Friday, January 4, 2013

VPN (Virtual Private Network)
The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country, or even around the world. But there is one thing that all companies need: a way to maintain fast, secure, and reliable communications wherever their offices are located.
Until recently, reliable communication has meant the use of leased lines to maintain a wide-area network (WAN). Leased lines, ranging from Integrated Services Digital Network (ISDN, which runs at 144 Kbps) to Optical Carrier-3 (OC3, which runs at 155 Mbps) fiber, provide a company with a way to expand their private network beyond their immediate geographic area. A WAN has obvious advantages over a public network like the Internet when it comes to reliability, performance, and security; but maintaining a WAN, particularly when using leased lines, can become quite expensive (it often rises in cost as the distance between the offices increases). Additionally, leased lines are not a viable solution for organizations where part of the work force is highly mobile (as is the case with the marketing staff) and might frequently need to connect to the corporate network remotely and access sensitive data.
As the popularity of the Internet has grown, businesses have turned to it as a means of extending their own networks. First came intranets, which are sites designed for use only by company employees. Now, many companies create their own Virtual Private Networks (VPNs) to accommodate the needs of remote employees and distant offices. 
A typical VPN might have a main local-area network (LAN) at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users that connect from out in the field.
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection, such as leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
Analogy: Each LAN is an Island
Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The common means of travel between islands is via ferry. Traveling on the ferry means that you have almost no privacy: Other people can see everything you do.
Let's say that each island represents a private local area network (LAN) and the ocean is the Internet. Traveling by ferry is like connecting to a Web server or other device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you're trying to connect two private networks using a public resource.
Continuing with our analogy, your island decides to build a bridge to another island so that people have an easier, more secure and direct way to travel between the two islands. It is expensive to build and maintain the bridge, even if the islands are close together. However, the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to yet another island that is much farther away, but decides that the costs are simply too much to bear.
This scenario represents having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet are able to connect the islands (LANs). Companies who choose this option do so because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high -- just like trying to build a bridge that spans a great distance.
So how does a VPN fit in? Using our analogy, suppose each inhabitant on your island has a small submarine. Let's assume that each submarine has these amazing properties:
  • It's fast.
  • It's easy to take with you wherever you go.
  • It's able to completely hide you from any other boats or submarines.
  • It's dependable.
  • It costs little to add additional submarines to your fleet once you've purchased the first one.
Although they're traveling in the ocean along with other traffic, the people could travel between islands whenever they wanted to with privacy and security. That's essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much more easily than a leased line. In fact, scalability is a major advantage that VPNs have over leased lines. Moreover, the distance doesn't matter, because VPNs can easily connect multiple geographic locations worldwide.
Next, we'll look at what constitutes a good VPN, including its benefits and features.
What Makes a VPN?
A VPN's purpose is providing a secure and reliable private connection between computer networks over an existing public network, typically the Internet. Before looking at the technology that makes a VPN possible, let's consider all the benefits and features a business should expect in a VPN.
A well-designed VPN provides a business with the following benefits:
  • Extended connections across multiple geographic locations without using a leased line
  • Improved security for exchanging data
  • Flexibility for remote offices and employees to use the business intranet over an existing Internet connection as if they're directly connected to the network
  • Savings in time and expense for employees to commute if they work from virtual workplaces
  • Improved productivity for remote employees
A business might not require all these benefits from its VPN, but it should demand the following essential VPN features:
  • Security -- The VPN should protect data while it's traveling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
  • Reliability -- Employees and remote offices should be able to connect to the VPN with no trouble at any time (unless hours are restricted), and the VPN should provide the same quality of connection for each user even when it is handling its maximum number of simultaneous connections.
  • Scalability -- As a business grows, it should be able to extend its VPN services to handle that growth without replacing the VPN technology altogether.
One interesting thing to note about VPNs is that there are no standards about how to set them up. If you're establishing your own VPN, though, it's up to you to decide which protocols and components to use and to understand how they work together.

Equipment Used in a VPN

While a VPN can be configured on generic computer equipment such as standard servers, most businesses opt for dedicated equipment optimized for the VPN and general network security. A small company might have all of its VPN equipment on site or, as mentioned earlier, might outsource its VPN services to an enterprise service provider. A larger company with branch offices might choose to co-locate some of its VPN equipment, meaning that it will set up that equipment in a co-location facility (or colo). A colo is a large data center that rents space to businesses that need to set up servers and other network equipment on a very fast, highly reliable Internet connection.
As mentioned earlier, there is no standard that all VPNs follow in terms of their setup. When planning or extending a VPN, though, you should consider the following equipment:
Network access server -- A NAS is responsible for setting up and maintaining each tunnel in a remote-access VPN.
Firewall -- A firewall provides a strong barrier between your private network and the Internet. IT staff can set firewalls to restrict what type of traffic can pass through from the Internet onto a LAN, and on what TCP and UDP ports. Even without a VPN, a LAN should include a firewall to help protect against malicious Internet traffic.
AAA Server -- The acronym stands for the server's three responsibilities: authentication, authorization and accounting. For each VPN connection, the AAA server confirms who you are (authentication), identifies what you're allowed to access over the connection (authorization) and tracks what you do while you're logged in (accounting).
One widely used standard for AAA servers is Remote Authentication Dial-in User Service (RADIUS). Despite its name, RADIUS isn't just for dial-up users. When a RADIUS server is part of a VPN, it handles authentication for all connections coming through the VPN's NAS.
VPN components can run alongside other software on a shared server, but this is not typical, and it could put the security and reliability of the VPN at risk. A small business that isn't outsourcing its VPN services might deploy firewall and RADIUS software on generic servers. However, as a business's VPN needs increase, so does its need for equipment that's optimized for the VPN. The following are dedicated VPN devices a business can add to its network. You can purchase these devices from companies that produce network equipment:
VPN Concentrator -- This device replaces an AAA server installed on a generic server. The hardware and software work together to establish VPN tunnels and handle large numbers of simultaneous connections.
VPN-enabled/VPN-optimized Router -- This is a typical router that delegates traffic on a network, but with the added feature of routing traffic using protocols specific to VPNs.
VPN-enabled Firewall -- This is a conventional firewall protecting traffic between networks, but with the added feature of managing traffic using protocols specific to VPNs.
VPN Client -- This is software running on a dedicated device that acts as the tunnel interface for multiple connections. This setup spares each computer from having to run its own VPN client software.

Types of VPNs:

a) Remote-access VPN

A remote-access VPN allows individual users to establish secure connections with a remote computer network. Those users can access the secure resources on that network as if they were directly plugged in to the network's servers. An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.
There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). (Note: IT professionals also use NAS to mean network-attached storage.) A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the Internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The other required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address. The software also manages the encryption required to keep the connection secure. You can read more about tunneling and encryption later in this article.
Large corporations or businesses with knowledgeable IT staff typically purchase, deploy and maintain their own remote-access VPNs. Businesses can also choose to outsource their remote-access VPN services through an enterprise service provider (ESP). The ESP sets up a NAS for the business and keeps that NAS running smoothly.

A remote-access VPN is great for individual employees, but what about entire branch offices with dozens or even hundreds of employees? Next, we'll look at another type of VPN used to keep businesses connected LAN-to-LAN. 
b) Site-to-site VPN

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it could use some of the same software and equipment. Ideally, though, a site-to-site VPN should eliminate the need for each computer to run VPN client software as if it were on a remote-access VPN. Dedicated VPN client equipment, described in the equipment section above, can accomplish this goal in a site-to-site VPN.
Encryption and Security Protocols in a VPN
Now we know the two types of VPNs, let's look at how data is kept secure as it travels across a VPN.
Encryption is the process of encoding data so that only a computer with the right decoder will be able to read and use it. You could use encryption to protect files on your computer or e-mails you send to friends or colleagues. An encryption key tells the computer what computations to perform on data in order to encrypt or decrypt it. The most common forms of encryption are symmetric-key encryption or public-key encryption:
In symmetric-key encryption, all computers (or users) share the same key used to both encrypt and decrypt a message.
In public-key encryption, each computer (or user) has a public-private key pair. One computer uses its private key to encrypt a message, and another computer uses the corresponding public key to decrypt that message.
Tunneling is the process of placing an entire packet within another packet before it's transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.
This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, can encapsulate outgoing packets and reopen incoming packets. Users (at one end of the tunnel) and IT personnel (at one or both ends of the tunnel) configure the tunnel interfaces they're responsible for to use a tunneling protocol. Also called an encapsulation protocol, a tunneling protocol is a standardized way to encapsulate packets. VPNs use several different tunneling protocols.
A well-designed VPN uses several methods in order to keep your connection and data secure.
  • Data Confidentiality -- This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
Most VPNs use one of these protocols to provide encryption:
    o IPsec -- Internet Protocol Security Protocol (IPsec) provides enhanced security features such as stronger encryption algorithms and more comprehensive authentication. IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of this protocol. Also, all devices must use a common key or certificate and must have very similar security policies set up.
For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user's PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.
    o PPTP/MPPE -- PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
    o L2TP/IPsec -- Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). L2TP is the product of a partnership between the members of the PPTP Forum, Cisco, and the Internet Engineering Task Force (IETF). It is primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client. Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access point and the remote office network server.
  • Data Integrity -- While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
  • Data Origin Authentication -- It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
  • Anti-Replay -- This is the ability to detect and reject replayed packets, and it helps prevent spoofing.
  • Data Tunneling/Traffic Flow Confidentiality -- Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional header and decrypts the original header. Traffic flow confidentiality is the service that addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPsec context, using ESP in tunnel mode, especially at a security gateway, can provide some level of traffic flow confidentiality.
All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data across the public network. It is important to realize that tunneling, by itself, does not provide data security. The original packet is merely encapsulated inside another protocol and might still be visible with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part of how VPNs function.
Tunneling requires three different protocols:
    o Passenger protocol -- The original data (IPX, NetBEUI, IP) that is carried.
    o Encapsulating protocol -- The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
    o Carrier protocol -- The protocol used by the network over which the information is traveling.
The original packet (passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBEUI, which would normally not be transferred across the Internet, can safely and securely be transmitted.
For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what type of packet you are encapsulating and information about the connection between the client and server.
For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco's Layer 2 Forwarding (L2F).
  • AAA -- Authentication, authorization, and accounting is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication, however, a valid username and password also have to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication against numerous other databases such as Windows NT, Novell, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:
    o Who you are (Authentication)
    o What you are allowed to do (Authorization)
    o What you actually do (Accounting)
The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
  • Nonrepudiation -- In certain data transfers, especially those related to financial transactions, nonrepudiation is a highly desirable feature. This is helpful in preventing situations where one end denies having taken part in a transaction. Much like a bank requires your signature before honoring your check, nonrepudiation works by attaching a digital signature to the sent message, thus precluding the possibility of the sender denying participation in the transaction.
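The passenger / encapsulating / carrier layering, and the point that a tunnel alone leaves the passenger readable, can be seen with plain GRE over IPv4. This is an added example, not code from the original post: it builds a constructed private-address passenger packet, wraps it in a GRE header (encapsulating) and an IPv4 header with protocol 47 (carrier), then unwraps it again with the header checks a receiver would apply; no packets are sent on the wire.

```python
"""GRE (IP protocol 47) encapsulation of an IPv4 passenger, with constructed packets only."""
import socket
import struct

GRE_IP_PROTO = 47          # carrier IPv4 header says "the payload is GRE"
GRE_PROTO_IPV4 = 0x0800    # GRE protocol-type field says "the passenger is IPv4"
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def sample_passenger() -> bytes:
    """Constructed passenger: a private-address IPv4 datagram carrying UDP (checksum 0 = none)."""
    data = b"constructed secret payload"
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(data), 0) + data
    return ipv4_header("10.0.0.5", "10.0.1.7", 17, len(udp)) + udp


def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header (C=0, version 0) + the unchanged passenger."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    carrier = ipv4_header(outer_src, outer_dst, GRE_IP_PROTO, len(gre) + len(passenger))
    return carrier + gre + passenger


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate carrier and GRE headers and return the passenger, or raise ValueError."""
    if len(packet) < 24:
        raise ValueError("truncated packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("not a usable IPv4 carrier")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("carrier IPv4 checksum mismatch")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if total_len > len(packet):
        raise ValueError("Total Length exceeds buffer")
    if proto != GRE_IP_PROTO:
        raise ValueError("carrier does not contain GRE (protocol %d)" % proto)
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    hdr_len = 4 + (4 if flags_ver & 0x8000 else 0)   # C bit adds a checksum/reserved word
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger type 0x%04x" % ptype)
    return packet[ihl + hdr_len:total_len]


def is_valid_gre(packet: bytes) -> bool:
    """True only when the packet decapsulates cleanly (handy for tests and capture triage)."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def passenger_in_clear(packet: bytes, marker: bytes) -> bool:
    """True when the passenger bytes can be read straight out of the carrier packet, which is
    exactly the situation when a tunnel is used without encryption."""
    return marker in packet
```

Run the same check against an ESP tunnel-mode capture and `passenger_in_clear` returns False, because the passenger sits inside the encrypted ESP payload rather than behind a 4-byte GRE header.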
IPsec VPN:
The IP Security (IPsec) protocol provides a framework for configuring secure VPNs and is commonly deployed over the Internet to connect branch offices, remote employees, and business partners. It is a reliable way to maintain communication privacy while streamlining operations, reducing costs, and allowing flexible network administration.
IPsec VPN negotiation can be broken down into five steps:
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that is defined in the crypto access control list (ACL).
Step 2. Router1 and Router2 negotiate a Security Association (SA) used to form an IKE Phase 1 tunnel, which is also known as an ISAKMP tunnel.
Step 3. Within the protection of the IKE Phase 1 tunnel, an IKE Phase 2 tunnel is negotiated and set up. An IKE Phase 2 tunnel is also known as an IPsec tunnel.
Step 4. After the IPsec tunnel is established, interesting traffic flows through the protected IPsec tunnel.
Step 5. After no interesting traffic has been seen for a specified amount of time, or if the IPsec SA is deleted, the IPsec tunnel is torn down.
A site-to-site VPN uses the Internet or another shared environment as its transport, so security is the primary concern, and this is what IPsec provides. IPsec operates at Layer 3 of the OSI model (the Network layer) and is independent of the applications, which means that applications don't require any modifications to use IPsec.
IPsec Modes
IPsec uses two modes to establish a secure communication channel between network nodes: Transport mode and Tunnel mode. The two modes differ in which parts of the IP headers and payloads are kept confidential. In Transport mode, security is provided only for the transport layer and above, while Tunnel mode encapsulates the original IP header and creates a new IP header that is sent unencrypted across the untrusted network. We will not go deeper into these modes, to keep this tutorial simple.
IPsec Transforms
IPsec delivers data confidentiality services by executing a “transform” on plain text data into a block of ciphertext. Common ciphers used in the IPsec transforms are DES, 3DES, and AES. 3DES and AES are considered to be stronger encryption ciphers than DES, as they use longer encryption keys (128-bit key for 3DES and 256-bit key for AES).
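The Data Integrity, Data Origin Authentication and Anti-Replay services listed earlier are enforced per IPsec SA by the receiver, in a fixed order: window pre-check, integrity check, then window update. The following is an added example (not the page's or any vendor's code) of that receiver logic, with a constructed key, a truncated HMAC-SHA256 standing in for the ESP integrity check value, and an 8-slot window so the sliding behaviour is visible in a short run.

```python
"""IPsec-style anti-replay window plus integrity check, with constructed traffic."""
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 used as the ICV in this demo (constructed choice)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number (4 bytes) || payload || ICV over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class AntiReplayWindow:
    """Sliding window over received sequence numbers in the style of RFC 4303 (default 64 wide)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already accepted

    def classify(self, seq: int) -> str:
        """'new', 'replay' or 'stale'; never updates state (that waits for the ICV check)."""
        if seq == 0:
            return "stale"              # sequence numbers start at 1
        if seq > self.top:
            return "new"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"              # fell off the left edge of the window
        return "replay" if self.bitmap & (1 << diff) else "new"

    def mark(self, seq: int) -> None:
        """Record an accepted sequence number, sliding the window forward when seq > top."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window: AntiReplayWindow, key: bytes, packet: bytes) -> str:
    """Receiver side: cheap window check first, then ICV, then (and only then) window update."""
    if len(packet) < 4 + TAG_LEN:
        return "malformed"
    seq = struct.unpack("!I", packet[:4])[0]
    verdict = window.classify(seq)
    if verdict != "new":
        return verdict                  # dropped before any MAC work is spent on it
    body, icv = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad_icv"                # forged or corrupted: the window must not move
    window.mark(seq)
    return "accepted"


def simulate() -> list:
    """Constructed run: in-order, out-of-order, a replay, a forgery, a jump, then a stale packet."""
    key = b"constructed-demo-key"
    window = AntiReplayWindow(size=8)
    pkts = {n: protect(key, n, b"data%d" % n) for n in (1, 2, 3, 4, 5, 20)}
    log = [(n, receive(window, key, pkts[n])) for n in (1, 2, 3, 5, 4)]
    log.append((3, receive(window, key, pkts[3])))                  # replayed copy of 3
    log.append((6, receive(window, key, protect(b"wrong-key", 6, b"data6"))))  # forgery
    log.append((20, receive(window, key, pkts[20])))                # window slides to 20
    log.append((4, receive(window, key, pkts[4])))                  # now older than the window
    return log
```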
PPTP VPN:
PPTP stands for Point-to-Point Tunneling Protocol and is one of several methods to implement virtual private networks (VPNs). PPTP uses a control channel over TCP together with a Generic Routing Encapsulation (GRE) tunnel to encapsulate Point-to-Point Protocol (PPP) packets.
The security functionality relies on the PPP protocol, as PPTP itself does not provide the encryption or authentication needed for security. PPTP was the first protocol to be supported by Microsoft's dial-up networking. All Windows releases are now bundled with PPTP, but they are limited to two concurrent outbound connections. Beginning with Windows Mobile 2003, PPTP is supported on various mobile devices.
PPTP works on the client-server model, with client support built into Microsoft Windows by default and available for Linux and Mac. PPTP is a popular network protocol, often the choice of many and especially popular with Windows, and it operates at Layer 2 of the OSI model. PPTP is best used for remote-access applications.
Setting up PPTP is not difficult, but it includes a number of steps.
Step 1: The PPTP client connects to its ISP using PPP dial-up networking.
Step 2: PPTP then creates a TCP control connection between the VPN client and the VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.
Once the VPN tunnel is established, PPTP supports two types of information flow:
  • Control messages for managing and eventually tearing down the VPN connection. Control messages pass directly between the VPN client and server.
  • Data packets that pass through the tunnel, to or from the VPN client.
PPTP Control Connection

Once the TCP connection is established in Step 2 above, PPTP utilizes a series of control messages to maintain VPN connections. These messages are listed below (number, name, description).
1  StartControlConnectionRequest -- Initiates setup of the VPN session; can be sent by either client or server.
2  StartControlConnectionReply -- Sent in reply to the start connection request (1); contains a result code indicating success or failure of the setup operation, and also the protocol version number.
3  StopControlConnectionRequest -- Request to close the control connection.
4  StopControlConnectionReply -- Sent in reply to the stop connection request (3); contains a result code indicating success or failure of the close operation.
5  EchoRequest -- Sent periodically by either client or server to "ping" the connection (keep-alive).
6  EchoReply -- Sent in response to the echo request (5) to keep the connection active.
7  OutgoingCallRequest -- Request to create a VPN tunnel, sent by the client.
8  OutgoingCallReply -- Response to the call request (7); contains a unique identifier for that tunnel.
9  IncomingCallRequest -- Request from a VPN client to receive an incoming call from the server.
10 IncomingCallReply -- Response to the incoming call request (9), indicating whether the incoming call should be answered.
11 IncomingCallConnected -- Response to the incoming call reply (10); provides additional call parameters to the VPN server.
12 CallClearRequest -- Request to disconnect either an incoming or outgoing call, sent from the server to a client.
13 CallDisconnectNotify -- Response to the disconnect request (12); sent back to the server.
14 WANErrorNotify -- Notification periodically sent to the server of CRC, framing, hardware and buffer overruns, timeout and byte alignment errors.
15 SetLinkInfo -- Notification of changes in the underlying PPP options.
With control messages, PPTP utilizes a so-called magic cookie. The PPTP magic cookie is hardwired to the hexadecimal number 0x1A2B3C4D. The purpose of this cookie is to ensure the receiver interprets the incoming data on the correct byte boundaries.
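The control-message table and the magic cookie above translate directly into a small parser. This is an added example, not code from the original post: it lays out the 12-byte common header from RFC 2637 (Length, PPTP Message Type, Magic Cookie 0x1A2B3C4D, Control Message Type, Reserved0) and the Start-Control-Connection-Request body, builds constructed messages, and walks a byte stream message by message, refusing to continue the moment the cookie does not match, which is the resynchronisation check the cookie exists for.

```python
"""Parser for PPTP control messages on the TCP 1723 control connection (RFC 2637 layout)."""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
PPTP_MESSAGE_CONTROL = 1                 # PPTP Message Type field: 1 = control, 2 = management
COMMON_HEADER = struct.Struct("!HHIHH")  # Length, Message Type, Magic Cookie, Control Type, Reserved0
# Start-Control-Connection-Request body: Protocol Version, Reserved1, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision, Host Name (64), Vendor String (64)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")

CONTROL_MESSAGE_NAMES = {
    1: "StartControlConnectionRequest", 2: "StartControlConnectionReply",
    3: "StopControlConnectionRequest", 4: "StopControlConnectionReply",
    5: "EchoRequest", 6: "EchoReply",
    7: "OutgoingCallRequest", 8: "OutgoingCallReply",
    9: "IncomingCallRequest", 10: "IncomingCallReply", 11: "IncomingCallConnected",
    12: "CallClearRequest", 13: "CallDisconnectNotify",
    14: "WANErrorNotify", 15: "SetLinkInfo",
}


def build_control_message(ctrl_type: int, body: bytes = b"") -> bytes:
    """Common header followed by the type-specific body; Length covers the whole message."""
    return COMMON_HEADER.pack(COMMON_HEADER.size + len(body), PPTP_MESSAGE_CONTROL,
                              MAGIC_COOKIE, ctrl_type, 0) + body


def build_sccrq(host_name: bytes, vendor: bytes) -> bytes:
    """Constructed Start-Control-Connection-Request (type 1) advertising protocol version 1.0."""
    body = SCCRQ_BODY.pack(0x0100, 0, 1, 1, 0, 0,
                           host_name[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))
    return build_control_message(1, body)


def parse_control_message(data: bytes) -> dict:
    """Decode one control message; raises ValueError on a framing or cookie problem."""
    if len(data) < COMMON_HEADER.size:
        raise ValueError("buffer shorter than the 12-byte common header")
    length, msg_type, cookie, ctrl_type, _reserved = COMMON_HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        # The cookie is how a receiver notices it is no longer on a message boundary.
        raise ValueError("bad magic cookie 0x%08X: stream out of sync or not PPTP" % cookie)
    if msg_type != PPTP_MESSAGE_CONTROL:
        raise ValueError("unsupported PPTP Message Type %d" % msg_type)
    if length < COMMON_HEADER.size or length > len(data):
        raise ValueError("Length field %d does not fit the buffer" % length)
    info = {"length": length, "type": ctrl_type,
            "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown(%d)" % ctrl_type)}
    if ctrl_type == 1 and length >= COMMON_HEADER.size + SCCRQ_BODY.size:
        version, _, framing, bearer, max_ch, fw, host, vendor = SCCRQ_BODY.unpack_from(
            data, COMMON_HEADER.size)
        info.update(version="%d.%d" % (version >> 8, version & 0xFF),
                    framing_caps=framing, bearer_caps=bearer, max_channels=max_ch,
                    firmware=fw,
                    host_name=host.split(b"\0", 1)[0].decode("ascii", "replace"),
                    vendor=vendor.split(b"\0", 1)[0].decode("ascii", "replace"))
    return info


def split_stream(stream: bytes) -> list:
    """Walk a TCP byte stream of back-to-back control messages using Length, re-checking the
    cookie at every boundary; returns the parsed messages in order."""
    messages, offset = [], 0
    while offset < len(stream):
        info = parse_control_message(stream[offset:])
        messages.append(info)
        offset += info["length"]
    return messages


def is_valid_control_message(data: bytes) -> bool:
    """Convenience check for monitoring or tests: True only if the message parses cleanly."""
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False
```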
PPTP is ideal for the small or home office network, or when logging onto the Internet by way of a public, unsecured Wi-Fi hot spot.
One of the biggest advantages of using PPTP is that there is no requirement to use a public key infrastructure for authentication. Utilizing EAP authentication increases the security of PPTP virtual private networks, and there can never be enough security.
PPTP VPNs are supported by many firewall applications, as well as enterprise-level firewalls. PPTP connections can be set up without installing client software, since PPTP is built into the Windows VPN platform. PPTP has proven to have a high level of reliability even though it seems simplistic in design.
PPTP Security
PPTP supports authentication, encryption, and packet filtering. PPTP authentication uses PPP-based protocols like EAP, CHAP, and PAP. PPTP supports packet filtering on VPN servers. Intermediate routers and other firewalls can also be configured to selectively filter PPTP traffic.
Note: for more information on how to configure L2TP over IPsec, refer to the following link: http://blog.riobard.com/2010/04/30/l2tp-over-ipsec-ubuntu
