Virtual Private Networks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Virtual Private Networks


1
Virtual Private Networks
  • BAD 64046
  • Vladislav Hrosinkov
  • 4/30/2003

2
Traditional Corporate WAN
  • Traditional corporate WANs are built using
    private lines or private Frame Relay/ATM
  • The remote access needs are accommodated by
    remote access servers and modems. The users dial
    in through the public switched telephone network.

3
Traditional corporate WAN
  • Main advantages
    • Predictable bandwidth
    • Security and privacy
  • Main disadvantages
    • High telecommunication costs
    • Not easily scalable

4
Virtual Private Network
  • Definition - A VPN is a private network
    constructed within the public Internet
  • Goals
    • Connect private networks using shared public
      infrastructure
    • Simplify distributed network creation
  • Desirable properties
    • Security: an obvious issue, because a public
      network (the Internet) becomes a physical part of
      the private network
    • Quality of service guarantees

5
VPN Architectures
  • Site-to-site intranet VPNs - Connect different
    networks.
  • A VPN gateway is located at the boundary between
    a private corporate network and the public
    Internet

6
VPN Architectures
  • Remote access VPNs - Enable remote connectivity
    using any Internet access technology. The remote
    user launches the VPN client to create a VPN
    tunnel to the gateway

7
VPN Architectures
  • Extranet VPNs - Provide customers and suppliers
    with access to the corporate LAN. VPN tunnels are
    created through the Internet between the
    corporate gateway and a gateway or a client
    located in a partner's network

8
Tunneling
  • Tunnel - A logical link between the tunnel client
    and the tunnel server; the path through which the
    packets travel
  • Tunneling is the process of encapsulating a packet
    (placing an entire packet within another packet,
    which provides the routing information) and
    sending it over the Internet.
  • Tunnels serve three major purposes in VPNs:
    • To enable different protocols to be transported
      over IP
    • To route privately addressed packets through the
      Internet
    • To provide data integrity and confidentiality

9
Tunneling
  • Example - If node C takes the original packet and
    places it completely within a new packet
    addressed for node G, the nodes D, E and F would
    not know the original destination I.
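
The encapsulation on slides 8 and 9, worked through as an added example (not part of the original presentation). It uses plain IP-in-IP (protocol 4) as the simplest tunnel; the addresses for the sender and for nodes C, G and I are constructed, taken from private and documentation ranges.

```python
import socket
import struct

IPIP = 4  # IANA protocol number for IP-in-IP encapsulation

def checksum(header: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_header(packet: bytes) -> dict:
    """The fields a router on the path reads from the first 20 bytes."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "length": f[2]}

def encapsulate(inner: bytes, entry: str, exit_: str) -> bytes:
    """Tunnel entry (node C): the whole original packet becomes the payload."""
    return ipv4_packet(entry, exit_, IPIP, inner)

def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit (node G): verify the outer header, then strip it."""
    if parse_header(outer)["proto"] != IPIP or checksum(outer[:20]) != 0:
        raise ValueError("not a valid IP-in-IP packet")
    return outer[20:]

# Constructed addresses: private hosts behind the gateways, documentation
# ranges for the gateways' public sides.
SENDER, NODE_I = "10.1.0.5", "10.2.0.9"
NODE_C, NODE_G = "198.51.100.1", "203.0.113.1"

if __name__ == "__main__":
    original = ipv4_packet(SENDER, NODE_I, 17, b"payroll record")
    tunneled = encapsulate(original, NODE_C, NODE_G)
    print("D, E, F route on:", parse_header(tunneled))   # only C -> G is visible
    print("G delivers:      ", parse_header(decapsulate(tunneled)))
    print("overhead bytes:  ", len(tunneled) - len(original))
```

Encapsulation alone only keeps the inner header out of routing decisions; the inner packet stays readable on the wire until a protocol such as IPSec ESP in tunnel mode encrypts it.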

10
Tunneling protocols
  • PPTP (Point-to-Point Tunneling Protocol)
    • Developed by Microsoft and other companies
    • Layer 2 protocol
    • Uses the GRE (Generic Routing Encapsulation)
      protocol for encapsulation
    • Voluntary tunneling (the VPN client manages
      connection setup)
    • Disadvantage: does not provide strong encryption

11
Tunneling Protocols
  • L2F (Layer 2 Forwarding Protocol)
    • Developed by Cisco and other vendors
    • Layer 2 protocol
    • Compulsory tunneling: no VPN client; the Internet
      service provider manages the VPN connection.
    • Can use any packet-oriented protocol for
      encapsulation
    • Tunnels can support more than one connection
    • Disadvantage: does not define encryption for the
      encapsulated packet.

12
Tunneling Protocols
  • L2TP (Layer 2 Tunneling Protocol)
    • Combines features of the previous two to overcome
      their shortcomings and become a standard
    • Supports both voluntary and compulsory tunneling
    • Has its own encapsulation protocol
    • Again, lacks good security features.
    • The current L2TP draft standard recommends that
      IPSec be used for encryption and key management
      in IP environments.

13
Tunneling Protocols
  • IPSec
    • Probably the most important protocol used in VPNs
    • Layer 3 protocol.
    • Provides the sender with the opportunity to
      authenticate or encrypt (or both) each IP packet.
    • Two methods of using IPSec (modes):
      • Transport mode: only the transport-layer segment
        of an IP packet is authenticated or encrypted
      • Tunnel mode: the entire packet is authenticated
        or encrypted.

14
Tunneling Protocols
  • IPSec (cont.)
    • Supports the AH (Authentication Header) protocol
      for per-packet authentication.
    • Supports the ESP (Encapsulating Security Payload)
      protocol for authentication, encryption and
      anti-replay.
    • Either one or both can be used
    • Uses a number of standardized cryptographic
      technologies
    • Supports both manual key exchange and the IKE
      (Internet Key Exchange) protocol for automated
      key management.
    • IPSec is considered the best VPN solution for
      IP environments

15
VPNs - Performance
  • IPSec solves the problem of VPN security, but
    performance remains an issue.
  • VPN performance depends on:
    • The speed of transit through the Internet:
      the public Internet cannot provide guaranteed
      levels of response time and reliability. Some
      service providers offer quality of service
      agreements.
    • The efficiency of the VPN processing at each end
      of the connection. Encapsulation and encryption
      require adding data fields to each packet, which
      means longer packets and a likelihood of
      fragmentation. Encryption is very computationally
      intensive and must be performed on products that
      are optimized for these functions.

16
VPN Gateways
  • A key element of a VPN
  • Sit between the public and private networks,
    preventing intrusions
  • Can also perform tunneling and encryption
  • Generally fit into one of the following
    categories: routers, firewalls, integrated
    hardware, software.
    • Routers: usually preferred for high-throughput
      VPNs
    • Firewalls: can provide tunneling and encryption
      only on small VPNs with low traffic
    • Integrated hardware: some of them provide very
      high throughput and number of tunnels.
    • Software gateways: usually low-cost solutions
      for small VPNs

17
VPNs - Advantages
  • Eliminate the need for expensive private or
    leased lines
  • Reduce the long-distance telephone charges
  • Reduced equipment costs (modem banks, CSU/DSUs)
  • Reduced technical support
  • Scalability: easy adding of new locations to the
    VPN
  • Security

18
VPNs - Disadvantages
  • Require an in-depth understanding of public
    network security issues and taking proper
    precautions in VPN deployment
  • The availability and performance of a corporate
    VPN (over the Internet) depend on uncontrollable
    external factors.
  • Shortage of standardization. The products from
    different vendors may not work well together.
  • VPNs need to accommodate complicated protocols
    other than IP

19
VPNs - Global Market
  • 1997-2001
  • In 2000: VPN Hardware 1.2 B, VPN Services 5.1 B
  • Source: Infonetics Research, June 2000

20
VPN Market - Major Players
  • Check Point 62%
  • Nortel 15%
  • NetScreen 6%
  • Avaya 4%
  • Source: Data Monitor, June 2001

21
VPNs - Some Implications
  • Facilitate place-displacement work
  • Facilitate the creation of virtual corporations

22
VPNs - Future?
  • Forecasts predict fast growth in the next 5 years
  • The future of VPNs depends mainly on the savings
    they provide
  • What if the telecommunication costs continue to
    drop?

23
Sources
  • Yuan, R., Strayer, T. Virtual Private Networks,
    2001.
  • Mairs, J. VPNs: A Beginner's Guide, 2002.
  • VPN Tutorial,
    http://www.iec.org/online/tutorials/vpn/
  • Virtual Private Networks, research of Infonetics
    Inc.
  • http://www1.avaya.com/enterprise/whitepapers/vpnetworkswp.pdf

24
  • Questions?