Dynamic VPN

CONTENTS 1 Introduction 2 What is Dynamic Virtual Private Network 3 Introduction Of VPN 4 VPN Architecture 5 Basic VPN Requirements 6 Common Uses 7 Avantages & Disadvantages Of VPN 8 Why DVPN 9 DVPN Architecture 10 DVPN Example 11 Benefits Of DVPN 12 Limitations Of DVPN 13 Comparison Of VPN & DVPN 14 Conclusion

Page 1

Dynamic VPN

INTRODUCTION
Based on internet technology, intranets are becoming an essential part of corporate information systems today. However, internets were not originally designed with businesses in mind. It lacks the technology required for secure business transactions and communications. A challenge therefore arises for businesses with intranet, i.e. how to establish and maintain trust in an environment which was originally designed for open access to information. More specifically, a way has to be found to secure an intranet without impinging on its inherent benefits of flexibility, interoperability and ease of use. Unlike traditional VPNs that offer limited or inflexible security, a dynamic VPN provide both high levels of security and, equally important, the flexibility to accommodate dynamically changing groups of users and information needs. Our dynamic VPN can provide this flexibility based on a unique agent-based architecture as well as other features. Because information can now be made available in such a flexible and fine-grained fashion, a company's files, documents or data that had to locked in the past can now be accessed in either whole or in part to carefully selected groups of users in precisely determined ways. As a result, a dynamic VPN is an intranet enabler. It enables an intranet to offer more services and services than it could otherwise, thereby allowing the business to make more use of its information resources.

What is DYNAMIC VIRTUAL PRIVATE NETWORK

A Dynamic Virtual Private Network is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. DMVPN prevents the need for pre-configured (static) IPsec (Internet Protocol Security) peers in crypto-map configurations and ISAKMP (Internet Security Association and Key Management Protocol) peer statements. This feature of Cisco IOS allows greater scalability over previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as needed basis. Tunnels may be created between a spoke router and a hub router (VPN headend), or between spokes. This greatly alleviates the need for the hub to route data between spoke networks, as was common in a non-fully meshed frame relay topology. In order to accommodate new, changing and expanding groups of users and provide these users with information in a number of ways, intranets should deliver several benefits, including flexibility, interoperability, ease of use and extendibility. In particular, they should be open and and standards based, so information can be read by different users with different applications on different platforms. However, the benefits promised by intranets lead to an important challenge for businesses using this technology: how to establish and maintain trust in an environment which was designed originally for free and open access to information. The Internet was not designed with business security in mind. It was designed by universities as an open network where users could access, share and add to information as early as possible. A way has to be found to secure an intranet for businesses without impinging on the intranet's inherent benefits of flexibility interoperability and ease of use. Indeed, an ideal solution must also provide not only the highest levels of security but also security in such a way that users can easily access, modify and share more information, not less, under carefully controlled and maintained conditions.

Page 2

Dynamic VPN

The most appropriate and successful answer to this challenge will be a DYNAMIC VIRTUAL PRIVATE NETWORK. Unlike traditional VPNs that offer limited or inflexible security, a dynamic VPN provides both extremely high levels of security and, equally important, the flexibility to accommodate dynamically changing groups of users and information needs. A dynamic VPN is actually an intranet enabler. It enables an intranet to offer more resources and services than it could otherwise, thereby allowing the business to make more use of its information resources.

INTRODUCTION OF VPN
A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization.

Figure logical connection

A virtual private network (VPN) is the next version of a private network that includes links across public and networks like the Internet. A VPN permits to send data between two computers over a shared or public internetwork in such a manner that imitates the properties of a point-to-point private link. Virtual Private Networking means act of configuring and creating a virtual private network. VPNs do not provide any network services that aren't already offered by alternative mechanisms. But VPN makes a unique mixing of technologies that improve on the traditional approaches of technologies. VPN connections allow users working at home or on the road to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public internetwork (such as the Internet). From the users perspective, the VPN connection is a point-to-point connection between the users computer and a corporate server. The nature of the intermediate internetwork is irrelevant to the user because it appears as if the data is being sent over a dedicated private link. VPN technology also allows a corporation to connect to branch offices or to other companies over a public internetwork (such as the Internet), while maintaining secure communications. The VPN connection across the Internet logically operates as a wide area network (WAN) link between the sites. In both of these cases, the secure connection across the internetwork appears to the user as a private network communicationdespite the fact that this communication occurs over a public internetworkhence the name virtual private network.
Page 3

Dynamic VPN

VPN ARCHITECTURE
Designing a Virtual Private Network (VPN) into corporate network architecture should be done as an integral part of a company's overall information security plan. This plan should recognize that the company's information security is only as good as the weakest link in its protections. The weakest link will typically involve people, not technology used by people. Most security industry research shows that the majority of security breaches result from inadequate training of the people who are expected to use security technologies. The security features found in VPNs are designed to protect against the risks introduced by using the Internet as a transport method for private corporate data. A properly implemented VPN can be the strongest point in the network's overall security profile. The Internet is an incredible tool for information sharing. On the plus side, it's inexpensive, flexible and powerful and provides easy access via a well-defined, universal standard. The single biggest drawback when using the Internet is its openness and therefore a lack of privacy, a huge challenge when using the Internet for sensitive data. Three attributes of a properly implemented Virtual Private Network (VPN) will ensure user authentication, data integrity, and data confidentiality. By manipulating the basic Internet Protocol (IP), the transmission protocol that everyone uses to communicate across the Internet it is possible to build protections for specific information traveling over it. An international group of Internet experts from the Internet Engineering Task Force developed the IP Security Protocol Suite (IPSEC), a set of extensions for IP that deliver secure communications capabilities.

Fig architecture

These extensions enable the creation of secure Internet-based VPNs. IPSEC differs from other attempts to protect information-on-the-move by securing the network itself, not simply the individual applications being used. The fundamental assumption of the IPSEC design is that the network segments outside the communicating parties' own networks are insecure. Leading security experts now consider VPNs using IPSEC to be more secure than traditional private WAN or dial-in remote access service. Virtual Private Networks (VPNs) uses the tunnelling capability of IPSEC to transparently move private data across the public Internet. Tunnelling treats entire packets from a private internetwork as payload data that must be transported across a public transport network.
Page 4

Dynamic VPN

A Virtual Private Network (VPN) gateway acts as one end of a "tunnel," encapsulating entire packets from the private inter-network in new IP packets before they travel across the public Internet. The new packets, carrying the private source and destination addresses, are simple directed to a second VPN gateway that protects the other end of the transmission. The receiving gateway then recognizes and disassembles the encapsulated packet before passing its contents on to the correct address on the private internetwork. A variety of different network devices and software products can act as VPN gateways, including VPN access servers, VPN routers, and computers with VPN client software installed. The private network resources on each internal network, whether single machines or entire internetworks, remain unaware of the fact that the Internet is being used as a transmission medium. A VPN gateway forms the foundation of a secure Internet-based portal to those resources, since it is designed to unconditionally reject all Internet traffic that is not tunneled IPSEC.

BASIC VPN REQUIREMENTS

Typically, when deploying a remote networking solution, an enterprise needs to facilitate controlled access to corporate resources and information. The solution must allow roaming or remote clients to connect to LAN resources, and the solution must allow remote offices to connect to each other to share resources and information (router-to-router connections). In addition, the solution must ensure the privacy and integrity of data as it traverses the Internet. The same concerns apply in the case of sensitive data traversing a corporate internetwork. Therefore, a VPN solution should provide at least all of the following:

User Authentication. The solution must verify the VPN client's identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when. Address Management. The solution must assign a VPN client's address on the intranet and ensure that private addresses are kept private. Data Encryption. Data carried on the public network must be rendered unreadable to unauthorized clients on the network. Key Management. The solution must generate and refresh encryption keys for the client and the server. Multiprotocol Support. The solution must handle common protocols used in the public network. These include IP, Internetwork Packet Exchange (IPX), and so on.

An Internet VPN solution based on the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) meets all of these basic requirements and takes advantage of the broad availability of the Internet. Other solutions, including Internet Protocol Security (IPSec), meet only some of these requirements, but remain useful for specific situations.

Page 5

Dynamic VPN

COMMON USES OF VPNs

Remote Access Over the Internet VPNs provide remote access to corporate resources over the public Internet, while maintaining privacy of information. Figure 2 shows a VPN connection used to connect a remote user to a corporate intranet.

Figure : Using a VPN connection to connect a remote client to a private intranet Rather than making a long distance (or 1-800) call to a corporate or outsourced network access server (NAS), the user calls a local ISP. Using the connection to the local ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet. Connecting Networks Over the Internet There are two methods for using VPNs to connect local area networks at remote sites:

Using dedicated lines to connect a branch office to a corporate LAN. Rather than usingan expensive long-haul dedicated circuit between the branch office and the corporate hub, both the branch office and the corporate hub routers can use a local dedicated circuit and local ISP to connect to the Internet. The VPN software uses the local ISP connections and the Internet to create a virtual private network between the branch office router and corporate hub router. Using a dial-up line to connect a branch office to a corporate LAN. Rather than having a router at the branch office make a long distance (or 1-800) call to a corporate or outsourced NAS, the router at the branch office can call the local ISP. The VPN software uses the connection to the local ISP to create a VPN between the branch office router and the corporate hub router across the Internet.

Page 6

Dynamic VPN

Figure Using a VPN connection to connect two remote sites In both cases, the facilities that connect the branch office and corporate offices to the Internet are local. The corporate hub router that acts as a VPN server must be connected to a local ISP with a dedicated line. This VPN server must be listening 24 hours a day for incoming VPN traffic. Connecting Computers over an Intranet In some corporate internetworks, the departmental data is so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's confidential information, it creates information accessibility problems for those users not physically connected to the separate LAN.

Figure :Using a VPN connection to connect to a secured or hidden network

VPNs allow the department's LAN to be physically connected to the corporate internetwork but separated by a VPN server. The VPN server is not acting as a router between the corporate internetwork and the department LAN. A router would connect the two networks, allowing everyone access to the sensitive LAN. By using a VPN, the network administrator can ensure that only those users on the corporate internetwork who have appropriate credentials (based on a needto-know policy within the company) can establish a VPN with the VPN server and gain access to the protected resources of the department. Additionally, all communication across the VPN can be encrypted for data confidentiality. Those users who do not have the proper credentials cannot view the department LAN.

ADVANTAGES OF VIRTUAL PRIVATE NETWORK

VPNs promise two main advantages over competing approaches -- cost savings, and scalability. Costs Savings 1. One way a VPN lowers costs is by eliminating the need for expensive long-distance leased lines. With VPNs, an organization needs only a relatively short dedicated connection to the service provider. This connection could be a local leased or it could be a local broadband connection such as DSL service.
Page 7

Dynamic VPN

2. Another way VPNs reduce costs is by lessening the need for long-distance telephone charges for remote access. Recall that to provide remote access service, VPN clients need only call into the nearest service provider's access point. In some cases this may require a long distance call, but in many cases a local call will suffice. 3. A third, more subtle way that VPNs may lower costs is through offloading of the support burden. With VPNs, the service provider rather than the organization must support dial-up access for example. Service providers can in theory charge much less for their support than it costs a company internally because the public provider's cost is shared amongst potentially thousands of customers. Scalability and VPNs 1. The cost to an organization of traditional leased lines may be reasonable at first but can increase exponentially as the organization grows. A company with two branch offices, for example, can deploy just one dedicated line to connect the two locations. If a third branch office needs to come online, just two additional lines will be required to directly connect that location to the other two. 2. However, as an organization grows and more companies must be added to the network, the number of leased lines required increases dramatically. Four branch offices require six lines for full connectivity five offices require ten lines, and so on. Mathematicians call this phenomenon a combinatorial explosion, and in a traditional WAN this explosion limits the flexibility for growth. VPNs that utilize the Internet avoid this problem by simply tapping into the geographically-distributed access already available.

DISADVANTAGES OF VIRTUAL PRIVATE NETWORK

With the hype that has surrounded VPNs historically, the potential pitfalls or "weak spots" in the VPN model can be easy to forget. These four concerns with VPN solutions are often raised. 1. VPNs require an in-depth understanding of public network security issues and proper deployment of precautions. 2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control. 3. VPN technologies from different vendors may not work well together due to immature standards. 3. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Why DVPN?
The single major problem on the road to VPN is network security. Because VPN is connected to a public network. , the internet, it is prone to be hacked. Though all networks have some basic security that prevents such access they are often insufficient. The main threat is to the data that is transmitted through the internet. Then the user at this has to be sure that the person at the other is really the person who he claims to be. This protects data through a combination of encryption, host authentication and protocol tunneling. The commonly used basic protecting data is encryption. This involves scrambling the data using an algorithm so that even if
Page 8

Dynamic VPN

the transmitted data is tapped, it cannot be decoded without the correct key. Unlike traditional VPNs that offer limited or inflexible security, a dynamic VPN provide both high levels of security and, equally important, the flexibility to accommodate dynamically changing groups of users and information needs. Our dynamic VPN can provide this flexibility based on a unique agent-based architecture as well as other features. Because information can now be made available in such a flexible and fine-grained fashion, a company's files, documents or data that had to locked in the past can now be accessed in either whole or in part to carefully selected groups of users in precisely determined ways. As a result, a dynamic VPN is an intranet enabler. It enables an intranet to offer more services and services than it could otherwise, thereby allowing the business to make more use of its information resources. Dynamic VPN is Junipers clientless solution for remote access IPSEC VPN. This client is dynamically delivered from the SRX to end users, and simplifies remote access by enabling users to establish secure IPSec VPN tunnels without having to configure VPN settings on their computers. Dynamic-VPN is a licensed feature. Licenses are available for 5, 10, 25 and 50 concurrent users. A two user evaluation license is provided free of cost.

Platform support
Table below lists the minimum software release required to support DVPN on SRX platforms:

Platform SRX 100 SRX 210 SRX 240 SRX 650 SRX 3000 series SRX 5000 series

JUNOS release 10.0 9.6 9.6 Not supported yet Not supported Not supported

The Dynamic-VPN client is supported on Windows XP and Windows Vista both32 bit and 64 bit versions

The DVPN ARCHITECTURE

An illustration of the architecture is given in Figure 1. As far as possible the dynamic architecture makes use of existing forwarding and signalling methods, or schemes that are under consideration in IETF RFC documents .The principle addition is the inclusion of a new piece on equipment within each Autonomous System (AS), referred to as a Dynamic VPN Manager (DVM) and its associated communications protocols. Each DVM is responsible for managing VPN communities under its jurisdiction. This involves regulating the creating and membership of a given VPN. However, the DVM is not responsible for MPLS connection management and the formation of Label Switched Paths (LSPs). This action is left to separate connection management software that existing within the operators domain. The DVMs role is to identify the member end-points and to request the connection management function to interconnect them via LSPs that have the desired QoS characteristics.

Page 9

Dynamic VPN

These requests are made between the DVM and the LSRs originating the LSPs within the operators AS. Users, be they human or CE-based software entities, can request to create or join a VPN using DVM User-Network Interface (UNI) signalling. Assuming the DVM accepts the request, it then coordinates the setting up of LSPs between the users / entities as well as managing the use of certain processing resources that can be thought of as additional community members. The aim is to exploit an environment in which individual users can reserve / access on-demand computers, databases and experimental facilities simply and transparently, without having to consider where those facilities are located. It is possible that operators could provide grid-computing resource farms within their Autonomous System that users can connect to and exploit as part of their dynamic VPN. This provides a means for operators to not only to obtain revenue from the transport infrastructure but also by leasing the value added resources that form part of a specific communitys grid computing needs. For example, data storage facilities, high performance computing and access to specific databases could all be components of the communitys infrastructure requirements.

The DVM acts as an agent, liaising with separate resource and connection management software to deliver the infrastructure necessary for the business process action(s) that are to be undertaken. In order for the DVM to provide the management and coordination of the dynamic VPNs, it comprises a number of functional elements.

A
PE P CE PE PE P CE

B
Autonomous System 1

BGP Peering Inter DVM NNI Signalling User DVM UNI Signalling

A,B and C are PE Autonomous System 2 community members of an example VPN

VPN Community Member

(Human/Software App. Etc)

VPN Community Resource DVM / LSR Signalling DVM / AS Border Signalling DVM / Resource Mgr Signalling Physical Links PE / P Label Switched Routers AS Border Router / LER Dynamic VPN Manager

Page 10

Dynamic VPN

DVPN EXAMPLE
Dynamic VPN requires configuration only on the SRX services gateway. The example below illustrates how two remote users, Boston and Newyork will establish a secure tunnel and communicate with a protected resource behind the SRX gateway. The user first navigates to the URL https://10.0.0.1/dynamic-vpn. The address 10.0.0.1 is the IP address of the public interface of the SRX gateway. The user then authenticates to the SRX gateway. The Dynamic-VPN client along with the necessary configuration is automatically downloaded. The user will be prompted to enter the Xauth username and password. The tunnel is then established and a virtual interface will be created on the Windows PC along with routes for the protected resources.

Sequence of Events
This section describes the sequence of events in establishing an IPSec tunnel to access the protected resource behind the SRX gateway. 1. User points the browser to https://10.0.0.1/dynamic-vpn 2. The WEBAUTH process on the SRX gateway prompts the user for login credentials. The user can be authenticated by local database on the SRX device or via a RADIUS server.

Page 11

Dynamic VPN

3. Upon successful authentication IPSec client is downloaded to the users computer. 4. The user is then prompted to accept the certificate from the SRX gateway. Once the certificate is accepted, the relevant IPSec configuration to establish the tunnel is pushed from the SRX gateway to the IPSec client.

5. The dynamic client attempts to establish the IPSec tunnel. 6. The configuration on the SRX gateway initiates the XAUTH process, prompting the user for XAUTH credentials. XAUTH process on the SRX gateway requires a RADIUS server.

Page 12

Dynamic VPN

7. The user credentials are passed on to RADIUS server. The RADIUS server authenticates the user and also pushes an IP address and a subnet mask. In this example the client is assigned an IP address 5.1.1.100 and with subnet mask 255.255.255.0

8. The IKE and IPSec SAs are negotiated between the SRX and the dynamic-VPN client.

Page 13

Dynamic VPN

9. A virtual adapter is created on the client PC and routes to the protected resource are installed. 10. The user can now access the protected resources.

BENEFITS OF DYNAMIC VPN

Capabilities
TradeVPI is a set of applications and related services. TradeVPI allows a business to create and deploy a dynamic VPN solution with the following capabilities: Provides "industrial-strength" security Accommodates dynamically changing communities of users Provides the ability to exchange information in various forms (Web pages, files, etc.) Accommodates different users with different browsers, applications, operating systems, etc. Allows users to join groups or administrators to assign identities in a controlled but simple fashion Maintains integrity over time, regardless of administrative turnover, changes in technology or the increasing complexity of the corporate information system

Enabling Intranets for Business

A dynamic VPN based on TradeVPI offers businesses the ability to use intranets and Internet technology with the assurance that communications and transactions will be protected by the highest levels of security. At the same time, a dynamic VPN allows businesses to extend their communications and information access in a controlled, yet versatile, fashion. Instead of being designed primarily to "lock out" certain users with limited or inflexible security schemes, a dynamic VPN is designed to provide the highest level of freedom in a secure environment. As a result, the largest number of users can do the greatest amount of work with the broadest range of information. Because information can now be made available in such a dynamic and fine-grained fashion, a company's files, documents or data that had to be locked away in the past can now be accessed either in whole or in part to carefully selected groups of users in precisely determined ways. As a result, a dynamic VPN is actually an intranet enabler. It enables an intranet to offer more resources and services than it could otherwise, thereby allowing the business to make more use of its information resources. Speaking in business terms, a company implements a dynamic VPN for the same reasons it implemented an intranet in the first place: flexible

Page 14

Dynamic VPN

communications, interoperability, extendibility, ease of use, etc. A dynamic VPN simply allows a company to receive these intranet benefits to a full and appropriate degree. Conversely, without a dynamic VPN, a company will not receive the full benefits of intranet technology, nor can it receive an adequate return on its investment in this technology.

Security Mechanisms
In order to better understand how VPNs work, including TradeWave's TradeVPI, we need to first examine some of the basic elements of a secure network system. The main advantage offered by public-key technology is increased security. Although slower than some private-key systems, public-key encryption generally is more suitable for intranets for three reasons: 1) It is more scalable to very large systems with tens of millions of users. 2) It has a more flexible means of authentication, and 3) It can support digital signatures. Public-key technology also enables non-repudiation enforcement to verify the transmission or receipt of a given transaction.

LIMITATIONS OF DVPN
1. To use the Dynamic VPN featurs you purchase and licenses for the clients.This isnt a limitation on the number of clients,but rather the number of clients which can connect at the same time.See the data sheets for more information on platform specific limits. 2. Only window XP and Vista (both 32 and 64-bit) are supported by the Dynamic VPn client.Window 7 support will come in the future, so stay tuned for the release notes. 3. Dynamic VPN requires XAuth, and XAuth does not support local authention in 10.2.this means you must use a RADIUS server to authenticate the remote client.local XAuth authentication will be supported.

COMPARSION B/W VPN & DVPN

A dynamic virtual private network (DVPN) is a secure network that exchanges data between sites without needing to pass traffic through an organization's headquarter virtual private network (VPN) server or router. VPNs traditionally connect each remote site to the headquarters; the DVPN essentially creates a mesh VPN topology. This means that each site (spoke) can connect directly with all other sites, no matter where they are located. A DVPN service runs on VPN routers and firewall concentrators. Each remote site has a router configured to connect to the companys headquarters VPN device (hub), providing access to the resources available. When two spokes are required to exchange data between each other -- for a VoIP telephone call, for example -- the spoke will contact the hub, obtain the necessary information about the other end, and create a dynamic IPsec VPN tunnel directly between them. Example network diagram of a dynamic VPN

Page 15

Dynamic VPN

Direct spoke-to-spoke deployments provide a number of advantages when compared to traditional VPN deployments: Traffic between remote sites does not need to traverse the hub (headquarter VPN router). A DVPN deployment eliminates additional bandwidth requirements at the hub. DVPNs eliminate additional network delays. DVPNs conserve WAN bandwidth. They lower costs for VPN circuits. They increase resiliency and redundancy. DVPN deployments include mechanisms such as GRE tunneling and IPsec encryption with Next Hop Resolution Protocol (NHRP) routing that are designed to reduce administrative burden and provide reliable dynamic connectivity between sites. It is in every companys advantage to make use of DVPN where possible, to help reduce WAN costs and increase bandwidth and reliability.

Page 16

Dynamic VPN

CONCLUSION
A Dynamic Multipoint Virtual Private Network is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. DVPN prevents the need for preconfigured (static) IPsec (Internet Protocol Security) peers in crypto-map configurations and ISAKMP (Internet Security Association and Key Management Protocol) peer statements. Unlike traditional VPNs that offer limited or inflexible security, a dynamic VPN provide both high levels of security and, equally important, the flexibility to accommodate dynamically changing groups of users and information needs. Our dynamic VPN can provide this flexibility based on a unique agent-based architecture as well as other features. The most appropriate and successful answer to this challenge will be a DYNAMIC VIRTUAL PRIVATE NETWORK. Unlike traditional VPNs that offer limited or inflexible security, a dynamic VPN provides both extremely high levels of security and, equally important, the flexibility to accommodate dynamically changing groups of users and information needs.

Page 17

Dynamic VPN

REFERENCES
http://searchenterprisewan.techtarget.com/definition/Dynamic-multipoint-VPNDMVPN http://searchenterprisewan.techtarget.com/definition/Dynamic-multipoint-VPNDMVPN http://acronyms.thefreedictionary.com/DVPN http://www.techopedia.com/definition/25872/dynamic-virtual-private-networkdvpn

Page 18