Seminar On
Guided By:
Submitted By:
ABSTRACT
The Virtual Private Network - VPN - has attracted the attention of many
organizations looking to both expand their networking capabilities and reduce their
costs.
The VPN can be found in workplaces and homes, where they allow employees to
safely log into company networks. Telecommuters and those who travel often find
a VPN a more convenient way to stay "plugged in" to the corporate intranet.
No matter your current involvement with VPNs, this is a good technology to know
something about. A study of VPN involves many interesting aspects of network
protocol design, Internet security, network service outsourcing, and technology
standards.
PPTP
L2TP
IPsec
SOCKS
The success of VPNs in the future depends mainly on industry dynamics. Most of
the value in VPNs lies in the potential for businesses to save money. Should the
cost of long-distance telephone calls and leased lines continue to drop, fewer
companies may feel the need to switch to VPNs for remote access. Conversely, if
VPN standards solidify and vendor products interoperate fully with each other, the
appeal of VPNs should increase.
The success of VPNs also depends on the ability of intranets and extranets to
deliver on their promises. Companies have had difficulty measuring the cost
savings of their private networks, but if it can be demonstrated that these provide
significant value, the use of VPN technology internally may also increase.
INDEX
1. INTRODUCTION
1.1. DEFINITION
1.2. OVERVIEW
2. WORKING OF VPN
2.1. EXAMPLE USE OF VPN
3. TYPES OF VPN
3.1. VIRTUAL LEASED LINE (VLL)
3.2. VIRTUAL PRIVATE ROUTED NETWORK (VPRN)
3.3. VIRTUAL PRIVATE DIAL-UP NETWORK (VPDN)
3.4. VIRTUAL PRIVATE LAN SEGMENT (VPLS)
3.5. INTRANET VPN
3.6. EXTRANET VPN
3.7. REMOTE ACCESS VPN
4. TUNNELING
5. TUNNELING PROTOCOLS
5.1. MOTIVE OF PROTOCOLS
5.2. HISTORY
5.3. IPSec DESIGN GOALS AND OVERVIEW
5.4. L2TP DESIGN GOALS AND OVERVIEW
5.5. PPTP DESIGN GOALS AND OVERVIEW
5.6. MICROSOFT SUPPORT FOR IPSec, L2TP & PPTP
5.7. REMOTE ACCESS POLICY MANAGEMENT
5.8. CLIENT MANAGEMENT
6. SECURITY OF VPN
7. VPN H/W & S/W SPECIFICATION
8. APPLICATION OF VPN
9. ADVANTAGES OF VPN
10. DISADVANTAGES OF VPN
11. CONCLUSION
12. BIBLIOGRAPHY
1. INTRODUCTION:
1.1. Definition
An Internet-based virtual private network (VPN) uses the open,
distributed infrastructure of the Internet to transmit data between corporate sites.
1.2. Overview
Why develop a VPN?
At the same time, businesses are finding that past solutions to wide-
area networking between the main corporate network and branch offices, such as
dedicated leased lines or frame-relay circuits, do not provide the flexibility required for
quickly creating new partner links or supporting project teams in the field.
First and foremost are the cost savings of Internet VPNs when compared
to traditional VPNs. A traditional corporate network built using leased T1 (1.5 Mbps)
links and T3 (45 Mbps) links must deal with tariffs that are structured to include an
installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees
that are greater than typical fees for leased Internet connections of the same speed.
Leased Internet lines offer another cost advantage because many providers
offer prices that are tiered according to usage. For businesses that require the use of a full
T1 or T3 only during busy times of the day but do not need the full bandwidth most of
the time, ISP services, such as burstable T1, are an excellent option. Burstable T1
provides on-demand bandwidth with flexible pricing. For example, a customer who signs
up for a full T1 but whose traffic averages 512 kbps of usage on the T1 circuit will pay
less than a T1 customer whose average monthly traffic is 768 kbps.
Because point-to-point links are not a part of the Internet VPN, companies
do not have to support one of each kind of connection, further reducing equipment and
support costs. With traditional corporate networks, the media that serve smaller branch
offices, telecommuters, and mobile workers—digital subscriber line (xDSL), integrated
services digital network (ISDN), and high-speed modems, for instance—must be
supported by additional equipment at corporate headquarters. In a VPN, not only can T1
or T3 lines be used between the main office and the ISP, but many other media can be
used to connect smaller offices and mobile workers to the ISP and, therefore, to the VPN
without installing any added equipment at headquarters.
VPNs using the Internet have the potential to solve many of these business
networking problems.
In addition, VPNs are not limited to corporate sites and branch offices. As
an added advantage, a VPN can provide secure connectivity for mobile workers. These
workers can connect to their company's VPN by dialing into the POP of a local ISP,
which reduces the need for long-distance charges and outlays for installing and
maintaining large banks of modems at corporate sites.
While VPNs offer direct cost savings over other communications methods
(such as leased lines and long-distance calls), they can also offer other advantages,
including indirect cost savings as a result of reduced training requirements and
equipment, increased flexibility, and scalability.
2. WORKING OF VPN:
The world has changed a lot in the last couple of decades. Instead of
simply dealing with local or regional concerns, many businesses now have to think about
global markets and logistics. Many companies have facilities spread out across the
country or even around the world. But there is one thing that all of them need: A way to
maintain fast, secure and reliable communications wherever their offices are.
Until recently, this has meant the use of leased lines to maintain a Wide
Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital
Network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company
with a way to expand their private network beyond their immediate geographic area. A
WAN had obvious advantages over a public network like the Internet when it came to
reliability, performance and security. But maintaining a WAN, particularly when using
leased lines can become quite expensive and often rises in cost as the distance between
the offices increases.
For years, voice, data, and just about all software-defined network
services were called "virtual private networks" by the telephone companies. The current
generation of VPNs, however, is a more advanced combination of tunneling, encryption,
authentication and access control technologies and services used to carry traffic over the
Internet, a managed IP network or a provider's backbone.
The general idea behind using this method is that a company reduces the
recurring telecommunications charges that are shouldered when connecting remote users
and branch offices to resources in a corporation's headquarters.
Using this VPN model, packets headed towards the remote network will
reach a tunnel-initiating device, which can be anything from an extranet router to a PC
with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN
terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then
encrypts the packet for security before transmitting to the terminator, which decrypts
the packet and delivers it to the appropriate destination on the network.
Step 1. The remote user dials into their local ISP and logs into the ISP's network as usual.
Step 2. When connectivity to the corporate network is desired, the user initiates a tunnel request to the destination security server on the corporate network. The security server authenticates the user and creates the other end of the tunnel.
Step 3. The user then sends data through the tunnel, which is encrypted by the VPN software before being sent over the ISP connection.
Step 4.
The figure below illustrates that VPN software can be used from any location through any existing ISP's dial-in service.
3. TYPES OF VPN:
Compulsory Tunnel
Voluntary Tunnel
Compulsory Tunnel
L2TP Network Server (LNS). The operation of initiating the PPP session to the LAC is
transparent to the user.
Voluntary Tunnel
4. Tunneling:
Most VPNs rely on tunneling to create a private network that reaches
across the Internet. Essentially, tunneling is the process of placing an entire packet within
another packet and sending it over a network. The protocol of the outer packet is
understood by the network and both points, called tunnel interfaces, where the packet
enters and exits the network.
Carrier protocol: The protocol used by the network that the information
is traveling over
Passenger protocol: The original data (IPX, NetBeui, IP) being carried
Tunneling has amazing implications for VPNs. For example, you can
place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside
an IP packet and send it safely over the Internet. Or you could put a packet that uses a
private (non-routable) IP address inside a packet that uses a globally unique IP address to
extend a private network over the Internet.
Each of the protocols listed below were built using the basic structure of PPP
and are used by Remote-Access VPNs.
L2TP (Layer 2 Tunneling Protocol): The most recent addition, L2TP is the
product of a partnership between the members of the PPTP Forum, Cisco and the IETF
(Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP
also fully supports IPSec.
The truck is the carrier protocol, the box is the encapsulating protocol and
the computer is the passenger protocol.
As you can see, VPNs are a great way for a company to keep its
employees and partners connected no matter where they are.
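As an added illustration of the carrier/passenger relationship described in this section (example code written for this report's reader, not taken from the seminar or from any vendor's product), the following Python builds a GRE-in-IPv4 tunnel packet the way a tunnel initiator would, and parses and validates it the way a tunnel terminator would. GRE as the encapsulating protocol, the addresses, the 4-byte GRE header without optional fields, and the 20-byte dummy payload are all assumptions chosen for the demonstration.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number of GRE: what the carrier network sees
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type announcing an IPv4 passenger packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 means 'verifies')."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel initiator: wrap the passenger packet in a GRE header and a carrier IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, so a 4-byte GRE header
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + passenger)


def decapsulate(carrier: bytes) -> dict:
    """Tunnel terminator: validate the outer headers, strip them, report both address pairs."""
    ihl = (carrier[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(carrier[:ihl]) != 0:
        raise ValueError("outer IPv4 header missing or corrupt")
    if len(carrier) < ihl + 4 or carrier[9] != GRE_PROTO:
        raise ValueError("carrier too short or its protocol is not GRE")
    flags, ptype = struct.unpack("!HH", carrier[ihl:ihl + 4])
    if flags & 0xB000:        # C, K or S bit set: optional GRE fields this parser does not handle
        raise ValueError("optional GRE fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported passenger protocol 0x%04x" % ptype)
    inner = carrier[ihl + 4:]
    if len(inner) < 20 or ipv4_checksum(inner[:(inner[0] & 0x0F) * 4]) != 0:
        raise ValueError("inner IPv4 header missing or corrupt")
    return {
        "outer": (str(ipaddress.IPv4Address(carrier[12:16])), str(ipaddress.IPv4Address(carrier[16:20]))),
        "inner": (str(ipaddress.IPv4Address(inner[12:16])), str(ipaddress.IPv4Address(inner[16:20]))),
        "inner_proto": inner[9],
    }
```

The inner packet keeps its private (non-routable) addresses untouched; only the outer header is what the Internet routes on, which is exactly the "packet within a packet" idea above.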
5. TUNNELING PROTOCOLS:
5.1. Motive of protocols:
5.2. History:
One of the first protocols deployed for VPNs was PPTP. It has been a
widely deployed solution for dial-in VPNs since Microsoft included support for it in
RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for
Windows 95. Microsoft's inclusion of a PPTP client in Windows 98 practically ensures
its continued use for the next few years, although it is not likely that PPTP will become a
formal standard endorsed by any of the standards bodies (like the Internet Engineering
Task Force [IETF]).
Aside from the relative simplicity of client support for PPTP, one
of the protocol's main advantages is that PPTP is designed to run at Open Systems
Interconnection (OSI) Layer 2, or the link layer, as opposed to IPSec, which runs at Layer
3. By supporting data communications at Layer 2, PPTP can transmit protocols other than
IP over its tunnels. PPTP does have some limitations. For example, it does not provide
strong encryption for protecting data nor does it support any token-based methods for
authenticating users.
The IETF RFC IPSec tunnel protocol specifications did not include
mechanisms suitable for remote access VPN clients. Omitted features include user
authentication options or client IP address configuration. To use IPSec tunnel mode for
remote access, some vendors chose to extend the protocol in proprietary ways to solve
these issues. While a few of these extensions are documented as Internet drafts, they lack
standards status and are not generally interoperable. As a result, customers must seriously
consider whether such implementations offer suitable multi-vendor interoperability.
Feature | Description | PPTP/PPP
User Authentication | Can authenticate the user that is initiating the communications. | Yes
Machine Authentication | Authenticates the machines involved in the communications. | Yes (2)
NAT Capable | Can pass through Network Address Translators to hide one or both end-points of the communications. | Yes
Multiprotocol Support | Defines a standard method for carrying IP and non-IP traffic. | Yes
Dynamic Tunnel IP Address Assignment | Defines a standard way to negotiate an IP address for the tunneled part of the communications. Important so that returned packets are routed back through the same session rather than through a non-tunneled and unsecured path, and to eliminate static, manual end-system configuration. | Yes
Encryption | Can encrypt traffic it carries. | Yes
Uses PKI | Can use PKI to implement encryption and/or authentication. | Yes
Packet Authenticity | Provides an authenticity method to ensure packet content is not changed in transit. | No
Multicast Support | Can carry IP multicast traffic in addition to IP unicast traffic. | Yes
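To show why the "Packet Authenticity" row above matters for a tunnel endpoint (and what the VPN software in Step 3 of section 2 should do beyond encrypting), here is an added example that is not code from the seminar or from any PPTP or IPSec implementation: a toy stream cipher, once with and once without an HMAC tag over each tunneled packet. The SHA-256 counter-mode keystream, keys and nonce are constructed for the demonstration; the point is that only the authenticated terminator refuses a packet whose content changed in transit.

```python
import hashlib
import hmac

TAG_LEN = 32    # HMAC-SHA256 tag appended to every tunneled packet
NONCE_LEN = 12  # per-packet nonce carried in the clear in front of the ciphertext


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (constructed for illustration, not MPPE/RC4)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Tunnel initiator: encrypt, then tag nonce + ciphertext so any change in transit is detectable."""
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_authenticated(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Terminator WITH packet authenticity: verify the tag first, drop the packet if it fails."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # content changed in transit: reject, do not deliver
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def open_encrypt_only(enc_key: bytes, packet: bytes) -> bytes:
    """Terminator WITHOUT packet authenticity (the 'No' row): decrypts whatever arrives."""
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return xor(ct, keystream(enc_key, nonce, len(ct)))
```

Encryption alone keeps the tunneled data confidential; it is the tag check that lets the terminator notice a packet that was corrupted or altered on the way and discard it instead of delivering it into the corporate network.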
IPSec
L2TP
Windows 2000 includes L2TP support when used with IPSec for
client-to-gateway and gateway-to-gateway configurations. In these configurations, all
traffic from the client to a gateway, and all traffic between two gateways is encrypted.
This implementation has been tested with a variety of other vendor implementations of
L2TP/IPSec.
PPTP
With these tools the administrator can provide the client with a
specially configured profile that:
6. SECURITY OF VPN:
The key word in "virtual private networks" is private. The last thing a
business wants is to have sensitive corporate information end up in the hands of some
pubescent hacker, or worse, the competition. Fortunately, VPNs are widely considered
extremely secure, despite using public networks.
Firewall products for VPNs, such as NetScreen, WatchGuard, or NetFortress,
are often relatively simple, plug-and-play solutions for network security. The
system can be connected to as many LANs as needed, keys are exchanged between the
two units, and the VPN is complete. However, these solutions can come at a substantial
cost, and the right choice will depend on the unique networking and security needs of the
company or companies using the network. Generally, if you already own the appropriate
equipment and Internet connection, an out-of-the-box solution is not necessary.
Cisco Secure PIX Firewall: An amazing piece of technology, the PIX
(Private Internet eXchange) Firewall combines dynamic network address translation,
proxy server, packet filtration, firewall and VPN capabilities in a single piece of
hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades
the ability to handle a variety of protocols for extreme robustness and performance by
focusing on IP.
8. APPLICATION:
VPN/VOIP Application
Once you’ve set up your VPN network, you can easily save money
on interoffice long distance calling by bridging your voice network to your data network
with Multi-Tech’s MultiVOIP Voice over IP gateway. MultiVOIP is a point-to-point
solution (one box is required at each location) that merges voice/fax from traditional
telephones onto an IP data network. It then utilizes another MultiVOIP gateway at the
remote end to separate the voice/fax from the data network and send it back to the
receiving phone. With MultiVOIP a company can save thousands of dollars on recurring
long distance charges.
9. ADVANTAGES OF VPN:
There are a number of reasons to set up a VPN for remote access, but the
biggest selling point by far is the potential cost savings.
VPNs can further reduce costs by lessening the need for long-distance
telephone charges, as clients can gain access by dialing into the nearest service provider's
access point. While in some cases this may entail making a long-distance call or using an
800 service, a local call is usually sufficient. This can dramatically cut
telecommunications costs for enterprises with many international sites, sometimes in the
range of thousands of dollars per person, each month.
A third, more subtle way that VPNs may result in lower expenditures, is
through reducing the company's support burden. With a VPN, the service provider must
support dial-up access, instead of the organization using it. Theoretically, a public service
provider can charge much less for support, because its cost is shared among a wider
customer base.
Companies enjoy the flexibility that comes with VPNs, since they
typically do not require long-term contracts, as is the case with most data services. This
allows companies to easily switch over to a lower-priced service if they so desire.
Companies can usually get a high-speed Internet connection established and configured
in a much shorter time than it takes to get a similar data service. In some foreign
countries, it can take as long as a year to get a leased line installed. For some industries,
such as construction or insurance, this can make a crucial difference in a company's
operations and financial health.
received or replayed. Users can authenticate packets to establish the validity of the
information, and the integrity of the data is usually guaranteed.
With the hype that has surrounded VPNs historically, the potential
pitfalls or "weak spots" in the VPN model can be easy to forget.
These four concerns with VPN solutions are often raised.
3. VPN technologies from different vendors may not work well together due to immature
standards.
4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal
network technology.
12. BIBLIOGRAPHY:
www.iec.org
www.howstuffworks.com
www.ietf.org
www.vpnc.org