Virtual Private Networks (VPN’s)

By: Agasi Aslanyan
Joel Almasol
Joe Nghe
Michael Wong

CIS 484
May 20, 2004

Table Of Contents

– VPN Introduction – What is VPN and who uses it?
– 3 Types of VPN’s
– VPN Protocols
– VPN Tunneling
– VPN Packet Transmission
– VPN Security: Firewalls
– VPN Devices
– VPN Advantages/Disadvantages
– VPN Connections in Windows XP
– Summary/Conclusion

What is a VPN?

A virtual private network (VPN) is a network that uses public means of transmission (the Internet) as its WAN link.

What is a VPN? (Cont.)

A VPN can be created by connecting offices and single users (including mobile users) to the nearest service provider’s POP (Point of Presence) and using that service provider’s backbone network, or even the Internet, as the tunnel between offices.

Traffic that flows through the backbone is encrypted to prevent intruders from spying on or intercepting the data.

What is a VPN? (Cont.)

[Slide contains no extracted text.]

Who uses VPN’s?

VPN’s can be found in homes, workplaces, or anywhere else, as long as an ISP (Internet Service Provider) is available.

VPN’s allow company employees who travel often or who are outside their company headquarters to safely and securely connect to their company’s Intranet.

3 Types of VPN

– Remote-Access VPN
– Site-to-Site VPN (Intranet-based)
– Site-to-Site VPN (Extranet-based)

Remote-Access VPN

Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations.

A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field.

Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Site-to-Site VPN

Intranet-based – If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based – When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

All 3 types of VPN

[Slide contains no extracted text.]

VPN Protocols

There are three main protocols that power the vast majority of VPN’s:
– PPTP
– L2TP
– IPsec

All three protocols emphasize encryption and authentication: preserving the integrity of data that may be sensitive, and allowing clients/servers to establish an identity on the network.

VPN Protocols (In depth)

Point-to-point tunneling protocol (PPTP)
– PPTP is widely supported by Microsoft as it is built into the various flavors of the Windows OS
– PPTP initially had weak security features; however, Microsoft continues to improve its support

Layer Two tunneling protocol (L2TP)
– L2TP was the original competitor to PPTP and was implemented primarily in Cisco products
– L2TP is a combination of the best features of an older protocol, L2F, and PPTP
– L2TP exists at the data link layer (Layer 2) of the OSI model

VPN Protocols (continued)

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol.

IPSec can encrypt data between various devices, such as:
– Router to router
– Firewall to router
– PC to router
– PC to server

VPN Tunneling

VPN Tunneling supports two types: voluntary tunneling and compulsory tunneling.

Voluntary tunneling is where the VPN client manages the connection setup.

Compulsory tunneling is where the carrier network provider manages the VPN connection setup.

Tunneling

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network.

Tunneling requires three different protocols:
– Passenger protocol – The original data (IPX, IP) being carried
– Encapsulating protocol – The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
– Carrier protocol – The protocol used by the network that the information is traveling over

VPN Packet Transmission

Packets are first encrypted before being sent out for transmission over the Internet. The encrypted packet is placed inside an unencrypted packet. The unencrypted outer packet is read by the routing equipment so that it may be properly routed to its destination.

Once the packet reaches its destination, the outer packet is stripped off and the inner packet is decrypted.
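The three slides above (the passenger/encapsulating/carrier split, the IPsec tunnel-versus-transport distinction, and encrypt-then-wrap transmission) can be seen in one small model. The following Python is an added example, not code from the presentation: it builds a real 20-byte IPv4 header with `struct`, seals the passenger packet, wraps it in a carrier header, and shows what routing equipment on the public path can read in each mode. The keys, addresses and payload are constructed for the demo, and the HMAC-derived keystream plus tag is a toy stand-in for ESP's cipher and integrity check so that the example needs only the standard library.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo keys. In real IPsec the keys come from IKE negotiation;
# the keyed-stream + HMAC construction below is a toy stand-in for ESP's
# cipher and integrity check so the example runs on the standard library only.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-integrity-key"
ESP = 50        # IP protocol number of IPsec ESP
TAG_LEN = 16


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt: bytes):
    """Read a packet the way routing equipment does: (src, dst, proto, payload)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[ihl:total_len]


def _keystream(seq: int, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, struct.pack("!II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(seq: int, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: seq || ciphertext || tag (ESP-like layout)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(seq, len(plaintext))))
    body = struct.pack("!I", seq) + ct
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def unseal(blob: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered packet is dropped, never decrypted."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]):
        raise ValueError("integrity check failed; packet dropped")
    seq = struct.unpack("!I", body[:4])[0]
    ct = body[4:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(seq, len(ct))))


# Tunnel mode: the whole inner packet (header + payload) is the passenger,
# ESP is the encapsulating protocol, and the outer IPv4 header is the carrier.
def tunnel_encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str, seq: int) -> bytes:
    sealed = seal(seq, inner_pkt)
    return ipv4_header(gw_src, gw_dst, ESP, len(sealed)) + sealed


def tunnel_decapsulate(outer_pkt: bytes) -> bytes:
    _, _, proto, sealed = parse_ipv4(outer_pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    return unseal(sealed)          # strip the outer header, decrypt the inner packet


# Transport mode: the original header stays in the clear; only the payload is sealed.
def transport_protect(pkt: bytes, seq: int) -> bytes:
    src, dst, proto, payload = parse_ipv4(pkt)
    sealed = seal(seq, bytes([proto]) + payload)   # carry the original next-header inside
    return ipv4_header(src, dst, ESP, len(sealed)) + sealed


def transport_unprotect(pkt: bytes) -> bytes:
    src, dst, _, sealed = parse_ipv4(pkt)
    plain = unseal(sealed)
    return ipv4_header(src, dst, plain[0], len(plain) - 1) + plain[1:]


def router_view(pkt: bytes) -> dict:
    """Everything an on-path router (or eavesdropper) can read without the keys."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return {"src": src, "dst": dst, "proto": proto}


# Constructed sample: a host on one office LAN talking to a server in another office.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 6, 21) + b"GET /payroll HTTP/1.1"


def demo() -> dict:
    tunneled = tunnel_encapsulate(INNER, "203.0.113.1", "198.51.100.1", seq=1)
    transported = transport_protect(INNER, seq=2)
    return {
        "tunnel_router_view": router_view(tunneled),        # gateway addresses only
        "transport_router_view": router_view(transported),  # real endpoints visible
        "tunnel_roundtrip_ok": tunnel_decapsulate(tunneled) == INNER,
        "transport_roundtrip_ok": transport_unprotect(transported) == INNER,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

`router_view` is the point of the exercise: in tunnel mode the public network sees only the two gateways and protocol 50, so the private 10.x addresses never appear in cleartext, while transport mode exposes the real endpoints and hides only the payload. `unseal` checks the tag before touching the ciphertext, which is the order a real ESP implementation follows so that a modified packet is discarded rather than decrypted.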

VPN Security: Firewalls

A well-designed VPN uses several methods for keeping your connection and data secure:
– Firewalls
– Encryption
– IPSec
– AAA Server

You can set firewalls to restrict the number of open ports, what type of packets are passed through, and which protocols are allowed through.
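As an added illustration of the firewall slide (this is example code, not part of the presentation), the following Python models a default-deny rule set on the public interface of a VPN gateway: only the protocols and ports the three VPN protocols need are opened, and every other packet is dropped. The rule table and the traffic sample are constructed for the example; the protocol and port numbers are the standard assignments for IKE, ESP, L2TP and PPTP.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard IP protocol numbers for the protocols named in the slides.
TCP, UDP, GRE, ESP, ICMP = 6, 17, 47, 50, 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]          # None: protocol has no ports (ESP, GRE)
    note: str


# Constructed allow-list for the public interface of a VPN gateway.
# Anything not matched is dropped: the firewall decides which protocols pass
# and which ports are open, the two controls the slide describes.
GATEWAY_RULES: List[Rule] = [
    Rule(UDP, 500,  "IKE: IPsec key negotiation"),
    Rule(UDP, 4500, "IPsec NAT traversal (UDP-encapsulated ESP)"),
    Rule(ESP, None, "IPsec ESP"),
    Rule(UDP, 1701, "L2TP"),
    Rule(TCP, 1723, "PPTP control channel"),
    Rule(GRE, None, "PPTP data channel"),
]


def evaluate(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; no match means default deny."""
    for r in rules:
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return "ALLOW", r.note
    return "DROP", "default deny"


def open_ports(rules: List[Rule]) -> set:
    """The (proto, port) pairs a scan of the gateway would find open."""
    return {(r.proto, r.dport) for r in rules if r.dport is not None}


def audit(packets: List[Packet], rules: List[Rule]) -> list:
    """Apply the rule set to a traffic sample and return (packet, verdict, reason)."""
    return [(p, *evaluate(p, rules)) for p in packets]


# Constructed traffic sample arriving at the gateway (198.51.100.1).
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.1", UDP, 500),     # remote office starting IKE
    Packet("203.0.113.7", "198.51.100.1", ESP),          # its protected traffic
    Packet("198.51.100.50", "198.51.100.1", TCP, 1723),  # PPTP client
    Packet("198.51.100.50", "198.51.100.1", GRE),
    Packet("192.0.2.9", "198.51.100.1", TCP, 23),        # telnet: not a VPN protocol
    Packet("192.0.2.9", "198.51.100.1", TCP, 445),       # SMB: must stay closed
    Packet("192.0.2.9", "198.51.100.1", ICMP),
]


if __name__ == "__main__":
    for pkt, verdict, why in audit(SAMPLE, GATEWAY_RULES):
        print(f"{verdict:5} proto={pkt.proto:<3} dport={pkt.dport} from {pkt.src}: {why}")
```

The rule set keeps four ports open and passes two port-less protocols; the `open_ports` helper makes the first number explicit so it can be compared against what the gateway actually exposes. Protocols such as ESP and GRE have no port, which is why a rule needs a protocol field and not just a port list.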

Some VPN products, such as Cisco 1700 routers, can be upgraded to include firewall capabilities by running the appropriate Cisco IOS on them.

Cisco 1700 Series Routers

VPN Concentrator

Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN.

The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

Advantages of VPN’s

There are two main advantages of VPN’s, namely cost savings and scalability.

VPN’s lower costs by eliminating the need for expensive long-distance leased lines. A local leased line or even a broadband connection is all that’s needed to connect to the Internet and utilize the public network to securely tunnel a private connection.

Advantages of VPN’s (continued)

As the number of company branches grows, purchasing additional leased lines increases cost exponentially, which is why VPN’s offer even greater cost savings when scalability is an issue.

VPN’s may also be used to span globally, which lowers cost even more when compared to traditional leased lines.

Disadvantages of VPN’s

Because the connection travels over public lines, a strong understanding of network security issues and proper precautions before VPN deployment are necessary.

VPN connection stability is mainly dependent on Internet stability, a factor outside an organization’s control.

Differing VPN technologies may not work together due to immature standards.

VPN Connection in XP

[Slides 24 to 30 contain no extracted text.]

Summary

– A virtual private network (VPN) is a network that uses public means of transmission (Internet) as its WAN link, connecting clients who are geographically separated through secure tunneling methods
– Main VPN protocols include PPTP, L2TP, and IPsec
– VPN Tunneling supports two types: voluntary tunneling and compulsory tunneling
– Cost and scalability are the main advantages of a VPN
– Network security and Internet stability are the main concerns for VPN’s

Resources Used

– http://vpn.shmoo.com/
– http://www.uwsp.edu/it/vpn/
– http://info.lib.uh.edu/services/vpn.html
– http://www.cites.uiuc.edu/vpn/
– http://www.positivenetworks.net/images/client-uploads/jumppage2.htm

The End

Thank you all for your time. We hope you found this presentation informative.