VPN – Virtual Private Network by jianghongl


                        VPN – Virtual Private Network

7.1       Introduction

Early wide area networks (WANs) used leased lines, frame relay or dial-up connections, which were
considered secure but carried heavy monthly rentals. It was very expensive to interconnect branch
offices and the head office (as well as mobile and home workers) located in different cities (trunk calls) or
offshore.

With the growth of the Internet it became much cheaper to connect these offices, mobile users and home
workers to the central office through the public Internet, which carries all forms of IP traffic over ISDN,
ADSL, dial-up, cable, T1 and ATM connections. But the Internet is an open network (a public path), so
privacy along it became an issue, and VPN (Virtual Private Network) was the technology that was
suggested to overcome this. In simple terms a VPN is a virtual private channel (or path) within a public
channel. A VPN includes authentication and encryption to protect data integrity and confidentiality.

7.2       VPN pros and cons

- It allows branch offices, home workers, mobile users, customers and suppliers to be interconnected
  securely, increasing trustworthiness.
- It is much more cost effective than leased or privately owned lines.
- Flexible, since it allows all forms of IP traffic.
- Scalable, since sites can be added dynamically and bandwidth management scales with them.
- But nothing comes free: users need to buy special devices (dedicated VPN servers, firewalls
  or routers with integrated VPN support, etc.). Still, the cost is 30-80% lower than leased lines.
- Considerable latency: a VPN requires a lot of processing power, so client PCs can get slower,
  and networking devices cannot achieve wire-speed performance.
- Various policies have to be defined to guard against public network security issues, and these
  require effective management.
- Different solutions from different vendors are still not fully interoperable.

                                        Figure 7.1 – A simple VPN network

                                       Best security through nature….
7.3     Technology

Most of the time a VPN is not a point-to-point connection (PC-to-PC); as you can see in the picture above
(figure 7.1), it is mostly established between two VPN gateway devices. This connection is called a
VPN tunnel, and it is established with the help of tunneling protocols such as IPSec, PPTP, L2TP and SOCKS.
These protocols emphasize authentication and encryption in a VPN. Authentication allows VPN clients and
servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive
data to be hidden from the general public.

7.3.1   PPTP – Point-to-Point Tunneling Protocol
PPTP is a protocol proposed by Microsoft and heavily used in industry due to Microsoft's dominance. It is
a layer-2 remote access protocol for dial-up connections, an extension of PPP, and it allows
multiple layer-3 protocols. This is a proprietary protocol and is not as strong as some of the other
7.3.2   IPsec – Internet Protocol Security
IPsec is a collection of protocols proposed by the IETF and is considered to be a complete solution. It
works at layer 3 and supports multipoint tunnels. It requires key management.
7.3.3   L2TP – Layer Two Tunneling Protocol
L2TP is a layer-2 remote access protocol primarily supported by Cisco products. It is a
combination of PPTP and L2F (Layer 2 Forwarding); it is not as strong as IPSec and requires combination
with IPSec for enterprise-level security. This is also a single point-to-point tunnel.
7.3.4   SOCKS v5
SOCKS v5 is a protocol proposed by NEC and now considered a standard by the IETF; it works at the
application layer (layer 7). It is more suitable for client/server applications using TCP/UDP. It has better
security, but since it works at the application level it reduces performance.

7.4     Types of VPN

7.4.1   Remote access VPN
Provides access to internal corporate networks over the Internet. Suitable for dial-up connections from
either mobile users or home workers.
7.4.2   Site-To-Site VPN
Connects multiple offices over the Internet. Suitable for interconnecting branch offices and resellers.
7.4.3   Extranet VPN
Allows business partners to access critical information by interconnecting multiple intranets. Interconnects
resellers and suppliers.
7.4.4   Client/Server VPN
Suitable for internal applications (between the server and client PCs) which need to guard against
internal attacks.

7.5     Universal BioSys and VPN
Universal BioSys is a 3-party security solution which allows user verification and identification with the
use of biometrics. Its Server (engine) and Console are designed to be used as two separate applications
running at different locations, allowing remote management of the server. The Console could be
installed on the administrator's PC while the Server (i.e. the engine) is located in the server room. If plain,
unprotected data is passed between the Server and Console, any intruder within the internal network could
capture those packets and either use them for replay attacks or otherwise misuse them.

To guard against such internal attacks it is essential to have secure communication between the Server
and the Console. In such a case a Client/Server VPN is a really good solution. Since we are working at
the application layer, SOCKS would be a suitable tunneling protocol.
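As an added illustration (not part of the original report or of the Universal BioSys design), the following Python sketch shows the receiver-side check that the authentication layer of a tunneling protocol (section 7.3) performs to catch exactly the captured-and-replayed Server/Console packets described above: each packet carries a sequence number bound to its payload by an HMAC, and the receiver keeps a sliding anti-replay window modelled on the one used by IPsec ESP. The key, packet layout and Console command are constructed for the demo; a real tunnel would also encrypt the payload for confidentiality.

```python
import hmac
import hashlib
import struct

TAG_LEN = 32   # HMAC-SHA256 tag appended to every packet
SEQ_LEN = 8    # 64-bit sequence number sent in clear, like ESP's counter

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: bind a monotonically increasing sequence number to the
    payload with a keyed MAC so both tampering and replay are detectable."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class ReplayWindow:
    """Receiver-side sliding window modelled on the IPsec ESP anti-replay
    check: bit d of the bitmap records whether sequence number (highest - d)
    has already been accepted."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                      # ESP never uses sequence number 0
            return False
        if seq > self.highest:            # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:             # older than the window tracks: reject
            return False
        if (self.bitmap >> diff) & 1:     # already accepted once: replay
            return False
        self.bitmap |= 1 << diff          # late but first delivery: accept
        return True

def verify(key: bytes, window: ReplayWindow, packet: bytes):
    """Receiver side: return the payload if the tag is valid and the sequence
    number is fresh, otherwise None. The MAC is checked before the window is
    touched so a forged packet cannot advance or poison the window."""
    if len(packet) < SEQ_LEN + TAG_LEN:
        return None
    header, payload, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    seq = struct.unpack(">Q", header)[0]
    return payload if window.accept(seq) else None
```

Feeding the same captured packet to `verify` a second time returns None, which is the replay case the text describes; a packet with a flipped byte fails the MAC check before the window is consulted.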

Universal BioSys is expected to be extended beyond an organization to the Internet, allowing users
(mobile and home workers) to log in to the internal network (through Web Services), allowing registered
users to access certain web resources, and supporting other solutions which require verification. In such cases the
client should establish secure communication between himself and the server. To accommodate this
requirement a remote access VPN would be suitable, with IPSec as the tunneling protocol.

7.6      VPN and its competitors in the domain of BioSys

Universal BioSys will be using Web Services to communicate with both the Client (if the client supports it) and
the Application. Web Services are still an emerging set of technologies and are not yet stable when it
comes to secure communication.

In situations where Web Services can provide secure communication, VPN solutions will not be useful,
because having both Web Service security and a VPN would be too much overhead. Web Services do not
need special dedicated hardware or software components.

But this is only suitable for applications like accessing web sites or e-mail, because after the authentication
stage there is no need for further secure communication unless the data being transferred is valuable.
But when a mobile user (or home worker) connects to the internal network, the entire session needs to be
secure even after the authentication stage. This cannot be supplied by Web Services (since the Web Service
is used only for authentication), and in such cases VPN is the only solution. In such scenarios Web
Service security is redundant and could be turned off. Anyway, until Web Service security gets
mature enough, VPN is the better solution.

7.8      Abbreviations
          ADSL    Asymmetric Digital Subscriber Loop
          ATM     Asynchronous Transfer Mode
          ISDN    Integrated Services Digital Network
          IETF    Internet Engineering Task Force
          IP      Internet Protocol
          IPSec   Internet Protocol Security
          L2F     Layer 2 Forwarding
          L2TP    Layer 2 Tunneling Protocol
          PPP     Point to Point Protocol
          PPTP    Point to Point Tunneling Protocol
          TCP     Transmission Control Protocol
          UDP     User Datagram Protocol
          VPN     Virtual Private Network
          WAN     Wide Area Network