
Virtual Private Network or VPN


8/9/2019 Virtual Private Network or VPN

http://slidepdf.com/reader/full/virtual-private-network-or-vpn 1/10

Virtual Private Network, or VPN, is a term that you may not have heard of, but it has become very common over the years. Instead of simply dealing with local or regional branches, many companies today have facilities or businesses spread out across the country or around the world. In order to maintain fast, secure and reliable communications, these companies are creating their own virtual private networks to accommodate the needs of remote employees and distant offices.

VPN Introduction

VPN, an acronym for Virtual Private Network, is a private data network (usually used within a company, or by several different companies or organizations) which has a secure connection created over a public network by using tunneling-mode encryption and other security procedures. The tunneling-mode encryption and security procedures ensure that only authorized users can access the network and that data cannot be intercepted.

VPN message traffic is carried on public networking infrastructure, e.g. the Internet, using standard (often insecure) protocols, or over a service provider's network providing VPN service guarded by a well-defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider.

The main purpose of a VPN is to give the company the same protected sharing of data over public resources that private leased lines provide, but at a much lower cost by using the shared public infrastructure.

How it Works: To make use of the VPN, the remote user's workstation must have the VPN client software installed. A firewall sits between the remote user's workstation or client and the host network or server. When a connection to the corporate network is attempted, the VPN client software will first connect to the VPN server by means of a tunneling protocol. After the remote computer has been successfully authenticated, a secure connection (secret tunnel) between it and the VPN server is formed, and all subsequent data exchanged through this tunnel is encrypted at the sending end and correspondingly decrypted at the receiving end of the tunnel. As such, the network tunnel between them, even though established through the untrusted Internet, is still considered secure enough that the remote computer can be trusted by local computers on the corporate LAN.

In short:

- You connect to the Internet through your ISP.
- The VPN client software on your computer initiates a connection with the VPN server.
- The VPN server encrypts the data on the connection so it cannot be read by others while it is in transit.
- The VPN server decrypts the data and passes it on to other servers and resources.

For better security, many VPN client programs can be configured to require that all IP traffic pass through the tunnel while the VPN is active. From the user's standpoint, this means that while the VPN client is active, all access outside their employer's secure network must pass through the same firewall as it would while physically connected to the office Ethernet. This reduces the risk that an attacker might gain access to the secured network.

Such security is important because other computers local to the network on which the client computer is operating may not be fully trusted. Even with a home network that is protected from the outside Internet by a firewall, people who share a home may be simultaneously working for different employers over their respective VPN connections from the shared home network. Each employer would therefore want to ensure their proprietary data is kept secure, even if another computer in the local network gets infected with malware. And if a travelling employee uses a VPN client from a Wi-Fi access point in a public place, such security is even more important. However, the use of IPX/SPX is one way users might still be able to access local resources.
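The "all IP traffic must pass through the tunnel" requirement above is implemented on the client by what the routing table says, so the following added example (written for this page; it is not code from the original document) models a client routing table with longest-prefix matching and compares a split tunnel, which sends only the corporate prefix through the VPN, with a full tunnel, which sends everything through it. The interface names eth0 and tun0, the VPN server address 203.0.113.10, the corporate prefix 10.0.0.0/8 and the home LAN 192.168.1.0/24 are constructed for the illustration (documentation and private ranges, not real hosts). It also shows the one route a full tunnel must still keep on the physical interface and a check a client could run to confirm nothing else leaves outside the tunnel.

```python
"""Added example, not code from the original page: a model of the client's
routing table showing what "all IP traffic must pass through the tunnel" means
in practice, compared with a split tunnel that only sends corporate prefixes
through the VPN.

Interface names (eth0, tun0), the VPN server address 203.0.113.10, the
corporate prefix 10.0.0.0/8 and the home LAN 192.168.1.0/24 are constructed
for the illustration (documentation and private ranges, not real hosts).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as an OS routing table does: the most specific
    matching route decides which interface the packet leaves on."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def split_tunnel_routes(corp_prefix: str, lan_prefix: str) -> List[Route]:
    """Split tunnel: only the corporate prefix is sent through tun0; Internet
    and home-LAN traffic leave on the physical interface unprotected."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
        Route(ipaddress.ip_network(lan_prefix), "eth0"),
        Route(ipaddress.ip_network(corp_prefix), "tun0"),
    ]


def full_tunnel_routes(vpn_server: str, corp_prefix: str) -> List[Route]:
    """Full tunnel: the default route points into tun0. The single exception is
    a /32 host route to the VPN server on the physical interface; without it the
    already-encrypted packets to the server would be routed back into the tunnel."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "tun0"),
        Route(ipaddress.ip_network(corp_prefix), "tun0"),
        Route(ipaddress.ip_network(f"{vpn_server}/32"), "eth0"),
    ]


def leaks_outside_tunnel(routes: List[Route], vpn_server: str,
                         destinations: List[str]) -> List[str]:
    """Policy check a client could run: while the VPN is active every
    destination except the VPN server itself must resolve to tun0."""
    return [d for d in destinations
            if d != vpn_server and lookup(routes, d) != "tun0"]


if __name__ == "__main__":
    server, corp, lan = "203.0.113.10", "10.0.0.0/8", "192.168.1.0/24"
    sample = ["10.20.30.40", "192.168.1.5", "198.51.100.7", server]
    for name, table in (("split", split_tunnel_routes(corp, lan)),
                        ("full", full_tunnel_routes(server, corp))):
        print(name, {d: lookup(table, d) for d in sample},
              "leaks:", leaks_outside_tunnel(table, server, sample))
```

Note what the full-tunnel table does to the home printer at 192.168.1.5: it is now routed into the tunnel and is no longer reachable directly, which is the trade-off the paragraph above describes between protecting the employer's network and reaching local resources.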

Different Types of VPN


A VPN supports at least three different modes of use:

Remote Access (RAS) VPN - Under this application only a single VPN gateway is involved. The other party involved in negotiating the secure communication channel with the VPN gateway is a PC or laptop that is connected to the Internet and running VPN client software. The VPN client allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.

Benefit: Significant cost savings by reducing the burden of long-distance charges associated with dial-up access. Also helps increase productivity and peace of mind by ensuring secure network access regardless of where an employee physically is.

Site-to-Site Intranet VPN - With an Intranet VPN, gateways at various physical locations within the same business negotiate a secure communication channel across the Internet known as a VPN tunnel. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. Users from the networks on either side of the tunnel can communicate with one another as if it were a single network. These may need strong encryption and have strict performance and bandwidth requirements.

Benefit: Substantial cost savings over traditional leased-line or frame relay technologies through the use of the Internet to bridge potentially long distances between sites.

Site-to-Site Extranet VPN - Almost identical to Intranet VPNs, except they are meant for external business partners. As such, firewall access restrictions are used in conjunction with VPN tunnels, so that business partners are only able to gain secure access to specific data / resources, while not gaining access to private corporate information.


Benefit: Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.

Advantages of VPN

Cost Saving

VPNs eliminate the need for expensive long-distance leased lines. What a corporation requires is only a relatively short dedicated connection to the service provider. The connection can be either a local broadband connection such as DSL service or a local leased line. Both of these connections are much cheaper than long-distance leased lines. Service providers can in theory charge much less for their support than it costs a company internally, because the public provider's cost is shared amongst potentially thousands of customers.

Elements of cost reduction also include transport media, bandwidth, backbone equipment, and operations. According to industry research, site-to-site connectivity costs are typically reduced by an average of 30% over domestic leased-line networks. Cost reduction for client-to-site dial access is even greater, in the 60%-80% range.

Instead of owning and operating a private network infrastructure, a company may outsource some or all of its wide area networking functions to a service provider. By doing so, the cost of management and upkeep of the network setup can be reduced substantially. Not only that, it also enables the company to focus on core business objectives, instead of managing a WAN or dial access network.

Scalability

The cost of using traditional leased lines may be reasonable at the beginning stage, but as the organization grows the number of leased lines required increases exponentially as more branches must be added to the network. With a VPN, a company can just tap into the geographically distributed access already available, which is limited in the case of traditional leased lines.

Disadvantages of VPN

Listed below are some of the potential pitfalls of VPNs:


Lack of Security

VPN message traffic is carried on public networking infrastructure, e.g. the Internet, or over a service provider's network, which means circulating corporate data, one of your most valuable assets, on the line (literally). Even though there are many methods and technologies available to ensure data protection (like encryption implementation), the level of concern about Internet security is quite high and data in transmission is vulnerable to hackers. The use of VPNs at this moment still requires an in-depth understanding of public network security issues.

Less Bandwidth than a Dedicated Line

The other major downside of VPNs relates to guaranteeing adequate bandwidth for the work being done. Every use of the Internet consumes bandwidth; the more users there are, the less bandwidth there is for any single user. Some VPN service providers offer guaranteed bandwidth, and private networks can be built with guaranteed bandwidth allocations; however, these options will increase the cost of the system.

The need to accommodate protocols other than IP and existing ("legacy") internal network technology

IP applications were designed for low-latency, high-reliability networks. An increasing number of real-time, interactive applications are being used on the network. Although some applications can be tuned to allow for increased latency, many of the applications tested cannot be easily adjusted or cannot be adjusted at all, making the use of the application problematic.

Other pitfalls to consider:

- VPN technologies from different vendors may not work well together due to different standards compliance or immature standards.
- VPNs are more prone to Internet connectivity problems.
- The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of its control.

SSL VPN


SSL VPN or Secure Sockets Layer VPN is a protocol which is already embedded in most IP stacks and sits at the base of the application layer. This application can deliver remote network access via HTTPS from a web browser. It requires only minimal client configuration, so virtually any client with a network connection can use SSL VPN without the need for additional VPN client software or a complex configuration and setup.

The main drivers for SSL VPN are:

- Cost saving - Because SSL VPNs can be clientless, the cost of deploying clients is saved.
- Platform independent & mobile - Access can be granted from many types of machine (Linux, Windows, PDAs) and from many locations.
- IP mobility - Not bound to the source IP address, thus connections can be maintained as clients move.
- Greater granular access control - Ability to offer greater granularity, even as far as the URL. SSL VPNs also lend themselves to more granular access control because each resource accessed must be explicitly defined.
- No NAT issues - Do not suffer Hide Network Address Translation (Hide NAT) issues as it is not tied to the IP layer.

SSL VPN Category

There are 3 different techniques in use, and most commercial SSL VPN products will use a combination of these:

- Application layer proxies
- Protocol redirectors
- Remote control enhancers

Application layer proxies

This is the simplest form of SSL VPN because they rely on the SSL functionality used by existing applications. This application only supports e-mail and Web-based traffic. There are additional functions such as file transfer; however, such functions tend to be limited.

Advantages of application layer proxies: Clientless - operate with nearly all operating systems and web browsers.


Protocol redirectors

More flexible than application layer proxies, but not truly clientless in their operation. It works by downloading a mini client from the gateway, which installs locally and redirects traffic.

Advantages of protocol redirectors: It can support any application that works on fixed TCP or UDP ports and, in some implementations, applications with dynamic ports can be supported (such as MS Outlook).

Remote control enhancers

This is the most flexible form of SSL-based VPN, but they also have the highest overhead. They work by enhancing a remote control protocol like Windows Terminal Services or Citrix Metaframe and adding SSL VPN functionality and Web browser support. This means any application can be added to the SSL VPN by adding the application to the remote control desktop.

Remote control enhancers are usually used with other SSL VPN technologies because applications that reside on the local desktop cannot be used directly.

Advantages of remote control enhancers: Offer features like the ability to read and update documents held centrally without ever having to download the entire document.

VPN Firewalls

A computer firewall acts as a barrier between computers on a network. It protects inside networks from unauthorized access by users on an outside network, and protects inside networks from each other.

Why do we need a VPN Firewall?

Without a firewall, intruders/hackers on the network would likely be able to destroy, tamper with or gain access to the files on your computer. With a firewall, you block all traffic to your box, except for the traffic you initiate.

How it Works?

Firewalls function with a set of filters that continuously monitor traffic on the network. Whenever a packet of information triggers one of the filters, the firewall prevents it from passing through, to prevent any unwanted damage. Of course, firewalls sometimes block wanted traffic, and through a continual process of refinement, the filters can be customized to improve their efficacy.

Controlling network resources to an outside user

If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place a demilitarized zone (DMZ) on a separate network behind the firewall. The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects those servers and does not affect the other inside networks.

Controlling inside users accessing outside network

You may also control how inside users access outside networks:

- by allowing only certain addresses out,
- by requiring authentication or authorization, or
- by coordinating with an external URL filtering server.
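The three firewall behaviours described above (block everything inbound except replies to traffic you initiated, expose only the DMZ's public services to the outside, and restrict which outside addresses inside users may reach) fit together in the following added example, written for this page rather than taken from the original document or any firewall product. It is a minimal stateful packet filter run over constructed sample packets: the zones 10.0.0.0/8 (inside) and 192.0.2.0/24 (DMZ), the DMZ web server 192.0.2.10, the allow-listed outside address 198.51.100.5 and all packet addresses are invented for the illustration. It also encodes the consequence the DMZ paragraph draws, that a compromised DMZ server must not be able to open connections to the inside networks.

```python
"""Added example, not the page's own code: a minimal stateful packet filter
that models the behaviours described in the text. Inbound traffic is blocked
unless it belongs to a flow a protected host initiated; outside users reach
only the published DMZ services; a DMZ host cannot initiate connections to the
inside; and inside users may only go out to an allow-list of addresses.

Zones (10.0.0.0/8 inside, 192.0.2.0/24 DMZ), the server 192.0.2.10 and all
sample packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


ZONES: Dict[str, ipaddress.IPv4Network] = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to inside, dmz or outside (anything not in a known zone)."""
    a = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"


class Firewall:
    def __init__(self, dmz_services: Set[Tuple[str, int]], outside_allowlist: Set[str]):
        self.dmz_services = dmz_services            # (address, port) pairs published to the outside
        self.outside_allowlist = outside_allowlist  # outside addresses inside users may reach
        self.flows: Set[Tuple[str, int, str, int]] = set()  # state table of initiated flows
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        verdict, reason = self._decide(pkt)
        self.log.append(f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return verdict

    def _decide(self, pkt: Packet) -> Tuple[str, str]:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        # Reply traffic of a flow we saw initiated: the state table says yes.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow", "established"
        if src_zone == "outside":
            if dst_zone == "dmz" and (pkt.dst, pkt.dport) in self.dmz_services:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow", "published DMZ service"
            return "deny", "unsolicited inbound"
        if src_zone == "dmz" and dst_zone == "inside":
            # A compromised public server must not become a path to the inside.
            return "deny", "dmz may not initiate to inside"
        if src_zone == "inside" and dst_zone == "outside" and pkt.dst not in self.outside_allowlist:
            return "deny", "outside address not on allow-list"
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow", f"{src_zone} -> {dst_zone} initiated"


if __name__ == "__main__":
    fw = Firewall({("192.0.2.10", 80), ("192.0.2.10", 443)}, {"198.51.100.5"})
    for p in (Packet("203.0.113.7", 40000, "192.0.2.10", 443),   # outside -> DMZ web: allow
              Packet("203.0.113.7", 40001, "192.0.2.10", 22),    # outside -> DMZ ssh: deny
              Packet("203.0.113.7", 40002, "10.1.1.5", 445),     # outside -> inside: deny
              Packet("10.1.1.5", 50000, "198.51.100.5", 443),    # inside -> allowed site: allow
              Packet("198.51.100.5", 443, "10.1.1.5", 50000),    # its reply: allow (established)
              Packet("10.1.1.5", 50001, "203.0.113.99", 80),     # inside -> other site: deny
              Packet("192.0.2.10", 33000, "10.1.1.5", 445)):     # DMZ -> inside: deny
        fw.filter(p)
    print("\n".join(fw.log))
```

The state table is keyed on both address pairs and both ports, so a packet from the allow-listed site is accepted only when it answers the exact connection an inside host opened; an unsolicited packet from that same site is still refused.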

VPN Tunnel

A VPN tunnel establishes a secure connection between two sites over the Internet.

VPN Tunnel Policy

This policy consists of a set of rules that define:

- what traffic will be securely transmitted into the tunnel, and
- how the traffic is secured in the tunnel - which authentication and encryption algorithms will be applied to the data to ensure its authenticity, integrity, and confidentiality.

This information is defined in a crypto map entry. Crypto map entries with the same crypto map name but different map sequence numbers are grouped into a crypto map set, which is applied to the VPN interfaces on the relevant devices. All IP traffic passing through the interface is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the remote peer according to the parameters included in the crypto map entry.

When two peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. The following are the minimum criteria for two crypto map entries to be compatible:

- The crypto map entries must contain compatible crypto access lists (for example, mirror-image access lists). If the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be "permitted" by the peer's crypto access list.
- The crypto map entries must each identify the other peer (unless the responding peer is using dynamic crypto maps).
- The crypto map entries must have at least one transform set in common.

Tunnel policies define the VPN connection between two peers. They specify which traffic will be secured and the authentication and encryption algorithms that will be used to secure the traffic.

A tunnel policy's priority is indicated by its position in the list of policies (higher indicates higher priority). If a traffic flow matches the filter conditions in more than one tunnel policy, the policy with the highest priority is applied. You can change the order of the policies in the list according to the priority you want them to have.
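The three compatibility criteria for crypto map entries and the position-based priority of tunnel policies are both mechanical rules, so the following added example (written for this page; it is not code from the original document or from any vendor's device) models them directly: a `compatible()` check that tests mirror-image access lists, or containment by the peer's access list when the responder uses a dynamic map, mutual peer identification, and a shared transform set; and a `select_policy()` that applies the first matching policy in a priority-ordered list. The peer addresses 203.0.113.1 and 198.51.100.1, the protected networks and the transform-set names are constructed for the illustration.

```python
"""Added example, not code from the page or from any vendor's implementation:
a model of the three compatibility criteria for two peers' crypto map entries,
and of selecting a tunnel policy by first match in a priority-ordered list.

Peer addresses (203.0.113.1, 198.51.100.1), protected networks and
transform-set names are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One permit line of a crypto access list: protect traffic src -> dst."""
    src: str
    dst: str

    def mirrored(self) -> "AclEntry":
        return AclEntry(self.dst, self.src)

    def covers(self, other: "AclEntry") -> bool:
        """True if this entry's networks contain the other entry's networks."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    local_addr: str
    peer: Optional[str]            # None on a dynamic map: the responder learns the peer at negotiation time
    access_list: List[AclEntry]    # empty on a dynamic map means "whatever the initiator proposes"
    transform_sets: List[str]
    dynamic: bool = False


def compatible(local: CryptoMapEntry, remote: CryptoMapEntry) -> Tuple[bool, str]:
    """Apply the three criteria from the text. On success the detail is the
    transform set both peers will use; otherwise it is the reason negotiation fails."""
    mirrored = [e.mirrored() for e in local.access_list]
    # 1. Access lists: mirror images, or (dynamic responder) each local entry permitted by the peer's list.
    if remote.dynamic:
        if remote.access_list and not all(any(r.covers(m) for r in remote.access_list) for m in mirrored):
            return False, "local access list not permitted by the dynamic peer's access list"
    elif set(mirrored) != set(remote.access_list):
        return False, "access lists are not mirror images"
    # 2. Each entry identifies the other peer (a dynamic responder does not name the initiator).
    if local.peer != remote.local_addr or (not remote.dynamic and remote.peer != local.local_addr):
        return False, "entries do not identify each other as peers"
    # 3. At least one transform set in common; the first of the initiator's preferences wins.
    common = next((t for t in local.transform_sets if t in remote.transform_sets), None)
    if common is None:
        return False, "no transform set in common"
    return True, common


@dataclass(frozen=True)
class TunnelPolicy:
    name: str
    src: str
    dst: str
    transform_set: str


def select_policy(policies: List[TunnelPolicy], src_ip: str, dst_ip: str) -> Optional[str]:
    """Policies are listed highest priority first; the first whose filter matches
    the flow is applied, so reordering the list changes the outcome."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.name
    return None   # no policy matches: this flow is not protected by any tunnel


if __name__ == "__main__":
    hq = CryptoMapEntry("HQMAP", 10, "203.0.113.1", "198.51.100.1",
                        [AclEntry("10.1.0.0/16", "10.2.0.0/16")], ["ESP-AES-SHA", "ESP-3DES-MD5"])
    branch = CryptoMapEntry("BRMAP", 10, "198.51.100.1", "203.0.113.1",
                            [AclEntry("10.2.0.0/16", "10.1.0.0/16")], ["ESP-AES-SHA"])
    print(compatible(hq, branch))
    policies = [TunnelPolicy("finance", "10.1.5.0/24", "10.2.0.0/16", "ESP-AES-SHA"),
                TunnelPolicy("site", "10.1.0.0/16", "10.2.0.0/16", "ESP-3DES-MD5")]
    print(select_policy(policies, "10.1.5.9", "10.2.0.4"), select_policy(policies, "10.1.7.9", "10.2.0.4"))
```

Two details worth noticing: the mirror-image test is order-insensitive (a set comparison), because the access lists on the two peers need not list their entries in the same order; and `select_policy()` returns the more specific "finance" policy only because it is listed first, so swapping the two entries silently moves that traffic to the weaker transform set.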

