The world has changed a lot in the
last couple of decades. Instead of simply dealing with local or regional
concerns, many businesses now have to think about global markets and logistics.
Many companies have facilities spread out across the country, or even around
the world. But there is one thing that all companies need: a way to maintain
fast, secure, and reliable communications wherever their offices are located.
Until recently, reliable
communication has meant the use of leased lines to maintain a wide-area network
(WAN). Leased lines, ranging from Integrated Services Digital Network (ISDN,
which runs at 144 Kbps) to Optical Carrier-3 (OC3, which runs at 155 Mbps)
fiber, provide a company with a way to expand their private network beyond
their immediate geographic area. A WAN has obvious advantages over a public
network like the Internet when it comes to reliability, performance, and
security; but maintaining a WAN, particularly when using leased lines, can
become quite expensive (it often rises in cost as the distance between the
offices increases). Additionally, leased lines are not a viable solution for
organizations where part of the work force is highly mobile (as is the case
with the marketing staff) and might frequently need to connect to the corporate
network remotely and access sensitive data.
As the popularity of the Internet
has grown, businesses have turned to it as a means of extending their own
networks. First came intranets, which are sites designed for use only by company
employees. Now, many companies create their own Virtual Private Networks (VPNs)
to accommodate the needs of remote employees and distant offices.
A typical VPN might have a main
local-area network (LAN) at the corporate headquarters of a company, other LANs
at remote offices or facilities, and individual users that connect from out in
the field.
A VPN is a private network that uses
a public network (usually the Internet) to connect remote sites or users
together. Instead of using a dedicated, real-world connection, such as a leased
line, a VPN uses "virtual" connections routed through the Internet
from the company's private network to the remote site or employee.
Analogy: Each LAN is an Island
Imagine that you live on an island in
a huge ocean. There are thousands of other islands all around you, some very
close and others farther away. The common means of travel between islands is
via ferry. Traveling on the ferry means that you have almost no privacy: Other
people can see everything you do.
Let's say that each island
represents a private local area network (LAN) and the ocean is the Internet.
Traveling by ferry is like connecting to a Web server or other device through
the Internet. You have no control over the wires and routers that make up the
Internet, just like you have no control over the other people on the ferry.
This leaves you susceptible to security issues if you're trying to connect two
private networks using a public resource.
Continuing with our analogy, your
island decides to build a bridge to another island so that people have an
easier, more secure and direct way to travel between the two islands. It is
expensive to build and maintain the bridge, even if the islands are close
together. However, the need for a reliable, secure path is so great that you do
it anyway. Your island would like to connect to yet another island that is much
farther away, but decides that the costs are simply too much to bear.
This scenario represents having a
leased line. The bridges (leased lines) are separate from the ocean (Internet),
yet are able to connect the islands (LANs). Companies who choose this option do
so because of the need for security and reliability in connecting their remote
offices. However, if the offices are very far apart, the cost can be
prohibitively high -- just like trying to build a bridge that spans a great
distance.
So how does a VPN fit in? Using our
analogy, suppose each inhabitant on your island has a small submarine. Let's
assume that each submarine has these amazing properties:
- It's fast.
- It's easy to take with you wherever you go.
- It's able to completely hide you from any other boats or submarines.
- It's dependable.
- It costs little to add additional submarines to your fleet once you've purchased the first one.
Although they're traveling in the
ocean along with other traffic, the people could travel between islands whenever
they wanted to with privacy and security. That's essentially how a VPN works.
Each remote member of your network can communicate in a secure and reliable
manner using the Internet as the medium to connect to the private LAN. A VPN
can grow to accommodate more users and different locations much more easily
than a leased line. In fact, scalability is a major advantage that VPNs have
over leased lines. Moreover, the distance doesn't matter, because VPNs can
easily connect multiple geographic locations worldwide.
Next, we'll look at what constitutes
a good VPN, including its benefits and features.
What Makes a VPN?
A VPN's purpose is providing a
secure and reliable private connection between computer networks over an
existing public network, typically the Internet. Before looking at the
technology that makes a VPN possible, let's consider all the benefits and
features a business should expect in a VPN.
A well-designed VPN provides a
business with the following benefits:
- Extended connections across multiple geographic locations without using a leased line
- Improved security for exchanging data
- Flexibility for remote offices and employees to use the business intranet over an existing Internet connection as if they're directly connected to the network
- Savings in time and expense for employees to commute if they work from virtual workplaces
- Improved productivity for remote employees
A business might not require all
these benefits from its VPN, but it should demand the following essential VPN
features:
- Security -- The VPN should protect data while it's traveling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
- Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
- Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.
One thing to note about VPNs is that, although the individual protocols (IPsec, L2TP, PPTP and so on) are standardized, there is no single standard that dictates how a VPN must be assembled. If you're establishing your own VPN, it's up to you to decide which protocols and components to use and to understand how they work together.
Equipment Used in a VPN
While a VPN can be configured on generic computer equipment such as standard servers, most businesses opt for dedicated equipment optimized for the VPN and general network security. A small company might have all of its VPN equipment on site or, as discussed below under remote-access VPNs, might outsource its VPN services to an enterprise service provider. A larger company with branch offices might choose to co-locate some of its VPN equipment, meaning that it will set up that equipment in a co-location facility (or colo). A colo is a large data center that rents space to businesses that need to set up servers and other network equipment on a very fast, highly reliable Internet connection.

As mentioned earlier, there is no single standard that all VPNs follow in terms of their setup. When planning or extending a VPN, though, you should consider the following equipment:
Network access server -- NAS is responsible for setting up and maintaining each tunnel in a remote-access VPN.
Firewall -- A firewall provides a strong barrier between your private network and the Internet. IT staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to help protect against malicious Internet traffic.
AAA Server -- The acronym stands for the server's three responsibilities: authentication, authorization and accounting. For each VPN connection, the AAA server confirms who you are (authentication), identifies what you're allowed to access over the connection (authorization) and tracks what you do while you're logged in (accounting).
One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS). Despite its name, RADIUS isn't just for dial-up users. When a RADIUS server is part of a VPN, it handles authentication for all connections coming through the VPN's NAS.
VPN components can run alongside other software on a shared server, but this is not typical, and it could put the security and reliability of the VPN at risk. A small business that isn't outsourcing its VPN services might deploy firewall and RADIUS software on generic servers. However, as a business's VPN needs increase, so does its need for equipment that's optimized for the VPN. The following are dedicated VPN devices a business can add to its network. You can purchase these devices from companies that produce network equipment:
VPN Concentrator -- This device terminates VPN tunnels in place of a NAS running on a generic server. Its hardware and software work together to establish tunnels and handle large numbers of simultaneous connections; it normally still hands user credentials to an AAA server for checking.
VPN-enabled/VPN-optimized Router -- This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.
VPN-enabled Firewall -- This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.
VPN Client -- In the site-to-site case this is a small dedicated device (a hardware client) rather than software: it acts as the tunnel interface for every computer behind it, so each of those computers is spared from running its own VPN client software.
Types of VPNs:
a) Remote-access VPN
A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.
There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure. You can read more about tunneling and encryption later in this article.
Large corporations or businesses with knowledgeable IT staff typically purchase, deploy and maintain their own remote-access VPNs. Businesses can also choose to outsource their remote-access VPN services through an enterprise service provider (ESP). The ESP sets up a NAS for the business and keeps that NAS running smoothly.
A remote-access VPN is great for individual employees, but what about entire branch offices with dozens or even hundreds of employees? Next, we'll look at another type of VPN used to keep businesses connected LAN-to-LAN.
b) Site-to-site VPN
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN client equipment, described above under Equipment Used in a VPN, can accomplish this goal in a site-to-site VPN.
Encryption and Security Protocols in a VPN
Now that we know the two types of VPNs, let's look at how data is kept secure as it travels across a VPN. Encryption is the process of encoding data so that only a computer with the right key will be able to read and use it. You could use encryption to protect files on your computer or e-mails you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it. The two most common forms of encryption are symmetric-key encryption and public-key encryption:
In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.
In public-key encryption, each computer (or user) has a public-private key pair. Anyone can encrypt a message with a computer's public key, but only the holder of the matching private key can decrypt it. The reverse operation, a signature made with the private key that anyone can check with the public key, proves who sent the message. VPNs typically use public-key operations only to authenticate the peers and agree on a session key, then switch to much faster symmetric-key encryption for the traffic itself.
Tunneling is the process of placing an entire packet within another packet before it's transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.
This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, can encapsulate outgoing packets and reopen incoming packets. Users (at one end of the tunnel) and IT personnel (at one or both ends of the tunnel) configure the tunnel interfaces they're responsible for to use a tunneling protocol. Also called an encapsulation protocol, a tunneling protocol is a standardized way to encapsulate packets. VPNs use several different tunneling protocols, described in the sections that follow.
A well-designed VPN uses several methods in order to keep your connection and data secure.
Data Confidentiality -- This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most VPNs use one of these protocols to provide encryption:
- IPsec -- Internet Protocol Security (IPsec) provides strong encryption algorithms and comprehensive peer authentication. IPsec has two modes: tunnel and transport. Tunnel mode encrypts the original IP header together with the payload of each packet, while transport mode only encrypts the payload. Only systems that implement IPsec can take advantage of this protocol, and both peers must either share a pre-shared key or trust a common certificate authority, and must be configured with matching security policies (proposals), or the negotiation fails. For remote-access VPN users, either the operating system's built-in client or a third-party package provides the connection and encryption on the user's PC. Early IPsec implementations offered only 56-bit DES or 168-bit triple-DES; both are now deprecated, and current deployments use AES (ideally AES-GCM, which provides encryption and integrity in one pass).
- PPTP/MPPE -- PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption: MPPE is a separate PPP option, and its RC4 keys are derived from the MS-CHAP authentication exchange, so the encryption is only as strong as that authentication (see PPTP Security below).
- L2TP/IPsec -- Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP Forum, Cisco, and the Internet Engineering Task Force (IETF). It is primarily used for remote-access VPNs, because Windows 2000 and every later Windows release provide a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access point and the remote office network server.
Data Integrity -- While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. IPsec does this with a keyed integrity check value (ICV) on each packet: ESP covers the ESP header and the (encrypted) payload, while AH covers the entire packet including the immutable fields of the IP header. If tampering is detected, the packet is silently dropped. Data integrity can also involve authenticating the remote peer.
Data Origin Authentication -- It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender. Because the ICV is computed with a key known only to the two peers, a packet that verifies could only have been produced by one of them.
Anti-Replay -- This is the ability to detect and reject packets that an attacker has captured and re-sent. IPsec carries a monotonically increasing sequence number in each packet, and the receiver keeps a sliding window (at least 32, usually 64 packets wide) of sequence numbers already accepted; anything older than the window or already marked in it is dropped.
Data Tunneling/Traffic Flow Confidentiality -- Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality.
All the encryption protocols listed here also use
tunneling as a means to transfer the encrypted data across the public network.
It is important to realize that tunneling, by itself, does not provide data
security. The original packet is merely encapsulated inside another protocol
and might still be visible with a packet-capture device if not encrypted. It is
mentioned here, however, since it is an integral part of how VPNs function.
Tunneling requires three different protocols:
- Passenger protocol -- The original data (IPX, NetBEUI, IP) that is carried.
- Encapsulating protocol -- The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
- Carrier protocol -- The protocol used by the network over which the information is traveling.
The original packet (passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBEUI, which would normally not be routed across the Internet at all, can be carried this way, and securely so when the encapsulating protocol encrypts them.
For
site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic
Routing Encapsulation (GRE). GRE includes information on what type of packet
you are encapsulating and information about the connection between the client
and server.
For remote-access VPNs, tunneling normally carries Point-to-Point Protocol (PPP) frames. PPP is the data-link protocol that carries IP (and other network protocols) over a point-to-point link between the host computer and a remote system; a remote-access tunnel extends that link across the Internet by encapsulating each PPP frame, using one of PPTP, L2TP or Cisco's Layer 2 Forwarding (L2F).
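The passenger/encapsulating/carrier layering above, as an added example that is not code from the original page or from any tunnel implementation: GRE over IPv4 (RFC 2784) built and parsed with nothing but struct. The addresses and payload are constructed, and the check at the end makes the page's own point that encapsulation without encryption leaves the passenger readable on the wire.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # carrier protocol's next-header value for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field announcing an IPv4 passenger


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; a valid header checksums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier IPv4 (proto 47) + 4-byte GRE header (no C/K/S options) + passenger."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre_hdr + passenger)


def gre_decapsulate(packet: bytes) -> tuple:
    """Validate carrier and GRE headers; return (outer_src, outer_dst, passenger)."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("carrier is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad carrier header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("carrier next-header %d is not GRE" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:          # version field must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:          # C, K or S set: optional fields follow, not handled here
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return outer_src, outer_dst, packet[ihl + 4:total_len]


def try_decapsulate(packet: bytes):
    """What a tunnel endpoint does with a bad packet: drop it (None) rather than crash."""
    try:
        return gre_decapsulate(packet)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed passenger: a private-address UDP packet that could not cross the Internet as-is
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 17, b"hello")
    tunneled = gre_encapsulate(inner, "198.51.100.1", "203.0.113.2")
    print(try_decapsulate(tunneled))
    print(b"hello" in tunneled)   # True: encapsulation alone is not confidentiality
```

Only the outer header is routed on the Internet, which is why the 10.0.0.0/8 passenger gets through; a capture anywhere along the path still shows the inner addresses and payload, which is the gap IPsec (or MPPE, for PPTP) has to close.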
AAA -- Authentication, authorization, and accounting is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication, however, a valid username and password (or a certificate, or a second factor) also has to be presented before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can in turn authenticate against numerous other databases such as Windows NT domains, Novell directories, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:
- Who you are (authentication)
- What you are allowed to do (authorization)
- What you actually do (accounting)
The Accounting information is especially useful for
tracking client use for security auditing, billing or reporting purposes.
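The exchange between the VPN device and an external AAA server described above, as an added example that is not code from the original page or from any RADIUS implementation: both sides of a RADIUS Access-Request/Access-Accept exchange per RFC 2865, including the User-Password hiding, the Response Authenticator the NAS checks, and the Message-Authenticator attribute (RFC 2869) that protects the request itself. The shared secret, user database and NAS address are constructed; a real NAS would send these datagrams to UDP port 1812.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, includes these two bytes) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _xor_chain(secret: bytes, request_auth: bytes, data: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block        # the ciphertext block either way
    return out


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    return _xor_chain(secret, request_auth, password + b"\x00" * (-len(password) % 16), True)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    return _xor_chain(secret, request_auth, hidden, False).rstrip(b"\x00")


def _seal(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18) + authenticator
    mac = hmac.new(secret, head + attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),
                   hashlib.md5).digest()
    return head + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(secret: bytes, packet: bytes, request_auth: bytes) -> bool:
    """Replies are checked with the matching *request's* authenticator in the header."""
    i = 20
    while i + 1 < len(packet) and packet[i + 1] >= 2:
        if packet[i] == MESSAGE_AUTHENTICATOR and packet[i + 1] == 18:
            zeroed = (packet[:4] + request_auth + packet[20:i + 2]
                      + b"\x00" * 16 + packet[i + 18:])
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += packet[i + 1]
    return False                                  # missing: treat as forged


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 1 < len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(secret: bytes, ident: int, username: bytes,
                         password: bytes, nas_ip: str) -> bytes:
    request_auth = os.urandom(16)                 # fresh per request; keys the password hiding
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _seal(ACCESS_REQUEST, ident, request_auth, attrs, secret)


def server_handle(secret: bytes, users: dict, packet: bytes) -> bytes:
    """AAA server side: verify the request, check credentials, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    ok = False
    if (code == ACCESS_REQUEST and length == len(packet)
            and verify_message_authenticator(secret, packet, request_auth)):
        attrs = parse_attrs(packet[20:])
        password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
        expected = users.get(attrs.get(USER_NAME), b"")
        ok = bool(expected) and hmac.compare_digest(expected, password)
    reply = _seal(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, b"", secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[:4] + response_auth + reply[20:]


def client_verify_response(secret: bytes, request: bytes, response: bytes):
    """NAS side: the reply's code, or None if it is not a genuine answer to this request."""
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return None
    if not verify_message_authenticator(secret, response, request_auth):
        return None
    return response[0]
```

The password hiding is XOR with an MD5 keystream, not real encryption, and the Response Authenticator is a plain MD5 over the secret: the 2024 Blast-RADIUS attack (CVE-2024-3596) forges Access-Accept replies by MD5 collision against that authenticator, which is why both sides above insist on the HMAC-based Message-Authenticator rather than treating it as optional, and why RADIUS between a NAS and an AAA server should itself run inside an IPsec or TLS-protected path.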
Nonrepudiation -- In certain data transfers, especially those related to financial transactions, nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end denies having taken part in a transaction. Much like a bank requires your signature before honoring your check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the possibility of the sender denying participation in the transaction. Note that a VPN's per-packet integrity check does not provide this: it uses a symmetric key that both peers hold, so either side could have produced the packet. Nonrepudiation needs public-key signatures, normally applied by the application rather than by the tunnel.
IPsec VPN:
The IP Security (IPsec) protocol
provides a framework for configuring secure VPNs and is commonly deployed over
the Internet to connect branch offices, remote employees, and business
partners. It is a reliable way to maintain communication privacy while
streamlining operations, reducing costs, and allowing flexible network
administration.
IPsec VPN negotiation can be broken down into five steps:
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that is defined in the crypto access control list (ACL).
Step 2. Router1 and Router2 (the IPsec peers in front of the two hosts) negotiate a Security Association (SA) used to form an IKE Phase 1 tunnel, which is also known as an ISAKMP tunnel. The peers authenticate each other here, with a pre-shared key or with certificates.
Step 3. Within the protection of the IKE Phase 1 tunnel, an IKE Phase 2 tunnel is negotiated and set up. An IKE Phase 2 tunnel is also known as an IPsec tunnel; it is really a pair of one-way IPsec SAs, one for each direction. (The phase names are IKEv1 terms; IKEv2 reaches the same result with an IKE_SA_INIT/IKE_AUTH exchange that creates the first IPsec SA at the same time.)
Step 4. After the IPsec tunnel is established, interesting traffic flows through the protected IPsec tunnel.
Step 5. After no interesting traffic has been seen for a specified amount of time, or if the IPsec SA is deleted, the IPsec tunnel is torn down.
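The five steps above, as an added simulation that is not code from the original page or from any vendor: a crypto ACL decides which traffic is interesting, the first matching flow brings the IKE and IPsec SAs up on demand, and an idle timer tears them down. The networks, timeout and ACLs are constructed for illustration; the mirrored-ACL check encodes the IKEv1 crypto-map rule that the two peers' ACLs must describe the same flows with source and destination swapped, the most common reason Phase 1 succeeds while Phase 2 fails.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CryptoAclEntry:
    src: str            # e.g. "192.168.1.0/24"
    dst: str
    proto: str = "ip"   # "ip" matches any protocol, otherwise "tcp", "udp", ...

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", proto))


def is_interesting(acl, src_ip: str, dst_ip: str, proto: str) -> bool:
    """Step 1: a flow is interesting when a permit entry of the crypto ACL matches it."""
    return any(entry.matches(src_ip, dst_ip, proto) for entry in acl)


def mirrors(local_acl, peer_acl) -> bool:
    """Proxy identities must be mirror images, or the IPsec SA (Phase 2) is refused."""
    return (sorted((e.src, e.dst, e.proto) for e in local_acl)
            == sorted((e.dst, e.src, e.proto) for e in peer_acl))


@dataclass
class IpsecTunnel:
    acl: list
    peer_acl: list
    idle_timeout: int = 30          # seconds without interesting traffic before teardown
    state: str = "IDLE"             # IDLE -> IKE_PHASE1 -> IKE_PHASE2 -> ESTABLISHED -> IDLE
    last_interesting: int = 0
    log: list = field(default_factory=list)

    def _negotiate(self, now: int) -> bool:
        self.state = "IKE_PHASE1"                       # step 2: IKE (ISAKMP) SA
        self.log.append((now, "IKE Phase 1 SA established"))
        if not mirrors(self.acl, self.peer_acl):        # step 3 fails on mismatched ACLs
            self.state = "IDLE"
            self.log.append((now, "IKE Phase 2 failed: proxy identities do not match"))
            return False
        self.state = "IKE_PHASE2"
        self.log.append((now, "IPsec SA pair established inside the IKE SA"))
        self.state = "ESTABLISHED"
        return True

    def send(self, now: int, src_ip: str, dst_ip: str, proto: str = "tcp") -> str:
        """What happens to one packet: 'bypass' (sent clear), 'protected' or 'drop'."""
        if not is_interesting(self.acl, src_ip, dst_ip, proto):
            return "bypass"                             # not covered by the crypto map
        if self.state != "ESTABLISHED" and not self._negotiate(now):
            return "drop"                               # interesting but no SA: never sent clear
        self.last_interesting = now
        return "protected"                              # step 4

    def tick(self, now: int) -> None:
        """Step 5: tear the tunnel down after idle_timeout without interesting traffic."""
        if self.state == "ESTABLISHED" and now - self.last_interesting >= self.idle_timeout:
            self.state = "IDLE"
            self.log.append((now, "IPsec SA deleted: idle"))


if __name__ == "__main__":
    acl = [CryptoAclEntry("192.168.1.0/24", "192.168.2.0/24")]      # constructed example
    peer = [CryptoAclEntry("192.168.2.0/24", "192.168.1.0/24")]     # the peer's mirror image
    tunnel = IpsecTunnel(acl, peer)
    print(tunnel.send(0, "192.168.1.10", "198.51.100.7"))   # bypass: Internet-bound
    print(tunnel.send(1, "192.168.1.10", "192.168.2.20"))   # protected: brings the SAs up
    tunnel.tick(40)
    print(tunnel.state, tunnel.log)
```

The asymmetry the simulation shows is the one to remember when debugging: traffic the ACL does not match is sent in the clear without any error, while traffic it does match is dropped until the SAs exist, so a too-narrow ACL leaks and a too-wide one blackholes.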
The site-to-site VPN uses the Internet or another shared environment as its transport, so security is the primary concern, and IPsec provides it. IPsec operates at Layer 3 of the OSI model (the network layer) and is independent of the applications: applications don't require any modification to use IPsec.
IPsec Modes
IPsec uses 2 modes to establish a
secure communication channel between network nodes, Transport mode & Tunnel
mode. These 2 modes are different in what parts of IP headers and
payloads are to be kept confidential. In Transport mode, security is provided
only for the transport layer and above while Tunnel mode will encapsulate the
original IP header and creates a new IP header that is sent unencrypted across
the untrusted network. We will not go deeper in these modes to keep this
tutorial simple.
IPsec Transforms
IPsec delivers data confidentiality services by executing a "transform" on plaintext data, turning it into a block of ciphertext. Common ciphers used in IPsec transforms are DES, 3DES, and AES. 3DES and AES are considered stronger than DES because they use longer keys: DES has a 56-bit key, 3DES uses three 56-bit keys (168 bits, with an effective strength of about 112 bits), and AES supports 128-, 192- and 256-bit keys. DES is considered broken and should not be configured at all; AES is the current choice.
PPTP VPN:
PPTP stands for Point-to-Point Tunneling Protocol and is one of several methods to implement virtual private networks (VPN). PPTP uses two channels: a control connection over the transmission control protocol (TCP) and a generic routing encapsulation (GRE) tunnel that encapsulates the Point-to-Point Protocol (PPP) packets.
The security functionality relies on the PPP protocol, as PPTP itself does not encrypt or authenticate anything; PPP supplies authentication (MS-CHAP, EAP) and encryption (MPPE). PPTP was the first VPN protocol to be supported by Microsoft's dial-up networking. All Windows releases are now bundled with PPTP, but they are limited to 2 concurrent outbound connections. Beginning with Windows Mobile 2003, PPTP is supported by the various mobile devices.
PPTP works on a client-server model. The client is included with Windows by default, and clients are also available for Linux and Mac. PPTP is a popular network protocol, often the choice of many and especially popular with Windows; because it tunnels PPP frames, it operates at Layer 2 of the OSI model. PPTP is best used for remote access applications.
Setting up PPTP is not difficult but
includes a number of steps.
Step 1: The PPTP client first obtains ordinary IP connectivity to the Internet, historically by dialing in to its ISP with PPP dial-up networking, today usually over an existing broadband or Wi-Fi connection.
Step 2: Over that IP connection, PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.
Once the VPN tunnel is established, PPTP supports two types of information flow:
- control messages for managing and eventually tearing down the VPN connection. Control messages pass directly between VPN client and server over the TCP port 1723 connection.
- data packets that pass through the tunnel, to or from the VPN client. These are PPP frames carried in GRE (IP protocol 47), so any firewall or NAT device in the path must pass GRE as well as TCP 1723, or the control connection will come up but no data will flow.
PPTP Control Connection
Once the
TCP connection is established in Step 2 above, PPTP utilizes a series of control
messages to maintain VPN connections. These messages are listed below.
| Number | Name | Description |
|---|---|---|
| 1 | StartControlConnectionRequest | Initiates setup of the VPN session; can be sent by either client or server. |
| 2 | StartControlConnectionReply | Sent in reply to the start connection request (1); contains a result code indicating success or failure of the setup operation, and also the protocol version number. |
| 3 | StopControlConnectionRequest | Request to close the control connection. |
| 4 | StopControlConnectionReply | Sent in reply to the stop connection request (3); contains a result code indicating success or failure of the close operation. |
| 5 | EchoRequest | Sent periodically by either client or server to "ping" the connection (keep alive). |
| 6 | EchoReply | Sent in response to the echo request (5) to keep the connection active. |
| 7 | OutgoingCallRequest | Request to create a VPN tunnel sent by the client. |
| 8 | OutgoingCallReply | Response to the call request (7); contains a unique identifier for that tunnel. |
| 9 | IncomingCallRequest | Request from a VPN client to receive an incoming call from the server. |
| 10 | IncomingCallReply | Response to the incoming call request (9), indicating whether the incoming call should be answered. |
| 11 | IncomingCallConnected | Response to the incoming call reply (10); provides additional call parameters to the VPN server. |
| 12 | CallClearRequest | Request to disconnect either an incoming or outgoing call, sent from the server to a client. |
| 13 | CallDisconnectNotify | Response to the disconnect request (12); sent back to the server. |
| 14 | WANErrorNotify | Notification periodically sent to the server of CRC, framing, hardware and buffer overruns, timeout and byte alignment errors. |
| 15 | SetLinkInfo | Notification of changes in the underlying PPP options. |
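The control messages in the table above, as an added example that is not code from the original page or from any PPTP implementation: a builder and parser for the RFC 2637 control-message header, the Start-Control-Connection-Request, and the Echo keep-alive pair, with the checks (magic cookie, length, known type) that a server, or an IDS watching TCP port 1723, applies before trusting a message. The host name and vendor strings are constructed.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1          # PPTP Message Type: 1 = control, 2 = management
PPTP_PROTOCOL_VERSION = 0x0100

CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def _header(length: int, ctrl_type: int) -> bytes:
    """Common 12-byte header: Length, Message Type, Magic Cookie, Control Type, Reserved0."""
    return struct.pack("!HHIHH", length, PPTP_CONTROL_MESSAGE, PPTP_MAGIC, ctrl_type, 0)


def build_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Start-Control-Connection-Request (type 1): always 156 bytes."""
    body = struct.pack("!HHIIHH", PPTP_PROTOCOL_VERSION, 0,
                       0x00000003,      # framing capabilities: async + sync
                       0x00000003,      # bearer capabilities: analog + digital
                       1,               # maximum channels
                       1)               # firmware revision
    body += hostname.ljust(64, b"\x00")[:64] + vendor.ljust(64, b"\x00")[:64]
    return _header(12 + len(body), 1) + body


def build_echo_request(identifier: int) -> bytes:
    return _header(16, 5) + struct.pack("!I", identifier)


def build_echo_reply(identifier: int, result: int = 1) -> bytes:
    """Echo-Reply (type 6): Identifier, Result Code (1 = OK), Error Code, Reserved1."""
    return _header(20, 6) + struct.pack("!IBBH", identifier, result, 0, 0)


def parse_control_message(data: bytes) -> dict:
    """Validate the header and decode the fields this example understands."""
    if len(data) < 12:
        raise ValueError("truncated header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie: not PPTP")
    if msg_type != PPTP_CONTROL_MESSAGE:
        raise ValueError("not a control message")
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    if ctrl_type not in CONTROL_TYPES:
        raise ValueError("unknown control type %d" % ctrl_type)
    msg = {"type": ctrl_type, "name": CONTROL_TYPES[ctrl_type]}
    body = data[12:]
    if ctrl_type == 1:
        if len(body) < 144:
            raise ValueError("truncated Start-Control-Connection-Request")
        version, _, framing, bearer, max_channels, firmware = struct.unpack("!HHIIHH", body[:16])
        msg.update(version=version, framing=framing, bearer=bearer, max_channels=max_channels,
                   firmware=firmware, hostname=body[16:80].rstrip(b"\x00"),
                   vendor=body[80:144].rstrip(b"\x00"))
    elif ctrl_type in (5, 6):
        msg["identifier"] = struct.unpack("!I", body[:4])[0]
    return msg


def message_name(data: bytes):
    """Name of a valid control message, or None for anything failing the header checks."""
    try:
        return parse_control_message(data)["name"]
    except ValueError:
        return None


def handle(data: bytes):
    """Server-side dispatch: answer an Echo-Request with an Echo-Reply carrying its identifier."""
    msg = parse_control_message(data)
    if msg["type"] == 5:
        return build_echo_reply(msg["identifier"])
    return None


if __name__ == "__main__":
    print(parse_control_message(build_sccrq(b"branch-gw", b"example")))
    print(parse_control_message(handle(build_echo_request(42))))
```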
PPTP was long the default choice for the small or home office network, or for connecting from a public, unsecured Wi-Fi hot spot, because it needs no extra software and no certificates. Before relying on it to protect traffic on such a hot spot, read the PPTP Security section below: the protocol's standard authentication has been broken.
One of the biggest advantages to using PPTP is that there is no requirement to deploy a public key infrastructure for authentication. Using EAP authentication, rather than a plain password scheme, increases the security of PPTP virtual private networks.
PPTP VPNs are supported by many firewall applications, as well as enterprise-level firewalls. Because a PPTP client is built into Windows, users can connect to a PPTP server without installing any client software. PPTP has proven to have a high level of reliability even though it is simple in design.
PPTP Security
PPTP supports authentication, encryption, and packet filtering. PPTP authentication uses PPP-based protocols like EAP, CHAP (in practice MS-CHAPv2), and PAP. PPTP supports packet filtering on VPN servers. Intermediate routers and other firewalls can also be configured to selectively filter PPTP traffic.
The practical weakness is the authentication. MS-CHAPv2 is vulnerable to offline attack: in 2012 it was shown that the user's NT password hash can be recovered from a captured MS-CHAPv2 exchange with a bounded amount of DES work, regardless of password strength. Since MPPE derives its RC4 keys from the same hash, an attacker who captures a PPTP session can decrypt it. Microsoft's advisory of that year recommends L2TP/IPsec, IKEv2 or SSTP instead, or, where PPTP must stay, authenticating with PEAP-MS-CHAPv2 so that the exchange is wrapped in TLS. PAP sends the password in the clear and should never be enabled.
Note: for more information on how to configure L2TP with IPsec, please refer to the following link: http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu