Virtual Private Networks Globalizing LANs Timothy Hohman.

Presentation transcript:

Virtual Private Networks Globalizing LANs Timothy Hohman

What is A VPN?
► Tell me about it, Microsoft:
   - “A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet.” (Microsoft, 2001)
► It provides LAN access to end systems not physically located on the LAN
► An alternative to WANs (Wide Area Networks), which use leased lines to connect

Image courtesy Cisco Systems, Inc. A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities and individual users connecting from out in the field.

How does it work?
► Data is encrypted (cannot be deciphered without the key)
► Virtual Point to Point Connection
   - To the user, it acts like a point to point connection
► Data is packaged with a header

Benefits of Using VPN
► Expand Globally
► Costs reduced
   - No dedicated lines necessary
► Easier
► Technology is on the end systems, which makes it more scalable
► No single point of failure
► Easier Network Management

Types of VPN
► Two Types:
   - Site to Site VPN
   - Remote Access VPN

Remote Access VPN
► Essentially provides LAN access through dial-up connection
   - Typically done by purchasing a NAS (Network Access Server) with a toll free number
   - Can instead be done through normal ISP connection using the VPN software to make a virtual connection to the LAN

Site to Site VPN
► Connects two LANs over local ISP connections
► Very useful if you need to connect a branch to a main hub (Big business)
► Much less expensive than purchasing one dedicated line between the hub and branch
► Intranet: connects remote locations from one company
► Extranet: connects two companies (partners) into one shared Private Network

Site to Site Connection

Two Ways to “Get it Done”
► Two Tunneling protocols can be used
   - PPTP (Point to Point Tunneling Protocol)
   - L2TP (Layer Two Tunneling Protocol)
   - Tunneling encapsulates frames in an extra header to be passed over the internet appearing as normal frames. The process includes:
      - Encapsulation (adding extra frame), transmission, Decapsulation

Tunneling Protocols
► Both of these protocols support these methods:
   - User Authentication
   - Token Card Support (one time passwords)
   - Dynamic Address Assignment
   - Data Compression
   - Data Encryption
   - Key Management
   - Multi-protocol Support

Tunneling Protocols cont.
► Each is built on PPP (Point to Point Protocol)
   - 4 Phases
      - 1) Link Establishment - a physical link between ends
      - 2) User Authentication – Password protocols used
         - PAP, CHAP, MS-CHAP
      - 3) Call Back Control – optional
         - Disconnects and server calls back after authentication
      - 4) Data Transfer Phase – exactly what it sounds like
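
Phase 2 in practice, as an added example that is not part of the original slides: PAP puts the password on the link in cleartext, while CHAP (RFC 1994, MD5 variant) sends only a hash over a fresh, single-use challenge. The class and function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"  # sample value, not from the slides

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP/MD5: hash of identifier octet + shared secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_request_data(user, password):
    """PAP Authenticate-Request data field: peer ID and password in cleartext."""
    return bytes([len(user)]) + user.encode() + bytes([len(password)]) + password

class ChapAuthenticator:
    """Server side of the authentication phase (hypothetical helper class)."""

    def __init__(self, secrets):
        self.secrets = secrets   # user name -> shared secret
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)   # unpredictable per attempt
        return ident, self.pending[ident]

    def verify(self, user, ident, response):
        challenge = self.pending.pop(ident, None)   # each challenge is valid once
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)

def demo():
    auth = ChapAuthenticator({"alice": SECRET})
    ident, challenge = auth.new_challenge()
    response = chap_response(ident, SECRET, challenge)
    first = auth.verify("alice", ident, response)      # genuine login
    reused = auth.verify("alice", ident, response)     # challenge already consumed
    ident2, _ = auth.new_challenge()
    replayed = auth.verify("alice", ident2, response)  # captured response, new challenge
    cleartext = SECRET in pap_request_data("alice", SECRET)
    return first, reused, replayed, cleartext
```

A captured CHAP response is useless against the next challenge, whereas a captured PAP request contains the password itself.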

Tunneling Protocols cont.
► PPTP
   - Uses IP datagrams for encapsulation
   - Uses TCP for tunnel maintenance
   - Uses encryption and compression
► L2TP
   - Encapsulation in IP, ATM, Frame Relay, X.25
      - IP when going over internet
   - UDP used for tunnel maintenance

Advantages
► PPTP:
   - No certificate infrastructure
   - Can be used on more operating systems
   - Can operate behind NATs
► L2TP:
   - More tools to guarantee packet integrity and data security
   - Requires user and computer certificates
   - PPP authentication is encrypted (takes place after IP security check)

Security
► Many types of Security are offered including:
   - Firewalls
   - Encryption
   - IPSec
   - Certificates
   - AAA servers

Firewalls
► Can be used with VPN if the right technology is set up on the router
   - Cisco 1700 router for example
► Can restrict:
   - The type of data being transferred
   - The number of ports open
   - Which protocols are allowed through

Encryption
► Symmetric Key Encryption (private key)
   - All communicating computers use the same key stored on their computer
► Asymmetric Key Encryption
   - Uses a Private key and a Public Key
      - Private key on local computer
      - Public key sent out to anyone who you want to communicate with
      - Mathematically related through encryption algorithm
      - Both must be used to decrypt anything sent

IPSec
► Made up of two parts
   - Authentication Header
      - Verify data integrity
   - Encapsulating Security Payload
      - Data integrity
      - Data encryption

IPSec continued
► Authentication Header
   - Authentication Data
   - Sequence number
► Encapsulating Security Payload
   - Encrypt data
   - Another layer of integrity and authentication checks
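
How the Authentication Header's two fields work together, as an added example that is not part of the original slides: the authentication data (ICV) is a keyed hash that detects modification, and the sequence number feeds a sliding window that rejects replays. This is a simplified sketch (real AH also covers the immutable fields of the outer IP header); HMAC-SHA1-96 is assumed as the ICV algorithm, and all names, the key and the SPI are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits
WINDOW = 64   # anti-replay window size in packets

def icv_for(key, header, payload):
    # computed with the ICV field itself treated as zero
    return hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, payload):
    """Simplified AH: fixed header, ICV, then the protected payload."""
    # next header 4 (IP-in-IP), payload length 4 (6 words minus 2), reserved 0
    header = struct.pack("!BBHII", 4, 4, 0, spi, seq)
    return header + icv_for(key, header, payload) + payload

class AhReceiver:
    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.highest = 0  # highest sequence number authenticated so far
        self.seen = 0     # bit i set: sequence (highest - i) already accepted

    def accept(self, packet):
        """Return the payload, or None for a forged, replayed or stale packet."""
        if len(packet) < 12 + ICV_LEN:
            return None
        header, icv = packet[:12], packet[12:12 + ICV_LEN]
        payload = packet[12 + ICV_LEN:]
        spi, seq = struct.unpack("!II", header[4:])
        if spi != self.spi or seq == 0 or self.highest - seq >= WINDOW:
            return None  # unknown SA, or older than the window
        if seq <= self.highest and (self.seen >> (self.highest - seq)) & 1:
            return None  # duplicate of a packet already accepted
        if not hmac.compare_digest(icv_for(self.key, header, payload), icv):
            return None  # altered in transit or wrong key
        if seq > self.highest:  # window moves only after the ICV verifies
            shifted = (self.seen << (seq - self.highest)) | 1
            self.seen, self.highest = shifted & ((1 << WINDOW) - 1), seq
        else:
            self.seen |= 1 << (self.highest - seq)
        return payload

def demo():
    key, spi = b"constructed-demo-key", 0x1001  # constructed sample values
    rx = AhReceiver(key, spi)
    p1, p2, p3 = (ah_protect(key, spi, n, b"pkt%d" % n) for n in (1, 2, 3))
    tampered = p2[:-1] + b"X"
    return [rx.accept(p) for p in (p1, p1, p3, tampered, p2)]
```

Because the window is updated only after the ICV verifies, the tampered copy of packet 2 does not block the genuine, late-arriving packet 2.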

Certificates
► Used alongside public keys
   - Contains:
      - Certificate Name
      - Owner of the public key
      - Public key itself
      - Expiration date
      - Certificate authority
   - Verifies that information is coming from the private key
   - Can be distributed on disks, smart cards, or electronically

AAA Servers
► Authentication, Authorization, Accounting
   - These advanced servers ask each user who they are, what they are allowed to do, and what they actually want to do each time they connect
   - This allows the LAN to track usage from dial up connections and closely monitor those remotely connected as they would those physically connected.

How can I get this up and running?
► You need:
   - Software on each end system
      - Windows: PPTP
   - Dedicated hardware (firewalls, routers, etc.)
   - Dedicated VPN server
   - May need NAS

A Hardware Example ► ShHMofEQ

An Example of VPN in Action
► 2001: Cisco's direct-connect company filed for bankruptcy
► Changing over the 9000 employees to different direct-connect companies would be very costly and take 10 times the available staff to pull off

The VPN Solution
► User managed solution based on VPN software
► Users provide own internet connection
► Cisco provided IT support for VPN problems and provided a gateway from the internet to the Cisco network

Benefits of the Change
► Productivity
► Employee Satisfaction
   - Able to work from home, making home work balance easier
► Globalization
► Flexibility
► Easier when letting employees go
   - Ex-employees do not have to have their dedicated line removed, rather they just lose Authentication to AAA server
► Cost, cost, cost

Things to Come
► Expansion
   - China and India
► Faster Upgrades
   - Use of Microsoft installer
► Better encryption
   - Advanced encryption standard
► Better compression
► Voice and Video over VPN

Things to come cont.
► Wireless vendor support
   - Access to employees from anywhere
► PDA support
   - Possible software packages to be used on PDAs
► Hardware for home client
   - As shown in previous clip

References
► Cisco Systems (2004). Cisco VPN Client Brings Flexibility and Cost Reduction to Cisco Remote Access Solution. Retrieved from: rk/pdf/Cisco_IT_Case_Study_VPN_Client_print.pdf
► Jeff Tyson (2007). How Virtual Private Networks Work. Retrieved from:
► Barrel, Matthew D. (2006). Take your network anywhere. PC Magazine, 25(21), p
► Calin, Doru; McGee, Andrew R.; Chandrashekhar, Uma; Prasad, Ramjee (2006). MAGNET: An approach for secure personal networking in beyond 3g wireless networks. Bell Labs Technical Journal, 11(1), pp. 79 – 98.
► Tanner, John C. (2006). Ethernet rides the NGN wave. America’s Network, 110(2), pp