The Higher Institute of Industry - Misurata




Performance Evaluation for Remote Access VPNs on Windows Server 2003

                                      By:
                                      Ahmed A. Jaha
                                      Fathi Ben Shatwan
                                      Majdi Ashibani




1st International Workshop on Mobile and Wireless Security (WMS’08)
16-19 September 2008, Cardiff, Wales
Outline
• Paper Objectives
• VPN Overview
• Experimental Testbeds
• Experimental Results
• Conclusions and Future Work




     The Higher Institute of
      Industry - Misurata      WMS’08   16-19 / 9/ 2008 Cardiff - Wales
Paper Objectives
• Overview of VPN
• Survey of popular remote access VPN solutions that are widely available
• Experimental performance evaluation of these solutions on wired and
  wireless Windows Server 2003 platforms
• Identification of issues that have future research potential




VPN Overview
What is VPN?
A VPN can be defined as a way to provide secure communication between
members of a group through use of the public telecommunication
infrastructure (usually the Internet), maintaining privacy through the use
of a tunneling protocol and security procedures. VPN systems provide users
with the illusion of a completely private network.

[Figure: Site 1 and Site 2, each behind a VPN gateway, connected across the Internet]




Tunneling
• Method of using an internetwork infrastructure to transfer data
  from one network over another network (encapsulation,
  transmission, and decapsulation of packets)




Security of VPN
• Authentication
  – Authentication ensures that the data is coming from the source from
    which it claims to come.
• Access Control
  – Access control relates to accepting or rejecting a particular
    requester's access to some service or data in a given system. It is
    therefore necessary to define a set of access rights, privileges, and
    authorizations, and to assign these to the appropriate people within
    the domain of the system under analysis.
• Confidentiality
  – Confidentiality ensures the privacy of information by restricting
    unauthorized users from reading data carried on the public network.
• Data Integrity
  – Data integrity verifies that data has not been altered during its
    travel over the public network.
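To make the tunneling steps above (encapsulation, transmission, decapsulation) and these four security properties concrete, here is an added example written for this page; it is not code from the slides or from any VPN product the deck names. It assumes one pre-shared (encryption key, MAC key) pair per remote peer and an ACL of destination ports per peer, and it uses HMAC-SHA256 in counter mode as a stand-in keystream for the real ciphers IPsec or OpenVPN negotiate. Every name in it (Receiver, encapsulate, TunnelError, PEER_A, the 4-byte peer id in the outer header, the port-prefixed "inner packet") is this example's own.

```python
# Added example (not from the slides): a toy tunnel endpoint showing the
# encapsulate / transmit / decapsulate steps and the four properties named
# on the "Security of VPN" slides. Pure standard library; the keystream is
# HMAC-SHA256 used as a PRF in counter mode, a stand-in for a real cipher.
import hashlib
import hmac
import struct

HDR = struct.Struct("!4sQ")   # outer header: peer id (4 bytes) | sequence number (8 bytes)
TAG_LEN = 32                  # HMAC-SHA256 tag appended to every outer packet


class TunnelError(Exception):
    """A received packet failed an authentication, integrity, replay or access check."""


def _keystream(enc_key, seq, length):
    """Pseudo-random bytes for one packet: PRF(enc_key, seq || block counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!QQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_inner(port, data):
    """Constructed 'inner packet': destination service port followed by payload."""
    return struct.pack("!H", port) + data


def encapsulate(enc_key, mac_key, peer_id, seq, inner):
    """Sender side: prepend the outer header, encrypt the inner packet, append a tag."""
    header = HDR.pack(peer_id, seq)
    ciphertext = bytes(p ^ k for p, k in zip(inner, _keystream(enc_key, seq, len(inner))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Tunnel endpoint holding an (enc_key, mac_key) pair per authorised peer
    and an ACL of destination ports each peer may reach."""

    def __init__(self, peer_keys, acl):
        self.peer_keys = peer_keys   # {peer_id: (enc_key, mac_key)}
        self.acl = acl               # {peer_id: set of allowed destination ports}
        self.last_seq = {}           # {peer_id: highest sequence number accepted}

    def decapsulate(self, packet):
        if len(packet) < HDR.size + TAG_LEN:
            raise TunnelError("truncated")
        header, body, tag = packet[:HDR.size], packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
        peer_id, seq = HDR.unpack(header)
        # Authentication: the claimed source must be a peer we hold keys for,
        # and only a holder of that peer's mac_key can produce a valid tag.
        if peer_id not in self.peer_keys:
            raise TunnelError("unknown peer")
        enc_key, mac_key = self.peer_keys[peer_id]
        # Integrity: any modified bit of header or ciphertext invalidates the tag.
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise TunnelError("bad tag")
        # Replay protection: sequence numbers must strictly increase per peer.
        if seq <= self.last_seq.get(peer_id, -1):
            raise TunnelError("replay")
        # Confidentiality: strip the keystream to recover the inner packet.
        inner = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, seq, len(body))))
        if len(inner) < 2:
            raise TunnelError("malformed inner packet")
        # Access control: the peer may only reach the services its ACL entry lists.
        port = struct.unpack("!H", inner[:2])[0]
        if port not in self.acl.get(peer_id, ()):
            raise TunnelError("access denied")
        self.last_seq[peer_id] = seq
        return port, inner[2:]


def deliver(receiver, packet):
    """Helper: ('ok', (port, payload)) on success, ('rejected', reason) otherwise."""
    try:
        return "ok", receiver.decapsulate(packet)
    except TunnelError as err:
        return "rejected", str(err)


def flip_byte(packet, index):
    """Corrupt one byte in flight (simulates tampering or a bit error)."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


# Constructed demo keys and peer id (a deployment derives keys from IKE or TLS).
PEER_A = b"PEER"
ENC_KEY_A = b"\x11" * 32
MAC_KEY_A = b"\x22" * 32

if __name__ == "__main__":
    rx = Receiver({PEER_A: (ENC_KEY_A, MAC_KEY_A)}, {PEER_A: {443}})
    pkt = encapsulate(ENC_KEY_A, MAC_KEY_A, PEER_A, 1, make_inner(443, b"GET / HTTP/1.1"))
    print(deliver(rx, pkt))                        # accepted, decrypted, port allowed
    print(deliver(rx, pkt))                        # rejected: replay
    print(deliver(rx, flip_byte(pkt, HDR.size)))   # rejected: bad tag
```

Each rejection maps to one property from the slides: an unknown peer id or a tag made with the wrong key fails authentication, a flipped byte fails integrity, a destination port outside the ACL fails access control, and the keystream is what provides confidentiality; the sequence number adds replay protection on top.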




Benefits of VPN
• Cost
  – VPNs eliminate the fixed monthly charge of dedicated leased lines.
• Scalability
  – As the enterprise grows, full-mesh connectivity might be required
    between the different offices. This means that the number of leased
    lines, and the total cost associated with deploying them, increases
    exponentially.
  – VPNs that utilize the Internet avoid this problem by simply using the
    infrastructure already available.
• Security
  – Security is not impaired when using a VPN, since transmitted data is
    either encrypted or, if sent unencrypted, forwarded through trusted
    networks.
• Productivity
  – In addition to cost savings, VPNs increase profits by improving
    productivity.
  – The improved productivity results from the ability to access
    resources from anywhere at any time.




Architecture of VPN
• Remote Access VPN
  – User-to-LAN connection used by enterprises that have employees who
    need to connect to their private network from various remote
    locations (e.g. homes, hotel rooms, airports).
  [Figure: remote user connecting across the Internet to the enterprise main site]
• Intranet Site-to-Site VPN
  – LAN-to-LAN connection used to connect an enterprise’s offices over
    the Internet.
  [Figure: enterprise branch site connected across the Internet to the enterprise main site]
• Extranet Site-to-Site VPN
  – LAN-to-LAN connection that provides business partners, suppliers, and
    customers access to certain data.
  [Figure: supplier site and partner site connected across the Internet to the enterprise main site]




Remote Access VPN Protocols
• Point to Point Tunneling Protocol (PPTP), layer 2
  – Developed by Microsoft and others (RFC 2637).
  – Extension of the Point to Point Protocol (PPP).
  – Clients are included in all versions of Windows since Windows 95.
  – Servers are included in all Windows server products since Windows NT.
  – Clients and servers are supported in Linux.
• Layer Two Tunneling Protocol (L2TP), layer 2
  – Developed by the IETF (RFC 2661).
  – Combines the best features of L2F and PPTP.
  – Commonly used with IPSec -> L2TP/IPSec.
  – Clients are included in Windows XP, 2000, and 2003.
  – Servers are included in Windows Server 2000 and 2003.
  – Clients and servers are supported in Linux.
• Internet Protocol Security (IPSec), layer 3
  – Framework developed by the IETF (RFCs 2401-2411 and 2451).
  – IPSec is supported in Windows XP, 2000, 2003 and Vista, and in
    Linux 2.6 and later.
  – Many vendors supply IPSec VPN servers and clients.
• Secure Sockets Layer (SSL), layer 5
  – Higher-layer security protocol developed by Netscape.
  – Used with HTTP to enable secure Web browsing (HTTPS).
      • Supported by most browsers and servers.
  – SSL can also be used to create a VPN tunnel (OpenVPN).
      • Open-source VPN package for Linux and Windows.




Experimental Testbeds
Performance Metrics
• Throughput
  – The rate at which bulk data can be transferred from one host to
    another over a sufficiently long period of time.
• Round Trip Time (RTT)
  – The time it takes one packet to travel from one host to another and
    back to the originating host.
• Packet delay variation (Jitter)
  – The variation of packet delay; this variation directly impacts the
    quality of service.
• Packet loss
  – The portion of packets transmitted but not received at the
    destination, compared to the total number of packets transmitted.




Wired Testbed Setup
[Figure: wired testbed topology; only the slide title survives]

Wireless Testbed Setup
[Figure: wireless testbed topology; only the slide title survives]
Performance Measurement Tools
• Iperf: an Iperf client at one end of the tunnel and an Iperf server at
  the other measure throughput, jitter and losses.
• Hrping: measures round trip time (RTT).
Experimental Results
[Figures: charts of TCP throughput, Round Trip Time (RTT), UDP throughput, Jitter and Packet loss; only the chart titles survive]
Wired Testbed Results (each VPN run relative to the no-VPN run on the same testbed)

Metric                               PPTP      L2TP/IPSec   OpenVPN
TCP throughput (% of no VPN)         82.37 %   55.23 %      52.59 %
Round Trip Time (multiple of no VPN) 1.98      2.52         2.86
UDP throughput (% of no VPN)         68.12 %   51.04 %      6.65 %
Jitter (multiple of no VPN)          2.53      4.34         377.18
Packet loss (multiple of no VPN)     3.49      5.27         24.55
Wireless Testbed Results (each VPN run relative to the no-VPN run on the same testbed)

Metric                               PPTP      L2TP/IPSec   OpenVPN
TCP throughput (% of no VPN)         83.33 %   68.38 %      53.85 %
Round Trip Time (multiple of no VPN) 1.33      1.50         1.60
UDP throughput (% of no VPN)         65.68 %   59.98 %      8.44 %
Jitter (multiple of no VPN)          1.64      2.20         44.76
Packet loss (multiple of no VPN)     1.43      1.51         5.02
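The following added example (written for this page; it is not code from the paper, from Iperf or from Hrping) computes the four metrics defined in the Performance Metrics section from a per-datagram trace and then normalizes a VPN run against a no-VPN baseline in the form the two results tables use (throughput as % of no VPN; RTT, jitter and loss as multiples of no VPN). Both traces, the RTT samples and the 1000-byte datagram size are constructed for illustration; jitter is the RFC 3550 smoothed inter-arrival estimator, which is what Iperf reports for UDP runs. All function and constant names are this example's own.

```python
# Added example (not from the slides): the deck's four metrics computed from
# a packet trace, then expressed relative to a no-VPN baseline as the results
# tables do. Traces and RTT samples below are constructed, not measured.
from statistics import mean

# A trace entry is (sequence number, time sent, time received or None if lost,
# payload bytes). Times are integer microseconds.
PACKET = 1000  # payload bytes per datagram in both constructed traces


def build_trace(transit_us):
    """Constructed trace: datagram i is sent at i*10 ms; transit None = lost."""
    trace = []
    for i, t in enumerate(transit_us):
        sent = i * 10_000
        trace.append((i, sent, None if t is None else sent + t, PACKET))
    return trace


# No-VPN baseline: 2.0-2.2 ms transit, one datagram lost.
BASELINE_TRACE = build_trace([2000, 2200, 2000, 2200, 2000, None, 2000, 2200, 2000, 2200])
# Same flow through a constructed tunnel: higher and more variable transit, two lost.
VPN_TRACE = build_trace([4000, 6000, 4000, 8000, None, 5000, 5000, None, 9000, 5000])
# Per-probe round-trip times in microseconds, as an echo tool such as Hrping reports.
BASELINE_RTT_US = [2000, 2100, 1900]
VPN_RTT_US = [4000, 4400, 3600]


def throughput_bps(trace):
    """Bits delivered per second between the first send and the last receive."""
    received = [p for p in trace if p[2] is not None]
    if not received:
        return 0.0
    bits = 8 * sum(p[3] for p in received)
    span_us = max(p[2] for p in received) - min(p[1] for p in trace)
    return bits * 1_000_000 / span_us


def packet_loss_ratio(trace):
    """Datagrams transmitted but not received, over datagrams transmitted."""
    return sum(1 for p in trace if p[2] is None) / len(trace)


def jitter_rfc3550_us(trace):
    """Smoothed inter-arrival jitter (RFC 3550, section 6.4.1): J += (|D| - J)/16,
    where D is the change in one-way transit between consecutive received
    datagrams. Lost datagrams are skipped, as a receiver never sees them."""
    j = 0.0
    prev_transit = None
    for _, sent, recv, _ in trace:
        if recv is None:
            continue
        transit = recv - sent
        if prev_transit is not None:
            j += (abs(transit - prev_transit) - j) / 16
        prev_transit = transit
    return j


def mean_rtt_us(rtts):
    """Average round-trip time over the probe samples."""
    return mean(rtts)


def _ratio(num, den):
    """Multiple of the baseline; infinite when the baseline metric is zero."""
    return num / den if den else float("inf")


def relative_to_baseline(vpn_trace, vpn_rtts, base_trace, base_rtts):
    """The deck's presentation: throughput as % of no VPN; RTT, jitter and
    packet loss as a multiple of no VPN."""
    return {
        "throughput_pct": 100 * _ratio(throughput_bps(vpn_trace), throughput_bps(base_trace)),
        "rtt_multiple": _ratio(mean_rtt_us(vpn_rtts), mean_rtt_us(base_rtts)),
        "jitter_multiple": _ratio(jitter_rfc3550_us(vpn_trace), jitter_rfc3550_us(base_trace)),
        "loss_multiple": _ratio(packet_loss_ratio(vpn_trace), packet_loss_ratio(base_trace)),
    }


if __name__ == "__main__":
    result = relative_to_baseline(VPN_TRACE, VPN_RTT_US, BASELINE_TRACE, BASELINE_RTT_US)
    for name, value in result.items():
        print(f"{name:16s} {value:10.2f}")
```

On the constructed traces the tunnel comes out at roughly 86 % of baseline throughput, 2x RTT, 14x jitter and 2x loss; the jitter multiple is the most sensitive of the four because the RFC 3550 estimator accumulates every transit swing while the other three are simple averages or counts, which is consistent with jitter being the metric that varies most across the VPN columns of the tables above.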
Conclusions and Future Work




Conclusions
• Testbeds have been built to evaluate the performance of remote access
  VPN solutions (PPTP, L2TP/IPSec, and OpenVPN) on wired and wireless
  Windows Server 2003 platforms.
• Performance metrics (throughput, RTT, jitter, and packet loss) have
  been measured in both TCP and UDP mode. These metrics are used in our
  experiments because they have a direct impact on the ultimate
  performance perceived by end-user applications.
• The wireless testbed performance values indicate that deploying VPNs
  on a wireless network infrastructure can be considered an acceptable
  choice for securing transmission between wireless clients and their
  enterprise network.


Future Work
• The performance of software-based VPN solutions on platforms other
  than Windows Server 2003 (such as Linux, BSD, Mac, and Solaris) can be
  evaluated to select the best platform on which to implement
  software-based VPN solutions.
• The performance evaluation of hardware-based VPN solutions using
  different hardware VPN products (such as 3Com, ADTRAN, Cisco, and
  Juniper) should be investigated as well.
• OpenVPN needs to be tuned to improve its performance in high-traffic
  environments.



Thank you for your attention