



               Virtual Private Network
                     Jibran Khan
                    11 May, 2011




 Virtual Private Network        Academics Research, VU Pakistan
Table of Contents

Executive Summary
Introduction
History
What problems were solved with Virtual Private Networks
Brief Explanation of Concepts related
   Tunneling
   Encapsulation
   Authentication
   Encryption
How a virtual private network works
Types of virtual private network
   Remote Access VPNs
   Site-to-site VPN
Advantages of Virtual Private Network
   Greater scalability
   Easy to add/remove users
   Reduced long-distance telecommunications costs
   Mobility
   Security
Disadvantages
   Understanding of security issues
   Unpredictable Internet traffic
   Difficult to accommodate products from different vendors
VPN components
Protocols
   IPsec (Internet Protocol Security)
   PPTP (point to point tunneling protocol)
   L2TP (layer2 Tunneling Protocol)
Security
   Encryption
   Authentication
   Intrusion detection firewalls
Windows XP VPN Configuration
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
   VPN Client Configuration
   ROUTER Configuration
Future of virtual private networks
References




Executive Summary

The purpose of this report is to provide knowledge about virtual private networks, their basic concepts
and their basic implementation. The virtual private network is an emerging concept, and many
enterprises are rapidly adopting it to secure their internal environment from the outside environment.
This report provides an in-depth analysis of virtual private networks in businesses and other
organizations that need to secure their data from the outside world.


Introduction

A virtual private network (VPN) is a secure way of connecting to a private local area network at a
remote location, using the Internet or any other insecure public network to transport the network
packets privately by means of encryption. Virtual private networks rely on two mechanisms:
authentication and encryption. Authentication verifies the identity of the connecting parties, and
encryption prevents unauthorized users from reading the private network packets. A VPN is a network
set up for use by a limited number of individuals, such as the employees of a company, operating over
a large area. The network typically uses encryption to keep information secure. A VPN enables one to
send data between two computers across a shared or public internetwork in a manner that has the
properties of a point-to-point private link.


The VPN can be used to send any kind of network traffic securely, including voice, video or data.


Virtual private networks are used by workers at remote offices to connect to the head office and to
share private data and network resources. A virtual private network also allows bypassing
public-network restrictions such as Internet web filtering and firewalls by using a technique called
tunneling.


A virtual private network bundles the data, secures it with cryptographic methods and sends it to
devices that are not on the same private network, keeping the data private as it passes through the
connecting nodes of a local or wide area network.


The act of configuring and creating a virtual private network is known as virtual private networking.




History

Until the end of the 1990s, networked computers were connected through expensive leased lines
and/or dial-up phone lines. Because a virtual private network uses the existing public network while
still providing security to the organization, virtual private networks greatly reduced the cost of
private networks.


Virtual private networks reduce network costs because they avoid the need for physical leased lines
that individually connect remote offices (or remote users) to a private intranet (internal network).
Users can exchange private data securely, making the expensive leased lines unnecessary.


What problems were solved with Virtual Private Networks?

With virtual private networks the cost of leased lines was reduced: before virtual private networks,
expensive leased lines were required to set up a private network.


Virtual private networks allow you to extend your offices across large geographical regions.


Through virtual private networks you can authenticate your users by requiring a user name and
password.


Encryption is used in virtual private networks to prevent access to your confidential data. You can
also monitor access to your insecure network applications.


Brief Explanation of Concepts related

Tunneling

Tunneling, also known as "port forwarding," is the transmission of data intended for use only within a
private, usually corporate, network through a public network in such a way that the routing nodes in
the public network are unaware that the transmission is part of a private network. Typically a VPN
consists of a set of point-to-point connections tunnelled over the Internet. Within the VPN each
point-to-point connection is seen as an unrouted connection.



Encapsulation

In order to achieve tunnelling, the packets, with their to and from addresses, port numbers and other
standard protocol headers, are encapsulated as the payload of the packets seen by the external routers
carrying the connection.


This is similar conceptually to a stamped and addressed conventional mail envelope being placed
inside another with more expensive postage and a different address. Packet headers seen externally
will carry the addresses of the VPN endpoints and the port numbers used by the VPN client and server
software.


Authentication

A digital signing scheme is typically used to enable verification of the VPN principals. Note that both
the client and the server need to authenticate each other. Message authentication codes, hashes or
checksums are typically used to authenticate message contents.


Encryption
To protect the privacy of the connection from external snooping, the payload of the packets visible
externally will be encrypted. To enable routing over conventional networks, the packet headers of the
encapsulating packets are not encrypted, but the packet headers of the encapsulated packets are
encrypted along with their contents.




How a virtual private network works

Figure 1 Sending data through the VPN tunnel: a tunnel establishes a secure connection between two
private networks over a public medium like the Internet. (Figure labels: Secure VPN Tunnel, Intranet,
Server.)


Types of Virtual Private Network

The following are the types of virtual private networks:
- Remote access VPNs
- Site-to-site VPNs
  - Intranet VPNs
  - Extranet VPNs



Remote Access VPNs

Remote access VPNs extend almost any data, voice, or video application to the remote desktop,
emulating the main office desktop. With this type of VPN you can provide highly secure, customizable
remote access to almost anyone, anytime, anywhere, from almost any device. Cisco remote access VPNs:

- create a remote user experience that emulates working on the main office desktop;
- deliver VPN access safely and easily to a wide range of users and devices;
- support a wide range of connectivity options, endpoints, and platforms to meet dynamic remote
  access needs.



A remote-access VPN allows individual users to establish secure connections with a remote computer
network. Those users can access the secure resources on that network as if they were directly plugged
in to the network's servers. An example of a company that needs a remote-access VPN is a large firm
with hundreds of salespeople in the field. Another name for this type of VPN is virtual private dial-
up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing
in to a server using an analog telephone system.




                                        Figure 2 Remote access VPN
Site-to-site VPN

Site-to-site VPNs provide an Internet-based WAN infrastructure that extends network resources to
branch offices, home offices, and business partner sites. All traffic between sites is encrypted using
the IPsec protocol, and the VPN integrates network features such as routing, quality of service, and
multicast support. Cisco site-to-site VPNs also offer:

- reliable and high-quality transport of complex, mission-critical traffic, such as voice and
  client-server applications;
- simplified provisioning and reduced operational tasks for network designs;
- integrated advanced network intelligence and routing for a wide range of network designs.


A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each
other over a public network such as the Internet. Site-to-site VPN extends the company's network,
making computer resources from one location available to employees at other locations. An example
of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices
around the world.




There are two types of site-to-site VPNs:

- Intranet-based: if a company has one or more remote locations that it wishes to join in a single
  private network, it can create an intranet VPN to connect each separate LAN to a single WAN.
- Extranet-based: when a company has a close relationship with another company (such as a partner,
  supplier or customer), it can build an extranet VPN that connects those companies' LANs. This
  extranet VPN allows the companies to work together in a secure, shared network environment while
  preventing access to their separate intranets.




                                          Figure 3 Site to site VPN

Advantages of Virtual Private Network


Greater scalability
Scalability means that if your business grows, your network can still provide the services needed to
fulfil the requirements of the users. You don't need to set up your network from scratch; you can
extend it easily as the business grows.


Easy to add/remove users
Thanks to this scalability you can easily add or remove users from the network.




Reduced long-distance telecommunications costs
In a virtual private network expensive leased lines are not required. It is set up on the public
network, and public networks are far less expensive than private leased lines.


Mobility
A virtual private network provides mobility. Employees can easily contact their head office when they
are in other geographical regions, and they can access their office computers from wherever they are.


Security
A virtual private network uses encryption to protect the data from intruders.

Disadvantages

Understanding of security issues
To deploy a virtual private network you need additional knowledge of security mechanisms such as
cryptography and authorization.


Unpredictable Internet traffic
A virtual private network is implemented on a public network such as the Internet. The Internet is
accessible to anyone, and there is no central place from which it can be managed, so the traffic it
carries is unpredictable.


Difficult to accommodate products from different vendors
A virtual private network may include products from different vendors such as Juniper and Cisco. It
is very difficult to accommodate them in a single network because each vendor has its own standards.




VPN Components

There are three components of virtual private networks:
- Protocols
- Security
- Appliances

Protocols

IPsec (Internet Protocol Security)
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session. IPsec
also includes protocols for establishing mutual authentication between agents at the beginning of the
session and for negotiating the cryptographic keys to be used during the session. IPsec can be used in
a host-to-host transport mode as well as in a network tunnel mode. In transport mode only the payload
(the data to be transferred) of the packet is encrypted and authenticated, and the IP header is not
modified. In tunnel mode the entire IP packet is encrypted and authenticated and then encapsulated
into a new IP packet; this mode is used for host-to-network communication.
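The encapsulation and encryption described in the concepts section, and the transport versus tunnel mode distinction above, as an added Python example that is not part of the original report: it builds a packet from the report's LAN (10.10.10.0/24) to a VPN client pool address and wraps it ESP-style in both modes, showing which addresses remain visible on the outside. The keys, the HMAC-SHA256 counter-mode keystream standing in for ESP's block cipher, and the client public address 203.0.113.10 are constructed for the example; 172.16.1.1 is the outside interface of the report's router.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed sample keys (not from the report); real IPsec derives these during IKE Phase 2.
ENC_KEY = b"constructed-encryption-key-0001"
AUTH_KEY = b"constructed-integrity-key--0002"
PROTO_TCP, PROTO_IPIP, PROTO_ESP = 6, 4, 50
IV_LEN, ICV_LEN = 8, 16

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a packet with a 20-byte header."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(s), socket.inet_ntoa(d), proto, pkt[20:total]

def keystream(iv, n):
    """HMAC-SHA256 in counter mode, standing in for ESP's block cipher (esp-3des in the report)."""
    blocks = [hmac.new(ENC_KEY, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def esp_protect(plaintext, next_header):
    """ESP-style payload: IV || E(plaintext || next_header) || ICV over IV and ciphertext."""
    iv = os.urandom(IV_LEN)
    body = plaintext + bytes([next_header])
    ct = bytes(p ^ k for p, k in zip(body, keystream(iv, len(body))))
    icv = hmac.new(AUTH_KEY, iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    return iv + ct + icv

def esp_unprotect(esp):
    """Verify the ICV (constant time) before decrypting; return (plaintext, next_header) or None."""
    if len(esp) < IV_LEN + ICV_LEN + 1:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                      # tampered or wrong key: drop, never decrypt
    iv, ct = body[:IV_LEN], body[IV_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, keystream(iv, len(ct))))
    return pt[:-1], pt[-1]

def transport_mode(pkt):
    """Transport mode: the original header stays (addresses visible), only the payload is protected."""
    src, dst, proto, payload = parse_ipv4(pkt)
    esp = esp_protect(payload, proto)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp

def tunnel_mode(pkt, gw_src, gw_dst):
    """Tunnel mode: the whole inner packet, header included, becomes the protected payload
    of a new packet addressed between the VPN endpoints."""
    esp = esp_protect(pkt, PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp

def tunnel_decapsulate(outer):
    """Receiving endpoint: strip the outer header, verify and decrypt, return the inner packet or None."""
    _, _, proto, esp = parse_ipv4(outer)
    if proto != PROTO_ESP:
        return None
    result = esp_unprotect(esp)
    return result[0] if result and result[1] == PROTO_IPIP else None

def demo():
    """Inner packet from the report's LAN (10.10.10.0/24) to a VPN client pool address (192.168.1.1),
    tunnelled between the router's outside interface and a constructed client address."""
    inner = ipv4_header("10.10.10.5", "192.168.1.1", PROTO_TCP, 5) + b"hello"
    outer = tunnel_mode(inner, "172.16.1.1", "203.0.113.10")
    print("outer header shows only:", parse_ipv4(outer)[:2])
    print("inner packet recovered :", tunnel_decapsulate(outer) == inner)
    return inner, outer

if __name__ == "__main__":
    demo()
```

The verify-then-decrypt order in esp_unprotect is the one ESP itself requires; the report's transform set (esp-3des esp-md5-hmac) and Phase 1 policy (3DES, group 2) are legacy choices that current IOS releases replace with AES, SHA-2 and larger DH groups.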



PPTP (point to point tunneling protocol)
The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private
networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. PPTP
uses voluntary tunneling: a discrete PPP connection is created from the client computer to the PPTP
server without the network access server (NAS) participating in PPTP, and the tunnel is created at
the user's request.



L2TP (layer2 Tunneling Protocol)

The Layer 2 Tunneling Protocol (L2TP) operates at the data link layer. It is a tunneling protocol
used to support virtual private networks (VPNs). It does not provide any encryption or
confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to
provide privacy. It uses the compulsory tunneling method, in which the tunnel is created without the
user's request.




Security

Encryption
Encryption is the process of scrambling and unscrambling data for security purposes. The scrambled
text is called cipher text and the unscrambled text is called clear text.


Authentication
Authentication determines whether the sender is the authorized person and whether the data has been
redirected or corrupted. Authentication includes both user and system authentication.

Appliances

Intrusion detection firewalls
An intrusion detection firewall monitors traffic crossing the network perimeter and protects the
enterprise from unauthorized access. There are two types of firewall: packet-level firewalls and
application-level firewalls. A packet-level firewall checks source and destination addresses. An
application-level firewall acts as a host computer between the organization's network and the
Internet.




Windows XP VPN Configuration

Figure 4.1 Windows XP VPN Configuration
Figure 4.2
Figure 4.3 Windows XP VPN Configuration
Figure 4.4 Windows XP VPN Configuration
Figure 4.5 Windows XP VPN Configuration
Figure 4.6 Windows XP VPN Configuration
Figure 4.7 Windows XP VPN Configuration
Figure 4.8 Windows XP VPN Configuration
Figure 4.9 Windows XP VPN Configuration

Router Allows VPN Clients to Connect IPsec and Internet
Using Split Tunneling Configuration Example




                              Figure 5 Router Topology




ROUTER Configuration

VPN#show run
Building configuration...

Current configuration : 2170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!

!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.


aaa new-model
!

!--- In order to enable Xauth for user authentication,
!--- enable the aaa authentication commands.


aaa authentication login userauthen local


!--- In order to enable group authorization, enable
!--- the aaa authorization commands.

aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!

!--- For local authentication of the IPsec user,
!--- create the user with a password.


username user password 0 cisco
!
!
!

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.



crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2


!--- Create a group that is used to specify the
!--- WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication. ACL 101 is used for
!--- split tunneling at the VPN Client end.


crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!

!--- Create the Phase 2 Policy for actual data encryption.



crypto ipsec transform-set myset esp-3des esp-md5-hmac
!


!--- Create a dynamic map and apply
!--- the transform set that was created earlier.


crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route



       Virtual Private Network                       Academics Research, VU Pakistan
!


!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.


crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 half-duplex
 ip nat inside


!--- Apply the crypto map on the outbound interface.


interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Serial2/0
 no ip address
!
interface Serial2/1
 no ip address
 shutdown
!
interface Serial2/2
 no ip address
 shutdown
!
interface Serial2/3
 no ip address
 shutdown

!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.


!
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.


ip nat inside source list 111 interface FastEthernet1/0 overload
!

!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.


access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any



!--- Configure the interesting traffic to be encrypted from the VPN Client
!--- to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

control-plane
!
line con 0
line aux 0
line vty 0 4
end

VPN Client Configuration

Complete these steps in order to configure the VPN Client 4.8.

1. Choose Start > Programs > Cisco Systems VPN Client > VPN Client.
2. Click New in order to launch the Create New VPN Connection Entry window.

   Figure 6

3. Enter the name of the Connection Entry along with a description, enter the outside IP address
   of the router in the Host box, and enter the VPN Group name and password. Click Save.

   Figure 7

4. Click on the connection you would like to use and click Connect from the VPN Client main
   window.

   Figure 8

5. When prompted, enter the Username and Password information for Xauth and click OK in
   order to connect to the remote network.

   Figure 9

6. The VPN Client connects to the router at the central site.

   Figure 10

7. Choose Status > Statistics in order to check the tunnel statistics of the VPN Client.

   Figure 11

8. Go to the Route Details tab in order to see the routes that the VPN Client secures to the
   router.

   In this example, the VPN Client secures access to 10.10.10.0/24 while all other traffic is not
   encrypted and not sent across the tunnel. The secured network is downloaded from ACL 101,
   which is configured in the central site router.




                                          Figure 12
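How the router's two access lists decide what is encrypted and what is NATed, covering the ACL 101 and ACL 111 comments in the router configuration and the split-tunneling note in step 8, as an added Python example that is not part of the report or of Cisco's configuration guide: it implements Cisco wildcard-mask matching and first-match ACL evaluation over the report's two access lists and applies them in the order IOS does for inside-to-outside traffic (NAT before the crypto map check), which is why the deny line in ACL 111 is needed. The public address 203.0.113.10 and the second ACL set with the NAT exemption line removed are constructed for comparison.

```python
import ipaddress

OUTSIDE_ADDR = "172.16.1.1"   # FastEthernet1/0 on the report's router, used for PAT

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>'; each side is 'any' or 'net wildcard'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    number, action, rest = tok[1], tok[2], tok[4:]
    sides = []
    for _ in range(2):
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            sides.append((rest[0], rest[1]))
            rest = rest[2:]
    return number, action, sides[0], sides[1]

def load_acls(lines):
    """Group entries by ACL number, keeping configuration order (it matters)."""
    acls = {}
    for line in lines:
        number, action, src, dst = parse_ace(line)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def evaluate(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (snet, swc), (dnet, dwc) in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

def forward(src, dst, acls):
    """Inside-to-outside packet on the router. IOS applies NAT before the crypto map
    check, so the crypto ACL sees the post-NAT source address.
    Returns (treatment, source address on the wire)."""
    if evaluate(acls["111"], src, dst) == "permit":
        src = OUTSIDE_ADDR                     # PAT overload onto FastEthernet1/0
    if evaluate(acls["101"], src, dst) == "permit":
        return "encrypted", src                # matches the crypto map, goes into the tunnel
    return "cleartext", src                    # plain routed packet

def client_uses_tunnel(dst, acls):
    """The VPN Client mirrors ACL 101: destinations in its source range are secured,
    everything else leaves the client unencrypted (split tunneling)."""
    return any(action == "permit" and wildcard_match(dst, snet, swc)
               for action, (snet, swc), _ in acls["101"])

# The two access lists exactly as they appear in the report's router configuration.
ROUTER_ACLS = load_acls([
    "access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 111 permit ip any any",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
])
# Constructed for comparison: the same router without the NAT exemption (deny) line.
NO_EXEMPTION_ACLS = load_acls([
    "access-list 111 permit ip any any",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for name, acls in (("as configured", ROUTER_ACLS), ("without exemption", NO_EXEMPTION_ACLS)):
        print(name, "LAN -> VPN client:", forward("10.10.10.5", "192.168.1.1", acls))
        print(name, "LAN -> Internet:  ", forward("10.10.10.5", "203.0.113.10", acls))
```

Without the deny line, traffic for the client pool is translated to 172.16.1.1 first, no longer matches ACL 101, and leaves the router unencrypted; the same ordering is why the exemption must precede the permit any any entry.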



Future of Virtual Private Networks
Virtual private networks have been growing in popularity. They save money and improve access for
employees. Many corporations have also adopted VPNs as a security solution for private Wi-Fi
wireless networks. Expect the gradual expansion in the use of VPN technology to continue in the
coming years.




References
http://computer.howstuffworks.com/vpn.htm

http://en.wikipedia.org/wiki/Virtual_private_network

http://en.wikipedia.org/wiki/L2TP

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml#diag

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml

http://www.cs.fsu.edu/~breno/CIS-5357/lecture_slides/class12.ppt.htm

http://www.starlancs.com/EducateMe/educate_vpn.html

http://www.cisco.com



