VPN. Date: 4/15/2004. By: Heena Patel. Email: hpatel4@stevens-tech.edu

What is VPN?
A VPN (virtual private network) is a private data network that uses public telecommunications infrastructure (the Internet), maintaining privacy through encryption, tunneling protocols and security procedures to connect users securely.
- Virtual implies that there is no physical connection between the two networks; instead, connections are routed through the Internet.
- Private implies that the transmitted data is kept confidential (encryption and secured tunneling).
- Network implies the communication medium: private, public, wired, wireless, Internet or any resource available.

Why VPN?
- Low cost
- Secured and reliable communication
- Dynamic access to private networks
Such access would otherwise only be possible by using expensive leased dedicated lines provided by telephone companies (a point-to-point dedicated digital circuit) or by dialing into the local area network (LAN).

Types of VPN
Remote Access Network: remote access to a corporate intranet or extranet over a shared infrastructure, with the same policies as a private network, from any location.
Site-to-Site Connection Network:
- Intranet based: an alternative WAN infrastructure used to connect branch offices, home offices or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility.
- Extranet based: links communities of interest to a corporate intranet over a shared infrastructure. Businesses enjoy the same policies as a private network, including security, QoS, manageability and reliability.

Remote Access Network (Secured Tunnel)
A remote access VPN is for home or traveling users who need to access their corporate network from a remote location. They dial their ISP and connect over the Internet to the company's internal WAN. This is made possible by installing a client software program on the remote user's laptop or PC that handles the encryption and decryption of the VPN traffic between itself and the VPN gateway on the central LAN.

Site-to-Site Connection Network (Secured Tunnel)
A fixed VPN is normally used between two or more sites, allowing a central LAN to be accessed by remote LANs over the Internet or private communication lines using VPN gateways. VPN gateways (normally a VPN-enabled router) are placed at each remote site and at the central site so that all encryption, decryption and tunneling is carried out transparently.

Design Goals and Features of VPN
- Security: tunneling support between sites with at least 128-bit encryption of the data.
- Confidentiality: protects privacy.
  - Private key cryptography
  - Public key cryptography
- Integrity: ensures that the information being transmitted over the Internet is not altered.
  - One-way hash functions
  - Message Authentication Codes (encryption of a hash)
  - Digital signatures (hash function + private key)
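The integrity mechanisms listed above differ in what an on-path party can do. The following added example (not part of the original presentation) contrasts a plain one-way hash with a Message Authentication Code (HMAC-SHA256) on a constructed sample message: the hash alone is recomputed by whoever rewrites the message, while the keyed MAC fails for anyone without the shared key. The message and key are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample message, standing in for application data carried by the VPN.
MESSAGE = b"transfer 100 to account 42"


def digest_only(message):
    """One-way hash (SHA-256). Detects accidental corruption, but needs no secret,
    so anyone who can rewrite the message can also rewrite the hash."""
    return hashlib.sha256(message).digest()


def mac_tag(key, message):
    """Message Authentication Code: a keyed hash (HMAC-SHA256). Only holders of
    the shared key can produce a valid tag for a given message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message, tag):
    return hmac.compare_digest(digest_only(message), tag)


def verify_mac(key, message, tag):
    # compare_digest runs in constant time, so the receiver does not leak how
    # many leading tag bytes matched.
    return hmac.compare_digest(mac_tag(key, message), tag)


def on_path_rewrite(message, recompute):
    """Model of an on-path party who alters the message and then computes
    whatever unkeyed check value it can (it does not know any shared key)."""
    altered = message.replace(b"account 42", b"account 99")
    return altered, recompute(altered)


def forged_message_accepted_with_hash_only():
    """True if the receiver is fooled when only a plain hash protects the data."""
    altered, forged_tag = on_path_rewrite(MESSAGE, digest_only)
    return verify_digest(altered, forged_tag)


def forged_message_accepted_with_mac(key):
    """True if the receiver is fooled when an HMAC under `key` protects the data."""
    altered, forged_tag = on_path_rewrite(MESSAGE, digest_only)
    return verify_mac(key, altered, forged_tag)


def genuine_message_accepted_with_mac(key):
    return verify_mac(key, MESSAGE, mac_tag(key, MESSAGE))


if __name__ == "__main__":
    key = os.urandom(32)  # shared secret; in a VPN it comes from key management
    print("hash only, forged message accepted:", forged_message_accepted_with_hash_only())  # True
    print("HMAC, forged message accepted:", forged_message_accepted_with_mac(key))          # False
    print("HMAC, genuine message accepted:", genuine_message_accepted_with_mac(key))        # True
```

A digital signature follows the same pattern as the MAC but uses the sender's private key instead of a shared secret, which is why the slide lists it as "hash function + private key".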

Design Goals and Features of VPN (continued)
- Authentication: ensures the identity of all communicating parties.
  - Password authentication
  - Digital certificates: a certificate is a file that binds an identity to the associated public key. This binding is validated by a trusted third party, the certification authority (CA).
- Scalability: extra users and bandwidth can be added easily to adapt to new requirements.
- Services: QoS (Quality of Service), reports on user activity, management of user policies and monitoring of the VPN.

VPN Tunneling
Voluntary tunneling: the VPN client manages connection setup. The client first makes a connection to the carrier network provider (ISP); then the VPN client application creates the tunnel to a VPN server over this live connection.
Compulsory tunneling: the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier immediately brokers a VPN connection between the client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure for voluntary tunnels. Compulsory VPN tunneling authenticates clients and associates them with a specific VPN server using logic built into the broker device. It also hides the details of VPN server connectivity from the VPN client.

VPN Protocols
Layer 2 - Data Link Layer:
- PPTP: Point-to-Point Tunneling Protocol
- L2F: Layer 2 Forwarding Protocol
- L2TP: Layer 2 Tunneling Protocol
- CHAP: Challenge Handshake Authentication Protocol
- PAP: Password Authentication Protocol
- MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
Layer 3 - Network Layer (IP):
- IPSec: Internet Protocol Security
Transport Layer (TCP/UDP):
- SOCKS V5: Sock-et-S version 5
- SSL: Secure Socket Layer

IPSec: Internet Protocol Security
- RFCs 2401, 2402 and 2406
- Network layer protocol (a layer 3 solution)
- A set of authentication and encryption standards; the only VPN protocol with an IETF (Internet Engineering Task Force) standard
- Provides data confidentiality, integrity, authentication and key management, in addition to tunneling
- Typically works at the edges of a security domain
- Supports IPv4 and IPv6
- Encapsulates each packet by wrapping another packet around it and then encrypts the entire packet. This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured network.
- The majority of VPN vendors are implementing IPSec in their solutions
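To make the "wrap another packet around it, then encrypt the whole thing" description concrete, here is an added example (not from the presentation and not an IPSec implementation) of tunnel-mode encapsulation in the ESP layout of RFC 2406: the complete inner IPv4 packet becomes the payload behind an SPI and sequence number, is encrypted and integrity-protected, and is carried by a new outer IPv4 header (protocol 50) that names only the two gateways. The cipher is a stand-in (HMAC-SHA256 in counter mode) because the standard library has no block cipher; the keys, host addresses and gateway addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50          # IP protocol number carried in the outer header for ESP
ICV_LEN = 12            # truncated 96-bit integrity check value, as ESP uses with HMAC

# Constructed keys; a real security association gets them from key management (IKE).
ENC_KEY = bytes.fromhex("00" * 31 + "01")
AUTH_KEY = bytes.fromhex("00" * 31 + "02")


def ip_checksum(data):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet):
    """Parse the header that an observer (or a gateway) sees; rejects a bad checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode, nonce = SPI || sequence.
    Real ESP negotiates a cipher such as 3DES or AES; the packet structure is the same."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tunnel_encapsulate(inner_packet, spi, seq, gw_src, gw_dst):
    """Tunnel mode: the whole inner IP packet (headers included) becomes the ESP payload,
    and a new outer IP header carries only the two gateways' addresses."""
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = xor_bytes(inner_packet, keystream(ENC_KEY, esp_hdr, len(inner_packet)))
    icv = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def tunnel_decapsulate(packet):
    """Receiving gateway: check the outer header, verify integrity first, then decrypt."""
    outer = parse_ipv4(packet)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not ESP")
    esp = outer["payload"]
    esp_hdr, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("integrity check failed")
    return xor_bytes(ciphertext, keystream(ENC_KEY, esp_hdr, len(ciphertext)))


def accepted(packet):
    """True if the receiving gateway would accept and decapsulate this packet."""
    try:
        tunnel_decapsulate(packet)
        return True
    except ValueError:
        return False


def sample_tunnel_packet():
    """Constructed inner packet from host 10.1.1.5 to 10.2.2.9, sent between gateways
    203.0.113.1 and 198.51.100.2 (documentation addresses). Returns (inner, on-the-wire)."""
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 17, 8) + b"hello!!!"
    return inner, tunnel_encapsulate(inner, spi=0x1000, seq=1,
                                     gw_src="203.0.113.1", gw_dst="198.51.100.2")


if __name__ == "__main__":
    inner, wire = sample_tunnel_packet()
    seen = parse_ipv4(wire)
    print("observer sees:", seen["src"], "->", seen["dst"], "proto", seen["proto"])
    print("gateway recovers inner destination:", parse_ipv4(tunnel_decapsulate(wire))["dst"])
    tampered = wire[:-1] + bytes([wire[-1] ^ 1])
    print("tampered packet accepted:", accepted(tampered))
```

Two points worth noticing on the wire: an observer between the gateways learns only the gateway addresses and that the protocol is ESP, never the internal hosts; and the receiver checks the integrity value before decrypting, so a modified packet is dropped without its contents ever being processed.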

PPP: Point-to-Point Protocol
Designed to send data across dial-up or dedicated point-to-point connections. PPP encapsulates IP, IPX and NetBEUI packets in PPP frames. Four distinct phases must complete successfully before the PPP connection is ready to transfer user data:
- PPP link establishment
- User authentication: Password Authentication Protocol (PAP); Challenge Handshake Authentication Protocol (CHAP), an encrypted authentication mechanism
- PPP callback control
- Invoking network layer protocol(s)
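The difference between the two PPP authentication methods is easiest to see with both sides of the exchange written out. This added example (not from the presentation) implements the CHAP handshake of RFC 1994 with the MD5 algorithm, Response = MD5(Identifier || Secret || Challenge), on the authenticator and peer sides, and shows why a captured response cannot be replayed; for contrast it also encodes a PAP Authenticate-Request, which carries the password itself. The user database and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed user database: name -> shared secret. In a real access server this
# would be the local user file or a RADIUS/TACACS back end.
USERS = {"heena": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side of the handshake (the access server / VPN gateway)."""

    def __init__(self, users):
        self.users = users
        self.next_id = 0
        self.outstanding = {}   # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh, unpredictable challenge; each identifier is used once."""
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.next_id] = chal
        return self.next_id, chal

    def verify(self, identifier, name, response):
        """Check the peer's response. The challenge is consumed whether or not it matches,
        so the same response can never be accepted twice."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def peer_respond(identifier, challenge, name, secret):
    """Client side: proves knowledge of the secret without ever sending it."""
    return name, chap_response(identifier, secret, challenge)


def run_handshake(auth, name, secret):
    """One complete Challenge / Response / Success-or-Failure exchange."""
    ident, chal = auth.challenge()
    name_on_wire, resp = peer_respond(ident, chal, name, secret)
    return auth.verify(ident, name_on_wire, resp)


def replayed_response(auth, name, secret):
    """A valid response recorded off the wire is presented a second time.
    Returns (first_attempt, replay_attempt)."""
    ident, chal = auth.challenge()
    name_on_wire, resp = peer_respond(ident, chal, name, secret)
    return auth.verify(ident, name_on_wire, resp), auth.verify(ident, name_on_wire, resp)


def pap_on_the_wire(name, password):
    """For contrast: the PAP Authenticate-Request (RFC 1334) carries the password itself."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password.encode()


if __name__ == "__main__":
    auth = Authenticator(USERS)
    print("correct secret:", run_handshake(auth, "heena", USERS["heena"]))   # True
    print("wrong secret:", run_handshake(auth, "heena", b"guess"))            # False
    print("replay:", replayed_response(auth, "heena", USERS["heena"]))        # (True, False)
    print("PAP exposes password:", b"secret" in pap_on_the_wire("heena", "secret"))  # True
```

The secret never crosses the link in CHAP, and a fresh random challenge per attempt is what defeats replay; PAP has neither property, which is why the slides single out CHAP as the encrypted mechanism.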

PPTP: Point-to-Point Tunneling Protocol
- RFC 2637
- PPTP is a tunneling protocol provided by Microsoft which gives remote users encrypted, multi-protocol access to a corporate network over the Internet.
- It encapsulates PPP frames in IP datagrams (IP, IPX and NetBEUI are encapsulated).
- PPTP is built into NT 4.0, and the client is free for older versions such as Windows 95.
- Microsoft's implementation of PPTP has been found to have several problems that make it vulnerable to attacks, and it also lacks scalability in that it only supports 255 concurrent connections per server.
- Requires an IP network between the PPTP client and the PPTP server (either LAN or dial-up).
- PPTP can support only one tunnel at a time for each user.
- Uses TCP port 1723.

L2F: Layer 2 Forwarding
- RFC 2637
- Developed by Cisco Systems Inc. L2F was designed as a protocol for tunneling traffic from users to their corporate sites.
- One major difference between PPTP and L2F: L2F tunneling is not dependent on IP, because it works directly with other media, such as frame relay and ATM.
- Like PPTP, L2F uses PPP for authentication of the remote user, but it also includes support for TACACS (Terminal Access Controller Access Control System) and RADIUS (Remote Authentication Dial-In User Service, a lightweight UDP-based protocol) for authentication.
- It allows tunnels to support more than one connection.
- Cisco offers L2F and L2TP capabilities in its router product line along with IPSec.

L2TP: Layer 2 Tunneling Protocol
- RFC 2661
- PPTP's successor. L2TP (a hybrid of Microsoft's PPTP and Cisco Systems' Layer 2 Forwarding, L2F, protocol) can support multiple simultaneous tunnels for each user.
- It encapsulates PPP frames in IP datagrams.
- Extends from the remote host all the way back to the corporate gateway; in effect, the remote host appears to be on the same subnet as the corporate gateway.
- It uses UDP and supports any routed protocol, including IP, IPX and AppleTalk, over media including frame relay, ATM and X.25.
- Because of L2TP's use of PPTP, it is included as part of the remote access features of most Windows products.
- It does not itself provide cryptographic security features; it can use IPSec for data encryption and integrity.
- Compulsory tunneling model.
- UDP port 1701.

SOCKS5 (Sock-et-s version 5)
- A circuit-level proxy protocol that was originally designed to facilitate authenticated firewall traversal. Works at the TCP socket level.
- It requires a SOCKS5 server and appropriate client software in order to work.
- It checks each request from the client for service against the security database and, if the request is granted, the server establishes an authenticated session with the client, acting as a proxy.
- Provides a secure proxy architecture with extremely granular access control, making it an excellent choice for extranet configurations.
- Allows developers to build system plug-ins such as content filtering (denying access to Java applets or ActiveX controls) and extensive logging and auditing of users.
- When SOCKS is used in conjunction with other VPN technologies, it is possible to have a more complete solution than any individual technology could provide. For example, SOCKS could be used to enforce user-level and application-level access control, and IPSec could be used to secure the underlying network transport.
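The "check each request against the security database" step is where the granular access control lives. This added example (not from the presentation and not a complete proxy) parses the RFC 1928 method-selection greeting and CONNECT request exactly as a SOCKS5 server receives them, requires username/password authentication (RFC 1929), decides each destination and port against a deny-by-default per-user policy, and produces both the reply byte string and an audit record for logging. The policy entries, user names and destination addresses are constructed; a real server would only open the outbound connection and fill in BND.ADDR after the policy check succeeds.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0, 1, 2, 7

# Constructed security database: which authenticated user may reach which
# destination and port. Anything not listed is denied.
POLICY = {
    "partner-acme": [("203.0.113.0/24", {443}), ("erp.example.internal", {8443})],
}


def select_method(greeting):
    """Method selection (RFC 1928 section 3): insist on username/password (RFC 1929)."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) < 2 + greeting[1]:
        return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])
    offered = greeting[2:2 + greeting[1]]
    chosen = METHOD_USERPASS if METHOD_USERPASS in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(data):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; raises ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
        addr = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        addr = data[5:end].decode("ascii")
    elif atyp == ATYP_IPV6:
        end = 20
        addr = str(ipaddress.IPv6Address(data[4:end]))
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    return cmd, addr, struct.unpack("!H", data[end:end + 2])[0]


def allowed(user, addr, port):
    """Deny by default; a rule matches on exact domain name or IP-in-network, plus port."""
    for target, ports in POLICY.get(user, []):
        if port not in ports:
            continue
        if "/" in target:
            try:
                if ipaddress.ip_address(addr) in ipaddress.ip_network(target):
                    return True
            except ValueError:      # a domain name can never match a network rule
                continue
        elif addr.lower() == target:
            return True
    return False


def build_reply(rep):
    """VER REP RSV ATYP BND.ADDR BND.PORT; the bind address is left zero for refusals."""
    return bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + bytes(6)


def handle_request(user, data):
    """Returns (reply bytes, audit record). The audit record is what gets logged."""
    try:
        cmd, addr, port = parse_request(data)
    except ValueError as exc:
        return build_reply(REP_GENERAL_FAILURE), {"user": user, "decision": "malformed", "reason": str(exc)}
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_NOT_SUPPORTED), {"user": user, "decision": "unsupported-cmd", "cmd": cmd}
    decision = "allow" if allowed(user, addr, port) else "deny"
    rep = REP_SUCCEEDED if decision == "allow" else REP_NOT_ALLOWED
    return build_reply(rep), {"user": user, "decision": decision, "dst": addr, "port": port}


def build_request(cmd, host, port):
    """Client-side encoder, used here to construct sample requests."""
    try:
        ip = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("ascii")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0]) + body + struct.pack("!H", port)


if __name__ == "__main__":
    print(select_method(bytes([5, 2, METHOD_NO_AUTH, METHOD_USERPASS])))   # b'\x05\x02'
    for user, host, port in [("partner-acme", "203.0.113.7", 443),
                             ("partner-acme", "203.0.113.7", 22),
                             ("partner-acme", "erp.example.internal", 8443),
                             ("unknown-user", "erp.example.internal", 8443)]:
        reply, audit = handle_request(user, build_request(CMD_CONNECT, host, port))
        print(reply[1], audit)
```

Because the decision is made on the authenticated user name and the exact destination, the same proxy can give a business partner reach to one application on one port and nothing else, which is the extranet use the slide has in mind; the audit record is the raw material for the user logging it mentions.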

SSH (Secured Socket)
- Secure Socket Layer (SSL) is an upper-layer mechanism commonly used by web browser clients and servers to provide peer authentication and encryption of application data.
- IPSec provides only network-level security; in addition to that, SSH can provide application-level security.
- Uses existing web browser technology to create a secure VPN tunnel between a client and a server.
- SSL VPNs are limited to applications that can run in a browser and are therefore not as popular as IPSec.

VPN Advantages
- Authenticates all packets of data received, ensuring that they are from a trusted source, and encryption ensures the data remains confidential.
- Most VPNs connect over the Internet, so call costs are minimal even if the remote user is a great distance from the central LAN.
- A reduction in the overall telecommunication infrastructure, as the ISP provides the bulk of the network.
- Reduced cost of management, maintenance of equipment and technical support; simplifies network topology by eliminating modem pools and a private network infrastructure.
- VPN functionality is already present in some IT equipment.
- VPNs are easily extended by increasing the available bandwidth and by licensing extra client software.

VPN Disadvantages
- If the ISP or Internet connection is down, so is the VPN.
- The central site must have a permanent Internet connection so that the remote clients and other sites can connect at any time.
- May provide less bandwidth than a dedicated line solution.
- Different VPN manufacturers may comply with different standards.
- All traffic over the VPN is encrypted, regardless of need. This can potentially cause a bottleneck, since encrypting and decrypting adds network overhead.
- Provides no internal protection on the corporate network. The VPN endpoint is typically at the edge of the network; once employees are on the internal corporate network, data is no longer encrypted. (SSH provides point-to-point secure communication.)
- Most VPN technologies today do not address performance and availability issues, important as they are. Why? Because the majority of VPN solutions exist on client machines and gateway servers at the extreme ends of the communication path. They simply cannot consistently affect the performance of the network components in the middle, and that middle is exactly the Internet.

Need a VPN Solution?
There is no one-size-fits-all solution when choosing a VPN. Several basic questions should be asked before deciding on a solution:
- Do you need to connect sites together, or individual remote users to a central LAN? Individual users are best connected with software installed on the PC/laptop. Sites should be connected using hardware devices, one located at each site, because of their faster throughput.
- What type of network equipment and operating systems do you have? Existing equipment may have VPN functionality built in, and it may be worth attempting to configure this rather than buying a new solution.
- What are the main features of a software/hardware solution? A software solution is cheaper, may be included in the equipment in use, and the network doesn't change. Hardware solutions are more expensive but remain more reliable and secure.
- How many users require VPN access, and which applications do they need to access?
- How secure does your data need to be during transmission?
- What about a managed VPN solution? Built and operated by a trusted third party such as an ISP or a Secure Application Service Provider (SASP); expensive, but it takes the burden away from IT staff.