1 © J. Liebeherr, All rights reserved Virtual Private Networks

2 © J. Liebeherr, All rights reserved 10/22/05 Goal of VPN The goal of a Virtual Private Network (VPN) is to provide private communications within the public Internet Infrastructure VPNs apply various networking technologies to achieve the goal The basic concepts: –Build a virtual overlay network that is run on top of the infrastructure of the Internet –“Virtual” means that there is not new infrastructure –Connect private networks by the overlay networks

3 © J. Liebeherr, All rights reserved 10/22/05 Why is there a need for VPN? Internet has insufficient security mechanisms –IP packets are not authenticated or encrypted –Users with access to network can read content of IP traffic Application layer solutions not always suitable –Secure Web access, secure mail clients, secure file transfer, and secure terminal applications are only point-to- point solutions and assume client/server relationship –Application-layer solutions require that each application is protected in isolation  Does not secure networks

4 © J. Liebeherr, All rights reserved 10/22/05 VPN Overlay Network

5 © J. Liebeherr, All rights reserved 10/22/05 Tunneling VPN routers connect via IP tunnels With tunneling, IP packets are encapsulated by another IP header (IP-in-IP encapsulation)

6 © J. Liebeherr, All rights reserved 10/22/05 VPN Security VPNs use many security mechanisms –Authentication: Identify VPN users and devices –Access control: Ensure authorized use of VPN resources –Data security: Use cryptography to obscure content transmitted over VPN

7 © J. Liebeherr, All rights reserved 10/22/05 Components of a VPN Solution VPN Gateway: Located at the corporate network perimeter, the gateway performs tunneling, authentication, access control, and data security. Sometimes, VPN gateway functions can be integrated in to a router or firewall VPN Client: Software used for remote VPN access Creates a secure path from a remote client computer to a VPN gateway

8 © J. Liebeherr, All rights reserved 10/22/05 VPN Architectures VPN architectures can be separated into three scenarios: 1.Site-to-Site Intranet VPN: –Multiple network sites at different locations within the same organization are connected using a VPN to form a larger corporate network 2.Remote Access VPN: –Connect a single remote device to a corporate intranetwork 3.Extranet VPN: –Network resources within a corporate nework are oppend for access for dedicated purposes

9 © J. Liebeherr, All rights reserved 10/22/05 Site-to-Site Intranet VPN VPN tunnels establish secure communication links

10 © J. Liebeherr, All rights reserved 10/22/05 Remote Access VPN Also called: Virtual Private Dial Network (VPDN)

11 © J. Liebeherr, All rights reserved 10/22/05 Extranet VPN

12 © J. Liebeherr, All rights reserved 10/22/05 VPN Tunneling Protocols Role of VPN tunnels: 1.Encapsulation of messages 2.Privately address packets through public infrastructure 3.Provide data integrity and confidentiality –Layer-2 tunneling protocols carry Point-to-Point (PPP) frames through IP networks –PPP: –PPP is used to send IP packets over serial connections –Used extensively for point-to-point data links (dial-in) –Can provide authentication PPP frame

13 © J. Liebeherr, All rights reserved 10/22/05 Layer-2 Tunneling Protocol Developed to facilitate PPP access by remote computers to a private network over an IP-based network Remote Dial-in: Remote Access Service (RAS) provides banks of phone lines for connecting remote users Remote system calls up and establishes PPP connection to RAS service With Layer-2 tunneling: Approach: Tunnel PPP packets through Internet Access concentrator (possibly inside the remote system) encapsulates PPP frames Network server terminates VPN tunnel

14 © J. Liebeherr, All rights reserved 10/22/05 Layer-2 Tunneling Protocols Point-to-Point Tunneling Protocol (PPTP): –Developed by Microsoft, 3Com, US Robotics, and others –Goal: Provide VPN between remote access users and network servers –Approach: Tunneling on client systems Layer-2 Forwarding Protocol (L2F): –Developed by Cisco, Nortel and others –Virtual dial-up protocol for managed networks –Approach: Tunneling is performed as a network service (not by client) Layer-2 Tunneling Protocol (L2TP): –Developed within the IETF –Combines concepts of PPTP and L2F

15 © J. Liebeherr, All rights reserved 10/22/05 Remote Dial-in Layer-2 Tunneling Protocol Assumes the Layer-2 tunneling protocol PPTP: User does remote dial-in to ISP and establishes PPP connection Establish a (TCP) connection to set up a control channel Establish a PPTP tunnel Establish PPP tunnel that sends PPP frames over the PPTP tunnel IP packets are carried in PPP frames

16 © J. Liebeherr, All rights reserved 10/22/05 Encapsulation at remote client PayloadIP header Original IP packet PayloadIP header PPP encapsulation to remote Network Server PPPPayloadIP header GRE header is used by PPTP PPPGRE headerPayloadIP header IP header for public Internet PPPGRE headerIP headerPayloadIP header PPP encapsulation to ISP Network Server PPPGRE headerIP headerPPP

17 © J. Liebeherr, All rights reserved 10/22/05 Other VPN approaches IPSec: –Protocol suite for secure communications at Layer-3 –Consists of security headers and a set of protocols –Originally designed for IPv6 –Performs services for authentication, integrity, confidentifality –Can perform tunneling of IP datagrams MPLS: –LSPs can provide data link connections between remote networks –Builds on isolation of LSPs in the MPLS networkConsists of security headers and a set of protocols SSH/PPP: –Secure Shell (SSH) is a provides secure access to remote hosts. –Assumes client/server relationship –Intended as a replacement for insecure protocols such as Telnet, rsh, etc. –VPN services can be built by creating a PPP connection within a SSH connection