Virtual Private Networks (VPN)

Introduction
The Internet has grown in the last few years larger than anyone ever
imagined it could be. As it is now widely recognized that the Internet is the simplest way
of communication and data sharing, more and more companies rely on it for connecting
their offices worldwide.

The first implementation for sharing information between global offices

was the use of lease lines for maintaining a Wide Area Network (WAN). Leased lines
(ranging from ISDN to OC12), provided a company with a way to expand its private
network beyond its geographic area. The WAN had answered the needs of each
company - secure better performance, reliability etc., but maintaining a WAN with an
OC3 connection can become quite expensive. The cost is a function of distance - as the
distance increases, the cost rises and vise versa. Another solution was the famous
intranet. Basically, if a company wanted to use an intranet to share information between
global or local offices, it set up a password-protected (usually basic HTTP
authentication) site the use by the employees. Once again, this method had answered
all the needs of the company except security.
Virtual Private Networks is a total gaining popularity among large
organizations that use the global Internet as both Intra and Inter Organization media,
but require privacy in their intra organization communications.

To achieve privacy the organizations generally uses three strategies:

 Private Networks

Hybrid networks

Virtual Private Networks

Private Networks:

An organization that needs privacy when routing information iside the

organization can use a private network. A small organization with one single site cans an
isolated LAN. A large organization with several suits can create a private internet. The
LANs at different sites can be connected to each other using routers and leased lines.

Internet can be made out of private LANs & private WANs

The Organization can use TCP/IP protocol for end-to-end communication between
stations at different sites. There is no need for IP address. The Organization can use any
IP class and assign network and host address internally.

Hybrid Networks:

Today most organizations need to have privacy in intraorganization data

exchange but at the same time they need to be connected to the global internet for data
exchange. The solution is hybrid network. A Hybrid network allows an organization to
have its own private internet and at the same time access to the global internet.
Intraorganization data is routed through the private internet. Inter organization data is
routed through the global internet.

The organization with 2 sites uses routers R1, R2 connect to the two sites privately
through a leased line. It uses the R3, R4 to connect two sites of the rest of the world.
The organization uses global IP address for both types of communication. Internet
packets are routed through R1, R2 and R3, R4 route the packets destined for outsiders.

VIRTUAL PRIVATE NETWORKS:

Both private and Hybrid have a major drawback i.e. cost. Private networks
are expensive to connect several sites an organization needs several leased lines which
means a high monthly cost.

One solution is to use the global Internet for both the private and public
communication. A technology called Virtual private Network allows organizations to be
global internet for both purposes.

Virtual Private Networks create a network that is private but virtual. It is

private because it guarantees privacy inside the organization; it is virtual because it does
not us real private WANs the network is physically public but virtually private.

Because both public and private networks have advantages, a new

technology has emerged that combines the advantages of both VPN, the technology
that allows the company with multiple sites to have a private network. But use a public
network as a carrier. In particular, although the company can use the public network as
a link between its sites, VPN restricts traffic so that packets can travel only through
companys sites. Further more even if an outsider accidentally receives a copy of a
packet, VPN technology means that they cant understand the contents.

Now a day, more and more companies are creating their own virtual
private network to accommodate their needs. VPN, or virtual private network, is an
Internet service network that establishes a private connection over shared public
facilities. VPN acts as a bridge between two or more Local Area Networks (LANs)
across the Internet. VPN connections manage authentication between servers and
clients using data encryption. VPNs were created, so an access is permitted to
authorize users only. VPNs allow users to have access to the same network resources,
addresses, and so forth as if they were connected locally. VPNs provide a secure
service, because data is sent in an encrypted form between the client and the VPN
server - it makes harder to capture sensitive information, but not impossible.

As it is most commonly defined, a virtual private network (VPN) allows two or

more private networks to be connected over a publicly accessed network. In a sense,
VPNs are similar to wide area networks (WAN) or a securely encrypted tunnel, but the
key feature of VPNs is that they are able to use public networks like the Internet rather
than rely on expensive, private leased lines. At they same time, VPNs have the same
security and encryption features as a private network, while taking the advantage of the
economies of scale and remote accessibility of large public networks.

A VPN is an especially effective means of exchanging critical information

for employees working remotely in branch offices, at home, or on the road. It can
securely deliver information between vendors, suppliers, and business partners, who
may have a huge physical distance between them. Since companies no longer have to
invest in the actual infrastructure themselves, they can reduce their operational costs by
outsourcing network services to service providers. VPNs can also reduce costs by
eliminating the need for long-distance telephone charges to obtain remote access, as
client need only call into the service provider's nearest access point.
A VPN uses a public transport--the Internet--for private communications. It
applies encryption to preserve privacy. Traditionally, companies have used private
transport to do that--dedicated phone lines. The two ways of keeping an electronic
conversation private are to make the line private and the data private. Dedicated lines
are private because the line is private, i.e., inaccessible to others. VPNs are private

because the data is private, i.e., rendered unintelligible by encryption--different means,

same result.
VPNs are most commonly used to connect two networks at different sites
of the same company. The technique in effect plugs the remote computers into the local
network, consolidating the two physical nets into a single logical one. Remote computers
have access to the same local resources as local ones. At the same time, remote
machines enjoy the same degree of privacy as local ones. All this is location-transparent
in terms of operation (though not performance) as if they were attached to the local
network. This combination of full participation plus full privacy between networks, while
using a link that isn't private, is the hallmark of a VPN. The compelling appeal of the VPN
is that it's cheap. Dedicated lines are expensive, so displacing them with a free transport
is economic.
In Other words Virtual private networks are secured private network connections,
built on top of publicly-accessible infrastructure, such as the Internet or the public
telephone network. VPNs typically employ some combination of encryption, digital
certificates, strong user authentication and access control to provide security to the
traffic they carry. They usually provide connectivity to many machines behind a gateway
or firewall.

Virtual Private Networks

Virtual private networks (VPN) provide an encrypted connection between a user's

distributed sites over a public network (e.g., the Internet). By contrast, a private network
uses dedicated circuits and possibly encryption. This describes IP-based VPN
technology over the Internet, though an organization might deploy VPN's on its internal
nets (intranets) to encrypt sensitive information. We also have some performance
numbers. The basic idea is to provide an encrypted IP tunnel through the Internet that
permits distributed sites to communicate securely. The encrypted tunnel provides a
secure path for network applications and requires no changes to the application.
VPNs today are set up a variety of ways, and can be built over ATM, frame
relay, and X.25 technologies. However, the most popular current method is to deploy IPbased VPNs, which offer more flexibility and ease of connectivity. Since most corporate
intranets use IP or Web technologies, IP-VPNs can more transparently extend these
capabilities over a wide network. An IP-VPN link can be set up anywhere in the world
between two endpoints, and the IP network automatically handles the traffic routing.
Privacy and protection of data is of utmost importance when deploying
services over the Internet, where it can be vulnerable to attacks or illegal entry. Secure
IP-VPNs are networks that are secured by encryption and authentication, and layered on
an existing IP network. In response to security issues, the Internet Engineering Task
Force (ietf.org) has developed the IP Security (IPSec) protocol suite, a set of IP
extensions that offer strong data authentication and privacy guarantees.
Although security features differ from product to product, most IP-VPN
providers generally private network tunneling through the IP backbone, data encryption,
authentication proxying, firewall, and spam filtering.

Network VPN service lets clients open secure tunnels across the Internet
by connecting through a host's data center where the VPN equipmentand the staff to
service itactually resides. "Somebody who knows what they're doing picks the
equipment, manages it, and just tells you when there's a problem," says network
consultant Lisa Phifer, vice president of Core Competence in Chester Springs,
Pennsylvania. Because they're easier to deploy and maintain, managed VPNsand
network VPN service in particularare beginning to eclipse do-it-yourself solutions. In its

2000 WAN Manager Survey, IDC reported that companies are opting for VPN services
more often than in-house installations.
One reason for this recent upsurge in interest is that network VPN service
has changed the equation so radically. Until it debuted last year, only two managed
options were available, and both were pricey. Customer premises equipment (CPE)
programs, in which an outside provider installs, maintains, and trouble- shoots
equipment on a company's own premises, require service contracts that cover the cost
of troubleshooting on-site. Internet Protocol (IP) over frame relay is a high-end service
provided by carriers in which tunnels are opened through central data centers where the
equipment is hosted and maintained.
To build a VPN, a company buys a special hardware and software system
for each of its sites. The system is placed between the companys private (i.e. internal)
network and public network. Each of the systems must be configured with the address of
the companys other VPN systems. The software will then exchange packets only with
the VPN systems at the companys other sites. Furthermore to guarantee, privacy VPN
encrypts each packet before transmission.
In addition to configuring, the VPN system at each site, a network
manager must also configure routing at the site. Whenever a computer at one site sends
a packet to a computer to another, the packet is routed to the local VPN system. The
VPN system examines the destination and encrypts the packet and sends the result
across the public network to the VPN system at the destination site when a packet
arrives , the receiving VPN system verifies that it came from a valid peer, decrypts the
contents and forward the packet to its destination.
The point is:
The VPN combines the advantages of private and public networks by
allowing a company with multiple sites to have the illusion of a completely private
network and to use a public network to carry traffic between sites

Real World Example:

Anchor Pharmacies' search for a manageable, low-cost way to link its stores
together led it to network VPN service, one of the hottest twists on VPN connectivity. The
company's expansion strategy was to acquire financially strapped independent
drugstores and restore their profitability by cutting costs through the efficiencies of
central management. But secure connectivityor the lack of itwas standing in the way
of Anchor's plans.

VPN products fall into three broad categories:

Hardware-based systems

Firewall-based systems

Standalone application packages.

Most hardware-based VPNs are encrypting routers, which are considered

secure and simple to use, as they are the nearest thing to "plug-and-play" equipment
available. However, they may not be as flexible as software-based systems, which are
ideal in situations where both endpoints of a VPN are not controlled by the same
organization, which is typical for business partnerships or when client support is
required.
Firewall-based VPNs are considered among the most secure, as they take
advantage of the firewall's existing security mechanisms. However, if the firewall is
already loaded, performance issues may pop up.

However, as the VPN market continues to rapidly evolve, the lines between
different VPN architectures are increasingly blurred; many hardware vendors have
included software clients to their product offerings, and extended their server
Capabilities to include the security features found in software-based or firewall-based
VPNs. Similarly, some standalone products have added support for hardware-Based
encryptions to boost their performance. Companies providing managed VPN services
will usually bundle other value-added services to their secure global connectivity such as
consulting, design and support for emerging applications, such as voice over IP,

E-commerce, and network-hosted applications.

Companies and other global services use one of the following VPN types:

Virtual Private Dial-up Network:

VPDN, or Virtual Private Dial-up Network, is used to allow a user, or
users, to connect to a remote LAN from any place in the world. A connection to a LAN
via VPDN uses the Network Access Server (NAS) of the regional service provider (RSP).
A login name and password are sent to the NAS is the format login@domain, e.g.
[email protected]. Next, if VPDN is enabled, NAS authorized the domain portion. If
domain authorization fails, NAS authenticates the user as a non-VPDN user; if it
succeeds, a tunnel is established (using tunnel ID and home gateway IP address). Now
the user must be authenticated.

Site-to-Site VPN
Site-to-site (STS) based VPN is a private network utilizing the Internet.
This type of application provides levels of security, privacy and manageability that are
similar to networks based upon private leased lines (see above). Site-to-Site VPN can
be either:

Intranet-based Site-to-Site VPN

10

 Extranet-based Site-to-Site VPN

Intranet-based Site-to-Site VPN

this type of application is used to connect two, or more, networks
over the intranet using a Router-to-Router VPN connection. It mainly used if there are
networks that are hidden or contain sensitive information (secure networks). It is also
used to enable a remote connection over the intranet to a network that is hidden or
secure, and is physically disconnected from the intranet.

Extranet-based Site-to-Site VPN

this type of application is used when two LANs wish to join in a single
private network and to work in a shared environment, for example, partners, customers
etc.

VPN Security
In the beginning of the article I have written that VPN provides a
secure environment for a company. In this section I'll discuss three major methods to
secure the connection.

Authentication

Authorization

Accounting

All together these three are called as AAA Server.

AAA Server
11

AAA Server, or Authentication, Authorization and Accounting Server, is a server

program that handles user requests for access. Networks interface with the AAA server
via RADIUS - Remote Authentication Dial-in up Service.
The first process - authentication - provides a way to identify the user, typically
by having the user to enter a valid login name and password. Each user has a unique
set of criteria, which stored in a database. Following the authentication, a user must gain
authorization for doing certain task (what the user is allowed to do). Each user has
his/her own policies, which determine what commands could be executed, what type of
resources and services a user is permitted to use etc. The last step, accounting, acts as
a logger. It logs data, sessions, usage information etc.

Virtual private Networks requires two factors to create a secure connection

namely

Encryption

Tunneling

Encryption
Encryption has the major role when creating a secure connection. Tunneling
creates the network, encryption makes it secure - scrambles data so that only those who
have the right key can decode it. Most of the computer systems use either Symmetrickey encryption or Public-key encryption (for more details see below).

A word about tunneling

Tunneling involves the encapsulation of an encrypted diagram in a

second outer datagram. Tunneling lets the two ends of the VPN communicate across the

12

Internet. Since the Internet doesn't speak the same language as your network does, a
tunnel packages the data you're sending so that the Internet can understand it.

IPSec
IPSec, or Internet Protocol Security, provides IP network-layer encryption.
The common technique to encrypt and authenticate VPN is IP Security. IPSec provides
two operation modes - transport and tunnel. In transport mode, only the IP payload is
encrypted, and IP headers are left intact. This mode doesn't provide defense against
spoofing attack or network analysis. An attacker can pass the IP header in the clear, so
the transport mode allows him to perform an attack. In tunnel mode, the entire datagram
is encrypted. IPSec uses a mechanism called Encapsulation Security Payload (ESP) to
implement encryption. IPSec uses an authentication header to implement authentication.

Design Issues
Some of the design issues considered in case of Virtual Private Networks:

supported platforms (UNIX, Win*, Mac)

proprietary or open solution (standards support)

ease of use (end user and network manager/SNMP)

performance (pkts/sec, encryption bandwidth, compression)

IP fragmentation support

strength of security

firewall inter-operability

features (firewall, addressing, IPv6 support, protocols, multicast)

network address translation (NAT)

mobile user support

key and policy management, authentication

13

scalability

export restrictions

internals (chipset, MHz, memory, net interfaces, tamper resistance)

cost

Software solutions
The software solutions might be better termed "software approximations."
The classic solution is to provide privacy on an application-by-application basis using
crypto APIs. Secure remote access is provided by encrypted telnet services like SRP or
SSH. SSH also permits tunneling other services (like X) over the encrypted connection.
For dial-in connections, Blaze's Encrypting Session Manager (ESM) provides encryption
after the session has been established. Encrypted voice communication over the
Internet is provided by Nautilus or PGPfone. Transport layer encryption for TCP is
provided by SSL, also see the IETF's Transport Layer Security (TLS) drafts. More
integrated software solutions can be provided by Kerberos or OSF's DCE or by using a
Point to Point Tunneling Protocol (PPTP or Microsoft's PPTP implementation and a FAQ)
and vulnerabilities. L2TP combines the best of PPTP and Cisco's L2F protocol.
Blaze's swIPe, or vpnd, and CIPE provide encrypted transport services; also see Gong's
enclave paper. The on-going development of IP security options for IPv4 and IPv6 along
with ISAKMP and GKMP may soon provide the necessary software tools for constructing
your own virtual private network, and there are some implementations available for
testing, also see paper on MS-DOS implementation. Also, see the recent Internet draft,
or the VPN framework, or the S/WAN initiative and Linux free swan or or OpenVPN
NIST's Cerberus.

Test and evaluation

The Network Research Group at ORNL has been doing evaluations of various
VPN solutions, including STEL, SSH, Kerberos, DCE, ESM, and IPv4/v6 with Cisco
ISAKMP daemon. We have also done preliminary testing on Cisco PIX unit, DEC's

14

AltaVista client tunnel, and DSN's Net Fortress. Here are some preliminary performance
data of encrypted tunneling throughput and latency.

Further Information
VPN Papers from Technology Guides

http://www.itpapers.com/resources/tech_guides.html
Super resource on VPNs

http://vpn.shmoo.com/
VPN Design (Cisco)
http://www.cisco.com/warp/public/779/largeent/design/vpn.html
VPN FAQs
(Cisco)http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/vpnmon/1_x/10
/using /vpnmimp.htm
Terms used in VPNs
http://www.vpnc.org/terms.html
what about VPN Security?
http://www.findvpn.com/articles/secure.cfm
IP Security Protocol (IPSec)
http://www.ietf.org/html.charters/ipsec-charter.html
Wireless VPN Solution
http://www.mobileinfo.com/ProductCatalog/Columbitech_VPN.htm

Symmetric-Key Encryption
http://dsa-isis.jrc.it/Trinidad/Infra/Trini_SymKey.html

Public-Key Encryption
http://www.ebcvg.com/download.php?id=1028

15

Danny aka Dr.T ([email protected])

http://www.ebcvg.com - BCVG Network Security, July 2002

16