Virtual Private Network

A Virtual Private Network is a logical connection between two or more locations over private and/or public networks, used to secure private data or traffic.

A VPN enables you to send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link. To emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information allowing it to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. The portion of the connection in which the private data is encapsulated is known as the tunnel. The portion of the connection in which the private data is encrypted is known as the virtual private network (VPN) connection.

Fig. Virtual Private Network Scheme

1. Types of VPN

1.1 Site-to-Site VPN

1.1.1 Intranet

1.1.2 Extranet

1.2 Remote-Access VPN

1.1 Site-to-Site VPN

1.1.1 Intranet - If a company has one or more remote locations that it wishes to join into a single private network, it can create an intranet VPN to connect LAN to LAN.

1.1.2 Extranet - When a company wants to share its network with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows the various companies to work in a shared environment.

1.2 Remote-Access VPN (Internet)

A remote-access VPN is for home or travelling users who need to reach their corporate network from a remote location. They dial their ISP and connect over the Internet to the company's internal WAN. This is made possible by installing a client software program on the remote user's laptop or PC that handles the encryption and decryption of the VPN traffic between itself and the VPN gateway on the central LAN.

A Remote-Access VPN uses a public network (Internet) as the backbone to transport VPN traffic between devices.

2. Requirement and features

2.1 Basic VPN Requirements

A well designed VPN should provide at least all of the following:

·  User Authentication: The solution must verify the VPN clients' identities and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when.

·  Address Management: The solution must assign each VPN client an address on the intranet and ensure that private addresses are kept private.

·  Data Encryption: Data carried on the public network must be rendered unreadable to unauthorized clients on the network.

·  Key Management: The solution must generate and refresh encryption keys for the client and the server.

2.2 Features of VPN

·  Security

·  Reliability

·  Confidentiality: protects privacy.

·  Integrity: ensures that the information being transmitted over the Internet (or any other public network) is not altered in transit.

·  Authentication: ensures the identity of all communicating parties.

·  Scalability: extra users and bandwidth can be added easily to adapt to new requirements.

3. VPN Security Issues

3.1 Firewalls

An Internet firewall decides what traffic is allowed into a network using techniques such as examining the Internet addresses on packets or the ports requested on incoming connections. Firewalls are an integral part of a VPN. The most common firewall is a packet-filtering firewall, which blocks specified IP services running on specific port numbers from crossing the gateway (router). Many routers that support VPN technologies (such as PIX) also support packet filtering.

Proxies are also a common method of protecting a network while still allowing VPN services to enter. Proxy servers are typically a software solution that runs on top of a network operating system (UNIX, Windows NT).

3.2 Authentication

Authentication techniques assure the communicating parties that they are exchanging data with the correct user or host. Most VPN authentication systems are based on a shared key. The key is run through a hashing algorithm, which generates a hash value. The other party, holding the same key, generates its own hash value and compares it with the one it received from the far end.

The Challenge Handshake Authentication Protocol (CHAP) is a good example of this method.
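The shared-key hash exchange described above, as an added example that is not part of the original text: Python following the RFC 1994 CHAP computation, where the response is MD5(Identifier || Secret || Challenge) and only the challenge and the hash cross the link. The secret value and the ChapAuthenticator class are constructed for illustration.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"example-vpn-secret"   # constructed; installed on both ends out of band


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash(Identifier || Secret || Challenge); the secret never leaves the host."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issues a fresh one-time challenge and checks the peer's response."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = {}   # identifier -> challenge still waiting for a response

    def new_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)          # unpredictable per attempt, so old responses are useless
        self._outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False                    # nothing outstanding: stale or duplicate response
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    server = ChapAuthenticator(SHARED_SECRET)
    # A peer holding the right secret answers a fresh challenge correctly.
    ch = server.new_challenge(1)
    good = server.verify(1, chap_response(1, SHARED_SECRET, ch))
    # A peer with the wrong secret produces a different hash and is refused.
    ch = server.new_challenge(2)
    wrong_key = server.verify(2, chap_response(2, b"other-secret", ch))
    # A captured valid response replayed against a later challenge is also refused.
    ch = server.new_challenge(3)
    captured = chap_response(3, SHARED_SECRET, ch)
    first = server.verify(3, captured)
    server.new_challenge(3)                 # next session gets a new challenge
    replayed = server.verify(3, captured)
    return {"good": good, "wrong_key": wrong_key, "first_use": first, "replayed": replayed}
```

The fresh random challenge per attempt is what makes a captured response useless later; the shared secret itself is never transmitted.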

3.3 Encryption

Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong to one of two categories:

(1) Symmetric-key encryption

(2) Public-key encryption

(1) Symmetric-key encryption

In this scheme, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key encryption requires that you know which computers will be talking to each other so that you can install the key on each one. It is essentially the same as a secret code that each of the two computers must know in order to decode the information; the code provides the key to decoding the message.

(2) Public-key encryption

It uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key provided by the originating computer together with its own private key. A very popular public-key encryption utility is Pretty Good Privacy (PGP).

4. VPN Components

4.1 Customer Edge:

The customer network consists of the routers at the various customer sites, called customer edge (CE) routers.

4.2 Provider network:

The service provider devices to which the CE routers are directly attached are called provider edge (PE) routers.

The service provider network may also contain devices used only for forwarding data in the provider backbone, called provider (P) routers.

5. VPN Implementations

5.1 IPsec

5.2 MPLS

5.3 GRE

5.4 PPTP

5.5 L2TP

5.1 Internet Protocol Security VPN (IPsec VPN)

IPsec is a protocol suite for securing Internet Protocol communication by authenticating and encrypting each IP packet of a data stream.

IPsec consists of two sub-protocols:

Encapsulating Security Payload (ESP) - Protects the IP packet data from third-party interference by encrypting the contents using symmetric cryptography algorithms (like Blowfish, 3DES).

Authentication Header (AH) - Protects the IP packet header from third-party interference and spoofing by computing a cryptographic checksum over the IP packet header fields with a secure hashing function. An additional header carrying the hash is then inserted, so that the information in the packet can be authenticated.

ESP and AH can be used either together or separately, depending on the environment.

IPsec can either be used to directly encrypt the traffic between two hosts (known as Transport Mode), or to build "virtual tunnels" between two subnets, which can be used for secure communication between two corporate networks (known as Tunnel Mode). The latter is more commonly known as a Virtual Private Network (VPN).

5.2 Multiprotocol Label Switching VPN (MPLS VPN)

An MPLS VPN carries traffic for multiple protocols across the provider network while keeping each customer's traffic separate. MPLS belongs to the family of packet-switched networks. In an MPLS network, data packets are assigned labels, and packet-forwarding decisions are made on the contents of the label without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular Data Link Layer technology, such as Frame Relay, and to eliminate the need for multiple Layer 2 networks to satisfy different types of traffic. MPLS operates at an OSI model layer that is generally considered to lie between the traditional definitions of Layer 2 (Data Link Layer) and Layer 3 (Network Layer), and is thus often referred to as a "Layer 2.5" protocol.

5.3 Generic Routing Encapsulation (GRE)

GRE is a tunneling protocol. A GRE tunnel end-point does not keep any information about the state or availability of the remote tunnel end-point. A consequence of this is that the local tunnel end-point router cannot bring the line protocol of the GRE tunnel interface down when the remote end-point is unreachable. The GRE tunnel interface comes up as soon as it is configured and stays up as long as there is a tunnel source address or interface that is up and the tunnel destination IP address is routable. This is true even if the other side of the tunnel has not been configured, which means that a static route or PBR forwarding of packets via the GRE tunnel interface remains in effect even though the GRE tunnel packets never reach the other end of the tunnel.

6. Tunneling

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network. The data to be transferred (or payload) can be the frames (or packets) of another protocol. Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate internetwork.

The transit internetwork can be any internetwork. The Internet is a public internetwork and is the most widely known real-world example, but there are many examples of tunnels carried over corporate internetworks. While the Internet provides one of the most cost-effective internetworks, references to the Internet in this paper can be replaced by any other public or private internetwork that acts as a transit internetwork.

The encapsulated packets are then routed between tunnel endpoints over the internetwork. The logical path through which the encapsulated packets travel through the internetwork is called a tunnel. Once the encapsulated frames reach their destination on the internetwork, the frame is decapsulated and forwarded to its final destination. Tunneling includes this entire process (encapsulation, transmission, and decapsulation of packets).

Tunneling requires three different protocols:

·  Carrier protocol - The protocol used by the network that the information is traveling over.

·  Encapsulating protocol - The protocol (GRE, IPsec, L2F, PPTP, and L2TP) that is wrapped around the original data.

·  Passenger protocol - The original data (IPX, NetBEUI, IP) being carried.
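The carrier/encapsulating/passenger layering above, using the GRE header from section 5.3 as the encapsulating protocol, as an added example in Python that is not code from the original text: a plain GRE-over-IPv4 encapsulation and the matching decapsulation check. The addresses, packets and helper names are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47            # carrier IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 passenger

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (evaluates to 0 on a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header (RFC 2784, no options) + passenger packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)    # C/K/S bits clear, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the carrier and GRE headers, then return the passenger packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ip_checksum(packet[:ihl]) != 0 or packet[9] != GRE_PROTO:
        raise ValueError("not a valid GRE-over-IPv4 carrier packet")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0xB000 or flags_ver & 0x0007:        # C, K or S set, or version != 0
        raise ValueError("optional GRE fields or unsupported GRE version")
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported passenger protocol 0x%04x" % proto)
    return packet[ihl + 4:]

def demo() -> dict:
    # Constructed passenger packet: private LAN-to-LAN IPv4/UDP packet with an 8-byte payload.
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 17, 8) + b"\x00\x35\x00\x35\x00\x08\x00\x00"
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "198.51.100.9")   # public tunnel endpoints
    return {"overhead_bytes": len(tunnelled) - len(inner),
            "roundtrip_ok": gre_decapsulate(tunnelled) == inner}
```

gre_decapsulate checks the carrier before trusting the passenger packet; GRE itself adds no authentication or encryption, which is why it is normally run inside IPsec when the transit network is public.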

7. VPN Overview

7.1 Basic steps

The general process of sending data through a VPN:

(1) A protected host sends clear traffic to a VPN kit located at the point of connection to the public network.

(2) The source device examines the data according to rules specified by the network manager, securing the information or allowing it to pass unaffected.

(3) When data protection is required, the source device encrypts (encodes) and authenticates (attaches a digital signature to) the whole packet, including the transmitted data as well as the source and destination host IP addresses.

(4) The source device then attaches a new header to the data, including the information that the destination device requires for security functions and process initialization.

(5) The source VPN kit then encapsulates the encrypted and authenticated packet with the source and destination IP addresses of the destination device or devices. This results in a virtual tunnel through the public network.

(6) When the data reaches the destination device, it is decapsulated, its digital signature is checked and the packet is decrypted.
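Steps (3), (4) and (6) above, which are also the encrypt-and-authenticate wrapping that ESP (section 5.1) performs, as an added example in Python that is not code from the original text. It uses only the standard library, so a SHA-256 counter-mode keystream stands in for the block cipher a real ESP implementation would use, the outer IP header of step (5) is omitted, and the keys, SPI and packet contents are constructed.

```python
import hashlib
import hmac
import os
import struct

ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed; real VPNs negotiate keys (IKE)
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SPI = 0x1000   # identifies the security association, like the ESP SPI field

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a stand-in for AES-CTR, not a production cipher.
    blocks = (hashlib.sha256(key + nonce + struct.pack("!I", i)).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def protect(inner_packet: bytes, seq: int) -> bytes:
    """Steps 3-4: encrypt the whole inner packet, then MAC the new header plus ciphertext."""
    nonce = os.urandom(8)
    header = struct.pack("!II", SPI, seq) + nonce          # new header: SPI, sequence, nonce
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream(ENC_KEY, nonce, len(inner_packet))))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + tag

class Receiver:
    """Step 6: check the signature before decrypting; refuse replayed sequence numbers."""
    def __init__(self):
        self.seen_seq = set()   # simplified anti-replay record (IPsec uses a sliding window)

    def unprotect(self, packet: bytes) -> bytes:
        header, ciphertext, tag = packet[:16], packet[16:-16], packet[-16:]
        expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed: packet altered or wrong key")
        spi, seq = struct.unpack("!II", header[:8])
        if spi != SPI or seq in self.seen_seq:
            raise ValueError("unknown SPI or replayed sequence number")
        self.seen_seq.add(seq)
        return bytes(a ^ b for a, b in zip(ciphertext, keystream(ENC_KEY, header[8:], len(ciphertext))))

def demo() -> dict:
    inner = b"\x45\x00\x00\x20" + bytes(16) + b"PRIVATE-DATA"   # constructed inner IP packet
    rx, pkt = Receiver(), protect(inner, 1)
    results = {"roundtrip_ok": rx.unprotect(pkt) == inner, "plaintext_hidden": inner not in pkt}
    tampered = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]     # flip one ciphertext bit
    for name, candidate in (("tampered", tampered), ("replayed", pkt)):
        try:
            rx.unprotect(candidate)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

The receiver verifies the tag before it decrypts anything, so an altered packet is dropped without being processed, and the sequence number in the new header is what lets it reject a replay of a genuine packet.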

7.2 Advantages of VPN

·  All packets of data received are authenticated, ensuring that they come from a trusted source, and encryption ensures the data remains confidential.

·  Most VPNs connect over the Internet so call costs are minimal, even if the remote user is a great distance from the central LAN.

·  A reduction in the overall telecommunication infrastructure, as the ISP provides the bulk of the network.

·  Reduced cost of management, maintenance of equipment and technical support. Simplifies network topology by eliminating modem pools and a private network infrastructure.

·  VPNs are easily extended by increasing the available bandwidth and by licensing extra client software.

7.3 Disadvantages of VPN

·  If the ISP or Internet connection is down, VPN is also down.

·  The central site must have a permanent Internet connection so that the remote clients and other sites can connect at anytime.

·  May provide less bandwidth than a dedicated line solution.

·  Different VPN manufacturers may comply with different standards.

·  All traffic over the VPN is encrypted, regardless of need. This can potentially cause a bottleneck, since encrypting and decrypting add network overhead.

·  Provides no internal protection on the corporate network, since the VPN endpoint is typically at the edge of the network.

·  Once employees are on the internal corporate network, data is no longer encrypted.

·  Most VPN technologies today do not address performance and availability issues, important as they are, because the majority of VPN solutions exist on client machines and gateway servers at the extreme ends of the communication path. They simply cannot consistently affect the performance of the network components in the middle, the Internet.

8. VPN solutions

There are four main components of an Internet-based VPN: the Internet, security gateways, security policy servers and certificate authorities. The Internet provides the fundamental plumbing for a VPN. Security gateways sit between public and private networks, preventing unauthorized intrusions into the private network. They may also provide tunneling capabilities and encrypt private data before it is transmitted on the public network. In general, a security gateway for a VPN fits into one of the following categories: routers, firewalls, integrated VPN hardware and VPN software.

Another important component of a VPN is the security-policy server. This server maintains the access-control lists and other user-related information that the security gateway uses to determine which traffic is authorized. For example, in some systems, access can be controlled via a RADIUS server.