch or to firewall.
• Often leads to hardware upgrade supporting it.
• Optimized for large businesses.
• Legacy VPN products category includes PC based
  software solutions targeted at smaller users.
• These VPN solutions need significant expertise to
  design, install, operate and support.

76
Implementation alternatives- Outsourced VPNs

• Outsourced VPNs There are two subcategories.
• a)VPN service from ISP or NSP
• With a managed service offering complete
  solution from installation to technical support
  is provided.
• Important issue here is availability of managed
  service in all geographical location where
  customer wants to deploy VPN.

77
Implementation alternatives- Outsourced VPNs
(Contd.)

• b) Managed VPN Service from a Reseller/Solution
  Provider
• Solution providers package services from multiple
  service provider to provide solution covering all
  geographical region.
• Cost, availability and technical support are
  issues here.
• More flexibility that ISP/NSP solution.

78
Implementation Alternatives Low End
VPNs/Firewall appliances

• Low end firewall VPN devices
• These are designed for small to medium size
  enterprise and are purpose built (dedicated to
  VPN gateway function ).
• May use PC processors or specialize processors.
• They may include co-processors for offloading the
  encryption function to a separate chip.
• These appliances may include additional functions
  like firewall, increasing their complexity.
• Simpler then router, Firewall-based VPN hence
  generally less prone to problems and easier to
  diagnose.

79
Implementation Alternatives Point and click
services.

• Point and Click Services
• This solution is independent of ISP and allows
  customers to use their existing hardware.
• Key feature of this solution is that customer
  does not have to get involved in designing,
  configuring and supporting the VPN.
• Customer logs onto service provider web site and
  registers key information about each site that is
  to be part of VPN(such as site name and IP
  address).
• Solution providers NOC then automatically
  creates appropriate VPN configurations based on
  user provided information and configures users
  VPN Gateways and monitors it.

80
VPN Future Challenges

• Quality of Service (QoS), will become the next
  goals for VPNs.
• The Internet is an inherently "best effort"
  delivery system. While powerful for connectivity,
  it lacks the consistent and assured performance
  required for the effective delivery of business
  applications.
• The biggest drawback to traditional QoS is its
  inability to prioritize encrypted packets, making
  it virtually unusable in VPN environments.

81
VPN Future Challenges

• Traditional QoS relies on the use of individual
  IP packet fields to differentiate and prioritize
  packets.
• IPSec and other encryption technologies protect
  data by making most of the IP packet fields
  unreadable.
• Encryption leaves only three fields available for
  packet differentiation, IP source address, IP
  destination address, and protocol.

82
VPN Future Challenges (Contd.)

• Differentiating on the basis of source IP address
  and destination IP address is not viable
  solution.
• Source IP address can dynamically be different
  each time.
• Destination IP address can be just VPN gateway.
• VPN deployments require a new approach to QoS
  which can beat above problem.

83
Limitations of Traditional QoS devices for VPNs
84
Future Challenges QoS for VPN

• Some approaches have been proposed by vendors
  like Cisco and more recently Centrisoft
  Corporation.
• These efforts aim in controlling traffic at the
  application level prior to IPSec packet
  encryption to avoid the issue of having to
  prioritize encrypted packets.
• Centerwise implements QoS via a distributed
  architecture that provides control at the source
  of trafficthe user desktop.

85
Future Challenges QoS for VPN
Centrisoft approach
86
Future Challenges (Contd.)

• Instead of looking at individual packets, it
  attempts to control the flow of applications at
  the desktop, where traffic originates.
• Cisco proposes QoS solution for VPN based on
  packet classification before encryption.
• Once packets are classified the next step is to
  "mark" or "color" packets with a unique
  identification to ensure that this classification
  is respected end to end.
• This can be done via the IP ToS field in the
  header of an IP datagram.

87
Future Challenges (Contd.)

• QoS is still not fully implemented for IP and
  work is still going on. QoS for VPN will be one
  of the key requirements and development is still
  going on to support fully.
• Need for Traffic Classification, Policing /
  Shaping, Bandwidth Allocation, and Congestion
  Avoidance are all somewhat related to QoS.
• Other challenges include security of VPNs, though
  many secure mechanisms are available, properly
  applying them and managing is must.

88
Future Challenges (Contd.)

• Emerging technologies is Virtual private routing
  services (VPRS) which promises to greatly
  benefit customer since it will provide bridging
  and routing capabilities, VLANs, directory
  services and bandwidth critical applications.
• Focus will fall more and more on delivering
  quality of service (QoS) and class of service
  (CoS) over IP networks as part of a VPN.
• As voice and data services merge into one (voice
  over IP, IP fax), new network services are being
  developed to offer the QoS/CoS required for data,
  telephony and fax.

89
Conclusion

• Different VPN protocols have their own advantages
  and disadvantages.
• Of all VPN protocols IPSec provides strongest
  security and is best suitable for any
  gateway-to-gateway scenario.However, IPSec
  doesnt feature user authentication and have
  multiprotocol support.
• IETF IPSec remote access working group (IPSRA) is
  working on to make IPSec interoperable with
  legacy devices and in general wider support.

90
Conclusion

• PPTP and L2TP provide multiprotocol support and
  have user authentication but they security is
  weaker that IPSec and also they lack machine
  authentication.
• Until, all the problems for common solution are
  ironed out a single protocol cannot fulfill every
  customers requirement.
• VPN technology will continue to evolve and
  benefit us in coming years. With future support
  for QoS/CoS and integration with other
  technologies like VoIP and multimedia, true
  potential of VPN capabilities will be realized.

91
References

• RFC 2401 Security architecture for Internet
  Protocol.
• RFC 2402 IP Authentication Header.
• RFC 2406 IP Encapsulating Security Payload.
• RFC 2409 Internet Key Exchange IKE.
• RFC 2411 IP Security document roadmap.
• www.enterasys.com White paper - Virtual Private
  network a technology overview.
• www.cisco.com White paper SAFE VPN an IPSec
  Virtual private network in depth.
• www.networkcomputing.com Authenticating VPNs
  with RADIUS.
• www.centricitysoftware.com White paper A QoS
  breakthrough for VPN.
• www.techguide.com Technology guide- A practical
  guide to right VPN solution.
• www.cid.alcatel.com White paper - PKI and VPN
  enabling security in increasingly networked
  world.
• www.smartpipes.com White paper - IPSec-based
  VPNs.
• www.3com.com Virtual private networks Internet
  based VPNs.
• www.getesuite.com VPN tunneling basics.
• www.cisco.com White paper Quality of Service
  for virtual private networks.