VPN - DOC by wulinqing



The Virtual Private Network (VPN) has attracted the attention of many organizations looking to both expand their networking capabilities and reduce their

The VPN can be found in workplaces and homes, where it allows employees to safely log into company networks. Telecommuters and those who travel often find a VPN a more convenient way to stay "plugged in" to the corporate intranet.

No matter your current involvement with VPNs, this is a good technology to know something about. A study of VPN involves many interesting aspects of network protocol design, Internet security, network service outsourcing, and technology

                               What Exactly Is A VPN?
                    A VPN supplies network connectivity over a possibly long physical distance. In
                    this respect, a VPN is a form of Wide Area Network (WAN).
                    The key feature of a VPN, however, is its ability to use public networks like the
                    Internet rather than rely on private leased lines. VPN technologies implement
                    restricted-access networks that utilize the same cabling and routers as a public
                    network, and they do so without sacrificing features or basic security.
                    A VPN supports at least three different modes of use:

                       Remote access client connections
                       LAN-to-LAN internetworking
                       Controlled access within an intranet

VPN Pros and Cons

Like many commercialized network technologies, a significant amount of sales and marketing "hype" surrounds VPN. In reality, VPNs provide just a few clear potential advantages over more traditional forms of wide-area networking. These advantages can be quite significant, but they do not come for free.

The potential problems with the VPN outnumber the advantages and are generally more difficult to understand. The disadvantages do not necessarily outweigh the advantages, however. From security and performance concerns, to coping with a wide range of sometimes incompatible vendor products, the decision of whether or not to use a VPN cannot be made without significant planning and preparation.

TheDirectData.com                                                                                         Page 1


Technology Behind VPNs

Several network protocols have become popular as a result of VPN developments:

   PPTP
   L2TP
   IPsec
   SOCKS

These protocols emphasize authentication and encryption in VPNs. Authentication allows VPN clients and servers to correctly establish the identity of people on the network. Encryption allows potentially sensitive data to be hidden from the general

Many vendors have developed VPN hardware and/or software products. Unfortunately, immature VPN standards mean that some of these products remain incompatible with each other.

The Future of VPN

The success of VPNs in the future depends mainly on industry dynamics. Most of the value in VPNs lies in the potential for businesses to save money. Should the cost of long-distance telephone calls and leased lines continue to drop, fewer companies may feel the need to switch to VPNs for remote access. Conversely, if VPN standards solidify and vendor products interoperate fully with each other, the appeal of VPNs should increase.

The success of VPNs also depends on the ability of intranets and extranets to deliver on their promises. Companies have had difficulty measuring the cost savings of their private networks, but if it can be demonstrated that these provide significant value, the use of VPN technology internally may also increase.



1. INTRODUCTION                                         1
2. WORKING OF VPN                                       3
     2.1. EXAMPLE USE OF VPN
3. TYPES OF VPN                                         9
     3.1. VIRTUAL LEASED LINE (VLL)
     3.2. VIRTUAL PRIVATE ROUTED NETWORK (VPRN)
     3.3. VIRTUAL PRIVATE DIAL-UP NETWORK (VPDN)
     3.4. VIRTUAL PRIVATE LAN SEGMENT (VPLS)
     3.5. INTRANET VPN
     3.6. EXTRANET VPN
     3.7. REMOTE ACCESS VPN
4. TUNNELING                                           16
5. TUNNELING PROTOCOLS                                 18
     5.1. MOTIVE OF PROTOCOLS
     5.2. HISTORY
     5.3. IPSec DESIGN GOALS AND OVERVIEW
     5.4. L2TP DESIGN GOALS AND OVERVIEW
     5.5. PPTP DESIGN GOALS AND OVERVIEW
     5.6. MICROSOFT SUPPORT FOR IPSec, L2TP & PPTP
     5.7. REMOTE ACCESS POLICY MANAGEMENT
     5.8. CLIENT MANAGEMENT
6. SECURITY OF VPN                                     26
7. VPN H/W & S/W SPECIFICATION                         27
8. APPLICATION OF VPN                                  29
9. ADVANTAGES OF VPN                                   30
10. DISADVANTAGES OF VPN                               31
11. CONCLUSION                                         32
12. BIBLIOGRAPHY                                       33


1. INTRODUCTION:

                                    An Internet-based virtual private network (VPN) uses the open,
            distributed infrastructure of the Internet to transmit data between corporate sites.


Why develop a VPN?

                         Businesses today are faced with supporting a broader variety of
            communications among a wider range of sites even as they seek to reduce the cost of
            their communications infrastructure.

                            Employees are looking to access the resources of their corporate intranets
            as they take to the road, telecommute, or dial in from customer sites.

                            Plus business partners are joining together in extranets to share business
            information, either for a joint project of a few months' duration or for long-term strategic


                                  At the same time, businesses are finding that past solutions to wide-
            area networking between the main corporate network and branch offices, such as
            dedicated leased lines or frame-relay circuits, do not provide the flexibility required for
            quickly creating new partner links or supporting project teams in the field.

                           Meanwhile, the growth of the number of telecommuters and an
            increasingly mobile sales force is eating up resources as more money is spent on modem
            banks, remote-access servers, and phone charges.

                           The trend toward mobile connectivity shows no sign of abating; Forrester
            Research estimated that more than 80 percent of the corporate workforce would have at
            least one mobile computing device by 1999.

Comparison of VPN with existing networks:

                            First and foremost are the cost savings of Internet VPNs when compared
            to traditional VPNs. A traditional corporate network built using leased T1 (1.5 Mbps)
            links and T3 (45 Mbps) links must deal with tariffs that are structured to include an
            installation fee, a monthly fixed cost, and a mileage charge, adding up to monthly fees
            that are greater than typical fees for leased Internet connections of the same speed.

                            Leased Internet lines offer another cost advantage because many providers
            offer prices that are tiered according to usage. For businesses that require the use of a full
            T1 or T3 only during busy times of the day but do not need the full bandwidth most of
            the time, ISP services, such as burstable T1, are an excellent option. Burstable T1
            provides on-demand bandwidth with flexible pricing. For example, a customer who signs
            up for a full T1 but whose traffic averages 512 kbps of usage on the T1 circuit will pay
            less than a T1 customer whose average monthly traffic is 768 kbps.

Because point-to-point links are not a part of the Internet VPN, companies do not have to support one of each kind of connection, further reducing equipment and support costs. With traditional corporate networks, the media that serve smaller branch offices, telecommuters, and mobile workers (digital subscriber line (xDSL), integrated services digital network (ISDN), and high-speed modems, for instance) must be supported by additional equipment at corporate headquarters. In a VPN, not only can T1 or T3 lines be used between the main office and the ISP, but many other media can be used to connect smaller offices and mobile workers to the ISP and, therefore, to the VPN without installing any added equipment at headquarters.

                          VPN resolves the limitations of ordinary networks:

                          VPNs using the Internet have the potential to solve many of these business
            networking problems.


                           VPNs allow network managers to connect remote branch offices and
            project teams to the main corporate network economically and provide remote access to
            employees while reducing the in-house requirements for equipment.

                             Rather than depend on dedicated leased lines or frame relay's permanent
            virtual circuits (PVCs), an Internet-based VPN uses the open, distributed infrastructure of
            the Internet to transmit data between corporate sites.

                            Companies using an Internet VPN set up connections to the local
            connection points (called points-of-presence [POPs]) of their Internet service provider
            (ISP) and let the ISP ensure that the data is transmitted to the appropriate destinations via
            the Internet, leaving the rest of the connectivity details to the ISP's network and the
            Internet infrastructure.

                           Because the Internet is a public network with open transmission of most
            data, Internet-based VPNs include measures for encrypting data passed between VPN
            sites, which protects the data against eavesdropping and tampering by unauthorized

                           In addition, VPNs are not limited to corporate sites and branch offices. As
            an added advantage, a VPN can provide secure connectivity for mobile workers. These
            workers can connect to their company's VPN by dialing into the POP of a local ISP,
            which reduces the need for long-distance charges and outlays for installing and
            maintaining large banks of modems at corporate sites.

                          While VPNs offer direct cost savings over other communications methods
            (such as leased lines and long-distance calls), they can also offer other advantages,
            including indirect cost savings as a result of reduced training requirements and
            equipment, increased flexibility, and scalability.

2. WORKING OF VPN:

                            The world has changed a lot in the last couple of decades. Instead of
            simply dealing with local or regional concerns, many businesses now have to think about
            global markets and logistics. Many companies have facilities spread out across the
            country or even around the world. But there is one thing that all of them need: A way to
            maintain fast, secure and reliable communications wherever their offices are.

Until recently, this has meant the use of leased lines to maintain a Wide Area Network (WAN). Leased lines, ranging from ISDN (Integrated Services Digital Network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand their private network beyond their immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive and often rises in cost as the distance between the offices increases.

                           As the popularity of the Internet grew, businesses turned to it as a means
            of extending their own networks. First came intranets, which are password-protected
            sites designed for use only by company employees. Now, many companies are creating
            their own VPNs (Virtual Private Networks) to accommodate the needs of remote
            employees and distant offices.

Image courtesy of Cisco Systems, Inc. A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.

                            Basically, a VPN is a private network that uses a public network (usually
            the Internet) to connect remote sites or users together. Instead of using a dedicated, real-
            world connection such as leased line, a VPN uses "virtual" connections routed through
            the Internet from the company's private network to the remote site or employee.

For years, voice, data, and just about all software-defined network services were called "virtual private networks" by the telephone companies. The current generation of VPNs, however, is a more advanced combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over the Internet, a managed IP network or a provider's backbone.

The traffic reaches these backbones using any combination of access technologies, including T1, frame relay, ISDN, ATM or simple dial access. VPNs use familiar networking technology and protocols. The client sends a stream of encrypted Point-to-Point Protocol (PPP) packets to a remote server or router, except that instead of going across a dedicated line (as in the case of WANs), the packets go across a tunnel over a shared network.

                             The general idea behind using this method is that a company reduces the
            recurring telecommunications charges that are shouldered when connecting remote users
            and branch offices to resources in a corporation's headquarters.

                             The most commonly accepted method of creating VPN tunnels is by
            encapsulating a network protocol (including IPX, NetBEUI, AppleTalk, and others)
            inside the PPP, and then encapsulating the entire package inside a tunneling protocol,
            which is typically IP, but could also be ATM or frame relay. This increasingly popular
            approach is called Layer 2 tunneling, because the passenger is a Layer-2 Tunneling
            Protocol (L2TP).

                              Using this VPN model, packets headed towards the remote network will
            reach a tunnel-initiating device, which can be anything from an extranet router to a PC
            with VPN-enabled dial-up software. The tunnel initiator communicates with a VPN
            terminator, or a tunnel switch, to agree on an encryption scheme. The tunnel initiator then
            encrypts the package for security before transmitting to the terminator, which decrypts
            the packet and delivers it to the appropriate destination on the network.

                           L2TP is the combination of Cisco Systems' Layer-2 Forwarding (L2F) and
            Microsoft's Point-to-Point Tunneling Protocol (PPTP). It supports any routed protocol,
            including IP, IPX, and AppleTalk, as well as any WAN backbone technology, including
            frame relay, ATM, X.25, and SONET. Because of L2TP's use of Microsoft's PPTP, it is
            included as part of the remote access features of most Windows products.

Another approach to VPN is SOCKS 5, which follows a proxy server model and works at the TCP socket level. It requires a SOCKS 5 server and appropriate software in order to work. The SOCKS 5 client intercepts a request for service and checks it against a security database. If the request is granted, the server establishes an authenticated session with the client, acting as a proxy. This allows network managers to apply specific controls, proxy traffic, and specify which applications can cross the firewall into the Internet.

VPN technology can be used for site-to-site connectivity as well, which would allow a branch office with multiple access lines to get rid of the data line and move traffic over the existing Internet access connection. Since many sites use multiple lines, this can be a very useful application, and it can be deployed without adding additional equipment or software.

2.1. Example use of VPN:

Step 1. The remote user dials into their local ISP and logs into the ISP's network as usual.

Step 2. When connectivity to the corporate network is desired, the user initiates a tunnel request to the destination Security server on the corporate network. The Security server authenticates the user and creates the other end of the tunnel.

Step 3. The user then sends data through the tunnel, which is encrypted by the VPN software before being sent over the ISP connection.

Step 4. The destination Security server receives the encrypted data and decrypts it. The Security server then forwards the decrypted data packets onto the corporate network. Any information sent back to the remote user is also encrypted before being sent over the Internet.
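The four steps above, worked through as an added example (this is not code from the original report): a Go simulation of a remote client and the corporate Security server. Step 1, the dial-in to the ISP, is assumed to have already happened. The user credential is a shared secret checked with an HMAC challenge-response, the tunnel key is derived from that secret and the challenge with HMAC-SHA256, and each packet is sealed with AES-256-GCM. The message layout, the key derivation and the names (SecurityServer, Session, RunTunnel, the user alice and the secret) are constructed for this example; they do not correspond to IPsec, L2TP or PPTP as the report later describes them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example (not from the original report): steps 2-4 between a remote client
// and the corporate Security server; step 1 (dialling the ISP) is assumed done.
// Authentication is an HMAC challenge-response over a shared secret, the tunnel key
// is HMAC-SHA256(secret, challenge), packets use AES-256-GCM. All constructed.

type SecurityServer struct {
	creds map[string][]byte // constructed user database: user -> shared secret
}

type Session struct {
	aead cipher.AEAD // per-tunnel key, identical at both ends
	seq  uint64      // send counter used to build a never-repeating nonce
}

// ClientResponse proves knowledge of the secret without putting it on the wire.
func ClientResponse(secret, challenge []byte, user string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte("auth|" + user + "|"))
	m.Write(challenge)
	return m.Sum(nil)
}

// Authenticate (step 2, server side) compares in constant time; only on success is the server end created.
func (s *SecurityServer) Authenticate(user string, challenge, response []byte) (*Session, error) {
	secret, known := s.creds[user]
	if !known || !hmac.Equal(response, ClientResponse(secret, challenge, user)) {
		return nil, errors.New("authentication failed: no tunnel created")
	}
	return NewSession(secret, challenge)
}

// NewSession derives the per-tunnel key; both ends compute it from the secret and the challenge.
func NewSession(secret, challenge []byte) (*Session, error) {
	kdf := hmac.New(sha256.New, secret)
	kdf.Write([]byte("tunnel-key|"))
	kdf.Write(challenge)
	block, err := aes.NewCipher(kdf.Sum(nil)) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Session{aead: aead}, err
}

// Seal encrypts and authenticates one packet before it crosses the ISP link; nonce = direction byte + counter.
func (t *Session) Seal(dir byte, pkt []byte) []byte {
	t.seq++
	nonce := make([]byte, 12)
	nonce[0] = dir
	binary.BigEndian.PutUint64(nonce[4:], t.seq)
	return t.aead.Seal(nonce, nonce, pkt, nil) // wire = nonce || ciphertext || tag
}

// Open checks the tag and decrypts; a packet altered in transit is rejected.
func (t *Session) Open(wire []byte) ([]byte, error) {
	if len(wire) < 12 {
		return nil, errors.New("packet too short")
	}
	return t.aead.Open(nil, wire[:12], wire[12:], nil)
}

// RunTunnel walks steps 2-4 for one request and one reply; returns what the intranet saw and what came back.
func RunTunnel(server *SecurityServer, user string, secret, request, reply []byte) ([]byte, []byte, error) {
	challenge := make([]byte, 16) // step 2: the server answers the tunnel request with a fresh challenge
	if _, err := rand.Read(challenge); err != nil {
		return nil, nil, err
	}
	srv, err := server.Authenticate(user, challenge, ClientResponse(secret, challenge, user))
	if err != nil {
		return nil, nil, err
	}
	cli, _ := NewSession(secret, challenge)     // client end; cannot fail with a 32-byte key
	seen, err := srv.Open(cli.Seal(0, request)) // step 3: encrypted across the ISP link
	if err != nil {
		return nil, nil, err
	}
	back, err := cli.Open(srv.Seal(1, reply)) // step 4: decrypt, forward, encrypt the reply
	return seen, back, err
}

func main() {
	server := &SecurityServer{creds: map[string][]byte{"alice": []byte("constructed-secret")}}
	seen, back, err := RunTunnel(server, "alice", []byte("constructed-secret"), []byte("GET /intranet"), []byte("200 OK"))
	fmt.Printf("intranet saw %q, client got %q, err=%v\n", seen, back, err)
}
```

Calling RunTunnel with the wrong secret, or for a user the server does not know, fails at step 2 and no tunnel is created; a packet modified on its way through the ISP fails the GCM tag check in Open, which is the protection against tampering that the introduction mentions.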


                                   The figure below illustrates that VPN software can be used from
            any location through any existing ISP’s dial-in service.

3. TYPES OF VPN:

3.1. Virtual Leased Lines (VLL)

This is the simplest form of a VPN. In this type there is a point-to-point link between two customer premises equipment (CPE) devices. The CPE devices can be routers, bridges or hosts. The IP tunnel is set up between two ISP nodes which are connected by an IP network. Each of these nodes is configured to bind the stub link and the IP tunnel together at layer 2. Frames are relayed between the two links. The contents of the payload are opaque to the ISP node. The IP network is invisible to the customer: to him it seems as if a single ATM Virtual Channel Connection (VCC) or Frame Relay circuit were used to interconnect the CPE devices. If the two links used to connect the CPE devices to the ISP nodes are not of the same type, then the traffic is not opaque to the ISP. In this case the ISP nodes must perform the functions of an inter-working device between the two media types (e.g., ATM and Frame Relay) and any media-specific processing that is expected by the CPE devices.


                Figure 3.1: Virtual Leased Lines (VLL)

3.2. Virtual Private Routed Network (VPRN)

A VPRN is an emulation of a multi-site wide area routed network using IP facilities. In a VPRN, packet forwarding is carried out at the network layer. A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received at each VPRN node to the appropriate destination site. At each ISP router to which members of the VPRN are connected there is a VPRN-specific forwarding table. Traffic is forwarded between ISP routers, and between ISP routers and customer sites, using these forwarding tables. The forwarding tables contain network layer reachability information. Since a VPRN carries out forwarding at the network layer, a single VPRN only directly supports a single network layer protocol. For multiprotocol support, a separate VPRN for each network layer protocol could be used, or one protocol could be tunneled over another.

VPRN Requirements

1. VPN identifier: the use of a globally unique VPN identifier.

2. VPRN membership determination: an edge router must learn of the local stub links that are in each VPRN and the set of other routers that have members in that VPRN.

3. Stub link reachability information: an edge router must learn the set of addresses and address prefixes reachable via each stub link.

4. Intra-VPRN reachability information: an edge router must disseminate the address prefix information associated with each of its stub links to each other edge router in the VPRN.

5. Tunneling mechanism: an edge router must construct the necessary tunnels to other routers that have members in the VPRN, and must perform the encapsulation and decapsulation necessary to send and receive packets over the tunnels.
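How the five requirements fit together, as an added example that is not part of the original report: a Go model of an ISP edge router that keeps one forwarding table per VPN identifier. AddStub covers requirement 3, Advertise and Learn requirement 4, the tunnel endpoint stored in each learned route requirement 5, and keying every table by the identifier requirements 1 and 2. The router addresses, the VPN identifiers (acme, globex), the stub link names and the prefixes are all constructed; the point shown is that two VPRNs can reuse the same private address space without their traffic ever meeting.

```go
package main

import (
	"fmt"
	"net"
)

// Added example (not from the original report): an ISP edge router that keeps
// a separate forwarding table per VPN identifier, as a VPRN requires. Router
// addresses, VPN identifiers and prefixes are constructed for this example.

// NextHop is where a packet in a given VPRN goes next: out of a local stub link
// to a customer site, or into the IP tunnel to the edge router (Tunnel) that advertised the prefix.
type NextHop struct {
	StubLink string
	Tunnel   net.IP
}

type route struct {
	prefix *net.IPNet
	hop    NextHop
}

// EdgeRouter holds one table per VPRN it has members in; keying every lookup
// by the VPN identifier is what keeps customers apart (requirements 1 and 2).
type EdgeRouter struct {
	Addr   net.IP
	tables map[string][]route
}

func NewEdgeRouter(addr string) *EdgeRouter {
	return &EdgeRouter{Addr: net.ParseIP(addr), tables: map[string][]route{}}
}

// AddStub records a prefix reachable through a local stub link (requirement 3).
func (r *EdgeRouter) AddStub(vpnID, link, cidr string) error {
	_, ipn, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	r.tables[vpnID] = append(r.tables[vpnID], route{ipn, NextHop{StubLink: link}})
	return nil
}

// Advertise returns this router's tunnel endpoint and the stub prefixes it
// disseminates to the other edge routers of vpnID (requirement 4).
func (r *EdgeRouter) Advertise(vpnID string) (net.IP, []string) {
	var prefixes []string
	for _, rt := range r.tables[vpnID] {
		if rt.hop.StubLink != "" {
			prefixes = append(prefixes, rt.prefix.String())
		}
	}
	return r.Addr, prefixes
}

// Learn installs a prefix advertised by a peer; packets for it are encapsulated
// into the tunnel towards that peer (requirement 5).
func (r *EdgeRouter) Learn(vpnID string, peer net.IP, cidr string) error {
	_, ipn, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	r.tables[vpnID] = append(r.tables[vpnID], route{ipn, NextHop{Tunnel: peer}})
	return nil
}

// Lookup is a longest-prefix match confined to one VPRN's table, so an address
// present in several customers' private space resolves only within the VPRN the packet arrived on.
func (r *EdgeRouter) Lookup(vpnID, dst string) (NextHop, bool) {
	ip := net.ParseIP(dst)
	var best NextHop
	bestLen, found := -1, false
	for _, rt := range r.tables[vpnID] {
		if !rt.prefix.Contains(ip) {
			continue
		}
		if l, _ := rt.prefix.Mask.Size(); l > bestLen {
			best, bestLen, found = rt.hop, l, true
		}
	}
	return best, found
}

func main() {
	pe1, pe2 := NewEdgeRouter("192.0.2.1"), NewEdgeRouter("192.0.2.2")
	pe1.AddStub("acme", "stub-acme-hq", "10.1.0.0/16")
	pe2.AddStub("acme", "stub-acme-branch", "10.2.0.0/16")
	pe2.AddStub("globex", "stub-globex-hq", "10.2.0.0/16") // same space, other customer
	peer, prefixes := pe2.Advertise("acme")
	for _, p := range prefixes {
		pe1.Learn("acme", peer, p)
	}
	hop, ok := pe1.Lookup("acme", "10.2.5.9")
	fmt.Println("acme 10.2.5.9 -> tunnel to", hop.Tunnel, ok)
	_, ok = pe1.Lookup("globex", "10.2.5.9") // pe1 has no globex members: no route
	fmt.Println("globex 10.2.5.9 reachable via pe1:", ok)
}
```

The lookup for 10.2.5.9 in the acme table returns the tunnel to pe2, while the same address in the globex table on pe1 has no route at all, which is the VPRN-specific forwarding table doing exactly what the text asks of it.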


                                 Figure 3.2: Virtual Private Routed Network (VPRN)

3.3. Virtual Private Dial Network (VPDN)

A Virtual Private Dial Network (VPDN) allows an on-demand, ad hoc tunnel between a remote user and another site. The user is connected to a public IP network via a dial-up PSTN or ISDN link. User packets are tunneled across the public network to the destination site. To the user, it gives the impression of being directly connected to that site. The most important thing here is authentication of the user, since anybody can try to gain access to destination sites using the dial-up network. Two types of tunnel are possible in this case:

   Compulsory Tunnel

   Voluntary Tunnel

Compulsory Tunnel

In this scenario an L2TP Access Concentrator (LAC), acting as a dial or network access server, extends a PPP session across a backbone using L2TP to a remote L2TP Network Server (LNS). The operation of initiating the PPP session to the LAC is transparent to the user.

                      Figure 3.3: Compulsory Tunnel (VPDN)

Voluntary Tunnel

A voluntary tunnel refers to the case where an individual host connects to a remote site using a tunnel originating on the host, with no involvement from intermediate network nodes. The tunnel mechanism chosen can be IPSec or L2TP. There is considerable overhead with such a protocol stack, particularly when IPSec is also needed. The overhead consists of both extra headers in the data plane and extra control protocols needed in the control plane.

                         Figure 3.4: Voluntary Tunnel (VPDN)


3.4. Virtual Private LAN Segment (VPLS)

A Virtual Private LAN Segment (VPLS) is the emulation of a LAN segment using Internet facilities. VPLS can be used to provide Transparent LAN Service (TLS). Topologically and operationally a VPLS is similar to a VPRN, except that each VPLS edge node implements link layer bridging rather than network layer forwarding.

                        Figure 3.5: Virtual Private Lan Segment (VPLS)


3.5. Branch office connection network (Intranet VPN)

The branch office scenario securely connects two trusted intranets within the organization. Routers or firewalls with VPN capabilities, acting as gateways for the office, can be used to protect the corporate traffic. They provide the necessary data authentication and encryption.

3.6. Business partner/supplier network (Extranet VPN)

In this scenario, multiple supplier intranets need to access a common corporate network over the Internet. Each supplier is allowed access to only a limited set of destinations within the corporate network. The VPN must be constructed to guarantee that no traffic from a supplier will be visible to any other supplier or to any system other than its intended destination.

                    Figure 3.7: Extranet VPN


Design Considerations

The clients have to support the IPSec protocols.

Client addresses are dynamic, hence dynamic tunnel establishment is needed. Manual tunnels are possible only in the case of fixed remote client IP addresses.

Dial-in traffic that cannot be authenticated will be rejected by the firewall.

3.7. Remote access network (Access VPN)

A remote user wants to be able to communicate securely and cost-effectively with his corporate intranet. This can be done by use of an IPSec-enabled VPN remote client and a firewall (or gateway). The client accesses the Internet via dial-up to an ISP, and then establishes an authenticated and encrypted tunnel between itself and the firewall at the intranet boundary.

                    Figure 3.8: Access VPN


4. TUNNELING:

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.

Tunneling requires three different protocols:

Carrier protocol: the protocol used by the network that the information is traveling over.

Encapsulating protocol: the protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data.

Passenger protocol: the original data (IPX, NetBEUI, IP) being carried.

Tunneling has amazing implications for VPNs. For example, you can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or you could put a packet that uses a private (non-routable) IP address inside a packet that uses a globally unique IP address to extend a private network over the Internet.

                           In a Site-to-Site VPN, GRE (Generic Routing Encapsulation) is
            normally the encapsulating protocol that provides the framework for how to package the
            passenger protocol for transport over the carrier protocol, which is typically IP-based.
            This includes information on what type of packet you are encapsulating and information
            about the connection between the client and server. Instead of GRE, IPSec in Tunnel
            Mode is sometimes used as the encapsulating protocol. IPSec works well on both
            Remote-Access and Site-to-Site VPNs. IPSec must be supported at both tunnel interfaces
            to be used.
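            The carrier / encapsulating / passenger split above is easiest to see in bytes. The
            following Python is an added example (not code from this document or from any vendor):
            it builds an outer IPv4 header (carrier), a GRE header (encapsulating, RFC 2784 with the
            RFC 2890 key field), and a passenger packet, then peels the layers apart again. The
            addresses, payloads and the key value are constructed for illustration; the GRE protocol
            type 0x880B is the one PPTP uses for PPP frames, so the same decoder shows how a PPTP
            data packet differs from plain IP-in-GRE.

```python
"""Added example: GRE tunneling taken apart layer by layer.

The outer IPv4 header is the carrier protocol, the GRE header is the
encapsulating protocol and the packet inside is the passenger protocol.
All addresses and payloads below are constructed for illustration."""
import struct

IPPROTO_GRE = 47           # IP protocol number of GRE in the outer (carrier) header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 passenger packet
ETHERTYPE_PPP = 0x880B     # GRE protocol type PPTP uses for its PPP passenger frames


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, ttl, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(data: bytes):
    """Return (header fields, payload) or raise if the header is not sane."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl or ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header length or checksum")
    total_len = struct.unpack("!H", data[2:4])[0]
    fields = {"src": ".".join(str(b) for b in data[12:16]),
              "dst": ".".join(str(b) for b in data[16:20]),
              "proto": data[9], "total_len": total_len}
    return fields, data[ihl:total_len]


def gre_encapsulate(carrier_src, carrier_dst, passenger, proto_type=ETHERTYPE_IPV4, key=None):
    """Wrap passenger bytes in a GRE header (key field included when key is
    given) and then in an outer IPv4 carrier header."""
    flags = 0x2000 if key is not None else 0          # K bit: key present
    gre = struct.pack("!HH", flags, proto_type)
    if key is not None:
        gre += struct.pack("!I", key)
    return build_ipv4(carrier_src, carrier_dst, IPPROTO_GRE, gre + passenger)


def gre_decapsulate(packet: bytes) -> dict:
    """Peel the three layers apart and report what was found at each one."""
    carrier, payload = parse_ipv4(packet)
    if carrier["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (IP protocol %d)" % carrier["proto"])
    flags, proto_type = struct.unpack("!HH", payload[:4])
    version = flags & 0x0007
    offset, optional = 4, {}
    if flags & 0x8000:                                  # C: checksum + reserved1
        optional["checksum"] = struct.unpack("!H", payload[offset:offset + 2])[0]
        offset += 4
    if flags & 0x2000:                                  # K: key (PPTP carries its call ID here)
        optional["key"] = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    if flags & 0x1000:                                  # S: sequence number
        optional["seq"] = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    if version == 1 and flags & 0x0080:                 # A: acknowledgment (PPTP enhanced GRE)
        optional["ack"] = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    passenger = payload[offset:]
    result = {"carrier": carrier, "gre_version": version, "gre_proto_type": proto_type,
              "gre_optional": optional, "passenger": passenger}
    if proto_type == ETHERTYPE_IPV4:                    # IP-in-IP: decode the private packet too
        result["inner"] = parse_ipv4(passenger)[0]
    return result


if __name__ == "__main__":
    private = build_ipv4("10.0.0.1", "10.0.0.2", 17, b"hello")          # passenger (private addresses)
    tunnel = gre_encapsulate("203.0.113.1", "198.51.100.2", private)    # carrier (public addresses)
    print(gre_decapsulate(tunnel))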

                            In a Remote-Access VPN, tunneling normally takes place using PPP. Part
            of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over
            the network between the host computer and a remote system. Remote-Access VPN
            tunneling relies on PPP.

                  Each of the protocols listed below was built using the basic structure of PPP
            and is used by Remote-Access VPNs.

                     L2F (Layer 2 Forwarding): Developed by Cisco, L2F will use any
            authentication scheme supported by PPP.

                    PPTP (Point-to-Point Tunneling Protocol): PPTP was created by the PPTP
            Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI
            Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication
            scheme supported by PPP.

                      L2TP (Layer 2 Tunneling Protocol): The most recent addition, L2TP is the
            product of a partnership between the members of the PPTP Forum, Cisco and the IETF
            (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP
            also fully supports IPSec.

                        L2TP can be used as a tunneling protocol for Site-to-Site VPNs as well as
            Remote-Access VPNs. In fact, L2TP can create a tunnel between:

                             Client and Router
                             NAS and Router

                              Router and Router

               The truck is the carrier protocol, the box is the encapsulating protocol and
               the computer is the passenger protocol.

                           Think of tunneling like having a computer delivered to you by UPS. The
            vendor packs the computer (passenger protocol) into a box (encapsulating protocol),
            which is then put on a UPS truck (carrier protocol) at the vendor's warehouse (entry
            tunnel interface). The truck (carrier protocol) travels over the highways (Internet) to your
            home (exit tunnel interface) and delivers the computer. You open the box (encapsulating
            protocol) and remove the computer (passenger protocol). Tunneling is just that simple!

                         As you can see, VPNs are a great way for a company to keep its
            employees and partners connected no matter where they are.

                    5. TUNNELING PROTOCOLS:

                    5.1. Motive of protocols:

                                   Four different protocols have been suggested for creating VPNs
            over the Internet: point-to-point tunneling protocol (PPTP), layer-2 forwarding (L2F),
            layer-2 tunneling protocol (L2TP), and IP security protocol (IPSec).

                                    One reason for the number of protocols is that, for some
            companies, a VPN is a substitute for remote-access servers, allowing mobile users and
            branch offices to dial into the protected corporate network via their local ISP. For others,
            a VPN may consist of traffic traveling in secure tunnels over the Internet between
            protected LANs. The protocols that have been developed for VPNs reflect this
            dichotomy. PPTP, L2F, and L2TP are largely aimed at dial-up VPNs, while IPSec's main
            focus has been LAN-to-LAN solutions.


                                    One of the first protocols deployed for VPNs was PPTP. It has been a
            widely deployed solution for dial-in VPNs since Microsoft included support for it in
            RRAS for Windows NT Server 4.0 and offered a PPTP client in a service pack for
            Windows 95. Microsoft's inclusion of a PPTP client in Windows 98 practically ensures
            its continued use for the next few years, although it is not likely that PPTP will become a
            formal standard endorsed by any of the standards bodies (like the Internet Engineering
            Task Force [IETF]).

                                   The most commonly used protocol for remote access to the
            Internet is point-to-point protocol (PPP). PPTP builds on the functionality of PPP to
            provide remote access that can be tunneled through the Internet to a destination site. As
            currently implemented, PPTP encapsulates PPP packets using a modified version of the
            generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of
            handling protocols other than IP, such as Internet packet exchange (IPX) and network
            basic input/output system extended user interface (NetBEUI).

                                   Because of its dependence on PPP, PPTP relies on the
            authentication mechanisms within PPP, namely password authentication protocol (PAP)
            and CHAP. Because there is a strong tie between PPTP and Windows NT, an enhanced
            version of CHAP, MS–CHAP, is also used, which utilizes information within NT
            domains for security. Similarly, PPTP can use PPP to encrypt data, but Microsoft has also
            incorporated a stronger encryption method called Microsoft point-to-point encryption
            (MPPE) for use with PPTP.

                                   Aside from the relative simplicity of client support for PPTP, one
            of the protocol's main advantages is that PPTP is designed to run at open systems
            interconnection (OSI) Layer 2, or the link layer, as opposed to IPSec, which runs at Layer
            3. By supporting data communications at Layer 2, PPTP can transmit protocols other than
            IP over its tunnels. PPTP does have some limitations. For example, it does not provide
            strong encryption for protecting data nor does it support any token-based methods for
            authenticating users.

                    5.3. IPSec Design Goals and Overview

                                  IPSec provides integrity protection, authentication, and (optional)
            privacy and replay protection services for IP traffic. IPSec packets are of two types:

                                  • IP protocol 50, called the Encapsulating Security Payload (ESP)
                                    format, which provides privacy, authenticity, and integrity.
                                  • IP protocol 51, called the Authentication Header (AH) format,
                                    which only provides integrity and authenticity for packets, but
                                    not privacy.

                                  IPSec can be used in two modes: transport mode, which secures an
            existing IP packet from source to destination, and tunnel mode, which puts an existing IP
            packet inside a new IP packet that is sent to a tunnel end point in the IPSec format. Both
            transport and tunnel mode can be encapsulated in ESP or AH headers.

                                  IPSec transport mode was designed to provide security for IP
            traffic end-to-end between two communicating systems, for example to secure a TCP
            connection or a UDP datagram. IPSec tunnel mode was designed primarily for network
            midpoints, routers, or gateways, to secure other IP traffic inside an IPSec tunnel that
            connects one private IP network to another private IP network over a public or untrusted
            IP network (for example, the Internet). In both cases, a complex security negotiation is
            performed between the two computers through the Internet Key Exchange (IKE),
            normally using PKI certificates for mutual authentication.
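            Two of the services named above, the ESP/AH distinction by IP protocol number and replay
            protection, can be shown in a few dozen lines. The Python below is an added example, not
            code from this document or from any IPSec implementation: it decodes the fixed leading
            fields of an ESP (protocol 50) or AH (protocol 51) header, and keeps the per-SA sliding
            window that rejects replayed or stale sequence numbers. SPIs, sequence numbers, the ICV
            bytes and payloads are constructed; the `icv_ok` hook stands in for the integrity check a
            real receiver performs between the window check and the window update.

```python
"""Added example: telling ESP from AH by IP protocol number, and the
anti-replay sliding window behind IPSec's replay protection.
SPIs, sequence numbers and payloads are constructed for illustration."""
import struct

IPPROTO_ESP = 50   # Encapsulating Security Payload: privacy + authenticity + integrity
IPPROTO_AH = 51    # Authentication Header: authenticity + integrity only


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header as seen on the wire: SPI(4) Sequence(4) then the (encrypted) payload."""
    return struct.pack("!II", spi, seq) + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes, payload: bytes) -> bytes:
    """AH header: NextHeader(1) PayloadLen(1) Reserved(2) SPI(4) Sequence(4) ICV(variable)."""
    payload_len = (12 + len(icv)) // 4 - 2          # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv + payload


def parse_ipsec_header(proto: int, data: bytes) -> dict:
    """Decode the fixed leading fields of an ESP or AH header."""
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", data[:8])
        return {"type": "ESP", "spi": spi, "seq": seq, "payload": data[8:]}
    if proto == IPPROTO_AH:
        next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
        ah_len = (payload_len + 2) * 4
        return {"type": "AH", "next_header": next_hdr, "spi": spi, "seq": seq,
                "icv": data[12:ah_len], "payload": data[ah_len:]}
    raise ValueError("IP protocol %d is neither ESP nor AH" % proto)


class AntiReplayWindow:
    """Sliding window of received sequence numbers for one inbound SA.

    Bit i of `bitmap` is set when sequence number (highest - i) has been seen.
    A packet is rejected if it is a duplicate or older than the window.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0     # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Would this sequence number be accepted? (does not change state)"""
        if seq == 0:
            return False                              # first valid sequence number is 1
        if seq > self.highest:
            return True                               # right of the window: new packet
        diff = self.highest - seq
        if diff >= self.size:
            return False                              # left of the window: too old
        return not (self.bitmap & (1 << diff))        # inside the window: reject duplicates

    def update(self, seq: int) -> None:
        """Record an accepted sequence number, sliding the window if needed."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process_inbound(windows: dict, proto: int, data: bytes, icv_ok=lambda hdr: True):
    """Look up (or create) the window for the packet's SA, check the sequence number,
    verify integrity (hypothetical `icv_ok` hook), then update the window.
    Returns (decoded header, accepted?)."""
    hdr = parse_ipsec_header(proto, data)
    window = windows.setdefault((hdr["type"], hdr["spi"]), AntiReplayWindow())
    if not window.check(hdr["seq"]) or not icv_ok(hdr):
        return hdr, False
    window.update(hdr["seq"])
    return hdr, True
```

            The order in `process_inbound` matters: the window is consulted before the integrity
            check so that replayed packets are dropped cheaply, but it is only updated after the
            check passes, so an attacker cannot advance the window with forged sequence numbers.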

                                   The IETF RFC IPSec tunnel protocol specifications did not include
            mechanisms suitable for remote access VPN clients. Omitted features include user
            authentication options or client IP address configuration. To use IPSec tunnel mode for
            remote access, some vendors chose to extend the protocol in proprietary ways to solve
            these issues. While a few of these extensions are documented as Internet drafts, they lack
            standards status and are not generally interoperable. As a result, customers must seriously
            consider whether such implementations offer suitable multi-vendor interoperability.

                    5.4. L2TP Design Goals and Overview

                                  L2TP is a mature IETF standards track protocol that has been
            widely implemented. L2TP encapsulates Point-to-Point Protocol (PPP) frames to be sent
            over IP, X.25, frame relay, or asynchronous transfer mode (ATM) networks. When
            configured to use IP as its transport, L2TP can be used as a VPN tunneling protocol over
            the Internet. L2TP over IP uses UDP port 1701 and includes a series of L2TP control
            messages for tunnel maintenance. L2TP also uses UDP to send L2TP-encapsulated PPP
            frames as the tunneled data. The encapsulated PPP frames can be encrypted or
            compressed. When L2TP tunnels appear as IP packets, they take advantage of standard
            IPSec security using IPSec transport mode for strong integrity, replay, authenticity, and
            privacy protection. L2TP was specifically designed for client connections to network
            access servers, as well as for gateway-to-gateway connections. Through its use of PPP,
            L2TP gains multi-protocol support for protocols such as IPX and AppleTalk. PPP also
            provides a wide range of user authentication options, including CHAP, MS-CHAP, MS-
            CHAPv2 and Extensible Authentication Protocol (EAP) that supports token card and
            smart card authentication mechanisms. L2TP/IPSec therefore provides well-defined and
            interoperable tunneling, with the strong and interoperable security of IPSec. It is a good
            solution for secure remote access and secure gateway-to-gateway connections.
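            The L2TP framing described here (UDP port 1701, control messages for tunnel
            maintenance, data messages carrying PPP frames) is compact enough to decode by hand. The
            following Python is an added example, not code from this document or from any L2TP
            implementation: it parses the RFC 2661 header, enforces the flag rules that separate
            control from data messages, and decodes the Attribute-Value Pairs of a control message
            far enough to name its message type. Tunnel IDs, session IDs, the host name and the PPP
            bytes are constructed for illustration.

```python
"""Added example: decoding the L2TP (RFC 2661) header carried in UDP port 1701,
separating control messages (tunnel maintenance) from data messages
(tunneled PPP frames). Tunnel/session IDs and payloads are constructed."""
import struct

L2TP_UDP_PORT = 1701
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
                 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
# flag bits of the first 16-bit word: Type, Length present, Sequence present, Offset, Priority
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100


def parse_avps(body: bytes) -> list:
    """AVP layout: M(1) H(1) rsvd(4) Length(10) | Vendor ID(16) | Attribute Type(16) | Value."""
    avps = []
    while body:
        if len(body) < 6:
            raise ValueError("truncated AVP")
        hdr, vendor, attr = struct.unpack("!HHH", body[:6])
        length = hdr & 0x03FF
        if length < 6 or length > len(body):
            raise ValueError("bad AVP length %d" % length)
        avps.append({"mandatory": bool(hdr & 0x8000), "hidden": bool(hdr & 0x4000),
                     "vendor": vendor, "type": attr, "value": body[6:length]})
        body = body[length:]
    return avps


def parse_l2tp(data: bytes) -> dict:
    """Decode the L2TP header; control messages get their AVPs decoded as well."""
    bits = struct.unpack("!H", data[:2])[0]
    if (bits & 0x000F) != 2:
        raise ValueError("not L2TPv2 (version %d)" % (bits & 0x000F))
    is_control = bool(bits & T_BIT)
    # RFC 2661: control messages MUST set L and S and MUST clear O and P
    if is_control and (not bits & L_BIT or not bits & S_BIT or bits & (O_BIT | P_BIT)):
        raise ValueError("control message must set L and S and clear O and P")
    msg, off = {"control": is_control}, 2
    if bits & L_BIT:
        msg["length"] = struct.unpack("!H", data[off:off + 2])[0]
        off += 2
        if msg["length"] > len(data):
            raise ValueError("length field exceeds datagram")
    msg["tunnel_id"], msg["session_id"] = struct.unpack("!HH", data[off:off + 4])
    off += 4
    if bits & S_BIT:
        msg["ns"], msg["nr"] = struct.unpack("!HH", data[off:off + 4])
        off += 4
    if bits & O_BIT:
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]   # skip Offset Size and pad
    body = data[off:msg.get("length", len(data))]
    if is_control:
        msg["avps"] = parse_avps(body)
        for avp in msg["avps"]:
            if avp["vendor"] == 0 and avp["type"] == 0:          # Message Type AVP
                code = struct.unpack("!H", avp["value"])[0]
                msg["message_type"] = MESSAGE_TYPES.get(code, "unknown(%d)" % code)
        if "message_type" not in msg:
            msg["message_type"] = "ZLB"                          # zero-length body: ack only
    else:
        msg["ppp_frame"] = body
    return msg


def build_avp(attr: int, value: bytes, mandatory: bool = True, vendor: int = 0) -> bytes:
    hdr = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", hdr, vendor, attr) + value


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: list) -> bytes:
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Minimal data message: T=0, no length field, no sequence numbers."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame
```

            Note that `parse_l2tp` only frames the PPP payload; the confidentiality and integrity
            the text attributes to L2TP/IPSec come from the IPSec transport-mode layer underneath,
            which this decoder never sees.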

                    5.5. PPTP Design Goals and Overview

                                  PPTP was designed to provide authenticated and encrypted
            communications between a client and a gateway or between two gateways—without
            requiring a public key infrastructure—by using a user ID and password. It was first
            delivered in 1996, two years before the availability of IPSec and L2TP. The design goal
            was simplicity, multiprotocol support, and ability to traverse a broad range of IP
            networks. The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for
            tunnel maintenance and Generic Routing Encapsulation (GRE) encapsulated PPP frames
            for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or
            compressed. The use of PPP provides the ability to negotiate authentication, encryption,
            and IP address assignment services.

                                   Table 1 summarizes some of the key technical differences between
            these three security protocols.

                                  Table 1 Network Security Protocol Differences

            Feature                       Description                                                P/ PPP   P/ PP
            User Authentication           Can authenticate the user that is initiating the                    Yes
                                          communications.
            Machine Authentication        Authenticates the machines involved in the                          Yes2
            NAT Capable                   Can pass through Network Address Translators to hide                Yes
                                          one or both end-points of the communications.
            Multiprotocol Support         Defines a standard method for carrying IP and non-IP                Yes
                                          traffic.
            Dynamic Tunnel IP Address     Defines a standard way to negotiate an IP address for               Yes
            Assignment                    the tunneled part of the communications. Important so
                                          that returned packets are routed back through the same
                                          session rather than through a non-tunneled and
                                          unsecured path and to eliminate static, manual
                                          end-system
            Encryption                    Can encrypt traffic it carries.                                     Yes
            Uses PKI                      Can use PKI to implement encryption and/or                          Yes
            Packet Authenticity           Provides an authenticity method to ensure packet                    No
                                          content is not changed in
            Multicast support             Can carry IP multicast traffic in addition to IP unicast            Yes
                                          traffic.

                    5.6. Microsoft Support for IPSec, L2TP, and PPTP


                                  The Microsoft Windows 2000 operating system simplifies
            deployment and management of network security with Windows IP Security, a robust
            implementation of IPSec. IPSec protocol is an integral part of the TCP/IP protocol stack.
            Microsoft and Cisco Systems, Inc., have jointly developed IPSec and related services in
            Windows 2000. Interoperability is tested with Cisco and a number of other vendors for
            each of the examples below.

                                    Using IPSec, you can provide privacy, integrity and authenticity
            for network traffic in the following situations.

                                  • End-to-end security for IP unicast traffic, from client-to-server,
                                    server-to-server and client-to-client using IPSec transport mode.
                                  • Remote access VPN client and gateway functions using L2TP secured
                                    by IPSec transport mode.
                                  • Site-to-Site VPN connections, across outsourced private WAN or
                                    Internet-based connections using L2TP/IPSec or IPSec tunnel mode.

                                  Windows IP Security builds upon the IETF IPSec architecture by
            integrating with Windows 2000 domains and the Active Directory service. Active
            Directory delivers policy-based, directory-enabled networking. IPSec policy is assigned
            and distributed to Windows 2000 domain members through Windows 2000 Group
            Policy. Local policy configuration is provided, so membership in a domain is not

                                  An automatic security negotiation and key management service is
            also provided using the IETF-defined Internet Key Exchange (IKE) protocol, RFC 2409.
            The implementation of IKE provides three authentication methods to establish trust
            between computers:

                                   • Kerberos v5.0 authentication is provided by the Windows 2000
                                     domain that serves as a Kerberos version 5.0 Key Distribution
                                     Center (KDC). This provides easy deployment of secure
                                     communications between Windows 2000 computers that are members
                                     in a domain or across trusted domains. IKE only uses the
                                     authentication properties of Kerberos, as documented in
                                     draft-ietf-ipsec-isakmp-gss-auth-02.txt. Key generation for
                                     IPSec security associations is done using IKE RFC2409 methods.
                                   • Public/Private key signatures using certificates are compatible
                                     with several certificate systems, including Microsoft, Entrust,
                                     Verisign, and Netscape. This is part of RFC 2409.
                                   • Passwords, termed pre-shared authentication keys, are used
                                     strictly for establishing trust between computers. This is part
                                     of RFC 2409.

                                    Once configured with an IPSec policy, peer computers negotiate
            using IKE to establish a main security association for all traffic between the two
            computers. This involves authenticating using one of the methods above and generating a
            shared master key. The systems then use IKE to negotiate another security association for
            the application traffic they are trying to protect at the moment. This involves generating
            shared session keys. Only the two computers know both sets of keys. The data exchanged
            using the security association is very well-protected against modification or interpretation
            by attackers who may be in the network. The keys are automatically refreshed according
            to IPSec policy settings to provide constant protection according to the administrator
            defined policy.

                                  For customers familiar with technical details of IPSec, Windows
            2000 supports DES (56-bit key strength) and 3DES (168-bit key strength) encryption
            algorithms, and SHA-1 and MD5 integrity algorithms. These algorithms are supported in
            all combinations in the ESP format. Because the AH format provides only integrity and
            authenticity, only MD5 and SHA-1 are used.


                                   Windows 2000 includes L2TP support when used with IPSec for
            client-to-gateway and gateway-to-gateway configurations. In these configurations, all
            traffic from the client to a gateway, and all traffic between two gateways is encrypted.
            This implementation has been tested with a variety of other vendor implementations of


                                   Windows 2000 includes PPTP support for client-to-gateway and
            gateway-to-gateway configurations. This implementation is consistent with the PPTP
            services available for the Microsoft Windows NT® Server, Windows NT Workstation,
            Windows 98, and Windows 95 operating systems. Customers can take advantage of their
            existing investment in Windows operating system–based platforms by using PPTP.
            Windows 2000-based systems can interoperate with Windows NT–based PPTP servers,
            and today's Windows–based systems interoperate with Windows 2000–based PPTP
            servers. In addition to password-based authentication, Windows 2000 PPTP can support
            public key authentication through the Extensible Authentication Protocol (EAP).

                    5.7. Remote Access Policy Management

                                   Another dimension of security policy management that goes
            beyond encryption policy is access policy. In client-to-gateway and gateway-to-gateway
            situations, Windows 2000 provides a rich set of administrative policies that can be
            implemented to control user access through direct-dial, PPTP, and L2TP/IPSec
            connections. These access policies allow administrators to grant or deny access based
            upon a combination of user ID, time-of-day, protocol port, encryption level, and more.
            While available natively within a Windows 2000 Active Directory environment, these
            access policies can also be enforced on non-Windows 2000 environments through the use
            of RADIUS. For example, an existing Windows NT–based PPTP server can be
            configured to use a Windows 2000 Server to authenticate users through RADIUS. When
            used in this way, the Windows 2000 Server can be configured to enforce access policies
            and apply them to the Windows NT–based PPTP server. This is an example of how
            Windows 2000 can simplify and strengthen central administration during a transition to
            Windows 2000, and demonstrates one of the many benefits of using Windows 2000 for
            authentication in heterogeneous environments.

                    5.8. Client Management

                                    As previously mentioned for IPSec, Active Directory is used to
            define and control IPSec policy. Installation of the PPTP, L2TP, and IPSec protocols is
            inherent in the installation of Windows 2000. Client configuration of these protocols for
            client-to-gateway scenarios can be accomplished in two ways:

                                  • On end systems, a New Connections wizard prompts the user through
                                    a simple set of screens to configure the connection.
                                  • In larger scale installations, the Connection Manager
                                    Administration Kit and Connection Point Services can be used
                                    together to deliver a customized remote access direct-dial and
                                    VPN client to corporate systems.

                                  With these tools the administrator can provide the client with a
            specially configured profile that:

                                  • Brands the dialer consistent with corporate remote access
                                    programs.
                                  • Integrates customized help files and corporate remote access use
                                    licenses.
                                  • Integrates applications and other tools for automatic launch at
                                    various stages of the connection process.
                                  • Administers a central phonebook of remote access numbers.
                                  • Contracts with Internet Service Providers (ISPs) for management
                                    of point-of-presence (POP) phone
                                  • Configures clients to automatically update, and collates
                                    phonebooks from the ISP and the corporate phonebook servers.

                                  The resulting profile can be distributed centrally to clients through
            Microsoft System Management Services, Web downloads, file transfers, e-mail, floppy
            disks, or CDs. This lets administrators centrally manage clients while users get a single
            interface that:

                                  • Connects, regardless of type of protocol or connection (direct
                                    dial or VPN protocol).
                                  • Hides the complexity of the connection process (single click
                                    access).
                                  • Provides single sign-on using company user IDs (no separate ISP
                                    account required).

                                 Based on customer feedback, Microsoft considers this to be one of
            the most important components for deploying VPN services.

                    6. SECURITY OF VPN:

                          The key word in "virtual private networks" is private. The last thing a
            business wants is to have sensitive corporate information end up in the hands of some
            pubescent hacker, or worse, the competition. Fortunately, VPNs are widely considered
            extremely secure, despite using public networks.

                           In order to authenticate the VPN's users, a firewall will be necessary.
            While in the past, firewalls have been a major source of headaches for network
            administrators, the new generation of firewalls is far simpler to create and maintain.
            Nowadays, there is a wide variety of hassle-free, prepackaged appliances to keep
            unwanted packets out of the network. Many "black box" security systems also include
            some sort of encryption system, although some VPNs do not.

                            Firewall products for VPNs, such as NetScreen, WatchGuard, or
            NetFortress are often relatively simple, plug-and-play solutions for network security. The
            system can be connected to as many LANs as needed, keys are exchanged between the
            two units, and the VPN is complete. However, these solutions can come at a substantial
            cost, and the right choice will depend on the unique networking and security needs of the
            company or companies using the network. Generally, if you already own the appropriate
            equipment and Internet connection, an out-of-the-box solution is not necessary.

                           All VPNs require configuration of an access device, either software- or
            hardware-based, to set up a secure channel. A random user cannot simply log in to a
            VPN, as some information is needed to allow a remote user access to the network, or to
            even begin a VPN handshake. When used in conjunction with strong authentication,
            VPNs can prevent intruders from successfully authenticating to the network, even if they
            were able to somehow capture a VPN session.

                            Most VPNs use IPSec technologies, the evolving framework of protocols
            that has become the standard for most vendors. IPSec is useful because it is compatible
            with most different VPN hardware and software, and is the most popular for networks
            with remote access clients. IPSec requires very little knowledge for clients, because the
            authentication is not user-based, which means a token (such as SecurID or CryptoCard)
            is not used. Instead, the security comes from the workstation's IP address or its certificate,
            establishing the user's identity and ensuring the integrity of the network. An IPSec tunnel
            basically acts as the network layer protecting all the data packets that pass through,
            regardless of the application.

                            Depending on the solution used, it is possible to control the type of traffic
            sent over a VPN solution. Many devices allow the administrator to define group-based
            filters, which control the IP addresses and protocol/port services allowed through the
            tunnel. IPSec-based VPNs also allow the administrator to define a list of specific networks
            and applications to which traffic can be passed.
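            What such a group-based tunnel filter actually decides is easy to make concrete. The
            Python below is an added example, not code from this document or from any vendor's
            product: it evaluates an ordered rule list (group, destination network, protocol, port
            range, action) for traffic arriving through the tunnel, first match wins, and anything not
            explicitly allowed falls back to a default deny. The group names, networks and rules are
            constructed for illustration.

```python
"""Added example: a group-based filter for traffic arriving through a VPN tunnel.
The policy decides which destination networks and protocol/port services each
user group may reach; the groups, networks and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    group: str
    dst_net: str           # destination network the rule applies to (CIDR)
    proto: str             # "tcp", "udp", "icmp" or "any"
    ports: tuple           # (low, high) inclusive, or () when the protocol has no port
    action: str            # "allow" or "deny"


# Constructed policy: contractors reach one web server only, staff get a little more.
POLICY = [
    Rule("contractors", "10.20.30.0/24", "tcp", (443, 443), "allow"),
    Rule("contractors", "10.0.0.0/8", "any", (), "deny"),
    Rule("staff", "10.0.0.0/8", "tcp", (22, 22), "allow"),
    Rule("staff", "10.0.0.0/8", "tcp", (80, 443), "allow"),
    Rule("staff", "10.50.0.0/16", "udp", (53, 53), "allow"),
]
DEFAULT_ACTION = "deny"    # whatever no rule explicitly allows stays outside the tunnel


def rule_matches(rule: Rule, dst: str, proto: str, port) -> bool:
    """Does this rule apply to a packet with the given destination, protocol and port?"""
    if ip_address(dst) not in ip_network(rule.dst_net):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports:
        if port is None:
            return False
        low, high = rule.ports
        if not low <= port <= high:
            return False
    return True


def evaluate(group: str, dst: str, proto: str, port=None, policy=POLICY):
    """First matching rule (in list order) wins; otherwise DEFAULT_ACTION.
    Returns (action, matching rule or None)."""
    for rule in policy:
        if rule.group == group and rule_matches(rule, dst, proto, port):
            return rule.action, rule
    return DEFAULT_ACTION, None


def filter_packets(packets: list, policy=POLICY) -> list:
    """Apply the policy to a batch of decoded tunnel packets; returns (packet, action) pairs."""
    return [(p, evaluate(p["group"], p["dst"], p["proto"], p.get("port"), policy)[0])
            for p in packets]


if __name__ == "__main__":
    sample = [  # constructed packets as they might be decoded after decapsulation
        {"group": "contractors", "dst": "10.20.30.5", "proto": "tcp", "port": 443},
        {"group": "contractors", "dst": "10.20.30.5", "proto": "tcp", "port": 22},
        {"group": "staff", "dst": "10.7.7.7", "proto": "tcp", "port": 8080},
    ]
    for packet, action in filter_packets(sample):
        print(action, packet)
```

            Rule order is the usual trap with first-match policies: swapping the two contractor
            rules would make the broad deny shadow the narrow allow, which is why such a filter is
            worth checking with a few concrete packets before it is pushed to the gateway.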

                           One downside to IPSec-compliant products is that they provide access
            control over the network and transport layers only, and not a great deal of measures to
            selectively regulate access to individual resources within these hosts. If customers are
            given access to particular company information on a server, for instance, highly selective
            controls are needed to make sure they access only the information they've been
            authorized to see.

                           This type of selective or unidirectional access, within a VPN is available
            in some non-IPSec solutions, such as Aventail's SOCKS 5 server. In a unidirectional
            connection, a two-way trusted relationship is not assumed as it is with tunneled VPNs.
            With this model, if there is some kind of breach in security, only the destination network
            is affected. SOCKS 5 is also able to handle virtually any authentication and encryption

Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F) are also available, and although only a handful of firewall vendors support these security protocols, they are part of the reason why there is no current universally accepted standard. Although VPN vendors must decide which standard they use, it is the administrators who will eventually decide the outcome of this emerging technology. Because of factors like this, it is all the more important to make a wise, informed decision before purchasing a VPN.

7. VPN H/W & S/W SPECIFICATION:

Depending on the type of VPN (Remote-Access or Site-to-Site), you will need to put in place certain components to build your VPN. These might include:

- Desktop software client for each remote user
- Dedicated hardware such as a VPN Concentrator or Secure PIX Firewall
- Dedicated VPN server for dial-up services

TheDirectData.com                                                                                           Page

- NAS (Network Access Server) used by the service provider for remote user VPN access

VPN Concentrator: Incorporating the most advanced encryption and authentication techniques available, Cisco VPN Concentrators are built specifically for creating a Remote-Access VPN. They provide high availability, high performance and scalability, and include components called Scalable Encryption Processing (SEP) modules that enable users to easily increase capacity and throughput. The Concentrators are offered in models suitable for small businesses with 100 or fewer remote-access users up to large enterprise organizations with up to 10,000 simultaneous remote users.

[Photo courtesy of Cisco Systems, Inc.: The Cisco VPN 3000 Concentrator]

VPN-optimized router: Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation to large-scale enterprise needs.

[Photo courtesy of Cisco Systems, Inc.: The Cisco 1750 Modular Access Router]


Cisco Secure PIX Firewall: An amazing piece of technology, the PIX (Private Internet eXchange) Firewall combines dynamic network address translation, proxy server, packet filtering, firewall and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

[Photo courtesy of Cisco Systems, Inc.: The Cisco PIX Firewall]


8. VPN/VOIP APPLICATION:

Once you’ve set up your VPN network, you can easily save money on interoffice long distance calling by bridging your voice network to your data network with Multi-Tech’s MultiVOIP Voice over IP gateway. MultiVOIP is a point-to-point solution (one box is required at each location) that merges voice/fax from traditional telephones onto an IP data network. It then utilizes another MultiVOIP gateway at the remote end to separate the voice/fax from the data network and send it on to the receiving phone. With MultiVOIP a company can save thousands of dollars on recurring long distance charges.


9. ADVANTAGES OF VPN:

There are a number of reasons to set up a VPN for remote access, but the biggest selling point by far is the potential cost savings.

Using the Internet to distribute network services over long distances means companies no longer have to purchase expensive leased lines to branch or partners' offices, as a VPN connection needs only a relatively short dedicated connection. In an organization experiencing rapid growth, this can make an enormous difference in costs. As an organization adds companies to its network, the number of leased lines required climbs with it exponentially. In a traditional WAN, this can limit the flexibility for growth, whereas VPNs avoid this problem by tapping into an almost universally available

VPNs can further reduce costs by lessening the need for long-distance telephone charges, as clients can gain access by dialing into the nearest service provider's access point. While in some cases this may entail making a long-distance call or using an 800 service, a local call is usually sufficient. This can dramatically cut telecommunications costs for enterprises with many international sites, sometimes in the range of thousands of dollars per person, each month.

A third, more subtle way that VPNs may result in lower expenditures is through reducing the company's support burden. With a VPN, the service provider must support dial-up access instead of the organization using it. Theoretically, a public service provider can charge much less for support, because its cost is shared among a wider customer base.

Finally, VPNs save a company on operational costs for equipment previously used to support remote users. A company using a VPN can get rid of its modem pools, remote-access servers, and other WAN equipment and simply use its existing Internet installation. Many companies employ several links with different functions prior to setting up a VPN.

Companies enjoy the flexibility that comes with VPNs, since they typically do not require long-term contracts, as is the case with most data services. This allows companies to easily switch over to a lower-priced service if they so desire. Companies can usually get a high-speed Internet connection established and configured in a much shorter time than it takes to get a similar data service. In some foreign countries, it can take as long as a year to get a leased line installed. For some industries, such as construction or insurance, this can make a crucial difference in a company's operations and financial health.

VPN technologies are also considered remarkably secure. Since the introduction of IPSec, VPN data protection has become more standardized among service providers. Data that is sent over VPNs is confidential, requiring authorization to be received or replayed. Users can authenticate packets to establish the validity of the information, and the integrity of the data is usually guaranteed.

Companies may also choose to build an extranet application on a VPN, in order to use its access controls and authentication services to deny or grant access to specific information for customers, trading partners or business associates. This can help build customer loyalty, as clients who are given higher levels of access would be less likely to switch to another business partner. The same technology can also be used internally to assign worker populations to segmented groups with different access levels. This solution is simpler and more economical than traditional methods used by IT

A VPN-based extranet may replace a more expensive system, such as electronic data interchange (EDI), which typically necessitates custom software and the use of a value-added network (VAN) provider. Some VANs charge upwards of $6 to $12 (US) per hour of connectivity, much more than ordinary service providers.

10. DISADVANTAGES OF VPN:

With the hype that has surrounded VPNs historically, the potential pitfalls or "weak spots" in the VPN model can be easy to forget.

These four concerns with VPN solutions are often raised:

1. VPNs require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment.

2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of its control.

3. VPN technologies from different vendors may not work well together due to immature

4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the hidden costs of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.

11. CONCLUSION:

VPNs are an effective way to create secure communication channels across the Internet or between sensitive systems within a company’s internal network. With the inclusion of VPN support in Microsoft 2000, Cisco routers, Checkpoint 2000, and a host of other systems, the deployment of VPNs is going to become more commonplace. Without proper security design, these VPNs could add many more unwanted entrances to corporate networks. Use VPNs where appropriate, but ensure that security issues including machine configuration, policy and user security awareness have been considered.
