
VIRTUAL PRIVATE NETWORK

Seminar
On

VIRTUAL PRIVATE NETWORK

Guided By Submitted By

For Download Visit http://www.nectarkunj.byethost14.com/



ABSTRACT
The Virtual Private Network - VPN - has attracted the attention of many
organizations looking to both expand their networking capabilities and reduce their
costs.

VPNs can be found in workplaces and homes, where they allow employees to
safely log into company networks. Telecommuters and those who travel often find
a VPN a more convenient way to stay "plugged in" to the corporate intranet.

No matter your current involvement with VPNs, this is a good technology to know
something about. A study of VPN involves many interesting aspects of network
protocol design, Internet security, network service outsourcing, and technology
standards.

What Exactly Is A VPN?

A VPN supplies network connectivity over a possibly long physical distance. In
this respect, a VPN is a form of Wide Area Network (WAN).
The key feature of a VPN, however, is its ability to use public networks like the
Internet rather than rely on private leased lines. VPN technologies implement
restricted-access networks that utilize the same cabling and routers as a public
network, and they do so without sacrificing features or basic security.
A VPN supports at least three different modes of use:

• Remote access client connections
• LAN-to-LAN internetworking
• Controlled access within an intranet

VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and
marketing "hype" surrounds VPN. In reality, VPNs provide just a few clear
potential advantages over more traditional forms of wide-area networking. These
advantages can be quite significant, but they do not come for free.
The potential problems with the VPN outnumber the advantages and are generally
more difficult to understand. The disadvantages do not necessarily outweigh the
advantages, however. From security and performance concerns, to coping with a
wide range of sometimes incompatible vendor products, the decision of whether or
not to use a VPN cannot be made without significant planning and preparation.


Technology Behind VPNs

Several network protocols have become popular as a result of VPN developments:

• PPTP
• L2TP
• IPsec
• SOCKS

These protocols emphasize authentication and encryption in VPNs. Authentication
allows VPN clients and servers to correctly establish the identity of people on the
network. Encryption allows potentially sensitive data to be hidden from the general
public.
Many vendors have developed VPN hardware and/or software products.
Unfortunately, immature VPN standards mean that some of these products remain
incompatible with each other.

The Future of VPN

The success of VPNs in the future depends mainly on industry dynamics. Most of
the value in VPNs lies in the potential for businesses to save money. Should the
cost of long-distance telephone calls and leased lines continue to drop, fewer
companies may feel the need to switch to VPNs for remote access. Conversely, if
VPN standards solidify and vendor products interoperate fully with each other, the
appeal of VPNs should increase.
The success of VPNs also depends on the ability of intranets and extranets to
deliver on their promises. Companies have had difficulty measuring the cost
savings of their private networks, but if it can be demonstrated that these provide
significant value, the use of VPN technology internally may also increase.


INDEX

1. INTRODUCTION 1
1.1. DEFINITION
1.2. OVERVIEW
2. WORKING OF VPN 3
2.1. EXAMPLE USE OF VPN
3. TYPES OF VPN 9
3.1. VIRTUAL LEASED LINE (VLL)
3.2. VIRTUAL PRIVATE ROUTED NETWORK (VPRN)
3.3. VIRTUAL PRIVATE DIAL-UP NETWORK (VPDN)
3.4. VIRTUAL PRIVATE LAN SEGMENT (VPLS)
3.5. INTRANET VPN
3.6. EXTRANET VPN
3.7. REMOTE ACCESS VPN
4. TUNNELING 16
5. TUNNELING PROTOCOLS 18
5.1. MOTIVE OF PROTOCOLS
5.2. HISTORY
5.3. IPSec DESIGN GOALS AND OVERVIEW
5.4. L2TP DESIGN GOALS AND OVERVIEW
5.5. PPTP DESIGN GOALS AND OVERVIEW
5.6. MICROSOFT SUPPORT FOR IPSec, L2TP & PPTP
5.7. REMOTE ACCESS POLICY MANAGEMENT
5.8. CLIENT MANAGEMENT
6. SECURITY OF VPN 26
7. VPN H/W & S/W SPECIFICATION 27
8. APPLICATION OF VPN 29
9. ADVANTAGES OF VPN 30
10. DISADVANTAGES OF VPN 31
11. CONCLUSION 32
12. BIBLIOGRAPHY 33


1. INTRODUCTION:

1.1. Definition
An Internet-based virtual private network (VPN) uses the open,
distributed infrastructure of the Internet to transmit data between corporate sites.

1.2. Overview
Why develop a VPN?

Businesses today are faced with supporting a broader variety of
communications among a wider range of sites even as they seek to reduce the cost of
their communications infrastructure.

Employees are looking to access the resources of their corporate intranets
as they take to the road, telecommute, or dial in from customer sites.


In addition, business partners are joining together in extranets to share business
information, either for a joint project of a few months' duration or for long-term strategic
advantage.

At the same time, businesses are finding that past solutions to wide-
area networking between the main corporate network and branch offices, such as
dedicated leased lines or frame-relay circuits, do not provide the flexibility required for
quickly creating new partner links or supporting project teams in the field.

Meanwhile, the growth of the number of telecommuters and an
increasingly mobile sales force is eating up resources as more money is spent on modem
banks, remote-access servers, and phone charges.

The trend toward mobile connectivity shows no sign of abating; Forrester
Research estimated that more than 80 percent of the corporate workforce would have at
least one mobile computing device by 1999.

Comparison of VPN with existing networks:

First and foremost are the cost savings of Internet VPNs when compared
to traditional VPNs. A traditional corporate network built using leased T1 (1.5 Mbps)
links and T3 (45 Mbps) links must deal with tariffs that are structured to include an
installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees
that are greater than typical fees for leased Internet connections of the same speed.

Leased Internet lines offer another cost advantage because many providers
offer prices that are tiered according to usage. For businesses that require the use of a full
T1 or T3 only during busy times of the day but do not need the full bandwidth most of
the time, ISP services, such as burstable T1, are an excellent option. Burstable T1
provides on-demand bandwidth with flexible pricing. For example, a customer who signs
up for a full T1 but whose traffic averages 512 kbps of usage on the T1 circuit will pay
less than a T1 customer whose average monthly traffic is 768 kbps.

Because point-to-point links are not a part of the Internet VPN, companies
do not have to support one of each kind of connection, further reducing equipment and
support costs. With traditional corporate networks, the media that serve smaller branch
offices, telecommuters, and mobile workers—digital subscriber line (xDSL), integrated
services digital network (ISDN), and high-speed modems, for instance—must be
supported by additional equipment at corporate headquarters. In a VPN, not only can T1
or T3 lines be used between the main office and the ISP, but many other media can be
used to connect smaller offices and mobile workers to the ISP and, therefore, to the VPN
without installing any added equipment at headquarters.

VPN resolves the limitations of ordinary networks:


VPNs using the Internet have the potential to solve many of these business
networking problems.

VPNs allow network managers to connect remote branch offices and
project teams to the main corporate network economically and provide remote access to
employees while reducing the in-house requirements for equipment.

Rather than depend on dedicated leased lines or frame relay's permanent
virtual circuits (PVCs), an Internet-based VPN uses the open, distributed infrastructure of
the Internet to transmit data between corporate sites.

Companies using an Internet VPN set up connections to the local
connection points (called points-of-presence [POPs]) of their Internet service provider
(ISP) and let the ISP ensure that the data is transmitted to the appropriate destinations via
the Internet, leaving the rest of the connectivity details to the ISP's network and the
Internet infrastructure.

Because the Internet is a public network with open transmission of most
data, Internet-based VPNs include measures for encrypting data passed between VPN
sites, which protects the data against eavesdropping and tampering by unauthorized
parties.

In addition, VPNs are not limited to corporate sites and branch offices. As
an added advantage, a VPN can provide secure connectivity for mobile workers. These
workers can connect to their company's VPN by dialing into the POP of a local ISP,
which reduces the need for long-distance charges and outlays for installing and
maintaining large banks of modems at corporate sites.

While VPNs offer direct cost savings over other communications methods
(such as leased lines and long-distance calls), they can also offer other advantages,
including indirect cost savings as a result of reduced training requirements and
equipment, increased flexibility, and scalability.

2. WORKING OF VPN:


The world has changed a lot in the last couple of decades. Instead of
simply dealing with local or regional concerns, many businesses now have to think about
global markets and logistics. Many companies have facilities spread out across the
country or even around the world. But there is one thing that all of them need: A way to
maintain fast, secure and reliable communications wherever their offices are.

Until recently, this has meant the use of leased lines to maintain a Wide
Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital
Network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company
with a way to expand their private network beyond their immediate geographic area. A
WAN had obvious advantages over a public network like the Internet when it came to
reliability, performance and security. But maintaining a WAN, particularly when using
leased lines, can become quite expensive and often rises in cost as the distance between
the offices increases.

As the popularity of the Internet grew, businesses turned to it as a means
of extending their own networks. First came intranets, which are password-protected
sites designed for use only by company employees. Now, many companies are creating
their own VPNs (Virtual Private Networks) to accommodate the needs of remote
employees and distant offices.

Image courtesy of Cisco Systems, Inc.

A typical VPN might have a main LAN at the corporate headquarters of
a company, other LANs at remote offices or facilities, and individual
users connecting from out in the field.


Basically, a VPN is a private network that uses a public network (usually
the Internet) to connect remote sites or users together. Instead of using a dedicated, real-
world connection such as a leased line, a VPN uses "virtual" connections routed through
the Internet from the company's private network to the remote site or employee.

For years, voice, data, and just about all software-defined network
services were called "virtual private networks" by the telephone companies. The current
generation of VPNs, however, is a more advanced combination of tunneling, encryption,
authentication and access control technologies and services used to carry traffic over the
Internet, a managed IP network or a provider's backbone.

The traffic reaches these backbones using any combination of access
technologies, including T1, frame relay, ISDN, ATM or simple dial access. VPNs use
familiar networking technology and protocols. The client sends a stream of encrypted
Point-to-Point Protocol (PPP) packets to a remote server or router, except that instead of
going across a dedicated line (as in the case of WANs), the packets go across a tunnel
over a shared network.

The general idea behind using this method is that a company reduces the
recurring telecommunications charges that are shouldered when connecting remote users
and branch offices to resources in a corporation's headquarters.

The most commonly accepted method of creating VPN tunnels is by
encapsulating a network protocol (including IPX, NetBEUI, AppleTalk, and others)
inside the PPP, and then encapsulating the entire package inside a tunneling protocol,
which is typically IP, but could also be ATM or frame relay. This increasingly popular
approach is called Layer 2 tunneling, because the passenger is a Layer-2 Tunneling
Protocol (L2TP).

Using this VPN model, packets headed towards the remote network will
reach a tunnel-initiating device, which can be anything from an extranet router to a PC
with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN
terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then
encrypts the package for security before transmitting to the terminator, which decrypts
the packet and delivers it to the appropriate destination on the network.

L2TP is the combination of Cisco Systems' Layer-2 Forwarding (L2F) and
Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol,
including IP, IPX, and AppleTalk, as well as any WAN backbone technology, including
frame relay, ATM, X.25, and SONET. Because of L2TP's use of Microsoft's PPTP, it is
included as part of the remote access features of most Windows products.


Another approach to VPN is SOCKS 5, which follows a proxy server
model and works at the TCP socket level. It requires a SOCKS 5 server and appropriate
software in order to work. The SOCKS 5 client intercepts a request for service, and
checks it against a security database. If the request is granted, the server establishes an
authenticated session with the client, acting as a proxy. This allows network managers to
apply specific controls, proxy traffic, and specify which applications can cross the
firewall into the Internet.

VPN technology can be used for site-to-site connectivity as well, which
would allow a branch office with multiple access lines to get rid of the data line and move
traffic over the existing Internet access connection. Since many sites use multiple lines,
this can be a very useful application, and it can be deployed without adding additional
equipment or software.

2.1. Example use of VPN:

Step 1. The remote user dials into their local ISP and logs into the
ISP’s network as usual.


Step 2. When connectivity to the corporate network is desired, the user initiates a
tunnel request to the destination Security server on the corporate network. The Security
server authenticates the user and creates the other end of the tunnel.


Step 3. The user then sends data through the tunnel, which is encrypted by the VPN
software before being sent over the ISP connection.


Step 4. The destination Security server receives the encrypted data and
decrypts it. The Security server then forwards the decrypted data packets onto the corporate
network. Any information sent back to the remote user is also encrypted before being
sent over the Internet.


The figure below illustrates that VPN software can be used from
any location through any existing ISP's dial-in service.

3. TYPES OF VPN:

3.1. Virtual Leased Lines (VLL)

This is the simplest form of a VPN. In this type there is a point-to-
point link between two customer premises equipment (CPE) devices. The CPE devices can be
either routers, bridges or hosts. The IP tunnel is set up between two ISP nodes which are
connected by an IP network. Each of these nodes is configured to bind the stub link and the
IP tunnel together at layer 2. Frames are relayed between the two links. The contents of
the payload are opaque to the ISP node. The IP network is invisible to the customer: to
him it seems as if a single ATM Virtual Channel Connection (VCC) or Frame Relay circuit
were used to interconnect the CPE devices. If the two links used to connect the CPE
devices to the ISP nodes are not of the same type, then the traffic is not opaque to the ISP.
In this case the ISP nodes must perform the functions of an inter-working device between
the two media types (e.g., ATM and Frame Relay) and any media-specific processing that
is expected by the CPE devices.


Figure 3.1: Virtual Leased Lines (VLL)

3.2. Virtual Private Routed Network (VPRN)

A VPRN is an emulation of a multi-site wide area routed network
using IP facilities. In a VPRN, packet forwarding is carried out at the network layer. A
VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing
capabilities needed to forward traffic received at each VPRN node to the appropriate
destination site. At each ISP router to which members of the VPRN are connected there is
a VPRN-specific forwarding table. Traffic is forwarded between ISP routers, and between
ISP routers and customer sites, using these forwarding tables. The forwarding tables
contain network layer reachability information. A VPRN carries out forwarding at the
network layer, hence a single VPRN only directly supports a single network layer
protocol. For multiprotocol support, a separate VPRN for each network layer protocol
could be used or one protocol could be tunneled over another.

VPRN Requirements

1. VPN Identifier: The use of a globally unique VPN identifier.

2. VPRN membership determination: An edge router must learn
of the local stub links that are in each VPRN and the set of other routers that have
members in that VPRN.

3. Stub link reachability information: An edge router must learn
the set of addresses and address prefixes reachable via each stub link.

4. Intra-VPRN reachability information: An edge router must
disseminate the address prefix information associated with each of its stub links to each
other edge router in the VPRN.

5. Tunneling mechanism: An edge router must construct the
necessary tunnels to other routers that have members in the VPRN, and must perform the
encapsulation and decapsulation necessary to send and receive packets over the tunnels.


Figure 3.2: Virtual Private Routed Network (VPRN)

3.3. Virtual Private Dial Network (VPDN)

A Virtual Private Dial Network (VPDN) allows an on-demand, ad hoc
tunnel between a remote user and another site. The user is connected to a public IP network
via a dial-up PSTN or ISDN link. User packets are tunneled across the public network to
the destination site. To the user, it gives the impression of being directly connected to
that site. The most important thing here is authentication of the user, since anybody can
try to gain access to destination sites using the dial-up network. There are two possible
types of tunnel in this case:

• Compulsory Tunnel
• Voluntary Tunnel

Compulsory Tunnel

In this scenario an L2TP Access Concentrator (LAC) acting as a dial or
network access server extends a PPP session across a backbone using L2TP to a remote
L2TP Network Server (LNS). The operation of initiating the PPP session to the LAC is
transparent to the user.

Figure 3.3: Compulsory Tunnel (VPDN)

Voluntary Tunnel

Voluntary tunnel refers to the case where an individual host
connects to a remote site using a tunnel originating on the host, with no involvement from
intermediate network nodes. The tunnel mechanism chosen can be IPSec or L2TP. There is
considerable overhead with such a protocol stack, particularly when IPSec is also needed.
The overhead consists of both extra headers in the data plane and extra control protocols
needed in the control plane.

Figure 3.4: Voluntary Tunnel (VPDN)


3.4. Virtual Private LAN Segment (VPLS)

A Virtual Private LAN Segment (VPLS) is the emulation of a LAN
segment using Internet facilities. VPLS can be used to provide Transparent LAN Service
(TLS). Topologically and operationally a VPLS is similar to a VPRN, except that each
VPLS edge node implements link layer bridging rather than network layer forwarding.

Figure 3.5: Virtual Private LAN Segment (VPLS)


3.5. Branch office connection network (Intranet VPN)

The branch office scenario securely connects two trusted intranets
within the organization. Routers or firewalls acting as gateways for the office with VPN
capabilities can be used to protect the corporate traffic. They provide the necessary data
authentication and encryption.

3.6. Business partner/supplier network (Extranet VPN)

In this scenario, multiple supplier intranets need to access a
common corporate network over the Internet. Each supplier is allowed access to only a
limited set of destinations within the corporate network. The VPN must be constructed to
guarantee that no traffic from a supplier will be visible to any other supplier or to any
system other than its intended destination.

Figure 3.7: Extranet VPN


Design Considerations

• The clients have to support the IPSec protocols.
• Client addresses are dynamic, hence dynamic tunnel establishment is needed.
• Manual tunnels are possible only in the case of fixed remote client IP addresses.
• Dial-in traffic that cannot be authenticated will be rejected by the firewall.

3.7. Remote access network (Access VPN)

A remote user wants to be able to communicate securely and cost-
effectively with his corporate intranet. This can be done by use of an IPSec-enabled VPN
remote client and firewall (or gateway). The client accesses the Internet via dial-up to an
ISP, and then establishes an authenticated and encrypted tunnel between itself and the
firewall at the intranet boundary.

Figure 3.8: Access VPN


4. Tunneling:
Most VPNs rely on tunneling to create a private network that reaches
across the Internet. Essentially, tunneling is the process of placing an entire packet within
another packet and sending it over a network. The protocol of the outer packet is
understood by the network and both points, called tunnel interfaces, where the packet
enters and exits the network.

Tunneling requires three different protocols:

• Carrier protocol: The protocol used by the network that the information
is traveling over
• Encapsulating protocol: The protocol (GRE, IPSec, L2F, PPTP, L2TP)
that is wrapped around the original data
• Passenger protocol: The original data (IPX, NetBeui, IP) being carried

Tunneling has amazing implications for VPNs. For example, you can
place a packet that uses a protocol not supported on the Internet (such as NetBeui) inside
an IP packet and send it safely over the Internet. Or you could put a packet that uses a
private (non-routable) IP address inside a packet that uses a globally unique IP address to
extend a private network over the Internet.

In a Site-to-Site VPN, GRE (Generic Routing Encapsulation) is
normally the encapsulating protocol that provides the framework for how to package the
passenger protocol for transport over the carrier protocol, which is typically IP-based.
This includes information on what type of packet you are encapsulating and information
about the connection between the client and server. Instead of GRE, IPSec in Tunnel
Mode is sometimes used as the encapsulating protocol. IPSec works well on both
Remote-Access and Site-to-Site VPNs. IPSec must be supported at both tunnel interfaces
to be used.

In a Remote-Access VPN, tunneling normally takes place using PPP. Part
of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over
the network between the host computer and a remote system. Remote-Access VPN
tunneling relies on PPP.

Each of the protocols listed below were built using the basic structure of PPP
and are used by Remote-Access VPNs.

L2F (Layer 2 Forwarding): Developed by Cisco, L2F will use any
authentication scheme supported by PPP.

PPTP (Point-to-Point Tunneling Protocol): PPTP was created by the PPTP
Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI
Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication
scheme supported by PPP.

L2TP (Layer 2 Tunneling Protocol): The most recent addition, L2TP is the
product of a partnership between the members of the PPTP Forum, Cisco and the IETF
(Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP
also fully supports IPSec.

L2TP can be used as a tunneling protocol for Site-to-Site VPNs as well as
Remote-Access VPNs. In fact, L2TP can create a tunnel between:

• Client and Router
• NAS and Router
• Router and Router
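As an added illustration of the carrier / encapsulating / passenger layering described in this section (example code written for this page, not taken from the seminar or any vendor), the following Python builds a private-addressed IPv4 packet, wraps it in a GRE header plus a public-addressed outer IPv4 header, and unwraps it again at the exit tunnel interface with the checks a receiver should perform. All addresses and the payload are constructed sample values.

```python
import socket
import struct

# Protocol numbers used by the three tunnel layers (constructed example, not the seminar's code)
GRE_PROTO = 47            # outer IPv4 "protocol" field value for GRE (encapsulating protocol)
UDP_PROTO = 17            # inner packet's transport; stands in for the passenger's own payload
GRE_PTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 passenger (RFC 2784)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (yields 0 when run over a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, no options, correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_addresses(pkt: bytes) -> tuple:
    """(source, destination) of the IPv4 packet at the start of pkt."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def passenger_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Passenger protocol: an IPv4 packet with private (RFC 1918) addresses the Internet would not route."""
    return ipv4_header(src, dst, UDP_PROTO, len(payload)) + payload


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Entry tunnel interface: wrap the passenger in a GRE header and an outer IPv4 (carrier) header."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)       # flags/version = 0, protocol type = IPv4
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(pkt: bytes) -> bytes:
    """Exit tunnel interface: validate carrier and GRE headers, then return the passenger packet."""
    if len(pkt) < 24 or (pkt[0] >> 4) != 4:
        raise ValueError("carrier is not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("carrier header length is invalid")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("carrier header checksum mismatch")
    if pkt[9] != GRE_PROTO:
        raise ValueError("carrier does not contain GRE")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("passenger is not IPv4")
    gre_len = 4
    if flags & 0x8000:          # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:          # K bit: key present (RFC 2890)
        gre_len += 4
    if flags & 0x1000:          # S bit: sequence number present (RFC 2890)
        gre_len += 4
    inner = pkt[ihl + gre_len:]
    if len(inner) < 20:
        raise ValueError("truncated passenger packet")
    inner_len = struct.unpack("!H", inner[2:4])[0]
    if inner_len > len(inner):
        raise ValueError("passenger total length exceeds what was carried")
    return inner[:inner_len]


def demo() -> dict:
    """Build a private-addressed packet, tunnel it between public addresses, and unwrap it again."""
    inner = passenger_packet("10.1.1.5", "10.2.2.9", b"constructed payload")
    outer = gre_encapsulate(inner, "203.0.113.10", "198.51.100.20")
    return {
        "passenger_addrs": ip_addresses(inner),
        "carrier_addrs": ip_addresses(outer),
        "carrier_proto": outer[9],
        "recovered_equals_passenger": gre_decapsulate(outer) == inner,
    }
```

The same three functions work for any IPv4 passenger; only the outer addresses are what the public network ever sees.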


Think of tunneling like having a computer delivered to you by UPS. The
vendor packs the computer (passenger protocol) into a box (encapsulating protocol),
which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry
tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your
home (exit tunnel interface) and delivers the computer. You open the box (encapsulating
protocol) and remove the computer (passenger protocol). Tunneling is just that simple!

Figure: The truck is the carrier protocol, the box is the encapsulating protocol and
the computer is the passenger protocol.

As you can see, VPNs are a great way for a company to keep its
employees and partners connected no matter where they are.

5. TUNNELING PROTOCOLS:
5.1. Motive of protocols:

Four different protocols have been suggested for creating VPNs
over the Internet: point-to-point tunneling protocol (PPTP), layer-2 forwarding (L2F),
layer-2 tunneling protocol (L2TP), and IP security protocol (IPSec).

One reason for the number of protocols is that, for some
companies, a VPN is a substitute for remote-access servers, allowing mobile users and
branch offices to dial into the protected corporate network via their local ISP. For others,
a VPN may consist of traffic traveling in secure tunnels over the Internet between
protected LANs. The protocols that have been developed for VPNs reflect this
dichotomy. PPTP, L2F, and L2TP are largely aimed at dial-up VPNs, while IPSec's main
focus has been LAN-to-LAN solutions.

5.2. History:

One of the first protocols deployed for VPNs was PPTP. It has been a
widely deployed solution for dial-in VPNs since Microsoft included support for it in
RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for
Windows 95. Microsoft's inclusion of a PPTP client in Windows 98 practically ensures
its continued use for the next few years, although it is not likely that PPTP will become a
formal standard endorsed by any of the standards bodies (like the Internet Engineering
Task Force [IETF]).

The most commonly used protocol for remote access to the
Internet is point-to-point protocol (PPP). PPTP builds on the functionality of PPP to
provide remote access that can be tunneled through the Internet to a destination site. As
currently implemented, PPTP encapsulates PPP packets using a modified version of the
generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of
handling protocols other than IP, such as Internet packet exchange (IPX) and network
basic input/output system extended user interface (NetBEUI).

Because of its dependence on PPP, PPTP relies on the
authentication mechanisms within PPP, namely password authentication protocol (PAP)
and CHAP. Because there is a strong tie between PPTP and Windows NT, an enhanced
version of CHAP, MS-CHAP, is also used, which utilizes information within NT
domains for security. Similarly, PPTP can use PPP to encrypt data, but Microsoft has also
incorporated a stronger encryption method called Microsoft point-to-point encryption
(MPPE) for use with PPTP.

Aside from the relative simplicity of client support for PPTP, one
of the protocol's main advantages is that PPTP is designed to run at open systems
interconnection (OSI) Layer 2, or the link layer, as opposed to IPSec, which runs at Layer
3. By supporting data communications at Layer 2, PPTP can transmit protocols other than
IP over its tunnels. PPTP does have some limitations. For example, it does not provide
strong encryption for protecting data nor does it support any token-based methods for
authenticating users.

5.3. IPSec Design Goals and Overview

IPSec provides integrity protection, authentication, and (optional)
privacy and replay protection services for IP traffic. IPSec packets are of two types:

• IP protocol 50, called the Encapsulating Security Payload (ESP) format, which
provides privacy, authenticity, and integrity.

• IP protocol 51, called the Authentication Header (AH) format, which only provides
integrity and authenticity for packets, but not privacy.

IPSec can be used in two modes: transport mode, which secures an
existing IP packet from source to destination, and tunnel mode, which puts an existing IP
packet inside a new IP packet that is sent to a tunnel end point in the IPSec format. Both
transport and tunnel mode can be encapsulated in ESP or AH headers.

IPSec transport mode was designed to provide security for IP
traffic end-to-end between two communicating systems, for example to secure a TCP
connection or a UDP datagram. IPSec tunnel mode was designed primarily for network
midpoints, routers, or gateways, to secure other IP traffic inside an IPSec tunnel that
connects one private IP network to another private IP network over a public or untrusted
IP network (for example, the Internet). In both cases, a complex security negotiation is
performed between the two computers through the Internet Key Exchange (IKE),
normally using PKI certificates for mutual authentication.

The IETF RFC IPSec tunnel protocol specifications did not include
mechanisms suitable for remote access VPN clients. Omitted features include user
authentication options or client IP address configuration. To use IPSec tunnel mode for
remote access, some vendors chose to extend the protocol in proprietary ways to solve
these issues. While a few of these extensions are documented as Internet drafts, they lack
standards status and are not generally interoperable. As a result, customers must seriously
consider whether such implementations offer suitable multi-vendor interoperability.
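The two packet formats and the replay protection described above, worked through as an added example that is not from this report or any IPSec implementation: it decodes the clear-text fields of AH and ESP headers from constructed packets (RFC 5737 documentation addresses, zero checksums) and implements the receiver's per-SA anti-replay window.

```python
import struct

# Added example (not from this report or any IPSec implementation): decode the
# clear-text part of the two IPSec packet types and apply the per-SA anti-replay
# window a receiver keeps. All packets are constructed by hand, not captured.

IP_PROTO_ESP = 50   # Encapsulating Security Payload
IP_PROTO_AH = 51    # Authentication Header
IP_PROTO_IPIP = 4   # next header 4 = an inner IPv4 packet follows (tunnel mode)

def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) from a minimal IPv4 header."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def parse_esp(payload: bytes) -> dict:
    """ESP: SPI(4) | Sequence(4) | encrypted payload + trailer | ICV.
    Only SPI and sequence are readable without the SA keys; the next-header
    field (and so transport vs. tunnel mode) sits inside the encrypted trailer."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"type": "ESP", "spi": spi, "seq": seq}

def parse_ah(payload: bytes) -> dict:
    """AH: NextHdr(1) | PayloadLen(1) | Reserved(2) | SPI(4) | Sequence(4) | ICV.
    Everything is in the clear, which is why AH gives integrity but no privacy."""
    nxt, plen, _rsv, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (plen + 2) * 4        # Payload Len counts 32-bit words, minus 2
    if len(payload) < ah_len:
        raise ValueError("truncated AH")
    return {"type": "AH", "spi": spi, "seq": seq, "next_header": nxt,
            "icv_len": ah_len - 12, "tunnel_mode": nxt == IP_PROTO_IPIP}

def classify(pkt: bytes) -> dict:
    """Dispatch on the IP protocol number, as an IPSec-aware filter would."""
    proto, payload = parse_ipv4(pkt)
    if proto == IP_PROTO_ESP:
        return parse_esp(payload)
    if proto == IP_PROTO_AH:
        return parse_ah(payload)
    return {"type": "other", "protocol": proto}

class ReplayWindow:
    """Per-SA anti-replay window (the RFC 2401/4303 scheme, 64 packets wide).
    Bit i of `bitmap` is set when sequence number `top - i` has been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                      # 0 is never sent on an SA
            return False
        if seq > self.top:                # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size:             # older than the window: drop
            return False
        if self.bitmap & (1 << back):     # already seen: replay, drop
            return False
        self.bitmap |= 1 << back          # late but fresh: accept once
        return True

def ipv4_header(proto: int, total_len: int) -> bytes:
    """Constructed IPv4 header (RFC 5737 documentation addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

# Constructed AH packet in tunnel mode: Payload Len 4 => 24-byte AH with a 12-byte
# ICV (zeros here), next header 4, then an inner 20-byte IPv4 header.
AH_PACKET = (ipv4_header(IP_PROTO_AH, 20 + 24 + 20)
             + struct.pack("!BBHII", IP_PROTO_IPIP, 4, 0, 0x1000, 1) + bytes(12)
             + ipv4_header(17, 20))
# Constructed ESP packet: SPI 0x2000, sequence 5, then 16 opaque "ciphertext" bytes.
ESP_PACKET = (ipv4_header(IP_PROTO_ESP, 20 + 8 + 16)
              + struct.pack("!II", 0x2000, 5) + bytes(range(16)))
```

Note that the ICV is not verified here: checking it requires the SA keys negotiated by IKE, so a passive filter can only classify and track sequence numbers, not confirm authenticity.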

5.4. L2TP Design Goals and Overview

L2TP is a mature IETF standards track protocol that has been widely implemented. L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent over IP, X.25, frame relay, or asynchronous transfer mode (ATM) networks. When configured to use IP as its transport, L2TP can be used as a VPN tunneling protocol over the Internet. L2TP over IP uses UDP port 1701 and includes a series of L2TP control messages for tunnel maintenance. L2TP also uses UDP to send L2TP-encapsulated PPP frames as the tunneled data. The encapsulated PPP frames can be encrypted or compressed. When L2TP tunnels appear as IP packets, they take advantage of standard IPSec security using IPSec transport mode for strong integrity, replay, authenticity, and privacy protection. L2TP was specifically designed for client connections to network access servers, as well as for gateway-to-gateway connections. Through its use of PPP, L2TP gains multi-protocol support for protocols such as IPX and AppleTalk. PPP also provides a wide range of user authentication options, including CHAP, MS-CHAP, MS-CHAPv2 and Extensible Authentication Protocol (EAP) that supports token card and smart card authentication mechanisms. L2TP/IPSec therefore provides well-defined and interoperable tunneling, with the strong and interoperable security of IPSec. It is a good solution for secure remote access and secure gateway-to-gateway connections.
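As an added example (not from this report or any L2TP implementation), a decoder for the L2TP header carried in UDP port 1701 datagrams, separating the control messages used for tunnel maintenance from the data messages carrying PPP frames; the sample datagrams are constructed, and the data path shows why the PPP payload is readable on the wire unless the datagram is protected by IPSec.

```python
import struct

# Added example (not from this report or any L2TP implementation): decode the
# L2TPv2 header carried in UDP port 1701 datagrams, separating control messages
# (tunnel maintenance) from data messages (tunneled PPP frames). The datagrams
# below are constructed by hand, not captured.

L2TP_UDP_PORT = 1701
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
# Control message types carried in the Message Type AVP (vendor 0, attribute 0).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}

def parse_avps(buf: bytes) -> list:
    """AVP: M|H|rsvd|Length(10 bits) | Vendor ID | Attribute Type | Value."""
    avps = []
    while buf:
        head, vendor, attr = struct.unpack("!HHH", buf[:6])
        length = head & 0x03FF
        if length < 6 or length > len(buf):
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(head & 0x8000), "hidden": bool(head & 0x4000),
                     "vendor": vendor, "type": attr, "value": buf[6:length]})
        buf = buf[length:]
    return avps

def parse_l2tp(data: bytes) -> dict:
    """Parse one L2TPv2 datagram; which header fields exist depends on the flag bits."""
    flags = struct.unpack("!H", data[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TPv2")
    off = 2
    hdr = {"control": bool(flags & FLAG_T), "priority": bool(flags & FLAG_P)}
    if flags & FLAG_L:
        hdr["length"] = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", data[off:off + 4])
    off += 4
    if flags & FLAG_S:                        # sequence numbers of the reliable control channel
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if flags & FLAG_O:                        # offset size plus padding before the payload
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    end = hdr.get("length", len(data))
    if end > len(data):
        raise ValueError("length field exceeds datagram")
    if hdr["control"]:
        # RFC 2661: control messages must set L and S and must not set O.
        if not (flags & FLAG_L and flags & FLAG_S) or flags & FLAG_O:
            raise ValueError("malformed control header")
        hdr["avps"] = parse_avps(data[off:end])
        mtype = [a["value"] for a in hdr["avps"] if a["vendor"] == 0 and a["type"] == 0]
        # A control message with no AVPs is a ZLB acknowledgement.
        hdr["message_type"] = (MESSAGE_TYPES.get(struct.unpack("!H", mtype[0])[0], "unknown")
                               if mtype else "ZLB")
    else:
        ppp = data[off:end]
        hdr["ppp"] = ppp
        # The PPP frame is in the clear: its protocol field (0x0021 = IP) and payload
        # are readable on the path unless the datagram is protected by IPSec ESP.
        if ppp[:2] == b"\xff\x03":            # HDLC address/control bytes present
            hdr["ppp_protocol"] = struct.unpack("!H", ppp[2:4])[0]
    return hdr

def avp(attr: int, value: bytes, mandatory: bool = True) -> bytes:
    """Build one vendor-0 AVP (only used to construct the samples below)."""
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value

# Constructed SCCRQ: first control message of a tunnel, so tunnel ID is still 0.
# AVPs: Message Type = 1 (SCCRQ), Protocol Version = 1.0, Host Name = "gw-a".
_avps = avp(0, b"\x00\x01") + avp(2, b"\x01\x00") + avp(7, b"gw-a")
SCCRQ = struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | 2,
                    12 + len(_avps), 0, 0, 0, 0) + _avps
# Constructed data message for tunnel 9 / session 7 carrying a PPP-framed IP packet.
_ppp = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14" + bytes(16)
DATA = struct.pack("!HHHH", FLAG_L | 2, 8 + len(_ppp), 9, 7) + _ppp
```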


5.5. PPTP Design Goals and Overview

PPTP was designed to provide authenticated and encrypted communications between a client and a gateway or between two gateways—without requiring a public key infrastructure—by using a user ID and password. It was first delivered in 1996, two years before the availability of IPSec and L2TP. The design goal was simplicity, multiprotocol support, and ability to traverse a broad range of IP networks. The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for tunnel maintenance and Generic Routing Encapsulation (GRE) encapsulated PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or compressed. The use of PPP provides the ability to negotiate authentication, encryption, and IP address assignment services.

Table 1 summarizes some of the key technical differences between these three security protocols.

Table 1 Network Security Protocol Differences

Feature | Description | PPTP/PPP
--- | --- | ---
User Authentication | Can authenticate the user that is initiating the communications. | Yes
Machine Authentication | Authenticates the machines involved in the communications. | Yes2
NAT Capable | Can pass through Network Address Translators to hide one or both end-points of the communications. | Yes
Multiprotocol Support | Defines a standard method for carrying IP and non-IP traffic. | Yes
Dynamic Tunnel IP Address Assignment | Defines a standard way to negotiate an IP address for the tunneled part of the communications. Important so that returned packets are routed back through the same session rather than through a non-tunneled and unsecured path, and to eliminate static, manual end-system configuration. | Yes
Encryption | Can encrypt traffic it carries. | Yes
Uses PKI | Can use PKI to implement encryption and/or authentication. | Yes
Packet Authenticity | Provides an authenticity method to ensure packet content is not changed in transit. | No
Multicast Support | Can carry IP multicast traffic in addition to IP unicast traffic. | Yes

5.6. Microsoft Support for IPSec, L2TP, and PPTP

IPSec

The Microsoft Windows 2000 operating system simplifies deployment and management of network security with Windows IP Security, a robust implementation of IPSec. The IPSec protocol is an integral part of the TCP/IP protocol stack. Microsoft and Cisco Systems, Inc., have jointly developed IPSec and related services in Windows 2000. Interoperability is tested with Cisco and a number of other vendors for each of the examples below.

Using IPSec, you can provide privacy, integrity and authenticity for network traffic in the following situations:

• End-to-end security for IP unicast traffic, from client-to-server, server-to-server and client-to-client, using IPSec transport mode.
• Remote access VPN client and gateway functions using L2TP secured by IPSec transport mode.
• Site-to-site VPN connections, across outsourced private WAN or Internet-based connections, using L2TP/IPSec or IPSec tunnel mode.

Windows IP Security builds upon the IETF IPSec architecture by integrating with Windows 2000 domains and the Active Directory service. Active Directory delivers policy-based, directory-enabled networking. IPSec policy is assigned and distributed to Windows 2000 domain members through Windows 2000 Group Policy. Local policy configuration is provided, so membership in a domain is not required.

An automatic security negotiation and key management service is also provided using the IETF-defined Internet Key Exchange (IKE) protocol, RFC 2409. The implementation of IKE provides three authentication methods to establish trust between computers:

• Kerberos v5.0 authentication is provided by the Windows 2000 domain that serves as a Kerberos version 5.0 Key Distribution Center (KDC). This provides easy deployment of secure communications between Windows 2000 computers that are members in a domain or across trusted domains. IKE only uses the authentication properties of Kerberos, as documented in draft-ietf-ipsec-isakmp-gss-auth-02.txt. Key generation for IPSec security associations is done using IKE RFC 2409 methods.
• Public/private key signatures using certificates are compatible with several certificate systems, including Microsoft, Entrust, Verisign, and Netscape. This is part of RFC 2409.
• Passwords, termed pre-shared authentication keys, are used strictly for establishing trust between computers. This is part of RFC 2409.

Once configured with an IPSec policy, peer computers negotiate using IKE to establish a main security association for all traffic between the two computers. This involves authenticating using one of the methods above and generating a shared master key. The systems then use IKE to negotiate another security association for the application traffic they are trying to protect at the moment. This involves generating shared session keys. Only the two computers know both sets of keys. The data exchanged using the security association is very well protected against modification or interpretation by attackers who may be in the network. The keys are automatically refreshed according to IPSec policy settings to provide constant protection according to the administrator-defined policy.

For customers familiar with technical details of IPSec, Windows 2000 supports DES (56-bit key strength) and 3DES (168-bit key strength) encryption algorithms, and SHA-1 and MD5 integrity algorithms. These algorithms are supported in all combinations in the ESP format. Because the AH format provides only integrity and authenticity, only MD5 and SHA-1 are used.

L2TP

Windows 2000 includes L2TP support when used with IPSec for client-to-gateway and gateway-to-gateway configurations. In these configurations, all traffic from the client to a gateway, and all traffic between two gateways, is encrypted. This implementation has been tested with a variety of other vendor implementations of L2TP/IPSec.

PPTP

Windows 2000 includes PPTP support for client-to-gateway and gateway-to-gateway configurations. This implementation is consistent with the PPTP services available for the Microsoft Windows NT® Server, Windows NT Workstation, Windows 98, and Windows 95 operating systems. Customers can take advantage of their existing investment in Windows operating system–based platforms by using PPTP. Windows 2000-based systems can interoperate with Windows NT–based PPTP servers, and today's Windows–based systems interoperate with Windows 2000–based PPTP servers. In addition to password-based authentication, Windows 2000 PPTP can support public key authentication through the Extensible Authentication Protocol (EAP).

5.7. Remote Access Policy Management

Another dimension of security policy management that goes beyond encryption policy is access policy. In client-to-gateway and gateway-to-gateway situations, Windows 2000 provides a rich set of administrative policies that can be implemented to control user access through direct-dial, PPTP, and L2TP/IPSec connections. These access policies allow administrators to grant or deny access based upon a combination of user ID, time-of-day, protocol port, encryption level, and more. While available natively within a Windows 2000 Active Directory environment, these access policies can also be enforced on non-Windows 2000 environments through the use of RADIUS. For example, an existing Windows NT–based PPTP server can be configured to use a Windows 2000 Server to authenticate users through RADIUS. When used in this way, the Windows 2000 Server can be configured to enforce access policies and apply them to the Windows NT–based PPTP server. This is an example of how Windows 2000 can simplify and strengthen central administration during a transition to Windows 2000, and demonstrates one of the many benefits of using Windows 2000 for authentication in heterogeneous environments.

5.8. Client Management

As previously mentioned for IPSec, Active Directory is used to define and control IPSec policy. Installation of the PPTP, L2TP, and IPSec protocols is inherent in the installation of Windows 2000. Client configuration of these protocols for client-to-gateway scenarios can be accomplished in two ways:

• On end systems, a New Connections wizard prompts the user through a simple set of screens to configure the connection.
• In larger scale installations, the Connection Manager Administration Kit and Connection Point Services can be used together to deliver a customized remote access direct-dial and VPN client to corporate systems.

With these tools the administrator can provide the client with a specially configured profile that:

• Brands the dialer consistent with corporate remote access programs.
• Integrates customized help files and corporate remote access use licenses.
• Integrates applications and other tools for automatic launch at various stages of the connection process.
• Administers a central phonebook of remote access numbers.
• Contracts with Internet Service Providers (ISPs) for management of point-of-presence (POP) phone numbers.
• Configures clients to automatically update, and collates phonebooks from the ISP and the corporate phonebook servers.

The resulting profile can be distributed centrally to clients through Microsoft System Management Services, Web downloads, file transfers, e-mail, floppy disks, or CDs. This lets administrators centrally manage clients while users get a single interface that:

• Connects, regardless of type of protocol or connection (direct dial or VPN protocol).
• Hides the complexity of the connection process (single click access).
• Provides single sign-on using company user IDs (no separate ISP account required).

Based on customer feedback, Microsoft considers this to be one of the most important components for deploying VPN services.

6. SECURITY OF VPN:

The key word in "virtual private networks" is private. The last thing a business wants is to have sensitive corporate information end up in the hands of some pubescent hacker, or worse, the competition. Fortunately, VPNs are widely considered extremely secure, despite using public networks.

In order to authenticate the VPN's users, a firewall will be necessary. While in the past, firewalls have been a major source of headaches for network administrators, the new generation of firewalls are far simpler to create and maintain. Nowadays, there is a wide variety of hassle-free, prepackaged appliances to keep unwanted packets out of the network. Many "black box" security systems also include some sort of encryption system, although some VPNs do not.

Firewall products for VPNs, such as NetScreen, WatchGuard, or NetFortress, are often relatively simple, plug-and-play solutions for network security. The system can be connected to as many LANs as needed, keys are exchanged between the two units, and the VPN is complete. However, these solutions can come at a substantial cost, and the right choice will depend on the unique networking and security needs of the company or companies using the network. Generally, if you already own the appropriate equipment and Internet connection, an out-of-the-box solution is not necessary.

All VPNs require configuration of an access device, either software- or hardware-based, to set up a secure channel. A random user cannot simply log in to a VPN, as some information is needed to allow a remote user access to the network, or to even begin a VPN handshake. When used in conjunction with strong authentication, VPNs can prevent intruders from successfully authenticating to the network, even if they were able to somehow capture a VPN session.

Most VPNs use IPSec technologies, the evolving framework of protocols that has become the standard for most vendors. IPSec is useful because it is compatible with most different VPN hardware and software, and is the most popular for networks with remote access clients. IPSec requires very little knowledge for clients, because the authentication is not user-based, which means a token (such as SecurID or CryptoCard) is not used. Instead, the security comes from the workstation's IP address or its certificate, establishing the user's identity and ensuring the integrity of the network. An IPSec tunnel basically acts as the network layer protecting all the data packets that pass through, regardless of the application.

Depending on the solution used, it is possible to control the type of traffic sent over a VPN solution. Many devices allow the administrator to define group-based filters that control which IP addresses and protocol/port services are allowed through the tunnel. IPSec-based VPNs also allow the administrator to define a list of specific networks and applications to which traffic can be passed.
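The access policies of section 5.7 and the group-based tunnel filters just described, combined in one added example (not Microsoft's, Cisco's or any vendor's code): an ordered, deny-by-default rule evaluator for connection requests (user group, time of day, tunnel protocol, required encryption level), plus a per-group filter on destination address and protocol/port for packets inside the tunnel. The group names, rules, addresses and encryption strengths are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not Microsoft's, Cisco's or any vendor's code): a deny-by-default
# evaluator for remote access policies (section 5.7) and for per-group tunnel
# filters on address and protocol/port (section 6). All rules, groups and
# addresses below are constructed for illustration.

@dataclass(frozen=True)
class AccessRule:
    name: str
    groups: frozenset              # any overlap with the user's groups matches
    protocols: frozenset           # e.g. "PPTP", "L2TP/IPSec", "dialup"
    hours: range                   # local hours (0-23) during which the rule applies
    action: str                    # "grant" or "deny"
    min_encryption_bits: int = 0   # profile constraint enforced on a grant

@dataclass(frozen=True)
class ConnectRequest:
    user: str
    groups: frozenset
    protocol: str
    hour: int                      # local hour at connection time
    encryption_bits: int           # negotiated strength, 0 = no encryption

def evaluate_access(rules, req: ConnectRequest):
    """First matching rule decides, as with ordered RADIUS/RRAS policies; a grant is
    downgraded to deny when the negotiated encryption is weaker than the rule requires."""
    for rule in rules:
        if not (rule.groups & req.groups) or req.protocol not in rule.protocols:
            continue
        if req.hour not in rule.hours:
            continue
        if rule.action == "grant" and req.encryption_bits < rule.min_encryption_bits:
            return "deny", (f"{rule.name}: {req.encryption_bits}-bit encryption below "
                            f"required {rule.min_encryption_bits}")
        return rule.action, rule.name
    return "deny", "no matching rule (default deny)"

@dataclass(frozen=True)
class TunnelFilter:
    group: str
    network: str                   # destination prefix reachable through the tunnel
    protocol: str                  # "tcp", "udp" or "any"
    port: Optional[int] = None     # None = any port

def packet_allowed(filters, groups, dst_ip: str, protocol: str, port: int) -> bool:
    """Permit a tunneled packet only if a filter for one of the user's groups covers it."""
    dst = ip_address(dst_ip)
    for f in filters:
        if f.group not in groups or dst not in ip_network(f.network):
            continue
        if f.protocol not in ("any", protocol):
            continue
        if f.port is None or f.port == port:
            return True
    return False                   # nothing matched: drop, do not forward unfiltered

RULES = [
    AccessRule("contractors: no PPTP", frozenset({"contractors"}), frozenset({"PPTP"}),
               range(0, 24), "deny"),
    AccessRule("contractors: L2TP/IPSec, office hours", frozenset({"contractors"}),
               frozenset({"L2TP/IPSec"}), range(8, 18), "grant", 168),
    AccessRule("staff: any VPN, 128-bit or better", frozenset({"staff"}),
               frozenset({"PPTP", "L2TP/IPSec"}), range(0, 24), "grant", 128),
]
FILTERS = [
    TunnelFilter("contractors", "10.1.5.0/24", "tcp", 443),   # one HTTPS server only
    TunnelFilter("staff", "10.0.0.0/8", "any"),               # whole intranet
]
```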

One downside to IPSec-compliant products is that they provide access control over the network and transport layers only, and not a great deal of measures to selectively regulate access to individual resources within these hosts. If customers are given access to particular company information on a server, for instance, highly selective controls are needed to make sure they access only the information they've been authorized to see.

This type of selective or unidirectional access within a VPN is available in some non-IPSec solutions, such as Aventail's SOCKS 5 server. In a unidirectional connection, a two-way trusted relationship is not assumed as it is with tunneled VPNs. With this model, if there is some kind of breach in security, only the destination network is affected. SOCKS 5 is also able to handle virtually any authentication and encryption standards.

Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Forwarding (L2F) are also available, and although only a handful of firewall vendors support these security protocols, they are part of the reason why there is no current universally accepted standard. Although VPN vendors must decide which standard they use, it is the administrators who will eventually decide the outcome of this emerging technology. Because of factors like this, it is all the more important to make a wise, informed decision before purchasing a VPN.

7. VPN H/W & S/W SPECIFICATION:

Depending on the type of VPN (Remote-Access or Site-to-Site), you will need to put in place certain components to build your VPN. These might include:

• Desktop software client for each remote user
• Dedicated hardware such as a VPN Concentrator or Secure PIX Firewall
• Dedicated VPN server for dial-up services
• NAS (Network Access Server) used by service provider for remote user VPN access

VPN Concentrator: Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a Remote-Access VPN. They provide high availability, high performance and scalability and include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput. The Concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users to large enterprise organizations with up to 10,000 simultaneous remote users.

[Photo: The Cisco VPN 3000 Concentrator. Photo courtesy of Cisco Systems, Inc.]

VPN-optimized router: Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

[Photo: The Cisco 1750 Modular Access Router. Photo courtesy of Cisco Systems, Inc.]

Cisco Secure PIX Firewall: An amazing piece of technology, the PIX (Private Internet exchange) Firewall combines dynamic network address translation, proxy server, packet filtration, firewall and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

[Photo: The Cisco PIX Firewall. Photo courtesy of Cisco Systems, Inc.]

8. APPLICATION:

VPN/VOIP Application

Once you’ve set up your VPN network, you can easily save money
on interoffice long distance calling by bridging your voice network to your data network
with Multi-Tech’s MultiVOIP Voice over IP gateway. MultiVOIP is a point-to-point
solution (one box is required at each location) that merges voice/fax from traditional
telephones onto an IP data network. It then utilizes another MultiVOIP gateway at the
remote end to separate the voice/fax from the data network and send it back to the
receiving phone. With MultiVOIP a company can save thousands of dollars on recurring
long distance charges.


9. ADVANTAGES OF VPN:

There are a number of reasons to set up a VPN for remote access, but the
biggest selling point by far is the potential cost savings.

Using the Internet to distribute network services over long distances means companies no longer have to purchase expensive leased lines to branch or partners' offices, as a VPN connection needs only to use a relatively short dedicated connection. In an organization experiencing rapid growth, this can make an enormous difference in costs. As an organization adds companies to its network, the number of leased lines required climbs with it exponentially. In a traditional WAN, this can limit the flexibility for growth, whereas VPNs avoid this problem by tapping into an almost universally available network.

VPNs can further reduce costs by lessening the need for long-distance
telephone charges, as clients can gain access by dialing into the nearest service provider's
access point. While in some cases this may entail making a long-distance call or using an
800 service, a local call is usually sufficient. This can dramatically cut
telecommunications costs for enterprises with many international sites, sometimes in the
range of thousands of dollars per person, each month.

A third, more subtle way that VPNs may result in lower expenditures, is
through reducing the company's support burden. With a VPN, the service provider must
support dial-up access, instead of the organization using it. Theoretically, a public service
provider can charge much less for support, because its cost is shared among a wider
customer base.

Finally, VPNs save a company on operational costs for equipment previously used to support remote users. A company using a VPN can get rid of its modem pools, remote-access servers, and other WAN equipment and simply use its existing Internet installation. Many companies employ several links with different functions prior to setting up a VPN.

Companies enjoy the flexibility that comes with VPNs, since they
typically do not require long-term contracts, as is the case with most data services. This
allows companies to easily switch over to a lower-priced service if they so desire.
Companies can usually get a high-speed Internet connection established and configured
in a much shorter time than it takes to get a similar data service. In some foreign
countries, it can take as long as a year to get a leased line installed. For some industries,
such as construction or insurance, this can make a crucial difference in a company's
operations and financial health.

VPN technologies are also considered remarkably secure. Since the introduction of IPSec, VPN data protection has become more standardized among service providers. Data that is sent over VPNs is confidential, requiring authorization to be received or replayed. Users can authenticate packets to establish the validity of the information, and the integrity of the data is usually guaranteed.

Companies may also choose to build an extranet application on a VPN, in order to use its access controls and authentication services to deny or grant access to specific information for customers, trading partners or business associates. This can help build customer loyalty, as clients who are given higher levels of access would be less likely to switch to another business partner. The same technology can also be used internally to assign worker populations to segmented groups with different access levels. This solution is simpler and more economical than traditional methods used by IT managers.

A VPN-based extranet may replace a more expensive system, such as an electronic data interchange (EDI), which typically necessitates custom software and the use of a value-added network (VAN) provider. Some VANs charge upwards of $6 to $12 (US) per hour of connectivity, much more than ordinary service providers.

10. DISADVANTAGES OF VPN:

With the hype that has surrounded VPNs historically, the potential
pitfalls or "weak spots" in the VPN model can be easy to forget.

These four concerns with VPN solutions are often raised.

1. VPNs require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment.

2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.

3. VPN technologies from different vendors may not work well together due to immature standards.

4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.


11. CONCLUSION:

VPNs are an effective way to create secure communication channels across the Internet or between sensitive systems within a company’s internal network. With the inclusion of VPN support in Microsoft 2000, Cisco routers, Checkpoint 2000, and a host of other systems, the deployment of VPNs is going to become more commonplace. Without proper security design, these VPNs could add many more unwanted entrances to corporate networks. Use VPNs where appropriate, but ensure security issues including machine configuration, policy and user security awareness have been considered.


12. BIBLIOGRAPHY:

Our reference sites are:

www.iec.org
www.howstuffworks.com
www.ietf.org
www.vpnc.org
