Page 1: Virtual Private Network

Virtual Private Networks (VPN)

Introduction

The Internet has grown in the last few years larger than anyone ever imagined it could be. As it is now widely recognized that the Internet is the simplest way of communication and data sharing, more and more companies rely on it for connecting their offices worldwide.

The first implementation for sharing information between global offices was the use of leased lines for maintaining a Wide Area Network (WAN). Leased lines (ranging from ISDN to OC12) provided a company with a way to expand its private network beyond its geographic area. The WAN answered the needs of each company: security, better performance, reliability etc., but maintaining a WAN with an OC3 connection can become quite expensive. The cost is a function of distance: as the distance increases, the cost rises, and vice versa. Another solution was the famous intranet. Basically, if a company wanted to use an intranet to share information between global or local offices, it set up a password-protected (usually basic HTTP authentication) site for use by the employees. Once again, this method answered all the needs of the company except security.

Virtual Private Networks are a technology gaining popularity among large organizations that use the global Internet as both intra- and inter-organization media, but require privacy in their intra-organization communications.

To achieve privacy, organizations generally use one of three strategies:


Private Networks

Hybrid networks

Virtual Private Networks

Private Networks:

An organization that needs privacy when routing information inside the organization can use a private network. A small organization with a single site can use an isolated LAN. A large organization with several sites can create a private internet. The LANs at different sites can be connected to each other using routers and leased lines; such a private internet is made out of private LANs and private WANs.

The organization can use the TCP/IP protocol for end-to-end communication between stations at different sites. There is no need for globally registered IP addresses: the organization can use any IP class and assign network and host addresses internally.


Hybrid Networks:

Today most organizations need privacy in intra-organization data exchange, but at the same time they need to be connected to the global Internet for data exchange. The solution is a hybrid network. A hybrid network allows an organization to have its own private internet and at the same time access to the global Internet. Intra-organization data is routed through the private internet; inter-organization data is routed through the global Internet.

An organization with two sites uses routers R1 and R2 to connect the two sites privately through a leased line. It uses R3 and R4 to connect the two sites to the rest of the world. The organization uses global IP addresses for both types of communication. Internal packets are routed through R1 and R2, while R3 and R4 route the packets destined for outsiders.


VIRTUAL PRIVATE NETWORKS:

Both private and hybrid networks have a major drawback: cost. Private networks are expensive; to connect several sites an organization needs several leased lines, which means a high monthly cost.

One solution is to use the global Internet for both private and public communication. A technology called Virtual Private Network allows organizations to use the global Internet for both purposes.

Virtual Private Networks create a network that is private but virtual. It is private because it guarantees privacy inside the organization; it is virtual because it does not use real private WANs: the network is physically public but virtually private.

Because both public and private networks have advantages, a new technology has emerged that combines the advantages of both: VPN, the technology that allows a company with multiple sites to have a private network but use a public network as a carrier. In particular, although the company uses the public network as a link between its sites, the VPN restricts traffic so that packets can travel only between the company's sites. Furthermore, even if an outsider accidentally receives a copy of a packet, VPN technology means that they cannot understand the contents.

Nowadays, more and more companies are creating their own virtual private networks to accommodate their needs. A VPN, or virtual private network, is an Internet service that establishes a private connection over shared public facilities. A VPN acts as a bridge between two or more Local Area Networks (LANs) across the Internet. VPN connections manage authentication between servers and clients and protect the traffic with data encryption. VPNs were created so that access is permitted to authorized users only. VPNs allow users to have access to the same network resources, addresses, and so forth as if they were connected locally. VPNs provide a secure service because data is sent in encrypted form between the client and the VPN server; this makes it harder to capture sensitive information, but not impossible.

As it is most commonly defined, a virtual private network (VPN) allows two or more private networks to be connected over a publicly accessed network. In a sense, VPNs are similar to wide area networks (WANs) or a securely encrypted tunnel, but the key feature of VPNs is that they are able to use public networks like the Internet rather than rely on expensive private leased lines. At the same time, VPNs have the same security and encryption features as a private network, while taking advantage of the economies of scale and remote accessibility of large public networks.

A VPN is an especially effective means of exchanging critical information for employees working remotely in branch offices, at home, or on the road. It can securely deliver information between vendors, suppliers, and business partners who may be separated by a huge physical distance. Since companies no longer have to invest in the actual infrastructure themselves, they can reduce their operational costs by outsourcing network services to service providers. VPNs can also reduce costs by eliminating the need for long-distance telephone charges to obtain remote access, as the client need only call into the service provider's nearest access point.

A VPN uses a public transport, the Internet, for private communications. It applies encryption to preserve privacy. Traditionally, companies have used private transport to do that: dedicated phone lines. The two ways of keeping an electronic conversation private are to make the line private or to make the data private. Dedicated lines are private because the line is private, i.e., inaccessible to others. VPNs are private because the data is private, i.e., rendered unintelligible by encryption. Different means, same result.

VPNs are most commonly used to connect two networks at different sites of the same company. The technique in effect plugs the remote computers into the local network, consolidating the two physical nets into a single logical one. Remote computers have access to the same local resources as local ones. At the same time, remote machines enjoy the same degree of privacy as local ones. All this is location-transparent in terms of operation (though not performance), as if they were attached to the local network. This combination of full participation plus full privacy between networks, while using a link that isn't private, is the hallmark of a VPN. The compelling appeal of the VPN is that it's cheap. Dedicated lines are expensive, so displacing them with a free transport is economical.

In other words, virtual private networks are secured private network connections built on top of publicly accessible infrastructure, such as the Internet or the public telephone network. VPNs typically employ some combination of encryption, digital certificates, strong user authentication and access control to provide security for the traffic they carry. They usually provide connectivity to many machines behind a gateway or firewall.

Virtual Private Networks

Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (e.g., the Internet). By contrast, a private network uses dedicated circuits and possibly encryption. This section describes IP-based VPN technology over the Internet, though an organization might also deploy VPNs on its internal nets (intranets) to encrypt sensitive information. We also have some performance numbers. The basic idea is to provide an encrypted IP tunnel through the Internet that permits distributed sites to communicate securely. The encrypted tunnel provides a secure path for network applications and requires no changes to the applications.

VPNs today are set up in a variety of ways, and can be built over ATM, frame relay, and X.25 technologies. However, the most popular current method is to deploy IP-based VPNs, which offer more flexibility and ease of connectivity. Since most corporate intranets use IP or Web technologies, IP-VPNs can more transparently extend these capabilities over a wide network. An IP-VPN link can be set up anywhere in the world between two endpoints, and the IP network automatically handles the traffic routing.

Privacy and protection of data are of utmost importance when deploying services over the Internet, where they can be vulnerable to attacks or illegal entry. Secure IP-VPNs are networks that are secured by encryption and authentication and layered on an existing IP network. In response to security issues, the Internet Engineering Task Force (ietf.org) has developed the IP Security (IPSec) protocol suite, a set of IP extensions that offer strong data authentication and privacy guarantees.

Although security features differ from product to product, most IP-VPN providers generally offer private network tunneling through the IP backbone, data encryption, authentication proxying, firewalling, and spam filtering.

Network VPN service lets clients open secure tunnels across the Internet by connecting through a host's data center, where the VPN equipment—and the staff to service it—actually resides. "Somebody who knows what they're doing picks the equipment, manages it, and just tells you when there's a problem," says network consultant Lisa Phifer, vice president of Core Competence in Chester Springs, Pennsylvania. Because they're easier to deploy and maintain, managed VPNs—and network VPN service in particular—are beginning to eclipse do-it-yourself solutions. In its 2000 WAN Manager Survey, IDC reported that companies are opting for VPN services more often than in-house installations.

One reason for this recent upsurge in interest is that network VPN service has changed the equation so radically. Until it debuted last year, only two managed options were available, and both were pricey. Customer premises equipment (CPE) programs, in which an outside provider installs, maintains, and troubleshoots equipment on a company's own premises, require service contracts that cover the cost of troubleshooting on-site. Internet Protocol (IP) over frame relay is a high-end service provided by carriers in which tunnels are opened through central data centers where the equipment is hosted and maintained.

To build a VPN, a company buys a special hardware and software system for each of its sites. The system is placed between the company's private (i.e. internal) network and the public network. Each of the systems must be configured with the addresses of the company's other VPN systems. The software will then exchange packets only with the VPN systems at the company's other sites. Furthermore, to guarantee privacy, the VPN encrypts each packet before transmission.

In addition to configuring the VPN system at each site, a network manager must also configure routing at the site. Whenever a computer at one site sends a packet to a computer at another, the packet is routed to the local VPN system. The VPN system examines the destination, encrypts the packet and sends the result across the public network to the VPN system at the destination site. When a packet arrives, the receiving VPN system verifies that it came from a valid peer, decrypts the contents and forwards the packet to its destination.

The point is:

“The VPN combines the advantages of private and public networks by allowing a company with multiple sites to have the illusion of a completely private network and to use a public network to carry traffic between sites.”

Real World Example:

Anchor Pharmacies' search for a manageable, low-cost way to link its stores together led it to network VPN service, one of the hottest twists on VPN connectivity. The company's expansion strategy was to acquire financially strapped independent drugstores and restore their profitability by cutting costs through the efficiencies of central management. But secure connectivity—or the lack of it—was standing in the way of Anchor's plans.


VPN products fall into three broad categories:

Hardware-based systems

Firewall-based systems

Standalone application packages.

Most hardware-based VPNs are encrypting routers, which are considered secure and simple to use, as they are the nearest thing to "plug-and-play" equipment available. However, they may not be as flexible as software-based systems, which are ideal in situations where both endpoints of a VPN are not controlled by the same organization, which is typical for business partnerships or when client support is required.

Firewall-based VPNs are considered among the most secure, as they take advantage of the firewall's existing security mechanisms. However, if the firewall is already heavily loaded, performance issues may pop up.

However, as the VPN market continues to rapidly evolve, the lines between different VPN architectures are increasingly blurred; many hardware vendors have added software clients to their product offerings and extended their server capabilities to include the security features found in software-based or firewall-based VPNs. Similarly, some standalone products have added support for hardware-based encryption to boost their performance. Companies providing managed VPN services will usually bundle other value-added services with their secure global connectivity, such as consulting, design and support for emerging applications such as voice over IP, e-commerce, and network-hosted applications.


Companies and other global services use one of the following VPN types:

Virtual Private Dial-up Network:

VPDN, or Virtual Private Dial-up Network, is used to allow a user, or users, to connect to a remote LAN from any place in the world. A connection to a LAN via VPDN uses the Network Access Server (NAS) of the regional service provider (RSP). A login name and password are sent to the NAS in the format login@domain, e.g. [email protected]. Next, if VPDN is enabled, the NAS authorizes the domain portion. If domain authorization fails, the NAS authenticates the user as a non-VPDN user; if it succeeds, a tunnel is established (using a tunnel ID and the home gateway IP address). Only then is the user authenticated.
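The NAS decision described above, as an added Python example that is not part of the original article: split login@domain, authorize the domain, fall back to non-VPDN authentication when that fails, otherwise set up the tunnel (tunnel ID plus home gateway address) and only then authenticate the user. The domain table, gateway address and user records are constructed sample data, and the local password checks stand in for the RADIUS exchange a real NAS would perform.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class TunnelSetup:
    """What the NAS needs once the domain is authorized: a tunnel ID and the home gateway."""
    tunnel_id: int
    home_gateway: str


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_record(password: str) -> dict:
    """Salted password record for the constructed sample databases below."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pw_hash(password, salt)}


# Constructed sample data (hypothetical): VPDN-enabled domains mapped to their
# home gateway address, the home gateway's user database, and the NAS's own
# local database used for non-VPDN dial-in users.
VPDN_DOMAINS = {"example.com": "198.51.100.10"}
HOME_GATEWAY_USERS = {"alice@example.com": make_record("correct horse")}
NAS_LOCAL_USERS = {"bob": make_record("local-only")}


def check_password(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"])


def nas_login(username: str, password: str, vpdn_enabled: bool = True,
              domains: dict = VPDN_DOMAINS, home_users: dict = HOME_GATEWAY_USERS,
              local_users: dict = NAS_LOCAL_USERS):
    """Model the NAS decision.

    Returns ("vpdn", TunnelSetup) when the domain is authorized and the user
    authenticates through the tunnel, ("local", None) for an authenticated
    non-VPDN user, and ("reject", None) otherwise.
    """
    _login, _, domain = username.partition("@")
    if vpdn_enabled and domain in domains:
        # Domain authorization succeeded: the tunnel to the home gateway is set
        # up first, and the user still has to authenticate afterwards.
        tunnel = TunnelSetup(tunnel_id=secrets.randbits(16),
                             home_gateway=domains[domain])
        if check_password(home_users, username, password):
            return "vpdn", tunnel
        return "reject", None
    # Domain authorization failed (or VPDN is disabled): the NAS treats the
    # caller as an ordinary non-VPDN user against its local database.
    if check_password(local_users, username, password):
        return "local", None
    return "reject", None
```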

Site-to-Site VPN

A site-to-site (STS) VPN is a private network utilizing the Internet. This type of application provides levels of security, privacy and manageability that are similar to networks based upon private leased lines (see above). A site-to-site VPN can be either:

Intranet-based Site-to-Site VPN

Extranet-based Site-to-Site VPN

Intranet-based Site-to-Site VPN: this type of application is used to connect two or more networks over the intranet using a router-to-router VPN connection. It is mainly used if there are networks that are hidden or contain sensitive information (secure networks). It is also used to enable a remote connection over the intranet to a network that is hidden or secure, and is physically disconnected from the intranet.


Extranet-based Site-to-Site VPN: this type of application is used when two LANs wish to join in a single private network and to work in a shared environment, for example partners, customers etc.

VPN Security

In the beginning of the article I have written that a VPN provides a secure environment for a company. In this section I'll discuss three major methods to secure the connection:

Authentication

Authorization

Accounting

Together these three are referred to as an AAA server.

AAA Server

An AAA server, or Authentication, Authorization and Accounting server, is a server program that handles user requests for access. Networks interface with the AAA server via RADIUS (Remote Authentication Dial-In User Service).

The first process, authentication, provides a way to identify the user, typically by having the user enter a valid login name and password. Each user has a unique set of criteria, which is stored in a database. Following authentication, a user must gain authorization for doing certain tasks (what the user is allowed to do). Each user has his/her own policies, which determine what commands can be executed, what type of resources and services the user is permitted to use, etc. The last step, accounting, acts as a logger. It logs data, sessions, usage information, etc.

Virtual private networks require two components to create a secure connection, namely:

Encryption

Tunneling

Encryption

Encryption has the major role when creating a secure connection. Tunneling creates the network; encryption makes it secure by scrambling data so that only those who have the right key can decode it. Most computer systems use either symmetric-key encryption or public-key encryption (for more details see the links below).

A word about tunneling

Tunneling involves the encapsulation of an encrypted datagram in a second, outer datagram. Tunneling lets the two ends of the VPN communicate across the Internet. Since the Internet doesn't speak the same language as your network does, a tunnel packages the data you're sending so that the Internet can carry it.

IPSec

IPSec, or Internet Protocol Security, provides IP network-layer encryption. The common technique to encrypt and authenticate VPN traffic is IP Security. IPSec provides two operation modes: transport and tunnel. In transport mode only the IP payload is encrypted, and the IP headers are left intact. This mode doesn't provide defense against spoofing attacks or traffic analysis: because the IP header travels in the clear, an attacker can read it, so transport mode leaves room for such attacks. In tunnel mode, the entire datagram is encrypted. IPSec uses a mechanism called Encapsulating Security Payload (ESP) to implement encryption, and uses the Authentication Header (AH) to implement authentication.
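The site-to-site gateway behaviour described earlier (each site's VPN system encrypts packets for its configured peers, and the receiving system verifies the peer before decrypting and forwarding) together with the transport/tunnel mode distinction above, as one added Python example that is not part of the original article. The cipher is a SHA-256 keystream stand-in for ESP's real block cipher, the header format is simplified (no ESP trailer, padding or replay window), and the addresses and key are constructed; the point is what a passive observer on the public network can still read in each mode.

```python
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
TAG_LEN = 12     # truncated HMAC, standing in for ESP's integrity check value


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) for dotted-quad src/dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of a packet built by ipv4_header."""
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[9], pkt[20:]


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 counter keystream XORed over data (NOT real AES-ESP)."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def esp_encapsulate(key, spi, seq, src, dst, plaintext):
    """ESP-like body (SPI | seq | IV | ciphertext | tag) behind a clear IPv4 header."""
    iv = os.urandom(8)
    body = struct.pack("!II", spi, seq) + iv + _keystream_xor(key, iv, plaintext)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return ipv4_header(src, dst, ESP_PROTO, len(body) + TAG_LEN) + body + tag


def transport_mode(key, spi, seq, src, dst, payload):
    """Transport mode: the original end-host addresses stay in the clear."""
    return esp_encapsulate(key, spi, seq, src, dst, payload)


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_pkt):
    """Tunnel mode: the whole inner datagram is hidden behind the gateways' outer header."""
    return esp_encapsulate(key, spi, seq, gw_src, gw_dst, inner_pkt)


def observer_view(pkt: bytes) -> dict:
    """What someone on the public network learns from the unencrypted outer header."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "proto": proto}


def gateway_receive(peers: dict, pkt: bytes) -> bytes:
    """Receiving VPN system: accept only configured peers, verify the tag, then decrypt.

    `peers` maps a peer gateway address to the key shared with that peer.
    The returned bytes are the inner data, ready to be forwarded to its destination.
    """
    src, _, proto, body = parse_ipv4(pkt)
    if proto != ESP_PROTO or src not in peers:
        raise ValueError("dropped: not ESP from a configured peer")
    key = peers[src]
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("dropped: integrity check failed, not from a valid peer")
    return _keystream_xor(key, data[8:16], data[16:])
```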

Design Issues

Some of the design issues to consider in the case of Virtual Private Networks:

supported platforms (UNIX, Win*, Mac)

proprietary or open solution (standards support)

ease of use (end user and network manager/SNMP)

performance (pkts/sec, encryption bandwidth, compression)

IP fragmentation support

strength of security

firewall inter-operability

features (firewall, addressing, IPv6 support, protocols, multicast)

network address translation (NAT)

mobile user support

key and policy management, authentication

scalability

export restrictions

internals (chipset, MHz, memory, net interfaces, tamper resistance)

cost


Software solutions

The software solutions might be better termed "software approximations." The classic solution is to provide privacy on an application-by-application basis using crypto APIs. Secure remote access is provided by encrypted telnet services like SRP or SSH. SSH also permits tunneling other services (like X) over the encrypted connection. For dial-in connections, Blaze's Encrypting Session Manager (ESM) provides encryption after the session has been established. Encrypted voice communication over the Internet is provided by Nautilus or PGPfone. Transport-layer encryption for TCP is provided by SSL; also see the IETF's Transport Layer Security (TLS) drafts. More integrated software solutions can be provided by Kerberos or OSF's DCE, or by using the Point-to-Point Tunneling Protocol (PPTP, or Microsoft's PPTP implementation and a FAQ) and its vulnerabilities. L2TP combines the best of PPTP and Cisco's L2F protocol. Blaze's swIPe, or vpnd, and CIPE provide encrypted transport services; also see Gong's enclave paper. The ongoing development of IP security options for IPv4 and IPv6, along with ISAKMP and GKMP, may soon provide the necessary software tools for constructing your own virtual private network, and there are some implementations available for testing; also see the paper on an MS-DOS implementation. Also see the recent Internet draft, the VPN framework, the S/WAN initiative and Linux FreeS/WAN, OpenVPN, or NIST's Cerberus.

Test and evaluation

The Network Research Group at ORNL has been doing evaluations of various VPN solutions, including STEL, SSH, Kerberos, DCE, ESM, and IPv4/v6 with the Cisco ISAKMP daemon. We have also done preliminary testing on a Cisco PIX unit, DEC's AltaVista client tunnel, and DSN's Net Fortress. Here are some preliminary performance data on encrypted tunneling throughput and latency.


Further Information

VPN Papers from Technology Guides

http://www.itpapers.com/resources/tech_guides.html

Super resource on VPNs

http://vpn.shmoo.com/

VPN Design (Cisco)

http://www.cisco.com/warp/public/779/largeent/design/vpn.html

VPN FAQs (Cisco)

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/vpnmon/1_x/10/using/vpnmimp.htm

Terms used in VPNs

http://www.vpnc.org/terms.html

What about VPN Security?

http://www.findvpn.com/articles/secure.cfm

IP Security Protocol (IPSec)

http://www.ietf.org/html.charters/ipsec-charter.html

Wireless VPN Solution

http://www.mobileinfo.com/ProductCatalog/Columbitech_VPN.htm

Symmetric-Key Encryption

http://dsa-isis.jrc.it/Trinidad/Infra/Trini_SymKey.html

Public-Key Encryption

http://www.ebcvg.com/download.php?id=1028

Danny aka Dr.T ([email protected])

http://www.ebcvg.com - BCVG Network Security, July 2002
