The Higher Institute of Industry - Misurata 1st International Workshop on MOBILE and Wireless...

The Higher Institute of Industry - Misurata 1st International Workshop on MOBILE and Wireless SECURITY (WMS’08) 16-19 / 9/ 2008 Cardiff - Wales Performance Evaluation for Remote Access VPNs on Windows Server 2003 By: Ahmed A. Jaha Fathi Ben Shatwan Majdi Ashibani

The Higher Institute of Industry - Misurata

1st International Workshop on MOBILE and Wireless SECURITY (WMS’08)

16-19 / 9/ 2008 Cardiff - Wales

Performance Evaluation for Remote Access VPNs on Windows Server 2003

By: Ahmed A. Jaha, Fathi Ben Shatwan, Majdi Ashibani

The Higher Institute of Industry - Misurata WMS’08 16-19 / 9/ 2008 Cardiff - Wales

Outlines

• Paper Objectives
• VPN Overview
• Experimental Testbeds
• Experimental Results
• Conclusions and Future Work

Paper Objectives

• Overview of VPN
• Survey popular remote access VPN solutions that are widely available
• Performance evaluation of these solutions on wired and wireless Windows Server 2003 platform experimentally.
• Identify issues that have future research potential

VPN Overview

What is VPN?

[Diagram: Acme Corp Site 1 and Site 2, each with a VPN endpoint, joined by a tunnel across the Internet]

VPN can be defined as a way to provide secure communication between members of a group through use of the public telecommunication infrastructure (usually the Internet), maintaining privacy through the use of a tunneling protocol and security procedures. VPN systems provide users with the illusion of a completely private network.

Tunneling

• Method of using an internetwork infrastructure to transfer data from one network over another network (encapsulation, transmission, and decapsulation of packets)

Security of VPN

• Authentication
  – Authentication ensures that the data is coming from the source from which it claims to come.

• Access Control
  – Access control concept relates to the accepting or rejecting of a particular requester to have access to some service or data in any given system. It is therefore necessary to define a set of access rights, privileges, and authorizations, and assign these to appropriate people within the domain of the system under analysis.

• Confidentiality
  – Confidentiality ensures the privacy of information by restricting unauthorized users from reading data carried on the public network.

• Data Integrity
  – Data integrity verifies that data has not been altered during its travel over the public network.

Benefits of VPN

• Cost
  – VPN eliminates the fixed monthly charge of dedicated leased lines.

• Scalability
  – As the enterprise grows, full-mesh connectivity might be required between the different offices. This means that the number of leased lines, and the total cost associated with deploying them, increases exponentially.
  – A VPN that utilizes the Internet avoids this problem by simply using the infrastructure already available.

• Security
  – Security is not impaired when using VPN since transmitted data is either encrypted or, if sent unencrypted, forwarded through trusted networks.

• Productivity
  – In addition to cost savings, VPN increases profits by improving productivity.
  – The improved productivity results from the ability to access resources from anywhere at any time.

Architecture of VPN

• Remote Access VPN
  – User-to-LAN connection used by enterprises that have employees who need to connect to their private network from various remote locations (e.g. homes, hotel rooms, airports).

[Diagram: remote user connected to the enterprise main site across the Internet]

• Intranet Site-to-Site VPN
  – LAN-to-LAN connection used to connect an enterprise’s offices over the Internet.

[Diagram: enterprise main site and enterprise branch site connected across the Internet]

• Extranet Site-to-Site VPN
  – LAN-to-LAN connection that provides business partners, suppliers, and customers access to certain data.

[Diagram: enterprise main site connected to a partner site and a supplier site across the Internet]

Remote Access VPN Protocols (L2)

• Point to Point Tunneling Protocol (PPTP)
  – Developed by Microsoft and others (RFC 2637).
  – Extension of Point to Point Protocol (PPP).
  – Clients are included in all versions of Windows since Windows 95.
  – Servers are included in all Windows Server products since Windows NT.
  – Clients and servers are supported in Linux.

• Layer Two Tunneling Protocol (L2TP)
  – Developed by IETF (RFC 2661).
  – Combines best features of L2F and PPTP.
  – Commonly used with IPSec -> L2TP/IPSec.
  – Clients are included in Windows XP, 2000, and 2003.
  – Servers are included in Windows Server 2000 and 2003.
  – Clients and servers are supported in Linux.

Remote Access VPN Protocols (L3)

• Internet Protocol Security (IPSec)
  – Framework developed by IETF (RFCs 2401-2411 and 2451).
  – IPSec is supported in Windows XP, 2000, 2003 and Vista, and in Linux 2.6 and later.
  – Many vendors supply IPSec VPN servers and clients.

Remote Access VPN Protocols (L5)

• Secure Socket Layer (SSL)
  – Higher layer security protocol developed by Netscape.
  – Used with HTTP to enable secure Web browsing (HTTPS).
    • Supported by most browsers and servers.
  – SSL can also be used to create a VPN tunnel (OpenVPN).
    • Open-source VPN package for Linux and Windows.

Experimental Testbeds

Performance Metrics

• Throughput
  – The rate at which bulk data transfers can be transmitted from one host to another over a sufficiently long period of time.

• Round Trip Time (RTT)
  – The amount of time it takes one packet to travel from one host to another and back to the originating host.

• Packet delay variation (Jitter)
  – The variation of packet delay where delays actually impact the quality of service.

• Packet loss
  – The portion of packets transmitted but not received at the destination compared to the total number of packets transmitted.

Wired Testbed Setup

Desktop PC equipped with double 2600 MHz processor, 512 Mbytes of RAM, and VIA Rhine II Compatible Fast Ethernet Adapter built-in NIC, loaded with Windows Server 2003 and configured to act as a domain controller server.

Desktop PC equipped with double Genuine Intel 3000 MHz processor, 512 Mbytes of RAM, Broadcom Extreme Gigabit Ethernet built-in NIC, and VIA VT6105 Rhine III Compatible Fast Ethernet NIC, loaded with Windows Server 2003, and configured to act as PPTP, L2TP/IPSec, and SSL VPN servers.

Laptop PC equipped with Genuine Intel 1866 MHz processor, 512 Mbytes of RAM, Broadcom 440x 10/100 Integrated controller built-in NIC, loaded with Windows XP SP2 and configured to act as PPTP, L2TP/IPSec, and SSL VPN clients.

D-Link 10/100 Fast Ethernet Switch.

Wireless Testbed Setup

LINKSYS Wireless-G AP with SES, model WAP54G.

Performance Measurement Tools (Iperf)

[Diagram: Iperf client and Iperf server, each reporting Throughput/Jitter/Losses]

Performance Measurement Tools (Hrping)

[Diagram: Hrping measuring Round Trip Time (RTT)]
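The four metrics above can be computed from per-packet records and then expressed relative to a no-VPN baseline, which is how the results slides report them ("in % of no VPN", "in multiple of no VPN"). This is an added example, not code from the presentation or from Iperf/Hrping: the packet records, RTT samples and function names are constructed, and the jitter estimator is assumed to be the RFC 3550 smoothed interarrival jitter, since the slides do not say how jitter was computed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Packet:
    seq: int         # sender-assigned sequence number
    sent: float      # send timestamp (s)
    received: float  # receive timestamp (s)
    size: int        # UDP payload bytes


def make_run(count, interval, delays, drop_every=0, size=1470):
    """Constructed sample data: packet i is sent at i*interval, delayed by
    delays[i % len(delays)], and every drop_every-th packet is lost."""
    run = []
    for i in range(count):
        if drop_every and (i + 1) % drop_every == 0:
            continue
        sent = i * interval
        run.append(Packet(i, sent, sent + delays[i % len(delays)], size))
    return run


def udp_metrics(received, sent_count):
    """Throughput (bit/s), smoothed jitter (s) and loss ratio for one run."""
    pkts = sorted(received, key=lambda p: p.received)
    if len(pkts) < 2:
        raise ValueError("need at least two received packets")
    span = pkts[-1].received - pkts[0].received
    if span <= 0:
        raise ValueError("receive timestamps do not advance")
    # Bytes that arrived after the first packet, over the receive interval.
    throughput = 8 * sum(p.size for p in pkts[1:]) / span
    jitter = 0.0
    for prev, cur in zip(pkts, pkts[1:]):
        # Assumed estimator (RFC 3550): change in transit time between
        # consecutive arrivals, smoothed with gain 1/16.
        d = abs((cur.received - cur.sent) - (prev.received - prev.sent))
        jitter += (d - jitter) / 16
    loss = (sent_count - len({p.seq for p in pkts})) / sent_count
    return {"throughput": throughput, "jitter": jitter, "loss": loss}


def _multiple(value, base):
    # "x times no VPN" is undefined when the baseline measured zero.
    return None if base == 0 else value / base


def relative_to_baseline(vpn, base, vpn_rtts, base_rtts):
    """Normalise a VPN run against the no-VPN run of the same testbed."""
    return {
        "udp_throughput_pct": 100 * vpn["throughput"] / base["throughput"],
        "rtt_multiple": _multiple(mean(vpn_rtts), mean(base_rtts)),
        "jitter_multiple": _multiple(vpn["jitter"], base["jitter"]),
        "loss_multiple": _multiple(vpn["loss"], base["loss"]),
    }


if __name__ == "__main__":
    # Constructed runs: the "VPN" run is slower, more variable and lossier.
    base = udp_metrics(make_run(100, 0.001, [0.0, 0.0002], drop_every=50), 100)
    vpn = udp_metrics(make_run(100, 0.002, [0.0, 0.001], drop_every=10), 100)
    report = relative_to_baseline(vpn, base, [0.9e-3, 1.1e-3], [0.4e-3, 0.6e-3])
    for name, value in report.items():
        print(name, "n/a" if value is None else round(value, 2))
```

A baseline run with zero loss or zero jitter makes the corresponding "multiple of no VPN" figure undefined, which is why those ratios return `None` instead of dividing.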

Experimental Results

[Chart slides, titles only: TCP throughput (two slides), Round Trip Time (RTT), UDP Throughput, Jitter, Packet Loss]

Wired Testbeds Results

[Charts: one panel per metric, each with bars for Wired OpenVPN, Wired L2TP/IPSec and Wired PPTP. Bar values are listed in the order they appear in the slide text.]

• TCP throughput in % of no VPN: 52.59 %, 55.23 %, 82.37 %
• Round Trip Time (RTT) in multiple of no VPN: 2.86, 2.52, 1.98
• UDP throughput in % of no VPN: 6.65 %
• Jitter in multiple of no VPN: 377.18
• Packet loss in multiple of no VPN: 24.55
• Remaining bar values, not attached to a panel in the slide text: 68.12 %, 3.49, 2.53, 51.04 %, 4.34, 5.27

Due to the smallest overhead packets introduced by PPTP, PPTP on both Windows Server 2003 and Fedora Core 6 has produced the best performance values for both TCP and UDP-based user applications.

In order to have strong security, L2TP/IPSec combines L2TP's tunnel with IPSec's secure channel, which increases the overhead packets. So, L2TP/IPSec on both Windows Server 2003 and Fedora Core 6 has produced good performance values for both TCP and UDP-based user applications.

Because OpenVPN was written as a user space daemon rather than a kernel module, OpenVPN on both Windows Server 2003 and Fedora Core 6 has produced lower performance values in high traffic environments.

Wireless Testbeds Results

[Charts: one panel per metric, each with bars labelled Wired OpenVPN, Wired L2TP/IPSec and Wired PPTP. Bar values are listed in the order they appear in the slide text.]

• TCP throughput in % of no VPN: 53.85 %, 68.38 %, 83.33 %
• Round Trip Time (RTT) in multiple of no VPN: 1.60, 1.50, 1.33
• UDP throughput in % of no VPN: 8.44 %
• Jitter in multiple of no VPN: 44.76
• Packet loss in multiple of no VPN: 5.02
• Remaining bar values, not attached to a panel in the slide text: 65.68 %, 1.43, 1.64, 59.98 %, 2.20, 1.51

Conclusions and Future Work

Conclusions

• Testbeds have been built to evaluate the performance of remote access VPN solutions (PPTP, L2TP/IPSec, and OpenVPN) on wired and wireless Windows Server 2003 platform.
• Performance metrics (Throughput, RTT, Jitter, and packet loss) have been measured in both TCP and UDP mode. These metrics are used in our experiments as they have a direct impact on the ultimate performance perceived by end user applications.
• The wireless testbed performance values indicate that the deployment of VPNs on a wireless network infrastructure could be considered as an acceptable choice to secure transmission between wireless clients and their enterprise network.

Future Work

• The performance of software-based VPN solutions on platforms other than Windows Server 2003 (such as Linux, BSD, Mac, and Solaris) can be evaluated to select the best platform that will be used to implement the software-based VPN solutions.

• The performance evaluation of hardware-based VPN solutions using different hardware VPN products (such as 3Com, ADTRAN, Cisco, and Juniper) should be investigated as well.

• OpenVPN needs to be manipulated to improve its performance in high traffic environments.

Thank you for your attention