Advanced VPNs


  • 8/7/2019 Advanced VPNs


    Advanced VPNs

    By,

    Pyla Naveen Kumar (M00326029)

    Arun Kumar Y (M00325442)

    Chirag Rajendran (M00323819)

    Tejaswi Jetty(M00332283)

    Kodi Venkatesh (M00333216)

    MSc Computers and Network Security


    Contents

    Introduction

    What is a VPN

    Components of VPN

    Types of VPNs

    Multicast VPN topics

    Conclusion

    References

    What is a Virtual Private Network (VPN)?

    A VPN is:

    Network connectivity across a shared infrastructure (such as an ISP).

    A private network constructed within a public network infrastructure, such as the global Internet.

    It aims to provide the same policies and "performance" as a private network, creating many opportunities for cost savings in operations and infrastructure.

    (Source: CISCO White Paper on Multicast VPNs)

    VPN Topology: How it works

    Operates at layer 2 or 3 of the OSI model:

    Layer 2: Ethernet frame

    Layer 3: IP packet

    Tunneling allows senders to encapsulate their data in IP packets that hide the routing and switching infrastructure of the Internet, to ensure data security against unwanted viewers, or hackers.

    VPN Components

    Protocols

    Security

        Encryption

        Keys

        Authentication

    Appliances

    VPN Components: Protocols

    IP Security (IPSec)

        Transport mode

        Tunnel mode

    Point-to-Point Tunneling Protocol (PPTP)

        Voluntary tunneling method

        Uses PPP (Point-to-Point Protocol)

    Layer 2 Tunneling Protocol (L2TP)

        Exists at the data link layer of the OSI model

        Combines features of PPTP and L2F (Layer 2 Forwarding)

        Compulsory tunneling method


    Example of encapsulating packets:

    VPN Components: Security

    Encryption

        Technique for scrambling and unscrambling information

        Unscrambled information is called clear-text

        Scrambled information is called cipher-text

    Keys

        Secret code that the encryption algorithm uses to create a unique version of cipher-text (key lengths of 8, 16, 56, 168 bits, ...)

    Authentication

        Determines whether the sender is the authorized person and whether the data has been redirected or corrupted (system and data authentication)

    VPN Components: Appliances

    Intrusion detection firewalls

        Monitor traffic crossing the network perimeter and protect enterprises from unauthorized access

        Packet-level firewall: checks the source and destination of each packet

        Application-level firewall: acts as a host computer between the organization's network and the Internet


    Advantages of VPN

    Extends geographic connectivity

    Boosts employee productivity

    Improves Internet security

    VPN - Types

    PPTP VPN (Dial-up VPN)

    A simple method for VPN is PPTP.

    It is a software-based VPN system that uses your existing Internet connection.

    By using your existing Internet connection, a secure "tunnel" is created between two points, allowing a remote user to connect to a remote network.

    One can set up this type of connection with various types of software or hardware.

    Windows Server has PPTP built in, and you can connect to it via the native VPN client within Windows.

    Juniper and Cisco also have this ability, but require third-party software to be loaded on remote workstations.

    It is sometimes referred to as "dial-up VPN" because when the client software connects it looks like it is dialing up.


    PPTP VPN (Dial-up VPN) Topology

    Site-to-Site VPN

    Site-to-site is much the same as point-to-point, except there is no "dedicated" line in use.

    Each site has its own Internet connection, which may not be from the same ISP or even of the same type.

    One may have a T1 while the other only has DSL.

    Unlike point-to-point, the routers at both ends do all the work. They do all the routing and encryption.

    Site-to-site VPNs can work with hardware- or software-based firewall devices.


    Site-to-Site VPN Topology

    Point-to-Point VPNs

    A traditional VPN can also come as a point-to-point. These are also referred to as "leased-line VPNs."

    Simply put, two or more networks are connected using a dedicated line from an ISP.

    These lines can be packet or circuit switched: for example, T1s, Metro Ethernet, DS3, ATM or something else.

    The main strength of using a leased line is the direct point-to-point connection.

    It does not go out over the public Internet, so its performance is not degraded by routing problems, latency, and external congestion.


    Point to Point VPNs Topology

    MPLS VPNs

    MPLS is a true "ISP-tuned" VPN. It requires two or more sites connected via the same ISP or an "on-net" connection*.

    There is a way to configure this using different ISPs or "off-net", but you never get the same performance.

    While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.

    IP Multicast

    IP Multicast is part of the TCP/IP suite of protocols. While IP Unicast uses Class A, B, and C addresses, IP Multicast uses Class D addresses.

    Multicast is an efficient paradigm for transmitting the same data to multiple receivers, because of its concept of a Group address. This allows a group of receivers to listen to the single address.

    IP Multicast packets are replicated by routers within the network when there is more than one sub-network requiring a copy of the data. IP Unicast makes the source responsible for creating an individual IP stream for each receiver. Multicast is a robust and scalable solution for group communication because of this distributed replication of data and because only one copy of the packet needs to traverse a link.

    For example, suppose a company president sends a presentation to all employees.

    IP Multicast: bandwidth for one viewer equates to bandwidth for all viewers.
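As an added illustration that is not part of the slides, the following Python model counts how many copies of one packet each link of a small router tree must carry when the source sends a separate unicast stream per receiver, versus when routers replicate a single multicast stream at branch points; the tree, router names and receiver placement are constructed for the example, and a helper checks that a group address lies in the Class D range.

```python
import ipaddress
from collections import Counter

# Constructed router tree (not from the slides): child -> parent, rooted at the
# sender's first-hop router. Receivers sit on subnets behind the leaf routers.
TOPOLOGY = {"R2": "R1", "R3": "R1", "R4": "R2", "R5": "R2", "R6": "R3"}
SOURCE_ROUTER = "R1"

def is_multicast_group(addr):
    """Class D addresses (224.0.0.0/4) are the IP Multicast group addresses."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network("224.0.0.0/4")

def path_links(router):
    """(parent, child) links traversed from SOURCE_ROUTER down to `router`."""
    links = []
    while router != SOURCE_ROUTER:
        parent = TOPOLOGY[router]
        links.append((parent, router))
        router = parent
    return links[::-1]

def unicast_link_load(receivers):
    """Unicast: the source emits one stream per receiver, so each link carries
    one copy of the packet for every receiver downstream of it."""
    load = Counter()
    for router in receivers:
        for link in path_links(router):
            load[link] += 1
    return load

def multicast_link_load(receivers):
    """Multicast: routers replicate at branch points, so a link on the
    distribution tree carries exactly one copy however many receivers follow."""
    load = Counter()
    for router in receivers:
        for link in path_links(router):
            load[link] = 1
    return load

def total_copies(load):
    """Copies of one packet sent across the whole tree (a bandwidth measure)."""
    return sum(load.values())
```

With three receivers behind R4 and one each behind R5 and R6, unicast puts four copies on the first-hop link and ten on the tree in total, while multicast puts one copy on each of the five links.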

    MPLS VPNs Topology

    Multicast Routing Protocols

    Several routing protocols were designed to work with IP Multicast. These used a "ships in the night" approach, which required a separate routing table for IP Multicast traffic.

    Distance Vector Multicast Routing Protocol (DVMRP)

        DVMRP was the first multicast routing protocol, and is an example of a source tree routing protocol.

    Multicast Open Shortest Path First (MOSPF)

        MOSPF attempted to use OSPF with multicast routing. It is also an example of a source tree routing protocol.

    Core Based Trees (CBT)

        CBTs were designed to use a shared tree to deliver multicast data, but they were never implemented beyond experimental networks.

    Multicast Modes

    Protocol Independent Multicast (PIM)

    PIM does not use a "ships in the night" approach; rather, it is designed to forward IP Multicast traffic using the standard Unicast routing table.

    There are two types of PIM protocols: Dense Mode (DM) and Sparse Mode (SM).

    PIM Dense Mode (DM)

        PIM DM is no longer a widely deployed protocol because PIM SM has proven to be the more efficient multicast

    PIM Sparse Mode (SM)

        PIM Sparse Mode has been enhanced over the years, evolving from an experimental standard to a draft standard.

        It is now the most widely deployed multicast protocol. It initially uses a shared tree, but then allows the last-hop router to join a Source tree if it so chooses.

        This is an efficient methodology, as it prevents the flooding of data and associated waste of resources, while forwarding data along the optimal path.

    Proposed Multicast VPN Solutions

    Multicast Domains

    This solution requires the provider to enable IP Multicast within its network.

    On each Provider Edge (PE) router, the provider creates a Multicast Tunnel Interface (MTI) and a Multicast VPN routing/forwarding (VRF) instance for each customer.

    The MTI encapsulates customers' Multicast data within its own Multicast packet, with a destination group that is unique for a particular customer and to which all PEs for that customer belong.

    MTI Encapsulation:
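The MTI encapsulation described above, and the packet encapsulation of the earlier "Example of encapsulating packets" slide, as an added Python model that is not part of the presentation: a customer multicast packet is wrapped in a provider IP packet whose destination is the group assigned to that customer's VRF, and the remote PE maps the outer group back to the VRF and drops anything addressed to a group no VRF owns or whose header fails its checksum. The PE address, VRF names, group assignments and the use of plain IP-in-IP (protocol 4) in place of the provider's real tunnel encapsulation are assumptions of the example.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP-in-IP: the outer packet's payload is a complete inner IP packet
PE_LOOPBACK = "10.255.0.1"  # constructed address of the encapsulating PE router
# Constructed per-customer table: each VRF owns one provider multicast group.
VRF_TO_MDT_GROUP = {"CustomerA": "239.192.0.1", "CustomerB": "239.192.0.2"}
MDT_GROUP_TO_VRF = {g: v for v, g in VRF_TO_MDT_GROUP.items()}

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; zero for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet: 20-byte header, no options, correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet):
    """Return (src, dst, proto, payload), or None if the header is malformed."""
    ihl = (packet[0] & 0x0F) * 4 if len(packet) >= 20 else 0
    if ihl < 20 or packet[0] >> 4 != 4 or len(packet) < ihl or checksum(packet[:ihl]):
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:]

def is_multicast(addr):
    return 224 <= int(addr.split(".")[0]) <= 239  # Class D: 224.0.0.0/4

def mti_encapsulate(vrf, customer_packet):
    """PE ingress: wrap a customer multicast packet in the provider group of its VRF."""
    parsed = parse_ipv4(customer_packet)
    if parsed is None or not is_multicast(parsed[1]):
        return None  # malformed or customer unicast: not carried over the MTI
    return ipv4_packet(PE_LOOPBACK, VRF_TO_MDT_GROUP[vrf], IPPROTO_IPIP, customer_packet)

def mti_decapsulate(provider_packet):
    """Remote PE egress: the outer group selects the VRF; unknown groups are dropped."""
    parsed = parse_ipv4(provider_packet)
    if parsed is None or parsed[2] != IPPROTO_IPIP:
        return None
    vrf = MDT_GROUP_TO_VRF.get(parsed[1])
    return None if vrf is None else (vrf, parsed[3])
```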

    This solution uses a tunnel interface on the PE. Unlike GRE tunnelling, this is not a point-to-point tunnel.

    This tunnel interface tracks the remote PEs and Unicasts the multicast packets to the remote PEs.

    This solution is initially attractive, because it keeps multicast state out of the core; however, it requires a large amount of replication by the PE router and creates a great deal of additional Unicast traffic.