Advanced VPNs


  • 8/7/2019 Advanced VPNs


    Advanced VPNs


    Pyla Naveen Kumar (M00326029)

    Arun Kumar Y (M00325442)

    Chirag Rajendran (M00323819)

    Tejaswi Jetty (M00332283)

    Kodi Venkatesh (M00333216)

    MSc Computers and Network Security

    What is a VPN
    Components of VPN
    Types of VPNs
    Multicast VPN topics



    What is a Virtual Private Network (VPN)?

    A VPN is:

    Network connectivity across a shared infrastructure (such as an ISP).

    A VPN is a private network constructed within a public network infrastructure,
    such as the global Internet.

    It aims to provide the same policies and "performance" as a private network,
    creating many opportunities for cost savings through operations and


    (Source: CISCO White Paper on Multicast VPNs)

    VPN Topology: How it works

    Operates at layer 2 or 3 of the OSI model:
      Layer 2: Ethernet frame
      Layer 3: IP packet

    VPN tunnelling allows senders to encapsulate their data in IP packets that hide the
    routing and switching infrastructure of the Internet, to ensure data security
    against unwanted viewers or hackers.

    VPN Components

    VPN Components: Protocols

    IP Security (IPSec)
      Transport mode
      Tunnel mode

    Point-to-Point Tunneling Protocol (PPTP)
      Voluntary tunneling method
      Uses PPP (Point-to-Point Protocol)

    Layer 2 Tunneling Protocol (L2TP)
      Exists at the data link layer of OSI
      Composed from PPTP and L2F (Layer 2 Forwarding)
      Compulsory tunneling method

    Example of encapsulating packets:
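The encapsulation step the slide refers to, worked through as an added example (this is not code from the presentation). It builds a real inner IPv4 packet, wraps it in an outer IPv4 header the way tunnel mode does, and then parses the outer header to show that a router on the shared infrastructure only ever sees the two tunnel endpoints. It assumes plain IP-in-IP (IANA protocol number 4) as the carrier, since that is the simplest tunnel to show in bytes; IPsec tunnel mode and GRE add their own header between the outer IP header and the inner packet. All addresses are constructed.

```python
"""Tunnel-mode encapsulation, illustrated with IP-in-IP (IP protocol 4).

Added example, not code from the presentation.  Standard library only.
"""
import socket
import struct

IPPROTO_IPIP = 4   # "IP in IP" encapsulation, as registered by IANA
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a minimal IPv4 packet (20-byte header, no options) carrying `payload`."""
    total_len = 20 + len(payload)
    # version 4 / IHL 5, TOS 0, identification 0, flags+fragment offset 0, checksum 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the leading IPv4 header; a valid header checksums to zero."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl,
            "checksum_ok": checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel mode: the entire inner IP packet becomes the payload of an outer one."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Strip the outer header at the far gateway, refusing malformed input."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP or not outer["checksum_ok"]:
        raise ValueError("not a valid IP-in-IP packet")
    return outer["payload"]


def demo():
    # Constructed addresses: private hosts behind two VPN gateways, and the
    # gateways' public tunnel endpoints.  None of these are real systems.
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"hello from site A")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.7")
    seen_in_transit = parse_ipv4(outer)        # what an Internet router sees
    recovered = parse_ipv4(decapsulate(outer))  # what the far gateway forwards
    return outer, seen_in_transit, recovered


if __name__ == "__main__":
    _, transit, lan = demo()
    print("outer header:", transit["src"], "->", transit["dst"], "proto", transit["proto"])
    print("inner header:", lan["src"], "->", lan["dst"], "payload", lan["payload"])
```

The outer header carries only the tunnel endpoints and protocol 4; the inner source and destination exist solely inside the payload, which is the "hiding" the previous slide describes. Note that IP-in-IP alone hides nothing from anyone who can read the wire, which is why IPsec adds ESP between the two headers.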

    VPN Components: Security

    Encryption
      Technique for scrambling and unscrambling information.
      Unscrambled information is called clear-text; scrambled information is cipher-text.

    Key
      Secret code that the encryption algorithm uses to create a unique
      version of cipher-text (8, 16, 56, 168 bits, ...).

    Authentication
      Determines if the sender is the authorized person and if the data has been redirected or corrupted (system and data authentication).
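The three components on this slide (encryption with a key, and authentication of sender and data) fit together as shown in this added example, which is not code from the presentation. To stay runnable with the standard library alone it uses a toy keystream cipher built from HMAC-SHA256 in counter mode; a real VPN uses an IPsec or TLS cipher suite such as AES-GCM instead. The encrypt-then-MAC layout, and the rule of checking the tag before decrypting, are what carry over. Keys and messages are constructed.

```python
"""Encryption, key and authentication, as a single encrypt-then-MAC routine.

Added example, not code from the presentation.  The keystream "cipher" is a
toy for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into separate encryption and authentication keys."""
    enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(master_key: bytes, clear_text: bytes) -> bytes:
    """Scramble clear-text into cipher-text and append an authentication tag.

    Wire layout: nonce || cipher_text || tag.  A fresh nonce per message keeps
    two encryptions of the same clear-text from producing the same cipher-text.
    """
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(clear_text))
    cipher_text = bytes(a ^ b for a, b in zip(clear_text, ks))
    tag = hmac.new(mac_key, nonce + cipher_text, hashlib.sha256).digest()
    return nonce + cipher_text + tag


def unprotect(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag first; only an authentic message is unscrambled."""
    enc_key, mac_key = derive_keys(master_key)
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified data")
    ks = keystream(enc_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def is_authentic(master_key: bytes, message: bytes) -> bool:
    """True when the tag verifies under this key, False otherwise."""
    try:
        unprotect(master_key, message)
        return True
    except ValueError:
        return False


def flip_bit(message: bytes, offset: int) -> bytes:
    """Flip one bit of the cipher-text, as corruption or an in-flight edit would."""
    m = bytearray(message)
    m[NONCE_LEN + offset] ^= 0x01
    return bytes(m)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # 256-bit shared secret, constructed
    wire = protect(key, b"transfer 100")
    print("cipher-text:", wire[NONCE_LEN:-TAG_LEN].hex())
    print("authentic as sent:", is_authentic(key, wire))
    print("authentic after 1-bit flip:", is_authentic(key, flip_bit(wire, 0)))
```

Two points the slide's bullets compress: the same master key yields separate encryption and authentication keys, so compromising one use does not directly expose the other; and because the tag covers the cipher-text, a flipped bit (the "corrupted" case) or a message from a peer holding a different key (the "not the authorized person" case) is rejected before any decryption happens.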

    VPN Components: Appliances

    Intrusion detection firewalls
      Monitor traffic crossing the network perimeter and protect
      enterprises from unauthorized access.
      Packet-level firewall: checks source and destination.
      Application-level firewall: acts as a host computer between
      the organization's network and the Internet.

    Advantages of VPN

    Extends geographic connectivity

    Boosts employee productivity

    Improves Internet security

    PPTP VPN (Dial-up VPN)

    A simple method for VPN is PPTP.
    It is a software-based VPN system that uses your existing Internet connection.
    By using your existing Internet connection, a secure "tunnel" is created between
    two points, allowing a remote user to connect to a remote network.
    One can set up this type of connection with various types of software or hardware.
    Windows Server has PPTP built in, and you can connect to it via the native VPN
    client within Windows.
    Juniper and Cisco also have this ability, but require 3rd-party software to be
    loaded on remote workstations.
    It is sometimes referred to as "dial-up VPN" because when the client software
    connects it looks like it's dialling up.

    PPTP VPN (Dial-up VPN) Topology

    Site-to-Site VPN

    Site-to-site is much the same thing as point-to-point, except there is no "dedicated" line in use.
    Each site has its own Internet connection, which may not be from the same ISP or even the same
    One may have a T1 while the other only has DSL.
    Unlike point-to-point, the routers at both ends do all the work. They do all the routing and
    Site-to-site VPNs can work with hardware- or software-based firewall devices.

    Site-to-Site VPN Topology

    Point to Point VPNs

    A traditional VPN can also come as a point-to-point. These are also referred to as "leased-line VPNs."
    Simply put, two or more networks are connected using a dedicated line from an ISP.
    These lines can be packet or circuit switched.
    For example, T1s, Metro Ethernet, DS3, ATM or something else.
    The main strength of using a leased line is the direct point-to-point connection.
    It does not go out over the public Internet.
    So its performance is not degraded by routing problems, latency, and external congestion.

    Point to Point VPNs Topology

    MPLS VPNs

    MPLS is a true "ISP-tuned" VPN. It requires 2 or more sites connected via the same ISP or an "on-net" connection*.
    There is a way to configure this using different ISPs or "off-net", but you never get the same
    While it does use your existing Internet connection, tweaks are made by your ISP for performance
    and security.



    IP Multicast

    IP Multicast is part of the TCP/IP suite of protocols. While IP Unicast uses Class A, B, and C addresses, IP Multicast uses Class D addresses.
    Multicast is an efficient paradigm for transmitting the same data to multiple receivers because of its
    concept of a group address. This allows a group of receivers to listen to a single address.
    IP Multicast packets are replicated by routers within the network when there is more than one
    sub-network requiring a copy of the data. IP Unicast makes the source responsible for creating an
    individual IP stream for each receiver. Multicast is a robust and scalable solution for group
    communication because of this distributed replication of data and because only one copy of the packet
    needs to traverse a link.
    For example, suppose a company president sends a presentation to all employees.
    IP Multicast: bandwidth for one viewer equates to bandwidth for all viewers.
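The two claims on this slide, that multicast groups live in Class D and that replication by routers means one copy per link, can be checked numerically. The following is an added example, not code from the presentation: it classifies IPv4 addresses by their leading bits and then counts, on a small constructed tree (one source, two routers, four receivers), how many copies of a single packet cross each link when the source sends one stream per receiver versus when the routers replicate. The topology and host names are made up for the illustration.

```python
"""Class D group addresses, and per-link load for unicast vs. multicast delivery.

Added example, not code from the presentation.  Topology is constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def address_class(addr: str) -> str:
    """Classful IPv4 class from the first octet: A/B/C unicast, D multicast, E reserved."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def is_multicast_group(addr: str) -> bool:
    """224.0.0.0/4: the high four bits are 1110."""
    return address_class(addr) == "D"


# Constructed tree: child -> parent.  "src" is the sender; h1..h4 are hosts
# that joined the group.  Each (child, parent) pair is one physical link.
TOPOLOGY: Dict[str, str] = {
    "R1": "src",
    "R2": "R1", "R3": "R1",
    "h1": "R2", "h2": "R2", "h3": "R2",
    "h4": "R3",
}

Link = Tuple[str, str]


def path_to_source(node: str, topology: Dict[str, str]) -> List[Link]:
    """Links walked from `node` up to the source (reverse of the delivery path)."""
    links = []
    while node in topology:
        links.append((node, topology[node]))
        node = topology[node]
    return links


def copies_per_link(receivers: Iterable[str], topology: Dict[str, str], mode: str) -> Counter:
    """Packets that cross each link to deliver ONE packet to every receiver.

    unicast:   the source emits a separate stream per receiver, so a link
               carries one copy for every receiver downstream of it.
    multicast: routers replicate at branch points, so a link carries exactly
               one copy if any receiver is downstream of it.
    """
    if mode not in ("unicast", "multicast"):
        raise ValueError("mode must be 'unicast' or 'multicast'")
    load: Counter = Counter()
    for receiver in receivers:
        for link in path_to_source(receiver, topology):
            load[link] += 1
    if mode == "multicast":
        load = Counter({link: 1 for link in load})
    return load


def source_link_load(receivers: Iterable[str], topology: Dict[str, str], mode: str) -> int:
    """Copies on the sender's own uplink: the bottleneck the slide is talking about."""
    return copies_per_link(receivers, topology, mode)[("R1", "src")]


if __name__ == "__main__":
    receivers = ["h1", "h2", "h3", "h4"]
    for mode in ("unicast", "multicast"):
        load = copies_per_link(receivers, TOPOLOGY, mode)
        print(mode, "source link:", source_link_load(receivers, TOPOLOGY, mode),
              "total link-crossings:", sum(load.values()))
```

With four receivers the sender's uplink carries four copies under unicast and one under multicast, which is the "bandwidth for one viewer equates to bandwidth for all viewers" statement in numbers; the gap grows linearly with the number of receivers, while the multicast figure stays at one per link.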



    MPLS VPNs Topology

    Multicast Routing Protocols

    Several routing protocols were designed to work with IP Multicast. These were a "ships in the night" approach, which required a separate routing table for IP Multicast traffic.

    Distance Vector Multicast Routing Protocol (DVMRP)
      DVMRP was the first Multicast routing protocol, and is an example of a source tree routing

    Multicast Open Shortest Path First (MOSPF)
      MOSPF attempted to use OSPF with multicast routing. It is also an example of a source tree routing

    Core Based Trees (CBT)
      CBTs were designed to use a shared tree to deliver multicast data, but they were never implemented
      beyond the experimental networks.

    Multicast Modes

    Protocol Independent Multicast (PIM)
    PIM does not use a "ships in the night" approach; rather, it is designed to forward IP Multicast traffic using the standard Unicast routing table.
    There are two types of PIM protocols: Dense Mode (DM) and Sparse Mode (SM).

    PIM Dense Mode (DM)
      PIM DM is no longer a widely deployed protocol because PIM SM has proven to be the more efficient multicast

    PIM Sparse Mode (SM)
      PIM sparse mode has been enhanced over the years, evolving from an experimental standard to a draft standard.
      It is now the most widely deployed multicast protocol. It initially uses a shared tree, but then allows the last-hop router to join a source tree if it so chooses.
      This is an efficient methodology, as it prevents the flooding of data and the associated waste of resources, while forwarding data along the optimal path.

    Proposed Multicast VPN Solutions

    Multicast Domains
    This solution requires the provider to enable IP Multicast within its network.
    On each Provider Edge (PE) router, the provider creates a Multicast Tunnel Interface (MTI) and a Multicast VPN routing/forwarding (VRF) instance for each customer.
    The MTI encapsulates customers' Multicast data within its own Multicast packet with a destination
    group that is unique for a particular customer and to which all PEs for that customer belong.

    MTI Encapsulation:

    This solution uses a tunnel interface on the PE. Unlike GRE tunnelling, this is not a point-to-point tunnel.
    This tunnel interface tracks the remote PEs and Unicasts the multicast packets to the remote PEs.
    This solution is initially attractive because it keeps multicast state out of the core; however, it requires a large amount of replication by the PE router and creates a great deal of additional Unicast traffic.
    Uni
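The trade-off between the two proposed solutions, the Multicast Domains/MTI design of the previous slide and the unicast-tunnel design of this one, is easiest to see by modelling what a single ingress PE has to do with one customer multicast packet under each. This is an added example, not code from the presentation or from any vendor's implementation: the PE names, loopback addresses, customer VRFs and provider group addresses are all constructed, and the "core" is reduced to a lookup that answers which PEs receive a given outer packet.

```python
"""Multicast Domains (MTI) vs. unicast tunnels, modelled at the ingress PE.

Added example, not the presentation's or any vendor's code.  All names and
addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str
    inner: Optional["Packet"] = None   # set when this packet encapsulates another


# Constructed provider: which PEs host each customer VRF, the provider
# multicast group (default MDT) assigned to that customer, and PE loopbacks.
CUSTOMER_PES: Dict[str, Set[str]] = {
    "vrf-acme": {"PE1", "PE2", "PE3"},
    "vrf-globex": {"PE1", "PE4"},
}
MDT_GROUP: Dict[str, str] = {"vrf-acme": "239.192.10.1", "vrf-globex": "239.192.10.2"}
PE_LOOPBACK: Dict[str, str] = {
    "PE1": "10.255.0.1", "PE2": "10.255.0.2", "PE3": "10.255.0.3", "PE4": "10.255.0.4",
}


def mti_encapsulate(pkt: Packet, vrf: str, local_pe: str) -> List[Packet]:
    """Multicast Domains: ONE copy, addressed to the customer's provider group.

    The provider core runs IP Multicast and replicates it toward every PE
    that joined that group, so the ingress PE's work is constant.
    """
    return [Packet(PE_LOOPBACK[local_pe], MDT_GROUP[vrf], pkt.payload, inner=pkt)]


def unicast_tunnel_encapsulate(pkt: Packet, vrf: str, local_pe: str) -> List[Packet]:
    """Unicast tunnels: the ingress PE replicates, one unicast copy per remote PE."""
    remotes = sorted(CUSTOMER_PES[vrf] - {local_pe})
    return [Packet(PE_LOOPBACK[local_pe], PE_LOOPBACK[pe], pkt.payload, inner=pkt)
            for pe in remotes]


def core_delivery(outer: Packet, vrf: str) -> Set[str]:
    """PEs that receive `outer`: group members for a Class D dst, one PE otherwise."""
    if outer.dst == MDT_GROUP[vrf]:
        return {pe for pe in CUSTOMER_PES[vrf] if PE_LOOPBACK[pe] != outer.src}
    return {pe for pe, lo in PE_LOOPBACK.items() if lo == outer.dst}


def core_multicast_state(design: str) -> int:
    """Multicast forwarding entries the core must hold: one group per VRF, or none."""
    return len(MDT_GROUP) if design == "multicast_domain" else 0


def compare(vrf: str, local_pe: str) -> Dict[str, dict]:
    """Copies emitted by the ingress PE, PEs reached, and core state, per design."""
    # Constructed customer packet: a site-local source sending to a customer group.
    customer_pkt = Packet("192.168.1.10", "239.1.1.1", "video frame")
    designs = {"multicast_domain": mti_encapsulate,
               "unicast_tunnel": unicast_tunnel_encapsulate}
    result = {}
    for name, encapsulate in designs.items():
        outers = encapsulate(customer_pkt, vrf, local_pe)
        reached = set().union(*(core_delivery(o, vrf) for o in outers))
        result[name] = {
            "copies_emitted": len(outers),
            "pes_reached": reached,
            "core_multicast_state": core_multicast_state(name),
        }
    return result


if __name__ == "__main__":
    for design, stats in compare("vrf-acme", "PE1").items():
        print(design, stats)
```

Both designs reach the same set of remote PEs; what differs is where the replication and the state live. The MTI design emits one packet and asks the core to hold one group per customer, while the unicast design keeps the core free of multicast state but makes the ingress PE emit one copy per remote PE, which is the replication and extra unicast traffic the slide warns about. The inner customer packet is carried unchanged in both cases, so customer group addresses never need to be unique across customers.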