Virtual Private Network

Virtual Private Virtual Private Networking (VPN)Networking (VPN)

Roll No- 45-49Roll No- 45-49Group VIIGroup VII

IntroIntro To VPNTo VPN

bull Virtual Private NetworkVirtual Private Network as name suggests as name suggests safely and securely transfers information from safely and securely transfers information from one network to another systemone network to another system

bull Organizations which are connected by a single Organizations which are connected by a single logical network via Routers amp WAN logical network via Routers amp WAN technologiestechnologies

bull They are inter-connected to do PRIVATE data They are inter-connected to do PRIVATE data sharing sharing

bull Supports telecommuters branch offices amp off Supports telecommuters branch offices amp off site partners hence most vital part of site partners hence most vital part of corporate IT worldcorporate IT world

Need Of VPNNeed Of VPN

bull In this world internet is the most essential thing In this world internet is the most essential thing to do communication amp data transfersto do communication amp data transfers

bull But for some organizations which are spreading But for some organizations which are spreading over the world need one thing a way to over the world need one thing a way to maintain fast reliable amp secured maintain fast reliable amp secured communicationcommunication

bull WAN has fast speed High performance but less WAN has fast speed High performance but less security reliability amp too expensivesecurity reliability amp too expensive

bull For that For that Virtual Private NetworkVirtual Private Network is the best is the best possible solutionpossible solution

In short a VPN is a private network that In short a VPN is a private network that uses a public network (usually the Internet) uses a public network (usually the Internet) to connect remote sites or users together to connect remote sites or users together Instead of using a dedicated real-world Instead of using a dedicated real-world connection such as leased line a VPN uses connection such as leased line a VPN uses virtual connections routed through the virtual connections routed through the Internet from the companys private Internet from the companys private network to the remote site or employeenetwork to the remote site or employee

Features OFFeatures OF VPNVPN

bull Security Security bull Reliability Reliability bull Scalability Scalability bull Network management Network management

bull Policy managementPolicy management

Connections in VPNConnections in VPN

bull Remote Access-Remote Access-

Better known as Better known as Virtual Private Dial-up NetworkVirtual Private Dial-up Network (VPDN) (VPDN) This is Remote user-to-LAN connectionThis is Remote user-to-LAN connection Mostly Organizations outsource ESP (Enterprise Service Mostly Organizations outsource ESP (Enterprise Service

Provider) which sets Network Access Server (NAS) amp provides Provider) which sets Network Access Server (NAS) amp provides the remote users with desktop client software for their the remote users with desktop client software for their computers The telecommuters can then dial a toll-free computers The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to number to reach the NAS and use their VPN client software to access the corporate network (eg Call Center)access the corporate network (eg Call Center)

Remote-access VPNs permit secure encryptedRemote-access VPNs permit secure encrypted connections connections between a companys private network and remote users between a companys private network and remote users through a third-party service provider through a third-party service provider

Intranet BasedIntranet Based

Single Private Single Private network between network between Companyrsquos remote Companyrsquos remote locationslocations

Connection can be Connection can be LAN - LAN LAN - LAN

Extranet BasedExtranet Based

Network between two Network between two companies (ie Partner companies (ie Partner Customer etc) so that Customer etc) so that working is in shared working is in shared environmentenvironment

Connection can be LAN Connection can be LAN - LAN- LAN

bull Site to Site- Connection bw multiple site via Internet

It is divided in two parts

Requirements of VPNRequirements of VPN

bull User Authentication-User Authentication- VPN accessed VPN accessed should be restricted to authorized users onlyshould be restricted to authorized users only

bull Address Management-Address Management- Ensuring that the Ensuring that the

private address are kept privateprivate address are kept private

bull Data encryption- Data encryption- Data carried must be Data carried must be unreadable to unauthorized usersunreadable to unauthorized users

bull Multi protocol SupportMulti protocol Support The solution The solution must be able to handle common protocols must be able to handle common protocols used in the public network These include used in the public network These include Internet Protocol (IP) internet packet Internet Protocol (IP) internet packet exchange (IPX) and so onexchange (IPX) and so on

How does VPN workHow does VPN workbull A VPN works by using shared public infrastructure A VPN works by using shared public infrastructure

while maintaining privacy through security while maintaining privacy through security procedures and tunneling protocolsprocedures and tunneling protocols

bull In effect by encoding data at the sending end and In effect by encoding data at the sending end and

decoding it at the receiving end the protocols decoding it at the receiving end the protocols send the data through a tunnel that cannot be send the data through a tunnel that cannot be entered by data that is not properly encryptedentered by data that is not properly encrypted

bull An additional level of security involves encoding An additional level of security involves encoding not only the data but also the originating and not only the data but also the originating and receiving network addressesreceiving network addresses

TunnelingTunneling bull TunnelingTunneling is the process of placing an entire is the process of placing an entire

packet within another packet and sending it over packet within another packet and sending it over a network its noting but point-point topologya network its noting but point-point topology

bull At At Tunnel interfacesTunnel interfaces the packet enters and the packet enters and exits the networkexits the network

bull It Requires three protocols- It Requires three protocols- 1 Carrier protocol 1 Carrier protocol 2 Encapsulating protocol 2 Encapsulating protocol 3 Passenger protocol 3 Passenger protocol

bull Carrier protocolCarrier protocol - The protocol used by - The protocol used by the network that the information is the network that the information is traveling over traveling over

bull Encapsulating protocolEncapsulating protocol - The protocol - The protocol that is wrapped around the original data that is wrapped around the original data

bull Passenger protocolPassenger protocol - The original data - The original data being carried being carried

Tunneling Remote AccessTunneling Remote Access

The truck is the carrier protocol the box is the encapsulating protocol and the computer is the passenger protocol

bull Tunneling Site- SiteTunneling Site- Site GRE (generic routing encapsulation) GRE (generic routing encapsulation)

Normally encapsulating protocol that provides the Normally encapsulating protocol that provides the framework for how to package the passenger protocol for framework for how to package the passenger protocol for transport over the carrier protocol IP based information transport over the carrier protocol IP based information on what type of packet you are encapsulating and on what type of packet you are encapsulating and information about the connection between the client and information about the connection between the client and server server

IPSec (IP Security)IPSec (IP Security)

Sometimes instead of GRE IPSec is used It is the Sometimes instead of GRE IPSec is used It is the encapsulating protocol IPSec works well on both remote-encapsulating protocol IPSec works well on both remote-access and site-to-site VPN access and site-to-site VPN

Tunneling Site- SiteTunneling Site- Site

bull Tunneling Remote AccessTunneling Remote Access

Tunneling normally takes place using PPP (carrier for Tunneling normally takes place using PPP (carrier for other IP protocols when communicating over the other IP protocols when communicating over the network between the host and a remote system)network between the host and a remote system)

L2FL2F (Layer 2 Forwarding) L2F will use any (Layer 2 Forwarding) L2F will use any

authentication scheme supported by PPP authentication scheme supported by PPP PPTP PPTP (Point-to-Point Tunneling Protocol) supports 40-(Point-to-Point Tunneling Protocol) supports 40-

bit and 128-bit encoding and will use any bit and 128-bit encoding and will use any authentication scheme supported authentication scheme supported

L2TPL2TP (Layer 2 Tunneling Protocol) Combining features (Layer 2 Tunneling Protocol) Combining features of both PPTP and L2F L2TP also fully supports IPSec of both PPTP and L2F L2TP also fully supports IPSec

Types Of VPN ServicesTypes Of VPN Services

bull L1 Services L1 Services 1 VPWS1 VPWS

bull L2 ServicesL2 Services 1 VPLS1 VPLS

2 Pseudo Wire (PW) 2 Pseudo Wire (PW)

3 IPLS3 IPLS

bull L3 ServicesL3 Services 1 BGPMPLS VPN1 BGPMPLS VPN

2 Virtual Router VPN2 Virtual Router VPN

bull Layer 1 ServiceLayer 1 Service VPWSVPWS The provider does not offer a full routed The provider does not offer a full routed

or bridged network but components from which or bridged network but components from which the customer can build customer-administered the customer can build customer-administered networks VPWS are point-to-point They can be networks VPWS are point-to-point They can be Layer 1 emulated circuits with no data link Layer 1 emulated circuits with no data link structurestructure

bull Layer 2 ServicesLayer 2 Services

PW (Pseudo Wiring) PW (Pseudo Wiring) PW is similar to VPWS but it PW is similar to VPWS but it can provide different L2 protocols at both ends can provide different L2 protocols at both ends

Virtual Private LAN Services (VPLS) Virtual Private LAN Services (VPLS) Allow Allow multiple tagged LANs to share common Data multiple tagged LANs to share common Data Not useful for customer-owned facilities Not useful for customer-owned facilities emulates the full functionality of a traditional emulates the full functionality of a traditional LAN The remote LAN segments behave as one LAN The remote LAN segments behave as one single LANsingle LAN

bull L3 ServicesL3 Services BGPMPLS VPN BGPMPLS VPN PE disambiguates duplicate PE disambiguates duplicate

addresses in a single routing instance Extensions addresses in a single routing instance Extensions are used to advertise routes which are of the are used to advertise routes which are of the form of 12-byte strings beginning with an 8-byte form of 12-byte strings beginning with an 8-byte and ending with a 4-byte IPv4 address and ending with a 4-byte IPv4 address

Virtual LAN Virtual LAN The PE contains a virtual router The PE contains a virtual router instance per VPN Opposed to BGPMPLS instance per VPN Opposed to BGPMPLS techniques as multiple virtual routers belong to techniques as multiple virtual routers belong to one and only one VPNone and only one VPN

VPN SecurityVPN Security

bull A well-designed VPN uses several A well-designed VPN uses several methods for keeping the connection and methods for keeping the connection and data securedata secure

1 Firewalls 1 Firewalls

2 Encryption 2 Encryption

3 IPSec 3 IPSec

4 AAA servers4 AAA servers

11 FirewallsFirewalls

A firewall provides a strong barrier between the A firewall provides a strong barrier between the private network and the Internet We can set private network and the Internet We can set firewalls to restrict the number of open ports firewalls to restrict the number of open ports what type of packets is passed through and what type of packets is passed through and which protocols are allowed through which protocols are allowed through

2Encryption2Encryption

Encryption is the process of taking all the data that one Encryption is the process of taking all the data that one

computer is sending to another and encoding it into a computer is sending to another and encoding it into a form that only the other computer will be able to form that only the other computer will be able to decode Most computer encryption systems belong in decode Most computer encryption systems belong in one of two categories one of two categories

ndash 1048707 1048707 Symmetric-key encryption Symmetric-key encryption ndash 1048707 1048707 Public-key encryption Public-key encryption

bull In symmetric-key encryption each computer has a In symmetric-key encryption each computer has a secret key (code) that it can use to encrypt a packet of secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another information before it is sent over the network to another computer computer

bull Symmetric-key requires that you know which Symmetric-key requires that you know which computers will be talking to each other so you can computers will be talking to each other so you can install the key on each one install the key on each one

bull Symmetric-keySymmetric-key encryption is essentially the same encryption is essentially the same as a secret code that each of the two computers must as a secret code that each of the two computers must know in order to decode the information know in order to decode the information

bull The code provides the key to decoding the The code provides the key to decoding the messagemessage

bull The sending computer encrypts the document The sending computer encrypts the document with a symmetric key then encrypts the symmetric with a symmetric key then encrypts the symmetric key with the public key of the receiving computer key with the public key of the receiving computer

bull The receiving computer uses its private key to The receiving computer uses its private key to decode the symmetric key It then uses the symmetric decode the symmetric key It then uses the symmetric key to decode the document key to decode the document

bull Public-key encryption Public-key encryption uses a combination of a uses a combination of a private key and a public key private key and a public key

bull The private key is known only to your computer The private key is known only to your computer while the public key is given by your computer to any while the public key is given by your computer to any computer that wants to communicate securely with itcomputer that wants to communicate securely with it

bull To decode an encrypted message a computer To decode an encrypted message a computer must use the public key provided by the originating must use the public key provided by the originating computer and its own private keycomputer and its own private key

bull A very popular public-key encryption utility is A very popular public-key encryption utility is called called Pretty Good Privacy Pretty Good Privacy (PGP) which allows you to (PGP) which allows you to encrypt almost anything encrypt almost anything

3 Internet Protocol Security Protocol 3 Internet Protocol Security Protocol (IPSec)(IPSec)

bull IPSec provides enhanced security features such as IPSec provides enhanced security features such as better encryption algorithms and more comprehensive better encryption algorithms and more comprehensive authentication authentication

bull IPSec has two encryption modes IPSec has two encryption modes tunnel tunnel and and transporttransport

bull Tunnel encrypts the header and the payload of Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload each packet while transport only encrypts the payload Only systems that are IPSec compliant can take Only systems that are IPSec compliant can take advantage of this protocol Also all devices must use a advantage of this protocol Also all devices must use a common key and the firewalls of each network must common key and the firewalls of each network must have very similar security policies set up have very similar security policies set up

bull IPSec can encrypt data between various devices such IPSec can encrypt data between various devices such as as

bull 1048707 1048707 Router to router Router to router bull 1048707 1048707 Firewall to router Firewall to router bull 1048707 1048707 PC to router PC to router bull 1048707 1048707 PC to server PC to server

Benefits of VPNBenefits of VPN

A well-designed VPN can greatly benefit a A well-designed VPN can greatly benefit a company For example it cancompany For example it can bull bull Extend geographic connectivity Extend geographic connectivity bull bull Improve security Improve security bull bull Reduce operational costs versus traditional WAN Reduce operational costs versus traditional WAN bull bull Reduce transit time and transportation costs for Reduce transit time and transportation costs for

remote users remote users bull bull Improve productivity Improve productivity bull bull Simplify network topology Simplify network topology bull bull Provide global networking opportunities Provide global networking opportunities bull bull Provide telecommuter support Provide telecommuter support bull bull Provide broadband networking compatibility Provide broadband networking compatibility bull bull Provide faster ROI (return on investment) than Provide faster ROI (return on investment) than

traditional WAN traditional WAN

How VPN differ from How VPN differ from ordinary networks ordinary networks

bull Virtual Private Networks allow any valid Virtual Private Networks allow any valid remote user to become part of a corporate remote user to become part of a corporate central network using the same network central network using the same network scheme and addressing as users on this central scheme and addressing as users on this central network network

bull Each Corporate central network can also Each Corporate central network can also be responsible for validating their own users be responsible for validating their own users despite the fact that they are actually dialing despite the fact that they are actually dialing into a public network into a public network

bull The Internet Service Provider can The Internet Service Provider can give each of their customers a unique give each of their customers a unique dial-up telephone number which will dial-up telephone number which will distinguish their service from any distinguish their service from any other But this is depends on the other But this is depends on the software that will be used by the software that will be used by the remote user remote user

Other FeaturesOther Featuresbull Mobile VPNs are designed for mobile and wireless users Mobile VPNs are designed for mobile and wireless users

They integrate standards-based authentication and They integrate standards-based authentication and encryption technologies to secure data transmissions to encryption technologies to secure data transmissions to and from devices and to protect networks from and from devices and to protect networks from unauthorized users Designed for wireless environments unauthorized users Designed for wireless environments Mobile VPNs are designed as an access solution for users Mobile VPNs are designed as an access solution for users that are on the move and require secure access to that are on the move and require secure access to information and applications over a variety of wired and information and applications over a variety of wired and wireless networks Mobile VPNs allow users to roam wireless networks Mobile VPNs allow users to roam seamlessly across IP-based networks and in and out of seamlessly across IP-based networks and in and out of wireless coverage areas without losing application wireless coverage areas without losing application sessions or dropping the secure VPN session sessions or dropping the secure VPN session

VPN ChallengesVPN Challenges

bull Setting up the infrastructure Setting up the infrastructure before deploying VPNbefore deploying VPN

Many of the branch offices Many of the branch offices operated on dial-up connections which operated on dial-up connections which were slow and often unreliable were slow and often unreliable

So the first step was to get So the first step was to get 24x7 connectivity using DSL or similar 24x7 connectivity using DSL or similar technology technology

bull Paucity of IT staff at remote locationsPaucity of IT staff at remote locations Since many of the branch offices were Since many of the branch offices were

small andor recently set up there was no small andor recently set up there was no dedicated IT staff at remote locations dedicated IT staff at remote locations

The challenge was to build a The challenge was to build a solution that was literally plug-and-play -that solution that was literally plug-and-play -that could be easily setup deployed and could be easily setup deployed and managed with an option for remote managed with an option for remote manageability as well in case advanced manageability as well in case advanced troubleshooting was requiredtroubleshooting was required

bull Reliability of the ISP connection and Reliability of the ISP connection and support for dial-up backupsupport for dial-up backup

In many locations if the main ISP In many locations if the main ISP connection was down the connectivity to the connection was down the connectivity to the head office was maintained via dial-up head office was maintained via dial-up

It was a prerequisite that the VPN It was a prerequisite that the VPN solution work not just on the regular ISDN or solution work not just on the regular ISDN or DSL connection but also on the dial-up so DSL connection but also on the dial-up so that application uptime could be maintainedthat application uptime could be maintained

bull Response timeResponse time

Since this was a real-time application the end Since this was a real-time application the end users would have to get a reasonable response users would have to get a reasonable response time or else they might abandon the use of the time or else they might abandon the use of the application The response time depends on application The response time depends on several factors besides the VPN solution such several factors besides the VPN solution such as the coding in the software application the as the coding in the software application the quality of the ISP connection the volume of quality of the ISP connection the volume of data being transferred by the application and data being transferred by the application and the general level of congestion on the Internet the general level of congestion on the Internet pipe itself pipe itself

Keeping all these factors in mind and Keeping all these factors in mind and yet providing an interface which would not yet providing an interface which would not cause the user to lose patience with it was one cause the user to lose patience with it was one of the foremost issues that needed to be of the foremost issues that needed to be addressedaddressed

bull No provision for a separate firewall No provision for a separate firewall solutionsolution

Since the implementation of the VPN involved Since the implementation of the VPN involved opening up the IT infrastructure of the opening up the IT infrastructure of the branches to the Internet a firewall solution to branches to the Internet a firewall solution to protect the branch network was also required protect the branch network was also required But as there was no budgetary provision for But as there was no budgetary provision for a separate firewall the VPN appliance was a separate firewall the VPN appliance was required to provide firewall functionality as required to provide firewall functionality as wellwell

The firewall had to be simple to The firewall had to be simple to configure and manage that is meet all the configure and manage that is meet all the requirements of the VPN solutionrequirements of the VPN solution

User acceptanceUser acceptance A major challenge faced during the A major challenge faced during the

implementation of this IT and security project implementation of this IT and security project was to gain the acceptance of remote users was to gain the acceptance of remote users throughout the country to switch from a throughout the country to switch from a decentralized batch process-oriented manual decentralized batch process-oriented manual system to a centrally administered and system to a centrally administered and managed real-time systemmanaged real-time system

This was achieved by educating end This was achieved by educating end users about the use and benefits of VPN and users about the use and benefits of VPN and trainingtraining

Conclusion Conclusion

bull Thus VPN is an outgrowth of the Internet Thus VPN is an outgrowth of the Internet technology which will transform the daily technology which will transform the daily method of doing business faster than any method of doing business faster than any other technology A Virtual Private Network other technology A Virtual Private Network or VPN typically uses theor VPN typically uses the

bull Internet as the transport backbone to Internet as the transport backbone to establish secure links with business partners establish secure links with business partners extend communications to regional and extend communications to regional and isolated offices and significantly decrease the isolated offices and significantly decrease the cost of communications for an increasingly cost of communications for an increasingly mobile workforce VPNs serve as private mobile workforce VPNs serve as private network overlays on public IP network network overlays on public IP network infrastructures such as the Internetinfrastructures such as the Internet

bull Today VPNs are equally appealing to companies of all Today VPNs are equally appealing to companies of all sizes Even small businesses are finding compelling reasons sizes Even small businesses are finding compelling reasons to implement VPNsto implement VPNs

bull The primary purposes of the VPNC areThe primary purposes of the VPNC are Promote the products of its members to the press and Promote the products of its members to the press and

to potential customers to potential customers Increase interoperability between members by showing Increase interoperability between members by showing

where the products interoperate where the products interoperate Serve as the forum for the VPN manufacturers Serve as the forum for the VPN manufacturers

throughout the world throughout the world Help the press and potential customers understand VPN Help the press and potential customers understand VPN

technologies and standardstechnologies and standards

BIBLIOGRAGHYBIBLIOGRAGHY

bull wwwscribdcomwwwscribdcombull wwwwikipediaorgwwwwikipediaorgbull wwwhowstuffworkscomwwwhowstuffworkscombull wwwgooglecomwwwgooglecom

IntroIntro To VPNTo VPN

bull Virtual Private NetworkVirtual Private Network as name suggests as name suggests safely and securely transfers information from safely and securely transfers information from one network to another systemone network to another system

bull Organizations which are connected by a single Organizations which are connected by a single logical network via Routers amp WAN logical network via Routers amp WAN technologiestechnologies

bull They are inter-connected to do PRIVATE data They are inter-connected to do PRIVATE data sharing sharing

bull Supports telecommuters branch offices amp off Supports telecommuters branch offices amp off site partners hence most vital part of site partners hence most vital part of corporate IT worldcorporate IT world


























































3 IPLS3 IPLS















3 IPSec 3 IPSec

























































































































3 IPLS3 IPLS















3 IPSec 3 IPSec












































































3 IPSec 3 IPSec
































































Virtual Private Network

Documents

Transcript of Virtual Private Network