AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION


DR. P. RAJAMOHAN
SENIOR LECTURER, SCHOOL OF INFORMATION TECHNOLOGY, SEGi UNIVERSITY, TAMAN SAINS SELANGOR, KOTA DAMANSARA, PJU 5, PJ, SELANGOR DARUL EHSAN, MALAYSIA.

ABSTRACT

A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. This paper presents an analysis of the special performance aspects of Remote Access Virtual Private Networks in communication, in particular their architectures and efficient installation. A secure alternative to traditional remote access is IP-based Virtual Private Networking (IP-VPN). In IP-VPNs, all connections to corporate intranets are calls to a local ISP, carried by the Internet to a corporate VPN gateway.

Keywords: VPN - Virtual Private Networks, RA-VPN - Remote Access Virtual Private Networks, ISP - Internet Service Provider, RRAS - The Routing and Remote Access Service, RADIUS - Remote Authentication Dial-In User Service.

1. INTRODUCTION

A Virtual Private Network (VPN) is a public network being used for private communication. The VPN connection is an authenticated and encrypted communications channel, or tunnel, across this public network, such as the Internet. Because the network is considered insecure, encryption and authentication are used to protect data while in transit. VPN service is considered to be independent, in that client operation is transparent to the user and that all information exchanged between the two hosts (World Wide Web, File Transfer Protocol, etc.) is transmitted across the encrypted channel. A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure [1].

1.1 Routing

A router is a device that manages the flow of data between network segments, or subnets. A router directs incoming and outgoing packets based on the information about the state of its own network interfaces and a list of possible sources and destinations for network traffic. By projecting network traffic and routing needs based on the number and types of hardware devices and applications used in the environment, we may decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers handle lighter routing loads. A software-based routing solution, such as RRAS in Windows, can be ideal on a small, segmented network with relatively light traffic between subnets. Enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network [1].

1.2 Remote access

By configuring RRAS to act as a remote access server, we can connect remote networks. Remote users can work as if their computers are directly connected to the network. All services typically available to a directly connected user, including file and printer sharing, Web server access, and messaging, are enabled by means of the remote access connection. An RRAS server provides two different types of remote access connectivity:

Virtual Private Networking. A virtual private network (VPN) is a secured, point-to-point connection across a public network, such as the Internet.
A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a connection to a port on a remote VPN server. The VPN server accepts the connection, authenticates the connecting user and computer, and then transfers data between the VPN client and the corporate network.

Volume 2, Issue 11, November 2014 Page 1

Dial-Up Networking. In dial-up networking, a remote access client makes a dial-up telephone connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog telephone or ISDN. Dial-up networking over an analog phone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server.

Remote access is best defined as providing access to fixed site resources for users who are not at a fixed workstation at that same site's Local Area Network (LAN). The largest remote access user community is mobile or telecommuting users, such as a sales force or field engineering team. Figure - 1 illustrates a traditional remote access network using the Public Switched Telephone Network (PSTN) or the Integrated Services Digital Network (ISDN).

Figure - 1. Traditional Remote Access (PSTN/ISDN Transport)

Traditional Remote Access connectivity is achieved with users dialing into a dedicated PSTN/ISDN modem pool, maintained either by a corporate Information Systems/Information Technology staff or by the network service provider. A secure alternative to traditional remote access is IP-based Virtual Private Networking (IP-VPN). In IP-VPNs, all connections to corporate intranets are calls to a local ISP, carried by the Internet to a corporate VPN gateway [1]-[3].

1.3 VPN Connection

VPNs can be broadly classified into two types of connections: Remote access VPN and Site-to-site VPN.

Figure - 1: Classification of VPN connection

Remote Access VPN

A Remote Access VPN connection enables a user working at home or on the road to access a server on a private network by using the infrastructure provided by a public network, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the client computer and the organization's server.
The infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN

A Site-to-Site VPN connection (sometimes called a router-to-router VPN connection) enables an organization to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. When networks are connected over the Internet, as shown in Figure - 2, a VPN-enabled router forwards packets to another VPN-enabled router across a VPN connection. To the routers, the VPN connection appears logically as a dedicated, data-link layer link. In a Site-to-Site VPN connection, the calling router authenticates itself to the answering router, and, for mutual authentication, the answering router authenticates itself to the calling router. In a Site-to-Site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers. Site-to-site VPNs can be further classified into two types: Intranet-based VPN and Extranet-based VPN [2].

Figure - 2: VPN connecting two remote sites across the Internet

Intranet-Based VPN: If a company has remote locations that it wishes to join in a single private network, it can create an Intranet VPN to connect LAN to LAN.

Extranet-Based VPN: When a company has a close relationship with another company, it can build an Extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

A Remote access VPN can also be called a virtual private dial-up network (VPDN). The Remote access VPN establishes the User-to-LAN connection. Thus an authenticated user can log on to the VPN tunnel from anywhere using a laptop [2][3].

2. AUTHENTICATION

Authentication is the first major component of a VPN. Authentication is the process of identifying the entity (user, router, or network device) requiring access. This authentication is often done by means of a cryptographic function, such as with challenge/response algorithms. The following sections discuss the other authentication methods [3]:

- Point-to-Point Tunneling Protocol Password Authentication Protocol/Challenge Handshake Protocol (PPTP-PAP/CHAP)
- Digital certificates
- RADIUS servers

2.1 PPTP-PAP/CHAP

Password Authentication Protocol (PAP) is the most insecure authentication method available today because both the username and password are sent across the link in clear text. Anyone monitoring the connection could collect and use the information to gain access to the network. The Challenge Handshake Authentication Protocol (CHAP) works as follows:

1. The client establishes a connection with the server and the server sends a challenge back to the client.
2. The client then performs a hash (mathematical) function, adds some extra information, and sends the response back to the server for verification.
3. The server looks in its database and computes the hash with the challenge.
4. If these two answers are the same, authentication succeeds.
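The four CHAP steps as an added example (not code from the paper), following the RFC 1994 form of the protocol, in which the response is MD5 over the identifier, the shared secret and the challenge. The user name, secret and all class and function names are constructed for illustration; the example shows that the secret never crosses the link and that a recorded response is rejected against a fresh challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator: issues challenges (step 1), verifies responses (steps 3-4)."""

    def __init__(self, user_secrets):
        self._user_secrets = user_secrets   # constructed database: name -> secret
        self._next_id = 0
        self._pending = {}                  # identifier -> challenge awaiting a reply

    def challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256   # identifier is a single octet
        value = os.urandom(16)                       # fresh and unpredictable
        self._pending[identifier] = value
        return identifier, value

    def verify(self, name, identifier, response):
        value = self._pending.pop(identifier, None)  # each challenge is single-use
        secret = self._user_secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapClient:
    """Peer: proves knowledge of the secret without transmitting it (step 2)."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def respond(self, identifier, challenge):
        return self.name, identifier, chap_response(identifier, self._secret, challenge)


def run_exchange(server, client, wire):
    """One challenge/response round; `wire` records every transmitted message."""
    identifier, value = server.challenge()
    wire.append(("challenge", identifier, value))
    name, ident, response = client.respond(identifier, value)
    wire.append(("response", name, ident, response))
    return server.verify(name, ident, response)


def secret_seen_on_wire(wire, secret):
    """True if the shared secret appears in any byte field that was transmitted."""
    return any(isinstance(f, bytes) and secret in f for msg in wire for f in msg)


def demo():
    secret = b"constructed-shared-secret"            # constructed sample value
    server = ChapServer({"alice": secret})
    client = ChapClient("alice", secret)
    wire = []

    first_login = run_exchange(server, client, wire)
    captured = wire[-1]                               # what a passive observer recorded

    # A recorded response presented against a new challenge must be rejected.
    new_id, _ = server.challenge()
    replay_new = server.verify(captured[1], new_id, captured[3])
    # Presenting it again for the already-answered challenge must be rejected too.
    replay_old = server.verify(captured[1], captured[2], captured[3])

    rechallenge = run_exchange(server, client, wire)  # periodic mid-session re-check
    wrong_secret = run_exchange(server, ChapClient("alice", b"not-the-secret"), wire)

    return {
        "first_login": first_login,
        "replay_against_new_challenge": replay_new,
        "replay_against_used_challenge": replay_old,
        "periodic_rechallenge": rechallenge,
        "wrong_secret": wrong_secret,
        "secret_on_wire": secret_seen_on_wire(wire, secret),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

With PAP, by contrast, the `wire` record would contain the password itself, which is why the paper ranks it as the weakest method.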
While CHAP eliminates a dictionary attack, the hashing functions could still be attacked. CHAP also supports the (user transparent) periodic challenge of the client username/password during the session to protect against wire-tapping [2][3].

2.2 Digital Certificates

Digital certificates include information about the owner of the certificate; therefore, when users visit the (secured) web site, their web browsers will check information on the certificate to see whether it matches the site information included in the URL. A digital certificate could be likened to a security driver's license. Certificates are issued by Certificate Authorities (CAs). The contents of a digital certificate include the certificate holder's identity, the certificate's serial number, a valid, unchangeable date for the transaction, the certificate's expiration dates, a copy of the certificate holder's public key for encryption and/or signature, and the group name, city and state.

2.3 RADIUS Servers

Remote Authentication Dial-In User Service (RADIUS) is a distributed system securing network remote access and network resources against unauthorized access. RADIUS authentication includes two components:

- Authentication server: installed at the customer's site; holds all user authentication and network access information.
- Client protocols: RADIUS works on the client sending authentication requests to the RADIUS server, and the client acts on server acknowledgements sent back to the client.

RADIUS is not limited to dial-up service; many firewall vendors support a RADIUS server implementation [2][3].

3. ARCHITECTURE VPN TUNNELING PROTOCOLS

Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol. For example, VPN uses Point-to-Point Tunneling Protocol (PPTP) to encapsulate IP packets over a public network, such as the Internet. A VPN solution can be configured based on PPTP, Layer Two Tunneling Protocol (L2TP), Secure Socket Tunneling Protocol (SSTP), or Internet Protocol security (IPsec) using Internet Key Exchange version 2 (IKEv2). PPTP, L2TP, and SSTP depend heavily on the features originally specified for Point-to-Point Protocol (PPP). PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server [2][3].

3.1 PPTP

PPTP allows multiprotocol traffic to be encrypted and then encapsulated in an IP header to be sent across an IP network or a public IP network, such as the Internet. PPTP can be used for remote access and site-to-site VPN connections. When using the Internet as the public network for VPN, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet [1],[3].

Encapsulation

PPTP encapsulates PPP frames in IP datagrams for transmission over the network. PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data.
The payloads of the encapsulated PPP frames can be encrypted, compressed or both.

Figure - 3: PPTP - IP Datagram (structure of a PPTP packet containing an IP datagram)

Encryption

The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication process. Virtual private networking clients must use the MS-CHAP v2 or EAP-TLS authentication protocols in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame. Only the 128-bit RC4 encryption algorithm is supported. 40-bit and 56-bit RC4 support was removed starting with Windows Vista and Windows Server 2008, but can be added by changing a registry key [2][9].

3.2 L2TP/IPsec

L2TP/IPsec allows multiprotocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery, such as IP or Asynchronous Transfer Mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco Systems, Inc. L2TP represents the best features of PPTP and L2F. Unlike PPTP, the Microsoft implementation of L2TP does not use MPPE to encrypt PPP datagrams. L2TP uses IPsec in Transport Mode for encryption services. The combination of L2TP and IPsec is known as L2TP/IPsec. Both L2TP and IPsec must be supported by both the VPN client and the VPN server. Client support for L2TP is built in to the Windows remote access clients, and VPN server support for L2TP is built in to the Windows Server operating system. L2TP/IPsec is installed with the TCP/IP protocol [1][3].

Encapsulation

Encapsulation for L2TP/IPsec packets consists of two layers.

First Layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header and a UDP header.
The following figure shows the structure of an L2TP packet containing an IP datagram.

Figure - 4: L2TP - IP Datagram (structure of an L2TP packet containing an IP datagram)

Second Layer: IPsec encapsulation. The resulting L2TP message is then wrapped with an IPsec Encapsulating Security Payload (ESP) header and trailer, an IPsec Authentication trailer that provides message integrity and authentication, and a final IP header. The IP header contains the source and destination IP addresses that correspond to the VPN client and VPN server. The following illustration shows L2TP and IPsec encapsulation for a PPP datagram [2][9][10].

Figure - 5: L2TP Traffic with IPSec ESP (encryption of L2TP traffic with IPsec ESP)

Encryption

The L2TP message is encrypted with one of the following protocols by using encryption keys generated from the IKE negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms. Data Encryption Standard (DES) encryption algorithm with Message Digest 5 (MD5) integrity check support has been removed, but can be added (not recommended) by changing a registry key [3].

3.3 SSTP

Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking. When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as the data payload [3][9][10].

Encapsulation

SSTP encapsulates PPP frames in IP datagrams for transmission over the network.
SSTP uses a TCP connection (over port 443) for tunnel management as well as PPP data frames.

Encryption

The SSTP message is encrypted with the SSL channel of the HTTPS protocol.

IKEv2

IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500. An IKEv2 VPN provides resilience to the VPN client when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec allows support for strong authentication and encryption methods.

Encapsulation

IKEv2 encapsulates datagrams by using IPsec ESP or AH headers for transmission over the network.

Encryption

The message is encrypted with one of the following protocols by using encryption keys generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms.

3.4 Choosing Between Tunneling Protocols for Remote Access VPNs

When choosing between PPTP, L2TP/IPsec, SSTP, and IKEv2 remote access VPN solutions, consider the following:

PPTP can be used with a variety of Microsoft clients, including Microsoft Windows 2000 and later versions of Windows. Unlike L2TP/IPsec and IKEv2, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

L2TP can be used with client computers running Windows 2000 and later versions of Windows. L2TP supports either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers.
By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication. Unlike PPTP and SSTP, L2TP/IPsec enables machine authentication at the IPsec layer and user-level authentication at the PPP layer.

SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1), Windows Server 2008, and later versions of Windows. By using SSL, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.

IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2. By using IPsec, IKEv2 VPN connections provide data confidentiality, data integrity, and data authentication. IKEv2 supports the latest IPsec encryption algorithms. Because of its support for mobility (MOBIKE), it is much more resilient to changing network connectivity, making it a good choice for mobile users who move between access points and even switch between wired and wireless connections [4].

4. VPN ARCHITECTURE

Several VPN network architectures are deployed by enterprise organizations for VPN services. The following Remote Access VPN network architectures are discussed in the following sections [2]-[5]:

- Firewall Based
- Black-Box Based
- Router Based
- Remote-Access Based

4.1 Firewall-Based VPNs

With firewall-based VPNs, it is considered a safe presumption that a firewall will be used and placed at the network perimeter, as illustrated in Figure - 6.

Figure - 6: Firewall-Based VPN

This presumption leads to a natural extension that this device also can support the VPN connections, providing a central point of management of both the firewall and network access security policies. A drawback to this combined firewall/VPN-access method is performance.

4.2 Black-Box-Based VPNs

In the black-box scenario, a vendor offers just that, a black box: a device loaded with encryption software to create a VPN tunnel. Black-box VPN vendors should be supporting all three tunneling protocols: PPTP, L2TP, and IPSec.
The black-box VPN sits behind or with the firewall, as illustrated in Figure - 7.

Figure - 7: Black-Box-Based VPN

The firewall provides security to the organization, not the data, whereas the VPN device provides security to the data, but not the organization. If the firewall is in front of the VPN device, a rule-based policy on that firewall will need to be implemented.

4.3 Router-Based VPNs

Router-based VPNs are for an organization that has a large capital investment in routers and an experienced IT staff. Many router vendors support router-based VPN configurations. There are two ways to go about implementing router-based VPNs:

- Software is added to the router to allow an encryption process to occur.
- An external card from a third-party vendor is inserted into the router chassis. This method is designed to off-load the encryption process from the router CPU to the additional card.

Figure - 8: Router-Based VPN

Some vendors support hot swapping (replacing hardware) and redundancy (backup solutions), which are built into their router-based VPN products. Performance can be an issue with router-based VPNs because of the addition of an encryption process to the routing process; a heavier burden may be added to the router CPU, especially if the router is handling a large number of routes or implementing an intensive routing algorithm. Figure - 8 illustrates a router-based VPN, where packets are encrypted from source to destination.

The drawback to a router-based VPN is security. Routers are considered to be poor at providing network security compared to a firewall. It is possible that an attacker will spoof traffic past the router, in turn fooling the firewall because the firewall will interpret these packets as originating from the other side of the VPN tunnel. This spoofing allows the attacker to gain access to services that are not visible from other locations on the Internet [4]-[7].

4.4 Internet-Based VPN Connections

Using an Internet-based VPN connection, an organization can avoid long-distance charges while taking advantage of the global availability of the Internet.

Remote Access VPN Connections over the Internet

A remote access VPN connection over the Internet enables a remote access client to initiate a dial-up connection to a local ISP instead of connecting to a corporate or outsourced network access server (NAS). By using the established physical connection to the local ISP, the remote access client initiates a VPN connection across the Internet to the organization's VPN server.
When the VPN connection is created, the remote access client can access the resources of the private intranet [5]-[7].

Figure - 9: Remote Access Over the Internet (VPN connecting a remote client to a private intranet)

Site-to-Site VPN Connections Over the Internet

When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

Figure - 10: Connecting Two Remote Sites Across the Internet

4.5 Intranet-Based VPN Connections

The intranet-based VPN connection takes advantage of IP connectivity in an organization's Local Area Network (LAN).

Remote Access VPN Connections over an Intranet

In some organization intranets, the data of a department, such as human resources, is so sensitive that the network segment of the department is physically disconnected from the rest of the intranet. While this protects the data of the human resources department, it creates information accessibility problems for authorized users not physically connected to the separate network segment. VPN connections help provide the required security to enable the network segment of the human resources department to be physically connected to the intranet. In this configuration, a VPN server can be used to separate the network segments. The VPN server does not provide a direct routed connection between the corporate intranet and the separate network segment. Users on the corporate intranet with appropriate permissions can establish a remote access VPN connection with the VPN server and gain access to the protected resources. Additionally, all communication across the VPN connection is encrypted for data confidentiality. The following figure shows remote access over an intranet [5]-[10].

Figure - 11: VPN Connection Allowing Remote Access to a Secured Network over an Intranet

Site-to-Site VPN Connections over an Intranet

Two networks can be connected over an intranet using a site-to-site VPN connection. This type of VPN connection might be necessary, for example, for two departments in separate locations, whose data is highly sensitive, to communicate with each other. For instance, the finance department might need to communicate with the human resources department to exchange payroll information. The finance department and the human resources department are connected to the common intranet with computers that can act as VPN clients or VPN servers.
When the VPN connection is established, users on computers on either network can exchange sensitive data across the corporate intranet. The following figure shows two networks connected over an intranet [5]-[10].

Figure - 12: VPN Connecting Two Networks Over the Intranet

5. EFFICIENT INSTALLATION OF REMOTE ACCESS VPNS

Before a VPN can be established, certain requirements must be met. These include the following:

- Each network site must be set up with a VPN-capable device (router, firewall, or some other VPN dedicated device) on the network edge.
- Each site must know the IP addressing scheme (host, network, and network mask) in use by the other side of the intended connection.
- Both sites must agree on the authentication method and, if required, exchange digital certificates.
- Both sites also must agree on the encryption method and exchange the keys required.

VPNs are used to replace both dial-in modem pools and dedicated wide area network (WAN) links. A VPN solution for remote dial-in users can reduce support costs because there are no phone lines or 800-number charges. A VPN solution offers advantages over a dedicated WAN environment when sites are geographically diverse or mobile, saving the cost of dedicated facilities and hardware. A VPN is made up of three technologies that, when used together, form the secure connection: authentication, tunneling, and encryption.

We need to do the following before we configure an RRAS server as a remote access VPN server [5]-[9]:

- Determine which network interface connects to the Internet and which network interface connects to your private network. During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.
- Determine whether remote clients will receive IP addresses from a DHCP server on your private network or directly from the remote access VPN server that you are configuring. If you have a DHCP server on your private network, the remote access VPN server can lease 10 addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can assign IP addresses to remote clients from a predefined pool of addresses. You must determine that range based on your network infrastructure.
- If you are using DHCP, determine whether VPN clients are able to send DHCP messages to the DHCP server on your private network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay DHCP messages between clients and the server.
- Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication Dial-In User Service (RADIUS) server or by the remote access VPN server that you are configuring.
Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients to your private network. For more information, see Network Policy Server Help.
- Verify that all users have user accounts that are configured for dial-up access. Before users can connect to the network, they must have user accounts on the remote access VPN server or in Active Directory Domain Services (AD DS). Each user account on a stand-alone server or a domain controller contains properties that determine whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by right-clicking the user account in the Active Directory Users and Computers console and clicking Properties.

6. CONCLUSION

Remote access solutions are deployed by enterprise organizations to provide access to fixed site resources to remote users (not at a fixed workstation) at a site's LAN. A virtual private network (VPN) is a public network being used for this private and secure communication between the remote (telecommuting or mobile) user and the organization's LAN. This VPN connection is authenticated and encrypted across the public network. Oftentimes this public network is the Internet.

REFERENCES

[1] Dave Kosiur, Wiley & Sons, Building and Managing Virtual Private Networks; ISBN: , pp
[2] John Mains, VPNs A Beginners Guide, McGraw Hill; ISBN: , pp
[3] Dr. S.S. Riaz Ahamed & P. Rajamohan, Comprehensive Performance Analysis and Special Issues of Virtual Private Network Strategies in the Computer Communication: a Novel Study, International Journal of Engineering Science and Technology (IJEST), ISSN : Vol. 3 No. 7 July 2011, pp
[4] Wei Luo, Carlos Pignataro, Dmitry Bokotey, Anthony Chan (Cisco Press 2005), Layer 2 VPN Architectures, pp
[5] Cisco Press, Network Sales and Services Handbook (Cisco Press Networking Technology) - Chapter 16, Remote Access VPNs, page 138
[6] Alwin Thomas and George Kelley, Cost-Effective VPN-Based Remote Network Connectivity Over the Internet,
[7] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. Types of VPN, pp
[8] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. VPN Over IPSec., pp
[9] Ronald, F.J. (Ed 2003). CCSP Cisco Secure VPN. Explanation of the IPSec protocols, pp
[10] B. Gleeson et al., IP Based Virtual Private Networks, RFC 2764, February

AUTHOR

DR. P. RAJAMOHAN received his Bachelor of Science Degree in Physics; later he obtained his Post Graduate Diploma in Computer Applications (PGDCA), Master Degree in Computer Applications (MCA) and PhD in Computer Science. His primary research interests are in Virtual Private Network Implementation for Efficient Data Communication, Wireless Networks and Sensor Communications. He is a member of the Institution of Engineers (India), Member of Associate in Cisco Certified Networks and Member of the International Association of Engineers (IAENG). Dr. P. Rajamohan has 20 years of overall experience in both academia and the IT industry. He is currently working as a Senior Lecturer in the School of Information Technology, SEGi University, Malaysia.


More information

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

Licenses are not interchangeable between the ISRs and NGX Series ISRs. Q&A Cisco IOS SSL VPN Q. What is Cisco IOS SSL VPN or SSL VPN? A. Secure Sockets Layer (SSL)-based VPN is an emerging technology that provides remote-access connectivity from almost any Internet-enabled

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information