Virtual Private Networks VPNs - PowerPoint PPT Presentation

Slides: 18
Provided by: Fran199
Transcript and Presenter's Notes

1
Virtual Private Networks (VPNs)
  • Tunneling, VPNs and Roaming

2
Defining Some Terms
  • Extranet: Extends an Intranet to include
    customers, suppliers and partners
  • Intranet: Internal corporate applications using
    Web and Internet technology
  • Remote Access: Uses the Internet to
    link telecommuters and mobile workers to
    the company Intranet

3
Tunneling Defined
  • Creating a transparent virtual network link
    between two network nodes that is unaffected by
    physical network links and devices.

4
Tunneling Explained
  • Tunneling is encapsulating one protocol in
    another
  • Tunnels provide routable transport for unroutable
    packets (encrypted, illegal addressing,
    non-supported)
  • Tunneling itself provides no security

5
One way to communicate
[Network diagram. Labels: New York, Los Angeles HQ, Boston, LAN, Firewall, Router, CSU/DSU, Remote Access Server, PSTN, Internet, Web Sites]

6
Another view of network possibilities... A Virtual Private Network
[Network diagram. Labels: New York, Los Angeles, Boston, LAN, Firewall, Router, CSU/DSU, VSU-1000, Internet, Web Sites, VPNmanager, Remote Clients (VPNremote)]

7
Tunneling Illustrated
  • Step 1. Original, unroutable IP packet (dest Y)
    sent to router
  • Step 2. Original IP packet encapsulated in
    another IP packet
  • Step 3. Original packet extracted, sent to
    destination
[Diagram. Labels: Workstation X, Router A, Tunnel, Router B, Workstation Y, Original IP packet (dest Y), New IP packet]

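The three steps above, worked through in Python as an added example that is not part of the original slides. It uses IP-in-IP (one of the tunnel types the slides list) with constructed addresses and payload, and it also shows the earlier point that tunneling itself provides no security: the inner payload stays readable inside the tunneled packet.

```python
import socket
import struct

IPPROTO_IPIP = 4   # outer-header protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet: header with valid checksum, then payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(FMT, *fields))
    return struct.pack(FMT, *fields) + payload

def parse(packet: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    total_len, = struct.unpack("!H", packet[2:4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:total_len])

def encapsulate(inner: bytes, router_a: str, router_b: str) -> bytes:
    """Step 2: Router A wraps the original packet in a new, routable one."""
    return ipv4_packet(router_a, router_b, IPPROTO_IPIP, inner)

def decapsulate(outer: bytes, me: str) -> bytes:
    """Step 3: Router B strips the outer header and recovers the original."""
    _src, dst, proto, inner = parse(outer)
    if dst != me or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    parse(inner)  # the inner header must itself be valid IPv4
    return inner

# Constructed sample: X and Y use private (unroutable) addresses,
# the routers use documentation-range public addresses.
X, Y = "10.1.0.5", "10.2.0.9"
ROUTER_A, ROUTER_B = "192.0.2.1", "198.51.100.1"
original = ipv4_packet(X, Y, IPPROTO_UDP, b"payroll data")   # Step 1
tunneled = encapsulate(original, ROUTER_A, ROUTER_B)
```

Intermediate routers see only the outer addresses, while anyone on the path can still read `payroll data`; confidentiality has to come from encryption applied on top of the tunnel.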
8
Types of Tunnels (with thanks to Bernard Aboba)
  • Two basic types of tunnels
  • Voluntary tunnels
  • Tunneling initiated by the end-user (requires
    client software on remote computer)
  • Compulsory tunnels
  • Tunnel is created by NAS or router (tunneling
    support required on NAS or router)

9
Voluntary Tunnels
  • Will work with any network device
  • Tunneling transparent to leaf and intermediate
    devices
  • But user must have a tunneling client compatible
    with tunnel server
  • PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
  • Simultaneous access to Intranet (via tunnel) and
    Internet possible
  • Employees can use personal accounts for corporate
    access
  • Remote office applications
  • Dial-up VPNs for low traffic volumes

10
A Voluntary L2TP Tunnel
11
Compulsory Tunnels
  • Will work with any client
  • But NAS must support same tunnel method
  • But Tunneling transparent to intermediate
    routers
  • Network access controlled by tunnel server
  • User traffic can only travel through tunnel
  • Internet access possible
  • Must be by pre-defined facilities
  • Greater control
  • Can be monitored

12
Compulsory Tunnels
  • Static Tunnels
  • All calls from a given NAS/Router tunneled to a
    given server
  • Realm-based tunnels
  • Each tunnel based on information in NAI (i.e.
    user@realm)
  • User-based tunnels
  • Calls tunneled based on userID data stored in
    authentication system

13
A Compulsory L2TP Tunnel
14
RADIUS Support for Tunnels
  • Can define tunnel type
  • Can define/limit tunnel end points
  • Allows tunnel configuration to be based on
    Calling-Station-ID or Called-Station-ID
  • Additional accounting information
  • Tunnel end points
  • Tunnel ID, etc.

15
RADIUS Dial Up Security
  • Authenticates dial-in users at boundary of
    private network
[Diagram. Labels: Private Network, RADIUS Server, RADIUS Protocol, Boundary, RAS, User Login, Remote User, Hacker]

16
Protocol Comparison
PPTP L2TP IPSEC Authenticated Tunnels
X X Compression X X X Smart
Cards X X Address Allocation X
X Multiprotocol X X Encryption
X Flow Control
X Requires Server X X
17
Layer 2 Tunneling Protocol (L2TP)
  • L2TP Network Server (LNS) de-tunnels PPP,
    authenticates via RADIUS and performs address
    assignment
  • L2TP Access Concentrator (LAC) tunnels PPP
    frames in IP
[Diagram. Labels: LNS, LAC, RADIUS, PPP, L2TP Tunnel, Mobile Employee, Telecommuter, Private Network, Shared Dial Network]