VPN – Technologies and Solutions - PowerPoint PPT Presentation

About This Presentation
Title:

VPN – Technologies and Solutions

Description:

VPN Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui Virtual Private Network (VPN) a private network ... – PowerPoint PPT presentation

Slides: 13
Provided by: csSjsuEd3
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes


1
VPN Technologies and Solutions
  • CS158B Network Management
  • April 11, 2005
  • Alvin Tsang
  • Eyob Solomon
  • Wayne Tsui

2
Virtual Private Network (VPN)
  • a private network constructed within a public
    network infrastructure, such as the global
    Internet
  • two categories of VPNs
      • A remote access VPN enables remotely located
        employees to communicate with a central location.
      • A site-to-site VPN interconnects two private
        networks via a public network such as the
        Internet

3
Protocols used by VPN
  • Point-to-Point Tunneling Protocol (PPTP)
      • simple VPN technology based on the Point-to-Point
        Protocol
      • supports multiple encapsulation, authentication,
        and encryption.
  • Layer 2 Tunneling Protocol (L2TP)
      • combination of PPTP and Layer 2 Forwarding (L2F)
      • Two types of L2TP
          • L2TP Access Concentrator (LAC)
          • L2TP Network Server (LNS)
  • Internet Protocol Security (IPSec)
      • framework for protecting the confidentiality and
        integrity of data in transit
      • A common use of IPSec is the construction of a
        VPN

4
IPSec Protocols
  • IPSec defines a new set of headers to be added to
    IP datagrams
      • ESP - Confidentiality, data integrity, and data
        source authentication (RFC 2406)
      • AH - Data integrity, source authentication
        (RFC 2402)

5
IPSec Modes
  • Transport Mode
      • Protects the upper-layer protocol; endpoints are
        exposed
      • The IPSec header is inserted between the IP header
        and the upper-layer protocol header
  • Tunnel Mode
      • The entire IP packet is protected and becomes the
        payload of a new packet
      • The IPSec header is inserted between the outer and
        inner IP headers.
      • Used by gateways for VPNs, which perform encryption
        on behalf of hosts
  • IPSec SA
      • Relationship between entities on how to
        communicate securely.
      • Unidirectional: two for each pair, one from A to
        B and one from B to A
      • Identified by an SPI, destination address, and
        security protocol identifier

6
IPSec Phases
  • SPD
      • The Security Policy Database maintains the IPSec
        policy
      • Each entry defines the traffic to be protected and
        how to protect it
      • Three actions on a traffic match: discard, bypass
        and protect
      • IP traffic is mapped to IPSec policy by selector
  • IKE
      • Establishes security parameters and authentication
        (SAs) between IPSec peers
      • IKE SAs define the way in which two peers
        communicate, which algorithm to use to encrypt
        IKE traffic, and how to authenticate the remote
        peers.
      • The SPD instructs IKE what to establish; IKE
        establishes IPSec SAs based on its own policy
        settings
  • Phase 1 communication
      • Identify the peers.
      • Create IKE SAs by authentication and key
        exchange
      • One side offers a set of algorithms; the other
        side accepts or rejects. Key material is derived
        for use by IPSec with AH, ESP or both
  • Phase 2 communication
      • IPSec SA negotiations are under the protection of
        the IKE SAs created in phase 1
      • The IPSec shared key is derived by using
        Diffie-Hellman or by refreshing the shared secret.
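
The SPD selector matching from this slide and the SA triple (SPI, destination address, security protocol) from the previous one, as an added Python example that is not part of the original presentation. The addresses, SPI values, first-match ordering and the "negotiate" result (no SA exists yet, so IKE would be asked to establish one) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# All addresses, SPI values and policy entries here are constructed for illustration.
@dataclass(frozen=True)
class SPDEntry:
    src: str               # selector: source network (CIDR)
    dst: str               # selector: destination network (CIDR)
    proto: str             # selector: upper-layer protocol, or "any"
    action: str            # "discard", "bypass" or "protect"
    ipsec_proto: str = ""  # "ESP" or "AH" when action is "protect"
    peer: str = ""         # remote gateway (tunnel endpoint) when protecting

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto))

# Ordered SPD (assumption): the first entry whose selector matches decides the action.
SPD = [
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", "any", "protect", "ESP", "203.0.113.2"),
    SPDEntry("10.1.0.0/16", "10.3.0.0/16", "any", "protect", "ESP", "203.0.113.3"),
    SPDEntry("10.1.0.0/16", "0.0.0.0/0", "udp", "bypass"),
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", "any", "discard"),
]

# SAD: SAs are unidirectional, keyed by (SPI, destination address, security protocol).
SAD = {
    (0x1001, "203.0.113.2", "ESP"): {"direction": "A->B", "mode": "tunnel"},
    (0x2001, "198.51.100.1", "ESP"): {"direction": "B->A", "mode": "tunnel"},
}

def outbound(src, dst, proto):
    """Return (action, sa_key) for an outbound packet; sa_key is set only when protected."""
    for entry in SPD:
        if not entry.matches(src, dst, proto):
            continue
        if entry.action != "protect":
            return entry.action, None
        for key in SAD:
            if key[1] == entry.peer and key[2] == entry.ipsec_proto:
                return "protect", key
        return "negotiate", None  # policy says protect but no SA yet: IKE must establish one
    return "discard", None        # no policy matched: drop

def inbound_sa(spi, dst, ipsec_proto):
    """Inbound lookup: the full triple identifies exactly one SA, or none."""
    return SAD.get((spi, dst, ipsec_proto))
```

The two SAD entries are the A-to-B and B-to-A halves of one gateway pair, so a lookup with the right SPI but the other direction's destination address finds nothing.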

7
VPN Solutions
  • Access VPN
      • offers remote access to a company's Intranet or
        Extranet. Example: employees who are on a business
        trip or in a home office
  • Intranet VPN
      • offers the Intranet connection. Example: branch
        offices
  • Extranet VPN
      • offers the Extranet connection. Example: business
        partners, customers

8
VPN Solutions Benefits
  • Access VPN
      • Economical: Internet access vs. long-distance
        dialup
      • Secure
  • Intranet VPN
      • Economical: ISP vs. dedicated connection
      • Flexible: topological design, new office
      • Reliable: redundant ISP
      • Secure
  • Extranet VPN
      • Same as Intranet VPN
      • Management, authentication and authorization

9
VPN Example

10
VPN Example - Extranet VPN

11
Conclusion
  • Cheaper and Secure, Go for it!

12
Q & A
  • Any questions?