Learning to Live and Work with Virtual Private Networks Richard Perlman CEENET #6 Budapest Hungary.


1 Learning to Live and Work with Virtual Private Networks
Richard Perlman, perl@lucent.com
CEENET #6, Budapest, Hungary

2 Tunneling Defined (footer: CEENET #6 - Introduction to VPNs 1.2)
Creating a transparent virtual network link between two network nodes that is unaffected by physical network links and devices.

3 Tunneling Explained
- Tunneling is encapsulating one protocol in another
- Tunnels provide routable transport for unroutable packets
  - encrypted, illegal addressing, non-supported
- Tunneling itself provides no security

4-6 Tunneling Illustrated (diagram slides: LAN A and LAN B linked by a tunnel)

7 Tunneling Illustrated (diagram: Workstation X behind Router A, Workstation Y behind Router B, tunnel between the routers)
Step 1. The original, unroutable IP packet (destination Y) is sent to Router A.
Step 2. Router A encapsulates the original IP packet in a new IP packet and sends it through the tunnel.
Step 3. Router B extracts the original packet (destination Y) and sends it on to its destination.
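Steps 1 to 3 carried out on actual bytes, as an added example that is not part of the presentation: a minimal IPv4 builder and parser with header checksum, IP-in-IP encapsulation (outer Protocol field 4, RFC 2003) at Router A, and decapsulation at Router B. The addresses and the UDP payload are constructed. Note that nothing in the exchange authenticates or encrypts the inner packet, which is exactly why "tunneling itself provides no security".

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # outer Protocol field for IP-in-IP encapsulation (RFC 2003)

def checksum(data: bytes) -> int:
    """Ones-complement Internet checksum over a header (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject non-IPv4 or corrupted headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:  # a header with a valid checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]

# Step 1: Workstation X emits a packet for Y using private, unroutable addresses
# (constructed sample addresses and payload).
def original_packet() -> bytes:
    return ipv4_packet("10.0.1.10", "10.0.2.20", 17, b"constructed UDP payload")

# Step 2: Router A wraps the whole packet in a new IP packet addressed to Router B.
def encapsulate(inner: bytes, router_a: str, router_b: str) -> bytes:
    return ipv4_packet(router_a, router_b, IPPROTO_IPIP, inner)

# Step 3: Router B checks the outer header is for it, strips it and forwards the
# original packet unchanged. Nothing here proves who built the inner packet.
def decapsulate(outer: bytes, my_addr: str) -> bytes:
    _src, dst, proto, inner = parse_ipv4(outer)
    if dst != my_addr or proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet for this router")
    parse_ipv4(inner)  # validate the inner header before forwarding it
    return inner
```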

8 Virtual Private Networks (VPN)
- What is a VPN?
  - A means of augmenting a shared network on a secure basis through encryption and/or tunneling
  - Tunnels created between endpoints for transporting data securely across public networks
- Benefits
  - Leverages existing Service Provider infrastructure for private data communications
  - Cost savings

9 What Is an IP VPN?
- Emulate a private network over a shared IP network
- Why IP?
  - Service differentiation, global connectivity, flexibility, platform for fast-growing new services (e.g. e-commerce)
(diagram: a shared IP network / the Internet linking branch offices, corporate headquarters, customers and suppliers, and remote workers)

10 Types of IP VPN Services
Service options:
- Applications: dial, intranet, extranet
- QoS: end-to-end guarantees, service differentiation, best effort
- Security: network based, user based
- Infrastructure: Internet, IP, ATM, MPLS

11 One way to communicate... (diagram: New York HQ, Tokyo and London sites, each with a router, CSU/DSU and firewall, joined by PSTN dial-up or dedicated lines; remote access servers at the sites; Internet access to web sites)

12 Another view of network possibilities... A Virtual Private Network (diagram: the same New York, Tokyo and London sites, each with a router with L2TP, CSU/DSU and firewall, linked across the Internet, plus remote clients and web sites)

13 Internet as Backbone: Dial-Up (diagram: a remote user with VPN software reaches the VPN gateway of the private network through a secure tunnel across the Internet/ISP network; a hacker on the Internet sits outside the tunnel)

14 Internet as Backbone: Branch Offices (diagram: a VPN router at the branch office reaches the VPN gateway of the private network through a secure tunnel across the Internet/ISP network)

15 Shared Dial Networking (diagram: a mobile employee, a telecommuter and a contractor dial into IAGs of a shared service provider network; their tunneled traffic reaches the VPN gateway of the private network)

16 Virtual Private Networks
Extends private network boundary across a shared network using tunneling technology
(diagram: virtual private dial-up users and an IAG tunnel across the shared network to the VPN gateway, reaching the private servers alongside internal users)

17 Types of Tunnels
- Two basic types of tunnels
  - Voluntary tunnels: tunneling initiated by the end-user (requires client software on the remote computer)
  - Compulsory tunnels: tunnel is created by the NAS or router (tunneling support required on the NAS or router)

18 Voluntary Tunnels
- Will work with any network device
  - Tunneling transparent to leaf and intermediate devices
- But user must have a tunneling client compatible with the tunnel server
  - PPTP, L2TP, L2F, IPSEC, IP-IP, etc.
- Simultaneous access to Intranet (via tunnel) and Internet possible
- Employees can use personal accounts for corporate access
- Remote office applications: dial-up VPNs for low traffic volumes

19 A Voluntary PPTP Tunnel (diagram only)

20 Compulsory Tunnels
- Will work with any client
  - But NAS must support the same tunnel method
- But... tunneling transparent to intermediate routers
- Network access controlled by tunnel server
  - User traffic can only travel through the tunnel
  - Internet access possible, but must be by pre-defined facilities
  - Greater control
  - Can be monitored

21 Compulsory Tunnels
- Static tunnels
  - All calls from a given NAS/router tunneled to a given server
- Realm-based tunnels
  - Each tunnel based on information in the NAI (i.e. user@realm)
- User-based tunnels
  - Calls tunneled based on userID data stored in the authentication system

22 A Compulsory L2TP Tunnel (diagram only)

23 RADIUS Support for Tunnels
- Can define tunnel type
- Can define/limit tunnel end points
- Allows tunnel configuration to be based on Calling-Station-ID or Called-Station-ID
- Additional accounting information
  - Tunnel end points
  - Tunnel ID, etc.
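Realm-based compulsory tunnelling (slide 21) and the RADIUS tunnel attributes that define tunnel type and end points (slide 23), as an added example that is not part of the presentation: the server side parses the NAI, looks the realm up in a constructed table and returns tagged tunnel attributes; the NAS side decodes them. Attribute numbers and enumerations are taken from RFC 2868, not from the slides, and the realm names and endpoint addresses are constructed documentation values.

```python
import struct

# RFC 2868 tunnel attribute numbers and enumerations (from the RFC, not the slides).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPES = {"pptp": 1, "l2f": 2, "l2tp": 3}
MEDIUM_IPV4 = 1

def tagged_int(attr, tag, value):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr, tag, value):
    """Tagged string attribute: Type, Length, Tag, then the string octets."""
    data = value.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

# Constructed realm table standing in for the provider's user database (documentation addresses).
REALM_TABLE = {
    "corp.example": [("l2tp", "192.0.2.10"), ("l2tp", "192.0.2.11")],
    "legacy.example": [("pptp", "198.51.100.5")],
}

def split_nai(nai):
    """NAI 'user@realm' -> (user, realm); a bare user name has no realm."""
    user, sep, realm = nai.rpartition("@")
    if sep and not (user and realm):
        raise ValueError("malformed NAI: %r" % nai)
    return (user, realm.lower()) if sep else (nai, None)

def tunnel_attributes(nai):
    """Attributes the RADIUS server returns to the NAS for a realm-based tunnel.
    An unknown realm yields b'': the NAS then terminates PPP locally instead."""
    _, realm = split_nai(nai)
    out = b""
    # Tags 0x01..0x1F group the attributes of one candidate tunnel, so at most 31 servers.
    for tag, (ttype, server) in enumerate(REALM_TABLE.get(realm, [])[:0x1F], start=1):
        out += tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPES[ttype])
        out += tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IPV4)
        out += tagged_string(TUNNEL_SERVER_ENDPOINT, tag, server)
    return out

def parse_tunnel_attributes(data):
    """NAS side: decode the tagged attributes into {tag: {attr: value}}."""
    tunnels = {}
    while data:
        attr, length, tag = struct.unpack("!BBB", data[:3])
        if length < 3 or length > len(data):
            raise ValueError("bad attribute length")
        body = data[3:length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnels.setdefault(tag, {})[attr] = int.from_bytes(body, "big")
        else:
            tunnels.setdefault(tag, {})[attr] = body.decode("ascii")
        data = data[length:]
    return tunnels
```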

24 RADIUS Dial Up Security (diagram: a remote user logs in to the RAS at the boundary of the private network; the RAS authenticates dial-in users against the RADIUS server using the RADIUS protocol; a hacker sits outside the boundary)
Authenticates dial-in users at the boundary of the private network.

25 Protocol Comparison (columns PPTP, L2TP, IPSEC; an X marks support; the transcript lost which column each X was in)
Authenticated Tunnels: X X
Compression: X X X
Smart Cards: X X
Address Allocation: X X
Multiprotocol: X X
Strong Encryption: X
Flow Control: X
Requires Server: X X

26 Virtual Private Networks via the Layer Two Tunneling Protocol (L2TP)

27 L2TP Building Blocks
- L2TP Access Concentrator (LAC)
  - Typically attached to the switched network fabric, such as the public switched telephone network (PSTN)
  - Only needs to implement the media over which L2TP operates in order to pass traffic to one or more LNSs
  - Typically the initiator of incoming calls and the receiver of outgoing calls

28 L2TP Building Blocks (cont.)
- L2TP Network Server (LNS)
  - Operates on any platform capable of PPP termination
  - Handles the server side of the L2TP protocol; scalability is critical
  - Able to terminate calls arriving at any LAC's full range of PPP interfaces (async, ISDN, PPP over ATM, PPP over Frame Relay)
  - The initiator of outgoing calls
  - The receiver of incoming calls

29 L2TP VPN in the Network (diagram: remote and telecommuter employees dial over analog or ISDN lines through the PSTN into the service provider's LAC; the L2TP encapsulated tunnel crosses the Internet / Frame Relay / ATM network to the LNS on customer premise equipment in front of the corporate network and servers; one RADIUS server on the service provider side and another on the customer side)

30 How Does a L2TP VPN Device Work?
- The service provider provides remote access outsourcing services to utilize idle network infrastructure and give its customers the cost savings of using a public network like the Internet
- The customer wants to connect their remote branch offices and telecommuters to corporate HQ servers

31 How Does a L2TP VPN Device Work? (diagram as on slide 29, STEP 1 highlighted)
STEP 1: Remote users, telecommuters and branch offices initiate a session or call into a L2TP Access Concentrator (LAC) device.

32 How Does a L2TP VPN Device Work? (diagram as on slide 29, STEP 2 highlighted)
STEP 2: The LAC sends an authentication request to a RADIUS server, which will authenticate the call and generate configuration information about the creation and type of the L2TP tunnel and the end point of the tunnel.

33 How Does a L2TP VPN Device Work? (diagram as on slide 29, STEP 3 highlighted)
STEP 3: Tunnel creation information is sent to the LAC, which encapsulates the user's PPP frames and tunnels them over the network to the LNS device.

34 How Does a L2TP VPN Device Work? (diagram as on slide 29, STEP 4 highlighted)
STEP 4: The LNS serves as the termination point where the encapsulated L2TP frame is stripped and processed. The PPP frame is then passed on to higher layer protocols and users on the local area network.
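STEP 3 and STEP 4 on the wire, as an added example that is not part of the presentation: the LAC prepends an L2TPv2 data-message header to a PPP frame, and the LNS validates the header (version, message type, Length field, tunnel ID), strips it and hands the PPP frame to the higher layer protocol named by its Protocol field. The header layout and PPP protocol numbers are assumed from RFC 2661 and RFC 1661, not from the slides; the tunnel and session IDs and the PPP frame are constructed.

```python
import struct

# L2TPv2 header bits (RFC 2661) and PPP protocol numbers (RFC 1661), assumed from
# the RFCs; the slides name the steps but not the bit layout.
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2
PPP_PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def lac_encapsulate(ppp_frame, tunnel_id, session_id, ns=None, nr=0):
    """STEP 3 at the LAC: prepend an L2TP data-message header (T=0) to a PPP frame.
    The Length field is always sent; Ns/Nr are added only when sequencing is on."""
    flags = FLAG_L | VERSION
    hdr = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= FLAG_S
        hdr += struct.pack("!HH", ns, nr)
    length = 4 + len(hdr) + len(ppp_frame)  # flags + Length + ids [+ Ns/Nr] + frame
    return struct.pack("!HH", flags, length) + hdr + ppp_frame

def lns_decapsulate(datagram, expected_tunnel_id):
    """STEP 4 at the LNS: validate and strip the header; return (session_id, ns, ppp_frame)."""
    if len(datagram) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if (flags & 0x000F) != VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & FLAG_T:
        raise ValueError("control message, not a data message")
    pos, end = 2, len(datagram)
    if flags & FLAG_L:  # trust the Length field only if it fits the datagram
        end = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if end > len(datagram):
            raise ValueError("Length field exceeds datagram")
    tunnel_id, session_id = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if tunnel_id != expected_tunnel_id:
        raise ValueError("datagram for unknown tunnel %d" % tunnel_id)
    ns = None
    if flags & FLAG_S:
        ns, _nr = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if flags & FLAG_O:  # Offset Size plus padding precede the payload
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
    if pos > end:
        raise ValueError("header runs past end of message")
    return session_id, ns, datagram[pos:end]

def ppp_protocol(ppp_frame):
    """Which higher layer protocol the stripped PPP frame carries (address/control optional)."""
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    return PPP_PROTOCOLS.get(struct.unpack("!H", ppp_frame[:2])[0], "unknown")
```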

35 VPN Questions and Answers (FAQs)

36 Q: What is a virtual private network?
- A VPN gives users a secure way to access or link corporate network resources over the Internet or other public or private networks.

37 Q: What are the elements of a VPN?
- VPNs typically include a number of security features including encryption, authentication, and tunneling.
- VPN software may be included on laptops and network workstations and servers, or may be included with routers and remote access servers.

38 Q: How do companies use VPNs?
- In place of traditional dial-up connections, to provide access to remote users and telecommuters
- To connect LANs in different sites instead of using the public switched telephone network or dedicated leased lines
- To give customers, clients and consultants access to corporate resources

39 Q: Is a VPN the same thing as an extranet?
- No. Most VPNs can be designed to work as an extranet. But not all extranets are VPNs.

40 Q: Then what is an extranet?
- Extranet is a general term that can mean many different things. The common definition of an extranet is a type of network that gives outside users, such as customers, clients and consultants, access to data residing on a corporation's network. Users access the data through a Web browser over the Internet and typically need to enter a user name and password before access to the data is granted.

41 Q: How is this different from a VPN?
- A VPN can be used in a similar manner, but typically a VPN has much higher security associated with it. Specifically, a VPN typically requires the establishment of a tunnel into the corporate network and the encryption of data passed between the user's PC and corporate servers.

42 Q: Why bother with a VPN, aren't there other ways to give users secure access to network resources?
- There are different ways to control access and provide secure access to network resources. A VPN is just one of those ways.
- However, a well implemented VPN is transparent to the user and should require no special skills or knowledge to use.

43 Q: What are other methods for accessing network resources over the Internet?
- Depending on the level of security needed, a company could choose to use an extranet approach or a customized approach that combines password protection of network servers with third-party authentication systems.

44 Q: Why do companies use VPNs?
- There are many reasons to use a VPN. The most common reasons are (1) to save telecommunications costs by using the Internet to carry traffic (rather than paying long distance phone charges), (2) to save telecommunications costs by reducing the number of access lines into a corporate site, and (3) to save operational costs by outsourcing the management of remote access equipment to a service provider.

45 Q: How does a VPN cut long distance phone charges?
- Long distance phone charges are reduced with a VPN because a user typically dials a local call to an ISP rather than placing a long distance or international call directly to his or her company.

46 Q: How do VPNs help reduce the number of access lines?
- Many companies pay monthly charges for two types of access lines: (1) high-speed links for their Internet access and (2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines.

47 Q: How can a VPN save operational costs?
- Some companies hope to save operational costs by outsourcing their remote access to an ISP or other type of service provider. The idea is that by giving users access to the network via a VPN, a company can get rid of its modem pools and remote access servers. The operational cost savings come from not having to manage those devices.

48 Performance Issues

49 Q: What about VPN performance?
- There are several issues to consider when exploring VPN performance. Some are related to the Internet itself: is it available, and what is the latency for packets traveling across the network? Other performance issues are related to the specific VPN applications.
- In general, VPNs implemented over the public Internet will have poorer performance than VPNs implemented over private IP networks.

50 Q: What are the concerns about network availability?
- The Internet occasionally experiences outages. For example, in 1997 there was a system-wide availability problem when a corrupted master list of domain names was distributed to the handful of root servers that are the heart of the Internet. More frequently, a particular Internet service provider may experience equipment problems leading to a service outage that can last from hours to days.

51 Q: What can be done to ease concerns about network availability?
- Many service providers are trying to improve the reliability of their networks to prevent outages. While they cannot guarantee 100 percent availability, many providers are offering service level agreements that offer credits or refunds if network availability falls below a certain level.

52 Q: How good are the network availability service level agreements (SLAs)?
- Most of the service providers with nation-wide backbones guarantee the network will be available at least 99.6 percent of the time. That translates into a maximum outage time of about 6.5 minutes a day before the refund or credits kick in. Some offer higher availability, with refunds or credits kicking in for outages of 3 minutes per day or longer.

53 Q: What are the shortcomings of these SLAs?
- All VPN SLAs offered today only apply to the specific service provider's network. If the traffic crosses from one provider's network to another, the SLAs do not apply.

54 Q: What about latency?
- To date, there are no VPN SLAs that address latency. The service providers say they will need a number of things, like the ability to offer quality of service guarantees, to happen before latency SLAs will be offered.

55 Q: Are there other issues that will prevent latency-related VPN SLAs?
- Yes. IT managers will not see end-to-end latency SLAs for VPNs as they get for other services such as a Frame Relay service that carries time-sensitive SNA terminal-to-host traffic. One of the reasons end-to-end latency SLAs will not be practical for VPNs is that there are many variables, such as the type of encryption used and the client's processing power, that determine end-to-end performance in VPN applications.

56 VPN Technology Questions

57 Q: What are the common tunneling protocols?
- There are currently three major tunneling protocols for VPNs. They are:
  - Point-to-Point Tunneling Protocol (PPTP)
  - Internet Protocol Security (IPSec)
  - Layer 2 Tunneling Protocol (L2TP)
- Two proprietary protocols often seen are:
  - Ascend's ATMP
  - Cisco's L2F

58 Q: What types of encryption can be used in VPN applications?
- Virtually all of the common encryption technologies can be used in a VPN. Most VPN equipment vendors give the user a choice. IT managers can often select anything from the 40-bit built-in encryption offered by Microsoft under Windows 95 to more robust, but less exportable, encryption technologies like triple-DES.

59 Q: How are VPN users authenticated?
- VPN vendors support a number of different authentication methods. Many vendors now support a wide range of authentication techniques and products including such services as RADIUS, Kerberos, token cards, NDS, NT Domain, and software- and hardware-based dynamic passwords.

60 Q: Can user access and authentication be linked to existing access control systems?
- Yes. Some vendors, such as Lucent, support existing standards like RADIUS.
- Other VPN vendors, notably Aventail, Novell, and New Oak Communications, provide ways to link VPN access rights to defined access rights such as those in Windows NT Workgroup lists, Novell Directory Services or Binderies.

61 L2TP Tunnel Lab Diagram (diagram)
- Net 10.x.1.0: the LAC and a Terminal Server at 10.x.1.2
- Net 10.x.2.0: the LNS, a RADIUS Server at 10.x.2.3 with the USER DB, a Telnet Server at 10.x.2.5 and a Workstation at 10.x.2.128
- An L2TP tunnel runs from the LAC through the router to the LNS; the addresses 10.x.1.1 and 10.x.2.1 also appear on the diagram
- Two RADIUS servers are shown: one is used to select the LNS based on the DNIS, realm or other information; the other is used to authenticate the user

62 L2TP Tunnel Lab Diagram (diagram only: Net 10.x.1.0 with the LAC; Net 10.x.2.0 with the LNS and USER DB)

