Seminar
On
ABSTRACT
The Virtual Private Network (VPN) has attracted the attention of many organizations looking to both expand their networking capabilities and reduce their costs. VPNs can be found in workplaces and homes, where they allow employees to safely log into company networks. Telecommuters and those who travel often find a VPN a more convenient way to stay "plugged in" to the corporate intranet. No matter your current involvement with VPNs, this is a good technology to know something about. A study of VPNs involves many interesting aspects of network protocol design, Internet security, network service outsourcing, and technology standards.
Remote access client connections
LAN-to-LAN internetworking
Controlled access within an intranet
These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public. Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other.
INDEX
1. INTRODUCTION 1
   1.1. DEFINITION
   1.2. OVERVIEW
2. WORKING OF VPN 3
   2.1. EXAMPLE USE OF VPN
3. TYPES OF VPN 9
   3.1. VIRTUAL LEASED LINE (VLL)
   3.2. VIRTUAL PRIVATE ROUTED NETWORK (VPRN)
   3.3. VIRTUAL PRIVATE DIAL-UP NETWORK (VPDN)
   3.4. VIRTUAL PRIVATE LAN SEGMENT (VPLS)
   3.5. INTRANET VPN
   3.6. EXTRANET VPN
   3.7. REMOTE ACCESS VPN
4. TUNNELING 16
5. TUNNELING PROTOCOLS 18
   5.1. MOTIVE OF PROTOCOLS
   5.2. HISTORY
   5.3. IPSec DESIGN GOALS AND OVERVIEW
   5.4. L2TP DESIGN GOALS AND OVERVIEW
   5.5. PPTP DESIGN GOALS AND OVERVIEW
   5.6. MICROSOFT SUPPORT FOR IPSec, L2TP & PPTP
   5.7. REMOTE ACCESS POLICY MANAGEMENT
   5.8. CLIENT MANAGEMENT
6. SECURITY OF VPN 26
7. VPN H/W & S/W SPECIFICATION 27
8. APPLICATION OF VPN 29
9. ADVANTAGES OF VPN 30
10. DISADVANTAGES OF VPN 31
11. CONCLUSION 32
12. BIBLIOGRAPHY 33
1. INTRODUCTION:
1.1. Definition
An Internet-based virtual private network (VPN) uses the open, distributed infrastructure of the Internet to transmit data between corporate sites.
1.2. Overview
Why develop a VPN?
Businesses today are faced with supporting a broader variety of communications among a wider range of sites even as they seek to reduce the cost of their communications infrastructure. Employees are looking to access the resources of their corporate intranets as they take to the road, telecommute, or dial in from customer sites. Plus, business partners are joining together in extranets to share business information, either for a joint project of a few months' duration or for long-term strategic advantage. At the same time, businesses are finding that past solutions to wide-area networking between the main corporate network and branch offices, such as dedicated leased lines or frame-relay circuits, do not provide the flexibility required for quickly creating new partner links or supporting project teams in the field.
Meanwhile, the growth of the number of telecommuters and an increasingly mobile sales force is eating up resources as more money is spent on modem banks, remote-access servers, and phone charges. The trend toward mobile connectivity shows no sign of abating; Forrester Research estimated that more than 80 percent of the corporate workforce would have at least one mobile computing device by 1999.
Comparison of VPN with existing networks:
First and foremost are the cost savings of Internet VPNs when compared to traditional VPNs. A traditional corporate network built using leased T1 (1.5 Mbps) links and T3 (45 Mbps) links must deal with tariffs that are structured to include an installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees that are greater than typical fees for leased Internet connections of the same speed. Leased Internet lines offer another cost advantage because many providers offer prices that are tiered according to usage. For businesses that require the use of a full T1 or T3 only during busy times of the day but do not need the full bandwidth most of the time, ISP services such as burstable T1 are an excellent option. Burstable T1 provides on-demand bandwidth with flexible pricing. For example, a customer who signs up for a full T1 but whose traffic averages 512 kbps of usage on the T1 circuit will pay less than a T1 customer whose average monthly traffic is 768 kbps. Because point-to-point links are not a part of the Internet VPN, companies do not have to support one of each kind of connection, further reducing equipment and support costs. With traditional corporate networks, the media that serve smaller branch offices, telecommuters, and mobile workers (digital subscriber line (xDSL), integrated services digital network (ISDN), and high-speed modems, for instance) must be supported by additional equipment at corporate headquarters. In a VPN, not only can T1 or T3 lines be used between the main office and the ISP, but many other media can be used to connect smaller offices and mobile workers to the ISP and, therefore, to the VPN without installing any added equipment at headquarters.
VPN resolves the limitations of ordinary networks:
VPNs using the Internet have the potential to solve many of these business networking problems. VPNs allow network managers to connect remote branch offices and project teams to the main corporate network economically and provide remote access to employees while reducing the in-house requirements for equipment. Rather than depend on dedicated leased lines or frame relay's permanent virtual circuits (PVCs), an Internet-based VPN uses the open, distributed infrastructure of the Internet to transmit data between corporate sites.
Companies using an Internet VPN set up connections to the local connection points (called points-of-presence [POPs]) of their Internet service provider (ISP) and let the ISP ensure that the data is transmitted to the appropriate destinations via the Internet, leaving the rest of the connectivity details to the ISP's network and the Internet infrastructure. Because the Internet is a public network with open transmission of most data, Internet-based VPNs include measures for encrypting data passed between VPN sites, which protects the data against eavesdropping and tampering by unauthorized parties. In addition, VPNs are not limited to corporate sites and branch offices. As an added advantage, a VPN can provide secure connectivity for mobile workers. These workers can connect to their company's VPN by dialing into the POP of a local ISP, which reduces the need for long-distance charges and outlays for installing and maintaining large banks of modems at corporate sites. While VPNs offer direct cost savings over other communications methods (such as leased lines and long-distance calls), they can also offer other advantages, including indirect cost savings as a result of reduced training requirements and equipment, increased flexibility, and scalability.
2. WORKING OF VPN:
The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or even around the world. But there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are. Until recently, this has meant the use of leased lines to maintain a Wide Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital Network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand their private network beyond their immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. Now, many companies are creating their own VPNs (Virtual Private Networks) to accommodate the needs of remote employees and distant offices.
[Figure (image courtesy of Cisco Systems, Inc.): A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.]
Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone. The traffic reaches these backbones using any combination of access technologies, including T1, frame relay, ISDN, ATM or simple dial access. VPNs use familiar networking technology and protocols. The client sends a stream of encrypted Point-to-Point Protocol (PPP) packets to a remote server or router, except that instead of going across a dedicated line (as in the case of WANs), the packets go across a tunnel over a shared network. The general idea behind using this method is that a company reduces the recurring telecommunications charges that are shouldered when connecting remote users and branch offices to resources in a corporation's headquarters. The most commonly accepted method of creating VPN tunnels is by encapsulating a network protocol (including IPX, NetBEUI, AppleTalk, and others) inside PPP, and then encapsulating the entire package inside a tunneling protocol, which is typically IP, but could also be ATM or frame relay. This increasingly popular approach is called Layer 2 tunneling, because the passenger is a Layer-2 Tunneling Protocol (L2TP). Using this VPN model, packets headed towards the remote network will reach a tunnel-initiating device, which can be anything from an extranet router to a PC with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then encrypts the package for security before transmitting to the terminator, which decrypts the packet and delivers it to the appropriate destination on the network. L2TP is the combination of Cisco Systems' Layer-2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol, including IP, IPX, and AppleTalk, as well as any WAN backbone technology, including frame relay, ATM, X.25, and SONET. Because of L2TP's use of Microsoft's PPTP, it is included as part of the remote access features of most Windows products. Another approach to VPN is SOCKS 5, which follows a proxy server model and works at the TCP socket level. It requires a SOCKS 5 server and appropriate software in order to work. The SOCKS 5 client intercepts a request for service and checks it against a security database.
If the request is granted, the server establishes an authenticated session with the client, acting as a proxy. This allows network managers to apply specific controls, proxy traffic, and specify which applications can cross the firewall into the Internet. VPN technology can be used for site-to-site connectivity as well, which would allow a branch office with multiple access lines to get rid of the data line and move traffic over the existing Internet access connection. Since many sites use multiple lines, this can be a very useful application, and it can be deployed without adding additional equipment or software.
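The SOCKS 5 exchange described above (client request, check against a security database, authenticated session, and the ruleset that decides which destinations may cross the firewall) is shown below as an added Python example; it is not code from the report or from any SOCKS product. The message layouts follow RFC 1928 (handshake and CONNECT request) and RFC 1929 (username/password sub-negotiation); the users, passwords, destination ruleset, and the 198.51.100.2 bound address are constructed for the demo, and the server only evaluates the messages, it does not open real TCP connections.

```python
import hmac
import ipaddress
import struct

SOCKS_VER = 5
METHOD_USERPASS = 0x02           # username/password sub-negotiation (RFC 1929)
NO_ACCEPTABLE_METHODS = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02           # "connection not allowed by ruleset"
REP_CMD_NOT_SUPPORTED = 0x07
REP_ATYP_NOT_SUPPORTED = 0x08


class Socks5Server:
    """Server side of the SOCKS 5 handshake with a per-user destination ruleset (constructed example)."""

    def __init__(self, users: dict, rules: dict):
        self.users = users            # username -> password: the "security database"
        self.rules = rules            # username -> set of (ip, port) the user may reach
        self.user = None

    def greeting(self, msg: bytes) -> bytes:
        # Client: VER | NMETHODS | METHODS  ->  Server: VER | METHOD   (RFC 1928 section 3)
        nmethods = msg[1]
        if msg[0] != SOCKS_VER or METHOD_USERPASS not in msg[2:2 + nmethods]:
            return bytes([SOCKS_VER, NO_ACCEPTABLE_METHODS])   # anonymous access is refused
        return bytes([SOCKS_VER, METHOD_USERPASS])

    def authenticate(self, msg: bytes) -> bytes:
        # Client: VER=1 | ULEN | UNAME | PLEN | PASSWD  ->  Server: VER=1 | STATUS   (RFC 1929)
        if msg[0] != 1:
            return bytes([1, 0x01])
        ulen = msg[1]
        uname = msg[2:2 + ulen].decode("utf-8", "replace")
        plen = msg[2 + ulen]
        passwd = msg[3 + ulen:3 + ulen + plen]
        expected = self.users.get(uname, "").encode()
        if not expected or not hmac.compare_digest(expected, passwd):
            return bytes([1, 0x01])   # any non-zero status means failure; the connection is closed
        self.user = uname
        return bytes([1, 0x00])

    def request(self, msg: bytes) -> bytes:
        # Client: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT   (RFC 1928 section 4)
        if self.user is None:
            return self._reply(REP_NOT_ALLOWED)
        ver, cmd, _, atyp = msg[:4]
        if ver != SOCKS_VER or atyp != ATYP_IPV4:      # this example handles IPv4 destinations only
            return self._reply(REP_ATYP_NOT_SUPPORTED)
        if cmd != CMD_CONNECT:
            return self._reply(REP_CMD_NOT_SUPPORTED)
        dst = (str(ipaddress.IPv4Address(msg[4:8])), struct.unpack("!H", msg[8:10])[0])
        if dst not in self.rules.get(self.user, set()):
            return self._reply(REP_NOT_ALLOWED)         # policy is decided before any connection is made
        # A real server would now connect to dst and relay bytes; the bound address here is constructed.
        return self._reply(REP_SUCCEEDED, "198.51.100.2", 40000)

    @staticmethod
    def _reply(rep: int, bnd_addr: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
        return (bytes([SOCKS_VER, rep, 0, ATYP_IPV4])
                + ipaddress.IPv4Address(bnd_addr).packed + struct.pack("!H", bnd_port))


def client_greeting() -> bytes:
    return bytes([SOCKS_VER, 1, METHOD_USERPASS])


def client_auth(user: str, password: str) -> bytes:
    u, p = user.encode(), password.encode()
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host: str, port: int) -> bytes:
    return bytes([SOCKS_VER, CMD_CONNECT, 0, ATYP_IPV4]) + ipaddress.IPv4Address(host).packed + struct.pack("!H", port)


def run_session(server: Socks5Server, user: str, password: str, host: str, port: int):
    """Drive one client/server exchange; return the CONNECT reply code, or a string if it never got that far."""
    if server.greeting(client_greeting())[1] != METHOD_USERPASS:
        return "no-acceptable-method"
    if server.authenticate(client_auth(user, password))[1] != 0:
        return "auth-failed"
    return server.request(client_connect(host, port))[1]


def demo():
    """Constructed users and ruleset: alice may reach only the intranet web server."""
    users = {"alice": "correct horse battery"}
    rules = {"alice": {("10.0.0.25", 443)}}
    return {
        "allowed": run_session(Socks5Server(users, rules), "alice", "correct horse battery", "10.0.0.25", 443),
        "blocked_by_ruleset": run_session(Socks5Server(users, rules), "alice", "correct horse battery", "10.0.0.25", 22),
        "bad_password": run_session(Socks5Server(users, rules), "alice", "wrong", "10.0.0.25", 443),
        "unknown_user": run_session(Socks5Server(users, rules), "mallory", "x", "10.0.0.25", 443),
    }
```

The point the report makes is visible in the reply codes: the same authenticated user gets reply 0 for the permitted web server and reply 2 ("not allowed by ruleset") for port 22 on the same host, so the proxy grants access per destination and application rather than to the whole network, which is the selective control a tunneled VPN cannot give.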
2.1. Example use of VPN:
Step 1. The remote user dials into their local ISP and logs into the ISP's network as usual.
Step 2. When connectivity to the corporate network is desired, the user initiates a tunnel request to the destination security server on the corporate network. The security server authenticates the user and creates the other end of the tunnel.
Step 3. The user then sends data through the tunnel; the data is encrypted by the VPN software before being sent over the ISP connection.
Step 4. The destination security server receives the encrypted data and decrypts it. The security server then forwards the decrypted data packets onto the corporate network. Any information sent back to the remote user is also encrypted before being sent over the Internet.
The figure below illustrates that VPN software can be used from any location through any existing ISP's dial-in service.
[Figure 3.1: Virtual Leased Lines (VLL)]
VPRN Requirements
1. VPN Identifier: the use of a globally unique VPN identifier.
2. VPRN membership determination: an edge router must learn of the local stub links that are in each VPRN and the set of other routers that have members in that VPRN.
3. Stub link reachability information: an edge router must learn the set of addresses and address prefixes reachable via each stub link.
4. Intra-VPRN reachability information: an edge router must disseminate the address prefix information associated with each of its stub links to each other edge router in the VPRN.
5. Tunneling mechanism: an edge router must construct the necessary tunnels to other routers that have members in the VPRN, and must perform the encapsulation and decapsulation necessary to send and receive packets over the tunnels.
Voluntary Tunnel
A voluntary tunnel refers to the case where an individual host connects to a remote site using a tunnel originating on the host, with no involvement from intermediate network nodes. The tunnel mechanism chosen can be IPSec or L2TP. There is considerable overhead with such a protocol stack, particularly when IPSec is also needed. The overhead consists of both extra headers in the data plane and extra control protocols needed in the control plane.
The branch office scenario securely connects two trusted intranets within the organization. Routers or firewalls with VPN capabilities, acting as gateways for the office, can be used to protect the corporate traffic. They provide the necessary data authentication and encryption.
Design Considerations
The clients have to support the IPSec protocols. Client addresses are dynamic, hence dynamic tunnel establishment is needed. Manual tunnels are possible only in the case of fixed remote client IP addresses. Dial-in traffic that cannot be authenticated will be rejected by the firewall.
4. TUNNELING:
Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network. Tunneling requires three different protocols:
Carrier protocol: the protocol used by the network that the information is traveling over.
Encapsulating protocol: the protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data.
Passenger protocol: the original data (IPX, NetBEUI, IP) being carried.
Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet. In a site-to-site VPN, GRE (Generic Routing Encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet you are encapsulating and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces to be used. In a remote-access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Remote-access VPN tunneling relies on PPP. Each of the protocols listed below was built using the basic structure of PPP and is used by remote-access VPNs.
L2F (Layer 2 Forwarding): developed by Cisco, L2F will use any authentication scheme supported by PPP.
PPTP (Point-to-Point Tunneling Protocol): PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.
L2TP (Layer 2 Tunneling Protocol): the most recent addition, L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec.
L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:
Client and Router
NAS and Router
Router and Router
[Figure: The truck is the carrier protocol, the box is the encapsulating protocol and the computer is the passenger protocol.]
Think of tunneling like having a computer delivered to you by UPS. The vendor packs the computer (passenger protocol) into a box (encapsulating protocol), which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your home (exit tunnel interface) and delivers the computer. You open the box (encapsulating protocol) and remove the computer (passenger protocol). Tunneling is just that simple! As you can see, VPNs are a great way for a company to keep its employees and partners connected no matter where they are.
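The three-layer picture of the tunneling section (passenger protocol inside an encapsulating protocol inside a carrier protocol) is made concrete below as an added Python example; it is not code from the report. It builds the site-to-site case the text describes: a passenger IPv4 packet between two private RFC 1918 addresses, a basic GRE header (RFC 2784) as the encapsulating protocol, and a public-addressed IPv4 carrier header with a correct RFC 791 checksum; the exit tunnel interface then checks each layer (carrier checksum, protocol 47, the expected tunnel peer, GRE version and protocol type) before releasing the passenger. All addresses and the payload are constructed; the checksum-present GRE option is deliberately left unhandled to keep the header at four bytes.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # carrier IPv4 header value meaning "GRE follows"
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 passenger (RFC 2784)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def parse_ipv4(packet: bytes):
    """Validate version, length fields and checksum; return (src, dst, proto, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or ihl > total_len:
        raise ValueError("bad IPv4 length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Entry tunnel interface: passenger -> GRE (encapsulating) -> IPv4 (carrier)."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # C=0, reserved=0, version=0
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes, expected_tunnel_src: str) -> bytes:
    """Exit tunnel interface: check each layer before handing the passenger to the LAN."""
    src, _, proto, payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        raise ValueError("carrier payload is not GRE")
    if src != expected_tunnel_src:      # only accept tunnels from the configured peer
        raise ValueError("GRE from unexpected tunnel endpoint %s" % src)
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:              # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x8000:              # checksum-present bit: header would be 8 bytes
        raise ValueError("GRE checksum option not handled in this example")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger protocol type 0x%04x" % ptype)
    return payload[4:]


def demo():
    """Constructed sample: a private-address IPv4 passenger crossing a public carrier."""
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 17, 4) + b"ping"       # 24 bytes, RFC 1918 addresses
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.7")      # documentation-range public addresses
    recovered = gre_decapsulate(outer, expected_tunnel_src="198.51.100.1")
    inner_src, inner_dst, inner_proto, data = parse_ipv4(recovered)
    return {"outer_len": len(outer), "outer_proto": parse_ipv4(outer)[2],
            "inner_src": inner_src, "inner_dst": inner_dst, "inner_proto": inner_proto,
            "data": data, "intact": recovered == inner}


def rejected(packet: bytes, expected_tunnel_src: str):
    """Return the reason the exit interface refuses a packet, or None if it accepts it."""
    try:
        gre_decapsulate(packet, expected_tunnel_src)
    except ValueError as err:
        return str(err)
    return None
```

Note what the carrier does and does not give: the inner packet with its 10.x.x.x addresses travels untouched across the public network, but GRE alone adds no confidentiality or integrity, so a bit flipped in transit is caught only by the carrier checksum, and a forged carrier source address is caught only because the exit interface insists on the configured peer. That gap is exactly what the IPSec tunnel mode mentioned in the same paragraph fills.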
5. TUNNELING PROTOCOLS:
5.1. Motive of protocols:
Four different protocols have been suggested for creating VPNs over the Internet: point-to-point tunneling protocol (PPTP), layer-2 forwarding (L2F), layer-2 tunneling protocol (L2TP), and IP security protocol (IPSec). One reason for the number of protocols is that, for some companies, a VPN is a substitute for remote-access servers, allowing mobile users and branch offices to dial into the protected corporate network via their local ISP. For others, a VPN may consist of traffic traveling in secure tunnels over the Internet between protected LANs. The protocols that have been developed for VPNs reflect this dichotomy. PPTP, L2F, and L2TP are largely aimed at dial-up VPNs, while IPSec's main focus has been LAN-to-LAN solutions.
5.2. History:
One of the first protocols deployed for VPNs was PPTP. It has been a widely deployed solution for dial-in VPNs since Microsoft included support for it in RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for Windows 95. Microsoft's inclusion of a PPTP client in Windows 98 practically ensures its continued use for the next few years, although it is not likely that PPTP will become a formal standard endorsed by any of the standards bodies (like the Internet Engineering Task Force [IETF]). The most commonly used protocol for remote access to the Internet is point-to-point protocol (PPP). PPTP builds on the functionality of PPP to provide remote access that can be tunneled through the Internet to a destination site. As currently implemented, PPTP encapsulates PPP packets using a modified version of the generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as Internet packet exchange (IPX) and network basic input/output system extended user interface (NetBEUI). Because of its dependence on PPP, PPTP relies on the authentication mechanisms within PPP, namely password authentication protocol (PAP) and CHAP. Because there is a strong tie between PPTP and Windows NT, an enhanced version of CHAP, MS-CHAP, is also used, which utilizes information within NT domains for security. Similarly, PPTP can use PPP to encrypt data, but Microsoft has also incorporated a stronger encryption method called Microsoft point-to-point encryption (MPPE) for use with PPTP. Aside from the relative simplicity of client support for PPTP, one of the protocol's main advantages is that PPTP is designed to run at open systems interconnection (OSI) Layer 2, or the link layer, as opposed to IPSec, which runs at Layer 3. By supporting data communications at Layer 2, PPTP can transmit protocols other than IP over its tunnels. PPTP does have some limitations. For example, it does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users.
5.3. IPSec design goals and overview:
IPSec defines two packet formats:
IP protocol 50, called the Encapsulating Security Payload (ESP) format, which provides privacy, authenticity, and integrity.
IP protocol 51, called the Authentication Header (AH) format, which provides only integrity and authenticity for packets, but not privacy.
IPSec can be used in two modes: transport mode, which secures an existing IP packet from source to destination, and tunnel mode, which puts an existing IP packet inside a new IP packet that is sent to a tunnel end point in the IPSec format. Both transport and tunnel mode can be encapsulated in ESP or AH headers. IPSec transport mode was designed to provide security for IP traffic end-to-end between two communicating systems, for example to secure a TCP connection or a UDP datagram. IPSec tunnel mode was designed primarily for network midpoints, routers, or gateways, to secure other IP traffic inside an IPSec tunnel that connects one private IP network to another private IP network over a public or untrusted IP network (for example, the Internet). In both cases, a complex security negotiation is performed between the two computers through the Internet Key Exchange (IKE), normally using PKI certificates for mutual authentication. The IETF RFC IPSec tunnel protocol specifications did not include mechanisms suitable for remote access VPN clients. Omitted features include user authentication options and client IP address configuration. To use IPSec tunnel mode for remote access, some vendors chose to extend the protocol in proprietary ways to solve these issues. While a few of these extensions are documented as Internet drafts, they lack standards status and are not generally interoperable. As a result, customers must seriously consider whether such implementations offer suitable multi-vendor interoperability.
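To show what "integrity and authenticity, but not privacy" means in practice, the following added Python example (not code from the report) implements the receiving side of the AH format for one security association: the header layout of RFC 2402 with an HMAC-SHA1-96 integrity check value (RFC 2404, the SHA-1 integrity algorithm the report later names), plus the 64-packet anti-replay window that IPSec keeps per inbound SA. The payload stays in clear text, which is the AH property. Two simplifications are assumed and marked in the code: the ICV is computed over the AH header and payload only (a real implementation also covers the immutable fields of the surrounding IP header), and the key, SPI and datagrams are constructed for the demo rather than negotiated by IKE.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51
ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): the first 96 bits of HMAC-SHA1
AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence number


def ah_build(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """Sender: prepend an AH header whose ICV covers the header (ICV field zeroed) and the payload.
    Simplification: the immutable fields of the outer IP header are not included in the ICV here."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2       # AH length in 32-bit words, minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


class AhReceiver:
    """Inbound side of one security association: integrity check plus anti-replay window."""
    WINDOW = 64

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.highest = 0     # highest sequence number verified so far
        self.bitmap = 0      # bit i set  <=>  sequence number (highest - i) already verified

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest:            # to the right of the window: new
            return True
        diff = self.highest - seq
        return diff < self.WINDOW and not (self.bitmap >> diff) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (next_header, payload); raise ValueError and leave the window untouched otherwise."""
        next_header, payload_len, _, spi, seq = AH_FIXED.unpack(packet[:AH_FIXED.size])
        if spi != self.spi:
            raise ValueError("unknown SPI 0x%x" % spi)
        hdr_len = (payload_len + 2) * 4
        icv, payload = packet[AH_FIXED.size:hdr_len], packet[hdr_len:]
        if not self._replay_ok(seq):
            raise ValueError("replayed or too-old sequence number %d" % seq)
        expected = hmac.new(self.key, packet[:AH_FIXED.size] + bytes(ICV_LEN) + payload,
                            hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet was modified in transit")
        self._replay_update(seq)          # only verified packets advance the window
        return next_header, payload


def _rejection(rx: AhReceiver, packet: bytes):
    try:
        rx.receive(packet)
    except ValueError as err:
        return str(err)
    return None


def demo():
    """Constructed traffic on one SA: normal, reordered, replayed, tampered and too-old packets."""
    key, spi, udp = b"constructed-demo-key-not-for-real-use", 0x1000, 17
    rx = AhReceiver(key, spi)
    p1, p2, p3, p4 = (ah_build(key, spi, n, udp, b"datagram %d" % n) for n in (1, 2, 3, 4))
    out = {"seq1": rx.receive(p1)[1], "seq3": rx.receive(p3)[1]}
    out["seq2_reordered"] = rx.receive(p2)[1]                 # late but inside the window: accepted
    out["seq2_replayed"] = _rejection(rx, p2)                 # same packet again: rejected
    out["seq4_tampered"] = _rejection(rx, p4[:-1] + b"X")     # payload altered: ICV fails
    out["seq4_genuine"] = rx.receive(p4)[1]                   # original still accepted afterwards
    rx.receive(ah_build(key, spi, 100, udp, b"jump ahead"))
    out["seq30_too_old"] = _rejection(rx, ah_build(key, spi, 30, udp, b"stale"))
    return out
```

Two details matter for a defender reading this: the replay window is consulted before the (more expensive) HMAC so that flooding with old sequence numbers costs little, but the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window. Swapping the payload for ciphertext and the AH header for an ESP header is the step from "authenticity without privacy" to the ESP format the report lists first.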
interoperable tunneling, with the strong and interoperable security of IPSec. It is a good solution for secure remote access and secure gateway-to-gateway connections.
Feature comparison, PPTP/PPP versus L2TP (the per-protocol Yes/No entries of this table are not recoverable from this copy; the features and their descriptions are):

Feature                                Description
User Authentication                    Can authenticate the user that is initiating the communications.
Machine Authentication                 Authenticates the machines involved in the communications.
NAT Capable                            Can pass through Network Address Translators to hide one or both endpoints of the communications.
Multiprotocol Support                  Defines a standard method for carrying IP and non-IP traffic.
Dynamic Tunnel IP Address Assignment   Defines a standard way to negotiate an IP address for the tunneled part of the communications. Important so that returned packets are routed back through the same session rather than through a non-tunneled and unsecured path, and to eliminate static, manual end-system configuration.
Encryption                             Can encrypt traffic it carries.
PKI Support                            Can use PKI to implement encryption and/or authentication.
Packet Authenticity                    Provides an authenticity method to ensure packet content is not changed in transit.
Multicast                              Can carry IP multicast traffic in addition to IP unicast traffic.
Directory delivers policy-based, directory-enabled networking. IPSec policy is assigned and distributed to Windows 2000 domain members through Windows 2000 Group Policy. Local policy configuration is provided, so membership in a domain is not required. An automatic security negotiation and key management service is also provided using the IETF-defined Internet Key Exchange (IKE) protocol, RFC 2409. The implementation of IKE provides three authentication methods to establish trust between computers:
Kerberos v5.0 authentication is provided by the Windows 2000 domain that serves as a Kerberos version 5.0 Key Distribution Center (KDC). This provides easy deployment of secure communications between Windows 2000 computers that are members in a domain or across trusted domains. IKE only uses the authentication properties of Kerberos, as documented in draft-ietf-ipsec-isakmp-gss-auth-02.txt. Key generation for IPSec security associations is done using IKE (RFC 2409) methods.
Public/private key signatures using certificates are compatible with several certificate systems, including Microsoft, Entrust, Verisign, and Netscape. This is part of RFC 2409.
Passwords, termed pre-shared authentication keys, are used strictly for establishing trust between computers. This is part of RFC 2409.
Once configured with an IPSec policy, peer computers negotiate using IKE to establish a main security association for all traffic between the two computers. This involves authenticating using one of the methods above and generating a shared master key. The systems then use IKE to negotiate another security association for the application traffic they are trying to protect at the moment. This involves generating shared session keys. Only the two computers know both sets of keys. The data exchanged using the security association is very well protected against modification or interpretation by attackers who may be in the network. The keys are automatically refreshed according to IPSec policy settings to provide constant protection according to the administrator-defined policy. For customers familiar with the technical details of IPSec, Windows 2000 supports DES (56-bit key strength) and 3DES (168-bit key strength) encryption algorithms, and SHA-1 and MD5 integrity algorithms. These algorithms are supported in all combinations in the ESP format. Because the AH format provides only integrity and authenticity, only MD5 and SHA-1 are used.
L2TP
Windows 2000 includes L2TP support when used with IPSec for client-to-gateway and gateway-to-gateway configurations. In these configurations, all traffic from the client to a gateway, and all traffic between two gateways, is encrypted. This implementation has been tested with a variety of other vendor implementations of L2TP/IPSec.
PPTP
Windows 2000 includes PPTP support for client-to-gateway and gateway-to-gateway configurations. This implementation is consistent with the PPTP services available for the Microsoft Windows NT Server, Windows NT Workstation, Windows 98, and Windows 95 operating systems. Customers can take advantage of their existing investment in Windows operating system-based platforms by using PPTP. Windows 2000-based systems can interoperate with Windows NT-based PPTP servers, and today's Windows-based systems interoperate with Windows 2000-based PPTP servers. In addition to password-based authentication, Windows 2000 PPTP can support public key authentication through the Extensible Authentication Protocol (EAP).
5.7. Remote access policy management:
Another dimension of security policy management that goes beyond encryption policy is access policy. In client-to-gateway and gateway-to-gateway situations, Windows 2000 provides a rich set of administrative policies that can be implemented to control user access through direct-dial, PPTP, and L2TP/IPSec connections. These access policies allow administrators to grant or deny access based upon a combination of user ID, time of day, protocol port, encryption level, and more. While available natively within a Windows 2000 Active Directory environment, these access policies can also be enforced on non-Windows 2000 environments through the use of RADIUS. For example, an existing Windows NT-based PPTP server can be configured to use a Windows 2000 Server to authenticate users through RADIUS. When used in this way, the Windows 2000 Server can be configured to enforce access policies and apply them to the Windows NT-based PPTP server. This is an example of how Windows 2000 can simplify and strengthen central administration during a transition to Windows 2000, and demonstrates one of the many benefits of using Windows 2000 for authentication in heterogeneous environments.
5.8. Client management:
In larger scale installations, the Connection Manager Administration Kit and Connection Point Services can be used together to deliver a customized remote access direct-dial and VPN client to corporate systems.
With these tools the administrator can provide the client with a specially configured profile that:
Brands the dialer consistent with corporate remote access programs.
Integrates customized help files and corporate remote access use licenses.
Integrates applications and other tools for automatic launch at various stages of the connection process.
Administers a central phonebook of remote access numbers.
Contracts with Internet Service Providers (ISPs) for management of point-of-presence (POP) phone numbers.
Configures clients to automatically update, and collates phonebooks from the ISP and the corporate phonebook servers.
The resulting profile can be distributed centrally to clients through Microsoft System Management Services, Web downloads, file transfers, e-mail, floppy disks, or CDs. This lets administrators centrally manage clients while users get a single interface that:
Connects, regardless of type of protocol or connection (direct dial or VPN protocol).
Hides the complexity of the connection process (single-click access).
Provides single sign-on using company user IDs (no separate ISP account required).
Based on customer feedback, Microsoft considers this to be one of the most important components for deploying VPN services.
6. SECURITY OF VPN:
The key word in "virtual private networks" is private. The last thing a business wants is to have sensitive corporate information end up in the hands of some pubescent hacker, or worse, the competition. Fortunately, VPNs are widely considered extremely secure, despite using public networks. In order to authenticate the VPN's users, a firewall will be necessary. While in the past, firewalls have been a major source of headaches for network administrators, the new generation of firewalls is far simpler to create and maintain. Nowadays, there is a wide variety of hassle-free, prepackaged appliances to keep unwanted packets out of the network. Many "black box" security systems also include some sort of encryption system, although some VPNs do not. Firewall products for VPNs, such as NetScreen, WatchGuard, or NetFortress, are often relatively simple, plug-and-play solutions for network security. The system can be connected to as many LANs as needed, keys are exchanged between the two units, and the VPN is complete. However, these solutions can come at a substantial cost, and the right choice will depend on the unique networking and security needs of the company or companies using the network. Generally, if you already own the appropriate equipment and Internet connection, an out-of-the-box solution is not necessary. All VPNs require configuration of an access device, either software- or hardware-based, to set up a secure channel. A random user cannot simply log in to a VPN, as some information is needed to allow a remote user access to the network, or even to begin a VPN handshake. When used in conjunction with strong authentication, VPNs can prevent intruders from successfully authenticating to the network, even if they were somehow able to capture a VPN session. Most VPNs use IPSec technologies, the evolving framework of protocols that has become the standard for most vendors. IPSec is useful because it is compatible with most VPN hardware and software, and is the most popular choice for networks with remote access clients.

IPSec requires very little knowledge from clients, because the authentication is not user-based, which means a token (such as Secure ID or Crypto Card) is not used. Instead, the security comes from the workstation's IP address or its certificate, establishing the user's identity and ensuring the integrity of the network. An IPSec tunnel basically acts as the network layer protecting all the data packets that pass through, regardless of the application. Depending on the solution used, it is possible to control the type of traffic sent over a VPN solution. Many devices allow the administrator to define group-based filters that control which IP addresses and protocol/port services are allowed through the tunnel. IPSec-based VPNs also allow the administrator to define a list of specific networks and applications to which traffic can be passed. One downside to IPSec-compliant products is that they provide access control over the network and transport layers only, and not a great deal of measures to selectively regulate access to individual resources within these hosts. If customers are given access to particular company information on a server, for instance, highly selective controls are needed to make sure they access only the information they have been authorized to see. This type of selective or unidirectional access within a VPN is available in some non-IPSec solutions, such as Aventail's SOCKS 5 server. In a unidirectional connection, a two-way trusted relationship is not assumed, as it is with tunneled VPNs. With this model, if there is some kind of breach in security, only the destination network is affected. SOCKS 5 is also able to handle virtually any authentication and encryption standard. Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Forwarding (L2F) are also available, and although only a handful of firewall vendors support these security protocols, they are part of the reason why there is no current universally accepted standard. Although VPN vendors must decide which standard they use, it is the administrators who will eventually decide the outcome of this emerging technology. Because of factors like this, it is all the more important to make a wise, informed decision before purchasing a VPN.
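As an added illustration of the point above (example code, not from the original seminar document): a minimal model of a group-based tunnel filter that decides only on destination network, protocol and port. The group name, addresses and policy are constructed for the example; the two HTTPS packets at the end show that requests to the same host and port are indistinguishable to such a filter, which is why per-resource control needs an application-aware gateway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """One group-based filter entry: destination network, IP protocol, port range."""
    dst_net: str
    proto: str            # "tcp", "udp" or "any"
    ports: tuple = (0, 65535)   # inclusive (low, high); ignored when proto is "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: str = ""     # e.g. an HTTP request line; the filter never inspects it


# Constructed policy for a hypothetical "customers" group: only HTTPS to the
# portal host and DNS to the resolver may enter the tunnel, nothing else.
CUSTOMER_POLICY = [
    Selector("192.0.2.10/32", "tcp", (443, 443)),
    Selector("192.0.2.53/32", "udp", (53, 53)),
]


def matches(sel: Selector, pkt: Packet) -> bool:
    """True when the packet's network/transport headers fall inside the selector."""
    if ip_address(pkt.dst) not in ip_network(sel.dst_net):
        return False
    if sel.proto == "any":
        return True
    lo, hi = sel.ports
    return sel.proto == pkt.proto and lo <= pkt.dport <= hi


def tunnel_permits(policy: list, pkt: Packet) -> bool:
    """Default-deny: a packet passes only if some selector in the policy matches."""
    return any(matches(s, pkt) for s in policy)


def same_verdict(policy: list, a: Packet, b: Packet) -> bool:
    """Layer 3/4 filters cannot separate two packets that differ only in payload."""
    return tunnel_permits(policy, a) == tunnel_permits(policy, b)


if __name__ == "__main__":
    public = Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "GET /public")
    admin = Packet("198.51.100.7", "192.0.2.10", "tcp", 443, "GET /admin")
    print(tunnel_permits(CUSTOMER_POLICY, public), same_verdict(CUSTOMER_POLICY, public, admin))
```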
7. VPN H/W & S/W SPECIFICATION:
Depending on the type of VPN (Remote-Access or Site-to-Site), you will need to put in place certain components to build your VPN. These might include:
- Desktop software client for each remote user
- Dedicated hardware such as a VPN Concentrator or Secure PIX Firewall
- Dedicated VPN server for dial-up services
- NAS (Network Access Server) used by the service provider for remote user VPN access

VPN Concentrator: Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a Remote-Access VPN. They provide high availability, high performance and scalability and include components, called Scalable Encryption Processing (SEP) modules, that enable users to easily increase capacity and throughput. The Concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users up to large enterprise organizations with as many as 10,000 simultaneous remote users.

VPN-optimized router: Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

Cisco Secure PIX Firewall: An amazing piece of technology, the PIX (Private Internet eXchange) Firewall combines dynamic network address translation, proxy server, packet filtration, firewall and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

The Cisco PIX Firewall (photo courtesy of Cisco Systems, Inc.)
8.APPLICATION:
VPN/VOIP Application: Once you've set up your VPN network, you can easily save money on interoffice long distance calling by bridging your voice network to your data network with Multi-Tech's MultiVOIP Voice over IP gateway. MultiVOIP is a point-to-point solution (one box is required at each location) that merges voice/fax from traditional telephones onto an IP data network. It then utilizes another MultiVOIP gateway at the remote end to separate the voice/fax from the data network and send it back to the receiving phone. With MultiVOIP a company can save thousands of dollars on recurring long distance charges.
9.ADVANTAGES OF VPN:
There are a number of reasons to set up a VPN for remote access, but the biggest selling point by far is the potential cost savings. Using the Internet to distribute network services over long distances means companies no longer have to purchase expensive leased lines to branch or partners' offices, as a VPN connection needs only a relatively short dedicated connection. In an organization experiencing rapid growth, this can make an enormous difference in costs. As an organization adds companies to its network, the number of leased lines required climbs with it exponentially. In a traditional WAN, this can limit the flexibility for growth, whereas VPNs avoid this problem by tapping into an almost universally available network. VPNs can further reduce costs by lessening the need for long-distance telephone charges, as clients can gain access by dialing into the nearest service provider's access point. While in some cases this may entail making a long-distance call or using an 800 service, a local call is usually sufficient. This can dramatically cut telecommunications costs for enterprises with many international sites, sometimes in the range of thousands of dollars per person, each month. A third, more subtle way that VPNs may result in lower expenditures is through reducing the company's support burden. With a VPN, the service provider must support dial-up access, instead of the organization using it. Theoretically, a public service provider can charge much less for support, because its cost is shared among a wider customer base. Finally, VPNs save a company on operational costs for equipment previously used to support remote users. A company using a VPN can get rid of its modem pools, remote-access servers, and other WAN equipment and simply use its existing Internet installation. Many companies employ several links with different functions prior to setting up a VPN.
Companies enjoy the flexibility that comes with VPNs, since they typically do not require long-term contracts, as is the case with most data services. This allows companies to easily switch over to a lower-priced service if they so desire. Companies can usually get a high-speed Internet connection established and configured in a much shorter time than it takes to get a similar data service. In some foreign countries, it can take as long as a year to get a leased line installed. For some industries, such as construction or insurance, this can make a crucial difference in a company's operations and financial health. VPN technologies are also considered remarkably secure. Since the introduction of IPSec, VPN data protection has become more standardized among service providers. Data that is sent over VPNs is confidential, requiring authorization to be received or replayed. Users can authenticate packets to establish the validity of the information, and the integrity of the data is usually guaranteed. Companies may also choose to build an extranet application on a VPN, in order to use its access controls and authentication services to deny or grant access to specific information for customers, trading partners or business associates. This can help build customer loyalty, as clients who are given higher levels of access would be less likely to switch to another business partner. The same technology can also be used internally to assign worker populations to segmented groups with different access levels. This solution is simpler and more economical than traditional methods used by IT managers. A VPN-based extranet may replace a more expensive system, such as an electronic data interchange (EDI), which typically necessitates custom software and the use of a value-added network (VAN) provider. Some VANs charge upwards of $6 to $12 (US) per hour of connectivity, much more than ordinary service providers.
10.DISADVANTAGES OF VPN:

2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.
3. VPN technologies from different vendors may not work well together due to immature standards.
4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.
11. CONCLUSION: VPNs are an effective way to create secure communication channels across the Internet or between sensitive systems within a company's internal network. With the inclusion of VPN support in Microsoft 2000, Cisco routers, Checkpoint 2000, and a host of other systems, the deployment of VPNs is going to become more commonplace. Without proper security design, these VPNs could add many more unwanted entrances to corporate networks. Use VPNs where appropriate, but ensure that security issues including machine configuration, policy and user security awareness have been considered.
12.BIBLIOGRAPHY: