
DECLARATION - · PDF file · 2011-11-30DECLARATION This is to certify ... mesh network, star-bus network, tree or ... logical network topology is not necessarily the same as the


DECLARATION

This is to certify that Thesis/Report entitled “VIRTUAL PRIVATE NETWORK” by me in partial fulfillment of the requirement for the award of degree B.Tech. in Computer Science And Engineering which is submitted to B------ V--------- College Of Engineering --------- University, comprises only my original work and due acknowledgement has been made in the text to all other material used.

Date: Aug 2010 Rohit Thapliyal


ACKNOWLEDGEMENT

I would like to express my gratitude to all those who gave me the possibility to complete my summer training successfully. I want to thank the ----------- for giving me permission to commence this training and to do the necessary project work and also to gain some office experience. I have furthermore to thank Mrs. ---------------- Technical Director and his colleagues under whose supervision I underwent my training.

Very sincere thanks also to MR. ------------------- , my project guide at B-------- V--------------- COLLEGE OF ENGINEERING

I would also like to express my sincere thanks to Mr--------- (HOD, CSE Deptt.) and all the other involved faculty of the college.


ABSTRACT

Students, staff and faculty increasingly connect to the campus data network via the Internet. The need to access university resources is likely to increase dramatically with the implementation of projects such as Sakai, and VPN services appear to offer solutions to related remote access requirements. Additionally, VPN services provide a secure method of improving remote access to licensed material and other university resources restricted to systems assigned a campus IP address. The workgroup examined available VPN technology and believes that SSL VPN solutions reflect a cost-effective and capable VPN solution for UC Davis. The workgroup recommends Information and Educational Technology prepare a Request for Information for an SSL VPN solution. As part of the RFI process, the workgroup further recommends that IET perform a pilot test using SSL VPN solution(s) that meet RFI specifications to ensure product conformity with our requirements for infrastructure and campus unit services and performance. The result of examination and successful testing should be a Request for Quote that permits a phased implementation based on campus size, but that does not make a commitment beyond an initial implementation level that includes current library proxy users and those users who are denied access to university resources due to network source address restrictions.


COMPUTER NETWORKS:

• Introduction

• Network classification

• Types of networks

• Basic hardware components

Definition: Computer network is a group of interconnected computers. Networks may be classified according to a wide variety of characteristics.

Introduction:

A computer network is a collection of computers and devices connected to each other. The network allows computers to communicate with each other and share resources and information. The Advanced Research Projects Agency (ARPA) designed the "Advanced Research Projects Agency Network" (ARPANET) for the United States Department of Defense. Built in the late 1960s and early 1970s, it was the first computer network in the world.

Network classification:

The following list presents categories used for classifying networks.

Connection method

Computer networks can also be classified according to the hardware and software technology that is used to interconnect the individual devices in the network, such as optical fiber, Ethernet, Wireless LAN, HomePNA, power line communication or G.hn. Ethernet uses physical wiring to connect devices. Frequently deployed devices include hubs, switches, bridges and/or routers. Wireless LAN technology is designed to connect devices without wiring. These devices use radio waves or infrared signals as a transmission medium.

ITU-T G.hn technology uses existing home wiring (coaxial cable, phone lines and power lines) to create a high-speed (up to 1 Gigabit/s) local area network.

Scale

Networks are often classified as Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), Personal Area Network (PAN), Virtual Private Network (VPN), Campus Area Network (CAN), Storage Area Network (SAN), etc. depending on their scale, scope and purpose. Usage, trust levels and access rights often differ between these types of network – for example, LANs tend to be designed for internal use by an organization's internal systems and employees in individual physical locations (such as a building), while WANs may connect physically separate parts of an organization to each other and may include connections to third parties.

Functional relationship (network architecture)


Computer networks may be classified according to the functional relationships which exist among the elements of the network, e.g., Active Networking, Client-server and Peer-to-peer (workgroup) architecture.

Network topology

Computer networks may be classified according to the network topology upon which the network is based, such as bus network, star network, ring network, mesh network, star-bus network, tree or hierarchical topology network. Network topology signifies the way in which devices in the network see their logical relations to one another. The use of the term "logical" here is significant. That is, network topology is independent of the "physical" layout of the network. Even if networked computers are physically placed in a linear arrangement, if they are connected via a hub, the network has a star topology, rather than a bus topology. In this regard the visual and operational characteristics of a network are distinct; the logical network topology is not necessarily the same as the physical layout. Networks may also be classified by the method used to convey the data: digital and analog networks.

Types of networks

Below is a list of the most common types of computer networks.

Personal area network:


A personal area network (PAN) is a computer network used for communication among computer devices close to one person. Some examples of devices that are used in a PAN are printers, fax machines, telephones, PDAs and scanners. The reach of a PAN is typically about 20-30 feet (approximately 6-9 meters), but this is expected to increase with technology improvements.

Local area network

A local area network (LAN) is a computer network covering a small physical area, like a home, office, or small group of buildings, such as a school, or an airport. Current wired LANs are most likely to be based on Ethernet technology, although new standards like ITU-T G.hn also provide a way to create a wired LAN using existing home wires (coaxial cables, phone lines and power lines).

For example, a library may have a wired or wireless LAN for users to interconnect local devices (e.g., printers and servers) and to connect to the internet. On a wired LAN, PCs in the library are typically connected by category 5 (Cat5) cable, running the IEEE 802.3 protocol through a system of interconnected devices and eventually connect to the Internet. The cables to the servers are typically on Cat 5e enhanced cable, which will support IEEE 802.3 at 1 Gbit/s. A wireless LAN may exist using a different IEEE protocol, 802.11b, 802.11g or possibly 802.11n.

The staff computers (bright green in the figure) can get to the color printer, checkout records, and the academic network and the Internet. All user computers can get to the Internet and the card catalog. Each workgroup can get to its local printer. Note that the printers are not accessible from outside their workgroup.

Typical library network, in a branching tree topology and controlled access to resources

All interconnected devices must understand the network layer (layer 3), because they are handling multiple subnets (the different colors). Those inside the library, which have only 10/100 Mbit/s Ethernet connections to the user device and a Gigabit Ethernet connection to the central router, could be called "layer 3 switches" because they only have Ethernet interfaces and must understand IP. It would be more correct to call them access routers, where the router at the top is a distribution router that connects to the Internet and academic networks' customer access routers.

The defining characteristics of LANs, in contrast to WANs (wide area networks), include their higher data transfer rates, smaller geographic range, and lack of a need for leased telecommunication lines. Current Ethernet or other IEEE 802.3 LAN technologies operate at speeds up to 10 Gbit/s. This is the data transfer rate. IEEE has projects investigating the standardization of 100 Gbit/s, and possibly 400 Gbit/s.

Campus area network

A campus area network (CAN) is a computer network made up of an interconnection of local area networks (LANs) within a limited geographical area. It can be considered one form of a metropolitan area network, specific to an academic setting.

In the case of a university campus-based campus area network, the network is likely to link a variety of campus buildings including academic departments, the university library and student residence halls. A campus area network is larger than a local area network but (in some cases) smaller than a wide area network (WAN).


The main aim of a campus area network is to facilitate students accessing internet and university resources. This is a network that connects two or more LANs but that is limited to a specific and contiguous geographical area such as a college campus, industrial complex, office building, or a military base. A CAN may be considered a type of MAN (metropolitan area network), but is generally limited to a smaller area than a typical MAN. This term is most often used to discuss the implementation of networks for a contiguous area. This should not be confused with a Controller Area Network. A LAN connects network devices over a relatively short distance. A networked office building, school, or home usually contains a single LAN, though sometimes one building will contain a few small LANs (perhaps one per room), and occasionally a LAN will span a group of nearby buildings. In TCP/IP networking, a LAN is often but not always implemented as a single IP subnet.

Metropolitan area network

A metropolitan area network (MAN) is a network that connects two or more local area networks or campus area networks together but does not extend beyond the boundaries of the immediate town/city. Routers, switches and hubs are connected to create a metropolitan area network.

Wide area network

A wide area network (WAN) is a computer network that covers a broad area (i.e. any network whose communications links cross metropolitan, regional, or national boundaries [1]). Less formally, a WAN is a network that uses routers and public communications links. Contrast with personal area networks (PANs), local area networks (LANs), campus area networks (CANs), or metropolitan area networks (MANs), which are usually limited to a room, building, campus or specific metropolitan area (e.g., a city) respectively. The largest and most well-known example of a WAN is the Internet.

A WAN is a data communications network that covers a relatively broad geographic area (i.e. one city to another and one country to another country) and that often uses transmission facilities provided by common carriers, such as telephone companies. WAN technologies generally function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer.


Global area network

A global area network (GAN) specification is in development by several groups, and there is no common definition. In general, however, a GAN is a model for supporting mobile communications across an arbitrary number of wireless LANs, satellite coverage areas, etc. The key challenge in mobile communications is "handing off" the user communications from one local coverage area to the next. In IEEE Project 802, this involves a succession of terrestrial wireless local area networks (WLAN).

Internetwork

Internetworking involves connecting two or more distinct computer networks or network segments via a common routing technology. The result is called an internetwork (often shortened to internet). An internetwork is formed when two or more networks or network segments are connected using devices that operate at layer 3 (the 'network' layer) of the OSI Basic Reference Model, such as a router. Any interconnection among or between public, private, commercial, industrial, or governmental networks may also be defined as an internetwork.

In modern practice, the interconnected networks use the Internet Protocol. There are at least three variants of internetwork, depending on who administers and who participates in them:

• Intranet

• Extranet

• Internet

Intranets and extranets may or may not have connections to the Internet. If connected to the Internet, the intranet or extranet is normally protected from being accessed from the Internet without proper authorization. The Internet is not considered to be a part of the intranet or extranet, although it may serve as a portal for access to portions of an extranet.

Intranet

An intranet is a set of networks, using the Internet Protocol and IP-based tools such as web browsers and file transfer applications, that is under the control of a single administrative entity. That administrative entity closes the intranet to all but specific, authorized users. Most commonly, an intranet is the internal network of an organization. A large intranet will typically have at least one web server to provide users with organizational information.

Extranet

An extranet is a network or internetwork that is limited in scope to a single organization or entity but which also has limited connections to the networks of one or more other usually, but not necessarily, trusted organizations or entities (e.g., a company's customers may be given access to some part of its intranet, creating in this way an extranet, while at the same time the customers may not be considered 'trusted' from a security standpoint). Technically, an extranet may also be categorized as a CAN, MAN, WAN, or other type of network, although, by definition, an extranet cannot consist of a single LAN; it must have at least one connection with an external network.

Internet

The Internet is a specific internetwork. It consists of a worldwide interconnection of governmental, academic, public, and private networks based upon the networking technologies of the Internet Protocol Suite. It is the successor of the Advanced Research Projects Agency Network (ARPANET) developed by DARPA of the U.S. Department of Defense. The Internet is also the communications backbone underlying the World Wide Web (WWW). The 'Internet' is most commonly spelled with a capital 'I' as a proper noun, for historical reasons and to distinguish it from other generic internetworks. Participants in the Internet use a diverse array of methods of several hundred documented, and often standardized, protocols compatible with the Internet Protocol Suite and an addressing system (IP addresses) administered by the Internet Assigned Numbers Authority and address registries. Service providers and large enterprises exchange information about the reachability of their address spaces through the Border Gateway Protocol (BGP), forming a redundant worldwide mesh of transmission paths.

Virtual private network


A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

A VPN may have best-effort performance, or may have a defined service level agreement (SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a topology more complex than point-to-point.

A VPN allows computer users to appear to be editing from an IP address location other than the one which connects the actual computer to the Internet.

Basic hardware components

All networks are made up of basic hardware building blocks to interconnect network nodes, such as Network Interface Cards (NICs), Bridges, Hubs, Switches, and Routers. In addition, some method of connecting these building blocks is required, usually in the form of galvanic cable (most commonly Category 5 cable). Less common are microwave links (as in IEEE 802.12) or optical cable ("optical fiber"). An ethernet card may also be required.

Network interface cards


A network card, network adapter or NIC (network interface card) is a piece of computer hardware designed to allow computers to communicate over a computer network. It provides physical access to a networking medium and often provides a low-level addressing system through the use of MAC addresses.

Repeaters


A repeater is an electronic device that receives a signal and retransmits it at a higher power level, or to the other side of an obstruction, so that the signal can cover longer distances without degradation. In most twisted pair Ethernet configurations, repeaters are required for cable which runs longer than 100 meters.


Hubs

A hub contains multiple ports. When a packet arrives at one port, it is copied unmodified to all ports of the hub for transmission. The destination address in the frame is not changed to a broadcast address.

Bridges


A network bridge connects multiple network segments at the data link layer (layer 2) of the OSI model. Bridges do not promiscuously copy traffic to all ports, as hubs do, but learn which MAC addresses are reachable through specific ports. Once the bridge associates a port and an address, it will send traffic for that address only to that port. Bridges do send broadcasts to all ports except the one on which the broadcast was received. Bridges learn the association of ports and addresses by examining the source address of frames that it sees on various ports. Once a frame arrives through a port, its source address is stored and the bridge assumes that MAC address is associated with that port. The first time that a previously unknown destination address is seen, the bridge will forward the frame to all ports other than the one on which the frame arrived.
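As an added illustration (example code, not part of the original report), the following Python models the learning, forwarding and flooding behaviour described above, with a hub alongside for contrast. Port names and MAC addresses are constructed sample values. It goes one step beyond the text by also filtering a frame whose destination is known to sit on the port it arrived from, and by bounding the forwarding table, since real bridges have a finite table and behave differently once it is full.

```python
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every other port, unconditionally."""

    def __init__(self, ports: List[str]):
        self.ports = list(ports)

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        return [p for p in self.ports if p != in_port]


class LearningBridge:
    """A transparent bridge: learns MAC->port from source addresses, forwards
    known unicast destinations to a single port, floods unknown/broadcast."""

    def __init__(self, ports: List[str], max_entries: int = 1024):
        self.ports = list(ports)
        self.max_entries = max_entries          # real bridges have a finite table
        self.table: Dict[str, str] = {}         # MAC address -> port last seen on

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        # Learning: the source address is reachable through the arrival port.
        # A full table stops learning new addresses, so traffic to those
        # addresses keeps being flooded; that is the visible sign of exhaustion.
        if src in self.table or len(self.table) < self.max_entries:
            self.table[src] = in_port
        # Broadcast or unknown destination: flood to every port but the arrival port.
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst]
        # Filtering: destination lives on the segment the frame came from; drop it.
        if out_port == in_port:
            return []
        return [out_port]


def trace(device, frames) -> List[List[str]]:
    """Feed (in_port, src, dst) frames to a device and collect the output ports."""
    return [device.receive(*frame) for frame in frames]


# Constructed sample: hosts A, B, C on ports p1, p2, p3 (hypothetical MACs).
SAMPLE_FRAMES = [
    ("p1", "00:00:00:00:00:0a", "00:00:00:00:00:0b"),  # A -> B, B unknown: flood
    ("p2", "00:00:00:00:00:0b", "00:00:00:00:00:0a"),  # B -> A, A known on p1
    ("p1", "00:00:00:00:00:0a", "00:00:00:00:00:0b"),  # A -> B, B now known on p2
    ("p3", "00:00:00:00:00:0c", BROADCAST),            # C broadcasts: flood
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub(["p1", "p2", "p3"])),
                      ("bridge", LearningBridge(["p1", "p2", "p3"]))):
        print(name, trace(dev, SAMPLE_FRAMES))
```

Running the same four frames through both devices shows the difference the text describes: the hub emits every frame on two ports every time, while the bridge floods only the first frame and the broadcast, and delivers the rest to exactly one port.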

Bridges come in three basic types:

1. Local bridges: directly connect local area networks (LANs).

2. Remote bridges: can be used to create a wide area network (WAN) link between LANs. Remote bridges, where the connecting link is slower than the end networks, largely have been replaced by routers.

3. Wireless bridges: can be used to join LANs or connect remote stations to LANs.

Switches


A switch is a device that forwards and filters OSI layer 2 datagrams (chunks of data communication) between ports (connected cables) based on the MAC addresses in the packets. This is distinct from a hub in that it only forwards the packets to the ports involved in the communication rather than to all connected ports. Strictly speaking, a switch is not capable of routing traffic based on IP address (OSI Layer 3), which is necessary for communicating between network segments or within a large or complex LAN. Some switches are capable of routing based on IP addresses but are still called switches as a marketing term. A switch normally has numerous ports, with the intention being that most or all of the network is connected directly to the switch, or to another switch that is in turn connected to a switch.

Switch is a marketing term that encompasses routers and bridges, as well as devices that may distribute traffic on load or by application content (e.g., a Web URL identifier). Switches may operate at one or more OSI model layers, including physical, data link, network, or transport (i.e., end-to-end). A device that operates simultaneously at more than one of these layers is called a multilayer switch.


Overemphasizing the ill-defined term "switch" often leads to confusion when first trying to understand networking. Many experienced network designers and operators recommend starting with the logic of devices dealing with only one protocol level, not all of which are covered by OSI. Multilayer device selection is an advanced topic that may lead to selecting particular implementations, but multilayer switching is simply not a real world design concept.

Routers

Routers are networking devices that forward data packets between networks using headers and forwarding tables to determine the best path to forward the packets.

INTRODUCTION

Virtual private network


A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

A VPN may have best-effort performance, or may have a defined service level agreement (SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a topology more complex than point-to-point.


A VPN allows computer users to appear to be editing from an IP address location other than the one which connects the actual computer to the Internet. It gives extremely secure connections between private networks linked through the Internet. It allows remote computers to act as though they were on the same secure, local network.

It is a way to use a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

It is a form of communication over networks that are public in ownership, but emulate a private network in terms of security.

A VPN is a private tunnel through the Internet that is designed to connect a remote office or employee into a main server. The virtual private network is slow because all the data sent back and forth to the server is locked down and encrypted. This is to ensure the data is secure as it travels through the vast expanse of the Internet.
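The two statements above, that a VPN tunnels link-layer traffic through a larger network but "need not have explicit security features", and that the data in the tunnel is "locked down", are easiest to see side by side. The following Python is an added example (not code from the report, and not any real VPN protocol): a bare tunnel that only encapsulates, and the same tunnel with an HMAC-SHA256 tag and a sequence check added at the receiving end. The tunnel id, key and inner frame are constructed values. Confidentiality is deliberately not shown; a real VPN such as IPsec ESP or a TLS-based VPN layers an authenticated cipher on top of the same kind of framing, and the standard library offers no such cipher.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed values for the example: a tunnel identifier and a pre-shared key.
TUNNEL_ID = 42
TUNNEL_KEY = b"example-pre-shared-key-for-demo-only"

# Outer header carried over the public network: tunnel id, sequence number, inner length.
HEADER = struct.Struct("!IIH")
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def encapsulate(inner: bytes, tunnel_id: int, seq: int) -> bytes:
    """Plain tunnelling: the inner frame becomes the payload of an outer packet.
    The tunnel id separates traffic between communities; nothing is protected."""
    return HEADER.pack(tunnel_id, seq, len(inner)) + inner


def decapsulate(packet: bytes) -> Tuple[int, int, bytes]:
    tunnel_id, seq, length = HEADER.unpack_from(packet)
    inner = packet[HEADER.size:HEADER.size + length]
    if len(inner) != length:
        raise ValueError("truncated tunnel packet")
    return tunnel_id, seq, inner


def protect(key: bytes, packet: bytes) -> bytes:
    """Authenticated tunnelling: append an HMAC-SHA256 tag over header and payload."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


class Receiver:
    """Tunnel endpoint that verifies the tag before parsing anything, then
    rejects packets for the wrong tunnel or with a stale sequence number."""

    def __init__(self, key: bytes, tunnel_id: int):
        self.key = key
        self.tunnel_id = tunnel_id
        self.last_seq = 0

    def accept(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit, or produced with a different key
        tunnel_id, seq, inner = decapsulate(body)
        if tunnel_id != self.tunnel_id or seq <= self.last_seq:
            return None  # wrong tunnel, or a replay of an already-seen packet
        self.last_seq = seq
        return inner


def demo() -> dict:
    """Compare what each tunnel does with a packet whose first payload byte was flipped."""
    frame = b"inner L2 frame: src=host-a dst=host-b payload=hello"  # constructed
    plain = encapsulate(frame, TUNNEL_ID, 1)
    corrupted = bytearray(plain)
    corrupted[HEADER.size] ^= 0x01
    plain_result = decapsulate(bytes(corrupted))[2]  # delivered, silently altered

    rx = Receiver(TUNNEL_KEY, TUNNEL_ID)
    good = protect(TUNNEL_KEY, encapsulate(frame, TUNNEL_ID, 1))
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01
    return {
        "plain_delivers_altered": plain_result != frame,
        "auth_accepts_good": rx.accept(good) == frame,
        "auth_rejects_tampered": rx.accept(bytes(tampered)) is None,
        "auth_rejects_replay": rx.accept(good) is None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The ordering in `Receiver.accept` is the point worth keeping: the tag is checked with a constant-time comparison before the header is parsed, so an unauthenticated packet never reaches the parser, and the sequence number is only advanced after the packet has been fully validated.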

VPN ACCOUNT AND CERTIFICATE:

ACCOUNT:

• Verification by HOD and Web Coordinator.

• Communicated through Email.

DIGITAL CERTIFICATE:

• The digital certificate enrollment : online through http://vpnca.nic.in/certsrv

• Mail the request ID.

• Verification and issue.

• Certificate derived from site / sent by mail.

Installing the VPN client software:

1. Install the setup ‘Windows Installer package’ for Windows XP/2000.

2. For Windows 98 the software is available at http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-win-is-3-6.6-a-k9.exe

3. The client software is in Zip format. Unzip it.

4. For Linux, the software is available at http://ftp.ren.nic.in/pub/Cisco/vpn/VPN%20client%20software/vpnclient-linux-4.6.02003-k9.tar.gz

HISTORY

Until the end of the 1990s the computers in computer networks connected through very expensive leased lines and/or dial-up phone lines. It could cost thousands of dollars for 56 kbps lines or tens of thousands for T1 lines, depending on the distance between the sites. Virtual Private Networks reduce network costs because they avoid a need for many leased lines that individually connect to the Internet. Users can exchange private data securely, making the expensive leased lines redundant.

The term VPN has been associated in the past with such remote connectivity services as the public telephone network and Frame Relay PVCs, but has finally settled in as being synonymous with IP-based data networking. Before this concept surfaced, large corporations had expended considerable resources to set up complex private networks, now commonly called Intranets. These networks were installed using costly leased line services, Frame Relay, and ATM to incorporate remote users. For the smaller sites and mobile workers on the remote end, companies supplemented their networks with remote access servers or ISDN. At the same time, the small- to medium-sized enterprises (SMEs), who could not afford dedicated leased lines, were relegated to low-speed switched services. As the Internet became more and more accessible and bandwidth capacities grew, companies began to offload their Intranets to the web and create what are now known as Extranets to link internal and external users. However, as cost-effective and quick-to-deploy as the Internet is, there is one fundamental problem – security.

Today’s VPN solutions overcome the security factor. Using special tunneling protocols and complex encryption procedures, data integrity and privacy is achieved in what seems, for the most part, like a dedicated point-to-point connection. And, because these operations occur over a public network, VPNs can cost significantly less to implement than privately owned or leased services. Although early VPNs required extensive expertise to implement, the technology has matured already to a level that makes its deployment a simple and affordable solution for businesses of all sizes, including SMEs who were previously being left out of the e-revolution. Using the Internet, companies can connect their remote branch offices, project teams, business partners, and e-customers into the main corporate network. Mobile workers and telecommuters can get secure connectivity by dialing into the POP (Point-of-Presence) of a local ISP (Internet Service Provider). With a VPN, corporations see immediate cost reduction opportunities in their long distance charges (especially important to global companies), leased line fees, equipment inventories (like large banks of modems), and network support requirements.


VPN technologies have myriad protocols, terminologies and marketing influences that define them. For example, VPN technologies can differ in:

1. The protocols they use to tunnel the traffic

2. The tunnel's termination point, i.e., customer edge or network provider edge

3. Whether they offer site-to-site or remote access connectivity

4. The levels of security provided

5. The OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity.

REQUIREMENTS:

Operating System: Windows 2000 SP4, Windows XP SP2, Windows Vista, Windows 7
Computer Requirements:
• Computer with a Pentium®-class processor or greater. In addition, x64 or x86 processors are supported for Windows XP and Windows Vista.
• 5 MB hard disk space.
• RAM:
– 128 MB for Windows 2000.
– 256 MB for Windows XP.
– 512 MB for Windows Vista.
• Microsoft Installer, version 3.

Operating System: Mac OS X, Version 10.4 or later
Computer Requirements:
• Macintosh computer¹
• 50 MB hard disk space

Requirements for VPNs

There is one very important requirement that is common to secure VPNs, trusted VPNs, and hybrid VPNs: the VPN administrator must know the extent of the VPN. Regardless of the type of VPN in use, a VPN is meant to have capabilities that the "regular" network does not. Thus, the VPN administrator must be able to know at all times what data will and will not be in the VPN.

Each of the four types of VPNs has its own additional requirements.

Secure VPN requirements

All traffic on the secure VPN must be encrypted and authenticated. Many of the protocols that are used to create secure VPNs allow the creation of VPNs that have authentication but no encryption. Although such a network is more secure than a network with no authentication, it is not a VPN because there is no privacy.

The security properties of the VPN must be agreed to by all parties in the VPN. Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.

No one outside the VPN can affect the security properties of the VPN. It must be impossible for an attacker to change the security properties of any part of a VPN, such as to weaken the encryption or to affect which encryption keys are used.

Trusted VPN requirements

No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN. The entire value of the trusted


VPN is that the customer can trust the provider to provision and control the VPN. Therefore, no one outside the realm of trust can change any part of the VPN. Note that some VPNs span more than one provider; in this case, the customer is trusting the group of providers as if they were a single provider.

No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN. A trusted VPN is more than just a set of paths: it is also the data that flows along those paths. Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN and no one other than the trusted provider can affect the data on that path. Such a change by an outside party would affect the characteristics of the path itself, such as the amount of traffic measured on the path.

The routing and addressing used in a trusted VPN must be established before the VPN is created. The customer must know what is expected of the customer, and what is expected of the service provider, so that they can plan for maintaining the network that they are purchasing.

Hybrid VPN requirements

The address boundaries of the secure VPN within the trusted VPN must be extremely clear. In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as if one department in a corporation runs its own secure VPN over the corporate trusted VPN. For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.


Different Types of VPN

A VPN supports at least three different modes of use:

Under this application only a single VPN gateway is involved. The other party involved in negotiating the secure communication channel with the VPN Gateway is a PC or laptop that is connected to the Internet and running VPN Client software. The VPN Client allows telecommuters and traveling users to communicate on the central network and access servers from many different locations.

BENEFIT : Significant cost savings by reducing the burden of long distance charges associated with dial-up access. Also helps increase productivity and peace of mind by ensuring secure network access regardless of where an employee physically is.

2. Site to site : Dedicated VPN connection established among multiple LANs. Each site requires one local leased/RF/ISDN connection to the local ISP.

With Intranet VPN, gateways at various physical locations within the same business negotiate a secure communication channel across the Internet known as a VPN tunnel. An example would be a network that exists in several buildings connected to a data center or mainframe that has secure access through private lines. Users from the networks on either side of the tunnel can communicate with one another as if it were a single network. These may need strong encryption and strict performance and bandwidth requirements.

BENEFIT : Substantial cost savings over traditional leased-line or frame relay technologies through the use of the Internet to bridge potentially long distances between sites.

3. Site-to-Site Extranet VPN - Almost identical to Intranets, except they are meant for external business partners. As such, firewall access restrictions are used in conjunction with VPN tunnels, so that business partners are only able to gain secure access to specific data / resources, while not gaining access to private corporate information.

BENEFIT : Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.

Desired VPN Features :

The workgroup found that the following characteristics are necessary for a successful UC Davis VPN implementation:

1. Available to all CyberSafe remote computers. Every vendor supported end-user platform should be able to use the VPN service, but VPN access from computing systems that are or can be compromised should be denied.

2. Easily supportable. VPN implementation must not substantially increase help desk utilization or costs.

3. Integrate with existing authentication/authorization infrastructure. The log-in procedure should be simpler and less confusing than current proxy login.

4. Security that is not “one size fits all”. The ability to assign remote users to security zones based on authorization groups is highly desirable in many circumstances. For example, SSL VPN technology could be used to enhance campus wireless security through the assignment of users to trusted and untrusted zones depending on their affiliation.

5. Granular administration. A VPN implementation that permits administrative delegation in an environment of central control would be highly desirable. A vendor solution that permits departmental participation through independent purchase of compatible equipment may also be acceptable.

6. Split tunnel services. Split tunnel services should be supported by a campus VPN implementation.

7. Browser support. The SSL VPN solution must be compatible with current Internet Web browsers, including Internet Explorer, Safari, Netscape, Opera and Firefox.

8. Monitoring and logging. Monitoring should go beyond the indispensable network utilization and error reporting level. Any VPN solution has to provide logging that is integrated with syslog services. In the case of DMCA violations, the University must be able to remove access to infringing files upon notification. For resources licensed by the UC Office of the President and the Davis campus, the University is obligated by contract to remedy abuses or suffer penalties that could include denial to future resource access for all campus users. For those reasons, it is necessary to associate user identity and activity. The obligation to remedy abuse is a requirement for departments even if they manage VPNs independently.

9. Scalability. It should be possible to begin small and economically increase capacity without degrading performance. Technical details relating to interoperation with the existing VLAN infrastructure may contribute significantly in this respect.

10. Hardened. The VPN platform should have a hardened operating system and firmware that provide no opportunities for exploits.

11. Operation 24x7x365. Every hour of the night and day, some UC Davis affiliate uses campus resources remotely, so we require a high availability platform. An active/passive configuration would provide fail-safe operation if a load balancing active/active configuration was unaffordable.

12. Supported. As a core service, VPN would require 24x7 vendor telephone support and 24x7 hardware maintenance availability.

The workgroup identified one feature, Endpoint Security Integration, which will require further analysis. While end-point security is a highly desirable function for entry to the campus network, the ability to check an operating system version, application of security patches or the currency of anti-virus detection files would likely benefit the campus as part of a broader offering, integrated into network access for wired, wireless and VPN services. Nonetheless, some SSL VPN products are capable of using the endpoint security services to check for specific programs and files needed for interoperation with particular servers and services.

Technologies Supported by VPNC

The following technologies support the requirements from the previous section. VPNC supports these technologies when they are implemented by users themselves and when they are implemented in provider-provisioned VPNs.

5.1 Secure VPN technologies

IPsec with encryption in either tunnel or transport mode. The security associations can be set up either manually or using IKE with either certificates or preshared secrets.

IPsec, short for Internet Protocol Security, can run in either transport or tunnel mode, each having significantly different implications, particularly with regard to security — tunnel mode will encrypt both the header information as well as the data transmitted, whereas transport mode will encrypt only the data. Keys must be shared by both the sender and recipient in order to correctly decrypt the transmission. IPsec works at Layer 3, or the Network Layer of the OSI Model, which enables it to operate independently of any application. An IPsec VPN creates a tunnel between two endpoints through which any number of connections and protocol types (Web, email, file transfer, VoIP) can travel. The original IP data packet is re-encapsulated so that all application protocol information is hidden during the actual transmission of the data. A typical deployment will consist of one or more VPN gateways to the secured networks. Special VPN client software must be installed on each remote access user’s computer, and each VPN client must be configured to define which packets should be encrypted and which gateway is to be used for the VPN tunnel. Once connected, the client becomes a full member of the secured network, able to see and access everything just as if that system was actually physically connected to the network.

IPsec inside of L2TP : has significant deployment for client-server remote access secure VPNs.

SSL (Secure Socket Layer) VPNs : are often referred to as transparent, or clientless, due to the lack of any additional client-side VPN software that must be explicitly installed. The SSL components required to create a secure channel from the remote system are a part of all major Web browsers, at least one of which is always already available on virtually every modern computer. The only new item that is necessary is a designated SSL VPN server, to act as the gateway between the secured network and all remote systems. The SSL protocol operates in Layer 7, the Application Layer, allowing it to act as a proxy for the secured resources. Authentication of both the client and the server is achieved during the initial handshake routine where both parties identify themselves via digital certificates. The handshake process also generates session keys which are used to encrypt all traffic sent and received during a remote access session. These technologies (other than SSL 3.0) are standardized in the IETF, and each has many vendors who have shown their products to interoperate well in the field. An SSL VPN can maintain and enforce finer-grained access control policies, to individual internal resources as well as by individual users, by intercepting all traffic between the authenticated remote system and the requested resource inside the secured network. This introduces greater flexibility since now virtually any computer with an Internet connection can be used for secure remote access — home computers, computers on customers’ premises, and even Internet cafés!

IPsec vs SSL VPNs

IPsec and SSL each have their own advantages, so what is “better” may often come down to what is most suited for your network, but many organizations are increasingly turning to SSL VPNs for the additional benefits available.

5.2 Trusted VPN technologies

Modern service providers offer many different types of trusted VPNs. These can generally be separated into "layer 2" and "layer 3" VPNs.

Technologies for trusted layer 2 VPNs include:

• ATM circuits

• Frame relay circuits

Multi-Protocol Label Switching (MPLS) : MPLS was originally presented as a way of improving the forwarding speed of routers but is now emerging as a crucial standard technology that offers new capabilities for large scale IP networks. Traffic engineering, the ability of network operators to dictate the path that traffic takes through their network, and Virtual Private Network support are examples of two key applications where MPLS is superior to any currently available IP technology.

Although MPLS was conceived as being independent of Layer 2, much of the excitement generated by MPLS revolves around its promise to provide a more effective means of deploying IP networks across ATM-based WAN backbones. The Internet Engineering Task Force is developing MPLS with draft standards expected by the end of 1998. MPLS is viewed by some as one of the most important network developments of the 1990's. This article will explain why MPLS is generating such interest.

The essence of MPLS is the generation of a short fixed-length label that acts as a shorthand representation of an IP packet's header. This is much the same way as a ZIP code is shorthand for the house, street and city in a postal address, and the use of that label to make forwarding decisions about the packet. IP packets have a field in their 'header' that contains the address to which the packet is to be routed. Traditional routed networks process this information at every router in a packet's path through the network (hop by hop routing).


In MPLS, the IP packets are encapsulated with these labels by the first MPLS device they encounter as they enter the network. The MPLS edge router analyses the contents of the IP header and selects an appropriate label with which to encapsulate the packet. Part of the great power of MPLS comes from the fact that, in contrast to conventional IP routing, this analysis can be based on more than just the destination address carried in the IP header. At all the subsequent nodes within the network the MPLS label, and not the IP header, is used to make the forwarding decision for the packet. Finally, as MPLS labeled packets leave the network, another edge router removes the labels.

In MPLS terminology, the packet handling nodes or routers are called Label Switched Routers (LSRs). The derivation of the term should be obvious; MPLS routers forward packets by making switching decisions based on the MPLS label. This illustrates another of the key concepts in MPLS. Conventional IP routers contain routing tables which are looked up using the IP header from a packet to decide how to forward that packet. These tables are built by IP routing protocols (e.g., RIP or OSPF) which carry around IP reachability information in the form of IP addresses. In practice, we find that forwarding (IP header lookup) and control planes (generation of the routing tables) are tightly coupled. Since MPLS forwarding is based on labels it is possible to cleanly separate the (label-based) forwarding plane from the routing protocol control plane. By separating the two, each can be modified independently. With such a separation, we don't need to change the forwarding machinery, for example, to migrate a new routing strategy into the network.

There are two broad categories of LSR. At the edge of the network, we require high performance packet classifiers that can apply (and remove) the requisite labels: we call these MPLS edge routers. Core LSRs need to be capable of processing the labeled packets at extremely high bandwidths.
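The label-switching behaviour just described, as an added Python model that is neither the report's nor techguide.com's code: an ingress edge LSR classifies on destination prefix and DSCP (so on more than the destination address alone) and pushes a label, core LSRs swap labels from a static label forwarding table without reading the IP header, and the egress edge LSR pops the label. The topology, prefixes, DSCP threshold and label numbers are constructed.

```python
"""Added example (not from the report or from techguide.com): a small model
of MPLS forwarding. The ingress edge LSR classifies each packet into a
forwarding equivalence class (FEC) and pushes a label, core LSRs forward on
the label alone (label swap), and the egress edge LSR pops it. The topology,
FEC rules and label numbers are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0                     # classification may use more than the destination
    labels: list = field(default_factory=list)   # label stack; the top is the last entry


class EdgeLSR:
    """Edge router. Its FEC table is the product of the control plane (here a
    static list standing in for what a routing or label protocol would build)."""

    def __init__(self, name, fec_table):
        self.name = name
        # (destination prefix, minimum DSCP, label to push, next hop); first match wins
        self.fec_table = fec_table

    def classify(self, pkt):
        for prefix, min_dscp, label, next_hop in self.fec_table:
            if ip_address(pkt.dst) in ip_network(prefix) and pkt.dscp >= min_dscp:
                return label, next_hop
        return None, None             # no FEC: the packet would be IP-routed instead

    def push(self, pkt):
        label, next_hop = self.classify(pkt)
        if label is None:
            raise LookupError(f"{self.name}: no FEC for {pkt.dst}")
        pkt.labels.append(label)
        return next_hop

    def pop(self, pkt):
        pkt.labels.pop()              # the plain IP packet leaves the MPLS network


class CoreLSR:
    """Core router. Forwarding plane only: it consults its label forwarding
    table (LFIB) and never reads the IP header."""

    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib              # incoming label -> (outgoing label, next hop)

    def switch(self, pkt):
        out_label, next_hop = self.lfib[pkt.labels[-1]]
        pkt.labels[-1] = out_label    # label swap
        return next_hop


def build_topology():
    """PE1 -> P1 -> P2 -> PE2 is the normal path to 10.2.0.0/16; packets marked
    with DSCP >= 40 (e.g. EF voice) are engineered onto PE1 -> P3 -> PE2."""
    return {
        "PE1": EdgeLSR("PE1", [("10.2.0.0/16", 40, 300, "P3"),
                               ("10.2.0.0/16", 0, 100, "P1")]),
        "P1": CoreLSR("P1", {100: (101, "P2")}),
        "P2": CoreLSR("P2", {101: (102, "PE2")}),
        "P3": CoreLSR("P3", {300: (301, "PE2")}),
        "PE2": EdgeLSR("PE2", []),
    }


def forward(pkt, routers, ingress):
    """Carry the packet from the ingress edge to the egress edge. Returns the
    routers visited and the label seen on arrival at each hop after ingress."""
    path, labels_seen = [ingress], []
    next_hop = routers[ingress].push(pkt)
    while True:
        node = routers[next_hop]
        path.append(node.name)
        labels_seen.append(pkt.labels[-1])
        if isinstance(node, CoreLSR):
            next_hop = node.switch(pkt)
        else:
            node.pop(pkt)
            return path, labels_seen


if __name__ == "__main__":
    net = build_topology()
    for dscp in (0, 46):
        print(dscp, forward(Packet("10.1.0.7", "10.2.0.5", dscp=dscp), net, "PE1"))
```

Changing an LFIB entry reroutes traffic without touching the classification at the edge, which is the control/forwarding separation the text describes.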

This is an abstract of the MPLS article contained in techguide.com. The complete article examines MPLS and the opportunities it offers to users and also to the service providers who are designing and engineering the next generation of IP networks. It also describes why new carrier-class edge devices will become a key component in the provisioning of future network services.

Technologies for trusted layer 3 VPNs include:

• MPLS with constrained distribution of routing information through BGP, as described in RFC 4364 and other related Internet Drafts.

It is widely assumed that both will become standards in the future. Also, the service provider industry has not embraced one of these technologies much more strongly than the other.

5.3 Hybrid VPN technologies

• Any supported secure VPN technologies running over any supported trusted VPN technology.

It is important to note that a hybrid VPN is only secure in the parts that are based on secure VPNs. That is, adding a secure VPN to a trusted VPN does not increase the security for the entire trusted VPN, only to the part that was directly secured. The secure VPN acquires the advantages of the trusted VPN, such as having known QoS features.

Protocols Used

The IPsec protocol incorporates three major components: the Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE).

VPN Tunneling Protocols


Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Point-to-Point Tunneling Protocol (PPTP)

Several corporations worked together to create the PPTP specification. People generally associate PPTP with Microsoft because nearly all flavors of Windows include built-in client support for this protocol. The initial releases of PPTP for Windows by Microsoft contained security features that some experts claimed were too weak for serious use. Microsoft continues to improve its PPTP support, though.

PPTP VPN Tunnel Frame Format


A PPP frame (an IP datagram, an IPX datagram, or a NetBEUI frame) is wrapped with a Generic Routing Encapsulation (GRE) header and an IP header. In the IP header is the source and destination IP address that correspond to the VPN client and VPN server.
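The frame layout described above, as an added Python example that is not the report's code: it builds an IP header, the enhanced GRE header that PPTP uses (RFC 2637) and the PPP frame inside, then parses the result back. Addresses, call ID, sequence number and the PPP frame bytes are constructed, and the IP header checksum is left at zero.

```python
"""Added example (not from the report): build and parse a PPTP data packet,
an IP header carrying the enhanced GRE header of RFC 2637 and the PPP frame
it wraps. Addresses, call ID, sequence number and PPP bytes are constructed."""
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B       # GRE protocol type used by PPTP for PPP frames
PPP_PROTO_IPV4 = 0x0021      # PPP protocol number for an IPv4 datagram


def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 for the sending stack."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       IPPROTO_GRE, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def gre_pptp_header(payload_len, call_id, seq=None, ack=None):
    """Enhanced GRE header (RFC 2637 section 4.1): K is always set and the Key
    field carries payload length and call ID; S and A mark an optional
    sequence number and acknowledgement number; version is 1."""
    flags = 0x20 | (0x10 if seq is not None else 0)      # C=0 R=0 K=1 S=?
    version = 0x01 | (0x80 if ack is not None else 0)    # A bit, version 1
    hdr = struct.pack("!BBHHH", flags, version, GRE_PROTO_PPP, payload_len, call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr


def pptp_data_packet(src, dst, call_id, seq, ppp_frame):
    """IP header | GRE header | PPP frame, as exchanged by VPN client and server."""
    gre = gre_pptp_header(len(ppp_frame), call_id, seq=seq)
    return ipv4_header(src, dst, len(gre) + len(ppp_frame)) + gre + ppp_frame


def parse_pptp_data_packet(pkt):
    """Unwrap the three layers; raises ValueError for anything that is not PPTP."""
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    ihl = (pkt[0] & 0x0F) * 4
    flags, version, proto, plen, call_id = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if proto != GRE_PROTO_PPP or version & 0x07 != 1 or not flags & 0x20:
        raise ValueError("not a PPTP enhanced GRE header")
    off, seq, ack = ihl + 8, None, None
    if flags & 0x10:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if version & 0x80:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    ppp = pkt[off:off + plen]
    return {
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "call_id": call_id, "seq": seq, "ack": ack,
        # the PPP protocol field is readable on the wire: GRE itself hides nothing
        "ppp_protocol": struct.unpack("!H", ppp[:2])[0], "ppp": ppp,
    }


# constructed PPP frame (address/control bytes omitted): protocol field + stand-in payload
SAMPLE_PPP = struct.pack("!H", PPP_PROTO_IPV4) + b"<inner IPv4 datagram bytes>"


def demo():
    pkt = pptp_data_packet("198.51.100.10", "203.0.113.1", call_id=7, seq=1,
                           ppp_frame=SAMPLE_PPP)
    return parse_pptp_data_packet(pkt)


if __name__ == "__main__":
    print(demo())
```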

Normal IP Packet without VPN

Point-to-Point Tunneling Protocol (PPTP) is a proprietary development of Microsoft intended for VPN-like communications. PPTP offers user authentication employing authentication protocols such as MS-CHAP, CHAP, SPAP, and PAP. The protocol lacks the flexibility offered by other solutions and does not possess the same level of interoperability as the other VPN protocols, but its use is easy and abundant in the real world.

PPTP PACKET

It consists of three types of communication:

• PPTP connection, where a client establishes a PPP link to an ISP.

• PPTP control connection, where the user creates a PPTP connection to the VPN server and negotiates the tunnel characteristics.

• PPTP data tunnel, where both client and server exchange communications inside an encrypted tunnel.

PPTP is commonly used for creation of secure communication channels between a large number of Windows hosts on the intranet. We have to caution you that it has a long history of insecurities and typically uses lower grade encryption ciphers, such as MD4 or DES.

Layer Two Tunneling Protocol (L2TP)

The original competitor to PPTP for VPN tunneling was L2F, a protocol implemented primarily in Cisco products. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Like PPTP, L2TP exists at the data link layer (Layer Two) in the OSI model -- thus the origin of its name. Jointly developed by Cisco, Microsoft, and 3Com, L2TP promised to replace PPTP as a major tunneling protocol. It is essentially a combination of PPTP and Cisco Layer Two Forwarding (L2F), merging both into a single standard. L2TP is used to tunnel PPP over a public IP network.

L2TP : Tunneling with IPSec Encryption


It relies on PPP to establish a dial-in connection using PAP or CHAP authentication but, unlike PPTP, L2TP defines its own tunneling protocol. Because L2TP works on Layer 2, non-IP protocols can be transported through the tunnel, and it will work on any Layer 2 media, such as ATM, Frame Relay, or 802.11. The protocol does not offer encryption by itself, but it can be used in conjunction with other protocols or application-layer encryption mechanisms to provide for security needs.

Internet Protocol Security (IPsec)

IPsec is actually a collection of multiple related protocols. It can be used as a complete VPN protocol solution or simply as the encryption scheme within L2TP or PPTP. IPsec exists at the network layer (Layer Three) of the OSI model.

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is a dual mode, end-to-end, security scheme operating between the Internet and Transport layers of the Internet Protocol Suite. It effectively acts as an additional, optional "presentation layer" considering a transport level protocol the application.

Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet. Applications don't need to be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.

IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Agency (NSA).

IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Requests for Comment addressing various components and extensions, including the official capitalization style of the term.

The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions.


• A security association (SA) is set up by Internet Key Exchange (IKE and IKEv2) or Kerberized Internet Negotiation of Keys (KINK) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec.

• Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.

• Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.

Modes of operation

IPsec can be implemented in a host-to-host transport mode, as well as in a network tunnel mode.

Transport mode

In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism.

Tunnel mode

In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create Virtual Private Networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).
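The contrast between the two modes, as an added Python example that is not from the report: it builds IPv4 packets carrying an IPsec Authentication Header (AH) in transport and tunnel mode and re-checks the integrity value after a router hop (TTL decrement) and after a NAT rewrites the source address. It goes one step beyond the text above by showing that AH fails after address translation in tunnel mode as well, since the outer header is authenticated too; the addresses, SPI, key and the HMAC-SHA256 integrity value truncated to 96 bits are constructed assumptions, not a negotiated security association.

```python
"""Added example (not from the report): IPv4 packets carrying an IPsec
Authentication Header (AH, RFC 4302) in transport and tunnel mode, with the
ICV re-checked after a router hop (TTL decrement) and after a NAT rewrites
the source address. Addresses, SPI, key and the HMAC-SHA256 ICV truncated
to 96 bits are constructed choices, not a real security association."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4     # next header "an IPv4 packet follows" (tunnel mode)
IPPROTO_AH = 51
AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12
ICV_OFFSET = 20 + AH_FIXED_LEN   # assumes a 20-byte IP header followed by the AH

def checksum(data):
    """One's-complement IPv4 header checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def ah_header(next_header, spi, seq):
    """AH with a zeroed ICV; payload length is in 32-bit words minus 2."""
    words = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + bytes(ICV_LEN)

def _icv(key, pkt):
    """ICV over the packet with the mutable IPv4 fields (TOS, flags/fragment
    offset, TTL, checksum) and the ICV field zeroed (RFC 4302 section 3.3.3.1)."""
    b = bytearray(pkt)
    b[1], b[8] = 0, 0
    b[6:8], b[10:12] = b"\x00\x00", b"\x00\x00"
    b[ICV_OFFSET:ICV_OFFSET + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(b), hashlib.sha256).digest()[:ICV_LEN]

def _seal(key, pkt):
    return pkt[:ICV_OFFSET] + _icv(key, pkt) + pkt[ICV_OFFSET + ICV_LEN:]

def ah_transport(key, spi, seq, ip_packet):
    """Transport mode: AH goes behind the original IP header, which stays
    visible to routers but is covered by the ICV, addresses included."""
    src, dst = str(IPv4Address(ip_packet[12:16])), str(IPv4Address(ip_packet[16:20]))
    ah, payload = ah_header(ip_packet[9], spi, seq), ip_packet[20:]
    hdr = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(payload), ttl=ip_packet[8])
    return _seal(key, hdr + ah + payload)

def ah_tunnel(key, spi, seq, ip_packet, gw_src, gw_dst):
    """Tunnel mode: the whole original packet becomes the payload of a new
    packet whose outer header carries the two gateway addresses."""
    ah = ah_header(IPPROTO_IPIP, spi, seq)
    hdr = ipv4_header(gw_src, gw_dst, IPPROTO_AH, len(ah) + len(ip_packet))
    return _seal(key, hdr + ah + ip_packet)

def ah_verify(key, pkt):
    received = pkt[ICV_OFFSET:ICV_OFFSET + ICV_LEN]
    return pkt[9] == IPPROTO_AH and hmac.compare_digest(received, _icv(key, pkt))

def _with_checksum(b):
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", checksum(bytes(b[:20])))
    return bytes(b)

def router_hop(pkt):
    """What every router does in flight: decrement TTL and fix the checksum."""
    b = bytearray(pkt)
    b[8] -= 1
    return _with_checksum(b)

def nat_source(pkt, new_src):
    """What a NAT does in flight: rewrite the source address and fix the checksum."""
    b = bytearray(pkt)
    b[12:16] = IPv4Address(new_src).packed
    return _with_checksum(b)

def demo():
    key = b"constructed-integrity-key-not-for-real-use"
    udp = struct.pack("!HHHH", 5000, 53, 8, 0)       # constructed 8-byte UDP header
    inner = ipv4_header("10.1.0.7", "10.2.0.5", 17, len(udp)) + udp   # proto 17 = UDP
    t = ah_transport(key, 0x1001, 1, inner)
    u = ah_tunnel(key, 0x1002, 1, inner, "203.0.113.1", "198.51.100.1")
    return {
        "transport_ok": ah_verify(key, t),
        "transport_after_router": ah_verify(key, router_hop(t)),     # TTL is mutable: True
        "transport_after_nat": ah_verify(key, nat_source(t, "192.0.2.9")),  # False
        "tunnel_ok": ah_verify(key, u),
        "tunnel_after_router": ah_verify(key, router_hop(u)),
        "tunnel_after_nat": ah_verify(key, nat_source(u, "192.0.2.9")),     # False as well
        "tunnel_inner_intact": u[ICV_OFFSET + ICV_LEN:] == inner,
    }
```

This is why NAT traversal for IPsec (NAT-T, mentioned above) is defined for ESP in UDP encapsulation rather than for AH.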


GRE

Generic Routing Encapsulation (GRE) is a Cisco-developed protocol that is used in networking to tunnel traffic between different private networks. This includes non-IP traffic that cannot be carried across the network in its native form. Even though it does not provide any encryption by itself, it does provide efficient low-overhead tunneling. GRE is often used in conjunction with network-layer encryption protocols to accommodate both features provided by GRE, such as encapsulation of non-IP protocols, and encryption provided by other protocols, such as IPSec.

GRE tunnels are designed to be completely stateless. This means that each tunnel end-point does not keep any information about the state or availability of the remote tunnel end-point. A consequence of this is that the local tunnel end-point router does not have the ability to bring the line protocol of the GRE tunnel interface down if the remote end-point is unreachable. The ability to mark an interface as down when the remote end of the link is not available is used in order to remove any routes (specifically static routes) in the routing table that use that interface as the outbound interface. Specifically, if the line protocol for an interface is changed to down, then any static routes that point out that interface are removed from the routing table. This allows for the installation of an alternate (floating) static route or for policy-based routing (PBR) to select an alternate next-hop or interface.

Normally, a GRE tunnel interface comes up as soon as it is configured, and it stays up as long as there is a valid tunnel source address or a source interface which is up. The tunnel destination IP address must also be routable. This is true even if the other side of the tunnel has not been configured. This means that a static route or PBR forwarding of packets via the GRE tunnel interface remains in effect even though the GRE tunnel packets do not reach the other end of the tunnel.
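To make the GRE framing described above concrete, the following Python (an example added for this page, not code from the report or from any vendor's implementation) builds and parses an RFC 2784 GRE header and shows that the encapsulated payload travels in clear, which is why the text pairs GRE with IPSec for confidentiality. The protocol-type constants are the standard EtherType values; the payload bytes are constructed sample data.

```python
import struct

# Standard EtherType values carried in the GRE protocol type field.
GRE_PROTO_IPV4 = 0x0800   # IPv4
GRE_PROTO_IPX = 0x8137    # IPX, a non-IP protocol GRE can tunnel

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data, as used by the optional GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, protocol_type: int, checksum: bool = False) -> bytes:
    """Wrap payload in an RFC 2784 GRE header: 2 bytes flags/version,
    2 bytes protocol type, plus 4 optional bytes (checksum, reserved1)."""
    flags = 0x8000 if checksum else 0      # bit 0 = C (checksum present); version 0
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        # Checksum covers the GRE header (checksum field zeroed) and the payload.
        cs = ones_complement_sum(header + b"\x00" * 4 + payload)
        header += struct.pack("!HH", cs, 0)
    return header + payload

def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE packet, returning protocol type, payload and checksum status."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 (RFC 2784) is handled here")
    if flags & 0x7C00:
        # RFC 2784: a receiver must discard packets with reserved bits 1-5 set.
        raise ValueError("reserved0 bits set; discarding")
    offset = 4
    checksum_ok = None   # None means no checksum was present
    if flags & 0x8000:
        if len(packet) < 8:
            raise ValueError("checksum flag set but header truncated")
        # Summing the whole packet, checksum included, yields 0 when it is intact.
        checksum_ok = ones_complement_sum(packet) == 0
        offset = 8
    return {"protocol_type": protocol_type, "payload": packet[offset:],
            "checksum_ok": checksum_ok}

def payload_is_visible(packet: bytes, payload: bytes) -> bool:
    """GRE adds no confidentiality: the inner payload appears verbatim on the wire."""
    return payload in packet
```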

VPNs IN MOBILE ENVIRONMENTS:

Mobile VPNs handle the special circumstances when an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points. Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and criminal databases, as they travel between different subnets of a mobile network. They are also used in field service management and by healthcare organizations, among other industries.

Increasingly, mobile VPNs are being adopted by mobile professionals and white-collar workers who need reliable connections. They allow users to roam seamlessly across networks and in and out of wireless-coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot survive such events because the network tunnel is disrupted, causing applications to disconnect, time out, or fail, or even cause the computing device itself to crash.

Instead of logically tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a permanently associated IP address at the device. The mobile VPN software handles the necessary network authentication and maintains the network sessions in a manner transparent to the application and the user. The Host Identity Protocol (HIP), under study by the Internet Engineering Task Force, is designed to support mobility of hosts by separating the role of IP addresses for host identification from their locator functionality in an IP network. With HIP a mobile host maintains its logical connections established via the host identity identifier while associating with different IP addresses when roaming between access networks.

ADVANTAGES AND DISADVANTAGES OF VPN:


Advantages of VPN

►Enhanced security. When you connect to the network through a VPN, the data is encrypted and kept secure, so the information stays out of attackers' view.

►Remote access. For a company, the great advantage of having a VPN is that information can be accessed remotely, from home or from any other place. That is why a VPN can increase productivity within a company.

►File sharing. A VPN service can be used when a group needs to share files over a long period of time.

►Online anonymity. Through a VPN you can browse the web in complete anonymity. Compared to IP-hiding software or web proxies, the advantage of a VPN service is that it allows you to access both web applications and websites anonymously.

►Unblock websites and bypass filters. VPNs are used for accessing blocked websites or for bypassing Internet filters, which is why VPN services are increasingly used in countries where Internet censorship is applied.

►Change IP address. If you need an IP address from another country, a VPN can provide one.

►Better performance. Bandwidth and efficiency of the network can generally be increased once a VPN solution is implemented.

►Reduced costs. Once a VPN is created, the maintenance cost is very low. Moreover, if you opt for a service provider, network setup and monitoring are no longer your concern.

►Firewall connection: Your system is often targeted by attackers who may misuse your private data. With a VPN account, however, that activity is not directed at your own IP address, because your specific IP address is unlikely to be seen. Your computer stays protected, as attackers reach the VPN server's IP address instead: an attacker who believes they are attacking your home computer's IP address is in fact attacking the business IP address.

►Access from anywhere in the world: Often in Gulf countries and in numerous other countries, for instance China, Singapore, Myanmar, Syria, Yemen, Korea, etc., you have to deal with numerous restrictions. With a VPN account, you can surf the Internet freely, without those restrictions.

►Highest level of security against password theft: Your VPN account also safeguards your system from password theft, allowing you to browse the web without worry, even over a Wi-Fi connection.

Disadvantages of VPN

►Lack of security: VPN message traffic is carried on public networking infrastructure, e.g. the Internet, or over a service provider's network, which means circulating corporate data, one of your most valuable assets, on the line (literally). Even though many methods and technologies are available to ensure data protection (such as encryption), the level of concern about Internet security is quite high and data in transit is vulnerable to attackers. The use of VPNs at this moment still requires an in-depth understanding of public network security issues.

►Less bandwidth than a dedicated line: The other major downside of VPNs relates to guaranteeing adequate bandwidth for the work being done. Every use of the Internet consumes bandwidth; the more users there are, the less bandwidth there is for any single user. Some VPN service providers offer guaranteed bandwidth, and private networks can be built with guaranteed bandwidth allocations; however, these options increase the cost of the system.

►The need to accommodate protocols other than IP and existing ("legacy") internal network technology: IP applications were designed for low-latency, high-reliability networks. An increasing number of real-time, interactive applications are being used on the network. Although some applications can be tuned to allow for increased latency, many of the applications tested cannot be easily adjusted or cannot be adjusted at all, making the use of the application problematic.

►Other pitfalls to consider:

• VPN technologies from different vendors may not work well together due to differing standards compliance or immature standards.

• VPNs are more prone to Internet connectivity problems.

• The availability and performance of an organization's wide-area VPN (over the Internet in particular) depend on factors largely outside of its control.

• Understanding of security issues

• Unpredictable Internet traffic

• Less bandwidth as compared to leased lines

• Difficult to accommodate products from different vendors

Limitations of VPN

Although the VPN Service should enable you to access many restricted resources from outside the network, it does have some limitations. As a result of these limitations, we recommend that you use the VPN connection only when you need to access resources that you would otherwise be unable to access and that you terminate the connection as soon as you have finished accessing these resources. Most of the limitations arise because while the VPN connection is active, the PC behaves as if it were part of the Oxford University network, and therefore some resources that are local to it may not be available while the connection is active. Some particular limitations are listed below.

►If you are making the VPN connection over a dial-up internet connection that uses a standard modem and phone line, you may find that some services are very slow. In particular this may be the case if you are using the full version of OxLIP (as opposed to the web version) which may take 10 minutes or more just to start up. If you find this to be the case and you really need access to the full version of OxLIP, consider increasing the speed of your underlying internet connection, e.g. by switching to a broadband connection.

►While the VPN connection is active you are unlikely to be able to print to any printer unless it is directly attached to your PC. To get around this problem, save or copy information that you require into a file on your computer and print it once the VPN connection is closed.

57

Page 58: DECLARATION -  · PDF file · 2011-11-30DECLARATION This is to certify ... mesh network, star-bus network, tree or ... logical network topology is not necessarily the same as the

►If the PC that you are using is connected to a network, make sure that you close any files that are stored on servers on that network before making the VPN connection because you will not be able to access them when the connection is active. If you need to copy or save information into a file while the connection is active, save the file onto the local hard disk of the PC, or onto floppy disk, zip disk etc.

►If the PC that you are using is connected to a network and you are running software that is located on servers on that network rather than locally on the PC, again you will not be able to access this software while the VPN connection is active, so we recommend that you close any such programs before making the connection.

►If you connect to the Internet using a dial-up service, you probably won't be able to send out e-mail via your service provider while the connection is active.

►If you are connecting from behind a firewall you may have problems either establishing the connection in the first place, or you may find that you can make the connection but then you cannot access anything over the internet. Please contact OUCS for more information on specific ports used by the VPN connection.

Study of VPN in NIC

In large organizations such as NIC (National Informatics Centre), VPN services are used to a great extent. VPN servers are set up at NIC, from where the VPN service is provided all around the world. Requests for the VPN service are sent to NIC by people from all over the world, who are then made VPN clients. A proper procedure is followed in enrolling a VPN client: a digital certificate is issued to the client, which has an expiry date linked to it and must be renewed periodically. Complete records of each VPN client, including the sites they want to access, are maintained by the organization. The VPN service is then provided, and a username and password are issued to the VPN client. Thus the clients can securely access the network. NIC attends to all problems related to the VPN services, and maintains sites such as www.inoc.nic.in for this purpose.

FUTURE PROSPECTS

In future, VPNs will be used in more areas, such as:

►Sales professionals, field technical specialists and others working from remote offices.

►Employees who are required to work from home frequently.

►Employees whose time spent online exceeds an average of 20 hours per week.

►Executive and key management personnel who frequently need access from home.

►Support personnel who need remote access to the JnJ Network to carry out business-critical activities.

►VPNs are continually being enhanced. Example: Equant NV.

►As the VPN market grows, more applications will be created, along with more VPN providers and new VPN types.

►Networks are expected to converge to create an integrated VPN.

►Improved protocols are expected, which will also improve VPNs.

CONCLUSION:

In a nutshell, a VPN is exactly what its name suggests, a pseudo-private network. Instead of building a SECURED PHYSICAL CONNECTION directly to the mobile employees (which is a very expensive proposition, not to mention inflexible), VPN makes use of the VERY PUBLIC and VERY UNSECURED Internet to connect the employees to the office securely.

VPNs are increasingly becoming an everyday part of life on the Internet. Many people use them to gain access to many of the systems in their offices, such as e-mail and intranets. This trend is certain to become more popular as many companies are finding it cheaper for their employees to work from home, relieving them of the need to lease additional office space.

Site-to-site VPNs will also continue to be deployed as companies, both small and large, find it increasingly necessary to share access to their business systems. One notable area is IP telephony, where VPNs enable all remote offices to use a single IP switchboard at the centre of a VPN hub-and-spoke network. Intra-office communication is therefore encrypted, and the use of a single switchboard saves costs.

Knowledge of VPNs is now indispensable for systems administrators. We have seen in this tutorial the two main ways a VPN is used today, as well as the three main protocols that are used. PPTP is particularly useful for RoadWarrior connections. L2TP is similar but also has the ability to encapsulate all types of network traffic and can therefore route everything, even protocols that normally cannot be routed without encapsulation.

IPSec is ideal for LAN-to-LAN tunnels as it offers security at each layer of the communication. IPSec, with its integration into IPv6, will become the most widely used tunnelling protocol in both VPN domains (LAN-to-LAN and RoadWarrior). One thing to focus on is the encryption you use with your VPN connection, so that your data is actually encrypted.

A VPN is a network that uses public telecommunication infrastructure for the following purposes:

1. It helps extend geographic connectivity.

2. It reduces the cost of WAN connections.

3. It helps increase mobility.

4. It reduces transit time.

COLLEGE PROFILE:

B--------- V------------- College of Engineering is an engineering college located in India. Its parent body is University, and it shares its infrastructure with Institute of Computers and Management. It is affiliated with ---------. It is one of the leading engineering colleges in. The institute conducts training programmes in collaboration with leading multinational companies in the areas of VLSI and embedded systems. The institute also conducts in-plant training programmes for the students in view of the campus recruitment programmes, attempting to match future aspirations with the expectations of the corporate sector.

It offers the B.Tech engineering degree in the following streams:

1. Electronics & Communication Engineering - 120

2. Computer Science & Engineering - 60

3. Information Technology Engineering - 60

4. Electrical & Electronics Engineering - 60

5. Instrumentation & Control Engineering - 60

BIBLIOGRAPHY:

2. Cisco's CCNA, all modules, for networking information.

3. Virtual Private Networks: Technologies and Solutions, and Virtual Private Networks: Making the Right Connection, books for VPN-related material.

http://www.inoc.nic.in

http://www.vpnserver.nic.in

http://www.vpn-info.com/disadvantages_of_vpn.htm

http://en.wikipedia.org/wiki/VPN


INDEX

Topics                                    Page no.

1) ABSTRACT                               1

2) INTRODUCTION OF VPN                    28

3) HISTORY OF VPN                         31

4) DIFFERENT TYPES OF VPN                 36

5) TECHNOLOGIES SUPPORTED BY VPN          42

6) PROTOCOL USED                          47

7) ADVANTAGES AND DISADVANTAGES OF VPN    59

8) LIMITATIONS                            62

9) FUTURE EXPANSION                       65

10) CONCLUSION                            66

11) ORGANISATION PROFILE                  68

12) COLLEGE PROFILE                       73

13) BIBLIOGRAPHY                          76