LITERATURE SEARCH

I have therefore accumulated the following key topics for research on Virtual Private Networking:

•  What is VPN?
•  What Makes a VPN?
•  Types of VPN
•  Remote-Access VPN
•  Site-to-Site VPN
•  Extranet VPN
•  VPN Security
•  Firewalls
•  Encryption
•  IPSec
•  AAA Servers
•  VPN Technologies
•  VPN Concentrator
•  VPN-Optimized Router
•  Cisco Secure PIX Firewall
•  Tunnelling
•  Carrier protocol
•  Encapsulating protocol
•  Passenger protocol
•  Tunneling: Site-to-Site
•  Tunnelling: Remote-Access
•  L2F (Layer 2 Forwarding)
•  PPTP (Point-to-Point Tunneling Protocol)
•  L2TP (Layer 2 Tunneling Protocol)
•  MPLS

•  What is VPN?
A VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.

Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/vpn.html
[ VPN is one of the most used words in networking today and has many different meanings.
The broadest definition of a VPN is 'any network built upon a public network and partitioned for use by individual customers'. This results in public frame relay, X.25, and ATM networks being considered as VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging forms of VPNs are networks constructed across shared IP backbones, referred to as 'IP VPNs'. ]

Definition by VPN Consortium:
http://www.vpnc.org/vpn-technologies.html
[ A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.
Companies today are looking at using a private virtual network for both extranets and wide-area intranets. ]

My Definition:
Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

•  What Makes a VPN?
A well-designed VPN can greatly benefit a company. For example, it can:
•  Extend geographic connectivity
•  Improve security
•  Reduce operational costs versus traditional WAN
•  Reduce transit time and transportation costs for remote users
•  Improve productivity
•  Simplify network topology
•  Provide global networking opportunities
•  Provide telecommuter support
•  Provide broadband networking compatibility
•  Provide faster ROI (return on investment) than traditional WAN
A well-designed VPN should have the following features:
It should incorporate:
•  Security
•  Reliability
•  Scalability
•  Network management
•  Policy management

•  Types of VPN:
1) Remote-Access VPN
2) Site-to-Site VPN
3) Extranet VPNs

•  Remote-Access VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html
[ Remote Access VPNs provide remote access to a corporate Intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, digital subscriber line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices. ]

Remote-Access VPN
My Definition:
Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a low-call or free number (0800, 0500, etc.) to reach the NAS and use their VPN client software to access the corporate network.


[Figure: Remote-access VPN. Image source: "Understanding Virtual Private Networking", ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf]
[Figure: Remote Access VPN. Image copyrighted by and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html]
A good example of a company that needs a remote-access VPN would be a company with a lot of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

•  Site-to-Site VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html
[ Site-to-Site VPNs are an alternative WAN infrastructure that is used to connect branch offices, home offices, or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. ]

A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption. Site-to-site VPNs can be one of two types:

Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

[Figure: Site-to-Site VPNs. Image source: "Understanding Virtual Private Networking", ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf]
[Figure: Site-to-Site VPNs. Image copyrighted by and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html]

•  Extranet VPN
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html
[ Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability. ]

* See reference section for resource detail.

[Figure: Different VPN Types. Image copyrighted by and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html]
[Figure source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

•  VPN Security:
A well-designed VPN uses several methods for keeping your connection and data secure:

•  Firewalls
•  Encryption
•  IPSec
•  AAA Server

•  Firewalls:
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/f/firewall.html
[ (fir´wâl) (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. ]

There are several types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert.
A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
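The packet-filter technique described above, as an added example (not code from the original page): a stateless first-match filter evaluated over constructed packets. The naive rule set trusts any packet whose source address is internal, which is exactly the IP-spoofing weakness mentioned; the hardened set puts an interface-aware anti-spoofing rule in front of it. The 10.0.0.0/8 corporate range, the interface names and the sample packets are assumptions.

```python
# Added example, not from the original page: a minimal stateless packet
# filter with first-match-wins rules and a default deny, showing why a
# rule that trusts internal source addresses needs an anti-spoofing rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    iface: Optional[str] = None      # None matches any interface
    src: Optional[str] = None        # CIDR; None matches any source
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or self.iface == p.iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
        ])


def filter_packet(rules, p: Packet) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INTERNAL = "10.0.0.0/8"   # assumed corporate address space

# Naive: trust anything that claims an internal source, whatever interface
# it arrived on. An attacker on the Internet can forge such a source.
NAIVE_RULES = [
    Rule("allow", src=INTERNAL),
    Rule("allow", proto="tcp", dport=443, dst="10.0.5.10/32"),
]

# Hardened: internal source addresses are never legitimate on the outside
# interface, so drop them before any allow rule is consulted.
HARDENED_RULES = [Rule("deny", iface="outside", src=INTERNAL)] + NAIVE_RULES

# Constructed sample traffic.
SPOOFED = Packet("outside", "10.0.0.7", "10.0.5.10", "tcp", 23)      # forged source
LEGIT_INSIDE = Packet("inside", "10.0.0.7", "10.0.5.10", "tcp", 23)
WEB_FROM_INTERNET = Packet("outside", "203.0.113.9", "10.0.5.10", "tcp", 443)


def demo() -> dict:
    return {
        "naive_spoofed": filter_packet(NAIVE_RULES, SPOOFED),
        "hardened_spoofed": filter_packet(HARDENED_RULES, SPOOFED),
        "hardened_inside": filter_packet(HARDENED_RULES, LEGIT_INSIDE),
        "hardened_web": filter_packet(HARDENED_RULES, WEB_FROM_INTERNET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Rule order matters: the deny rule only works because it is evaluated before the allow that trusts 10.0.0.0/8. A real filter would also drop packets with internal destinations leaving the outside interface and reserved source ranges, but the principle is the same.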


•  Encryption Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/e/encryption.html
[ The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. ]

My Definition:
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong in one of two categories:

•  Symmetric-key encryption
•  Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. One must know in advance which computers will be talking to each other so that the key can be installed on each of them. Symmetric-key encryption is essentially the same as a secret code that both computers must know in order to decode the information; the code provides the key to decoding the message.

This can be further understood by a simple example: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.

Public-key encryption uses a pair of keys: a private key, known only to our computer, and a public key, which our computer gives to any computer that wants to communicate securely with it. A sender encrypts a message with the recipient's public key, and only the recipient's private key can decrypt it; the public key cannot undo what it encrypted. A very popular public-key encryption utility is Pretty Good Privacy (PGP), which can encrypt almost anything.
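Both categories above, as an added example that is not from the original page: the "shift by 2" cipher with its single shared key, next to textbook RSA with tiny primes, which shows the sender encrypting with the recipient's public key and only the matching private key recovering the message. The primes, names and messages are made up; real RSA uses large primes and padding (such as OAEP), and the one-byte-per-block encryption here is for illustration only.

```python
# Added example, not from the original page. Two toy ciphers illustrating
# the key-handling difference: a shared-key shift cipher (symmetric) and
# textbook RSA with small primes (public-key). Not for real use.
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Symmetric: the same key encrypts and decrypts ("shift by 2")."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def rsa_keygen(p: int, q: int, e: int = 17):
    """Textbook RSA from two (toy) primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(message: bytes, public) -> list:
    """Encrypt with the RECIPIENT's public key, one byte per block (toy)."""
    n, e = public
    return [pow(b, e, n) for b in message]


def rsa_decrypt(blocks: list, private) -> list:
    """Only the holder of the matching private key gets the plaintext back."""
    n, d = private
    return [pow(c, d, n) for c in blocks]


def demo():
    # Symmetric: both parties must already share key=2 before talking.
    c = shift_encrypt("ATTACK AT DAWN", 2)
    p = shift_decrypt(c, 2)

    # Public-key: Bob publishes bob_public; Alice encrypts with it; Bob
    # decrypts with the private key he never shared with anyone.
    bob_public, bob_private = rsa_keygen(61, 53)      # toy primes
    blocks = rsa_encrypt(b"hi", bob_public)
    recovered = bytes(rsa_decrypt(blocks, bob_private))

    # A different key pair (Eve's) cannot recover the message.
    _, eve_private = rsa_keygen(47, 59)
    wrong = rsa_decrypt(blocks, eve_private)
    return c, p, bob_public, blocks, recovered, wrong


if __name__ == "__main__":
    print(demo())
```

With p=61 and q=53 the public key is (3233, 17) and the private exponent is 2753; anyone can verify 17 * 2753 = 1 mod 3120. The symmetric half needs the key on both machines beforehand, the public-key half needs only Bob's public key to be delivered to Alice intact, which is the problem PGP's web of trust and X.509 certificates address.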

•  IPSec Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/I/IPsec.html
[ Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement Virtual Private Networks (VPNs). ]

My Definition:
Internet Protocol Security (IPSec) provides security at the IP layer rather than inside each application: confidentiality (ESP), data-origin authentication and integrity (AH and ESP), and anti-replay protection, with keys normally negotiated by IKE rather than configured by hand.

[Figure: IPSec. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

IPSec has two modes: tunnel and transport. In tunnel mode the entire original IP packet, header included, is protected and a new outer IP header is added; in transport mode the original IP header is kept and only the payload is protected. Only systems that implement IPSec can take advantage of this protocol. Both peers must agree on the same security association (algorithms and keys, normally negotiated with IKE rather than one static key shared by all devices), and the firewalls at each end must permit the IPSec traffic (IP protocol 50 for ESP, 51 for AH, and UDP port 500 for IKE). IPSec can protect data between various devices, such as:
•  Router to router
•  Firewall to router
•  PC to router
•  PC to server

•  AAA Servers Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/A/AAA.html
[ Short for authentication, authorization and accounting, a system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network. ]

My Definition:
AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

•  Who you are (authentication)
•  What you are allowed to do (authorization)
•  What you actually do (accounting)
The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
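The proxied request described above, as an added example not taken from the page: the NAS encodes a RADIUS Access-Request and the AAA server parses it and recovers the User-Password. RADIUS (RFC 2865) is assumed as the AAA protocol, since the page names none; the shared secret, identifier, user name and NAS address are constructed. The password hiding is the RFC's MD5 chain, which is only as strong as the shared secret, so the NAS-to-server link still needs its own protection.

```python
# Added example, not from the original page. Encodes and decodes a RADIUS
# Access-Request (RFC 2865), the "who you are" step between a NAS and an
# AAA server. RADIUS is assumed as the AAA protocol; all values are made up.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2: XOR 16-byte chunks with an MD5 chain keyed by the shared secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + bytes((-len(password)) % 16)     # NUL-pad to 16n bytes
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk                  # next block is chained on the ciphertext
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; the length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identifier, username, password, nas_ip, authenticator=None):
    """NAS side. The 16-byte Request Authenticator must be fresh and unpredictable."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, pkt[4:20], attrs


def server_recover_password(secret, pkt):
    """AAA server side: the same shared secret is needed to recover the password."""
    code, _, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not an Access-Request carrying a User-Password")
    return unhide_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
```

The authorization step corresponds to the attributes the server returns in its Access-Accept (for example a Framed-IP-Address or a filter name), and accounting to the separate Accounting-Request messages sent at session start and stop; both use the same TLV encoding shown here.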

•  VPN Technologies
Depending on the type of VPN (remote-access or site-to-site), certain components will need to be put in place to build the VPN. These might include:

•  Desktop software client for each remote user
•  Dedicated hardware such as a VPN concentrator or secure PIX firewall
•  Dedicated VPN server for dial-up services
•  NAS (network access server) used by service provider for remote-user VPN access
•  VPN network and policy-management center

Because no single standard covers every component of a VPN deployment (client software, access servers, policy management), many companies have developed turn-key solutions of their own.

I will discuss some of the solutions offered by Cisco, one of the most prevalent networking technology companies:-

•  VPN Concentrator
Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN. They provide high availability, high performance and scalability and include components, called scalable encryption processing (SEP) modules, which enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.

•  VPN-Optimized Router
Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internetwork Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

•  Cisco Secure PIX Firewall
The Cisco PIX (Private Internet eXchange) Firewall combines dynamic network address translation, a proxy server, packet filtering, firewall and VPN capabilities in a single piece of hardware.

Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

•  Tunnelling Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/t/tunneling.html
[ (tun´&l-ing) (n.) A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet. ]

My Definition:

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and both points, called tunnel interfaces, where the packet enters and exits the network.

To explain and simplify the process of Tunneling I will give an example: It's like having a Mobile phone delivered by Royal Mail. The Mobile Phone Company packs the Mobile Phone (passenger protocol) into a box (encapsulating protocol) which is then put on a Royal Mail delivery truck (carrier protocol) at the Mobile Phone Company's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the Motorways (Internet) to customer's home (exit tunnel interface) and delivers the Mobile Phone. The customer opens the box (encapsulating protocol) and removes the Mobile Phone (passenger protocol). That's called Tunneling. Simple!

Tunneling requires three different protocols:
•  Carrier protocol - The protocol used by the network that the information is traveling over
•  Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data
•  Passenger protocol - The original data (IPX, NetBEUI, IP) being carried
Tunneling has several nice uses for VPNs. For example, a packet that uses a protocol not supported on the Internet (such as NetBEUI) can be placed inside an IP packet and sent safely over the Internet. Or a packet that uses a private (non-routable) IP address can be put inside a packet that uses a globally unique IP address to extend a private network over the Internet.

•  Tunnelling: Site-to-Site
In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet is being encapsulated and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol; note that GRE on its own provides no encryption or authentication, so GRE tunnels carrying private traffic are usually themselves protected by IPSec. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces.
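The three-protocol tunnel model above and the IPSec tunnel/transport distinction from the IPSec section, as one added example that is not from the original page: a private-address UDP datagram (passenger) is wrapped in GRE inside an outer IPv4 packet (carrier), then in ESP tunnel mode and in ESP transport mode, and an on_the_wire() helper shows what an observer on the Internet sees in each case. The addresses, key and payload are constructed, and the ESP cipher is a toy HMAC-SHA256 keystream so that the example runs on the standard library; it is not a standard IPSec transform.

```python
# Added example, not from the original page: one passenger packet wrapped
# three ways. GRE over IPv4 (carrier/encapsulating/passenger), then IPsec
# ESP in tunnel mode and in transport mode. The ESP cipher is a toy
# keystream built from HMAC-SHA256 so this runs on the standard library;
# it is NOT an IPsec-standard transform. Addresses and key are made up.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

GRE_PROTO, ESP_PROTO, IPV4_IN_IP, UDP = 47, 50, 4, 17

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])

# Passenger protocol: a UDP datagram between two private (non-routable) hosts.
PASSENGER = (ipv4_header("10.1.0.5", "10.2.0.9", UDP, 13)
             + struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello")

def gre_encapsulate(passenger, outer_src, outer_dst):
    """GRE: 4-byte header (no flags, protocol type 0x0800 = IPv4 passenger)."""
    gre = struct.pack("!HH", 0, 0x0800) + passenger
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre)) + gre

def gre_decapsulate(carrier):
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != GRE_PROTO or payload[2:4] != b"\x08\x00":
        raise ValueError("not GRE carrying IPv4")
    return payload[4:]

def keystream(key, spi, seq, n):
    """Toy PRF keystream: HMAC-SHA256(key, SPI || seq || counter) blocks."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def esp_seal(key, spi, seq, inner, next_header):
    """SPI and sequence number in clear, then ciphertext, then a 96-bit ICV."""
    pad_len = (-(len(inner) + 2)) % 4                 # trailer aligned to 4 bytes
    plaintext = inner + bytes(pad_len) + bytes([pad_len, next_header])
    ks = keystream(key, spi, seq, len(plaintext))
    body = struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:12]

def esp_open(key, esp):
    """Verify the ICV before touching the ciphertext; return (next_header, inner)."""
    body, icv = esp[:-12], esp[-12:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:12], icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pt = bytes(a ^ b for a, b in zip(body[8:], keystream(key, spi, seq, len(body) - 8)))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]

def esp_tunnel(key, passenger, outer_src, outer_dst):
    """Tunnel mode: the whole passenger packet, inner IP header included, is encrypted."""
    esp = esp_seal(key, 0x1001, 1, passenger, IPV4_IN_IP)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp

def esp_transport(key, passenger):
    """Transport mode: original IP header stays in clear; only its payload is protected."""
    src, dst, proto, payload = parse_ipv4(passenger)
    esp = esp_seal(key, 0x1002, 1, payload, proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def on_the_wire(pkt):
    """What a passive observer learns from the outer header alone."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return src, dst, proto

def tamper_detected(key, esp):
    """Flip one ciphertext bit; a correct receiver must reject the packet."""
    flipped = bytearray(esp)
    flipped[10] ^= 0x01
    try:
        esp_open(key, bytes(flipped))
        return False
    except ValueError:
        return True
```

Plain GRE leaves the inner header and payload readable to anyone on the path; ESP tunnel mode hides the private addresses entirely, while ESP transport mode exposes them in the outer header, which is why transport mode suits host-to-host use and tunnel mode suits gateway-to-gateway VPNs. The receiver checks the ICV before decrypting, so a modified packet is dropped rather than decrypted into garbage.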

•  Tunnelling: Remote-Access
In a remote-access VPN, tunneling normally takes place using PPP. PPP is the link-layer protocol that carries IP (and other network protocols) between the host computer and a remote system over the dial-up or access link, and it also supplies the authentication methods (PAP, CHAP, MS-CHAP) that the tunneling protocols below rely on; remote-access VPN tunneling therefore builds on PPP.

Each of the protocols listed below were built using the basic structure of PPP and are used by remote-access VPNs.

•  L2F (Layer 2 Forwarding)
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html
[ Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft, enabling organizations to set up virtual private networks (VPNs) that use the Internet backbone to move packets. ] Developed by Cisco, L2F will use any authentication scheme supported by PPP.

•  PPTP (Point-to-Point Tunnelling Protocol)
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/P/PPTP.html

[ Short for Point-to-Point Tunneling Protocol, a new technology for creating Virtual Private Networks (VPNs) , developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum. A VPN is a private network of computers that uses the public Internet to connect some nodes. Because the Internet is essentially an open network, the Point-to-Point Tunneling Protocol (PPTP) is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet. ]

PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption (MPPE, whose keys are derived from the MS-CHAP authentication exchange, so the strength of the tunnel depends on the strength of that authentication) and will use any authentication scheme supported by PPP.

 •  L2TP (Layer 2 Tunneling Protocol)

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/L2TP.html

[ Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).

L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol. ]

L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec: L2TP itself only tunnels PPP frames and provides no encryption, so in practice it is run over IPSec (L2TP/IPSec), which supplies the confidentiality and integrity.

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:
•  Client and router
•  NAS and router
•  Router and router

•  MPLS:
** Note: MPLS Information & Description Is Taken From The Article Resource:
“The MPLS FAQ” - MPLS-RC - The MPLS Resource Center
http://www.mplsrc.com/mplsfaq.shtml
Copyright 2000-2004, MPLSRC.COM
**
MPLS History
a. What is MPLS?

MPLS stands for "Multiprotocol Label Switching". In an MPLS network, incoming packets are assigned a "label" by a "label edge router (LER)". Packets are forwarded along a "label switch path (LSP)" where each "label switch router (LSR)" makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new label which tells the next hop how to forward the packet.

Label Switch Paths (LSPs) are established by network operators for a variety of purposes, such as to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks. In many ways, LSPs are no different than circuit-switched paths in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.

An LSP can be established that crosses multiple Layer 2 transports such as ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is the ability to create end-to-end circuits, with specific performance characteristics, across any type of transport medium, eliminating the need for overlay networks or Layer 2 only control mechanisms.

To truly understand what MPLS is, RFC 3031 (Multiprotocol Label Switching Architecture) is required reading.

b. How did MPLS evolve?

MPLS evolved from numerous prior technologies including Cisco's "Tag Switching", IBM's "ARIS", and Toshiba's "Cell-Switched Router". More information on each of these technologies can be found at http://www.watersprings.org/links/mlr/. The IETF's MPLS Working Group was formed in 1997.

c. What problems does MPLS solve?

The initial goal of label based switching was to bring the speed of Layer 2 switching to Layer 3. Label based switching methods allow routers to make forwarding decisions based on the contents of a simple label, rather than by performing a complex route lookup based on destination IP address. This initial justification for technologies such as MPLS is no longer perceived as the main benefit, since Layer 3 switches (ASIC-based routers) are able to perform route lookups at sufficient speeds to support most interface types.

However, MPLS brings many other benefits to IP-based networks, they include:

Traffic Engineering - the ability to set the path traffic will take through the network, and the ability to set performance characteristics for a class of traffic

VPNs - using MPLS, service providers can create IP tunnels throughout their network, without the need for encryption or end-user applications

Layer 2 Transport - New standards being defined by the IETF's PWE3 and PPVPN working groups allow service providers to carry Layer 2 services including Ethernet, Frame Relay and ATM over an IP/MPLS core

Elimination of Multiple Layers - Typically most carrier networks employ an overlay model where SONET/SDH is deployed at Layer 1, ATM is used at Layer 2 and IP is used at Layer 3. Using MPLS, carriers can migrate many of the functions of the SONET/SDH and ATM control plane to Layer 3, thereby simplifying network management and network complexity. Eventually, carrier networks may be able to migrate away from SONET/SDH and ATM all-together, which means elimination of ATM's inherent "cell-tax" in carrying IP traffic.

d. What is the status of the MPLS standard?

Most MPLS standards are currently in the "Internet Draft" phase, though several have now moved into the RFC-STD phase. See "MPLS Standards" for a complete listing of current ID's and RFC's. For more information on the current status of various Internet Drafts, see the IETF's MPLS Working Group home page at http://www.ietf.org/html.charters/mpls-charter.html


There's no such thing as a single MPLS "standard". One day there will be a set of RFCs that together will allow you to build an MPLS system. For example today, a typical IP router spec. sheet will list about 20 RFCs to which this router will comply. If you go to the IETF web site (http://www.ietf.org), then click on "I-D Keyword Search", enter "MPLS" as your search term, and crank up the number of items to be returned, (or visit http://www.mplsrc.com/standards.shtml) you'll find over 100 drafts currently stored. These drafts have a lifetime of 6 months. Some of these drafts have been adopted by the IETF WG for MPLS.

Further reading:
Additional information on MPLS:
For articles, papers, and additional resources, see the MPLS Resource Center at http://www.mplsrc.com
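The LER/LSR/LSP behaviour described in the quoted FAQ, as an added example (not code from the page or from the FAQ): a 32-bit MPLS shim header (20-bit label, 3 EXP bits, bottom-of-stack bit, 8-bit TTL) is pushed by the ingress, swapped hop by hop from each router's label table, and popped at the egress, with forwarding decisions made on the label alone. Labels, router names and the payload are made up. The packet behind the label travels unchanged and in the clear; an MPLS VPN separates customers' traffic, it does not encrypt it.

```python
# Added example, not from the original page or the quoted FAQ. Simulates an
# MPLS label switch path: ingress push, per-hop swap, egress pop. Router
# names, labels and the payload are constructed for illustration.
import struct


def shim(label, exp=0, bos=1, ttl=64):
    """Pack one 32-bit MPLS shim header: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 2 ** 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_shim(hdr):
    """Return (label, exp, bottom_of_stack, ttl) from the first 4 bytes."""
    (w,) = struct.unpack("!I", hdr[:4])
    return w >> 12, (w >> 9) & 0x7, (w >> 8) & 0x1, w & 0xFF


class LSR:
    """One label switch router: forwards on the label only, never on the IP header."""

    def __init__(self, name, table):
        self.name = name
        self.table = table            # in_label -> (action, out_label, next_hop)

    def forward(self, pkt):
        label, exp, bos, ttl = parse_shim(pkt)
        if ttl <= 1:
            raise ValueError(f"{self.name}: TTL expired for label {label}")
        if label not in self.table:
            raise ValueError(f"{self.name}: no entry for label {label}")
        action, out_label, next_hop = self.table[label]
        if action == "swap":
            return shim(out_label, exp, bos, ttl - 1) + pkt[4:], next_hop
        if action == "pop":           # egress LER: hand the unchanged payload to IP
            return pkt[4:], next_hop
        raise ValueError(f"{self.name}: unknown action {action}")


def ingress_push(payload, label):
    """Ingress LER classifies the packet and pushes the first label of the LSP."""
    return shim(label) + payload


def walk_lsp(pkt, routers, first_hop):
    """Carry the packet hop by hop; record the label seen on each incoming link."""
    trail, hop = [], first_hop
    while hop is not None:
        trail.append((hop, parse_shim(pkt)[0]))
        pkt, hop = routers[hop].forward(pkt)
    return pkt, trail


# Constructed LSP: PE1 pushes 100 -> P1 swaps 100->200 -> P2 swaps 200->300 -> PE2 pops.
NETWORK = {
    "P1": LSR("P1", {100: ("swap", 200, "P2")}),
    "P2": LSR("P2", {200: ("swap", 300, "PE2")}),
    "PE2": LSR("PE2", {300: ("pop", None, None)}),
}
PAYLOAD = b"\x45" + bytes(19) + b"cleartext IP packet"   # constructed; never encrypted


def demo():
    pkt = ingress_push(PAYLOAD, 100)
    return walk_lsp(pkt, NETWORK, "P1")


if __name__ == "__main__":
    out, trail = demo()
    print(trail, out == PAYLOAD)
```

The trail shows a different label on every link while the payload bytes never change: separation between customers comes from each PE keeping separate label tables, not from any cryptography, so traffic that must stay confidential across a provider's MPLS core still needs IPSec on top.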

    © 2004-2005 Rashid Yunus Khan. All Rights Reserved.