The Higher Institute of Industry - Misurata
1st International Workshop on MOBILE and Wireless SECURITY (WMS’08)
16-19 / 9 / 2008, Cardiff - Wales

Performance Evaluation for Remote Access VPNs on Windows Server 2003
By: Ahmed A. Jaha, Fathi Ben Shatwan, Majdi Ashibani
The Higher Institute of Industry - Misurata WMS’08 16-19 / 9/ 2008 Cardiff - Wales

Outlines
• Paper Objectives
• VPN Overview
• Experimental Testbeds
• Experimental Results
• Conclusions and Future Work
Paper Objectives
• Overview of VPN
• Survey popular remote access VPN solutions that are widely available
• Experimental performance evaluation of these solutions on wired and wireless Windows Server 2003 platforms
• Identify issues that have future research potential
VPN Overview
What is VPN?
[Figure: Acme Corp Site 1 and Site 2, each behind a VPN gateway, joined by a tunnel across the Internet]
VPN can be defined as a way to provide secure communication between members of a group through use of the public telecommunication infrastructure (usually the Internet), maintaining privacy through the use of a tunneling protocol and security procedures. VPN systems provide users with the illusion of a completely private network.
Tunneling
• Method of using an internetwork infrastructure to transfer data from one network over another network (encapsulation, transmission, and decapsulation of packets)
Security of VPN
• Authentication
– Authentication ensures that the data is coming from the source from which it claims to come.
• Access Control
– Access control relates to accepting or rejecting a particular requester's access to some service or data in a given system. It is therefore necessary to define a set of access rights, privileges, and authorizations, and assign these to the appropriate people within the domain of the system under analysis.
• Confidentiality
– Confidentiality ensures the privacy of information by preventing unauthorized users from reading data carried on the public network.
• Data Integrity
– Data integrity verifies that data has not been altered during its travel over the public network.
Benefits of VPN
• Cost
– VPN eliminates the fixed monthly charge of dedicated leased lines.
• Scalability
– As the enterprise grows, full-mesh connectivity might be required between the different offices. This means that the number of leased lines, and the total cost associated with deploying them, increases exponentially.
– A VPN that utilizes the Internet avoids this problem by simply using the infrastructure already available.
• Security
– Security is not impaired when using VPN, since transmitted data is either encrypted or, if sent unencrypted, forwarded through trusted networks.
• Productivity
– In addition to cost savings, VPN increases profits by improving productivity.
– The improved productivity results from the ability to access resources from anywhere at any time.
Architecture of VPN
• Remote Access VPN
– User-to-LAN connection used by enterprises that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports).
[Figure: remote user connected over the Internet to the enterprise main site]
• Intranet Site-to-Site VPN
– LAN-to-LAN connection used to connect an enterprise's offices over the Internet.
[Figure: enterprise main site and enterprise branch site connected over the Internet]
• Extranet Site-to-Site VPN
– LAN-to-LAN connection that provides business partners, suppliers, and customers access to certain data.
[Figure: enterprise main site connected over the Internet to a partner site and a supplier site]
Remote Access VPN Protocols
• Point to Point Tunneling Protocol (PPTP) (Layer 2)
– Developed by Microsoft and others (RFC 2637).
– Extension of Point to Point Protocol (PPP).
– Clients are included in all versions of Windows since Windows 95.
– Servers are included in all Windows server products since Windows NT.
– Clients and servers are supported in Linux.
• Layer Two Tunneling Protocol (L2TP) (Layer 2)
– Developed by IETF (RFC 2661).
– Combines the best features of L2F and PPTP.
– Commonly used with IPSec -> L2TP/IPSec.
– Clients are included in Windows XP, 2000, and 2003.
– Servers are included in Windows Server 2000 and 2003.
– Clients and servers are supported in Linux.
• Internet Protocol Security (IPSec) (Layer 3)
– Framework developed by IETF (RFCs 2401-2411 and 2451).
– IPSec is supported in Windows XP, 2000, 2003 and Vista, and in Linux 2.6 and later.
– Many vendors supply IPSec VPN servers and clients.
• Secure Sockets Layer (SSL) (Layer 5)
– Higher-layer security protocol developed by Netscape.
– Used with HTTP to enable secure Web browsing (HTTPS).
• Supported by most browsers and servers.
– SSL can also be used to create a VPN tunnel (OpenVPN).
• Open-source VPN package for Linux and Windows.
Experimental Testbeds
Performance Metrics
• Throughput
– The rate at which bulk data transfers can be transmitted from one host to another over a sufficiently long period of time.
• Round Trip Time (RTT)
– The amount of time it takes one packet to travel from one host to another and back to the originating host.
• Packet delay variation (Jitter)
– The variation of packet delay; this variation directly affects the quality of service.
• Packet loss
– The portion of packets transmitted but not received at the destination, compared to the total number of packets transmitted.
Wired Testbed Setup
• Domain controller: desktop PC equipped with a dual 2600 MHz processor, 512 Mbytes of RAM, and a VIA Rhine II Compatible Fast Ethernet Adapter built-in NIC, loaded with Windows Server 2003 and configured to act as a domain controller server.
• VPN server: desktop PC equipped with a dual Genuine Intel 3000 MHz processor, 512 Mbytes of RAM, a Broadcom Extreme Gigabit Ethernet built-in NIC, and a VIA VT6105 Rhine III Compatible Fast Ethernet NIC, loaded with Windows Server 2003 and configured to act as PPTP, L2TP/IPSec, and SSL VPN servers.
• VPN client: laptop PC equipped with a Genuine Intel 1866 MHz processor, 512 Mbytes of RAM, and a Broadcom 440x 10/100 Integrated Controller built-in NIC, loaded with Windows XP SP2 and configured to act as PPTP, L2TP/IPSec, and SSL VPN clients.
• Switch: D-Link 10/100 Fast Ethernet switch.
Wireless Testbed Setup
• Access point: LINKSYS Wireless-G AP with SES, model WAP54G.
Performance Measurement Tools
• Iperf (Iperf client and Iperf server): Throughput / Jitter / Losses
• Hrping: Round Trip Time (RTT)
Experimental Results
[Charts, not reproduced in the transcript: TCP throughput, Round Trip Time (RTT), UDP throughput, Jitter, Packet Loss]
Wired Testbeds Results (each value is relative to the same test run without a VPN)

Metric                                  OpenVPN    L2TP/IPSec   PPTP
TCP throughput (% of no VPN)            52.59 %    55.23 %      82.37 %
Round Trip Time (multiple of no VPN)    2.86       2.52         1.98
UDP throughput (% of no VPN)            6.65 %     see note     see note
Jitter (multiple of no VPN)             377.18     see note     see note
Packet loss (multiple of no VPN)        24.55      see note     see note

Note: the remaining chart labels survive in the transcript only as unassigned values. The two remaining UDP throughput values are 68.12 % and 51.04 %, and the four remaining jitter and packet-loss multiples are 3.49, 2.53, 4.34 and 5.27; the transcript does not say which belongs to L2TP/IPSec and which to PPTP.
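As an added, runnable illustration of the four metrics defined under Performance Metrics, of what the Iperf and Hrping tools report, and of the normalisation used in the results tables (this is example code written for this page, not the authors' measurement scripts): it computes throughput, RFC 3550 inter-arrival jitter (the estimator Iperf reports) and packet loss from a receiver-side packet log, summarises RTT probes the way Hrping does (min/avg/max), and then expresses a VPN run as a percentage or multiple of the no-VPN run. The `Rx` record, the `make_run` helper and every timestamp, RTT value and loss pattern below are constructed for the example, not measured.

```python
"""Added example (not from the WMS'08 slides): compute the deck's four
performance metrics from per-packet receiver records and per-probe RTT
samples, then express a VPN run relative to the no-VPN run the way the
results slides do.  All sample data below is constructed, not measured."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Sequence


@dataclass(frozen=True)
class Rx:
    """One UDP datagram as logged at the receiver (iperf-style fields).
    Timestamps are integer microseconds to keep the arithmetic exact."""
    seq: int
    sent_us: int
    recv_us: int
    size_bytes: int


def throughput_mbps(rx: Sequence[Rx], duration_us: int) -> float:
    """Bulk rate over the whole run: bits delivered / run length.
    Bits per microsecond equals Mbit/s, so no unit scaling is needed."""
    return sum(p.size_bytes for p in rx) * 8 / duration_us


def rfc3550_jitter_us(rx: Sequence[Rx]) -> float:
    """Smoothed inter-arrival jitter as defined in RFC 3550 section 6.4.1 (the
    estimator iperf reports): D is the change in one-way transit time between
    consecutively *received* packets; J is a 1/16 exponential average of |D|."""
    j = 0.0
    for prev, cur in zip(rx, rx[1:]):
        d = (cur.recv_us - prev.recv_us) - (cur.sent_us - prev.sent_us)
        j += (abs(d) - j) / 16
    return j


def packet_loss_fraction(rx: Sequence[Rx]) -> float:
    """Packets sent but not received, over packets sent.  The sent count is
    inferred from the highest sequence number seen (numbering starts at 0),
    as iperf does; a lost *final* packet therefore goes undetected."""
    expected = max(p.seq for p in rx) + 1
    return (expected - len(rx)) / expected


def rtt_stats_ms(samples: Sequence[float]) -> Dict[str, float]:
    """hrping-style summary of echo round trips: min / average / max."""
    return {"min": min(samples), "avg": mean(samples), "max": max(samples)}


def relative_to_no_vpn(base: Dict[str, float], vpn: Dict[str, float]) -> Dict[str, float]:
    """Normalise as the results slides do: throughput as % of the no-VPN run;
    RTT, jitter and loss as a multiple of the no-VPN run (higher is worse)."""
    return {
        "throughput_pct": 100 * vpn["throughput_mbps"] / base["throughput_mbps"],
        "rtt_multiple": vpn["rtt_avg_ms"] / base["rtt_avg_ms"],
        "jitter_multiple": vpn["jitter_us"] / base["jitter_us"],
        "loss_multiple": vpn["loss"] / base["loss"],
    }


def make_run(received_seqs, one_way_us, extra_delay):
    """Constructed receiver log: the sender emits one 1000-byte datagram every
    1000 us; one_way_us is the base transit time and extra_delay maps
    seq -> additional delay suffered by that packet."""
    return [Rx(s, s * 1000, s * 1000 + one_way_us + extra_delay.get(s, 0), 1000)
            for s in received_seqs]


def summarise(rx, rtt_ms, duration_us=10_000):
    """Collect the four metrics for one run into a single dict."""
    return {
        "throughput_mbps": throughput_mbps(rx, duration_us),
        "rtt_avg_ms": rtt_stats_ms(rtt_ms)["avg"],
        "jitter_us": rfc3550_jitter_us(rx),
        "loss": packet_loss_fraction(rx),
    }


# Constructed data.  No-VPN run: seq 8 lost, seq 5 arrives 100 us late.
NO_VPN = summarise(make_run([0, 1, 2, 3, 4, 5, 6, 7, 9], 200, {5: 100}),
                   [0.40, 0.42, 0.38])
# VPN run: seq 3 and 7 lost, longer transit time, seq 4 arrives 200 us late.
VPN = summarise(make_run([0, 1, 2, 4, 5, 6, 8, 9], 600, {4: 200}),
                [0.80, 0.78, 0.82])
RELATIVE = relative_to_no_vpn(NO_VPN, VPN)

if __name__ == "__main__":
    for name, run in ("no VPN", NO_VPN), ("VPN", VPN):
        print(name, {k: round(v, 4) for k, v in run.items()})
    print("VPN relative to no VPN", {k: round(v, 2) for k, v in RELATIVE.items()})
```

Two practical points the sample data is built to expose: the "multiple of no VPN" ratios used on the results slides are undefined when the baseline run showed zero loss or zero jitter, so the constructed no-VPN run deliberately loses one packet; and because loss is inferred from the highest sequence number received, a burst of loss at the very end of a run is invisible to this estimator, which is a reason to run each test long enough and repeat it.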
Due to the smallest packet overhead introduced by PPTP, PPTP on both Windows Server 2003 and Fedora Core 6 has produced the best performance values for both TCP- and UDP-based user applications.
In order to provide strong security, L2TP/IPSec combines L2TP's tunnel with IPSec's secure channel, which increases the packet overhead. So L2TP/IPSec on both Windows Server 2003 and Fedora Core 6 has produced good performance values for both TCP- and UDP-based user applications.
Because OpenVPN was written as a user-space daemon rather than a kernel module, OpenVPN on both Windows Server 2003 and Fedora Core 6 has produced lower performance values in high-traffic environments.
Wireless Testbeds Results (each value is relative to the same test run without a VPN)

Metric                                  OpenVPN    L2TP/IPSec   PPTP
TCP throughput (% of no VPN)            53.85 %    68.38 %      83.33 %
Round Trip Time (multiple of no VPN)    1.60       1.50         1.33
UDP throughput (% of no VPN)            8.44 %     see note     see note
Jitter (multiple of no VPN)             44.76      see note     see note
Packet loss (multiple of no VPN)        5.02       see note     see note

Note: the remaining chart labels survive in the transcript only as unassigned values. The two remaining UDP throughput values are 65.68 % and 59.98 %, and the four remaining jitter and packet-loss multiples are 1.43, 1.64, 2.20 and 1.51; the transcript does not say which belongs to L2TP/IPSec and which to PPTP. (The bar labels on this slide read "Wired ..." although the slide is titled Wireless Testbeds Results.)
Conclusions and Future Work

Conclusions
• Testbeds have been built to evaluate the performance of remote access VPN solutions (PPTP, L2TP/IPSec, and OpenVPN) on wired and wireless Windows Server 2003 platforms.
• Performance metrics (throughput, RTT, jitter, and packet loss) have been measured in both TCP and UDP mode. These metrics are used in our experiments as they have a direct impact on the ultimate performance perceived by end-user applications.
• The wireless testbed performance values indicate that the deployment of VPNs on a wireless network infrastructure could be considered an acceptable choice to secure transmission between wireless clients and their enterprise network.
Future Work
• The performance of software-based VPN solutions on platforms other than Windows Server 2003 (such as Linux, BSD, Mac, and Solaris) can be evaluated to select the best platform on which to implement software-based VPN solutions.
• The performance evaluation of hardware-based VPN solutions using different hardware VPN products (such as 3Com, ADTRAN, Cisco, and Juniper) should be investigated as well.
• OpenVPN needs to be tuned to improve its performance in high-traffic environments.

Thank you for your attention