Page 1

NETWORLD+INTEROP 98 Tokyo Internet Roaming, Workshop W875

Virtual Private Networks (VPNs)

Tunneling, VPNs and Roaming

Page 2

Defining Some Terms

- Intranet: Internal corporate applications using Web and Internet technology
- Extranet: Extends an Intranet to include customers, suppliers and partners
- Remote Access: Uses the Internet to link telecommuters and mobile workers to the company Intranet

Page 3

Tunneling Defined

Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.

Page 4

Tunneling Explained

- Tunneling is encapsulating one protocol in another
- Tunnels provide routable transport for unroutable packets (encrypted, illegal addressing, non-supported protocols)
- Tunneling itself provides no security

Page 5

One way to communicate…

(Diagram: three sites, Los Angeles HQ, New York and Boston, each with a CSU/DSU, Router and Firewall on its LAN; dial-in users reach a Remote Access Server over the PSTN; Web Sites are reached over the Internet.)

Page 6

Another view of network possibilities...

A Virtual Private Network

(Diagram: the Los Angeles, New York and Boston sites each add a VSU-1000 beside the CSU/DSU, Router and Firewall, and are linked to each other, to Web Sites and to Remote Clients (VPNremote) across the Internet; a VPNmanager is shown alongside the VSU-1000 units.)

Page 7

Tunneling Illustrated

(Diagram: Workstation X behind Router A, Workstation Y behind Router B, with a Tunnel between the two routers.)

- Step 1. Original, unroutable IP packet (dest Y) sent to router
- Step 2. Original IP packet encapsulated in another IP packet (original IP packet carried inside a new IP packet) and sent through the tunnel
- Step 3. Original packet extracted, sent to destination (original IP packet, dest Y)
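As an added worked example (not code from the workshop slides), the three steps above done as IP-in-IP encapsulation in Python: Workstation X (10.0.0.10) and Y (10.0.1.20) use private, unroutable addresses, while Router A (203.0.113.1) and Router B (198.51.100.1) are the routable tunnel endpoints; all addresses and the payload are constructed sample values.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ip(packet: bytes):
    """Return (src, dst, proto, payload) after checking version, IHL, length and checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet) or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return src, dst, proto, packet[ihl:total_len]

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation

def encapsulate(inner: bytes, tunnel_src: bytes, tunnel_dst: bytes) -> bytes:
    """Step 2: the whole original packet becomes the payload of a new, routable IP packet."""
    return ip_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> bytes:
    """Step 3: the far tunnel endpoint strips the outer header and forwards the original packet."""
    _, _, proto, inner = parse_ip(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    parse_ip(inner)  # the carried packet must itself be a well-formed IPv4 packet
    return inner

if __name__ == "__main__":
    X, Y = bytes([10, 0, 0, 10]), bytes([10, 0, 1, 20])       # unroutable private addresses
    A, B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])  # routable tunnel endpoints
    inner = ip_header(X, Y, 17, 4) + b"data"                  # Step 1: original packet, dest Y
    outer = encapsulate(inner, A, B)                          # Step 2: routed on A/B addresses
    assert decapsulate(outer) == inner                        # Step 3: original packet recovered
    print("outer src/dst:", parse_ip(outer)[:2], "payload still in clear:", b"data" in outer)
```

The inner packet travels inside the outer one unchanged and in the clear, which is the slide's point that tunneling by itself provides no security; confidentiality has to come from a separate mechanism such as IPSEC.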

Page 8

Types of Tunnels (with thanks to Bernard Aboba)

Two basic types of tunnels:

- Voluntary tunnels: Tunneling initiated by the end-user (requires client software on remote computer)
- Compulsory tunnels: Tunnel is created by NAS or router (tunneling support required on NAS or router)

Page 9

Voluntary Tunnels

- Will work with any network device
  - Tunneling transparent to leaf and intermediate devices
- But user must have a tunneling client compatible with tunnel server: PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
- Simultaneous access to Intranet (via tunnel) and Internet possible
- Employees can use personal accounts for corporate access
- Remote office applications
- Dial-up VPNs for low traffic volumes

Page 10

A Voluntary L2TP Tunnel

(Diagram: a Client Host with a Serial Interface and a PPTP Virtual Interface; Dial IP Access over the PPP access protocol to the Dial Access Provider's Dial Access Server; the VPN Service's PPTP Access Server at the far end of the tunnel.)

Page 11

Compulsory Tunnels

- Will work with any client
  - But NAS must support the same tunnel method
- But… tunneling transparent to intermediate routers
- Network access controlled by tunnel server
  - User traffic can only travel through tunnel
  - Internet access possible, but must be by pre-defined facilities
- Greater control: can be monitored

Page 12

Compulsory Tunnels

- Static tunnels: All calls from a given NAS/Router tunneled to a given server
- Realm-based tunnels: Each tunnel based on information in the NAI (i.e. user@realm)
- User-based tunnels: Calls tunneled based on userID data stored in the authentication system

Page 13

A Compulsory L2TP Tunnel

Page 14

RADIUS Support for Tunnels

- Can define tunnel type
- Can define/limit tunnel end points
- Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
- Additional accounting information: tunnel end points, tunnel ID, etc.
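To make the three compulsory-tunnel selection modes of page 12 and the RADIUS tunnel attributes of page 14 concrete, here is an added example in Python (not code from the workshop or any vendor): a NAS-side policy that decides the tunnel for a call from its Network Access Identifier and then encodes the answer as RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Server-Endpoint attributes. The policy tables, realm names and server host names are constructed placeholders; the attribute numbers and type values are those of RFC 2868.

```python
import struct

# RFC 2868 attribute numbers and the Tunnel-Type / Tunnel-Medium-Type values used below
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_VALUES = {"PPTP": 1, "L2F": 2, "L2TP": 3, "IP-IP": 7, "ESP": 9}
MEDIUM_IPV4 = 1

# Hypothetical NAS/RADIUS policy tables, constructed for this example
STATIC_TUNNEL = None  # e.g. ("L2TP", "lns.example.net") to send every call into one tunnel
REALM_TUNNELS = {"corp.example": ("L2TP", "lns.corp.example"),
                 "partner.example": ("PPTP", "pptp.partner.example")}
USER_TUNNELS = {"alice@corp.example": ("L2TP", "lns2.corp.example")}

def split_nai(nai: str):
    """Split a Network Access Identifier 'user@realm'; realm is None for a bare user name."""
    user, sep, realm = nai.partition("@")
    return user, (realm.lower() if sep else None)

def select_tunnel(nai: str, static=STATIC_TUNNEL, realms=REALM_TUNNELS, users=USER_TUNNELS):
    """Pick (tunnel type, tunnel server) for a call, or None for plain untunneled access.
    Precedence: static tunnel, then per-user data, then the realm part of the NAI."""
    if static:                 # static: all calls from this NAS/router go to one server
        return static
    if nai in users:           # user-based: decided by data held in the authentication system
        return users[nai]
    _, realm = split_nai(nai)
    return realms.get(realm)   # realm-based: decided by the realm in user@realm

def tagged_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one RFC 2868 tagged attribute: Type, Length, Tag, Value."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, len(body) + 2) + body

def tunnel_attributes(tunnel, tag: int = 1) -> bytes:
    """Access-Accept attributes telling the NAS which tunnel to build and where it terminates."""
    ttype, server = tunnel
    return (tagged_attr(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VALUES[ttype])[1:])
            + tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", MEDIUM_IPV4)[1:])
            + tagged_attr(TUNNEL_SERVER_ENDPOINT, tag, server.encode("ascii")))

if __name__ == "__main__":
    for nai in ("bob@corp.example", "alice@corp.example", "bob@isp.example"):
        choice = select_tunnel(nai)
        print(nai, "->", choice, tunnel_attributes(choice).hex() if choice else "(no tunnel)")
```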

Page 15

RADIUS Dial Up Security

Authenticates dial in users at boundary of private network

(Diagram: a Remote User logs in to the RAS at the Boundary of the Private Network; the RAS checks the User Login with the RADIUS Server over the RADIUS Protocol; a Hacker sits outside the boundary.)

Page 16

Protocol Comparison

(Columns: PPTP, L2TP, IPSEC; an X marks support)

Authenticated Tunnels X X

Compression X X X

Smart Cards X X

Address Allocation X X

Multiprotocol X X

Encryption X

Flow Control X

Requires Server X X

Page 17

Layer 2 Tunneling Protocol (L2TP)

(Diagram: a Mobile Employee and a Telecommuter dial in over PPP to a LAC on the Shared Dial Network; an L2TP Tunnel carries the PPP session to the LNS in the Private Network, which consults RADIUS.)

- L2TP Access Concentrator (LAC) tunnels PPP frames in IP
- L2TP Network Server (LNS) de-tunnels PPP, authenticates via RADIUS and performs address assignment