Virtual Private Networks

Transcription

1 Virtual Private Networks Omar ALGhamdi, MD, MS Medical Informatics

2 2 Table of Contents: 1. Introduction. 2. Definitions. 3. VPN Motivations. 4. Architecture & Implementations. 4.1 Network Layer VPNs Controlled Route Leaking Tunneling Network Layer Encryption. 4.2 Link-Layer VPNs. 5 Types of VPNs. 5.1 LAN Interconnect VPN. 5.2 Dial-up VPN. 5.3 The Extranet VPN. 6 Requirements of well designed VPN. 7 The future of VPN. 1. Introduction: The Internet global presence makes it attractive as a universal communications infrastructure for businesses. With distance-independent rates and flat fees, the costs of corporate Internet communications become predictable and tend to get cheaper. However,

3 3 some Internet design principles discourage the use of the Internet as a universal communication platform. First, all Internet traffic shares the available resources and is forwarded in a best-effort manner. Such resource sharing with all other Internet users makes it impossible for Internet service providers (ISPs) to offer the service guarantees needed. The second problem with internet is lack of built in security support.(braun, Guenter, & Khalil, 2001). According to infonetics Cahners In Stat Group predicts the total market for VPN will explode from a projected $2.67 billion in 1999 to $32 billion by the end of Moreover, the September, 1999 Internet Week survey of 200 IT managers found that 29% were using VPNs, while 71% were six moths to one year or more from deployment(younglove, 2000). This is a clear indication that VPNs are very promising to many organizations, as a potential economical communication solution. Therefore VPNs have been earning the nickname Very Profitable Networks (Yuricik & Doss, 2001). 2. Definitions: A VPN is a communications environment in which access is controlled to permit peer connections only within a defined community of interest, and is constructed through some form of partitioning of a common underlying communications medium, where this underlying communication medium provides services to the network on a non-exclusive basis(ferguson & Huston, 1998). A simpler, more approximate, and much less formal description is:

4 4 A communication environment constructed by controlled segmentation of a shared communication infrastructure to emulate the characteristics of a private network.(venkateswaran, 2001). It should be noted that shared communication infrastructure upon which the VPN is constructed could either be public Internet or a private network.(yuricik & Doss, 2001). 3. Motivations for VPNs: A virtual private network can resolve many of the issues associated with today s private networks. a) Cost: Traditional private networks facilitate connectivity among various network entities through a set of links, comprising of dedicated circuits (T1, T3 etc.). The cost of such links is high especially when they involve international locations.(venkateswaran, 2001). Even when VPNs are implemented on a provider private network, it would still be less expensive, since that private network will provide VPN services to many other subscribers(ferguson & Huston, 1998). b) Mobility of workforce: The percentage of people in the US workforce that depends on remote access to do their jobs is continually growing. Many companies are encouraging telecommunications to reduce their investment in real estate, reduce traffic, and reduce pollution from automobile. To support this, companies have to provide a reliable IT infrastructure like large modem pools and toll free numbers, all of which adds to their overhead cost.(younglove, 2000).

5 5 c) E-commerce applications: such applications are deployed around inventory management, supply chain management, electronic data interchange etc. However, in traditional private networks, this kind of special access provision is difficult to incorporate because it is not easy to install dedicated link to all suppliers and business partners, nor it is flexible because a change in the supplier would require de-installing the link and installing another one to the new vendor. Such inflexible infrastructure makes it difficult to take advantage of cost saving opportunities like quickly replacing a supplier with one who provides more competitive prices. (Venkateswaran, 2001). 4. Architecture & Implementations. Despite the common perception that VPN is not a customizable solution, a broad spectrum of VPN options is available. Network designers do not anticipate any single VPN solution to supplant others. Instead they forecast that a diversity of choices will continue to emerge, increasing an advanced planning framework s value(yuricik & Doss, 2001). There are several different ways of VPN implementations. VPNs can be implemented at Link-layer, Network layer, Transport layer, and application layer.(ferguson & Huston, 1998). There is currently significant interest in the deployment of virtual private networks across IP backbone facilities(gleeson, Lin, Heinanen, Armitage, & Malis, 2000), for this reason this paper will focus on the two most common implementation methods (Network & Link-layer VPNs) Network Layer VPNs: There are two models within this framework, The Peer and Overlay VPN.

6 6 The peer VPN model is one in which paths are computed on hop-by-hop basis, where each node in the path is a peer with a next-hop node. The overlay VPN model is one in which the network layer forwarding path uses the intermediate link layer as a cut - through to another edge node on the other side of a public network (Yuricik & Doss, 2001). There are three common ways of implementing Network layer VPNs Controlled Route Leaking: Is a method which could also be called privacy through obscurity, it is a peer VPN model. It consist simply of controlling route propagation to the point that only certain networks receives routes from other networks which are within their own community of interest, the most common and efficient way to accomplish this is by using BGP communities, which is a method that enable the VPN provider to mark the Network Layer Reachability Information with community attributes that identifies different networks. Figure 1. Figure 1 Courtesy of (Ferguson & Huston, 1998)

7 Tunneling: Tunneling is an Overlay VPN model, it is a method of sending packets securely over a shared public infrastructure(younglove, 2000). In the tunnel mode, the end points of the tunnel are common nodes of the VPN and the shared public infrastructure (Venkateswaran, 2001). Generally, there are two approaches for establishing tunnels: Customer Premise Equipment (CPE) based approach and the network based approach. In the CPE-based approach, tunnels are established only between CPE devises (mainly border router). In the network based approach, tunnels are established between the routers of the core (shared) network. The CPE-based approach is more simple, however, for scalability and economic reasons, network-based solutions for VPNs are preferred (Cohen & Kaempfer, 2000). There are numerous tunneling mechanisms, including, Generic Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling protocol(pptp), IPSec, and Multiprotocol Label Switching(MPLS) (Ferguson & Huston, 1998). The most common tunneling mechanism is GRE routing from source to destination router, router to router, or host to host. Tunnels between source (ingress) and destination (egress) routers encapsulate source packets with a new GRE header and forward them into a tunnel with tunnel s endpoint as a destination address. When the packet reaches the tunnel endpoint, the last router strips the outer GRE header away, unencapsulating the inner packet. The router then forwards this original packet to its original destination, which appears in the inner packet header.(braun et al., 2001). GRE tunnels are generally point-to-point, that is, there is a single source address and single destination tunnel

8 8 endpoint address. However, there are some vendor implementations that allow the configuration of point-to-multipoint tunnels(ferguson & Huston, 1998). Layer 2 tunneling protocol (L2TP) is a network protocol which was developed by IETF(Internet Engineering Task Force), it encapsulate PPP frames to be sent over IP, X.25, frame relay, or ATM networks(younglove, 2000). L2TP is a compulsory Tunneling model, this means that a dial up client dials into Network Access Server (NAS), which after successful authentication dynamically establish L2TP tunnel to a predetermined end point in the network.(gleeson et al., 2000). Point to Point tunneling protocol (PPTP), is similar to L2TP, but is considered Voluntary tunneling model, where the client dials into NAS, and establish a PPTP tunnel directly from the client side to the end point of the server to be accessed, depending on the privileges granted to that client.(ferguson & Huston, 1998). Tunneling has two main advantages, first it helps to route multiple protocols across the shared network infrastructure i.e. the original packet could be based on any layer 3 protocol ( like IP, Apple Talk, or Novel IPX). Second, the VPN and the shared network infrastructure may use different routing protocols and addressing mechanism without hindering the routing process typically the network-layer protocol within the shared infrastructure is IP. The are some disadvantages of tunneling. It is difficult to manage a large number of tunnels. Therefore, it doesn t scale well to a large number of VPN nodes. Further, the packets on the unencrypted tunnels can be eavesdropped by others attached to the shared network infrastructure. This tunnel is especially vulnerable at tunnel end-point where the

9 9 extra headers are stripped away and packets are visible in their original forms (Venkateswaran, 2001) Network Layer Encryption: As tunneling doesn t ensure privacy, this is clearly a problem for organizations who wants to use public networks, especially the internet to transmit important information (Yuricik & Doss, 2001). The evolving standard for network layer encryption is IP Security ( IP Sec) which was developed by the IETF. It is a layer 3 protocol standard designed to insure data security in IP based communications. IPSec allows IP payloads to be encrypted and encapsulated in an IP header for secure transfer.(younglove, 2000). IPSec supports two types of encapsulation which are used in combination: authentication header (AH) and encapsulating security payload (ESP). AH provides secure source identification and data integrity verification using a header field. ESP supports payload encryption for confidentiality and has two modes: tunnel mode for WAN traffic (the entire packet, including source and destination addresses is encrypted to prevent traffic analysis) and the transport mode (only the payload is encrypted ) for LAN traffic(yuricik & Doss, 2001). IPSec has become the de facto industry standard for IP-based VPN infrastructure. The future version of IP (IPv6), has IP sec built in it, and when fully deployed, it will render IPSec obsolete (Younglove, 2000). Generally speaking and independent of IPSec, there are two basic methods in which network layer encryption is implemented. The most secure is end-to-end between

10 10 participating hosts. This allows for the highest level of security. The alternative is tunnel mode, where encryption is only performed between intermediate devices (routers), and traffic between the end system and the router is in plain text. The latter is obviously less secure (Gleeson et al., 2000) Link-Layer VPNs: The basic concept of this kind of implementation is to use a shared network infrastructure that is based on switched link layer technology like Frame Relay or Asynchronous Transfer Mode (ATM). Thus, a collection of VPNs may share the same infrastructure for connectivity, and share the same switching elements without being visible to each other. By this, link-layer VPNs attempts to maintain the critical elements of being self contained and economical (Gleeson et al., 2000). There are several protocols that are used in link-layer VPN implementations, the most common is Multiprotocol over ATM (MPOA), and Multiprotocol Label Swiching ( MPLS) (Venkateswaran, 2001). The connection is established as a virtual circuit at the link layer. The essential difference here between this architecture of virtual circuit and that of dedicated circuits is that there is no synchronized data clock shared by the sender and the receiver, nor is there a dedicated transmission path assigned from the common shared infrastructure.(ferguson & Huston, 1998). The advantage of virtual circuits is that they are cheaper than dedicated links and they are very flexible. Link-layer VPNs are appropriate for LAN interconnect VPN services. Link-layer VPNs are not ideally suited for dial-up services because most ISPs provide connectivity through

11 11 IP. Since dial-up VPN services offer more cost reductions, IP-based network layer VPNs are more attractive to IT managers (Venkateswaran, 2001). There are no industry standards, per se, for link layer encryption, thus all link layer encryption solutions are generally vendor specific and require special encryption hardware (Ferguson & Huston, 1998). 5. Types of VPNs. There are primarily three types of VPNs. Local Area Network Interconnect VPN, Dial- Up VPN, and Extranet VPN (Venkateswaran, 2001) LAN Interconnect VPN: Helps to interconnect different LANs located at different geographical areas over shared network infrastructure. Typically it is used to connect small offices with their regional main office. The advantages of this type, is that it is very flexible, i.e, both the capacity of a link and the number of necessary link can be changed whenever needed Dial-up VPN: Supports mobile and telecommuting employees in accessing the company s Intranet from remote locations. This type of VPN may use either L2TP, or PPTP protocols as described earlier in the tunneling section. The dial-up VPN has two main advantages. It eliminates the need to manage and maintain a RAS, as this is usually done by the service provider. It also provides considerable cost saving as it result in a significant reduction in long distance and Toll Free calls Extranet VPN: Combines the architecture of both LAN interconnect and dial-up VPNs.

12 12 This kind of VPNs enables vendors, suppliers, and customers to access specific areas of the company s Intranet. The allowed specific area is denoted as Demilitarized Zone (DMZ). The main advantage of Extranet VPNs is that it helps in several e-commerce areas including efficient inventory management and electronic data interchange. 6. Requirements of a Well Designed VPN. Scalability: allows a solution to grow as the business grows and eliminate forklift upgrades. Performance: VPN should be able to process close to the input line speed or to the line speed of the slowest link. Reliability: VPN should be available at all the time, reliability must include redundancy features to allow automatic recovery of failed devices with limited interruption of service. Usability: VPN needs to be very easy to use and understand by the end-users. Ease of Management: the management platform must have a simple way to design security policy, an easy way to distribute that policy, and an easy way to simultaneously manage a large number of devises. Interoperability: the VPN equipment must be interoperable according to industry standards and protocols. Protocol Support: at least the following protocols must be supported. IPSec, PPTP, L2TP, and RADIUS. Service Level Agreement (SLA): It is necessary to negotiate with service provider a SLA to provide a consistent throughput and service to the connected locations.

13 13 Seamless Integration: VPN solution must fit into an organization network system as a complementary service.(gentry, 2001) 7. The Future of VPN. VPN technology is still in its infancy. But the general believe that in a couple of years VPNs will evolve and demonstrate all the promised advantages. VPN will be a global technology linking geographical regions around the world (Venkateswaran, 2001). Future VPN researches are directed toward Quality of Service (QoS), especially as a capability of the MPLS (Yuricik & Doss, 2001). Internet QoS VPNs have become a feasible and economically interesting solution for deploying wide area corporate networks. However, the Qos and VPN enabling technologies increases network management complexity significantly (Braun et al., 2001). In their paper, (Jingsha He, Blight, & Chujo, 2000), studied the VPN requirements, especially the Qos and security requirements, and analyzed the different implantations that can support the requirements in different network environments. They proposed a unified Policy Server-based architecture which supports both LAN and Dial-Up modules. The policy server stores the company s QoS Policy, security policy and the rules to establish the VPN connections. Each and every network element that is involved in the VPN needs to consult the PS at the time of establishing a VPN connection. With the support of the PS and dynamic policy rules it enforces, different VPN connections can be established depending on where the user initiates the connections. Another advantage of

14 14 this approach is the centralized administration and management of policies that resides on the PS. 8. References: Braun, T., Guenter, M., & Khalil, I. (2001). Managment of quality of service enabled VPNs. IEEE Communication Magazine, 39(5), Cohen, R., & Kaempfer, G. (2000). On the cost of virtual private networks. IEEE/ACM Transactions on Networking, 8(6), Ferguson, P., & Huston, G. (1998). What is a VPN, from Gentry, P. B. (2001). What is a VPN. Information Security Technical Report, 6(1), Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A Framework for IP Based Virtual Private Networks, from Jingsha He, Blight, D., & Chujo, T. (2000). A unified architecture for virtual private networking. Paper presented at the International Communication Technology. Venkateswaran, R. (2001). Virtual private networks. IEEE potentials, 20(1), Younglove, R. (2000). Virtual private networks - how they work. Computing & Control Engineering Journal, 11(6), Yuricik, W., & Doss, D. (2001). A Planning framework for implementing virtual private networks. IT Professional, 3(3), Braun, T., Guenter, M., & Khalil, I. (2001). Managment of quality of service enabled VPNs. IEEE Communication Magazine, 39(5), Cohen, R., & Kaempfer, G. (2000). On the cost of virtual private networks. IEEE/ACM Transactions on Networking, 8(6), Ferguson, P., & Huston, G. (1998). What is a VPN. Retrieved, from the World Wide Web: Gentry, P. B. (2001). What is a VPN. Information Security Technical Report, 6(1), Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A Framework for IP Based Virtual Private Networks. Retrieved, from the World Wide Web: Jingsha He, Blight, D., & Chujo, T. (2000). A unified architecture for virtual private networking. Paper presented at the International Communication Technology. Venkateswaran, R. (2001). Virtual private networks. IEEE potentials, 20(1), Younglove, R. (2000). Virtual private networks - how they work. Computing & Control Engineering Journal, 11(6),

15 Yuricik, W., & Doss, D. (2001). A Planning framework for implementing virtual private networks. IT Professional, 3(3),