Virtual Private Networks BAD 64046 Vladislav Hrosinkov 4/30/2003


Page 1: Virtual Private Networks

Virtual Private Networks

BAD 64046, Vladislav Hrosinkov

4/30/2003

Page 2: Virtual Private Networks

Traditional Corporate WAN

Traditional corporate WANs are built using private lines or private Frame Relay/ATM.

The remote access needs are accommodated by remote access servers and modems. The users dial in through the public switched telephone network.

Page 3: Virtual Private Networks

Traditional corporate WAN

Main advantages:
- Predictable bandwidth
- Security and privacy

Main disadvantages:
- High telecommunication costs
- Not easily scalable

Page 4: Virtual Private Networks

Virtual Private Network

Definition - A VPN is a private network constructed within the public Internet.

Goals:
- Connect private networks using shared public infrastructure
- Simplify distributed network creation

Desirable properties:
- Security – an obvious issue, because a public network (the Internet) becomes a physical part of the private network
- Quality of service guarantees

Page 5: Virtual Private Networks

VPN Architectures

Site-to-site intranet VPNs - Connect different networks. A VPN gateway is located at the boundary between a private corporate network and the public Internet

Page 6: Virtual Private Networks

VPN Architectures

Remote access VPNs – Enable remote connectivity using any Internet access technology. The remote user launches the VPN client to create a VPN tunnel to the gateway

Page 7: Virtual Private Networks

VPN Architectures

Extranet VPNs – Provide customers and suppliers with access to the corporate LAN. VPN tunnels are created through the Internet between the corporate gateway and a gateway or a client located in a partner’s network

Page 8: Virtual Private Networks

Tunneling

Tunnel – A logical link between the tunnel client and the tunnel server; the path through which the packets travel.

Tunneling is the process of encapsulating a packet (placing an entire packet within another packet, which provides the routing information) and sending it over the Internet.

Tunnels serve three major purposes in VPNs:
- To enable different protocols to be transported over IP
- To route privately addressed packets through the Internet
- To provide data integrity and confidentiality

Page 9: Virtual Private Networks

Tunneling Example: If node C takes the original packet and places it completely within a new packet addressed for node G, the nodes D, E and F would not know the original destination, I.
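To make the slide's example concrete, here is an added Python walkthrough (not code from the original deck) of plain IP-in-IP encapsulation: node C wraps the original packet in a new IPv4 packet addressed to G, transit routers D, E and F parse only the outer header, and G strips it before forwarding to I. The node addresses, the UDP payload and the single-hop "router" loop are constructed for the example; the header layout and checksum follow RFC 791 and the IP-in-IP protocol number follows RFC 2003.

```python
import socket
import struct

# Constructed addresses for the slide's nodes (not from the original deck):
# A is a host behind gateway C, I is a host behind gateway G; D, E, F are transit routers.
NODE_A, NODE_C, NODE_G, NODE_I = "10.1.0.5", "203.0.113.3", "198.51.100.7", "10.2.0.9"
IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the outermost IPv4 header; this is all a transit router ever looks at."""
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:  # a valid header sums to zero including its checksum field
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (node C): wrap the whole original packet in a new IP packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, expected_dst: str) -> bytes:
    """Tunnel exit (node G): strip the outer header and hand back the original packet."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != expected_dst or hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("packet is not a tunnel packet for this gateway")
    return hdr["payload"]


def tunnel_demo() -> dict:
    """Walk the slide's example: A -> C (encapsulate) -> D, E, F -> G (decapsulate) -> I."""
    original = build_ipv4(NODE_A, NODE_I, 17, b"hello from A")  # 17 = UDP; payload is constructed
    tunneled = encapsulate(original, NODE_C, NODE_G)
    # D, E and F forward on the outer header only, so the destination they see is G, never I
    seen_by_transit = [parse_ipv4(tunneled)["dst"] for _router in ("D", "E", "F")]
    delivered = decapsulate(tunneled, NODE_G)
    inner = parse_ipv4(delivered)
    return {"transit_sees": seen_by_transit, "inner_src": inner["src"], "inner_dst": inner["dst"],
            "payload": inner["payload"], "overhead_bytes": len(tunneled) - len(original)}


if __name__ == "__main__":
    print(tunnel_demo())
```

Note that this bare IP-in-IP tunnel hides the inner addresses from the transit routers only in the sense that they do not route on them; the inner packet is carried in the clear, which is why the later slides put IPSec on top of the tunnel.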

Page 10: Virtual Private Networks

Tunneling protocols

PPTP (Point-to-Point Tunneling Protocol)
- Developed by Microsoft and other companies
- Layer 2 protocol
- For encapsulation uses the GRE (Generic Routing Encapsulation) protocol
- Voluntary tunneling (the VPN client manages connection setup)
- Disadvantage: does not provide strong encryption

Page 11: Virtual Private Networks

Tunneling Protocols

L2F (Layer 2 Forwarding Protocol)
- Developed by Cisco and other vendors
- Layer 2 protocol
- Compulsory tunneling: no VPN client, the Internet service provider manages the VPN connection
- Can use any packet-oriented protocol for encapsulation
- Tunnels can support more than one connection
- Disadvantage: does not define encryption for the encapsulated packet

Page 12: Virtual Private Networks

Tunneling Protocols

L2TP (Layer 2 Tunneling Protocol)
- Combines features of the previous two to overcome their shortcomings and become a standard
- Supports both voluntary and compulsory tunneling
- Has its own encapsulation protocol
- Again lacks good security features. The current L2TP draft standard recommends that IPSec be used for encryption and key management in IP environments.

Page 13: Virtual Private Networks

Tunneling Protocols

IPSec
- Probably the most important protocol used in VPNs
- Layer 3 protocol. Provides the sender with the opportunity to authenticate or encrypt (or both) each IP packet.
- Two methods of using IPSec (modes):
  - Transport mode – only the transport-layer segment of an IP packet is authenticated or encrypted
  - Tunnel mode – the entire packet is authenticated or encrypted

Page 14: Virtual Private Networks

Tunneling Protocols

IPSec (cont.)
- Supports the AH (Authentication Header) protocol for per-packet authentication
- Supports the ESP (Encapsulating Security Payload) protocol for authentication, encryption and anti-replay
- Either one or both can be used
- Uses a number of standardized cryptographic technologies
- Supports both manual key exchange and the IKE (Internet Key Exchange) protocol for automated key management

IPSec is considered the best VPN solution for IP environments.
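The two receive-side mechanisms the slide lists, per-packet authentication and anti-replay, are easy to get subtly wrong, so here is an added Python example (not from the deck) of an AH-style receiver: each packet carries an SPI, a sequence number and an HMAC-SHA-256 ICV over everything before it, and the receiver keeps the 64-entry sliding anti-replay window described in RFC 4302/4303 section 3.4.3. The key, SPI and packet stream are constructed for the example; the ICV truncation to 128 bits follows RFC 4868. The point worth studying is the order of operations in `Receiver.receive`: the window is checked before the ICV is verified but only advanced after it, so a forged packet with a high sequence number cannot push genuine traffic out of the window.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (not from the slides): a 32-byte SA key and an SPI.
SA_KEY = bytes(range(32))
SA_SPI = 0x1001
ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as RFC 4868 specifies for IPsec


class ReplayWindow:
    """Sliding anti-replay window: bit i of `bitmap` set means sequence number
    (highest - i) has already been accepted. Width 64, the RFC 4303 default."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0  # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Preliminary check, done BEFORE the ICV is verified. Never mutates state."""
        if seq == 0:
            return False  # 0 is never a valid AH/ESP sequence number
        if seq > self.highest:
            return True  # to the right of the window: new
        offset = self.highest - seq
        if offset >= self.size:
            return False  # fell off the left edge: too old
        return not (self.bitmap >> offset) & 1  # inside the window: reject if already seen

    def update(self, seq: int) -> None:
        """Advance the window. Only called once the packet has authenticated."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side, AH style: SPI | SEQ | payload | ICV, with the ICV covering all bytes before it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.window = key, spi, ReplayWindow()

    def receive(self, pkt: bytes) -> str:
        """Returns a verdict. Order matters: cheap replay check, then ICV, then window update."""
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return "unknown SPI"
        if not self.window.check(seq):
            return "replayed or outside window"
        body, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, pkt[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad ICV"  # forged or modified: do NOT touch the window
        self.window.update(seq)
        return "accepted"


def replay_demo() -> list:
    """Feed a constructed stream (in-order, replayed, reordered, forged) to one receiver."""
    rx = Receiver(SA_KEY, SA_SPI)

    def good(seq: int) -> bytes:
        return protect(SA_KEY, SA_SPI, seq, b"payload %d" % seq)

    forged = bytearray(good(71))
    forged[8] ^= 0x01  # flip one payload bit, keep the original ICV
    stream = [(1, good(1)), (2, good(2)), (3, good(3)),
              (2, good(2)),           # straight replay of an accepted packet
              (70, good(70)),         # jumps ahead: window now covers 7..70
              (5, good(5)),           # 65 behind the right edge: outside a 64-wide window
              (10, good(10)),         # 60 behind: late but inside the window, accepted once
              (71, bytes(forged)),    # forged: must be dropped without advancing the window
              (71, good(71)),         # the genuine 71 still gets through afterwards
              (71, good(71))]         # ...but only once
    return [(seq, rx.receive(pkt)) for seq, pkt in stream]


if __name__ == "__main__":
    for seq, verdict in replay_demo():
        print(seq, verdict)
```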

Page 15: Virtual Private Networks

VPNs - Performance

IPSec solves the problem of VPN security, but performance remains an issue. VPN performance depends on:
- The speed of transit through the Internet – the public Internet cannot provide guaranteed levels of response time and reliability. Some service providers offer quality of service agreements.
- The efficiency of the VPN processing at each end of the connection. Encapsulation and encryption require adding data fields to each packet – longer packets, and a greater likelihood of fragmentation. Encryption is very computationally intensive and must be performed on products that are optimized for these functions.
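The fragmentation point above becomes tangible once the per-packet overhead is written out, so here is an added Python calculation (not from the deck) for ESP in tunnel mode: the outer IPv4 header, the 8-byte SPI/sequence header, an explicit IV, the padding that ESP requires so that the payload plus its 2-byte trailer ends on a cipher block boundary (RFC 4303 section 2.4), and the ICV. The cipher parameters (16-byte block and IV, 16-byte ICV) and the 1500-byte MTU are assumptions chosen to match a common AES-CBC/HMAC configuration on Ethernet.

```python
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # Pad Length (1 byte) + Next Header (1 byte)
IPV4_HEADER = 20  # outer tunnel-mode header without options


def esp_tunnel_size(inner_len: int, cipher_block: int = 16, iv_len: int = 16, icv_len: int = 16) -> dict:
    """Size of an ESP tunnel-mode packet wrapped around an inner IP packet of inner_len bytes.
    Assumes a CBC-style cipher with an explicit IV (defaults match AES-CBC) and a 16-byte ICV.
    The encrypted region (inner packet + padding + trailer) must be a whole number of cipher blocks."""
    pad = (-(inner_len + ESP_TRAILER)) % cipher_block
    encrypted = inner_len + pad + ESP_TRAILER
    total = IPV4_HEADER + ESP_HEADER + iv_len + encrypted + icv_len
    return {"total": total, "pad": pad, "overhead": total - inner_len}


def max_inner_len(mtu: int = 1500, **cipher) -> int:
    """Largest inner packet whose ESP tunnel-mode encapsulation still fits the link MTU.
    Padding makes the size non-monotonic in steps, so scan down instead of solving a formula."""
    n = mtu
    while esp_tunnel_size(n, **cipher)["total"] > mtu:
        n -= 1
    return n


def fragmentation_report(inner_len: int, mtu: int = 1500) -> dict:
    """Will an inner packet of this size force the gateway to fragment, and what TCP MSS avoids it?"""
    size = esp_tunnel_size(inner_len)
    limit = max_inner_len(mtu)
    return {"encapsulated": size["total"], "overhead": size["overhead"],
            "fragments": size["total"] > mtu, "max_inner": limit,
            "tcp_mss_to_advertise": limit - 40}  # 20-byte inner IP header + 20-byte TCP header


if __name__ == "__main__":
    # A full-size 1500-byte packet from the LAN no longer fits the 1500-byte Internet link.
    print(fragmentation_report(1500))
```

The report shows why VPN gateways typically clamp the TCP MSS on traffic entering the tunnel: a 1500-byte inner packet grows to 1564 bytes and must be fragmented, while capping the inner size at 1438 bytes (MSS 1398) keeps every encapsulated packet at or under the MTU.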

Page 16: Virtual Private Networks

VPN Gateways
- A key element of a VPN
- Sit between the public and private network, preventing intrusions
- Can also perform tunneling and encryption
- Generally fit into one of the following categories: routers, firewalls, integrated hardware, software
  - Routers – usually preferred for high-throughput VPNs
  - Firewalls – can provide tunneling and encryption only on small VPNs with low traffic
  - Integrated hardware – some provide a very high throughput and number of tunnels
  - Software gateways – usually low-cost solutions for small VPNs

Page 17: Virtual Private Networks

VPNs - Advantages

- Eliminate the need for expensive private or leased lines
- Reduce long-distance telephone charges
- Reduced equipment costs (modem banks, CSU/DSUs)
- Reduced technical support
- Scalability – easy adding of new locations to the VPN
- Security

Page 18: Virtual Private Networks

VPNs - Disadvantages

Require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment

The availability and performance of a corporate VPN (over the Internet) depends on uncontrollable external factors.

Shortage of standardization. The products from different vendors may not work well together.

VPNs need to accommodate complicated protocols other than IP

Page 19: Virtual Private Networks

VPNs – Global Market 1997-2001

[Two bar charts; only their labels survive extraction. "VPN Services": y-axis $M ($0 to $40,000), x-axis 2000 to 2004, series Managed CPE, Unmanaged, Managed Cloud. "VPN Equipment": y-axis $M ($0 to $4,000), x-axis 2000 to 2004. Source: Infonetics Research, June 2000]

In 2000 – VPN Hardware $1.2 B, VPN Services $5.1 B

Page 20: Virtual Private Networks

VPN Market – Major Players
- Check Point – 62%
- Nortel – 15%
- Net Screen – 6%
- Avaya – 4%

Source: Data Monitor, June 2001

Page 21: Virtual Private Networks

VPNs – Some Implications

Facilitate place-displacement work

Facilitate the creation of virtual corporations

Page 22: Virtual Private Networks

VPNs – Future?

Forecasts predict fast growth in the next 5 years

The future of VPNs depends mainly on the savings they provide

What if the telecommunication costs continue to drop?

Page 23: Virtual Private Networks

Sources
- Yuan, R., Strayer, T. “Virtual private networks”, 2001.
- Mairs, J. “VPNs – a beginner’s guide”, 2002.
- VPN Tutorial, http://www.iec.org/online/tutorials/vpn/
- Virtual Private Networks – research of Infonetics Inc., http://www1.avaya.com/enterprise/whitepapers/vpnetworkswp.pdf

Page 24: Virtual Private Networks

Questions?