VPN Virtual Private Networks

VPN: Virtual Private Networks
Raghavendra KN Rao

Introduction: Virtual Private Network (VPN)
In today's insecure world there is a need to transfer information across a network in a way that cannot be seen or intercepted by unauthorized people. The traditional way was to use point-to-point lines that were reserved for you and the people you needed to pass confidential information to. However, these lines were very expensive and inflexible. What was needed was the ability to communicate safely through a public network. Thus came the Virtual Private Network (VPN).

What is a VPN? (Definition)
A VPN (virtual private network) is a private data network that uses public telecommunication infrastructure (the Internet), maintaining privacy through encryption, tunneling protocols and security procedures to connect users securely.
- "Virtual" implies that there is no dedicated physical connection between the two networks; instead, connections are routed through the Internet.
- "Private" implies that the transmitted data is kept confidential (encryption and secured tunneling).
- "Network" implies the communication medium: private, public, wired, wireless, the Internet or any other available resource.

Why VPN?
- Low cost
- Secure and reliable communication
- Dynamic access to private networks
Such access would otherwise only be possible by:
- Using expensive leased dedicated lines provided by telephone companies (a point-to-point dedicated digital circuit)
- Dialing into the local area network (LAN)

How does a VPN work? (Example: a typical VPN network)
When I send mail from my home computer to my office computer through the VPN:
1. The VPN-enabled firewall/router at home encapsulates and encrypts the mail.
2. The mail travels through the public network (Internet) encrypted.
3. The VPN-enabled firewall/router at the office decrypts the mail and passes it to the office computer.
Diagram: Home computer -> VPN firewall/router -> Internet -> VPN firewall/router -> Office computer

Types of VPNs
Remote Access
This type of VPN is a user-to-LAN connection via a public or shared network. Many large companies have employees who need to connect to the corporate LAN from the field. These field agents access the corporate LAN from their remote computers and laptops. Their systems use special client software that establishes a secure link between themselves and the corporate LAN.
Diagram: User from home -> Internet -> Corporate HQ

Site-to-site
A site-to-site VPN connects fixed sites to a corporate LAN, thus extending it over a public or shared network. There are two types of site-to-site VPNs:
- Intranet-based: this type of site-to-site VPN is used to extend a company's existing LAN to other buildings and sites, so that remote employees can use the same network services.
- Extranet-based: with an extranet-based VPN, two or more companies can establish a secure network connection in order to share a computing environment. A good example is companies that work closely with suppliers and partners to achieve common goals, such as a supply-and-demand relationship in which one company has a demand for supplies and the supplier fulfills it based on the company's needs. Working across an extranet, these two companies can share information much faster.

Remote Access Network
A remote access VPN is for home or traveling users who need to access their corporate network from a remote location. They dial their ISP and connect over the Internet to the company's internal WAN. This is made possible by installing a client software program on the remote user's laptop or PC that handles the encryption and decryption of the VPN traffic between itself and the VPN gateway on the central LAN.

Site-to-Site Connection Network
A fixed VPN is normally used between two or more sites, allowing a central LAN to be accessed by remote LANs over the Internet or private communication lines using VPN gateways. VPN gateways (normally VPN-enabled routers) are placed at each remote site and at the central site so that all encryption, decryption and tunneling is carried out transparently.

Design Goals and Features of VPN
- Security: tunneling support between sites with at least 128-bit encryption of the data.
- Confidentiality: protects privacy.
  - Private-key (symmetric) cryptography
  - Public-key cryptography
- Integrity: ensures that the information transmitted over the Internet is not altered.
  - One-way hash functions
  - Message authentication codes (an encrypted hash)
  - Digital signatures (hash function + private key)
- Authentication: ensures the identity of all communicating parties.
  - Password authentication
  - Digital certificates: a file that binds an identity to the associated public key. This binding is validated by a trusted third party, the certification authority (CA).
- Scalability: extra users and bandwidth can be added easily to adapt to new requirements.
- Services: QoS (Quality of Service); reports on user activity, management of user policies and monitoring of the VPN.

VPN Tunneling
Tunneling is a way of forwarding multiprotocol packets from a remote user to a corporate network or a third-party Internet Service Provider (ISP), using an ISP that supports Virtual Private Networking (VPN).
Voluntary tunneling: the VPN client manages connection setup. The client first makes a connection to the carrier network provider (ISP); then the VPN client application creates the tunnel to a VPN server over this live connection.
Compulsory tunneling:
1. The carrier network provider manages VPN connection setup. When the client makes an ordinary connection to the carrier, the carrier immediately brokers a VPN connection between the client and a VPN server. From the client's point of view, VPN connections are set up in just one step, compared to the two-step procedure for voluntary tunnels.
2. Compulsory VPN tunneling authenticates clients and associates them with a specific VPN server using logic built into the broker device. It also hides the details of VPN server connectivity from the VPN client.

VPN Protocols
Layer 2 - Data Link Layer:
- PPTP - Point-to-Point Tunneling Protocol
- L2F - Layer 2 Forwarding Protocol
- L2TP - Layer 2 Tunneling Protocol
- CHAP - Challenge Handshake Authentication Protocol
- PAP - Password Authentication Protocol
- MS-CHAP - Microsoft Challenge Handshake Authentication Protocol
Layer 3 - Network Layer (IP):
- IPSec - Internet Protocol Security
Transport Layer (TCP/UDP):
- SOCKS v5 - SOCKetS version 5
- SSL - Secure Sockets Layer

Dell Wireless Routers (specific)
Q: Does the Dell TrueMobile 2300 support Virtual Private Networking (VPN)?
A: Yes, the Dell TrueMobile 2300 supports PPTP, IPSec and L2TP VPN pass-through.
http://training.us.dell.com/training/new_products/Peripherals_Portables/network/ziggy/UG/English/help/index.htm
Q: Does the Dell TrueMobile 1184 support Virtual Private Networking (VPN)?
A: Yes, the Dell TrueMobile 1184 supports PPTP, IPSec and L2TP VPN pass-through.
http://training.us.dell.com/training/new_products/Peripherals_Portables/network/ozzy/usergde/enu/help/index.htm

IPSec - Internet Protocol Security
- Network layer protocol: a Layer 3 solution.
- A set of authentication and encryption services; the only one of these protocols that is an IETF (Internet Engineering Task Force) standard.
- Data confidentiality, integrity, authentication and key management, in addition to tunneling.
- Typically works at the edges of a security domain.
- Supports IPv4 and IPv6.
- Encapsulates each packet by wrapping another packet around it and encrypting the entire original packet. This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured network.
- The majority of VPN vendors implement IPSec in their solutions.
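As an added example (not from the slides), here is a toy model in Go of what the VPN-enabled gateway on the "How does a VPN work?" slide does and of the encapsulate-then-encrypt behaviour described for IPSec above: the whole inner packet is wrapped in an outer packet, sealed with AES-GCM for confidentiality and integrity, and unwrapped by the receiving gateway, which also rejects altered packets. It goes one step beyond the slides by rejecting replayed packets through a sequence number, as IPsec's ESP does. The header layout, gateway addresses, key and sample packet are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

var sampleMail = []byte("inner IP 10.0.0.5 -> 10.1.0.9 | SMTP: hello from home") // constructed inner packet

// Tunnel models the VPN-enabled gateway on the slides: the whole inner packet is
// wrapped in an outer packet and sealed with AES-GCM (confidentiality + integrity).
type Tunnel struct {
	aead   cipher.AEAD
	seq    uint32 // sender side: last sequence number used
	lastOK uint32 // receiver side: highest sequence number accepted
}

func NewTunnel(key []byte) (*Tunnel, error) { // key shared by both gateways
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Encapsulate emits: outer header (srcGW, dstGW, seq) || nonce || ciphertext+tag.
// The header is associated data: readable for routing, yet covered by the tag.
func (t *Tunnel) Encapsulate(srcGW, dstGW byte, inner []byte) ([]byte, error) {
	t.seq++
	hdr := binary.BigEndian.AppendUint32([]byte{srcGW, dstGW}, t.seq)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(append(hdr, nonce...), nonce, inner, hdr), nil
}

// Decapsulate verifies the tag over header and body, rejects replayed or stale
// sequence numbers (strict counter; IPsec ESP uses a window) and returns the inner packet.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	n := 6 + t.aead.NonceSize()
	if len(pkt) < n {
		return nil, errors.New("packet too short")
	}
	hdr, nonce, body := pkt[:6], pkt[6:n], pkt[n:]
	seq := binary.BigEndian.Uint32(hdr[2:])
	inner, err := t.aead.Open(nil, nonce, body, hdr)
	if err != nil || seq <= t.lastOK {
		return nil, errors.New("packet altered in transit, replayed or stale")
	}
	t.lastOK = seq
	return inner, nil
}
```

Two Tunnel values built from the same key play the home and office gateways; anything between them only ever sees the two gateway addresses and ciphertext.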

PPTP - Point-to-Point Tunneling Protocol
- PPTP is a tunneling protocol provided by Microsoft which gives remote users encrypted, multiprotocol access to a corporate network over the Internet.
- It encapsulates PPP frames in IP datagrams (IP, IPX and NetBEUI are encapsulated).
- PPTP is built into NT 4.0, and the client is free for older versions such as Windows 95.
- Microsoft's implementation of PPTP has been found to have several problems that make it vulnerable to attacks, and it also lacks scalability in that it only supports 255 concurrent connections per server.
- Requires an IP network between the PPTP client and the PPTP server (either LAN or dial-up).
- PPTP can support only one tunnel at a time for each user.
- Uses TCP port 1723.

L2TP - Layer 2 Tunneling Protocol
- PPTP's successor, L2TP (a hybrid of Microsoft's PPTP and Cisco Systems' Layer 2 Forwarding, L2F, protocol), can support multiple simultaneous tunnels for each user.
- It encapsulates PPP frames in IP datagrams.
- Extends from the remote host all the way back to the corporate gateway. In effect, the remote host appears to be on the same subnet as the corporate gateway.
- It uses UDP and supports any routed protocol, including IP, IPX and AppleTalk, as well as frame relay, ATM and X.25.
- Because of L2TP's derivation from PPTP, it is included as part of the remote access features of most Windows products.
- It does not itself provide cryptographic key security features.
- It can use IPSec for data encryption and integrity.
- Compulsory tunneling model.
- UDP port 1701.

VPN Advantages
- All packets of data received are authenticated, ensuring that they are from a trusted source, and encryption ensures the data remains confidential.
- Most VPNs connect over the Internet, so call costs are minimal even if the remote user is a great distance from the central LAN.
- A reduction in the overall telecommunication infrastructure, as the ISP provides the bulk of the network.
- Reduced cost of management, maintenance of equipment and technical support.
- Simplifies the network topology by eliminating modem pools and a private network infrastructure.
- VPN functionality is already present in some IT equipment.
- VPNs are easily extended by increasing the available bandwidth and by licensing extra client software.

VPN Disadvantages
- If the ISP or Internet connection is down, so is the VPN.
- The central site must have a permanent Internet connection so that remote clients and other sites can connect at any time.
- May provide less bandwidth than a dedicated-line solution.
- Different VPN manufacturers may comply with different standards.
- All traffic over the VPN is encrypted, regardless of need. This can potentially cause a bottleneck, since encrypting and decrypting adds network overhead.
- Provides no internal protection on the corporate network: the VPN endpoint is typically at the edge of the network. Once employees are on the internal corporate network, data is no longer encrypted. (SSH provides point-to-point secure communication.)
- Most VPN technologies today do not address performance and availability issues, important as they are. Why? Because the majority of VPN solutions exist on client machines and gateway servers at the extreme ends of the communication path. They simply cannot consistently affect the performance of the network components in the middle. Unfortunately, this middle is exactly the Internet.

Troubleshooting Dell Wireless Routers - VPN Connections
1. Remember, Dell wireless routers only support PPTP, IPSec and L2TP VPN pass-through.
2. Make sure the VPN connection is not using a static IP on the VPN client.
3. If your computer is running a software firewall (such as Norton Firewall, ZoneAlarm or the Windows XP Firewall), the VPN client may not be able to initiate a tunnel. Disable the software firewall and try again.
4. Although the connection depends on the VPN client application, in general most VPN applications will function properly through the router automatically. In some cases you may need to open ports explicitly in the router through the Port Forwarding section:
   - If the connection uses IPSec, open port 500.
   - If the connection uses PPTP, open port 1723.
   - If the connection uses L2TP, open port 1701.
5. If the VPN client application is one such as SafeNet, Checkpoint, Cisco, SecureRemote or AT&T Client VPN, try reinstalling the software, or open the specific ports that application needs.
Continue for the Port Forwarding screens...

Port Forwarding screens: TM 2300
1. Go to the router page at 192.168.2.1
2. Click tab – Click tab
3. Click the ADD button under Custom Port Forwarding Settings
4. Open the ports and SUBMIT
Continue...

Port Forwarding screens: TM 1184
1. Go to the router page at 192.168.2.1
2. Click tab – Click tab
3. Under Custom Port Forwarding, enter the port information and SUBMIT

The END