Posted on: 2/2/2012
7 VPN – Virtual Private Network

7.1 Introduction

In the early days of wide area networks (WAN), sites were interconnected over leased lines, frame relay or dial-up connections, which were considered secure but carried heavy monthly rentals. It was very expensive to interconnect branch offices (and mobile and home workers) with the head office when they were located in different cities (trunk calls) or offshore. With the advancement of the Internet it became much cheaper to connect these offices, mobile users and home workers to the central office through the public Internet, which carries all forms of IP traffic over ISDN, ADSL, dial-up, cable, T1 and ATM connections. But the Internet is an open network (a public path), so privacy along it became an issue, and VPN (Virtual Private Network) was the technology suggested to overcome this. In simple terms a VPN is a virtual private channel (or path) within a public channel. A VPN includes authentication and encryption to protect data integrity and confidentiality.

7.2 VPN pros and cons

Pros:
- It allows branch offices, home workers, mobile users, customers and suppliers to be interconnected securely, increasing trustworthiness.
- It is much more cost effective than leased or privately owned lines.
- It is flexible, since it allows all forms of IP traffic.
- It is scalable, since sites can be added dynamically and bandwidth management scales with them.

Cons:
- Nothing comes free: users need to buy special devices (dedicated VPN servers, firewalls or routers with integrated VPN support, etc.). Even so, the cost is still 30-80% lower than leased connections.
- Considerable latency: VPN requires a lot of processing power, so client PCs can get slower, and networking devices cannot deliver wire-speed performance.
- Various policies have to be defined to guard against public network security issues, and these require effective management.
- Solutions from different vendors are still not fully interoperable.

Figure 7.1 – A simple VPN network

Best security through nature….
7.3 Technology

Most of the time a VPN is not a point-to-point connection (PC-to-PC); as you can see in the picture above (figure 7.1), it is mostly established between two VPN gateway devices. This connection is called a VPN tunnel, and it is established with the help of tunneling protocols like IPSec, PPTP, L2TP and SOCKS. These protocols emphasize authentication and encryption in VPN. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general public.

7.3.1 PPTP – Point-to-Point Tunneling Protocol

A protocol proposed by Microsoft and heavily used in industry due to Microsoft's domination. It is a layer-2 remote access protocol for dial-up connections which is an extension of PPP, and it allows multiple layer-3 protocols. This is a proprietary protocol and is not as strong as some of the other protocols.

7.3.2 IPSec – Internet Protocol Security

A collection of multiple protocols proposed by the IETF which is considered to be a complete solution. It works at layer-3 and supports multipoint tunnels. It requires key management.

7.3.3 L2TP – Layer Two Tunneling Protocol

A layer-2 remote access protocol which is primarily supported by Cisco products. It is a combination of PPTP and L2F (Layer 2 Forwarding); it is not as strong as IPSec and must be combined with IPSec for enterprise-level security. This is also a single point-to-point tunnel.

7.3.4 SOCKS v5

A protocol proposed by NEC and now considered a standard by the IETF, which works at the application layer (layer-7). It is more suitable for client/server applications using TCP/UDP. It has better security, but since it works at the application level it reduces performance.

7.4 Types of VPN

7.4.1 Remote access VPN

Provides access to internal corporate networks over the Internet. Suitable for dial-up connections with either mobile users or home workers.
7.4.2 Site-to-Site VPN

Connects multiple offices over the Internet. Suitable for interconnecting branch offices and resellers.

7.4.3 Extranet VPN

Allows business partners to access critical information by interconnecting multiple intranets. Interconnects resellers and suppliers.

7.4.4 Client/Server VPN

Suitable for internal applications (between the server and client PCs) which need to guard against internal attacks.

7.5 Universal BioSys and VPN

Universal BioSys is a 3rd party security solution which allows user verification and identification with the use of biometrics. Its Server (engine) and Console are designed to be used as two separate applications which run at different locations, allowing remote management of the server. The Console could be installed on the administrator's PC while the Server (i.e. the engine) is located in the server room. If raw (unprotected) data is passed between the Server and the Console, any intruder within the internal network could capture those packets and either use them for replay attacks or otherwise misuse them. To guard against such internal attacks it is essential to have secure communication between the Server and the Console. In such a case a Client/Server VPN is a really good solution. Since we are working at the application layer, SOCKS would be a suitable tunneling protocol.

Universal BioSys is supposed to be extended beyond the organization to the Internet, allowing users (mobile and home workers) to log in to the internal network (through Web Services), allowing registered users to access certain web resources, and supporting other solutions which require verification. In such cases the client should establish secure communication between himself and the server. To accommodate this requirement a remote access VPN would be suitable, with IPSec as the tunneling protocol.
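The replay concern in section 7.5, as an added example that is not part of the original chapter or of the Universal BioSys code: a minimal authenticated message layer between Console and Server with a sequence-number check, showing how a captured frame is rejected when it is resent and how a modified frame fails its tag. It assumes a pre-shared key (constructed here) and covers only integrity and replay detection; confidentiality is what the tunnel's encryption adds on top.

```python
import hmac
import hashlib
import struct

# Constructed demo key (assumption); in a real deployment the tunnel layer owns the keys.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Console side: frame = 8-byte big-endian sequence number || payload || tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Server side: verify the tag first, then reject any sequence number that is
    not strictly greater than the last accepted one (a replayed frame reuses an old seq)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def open(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None, "truncated"
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"      # modified in transit (or wrong key)
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None, "replay"       # captured frame resent by an intruder
        self.last_seq = seq
        return payload, "ok"


def demo():
    """Constructed sample traffic: two console commands, then a replay and a tampered frame."""
    server = Receiver(KEY)
    f1 = seal(KEY, 1, b"UNLOCK user=alice")
    f2 = seal(KEY, 2, b"ENROLL user=bob")
    results = [server.open(f1)[1], server.open(f2)[1]]
    results.append(server.open(f1)[1])                       # replay of frame 1
    tampered = f2[:8] + b"ENROLL user=eve" + f2[-TAG_LEN:]   # payload altered, old tag kept
    results.append(server.open(tampered)[1])
    return results                                           # ["ok", "ok", "replay", "bad tag"]


if __name__ == "__main__":
    print(demo())
```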
7.6 VPN and its competitors in the domain of BioSys

Universal BioSys will be using Web Services to communicate with both the Client (if the client supports it) and the Application. Web Services are still an emerging set of technologies which are not yet so stable when it comes to secure communication. In situations where Web Services can provide secure communication, VPN solutions will not be useful, because having both Web Service security and VPN would be too much overhead. Web Services do not need special dedicated hardware or software components. But this is only suitable for applications like accessing web sites or e-mail, because after the authentication stage there is no need for any further secure communication, as long as the data being transferred is not so valuable. When a mobile user (or home worker) connects to the internal network, however, the entire session needs to be secure even after the authentication stage. This cannot be supplied by Web Services (since the Web Service is used only for authentication), and in such cases VPN is the only solution. In such scenarios Web Service security is redundant and could be turned off. Anyway, until Web Service security matures enough, VPN is the better solution.

7.8 Abbreviations

ADSL   Asymmetric Digital Subscriber Loop
ATM    Asynchronous Transfer Mode
ISDN   Integrated Services Digital Network
IETF   Internet Engineering Task Force
IP     Internet Protocol
IPSec  Internet Protocol Security
L2F    Layer 2 Forwarding
L2TP   Layer 2 Tunneling Protocol
PPP    Point to Point Protocol
PPTP   Point to Point Tunneling Protocol
TCP    Transmission Control Protocol
UDP    User Datagram Protocol
VPN    Virtual Private Network
WAN    Wide Area Network