Virtual Private Networks

1
Virtual Private Networks

• Globalizing LANs
• Timothy Hohman

2
What is A VPN?

• Tell me about it Microsoft
• A virtual private network (VPN) is the extension
  of a private network that encompasses links
  across shared or public networks like the
  Internet. (Microsoft, 2001)
• It provides LAN access to end systems not
  physically located on the LAN
• An alternative to WAN (Wide Area Networks) which
  use leased lines to connect

3

• Image courtesy Cisco Systems, Inc.A typical
  VPN might have a main LAN at the corporate
  headquarters of a company, other LANs at remote
  offices or facilities and individual users
  connecting from out in the field.

4
How does it work?

• Data is encrypted (cannot be deciphered without
  the key)
• Virtual Point to Point Connection
• To the user, it acts like a point to point
  connection
• Data is packaged with a header

5
Benefits of Using VPN

• Expand Globally
• Costs reduced
• No dedicated lines necessary
• Easier
• Technology is on the end systems, which makes it
  more scalable
• No single point of failure
• Easier Network Management

6
Types of VPN

• Two Types
• Site to Site VPN
• Remote Access VPN

7
Remote Access VPN

• Essentially provides LAN access through dial-up
  connection
• Typically done by purchasing a NAS (Network
  Access Server) with a toll free number
• Can instead be done through normal ISP connection
  using the VPN software to make a virtual
  connection to the LAN

8
Site to Site VPN

• Connects two LANs over local ISP connections
• Very useful if you need to connect a branch to a
  main hub (Big business)
• Much less expensive than purchasing one dedicated
  line between the hub and branch
• Intranet ? connects remote locations from one
  company
• Extranet ? connects two companies (partners)
  into one shared Private Network

9
Site to Site Connection
10
Two Ways to Get it Done

• Two Tunneling protocols can be used
• PPTP (Point to Point Tunneling Protocol)
• L2TP (Layer Two Tunneling Protocol)
• Tunneling encapsulates frames in an extra header
  to be passed over the internet appearing as
  normal frames. The process includes
• Encapsulation (adding extra frame), transmission,
  Decapsulation

11
Tunneling Protocols

• Both of these protocols support these methods
• User Authentication
• Token Card Support (one time passwords)
• Dynamic Address Assignment
• Data Compression
• Data Encryption
• Key Management
• Multi-protocol Support

12
Tunneling Protocols cont.

• Each are built on PPP (Point to Point Protocol)
• 4 Phases
• 1) Link Establishment - a physical link between
  ends
• 2) User Authentication Password protocols used
• PAP, CHAP, MS-CHAP
• 3) Call Back Control optional
• Disconnects and server calls back after
  authentication
• 4) Data Transfer Phase exactly what it sounds
  like

13
Tunneling Protocols cont.

• PPTP
• Uses IP datagrams for encapsulation
• Uses TCP for tunnel maintenance
• Uses encryption and compression
• L2TP
• Encapsulation in IP, ATM, Frame Relay, X.25
• IP when going over internet
• UDP used for tunnel maintenance

14
Advantages

• PPTP
• No certificate infrastructure
• Can be used on more operating systems
• Can operate behind NATs
• L2TP
• More tools to guarantee packet integrity and data
  security
• Require user and computer certificates
• PPP authentication is encrypted (takes place
  after IP security check)

15
Security

• Many types of Security are offered including
• Firewalls
• Encryption
• IPSec
• Certificates
• AAA servers

16
Firewalls

• Can be used with VPN is right technology is set
  up on the router
• Cisco 1700 router for example
• Can restrict
• The type of data being transferred
• The number of ports open
• Which protocols are allowed through

17
Encryption

• Symmetric Key Encryption (private key)
• All communicating computers use the same key
  stored on their computer
• Asymmetric Key Encryption
• Uses a Private key and a Public Key
• Private key on local computer
• Public key sent out to anyone who you want to
  communicate with
• Mathematically related through encryption
  algorithm
• Both must be used to decrypt anything sent

18
IPSec

• Made up of two parts
• Authentication Header
• Verify data integrity
• Encapsulation Security Payload
• Data integrity
• Data encryption

19
IPSec continued

• Authentication Header
• Authentication Data
• Sequence number
• Encapsulating Security Payload
• Encrypt data
• Another layer of integrity and authentication
  checks

20
Certificates

• Used alongside public keys
• Contains
• Certificate Name
• Owner of the public key
• Public key itself
• Expiration date
• Certificate authority
• Verifies that information is coming from the
  private key
• Can be distributed on disks, smart cards, or
  electronically

21
AAA Servers

• Authentication, Authorization, Accounting
• These advanced servers ask each user who they
  are, what they are allowed to do, and what the
  actually want to do each time they connect
• This allows the LAN to track usage from dial up
  connections and closely monitor those remotely
  connected as they would those physically
  connected.

22
How can I get this up and running?

• You need
• Software on each end system
• Windows PPTP
• Dedicated hardware (firewalls, routers, etc.)
• Dedicated VPN server
• May need NAS

23
A Hardware Example

• http//www.youtube.com/watch?vlq-ShHMofEQ

24
An Example of VPN in Action

• 2001, CISCO direct-connect company filed for
  bankruptcy
• Changing over the 9000 employees to different
  direct-connect companies would be very costly and
  take 10 times the available staff to pull off

25
The VPN Solution

• User managed solution based on VPN software
• Users provide own internet connection
• Cisco provided IT support for VPN problems and
  provide gateway from internet to CISCO network

26
Benefits of the Change

• Productivity
• Employee Satisfaction
• Able to work from home, making home work balance
  easier
• Globalization
• Flexibility
• Easier when letting employees go
• Ex-employees do not have to have their dedicated
  line removed, rather they just lose
  Authentication to AAA server
• Cost, cost, cost

27
Things to Come

• Expansion
• China and India
• Faster Upgrades
• Use of Microsoft installer
• Better encryption
• Advanced encryption standard
• Better compression
• Voice and Video or VPN

28
Things to come cont.

• Wireless vendor support
• Access to employees from anywhere
• PDA support
• Possible software packages to be used on PDAs
• Hardware for home client
• As shown in previous clip

29
References

• Cisco Systems (2004). Cisco VPN Client Brings
  Flexibility and Cost Reduction to Cisco Remote
  Access Solution. Retrieved from
  http//www.cisco.com/web/about/ciscoitatwork/downl
  oads/ciscoitatwork/pdf/Cisco_IT_Case_Study_VPN_Cli
  ent_print.pdf
• Jeff Tyson (2007). How Virtual Private Network
  Work. Retrieved from http//computer.howstuffwork
  s.com/vpn.htm
• Barrel, Matthew D. (2006). Take your network
  anywhere. PC Magazine, 25(21), p122-122.
• Calin, Doru McGee, Andrew R. Chandrashekhar,
  Uma Prasad, Ramjee (2006). MAGNET An approach
  for secure personal networking in beyond 3g
  wireless networks. Bell Labs Technical Journal,
  11(1), pp. 79 98.
• Tanner, John C. (2006). Ethernet rides the NGN
  wave. Americas Network, 110(2), pp. 40-43.